MetricAid · for pat.smuk · 2026-06-26

Legacy 2FA — Beta Readiness

Not ready to ship today

The shared layer is done — mastructs, ptolemy v1, and athena are merged. The user-facing half isn't: charon (auth core), andromeda (login UX), and mercury (OTP email) are still on feature branches, and the services are pinned to drifting mastructs versions. 3 of 6 services ready · 3 blockers.

Where each service stands

service	role in 2FA	state	PR	mastructs pin
mastructs	shared MFA schema + auth claims; auto-creates tables on startup	merged	#31 #32	master (9cde804)
ptolemy v1	API; triggers the table creation on startup	merged	#124	master ✓
athena	Node API; MFA-verified gate in auth middleware	merged	#21 #22	n/a
charon	auth core: TOTP + email-OTP, lockout, replay guards	not merged (17 ahead)	#9 open, no approval	e2f759e (branch)
andromeda	web UI: login challenge, QR enrollment, Security page	not merged (12 ahead)	#144 open, no approval	a8439a8 (older)
mercury	sends the OTP email (charon calls it)	not merged (4 ahead)	no PR opened	1d68265 (Jun 19)

euclid, helios, diocletian — no 2FA branches, no change needed.

What's blocking today

charon #9 is unmerged — and it's the auth core. TOTP + email-OTP live here; no approval, and fixes were still landing today. Everything waits on this.
andromeda #144 is unmerged — no login UX without it. The /login/mfa page, QR enrollment and Security settings are all here.
mercury has no PR — email-OTP can't send. Only a hard blocker if email-OTP is in scope for beta; TOTP works without it.

mastructs pin drift

Legacy MFA tables are auto-created on startup via mastructs ensuretablesexist, so every service must compile against the same mastructs — otherwise the first service to boot can create a table shape another doesn't expect. ptolemy is on master; the three unmerged services aren't.

Fix before tagging: go get github.com/MetricAid/mastructs@master && go mod tidy on charon, andromeda, and mercury.

How it reaches beta

Push a dated tag v20260626 → autobuilder EC2 builds metricaidops/<svc>:tag and :latest → Docker Hub → Komodo redeploy (beta pulls :latest).

Tags can come from any branch, but :latest moves on every build and prod pulls :latest too — so tag master after merge, not feature branches. Legacy DB: the MFA tables are created by mastructs at startup, so there's no manual migration.

Deploy order: charon + mercury → helios + diocletian → euclid → ptolemy → andromeda → athena.

Path to green

Land charon #9 and andromeda #144 (with review); open and merge a mercury PR — or consciously defer mercury if beta is TOTP-first.
Bump charon / andromeda / mercury to mastructs master and go mod tidy.
Tag all six on master with v20260626 → autobuilder → :latest.
Komodo redeploy in order; confirm each container boots clean.
Smoke test: TOTP enroll (QR) → challenge → verify; email-OTP send; backup codes; lockout.

Open questions

Is email-OTP (mercury) in scope for today's beta, or are we TOTP-first?
OK to bump charon / andromeda / mercury to mastructs master before tagging?
Who reviews #9 and #144 — and are charon / andromeda actually final?