From 8d30e01ad4078efde698f88cf25e70cab456d40c Mon Sep 17 00:00:00 2001
From: Scott Idem <stidem@gmail.com>
Date: Tue, 7 Apr 2026 22:23:33 -0400
Subject: [PATCH] fix(idaa): harden identity linkage in BB post and comment
 edit handlers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three targeted fixes following code review of the Novi UUID linkage commit:

1. ae_idaa_comp__post_obj_id_edit.svelte — Add localStorage scavenge fallback
   in handle_submit_form() for external_person_id / full_name / email.
   WHY: The form input falls back to $idaa_loc.novi_uuid at render time only.
   On a race-condition mount where the store was null, the input captures an
   empty string.  Without this, a subsequent PATCH on a legacy post (no
   external_person_id) would overwrite the field with an empty string, permanently
   breaking the Novi linkage for that record.  The scavenge re-checks the live
   store and then localStorage before submitting.

2. ae_idaa_comp__post_options.svelte — Fix double alert() on creation failure.
   WHY: The .catch() handler alerted the user and reset 'creating'.  The
   .finally() block then ran unconditionally and fired a second alert when
   final_id was null (which it always is on failure).  User saw two dialogs.
   Fixed by removing the duplicate alert from .finally() — it now only resets
   the 'creating' flag, which .catch() may have already done (harmless reset).

3. ae_idaa_comp__post_comment_obj_id_edit.svelte — Remove 'log_lvl = 1' mutation.
   WHY: log_lvl is a $bindable prop.  Assigning to it inside handle_submit_form()
   unconditionally mutated the parent binding on every single form submission,
   overriding the caller's logging preference.  This was debug code accidentally
   left in.  Removed; the existing 'if (log_lvl)' guard is sufficient.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 ...idaa_comp__post_comment_obj_id_edit.svelte |  1 -
 .../bb/ae_idaa_comp__post_obj_id_edit.svelte  | 30 +++++++++++++++++--
 .../bb/ae_idaa_comp__post_options.svelte      |  2 +-
 3 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_comment_obj_id_edit.svelte b/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_comment_obj_id_edit.svelte
index 21c2b505..ee4b28a4 100644
--- a/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_comment_obj_id_edit.svelte
+++ b/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_comment_obj_id_edit.svelte
@@ -131,7 +131,6 @@ async function handle_submit_form(event: any) {
     post_comment_do['group'] = post_comment_form.group ?? null;
     post_comment_do['enable'] = post_comment_form.enable ?? true;
 
-    log_lvl = 1;
     if (log_lvl) {
         console.log('Final Payload (post_comment_do):', post_comment_do);
     }
diff --git a/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_obj_id_edit.svelte b/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_obj_id_edit.svelte
index 4717fc5b..32b0c695 100644
--- a/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_obj_id_edit.svelte
+++ b/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_obj_id_edit.svelte
@@ -131,9 +131,33 @@ async function handle_submit_form(event: any) {
 
     post_do['anonymous'] = post_di.anonymous;
 
-    post_do['external_person_id'] = post_di.external_person_id;
-    post_do['full_name'] = post_di.full_name;
-    post_do['email'] = post_di.email;
+    // Robust scavenging: the form input falls back to $idaa_loc.novi_uuid at render
+    // time, but if the store was null during that render (race condition on mount) the
+    // input would have captured an empty string.  Re-check the store and then
+    // localStorage so legacy posts without an external_person_id never overwrite with ''.
+    let identity_person_id: string | null = post_di.external_person_id || null;
+    let identity_full_name: string | null = post_di.full_name || null;
+    let identity_email: string | null = post_di.email || null;
+    if (!identity_person_id) {
+        identity_person_id = $idaa_loc.novi_uuid ?? null;
+        identity_full_name = identity_full_name || $idaa_loc.novi_full_name || null;
+        identity_email = identity_email || $idaa_loc.novi_email || null;
+    }
+    if (!identity_person_id && typeof localStorage !== 'undefined') {
+        try {
+            const ls_val = localStorage.getItem('ae_idaa_loc');
+            if (ls_val) {
+                const ls_json = JSON.parse(ls_val);
+                identity_person_id = ls_json.novi_uuid ?? null;
+                identity_full_name = identity_full_name || ls_json.novi_full_name || null;
+                identity_email = identity_email || ls_json.novi_email || null;
+            }
+        } catch (e) { /* ignore */ }
+    }
+
+    post_do['external_person_id'] = identity_person_id;
+    post_do['full_name'] = identity_full_name;
+    post_do['email'] = identity_email;
     post_do['notify'] = post_di.notify;
 
     post_do['hide'] = post_di.hide;
diff --git a/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_options.svelte b/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_options.svelte
index 50036005..0087e892 100644
--- a/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_options.svelte
+++ b/src/routes/idaa/(idaa)/bb/ae_idaa_comp__post_options.svelte
@@ -248,8 +248,8 @@ let creating = $state(false); // true while create API call is in-flight
                                     );
                                 goto(`/idaa/bb/${final_id}`);
                             } else {
+                                // .catch() already alerted the user — just reset the flag.
                                 creating = false;
-                                alert('Failed to create new post.');
                             }
                         });
                 }}