You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Scope: V48 starts as the interactive local experiential QA target over promoted V47 commercial website testnet launch canon.
14
+
- QA findings ledger: `BITCODE_V48_QA.md` (the running record of accepted V48 findings and repairs)
15
+
- Gate 1 (in progress): identity and authentication interactive QA on branch `v48/gate-1-identity-auth-interactive-qa`
16
+
- Full draft family (`BITCODE_SPEC_V48.md`, `BITCODE_SPEC_V48_DELTA.md`, `BITCODE_SPEC_V48_PARITY_MATRIX.md`) opens in a dedicated specification-authoring gate once the interactive QA tracks have accumulated the specification intent; Gate 1 closed as the identity/authentication QA-and-repairs gate
14
17
15
18
## Notes-only draft rule
16
19
@@ -53,6 +56,39 @@ deployed staging-testnet system end to end, step by step, and fix what breaks.
53
56
- Ledgerized journaling: replayability, auditability, `/packs` page UX/UI, and
54
57
the personal (Auxillaries) history of work.
55
58
59
+
## V48 Gate 1 in progress: identity and authentication interactive QA
60
+
61
+
Gate 1 exercises the live commercial testnet experience exactly as the
62
+
notes-only rule directs: interactively, recording accepted findings in
63
+
`BITCODE_V48_QA.md` (F1-F10 so far), and landing fail-closed repairs on the
64
+
gate branch. The full draft family is authored at Gate 1 closure from this
65
+
QA-driven specification intent.
66
+
67
+
Accepted findings converted to repairs so far:
68
+
69
+
- Supabase `redirect_to` law: GoTrue validates the Auth redirect allow-list by
70
+
exact string match, so `redirect_to` must stay query-free. The post-auth
71
+
destination travels through origin-local storage
72
+
(`uapi/lib/supabase-auth-redirect.ts`) and is consumed once by the callback.
73
+
This repaired wallet sign-in from both localhost and production www, which
74
+
previously stranded the PKCE verifier and never minted a session.
75
+
- Identity-derived wallet binding: the canonical wallet sign-up signs on the
76
+
OAuth provider authorize page, so nothing is staged client-side to replay.
77
+
`/api/wallet/authenticate` now derives the binding server-side from the
0 commit comments