feat(user/v1): add UserProvisioningService.ResolveOrCreateByEmail (NEW-40 decoupling) #6

Merged

hibryda merged 6 commits from feat/user-provisioning-rpc into main 2026-06-02 11:14:07 +02:00

Conversation 6 Commits 6 Files changed 1 +161

hibryda commented 2026-06-02 10:19:44 +02:00

Owner

Copy link

Contract for the NEW-40 user-identity decoupling (.planning/28 in im2be-mono). social-login will call user-service at OAuth login to resolve-or-create the canonical user by email, returning the canonical UUID — making user-service the sole users-table writer (today both user-service + social-login INSERT directly: the R1 two-writer anti-pattern + NEW-13 duplicate-row race).

• New user/v1/user_provisioning.proto: UserProvisioningService.ResolveOrCreateByEmail — idempotent; creates verified + password-less OAuth users + fires the standard init fan-out once; returns shared.v1.UserId + created flag. Fail-closed (INVALID_ARGUMENT on blank email/UNSPECIFIED provider; INTERNAL on fault → caller fails login closed, no local-UUID fallback). Issues NO JWT (token issuance stays in social-login).
• AuthProvider enum {GOOGLE, APPLE}; reuses shared.v1.UserId.
• Separate service from UserProfileService so its SPIFFE ACL (social-login → provision) is distinct from identity → profile.
• Additive → buf BACKWARD-safe. buf lint + build clean; import-direction guard OK.

First of the decoupling PRs: (1) this contract; (2) user-service impl (gRPC + V10 password-nullable migration + provisioning) consuming the vendored copy; (3) social-login gRPC client + stop direct-write + the new mTLS hop; (4) docs/ADR retiring NEW-40.

Contract for the NEW-40 user-identity decoupling (.planning/28 in im2be-mono). social-login will call user-service at OAuth login to resolve-or-create the canonical user by email, returning the canonical UUID — making user-service the sole users-table writer (today both user-service + social-login INSERT directly: the R1 two-writer anti-pattern + NEW-13 duplicate-row race). - New user/v1/user_provisioning.proto: UserProvisioningService.ResolveOrCreateByEmail — idempotent; creates verified + password-less OAuth users + fires the standard init fan-out once; returns shared.v1.UserId + created flag. Fail-closed (INVALID_ARGUMENT on blank email/UNSPECIFIED provider; INTERNAL on fault → caller fails login closed, no local-UUID fallback). Issues NO JWT (token issuance stays in social-login). - AuthProvider enum {GOOGLE, APPLE}; reuses shared.v1.UserId. - Separate service from UserProfileService so its SPIFFE ACL (social-login → provision) is distinct from identity → profile. - Additive → buf BACKWARD-safe. buf lint + build clean; import-direction guard OK. First of the decoupling PRs: (1) this contract; (2) user-service impl (gRPC + V10 password-nullable migration + provisioning) consuming the vendored copy; (3) social-login gRPC client + stop direct-write + the new mTLS hop; (4) docs/ADR retiring NEW-40.

hibryda added 1 commit 2026-06-02 10:19:44 +02:00

feat(user/v1): add UserProvisioningService.ResolveOrCreateByEmail (NEW-40 decoupling) ... 0d4fe1cfac

The canonical-user-provisioning gRPC contract for the NEW-40 user-identity decoupling
(.planning/28): social-login-service will call user-service at OAuth login to resolve —
or, on first sign-in, create — the canonical user by provider-verified email, returning
the canonical UUID. This makes user-service the SOLE writer of the users table (today
both user-service and social-login INSERT rows directly — the R1 two-writer anti-pattern).

New file user/v1/user_provisioning.proto: UserProvisioningService.ResolveOrCreateByEmail
(idempotent; creates verified + password-less OAuth users, fires the standard init fan-out
once, returns shared.v1.UserId + created flag). AuthProvider enum {GOOGLE, APPLE}. Reuses
shared.v1.UserId. Additive (buf BACKWARD-safe); separate service from UserProfileService so
its SPIFFE ACL (social-login → provision) is distinct from the identity → profile ACL.

buf lint + build clean; import-direction guard OK.

pr-reviewer-bot commented 2026-06-02 10:25:23 +02:00

Member

Copy link

Superseded by round 2.

Show previous round

hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf)

Round 1 — head 0d4fe1cface2, base main, trigger opened

TL;DR: NEEDS_WORK — 1 major + 1 minor + 1 info findings kept this round.

Summary

Arbiter reconciled 2 (A) + 3 (B) → 3 findings.

CI status (head 0d4fe1cface2)

Overall: ✗ failure

3 checks: 3 pending

Check	State	Link
protobuf CI / scripts/check-import-direction.sh (pull_request)	⏳ pending	details
protobuf CI / buf lint (pull_request)	⏳ pending	details
protobuf CI / buf build (pull_request)	⏳ pending	details

Findings (3)

[MAJOR] ResolveOrCreateByEmailRequest missing provider_subject field — email-only lookup enables account-takeover and permanent identity split

user/v1/user_provisioning.proto:71

Agreed finding (A + B independently). ResolveOrCreateByEmailRequest carries email (field 1) and provider (field 4) but has no field for the OAuth provider's stable, per-app subject identifier — the sub claim from the OIDC ID token. This creates two concrete, irreversible data problems:

1. Account takeover via recycled email (A). Google retires and eventually recycles email addresses. A new Google user who inherits a recycled address resolves to the previous owner's canonical UUID on first sign-in — silently inheriting their data (family membership, diary, subscription tier). The sub claim is per-account and not recycled.

2. Apple private-relay rotation permanently splits identity (B). Sign in with Apple may supply a per-app relay address (xyz@privaterelay.appleid.com). If the user revokes and re-grants consent, Apple rotates that relay address. The next sign-in finds no email match, creates a second canonical user with a new UUID, and the original account is orphaned. The only stable Apple identifier across revoke+re-grant is the sub claim.

Adding provider_subject later is wire-safe (new field number), but any sign-in before the field is introduced writes a NULL provider_subject column — making retroactive provider-side account linking impossible without an Apple/Google API migration script.

Concrete fix — add after field 4 in ResolveOrCreateByEmailRequest:

// Stable, immutable per-app subject identifier from the OAuth provider's
// ID token (the "sub" claim). Required; blank → INVALID_ARGUMENT.
// Primary lookup key for provider-based account resolution: the server
// SHOULD look up by (provider, provider_subject) first, falling back to
// email, and persist both on the new-user path. Stable across email
// changes and Apple private-relay rotations.
string provider_subject = 7;

The semantics block at line 47 should extend the fail-closed list: Blank provider_subject → INVALID_ARGUMENT.

[MINOR] Consent-version fields have dual under-specification: no blank-string validation contract and no stated create-only vs upsert semantics

user/v1/user_provisioning.proto:87

Agreed finding (A + B — complementary aspects). accepted_privacy_policy_version (field 5, line 89) and accepted_terms_version (field 6, line 91) have two related but distinct specification gaps:

Gap 1 — Blank-string validation (A). The semantics block at line 47 enumerates fail-closed cases (blank email, UNSPECIFIED provider) but is silent about blank consent-version strings. Proto3 zero-value strings ("") are valid on the wire and indistinguishable from an absent field. If user-service persists empty strings without rejecting them, the consent audit trail (required for GDPR Article 7 / App Store Review) is silently broken for any caller that omits these fields.

Gap 2 — Create-only vs upsert on the resolve path (B). Line 37-38 states "No mutation: an existing user's profile / verification / password … is untouched." Lines 87-88 state "Persisted on the canonical user record." These are in direct tension. A returning user who accepted a newer ToS at the OAuth consent screen would either have their consent record silently un-updated (if create-only) or trigger an unintended mutation (if upsert). Neither interpretation is stated.

Fix — pick one semantics and document both aspects in the line-87 comment block:

If create-only + blank is rejected on create:

// Privacy-policy version accepted at the OAuth consent screen.
// Required when created=true; blank → INVALID_ARGUMENT on the create path.
// Create-only: ignored on the resolve path (existing user's stored
// consent versions are never overwritten by this RPC).
string accepted_privacy_policy_version = 5;
// Terms-and-conditions version accepted at the OAuth consent screen.
// Same validation and create-only semantics as accepted_privacy_policy_version.
string accepted_terms_version = 6;

If upsert is intended, remove "No mutation" generality at line 38 and note the carve-out explicitly.

[INFO] AuthProvider enum is package-scoped but consumed by only one message — deferred hygiene

user/v1/user_provisioning.proto:59

Unique-to-B, verified. enum AuthProvider is defined at the user.v1 package scope (line 59) but is consumed exclusively by ResolveOrCreateByEmailRequest.provider (line 85). The existing codebase pattern for shared/reusable enums is package-scope placement; for single-consumer enums, nesting inside the owning message reduces namespace surface and makes the dependency obvious.

This has zero wire impact (proto field numbers govern the wire, not nesting), and buf lint does not enforce nesting. No change is needed before merge — the right time to address it is the planned shared/v1 extraction referenced in buf.yaml (TODO PR-OPAQUE-4-FOLLOWUP-shared-proto-extraction), or when a second service needs a provider enum and promotion is warranted. Raised as a tracking note.

