Skip to content

Show seeded operator work under portal broker auth #72

Description

@alexeygrigorev

Show seeded operator work under portal broker auth

Status: in progress
Tags: bug, portal, work-engine, frontend, backend, P0
Depends on: None
Blocks: V1 production cutover confidence (#71)

Scope

When Work Engine runs behind the docs portal broker, /api/me may identify the browser session as the synthetic portal-admin user. V1 seeded recurring tasks and notifications are assigned to real operator users. The Operations Home must not hide that production work just because the broker actor is synthetic.

This issue changes only the Work Engine portal-facing behavior:

  • Dashboard user picker and assigned-to-me behavior in work-engine/src/public/app.js.
  • Notification route scoping in work-engine/src/router.ts.
  • Regression tests for the dashboard source behavior and portal-auth notification route.

Acceptance Criteria

  • If the current dashboard user is not present in the loaded users map, the dashboard clears the current user, turns off assigned-to-me filtering, unchecks the assigned-to-me checkbox, and selects an All operators option.
  • Assigned-to-me filtering is only applied when the selected user exists in the users map.
  • Assigned-to-me filtering keeps unassigned tasks and intake rows visible, so shared operational work does not disappear.
  • Trusted portal broker requests to GET /api/notifications with x-user-id: portal-admin are treated as unscoped notification reads, so operator-assigned notifications remain visible.
  • Existing non-portal user notification filtering remains unchanged for real user IDs.

Test Scenarios

Scenario: Portal broker user is synthetic

Given: /api/me returns portal-admin and /api/users does not include portal-admin.
When: The operator opens Operations Home.
Then: The dashboard falls back to All operators, disables assigned-to-me filtering, and shows operator-assigned and unassigned daily work.

Scenario: Portal broker notification read

Given: An undismissed notification exists for a real operator user.
When: A trusted portal broker request calls GET /api/notifications with x-user-id: portal-admin.
Then: The notification appears in the response.

Scenario: Real user notification read

Given: Notifications exist for multiple real users and global notifications.
When: A real authenticated user calls GET /api/notifications.
Then: Existing filtering behavior still returns global plus matching-user notifications only.

Required Verification

  • NODE_ENV=test SKIP_AUTH=true node --import tsx --test tests/home-dashboard.test.ts tests/portal-auth.test.ts
  • npm --prefix work-engine run typecheck
  • After push, On-Call verifies the latest main workflows are green and production /work/api/notifications returns the generated recurring notifications under portal auth.

Out of Scope

  • Changing seeded users or recurring task ownership.
  • Replacing portal broker auth with real per-operator login.
  • Migrating notification storage or task assignment model.

Metadata

Metadata

Assignees

No one assigned

    Labels

    P0Must havebackendBackend/APIbugSomething is brokenfrontendFrontend UIportalShared portal shell and UXtestingTests and QAwork-engineDataTasks task execution engine

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions