UNPKG

arela

Version:

AI-powered CTO with multi-agent orchestration, code summarization, visual testing (web + mobile) for blazing fast development.

github.com/newdara/arela

newdara/arela

318 lines (251 loc) 6.97 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
--- id: arela.prd_format title: PRD Format category: product severity: should version: 1.0.0 --- # PRD Format ## Principle **A good PRD answers: What are we building, why, and how do we know it worked?** ## The Template ```markdown # [Feature Name] ## Problem Statement What problem are we solving? Who has this problem? ## Goals What are we trying to achieve? (Measurable) ## Non-Goals What are we explicitly NOT doing? ## User Stories As a [user type], I want to [action], so that [benefit]. ## Success Metrics How do we measure success? ## Requirements ### Must Have - Critical features ### Should Have - Important but not critical ### Nice to Have - Future enhancements ## User Flow Step-by-step user journey ## Technical Considerations - API changes - Database schema - Performance concerns - Security implications ## Open Questions What do we still need to figure out? ## Timeline When do we ship? ``` ## Example: User Authentication ```markdown # User Authentication System ## Problem Statement Users can't create accounts or log in to save their preferences. Without authentication, we can't personalize the experience or track user behavior. **Who:** All users who want to save data ## Goals 1. Enable user registration and login 2. Support email/password and Google OAuth 3. Achieve 80% registration completion rate 4. <2s login time (p95) ## Non-Goals - Social login beyond Google (Twitter, Facebook) - Two-factor authentication (v2) - Password reset via SMS (email only) - Enterprise SSO (future) ## User Stories ### Registration **As a** new user **I want to** create an account with email/password **So that** I can save my preferences **Acceptance Criteria:** - Email validation (format + uniqueness) - Password requirements (8+ chars, 1 number, 1 special) - Email verification required - Clear error messages ### Login **As a** returning user **I want to** log in with my credentials **So that** I can access my saved data **Acceptance Criteria:** - Email + password login - "Remember me" checkbox - "Forgot password" link - Max 5 failed attempts temporary lockout ### OAuth **As a** user **I want to** sign in with Google **So that** I don't need another password **Acceptance Criteria:** - Google OAuth 2.0 - Auto-create account on first login - Link existing account if email matches ## Success Metrics ### Primary - **Registration completion rate:** 80% - Baseline: N/A (new feature) - Measure: % who complete registration after starting - **Login success rate:** 95% - Measure: % of login attempts that succeed ### Secondary - **Time to register:** <60s (p95) - **Time to login:** <2s (p95) - **OAuth adoption:** 40% of new users ### Guardrail - **Failed login rate:** <5% - If higher, investigate UX issues ## Requirements ### Must Have - Email/password registration - Email verification - Login with email/password - Google OAuth - Password reset via email - Session management (7-day expiry) - Logout ### Should Have - "Remember me" (30-day session) - Account lockout after 5 failed attempts - Password strength indicator - Loading states for all actions ### Nice to Have - Magic link login (passwordless) - Profile picture upload - Account deletion - Export user data ## User Flow ### Registration Flow 1. User clicks "Sign Up" 2. Form: Email, Password, Confirm Password 3. Client-side validation 4. Submit API call 5. Success Email sent 6. User clicks verification link 7. Redirect to dashboard ### Login Flow 1. User clicks "Log In" 2. Form: Email, Password, Remember Me 3. Submit API call 4. Success Redirect to dashboard 5. Failure Show error, allow retry ### OAuth Flow 1. User clicks "Continue with Google" 2. Redirect to Google consent 3. User approves 4. Redirect back with token 5. API creates/links account 6. Redirect to dashboard ## Technical Considerations ### API Endpoints ``` POST /api/auth/register POST /api/auth/login POST /api/auth/logout POST /api/auth/verify-email POST /api/auth/reset-password POST /api/auth/oauth/google GET /api/auth/me ``` ### Database Schema ```sql users ( id UUID PRIMARY KEY, email VARCHAR UNIQUE NOT NULL, password_hash VARCHAR, -- NULL for OAuth-only email_verified BOOLEAN DEFAULT FALSE, oauth_provider VARCHAR, oauth_id VARCHAR, created_at TIMESTAMP, last_login TIMESTAMP ) sessions ( id UUID PRIMARY KEY, user_id UUID REFERENCES users, token VARCHAR UNIQUE, expires_at TIMESTAMP, created_at TIMESTAMP ) ``` ### Security - Passwords hashed with bcrypt (cost factor 12) - Session tokens: 32-byte random, stored hashed - HTTPS only (no HTTP) - CSRF protection - Rate limiting: 5 req/min per IP for auth endpoints - SQL injection prevention (parameterized queries) ### Performance - Login: <2s (p95) - Registration: <3s (p95) - Cache user sessions (Redis) - Database indexes on email, session token ## Open Questions 1. Should we support multiple OAuth providers in v1? - **Decision:** Google only, add others in v2 2. Password requirements too strict? - **Decision:** Test with 5 users, adjust if >50% complain 3. Email verification required or optional? - **Decision:** Required (prevent spam) ## Timeline - **Design:** Week 1 - **Backend API:** Week 2-3 - **Frontend:** Week 3-4 - **Testing:** Week 4 - **Launch:** Week 5 ## Dependencies - Email service (SendGrid) - Google OAuth credentials - Redis for session storage ## Risks - **Email deliverability:** Verification emails in spam - Mitigation: Use reputable provider (SendGrid), SPF/DKIM - **OAuth downtime:** Google OAuth unavailable - Mitigation: Fallback to email/password - **Security breach:** Leaked passwords - Mitigation: Bcrypt, rate limiting, monitoring ``` ## The Checklist Before shipping a PRD, ensure it has: - [ ] Clear problem statement - [ ] Measurable goals - [ ] Explicit non-goals - [ ] User stories with acceptance criteria - [ ] Success metrics (primary + secondary) - [ ] Requirements (must/should/nice) - [ ] User flow diagram - [ ] Technical considerations - [ ] Open questions (with decisions) - [ ] Timeline - [ ] Dependencies - [ ] Risks + mitigations ## Common Mistakes ### **1. Solution, Not Problem** ```markdown # ❌ Build a dashboard # ✅ Users can't see their usage metrics ``` ### **2. Vague Goals** ```markdown # ❌ Improve user experience # ✅ Increase registration completion rate from 60% to 80% ``` ### **3. No Success Metrics** ```markdown # ❌ We'll know it's successful when users like it # ✅ 80% registration completion, 95% login success rate ``` ### **4. Everything is Must Have** ```markdown # ❌ Must Have: 47 features # ✅ Must Have: 5 core features, Should Have: 8, Nice to Have: 12 ``` ## Remember **A PRD is not a spec—it's a shared understanding.** Engineers, designers, and product should all be able to read it and know what success looks like. --- *"If you can't measure it, you can't improve it."* *- Peter Drucker*