Session Log¶

Reverse-chronological log of work sessions on GPUS-IT infrastructure and forms portal. Latest session is always at the top.

2026-04-24 — Phase 2 forms backend LIVE¶

Commits 9511f5a and 8c1f018 pushed to main
forms-backend Cloud Run service deployed to revision 00027-sdv with Phase 2 stubs
Added forms API contract, frontend design spec, and Phase 2 deploy checklist to mkdocs portal
auth_v2 module shipped as additive layer alongside Phase 1 auth (no breakage)

Went with the cream theme over dark for the forms portal (matches Greenpeace brand warmth, better legibility for long-form intake)
Moss-green CTA buttons instead of standard Greenpeace campaign green (differentiates internal tooling from public-facing activism sites)
Fork submission flow into long-form vs short-form paths rather than a single adaptive form (cleaner validation, simpler per-path audit)
auth_v2 is an additive module — Phase 1 /api/forms* routes stay exactly as they are; Phase 2 gets its own namespace
Role derivation lives on the token, not in a DB lookup (keeps the hot path stateless)

Org-wide scope bug in gpus-okta-auth.js — fixed in commit 6cf8c5d
Canonical email mismatch: Okta profile returns .us but tokens carry .org — normalized in auth layer
Repo had an older Phase 2 scaffold that predated the v1 work — removed before layering in the new stubs

/health/phase2 returns 200 with build metadata
/api/me returns caller identity with derived roles
/api/config returns Phase 2 feature flags
/api/admin/forms gated correctly (admin-only)
Token-based role derivation confirmed for both submitter and admin roles
10 environment variables set on Cloud Run revision 00027-sdv (verified via gcloud run revisions describe)

Deploy forms-frontend Cloud Run service
Wire Phase 2 routes through to the Phase 1 data layer
SQLi tabletop + red/blue drill — this gates Phase 3 and must happen before any new write paths land