updated spec

rowing-courses-spec.md

@@ -688,21 +688,17 @@ wrangler dev
 
 ## Open questions for developer kickoff
 
-1. **CrewNerd integration design — confirm with Tony Andrews.** Two sub-questions:
+1. **CrewNerd integration design — resolved.** Confirmed by Tony Andrews (March 2026).
 
-   a. **Auth endpoint.** The proposed UX requires no browser redirect and no manual key entry. CrewNerd already holds the user's intervals.icu bearer token from its existing intervals.icu integration. A single background call is all that is needed:
+   **Auth endpoint:** Tony confirmed agreement with the bearer token exchange approach — no browser redirect, no manual key entry. CrewNerd will call `POST /api/auth/crewnerd` with the existing intervals.icu bearer token in the background and store the returned API key.
 
-   ```
-   POST /api/auth/crewnerd
-   Authorization: Bearer {intervals_access_token}
-   ← {"api_key": "abc123..."}
-   ```
+   **User-facing UX:** Tony will add an opt-in switch to the intervals.icu settings page in CrewNerd. For discoverability, users will be prompted to opt in the first time they press the "Sync" button on the courses page. No browser handoff, no copy-paste.
 
-   The Worker verifies the token against intervals.icu (`GET /api/v1/athlete/self`), derives the API key using `apiKeyForAthlete()`, and returns it. From the user's perspective: tap "Connect to rownative.icu" in CrewNerd, done. Confirm with Tony that (i) CrewNerd can make this call on the user's behalf and store the returned key, and (ii) users who have already connected CrewNerd to intervals.icu do not need to re-authenticate — the existing token can be reused immediately.
+   **Base URL:** CrewNerd already has a configurable cloud selector. Tony will add a dev cloud mode that enables the rownative.icu integration logic without impacting live users, allowing iteration on the Worker endpoints before public launch. A production release will follow once both sides are tested.
 
-   b. **Base URL configurability.** Confirm whether a configurable Rowsandall base URL already exists in CrewNerd, or whether a new release is needed before Stage 1 is usable. This is the Stage 1 deadline driver.
+   **Timeline:** Tony is on vacation for three weeks from late March 2026. The Worker skeleton with `POST /api/auth/crewnerd` should be live and reachable before he returns so he has something to test against.
 
-2. **intervals.icu OAuth app registration.** Confirm with David Tinker (`@david` on the intervals.icu forum) whether a community/open-source OAuth app can be registered for this project, or whether each instance operator registers separately. Also confirm the available scopes — specifically whether `PROFILE_READ` and `ACTIVITY_READ` can be requested in the same grant or require separate authorisation flows. The redirect URI will be `https://{worker-domain}/oauth/callback`.
+2. **intervals.icu OAuth app registration — resolved.** Register a new OAuth app for `rownative.icu` at intervals.icu (same process as the existing `rowsandall.com` app). Redirect URI: `https://rownative.icu/oauth/callback`. Add the resulting `client_id` and `client_secret` as Worker secrets (`INTERVALS_CLIENT_ID`, `INTERVALS_CLIENT_SECRET`). Scopes and cookie approach already confirmed by David Tinker (see question 7).
 
 3. **Course ID scheme — resolved.** Rowsandall integer IDs are preserved exactly as strings (e.g. course 66 → `courses/66.json`, `"id": "66"`). No zero-padding. This ensures liked-course migration works without a translation table.