| id | title | status | assignee | created_date | updated_date | labels | dependencies | priority | ordinal |
|---|---|---|---|---|---|---|---|---|---|
| TASK-31 | Require auth for usage event reads | In Progress | | 2026-06-06 20:27 | 2026-06-06 20:31 | | | high | 33000 |
Description
Protect public Convex usageEvents read queries from unauthenticated access while preserving validators, bounded reads, and index usage.
Acceptance Criteria
- #1 Source contracts assert every public usageEvents read query requires requireOperator auth
- #2 usageEvents read queries call requireOperator before reading sensitive telemetry
- #3 Focused usage-events source tests pass after the implementation
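
A source contract of the kind criteria #1 and #2 describe, as an added example rather than the project's own test: it scans module source text for public `query({...})` declarations and reports any whose body reaches `ctx.db` before, or without, a `requireOperator(` call. The sample source and its query names are constructed, and the `requireOperator(ctx)` call shape is an assumption, since the task names the helper only.

```javascript
// Added example: source contract for public Convex read queries (not the project's own test).
// Assumption: the guard is invoked as requireOperator(ctx); the task names the helper only.
// Constructed sample source: one guarded query, one unguarded, one guarded too late.
const SAMPLE_SOURCE = `
export const listRecent = query({
  args: { limit: v.number() },
  handler: async (ctx, args) => {
    await requireOperator(ctx);
    return await ctx.db.query("usageEvents").order("desc").take(args.limit);
  },
});
export const listByUser = query({
  args: { userId: v.string() },
  handler: async (ctx, args) => ctx.db.query("usageEvents").take(50),
});
export const countAll = query({
  args: {},
  handler: async (ctx) => {
    const rows = await ctx.db.query("usageEvents").take(100);
    await requireOperator(ctx);
    return rows.length;
  },
});
`;

// Return the balanced {...} block opening at index `open` (braces inside string literals are not handled).
function balancedBlock(source, open) {
  let depth = 0;
  for (let i = open; i < source.length; i++) {
    if (source[i] === "{") depth++;
    else if (source[i] === "}" && --depth === 0) return source.slice(open, i + 1);
  }
  return source.slice(open);
}

// List public queries whose body touches ctx.db before, or without, a requireOperator( call.
function findUnguardedReads(source) {
  const failures = [];
  const decl = /export const (\w+) = query\(\{/g;
  for (let m; (m = decl.exec(source)) !== null; ) {
    const body = balancedBlock(source, m.index + m[0].length - 1);
    const guardAt = body.indexOf("requireOperator(");
    const readAt = body.indexOf("ctx.db");
    if (readAt !== -1 && (guardAt === -1 || guardAt > readAt)) failures.push(m[1]);
  }
  return failures;
}

console.log(findUnguardedReads(SAMPLE_SOURCE));
```

The ordering check is what separates criterion #2 from a plain "mentions requireOperator" grep: `countAll` calls the guard but only after the rows have been read, so it is still reported.
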
Implementation Plan
- Inspect usageEvents source tests and local auth patterns
- Add RED source contracts for authenticated read queries
- Run focused test and capture RED
- Add minimal requireOperator guard to usageEvents reads
- Run focused GREEN verification and self-review
Implementation Notes
RED: pnpm test -- tests/usage-events-source.test.ts is blocked by pre-existing tests/ai-schemas.test.ts missing exports. Focused node --test tests/usage-events-source.test.ts fails as expected on missing usageEvents requireOperator auth guard.
GREEN: node --test tests/usage-events-source.test.ts passes 6/6. pnpm test -- tests/usage-events-source.test.ts compiles and usageEvents tests pass, but the overall runner fails on existing external-audit-pipeline-source.test.js: audit generation action sanitizes raw errors before run events and run failure summaries, outside Worker F scope.