Skip to content

Gate PIN UX (Phase 1): set/reset audit + first-time confirm & double-entry#1071

Merged
peterdrier merged 1 commit into
peterdrier:mainfrom
veryaaron:fix/gate-pin-ux
Jul 1, 2026
Merged

Gate PIN UX (Phase 1): set/reset audit + first-time confirm & double-entry#1071
peterdrier merged 1 commit into
peterdrier:mainfrom
veryaaron:fix/gate-pin-ux

Conversation

@veryaaron

Copy link
Copy Markdown

Phase 1 of the gate claim/PIN UX rework (from an investigation into three pathways: check-in source of truth, PIN/login ambiguity, and the supervisor PIN block). This PR is the safe, decision-independent slice; D2/D3/D1 follow separately.

What this does

  1. PIN set/reset audit. Every gate PIN set/reset now writes an audit entry via the existing IAuditLogService — new AuditAction.GateStaffPinSet/GateStaffPinReset (string-enum, no migration). Records the acting user: the staffer on self-enrol, the admin on admin set/reset. PIN values are never logged.
  2. "Is this you, {name}?" confirm before a first-time PIN is minted in someone's name (attribution guard). Set mode only.
  3. Double-entry on set (enter twice, must match) so a mis-typed PIN can't silently lock a volunteer out — there is no self-service reset. Mismatch resets to a clean "Set a 4-digit PIN" with a distinct error. Verify mode stays a single snappy entry.

Parts 2–3 are confined to the claim-only gate-pin.js + Pin.cshtml; the shared gate-keypad.js and the supervisor-override panel are untouched.

⚠️ Needs your sign-off, Peter

  • IGateService interface change: AdminSetPinAsync/ClearPinAsync gained a Guid actorUserId param, threaded from the Web layer's GetCurrentUserId() (the service can't discover the acting admin itself). Per reuse-first discipline this public-surface change needs your OK. Only one implementor, no caching decorator — fully contained.

Verification

  • Build clean · 122 gate tests green (incl. a new audit-actor test) · dotnet format clean.
  • Live-verified on the rugged-tablet viewport: the confirm step, double-entry happy path, and the mismatch-restart all drive correctly end-to-end; audit fires on self-enrol.
  • Peer-reviewed (two UX tweaks from the review applied: mismatch-restart copy + emphasised re-enter prompt).

Related

Part of the gate rework tracked in nobodies-collective#906 (check-in divergence), nobodies-collective#907 (claim search), nobodies-collective#909 (gate-lead role). Not for merge without your review.

🤖 Generated with Claude Code

Phase 1 of the gate claim/PIN UX rework:
- Audit every PIN set/reset via IAuditLogService (new AuditAction
  GateStaffPinSet/GateStaffPinReset — no migration), recording the acting
  user: the staffer on self-enrol, the admin on admin set/reset. PIN values
  are never logged. Threads actorUserId through
  IGateService.AdminSetPinAsync/ClearPinAsync (interface change — see PR note).
- First-time set only (never verify): an "Is this you, {name}?" confirm
  before a PIN is minted in someone's name, and double-entry (enter twice,
  must match) so a mis-typed PIN can't silently lock a volunteer out
  (there is no self-service reset). Confined to the claim-only gate-pin.js;
  the shared keypad and supervisor-override panel are untouched.

Build + 122 gate tests green; dotnet format clean. Live-verified end-to-end
(confirm, double-entry match, mismatch-restart) on the tablet viewport.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants