pitchfast/backlog/tasks/task-31 - Require-auth-for-usage-event-reads.md

---
id: TASK-31
title: Require auth for usage event reads
status: Done
assignee: []
created_date: '2026-06-06 20:27'
updated_date: '2026-06-10 19:27'
labels: []
dependencies: []
priority: high
ordinal: 33000
---

## Description

<!-- SECTION:DESCRIPTION:BEGIN -->
Protect public Convex usageEvents read queries from unauthenticated access while preserving validators, bounded reads, and index usage.
<!-- SECTION:DESCRIPTION:END -->

## Acceptance Criteria
<!-- AC:BEGIN -->
- [x] #1 Source contracts assert every public usageEvents read query requires requireOperator auth
- [x] #2 usageEvents read queries call requireOperator before reading sensitive telemetry
- [x] #3 Focused usage-events source tests pass after the implementation
<!-- AC:END -->

## Implementation Plan

<!-- SECTION:PLAN:BEGIN -->
1. Inspect usageEvents source tests and local auth patterns
2. Add RED source contracts for authenticated read queries
3. Run focused test and capture RED
4. Add minimal requireOperator guard to usageEvents reads
5. Run focused GREEN verification and self-review
<!-- SECTION:PLAN:END -->

## Implementation Notes

<!-- SECTION:NOTES:BEGIN -->
RED: pnpm test -- tests/usage-events-source.test.ts is blocked by pre-existing tests/ai-schemas.test.ts missing exports. Focused node --test tests/usage-events-source.test.ts fails as expected on missing usageEvents requireOperator auth guard.

GREEN: node --test tests/usage-events-source.test.ts passes 6/6. pnpm test -- tests/usage-events-source.test.ts compiles and usageEvents tests pass, but the overall runner fails on existing external-audit-pipeline-source.test.js: audit generation action sanitizes raw errors before run events and run failure summaries, outside Worker F scope.
<!-- SECTION:NOTES:END -->

## Final Summary

<!-- SECTION:FINAL_SUMMARY:BEGIN -->
Closed per explicit user request while switching project tracking to pitchfast.
<!-- SECTION:FINAL_SUMMARY:END -->