Repository:
- Add _lock to InMemoryMunicipalityProfileRepository; make duplicate-JCode
check + insert atomic in CreateAsync (TOCTOU fix) and wrap UpdateAsync
read-modify-write in lock (lost-update fix)
- Normalize JCode before passing to ILegacyLinkValidator so validation and
storage use the same form (was: raw input validated, ToUpperInvariant stored)
- UpdateAsync returns ProfileNotFound (new factory on MunicipalityProfileSaveResult)
so controller can distinguish 404 from 422
Controller:
- Null-guard post-save/update GetByIdAsync result instead of bang-deref
- Return 404 (not 422) when update target profile does not exist
- GET /api/municipalities/jurisdictions accepted as in-scope extension
Data access:
- FromJsonSeedFile: catch(Exception ex) with Console.Error.WriteLine;
DistinctBy(JCode) before projection to suppress duplicates in seed file
- 422 body shape mismatch: problem.error ?? 'Validation failed.' fallback
in createMunicipalityProfile and updateMunicipalityProfile
Frontend:
- Split Promise.all into independent profile + jurisdiction loads so a
jurisdiction failure does not suppress the profile table
- Add jurisdictionsLoadError state; disable "New" button and show warning
alert when jurisdictions are unavailable
Tests:
- Override ILegacyDataAccess in AuthIntegrationTestFactory with hardcoded
defaults, isolating integration tests from the development seed file
- Add wrong-role 403, jurisdiction endpoint 401, update-not-found 404,
and AC#3 audit assertion tests (create + update) to controller suite
- Add fetchAvailableJurisdictions contract tests (success + failure)
- Story 1.10 marked done; sprint-status synced
- wire legacy schema checks to live OleDb inspection and durable history
- harden schema baseline parsing and add constraint drift detection
- authenticate admin schema API calls from the client
- add release-gate workflow for legacy schema validation
- add extension-record save path with pre-save legacy link validation
- add link ambiguity detection, provider coverage reporting, and nightly integrity scheduler
- mark stories 1.7 and 1.8 done after review fixes

React StrictMode's double-invocation of useEffect caused the first run to
remove oidcStateStorageKey from sessionStorage before the async code exchange
began. The second run would see the missing state, throw, and display
"Authentication failed" — while the first run completed in the background
(storing tokens and replacing the URL), making a page refresh appear to work.

Introduces a module-scope Promise (pendingCallbackSequence) that covers the
full callback sequence: token exchange, session fetch, and URL navigation. The
second effect run shares the same Promise and awaits its result, so no re-
validation or re-fetching occurs, and only the non-cancelled run sets state.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
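
The StrictMode race and the shared-Promise fix described in the last commit message above, as an added example that is not the project's code. Only oidcStateStorageKey and pendingCallbackSequence are names from the message; the storage stand-in, function names and sample values are assumptions.

```javascript
// Added illustration, not the project's code. Only oidcStateStorageKey and
// pendingCallbackSequence come from the commit message; the rest is hypothetical.
const oidcStateStorageKey = "oidc_state"; // constructed value

// Minimal sessionStorage stand-in so the sketch runs outside a browser.
function makeStorage(initial) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, v),
    removeItem: (k) => void m.delete(k),
  };
}

// One callback sequence: consume the single-use state, validate it, exchange the code.
async function runCallbackSequence(storage, params, exchangeCode) {
  const expected = storage.getItem(oidcStateStorageKey);
  storage.removeItem(oidcStateStorageKey); // removed before the async exchange begins
  if (!expected || expected !== params.state) throw new Error("Authentication failed");
  const tokens = await exchangeCode(params.code);
  storage.setItem("tokens", JSON.stringify(tokens));
  return tokens;
}

// Module-scope Promise: a second effect run joins the sequence already in flight
// instead of re-validating state that the first run has already consumed.
let pendingCallbackSequence = null;
function handleCallbackShared(storage, params, exchangeCode) {
  if (!pendingCallbackSequence) {
    pendingCallbackSequence = runCallbackSequence(storage, params, exchangeCode);
  }
  return pendingCallbackSequence;
}

// Stands in for StrictMode running the effect body twice, back to back.
async function simulateDoubleInvoke(handler) {
  const storage = makeStorage({ [oidcStateStorageKey]: "abc123" }); // constructed state
  let exchanges = 0;
  const exchangeCode = async (code) => {
    exchanges += 1;
    return { access_token: "tok-" + code }; // constructed token
  };
  const params = { state: "abc123", code: "c1" };
  const runs = [1, 2].map(() => handler(storage, params, exchangeCode));
  const settled = await Promise.allSettled(runs);
  return { statuses: settled.map((r) => r.status), exchanges, shared: runs[0] === runs[1] };
}
```

Passing runCallbackSequence to simulateDoubleInvoke reproduces the failure (one run fulfilled, one rejected); passing handleCallbackShared gives two fulfilled runs from a single code exchange, with the state value still checked once and consumed.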