Complete DEV Supabase DB migration through product cutover and closeout audit - PR_26166_166-172 & Handle Supabase password reset rate limits with safe user messaging - PR_26166_173-password-reset-rate-limit-message

Author: qbytesdq-jpg

.env.example

@@ -1,16 +1,16 @@
 # Game Foundry Studio local development environment
 
-# Supabase Auth is the default auth provider. Local DB remains the product data provider.
+# Supabase Auth and Supabase Postgres are the default DEV auth/product data providers.
 # Missing Supabase configuration reports provider diagnostics instead of falling back.
 GAMEFOUNDRY_AUTH_PROVIDER=supabase-auth
-GAMEFOUNDRY_DB_PROVIDER=local-db
+GAMEFOUNDRY_DB_PROVIDER=supabase-postgres
 
-# Future Supabase DEV browser-safe configuration.
-# Leave values empty until a reviewed Supabase DEV project exists.
+# Supabase DEV browser-safe configuration.
+# Leave values empty in this example; local values belong in .env.local.
 GAMEFOUNDRY_SUPABASE_URL=
 GAMEFOUNDRY_SUPABASE_ANON_KEY=
 
-# Future Supabase DEV server-only configuration.
+# Supabase DEV server-only configuration.
 # Do not expose these values to browser JavaScript, HTML, reports, or screenshots.
 GAMEFOUNDRY_SUPABASE_SERVICE_ROLE_KEY=
 GAMEFOUNDRY_SUPABASE_DATABASE_URL=

admin/db-viewer.html

@@ -61,6 +61,8 @@ <h2>DB Inspector</h2>
                                     <div class="content-stack content-stack--compact" data-admin-db-local-status>
                                         <p><strong>Current URL:</strong> <span data-admin-db-status-current-url>Checking...</span></p>
                                         <p><strong>Detected server mode:</strong> <span data-admin-db-status-server-mode>Checking...</span></p>
+                                        <p><strong>Data provider:</strong> <span data-admin-db-status-provider>Checking...</span></p>
+                                        <p><strong>Data source:</strong> <span data-admin-db-status-source>Checking...</span></p>
                                         <p><strong>Local API availability:</strong> <span data-admin-db-status-api>Checking...</span></p>
                                         <p><strong>Expected API endpoint:</strong> <span data-admin-db-status-endpoint>/api/session/current</span></p>
                                         <p><strong>Admin setup endpoint:</strong> <span data-admin-db-status-setup-endpoint>/api/admin/setup/reseed</span></p>

admin/db-viewer.js

@@ -40,8 +40,8 @@ async function loadLocalDbViewer() {
     return;
   }
   const session = currentSession();
-  if (session.mode !== "local-db") {
-    showGatewayStatus(session.diagnostic || "DB Viewer is available only in Local DB mode.");
+  if (!session.authenticated) {
+    showGatewayStatus(session.diagnostic || "Sign in with an admin account to open DB Viewer.");
     return;
   }
   const module = await import("../src/engine/api/local-db-viewer-ui.js");

assets/theme-v2/js/account-auth-actions.js

@@ -6,6 +6,7 @@ const submitButton = document.querySelector("[data-account-auth-submit]");
 const action = form?.getAttribute("data-account-auth-form") || "";
 const ACCOUNT_IDENTITY_SETUP_MESSAGE = "Account identity setup is incomplete. Please contact support.";
 const AUTH_UNAVAILABLE_MESSAGE = "The site is currently unavailable. Please try again later.";
+const PASSWORD_RESET_RATE_LIMIT_MESSAGE = "Too many reset requests. Please wait and try again later.";
 let authStatus = null;
 
 function setStatus(message) {
@@ -36,6 +37,9 @@ async function readJson(response, fallbackMessage) {
     if (payload?.error === ACCOUNT_IDENTITY_SETUP_MESSAGE) {
       throw new Error(ACCOUNT_IDENTITY_SETUP_MESSAGE);
     }
+    if (payload?.error === PASSWORD_RESET_RATE_LIMIT_MESSAGE) {
+      throw new Error(PASSWORD_RESET_RATE_LIMIT_MESSAGE);
+    }
     throw new Error(fallbackMessage);
   }
   return payload?.data || {};

assets/theme-v2/js/admin-db-status-panel.js

@@ -29,7 +29,14 @@ function renderAdminDbStatus() {
   const session = sessionResponse.payload?.data || {};
   const mode = session.mode || "unknown";
   const persistence = session.persistence || "unknown persistence";
-  setText(fields.serverMode, `PASS: ${mode} (${persistence}).`);
+  const providerResponse = safeRequestServerApi("/providers/contract");
+  if (providerResponse.ok) {
+    const authProviderId = providerResponse.payload?.data?.activeProviders?.authProviderId || mode;
+    const providerLabel = authProviderId === "supabase-auth" ? "Supabase Auth" : persistence;
+    setText(fields.serverMode, `PASS: ${authProviderId} (${providerLabel}).`);
+  } else {
+    setText(fields.serverMode, `PASS: ${mode} (${persistence}).`);
+  }
   setText(fields.api, "PASS: /api/session/current responded.");
 }
 

docs_build/dev/codex_commands.md

@@ -1 +1 @@
-Add DEV Supabase auth test user cleanup - PR_26166_165-auth-test-user-cleanup
+Handle password reset rate limits safely - PR_26166_173-password-reset-rate-limit-message

docs_build/dev/commit_comment.txt

@@ -0,0 +1,31 @@
+# PR_26166_166 Cleanup Report
+
+## Summary
+
+PASS
+
+- Validation wrote one live DEV Supabase Auth test account.
+- Cleanup deleted the Supabase Auth user, matching `users` row, and matching `user_roles` row.
+- Final dry-run confirmed zero matching `codex-*` or `playwright-*` `@example.test` test accounts.
+- UAT/PROD were not touched.
+
+## Created Test Records
+
+- `codex-pr166-audit-1781574550756@example.test` userKey=`01KV71WKFRC9XD10D8MZRB7ZJG`
+
+## Deleted Test Records
+
+- `codex-pr166-audit-1781574550756@example.test` userKey=`01KV71WKFRC9XD10D8MZRB7ZJG`; Auth deleted=true; Auth not found=false; user_roles deleted=1; users deleted=1
+
+## Final Cleanup Confirmation
+
+- Command: `npm run cleanup:supabase-dev-auth-test-users -- --dry-run --json`
+- `testDataCandidates`: 0
+- `testDataCreated`: 0
+- `testDataDeleted`: 0 in final dry-run mode
+- `auditReassignmentRequired`: false
+- `status`: PASS
+
+## Non-Test Records
+
+Six non-test users were skipped by the cleanup matcher and were not deleted.

docs_build/dev/reports/PR_26166_166-dev-supabase-auth-closeout-audit_cleanup_report.md

