35 lines
1.8 KiB
Markdown
35 lines
1.8 KiB
Markdown
---
|
|
id: TASK-39
|
|
title: Secure Convex operator APIs
|
|
status: In Progress
|
|
assignee: []
|
|
created_date: '2026-06-06 21:52'
|
|
updated_date: '2026-06-06 22:00'
|
|
labels: []
|
|
dependencies: []
|
|
priority: high
|
|
ordinal: 41000
|
|
---
|
|
|
|
## Description
|
|
|
|
<!-- SECTION:DESCRIPTION:BEGIN -->
|
|
Guard non-public Convex audit, lead, and run APIs so sensitive operational data is not exposed or mutated without authentication while preserving internal pipeline calls.
|
|
<!-- SECTION:DESCRIPTION:END -->
|
|
|
|
## Acceptance Criteria
|
|
<!-- AC:BEGIN -->
|
|
- [x] #1 Audit admin reads and writes require operator auth while getPublicBySlug remains public
|
|
- [x] #2 Lead admin reads and review mutations require operator auth while internal audit-generation calls use internal functions
|
|
- [x] #3 Run admin reads/writes require operator auth while internal actions can append run events safely
|
|
- [x] #4 Source contracts and full tests pass
|
|
<!-- AC:END -->
|
|
|
|
## Implementation Notes
|
|
|
|
<!-- SECTION:NOTES:BEGIN -->
|
|
Worker I audit slice: Added source-contract coverage for audit admin auth guards and preserved public getPublicBySlug. RED: node --test .test-output/tests/audits-auth-source.test.js failed on create missing requireOperator before ctx.db. GREEN: pnpm exec tsc -p tsconfig.test.json passed; node --test .test-output/tests/audits-auth-source.test.js passed (2/2).
|
|
|
|
Worker J RED/GREEN: Added leads/runs source contracts; initial pnpm test failed on missing lead/run requireOperator guards and missing internal lead/run action refs. Implemented operator auth for public leads/runs APIs, added internal lead get/review update and run append event mutations, and switched auditGenerationAction/pageSpeedAction/websiteEnrichmentAction to internal refs. GREEN: pnpm test passed (363/363). Did not touch convex/audits.ts and did not stage/commit.
|
|
<!-- SECTION:NOTES:END -->
|