npm - @jskit-ai/users-core - Versions diffs - 0.1.4 - Mend

@jskit-ai/users-core 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (148) hide show

package/templates/config/workspaceRoles.js ADDED Viewed

@@ -0,0 +1,30 @@
+export const workspaceRoles = {};
+workspaceRoles.defaultInviteRole = "member";
+workspaceRoles.roles = {};
+workspaceRoles.roles.owner = {
+  assignable: false,
+  permissions: []
+};
+workspaceRoles.roles.owner.permissions.push("*");
+workspaceRoles.roles.admin = {
+  assignable: true,
+  permissions: []
+};
+workspaceRoles.roles.admin.permissions.push(
+  "workspace.roles.view",
+  "workspace.settings.view",
+  "workspace.settings.update",
+  "workspace.members.view",
+  "workspace.members.invite",
+  "workspace.members.manage",
+  "workspace.invites.revoke"
+);
+workspaceRoles.roles.member = {
+  assignable: true,
+  permissions: []
+};
+workspaceRoles.roles.member.permissions.push("workspace.settings.view");

package/templates/migrations/users_core_console_owner.cjs ADDED Viewed

@@ -0,0 +1,39 @@
+// JSKIT_MIGRATION_ID: users-core-console-owner
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.up = async function up(knex) {
+  const hasConsoleSettingsTable = await knex.schema.hasTable("console_settings");
+  if (!hasConsoleSettingsTable) {
+    return;
+  }
+  const hasOwnerUserId = await knex.schema.hasColumn("console_settings", "owner_user_id");
+  if (hasOwnerUserId) {
+    return;
+  }
+  await knex.schema.alterTable("console_settings", (table) => {
+    table.integer("owner_user_id").unsigned().nullable();
+  });
+};
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.down = async function down(knex) {
+  const hasConsoleSettingsTable = await knex.schema.hasTable("console_settings");
+  if (!hasConsoleSettingsTable) {
+    return;
+  }
+  const hasOwnerUserId = await knex.schema.hasColumn("console_settings", "owner_user_id");
+  if (!hasOwnerUserId) {
+    return;
+  }
+  await knex.schema.alterTable("console_settings", (table) => {
+    table.dropColumn("owner_user_id");
+  });
+};

