implement, needs review

Author: aligneddev

.github/agents/copilot-instructions.md

@@ -0,0 +1,30 @@
+# neCodeBikeTracking Development Guidelines
+
+Auto-generated from all feature plans. Last updated: 2026-03-13
+
+## Active Technologies
+
+- .NET 10 (C#), F# (domain project), TypeScript 5.x (Aurelia 2 frontend) + ASP.NET Core Minimal API, Microsoft Aspire AppHost, Entity Framework Core + SQLite provider, Aurelia 2 + `@aurelia/router`, .NET `System.Security.Cryptography` (PBKDF2), background worker for outbox retry (001-user-signup-pin)
+
+## Project Structure
+
+```text
+backend/
+frontend/
+tests/
+```
+
+## Commands
+
+npm test; npm run lint
+
+## Code Style
+
+.NET 10 (C#), F# (domain project), TypeScript 5.x (Aurelia 2 frontend): Follow standard conventions
+
+## Recent Changes
+
+- 001-user-signup-pin: Added .NET 10 (C#), F# (domain project), TypeScript 5.x (Aurelia 2 frontend) + ASP.NET Core Minimal API, Microsoft Aspire AppHost, Entity Framework Core + SQLite provider, Aurelia 2 + `@aurelia/router`, .NET `System.Security.Cryptography` (PBKDF2), background worker for outbox retry
+
+<!-- MANUAL ADDITIONS START -->
+<!-- MANUAL ADDITIONS END -->

.gitignore

@@ -40,9 +40,20 @@ appsettings.Development.json
 
 # Others
 *.db
+*.db-shm
+*.db-wal
 *.sqlite
+*.sqlite-shm
+*.sqlite-wal
 *.bak
 *.cache
+node_modules/
+dist/
+build/
+coverage/
+.env*
+*.tmp
+*.swp
 
 #Paket dependency manager
 paket-files/

.specify/memory/constitution.md

@@ -155,6 +155,10 @@ Example: "User records a bike ride" slice includes:
 - Background function listening to CES to update RideProjection
 - Aspire AppHost configuration for frontend + API + database orchestration; Azure CLI deployment scripts for Static Web Apps (frontend) and Container Apps (API)
 
+run `dotnet format .` to enforce code style; `dotnet test` to run tests; `dotnet run --project src/BikeTracking.AppHost` to start local stack; GitHub Actions for CI/CD to Azure.
+
+run Typescript linting and formatting via `npm run lint` and `npm run format` in the frontend directory.
+
 ### Vertical Slice Implementation Strategy: Minimal-First Approach
 
 After the application structure is built, implementation proceeds in **vertical slices with minimal functionality first**:
@@ -166,7 +170,7 @@ After the application structure is built, implementation proceeds in **vertical
    - Event and projection for persistence
    - Database schema (migrations)
    - No bells, whistles, or optional features
-3. **Test & Verify**: Run full test suite (unit, integration, E2E); deploy locally via `dotnet run` and manually verify the slice works as specified.
+3. **Test & Verify**: Run full test suite (unit, integration, E2E); deploy locally via `dotnet run` and manually verify the slice works as specified.  Each slice must be fully tested (unit, integration, E2E) and user-approved before proceeding to the next slice.
 4. **User Decision Point**: Once minimal slice is verified and working, present the user with options:
    - **Approve Minimal & Iterate**: User approves the working slice, then we build next priority feature (additional fields, refinements, enhancement)
    - **Expand Current Slice**: User requests additional functionality for the current slice before finalizing (e.g., "add weather capture" to the ride recording feature)

README.md

@@ -1,30 +1,29 @@
 # Commute Bike Tracker
 
-Scaffolded starter structure for a local-first Bike Tracking application.
+Local-first Bike Tracking application built with .NET Aspire orchestration, .NET 10 Minimal API, F# domain modules, and an Aurelia 2 frontend.
 
-## What exists now
+## Current Feature Slice
 
-- .NET 10 Aspire AppHost orchestration
-- .NET 10 Minimal API backend with hello endpoints
-- F# domain project placeholder
-- React frontend (Vite) with a simple hello screen
-- No business logic implemented yet
-- No database schema created yet
+- Local user signup with name and PIN
+- PIN protection through salted, non-reversible hashing (PBKDF2)
+- Duplicate-name rejection using trimmed, case-insensitive normalization
+- User identification with progressive retry delay (up to 30 seconds)
+- User registration outbox with background retry until successful publication
 
-## Project structure
+## Project Structure
 
 - src/BikeTracking.AppHost - Aspire orchestration host
 - src/BikeTracking.Api - Minimal API service
-- src/BikeTracking.ServiceDefaults - Shared Aspire defaults/telemetry wiring
-- src/BikeTracking.Domain.FSharp - Domain layer starter project (F#)
-- src/BikeTracking.Frontend - React frontend app
+- src/BikeTracking.ServiceDefaults - Shared Aspire defaults and telemetry wiring
+- src/BikeTracking.Domain.FSharp - Domain event and type modules (F#)
+- src/BikeTracking.Frontend - Aurelia 2 frontend app
 
