Project List and Sub-Agent Plan

A public-safe project progress board (progress is read from JSON; it contains no sensitive information).

Tech: Strapi (CMS) + Next.js (upload/review portal)
Focus: account permissions, review workflow, deployment and security
Last updated:
Legend: Done / In progress / To do / Blocked

How to read this page

Goal: collect in one page the changes Strapi needs, the work the upload site (Next.js) needs, the review/publish workflow, and the deployment/security policy, so that progress can be shared externally.
  1. Start with the Status table: what is done and what is blocked.
  2. Each section can be expanded into Detailed tasks, including acceptance criteria and notes.
  3. The Sub-Agent Plan splits the work so it can run in parallel; progress is tracked in the Activity log below.

Note: this page is designed to be public (it contains no credentials, intranet links, or sensitive information).

Status table

Area | Task | Owner | Status | Notes / acceptance criteria (public-safe)

This table is rendered from data/progress.json. To update progress, owners, or status, edit that file.

Strapi adjustments

1) Content types & relations (Deliverable: schema checklist)
  • Define a primary content type (example): Submission with fields: title, description, submitter identity ref, status, timestamps.
  • Model uploaded assets: via Strapi Media Library and/or external object storage references.
  • Store review metadata: reviewer, decision, notes, decision timestamp, change history.
  • Plan for versioning: keep a record of what was approved/published.
2) Permissions & roles, least privilege (Deliverable: roles matrix)
  • Submitter: create submissions, view own submissions, upload assets, cannot publish.
  • Reviewer: view all submitted items, add review notes, approve/reject.
  • Admin: manage users/roles, override, configure plugins, deployment env.
  • Prefer explicit permission grants; avoid “super user” accounts for daily use.
3) API surface & tokens (Deliverable: API contract)
  • Decide which endpoints are used by Next app (REST/GraphQL) and which are internal-only.
  • Use server-to-server credentials only on the server (never in browser JS).
  • Document required scopes for each operation (create submission, upload, list review queue, update status).
4) Storage strategy (Deliverable: storage decision)
  • Choose local vs S3-compatible storage for media assets.
  • If external storage: use private buckets + signed URLs + upload size limits.
  • Define retention and deletion policies for rejected/expired submissions.

Activity log

Public-safe log: it records only decisions, progress, and sub-agent tasks, and contains no intranet links or credentials.

Upload site (Next.js: accounts / permissions)

1) Authentication approach (Deliverable: chosen approach + rationale)
  • Pick an auth model: email magic link, OAuth (Google/Microsoft), or SSO/SAML (enterprise).
  • Ensure sessions are httpOnly cookies; protect against CSRF where applicable.
  • Clarify identity source of truth: IdP vs Strapi Users & Permissions plugin.
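The cookie and CSRF items above, as an added example (not the project's code): a helper that emits the session cookie with the attributes that keep it out of page scripts and off cross-site requests, and a request check for state-changing methods that relies on the browser-set Origin and Sec-Fetch-Site headers. The cookie name, site origin and header values are constructed for the example; whichever auth model is chosen, these checks apply to the session it creates.

```typescript
// Added example (not the project's code): session-cookie attributes and a
// framework-neutral origin check for state-changing requests. Cookie name and site
// origin are constructed placeholders.

export function sessionCookie(name: string, value: string, maxAgeSeconds: number): string {
  // HttpOnly: not readable by page scripts. Secure: HTTPS only.
  // SameSite=Lax: not sent on cross-site POSTs. Path=/: scoped to this app.
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Headers are lower-cased keys, as Node and Next.js expose them. Sec-Fetch-Site and
// Origin are set by the browser and cannot be set by cross-site page script, which is
// what makes them usable as a CSRF check.
export function isCsrfSafe(
  method: string, headers: Record<string, string | undefined>, siteOrigin: string,
): boolean {
  if (SAFE_METHODS.has(method.toUpperCase())) return true; // reads carry no state change
  const fetchSite = headers["sec-fetch-site"];
  if (fetchSite !== undefined) return fetchSite === "same-origin";
  const origin = headers["origin"];
  if (origin !== undefined) return origin === siteOrigin;
  // Older browsers may omit Origin: fall back to the Referer's origin.
  const referer = headers["referer"];
  if (referer) {
    try { return new URL(referer).origin === siteOrigin; } catch { return false; }
  }
  return false; // no origin information on a state-changing request: reject
}
```

Treat this as a second layer on top of SameSite=Lax, not a replacement for it: the cookie attribute stops the browser attaching the session to cross-site form posts, and the origin check catches clients and browsers where that attribute is not honoured.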
2) Role mapping & authorization (Deliverable: mapping rules)
  • Map authenticated users to roles (submitter/reviewer/admin).
  • Enforce authorization server-side (API routes / server actions) and double-check at Strapi layer.
  • Hide UI affordances for unauthorized actions, but never rely only on UI gating.
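The roles matrix from the Strapi section (submitter / reviewer / admin) and the server-side enforcement described in this section, worked through together as one added example (not the project's code): grants are listed explicitly and everything else is denied, the check runs on the server against the principal from the validated session, and the UI's list of visible actions is derived from the same table so it cannot drift from what the server allows. The action names and the Submission shape are constructed for the example; the matching check at the Strapi layer is a separate role configuration and is not shown.

```typescript
// Added example (not the project's code): explicit, deny-by-default permission
// matrix for the three roles on this page, evaluated on the server in a Next.js
// route handler or server action. Action names and Submission shape are constructed.
export type Role = "submitter" | "reviewer" | "admin";
export type Action =
  | "submission:create" | "submission:read" | "asset:upload"
  | "review:note" | "review:decide" | "submission:publish" | "user:manage";

export interface Principal { id: string; role: Role }  // taken from the validated session
export interface Submission { id: string; submitterId: string; status: string }

type Rule = (p: Principal, s?: Submission) => boolean;
const always: Rule = () => true;
const own: Rule = (p, s) => s !== undefined && s.submitterId === p.id;

// Only grants are listed. Any role/action pair missing here is denied, so a new
// action stays closed until someone deliberately opens it.
const MATRIX: Record<Role, Partial<Record<Action, Rule>>> = {
  submitter: { "submission:create": always, "submission:read": own, "asset:upload": own },
  reviewer:  { "submission:read": always, "review:note": always, "review:decide": always },
  admin: {
    "submission:create": always, "submission:read": always, "asset:upload": always,
    "review:note": always, "review:decide": always, "submission:publish": always,
    "user:manage": always,
  },
};

export function can(p: Principal, action: Action, s?: Submission): boolean {
  const rule = MATRIX[p.role][action];
  return rule !== undefined && rule(p, s);
}

// Server-side guard: throws instead of returning, so a forgotten `if` cannot
// silently fall through into the handler body.
export function authorize(p: Principal, action: Action, s?: Submission): void {
  if (!can(p, action, s)) throw new Error(`forbidden: ${p.role} may not ${action}`);
}

// UI gating derived from the same table, so hidden buttons and server rejections
// never disagree. The server check above still runs on every request.
export function visibleActions(p: Principal, s?: Submission): Action[] {
  return (Object.keys(MATRIX[p.role]) as Action[]).filter((a) => can(p, a, s));
}
```

The `own` rule is where "view own submissions" is enforced: a submitter asking for someone else's item gets the same denial as one asking for an action their role does not have, and a request with no submission in context is denied rather than assumed to be the caller's own.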
3) Upload flow (Deliverable: end-to-end upload spec)
  • Decide: direct-to-storage upload (preferred for large files) vs proxy through Next server.
  • Validate: type/size, malware scanning hook (if needed), filename normalization.
  • Show: progress, retries, and clear error messages.
4) Reviewer experience (Deliverable: review queue UI)
  • Queue list: filters by status/date/submitter.
  • Detail view: preview assets, add internal notes, approve/reject with reason codes.
  • Audit trail: show history of decisions and changes.

Review workflow

1) State machine (Deliverable: states + transitions)
  • Define canonical states: draft, submitted, in_review, approved, rejected, published.
  • Specify transitions and who can perform them.
  • Ensure state changes are atomic (avoid double-approval races).
2) Notifications & SLAs (Deliverable: notification rules)
  • Notify reviewers on new submissions; notify submitters on decision.
  • Optional: reminders on aging items.
  • Keep notification content generic (don’t leak private data into email).
3) Publishing boundaries (Deliverable: publish policy)
  • Decide what “published” means: visible on a public site, or available to an internal audience.
  • Require approvals before publish if needed.
  • Record who published and when.

Deployment and security

This section is kept brief for now: the current goal is to publish the checklist externally at checklist.jackeyluo.me (Cloudflare Pages + automatic Git deployment). Fuller deployment/security details will be added later as new tasks tracked in the status table.

Sub-Agent Plan

Only sub-agents that actually exist are shown here. To add one or update its status, edit data/progress.json.