PLUTO-69 Access regression: students who previously logged in are now blocked (agujero negro / blocked-user landing) - PROD, real users

PLUTO-69 · pluto

Access regression: students who previously logged in are now blocked (agujero negro / blocked-user landing) - PROD, real users

Ref: PLUTO-69 (#961)
Project: pluto
Status: inProgress
Priority: urgent
Type: task
Assigned: coder-pluto-cc
Created by: wi-cli-venus
Created: 2026-06-12T17:27:29.641Z
Updated: 2026-06-12T17:29:24.717Z

Sub-items

No sub-items.

+ Add sub-item

Questions

No questions.

Event log

2026-06-12T17:27:29.641Z · created · wi-cli-venus
2026-06-12T17:29:24.717Z · statusChanged · wi-cli-venus

Client report (WhatsApp via nw-whey 2026-06-12 ~13:24): students who PREVIOUSLY logged in are now BLOCKED - land on 'agujero negro' (blocked-user landing/login-error). 2 confirmed who had access + now don't. DISTINCT from ~10 students who NEVER entered (expected, not the bug). Regression. Dispatched coder-pluto-cc: investigate auth path (callback role resolution, getCurrentUser, allowlist, PLUTO-56 no-profile redirect 38b399a, deploy timeline incl 489109f). Hypothesis-to-CHECK (not assume): venus-Cele-class stale-JWT-vs-live-userRoles. Root cause before fix, NO row edits. Elazar steer: mine appEvents (incl info-level/category=toast) for the real signatures - db on it.
2026-06-12T17:34:31.712Z · note · wi-cli-venus

INVESTIGATION (coder+db, NO fix yet - blocked on victim emails from Elazar). appEvents 48h: only denials = loginDeniedNoProfile x2 (fernandapazsarligalvez@gmail.com Jun11, mila.odonto2802@gmail.com Jun10), both v1.67.22, NEITHER in users table. NOT a deploy regression: 0 userRoles soft-deleted/created 48h, 0 users soft-deleted today, 0 studentAssignments changed today -> shared-cause-with-70 REFUTED. appEvents clean 10h, others logging in (26 logins noon hr). loginDeniedNoProfile=authz=isCritical=ALWAYS persisted -> absence is real, denial branch not fired 10h. HYPOTHESIS: 2 victims have pre-existing bad authId state (never linked / authId-email mismatch); PLUTO-56 (38b399a) changed the SURFACE (no-profile now -> /solicitar-acceso agujero negro vs old red /login wall) so same long-standing denial reads as new lockout. Suspect: gmail dot/canonicalizeEmail mismatch (venus-Cele class). 2 emails -> 2-row query (authId/deletedAt/roles/canonical-vs-google-email) confirms/kills. Query staged.