@@ -0,0 +1,104 @@
+# PR_26166_166-dev-supabase-auth-closeout-audit
+
+## Branch Validation
+
+PASS
+
+- Current branch: `main`
+- Expected branch: `main`
+- Local branches found: `main`
+- `docs_build/dev/PROJECT_INSTRUCTIONS.md` read before execution.
+
+## Scope Summary
+
+PASS
+
+- Audited Supabase Auth readiness after PR_165 cleanup tooling.
+- Validated live DEV Create Account, Sign In, `/api/session/current`, Sign Out, `users`, `roles`, and `user_roles`.
+- Confirmed Codex-created test users were cleaned up before packaging.
+- Confirmed product data provider remains `local-db`.
+- No runtime code, DDL, product cutover, UAT, or PROD resources were changed.
+- No `.env.local` or secret values were changed or committed.
+
+## Requirement Checklist
+
+- PASS - Treat PR_166 as one separate BUILD unit.
+- PASS - Main branch only; current branch was `main`.
+- PASS - Read `docs_build/dev/PROJECT_INSTRUCTIONS.md` before work.
+- PASS - Audit Supabase Auth readiness after PR_165 cleanup tooling.
+- PASS - Validate Create Account.
+- PASS - Validate Sign In.
+- PASS - Validate `/api/session/current`.
+- PASS - Validate Sign Out through `POST /api/session/logout`.
+- PASS - Validate `users`, `roles`, and `user_roles`.
+- PASS - Confirm test users are cleaned up.
+- PASS - Confirm product data still uses Local DB.
+- PASS - Run `npm run validate:supabase-dev`.
+- PASS - Run targeted auth/session validation.
+- PASS - Cleanup ran after validation data was created.
+- PASS - Reports list created and deleted test records.
+- PASS - Playwright impacted: targeted auth/session Playwright run completed.
+- PASS - Full samples smoke was not run.
+
+## Live DEV Auth Audit
+
+PASS
+
+- Created validation account: `codex-pr166-audit-1781574550756@example.test`
+- Created user key: `01KV71WKFRC9XD10D8MZRB7ZJG`
+- Create Account: identity provisioned.
+- Sign In: resolved the same user key.
+- `/api/session/current`: returned authenticated user and `user` role.
+- Sign Out: `POST /api/session/logout` returned guest session.
+- Post-sign-out `/api/session/current`: returned guest session.
+- `users`: row found for created Supabase-auth user.
+- `user_roles`: row found for created user.
+- `roles`: linked role row found with `roleSlug=user`.
+- Provider contract: auth provider `supabase-auth`; product/database provider `local-db`.
+
+## Validation Lane Report
+
+Executed lanes:
+
+- runtime/integration: live DEV local API auth lifecycle audit.
+- integration: `npm run validate:supabase-dev`
+- contract/runtime: `node --test tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
+- targeted Playwright auth/session: `npx playwright test tests/playwright/account/SupabaseSignInSession.spec.mjs --project=playwright --workers=1 --reporter=list`
+- cleanup/live DEV: `npm run cleanup:supabase-dev-auth-test-users -- --dry-run --json`
+
+Skipped lanes:
+
+- Full samples smoke: SKIP by request and because samples were not in scope.
+- Admin DB Viewer validation: SKIP for PR_166 because Admin DB Viewer behavior was not changed.
+- Targeted provider/API validation for migrated product areas: SKIP for PR_166 because no product areas were migrated.
+- `npm run test:workspace-v2`: SKIP because no Project Workspace, toolState, or workspace runtime behavior changed. The command name is legacy; user-facing language remains Project Workspace.
+
+## Validation Results
+
+- PASS - Live DEV auth lifecycle audit.
+- PASS - `npm run validate:supabase-dev` (overall PASS; DEV direct PostgreSQL TLS warning remains advisory: `SELF_SIGNED_CERT_IN_CHAIN`)
+- PASS - `node --test tests/dev-runtime/SupabaseProviderContractStub.test.mjs` (29 tests passed)
+- PASS - `npx playwright test tests/playwright/account/SupabaseSignInSession.spec.mjs --project=playwright --workers=1 --reporter=list` (1 test passed)
+- PASS - `npm run cleanup:supabase-dev-auth-test-users -- --dry-run --json` returned `testDataCandidates: 0`.
+
+## Manual Validation Notes
+
+- Live local API validation used real Supabase DEV Auth and identity tables with `GAMEFOUNDRY_DB_PROVIDER=local-db`.
+- The account lifecycle was validated through server API routes, matching the browser-owned-provider boundary: browser surfaces call API/service contracts only.
+- Product data remained Local DB throughout the audit.
+- The created Codex validation account was deleted before packaging.
+- No UAT or PROD resources were created.
+
+## Playwright V8 Coverage
+
+- Report: `docs_build/dev/reports/playwright_v8_coverage_report.txt`
+- Guardrail: `docs_build/dev/reports/coverage_changed_js_guardrail.txt`
+- PR_166 does not introduce runtime JS source changes. The coverage report is regenerated by the targeted account Playwright run and may list PR_165 runtime files from the repository coverage reporter's HEAD/context scan as advisory warnings.
+
+## Required Artifacts
+
+- `docs_build/dev/reports/PR_26166_166-dev-supabase-auth-closeout-audit_report.md`
+- `docs_build/dev/reports/PR_26166_166-dev-supabase-auth-closeout-audit_cleanup_report.md`
+- `docs_build/dev/reports/codex_review.diff`
+- `docs_build/dev/reports/codex_changed_files.txt`
+- `tmp/PR_26166_166-dev-supabase-auth-closeout-audit_delta.zip`

