Backend-Frontend Sync Analysis

Date: 2025-10-14 Status: 🔴 CRITICAL - Backend Rebuild Required Impact: Current deployed backend doesn't have new FDB models/repositories

---

🚨 Executive Summary

Critical Discovery

The backend pod has been running since October 9 (5d19h), but FDB models and repositories were created/modified on October 14. This means:

❌ Deployed backend DOES NOT have the new FDB code ❌ 2,860 lines of FDB models/repos are not in production ❌ Auth handlers using new repositories will fail ❌ Session handlers expect workspaceSession but use old Session model

Impact

• Backend API handlers reference FDB repositories that don't exist in the deployed code
• Login/Register will fail because UserRepository, TenantRepository, AuthSessionRepository don't exist in deployed version
• Session management will fail because handlers expect workspaceSession model
• No database persistence for new registrations/logins

Required Actions

1. Fix Code Mismatches (30 minutes)
2. Rebuild Backend Docker Image (5-10 minutes)
3. Deploy to GKE (5-10 minutes)
4. Test End-to-End (30 minutes)

Total Time: ~1.5 hours

---

📊 File Modification Analysis

Backend Files Modified Oct 14 (After Deployment)

Oct 14  backend/src/db/models.rs           (27 KB, 943 lines)
Oct 14  backend/src/db/repositories.rs     (57 KB, 1,917 lines)
Oct 14  backend/src/handlers/auth.rs       (390 lines)
Oct 14  backend/src/handlers/sessions.rs   (230 lines)
Oct 14  backend/src/main.rs                (117 lines)

Backend Files From Oct 7 (Deployed Version)

Oct 7   backend/src/db/mod.rs
Oct 7   backend/src/handlers/health.rs
Oct 7   backend/src/handlers/mod.rs
Oct 7   backend/src/middleware/auth_json.rs
Oct 7   backend/src/middleware/auth.rs
Oct 7   backend/src/middleware/mod.rs
Oct 7   backend/src/models/mod.rs
Oct 7   backend/src/models/response.rs
Oct 7   backend/src/services/mod.rs
Oct 7   backend/src/state.rs

Code Diff Summary

New Code (Oct 14):

• 10 FDB models (Tenant, User, AuthSession, workspaceSession, Conversation, Message, Audit, File, Agent, Setting)
• 11 FDB repositories with full CRUD operations
• Auth handlers (login, register, logout, refresh)
• Session handlers (create, get, list, delete)
• JWT Claims with session_id and token_family

Deployed Code (Oct 7):

• Basic health check endpoint
• JWT middleware skeleton
• No FDB integration
• No auth handlers
• No session handlers

---

🔍 Backend Code Analysis

1. Auth Handlers (backend/src/handlers/auth.rs)

What It Does:

• /api/v5/auth/register - Create user with Argon2 password hashing
• /api/v5/auth/login - Authenticate user and return JWT
• /api/v5/auth/logout - Logout (currently just returns success)
• /api/v5/auth/refresh - Token rotation using AuthSession

Dependencies:

• UserRepository::new() → backend/src/db/repositories.rs:UserRepository
• TenantRepository::new() → backend/src/db/repositories.rs:TenantRepository
• AuthSessionRepository::new() → backend/src/db/repositories.rs:AuthSessionRepository
• User::new() → backend/src/db/models.rs:User
• Tenant::new_self_tenant() → backend/src/db/models.rs:Tenant

JWT Claims Structure:

pub struct Claims {
    pub sub: String,           // user_id
    pub tenant_id: String,
    pub email: String,
    pub session_id: String,    // AuthSession ID
    pub token_family: String,  // Token family UUID
    pub exp: usize,
    pub iat: usize,
}

⚠️ ISSUE FOUND: Lines 128-134 (login) and 232-237 (register) create Claims without session_id and token_family fields, but the struct expects them (lines 52-59).

Fix Required:

// Line 128-134 should include:
use crate::db::models::AuthSession;
use crate::db::repositories::AuthSessionRepository;

let auth_session = AuthSession::new(
    user.user_id,
    user.primary_tenant_id,
    req_ip,  // Need to extract from request
    req_user_agent,  // Need to extract from request
);

let session_repo = AuthSessionRepository::new(app_state.db.clone());
session_repo.create(&auth_session).await?;

let claims = Claims {
    sub: user.user_id.to_string(),
    tenant_id: user.primary_tenant_id.to_string(),
    email: user.email.clone(),
    session_id: auth_session.session_id.to_string(),
    token_family: auth_session.token_family.to_string(),
    exp: (Utc::now() + Duration::hours(24)).timestamp() as usize,
    iat: Utc::now().timestamp() as usize,
};

---

2. Session Handlers (backend/src/handlers/sessions.rs)

What It Does:

• POST /api/v5/sessions - Create session
• GET /api/v5/sessions/{id} - Get session by ID
• GET /api/v5/sessions - List user sessions
• DELETE /api/v5/sessions/{id} - Delete session

Dependencies:

• SessionRepository::new() → Expects SessionRepository in repositories.rs
• Session::new() → Expects Session model in models.rs

⚠️ ISSUE FOUND: Handlers reference Session model but we implemented workspaceSession model.

Options:

1. Rename workspaceSession → Session (simplest)
2. Create Session model as alias to workspaceSession
3. Update handlers to use workspaceSession

Recommendation: Rename workspaceSession to Session in models.rs and workspaceSessionRepository to SessionRepository in repositories.rs. This matches handler expectations and is semantically correct (sessions ARE workspace sessions).

---

3. Main Entry Point (backend/src/main.rs)

What It Does:

• Initialize FDB connection with retry logic
• Create AppState with FDB database
• Register routes:
  • /api/v5/health
  • /api/v5/auth/login
  • /api/v5/auth/register
  • /api/v5/auth/logout
  • /api/v5/auth/refresh
  • /api/v5/sessions (POST, GET)
  • /api/v5/sessions/{id} (GET, DELETE)

✅ Looks Good: Main.rs properly imports handlers and sets up routes.

---

🔍 Frontend API Contract Analysis

Frontend Session Service (src/services/session-service.ts)

What It Expects:

// Session interface
interface Session {
  id: string
  tenant_id: string
  name: string
  type: 'workspace' | 'ai-studio' | 'theia'
  settings?: Record<string, any>
  created_at: string
  updated_at: string
}

// Endpoints
POST   /api/v5/sessions/create    // ⚠️ MISMATCH - Backend has /sessions
GET    /api/v5/sessions
GET    /api/v5/sessions/:id
PUT    /api/v5/sessions/:id       // ⚠️ MISSING - Backend doesn't have update
DELETE /api/v5/sessions/:id

// Response format
{ sessions: Session[] }  // List endpoint
{ session: Session }     // Single session endpoint

Backend Session Response:

pub struct SessionResponse {
    pub id: String,
    pub name: String,
    pub tenant_id: String,
    pub user_id: String,
    pub workspace_path: Option<String>,
    pub created_at: String,
    pub updated_at: String,
    pub last_accessed_at: String,
}

// Backend wraps with ApiResponse:
{ success: true, data: SessionResponse }      // Single
{ success: true, data: Vec<SessionResponse> } // List

Contract Mismatches

1. Endpoint Mismatch:

   • Frontend: POST /sessions/create
   • Backend: POST /sessions
   • Fix: Update frontend to use /sessions (line 98)

2. Response Format Mismatch:

   • Frontend expects: data.sessions and data.session
   • Backend returns: ApiResponse { success, data }
   • Fix: Update frontend to use data.data or data directly

3. Missing Fields:

   • Frontend expects: type field (workspace/ai-studio/theia)
   • Backend returns: No type field
   • Fix: Add type to SessionResponse or make frontend optional

4. Missing Endpoint:

   • Frontend: PUT /sessions/:id (update)
   • Backend: Not implemented
   • Fix: Add update handler or remove from frontend

5. Base URL Hardcoded:

   • Frontend: http://34.46.212.40/api/v5 (line 29)
   • Should be: /api/v5 (relative, works with NGINX proxy)
   • Fix: Change to relative URL

---

🔌 WebSocket Integration Analysis

NGINX WebSocket Configuration

theia WebSocket Routing (nginx-combined.conf):

