Skip to content

CI-001D — Prove backend-first staging and deploy the profile repair #136

Description

@daliu

Outcome

Use the protected release gate and short-lived deployment identity to prove the #118 profile-recovery backend in isolated staging, then deploy the exact compatible backend to the approved target Firebase project before publishing the website.

This is the actual release/evidence ticket. #135 is closed and the #118 source is merged. It is not ready to claim until #113 and #133 close and a protected Netlify production-release child under WEB-001 closes.

Officer impact: The reported profile permission failure is repaired without an officer editing a member record, deleting an account, or granting a role.

Officer documentation: Verify/update docs/officers/EVENTS_SHOP_MEMBERS.md, docs/officers/EMERGENCY_AND_RECOVERY.md, docs/officers/PUBLISH_AND_CHECK.md, docs/officers/SYSTEM_MAPS.md, OPERATIONS_RUNBOOK.md, and the private continuity record.

Deployment evidence: None at creation. Closure requires separate exact evidence for staging, target Rules, each target Function, website publication, runmprc.com, App Check policy, rollback, and synthetic live behavior.

Dependencies

Do not use a broad all-Functions deployment. This release is limited to the exact #100 Rules plus createMemberOnSignUp and ensureMemberProfile, followed by the dependent website. Other Functions remain outside this ticket.

Required release sequence

  1. Record the exact approved source commit and required green checks.
  2. Confirm the staging project contains no real member/customer data and all provider calls are isolated.
  3. Record the configured staging App Check policy.
  4. Deploy the exact SEC-001 — Replace the Firestore admin catch-all with resource-specific rules #100 Rules plus both revised Functions to staging as one compatible backend set.
  5. With made-up accounts only, prove:
    • one missing profile is created with the exact pending schema;
    • retries and concurrent calls preserve it byte-for-byte;
    • an existing member/admin profile and custom claims never change;
    • anonymous, injected-field, wrong-project, backend-down, missing-profile, Rules-denial, and cross-user paths fail safely;
    • missing/invalid App Check is rejected when enforcement is enabled, or the open enforcement gate is recorded when disabled;
    • name/phone edits succeed only for the caller and all protected-field/cross-user writes fail.
  6. Record and rehearse the last-compatible Rules/Functions/website rollback or reviewed safe roll-forward in staging.
  7. Obtain the named production approval through the protected environment.
  8. Deploy and verify the same exact Rules plus both revised Functions in the approved target Firebase project.
  9. If any target backend surface is skipped, partial, mismatched, or unverified, stop. Restore the reviewed backend set or safely roll forward. Do not publish the website.
  10. Publish the dependent website only after exact target-backend proof.
  11. Verify the exact website revision on the configured hosts and runmprc.com.
  12. Run only the approved synthetic live smoke. Never inspect or modify a real member profile.

Acceptance criteria

Stop conditions

Stop if any dependency is open, target project/approver is uncertain, provider isolation is unproven, the deployment would include all Functions, the backend is partial, or a test needs real member data. Do not repair production data through Firebase Console.

Claim protocol

Creation is not a claim. After every dependency is closed, assign one release agent and post CLAIMED by <canonical agent> at <UTC>; exact commit <sha> before any staging action. Provider-console and production approval remain human-owner actions. Keep all sensitive evidence in the approved private continuity record.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:authAuthentication and authorizationarea:ciContinuous integration and deploymentarea:firebaseFirebase services and dataarea:webWeb application and hostingneeds-external-configRequires provider console or external configurationpriority:P0Launch blocker or urgent security risksize:MMedium multi-file issuestatus:proposedDesigned but dependencies or decisions remaintype:operationsOperational setup or runbooktype:reliabilityReliability and recovery

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions