Externalize audit pipeline services

backlog/tasks/task-39 - Secure-Convex-operator-APIs.md

@@ -0,0 +1,34 @@
+---
+id: TASK-39
+title: Secure Convex operator APIs
+status: In Progress
+assignee: []
+created_date: '2026-06-06 21:52'
+updated_date: '2026-06-06 22:00'
+labels: []
+dependencies: []
+priority: high
+ordinal: 41000
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Guard non-public Convex audit, lead, and run APIs so sensitive operational data is not exposed or mutated without authentication while preserving internal pipeline calls.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [x] #1 Audit admin reads and writes require operator auth while getPublicBySlug remains public
+- [x] #2 Lead admin reads and review mutations require operator auth while internal audit-generation calls use internal functions
+- [x] #3 Run admin reads/writes require operator auth while internal actions can append run events safely
+- [x] #4 Source contracts and full tests pass
+<!-- AC:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+Worker I audit slice: Added source-contract coverage for audit admin auth guards and preserved public getPublicBySlug. RED: node --test .test-output/tests/audits-auth-source.test.js failed on create missing requireOperator before ctx.db. GREEN: pnpm exec tsc -p tsconfig.test.json passed; node --test .test-output/tests/audits-auth-source.test.js passed (2/2).
+
+Worker J RED/GREEN: Added leads/runs source contracts; initial pnpm test failed on missing lead/run requireOperator guards and missing internal lead/run action refs. Implemented operator auth for public leads/runs APIs, added internal lead get/review update and run append event mutations, and switched auditGenerationAction/pageSpeedAction/websiteEnrichmentAction to internal refs. GREEN: pnpm test passed (363/363). Did not touch convex/audits.ts and did not stage/commit.
+<!-- SECTION:NOTES:END -->