package/templates/migrations/users_core_initial.cjs ADDED Viewed

@@ -0,0 +1,118 @@
+// JSKIT_MIGRATION_ID: users-core-initial-schema
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.up = async function up(knex) {
+  await knex.schema.createTable("user_profiles", (table) => {
+    table.increments("id").primary();
+    table.string("auth_provider", 64).notNullable();
+    table.string("auth_provider_user_id", 191).notNullable();
+    table.string("email", 255).notNullable();
+    table.string("username", 120).notNullable();
+    table.string("display_name", 160).notNullable();
+    table.string("avatar_storage_key", 512).nullable();
+    table.string("avatar_version", 64).nullable();
+    table.timestamp("avatar_updated_at", { useTz: false }).nullable();
+    table.timestamp("created_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    table.unique(["auth_provider", "auth_provider_user_id"], "uq_user_profiles_identity");
+    table.unique(["email"], "uq_user_profiles_email");
+    table.unique(["username"], "uq_user_profiles_username");
+  });
+  await knex.schema.createTable("workspaces", (table) => {
+    table.increments("id").primary();
+    table.string("slug", 120).notNullable().unique();
+    table.string("name", 160).notNullable();
+    table.integer("owner_user_id").unsigned().notNullable().references("id").inTable("user_profiles").onDelete("CASCADE");
+    table.boolean("is_personal").notNullable().defaultTo(true);
+    table.string("avatar_url", 512).notNullable().defaultTo("");
+    table.string("color", 7).notNullable().defaultTo("#0F6B54");
+    table.timestamp("created_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    table.timestamp("updated_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    table.timestamp("deleted_at", { useTz: false }).nullable();
+  });
+  await knex.schema.createTable("workspace_memberships", (table) => {
+    table.increments("id").primary();
+    table.integer("workspace_id").unsigned().notNullable().references("id").inTable("workspaces").onDelete("CASCADE");
+    table.integer("user_id").unsigned().notNullable().references("id").inTable("user_profiles").onDelete("CASCADE");
+    table.string("role_id", 64).notNullable().defaultTo("member");
+    table.string("status", 32).notNullable().defaultTo("active");
+    table.timestamp("created_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    table.timestamp("updated_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    table.unique(["workspace_id", "user_id"], "uq_workspace_memberships_workspace_user");
+  });
+  await knex.schema.createTable("workspace_settings", (table) => {
+    table.integer("workspace_id").unsigned().primary().references("id").inTable("workspaces").onDelete("CASCADE");
+    table.string("name", 160).notNullable().defaultTo("Workspace");
+    table.string("avatar_url", 512).notNullable().defaultTo("");
+    table.string("color", 7).notNullable().defaultTo("#0F6B54");
+    table.boolean("invites_enabled").notNullable().defaultTo(true);
+    table.timestamp("created_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    table.timestamp("updated_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+  });
+  await knex.schema.createTable("workspace_invites", (table) => {
+    table.increments("id").primary();
+    table.integer("workspace_id").unsigned().notNullable().references("id").inTable("workspaces").onDelete("CASCADE");
+    table.string("email", 255).notNullable();
+    table.string("role_id", 64).notNullable().defaultTo("member");
+    table.string("status", 32).notNullable().defaultTo("pending");
+    table.string("token_hash", 191).notNullable();
+    table.integer("invited_by_user_id").unsigned().nullable().references("id").inTable("user_profiles").onDelete("SET NULL");
+    table.timestamp("expires_at", { useTz: false }).nullable();
+    table.timestamp("accepted_at", { useTz: false }).nullable();
+    table.timestamp("revoked_at", { useTz: false }).nullable();
+    table.timestamp("created_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    table.timestamp("updated_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    table.unique(["token_hash"], "uq_workspace_invites_token_hash");
+    table.index(["workspace_id", "status"], "idx_workspace_invites_workspace_status");
+  });
+  await knex.schema.createTable("user_settings", (table) => {
+    table.integer("user_id").unsigned().primary().references("id").inTable("user_profiles").onDelete("CASCADE");
+    table.integer("last_active_workspace_id").unsigned().nullable().references("id").inTable("workspaces").onDelete("SET NULL");
+    table.string("theme", 32).notNullable().defaultTo("system");
+    table.string("locale", 24).notNullable().defaultTo("en");
+    table.string("time_zone", 64).notNullable().defaultTo("UTC");
+    table.string("date_format", 32).notNullable().defaultTo("yyyy-mm-dd");
+    table.string("number_format", 32).notNullable().defaultTo("1,234.56");
+    table.string("currency_code", 3).notNullable().defaultTo("USD");
+    table.integer("avatar_size").notNullable().defaultTo(64);
+    table.boolean("password_sign_in_enabled").notNullable().defaultTo(true);
+    table.boolean("password_setup_required").notNullable().defaultTo(false);
+    table.boolean("notify_product_updates").notNullable().defaultTo(true);
+    table.boolean("notify_account_activity").notNullable().defaultTo(true);
+    table.boolean("notify_security_alerts").notNullable().defaultTo(true);
+    table.timestamp("created_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    table.timestamp("updated_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+  });
+  await knex.schema.createTable("console_settings", (table) => {
+    table.integer("id").primary();
+    table.integer("owner_user_id").unsigned().nullable();
+    table.timestamp("created_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+    table.timestamp("updated_at", { useTz: false }).notNullable().defaultTo(knex.fn.now());
+  });
+  await knex("console_settings").insert({
+    id: 1,
+    created_at: knex.fn.now(),
+    updated_at: knex.fn.now()
+  });
+};
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.down = async function down(knex) {
+  await knex.schema.dropTableIfExists("console_settings");
+  await knex.schema.dropTableIfExists("user_settings");
+  await knex.schema.dropTableIfExists("workspace_invites");
+  await knex.schema.dropTableIfExists("workspace_settings");
+  await knex.schema.dropTableIfExists("workspace_memberships");
+  await knex.schema.dropTableIfExists("workspaces");
+  await knex.schema.dropTableIfExists("user_profiles");
+};

