From b0e1a5448168090843d01b21bf69b0b95e00f7d0 Mon Sep 17 00:00:00 2001
From: saravanakumardb1 <saravanakumardb1@users.noreply.github.com>
Date: Thu, 12 Mar 2026 15:35:00 -0700
Subject: [PATCH] =?UTF-8?q?fix(auth):=20enterprise=20SSO=20bcrypt=20hash?=
 =?UTF-8?q?=20+=20upgrade=20cost=2010=E2=86=9212?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Enterprise SAML/OIDC callbacks used raw 'sso_xxx' string as passwordHash
  which would crash bcrypt.compare(). Now uses userRepo.hashPassword(randomUUID())
- Added updateLastLogin() for existing enterprise SSO users
- Upgraded bcrypt cost factor from 10 to 12 per PRD spec
- All 53 auth tests passing
---
 .windsurf/workflows/refresh-chat-history.md   | 27 +++++++++++--------
 .windsurf/workflows/repo_backup-and-push.md   |  2 +-
 .windsurf/workflows/repo_push-repos.md        |  4 +--
 .windsurf/workflows/repo_sync-repos.md        |  4 +--
 .windsurf/workflows/repos.txt                 |  4 +++
 .windsurf/workflows/run-code-review.md        |  6 ++++-
 .../src/modules/auth/enterprise/routes.ts     |  8 ++++--
 .../src/modules/auth/repository.ts            |  2 +-
 8 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/.windsurf/workflows/refresh-chat-history.md b/.windsurf/workflows/refresh-chat-history.md
index 8da42c43..37bacaca 100644
--- a/.windsurf/workflows/refresh-chat-history.md
+++ b/.windsurf/workflows/refresh-chat-history.md
@@ -7,18 +7,23 @@ description: Refresh the Windsurf chat history archive (re-scan all repos, updat
 Refreshes the centralized Windsurf chat history archive at `__LOCAL_LLMs/AI_IDE_CHAT_HISTORY/WINDSURF/`.
 Auto-discovers new repos, updates symlinks, and re-copies docs + workflows.
 
-## Covered Repos (All 8 workspaces)
+## Covered Repos (All 13 workspaces)
 
-| Repo                                | Product          | Workflows | Docs |
-| ----------------------------------- | ---------------- | --------- | ---- |
-| `learning_voice_ai_agent`           | LysnrAI          | ✅        | ✅   |
-| `learning_multimodal_memory_agents` | MindLyst         | ✅        | ✅   |
-| `learning_ai_clock`                 | ChronoMind       | ✅        | —    |
-| `learning_ai_peakpulse`             | PeakPulse        | ✅        | —    |
-| `learning_ai_fastgap`               | NomGap           | ✅        | —    |
-| `learning_ai_jarvis_jr`             | JarvisJr         | ✅        | —    |
-| `learning_ai_common_plat`           | Common Platform  | ✅        | —    |
-| `learning_agent_monitoring_fx`      | Agent Monitoring | ✅        | —    |
+| Repo                                | Product            | Workflows | Docs |
+| ----------------------------------- | ------------------ | --------- | ---- |
+| `learning_ai_common_plat`           | Common Platform    | ✅        | ✅   |
+| `learning_voice_ai_agent`           | LysnrAI            | ✅        | ✅   |
+| `learning_multimodal_memory_agents` | MindLyst           | ✅        | ✅   |
+| `learning_ai_clock`                 | ChronoMind         | ✅        | —    |
+| `learning_ai_fastgap`               | NomGap             | ✅        | —    |
+| `learning_ai_jarvis_jr`             | JarvisJr           | ✅        | —    |
+| `learning_ai_peakpulse`             | PeakPulse          | ✅        | —    |
+| `learning_ai_notes`                 | NoteLett           | ✅        | —    |
+| `learning_ai_flowmonk`              | FlowMonk           | ✅        | —    |
+| `learning_ai_trails`                | ActionTrail        | ✅        | —    |
+| `learning_ai_smart_auth`            | SmartAuth          | ✅        | —    |
+| `learning_ai_auth_app`              | ByteLyst Auth      | ✅        | —    |
+| `learning_ai_productivity_web`      | Productivity Tools | ✅        | —    |
 
 ## Steps
 
diff --git a/.windsurf/workflows/repo_backup-and-push.md b/.windsurf/workflows/repo_backup-and-push.md
index 0a27ca22..1b194198 100644
--- a/.windsurf/workflows/repo_backup-and-push.md
+++ b/.windsurf/workflows/repo_backup-and-push.md
@@ -30,7 +30,7 @@ echo "✨ All repos pushed!"
 ## What it does:
 
 1. **Backup** — creates timestamped backup branches, cleans up old ones (7 days), skips duplicates
-2. **Push** — pushes `main` to `origin/main` for all 7 repos
+2. **Push** — pushes `main` to `origin/main` for all 13 repos
 
 ## Repositories:
 
diff --git a/.windsurf/workflows/repo_push-repos.md b/.windsurf/workflows/repo_push-repos.md
index 175e3be0..2ebc559b 100644
--- a/.windsurf/workflows/repo_push-repos.md
+++ b/.windsurf/workflows/repo_push-repos.md
@@ -1,5 +1,5 @@
 ---
-description: Push local main branch to origin for all 7 workspace repos
+description: Push local main branch to origin for all 13 workspace repos
 ---
 
 # Push Repos
@@ -18,7 +18,7 @@ done < ~/code/mygh/learning_ai_common_plat/.windsurf/workflows/repos.txt
 
 ## What it does:
 
-1. Iterates over all 7 workspace repos
+1. Iterates over all 13 workspace repos
 2. Runs `git push origin main` in each
 3. Fails fast if a repo has diverged from remote (resolve with rebase manually)
 
diff --git a/.windsurf/workflows/repo_sync-repos.md b/.windsurf/workflows/repo_sync-repos.md
index 48d83120..13a40c67 100644
--- a/.windsurf/workflows/repo_sync-repos.md
+++ b/.windsurf/workflows/repo_sync-repos.md
@@ -1,5 +1,5 @@
 ---
-description: Pull latest from origin main across all 7 workspace repos
+description: Pull latest from origin main across all 13 workspace repos
 ---
 
 # Sync Repos
@@ -18,7 +18,7 @@ done < ~/code/mygh/learning_ai_common_plat/.windsurf/workflows/repos.txt
 
 ## What it does:
 
-1. Iterates over all 7 workspace repos
+1. Iterates over all 13 workspace repos
 2. Runs `git pull --ff-only origin main` in each
 3. Fails fast if there are local divergent commits (use `git pull --rebase` manually in that case)
 
diff --git a/.windsurf/workflows/repos.txt b/.windsurf/workflows/repos.txt
index 29293819..df66e8dc 100644
--- a/.windsurf/workflows/repos.txt
+++ b/.windsurf/workflows/repos.txt
@@ -11,3 +11,7 @@ learning_ai_jarvis_jr
 learning_ai_peakpulse
 learning_ai_notes
 learning_ai_flowmonk
+learning_ai_trails
+learning_ai_smart_auth
+learning_ai_auth_app
+learning_ai_productivity_web
diff --git a/.windsurf/workflows/run-code-review.md b/.windsurf/workflows/run-code-review.md
index 8b7db272..6631b2d3 100644
--- a/.windsurf/workflows/run-code-review.md
+++ b/.windsurf/workflows/run-code-review.md
@@ -45,6 +45,10 @@ All code across the ByteLyst workspace repos:
   - learning_ai_jarvis_jr (JarvisJr)
   - learning_ai_peakpulse (PeakPulse)
   - learning_ai_notes (NoteLett)
+  - learning_ai_trails (ActionTrail)
+  - learning_ai_smart_auth (SmartAuth)
+  - learning_ai_auth_app (ByteLyst Auth)
+  - learning_ai_productivity_web (Productivity Tools)
 
 ## Domain Context
 
@@ -52,7 +56,7 @@ This is a multi-product ecosystem with shared platform services. Key architectur
 
 - **Platform services** (Fastify 5, TypeScript ESM) provide auth, telemetry, feature flags, etc.
 - **Shared packages** (@bytelyst/\*) eliminate duplication across products
-- **Product backends** handle domain-specific logic (port 4010-4017)
+- **Product backends** handle domain-specific logic (port 4010-4018)
 - **Web apps** use Next.js 16 + React 19
 - **Mobile apps** use native platforms (SwiftUI, Jetpack Compose, React Native)
 
diff --git a/services/platform-service/src/modules/auth/enterprise/routes.ts b/services/platform-service/src/modules/auth/enterprise/routes.ts
index e62511bf..7e2db54c 100644
--- a/services/platform-service/src/modules/auth/enterprise/routes.ts
+++ b/services/platform-service/src/modules/auth/enterprise/routes.ts
@@ -199,7 +199,7 @@ export async function enterpriseRoutes(app: FastifyInstance) {
         id: `usr_${randomUUID()}`,
         productId: idp.productId,
         email,
-        passwordHash: `sso_${randomUUID()}`, // SSO-only — no password login
+        passwordHash: await userRepo.hashPassword(randomUUID()), // SSO-only — random bcrypt hash
         plan: 'free',
         role: 'user',
         displayName: samlData.attributes?.displayName ?? email.split('@')[0],
@@ -211,6 +211,8 @@ export async function enterpriseRoutes(app: FastifyInstance) {
         primaryProductId: idp.productId,
         memberships: [{ productId: idp.productId, plan: 'free', role: 'user', firstAccessAt: now }],
       });
+    } else {
+      await userRepo.updateLastLogin(user.id);
     }
 
     // Issue tokens
@@ -306,7 +308,7 @@ export async function enterpriseRoutes(app: FastifyInstance) {
         id: `usr_${randomUUID()}`,
         productId: idp.productId,
         email,
-        passwordHash: `sso_${randomUUID()}`,
+        passwordHash: await userRepo.hashPassword(randomUUID()), // SSO-only — random bcrypt hash
         plan: 'free',
         role: 'user',
         displayName: displayName ?? email.split('@')[0],
@@ -318,6 +320,8 @@ export async function enterpriseRoutes(app: FastifyInstance) {
         primaryProductId: idp.productId,
         memberships: [{ productId: idp.productId, plan: 'free', role: 'user', firstAccessAt: now }],
       });
+    } else {
+      await userRepo.updateLastLogin(user.id);
     }
 
     // Issue tokens
diff --git a/services/platform-service/src/modules/auth/repository.ts b/services/platform-service/src/modules/auth/repository.ts
index 21e378e9..db84027e 100644
--- a/services/platform-service/src/modules/auth/repository.ts
+++ b/services/platform-service/src/modules/auth/repository.ts
@@ -123,7 +123,7 @@ export async function remove(id: string): Promise<boolean> {
 }
 
 export async function hashPassword(password: string): Promise<string> {
-  return bcrypt.hash(password, 10);
+  return bcrypt.hash(password, 12);
 }
 
 export async function verifyPassword(password: string, hash: string): Promise<boolean> {