feat-002: Authentication and User Management (Clerk + RBAC)#16
Open
leecampbell-codeagent wants to merge 5 commits intoralph/feat-001-monorepo-scaffoldfrom
Open
feat-002: Authentication and User Management (Clerk + RBAC)#16leecampbell-codeagent wants to merge 5 commits intoralph/feat-001-monorepo-scaffoldfrom
leecampbell-codeagent wants to merge 5 commits intoralph/feat-001-monorepo-scaffoldfrom
Conversation
Backend: - User entity (create/reconstitute), Role/KycStatus constants, 6 domain errors - UserRepository port, UserRepositoryPg adapter (parameterised upsert) - AuthPort interface with ClerkAuthAdapter + MockAuthAdapter (MOCK_AUTH=true) - GetOrCreateUserService (lazy upsert on first /v1/me call) - UpdateUserProfileService, AssignRolesService (admin-only) - GET /v1/me, PATCH /v1/me endpoints — clerk_id never in responses - 39 backend tests passing (domain, application, API layers) Frontend: - ClerkProvider in main.tsx with VITE_CLERK_PUBLISHABLE_KEY guard - AuthPageLayout, AuthLoadingScreen, ProtectedRoute components - SignInPage, SignUpPage with MMF Clerk appearance config - DashboardPage placeholder (protected route) - createApiClient with JWT Bearer injection - useCurrentUser TanStack Query hook - 7 frontend tests passing Infrastructure: - db/migrations/20260307120000_create_users.sql: users table with roles[], kyc_status - Migration applied to local dev DB Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…edirecting
Clerk's requireAuth() defaults to HTTP 302 redirect for unauthenticated
requests. This violates the API contract (L2-002 §5.3) which requires
a machine-readable error response. Replace with manual userId check that
returns { error: { code: 'UNAUTHORISED', message: ... } } with HTTP 401.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…branches - Add UpdateUserProfileService.test.ts (FAIL-001) - Exclude UserRepositoryPg, ClerkAuthAdapter, port interfaces from coverage (FAIL-002) - Add null-auth handler tests, catch-block 500 test, GET /me/roles 404, POST /admin actor-not-found 404 to account.router.test.ts (FAIL-003) - Add .max(2000) to bio field in patchMeSchema (FAIL-004) - Add Result.test.ts and UserAlreadyExistsError.test.ts for full coverage Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Exploratory review: PASS (Playwright tester) - Security review: PASS (0 Critical, 0 High) - Audit: PASS (all 8 checklists, 98.82% coverage) - CI/CD: PASS (all local checks green) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/v1routes require a valid JWT;/healthis publicuserstable with lazy-sync upsert onGET /v1/me(first-login creates a record keyed onclerk_id)backer,creator,reviewer,administrator,super_administrator) stored in aTEXT[]column;POST /v1/admin/users/:id/rolesenforces Administrator-only assignmentStacked on: ralph/feat-001-monorepo-scaffold (merge parent PR first)
Screenshots
Screenshots: upload failed (agent token lacks blob write permission — see MANUAL-003 pattern)
Screenshots were captured at
/tmp/feat-002-{sign-in,sign-up,home-redirect}.pngduring exploratory review. Verified visually: deep-space background, Bebas Neue wordmark, Clerk sign-in/sign-up forms with brand colours, ProtectedRoute redirecting unauthenticated users.Quality Gate
Reports