 ## Prerequisites
 
 - .NET SDK 10.x
 - Node.js 20+ and npm
 
-## Quick start
+## Quick Start
 
 1. Install frontend dependencies:
 
@@ -40,15 +39,23 @@ cd ../..
 dotnet run --project src/BikeTracking.AppHost
 ```
 
-3. Open Aspire dashboard and launch services:
-- `frontend` for the React hello screen
-- `api` for the Minimal API
+3. Open Aspire dashboard and launch:
+- frontend service for the signup and identify screen
+- api service for local identity endpoints
 
-## API starter endpoints
+## Local Identity Endpoints
 
-- `/` returns API running message
-- `/hello` returns hello message
+- GET / - API status
+- POST /api/users/signup - create local user record and queue UserRegistered event
+- POST /api/users/identify - authorize user by normalized name and PIN
 
-## Next step
+## Local Scope Boundaries
 
-Use SpecKit to define the first vertical slice before implementing features.
+- This slice is local-only and intentionally excludes OAuth and Azure hosting.
+- Name and PIN are validated on client and server.
+- PIN plaintext is never stored or emitted in events.
+- Future cloud and OAuth expansion will be delivered in a separate feature.
+
+## Next Step
+
+Continue with task execution and verification using specs/001-user-signup-pin/tasks.md.

specs/001-user-signup-pin/checklists/requirements.md

@@ -0,0 +1,35 @@
+# Specification Quality Checklist: Local User Signup and PIN Identity
+
+**Purpose**: Validate specification completeness and quality before proceeding to planning  
+**Created**: 2026-03-13  
+**Feature**: [spec.md](../spec.md)
+
+## Content Quality
+
+- [x] No implementation details (languages, frameworks, APIs)
+- [x] Focused on user value and business needs
+- [x] Written for non-technical stakeholders
+- [x] All mandatory sections completed
+
+## Requirement Completeness
+
+- [x] No [NEEDS CLARIFICATION] markers remain
+- [x] Requirements are testable and unambiguous
+- [x] Success criteria are measurable
+- [x] Success criteria are technology-agnostic (no implementation details)
+- [x] All acceptance scenarios are defined
+- [x] Edge cases are identified
+- [x] Scope is clearly bounded
+- [x] Dependencies and assumptions identified
+
+## Feature Readiness
+
+- [x] All functional requirements have clear acceptance criteria
+- [x] User scenarios cover primary flows
+- [x] Feature meets measurable outcomes defined in Success Criteria
+- [x] No implementation details leak into specification
+
+## Notes
+
+- All checklist items passed in validation iteration 1.
+- No clarification questions are required for this feature.

specs/001-user-signup-pin/contracts/signup-identify-api.yaml

@@ -0,0 +1,174 @@
+openapi: 3.0.3
+info:
+  title: BikeTracking Local User Identity API
+  version: 1.0.0
+  description: Local-first signup and identification endpoints for name and PIN authorization.
+
+paths:
+  /api/users/signup:
+    post:
+      summary: Create a local user with name and PIN
+      operationId: signupUser
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/SignupRequest'
+      responses:
+        '201':
+          description: User created
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/SignupSuccessResponse'
+        '400':
+          description: Validation failed
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+        '409':
+          description: Duplicate normalized name
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+
+  /api/users/identify:
+    post:
+      summary: Identify and authorize local user by normalized name and PIN
+      operationId: identifyUser
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/IdentifyRequest'
+      responses:
+        '200':
+          description: Authorized
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/IdentifySuccessResponse'
+        '400':
+          description: Validation failed
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+        '401':
+          description: Invalid credentials
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+        '429':
+          description: Request throttled due to repeated failures
+          headers:
+            Retry-After:
+              schema:
+                type: integer
+                minimum: 1
+              description: Seconds before next attempt is processed.
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ThrottleResponse'
+
+components:
+  schemas:
+    SignupRequest:
+      type: object
+      required:
+        - name
+        - pin
+      properties:
+        name:
+          type: string
+          description: Display name; server trims and normalizes for duplicate detection.
+        pin:
+          type: string
+          description: Numeric PIN input, validated by policy.
+
+    SignupSuccessResponse:
+      type: object
+      required:
+        - userId
+        - userName
+        - createdAtUtc
+      properties:
+        userId:
+          type: integer
+          format: int64
+        userName:
+          type: string
+        createdAtUtc:
+          type: string
+          format: date-time
+        eventStatus:
+          type: string
+          enum:
+            - queued
+            - published
+
+    IdentifyRequest:
+      type: object
+      required:
+        - name
+        - pin
+      properties:
+        name:
+          type: string
+          description: Name compared using trimmed, case-insensitive normalization.
+        pin:
+          type: string
+
+    IdentifySuccessResponse:
+      type: object
+      required:
+        - userId
+        - userName
+        - authorized
+      properties:
+        userId:
+          type: integer
+          format: int64
+        userName:
+          type: string
+        authorized:
+          type: boolean
+          enum: [true]
+
+    ThrottleResponse:
+      type: object
+      required:
+        - code
+        - message
+        - retryAfterSeconds
+      properties:
+        code:
+          type: string
+          enum:
+            - throttled
+        message:
+          type: string
+        retryAfterSeconds:
+          type: integer
+          minimum: 1
+
+    ErrorResponse:
+      type: object
+      required:
+        - code
+        - message
+      properties:
+        code:
+          type: string
+        message:
+          type: string
+        details:
+          type: array
+          items:
+            type: string