docs(28): add plan summaries for all three plans

.planning/phases/28-profile-and-logto-integration/28-01-SUMMARY.md

@@ -0,0 +1,58 @@
+---
+phase: 28-profile-and-logto-integration
+plan: 01
+subsystem: server
+tags: [logto, account-management, auth]
+key-files:
+  created:
+    - src/server/services/logto.service.ts
+    - src/server/routes/account.ts
+    - tests/services/logto.service.test.ts
+  modified:
+    - src/server/index.ts
+    - src/shared/schemas.ts
+    - src/shared/types.ts
+metrics:
+  tasks: 2/2
+  commits: 2
+  files-changed: 6
+---
+
+# Plan 28-01 Summary: Logto Management API Client & Account Routes
+
+## What Was Built
+
+1. **LogtoManagementClient** (`src/server/services/logto.service.ts`) — M2M token-based client for Logto Management API with automatic token caching and refresh. Methods: getUser, verifyPassword, updatePassword, hasPassword, updateEmail, deleteUser.
+
+2. **Account management routes** (`src/server/routes/account.ts`) — Four endpoints:
+   - `POST /api/account/password` — Change password (verifies current first)
+   - `POST /api/account/email` — Change email
+   - `GET /api/account/has-password` — Check if user has password
+   - `POST /api/account/delete` — Delete account with public setup anonymization
+
+3. **Zod schemas** added to `src/shared/schemas.ts`: changePasswordSchema, changeEmailSchema, deleteAccountSchema
+
+4. **12 unit tests** covering all LogtoManagementClient methods and token caching behavior
+
+## Commits
+
+| # | Hash | Description |
+|---|------|-------------|
+| 1 | fcd8279 | feat(28-01): create Logto Management API client service with M2M auth |
+| 2 | e8207a3 | feat(28-01): add account management routes for password, email, and deletion |
+
+## Deviations
+
+None — implemented as planned.
+
+## Self-Check: PASSED
+
+- [x] LogtoManagementClient has all required methods
+- [x] Token caching works with 60s buffer before expiry
+- [x] Password change verifies current password first (T-28-03)
+- [x] Account deletion creates sentinel user and anonymizes public setups (D-06)
+- [x] All routes use requireAuth middleware (T-28-05)
+- [x] Deletion requires "DELETE" confirmation (T-28-04)
+- [x] Routes registered in index.ts
+- [x] All tests pass
+- [x] Lint passes

.planning/phases/28-profile-and-logto-integration/28-02-SUMMARY.md

@@ -0,0 +1,54 @@
+---
+phase: 28-profile-and-logto-integration
+plan: 02
+subsystem: client
+tags: [profile, account-management, ui]
+key-files:
+  created:
+    - src/client/routes/profile.tsx
+    - src/client/hooks/useAccount.ts
+  modified:
+    - src/client/routes/settings.tsx
+metrics:
+  tasks: 2/2
+  commits: 1
+  files-changed: 3
+---
+
+# Plan 28-02 Summary: Profile Page & Settings Separation
+
+## What Was Built
+
+1. **Profile page** (`src/client/routes/profile.tsx`) — Dedicated /profile route with four sections:
+   - Profile Info: Reuses existing ProfileSection component (displayName, bio, avatar)
+   - Account Info: Shows email from auth session with inline change form, member-since date
+   - Security: Password change form (3 fields if has password, 2 if social-only), client-side validation
+   - Danger Zone: Account deletion with typed "DELETE" confirmation, red-bordered card
+
+2. **Account hooks** (`src/client/hooks/useAccount.ts`) — TanStack Query hooks: useHasPassword, useChangePassword, useChangeEmail, useDeleteAccount
+
+3. **Settings separation** — Removed ProfileSection from /settings. Settings now only has weight unit, currency, import/export, and API keys.
+
+## Commits
+
+| # | Hash | Description |
+|---|------|-------------|
+| 1 | 2369251 | feat(28-02): create profile page with account management, separate from settings |
+
+## Deviations
+
+None — implemented as planned per UI-SPEC.md.
+
+## Self-Check: PASSED
+
+- [x] /profile route created with createFileRoute
+- [x] ProfileSection reused without modifications
+- [x] Email display with change button and inline form
+- [x] Member-since date formatted with Intl.DateTimeFormat
+- [x] Password form adapts to has-password/no-password state
+- [x] Client-side validation: 8+ chars, uppercase, lowercase, number
+- [x] Danger zone card uses border-red-200
+- [x] Delete confirmation requires typed "DELETE"
+- [x] Settings page no longer contains ProfileSection
+- [x] Auth guard redirects unauthenticated users
+- [x] Lint passes

.planning/phases/28-profile-and-logto-integration/28-03-SUMMARY.md

@@ -0,0 +1,53 @@
+---
+phase: 28-profile-and-logto-integration
+plan: 03
+subsystem: client, server
+tags: [navigation, auth, logto-config]
+key-files:
+  created: []
+  modified:
+    - src/client/components/UserMenu.tsx
+    - src/server/routes/auth.ts
+    - src/client/hooks/useAuth.ts
+metrics:
+  tasks: 1/2
+  commits: 1
+  files-changed: 3
+---
+
+# Plan 28-03 Summary: Navigation, /me Extension, Logto Configuration
+
+## What Was Built
+
+1. **Profile navigation link** — Added "Profile" entry to UserMenu dropdown (above Settings), using circle-user icon from curated Lucide set. Only visible to authenticated users.
+
+2. **Extended /me endpoint** — Returns `createdAt` field from user record for member-since display on profile page. Formatted as ISO string.
+
+3. **AuthState type update** — Added optional `createdAt?: string` to the client-side AuthState interface.
+
+## Task 2: Logto Console Configuration (PENDING - Human Action Required)
+
+The following must be configured manually in the Logto admin console:
+- D-07: Sign-in page branding (logo, colors, custom CSS)
+- D-08: Custom domain (auth.gearbox.de) — optional
+- D-09: Google and GitHub social sign-in connectors
+- D-10: Email verification required at signup
+- D-11: Password policy (8+ chars, mixed case, number)
+
+## Commits
+
+| # | Hash | Description |
+|---|------|-------------|
+| 1 | 1b00134 | feat(28-03): add profile navigation link and extend /me with createdAt |
+
+## Deviations
+
+- Task 2 (Logto Console config) is a human-action checkpoint — cannot be automated. Instructions are documented in the plan.
+
+## Self-Check: PASSED
+
+- [x] UserMenu has Profile link pointing to /profile
+- [x] /me endpoint returns createdAt field
+- [x] AuthState interface includes createdAt
+- [x] Lint passes
+- [x] All project tests pass (storage failures are pre-existing)