Commit Graph

166 Commits

Author SHA1 Message Date
8065d4837a Mark milestone 7a as Done 2026-05-12 20:46:03 -05:00
b479f5981b M7-7b: archive operator-ia change — declare operator panel IA
Define the catalog/runtime/integration layering, per-org composite
view route, curated landing surface, breadcrumb positional contract,
reserved query-param real estate, and single-entry-point grant action
affordances. Adds 6 requirements to operator-panel-navigation; the
legacy ?tab= SPA contract stays until M7d retires it.

Also files an independent tech-debt item for member-console reading
products.product_type directly instead of the billing.product_kinds
view, per upstream membcons-db Doc 35 Product Kind Taxonomy.
2026-05-12 16:16:20 -05:00
fd7c61d594 Add Operator Panel IA decision record and spec delta
Introduce docs/operator-ia.md and an OpenSpec change "operator-ia" with
design, proposal, spec delta, and tasks; update status to mark M7b In
progress
2026-05-12 15:51:42 -05:00
bc5c309d12 Mark M6 complete; file Phase A v1+v2 UX bugs
status/milestones.md: mark M6 phases 6a-6f as Done — the plan-ladder
schema, transition primitive, operator catalog/auto-provisioning/
enrollment UIs, and member tier-aware view have all landed and are
exercised by Phase A v2 evidence.

status/issues.md: file 11 concrete bugs surfaced during Phase A v1
and v2 walkthroughs that were previously only living in
docs/operator-ux-walkthrough-evidence/INDEX.md. Distinction: research
findings stay in INDEX.md; bugs go in issues.md so they're tracked
for M7 sub-phases to pick up.

Filed:
- v1: heading hierarchy (a11y), missing autocomplete (a11y), inline
  event-handler (CSP), URL/route/code naming drift, FedWiki Sites
  empty under seed, operator SPA partial eager-fetch.
- v2: rules form supports only limit rules, revoke-and-transition
  empty-product-name interpolation defect, lifecycle_status not
  exposed in product edit, plan-ladder Tiers "no products" copy is
  misleading, two grant-issuance surfaces with no cross-link, two
  grant-revoke paths non-equivalent and indistinguishable.
2026-05-11 10:55:14 -05:00
7d60af65d1 Archive three demo-seeder & keycloak-fix OpenSpec changes
Move 2026-05-10-member-console-demo-seeder,
2026-05-11-keycloak-id-pinning-fix, and 2026-05-11-demo-seeder-persons
into openspec/changes/archive/ and fold their specs into
openspec/specs/{keycloak-test-seed,member-console-demo-seed}/spec.md.
2026-05-11 10:55:14 -05:00
81a11f8f5d Add Phase A v2 operator UX walkthrough evidence
Re-run Phase A walkthrough against the seeded baseline (demo seeder
+ Keycloak ID pinning fix + person seeding). 14 slugs gain
screenshot-v2.png; 10 previously-skipped slugs are now reachable.

INDEX.md gains:
- A Phase A v2 run-metadata block alongside the original v1 metadata.
- Status upgrades for the 10 newly-reachable slugs (✗ → ✓ v2).
- 10 cross-check findings (Phase A v2 findings section) comparing
  seeded evidence against the 7a.1 research doc — including the
  two-revoke-paths divergence in confirm-modal copy, per-org Issue
  Grant being plan-only, the empty-product-name interpolation defect
  on revoke-and-transition, and the rules form supporting only
  `limit` rules despite schema supporting boolean.

Adds a README.md documenting Phase A's overwrite-in-place contract
(non-LLM-keyed evidence reflecting current stack state).
2026-05-11 10:55:14 -05:00
9d11ee0328 Add member-console demo seeder with person seeding
Add a `seed-demo` subcommand (cmd/seed_demo.go + internal/demoseed/)
that inserts a fixed reference catalog into the member-console DB so
the operator panel has rows to walk through for UX research. Catalog:
6 demo-* products (4 by product_type + 2 extra plans), 1 plan ladder
with 3 tiers, 1 entitlement set with 2 rules (limit + boolean), and 1
grant on Alice's personal org (once she's logged in).

Person rows for bob/carlos/diana are seeded via provisioning.AutoProvision
keyed on the pinned Keycloak UUIDs — no longer fragile now that
seed-keycloak.sh's partialImport switch preserves the pinned id. Alice
is intentionally NOT pre-seeded so the lazy-creation OIDC flow stays
exercised on every fresh stack.

Idempotency: list+filter by `name` for catalog rows, by `oidc_subject`
for persons. Re-running is a no-op for created rows; warns + skips
the grant if alice hasn't logged in yet.

Host-side invocation only — run `./test/seed-demo.sh` after
bootstrap-stack.sh. Mirrors how member-console itself runs on the
host (config + secrets live under test/).