# theia Backend at localhost:3000
location /theia/ {
    rewrite ^/theia/(.*) /$1 break;
    proxy_pass http://localhost:3000;
    proxy_http_version 1.1;

    # WebSocket support
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Timeouts for long-running operations
    proxy_read_timeout 86400;
    proxy_send_timeout 86400;
}

# Explicit WebSocket endpoint
location /theia/services {
    rewrite ^/theia/(.*) /$1 break;
    proxy_pass http://localhost:3000;
    proxy_http_version 1.1;

    # WebSocket headers
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # No timeouts for WebSocket
    proxy_read_timeout 0;
    proxy_send_timeout 0;
}

WebSocket Flow

Browser (V5 Frontend)
    ↓ ws://coditect.ai/theia/services
NGINX (coditect-combined pod)
    ↓ ws://localhost:3000/services (rewrite strips /theia)
theia Backend (localhost:3000)
    ↓ Opens PTY for terminal
Container OS terminal

terminal Session Persistence Requirements

Current State: WebSocket connection is ephemeral Required: Link WebSocket → AuthSession → workspaceSession → FDB

Implementation Needed:

1. WebSocket Authentication (backend/src/websocket/auth.rs):

   • Extract JWT from WebSocket upgrade request
   • Verify JWT and get user_id, tenant_id, session_id
   • Tag WebSocket connection with user context

2. terminal Session Tracking:

   • When terminal opens, create terminalState in workspaceSession
   • Save terminal state (cwd, history, env vars) to FDB
   • On reconnect, restore terminal state from FDB

3. theia IDE State Persistence:

   • Track open files in editorState
   • Save cursor positions, selections
   • Persist to workspaceSession in FDB
   • Restore on browser reload

---

🗄️ Session Persistence Flow Analysis

Current Flow (After Backend Rebuild)

1. USER REGISTRATION
   ↓
   POST /api/v5/auth/register
   ↓
   Backend creates:
   - User (with Argon2 password hash)
   - Tenant (self-tenant for user)
   - AuthSession (JWT token family)
   ↓
   FDB stores:
   /{tenant_id}/tenant
   /{tenant_id}/users/{user_id}
   /users/by_email/{email} → {user_id}
   /{tenant_id}/auth_sessions/{session_id}
   ↓
   Returns JWT with claims:
   {
     sub: user_id,
     tenant_id: tenant_id,
     email: email,
     session_id: auth_session_id,
     token_family: token_family_uuid,
     exp: timestamp
   }

2. USER LOGIN
   ↓
   Frontend: POST /api/v5/auth/login
   ↓
   Backend:
   - Verify email/password (Argon2)
   - Create AuthSession
   - Generate JWT with session info
   ↓
   Frontend stores JWT in authStore
   ↓
   Returns JWT token

3. CREATE WORKSPACE SESSION
   ↓
   Frontend: POST /api/v5/sessions
   Headers: Authorization: Bearer <JWT>
   Body: { name: "My Project", workspacePath: "/workspace/project1" }
   ↓
   Backend:
   - JWT middleware extracts claims
   - Verify user_id, tenant_id
   - Create workspaceSession with:
     * workspace_path
     * active_files: []
     * editor_state: default
     * terminal_state: default
     * conversation_id: null
     * session_memory: empty
   ↓
   FDB stores:
   /{tenant_id}/workspace_sessions/{session_id}
   /{tenant_id}/workspace_sessions_by_user/{user_id} → {session_id}
   /{tenant_id}/sessions_by_workspace/{workspace_path} → {session_id}
   ↓
   Returns SessionResponse

4. THEIA IDE LOADS
   ↓
   Frontend: theiaEmbed component renders
   URL: /theia/?token=<JWT>&sessionId=<session_id>
   ↓
   NGINX proxies to theia at localhost:3000
   ↓
   theia receives JWT and sessionId as query params
   ↓
   ⚠️ PROBLEM: theia doesn't validate JWT or link to session
   ↓
   theia opens terminal and editor

5. TERMINAL OPENS
   ↓
   WebSocket: ws://coditect.ai/theia/services
   ↓
   ⚠️ PROBLEM: No authentication on WebSocket
   ↓
   theia opens PTY in container
   ↓
   terminal state NOT saved to FDB

