Skip to content

Commit cd6c4e2

Browse files
committed
Verify DEV auth identity link
1 parent 1ce33fe commit cd6c4e2

13 files changed

Lines changed: 1091 additions & 297 deletions

dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_branch_validation.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,8 +16,19 @@ PASS
1616
- PASS `node --check src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs`
1717
- PASS `node --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
1818
- PASS `node --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
19+
- PASS `node --check src/dev-runtime/toolbox-api/alfa-tool-services.mjs`
20+
- PASS `node --check dev/scripts/sync-supabase-dev-creator-identities.mjs`
21+
- PASS `node --check dev/tests/dev-runtime/TagsApiService.test.mjs`
1922
- PASS `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
2023
- PASS `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
24+
- PASS `node --test dev/tests/dev-runtime/TagsApiService.test.mjs`
2125
- PASS `git diff --check`
2226
- PASS `npm run validate:canonical-structure`
2327

28+
## DEV Identity Verification
29+
30+
- PASS `qbytes.dq@gmail.com` exists in Supabase Auth.
31+
- PASS `qbytes.dq@gmail.com` exists in product `users`.
32+
- PASS `users.authProviderUserId` matches Supabase Auth id.
33+
- PASS DEV identity sync ran with password updates disabled.
34+
- PASS `/api/auth/sign-in` resolves qbytes to the database `users.key`.
Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,16 @@
11
# Manual Validation Notes: PR_26179_OWNER_035-dev-auth-user-key-db-authority
22

3-
Manual browser validation was not run because this PR changes server-side auth/session resolution and DEV identity sync behavior. The targeted API-level tests cover the affected user-visible outcomes:
3+
Manual browser validation was not run because this PR changes server-side auth/session resolution and DEV identity sync behavior. The targeted API-level tests and live API sign-in smoke cover the affected user-visible outcomes:
44

55
- A valid Supabase Auth id linked to `users.authProviderUserId` signs in and returns the database-owned `users.key`.
66
- A matching email with stale `users.authProviderUserId` does not sign in and returns the existing Creator-safe identity setup message.
77
- The browser response does not expose raw Auth ids or database user keys on the failure path.
88

9-
Recommended manual follow-up in DEV after merge:
10-
11-
- Run the approved DEV identity sync.
12-
- Sign in as `qbytes.dq@gmail.com`.
13-
- Confirm the session resolves to the existing database `users.key` row whose `authProviderUserId` equals the Supabase Auth user id.
9+
Live DEV notes:
1410

11+
- Initial audit found Supabase Auth present but product `users` missing for `qbytes.dq@gmail.com`.
12+
- The missing database row was caused by a toolbox helper upserting seed users over the reserved account keys.
13+
- The helper was fixed so toolbox seeding no longer upserts `users`.
14+
- The approved DEV account DML restored the missing rows.
15+
- DEV identity sync ran with password updates disabled.
16+
- Final `/api/auth/sign-in` smoke for `qbytes.dq@gmail.com` passed and resolved to the database `users.key`.

dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_report.md

Lines changed: 33 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,11 +33,40 @@ Runtime sign-in now resolves a session only when the Supabase Auth user id match
3333
- Added a narrow server-side Postgres client injection hook for tests, with default runtime behavior unchanged.
3434
- Refactored DEV creator identity sync so canonical identity definitions are email-based and database `users.key` is read from existing rows.
3535
- Changed role assignment and cleanup repair logic to derive canonical user keys from database rows.
36+
- Removed the Alfa toolbox tag/design/configuration helper behavior that upserted seed `users` rows over the static DEV account keys.
37+
- Changed the DEV identity sync default so existing Supabase Auth users are updated without sending a password. Password updates now require an explicit `--update-passwords` flag.
3638
- Added regression tests proving:
3739
- Sign-in uses the database-owned `users.key` matched by `authProviderUserId`.
3840
- Sign-in does not create a session from matching email when `authProviderUserId` is stale.
3941
- DEV sync preserves non-seed database user keys.
4042
- DEV sync fails if an expected database `users` row is missing.
43+
- Tags API seeding does not upsert rows into `users`.
44+
- Existing Auth user sync does not send a password by default.
45+
46+
## DEV Database Verification
47+
48+
Performed against the current `.env` DEV database target.
49+
50+
Initial audit:
51+
52+
- `qbytes.dq@gmail.com` existed in Supabase Auth.
53+
- `qbytes.dq@gmail.com` was missing from the product `users` table.
54+
- The reserved static DEV account keys for User 1 and DavidQ had been overwritten by seed `Creator` / `Forge Bot` rows.
55+
56+
Repair and sync:
57+
58+
- Re-applied the approved DEV account DML to restore the missing database identity rows.
59+
- Ran the DEV identity sync with `updatePasswords: false`.
60+
- qbytes sync action: `updated`.
61+
- qbytes password update: `false`.
62+
63+
Final audit:
64+
65+
- Supabase Auth match count: `1`.
66+
- Product `users` match count: `1`.
67+
- `users.authProviderUserId` equals Supabase Auth `auth.users.id`: PASS.
68+
- Sign-in smoke through `/api/auth/sign-in`: PASS.
69+
- Session resolved to the database `users.key`: PASS.
4170

