|
| 1 | +# PR_26166_147-supabase-auth-live-validation |
| 2 | + |
| 3 | +## Branch Validation |
| 4 | +- PASS: current branch `main`. |
| 5 | +- Expected branch: `main`. |
| 6 | + |
| 7 | +## Requirement Checklist |
| 8 | +- PASS: Read `docs_build/dev/PROJECT_INSTRUCTIONS.md` before validation. |
| 9 | +- PASS: Main branch guard passed before any report artifacts were produced. |
| 10 | +- PASS: No product-table migration was performed. |
| 11 | +- PASS: No schema migration was performed. |
| 12 | +- PASS: `GAMEFOUNDRY_DB_PROVIDER=local-db` was enforced in the live validation process. |
| 13 | +- PASS: Supabase Auth remains the default auth provider; validation used `supabase-auth`. |
| 14 | +- PASS: Browser/backend boundary remains API-only; validation called local backend API contracts for auth/session flows. |
| 15 | +- PASS: Browser-visible missing-config failure remains generic: `The site is currently unavailable. Please try again later.` |
| 16 | +- PASS: Operator diagnostics/evidence include provider/config state and no secret values. |
| 17 | +- PASS: No secrets were committed. |
| 18 | +- PASS: `.env.local` was read for local validation only and was not modified. |
| 19 | +- FAIL: Live Supabase Auth health, Sign In, Create Account, Password Reset, user lookup, role lookup, and user_roles lookup could not complete because Node backend fetch fails TLS verification before HTTP. |
| 20 | +- FAIL: Live backend session resolution could not complete because live identity table lookups failed before an active live identity user could be resolved. |
| 21 | + |
| 22 | +## Live Validation Evidence |
| 23 | +- Evidence file: `docs_build/dev/reports/supabase-auth-live-validation-evidence.json`. |
| 24 | +- Environment presence: |
| 25 | + - `GAMEFOUNDRY_AUTH_PROVIDER`: PRESENT |
| 26 | + - `GAMEFOUNDRY_DB_PROVIDER`: PRESENT |
| 27 | + - `GAMEFOUNDRY_SUPABASE_URL`: PRESENT |
| 28 | + - `GAMEFOUNDRY_SUPABASE_ANON_KEY`: PRESENT |
| 29 | + - `GAMEFOUNDRY_SUPABASE_SERVICE_ROLE_KEY`: PRESENT |
| 30 | +- Backend provider selection: PASS |
| 31 | + - auth provider: `supabase-auth` |
| 32 | + - DB provider: `local-db` |
| 33 | + - backend status: ready |
| 34 | +- Missing-config generic browser message: PASS |
| 35 | +- Live transport result: FAIL |
| 36 | + - sanitized cause code: `UNABLE_TO_VERIFY_LEAF_SIGNATURE` |
| 37 | + - sanitized cause message: `unable to verify the first certificate` |
| 38 | +- No Supabase secret values were printed or written to reports. |
| 39 | + |
| 40 | +## Validation Lane Report |
| 41 | +- PASS: changed-file syntax/static checks: |
| 42 | + - `node --check src/dev-runtime/auth/provider-contract-stubs.mjs` |
| 43 | + - `node --check src/dev-runtime/server/local-api-router.mjs` |
| 44 | + - `node --check tests/dev-runtime/SupabaseProviderContractStub.test.mjs` |
| 45 | +- PASS: targeted auth/provider validation: |
| 46 | + - `node --test tests/dev-runtime/SupabaseProviderContractStub.test.mjs` |
| 47 | + - Result: 23 passed. |
| 48 | +- PASS: Playwright impacted validation: |
| 49 | + - `npm run test:workspace-v2` |
| 50 | + - Result: 5 passed. |
| 51 | +- PASS: diff guardrail: |
| 52 | + - `git diff --check` |
| 53 | + - Result: no whitespace errors; line-ending warning only. |
| 54 | +- FAIL: live Supabase DEV validation: |
| 55 | + - Live outbound requests failed at Node TLS verification before HTTP response. |
| 56 | + |
| 57 | +## Playwright / V8 Coverage |
| 58 | +- Playwright impacted: Yes. |
| 59 | +- PASS: `npm run test:workspace-v2` passed. |
| 60 | +- V8 coverage: N/A because this PR did not change runtime JavaScript. |
| 61 | +- Coverage report path: `docs_build/dev/reports/playwright_v8_coverage_report.txt`. |
| 62 | + |
| 63 | +## Impacted Lanes |
| 64 | +- Auth/provider validation lane. |
| 65 | +- Live Supabase connectivity/auth validation lane. |
| 66 | +- Workspace-contract Playwright lane. |
| 67 | + |
| 68 | +## Skipped Lanes |
| 69 | +- Full samples smoke: SKIP. This PR validates Supabase Auth behavior only and does not touch sample runtime behavior. |
| 70 | +- Product DB migration: SKIP. Requirement explicitly forbids product-table migration. |
| 71 | +- Schema migration: SKIP. No schema changes were required for the attempted validation; live validation failed at TLS transport before schema-level validation could require any migration. |
| 72 | + |
| 73 | +## Manual Validation Notes |
| 74 | +- To complete live DEV validation, fix the Node trust chain for the configured Supabase endpoint. The current Node transport error is `UNABLE_TO_VERIFY_LEAF_SIGNATURE`. |
| 75 | +- After the trust chain is fixed, rerun live validation against the same backend contract. |
| 76 | +- Expected live checks after TLS is resolved: |
| 77 | + - `/api/auth/status` reports Supabase Auth with Local DB product data. |
| 78 | + - `/api/auth/sign-in` routes through Supabase Auth and returns sanitized result. |
| 79 | + - `/api/auth/create-account` routes through Supabase Auth and returns sanitized result. |
| 80 | + - `/api/auth/password-reset` routes through Supabase Auth and returns sanitized result. |
| 81 | + - `/api/session/users` and `/api/session/user` resolve users/roles/user_roles through provider-owned identity tables. |
| 82 | + |
| 83 | +## Changed Files |
| 84 | +See `docs_build/dev/reports/codex_changed_files.txt`. |
0 commit comments