tiennm99/bsk
1
0
Fork 0
mirror of https://github.com/tiennm99/bsk.git synced 2026-06-17 20:47:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
bsk/docs
T
History
tiennm99 eb1af9013e feat(phase-1): admin enrollment (first-admin claim + invite flow) 
- supabase/migrations/20260525163400_bsk_admin.sql:
  bsk.claim_first_admin(uuid) -> boolean, VOLATILE SECURITY DEFINER.
  Advisory lock keyed by hashtext('bsk:claim_first_admin')::bigint
  serializes concurrent first-sign-ins; EXISTS-guarded INSERT means
  only the first caller wins.
- types/supabase-bsk.ts: added claim_first_admin to bsk.Functions.
- lib/auth/invite-schema.ts: InviteUserSchema (Zod v4: email + role
  enum derived from appRoles) + InviteUserState discriminated union.
- app/[locale]/(app)/admin/invite/{actions,page,form}.tsx: admin-only
  invite Server Action + page + RHF/useActionState client form.
  Caller-role check via getServerSession() (defense in depth; the
  (app)/admin layout in phase 06 will gate at the route level).
  Insert uses createSupabaseAdminClient() because app_users has no
  INSERT RLS policy by design.
- app/[locale]/(auth)/sign-in/actions.ts: extended enrollment-check
  branch — when no row AND count == 0, calls claim_first_admin RPC.
  On true, re-fetches enrollment row and proceeds; on false (race
  lost) or count > 0, falls through to existing sign-out + generic
  error (enumeration defense preserved).
- messages/{vi,en}.json: admin.invite.* keys (parity).
- docs/runbooks/first-admin-setup.md: happy path + manual psql
  fallback bootstrap procedure.

No audit_log refs — trimmed plan respected.
2026-05-25 17:47:47 +07:00
..
runbooks
feat(phase-1): admin enrollment (first-admin claim + invite flow)
2026-05-25 17:47:47 +07:00
supabase-shared-config.md
docs: record phase-5/7 + key-rotation decisions
2026-05-25 16:16:38 +07:00
threat-model.md
chore(ci): add NEXT_PUBLIC_*=sb_secret_* leak guard
2026-05-25 16:19:43 +07:00