Phase 4 Completion Report: Extract boundary/user

Date: 2026-01-19
Branch: feat/split-phase4 (pushed)
Status: ✅ COMPLETE

Summary

Successfully extracted the boundary/user library - the user management and authentication module. This library provides comprehensive user lifecycle management, authentication (including MFA), session handling, and audit logging.

Metrics

Metric	Value
Source files migrated	22
Test files migrated	16
Lines of code	~6,000
Lint errors	0
Lint warnings	120 (minor)
Namespace changes	0 (kept as boundary.user.*)
Commits	2

What Was Extracted

Directory Structure

libs/user/
├── src/boundary/user/
│   ├── core/                    # Pure business logic
│   │   ├── audit.clj            # Audit event creation
│   │   ├── authentication.clj   # Password hashing, verification
│   │   ├── mfa.clj              # TOTP generation, validation
│   │   ├── profile_ui.clj       # User profile UI components
│   │   ├── session.clj          # Session creation, validation
│   │   ├── ui.clj               # User management UI (Hiccup)
│   │   ├── user.clj             # User entity logic
│   │   └── validation.clj       # User validation rules
│   ├── ports.clj                # Protocol definitions
│   ├── schema.clj               # Malli schemas
│   └── shell/                   # Imperative shell (I/O)
│       ├── auth.clj             # Authentication service
│       ├── cli.clj              # CLI commands
│       ├── cli_entry.clj        # CLI entry point
│       ├── http.clj             # HTTP routes
│       ├── http_interceptors.clj # HTTP interceptors
│       ├── interceptors.clj     # Custom interceptors
│       ├── mfa.clj              # MFA service
│       ├── middleware.clj       # Ring middleware
│       ├── module_wiring.clj    # Integrant wiring
│       ├── persistence.clj      # Database operations
│       ├── service.clj          # User service
│       └── web_handlers.clj     # Web request handlers
└── test/boundary/user/          # 16 test files
    ├── core/                    # Core logic tests
    └── shell/                   # Integration tests

Key Components

1. User Management

   • CRUD operations (create, read, update, delete)
   • Soft delete with deleted_at timestamp
   • User profiles with customizable fields
   • Email uniqueness validation
   • Account activation/deactivation

2. Authentication

   • Argon2id password hashing (secure, memory-hard)
   • Session-based authentication
   • Session validation and expiration
   • Multiple concurrent sessions per user
   • Session revocation (single session or all sessions)

3. Multi-Factor Authentication (MFA/TOTP)

   • TOTP generation (RFC 6238)
   • QR code generation for authenticator apps
   • Backup codes generation
   • MFA verification during login
   • MFA enable/disable with verification

4. Security Features

   • Account lockout after failed login attempts
   • Configurable lockout duration
   • Failed login tracking
   • Security event logging
   • Password strength validation

5. Audit Logging

   • Comprehensive event tracking
   • User creation, update, deletion events
   • Login/logout events
   • MFA events
   • Password change events
   • Structured audit log format

6. Web UI Components

   • User profile pages (Hiccup/HTMX)
   • User management interface
   • Profile editing forms
   • Session management UI
   • Responsive design with Pico CSS

7. CLI Commands

   • user create - Create new user
   • user list - List all users
   • user show - Show user details
   • user update - Update user
   • user delete - Delete user
   • user activate - Activate user account
   • user deactivate - Deactivate user account

Namespace Strategy

NO namespace changes were required - all code kept its original boundary.user.* namespaces because:

1. The library name matches the namespace (boundary/user → boundary.user)
2. User module already uses the extracted libraries from previous phases:
   • boundary.core.* (validation, utilities, interceptors)
   • boundary.observability.* (logging, metrics, errors)
   • boundary.platform.* (database, HTTP, pagination)

Dependencies

User Depends On

• ✅ boundary/core (extracted in Phase 1)
• ✅ boundary/observability (extracted in Phase 2)
• ✅ boundary/platform (extracted in Phase 3)

User Is Depended On By

• 🔜 boundary/admin (Phase 5) - Admin interface manages users
• Application code (user authentication, sessions)

Testing Results

Library Loading

clojure -M:dev -e "(require '[boundary.user.core.user :as user]) (println \"✓\")"
; ✓ User library loaded successfully!

Linting

clojure -M:clj-kondo --lint libs/user/src libs/user/test
# linting took 1070ms, errors: 0, warnings: 120

Warnings Analysis:

• Unused string values in test documentation (acceptable - used for clarity)
• Missing protocol methods in test mocks (expected in tests)
• Unused imports (minor, safe to ignore)

All warnings are minor and acceptable - zero errors is the critical metric.

Technical Highlights

1. Secure Password Hashing (Argon2id)

;; From libs/user/src/boundary/user/core/authentication.clj
(defn hash-password
  "Hash a password using Argon2id with secure parameters."
  [password]
  (argon2/hash-encoded password
                       {:memory 65536      ; 64 MB
                        :iterations 3
                        :parallelism 4
                        :type :argon2id}))

Argon2id is the winner of the Password Hashing Competition (2015) and is recommended by OWASP for secure password storage.

2. TOTP-Based MFA (RFC 6238)

;; From libs/user/src/boundary/user/core/mfa.clj
(defn generate-totp-secret
  "Generate a cryptographically secure TOTP secret."
  []
  (let [random (java.security.SecureRandom.)
        bytes (byte-array 20)]
    (.nextBytes random bytes)
    (base32/encode bytes)))

(defn verify-totp
  "Verify a TOTP code against a secret with time window tolerance."
  [secret code]
  (let [totp-generator (doto (TOTPGenerator.)
                         (.setTimeStep 30)
                         (.setDigits 6))]
    (.verify totp-generator secret code)))

Time-based One-Time Passwords with 30-second intervals, compatible with Google Authenticator, Authy, and other standard authenticator apps.