6. USER EDITS FILE
   ↓
   theia Monaco editor updates in memory
   ↓
   ⚠️ PROBLEM: File not saved to FDB
   ↓
   File only exists in container filesystem
   ↓
   Data lost on pod restart

Required Flow (What Needs to be Built)

1. THEIA IDE LOADS (Fixed)
   ↓
   Frontend: theiaEmbed passes JWT
   <iframe src="/theia/?token=<JWT>&sessionId=<session_id>" />
   ↓
   theia extension extracts JWT and sessionId
   ↓
   Validates JWT with backend
   ↓
   Loads workspaceSession from FDB
   ↓
   Restores:
   - Open files from active_files
   - Cursor positions from editor_state
   - terminal cwd/history from terminal_state
   - Conversation context from conversation_id

2. TERMINAL OPENS (Fixed)
   ↓
   WebSocket: ws://coditect.ai/theia/services?token=<JWT>
   ↓
   Backend WebSocket auth middleware:
   - Extract JWT from query param or header
   - Verify JWT signature
   - Get user_id, tenant_id, session_id from claims
   - Tag connection with user context
   ↓
   theia opens PTY with user context
   ↓
   terminal state tracked:
   - cwd: /workspace/project1/src
   - command_history: ["npm install", "npm run dev"]
   - environment_vars: { PATH: "..." }
   ↓
   Saved to FDB:
   /{tenant_id}/workspace_sessions/{session_id}
   Updates terminal_state field

3. USER EDITS FILE (Fixed)
   ↓
   theia file system provider (FDB-backed)
   ↓
   On file change:
   - Calculate SHA-256 checksum
   - Store file content in FDB
   /{tenant_id}/files/{file_id}
   /{tenant_id}/files_by_session/{session_id}
   /{tenant_id}/files_by_path/{workspace_path}/{file_path}
   ↓
   Also update workspaceSession:
   - Add to active_files
   - Update editor_state with cursor position
   ↓
   Saved to FDB:
   /{tenant_id}/workspace_sessions/{session_id}

4. BROWSER REFRESH (Fixed)
   ↓
   Frontend: Reload page
   ↓
   AuthStore restores JWT from localStorage
   ↓
   Frontend: GET /api/v5/sessions (list sessions)
   ↓
   User selects "My Project" session
   ↓
   theia loads with session_id
   ↓
   theia FDB file system provider:
   - Reads files from FDB
   /{tenant_id}/files_by_session/{session_id}
   ↓
   Restores workspaceSession:
   - Opens active_files
   - Sets cursor positions from editor_state
   - Restores terminal cwd from terminal_state
   ↓
   USER SEES EXACT STATE FROM BEFORE REFRESH

---

🔧 Required Code Fixes

1. Fix Auth Handler Claims (backend/src/handlers/auth.rs)

File: backend/src/handlers/auth.rs

Issue: Lines 128-134 (login) and 232-237 (register) create Claims without session_id and token_family

Fix:

// Add at top of login() function after line 114
use crate::db::models::AuthSession;
use crate::db::repositories::AuthSessionRepository;

// After password verification (line 114), add:
// Create AuthSession for JWT token family tracking
let ip_address = req
    .connection_info()
    .realip_remote_addr()
    .unwrap_or("unknown")
    .to_string();

let user_agent = req
    .headers()
    .get("User-Agent")
    .and_then(|v| v.to_str().ok())
    .unwrap_or("unknown")
    .to_string();

let auth_session = AuthSession::new(
    user.user_id,
    user.primary_tenant_id,
    ip_address,
    user_agent,
);

let session_repo = AuthSessionRepository::new(app_state.db.clone());
session_repo.create(&auth_session).await.map_err(|e| {
    log::error!("Failed to create auth session: {:?}", e);
    actix_web::error::ErrorInternalServerError("Session creation failed")
})?;

// Update Claims creation (replace lines 128-134)
let claims = Claims {
    sub: user.user_id.to_string(),
    tenant_id: user.primary_tenant_id.to_string(),
    email: user.email.clone(),
    session_id: auth_session.session_id.to_string(),
    token_family: auth_session.token_family.to_string(),
    exp: (Utc::now() + Duration::hours(24)).timestamp() as usize,
    iat: Utc::now().timestamp() as usize,
};

Same fix needed in register() function (lines 232-237)

---

2. Rename workspaceSession → Session

File: backend/src/db/models.rs

Find and replace:

// Change all occurrences
workspaceSession → Session
workspaceSessionMemory → SessionMemory

File: backend/src/db/repositories.rs

Find and replace:

workspaceSessionRepository → SessionRepository

Rationale: Handlers expect Session model, so renaming is simplest. Semantically correct since workspace sessions are the primary session type.

