Add storage status, real asset storage, asset reference linking, and promotion foundation - PR_26168_211-through-214-storage-promotion-stack

Author: qbytesdq-jpg

assets/GFS-Infrastructure v1-2.png

@@ -10,13 +10,15 @@ class OwnerOperationsController {
         this.actionButtons = Array.from(root.querySelectorAll("[data-owner-operation-action]"));
         this.connectionSummary = root.querySelector("[data-owner-connection-summary]");
         this.databaseStatusRows = root.querySelector("[data-owner-database-status-rows]");
+        this.promotionFoundationRows = root.querySelector("[data-owner-promotion-foundation-rows]");
         this.resultRows = root.querySelector("[data-owner-operation-result-rows]");
         this.status = root.querySelector("[data-owner-operations-status]");
+        this.storageStatusRows = root.querySelector("[data-owner-storage-status-rows]");
         this.validateButton = root.querySelector("[data-owner-operation-validate]");
     }
 
     init() {
-        if (!this.connectionSummary || !this.databaseStatusRows || !this.resultRows || !this.status || !this.validateButton) {
+        if (!this.connectionSummary || !this.databaseStatusRows || !this.promotionFoundationRows || !this.resultRows || !this.status || !this.storageStatusRows || !this.validateButton) {
             return;
         }
         this.validateButton.addEventListener("click", () => this.validateConnection());
@@ -34,6 +36,7 @@ class OwnerOperationsController {
         const rows = [
             ["Account", summary.account?.status || "unknown", summary.account?.configured === true ? "configured" : "not configured"],
             ["Product Data", summary.productData?.status || "unknown", summary.productData?.configured === true ? "configured" : "not configured"],
+            ["Project Asset Storage", summary.projectAssetStorage?.status || "unknown", summary.projectAssetStorage?.configured === true ? "configured" : "not configured"],
             ["Environment Switching", summary.environmentSwitching || "manual-env-change-and-server-restart", "manual"],
             ["Secrets", summary.secretsExposed === true ? "exposed" : "not exposed", "read-only summary"],
         ];
@@ -73,6 +76,49 @@ class OwnerOperationsController {
         });
     }
 