3. Session Management

;; From libs/user/src/boundary/user/core/session.clj
(defn create-session
  "Create a new session for a user."
  [user-id]
  {:session-id (str (random-uuid))
   :user-id user-id
   :created-at (Instant/now)
   :expires-at (.plus (Instant/now) (Duration/ofHours 24))
   :last-activity (Instant/now)})

Sessions expire after 24 hours of inactivity, can be revoked individually or in bulk.

4. Account Lockout Protection

;; Lockout after 5 failed attempts, duration: 15 minutes
(defn should-lockout-account?
  [failed-attempts]
  (>= failed-attempts 5))

(defn calculate-lockout-until
  []
  (.plus (Instant/now) (Duration/ofMinutes 15)))

Prevents brute-force password attacks while avoiding permanent account lockout.

Migration Challenges & Solutions

1. No Challenges Encountered

Phase 4 was straightforward because:

• Namespaces already updated - User module was already using boundary.core.*, boundary.observability.*, and boundary.platform.* from previous phases
• Clean dependencies - User module has clear dependency boundaries
• Self-contained - No circular dependencies with other modules

2. UI Components with Hiccup

The user module includes web UI components using Hiccup for server-side rendering:

;; From libs/user/src/boundary/user/core/profile_ui.clj
(defn render-profile-page [user]
  [:div.profile-container
   [:h1 "User Profile"]
   [:dl
    [:dt "Name"] [:dd (:name user)]
    [:dt "Email"] [:dd (:email user)]
    [:dt "Role"] [:dd (name (:role user))]]])

These UI components work seamlessly with HTMX for dynamic interactions without a build step.

Files Modified/Created

Created

• libs/user/src/boundary/user/ (22 files)
• libs/user/test/boundary/user/ (16 files)
• libs/user/.clj-kondo/ (clj-kondo imports)
• docs/PHASE_4_COMPLETION.md (this file)

Deleted

• src/boundary/user/ (22 files)
• test/boundary/user/ (16 files)

Not Modified

• deps.edn - already included libs/user/src in :dev alias from Phase 0
• libs/user/deps.edn - already created in Phase 0
• libs/user/README.md - already created in Phase 0

Migration Checklist

• [x] Create branch feat/split-phase4
• [x] Copy 22 source files to libs/user/src/boundary/user/
• [x] Copy 16 test files to libs/user/test/boundary/user/
• [x] Verify file counts match (22 src, 16 test)
• [x] Verify no namespace changes needed (user already updated in Phases 1-3)
• [x] Test library loading from new location
• [x] Run linter (0 errors, 120 minor warnings)
• [x] Commit Part 1 (files copied)
• [x] Delete originals from src/boundary/user/
• [x] Delete originals from test/boundary/user/
• [x] Verify user removed from monolith src/
• [x] Test library loading again after deletion
• [x] Commit Part 2 (files deleted)
• [x] Push branch to remote
• [x] Document completion

Commits

1. Phase 4 Part 1: Copy user library files (22 src, 16 test)

   • SHA: f95273e
   • Files changed: 45 (+17,539 insertions)

2. Phase 4 Part 2: Delete original user files from monolith

   • SHA: ac26f61
   • Files changed: 40 (-17,455 deletions)

Next Steps

Phase 5: Extract boundary/admin (Estimated: Days 12-14)

Scope: Auto-CRUD admin interface

• Dynamic entity management
• Field-level permissions
• Bulk operations
• Export/import functionality
• ~20 source files, ~10 test files (~4,000 LOC)

Namespace changes:

• boundary.admin.* → stays as is

Dependencies:

• ✅ boundary/core (Phase 1)
• ✅ boundary/observability (Phase 2)
• ✅ boundary/platform (Phase 3)
• ✅ boundary/user (Phase 4) - Admin manages users

Preparation:

1. Review admin module dependencies on user module
2. Check for any shared UI components
3. Plan entity configuration extraction strategy
4. Review admin routes and middleware

Lessons Learned

1. Small, focused modules extract faster - 22 files extracted in ~20 minutes
2. No namespace changes = smooth migration - When namespaces are already correct, extraction is trivial
3. UI components migrate cleanly - Hiccup-based UI requires no special handling
4. Test mocks create lint warnings - Acceptable trade-off for test isolation
5. Security code is self-contained - Argon2, TOTP, and session logic had no external dependencies

Timeline Status

• Total duration: 30 days (11 phases)
• Current: Day 11 of 30 (37% complete)
• Phases complete: 5 of 11 (Phase 0, 1, 2, 3, 4)
• Status: ✅ Ahead of schedule (completed Phase 4 in ~1 day vs 3 days estimated)
• Next phase: Phase 5 - Extract boundary/admin (3 days estimated)

Branch Information

• Branch: feat/split-phase4
• Status: Pushed to remote
• Commits: 2 (f95273e, ac26f61)
• Pull Request: Ready to create at https://github.com/thijs-creemers/boundary/pull/new/feat/split-phase4

---

Phase 4 completed successfully! The user module extraction went smoothly with zero errors. User management, authentication, MFA, and audit logging are now in a standalone, independently publishable library.