Account / Identity

Intent

Keep authentication and identity state correct, observable, and isolated from other bounded contexts.

Boundaries

• Treat identity as a separate context: other modules depend on identity signals/tokens, not on Firebase Auth types.
• Do not leak platform objects (Firebase User, JWT claims) into Domain models.

Signal-First Auth State

• Represent the current session as signals (user, isAuthenticated, userId, claims).
• Convert Observable streams to signals at the store/facade boundary.
• Ensure cleanup is automatic (use Angular signal interop helpers and lifecycle-aware patterns).

Authorization

• Prefer explicit permissions signals (e.g., canReadWorkspace, canManageMembers) derived from claims/membership.
• Keep permission rules centralized (one store/service), not duplicated across components.

Routing

• Use functional guards and inject().
• Guard by signals (not by async subscribe-in-guard side effects).

Error Handling

• Map provider errors (Firebase/HTTP) to app-level error types before exposing to UI.
• UI should render stable error states; avoid throwing raw platform errors.

Security Checklist

• Never rely on the client for authorization.
• Treat security rules / server checks as the enforcement mechanism.
• Avoid persisting secrets in source code; use environment configuration.