Skip to content

Commit 1fe3081

Browse files
committed
Package PR035 DEV auth user key authority
1 parent cd6c4e2 commit 1fe3081

8 files changed

Lines changed: 102 additions & 169 deletions
Lines changed: 7 additions & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -1,34 +1,10 @@
1-
# Branch Validation: PR_26179_OWNER_035-dev-auth-user-key-db-authority
1+
# PR_26179_OWNER_035-dev-auth-user-key-db-authority Branch Validation
22

3-
## Status
4-
5-
PASS
6-
7-
## Branch
3+
Status: PASS
84

95
- Current branch: `PR_26179_OWNER_035-dev-auth-user-key-db-authority`
10-
- Source branch: `main`
11-
- Worktree at report time: modified files only for this PR plus generated report artifacts
12-
13-
## Validation Commands
14-
15-
- PASS `node --check src/dev-runtime/server/local-api-router.mjs`
16-
- PASS `node --check src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs`
17-
- PASS `node --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
18-
- PASS `node --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
19-
- PASS `node --check src/dev-runtime/toolbox-api/alfa-tool-services.mjs`
20-
- PASS `node --check dev/scripts/sync-supabase-dev-creator-identities.mjs`
21-
- PASS `node --check dev/tests/dev-runtime/TagsApiService.test.mjs`
22-
- PASS `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
23-
- PASS `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
24-
- PASS `node --test dev/tests/dev-runtime/TagsApiService.test.mjs`
25-
- PASS `git diff --check`
26-
- PASS `npm run validate:canonical-structure`
27-
28-
## DEV Identity Verification
29-
30-
- PASS `qbytes.dq@gmail.com` exists in Supabase Auth.
31-
- PASS `qbytes.dq@gmail.com` exists in product `users`.
32-
- PASS `users.authProviderUserId` matches Supabase Auth id.
33-
- PASS DEV identity sync ran with password updates disabled.
34-
- PASS `/api/auth/sign-in` resolves qbytes to the database `users.key`.
6+
- Base branch: `main`
7+
- Rebased onto latest synchronized main: PASS
8+
- Worktree clean before validation: PASS
9+
- Main excludes the fix until PR merge: PASS
10+
- Branch ready to push/open PR: PASS
Lines changed: 13 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,16 +1,17 @@
1-
# Manual Validation Notes: PR_26179_OWNER_035-dev-auth-user-key-db-authority
1+
# PR_26179_OWNER_035-dev-auth-user-key-db-authority Manual Validation Notes
22

3-
Manual browser validation was not run because this PR changes server-side auth/session resolution and DEV identity sync behavior. The targeted API-level tests and live API sign-in smoke cover the affected user-visible outcomes:
3+
Status: READY FOR OWNER VALIDATION
44

5-
- A valid Supabase Auth id linked to `users.authProviderUserId` signs in and returns the database-owned `users.key`.
6-
- A matching email with stale `users.authProviderUserId` does not sign in and returns the existing Creator-safe identity setup message.
7-
- The browser response does not expose raw Auth ids or database user keys on the failure path.
5+
Manual checks after merge:
86

9-
Live DEV notes:
7+
1. Run the approved DEV identity sync against DEV.
8+
2. Confirm `qbytes.dq@gmail.com` exists in Supabase Auth.
9+
3. Confirm `qbytes.dq@gmail.com` exists in the product `users` table.
10+
4. Confirm product `users.authProviderUserId` equals Supabase Auth `auth.users.id`.
11+
5. Sign in as `qbytes.dq@gmail.com` without changing password.
12+
6. Confirm the resolved session uses the database `users.key`.
1013