+    renderStorageStatus(storageStatus = {}) {
+        const rows = [
+            ["Storage Configured", storageStatus.configured === true ? "PASS" : "WARN", storageStatus.configured === true ? "yes" : "no"],
+            ["Storage Endpoint", storageStatus.endpointStatus || "WARN", storageStatus.endpoint || "not configured"],
+            ["Storage Bucket", storageStatus.bucketStatus || "WARN", storageStatus.bucket || "not configured"],
+            ["Projects Prefix", storageStatus.projectsPrefixStatus || "WARN", storageStatus.projectsPrefix || "not configured"],
+            ["Access Key", storageStatus.accessKeyStatus || "WARN", storageStatus.accessKeyConfigured === true ? "configured; value hidden" : "not configured"],
+            ["Secret Key", storageStatus.secretKeyStatus || "WARN", storageStatus.secretKeyConfigured === true ? "configured; value hidden" : "not configured"],
+        ];
+        this.storageStatusRows.replaceChildren();
+        rows.forEach((row) => {
+            const tableRow = document.createElement("tr");
+            row.forEach((value) => {
+                const cell = document.createElement("td");
+                cell.textContent = value;
+                tableRow.append(cell);
+            });
+            this.storageStatusRows.append(tableRow);
+        });
+    }
+
+    renderPromotionFoundation(promotionFoundation = {}) {
+        const steps = Array.isArray(promotionFoundation.steps) ? promotionFoundation.steps : [];
+        const rows = steps.length
+            ? steps.map((step) => [
+                step.stage || "Unknown",
+                step.operation || "Planning",
+                step.status || "PLAN",
+                `${promotionFoundation.ownerOnly === true ? "Owner-only" : "Restricted"}; ${promotionFoundation.browserExecutionAllowed === false ? "browser execution disabled" : "browser execution unknown"}; ${promotionFoundation.destructiveOperationsAllowed === false ? "destructive operations disabled" : "destructive operations unknown"}; ${step.message || promotionFoundation.message || "Promotion foundation planning."}`,
+            ])
+            : [["DEV/UAT/PROD", "Planning", promotionFoundation.status || "WARN", promotionFoundation.message || "Promotion foundation status unavailable."]];
+        this.promotionFoundationRows.replaceChildren();
+        rows.forEach((row) => {
+            const tableRow = document.createElement("tr");
+            row.forEach((value) => {
+                const cell = document.createElement("td");
+                cell.textContent = value;
+                tableRow.append(cell);
+            });
+            this.promotionFoundationRows.append(tableRow);
+        });
+    }
+
     appendResult(result = {}) {
         const row = document.createElement("tr");
         [
@@ -93,6 +139,8 @@ class OwnerOperationsController {
             const payload = readOwnerOperationsStatus();
             this.renderConnectionSummary(payload.connectionSummary || {});
             this.renderDatabaseStatus(payload.databaseStatus || {});
+            this.renderPromotionFoundation(payload.promotionFoundation || {});
+            this.renderStorageStatus(payload.storageStatus || {});
             this.setStatus(payload.status || "PASS", payload.message || "Owner Operations loaded.");
         } catch (error) {
             this.setStatus("FAIL", error instanceof Error ? error.message : "Owner Operations are unavailable.");
@@ -104,6 +152,8 @@ class OwnerOperationsController {
             const result = validateOwnerOperationsConnection();
             this.renderConnectionSummary(result.connectionSummary || {});
             this.renderDatabaseStatus(result.databaseStatus || {});
+            this.renderPromotionFoundation(result.promotionFoundation || {});
+            this.renderStorageStatus(result.storageStatus || {});
             this.appendResult(result);
             this.setStatus(result.status || "PASS", result.message || "Connection validation finished.");
         } catch (error) {

