Skip to content

Gate claim search (D2): masked-email disambiguator (name-only search)#1073

Merged
peterdrier merged 1 commit into
peterdrier:mainfrom
veryaaron:fix/gate-search-disambig
Jul 1, 2026
Merged

Gate claim search (D2): masked-email disambiguator (name-only search)#1073
peterdrier merged 1 commit into
peterdrier:mainfrom
veryaaron:fix/gate-search-disambig

Conversation

@veryaaron

@veryaaron veryaaron commented Jul 1, 2026

Copy link
Copy Markdown

Phase D2 of the gate claim/PIN UX rework. Fixes nobodies-collective#907 (the "many Pauls" problem): the claim picker matched burner name only and showed no disambiguator, so same-named staff were indistinguishable.

What this does

Each claim-search result now shows a masked email as a disambiguator (plus the existing photo). paul.smith@gmail.comp•••h@gmail.com.

  • Privacy-safe by default: only a verified email the owner set to org-public (AllActiveProfiles) visibility is ever surfaced — never a Board/coordinator/team-scoped address or a GDPR/merge tombstone. So nothing sensitive lands on the shared, role-less GateTerminal kiosk. If a person has no org-public email, the picker shows no disambiguator (the photo still helps). This mirrors the codebase's Bio-bucket public-email rule.
  • Search stays name-only (PersonSearchFields.Name) — you can't type an email to search, so there's no email-confirmation oracle.
  • The email is read per result (cached GetUserInfoAsync) and masked at the presentation layer, so the search and its response shape stay email-free. Mirrors the existing BuildSupervisorOptionsAsync loop — no new service/DTO surface. The picker view already renders Detail.

Your call, Peter

The org-public restriction is deliberately conservative — it means the email hint only shows for people who made an address org-public, which may be few. If you want broader coverage (e.g. show any verified email, masked, accepting a bounded privacy posture on the kiosk), that's a one-line change — your call. Flagging rather than assuming.

Verification

Build clean · gate tests green · dotnet format clean. Live-verified on the tablet viewport: a BoardOnly dev email correctly showed no hint; the same account switched to org-public then rendered d•••r@localhost. Peer-reviewed — this PR already folds in the reviewer's privacy fix (visibility filter) and tombstone guard.

Not for merge without your review.

🤖 Generated with Claude Code

… search)

Fixes the "many Pauls" problem (nobodies-collective#907): the claim search
matched burner-name only with no disambiguator. Each result now shows a
masked email (paul.smith@gmail.com -> p•••h@gmail.com) as a Detail sub-line,
alongside the existing photo.

Privacy: only a verified, OWNER-MADE-ORG-PUBLIC (AllActiveProfiles) email is
ever surfaced — never a Board/coordinator/team-scoped address or a GDPR/merge
tombstone — so nothing sensitive lands on the shared, role-less kiosk. If a
person has no org-public email, the picker shows no disambiguator (photo still
helps). Search stays name-only (PersonSearchFields.Name) — no email input, no
confirmation oracle. The email is read per result (cached) and masked at the
presentation layer, so the search and its response shape stay email-free.
Mirrors the existing BuildSupervisorOptionsAsync loop; no new service/DTO
surface; the picker view already renders Detail.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@veryaaron veryaaron force-pushed the fix/gate-search-disambig branch from 39328c0 to 847cf06 Compare July 1, 2026 00:34
@peterdrier peterdrier merged commit d6a5c26 into peterdrier:main Jul 1, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Gate claim search misses people — matches display/burner name only, capped at 10

2 participants