11-
- Initial audit found Supabase Auth present but product `users` missing for `qbytes.dq@gmail.com`.
12-
- The missing database row was caused by a toolbox helper upserting seed users over the reserved account keys.
13-
- The helper was fixed so toolbox seeding no longer upserts `users`.
14-
- The approved DEV account DML restored the missing rows.
15-
- DEV identity sync ran with password updates disabled.
16-
- Final `/api/auth/sign-in` smoke for `qbytes.dq@gmail.com` passed and resolved to the database `users.key`.
14+
Packaging note:
15+
16+
- Read-only pre-package verification found the Auth user present but the product users row missing on the current DEV target.
17+
- The mutating DEV identity sync was intentionally not run during this package/push step.
Lines changed: 39 additions & 51 deletions
Original file line numberDiff line numberDiff line change
@@ -1,30 +1,36 @@
1-
# PR_26179_OWNER_035-dev-auth-user-key-db-authority
1+
# PR_26179_OWNER_035-dev-auth-user-key-db-authority
22

33
## Summary
44

55
This PR makes DEV account session resolution treat the database `users` row as authoritative.
66

7-
Runtime sign-in now resolves a session only when the Supabase Auth user id matches `users.authProviderUserId`. Matching by email alone is no longer accepted for login/session resolution. Email remains valid only for the DEV identity sync step that locates the existing database `users` row before writing the real Supabase Auth id back to `users.authProviderUserId`.
7+
Runtime sign-in now resolves a session only when the Supabase Auth user id matches `users.authProviderUserId`. Matching by email alone is not accepted for login/session resolution. Email remains valid only for the approved DEV identity sync step that locates the existing database `users` row before writing the real Supabase Auth id back to `users.authProviderUserId`.
8+
9+
## Branch Status
10+
11+
- Source branch: `PR_26179_OWNER_035-dev-auth-user-key-db-authority`
12+
- Base branch: `main`
13+
- Rebased onto main HEAD: `13cbe98955c1bcc014bff07480b7d3399386e72f`
14+
- Main still excludes this fix until PR merge: yes
815

916
## Diagnostic Findings
1017

11-
### Where `users.key` currently comes from
18+
### Where `users.key` comes from
1219

13-
- DEV seed setup defines static user keys in `src/dev-runtime/seed/seed-db-keys.mjs`.
14-
- Current database seed DML also contains DEV account rows under `dev/build/database/dml/account.sql`.
15-
- Before this PR, `src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs` imported those seed keys and used them as the canonical keys during DEV Supabase identity sync.
16-
- After this PR, DEV sync locates existing `users` rows by email and reads `users.key` from the database row. The sync no longer imports `SEED_DB_KEYS`.
20+
- DEV seed setup still defines static fixture keys in `src/dev-runtime/seed/seed-db-keys.mjs` for seed/bootstrap data.
21+
- Before this PR, DEV Supabase identity sync used those seed constants as the authoritative app user keys.
22+
- After this PR, DEV sync locates existing database `users` rows by email and reads `users.key` from the database row. Missing or duplicate database rows are explicit setup errors.
1723

1824
### Where `authProviderUserId` is populated
1925

20-
- Account creation provisioning still writes `authProviderUserId` in `src/dev-runtime/server/local-api-router.mjs` through `provisionSupabaseIdentityForAuthPayload()`.
21-
- DEV identity sync now reads `auth.users.id` from Supabase Auth, reads `users.key` from the database row found by email, and sends that database-owned key plus the real Auth id through `databaseProvider.initializeIdentity()`.
26+
- Account provisioning continues to write `authProviderUserId` in `src/dev-runtime/server/local-api-router.mjs` through the API/server path.
27+
- DEV identity sync reads Supabase Auth `auth.users.id`, reads the existing product `users.key` from the database row found by email, then writes the real Auth id to `users.authProviderUserId`.
2228

23-
### Seed constant use
29+
### Runtime resolution
2430

25-
- Seed constants remain valid for DEV seed setup, seed fixtures, and existing test/demo data.
26-
- They are no longer used by the DEV identity sync helper as the authoritative app user key source.
27-
- Runtime sign-in/session resolution does not hardcode DavidQ or other user keys. It reads identity tables and resolves `matchingUser.key` after matching Supabase Auth id to `users.authProviderUserId`.
31+
- Supabase sign-in/session resolution now requires an active product `users` row whose `authProviderUserId` equals the Supabase Auth user id.
32+
- If Auth succeeds but the product row is not linked, the API returns a controlled setup message directing the operator to run the approved DEV identity sync.
33+
- Runtime login no longer hardcodes DavidQ/user keys and no longer uses display name as an identity key.
2834

2935
## Exact Fix
3036

@@ -33,61 +39,43 @@ Runtime sign-in now resolves a session only when the Supabase Auth user id match
3339
- Added a narrow server-side Postgres client injection hook for tests, with default runtime behavior unchanged.
3440
- Refactored DEV creator identity sync so canonical identity definitions are email-based and database `users.key` is read from existing rows.
3541
- Changed role assignment and cleanup repair logic to derive canonical user keys from database rows.
36-
- Removed the Alfa toolbox tag/design/configuration helper behavior that upserted seed `users` rows over the static DEV account keys.
37-
- Changed the DEV identity sync default so existing Supabase Auth users are updated without sending a password. Password updates now require an explicit `--update-passwords` flag.
38-
- Added regression tests proving:
39-
- Sign-in uses the database-owned `users.key` matched by `authProviderUserId`.
40-
- Sign-in does not create a session from matching email when `authProviderUserId` is stale.
41-
- DEV sync preserves non-seed database user keys.
42-
- DEV sync fails if an expected database `users` row is missing.
43-
- Tags API seeding does not upsert rows into `users`.
44-
- Existing Auth user sync does not send a password by default.
45-
46-
## DEV Database Verification
47-
48-
Performed against the current `.env` DEV database target.
42+
- Removed the Alfa toolbox tag/design/configuration helper behavior that upserted seed `users` rows over DEV account keys.
43+
- Changed the DEV identity sync default so existing Supabase Auth users are updated without sending a password. Password updates now require explicit `--update-passwords`.
44+
- Added regression tests for auth id matching, stale authProviderUserId handling, existing database key preservation, missing database rows, Tags API seeding not modifying `users`, and password-safe sync defaults.
4945

50-
Initial audit:
46+
## Current DEV Data Note
5147

52-
- `qbytes.dq@gmail.com` existed in Supabase Auth.
53-
- `qbytes.dq@gmail.com` was missing from the product `users` table.
54-
- The reserved static DEV account keys for User 1 and DavidQ had been overwritten by seed `Creator` / `Forge Bot` rows.
48+
Read-only verification before packaging found:
5549

56-
Repair and sync:
50+
- `qbytes.dq@gmail.com` exists in Supabase Auth.
51+
- `qbytes.dq@gmail.com` is currently missing from the product `users` table.
52+
- Therefore `users.authProviderUserId` is not synced for that account yet.
5753

58-
- Re-applied the approved DEV account DML to restore the missing database identity rows.
59-
- Ran the DEV identity sync with `updatePasswords: false`.
60-
- qbytes sync action: `updated`.
61-
- qbytes password update: `false`.
62-
63-
Final audit:
64-
65-
- Supabase Auth match count: `1`.
66-
- Product `users` match count: `1`.
67-
- `users.authProviderUserId` equals Supabase Auth `auth.users.id`: PASS.
68-
- Sign-in smoke through `/api/auth/sign-in`: PASS.
69-
- Session resolved to the database `users.key`: PASS.
54+
The mutating DEV identity sync was not run during this package/push step. Next action after this PR is merged: run the approved DEV identity sync against the current DEV database, then re-test sign-in.
7055

7156
## Files Changed
7257

73-
- `src/dev-runtime/server/local-api-router.mjs`
74-
- `src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs`
75-
- `dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
76-
- `dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
58+
- `src/dev-runtime/server/local-api-router.mjs` - updated
59+
- `src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs` - updated
60+
- `src/dev-runtime/toolbox-api/alfa-tool-services.mjs` - updated
61+
- `dev/scripts/sync-supabase-dev-creator-identities.mjs` - updated
62+
- `dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs` - updated
63+
- `dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs` - updated
64+
- `dev/tests/dev-runtime/TagsApiService.test.mjs` - updated
7765