Verdict

NEEDS_WORK

---

_{hib-pr-reviewer • round 1 • 3 findings (1M/1m/1i) • 2026-06-02T08:22:55.023Z → 2026-06-02T08:25:23.337Z • posted-as: pr-reviewer-bot • model: auto • [bookkeeping fallback]}

<!-- hib-pr-reviewer collapsed --> > _Superseded by round 2._ <details> <summary>Show previous round</summary> <!-- hib-pr-reviewer round:1 --> ## hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf) **Round 1** — head `0d4fe1cface2`, base `main`, trigger `opened` **TL;DR:** NEEDS_WORK — 1 major + 1 minor + 1 info findings kept this round. ### Summary Arbiter reconciled 2 (A) + 3 (B) → 3 findings. ### CI status (head `0d4fe1cface2`) **Overall: ✗ failure** 3 checks: 3 pending | Check | State | Link | |---|---|---| | protobuf CI / scripts/check-import-direction.sh (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/22/jobs/0) | | protobuf CI / buf lint (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/22/jobs/1) | | protobuf CI / buf build (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/22/jobs/2) | ### Findings (3) #### **[MAJOR]** ResolveOrCreateByEmailRequest missing provider_subject field — email-only lookup enables account-takeover and permanent identity split _user/v1/user_provisioning.proto:71_ **Agreed finding (A + B independently).** `ResolveOrCreateByEmailRequest` carries `email` (field 1) and `provider` (field 4) but has no field for the OAuth provider's stable, per-app subject identifier — the `sub` claim from the OIDC ID token. This creates two concrete, irreversible data problems: 1. **Account takeover via recycled email (A).** Google retires and eventually recycles email addresses. A new Google user who inherits a recycled address resolves to the *previous* owner's canonical UUID on first sign-in — silently inheriting their data (family membership, diary, subscription tier). The `sub` claim is per-account and not recycled. 2. **Apple private-relay rotation permanently splits identity (B).** Sign in with Apple may supply a per-app relay address (`xyz@privaterelay.appleid.com`). If the user revokes and re-grants consent, Apple rotates that relay address. The next sign-in finds no email match, creates a second canonical user with a new UUID, and the original account is orphaned. The only stable Apple identifier across revoke+re-grant is the `sub` claim. Adding `provider_subject` later is wire-safe (new field number), but any sign-in before the field is introduced writes a NULL `provider_subject` column — making retroactive provider-side account linking impossible without an Apple/Google API migration script. **Concrete fix** — add after field 4 in `ResolveOrCreateByEmailRequest`: ```protobuf // Stable, immutable per-app subject identifier from the OAuth provider's // ID token (the "sub" claim). Required; blank → INVALID_ARGUMENT. // Primary lookup key for provider-based account resolution: the server // SHOULD look up by (provider, provider_subject) first, falling back to // email, and persist both on the new-user path. Stable across email // changes and Apple private-relay rotations. string provider_subject = 7; ``` The semantics block at line 47 should extend the fail-closed list: `Blank provider_subject → INVALID_ARGUMENT`. #### **[MINOR]** Consent-version fields have dual under-specification: no blank-string validation contract and no stated create-only vs upsert semantics _user/v1/user_provisioning.proto:87_ **Agreed finding (A + B — complementary aspects).** `accepted_privacy_policy_version` (field 5, line 89) and `accepted_terms_version` (field 6, line 91) have two related but distinct specification gaps: **Gap 1 — Blank-string validation (A).** The semantics block at line 47 enumerates fail-closed cases (`blank email`, `UNSPECIFIED provider`) but is silent about blank consent-version strings. Proto3 zero-value strings (`""`) are valid on the wire and indistinguishable from an absent field. If user-service persists empty strings without rejecting them, the consent audit trail (required for GDPR Article 7 / App Store Review) is silently broken for any caller that omits these fields. **Gap 2 — Create-only vs upsert on the resolve path (B).** Line 37-38 states "No mutation: an existing user's profile / verification / password … is untouched." Lines 87-88 state "Persisted on the canonical user record." These are in direct tension. A returning user who accepted a newer ToS at the OAuth consent screen would either have their consent record silently un-updated (if create-only) or trigger an unintended mutation (if upsert). Neither interpretation is stated. **Fix — pick one semantics and document both aspects in the line-87 comment block:** If create-only + blank is rejected on create: ```protobuf // Privacy-policy version accepted at the OAuth consent screen. // Required when created=true; blank → INVALID_ARGUMENT on the create path. // Create-only: ignored on the resolve path (existing user's stored // consent versions are never overwritten by this RPC). string accepted_privacy_policy_version = 5; // Terms-and-conditions version accepted at the OAuth consent screen. // Same validation and create-only semantics as accepted_privacy_policy_version. string accepted_terms_version = 6; ``` If upsert is intended, remove "No mutation" generality at line 38 and note the carve-out explicitly. #### **[INFO]** `AuthProvider` enum is package-scoped but consumed by only one message — deferred hygiene _user/v1/user_provisioning.proto:59_ **Unique-to-B, verified.** `enum AuthProvider` is defined at the `user.v1` package scope (line 59) but is consumed exclusively by `ResolveOrCreateByEmailRequest.provider` (line 85). The existing codebase pattern for shared/reusable enums is package-scope placement; for single-consumer enums, nesting inside the owning message reduces namespace surface and makes the dependency obvious. This has **zero wire impact** (proto field numbers govern the wire, not nesting), and `buf lint` does not enforce nesting. No change is needed before merge — the right time to address it is the planned `shared/v1` extraction referenced in `buf.yaml` (`TODO PR-OPAQUE-4-FOLLOWUP-shared-proto-extraction`), or when a second service needs a provider enum and promotion is warranted. Raised as a tracking note. ### Verdict **NEEDS_WORK** --- _{hib-pr-reviewer • round 1 • 3 findings (1M/1m/1i) • 2026-06-02T08:22:55.023Z → 2026-06-02T08:25:23.337Z • posted-as: pr-reviewer-bot • model: auto • [bookkeeping fallback]} </details>

hibryda referenced this pull request from a commit 2026-06-02 10:29:30 +02:00

fix(user/v1): address PR #6 R1 — add provider_subject (OIDC sub) + consent create-only

hibryda added 1 commit 2026-06-02 10:29:30 +02:00

fix(user/v1): address PR #6 R1 — add provider_subject (OIDC sub) + consent create-only ... da77a71308

R1 NEEDS_WORK (1 major + 1 minor + 1 info):
- [MAJOR] ResolveOrCreateByEmail was email-only → account-takeover (Google recycles
  emails: a new owner inherits the prior owner's canonical UUID + data) + identity-split
  (Apple private-relay rotates on revoke+re-grant → orphaned account). Added
  provider_subject (field 7, the OIDC `sub`) as the PRIMARY stable identity key: resolve
  by (provider, provider_subject) first, fall back to email (backfilling the sub as a
  targeted idempotent link), persist both on create. Blank provider_subject →
  INVALID_ARGUMENT (fail-closed).
- [MINOR] consent-version fields: documented CREATE-ONLY semantics (ignored on resolve;
  no overwrite of an existing user's stored consent — resolves the line-37/87 tension) +
  required-on-create / blank → INVALID_ARGUMENT (GDPR Art.7 consent-audit integrity).
- [INFO] AuthProvider enum scope — left package-scoped (single consumer today; deferred).

buf lint + build clean; vendored user-service copy re-synced byte-identical.

pr-reviewer-bot commented 2026-06-02 10:36:11 +02:00

Member

Copy link

Superseded by round 3.

Show previous round

hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf)

Round 2 — head da77a713082f, base main, trigger synchronize

TL;DR: NEEDS_WORK — kept 2 findings: 1 agreed minor (field-number source ordering) + 1 unique-to-B major (verified: backfill path indistinguishable in response, security audit gap).

Summary

Arbitration — Round 2 (user/v1/user_provisioning.proto)

Memora context

No prior memories found for this repo or PR (both queries returned empty). Treating this as first-persisted entry; Memora write attempted but MCP tag-validation permissions blocked all create paths — logged for ops.

File verification

Read the full file at /var/lib/pr-reviewer/repos/affinity-intelligence-rework/im2be-protobuf/1479/user/v1/user_provisioning.proto (126 lines).

Finding 1 — field ordering (agreed A+B, verified ✅)

Lines 83–111 confirm the declaration sequence: email=1 (83), first_name=2 (87), last_name=3 (90), provider=4 (93), provider_subject=7 (102), accepted_privacy_policy_version=5 (108), accepted_terms_version=6 (111). Source-order of field numbers is 1, 2, 3, 4, 7, 5, 6. Both reviewers agree; finding is grounded. Kept as minor. B's concrete fix (reorder the provider_subject block to after field 6, keeping the wire number 7) is the cleanest option and is incorporated in the body.