docs_build/dev/reports/PR_26166_166-dev-supabase-auth-closeout-audit_report.md

@@ -0,0 +1,100 @@
+# PR_26166_167-product-data-provider-contract-hardening
+
+## Branch Validation
+
+PASS
+
+- Current branch: `main`
+- Expected branch: `main`
+- Local branches found: `main`
+- `docs_build/dev/PROJECT_INSTRUCTIONS.md` read before PR_167 execution.
+
+## Scope Summary
+
+PASS
+
+- Hardened the browser Toolbox registry client so product metadata must resolve through `/api/toolbox/registry/snapshot`.
+- Removed the silent empty browser-owned registry fallback from `toolbox/tool-registry-api-client.js`.
+- Kept the static missing-image path as display fallback only; it no longer carries product registry data.
+- Added contract coverage for API-backed browser product-data entrypoints.
+- No product table cutover was introduced.
+- No Supabase product tables, UAT resources, PROD resources, `.env.local`, secrets, password tables, or browser-owned auth/provider logic were changed.
+
+## Requirement Checklist
+
+- PASS - Treat PR_167 as one separate BUILD unit.
+- PASS - Main branch only; current branch was `main`.
+- PASS - Read `docs_build/dev/PROJECT_INSTRUCTIONS.md` before work.
+- PASS - Harden product-data provider contracts before cutover.
+- PASS - Ensure browser pages use API/service contracts only.
+- PASS - Identify and fix browser-owned product data paths: fixed the Toolbox registry API client's synthesized empty registry fallback.
+- PASS - No product table cutover was introduced.
+- PASS - Product data remains Local DB for this PR.
+- PASS - No silent fallback remains in the Toolbox registry client when the API contract is unavailable.
+- PASS - `npm run validate:supabase-dev` was skipped because PR_167 does not touch Supabase setup or Supabase data.
+- PASS - Targeted provider/API validation ran.
+- PASS - Targeted Playwright validation ran.
+- PASS - `npm run test:workspace-v2` ran because runtime/tool registry behavior changed. The command name is legacy; user-facing language remains Project Workspace.
+- PASS - No Supabase validation data was written, so no Supabase cleanup report is required.
+- PASS - Playwright impacted: yes.
+- PASS - Full samples smoke was not run.
+
+## Product-Data Contract Findings
+
+PASS
+
+- Finding fixed: `toolbox/tool-registry-api-client.js` previously caught registry API failures and synthesized `{ activeTools: [], tools: [] }` in the browser. That made the browser own product metadata fallback state and could hide a broken API contract.
+- Fix: registry reads now fail visibly with the server API diagnostic until `/api/toolbox/registry/snapshot` succeeds.
+- Fix: a failed read is retryable, so transient route timing does not permanently freeze the diagnostic.
+- Preserved behavior: `getToolImageSource()` may still return `/assets/theme-v2/images/image-missing.svg` when a tool lacks an image field; that is a display asset fallback, not a product-data registry fallback.
+
+## Validation Lane Report
+
+Executed lanes:
+
+- contract/runtime: `node --check toolbox/tool-registry-api-client.js`
+- contract/runtime: `node --check tests/dev-runtime/ProductDataProviderContractHardening.test.mjs`
