You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* docs(it5): open It5-T01 branch — update CURRENT-STATE + CLAUDE.md
Marks branch feat/007-it5-instrutor-auth as active. CURRENT-STATE.md
reflects the 12-task T01 plan (INSTRUTOR auth hardening), promotes the
auth gap to P1 in the incomplete table, and extends the auth.ts key
files entry. CLAUDE.md updated with It5 tech context via agent script.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs(it5): document pre-existing TS2882 regression in quality gates
globals.css side-effect import errors since src/types/css.d.ts was
deleted in PR #80 (TypeScript 6 upgrade). Tracked as P2 — must be
fixed before any It5 PR merges to main.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(typecheck): restore src/types/css.d.ts deleted in PR #80 TS6 upgrade
TS2882 side-effect import error on globals.css was introduced when the
TS6 upgrade PR accidentally removed this ambient declaration file. One
line: declare module '*.css' {}
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs(it5): mark TS2882 resolved in CURRENT-STATE quality gates
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(it5): add requireAnyRole helper to auth.ts
T001 — exports requireAnyRole(allowedRoles: Role[]): Promise<void>
following the exact same fail-closed pattern as requireRole. redirects
to /login if unauthenticated, /dashboard if role is not in allowedRoles
or on any DB error. needed by the /dashboard/treinos route gate.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(it5): add failing E2E negative auth test (TDD red)
T002 — instrutor-auth-negative.spec.ts asserts RECEPCIONISTA and ALUNO
cannot access /dashboard/treinos (must redirect). tests fail until T003
adds the requireAnyRole gate to the page — that is the intended red phase.
also anchors /specs/ in .gitignore to root so tests/e2e/specs/ is no
longer inadvertently excluded.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(it5): gate /dashboard/treinos with requireAnyRole
T003 — replaces bare if(!user) check with requireAnyRole(['INSTRUTOR',
'GERENTE']). RECEPCIONISTA and ALUNO are now redirected fail-closed to
/dashboard. getUser() call kept temporarily for instrutorId={user.id}
prop; removed in T008 after client cleanup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(it5): add failing unit tests for treinos actions (TDD red)
T004 + T009 — treinos.test.ts covers upsertTreinoAction (instrutorId
derivation) and ownership checks for deleteTreinoAction and
updateTreinoDayAction. 4 tests currently fail (red phase): INSTRUTOR
instrutorId derivation, RECEPCIONISTA blocked, and both non-owner
ownership guards. tests written before implementation as required by
constitution principle III.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(it5): remove instrutorId from TreinoBaseSchema (server-derived)
T005: instrutorId is now server-derived from session in upsertTreinoAction.
Removed from TreinoBaseSchema (client input); preserved in TreinoSchema
(entity read-type). Cascade errors in treinos.ts:35 and
treinos-client.tsx:384,433 are intentional red state — fixed in T006/T007.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(it5): derive instrutorId from session in upsertTreinoAction
T006: instrutorId is now fetched from the funcionarios table instead of
the client payload. RECEPCIONISTA is blocked (Acesso não autorizado).
ALUNO (not in funcionarios → data=null) and GERENTE both receive
instrutorId=null. INSTRUTOR receives their own user.id.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(it5): remove instrutorId prop from TreinosManagementClient
T007: instrutorId is no longer needed as a component prop since
upsertTreinoAction now derives it server-side from session. Removed
from props interface and both upsertTreinoAction call sites.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(it5): remove redundant getUser and instrutorId prop from TreinosPage
T008: requireAnyRole already asserts authentication, so the subsequent
supabase.auth.getUser() call and instrutorId={user.id} prop are removed.
instrutorId is now fully derived server-side in upsertTreinoAction.
Zero typecheck errors after this task.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(it5): add ownership check to updateTreinoDayAction
T010: INSTRUTOR can only update treinos they own (instrutorId = user.id).
GERENTE can update any treino. Unauthorized callers receive
{ success: false, error: 'Acesso não autorizado' }.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(it5): add ownership check to deleteTreinoAction
T011: mirrors T010 pattern — INSTRUTOR can only delete treinos they own;
GERENTE can delete any treino. All 10 unit tests green. Zero typecheck
and lint errors.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore(it5): update CRITICAL-PATHS.md 18 → 19 scenarios
T012: added entry for instrutor-auth-negative.spec.ts (RECEPCIONISTA/ALUNO
blocked from /dashboard/treinos). All 12 tasks for 007-it5-instrutor-auth
are now complete.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs: update CURRENT-STATE.md for It5 completion
All 12 tasks complete. Auth gap closed. Unit tests 22→32.
E2E scenarios 18→19. Auth gap removed from incomplete list.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* test(it5): add requireAnyRole unit tests to restore auth.ts 100% coverage
CI coverage threshold for src/lib/auth.ts requires 100%. Adding
requireAnyRole tests mirrors the requireRole test structure: allowed role
resolves without redirect, wrong role → /dashboard, no user → /login,
DB error → /dashboard, null record (ALUNO) → /dashboard.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(auth): address CodeRabbit review findings on PR #81
auth.ts: requireRole now delegates to requireAnyRole([role]) eliminating
duplicated auth/redirect logic; consistent fail-closed behavior guaranteed
by single implementation.
treinos.ts: fix two security issues flagged by CodeRabbit:
- upsertTreinoAction: ALUNOs (funcData=null) now get alunoId=user.id
server-side, preventing cross-user spoofing of alunoId from client
- updateTreinoDayAction + deleteTreinoAction: ownership guard now also
checks treino.alunoId === user.id, allowing ALUNOs to manage their own
treinos (previously blocked because instrutorId is null on ALUNO-created
treinos)
instrutor-auth-negative.spec.ts: ALUNO redirect test now asserts
destination /aluno (middleware redirects non-funcionarios to /aluno)
instead of weak negative assertion.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Emiya Kiritsugu <emiyakiritsugu3@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
0 commit comments