assets/GFS-Infrastructure v1-3.png

@@ -0,0 +1,61 @@
+# PR_26168_211-storage-status-surface
+
+## Branch Validation
+- PASS - Current branch: `main`.
+- PASS - Expected branch: `main`.
+- PASS - Local branches found: `main`.
+
+## Scope Summary
+- Added safe Project Asset Storage status visibility to Owner Operations.
+- Storage status is status-first and read-only.
+- Browser-visible fields are limited to configured state, endpoint, bucket, projects prefix, and credential configured/hidden status.
+- Storage access key and secret key values are never rendered.
+- No storage write, delete, promotion, `.env` editing, or destructive action was added.
+
+## Validation Lane Report
+- Impacted lane: Owner/Admin operations status surface.
+- PASS - `node --check assets/theme-v2/js/owner-operations.js`.
+- PASS - `node --check src/dev-runtime/server/local-api-router.mjs`.
+- PASS - `node --check tests/helpers/playwrightRepoServer.mjs`.
+- PASS - `node --check tests/playwright/tools/AdminPlatformToolsWireframes.spec.mjs`.
+- PASS - `npx playwright test tests/playwright/tools/AdminPlatformToolsWireframes.spec.mjs -g "Owner Operations"`:
+  - 2 passed.
+  - DavidQ owner/admin session sees storage status.
+  - Signed-in non-owner session is blocked from Owner Operations.
+- WARN - `npm run test:workspace-v2` was run because this PR changes UI/API/storage-adjacent behavior. This command name is legacy; user-facing language remains Project Workspace.
+  - First run failed before PR211 behavior because the Playwright repo server helper did not load `.env` before creating the Local API router.
+  - Fixed the test helper to load `.env` server-side only, matching the Local API runtime path.
+  - Rerun improved to 3 passed / 2 failed.
+  - Remaining failures are outside PR211 scope: a root tools page error and Game Design/Controls repository method 500s in `RootToolsFutureState.spec.mjs`.
+- PASS - Playwright V8 coverage report was produced at `docs_build/dev/reports/playwright_v8_coverage_report.txt`.
+
+## Manual Validation Notes
+- Owner Operations now includes a `Project Asset Storage Status` table.
+- Safe status rows show storage configured state, endpoint, bucket, projects prefix, access key configured/hidden, and secret key configured/hidden.
+- The page continues to state that secrets and configuration files are not editable from the browser.
+- No inline HTML script/style/event handlers were added.
+- No `start_of_day` folders or sample JSON were touched.
+
+## Requirement Checklist
+- PASS - Read `docs_build/dev/PROJECT_INSTRUCTIONS.md` first.
+- PASS - Hard stop unless current branch is `main`.
+- PASS - Kept PR211 independently scoped to storage status visibility.
+- PASS - Added Owner/Admin storage status visibility for configured project asset storage.
+- PASS - Did not expose secrets, keys, or full connection strings.
+- PASS - Preserved Web UI -> API/Service Contract -> Database/Storage.
+- PASS - Did not introduce silent fallbacks or hidden defaults.
+- PASS - Did not introduce page-local product data arrays.
+- PASS - Did not introduce browser storage SSoT.
+- PASS - Did not introduce fake login, MEM DB, or custom auth.
+- PASS - Did not modify `start_of_day` folders.
+- PASS - Did not touch sample JSON.
+- PASS - Did not add inline HTML script/style/event handlers.
+- PASS - Used existing Theme V2 classes only on the public/root UI surface.
+- PASS - Used Local API / Local DB terminology in report prose where DEV runtime is discussed.
+- PASS - Produced required reports: `codex_review.diff`, `codex_changed_files.txt`, and this PR-specific report.
+
+## Full Samples Decision
+- SKIP - Full samples smoke was not run. PR211 changes Owner Operations status UI/API behavior only and does not touch samples, sample JSON, engine runtime, or shared sample launch surfaces.
+
+## Artifact
+- `tmp/PR_26168_211-storage-status-surface_delta.zip`

assets/theme-v2/js/owner-operations.js

@@ -0,0 +1,41 @@
+# PR_26168_212-assets-real-storage-mode
+
+## Branch Validation
+- PASS - Current branch was `main` before and during implementation.
+
+## Summary
+- Wired the Assets DEV storage upload flow through the Local API repository and configured project asset storage contract.
+- Removed the test-owned browser mock boundary for the affected storage path; the targeted test now uses the real Assets page, Local API repository calls, Local DB persistence, and API-owned storage read/list endpoints.
+- Preserved server-side storage secrets: the browser receives read/list API routes and object keys, not access keys or secret keys.
+
+## Requirement Checklist
+- PASS - Hard stop unless current branch is `main`; branch guard passed.
+- PASS - PR scope stayed on Assets real storage mode and the Local API/storage contract.
+- PASS - Preserved Web UI -> API/Service Contract -> Database/Storage.
+- PASS - Affected asset storage path no longer uses page-local product data arrays or browser-owned product-data behavior.
+- PASS - Browser uploads through the Local API repository/service contract.
+- PASS - Object writes use configured storage prefix `/dev/projects/` in the targeted storage validation.
+- PASS - No storage secrets are rendered in the browser; the targeted Playwright test asserts access key and secret key text are absent.
+- PASS - No fake login, MEM DB, custom auth, silent fallback, start_of_day edits, sample JSON edits, or inline HTML script/style/event handlers were added.
+- PASS - DEV user-facing language uses Local API, Local DB, and SQLite terminology where touched.
+
+## Validation Lane Report
+- PASS - `node --check assets/theme-v2/js/owner-operations.js`
+- PASS - `node --check src/dev-runtime/server/local-api-router.mjs`
+- PASS - `node --check tests/helpers/playwrightRepoServer.mjs`
+- PASS - `node --check tests/playwright/tools/AdminPlatformToolsWireframes.spec.mjs`
+- PASS - `node --check tests/playwright/tools/AssetToolMockRepository.spec.mjs`
+- PASS - `npx playwright test tests/playwright/tools/AssetToolMockRepository.spec.mjs -g "Assets DEV storage upload list and read"`
+- INFO - `docs_build/dev/reports/playwright_v8_coverage_report.txt` included as the advisory Playwright V8 coverage report for changed runtime JavaScript.
+- PASS/SKIP - `node .\scripts\validate-storage-config.mjs`: `.env` loaded; live DEV storage values were not configured, so live storage validation skipped.
+- FAIL (known unrelated lane failures) - `npm run test:workspace-v2`: 3 passed, 2 failed in `RootToolsFutureState.spec.mjs` due root tools page error `Cannot read properties of undefined (reading 'length')` and unrelated Game Design/Controls repository 500s. This command name is legacy; user-facing language remains Project Workspace.
+
+## Manual Validation Notes
+- Targeted storage test wrote `SMALL_PNG` through the Assets page and Local API to fake R2 storage.
+- Evidence: storage server observed a `PUT` under `/dev/projects/<projectId>/image/<uploadFileName>.png`.
+- Evidence: `GET /api/storage/project-assets/list?projectId=<projectId>` returned the stored key and `/dev/projects/` prefix.
+- Evidence: `GET /api/storage/project-assets/read?key=<objectKey>` returned the uploaded bytes with `application/octet-stream`.
+- Local DB persistence now writes only the asset runtime rows and the project row needed for the asset FK chain, not a broad browser-owned product snapshot.
+
+## Full Samples Decision
+- SKIP - Full samples smoke was not run because this PR changed a targeted Assets storage/API path and did not require shared samples runtime coverage.