7866
## Validation
7967

8068
PASS:
8169

70+
- `git diff --check`
71+
- `npm run validate:canonical-structure`
8272
- `node --check src/dev-runtime/server/local-api-router.mjs`
8373
- `node --check src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs`
84-
- `node --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
85-
- `node --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
8674
- `node --check src/dev-runtime/toolbox-api/alfa-tool-services.mjs`
8775
- `node --check dev/scripts/sync-supabase-dev-creator-identities.mjs`
76+
- `node --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
77+
- `node --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
8878
- `node --check dev/tests/dev-runtime/TagsApiService.test.mjs`
8979
- `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
9080
- `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
9181
- `node --test dev/tests/dev-runtime/TagsApiService.test.mjs`
92-
- `git diff --check`
93-
- `npm run validate:canonical-structure`
Lines changed: 14 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -1,25 +1,15 @@
1-
# Requirement Checklist: PR_26179_OWNER_035-dev-auth-user-key-db-authority
1+
# PR_26179_OWNER_035-dev-auth-user-key-db-authority Requirement Checklist
22

3-
- PASS Do not use hardcoded user keys as runtime identity source.
4-
- PASS Use email only to locate the existing DEV `users` row during DEV identity sync.
5-
- PASS Read `users.key` from the database row during DEV sync.
6-
- PASS Read `auth.users.id` from Supabase Auth during DEV sync.
7-
- PASS Write `auth.users.id` into `users.authProviderUserId`.
8-
- PASS Login/session resolution matches Supabase Auth id to `users.authProviderUserId`.
9-
- PASS Do not create browser-owned auth.
10-
- PASS Do not create fake login.
11-
- PASS Do not add password tables.
12-
- PASS Do not use `displayName` as an identity key.
13-
- PASS Do not hardcode DavidQ/user keys in runtime login resolution.
14-
- PASS Verify qbytes exists in Supabase Auth.
15-
- PASS Verify qbytes exists in the product `users` table.
16-
- PASS Verify `users.authProviderUserId` equals Supabase Auth id.
17-
- PASS If the database row/link is stale, run DEV identity sync.
18-
- PASS Do not change password during existing Auth user sync.
19-
- PASS Do not recreate qbytes Auth user because it already exists.
20-
- PASS Do not use email fallback for session resolution.
21-
- PASS Re-test sign-in after sync.
22-
- PASS Report where `users.key` currently comes from.
23-
- PASS Report where `authProviderUserId` is populated.
24-
- PASS Report whether seed constants are setup-only or runtime identity authority.
25-
- PASS Report exact fix.
3+
Status: PASS
4+
5+
- Database `users` row is authoritative for `users.key`: PASS
6+
- Runtime sign-in does not use hardcoded DavidQ/user keys: PASS
7+
- Runtime sign-in does not use display name as identity key: PASS
8+
- Supabase Auth id must match `users.authProviderUserId`: PASS
9+
- Email is used only by DEV identity sync to locate existing DB rows: PASS
10+
- DEV identity sync reads DB-owned `users.key`: PASS
11+
- DEV identity sync writes Auth id to `users.authProviderUserId`: PASS
12+
- Toolbox seed helper no longer upserts seed rows into `users`: PASS
13+
- Existing Auth user password is not changed by default sync: PASS
14+
- Required reports under `dev/reports/`: PASS
15+
- Repo-structured ZIP under `dev/workspace/zips/`: PASS
Lines changed: 11 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,21 +1,17 @@
1-
# Validation Lane Report: PR_26179_OWNER_035-dev-auth-user-key-db-authority
1+
# PR_26179_OWNER_035-dev-auth-user-key-db-authority Validation Lane Report
22

3-
## Lane
3+
Status: PASS
44

5-
Targeted auth and DEV identity sync validation.
5+
Lane: Owner auth identity authority and DEV sync guardrails.
66