Finding 2 — provider_linked missing from response (unique-to-B, verified ✅)

Lines 115–125 confirm ResolveOrCreateByEmailResponse has only user_id=1 and created=2. The service comment at lines 41–46 explicitly describes three distinct outcomes, of which two — normal returning sign-in and new-provider backfill — both return created=false with no distinguishing signal. B's claim is grounded in the file text. The security consequence (audit gap, no step-up hook, email-recycling vector at the protocol layer) is coherent and not rebutted by A. Kept as major.

Outcome

Kept 2 findings: 1 agreed minor (field ordering) + 1 unique-to-B major (verified, provider_linked absent). Verdict: NEEDS_WORK.

Blast Radius

Single new proto file, but it defines the public gRPC contract between two services (social-login-service and user-service). Once generated code is committed and both services implement against this contract, any response-shape change requires coordinated updates to both callers and servers. The provider_linked fix must land before either service implementation is finalised.

BLAST_SCORE: 5/10

Risk Indicators

Indicator	Value
Sensitive functions	ResolveOrCreateByEmail, provider_subject backfill path
Migration touched	—
Test delta	—
Dependency changes	—

CI status (head da77a713082f)

Overall: ✗ failure

3 checks: 3 pending

Check	State	Link
protobuf CI / scripts/check-import-direction.sh (pull_request)	⏳ pending	details
protobuf CI / buf lint (pull_request)	⏳ pending	details
protobuf CI / buf build (pull_request)	⏳ pending	details

Findings (2)

[MINOR] provider_subject = 7 declared out of field-number order in a brand-new file — safe to fix now

user/v1/user_provisioning.proto:102

The source declaration sequence in ResolveOrCreateByEmailRequest is 1, 2, 3, 4, 7, 5, 6: provider_subject = 7 (line 102) appears physically between provider = 4 (line 93) and accepted_privacy_policy_version = 5 (line 108). Proto3 encoding is valid — field numbers need only be unique, not ordered — but the non-sequential layout creates real maintenance friction:

• Proto linters (e.g. buf lint with FIELD_NUMBERS_ORDER) will flag this.
• Generated struct field orderings in Go / Java follow declaration order, not field-number order, so field 7 ends up before fields 5 and 6 in generated structs.
• Future maintainers adding field 8 may be confused about whether the gap between 4 and 5 is intentional.

Because this is a brand-new file from /dev/null with zero existing wire-format consumers or generated-code dependents, there is no backward-compatibility cost to correcting this now.

Recommended fix — reorder source to match wire numbers (no field-number changes, no semantic change):

string email = 1;
string first_name = 2;
string last_name = 3;
AuthProvider provider = 4;
string accepted_privacy_policy_version = 5;
string accepted_terms_version = 6;
string provider_subject = 7;   // ← same wire number 7, now last in source

Declaration order and numeric order become identical (1 → 7 top-to-bottom).

[MAJOR] ResolveOrCreateByEmailResponse carries no signal for the OAuth provider-backfill path — new linkage events are invisible to social-login

user/v1/user_provisioning.proto:124

The service comment (lines 37–46) documents three distinct outcomes for ResolveOrCreateByEmail:

#	Condition	created returned
1	Returning user, same (provider, provider_subject) — no mutation	false
2	New user, first sign-in — full creation + fan-out	true
3	Returning user, NEW provider backfilled — (provider, provider_subject) miss, email match → link established	false

Cases 1 and 3 are indistinguishable to social-login via the current response. This is a security-contract gap, not merely a logging inconvenience:

1. Audit gap — social-login has no hook to emit a security event, notify the account owner, or surface the new linkage to an admin dashboard. A permanent new OAuth provider-to-account binding was established, and the caller has no way to know.
2. Step-up verification impossible — linking a fresh OAuth identity to an existing account is higher-risk than a normal returning sign-in. Without provider_linked=true, social-login cannot gate the JWT on "confirm via registered email" or similar step-up controls.
3. Email-recycling vector — an attacker controlling a recycled address signs in with a new OAuth provider; the (provider, provider_subject) lookup misses, email matches the original owner, provider_subject is silently backfilled, and the attacker receives the original owner's UUID — with created=false, indistinguishable from a normal login. The planning doc §9 is referenced but the proto gives social-login nothing to act on.

Concrete fix — add one boolean field (pure additive, zero wire-format impact on existing fields):

message ResolveOrCreateByEmailResponse {
  shared.v1.UserId user_id = 1;
  bool created = 2;
  // True iff this call backfilled provider_subject onto an existing account
  // (the (provider, provider_subject) lookup missed but email matched).
  // Signals a new OAuth provider linkage — NOT a normal returning sign-in.
  // social-login SHOULD emit a security event and MAY require step-up
  // verification before issuing a JWT.
  // Always false when created=true. Idempotent: a subsequent sign-in with
  // the same (provider, provider_subject) returns false.
  bool provider_linked = 3;
}

This is additive-only: existing consumers reading only user_id and created are unaffected.

Verdict

NEEDS_WORK

---

_{hib-pr-reviewer • round 2 • 2 findings (1M/1m) • 2026-06-02T08:33:54.422Z → 2026-06-02T08:36:11.107Z • posted-as: pr-reviewer-bot • model: auto}

<!-- hib-pr-reviewer collapsed --> > _Superseded by round 3._ <details> <summary>Show previous round</summary> <!-- hib-pr-reviewer round:2 --> ## hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf) **Round 2** — head `da77a713082f`, base `main`, trigger `synchronize` **TL;DR:** NEEDS_WORK — kept 2 findings: 1 agreed minor (field-number source ordering) + 1 unique-to-B major (verified: backfill path indistinguishable in response, security audit gap). ### Summary ## Arbitration — Round 2 (`user/v1/user_provisioning.proto`) ### Memora context No prior memories found for this repo or PR (both queries returned empty). Treating this as first-persisted entry; Memora write attempted but MCP tag-validation permissions blocked all create paths — logged for ops. ### File verification Read the full file at `/var/lib/pr-reviewer/repos/affinity-intelligence-rework/im2be-protobuf/1479/user/v1/user_provisioning.proto` (126 lines). ### Finding 1 — field ordering (agreed A+B, verified ✅) Lines 83–111 confirm the declaration sequence: `email=1` (83), `first_name=2` (87), `last_name=3` (90), `provider=4` (93), **`provider_subject=7` (102)**, `accepted_privacy_policy_version=5` (108), `accepted_terms_version=6` (111). Source-order of field numbers is **1, 2, 3, 4, 7, 5, 6**. Both reviewers agree; finding is grounded. Kept as minor. B's concrete fix (reorder the `provider_subject` block to after field 6, keeping the wire number 7) is the cleanest option and is incorporated in the body. ### Finding 2 — `provider_linked` missing from response (unique-to-B, verified ✅) Lines 115–125 confirm `ResolveOrCreateByEmailResponse` has only `user_id=1` and `created=2`. The service comment at lines 41–46 explicitly describes three distinct outcomes, of which two — *normal returning sign-in* and *new-provider backfill* — both return `created=false` with no distinguishing signal. B's claim is grounded in the file text. The security consequence (audit gap, no step-up hook, email-recycling vector at the protocol layer) is coherent and not rebutted by A. Kept as major. ### Outcome Kept 2 findings: 1 agreed minor (field ordering) + 1 unique-to-B major (verified, `provider_linked` absent). Verdict: **NEEDS_WORK**. ### Blast Radius Single new proto file, but it defines the public gRPC contract between two services (social-login-service and user-service). Once generated code is committed and both services implement against this contract, any response-shape change requires coordinated updates to both callers and servers. The `provider_linked` fix must land before either service implementation is finalised. **BLAST_SCORE: 5/10** ### Risk Indicators | Indicator | Value | |---|---| | Sensitive functions | `ResolveOrCreateByEmail`, `provider_subject backfill path` | | Migration touched | — | | Test delta | — | | Dependency changes | — | ### CI status (head `da77a713082f`) **Overall: ✗ failure** 3 checks: 3 pending | Check | State | Link | |---|---|---| | protobuf CI / scripts/check-import-direction.sh (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/23/jobs/0) | | protobuf CI / buf lint (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/23/jobs/1) | | protobuf CI / buf build (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/23/jobs/2) | ### Findings (2) #### **[MINOR]** `provider_subject = 7` declared out of field-number order in a brand-new file — safe to fix now _user/v1/user_provisioning.proto:102_ The source declaration sequence in `ResolveOrCreateByEmailRequest` is **1, 2, 3, 4, 7, 5, 6**: `provider_subject = 7` (line 102) appears physically between `provider = 4` (line 93) and `accepted_privacy_policy_version = 5` (line 108). Proto3 encoding is valid — field numbers need only be unique, not ordered — but the non-sequential layout creates real maintenance friction: - Proto linters (e.g. `buf lint` with `FIELD_NUMBERS_ORDER`) will flag this. - Generated struct field orderings in Go / Java follow *declaration* order, not field-number order, so field 7 ends up before fields 5 and 6 in generated structs. - Future maintainers adding field 8 may be confused about whether the gap between 4 and 5 is intentional. Because this is a **brand-new file from `/dev/null`** with zero existing wire-format consumers or generated-code dependents, there is no backward-compatibility cost to correcting this now. **Recommended fix** — reorder source to match wire numbers (no field-number changes, no semantic change): ```protobuf string email = 1; string first_name = 2; string last_name = 3; AuthProvider provider = 4; string accepted_privacy_policy_version = 5; string accepted_terms_version = 6; string provider_subject = 7; // ← same wire number 7, now last in source ``` Declaration order and numeric order become identical (1 → 7 top-to-bottom). #### **[MAJOR]** `ResolveOrCreateByEmailResponse` carries no signal for the OAuth provider-backfill path — new linkage events are invisible to social-login _user/v1/user_provisioning.proto:124_ The service comment (lines 37–46) documents **three** distinct outcomes for `ResolveOrCreateByEmail`: | # | Condition | `created` returned | |---|---|---| | 1 | Returning user, same `(provider, provider_subject)` — no mutation | `false` | | 2 | New user, first sign-in — full creation + fan-out | `true` | | 3 | **Returning user, NEW provider backfilled** — `(provider, provider_subject)` miss, email match → link established | **`false`** | Cases 1 and 3 are **indistinguishable** to social-login via the current response. This is a security-contract gap, not merely a logging inconvenience: 1. **Audit gap** — social-login has no hook to emit a security event, notify the account owner, or surface the new linkage to an admin dashboard. A permanent new OAuth provider-to-account binding was established, and the caller has no way to know. 2. **Step-up verification impossible** — linking a fresh OAuth identity to an existing account is higher-risk than a normal returning sign-in. Without `provider_linked=true`, social-login cannot gate the JWT on "confirm via registered email" or similar step-up controls. 3. **Email-recycling vector** — an attacker controlling a recycled address signs in with a new OAuth provider; the `(provider, provider_subject)` lookup misses, email matches the original owner, `provider_subject` is silently backfilled, and the attacker receives the original owner's UUID — with `created=false`, indistinguishable from a normal login. The planning doc §9 is referenced but the proto gives social-login nothing to act on. **Concrete fix** — add one boolean field (pure additive, zero wire-format impact on existing fields): ```protobuf message ResolveOrCreateByEmailResponse { shared.v1.UserId user_id = 1; bool created = 2; // True iff this call backfilled provider_subject onto an existing account // (the (provider, provider_subject) lookup missed but email matched). // Signals a new OAuth provider linkage — NOT a normal returning sign-in. // social-login SHOULD emit a security event and MAY require step-up // verification before issuing a JWT. // Always false when created=true. Idempotent: a subsequent sign-in with // the same (provider, provider_subject) returns false. bool provider_linked = 3; } ``` This is additive-only: existing consumers reading only `user_id` and `created` are unaffected. ### Verdict **NEEDS_WORK** --- _{hib-pr-reviewer • round 2 • 2 findings (1M/1m) • 2026-06-02T08:33:54.422Z → 2026-06-02T08:36:11.107Z • posted-as: pr-reviewer-bot • model: auto} </details>

