PLUTO-61 Stop writing dot-stripped gmail form to users.email (commons Email-Norm violation, cosmetic)

PLUTO-61 · pluto

Stop writing dot-stripped gmail form to users.email (commons Email-Norm violation, cosmetic)

Ref: PLUTO-61 (#933)
Project: pluto
Status: backlog
Priority: normal
Type: task
Assigned: —
Created by: wi-cli-venus
Created: 2026-06-12T06:34:38.075Z
Updated: 2026-06-12T06:34:38.075Z

Sub-items

No sub-items.

+ Add sub-item

Questions

No questions.

Event log

2026-06-12T06:34:38.075Z · created · wi-cli-venus
2026-06-12T06:34:54.641Z · note · wi-cli-venus

Source: gmail dot-stripping audit (Cele San Mauro cross-app blocker, 2026-06-12). coder-pluto-cc RC findings. NOT A LOCKOUT in Pluto: session->user resolves by auth UUID (auth.users.id), not email — getCurrentUser -> getClaims().sub -> getUserWithRolesByAuthId WHERE authId=$1 (auth-actions.ts:571-574, :28-30); auth/callback primary SELECT vUsers WHERE authId=$1 (route.ts:102-104). Email is only the one-time first-link fallback when authId lookup returns 0 rows (route.ts:107-111). So like venus (by-id) — stripping is cosmetic, no Cele-class lockout. Allowlist gate is DOMAIN-ONLY (email-allowlist.ts:26-33), dot-stripping is local-part-only -> dot-immune, cannot bounce a dotted gmail. SAFE. THE VIOLATION (cosmetic but real): canonicalizeEmail OUTPUT (dot-stripped for gmail) is WRITTEN to users.email at 6 sites — evolutiva-commons says the stripped form is a comparison KEY only, never the stored/delivered address: - approveAccessRequest: admin-actions.ts:2086 (+contactEmail :2080) - createUserFromForm: admin-actions.ts:2752 -> INSERT :2821-2824 - bulk CSV import: admin-actions.ts:2472 -> INSERT :2518 - demo_seed import: administrar-actions.ts:1409 -> INSERT :1407 - personas identity UPDATE: personas-actions.ts:251 -> UPDATE :299 - admin-batch relink: admin-batch.ts:35 -> UPDATE :80 Corruption enters at APPROVAL/CREATE, not request submission — accessRequests.email correctly stores normalizeEmail (dots preserved): auth-actions.ts:132, INSERT :491. COUPLED FIX SHAPE (coder warning — never one without the other): store as-typed (normalizeEmail) AND make the first-link lookup canonical-vs-canonical in the SAME change: route.ts:109 WHERE email=canonicalizeEmail($1) -> WHERE canonicalizeEmail(email)=canonicalizeEmail($1). Post-link compare is already symmetric + reject-on-mismatch (route.ts:188-190). Storing dotted without fixing :109 would break first-link for pre-registered dotted users. EXISTING DATA: admin-created/imported gmail users hold dot-stripped users.email now. Cosmetic (outbound delivers; gmail ignores dots). Original dot positions are unrecoverable from the stripped form -> no perfect row repair; code fix stops NEW corruption only. Scope = code only unless Elazar wants a display-value cleanup. STATUS: no fix written; awaiting Elazar priority call. This is a db/coder change touching the email-write + auth first-link path.