Scott.Idem/OSIT-AE-App-Svelte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(idaa): update IDAA doc with staff editing rules, Contact 1 convention, test coverage

Browse Source 
- Added Section 4 'Staff Editing Rules': documents per-object behavior when
  trusted/admin staff edit member content. BB Post external_person_id is readonly
  for non-admin staff; Post Comment preserves existing record identity; Recovery
  Meeting external_person_id is intentionally editable for ownership reassignment.
  Clarifies that staff identity only fills when the record has no existing linkage.

- Added Section 5 'Recovery Meetings — Contact 1 Convention': states the business
  rule that Contact 1 is nearly always the same person as external_person_id (the
  meeting owner). Documents the distinction between ownership link vs. display contact.

- Added race condition defense note to Section 3 Implementation Patterns: creation
  buttons and edit submit handlers must scavenge from localStorage when the Svelte
  store is briefly null on mount.

- Updated test coverage table: Recovery Meetings now has substantial Playwright
  coverage (idaa_recovery_meeting_edit.test.ts). Noted pending BB Post/Comment tests.

- Updated Last Verified date to 2026-04-07.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Scott Idem
2026-04-07 22:41:49 -04:00
parent 8d30e01ad4
commit c979454d84
1 changed files with 27 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
documentation/CLIENT__IDAA_and_customized_mods.md
View File

@@ -237,6 +237,28 @@ The following objects require mandatory `external_person_id` linkage:
- **Buttons:** Creation buttons (e.g., "Create New Meeting") must include `external_person_id: $idaa_loc.novi_uuid` in their initial `create_ae_obj` payload.
- **Edit Forms:** Edit components must provide robust fallbacks to `$idaa_loc.novi_uuid` for new or incomplete records, ensuring identity is captured even if the initial creation call was narrow.
- **Identity Sync:** Along with the UUID, `full_name` and `email` should also be synced from `$idaa_loc` to provide human-readable context in notifications and admin views.
- **Race Condition Defense:** `$idaa_loc` may be briefly null on mount before the store hydrates from localStorage. Creation buttons and edit submit handlers must scavenge identity directly from `localStorage.getItem('ae_idaa_loc')` as a fallback when the store value is missing.
### 4. Staff Editing Rules (IDAA Trusted/Admin Staff)
IDAA staff have their own Novi UUID. When they edit member content, their identity must **not** overwrite the member's `external_person_id`, `full_name`, or `email`.
| Content Type | `external_person_id` for staff | `full_name` / `email` for staff |
|---|---|---|
| BB Post | **Readonly** (unless `administrator_access`) — member's UUID preserved | Same — rendered from existing record, not staff identity |
| Post Comment | **Preserved** — form state initializes from existing record first | Same |
| Recovery Meeting | **Intentionally editable** for trusted staff — staff can reassign meeting ownership | Contact 1 renders from existing `contact_li_json[0]` first; staff identity only fills if blank |
The fallback to `$idaa_loc.novi_uuid` (the current user's UUID) only fires when the record has **no** existing `external_person_id`. For any record properly created after the 2026-04-07 triple-linkage enforcement, this fallback should never be reached.
### 5. Recovery Meetings — Contact 1 Convention
In 99% of cases, **Contact 1 should be the same person linked via `external_person_id`** — the IDAA member who owns and runs the meeting. These are two separate fields:
- `external_person_id` — the ownership/identity link (Novi UUID). Determines who may edit the meeting.
- `contact_li_json[0]` — the displayed contact info (name, email, phone). Shown to members searching for meetings.
They are expected to match but are set independently. Members unlock Contact 1 via confirm dialog if they need to list a different contact. Staff can edit both fields directly.
### Permission Upgrade Rule
```
@@ -538,14 +560,16 @@ ae_loc.trusted_access = true;
ae_loc.idaa_loc = { novi_uuid: 'test-uuid-value', ... };
```
### Current Test Coverage (as of 2026-02-26)
### Current Test Coverage (as of 2026-04-07)
| Module | State | Notes |
|---|---|---|
| Archives | ⚠️ Smoke only | `archive_content.test.ts` — no auth gate test |
| Bulletin Board | ❌ None | Priority — most sensitive module |
| Recovery Meetings | ❌ None | — |
| Recovery Meetings | ✅ Substantial | `tests/idaa_recovery_meeting_edit.test.ts` — form render, field interactions, PATCH payload verification (all sections), real backend save, creation linkage (Novi UUID in POST body) |
| Video Conferences | ❌ None | Jitsi complexity, lower priority |
**Pending:** BB Post and Post Comment creation linkage tests (pattern established in Recovery Meetings test).
---
## External Links (idaa.org)
@@ -595,4 +619,4 @@ ae_loc.idaa_loc = { novi_uuid: 'test-uuid-value', ... };
---
**Document Status:** ✅ Current
**Last Verified:** 2026-03-09 — updated for Novi UUID verification upgrade
**Last Verified:** 2026-04-07 — updated for Novi UUID triple-linkage enforcement, staff editing rules, Contact 1 convention, test coverage