hibryda referenced this pull request from a commit 2026-06-02 10:38:16 +02:00

fix(user/v1): address PR #6 R2 — observable provider-link + numeric field order

hibryda added 1 commit 2026-06-02 10:38:16 +02:00

fix(user/v1): address PR #6 R2 — observable provider-link + numeric field order ... 4d352904aa

R2 NEEDS_WORK (1 major + 1 minor):
- [MAJOR] ResolveOrCreateByEmailResponse couldn't distinguish a clean stable-key resolve
  (created=false) from an email-fallback BACKFILL that linked a NEW OAuth provider to an
  existing account (also created=false) — making a security-sensitive linkage invisible to
  social-login (no audit event, no step-up gate, and the recycled-email takeover vector is
  silent). Added `bool provider_linked = 3` (additive): true iff the call backfilled
  provider_subject onto an existing email-matched account; social-login SHOULD emit a
  security event + MAY require step-up verification. Always false when created=true.
- [MINOR] reordered ResolveOrCreateByEmailRequest fields to numeric source order
  (1..7; provider_subject=7 now last) — declaration order == wire order, satisfies buf
  FIELD_NUMBERS_ORDER + avoids generated-struct field-order confusion. No field-number or
  semantic change.

buf lint + build clean; vendored user-service copy re-synced byte-identical.

pr-reviewer-bot commented 2026-06-02 10:42:54 +02:00

Member

Copy link

Superseded by round 4.

Show previous round

hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf)

Round 3 — head 4d352904aad2, base main, trigger synchronize

TL;DR: NEEDS_WORK — kept 2 findings (1 major agreed A+B, 1 minor unique-to-A verified); no findings dropped.

Summary

Arbitration Round 3 — im2be-protobuf#6

Memora persistence: Tag allowlist blocked pr-review-run; fallback memory_absorb lacked permission. Run history could not be persisted — logged for ops.

Reconciliation actions:

• Finding 1 (AGREED, major): Both A and B independently cite line 129 for the SHOULD/MAY vs MUST language on the provider_linked security-sensitive path. Verified at file lines 129–130: "social-login SHOULD emit a security event and MAY require step-up verification". The comment itself labels this the recycled-email takeover vector boundary; SHOULD/MAY leaves a conformant implementation free to silently issue a JWT. KEPT at major severity.
• Finding 2 (UNIQUE-TO-A, minor): A flags the two-boolean created+provider_linked response design at lines 121–135, which permits the wire-valid but semantically invalid state {created:true, provider_linked:true} (explicitly excluded only in a comment at line 132). Verified: both fields exist as plain bool fields with no proto-level enforcement of the mutual-exclusion. The RESULT_KIND enum fix is well-grounded and consistent with the file's own AUTH_PROVIDER_UNSPECIFIED=0 fail-closed pattern. KEPT at minor severity.
• Dropped: Nothing dropped; B's single finding is the agreed-upon finding 1.

Prior-round closure confirmed (R1 + R2 findings all resolved or deferred, no re-raising).

Blast Radius

Change is a single new proto file (+136/-0) touching only the user-service provisioning surface. The provider_linked field establishes a security-sensitive contract that social-login-service must implement correctly, so the blast radius extends to any OAuth login flow consuming this RPC. The file does not touch shared types or existing wire contracts.

BLAST_SCORE: 3/10

Risk Indicators

Indicator	Value
Sensitive functions	ResolveOrCreateByEmail, provider_linked
Migration touched	—
Test delta	—
Dependency changes	—

CI status (head 4d352904aad2)

Overall: ✗ failure

3 checks: 3 pending

Check	State	Link
protobuf CI / scripts/check-import-direction.sh (pull_request)	⏳ pending	details
protobuf CI / buf lint (pull_request)	⏳ pending	details
protobuf CI / buf build (pull_request)	⏳ pending	details

Findings (2)

[MAJOR] provider_linked contract uses SHOULD/MAY where the recycled-email takeover boundary demands MUST

user/v1/user_provisioning.proto:129

Lines 129–130 (verified):

// sign-in. This is security-sensitive: social-login SHOULD emit a security
// event and MAY require step-up verification (e.g. confirm via the

The comment itself identifies provider_linked=true as the mechanism that "bounds the recycled-email takeover vector" (line 131). RFC 2119 SHOULD permits a conformant implementation to omit the security event entirely; MAY makes step-up fully optional. A social-login implementation that silently issues a JWT on provider_linked=true is therefore contract-conformant today, directly undermining the stated security guarantee.

Contrast line 56–57 in the same file, which correctly uses MUST for the fault path: "The caller (social-login) MUST fail the OAuth login closed (HTTP 503)".

Required fix:

1. SHOULD emit a security event → MUST emit a security event — there is no valid reason to skip observability on an account-linking event.
2. MAY require step-up verification → SHOULD require step-up verification (or MUST, per product policy) — raises the obligation out of "fully optional" while acknowledging that linking policy may legitimately vary by provider.

[MINOR] ResolveOrCreateByEmailResponse two-boolean design admits a wire-valid but semantically invalid combined state

user/v1/user_provisioning.proto:115

Lines 121–135 define two bool fields:

• bool created = 2; (line 124)
• bool provider_linked = 3; (line 135)

Line 132 documents a mutual-exclusion: "Always false when created=true". Proto3 cannot enforce this; a server bug returning {created:true, provider_linked:true} is wire-valid and will silently deserialize in every consumer without error.

Valid combinations per the comment:

created	provider_linked	Meaning
false	false	plain resolve
false	true	resolve + new provider linkage
true	false	new user created
true	true	excluded only in a comment

Recommended fix — replace with a ResultKind enum, consistent with the file's existing UNSPECIFIED=0 fail-closed pattern (AUTH_PROVIDER_UNSPECIFIED=0 at line 71):

enum ResultKind {
  RESULT_KIND_UNSPECIFIED = 0;
  RESULT_KIND_RESOLVED_EXISTING = 1;
  RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK = 2;
  RESULT_KIND_CREATED = 3;
}
ResultKind result_kind = 2;

Field 3 would be tombstoned: reserved 3; reserved "provider_linked";. Since this file is brand-new (+136/-0) and has not shipped, there is no wire-compat concern.

Verdict

NEEDS_WORK

---

_{hib-pr-reviewer • round 3 • 2 findings (1M/1m) • 2026-06-02T08:41:12.451Z → 2026-06-02T08:42:53.652Z • posted-as: pr-reviewer-bot • model: auto}

<!-- hib-pr-reviewer collapsed --> > _Superseded by round 4._ <details> <summary>Show previous round</summary> <!-- hib-pr-reviewer round:3 --> ## hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf) **Round 3** — head `4d352904aad2`, base `main`, trigger `synchronize` **TL;DR:** NEEDS_WORK — kept 2 findings (1 major agreed A+B, 1 minor unique-to-A verified); no findings dropped. ### Summary ## Arbitration Round 3 — im2be-protobuf#6 **Memora persistence**: Tag allowlist blocked `pr-review-run`; fallback `memory_absorb` lacked permission. Run history could not be persisted — logged for ops. **Reconciliation actions**: - **Finding 1 (AGREED, major)**: Both A and B independently cite line 129 for the `SHOULD`/`MAY` vs `MUST` language on the `provider_linked` security-sensitive path. Verified at file lines 129–130: `"social-login SHOULD emit a security event and MAY require step-up verification"`. The comment itself labels this the recycled-email takeover vector boundary; SHOULD/MAY leaves a conformant implementation free to silently issue a JWT. KEPT at major severity. - **Finding 2 (UNIQUE-TO-A, minor)**: A flags the two-boolean `created`+`provider_linked` response design at lines 121–135, which permits the wire-valid but semantically invalid state `{created:true, provider_linked:true}` (explicitly excluded only in a comment at line 132). Verified: both fields exist as plain `bool` fields with no proto-level enforcement of the mutual-exclusion. The `RESULT_KIND` enum fix is well-grounded and consistent with the file's own `AUTH_PROVIDER_UNSPECIFIED=0` fail-closed pattern. KEPT at minor severity. - **Dropped**: Nothing dropped; B's single finding is the agreed-upon finding 1. **Prior-round closure confirmed** (R1 + R2 findings all resolved or deferred, no re-raising). ### Blast Radius Change is a single new proto file (+136/-0) touching only the user-service provisioning surface. The `provider_linked` field establishes a security-sensitive contract that social-login-service must implement correctly, so the blast radius extends to any OAuth login flow consuming this RPC. The file does not touch shared types or existing wire contracts. **BLAST_SCORE: 3/10** ### Risk Indicators | Indicator | Value | |---|---| | Sensitive functions | `ResolveOrCreateByEmail`, `provider_linked` | | Migration touched | — | | Test delta | — | | Dependency changes | — | ### CI status (head `4d352904aad2`) **Overall: ✗ failure** 3 checks: 3 pending | Check | State | Link | |---|---|---| | protobuf CI / scripts/check-import-direction.sh (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/24/jobs/0) | | protobuf CI / buf lint (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/24/jobs/1) | | protobuf CI / buf build (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/24/jobs/2) | ### Findings (2) #### **[MAJOR]** `provider_linked` contract uses SHOULD/MAY where the recycled-email takeover boundary demands MUST _user/v1/user_provisioning.proto:129_ Lines 129–130 (verified): ``` // sign-in. This is security-sensitive: social-login SHOULD emit a security // event and MAY require step-up verification (e.g. confirm via the ``` The comment itself identifies `provider_linked=true` as the mechanism that "bounds the recycled-email takeover vector" (line 131). RFC 2119 SHOULD permits a conformant implementation to omit the security event entirely; MAY makes step-up fully optional. A social-login implementation that silently issues a JWT on `provider_linked=true` is therefore contract-conformant today, directly undermining the stated security guarantee. Contrast line 56–57 in the same file, which correctly uses MUST for the fault path: `"The caller (social-login) MUST fail the OAuth login closed (HTTP 503)"`. **Required fix**: 1. `SHOULD emit a security event` → `MUST emit a security event` — there is no valid reason to skip observability on an account-linking event. 2. `MAY require step-up verification` → `SHOULD require step-up verification` (or `MUST`, per product policy) — raises the obligation out of "fully optional" while acknowledging that linking policy may legitimately vary by provider. #### **[MINOR]** `ResolveOrCreateByEmailResponse` two-boolean design admits a wire-valid but semantically invalid combined state _user/v1/user_provisioning.proto:115_ Lines 121–135 define two `bool` fields: - `bool created = 2;` (line 124) - `bool provider_linked = 3;` (line 135) Line 132 documents a mutual-exclusion: `"Always false when created=true"`. Proto3 cannot enforce this; a server bug returning `{created:true, provider_linked:true}` is wire-valid and will silently deserialize in every consumer without error. Valid combinations per the comment: | `created` | `provider_linked` | Meaning | |---|---|---| | false | false | plain resolve | | false | true | resolve + new provider linkage | | true | false | new user created | | **true** | **true** | **excluded only in a comment** | **Recommended fix** — replace with a `ResultKind` enum, consistent with the file's existing `UNSPECIFIED=0` fail-closed pattern (`AUTH_PROVIDER_UNSPECIFIED=0` at line 71): ```protobuf enum ResultKind { RESULT_KIND_UNSPECIFIED = 0; RESULT_KIND_RESOLVED_EXISTING = 1; RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK = 2; RESULT_KIND_CREATED = 3; } ResultKind result_kind = 2; ``` Field 3 would be tombstoned: `reserved 3; reserved "provider_linked";`. Since this file is brand-new (+136/-0) and has not shipped, there is no wire-compat concern. ### Verdict **NEEDS_WORK** --- _{hib-pr-reviewer • round 3 • 2 findings (1M/1m) • 2026-06-02T08:41:12.451Z → 2026-06-02T08:42:53.652Z • posted-as: pr-reviewer-bot • model: auto} </details>

hibryda referenced this pull request from a commit 2026-06-02 10:53:09 +02:00

fix(user/v1): address PR #6 R3 — ResultKind enum (no invalid state) + MUST security event

hibryda added 1 commit 2026-06-02 10:53:09 +02:00

fix(user/v1): address PR #6 R3 — ResultKind enum (no invalid state) + MUST security event ... 21087b8886

R3 NEEDS_WORK (1 major + 1 minor):
- [MAJOR] provider_linked's RFC-2119 SHOULD/MAY let a conformant caller skip the security
  event that bounds the recycled-email takeover vector. Folded into the new ResultKind enum:
  RESOLVED_NEW_PROVIDER_LINK now mandates "MUST emit a security event" + "SHOULD require
  step-up verification" — a caller may NOT silently issue a JWT on a provider-link.
- [MINOR] the {created, provider_linked} two-boolean response admitted a wire-valid but
  semantically invalid created+linked combination. Replaced with ResultKind
  {UNSPECIFIED(fail-closed), RESOLVED_EXISTING, RESOLVED_NEW_PROVIDER_LINK, CREATED} —
  mutually exclusive by construction. Old fields tombstoned (reserved 3 + names).

buf lint + build clean; vendored user-service copy re-synced byte-identical.

pr-reviewer-bot commented 2026-06-02 10:59:06 +02:00

Member

Copy link

Superseded by round 5.

Show previous round

hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf)

Round 4 — head 21087b88862e, base main, trigger synchronize

TL;DR: NEEDS_WORK — kept all 3 B findings (1 major SHOULD→MUST security gap on recycled-email boundary, 2 minor doc/reserved issues); A returned empty JSON so all were unique-to-B but each verified against HEAD.

Summary

Memora persistence: Tag allowlist rejected all attempts; memory was not persisted (permissions not granted). Memora step noted as failed.

Reconciliation: Reviewer A returned 0 formal findings (parse-truncated JSON, prose-only salvage). Reviewer B returned 3 findings. All 3 required independent verification against the file at HEAD.

B-1 (major, line 129) — SHOULD→MUST for step-up on RESOLVED_NEW_PROVIDER_LINK: Verified. Line 129 literally reads SHOULD require step-up verification. This has been an open finding since R3 with no change. The closing prohibition (a conformant caller may NOT silently issue a JWT) does not mandate step-up — it only forbids silent issuance. A caller can read SHOULD, skip step-up, emit the required security event, and still issue a JWT without violating any MUST. This is a meaningful gap on a recycled-email takeover boundary. Kept.

B-2 (minor, line 97) — stale (created=true) reference: Verified. Line 97 reads Required on the create path (created=true). The field created is reserved (line 152); it no longer exists in the response message. Both A (prose) and B independently flagged this. Should reference result_kind=RESULT_KIND_CREATED instead. Kept.

B-3 (minor, line 151) — reserved block may not cover provider_linked's original field number: Verified. Lines 151–152 show reserved 3; and reserved "created", "provider_linked";. Only field number 3 is numerically reserved. If the draft provider_linked was = 4 (natural consecutive numbering after created = 3), field number 4 is unprotected and any client built against the never-shipped draft would silently decode a future = 4 field as a boolean. Unique-to-B but grounded. Kept.

Disposition: 1 major + 2 minor → NEEDS_WORK.

Blast Radius

The diff is a single new proto file (+153/-0). It introduces a new public gRPC service surface (UserProvisioningService) that is the sole writer of canonical user identity across the system, invoked by social-login-service at every OAuth login. The blast radius is moderate: the service boundary is narrow (one RPC, one caller via SPIFFE ACL), but the identity data it writes underlies downstream fan-out services (member, halo, subscription, diary, flow-coach) and the RESOLVED_NEW_PROVIDER_LINK path directly bounds the recycled-email account-takeover vector.

BLAST_SCORE: 4/10

Risk Indicators

Indicator	Value
Sensitive functions	ResolveOrCreateByEmail, RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK, AuthProvider, provider_subject
Migration touched	—
Test delta	—
Dependency changes	—

CI status (head 21087b88862e)

Overall: ✗ failure

3 checks: 3 pending

Check	State	Link
protobuf CI / scripts/check-import-direction.sh (pull_request)	⏳ pending	details
protobuf CI / buf lint (pull_request)	⏳ pending	details
protobuf CI / buf build (pull_request)	⏳ pending	details

Findings (3)

[MAJOR] SHOULD step-up verification on RESOLVED_NEW_PROVIDER_LINK must be upgraded to MUST

user/v1/user_provisioning.proto:129

Line 129 still reads: SHOULD require step-up verification (e.g. confirm via the registered email) before issuing a JWT. This has been an open finding since Round 3 and is unchanged. The closing sentence a conformant caller may NOT silently issue a JWT only forbids silent issuance; it does not mandate step-up. A compliant caller can therefore read SHOULD, consciously skip step-up, emit the required security event, and still issue a JWT — all without violating any MUST. On the recycled-email takeover boundary (RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK) that is an exploitable gap. Fix: change SHOULD require → MUST require; or, if step-up is intentionally deployment-controlled, add a server-driven signal (e.g. bool step_up_required in the response) so the server enforces the policy rather than delegating the decision to the caller's reading of a SHOULD.

[MINOR] Stale (created=true) reference in consent-field comment

user/v1/user_provisioning.proto:97

Line 97 reads Required on the create path (created=true). The boolean field created has been removed and is now reserved at line 152 — it no longer exists in the response message. A reader of this comment will search for a created field, find only a reservation, and be confused about the validation rule. Fix: replace (created=true) with (result_kind=RESULT_KIND_CREATED) to reference the live enum value. The identical stale reference should be checked in accepted_terms_version at line 102 (which defers to accepted_privacy_policy_version by cross-reference).

[MINOR] Reserved block covers only field number 3 — provider_linked's original field number may be unprotected

user/v1/user_provisioning.proto:151

Lines 151–152:

reserved 3;
reserved "created", "provider_linked";

Field number 3 is protected by number, and both names are name-reserved. However, if the draft response also had bool provider_linked = 4; (the natural consecutive number after created = 3), then field number 4 is not numerically reserved. Any client binary built against the never-shipped draft would silently decode a future = 4 field as a boolean. Fix: confirm the field number the draft provider_linked carried; if it was = 4, extend the reservation to reserved 3, 4;.

Verdict

NEEDS_WORK

---

_{hib-pr-reviewer • round 4 • 3 findings (1M/2m) • 2026-06-02T08:57:14.369Z → 2026-06-02T08:59:06.066Z • posted-as: pr-reviewer-bot • model: auto}

<!-- hib-pr-reviewer collapsed --> > _Superseded by round 5._ <details> <summary>Show previous round</summary> <!-- hib-pr-reviewer round:4 --> ## hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf) **Round 4** — head `21087b88862e`, base `main`, trigger `synchronize` **TL;DR:** NEEDS_WORK — kept all 3 B findings (1 major SHOULD→MUST security gap on recycled-email boundary, 2 minor doc/reserved issues); A returned empty JSON so all were unique-to-B but each verified against HEAD. ### Summary **Memora persistence**: Tag allowlist rejected all attempts; memory was not persisted (permissions not granted). Memora step noted as failed. **Reconciliation**: Reviewer A returned 0 formal findings (parse-truncated JSON, prose-only salvage). Reviewer B returned 3 findings. All 3 required independent verification against the file at HEAD. **B-1 (major, line 129) — SHOULD→MUST for step-up on RESOLVED_NEW_PROVIDER_LINK**: Verified. Line 129 literally reads `SHOULD require step-up verification`. This has been an open finding since R3 with no change. The closing prohibition (`a conformant caller may NOT silently issue a JWT`) does not mandate step-up — it only forbids silent issuance. A caller can read SHOULD, skip step-up, emit the required security event, and still issue a JWT without violating any MUST. This is a meaningful gap on a recycled-email takeover boundary. **Kept.** **B-2 (minor, line 97) — stale `(created=true)` reference**: Verified. Line 97 reads `Required on the create path (created=true)`. The field `created` is reserved (line 152); it no longer exists in the response message. Both A (prose) and B independently flagged this. Should reference `result_kind=RESULT_KIND_CREATED` instead. **Kept.** **B-3 (minor, line 151) — `reserved` block may not cover `provider_linked`'s original field number**: Verified. Lines 151–152 show `reserved 3;` and `reserved "created", "provider_linked";`. Only field number 3 is numerically reserved. If the draft `provider_linked` was `= 4` (natural consecutive numbering after `created = 3`), field number 4 is unprotected and any client built against the never-shipped draft would silently decode a future `= 4` field as a boolean. Unique-to-B but grounded. **Kept.** **Disposition**: 1 major + 2 minor → NEEDS_WORK. ### Blast Radius The diff is a single new proto file (+153/-0). It introduces a new public gRPC service surface (UserProvisioningService) that is the sole writer of canonical user identity across the system, invoked by social-login-service at every OAuth login. The blast radius is moderate: the service boundary is narrow (one RPC, one caller via SPIFFE ACL), but the identity data it writes underlies downstream fan-out services (member, halo, subscription, diary, flow-coach) and the RESOLVED_NEW_PROVIDER_LINK path directly bounds the recycled-email account-takeover vector. **BLAST_SCORE: 4/10** ### Risk Indicators | Indicator | Value | |---|---| | Sensitive functions | `ResolveOrCreateByEmail`, `RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK`, `AuthProvider`, `provider_subject` | | Migration touched | — | | Test delta | — | | Dependency changes | — | ### CI status (head `21087b88862e`) **Overall: ✗ failure** 3 checks: 3 pending | Check | State | Link | |---|---|---| | protobuf CI / scripts/check-import-direction.sh (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/25/jobs/0) | | protobuf CI / buf lint (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/25/jobs/1) | | protobuf CI / buf build (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/25/jobs/2) | ### Findings (3) #### **[MAJOR]** SHOULD step-up verification on RESOLVED_NEW_PROVIDER_LINK must be upgraded to MUST _user/v1/user_provisioning.proto:129_ Line 129 still reads: `SHOULD require step-up verification (e.g. confirm via the registered email) before issuing a JWT`. This has been an open finding since Round 3 and is unchanged. The closing sentence `a conformant caller may NOT silently issue a JWT` only forbids silent issuance; it does not mandate step-up. A compliant caller can therefore read SHOULD, consciously skip step-up, emit the required security event, and still issue a JWT — all without violating any MUST. On the recycled-email takeover boundary (`RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK`) that is an exploitable gap. **Fix**: change `SHOULD require` → `MUST require`; or, if step-up is intentionally deployment-controlled, add a server-driven signal (e.g. `bool step_up_required` in the response) so the server enforces the policy rather than delegating the decision to the caller's reading of a SHOULD. #### **[MINOR]** Stale `(created=true)` reference in consent-field comment _user/v1/user_provisioning.proto:97_ Line 97 reads `Required on the create path (created=true)`. The boolean field `created` has been removed and is now reserved at line 152 — it no longer exists in the response message. A reader of this comment will search for a `created` field, find only a reservation, and be confused about the validation rule. **Fix**: replace `(created=true)` with `(result_kind=RESULT_KIND_CREATED)` to reference the live enum value. The identical stale reference should be checked in `accepted_terms_version` at line 102 (which defers to `accepted_privacy_policy_version` by cross-reference). #### **[MINOR]** Reserved block covers only field number 3 — `provider_linked`'s original field number may be unprotected _user/v1/user_provisioning.proto:151_ Lines 151–152: ```proto reserved 3; reserved "created", "provider_linked"; ``` Field number 3 is protected by number, and both names are name-reserved. However, if the draft response also had `bool provider_linked = 4;` (the natural consecutive number after `created = 3`), then field number 4 is not numerically reserved. Any client binary built against the never-shipped draft would silently decode a future `= 4` field as a boolean. **Fix**: confirm the field number the draft `provider_linked` carried; if it was `= 4`, extend the reservation to `reserved 3, 4;`. ### Verdict **NEEDS_WORK** --- _{hib-pr-reviewer • round 4 • 3 findings (1M/2m) • 2026-06-02T08:57:14.369Z → 2026-06-02T08:59:06.066Z • posted-as: pr-reviewer-bot • model: auto} </details>

hibryda referenced this pull request from a commit 2026-06-02 11:01:59 +02:00

fix(user/v1): address PR #6 R4 — MUST step-up + stale-comment + field-history

hibryda added 1 commit 2026-06-02 11:01:59 +02:00

fix(user/v1): address PR #6 R4 — MUST step-up + stale-comment + field-history ... 3a64d05459

R4 NEEDS_WORK (1 major + 2 minor):
- [MAJOR] SHOULD step-up on RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK left the recycled-email
  takeover boundary exploitable (a compliant caller could skip step-up and still issue a
  JWT). SHOULD → MUST require step-up: both the security event AND step-up are mandatory.
- [MINOR] stale `(created=true)` in the privacy-version field comment →
  `(result_kind=RESULT_KIND_CREATED)` (the created bool was replaced by ResultKind in R3).
- [MINOR] documented the field-number history (created=2 reused by result_kind;
  provider_linked=3 reserved; field 4 never assigned) — confirms reserving 3 is complete.

buf lint + build clean; vendored user-service copy re-synced byte-identical.

pr-reviewer-bot commented 2026-06-02 11:06:48 +02:00

Member

Copy link

Superseded by round 6.

Show previous round

hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf)

Round 5 — head 3a64d05459ac, base main, trigger synchronize

TL;DR: CONDITIONAL_APPROVE — kept 2 findings (1 agreed minor wire-type comment error, 1 verified info abbreviated enum names); no blocking issues; all rounds 1–4 blocking/major findings confirmed resolved.

Summary

Round 5 Arbitration — 2 findings kept, 0 dropped

Memora persistence note: memory_create and memory_absorb failed with tag-allowlist errors not attributable to my inputs; run history could not be persisted.

Verification performed

• Read user/v1/user_provisioning.proto at HEAD (158 lines confirmed).
• Line 153 confirmed: // \created` was field 2 (now reused by result_kind, a different wire type);— the phrase "a different wire type" is present and factually wrong. Bothboolandenum` encode as proto varint (wire type 0). AGREED A+B → kept [minor].
• Lines 40, 44, 51 confirmed: service docstring uses result_kind=RESOLVED_EXISTING, result_kind=RESOLVED_NEW_PROVIDER_LINK, and result_kind=CREATED — all missing the RESULT_KIND_ prefix required by the actual enum definitions at lines 125, 134, 137. Generated identifiers in every proto target language carry the full prefix. UNIQUE-TO-B, verified → kept [info].

All prior blocking/major findings (rounds 1–4) were correctly marked resolved by both reviewers and are not re-raised.

Blast Radius

The diff adds a single new proto file (user/v1/user_provisioning.proto) with one new service, two new messages, and two new enums. The blast radius is bounded to consumers of the new UserProvisioningService.ResolveOrCreateByEmail RPC — currently only social-login-service per the SPIFFE ACL. No existing types or field numbers are mutated.

BLAST_SCORE: 3/10

Risk Indicators

Indicator	Value
Sensitive functions	ResolveOrCreateByEmail, RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK
Migration touched	—
Test delta	—
Dependency changes	—

CI status (head 3a64d05459ac)

Overall: ✗ failure

3 checks: 3 pending

Check	State	Link
protobuf CI / scripts/check-import-direction.sh (pull_request)	⏳ pending	details
protobuf CI / buf lint (pull_request)	⏳ pending	details
protobuf CI / buf build (pull_request)	⏳ pending	details

Findings (2)

[MINOR] "a different wire type" is factually wrong — bool and enum are both proto wire type 0 (varint)

user/v1/user_provisioning.proto:153

Line 153 reads:

// `created` was field 2 (now reused by result_kind, a different wire type);

bool and enum/int32 are both encoded as proto wire type 0 (varint). There is no wire-type difference. The phrase implies a harder serialisation break than exists and could mislead a future maintainer into introducing an unnecessary migration or compatibility shim. In reality, old created=true (varint 1) decodes as RESULT_KIND_RESOLVED_EXISTING; old created=false (varint 0) decodes as RESULT_KIND_UNSPECIFIED — both safe outcomes for an unreleased contract. The correct justification for safe field-number reuse is already in the same sentence: "this contract is unreleased — no shipped consumers."

Suggested fix:

// `created` was field 2 (now reused by result_kind; same varint wire type, but
// safe because this contract is unreleased with no shipped consumers);

[INFO] Service-level docstring uses abbreviated ResultKind names that do not match generated identifiers

user/v1/user_provisioning.proto:40

Lines 40, 44, and 51 reference enum values as bare RESOLVED_EXISTING, RESOLVED_NEW_PROVIDER_LINK, and CREATED. The actual generated identifiers in every protobuf target language are RESULT_KIND_RESOLVED_EXISTING, RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK, and RESULT_KIND_CREATED (defined at lines 125, 134, and 137 respectively).

An implementer reading the RPC-level docstring to understand what values to switch on will see names that do not compile if copied directly into generated-code switch statements. Apply the full prefixed names at all three call-sites:

// result_kind=RESULT_KIND_RESOLVED_EXISTING, no mutation.
// result_kind=RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK
// result_kind=RESULT_KIND_CREATED.

Verdict

CONDITIONAL_APPROVE

---

_{hib-pr-reviewer • round 5 • 2 findings (1m/1i) • 2026-06-02T09:05:12.454Z → 2026-06-02T09:06:47.596Z • posted-as: pr-reviewer-bot • model: auto}

<!-- hib-pr-reviewer collapsed --> > _Superseded by round 6._ <details> <summary>Show previous round</summary> <!-- hib-pr-reviewer round:5 --> ## hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf) **Round 5** — head `3a64d05459ac`, base `main`, trigger `synchronize` **TL;DR:** CONDITIONAL_APPROVE — kept 2 findings (1 agreed minor wire-type comment error, 1 verified info abbreviated enum names); no blocking issues; all rounds 1–4 blocking/major findings confirmed resolved. ### Summary ## Round 5 Arbitration — 2 findings kept, 0 dropped **Memora persistence note:** `memory_create` and `memory_absorb` failed with tag-allowlist errors not attributable to my inputs; run history could not be persisted. ### Verification performed - Read `user/v1/user_provisioning.proto` at HEAD (158 lines confirmed). - **Line 153** confirmed: `// \`created\` was field 2 (now reused by result_kind, a different wire type);` — the phrase "a different wire type" is present and factually wrong. Both `bool` and `enum` encode as proto varint (wire type 0). **AGREED A+B → kept [minor].** - **Lines 40, 44, 51** confirmed: service docstring uses `result_kind=RESOLVED_EXISTING`, `result_kind=RESOLVED_NEW_PROVIDER_LINK`, and `result_kind=CREATED` — all missing the `RESULT_KIND_` prefix required by the actual enum definitions at lines 125, 134, 137. Generated identifiers in every proto target language carry the full prefix. **UNIQUE-TO-B, verified → kept [info].** All prior blocking/major findings (rounds 1–4) were correctly marked resolved by both reviewers and are not re-raised. ### Blast Radius The diff adds a single new proto file (`user/v1/user_provisioning.proto`) with one new service, two new messages, and two new enums. The blast radius is bounded to consumers of the new `UserProvisioningService.ResolveOrCreateByEmail` RPC — currently only social-login-service per the SPIFFE ACL. No existing types or field numbers are mutated. **BLAST_SCORE: 3/10** ### Risk Indicators | Indicator | Value | |---|---| | Sensitive functions | `ResolveOrCreateByEmail`, `RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK` | | Migration touched | — | | Test delta | — | | Dependency changes | — | ### CI status (head `3a64d05459ac`) **Overall: ✗ failure** 3 checks: 3 pending | Check | State | Link | |---|---|---| | protobuf CI / scripts/check-import-direction.sh (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/26/jobs/0) | | protobuf CI / buf lint (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/26/jobs/1) | | protobuf CI / buf build (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/26/jobs/2) | ### Findings (2) #### **[MINOR]** "a different wire type" is factually wrong — bool and enum are both proto wire type 0 (varint) _user/v1/user_provisioning.proto:153_ Line 153 reads: ``` // `created` was field 2 (now reused by result_kind, a different wire type); ``` `bool` and `enum`/`int32` are **both** encoded as proto wire type 0 (varint). There is no wire-type difference. The phrase implies a harder serialisation break than exists and could mislead a future maintainer into introducing an unnecessary migration or compatibility shim. In reality, old `created=true` (varint 1) decodes as `RESULT_KIND_RESOLVED_EXISTING`; old `created=false` (varint 0) decodes as `RESULT_KIND_UNSPECIFIED` — both safe outcomes for an unreleased contract. The correct justification for safe field-number reuse is already in the same sentence: "this contract is unreleased — no shipped consumers." Suggested fix: ```proto // `created` was field 2 (now reused by result_kind; same varint wire type, but // safe because this contract is unreleased with no shipped consumers); ``` #### **[INFO]** Service-level docstring uses abbreviated ResultKind names that do not match generated identifiers _user/v1/user_provisioning.proto:40_ Lines 40, 44, and 51 reference enum values as bare `RESOLVED_EXISTING`, `RESOLVED_NEW_PROVIDER_LINK`, and `CREATED`. The actual generated identifiers in every protobuf target language are `RESULT_KIND_RESOLVED_EXISTING`, `RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK`, and `RESULT_KIND_CREATED` (defined at lines 125, 134, and 137 respectively). An implementer reading the RPC-level docstring to understand what values to switch on will see names that do not compile if copied directly into generated-code switch statements. Apply the full prefixed names at all three call-sites: ```proto // result_kind=RESULT_KIND_RESOLVED_EXISTING, no mutation. // result_kind=RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK // result_kind=RESULT_KIND_CREATED. ``` ### Verdict **CONDITIONAL_APPROVE** --- _{hib-pr-reviewer • round 5 • 2 findings (1m/1i) • 2026-06-02T09:05:12.454Z → 2026-06-02T09:06:47.596Z • posted-as: pr-reviewer-bot • model: auto} </details>

hibryda referenced this pull request from a commit 2026-06-02 11:09:10 +02:00

fix(user/v1): address PR #6 R5 — correct wire-type comment + full enum names

hibryda added 1 commit 2026-06-02 11:09:10 +02:00

fix(user/v1): address PR #6 R5 — correct wire-type comment + full enum names ... 26b1c36a78