+- contract/runtime: `node --test tests/dev-runtime/ProductDataProviderContractHardening.test.mjs`
+- provider contract regression: `node --test tests/dev-runtime/SupabaseProviderContractStub.test.mjs`
+- targeted Playwright provider/API: `GAMEFOUNDRY_AUTH_PROVIDER=local-db GAMEFOUNDRY_DB_PROVIDER=local-db npx playwright test tests/playwright/tools/ToolImageRegistry.spec.mjs tests/playwright/tools/ToolboxAdminMetadataSsot.spec.mjs --project=playwright --workers=1 --reporter=list`
+- Project Workspace legacy lane: `GAMEFOUNDRY_AUTH_PROVIDER=local-db GAMEFOUNDRY_DB_PROVIDER=local-db npm run test:workspace-v2`
+
+Skipped lanes:
+
+- `npm run validate:supabase-dev`: SKIP because this PR does not touch Supabase configuration, Supabase Auth, Supabase DDL, or Supabase data.
+- Full samples smoke: SKIP by request and because samples were not in scope.
+- Admin DB Viewer validation: SKIP because Admin DB Viewer behavior is not changed in PR_167.
+- Product cutover validation: SKIP because no product table cutover occurs until PR_170.
+
+## Validation Results
+
+- PASS - `node --check toolbox/tool-registry-api-client.js`
+- PASS - `node --check tests/dev-runtime/ProductDataProviderContractHardening.test.mjs`
+- PASS - `node --test tests/dev-runtime/ProductDataProviderContractHardening.test.mjs` (3 tests passed)
+- PASS - `node --test tests/dev-runtime/SupabaseProviderContractStub.test.mjs` (29 tests passed)
+- PASS - Targeted Playwright provider/API lane (9 tests passed)
+- PASS - `npm run test:workspace-v2` (5 tests passed)
+
+## Manual Validation Notes
+
+- Captured Admin Tool Votes diagnostics during the first targeted run and confirmed the zero-row page state was caused by an auth-provider selector mismatch, not product metadata rendering.
+- Reran the impacted browser lane with explicit `GAMEFOUNDRY_AUTH_PROVIDER=local-db` and `GAMEFOUNDRY_DB_PROVIDER=local-db`, matching PR_167's pre-cutover Local DB product-data scope.
+- Verified Admin Tool Votes and Toolbox index render from API snapshots and do not request the retired browser registry module.
+- Validation wrote no Supabase records. Playwright-created local DB state used per-run temp SQLite files and was cleaned up when each test server closed.
+
+## Playwright V8 Coverage
+
+- Report: `docs_build/dev/reports/playwright_v8_coverage_report.txt`
+- Guardrail: `docs_build/dev/reports/coverage_changed_js_guardrail.txt`
+- PR_167 changed runtime JS: `toolbox/tool-registry-api-client.js`
+- Coverage evidence: `(90%) toolbox/tool-registry-api-client.js - executed lines 155/155; executed functions 26/29`
+- Advisory note: because the PR stack is still uncommitted locally, the coverage report also lists changed runtime JS from earlier stacked PRs as warnings.
+
+## Required Artifacts
+
+- `docs_build/dev/reports/PR_26166_167-product-data-provider-contract-hardening_report.md`
+- `docs_build/dev/reports/codex_review.diff`
+- `docs_build/dev/reports/codex_changed_files.txt`
+- `docs_build/dev/reports/playwright_v8_coverage_report.txt`
+- `docs_build/dev/reports/coverage_changed_js_guardrail.txt`
+- `tmp/PR_26166_167-product-data-provider-contract-hardening_delta.zip`