docs_build/dev/reports/PR_26168_211-storage-status-surface.md

@@ -0,0 +1,37 @@
+# PR_26168_213-project-asset-reference-linking
+
+## Branch Validation
+- PASS - Current branch was `main` before and during implementation.
+
+## Summary
+- Linked storage-backed asset metadata to API-owned object keys.
+- Storage uploads now keep the configured object key as the durable `storedPath` for asset metadata and storage-object metadata.
+- The Assets UI shows the storage object key as read-only metadata; the browser still does not generate or edit authoritative keys.
+
+## Requirement Checklist
+- PASS - Hard stop unless current branch is `main`; branch guard passed.
+- PASS - PR scope stayed on project asset metadata/reference linking.
+- PASS - Asset metadata records link to storage object metadata through `storageObjectId` and `asset_storage_objects.id`.
+- PASS - Local DB metadata carries the API-owned object key in `storedPath` after a storage-backed upload.
+- PASS - The Local API/storage service owns authoritative object keys through `objectKeyForProjectPath`.
+- PASS - Browser receives object-key evidence for display/read calls only; it does not receive storage secrets or own key generation.
+- PASS - Preserved Web UI -> API/Service Contract -> Database/Storage.
+- PASS - No fake login, MEM DB, custom auth, silent fallback, start_of_day edits, sample JSON edits, or inline HTML script/style/event handlers were added.
+
+## Validation Lane Report
+- PASS - `node --check src/dev-runtime/persistence/tool-repositories/assets-mock-repository.js`
+- PASS - `node --check toolbox/assets/assets.js`
+- PASS - `node --check tests/playwright/tools/AssetToolMockRepository.spec.mjs`
+- PASS - `npx playwright test tests/playwright/tools/AssetToolMockRepository.spec.mjs -g "Assets DEV storage upload list and read"`
+- INFO - `docs_build/dev/reports/playwright_v8_coverage_report.txt` included as the advisory Playwright V8 coverage report for changed runtime JavaScript.
+- FAIL (known unrelated lane failures) - `npm run test:workspace-v2`: 3 passed, 2 failed in `RootToolsFutureState.spec.mjs` due root tools page error `Cannot read properties of undefined (reading 'length')` and unrelated Game Design/Controls repository 500s. This command name is legacy; user-facing language remains Project Workspace.
+
+## Manual Validation Notes
+- Targeted Playwright uploaded an image through the real Assets page and Local API storage path.
+- Evidence: `GET /api/storage/project-assets/list?projectId=<projectId>` returned `/dev/projects/<projectId>/image/<fileName>.png`.
+- Evidence: `GET /api/storage/project-assets/read?key=<objectKey>` returned the uploaded bytes.
+- Evidence: Assets metadata displayed `Stored path: <objectKey>`, `Storage object key: <objectKey>`, and the API read URL.
+- Evidence: `/api/product-data/snapshot` returned matching `asset_library_items.storedPath` and `asset_storage_objects.storedPath` for the uploaded object key.
+
+## Full Samples Decision
+- SKIP - Full samples smoke was not run because this PR changed the targeted asset metadata/storage-linking path and did not require shared samples runtime coverage.

