Gate PIN UX (Phase 1): set/reset audit + first-time confirm & double-entry#1071
Merged
Conversation
Phase 1 of the gate claim/PIN UX rework:
- Audit every PIN set/reset via IAuditLogService (new AuditAction
GateStaffPinSet/GateStaffPinReset — no migration), recording the acting
user: the staffer on self-enrol, the admin on admin set/reset. PIN values
are never logged. Threads actorUserId through
IGateService.AdminSetPinAsync/ClearPinAsync (interface change — see PR note).
- First-time set only (never verify): an "Is this you, {name}?" confirm
before a PIN is minted in someone's name, and double-entry (enter twice,
must match) so a mis-typed PIN can't silently lock a volunteer out
(there is no self-service reset). Confined to the claim-only gate-pin.js;
the shared keypad and supervisor-override panel are untouched.
Build + 122 gate tests green; dotnet format clean. Live-verified end-to-end
(confirm, double-entry match, mismatch-restart) on the tablet viewport.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This was referenced Jul 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Phase 1 of the gate claim/PIN UX rework (from an investigation into three pathways: check-in source of truth, PIN/login ambiguity, and the supervisor PIN block). This PR is the safe, decision-independent slice; D2/D3/D1 follow separately.
What this does
IAuditLogService— newAuditAction.GateStaffPinSet/GateStaffPinReset(string-enum, no migration). Records the acting user: the staffer on self-enrol, the admin on admin set/reset. PIN values are never logged.Parts 2–3 are confined to the claim-only
gate-pin.js+Pin.cshtml; the sharedgate-keypad.jsand the supervisor-override panel are untouched.IGateServiceinterface change:AdminSetPinAsync/ClearPinAsyncgained aGuid actorUserIdparam, threaded from the Web layer'sGetCurrentUserId()(the service can't discover the acting admin itself). Per reuse-first discipline this public-surface change needs your OK. Only one implementor, no caching decorator — fully contained.Verification
dotnet formatclean.Related
Part of the gate rework tracked in nobodies-collective#906 (check-in divergence), nobodies-collective#907 (claim search), nobodies-collective#909 (gate-lead role). Not for merge without your review.
🤖 Generated with Claude Code