docs(ux): inscribe QR/deeplink onboarding decision + V4 security constraints #37
Merged
…traints
Capture maintainer-validated decision (2026-05-24): QR codes and deeplinks
are trigger-only UX for `.klickd` v4 onboarding; they never transport raw
file content, passphrase, durable token, or permanent public link.
- New `docs/ux/V4-ONBOARDING-QR-DEEPLINK.md` (NON-NORMATIVE):
  - preferred zero-server flows `klickd://import` and
    `https://klickd.app/import-klickd` launcher (PWA/WASM, server-stateless);
  - conditional future server-temporary URL gated behind C1–C7
    (encrypted-file-only, short TTL, one-time use, no passphrase, explicit
    consent, no durable identifier, RFC-gated);
  - classification table: local import + reload = P0; trigger schemes =
    P1 conditional; server-temporary URL = P2 conditional; raw-payload QR =
    REJECTED (anti-pattern A3).
- `docs/roadmap/ROAD-TO-V4-GA.md` §2.4 R4-P1-5: replace placeholder
  decision (a/b/c) with the inscribed decision and cross-link the new spec.
Strict governance respected: no SPEC / schema / SDK / vector / wire-format
change; no release / tag; no package version bump; no locked_* touched;
docs-only.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Docs-only PR that inscribes the maintainer-validated decision (2026-05-24, Vince) on QR / deeplink onboarding for `.klickd` v4 and the security constraints that surround it. Follows the merge of #36 (SHA `27e53be44cf512c0420143c2e36bef2b39d4d9a1`).

The previous R4-P1-5 entry in `docs/roadmap/ROAD-TO-V4-GA.md` listed three open alternatives (a/b/c). Vince validated the direction: QR / deeplink is a trigger for the import / resume UI, never a transport for secrets. This PR closes that decision and writes it down.

Changes

- `docs/ux/V4-ONBOARDING-QR-DEEPLINK.md` (new, NON-NORMATIVE) — load-bearing decision:
  - `.klickd` content, passphrase, durable token, or permanent public link to a `.klickd` file
  - `klickd://import` and stateless HTTPS launcher `https://klickd.app/import-klickd` (PWA / WASM, decryption client-side via Web Crypto / hash-wasm Argon2id). User then picks the local file and enters the passphrase locally — same path as R4-P0-1.
  - Accepted before shipping.
  - `klickd://import` and HTTPS launcher = P1 conditional; server-temporary URL = P2 conditional + future RFC; QR / deeplink transporting raw payload or passphrase = REJECTED (anti-pattern A3).
  - `V4-UX-SPEC.md` P3), metadata-only audit logs.
- `docs/roadmap/ROAD-TO-V4-GA.md` §2.4 R4-P1-5 — replace the placeholder a/b/c decision with the inscribed decision and cross-link the new spec. P1 conditional → P2 if zero-server architecture review blocks is preserved.

Strict governance respected

- `locked_*` field touched.

Test plan

- `python verify_vectors.py` → 59/59 passed (0 failed).
- `klickd Cross-Impl Test Vectors` green on this branch.

🤖 Generated with Claude Code
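One way a client could enforce the trigger-only rule on scanned QR or deeplink text, as an added example that is not part of this PR or the klickd code base. The function name `classifyTrigger`, the reason strings, and the assumption that a valid trigger carries no query, fragment, userinfo or port are hypothetical; the page only names the two trigger targets.

```javascript
// Added example (not klickd project code): accept only the two trigger
// targets named in the PR, and refuse anything that could carry data.
// Assumption: a valid trigger has no query, fragment, userinfo or port.
const ALLOWED_TRIGGERS = [
  // Custom scheme: WHATWG URL parses "import" as the host, path "" or "/".
  { protocol: "klickd:", hostname: "import", paths: ["", "/"] },
  // Stateless HTTPS launcher.
  { protocol: "https:", hostname: "klickd.app", paths: ["/import-klickd"] },
];

function classifyTrigger(text) {
  let url;
  try {
    url = new URL(String(text).trim());
  } catch {
    // Raw payloads (base64 blobs, JSON, free text) are not URLs at all.
    return { ok: false, reason: "not-a-url" };
  }
  const target = ALLOWED_TRIGGERS.find(
    (t) =>
      t.protocol === url.protocol &&
      t.hostname === url.hostname &&
      t.paths.includes(url.pathname)
  );
  if (!target) return { ok: false, reason: "unknown-target" };
  // Every remaining URL component is a possible data channel: reject it.
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  if (url.port) return { ok: false, reason: "port" };
  if (url.search) return { ok: false, reason: "query" };
  if (url.hash) return { ok: false, reason: "fragment" };
  // The only permitted effect: open the local import UI. File selection
  // and passphrase entry happen afterwards, on the device.
  return { ok: true, action: "open-import-ui" };
}

// Constructed sample inputs, as a QR scanner or OS deeplink handler might deliver them.
const samples = [
  "klickd://import",
  "https://klickd.app/import-klickd",
  "klickd://import?passphrase=constructed-sample",
  "https://klickd.app/import-klickd#blob=Y29uc3RydWN0ZWQ=",
  "Y29uc3RydWN0ZWQtcGF5bG9hZA==",
];
for (const s of samples) console.log(s, "->", JSON.stringify(classifyTrigger(s)));
```
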