package/templates/migrations/users_core_profile_username.cjs ADDED Viewed

@@ -0,0 +1,98 @@
+// JSKIT_MIGRATION_ID: users-core-profile-username
+const USERNAME_MAX_LENGTH = 120;
+function normalizeUsername(value) {
+  return String(value || "")
+    .trim()
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, "-")
+    .replace(/^-+|-+$/g, "")
+    .slice(0, USERNAME_MAX_LENGTH);
+}
+function usernameBaseFromEmail(email) {
+  const normalizedEmail = String(email || "").trim().toLowerCase();
+  const localPart = normalizedEmail.includes("@") ? normalizedEmail.split("@")[0] : normalizedEmail;
+  const username = normalizeUsername(localPart);
+  return username || "user";
+}
+function buildUsernameCandidate(baseUsername, suffix) {
+  const normalizedBase = normalizeUsername(baseUsername) || "user";
+  if (suffix < 1) {
+    return normalizedBase;
+  }
+  const suffixText = `-${suffix + 1}`;
+  const allowedBaseLength = USERNAME_MAX_LENGTH - suffixText.length;
+  const trimmedBase = normalizedBase.slice(0, allowedBaseLength);
+  return `${trimmedBase}${suffixText}`;
+}
+function resolveUniqueUsername(baseUsername, usedUsernames) {
+  for (let suffix = 0; suffix < 1000; suffix += 1) {
+    const candidate = buildUsernameCandidate(baseUsername, suffix);
+    if (!usedUsernames.has(candidate)) {
+      return candidate;
+    }
+  }
+  throw new Error("Unable to generate unique username for migration.");
+}
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.up = async function up(knex) {
+  const hasUserProfilesTable = await knex.schema.hasTable("user_profiles");
+  if (!hasUserProfilesTable) {
+    return;
+  }
+  const hasUsername = await knex.schema.hasColumn("user_profiles", "username");
+  if (hasUsername) {
+    return;
+  }
+  await knex.schema.alterTable("user_profiles", (table) => {
+    table.string("username", USERNAME_MAX_LENGTH).nullable();
+  });
+  const profiles = await knex("user_profiles").select(["id", "email"]).orderBy("id", "asc");
+  const usedUsernames = new Set();
+  for (const profile of profiles) {
+    const nextUsername = resolveUniqueUsername(usernameBaseFromEmail(profile.email), usedUsernames);
+    usedUsernames.add(nextUsername);
+    await knex("user_profiles").where({ id: Number(profile.id) }).update({
+      username: nextUsername
+    });
+  }
+  await knex.schema.alterTable("user_profiles", (table) => {
+    table.string("username", USERNAME_MAX_LENGTH).notNullable().alter();
+  });
+  await knex.schema.alterTable("user_profiles", (table) => {
+    table.unique(["username"], "uq_user_profiles_username");
+  });
+};
+/**
+ * @param {import('knex').Knex} knex
+ */
+exports.down = async function down(knex) {
+  const hasUserProfilesTable = await knex.schema.hasTable("user_profiles");
+  if (!hasUserProfilesTable) {
+    return;
+  }
+  const hasUsername = await knex.schema.hasColumn("user_profiles", "username");
+  if (!hasUsername) {
+    return;
+  }
+  await knex.schema.alterTable("user_profiles", (table) => {
+    table.dropColumn("username");
+  });
+};

package/templates/packages/main/src/shared/resources/consoleSettingsFields.js ADDED Viewed

@@ -0,0 +1,11 @@
+// @jskit-contract users.settings-fields.console.v1
+// Append-only settings field registrations for console settings.
+import {
+  defineField,
+  resetConsoleSettingsFields
+} from "@jskit-ai/users-core/shared/resources/consoleSettingsFields";
+resetConsoleSettingsFields();
+void defineField;

package/templates/packages/main/src/shared/resources/userSettingsFields.js ADDED Viewed

@@ -0,0 +1,138 @@
+import { Type } from "typebox";
+import { normalizeLowerText, normalizeText } from "@jskit-ai/kernel/shared/actions/textNormalization";
+import { DEFAULT_USER_SETTINGS } from "@jskit-ai/users-core/shared/settings";
+import {
+  USER_SETTINGS_SECTIONS,
+  defineField,
+  resetUserSettingsFields
+} from "@jskit-ai/users-core/shared/resources/userSettingsFields";
+function normalizePositiveInteger(value, fallback) {
+  const numericValue = Number(value);
+  if (Number.isInteger(numericValue) && numericValue > 0) {
+    return numericValue;
+  }
+  return Number(fallback);
+}
+resetUserSettingsFields();
+defineField({
+  key: "theme",
+  section: USER_SETTINGS_SECTIONS.PREFERENCES,
+  dbColumn: "theme",
+  required: true,
+  inputSchema: Type.String({ minLength: 1, maxLength: 32 }),
+  outputSchema: Type.String({ minLength: 1, maxLength: 32 }),
+  normalizeInput: (value) => normalizeText(value),
+  normalizeOutput: (value) => normalizeText(value) || DEFAULT_USER_SETTINGS.theme,
+  resolveDefault: () => DEFAULT_USER_SETTINGS.theme
+});
+defineField({
+  key: "locale",
+  section: USER_SETTINGS_SECTIONS.PREFERENCES,
+  dbColumn: "locale",
+  required: true,
+  inputSchema: Type.String({ minLength: 1, maxLength: 24 }),
+  outputSchema: Type.String({ minLength: 1, maxLength: 24 }),
+  normalizeInput: (value) => normalizeLowerText(value),
+  normalizeOutput: (value) => normalizeLowerText(value) || DEFAULT_USER_SETTINGS.locale,
+  resolveDefault: () => DEFAULT_USER_SETTINGS.locale
+});
+defineField({
+  key: "timeZone",
+  section: USER_SETTINGS_SECTIONS.PREFERENCES,
+  dbColumn: "time_zone",
+  required: true,
+  inputSchema: Type.String({ minLength: 1, maxLength: 64 }),
+  outputSchema: Type.String({ minLength: 1, maxLength: 64 }),
+  normalizeInput: (value) => normalizeText(value),
+  normalizeOutput: (value) => normalizeText(value) || DEFAULT_USER_SETTINGS.timeZone,
+  resolveDefault: () => DEFAULT_USER_SETTINGS.timeZone
+});
+defineField({
+  key: "dateFormat",
+  section: USER_SETTINGS_SECTIONS.PREFERENCES,
+  dbColumn: "date_format",
+  required: true,
+  inputSchema: Type.String({ minLength: 1, maxLength: 32 }),
+  outputSchema: Type.String({ minLength: 1, maxLength: 32 }),
+  normalizeInput: (value) => normalizeText(value),
+  normalizeOutput: (value) => normalizeText(value) || DEFAULT_USER_SETTINGS.dateFormat,
+  resolveDefault: () => DEFAULT_USER_SETTINGS.dateFormat
+});
+defineField({
+  key: "numberFormat",
+  section: USER_SETTINGS_SECTIONS.PREFERENCES,
+  dbColumn: "number_format",
+  required: true,
+  inputSchema: Type.String({ minLength: 1, maxLength: 32 }),
+  outputSchema: Type.String({ minLength: 1, maxLength: 32 }),
+  normalizeInput: (value) => normalizeText(value),
+  normalizeOutput: (value) => normalizeText(value) || DEFAULT_USER_SETTINGS.numberFormat,
+  resolveDefault: () => DEFAULT_USER_SETTINGS.numberFormat
+});
+defineField({
+  key: "currencyCode",
+  section: USER_SETTINGS_SECTIONS.PREFERENCES,
+  dbColumn: "currency_code",
+  required: true,
+  inputSchema: Type.String({ minLength: 3, maxLength: 3, pattern: "^[A-Za-z]{3}$" }),
+  outputSchema: Type.String({ minLength: 3, maxLength: 3, pattern: "^[A-Z]{3}$" }),
+  normalizeInput: (value) => normalizeText(value).toUpperCase(),
+  normalizeOutput: (value) => normalizeText(value).toUpperCase() || DEFAULT_USER_SETTINGS.currencyCode,
+  resolveDefault: () => DEFAULT_USER_SETTINGS.currencyCode
+});
+defineField({
+  key: "avatarSize",
+  section: USER_SETTINGS_SECTIONS.PREFERENCES,
+  dbColumn: "avatar_size",
+  required: true,
+  inputSchema: Type.Integer({ minimum: 1 }),
+  outputSchema: Type.Integer({ minimum: 1 }),
+  normalizeInput: (value) => Number(value),
+  normalizeOutput: (value) => normalizePositiveInteger(value, DEFAULT_USER_SETTINGS.avatarSize),
+  resolveDefault: () => DEFAULT_USER_SETTINGS.avatarSize
+});
+defineField({
+  key: "productUpdates",
+  section: USER_SETTINGS_SECTIONS.NOTIFICATIONS,
+  dbColumn: "notify_product_updates",
+  required: true,
+  inputSchema: Type.Boolean(),
+  outputSchema: Type.Boolean(),
+  normalizeInput: (value) => value,
+  normalizeOutput: (value) => Boolean(value),
+  resolveDefault: () => DEFAULT_USER_SETTINGS.productUpdates
+});
+defineField({
+  key: "accountActivity",
+  section: USER_SETTINGS_SECTIONS.NOTIFICATIONS,
+  dbColumn: "notify_account_activity",
+  required: true,
+  inputSchema: Type.Boolean(),
+  outputSchema: Type.Boolean(),
+  normalizeInput: (value) => value,
+  normalizeOutput: (value) => Boolean(value),
+  resolveDefault: () => DEFAULT_USER_SETTINGS.accountActivity
+});
+defineField({
+  key: "securityAlerts",
+  section: USER_SETTINGS_SECTIONS.NOTIFICATIONS,
+  dbColumn: "notify_security_alerts",
+  required: true,
+  inputSchema: Type.Boolean(),
+  outputSchema: Type.Boolean(),
+  normalizeInput: (value) => value,
+  normalizeOutput: (value) => Boolean(value),
+  resolveDefault: () => DEFAULT_USER_SETTINGS.securityAlerts
+});