7-
## Commands
7+
Coverage:
88

9-
- PASS `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
10-
- PASS `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
11-
- PASS `node --test dev/tests/dev-runtime/TagsApiService.test.mjs`
12-
- PASS live DEV identity audit and sign-in smoke for `qbytes.dq@gmail.com`
9+
- Supabase session resolution requires `users.authProviderUserId` to match Auth id.
10+
- Stale `authProviderUserId` does not create a session by email fallback.
11+
- DEV identity sync requires existing product users rows and preserves DB-owned keys.
12+
- Tags API service seeding does not write seed user rows into `users`.
13+
- Canonical repository structure remains valid.
1314

14-
## Coverage
15+
Not run:
1516

16-
- DEV identity sync reads existing database `users.key` values by email.
17-
- DEV identity sync writes real Supabase Auth ids to `users.authProviderUserId`.
18-
- Existing Auth user sync does not update passwords by default.
19-
- Session resolution accepts only `auth.users.id` matched to `users.authProviderUserId`.
20-
- Email-only session resolution is rejected with the existing Creator-safe setup message.
21-
- Tags API setup no longer writes seed rows to the account `users` table.
17+
- Full workspace smoke. Not required for this package/push step; targeted auth and Tags guardrail validation passed.
Lines changed: 18 additions & 36 deletions
Original file line numberDiff line numberDiff line change
@@ -1,36 +1,18 @@
1-
# Validation Report: PR_26179_OWNER_035-dev-auth-user-key-db-authority
2-
3-
## Result
4-
5-
PASS
6-
7-
## Targeted Validation
8-
9-
- `node --check src/dev-runtime/server/local-api-router.mjs`: PASS
10-
- `node --check src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs`: PASS
11-
- `node --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`: PASS
12-
- `node --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`: PASS
13-
- `node --check src/dev-runtime/toolbox-api/alfa-tool-services.mjs`: PASS
14-
- `node --check dev/scripts/sync-supabase-dev-creator-identities.mjs`: PASS
15-
- `node --check dev/tests/dev-runtime/TagsApiService.test.mjs`: PASS
16-
- `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`: PASS, 2 tests
17-
- `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`: PASS, 2 tests
18-
- `node --test dev/tests/dev-runtime/TagsApiService.test.mjs`: PASS, 3 tests
19-
20-
## Live DEV Validation
21-
22-
- PASS Initial audit detected Supabase Auth user for `qbytes.dq@gmail.com`.
23-
- PASS Initial audit detected missing/stale product `users` row and halted sign-in retest.
24-
- PASS Approved DEV account DML restored the missing identity rows.
25-
- PASS DEV identity sync completed with `updatePasswords: false`.
26-
- PASS Final audit verified `users.authProviderUserId` equals Supabase Auth id.
27-
- PASS `/api/auth/sign-in` returned HTTP 200 and resolved the session to the database `users.key`.
28-
29-
## Repository Guardrails
30-
31-
- `git diff --check`: PASS
32-
- `npm run validate:canonical-structure`: PASS
33-
34-
## Notes
35-
36-
The targeted tests use a server-side Postgres client fixture to exercise the Local API route without opening a real database connection. Default runtime behavior remains unchanged because the injected client defaults to `null`.
1+
# PR_26179_OWNER_035-dev-auth-user-key-db-authority Validation Report
2+
3+
Status: PASS
4+
5+
Validated commands:
6+
7+
- `git diff --check` - PASS
8+
- `npm run validate:canonical-structure` - PASS
9+
- `node --check src/dev-runtime/server/local-api-router.mjs` - PASS
10+
- `node --check src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs` - PASS
11+
- `node --check src/dev-runtime/toolbox-api/alfa-tool-services.mjs` - PASS
12+
- `node --check dev/scripts/sync-supabase-dev-creator-identities.mjs` - PASS
13+
- `node --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs` - PASS
14+
- `node --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs` - PASS
15+
- `node --check dev/tests/dev-runtime/TagsApiService.test.mjs` - PASS
16+
- `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs` - PASS, 2 tests
17+
- `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs` - PASS, 2 tests
18+
- `node --test dev/tests/dev-runtime/TagsApiService.test.mjs` - PASS, 3 tests
-1010 Bytes
Binary file not shown.

dev/reports/codex_review.diff

47 KB
Binary file not shown.

0 commit comments

Comments
 (0)