diff --git a/documentation/CLIENT__IDAA_and_customized_mods.md b/documentation/CLIENT__IDAA_and_customized_mods.md index e0e1a69e..f7db28a3 100644 --- a/documentation/CLIENT__IDAA_and_customized_mods.md +++ b/documentation/CLIENT__IDAA_and_customized_mods.md @@ -237,6 +237,28 @@ The following objects require mandatory `external_person_id` linkage: - **Buttons:** Creation buttons (e.g., "Create New Meeting") must include `external_person_id: $idaa_loc.novi_uuid` in their initial `create_ae_obj` payload. - **Edit Forms:** Edit components must provide robust fallbacks to `$idaa_loc.novi_uuid` for new or incomplete records, ensuring identity is captured even if the initial creation call was narrow. - **Identity Sync:** Along with the UUID, `full_name` and `email` should also be synced from `$idaa_loc` to provide human-readable context in notifications and admin views. +- **Race Condition Defense:** `$idaa_loc` may be briefly null on mount before the store hydrates from localStorage. Creation buttons and edit submit handlers must scavenge identity directly from `localStorage.getItem('ae_idaa_loc')` as a fallback when the store value is missing. + +### 4. Staff Editing Rules (IDAA Trusted/Admin Staff) + +IDAA staff have their own Novi UUID. When they edit member content, their identity must **not** overwrite the member's `external_person_id`, `full_name`, or `email`. + +| Content Type | `external_person_id` for staff | `full_name` / `email` for staff | +|---|---|---| +| BB Post | **Readonly** (unless `administrator_access`) — member's UUID preserved | Same — rendered from existing record, not staff identity | +| Post Comment | **Preserved** — form state initializes from existing record first | Same | +| Recovery Meeting | **Intentionally editable** for trusted staff — staff can reassign meeting ownership | Contact 1 renders from existing `contact_li_json[0]` first; staff identity only fills if blank | + +The fallback to `$idaa_loc.novi_uuid` (the current user's UUID) only fires when the record has **no** existing `external_person_id`. For any record properly created after the 2026-04-07 triple-linkage enforcement, this fallback should never be reached. + +### 5. Recovery Meetings — Contact 1 Convention + +In 99% of cases, **Contact 1 should be the same person linked via `external_person_id`** — the IDAA member who owns and runs the meeting. These are two separate fields: + +- `external_person_id` — the ownership/identity link (Novi UUID). Determines who may edit the meeting. +- `contact_li_json[0]` — the displayed contact info (name, email, phone). Shown to members searching for meetings. + +They are expected to match but are set independently. Members unlock Contact 1 via confirm dialog if they need to list a different contact. Staff can edit both fields directly. ### Permission Upgrade Rule ``` @@ -538,14 +560,16 @@ ae_loc.trusted_access = true; ae_loc.idaa_loc = { novi_uuid: 'test-uuid-value', ... }; ``` -### Current Test Coverage (as of 2026-02-26) +### Current Test Coverage (as of 2026-04-07) | Module | State | Notes | |---|---|---| | Archives | ⚠️ Smoke only | `archive_content.test.ts` — no auth gate test | | Bulletin Board | ❌ None | Priority — most sensitive module | -| Recovery Meetings | ❌ None | — | +| Recovery Meetings | ✅ Substantial | `tests/idaa_recovery_meeting_edit.test.ts` — form render, field interactions, PATCH payload verification (all sections), real backend save, creation linkage (Novi UUID in POST body) | | Video Conferences | ❌ None | Jitsi complexity, lower priority | +**Pending:** BB Post and Post Comment creation linkage tests (pattern established in Recovery Meetings test). + --- ## External Links (idaa.org) @@ -595,4 +619,4 @@ ae_loc.idaa_loc = { novi_uuid: 'test-uuid-value', ... }; --- **Document Status:** ✅ Current -**Last Verified:** 2026-03-09 — updated for Novi UUID verification upgrade +**Last Verified:** 2026-04-07 — updated for Novi UUID triple-linkage enforcement, staff editing rules, Contact 1 convention, test coverage