Two OpenSpec changes folded in: 2026-05-10-member-console-demo-seeder
(the seeder) and 2026-05-11-demo-seeder-persons (the persons follow-up
unlocked by the Keycloak fix).
2026-05-11 10:55:14 -05:00
dbde5bd59f Fix Keycloak test seed user-id pinning
POST /admin/realms/{realm}/users silently drops the `id` field on
Keycloak 26.x. Switch user creation in seed-keycloak.sh to
POST /admin/realms/{realm}/partialImport, which preserves the pinned
id (verified by round-trip). This restores deterministic UUIDs for
alice/bob/carlos/diana and unblocks downstream consumers that depend
on stable `sub` claims (FedWiki owner.json references, demo seeder
person rows).
2026-05-11 10:55:14 -05:00
eadcda30f9 Add Operator UX walkthrough for Claude Opus 4.7 2026-05-11 10:55:14 -05:00
1012a01028 Add Phase A operator UX walkthrough evidence
Deterministic capture of the operator panel: per-slug evidence
(screenshots, console/network dumps, a11y and tab-order data) stored
under docs/operator-ux-walkthrough-evidence. Add Phase A task briefing
and update status files to mark 7a progress and note downstream issues
2026-05-11 10:55:14 -05:00
ab766165a2 Add operator UX research and integrations 2026-05-11 10:55:14 -05:00
66d4c66a43 tokenmaxxing climate crisis accelerationism jestergooning LLM-pilled. 2026-05-07 02:30:48 -05:00
535810c2ef Seed FedWiki fixtures from Keycloak
Add a fedwiki-render compose service and render.sh to resolve real
Keycloak user UUIDs and render .tpl templates into testdata on compose
up. Convert hardcoded FedWiki testdata into templates, add seed-stack.sh
helper, and update compose/env and .gitignore to run seeding before
starting fedwiki.
2026-04-29 15:55:40 -05:00
66c8d84a2c worktree test stacks isolation. 2026-04-29 03:28:43 -05:00
043f4082dc Unify test startup, slug derivation, teardown
Use the unified ./cmd entrypoint in test docs and bootstrap scripts
instead of ./cmd/member-console. Add derive_slug to pick a more
informative SLUG for worktrees (prefer parent dir or branch when the
basename is "member-console"). Improve teardown to remove root-owned
test files via a short-lived docker container fallback.
2026-04-28 23:25:17 -05:00
a50084aee5 Add per-worktree test stack bootstrap and docs 2026-04-28 23:16:03 -05:00
95bb26d87b Add OPSX OpenSpec commands and skills 2026-04-28 03:10:30 -05:00
a0638e282e Add Operator UX Foundation milestone and docs. 2026-04-27 02:38:03 -05:00
690c70b113 Add cross-tab HTMX triggers and planLadderMutation
Signal dependent tabs to re-fetch when plan ladders change.
operator_plan_ladders handlers set HX-Trigger: planLadderMutation on
create/update/delete and tier operations so Org Types' plan dropdowns
refresh. operator.html adds explanatory comments and hx-trigger attrs
so Org Types, Grants, and Products panes listen for productMutation,
planLadderMutation, and entitlementMutation
2026-04-27 02:05:59 -05:00
751bae7768 Use plan ladder for org defaults
Add default_plan_ladder_id with a forward data migration and update
the runtime to resolve the ladder's rank-0 tier at use-time. Regenerate
sqlc, update auto-provisioning, ReapplyDefaultsForPool, operator UI and
tests; add GetTierByLadderRank and pool/provision query helpers. Add a
CSP-safe confirm-action modal and wire operator actions to it. Close
plan-sole-writer safety gaps and serialize IssueGrant with a FOR UPDATE
pool lock to prevent ladder races.
2026-04-27 01:57:17 -05:00
7a7f5975eb Track grant lineage and add Extend transition
Introduce extends_grant_id on grants (models, CreateGrant param and
SQL), add GetGrantLineage recursive query, and enforce
same-org/immutability guards via migration triggers. Implement
TransitionTarget.Extend with validation and an extend path that issues
a chained grant + provision. Update docs, specs and tests accordingly.
2026-04-26 02:38:46 -05:00
beab142582 Mark entitlements package-boundary tasks complete 2026-04-25 03:46:22 -05:00
ba68b8e71b OpenSpec for plan-sole-writer-guards 2026-04-25 03:28:16 -05:00
8f6a93f74d Add operator enrollment UI and plan docs
Introduce operator enrollment partials and handlers that route plan-tier
granting and revocation through entitlements.Transition(). Add
member-facing tier labels, plan architecture and grant-plan-safety
documentation, plus unit and e2e tests. Also add small querier helpers
and wire Temporal client hooks for trial expiration scheduling.
2026-04-24 12:28:00 -05:00
720e546d16 Add operator plan ladder management UI and backend 2026-04-20 19:52:42 -05:00
667e9ffe24 Add plan ladders and pool provision transitions
Introduce DB migrations for ladder and pool-attachment tables and an
audit log for provision transitions. Make product_type nullable and add
lifecycle_status plus a product_kinds view. Implement Transition and
ReapplyDefaultsForPool primitives, SQLC queries/models, webhook and
Temporal workflow integration, and accompanying unit/integration tests.
2026-04-19 20:45:56 -05:00
0b57afb4ec Add plan management foundation design and specs 2026-04-19 14:10:37 -05:00
4893a2d556 Plan concept depth design update 1. 2026-04-19 02:43:30 -05:00
5424c6a75b Update design for plan management depth 2026-04-17 02:54:54 -05:00
24465c52a8 Fix margins inconsistency between pages. 2026-04-13 02:40:15 -05:00
cdd075dc0b fix meter in products page. 2026-04-13 02:36:02 -05:00
25a206e371 Fix operator panel tabs 2026-04-13 02:22:49 -05:00
89e97945c4 Clarify plan concept depth in milestones 2026-04-12 17:02:40 -05:00
bafa42b9a9 Use Product as Org Type Default 2026-04-12 16:56:25 -05:00
1a89bbd292 Products page done. 2026-04-11 20:40:36 -05:00
fe2767f5d1 Add OpenSpec for Member Products page 2026-04-11 19:49:12 -05:00
34388180ad Add deployment architecture doc and milestones 2026-04-11 04:23:42 -05:00
6f2788b9a0 Enable auto-provision of default entitlements. 2026-04-10 14:15:13 -05:00
479f44c5b4 Document FedWiki service tiers and status 2026-04-09 02:06:50 -05:00
ac83638852 Auto-provision default billing account 2026-04-07 08:14:35 -05:00
2ec770d011 Specify Stripe sync in price-management spec 2026-04-07 07:57:13 -05:00
9f719f263e Remove DB seed migrations for products and prices 2026-04-07 03:47:50 -05:00
64ced89432 Stripe Integration Price creation. 2026-04-07 03:24:12 -05:00
be91b73dbd Stripe Operator UI 2026-04-06 03:15:20 -05:00
786657eea3 Start Stripe workflows and handle webhooks
Expose /webhooks/stripe as a public path (signature-verified)

