Notechondria

Version: 0.1.29 Build Date: 2026-04-18T07:00

What's Changed

§1.7 migration: Backend.Creators.Auth (non-bind) + Backend.Creators.Settings

Every non-bind error path in backend/creators/api.py now emits the canonical "<consequence>: <module>/<process> \u2014 <cause>" shape documented in docs/AGENTS.md. The bind endpoints were already migrated in 0.1.26 and are untouched this round; their bind substring sentinel asserted by creators.tests.OAuthBindRejectionTests remains intact.

Migrated surfaces:

  • Backend.Creators.Auth/register.validate_username \u2014 duplicate username check.
  • Backend.Creators.Auth/register.validate_email \u2014 verified account exists for email.
  • Backend.Creators.Auth/register.validate_password \u2014 password complexity rule.
  • Backend.Creators.Auth/register.validate_invitation_code \u2014 invalid/expired invitation code (both serializer- and helper-level).
  • Backend.Creators.Auth/register.validate \u2014 invitation gate missing code.
  • Backend.Creators.Auth/verify \u2014 invalid/expired verification code, no pending account.
  • Backend.Creators.Auth/login \u2014 missing identifier, credential mismatch, account pending verification.
  • Backend.Creators.Auth/resend_verification \u2014 no account, already verified, 60-second cooldown.
  • Backend.Creators.Auth/password.reset.request \u2014 no account.
  • Backend.Creators.Auth/password.reset.confirm \u2014 invalid / expired / already-consumed reset code, no account.
  • Backend.Creators.Auth/password.change.validate \u2014 new-password complexity rule.
  • Backend.Creators.Auth/password.change \u2014 identity verification code + current-password mismatch branches, plus the success message (Password changed: ... session token rotated; previous sessions invalidated.).
  • Backend.Creators.Auth/email.change.request \u2014 new email already in use.
  • Backend.Creators.Auth/email.change.confirm \u2014 invalid verification code, email taken between request and confirm.
  • Backend.Creators.Auth/oauth.register.validate_invitation_code \u2014 helper used by _get_or_create_oauth_user.
  • Backend.Creators.Auth/oauth.google.validate \u2014 missing code + id_token in OAuth payload.
  • Backend.Creators.Settings/update.validate_username \u2014 username collision on profile update.
  • Backend.Creators.Settings/update.validate_email \u2014 email collision on profile update.
  • Backend.Creators.Settings/update.validate_api_base_url \u2014 malformed API base URL.

Each migrated message now carries:

  • Consequence: Registration rejected, Sign-in rejected, Email verification failed, Verification code not resent, Password not updated, Settings not saved, Password changed, Email change aborted, or OAuth request rejected.
  • Module / process: the stable Backend.Creators.* source listed above.
  • Cause: the specific validation / DB / external-service reason.

Files Changed

New

  • docs/versions/0.1.29.md (this file).

Modified

  • VERSION: 0.1.28 \u2192 0.1.29.
  • docs/TODO.md: \u00a71.7 migration checklist marks Backend.Creators.Auth (+ settings) done.
  • backend/creators/api.py: ~26 serializers.ValidationError(...) raises and 2 ChangePasswordApiView Response({"detail": ...}) branches rewritten. Success payload of ChangePasswordApiView.post also updated to carry the \u00a71.7 shape. Bind endpoints untouched.

Verification

  • DJANGO_SETTINGS_MODULE=notechondria.settings_test python manage.py test creators -v 1 \u2014 29 tests pass.
  • ... manage.py test creators notes \u2014 79 tests pass (includes the 50 from the 0.1.28 round).
  • Preserved sentinels in creators.tests:
    • bind (lowercase) still matches in public OAuth endpoint intent-rejection detail (the \u00a71.7 prefix for those endpoints was landed in 0.1.26 and already satisfies the assertion).
    • DRF field-level validators still serialize as {"username": [...]} / {"password": [...]} / etc. so tests checking field presence keep working.

Notes / follow-ups

  • Remaining \u00a71.7 rounds (tracked in docs/TODO.md): Backend.Mcp.Protocol + Backend.Gptutils (smaller), frontend Editor.Sync.*, Editor.LocalStore, Editor.UI cosmetic rounds, Planner.Sync.*, Planner.UI, Portal.Sync.*, Portal.UI, and Shared.AuthDialog.
  • Legacy _appendUiLog(String) in Flutter apps continues to route through the debug-log controller with an empty source for non-Auth call sites. These turn into - source rows in the debug card; they will be upgraded per-module in later rounds.