package/templates/packages/main/src/shared/resources/workspaceSettingsFields.js ADDED Viewed

@@ -0,0 +1,105 @@
+// @jskit-contract users.settings-fields.workspace.v1
+// Append-only settings field registrations for workspace settings.
+import { Type } from "typebox";
+import { normalizeText } from "@jskit-ai/kernel/shared/actions/textNormalization";
+import { coerceWorkspaceColor } from "@jskit-ai/users-core/shared/settings";
+import {
+  defineField,
+  resetWorkspaceSettingsFields
+} from "@jskit-ai/users-core/shared/resources/workspaceSettingsFields";
+function normalizeAvatarUrl(value) {
+  const avatarUrl = normalizeText(value);
+  if (!avatarUrl) {
+    return "";
+  }
+  if (!avatarUrl.startsWith("http://") && !avatarUrl.startsWith("https://")) {
+    return null;
+  }
+  try {
+    return new URL(avatarUrl).toString();
+  } catch {
+    return null;
+  }
+}
+function normalizeHexColor(value) {
+  const color = normalizeText(value);
+  return /^#[0-9A-Fa-f]{6}$/.test(color) ? color.toUpperCase() : null;
+}
+resetWorkspaceSettingsFields();
+defineField({
+  key: "name",
+  dbColumn: "name",
+  required: true,
+  inputSchema: Type.String({
+    minLength: 1,
+    maxLength: 160,
+    messages: {
+      required: "Workspace name is required.",
+      minLength: "Workspace name is required.",
+      maxLength: "Workspace name must be at most 160 characters.",
+      default: "Workspace name is required."
+    }
+  }),
+  outputSchema: Type.String({ minLength: 1, maxLength: 160 }),
+  normalizeInput: (value) => normalizeText(value),
+  normalizeOutput: (value) => normalizeText(value),
+  resolveDefault: ({ workspace = {} } = {}) => normalizeText(workspace.name) || "Workspace"
+});
+defineField({
+  key: "avatarUrl",
+  dbColumn: "avatar_url",
+  required: false,
+  inputSchema: Type.String({
+    pattern: "^(https?://.+)?$",
+    messages: {
+      pattern: "Workspace avatar URL must be a valid absolute URL (http:// or https://).",
+      default: "Workspace avatar URL must be a valid absolute URL (http:// or https://)."
+    }
+  }),
+  outputSchema: Type.String(),
+  normalizeInput: normalizeAvatarUrl,
+  normalizeOutput: (value) => normalizeText(value),
+  resolveDefault: ({ workspace = {} } = {}) => normalizeText(workspace.avatarUrl)
+});
+defineField({
+  key: "color",
+  dbColumn: "color",
+  required: true,
+  inputSchema: Type.String({
+    minLength: 7,
+    maxLength: 7,
+    pattern: "^#[0-9A-Fa-f]{6}$",
+    messages: {
+      required: "Workspace color is required.",
+      pattern: "Workspace color must be a hex color like #0F6B54.",
+      default: "Workspace color must be a hex color like #0F6B54."
+    }
+  }),
+  outputSchema: Type.String({ minLength: 7, maxLength: 7, pattern: "^#[0-9A-Fa-f]{6}$" }),
+  normalizeInput: normalizeHexColor,
+  normalizeOutput: (value) => coerceWorkspaceColor(value),
+  resolveDefault: ({ workspace = {} } = {}) => coerceWorkspaceColor(workspace.color)
+});
+defineField({
+  key: "invitesEnabled",
+  dbColumn: "invites_enabled",
+  required: true,
+  inputSchema: Type.Boolean({
+    messages: {
+      required: "invitesEnabled is required.",
+      default: "invitesEnabled must be a boolean."
+    }
+  }),
+  outputSchema: Type.Boolean(),
+  normalizeInput: (value) => value === true,
+  normalizeOutput: (value) => value !== false,
+  resolveDefault: ({ defaultInvitesEnabled } = {}) => defaultInvitesEnabled !== false
+});

