# PROJECT_STATE.md

## Project
OTB Cloud

## Current version
v0.2.1

## Build date
2026-04-12

## Host
vault3

## App path
/opt/otb_cloud

## Purpose
Portal-authenticated secure backup and storage platform for customer files, including images, videos, documents, and other uploaded data.

## Core requirements locked in
- Shared OTB branding, nav, footer, favicon
- Portal login / auth handoff through OTB Billing
- No unauthenticated file/account access
- MariaDB backend
- Vault3 storage root at `/tank/backups/otb-cloud`
- Tenant-isolated storage
- User-created devices
- Immutable originals
- Derived-file processing workflow
- Search by filename and date
- Bulk zip export
- Audit logging
- Owner-approved admin support access using one-time token

## Current implemented scaffold
- Flask app factory
- Main blueprint
- Auth blueprint
- MariaDB connection helper
- Signed handoff endpoint
- Auth-protected dashboard
- Branded OTB portal shell styling
- SQL schema file
- DB bootstrap script
- Storage bootstrap scripts
- Gunicorn systemd service on vault3
- Mintme reverse proxy in place
- OTB Billing signed handoff working
- Add Device flow
- Remove Device flow for empty devices
- Browser upload flow to device originals
- Device file browser page

## Immediate next tasks
1. Add single-file download
2. Add searchable file listing
3. Add rename basename-only flow
4. Add zip export flow
5. Add media processing jobs
6. Add derived/original filtering

## Notes
Original uploaded files should remain preserved and effectively read-only.

Any user-facing edits or processing outputs should create derivative files.

Admin access should require owner-issued one-time support authorization.

New tenants no longer receive default devices automatically; devices are now user-created.

Devices can only be removed when no files are associated with them.

Browser uploads write original files into device-specific originals directories and create DB records.

The device browser is DB-backed and tenant-scoped.
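
The notes above say browser uploads land in device-specific originals directories and that originals stay effectively read-only. One way to enforce both at write time, added here as an example and not taken from the OTB Cloud code base; the `<root>/<tenant_id>/<device_id>/originals/` layout, the function names and the `0o440` mode are assumptions.

```python
import os
import tempfile
from pathlib import Path

STORAGE_ROOT = Path("/tank/backups/otb-cloud")  # storage root named on this page

def originals_dir(root: Path, tenant_id: int, device_id: int) -> Path:
    # Assumed layout: <root>/<tenant_id>/<device_id>/originals/
    # IDs come from the authenticated session and DB row, never from request path text.
    return root / str(int(tenant_id)) / str(int(device_id)) / "originals"

def safe_basename(name: str) -> str:
    # Keep only the final path component so "../" or "C:\dir\" prefixes are discarded.
    base = os.path.basename(name.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError("invalid filename")
    return base

def store_original(root: Path, tenant_id: int, device_id: int,
                   name: str, data: bytes) -> Path:
    target_dir = originals_dir(root, tenant_id, device_id)
    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / safe_basename(name)
    # Defence in depth: the resolved path must still be inside this device's directory.
    if target_dir.resolve() not in target.resolve().parents:
        raise ValueError("path escapes originals directory")
    # O_EXCL makes creation fail if the name exists (including a symlink),
    # so an upload can never overwrite an existing original.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o440)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(target, 0o440)  # exact read-only mode, independent of umask
    return target

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())  # constructed stand-in for STORAGE_ROOT
    print(store_original(root, 7, 3, "../../8/1/originals/photo.jpg", b"demo"))
    try:
        store_original(root, 7, 3, "photo.jpg", b"overwrite attempt")
    except FileExistsError:
        print("second write refused; original unchanged")
```

File mode bits alone do not stop the service account from deleting or replacing a file through directory permissions, so the exclusive-create check is what protects an existing original here.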