The Telegram bot phase ended in Plan 3 — the operator now signs in
via username + password. Migration 0011 drops the legacy column +
its unique index. seed.ts no longer reads SEED_OPERATOR_TELEGRAM_ID;
docker-compose.base.yml swaps the env to SEED_OPERATOR_USERNAME
(default 'admin'); .env.development follows. Settings page shows
'Username' instead of 'Operator ID'. Auth-and-prod-hardening plan
doc updated to drop the synthetic telegram_user_id from the
create-user CLI script and createUserAction insert.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
10 tasks, TDD-shaped, executable by superpowers:subagent-driven-development.
~50 unit tests across auth-cookie / safe-redirect / auth helpers /
loginAction / middleware / user-management actions, covering brute-
force, cookie tampering, replay, expiry, fixation, open redirect,
timing-equivalence on user-not-found, rate-limit trigger, no-
password-leak in logs, role gates, last-admin / self-demote guards,
and the unauth-API regression for /api/events + /api/qr.
Plan honours the project's .gitignore policy of keeping
.env.development committed; ships .env.example for documentation
instead of forcing repo-level removal.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
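The test list above names the guards without showing them. As an added example that is not the project's own code, here are stand-alone versions of four of them in TypeScript (the language of `seed.ts`, `loginAction` and the middleware): the open-redirect check, a timing-equivalent user-not-found path, a signed-and-expiring session cookie, and a brute-force attempt counter. Every function and class name here is assumed for illustration; only Node's built-in `node:crypto` is used.

```typescript
// Added example, not the project's own code: stand-alone versions of four of the
// guards the test list names (open redirect, timing-equivalent user-not-found,
// cookie tampering/expiry, brute-force lockout). Every function name here is
// assumed for illustration; only Node's built-in crypto is used.
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// --- Open-redirect guard: accept only an app-relative path on our own origin.
export function safeRedirect(target: unknown, fallback = "/"): string {
  if (typeof target !== "string" || target.length === 0 || target.length > 2048) return fallback;
  // "//host" is protocol-relative and "/\host" is treated as "//host" by browsers.
  if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) return fallback;
  if (/[\r\n\u0000]/.test(target)) return fallback; // CR/LF would enable header injection
  const base = "http://localhost"; // fixed origin to resolve against (assumed)
  let url: URL;
  try { url = new URL(target, base); } catch { return fallback; }
  if (url.origin !== base) return fallback; // anything that resolved off-origin
  return url.pathname + url.search + url.hash;
}

// --- Login check that costs the same whether or not the username exists.
type StoredUser = { salt: Buffer; hash: Buffer };
const KEYLEN = 32;

export function hashPassword(password: string, salt: Buffer = randomBytes(16)): StoredUser {
  return { salt, hash: scryptSync(password, salt, KEYLEN) };
}

// Fixed dummy record: an unknown username still pays the scrypt cost, so the
// response time does not reveal whether the account exists.
const DUMMY: StoredUser = hashPassword("dummy-never-accepted", Buffer.alloc(16, 0x42));

export function verifyLogin(users: Map<string, StoredUser>, username: string, password: string): boolean {
  const user = users.get(username);
  const record = user ?? DUMMY;
  const candidate = scryptSync(password, record.salt, KEYLEN);
  const match = timingSafeEqual(candidate, record.hash);
  // Evaluated only after the hash work; an unknown user never logs in even on a dummy match.
  return user !== undefined && match;
}

// --- HMAC-signed session cookie with expiry: a tampered body or MAC, or an
// expired token replayed later, all verify to null.
export function signCookie(secret: Buffer, payload: { sub: string; exp: number }): string {
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  const mac = createHmac("sha256", secret).update(body).digest("base64url");
  return `${body}.${mac}`;
}

export function verifyCookie(secret: Buffer, cookie: string, now: number = Date.now()): { sub: string } | null {
  const parts = cookie.split(".");
  if (parts.length !== 2) return null;
  const body = parts[0] ?? "";
  const given = Buffer.from(parts[1] ?? "", "base64url");
  const expected = createHmac("sha256", secret).update(body).digest();
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let parsed: unknown;
  try { parsed = JSON.parse(Buffer.from(body, "base64url").toString("utf8")); } catch { return null; }
  if (typeof parsed !== "object" || parsed === null) return null;
  const { sub, exp } = parsed as { sub?: unknown; exp?: unknown };
  if (typeof sub !== "string" || typeof exp !== "number" || exp <= now) return null;
  return { sub };
}

// --- Fixed-window attempt counter per key (username or client IP) for brute-force lockout.
export class AttemptLimiter {
  private readonly attempts = new Map<string, { count: number; windowStart: number }>();
  constructor(private readonly max: number, private readonly windowMs: number) {}

  // Records one attempt and reports whether it is still within the allowance.
  allow(key: string, now: number = Date.now()): boolean {
    const entry = this.attempts.get(key);
    if (entry === undefined || now - entry.windowStart >= this.windowMs) {
      this.attempts.set(key, { count: 1, windowStart: now });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.max;
  }
}
```

Two design points worth noting: `verifyLogin` computes the scrypt hash and the `user !== undefined` check in that order on purpose, so an unknown username does the same work as a known one and the dummy record can never authenticate; and `safeRedirect` keeps the explicit `//` and `/\` prefix checks even though the origin comparison would also catch them, because the WHATWG parser rewrites backslashes for `http:` URLs and the belt-and-braces check is cheap.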