DUNIN7 · LOOMWORKS · RECORD
record.dunin7.com
Status Current
Path change-requests/loomworks-signin-email-conformance-cr-v0_1.html
LoomworksChange Requestv0.12026-06-12Landed

Sign-in Email Conformance

Bringing sign-in into line with seed v0.12: email never keys a user lookup. The engine's email-keyed challenge and the Operator Layer's optional email field are both removed; the WebAuthn discoverable-credential flow becomes the sole sign-in path.

Version   0.1
Date   2026-06-12
Status   Landed — engine 5d7b291 and Operator Layer becf598 built, tested, pushed. This CR records the change as one unit.
Render-type   Change request. Operator-facing — HTML primary, Markdown source alongside.
Source   Seed v0.12 (Authentication framework); recovery-completeness handoff (2026-06-12); sign-in-path inspection (2026-06-12).
Repos touched   loomworks-engine and loomworks (Operator Layer)

Plain-language summary

Seed v0.12 says sign-in must never use email to find a user. The system was still allowing it: the engine's sign-in challenge accepted an optional email and, when given one, looked the person up by email to narrow which passkeys the browser offered — a forbidden email-keyed lookup. The Operator Layer fed it through an optional email field on the sign-in form.

This change removes both. Sign-in now runs the WebAuthn discoverable-credential flow only: the browser offers every passkey registered for Loomworks, the operator picks one, and identity is resolved from the chosen credential — never from email. The sign-in form is now a single "Sign in with passkey" action with no email field. The engine already resolved identity by credential at the completion step, so nothing about who can sign in changes — only the forbidden lookup is gone.

The conformance target

Seed v0.12, Authentication framework — the two clauses this change brings the system into line with:

The discoverable-credential flow was already the default and was test-covered on both sides (verified read-only, 2026-06-12). This change makes it the only path.

What changed

Engine — 5d7b291 (email-keyed lookup removed, discoverable-only)

Operator Layer — becf598 (email field removed, passkey-only)

What this conforms — confirmed

No client can send email to /auth/login/begin. The Operator Layer sends an empty body; the engine request model carries no email field.

The engine no longer keys any lookup on email in the sign-in path. get_person_by_email is no longer called from sign-in; identity is resolved at completion by credential_id.

Verification

Standing note — vestigial state (retained deliberately)

Vestigial state left by email removal — get_person_by_email orphaned, db unused in begin_login, LoginBeginRequest now empty. All retained deliberately, not dead-by-accident, pending a separate cleanup decision.

Detail, so a later reader does not mistake any of these for an oversight:

These three are one separate cleanup decision, to be taken on their own.

Out of scope

The recovery-completeness work — second-passkey enrollment, recovery-code surfacing, operator-mediated recovery, and the Companion functional-spec §10.3 wording — is the separate item this change was sequenced ahead of. Not touched here.

Pre-existing typecheck errors in tests/components/tags/TagChipArea.test.tsx (a ProjectTag.project_id drift) predate this change and are unrelated to sign-in. Flagged, not fixed — their own decision.

DUNIN7 — Done In Seven LLC — Miami, Florida
Loomworks — Sign-in Email Conformance — Change Request — v0.1 — 2026-06-12