Externalize audit pipeline services

backlog/tasks/task-31 - Require-auth-for-usage-event-reads.md

@@ -0,0 +1,43 @@
+---
+id: TASK-31
+title: Require auth for usage event reads
+status: In Progress
+assignee: []
+created_date: '2026-06-06 20:27'
+updated_date: '2026-06-06 20:31'
+labels: []
+dependencies: []
+priority: high
+ordinal: 33000
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Protect public Convex usageEvents read queries from unauthenticated access while preserving validators, bounded reads, and index usage.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [x] #1 Source contracts assert every public usageEvents read query requires requireOperator auth
+- [x] #2 usageEvents read queries call requireOperator before reading sensitive telemetry
+- [x] #3 Focused usage-events source tests pass after the implementation
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Inspect usageEvents source tests and local auth patterns
+2. Add RED source contracts for authenticated read queries
+3. Run focused test and capture RED
+4. Add minimal requireOperator guard to usageEvents reads
+5. Run focused GREEN verification and self-review
+<!-- SECTION:PLAN:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+RED: pnpm test -- tests/usage-events-source.test.ts is blocked by pre-existing tests/ai-schemas.test.ts missing exports. Focused node --test tests/usage-events-source.test.ts fails as expected on missing usageEvents requireOperator auth guard.
+
+GREEN: node --test tests/usage-events-source.test.ts passes 6/6. pnpm test -- tests/usage-events-source.test.ts compiles and usageEvents tests pass, but the overall runner fails on existing external-audit-pipeline-source.test.js: audit generation action sanitizes raw errors before run events and run failure summaries, outside Worker F scope.
+<!-- SECTION:NOTES:END -->