docs_build/dev/reports/PR_26168_212-assets-real-storage-mode.md

@@ -0,0 +1,38 @@
+# PR_26168_214-project-promotion-foundation
+
+## Branch Validation
+- PASS - Current branch was `main` before and during implementation.
+
+## Summary
+- Added an Owner-only project promotion foundation surface to Owner Operations.
+- The foundation is planning/status only for DEV, UAT, and PROD export/import/validate flow.
+- No browser-side export/import/validate execution, destructive operation, secret editing, fake auth, or environment switching was added.
+
+## Requirement Checklist
+- PASS - Hard stop unless current branch is `main`; branch guard passed.
+- PASS - PR scope stayed on project promotion foundation planning.
+- PASS - Owner-only access preserved through the existing Owner Operations session gate.
+- PASS - DEV/UAT/PROD promotion foundation includes export, import, and validate planning steps.
+- PASS - Runtime-safe flow is status-first: browser execution and destructive operations are explicitly disabled.
+- PASS - Existing promotion action buttons continue to return `SKIP` and `executed=false`.
+- PASS - Preserved Web UI -> API/Service Contract -> Database/Storage.
+- PASS - No silent fallback, hidden default, page-local product data array, browser storage SSoT, fake login, MEM DB, custom auth, start_of_day edits, sample JSON edits, or inline HTML script/style/event handlers were added.
+- PASS - User-facing DEV copy references Local API and Local DB/SQLite where relevant.
+
+## Validation Lane Report
+- PASS - `node --check assets/theme-v2/js/owner-operations.js`
+- PASS - `node --check src/dev-runtime/server/local-api-router.mjs`
+- PASS - `node --check tests/playwright/tools/AdminPlatformToolsWireframes.spec.mjs`
+- PASS - `npx playwright test tests/playwright/tools/AdminPlatformToolsWireframes.spec.mjs -g "Owner Operations"`
+- INFO - `docs_build/dev/reports/playwright_v8_coverage_report.txt` included as the advisory Playwright V8 coverage report for changed runtime JavaScript; the final combined targeted run covered `toolbox/assets/assets.js` and reports advisory uncollected warnings for server/owner modules.
+- PASS - `npm run validate:browser-env-agnostic`
+- FAIL (known unrelated lane failures) - `npm run test:workspace-v2`: 3 passed, 2 failed in `RootToolsFutureState.spec.mjs` due root tools page error `Cannot read properties of undefined (reading 'length')` and unrelated Game Design/Controls repository 500s. This command name is legacy; user-facing language remains Project Workspace.
+
+## Manual Validation Notes
+- Owner test user sees the promotion foundation table with DEV, UAT, PROD, Export, Import, and Validate planning.
+- Owner table text confirms Owner-only access, browser execution disabled, and destructive operations disabled.
+- Promotion action `promote-dev-to-uat` returns `SKIP` and `executed=false`.
+- Non-owner user remains blocked from Owner Operations and cannot see the promotion surface.
+
+## Full Samples Decision
+- SKIP - Full samples smoke was not run because this PR changed the targeted Owner Operations planning/status surface and did not require shared samples runtime coverage.