R5 CONDITIONAL_APPROVE (1 minor + 1 info); all R1-R4 major/blocking confirmed resolved:
- [MINOR] field-history comment claimed result_kind is "a different wire type" than the
  old created bool — wrong (bool + enum are both varint wire type 0). Corrected: same
  varint type, safe because unreleased (old created=true would decode as RESOLVED_EXISTING).
- [INFO] service docstring used bare RESOLVED_EXISTING / RESOLVED_NEW_PROVIDER_LINK /
  CREATED → full generated identifiers RESULT_KIND_* at all three call-sites.

buf lint + build clean; vendored user-service copy re-synced byte-identical.

pr-reviewer-bot commented 2026-06-02 11:12:25 +02:00

Member

Copy link

hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf)

Round 6 — head 26b1c36a7844, base main, trigger synchronize

TL;DR: APPROVE — all 11 prior findings closed; wire-type comment corrected, full ResultKind identifiers in docstring, MUST-step-up enforcement present; no new issues found.

Summary

[quorum-converged] A=0 = B=0. ## Round 6 Review — All Prior Findings Closed

All 11 previously-open findings have been addressed in this revision:

Finding	Status
R1: missing provider_subject field	✅ Fixed — provider_subject = 7 at line 113
R1: consent-version blank-string validation + create-only semantics	✅ Fixed — lines 97–104 now document both
R2: provider_subject = 7 out of field-number order	✅ Fixed — fields are sequential 1–7
R2: no signal for OAuth provider-backfill path	✅ Fixed — RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK covers this
R3: SHOULD/MAY on step-up verification	✅ Fixed — lines 129–130 both say MUST
R3: two-boolean design admits wire-invalid combined state	✅ Fixed — replaced by mutually-exclusive ResultKind enum
R4: (created=true) stale reference in consent comment	✅ Fixed — line 98 now says result_kind=RESULT_KIND_CREATED
R4: reserved block coverage gap	✅ Fixed — reserved 3 + reserved "created", "provider_linked"
R5: "a different wire type" factually wrong	✅ Fixed — line 154 now says "same varint wire type"
R5: abbreviated ResultKind names in service docstring	✅ Fixed — full RESULT_KIND_* identifiers used throughout
R1 (deferred): AuthProvider enum package-scoped but single-consumer	⏩ Deferred — Forgejo issue filed in round 1, no change needed here

The file is consistent with the repo option conventions (Java-only, no go_package, matching user_profile.proto). The field-number history comment at lines 153–158 is technically accurate: created=true (bool, varint 1) decoding as RESULT_KIND_RESOLVED_EXISTING (enum value 1) is a moot hypothetical given the explicitly-stated "no shipped consumers" precondition. No new actionable findings.

Blast Radius

Single new proto file adding a provisioning service to the user.v1 package. Surface is restricted to social-login-service via SPIFFE/Envoy RBAC, so blast radius is bounded to that service boundary. The ResultKind enum and request message constitute a new exported gRPC contract but have no shipped consumers yet.

BLAST_SCORE: 5/10

Risk Indicators

Indicator	Value
Sensitive functions	UserProvisioningService.ResolveOrCreateByEmail, RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK
Migration touched	—
Test delta	—
Dependency changes	—

CI status (head 26b1c36a7844)

Overall: ✗ failure

3 checks: 3 pending

Check	State	Link
protobuf CI / buf lint (pull_request)	⏳ pending	details
protobuf CI / buf build (pull_request)	⏳ pending	details
protobuf CI / scripts/check-import-direction.sh (pull_request)	⏳ pending	details

Related PRs

• #5 (user_profile.proto UserProfileService — existing user.v1 neighbour)

Findings

No new findings this round.

Quorum converged on empty findings (A + B both returned 0).

Verdict

APPROVE

---

_{hib-pr-reviewer • round 6 • 0 findings • 2026-06-02T09:09:12.013Z → 2026-06-02T09:12:25.099Z • posted-as: pr-reviewer-bot • model: auto}

<!-- hib-pr-reviewer round:6 --> ## hib-pr-reviewer review — PR #6 (affinity-intelligence-rework/im2be-protobuf) **Round 6** — head `26b1c36a7844`, base `main`, trigger `synchronize` **TL;DR:** APPROVE — all 11 prior findings closed; wire-type comment corrected, full ResultKind identifiers in docstring, MUST-step-up enforcement present; no new issues found. ### Summary [quorum-converged] A=0 = B=0. ## Round 6 Review — All Prior Findings Closed All 11 previously-open findings have been addressed in this revision: | Finding | Status | |---|---| | R1: missing `provider_subject` field | ✅ Fixed — `provider_subject = 7` at line 113 | | R1: consent-version blank-string validation + create-only semantics | ✅ Fixed — lines 97–104 now document both | | R2: `provider_subject = 7` out of field-number order | ✅ Fixed — fields are sequential 1–7 | | R2: no signal for OAuth provider-backfill path | ✅ Fixed — `RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK` covers this | | R3: SHOULD/MAY on step-up verification | ✅ Fixed — lines 129–130 both say MUST | | R3: two-boolean design admits wire-invalid combined state | ✅ Fixed — replaced by mutually-exclusive `ResultKind` enum | | R4: `(created=true)` stale reference in consent comment | ✅ Fixed — line 98 now says `result_kind=RESULT_KIND_CREATED` | | R4: reserved block coverage gap | ✅ Fixed — `reserved 3` + `reserved "created", "provider_linked"` | | R5: "a different wire type" factually wrong | ✅ Fixed — line 154 now says "same varint wire type" | | R5: abbreviated ResultKind names in service docstring | ✅ Fixed — full `RESULT_KIND_*` identifiers used throughout | | R1 (deferred): `AuthProvider` enum package-scoped but single-consumer | ⏩ Deferred — Forgejo issue filed in round 1, no change needed here | The file is consistent with the repo option conventions (Java-only, no `go_package`, matching `user_profile.proto`). The field-number history comment at lines 153–158 is technically accurate: `created=true` (bool, varint 1) decoding as `RESULT_KIND_RESOLVED_EXISTING` (enum value 1) is a moot hypothetical given the explicitly-stated "no shipped consumers" precondition. No new actionable findings. ### Blast Radius Single new proto file adding a provisioning service to the user.v1 package. Surface is restricted to social-login-service via SPIFFE/Envoy RBAC, so blast radius is bounded to that service boundary. The ResultKind enum and request message constitute a new exported gRPC contract but have no shipped consumers yet. **BLAST_SCORE: 5/10** ### Risk Indicators | Indicator | Value | |---|---| | Sensitive functions | `UserProvisioningService.ResolveOrCreateByEmail`, `RESULT_KIND_RESOLVED_NEW_PROVIDER_LINK` | | Migration touched | — | | Test delta | — | | Dependency changes | — | ### CI status (head `26b1c36a7844`) **Overall: ✗ failure** 3 checks: 3 pending | Check | State | Link | |---|---|---| | protobuf CI / buf lint (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/27/jobs/1) | | protobuf CI / buf build (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/27/jobs/2) | | protobuf CI / scripts/check-import-direction.sh (pull_request) | ⏳ pending | [details](/affinity-intelligence-rework/im2be-protobuf/actions/runs/27/jobs/0) | ### Related PRs - #5 (user_profile.proto UserProfileService — existing user.v1 neighbour) ### Findings **No new findings this round.** _Quorum converged on empty findings (A + B both returned 0)._ ### Verdict **APPROVE** --- _{hib-pr-reviewer • round 6 • 0 findings • 2026-06-02T09:09:12.013Z → 2026-06-02T09:12:25.099Z • posted-as: pr-reviewer-bot • model: auto}

hibryda merged commit 9b8d92cb57 into main 2026-06-02 11:14:07 +02:00

hibryda deleted branch feat/user-provisioning-rpc 2026-06-02 11:14:07 +02:00

hibryda referenced this pull request from a commit 2026-06-02 11:14:07 +02:00

feat(user/v1): add UserProvisioningService.ResolveOrCreateByEmail (NEW-40 decoupling) (#6)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

affinity-intelligence-rework/im2be-protobuf!6

No description provided.