4271
## Files Changed
4372

@@ -54,8 +83,11 @@ PASS:
5483
- `node --check src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs`
5584
- `node --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
5685
- `node --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
86+
- `node --check src/dev-runtime/toolbox-api/alfa-tool-services.mjs`
87+
- `node --check dev/scripts/sync-supabase-dev-creator-identities.mjs`
88+
- `node --check dev/tests/dev-runtime/TagsApiService.test.mjs`
5789
- `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
5890
- `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
91+
- `node --test dev/tests/dev-runtime/TagsApiService.test.mjs`
5992
- `git diff --check`
6093
- `npm run validate:canonical-structure`
61-

dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_requirement_checklist.md

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,8 +11,15 @@
1111
- PASS Do not add password tables.
1212
- PASS Do not use `displayName` as an identity key.
1313
- PASS Do not hardcode DavidQ/user keys in runtime login resolution.
14+
- PASS Verify qbytes exists in Supabase Auth.
15+
- PASS Verify qbytes exists in the product `users` table.
16+
- PASS Verify `users.authProviderUserId` equals Supabase Auth id.
17+
- PASS If the database row/link is stale, run DEV identity sync.
18+
- PASS Do not change password during existing Auth user sync.
19+
- PASS Do not recreate qbytes Auth user because it already exists.
20+
- PASS Do not use email fallback for session resolution.
21+
- PASS Re-test sign-in after sync.
1422
- PASS Report where `users.key` currently comes from.
1523
- PASS Report where `authProviderUserId` is populated.
1624
- PASS Report whether seed constants are setup-only or runtime identity authority.
1725
- PASS Report exact fix.
18-

dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_lane_report.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,11 +8,14 @@ Targeted auth and DEV identity sync validation.
88

99
- PASS `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`
1010
- PASS `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
11+
- PASS `node --test dev/tests/dev-runtime/TagsApiService.test.mjs`
12+
- PASS live DEV identity audit and sign-in smoke for `qbytes.dq@gmail.com`
1113

1214
## Coverage
1315

1416
- DEV identity sync reads existing database `users.key` values by email.
1517
- DEV identity sync writes real Supabase Auth ids to `users.authProviderUserId`.
18+
- Existing Auth user sync does not update passwords by default.
1619
- Session resolution accepts only `auth.users.id` matched to `users.authProviderUserId`.
1720
- Email-only session resolution is rejected with the existing Creator-safe setup message.
18-
21+
- Tags API setup no longer writes seed rows to the account `users` table.

dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_report.md

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,8 +10,21 @@ PASS
1010
- `node --check src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs`: PASS
1111
- `node --check dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`: PASS
1212
- `node --check dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`: PASS
13+
- `node --check src/dev-runtime/toolbox-api/alfa-tool-services.mjs`: PASS
14+
- `node --check dev/scripts/sync-supabase-dev-creator-identities.mjs`: PASS
15+
- `node --check dev/tests/dev-runtime/TagsApiService.test.mjs`: PASS
1316
- `node --test dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs`: PASS, 2 tests
1417
- `node --test --test-name-pattern "Supabase sign-in resolves|Supabase sign-in does not" dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs`: PASS, 2 tests
18+
- `node --test dev/tests/dev-runtime/TagsApiService.test.mjs`: PASS, 3 tests
19+
20+
## Live DEV Validation
21+
22+
- PASS Initial audit detected Supabase Auth user for `qbytes.dq@gmail.com`.
23+
- PASS Initial audit detected missing/stale product `users` row and halted sign-in retest.
24+
- PASS Approved DEV account DML restored the missing identity rows.
25+
- PASS DEV identity sync completed with `updatePasswords: false`.
26+
- PASS Final audit verified `users.authProviderUserId` equals Supabase Auth id.
27+
- PASS `/api/auth/sign-in` returned HTTP 200 and resolved the session to the database `users.key`.
1528

