Olympus Documentation What is Olympus Architecture Repo Map License Glossary

Overview 0001, Dual-domain architecture 0002, Kratos + Hydra over Keycloak 0003, Source-only licensing (Olympus Free Container License)0004, Push-to-main deployment 0005, Fumadocs over Mintlify / Docusaurus / Nextra 0006, AES-256-GCM with HKDF-SHA256 for settings encryption 0007, Encryption key blocklist 0008, Captcha defaults OFF in dev 0009, Caddy over Nginx 0010, Podman over Docker 0011, JSON Schema identity model 0012, Source-only NPM packages 0013, Postgres sslmode=verify-full mandatory in production 0014, Image pinning by digest in production 0015, Email verification mandatory in production 0016, pgAdmin DBA role mapping via OIDC 0017, Recovery HMAC token 0018, Reload API key sidecar 0019, PKCE mandatory for all public clients 0020, Vitest as the default test stack 0021, xterm.js secrets sanitizer in Daedalus 0022, Daedalus MCP server is localhost-only 0023, Tauri over Electron for Daedalus 0024, Bun as runtime for app services 0025, Octl bundles a stack/ directory 0026, Atomic design in Canvas

ADRs

0015, Email verification mandatory in production

Why production Olympus enforces email verification before granting session access

Status: Accepted Date: 2026-03 Stakeholders: Bobby Nannier

Context

Email verification confirms the user controls the email they registered with. Without it:

An attacker can register accounts with someone else's email (the real owner gets a verification email they didn't expect; if they ignore it, the account is taken).
Recovery flows are weakened (you can recover an account by setting a new password if you have access to the registered email).
Bot-driven mass account creation is cheap.

Decision

Production deployments require email verification before granting session access. Enforced by:

The require_verified_address hook on the registration and login flows.
The verify-email-enforcement.yml CI workflow asserts the hook is configured.

A user who registers but doesn't verify cannot log in until verified. Their identity exists in pending state.

Consequences

Some friction. Users who type an email they can't access can't proceed.
Email provider must be reliable. Deliverability matters, see Operate, Email Deliverability.
Tighter cohort. Every active identity is reachable via email.
Dev exception. Verification is optional in dev (compose.dev.yml doesn't enable the hook). MailSlurper captures the email so testing the flow is easy.

Related

Security, Email verification
Identity, Flow verification
Security, OIDC email_verified trust

0014, Image pinning by digest in production

Why production compose files must reference images by sha256 digest, not tag

0016, pgAdmin DBA role mapping via OIDC

Per-engineer Postgres database roles mapped from OIDC role claim

On this page

Context Decision Consequences Related