# Local Dev Auth Smoke

Use this standard when validating local/dev auth, admin, current-user, admin
panel, or cross-layer frontend/backend behavior.

## Default Policy

Local/dev auth smoke should be non-destructive by default.

Before using any reset/delete/seed command:

- check whether a local admin already exists in the configured local/dev
  database when database access is available.
- use local `.env` credential names for the configured local admin.
- log only whether required credential names are present; never print values.
- attempt login, current-user, admin-only API, and admin panel verification with
  the existing local admin.
- do not delete, demote, reset, or recreate the local admin only to run smoke.

Reset/seed scripts are recovery tools, not the default smoke path.

## Preferred Existing-Admin Smoke Path

1. Load `.env` and app-specific `.env` files without printing values.
2. Confirm required variable names are present, such as:
   - `DATABASE_URL`
   - `JWT_SECRET`
   - `LOCAL_DEV_ADMIN_EMAIL`
   - `LOCAL_DEV_ADMIN_PASSWORD`
3. If database access is available, check that the configured admin record
   exists, has admin role, and has a password hash.
4. Start the backend and frontend locally.
5. Log in with the configured local admin credentials.
6. Verify current-user returns the configured admin identity and role.
7. Verify an admin-only operation or admin panel path is accessible.
8. Stop local child processes and document cleanup.

The smoke output may say that variables are present, login succeeded, or an
admin-only operation passed. It must not print passwords, tokens, bootstrap
tokens, connection strings, or full `.env` contents.
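As an added example, not code from this standard or its project, the following Python sketch covers steps 1, 2 and 5-7 of the existing-admin path: it parses `.env` text in memory, reports only whether the required names are present, then logs in, checks current-user identity and role, and hits an admin-only route through an injected transport, refusing to return a log that contains any configured value or the session token. The route paths `/api/auth/login`, `/api/auth/me` and `/api/admin/users`, the response shapes, and `fake_http` are assumptions constructed for the example.

```python
from typing import Callable, Dict, List, Tuple

REQUIRED = ("DATABASE_URL", "JWT_SECRET", "LOCAL_DEV_ADMIN_EMAIL", "LOCAL_DEV_ADMIN_PASSWORD")

def parse_dotenv(text: str) -> Dict[str, str]:
    """Step 1: parse .env text into memory; values are never written to the log."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank lines and comments carry no variable
        key, _, value = line.partition("=")
        env[key.strip().removeprefix("export ").strip()] = value.strip().strip("'\"")
    return env

def presence_report(env: Dict[str, str]) -> List[str]:
    """Step 2: report only whether each required name is present, never its value."""
    return [f"{name}: {'present' if env.get(name) else 'MISSING'}" for name in REQUIRED]

# Hypothetical transport: http(method, path, json_body, bearer_token) -> (status, json)
def existing_admin_smoke(env: Dict[str, str], http: Callable[..., Tuple[int, dict]]) -> Tuple[bool, List[str]]:
    """Steps 5-7 with the configured admin; returns (passed, redacted log lines)."""
    log = presence_report(env)
    if any(line.endswith("MISSING") for line in log):
        return False, log + ["smoke aborted: required variable names missing"]
    email, password = env["LOCAL_DEV_ADMIN_EMAIL"], env["LOCAL_DEV_ADMIN_PASSWORD"]
    status, body = http("POST", "/api/auth/login", {"email": email, "password": password}, "")
    token = body.get("token", "")
    if status != 200 or not token:
        return False, log + [f"login failed: HTTP {status}"]  # status only, no credentials
    log.append("login succeeded")
    status, me = http("GET", "/api/auth/me", {}, token)  # assumed current-user route
    ok = status == 200 and me.get("email") == email and me.get("role") == "admin"
    log.append(f"current-user: {'ok' if ok else 'mismatch'} (HTTP {status})")
    if not ok:
        return False, log
    status, _ = http("GET", "/api/admin/users", {}, token)  # assumed admin-only route
    log.append(f"admin-only operation: {'passed' if status == 200 else 'failed'} (HTTP {status})")
    secrets = {v for v in env.values() if v} | {token}  # coarse output guard: no value may leak
    assert not any(s in line for line in log for s in secrets), "secret leaked into smoke log"
    return status == 200, log

def fake_http(method: str, path: str, body: dict, token: str) -> Tuple[int, dict]:
    """Constructed stand-in for the local backend so the smoke can run offline."""
    if path == "/api/auth/login":
        good = body == {"email": "admin@localhost", "password": "hunter2"}
        return (200, {"token": "tok-123"}) if good else (401, {})
    if token != "tok-123":
        return 401, {}
    return 200, ({"email": "admin@localhost", "role": "admin"} if path == "/api/auth/me" else {})
```

Against a real local backend, replace `fake_http` with a thin wrapper around your HTTP client that returns the same `(status, json)` shape.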

## Reset/Seed Use

Use guarded reset/seed commands only when one of these is true:

- no admin exists and bootstrap/seed setup is required for local/dev validation.
- the local admin credentials are explicitly known to be wrong or missing.
- a chunk specifically changes reset/seed/bootstrap behavior.
- the human explicitly asks for reset/seed behavior.

Reset/seed use must be local/dev-only, guarded, and documented. It must never
run against production or broad non-local data. It must not stage `.env`, local
database files, or runtime state.

## QA Expectations

QA should block or request a decision when:

- the existing-admin smoke path is skipped without explanation.
- a reset/delete script is used as the first choice for ordinary auth/admin
  smoke.
- credentials, tokens, connection strings, or `.env` values are printed.
- runtime smoke requires local database access but the database is unavailable
  and the chunk claims full runtime verification anyway.

QA may accept static/build/test evidence without runtime smoke only when the
runtime gap is explicit, the risk is bounded, and a human decision or follow-up
is recorded.