Verify webhook signatures with ConstructEventWithOptions and
IgnoreAPIVersionMismatch=true, and log API version mismatches.
Start two Temporal workflows: stripe-webhook-processor and
stripe-outbox-poller; workflow start failures are non-fatal.
2026-04-05 21:25:26 -05:00
1f1540d7e0 Use plain DB connection for migrations
Add ConnectPlain to open the DB without the custom search_path and
switch migration and CLI flows to run on that plain connection.
Wrap multi-statement goose migrations with StatementBegin/End to
ensure statements are executed atomically. Move Stripe price outbox
seeding into a dedicated stripe migration.
2026-04-05 18:25:05 -05:00
18a0969ad3 Stripe invoice payment projections. 2026-04-05 03:51:31 -05:00
82e1b2bd23 Close subscription creation spec workflow 2026-04-05 02:45:51 -05:00
f08357d6b5 Move comments from the copyable code blocks. 2026-04-05 02:39:22 -05:00
f23a84999c sqlc: standardize generated type names across all modules
Drop redundant schema prefixes from all sqlc-generated Go types. Since
each module generates into its own package, the package already provides
the namespace — billing.Account is unambiguous without
billing.BillingAccount.

Changes:
- Add rename: blocks to all 6 sqlc.yaml files mapping schema-prefixed
  names to clean idiomatic names (e.g. BillingBillingAccount → Account,
  IdentityPerson → Person, OrganizationOrganization → Organization)
- Rename billing.billing_accounts → billing.accounts (table name
  repeated the schema; the schema already provides that context)
- Rename integration.integration_outbox → integration.outbox (same
  reason)
- Regenerate all sqlc output across billing, identity, organization,
  entitlements, stripe, and fedwiki modules
- Update all calling code (server, workflows, provisioning, tests) to
  use the new names
- Add internal/db/sqlc_schemas.sql — sqlc-only schema declarations so
  every module can resolve schema-qualified names without including the
  full db migrations
- Update docs/database-management.md with the naming convention and
  standard sqlc.yaml template

Convention going forward: table names must not repeat the schema name;
generated types carry no schema prefix; the Go package provides the
namespace (like http.Request, not http.HttpRequest).
2026-04-05 02:35:36 -05:00