package/test/authProfileSyncService.test.js ADDED Viewed

@@ -0,0 +1,119 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createService } from "../src/server/common/services/authProfileSyncService.js";
+test("authProfileSyncService.syncIdentityProfile uses shared transaction for profile upsert and provisioning", async () => {
+  const calls = [];
+  const transaction = { trxId: "tx-1" };
+  const service = createService({
+    userProfilesRepository: {
+      async findByIdentity(_identity, options = {}) {
+        calls.push({ step: "find", trx: options.trx || null });
+        return null;
+      },
+      async upsert(payload, options = {}) {
+        calls.push({ step: "upsert", trx: options.trx || null });
+        return {
+          id: 13,
+          authProvider: payload.authProvider,
+          authProviderUserId: payload.authProviderUserId,
+          email: payload.email,
+          displayName: payload.displayName
+        };
+      },
+      async withTransaction(work) {
+        calls.push({ step: "withTransaction", trx: transaction });
+        return work(transaction);
+      }
+    },
+    workspaceProvisioningService: {
+      async provisionWorkspaceForNewUser(_profile, options = {}) {
+        calls.push({ step: "provision", trx: options.trx || null });
+      }
+    }
+  });
+  const profile = await service.syncIdentityProfile({
+    authProvider: "supabase",
+    authProviderUserId: "abc-1",
+    email: "tony@example.com",
+    displayName: "Tony"
+  });
+  assert.equal(Number(profile.id), 13);
+  assert.equal(calls[0].step, "withTransaction");
+  assert.equal(calls[1].step, "find");
+  assert.equal(calls[2].step, "upsert");
+  assert.equal(calls[3].step, "provision");
+  assert.equal(calls[1].trx, transaction);
+  assert.equal(calls[2].trx, transaction);
+  assert.equal(calls[3].trx, transaction);
+});
+test("authProfileSyncService.syncIdentityProfile skips write path when profile is unchanged", async () => {
+  let upsertCalls = 0;
+  let provisionCalls = 0;
+  const service = createService({
+    userProfilesRepository: {
+      async findByIdentity() {
+        return {
+          id: 7,
+          authProvider: "supabase",
+          authProviderUserId: "abc-7",
+          email: "tony@example.com",
+          displayName: "Tony"
+        };
+      },
+      async upsert() {
+        upsertCalls += 1;
+        return null;
+      },
+      async withTransaction(work) {
+        return work({ trxId: "tx-2" });
+      }
+    },
+    workspaceProvisioningService: {
+      async provisionWorkspaceForNewUser() {
+        provisionCalls += 1;
+      }
+    }
+  });
+  const profile = await service.syncIdentityProfile({
+    authProvider: "supabase",
+    authProviderUserId: "abc-7",
+    email: "tony@example.com",
+    displayName: "Tony"
+  });
+  assert.equal(Number(profile.id), 7);
+  assert.equal(upsertCalls, 0);
+  assert.equal(provisionCalls, 0);
+});
+test("authProfileSyncService.findByIdentity normalizes provider identity input", async () => {
+  let capturedIdentity = null;
+  const service = createService({
+    userProfilesRepository: {
+      async findByIdentity(identity) {
+        capturedIdentity = identity;
+        return null;
+      },
+      async upsert() {
+        return null;
+      }
+    }
+  });
+  await service.findByIdentity({
+    authProvider: "  SUPABASE  ",
+    authProviderUserId: " user-1 "
+  });
+  assert.deepEqual(capturedIdentity, {
+    provider: "supabase",
+    providerUserId: "user-1"
+  });
+});