---

3. Fix Frontend Session Service

File: src/services/session-service.ts

Change line 29:

// OLD: Hardcoded IP
constructor(baseUrl: string = 'http://34.46.212.40/api/v5') {

// NEW: Relative URL (works with NGINX proxy)
constructor(baseUrl: string = '/api/v5') {

Change line 98:

// OLD: /sessions/create endpoint
const response = await fetch(`${this.baseUrl}/sessions/create`, {

// NEW: /sessions endpoint (matches backend)
const response = await fetch(`${this.baseUrl}/sessions`, {

Change line 64:

// OLD: Expects data.sessions
return data.sessions || []

// NEW: Backend returns ApiResponse { success, data: Vec<SessionResponse> }
return data.data || []

Change line 86:

// OLD: Expects data.session
return data.session

// NEW: Backend returns ApiResponse { success, data: SessionResponse }
return data.data

Change line 109:

// OLD: Expects data.session
return data.session

// NEW: Backend returns ApiResponse { success, data: SessionResponse }
return data.data

Change line 132:

// OLD: Expects data.session
return data.session

// NEW: Backend returns ApiResponse { success, data: SessionResponse }
return data.data

---

4. Add Missing Update Handler (Optional)

File: backend/src/handlers/sessions.rs

Add after delete_session() function:

#[put("/sessions/{session_id}")]
pub async fn update_session(
    req: HttpRequest,
    path: web::Path<String>,
    body: web::Json<Value>,
    app_state: web::Data<crate::state::AppState>,
) -> Result<HttpResponse> {
    use crate::db::repositories::SessionRepository;
    use crate::middleware::auth::extract_claims;
    use crate::models::response::ApiResponse;

    let claims = extract_claims(&req).ok_or_else(|| {
        actix_web::error::ErrorUnauthorized("Unauthorized")
    })?;

    let session_id = Uuid::parse_str(&path.into_inner()).map_err(|_| {
        actix_web::error::ErrorBadRequest("Invalid session ID")
    })?;

    let tenant_id = Uuid::parse_str(&claims.tenant_id).map_err(|_| {
        actix_web::error::ErrorBadRequest("Invalid tenant ID")
    })?;

    let session_repo = SessionRepository::new(app_state.db.clone());
    let mut session = match session_repo.get(session_id).await? {
        Some(s) if s.tenant_id == tenant_id => s,
        Some(_) => {
            return Ok(HttpResponse::Forbidden().json(ApiResponse::<()>::error(
                "FORBIDDEN".to_string(),
                "Access denied".to_string(),
            )));
        }
        None => {
            return Ok(HttpResponse::NotFound().json(ApiResponse::<()>::error(
                "NOT_FOUND".to_string(),
                "Session not found".to_string(),
            )));
        }
    };

    // Update fields from request body
    if let Some(name) = body.get("name").and_then(|v| v.as_str()) {
        session.name = name.to_string();
    }
    if let Some(workspace_path) = body.get("workspacePath").and_then(|v| v.as_str()) {
        session.workspace_path = Some(workspace_path.to_string());
    }

    session_repo.update(&session).await.map_err(|e| {
        log::error!("Failed to update session: {:?}", e);
        actix_web::error::ErrorInternalServerError("Failed to update session")
    })?;

    let response = SessionResponse {
        id: session.session_id.to_string(),
        name: session.name,
        tenant_id: session.tenant_id.to_string(),
        user_id: session.user_id.to_string(),
        workspace_path: session.workspace_path,
        created_at: session.created_at.to_rfc3339(),
        updated_at: session.updated_at.to_rfc3339(),
        last_accessed_at: session.last_accessed_at.to_rfc3339(),
    };

