# Phase 1: Foundation & Auth - Context

**Gathered:** 2026-01-31

**Status:** Ready for planning

## Phase Boundary

Users can create accounts, log in (email/password or Google OAuth), and subscribe to plans (Free, Creator, Pro) in a secure multi-tenant environment. All data is isolated per tenant with Row Level Security. This phase builds the foundation — onboarding wizard, chat interface, and social connections are separate phases.

## Implementation Decisions

### Registration Flow

- Email verification is **mandatory** — the user cannot access the app until verified
- Password requirements: **medium** (8+ characters, 1 number, 1 uppercase)
- Registration fields: Claude's discretion (likely minimal to reduce friction)
- Verification method: Claude's discretion (link vs 6-digit code)

### Plan Selection

- When to choose a plan: Claude's discretion (likely start Free, upgrade later)
- Plan display format: Claude's discretion (table vs cards)
- Trial offering: Claude's discretion (likely no trial, the Free tier is the trial)
- Upgrade prompt style: Claude's discretion (likely a non-invasive banner)

### Session Behavior

- Session duration: Claude's discretion (likely 30 days)
- Multi-device: Claude's discretion (likely unlimited)
- "Logout from all devices": Claude's discretion
- **New device notification: YES** — email when a login comes from an unrecognized device

### Login Experience

- Login method priority: Claude's discretion (Google vs email form)
- "Remember me" checkbox: Claude's discretion
- **Error messages: SPECIFIC** — tell the user "Password errata" ("Incorrect password") or "Email non registrata" ("Email not registered") (more helpful than generic)
- **Password reset: link via email** (not code)

### Claude's Discretion

- Registration form fields (minimize friction)
- Verification method (link vs code)
- Plan selection timing and UI
- Trial offering (if any)
- Upgrade prompt style
- Session duration
- Multi-device policy
- Login method visual priority
- "Remember me" behavior

## Specific Ideas

- Error messages should be helpful and specific (user-friendly over security-paranoid)
- New device login notification via email (security feature the user explicitly wanted)
- Password reset via clickable link, not OTP code

## Deferred Ideas

None — discussion stayed within phase scope

---

*Phase: 01-foundation-auth*

*Context gathered: 2026-01-31*
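The per-tenant isolation with Row Level Security named in the Phase Boundary, shown as an added Postgres example (not the project's own schema); the `subscriptions` table, the `tenant_id` column, the `app_user` role and the `app.tenant_id` session setting are assumptions:

```sql
-- Added example: per-tenant isolation with Postgres Row Level Security.
-- Assumptions (not from the project): a subscriptions table keyed by
-- tenant_id, an application role app_user, and the tenant bound to each
-- request through the session setting app.tenant_id.

CREATE TABLE subscriptions (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    plan       text NOT NULL CHECK (plan IN ('free', 'creator', 'pro')),
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Every query goes through the policy, including queries issued by the
-- table owner (ENABLE alone exempts the owner).
ALTER TABLE subscriptions ENABLE ROW LEVEL SECURITY;
ALTER TABLE subscriptions FORCE ROW LEVEL SECURITY;

-- Rows are readable and writable only for the tenant bound to the session.
-- NULLIF(..., '') turns an unset or reset setting into NULL, and a NULL
-- comparison matches no rows, so an unscoped connection sees nothing
-- instead of every tenant's data.
CREATE POLICY tenant_isolation ON subscriptions
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as a plain role: superusers and roles created
-- with BYPASSRLS are never subject to policies.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON subscriptions TO app_user;
GRANT USAGE, SELECT ON SEQUENCE subscriptions_id_seq TO app_user;

-- Per-request scoping, issued inside the request's transaction after the
-- session (or OAuth token) has been validated:
--   SET LOCAL app.tenant_id = '<tenant uuid from the verified session>';
-- SET LOCAL reverts at COMMIT/ROLLBACK, so a pooled connection cannot carry
-- one tenant's scope into the next request.
```

A request handler that forgets the `SET LOCAL` returns zero rows rather than another tenant's rows, which is the failure mode the policy is there to catch.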