1629
## Repository Guardrails
1730

@@ -21,4 +34,3 @@ PASS
2134
## Notes
2235

2336
The targeted tests use a server-side Postgres client fixture to exercise the Local API route without opening a real database connection. Default runtime behavior remains unchanged because the injected client defaults to `null`.
24-
Lines changed: 47 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -1,26 +1,52 @@
11
# git status --short
2-
M dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs
3-
M dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs
4-
M src/dev-runtime/server/local-api-router.mjs
2+
M dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_branch_validation.md
3+
M dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_manual_validation_notes.md
4+
M dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_report.md
5+
M dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_requirement_checklist.md
6+
M dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_lane_report.md
7+
M dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_report.md
8+
M dev/reports/codex_changed_files.txt
9+
M dev/reports/codex_review.diff
10+
M dev/scripts/sync-supabase-dev-creator-identities.mjs
11+
M dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs
12+
M dev/tests/dev-runtime/TagsApiService.test.mjs
513
M src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs
6-
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_branch_validation.md
7-
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_manual_validation_notes.md
8-
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_report.md
9-
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_requirement_checklist.md
10-
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_lane_report.md
11-
?? dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_report.md
14+
M src/dev-runtime/toolbox-api/alfa-tool-services.mjs
15+
16+
# git diff --name-status main
17+
A dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_branch_validation.md
18+
A dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_manual_validation_notes.md
19+
A dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_report.md
20+
A dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_requirement_checklist.md
21+
A dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_lane_report.md
22+
A dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_report.md
23+
M dev/reports/codex_changed_files.txt
24+
M dev/reports/codex_review.diff
25+
M dev/scripts/sync-supabase-dev-creator-identities.mjs
26+
M dev/tests/dev-runtime/SupabaseDevCreatorIdentitySeedSync.test.mjs
27+
M dev/tests/dev-runtime/SupabaseProviderContractStub.test.mjs
28+
M dev/tests/dev-runtime/TagsApiService.test.mjs
29+
M src/dev-runtime/server/local-api-router.mjs
30+
M src/dev-runtime/testing/supabase-dev-creator-identity-seed-sync.mjs
31+
M src/dev-runtime/toolbox-api/alfa-tool-services.mjs
1232

1333
# git ls-files --others --exclude-standard
14-
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_branch_validation.md
15-
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_manual_validation_notes.md
16-
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_report.md
17-
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_requirement_checklist.md
18-
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_lane_report.md
19-
dev/reports/PR_26179_OWNER_035-dev-auth-user-key-db-authority_validation_report.md
34+
(no output)
2035

21-
# git diff --stat
22-
.../SupabaseDevCreatorIdentitySeedSync.test.mjs | 188 ++++++++++++++-------
23-
.../SupabaseProviderContractStub.test.mjs | 138 ++++++++++++++-
24-
src/dev-runtime/server/local-api-router.mjs | 24 ++-
25-
.../supabase-dev-creator-identity-seed-sync.mjs | 155 +++++++++++------
26-
4 files changed, 391 insertions(+), 114 deletions(-)
36+
# git diff --stat main
37+
...auth-user-key-db-authority_branch_validation.md | 34 ++
38+
...ser-key-db-authority_manual_validation_notes.md | 16 +
39+
...ER_035-dev-auth-user-key-db-authority_report.md | 93 +++++
40+
...-user-key-db-authority_requirement_checklist.md | 25 ++
41+
...user-key-db-authority_validation_lane_report.md | 21 +
42+
...auth-user-key-db-authority_validation_report.md | 36 ++
43+
dev/reports/codex_changed_files.txt | 33 +-
44+
dev/reports/codex_review.diff | 448 ++++++++++++++++-----
45+
.../sync-supabase-dev-creator-identities.mjs | 5 +-
46+
.../SupabaseDevCreatorIdentitySeedSync.test.mjs | 192 ++++++---
47+
.../SupabaseProviderContractStub.test.mjs | 138 ++++++-
48+
dev/tests/dev-runtime/TagsApiService.test.mjs | 1 +
49+
src/dev-runtime/server/local-api-router.mjs | 24 +-
50+
.../supabase-dev-creator-identity-seed-sync.mjs | 167 +++++---
51+
src/dev-runtime/toolbox-api/alfa-tool-services.mjs | 31 --
52+
15 files changed, 996 insertions(+), 268 deletions(-)

0 commit comments

Comments
 (0)