    Ok(HttpResponse::Ok().json(ApiResponse::success(response)))
}

Update main.rs (line 103):

.service(handlers::sessions::update_session)

---

🔨 Rebuild and Deploy Plan

Prerequisites

1. Fix Code Issues (30 minutes):
   • Fix Auth handler Claims (auth.rs)
   • Rename workspaceSession → Session (models.rs, repositories.rs)
   • Fix frontend session service (session-service.ts)
   • (Optional) Add update handler (sessions.rs, main.rs)

Build Steps

2. Build Backend Docker Image (5-10 minutes):

cd /home/hal/v4/PROJECTS/t2

# Build with timestamp tag
docker build -t gcr.io/serene-voltage-464305-n2/coditect-api-v5:oct14-v2 \
  -f backend/Dockerfile backend/

# Also tag as latest
docker tag gcr.io/serene-voltage-464305-n2/coditect-api-v5:oct14-v2 \
  gcr.io/serene-voltage-464305-n2/coditect-api-v5:latest

# Push to GCR
docker push gcr.io/serene-voltage-464305-n2/coditect-api-v5:oct14-v2
docker push gcr.io/serene-voltage-464305-n2/coditect-api-v5:latest

3. Deploy to GKE (5-10 minutes):

# Update deployment to use new image
kubectl set image deployment/coditect-api-v5 \
  coditect-api-v5=gcr.io/serene-voltage-464305-n2/coditect-api-v5:oct14-v2 \
  -n coditect-app

# Watch rollout
kubectl rollout status deployment/coditect-api-v5 -n coditect-app

# Verify new pod is running
kubectl get pods -n coditect-app -l app=coditect-api-v5

4. Verify Deployment (10 minutes):

# Get pod name
POD=$(kubectl get pods -n coditect-app -l app=coditect-api-v5 -o jsonpath='{.items[0].metadata.name}')

# Check logs for FDB connection
kubectl logs -n coditect-app $POD --tail=50

# Test health endpoint
kubectl exec -n coditect-app $POD -- curl http://localhost:8080/api/v5/health

# Check new routes are registered
kubectl logs -n coditect-app $POD | grep "Starting Coditect V5 API"

5. Test End-to-End (30 minutes):

# 1. Test registration
curl -X POST https://coditect.ai/api/v5/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "email": "test@example.com",
    "password": "testpass123",
    "firstName": "Test",
    "lastName": "User"
  }'

# Expected: { success: true, data: { token: "...", user: {...} } }

# 2. Test login
curl -X POST https://coditect.ai/api/v5/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "test@example.com",
    "password": "testpass123"
  }'

# Expected: { success: true, data: { token: "...", user: {...} } }
# Save JWT token from response

# 3. Test session creation
curl -X POST https://coditect.ai/api/v5/sessions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <JWT_TOKEN>" \
  -d '{
    "name": "Test Project",
    "workspacePath": "/workspace/test-project"
  }'

# Expected: { success: true, data: { id: "...", name: "Test Project", ... } }

# 4. Test session list
curl -X GET https://coditect.ai/api/v5/sessions \
  -H "Authorization: Bearer <JWT_TOKEN>"

# Expected: { success: true, data: [ {...}, ... ] }

# 5. Verify data in FDB
kubectl exec -n coditect-app foundationdb-0 -- \
  fdbcli --exec "getrangekeys tenants/'' tenants/\xff 20"

# Should see tenant, user, session records

6. Frontend Testing (10 minutes):

# Rebuild frontend with fixes
cd /home/hal/v4/PROJECTS/t2
npm run build

# Test in browser
# 1. Visit https://coditect.ai
# 2. Click "Register" and create account
# 3. Login with new account
# 4. Create session from Sessions page
# 5. Verify session appears in list
# 6. Reload page and verify session persists

---

📊 Testing Checklist

Backend API Tests

• Health Check: GET /api/v5/health returns 200
• Registration: POST /auth/register creates user in FDB
• Login: POST /auth/login returns JWT with session_id
• Session Create: POST /sessions creates workspaceSession in FDB
• Session List: GET /sessions returns user sessions
• Session Get: GET /sessions/:id returns specific session
• Session Delete: DELETE /sessions/:id removes session
• Auth Middleware: Requests without JWT return 401
• Tenant Isolation: User can't access other tenant's sessions

FDB Data Persistence Tests

• User Persistence: User record in FDB after registration
• Tenant Persistence: Self-tenant created for new user
• Session Persistence: workspaceSession saved to FDB
• Email Index: User findable by email
• Session Index: Sessions findable by tenant_id and user_id
• Data Survives Restart: Pod restart doesn't lose data

Frontend Integration Tests

• Registration Flow: Frontend → Backend → FDB → JWT returned
• Login Flow: Frontend → Backend → JWT with session_id
• Session Creation: Frontend creates session via API
• Session Display: Sessions list shows created sessions
• JWT Refresh: Token refresh works (not yet implemented)
• Logout: Logout invalidates session (not yet implemented)

WebSocket Tests (Phase 2 - After Auth Fix)

• theia Loads: theia iframe loads with JWT
• terminal Opens: terminal WebSocket connects
• Auth Validation: WebSocket validates JWT
• terminal Persistence: terminal state saved to FDB
• File Persistence: Files saved to FDB (Phase 3)

---

🎯 Success Criteria

Minimum Viable (Phase 1 - This Rebuild)

1. ✅ Backend deploys with new FDB code
2. ✅ User can register account
3. ✅ User can login and receive JWT
4. ✅ JWT contains session_id and token_family
5. ✅ User can create workspace session
6. ✅ Sessions persist in FDB
7. ✅ User can list and retrieve sessions
8. ✅ Frontend session service works with backend

Enhanced (Phase 2 - Next Task)

1. ⏳ WebSocket authentication with JWT
2. ⏳ terminal state persists to FDB
3. ⏳ theia validates JWT on load
4. ⏳ workspaceSession restores on browser refresh

Full MVP (Phase 3 - Future)

1. ⏳ Files saved to FDB via theia extension
2. ⏳ editor state (cursor, tabs) persists
3. ⏳ Per-user workspace pods
4. ⏳ Resource isolation

---

📁 Files to Modify

Must Fix Before Rebuild

1. backend/src/handlers/auth.rs (lines 128-134, 232-237)

   • Add AuthSession creation
   • Fix Claims to include session_id and token_family

2. backend/src/db/models.rs (find/replace)

   • Rename workspaceSession → Session
   • Rename workspaceSessionMemory → SessionMemory

3. backend/src/db/repositories.rs (find/replace)

   • Rename workspaceSessionRepository → SessionRepository

4. src/services/session-service.ts (lines 29, 64, 86, 98, 109, 132)

   • Fix baseUrl to /api/v5
   • Fix endpoint from /sessions/create to /sessions
   • Fix response access from data.sessions to data.data

Optional (Can Do Later)

5. backend/src/handlers/sessions.rs

   • Add update_session() handler

6. backend/src/main.rs (line 103)

   • Register update handler

---

🚀 Timeline

Code Fixes: 30 minutes Backend Build: 5-10 minutes Deploy to GKE: 5-10 minutes Verification: 10 minutes End-to-End Testing: 30 minutes

Total: ~1.5 hours

---

📝 Next Steps After Rebuild

1. ✅ Verify Backend Deployment (Task 1) - COMPLETE
2. ✅ Fix FDB Storage Engine (Task 2) - ALREADY COMPLETE
3. ⏳ Fix Code Mismatches (This document) - 30 minutes
4. ⏳ Rebuild and Deploy Backend (This document) - 20 minutes
5. ⏳ Test End-to-End (This document) - 30 minutes
6. ⏳ Implement WebSocket Auth (Task 4) - 1-2 days
7. ⏳ Implement FDB File System (Task 5) - 2-3 days

---

🔗 Related Documents

• Deployment Status: deployment-status-2025-10-14.md
• Critical Path: mvp-critical-path-2025-10-14.md
• Implementation Guide: docs/reference/tasklist-full-integration.md
• FDB Checklist: docs/reference/fdb-models-implementation-checklist.md

---

Generated: 2025-10-14 14:15 UTC Status: 🔴 READY FOR CODE FIXES Next Action: Fix code mismatches, then rebuild backend Estimated Time: 1.5 hours to production-ready backend