← All stories

BRANCH · ef-047-check-in-notes

Check-In Notes

EF-047Persona: OrganizerRoots in: event-setup

Check-In Notes are partial: check_in_note is accepted on guest create and patch at workers/events/src/routes/guests.ts:48 and :987, but native check-in display is not proven. This story protects staff-only visibility, history, and length enforcement.

Preconditions

Organizer can edit a guest; staff check-in fixture can view the same guest; public guest confirmation fixture is available for absence checks.

Happy path / Lifecycle

  1. Open a guest note editor.

    Organizer sees the staff-only note field and current history context.

  2. Save a note.

    Patch writes check_in_note, updates staff check-in view, and hides the text from guest pages.

  3. Check native parity marker.

    Until native-app-shell is wired, the gap panel remains visible and testable.

Failure modes

Permission denied at the right boundary

Trigger: viewer/support attempts organizer-only operation.

Resolution: the write request returns 403, the editable surface remains closed or read-only, and the response does not leak hidden guest, event, or tenant fields.

Cross-tenant isolation

Trigger: tenant-A user guesses tenant-B resource id.

Resolution: the server returns 404 instead of 403, masks existence, and the UI renders a generic not-found state.

Soft-delete leaves audit trail

Trigger: organizer removes or deactivates the configured object.

Resolution: the row is marked inactive/deleted with actor, timestamp, and prior state preserved in audit.

Archive vs delete distinction

Trigger: organizer chooses between reversible archive and destructive delete.

Resolution: archive stays reversible and copy/export labels it archived; delete requires separate destructive confirmation and changes copy behavior.

Edit lock during publish

Trigger: publish snapshot begins while an edit is open.

Resolution: publish wins; stale save receives a deterministic conflict modal and does not mutate the published snapshot silently.

Audit log row written on every state change

Trigger: organizer saves any state transition.

Resolution: each state mutation writes an audit row with actor, timestamp, entity id, and before/after payload.

Two organizers concurrent

Trigger: two organizers edit the same state from stale versions.

Resolution: the second save gets conflict UI, both sessions refresh to the same final state, and there is no silent overwrite.

Undo window for destructive actions

Trigger: organizer deletes, cancels, or clears the object.

Resolution: a visible undo affordance lasts 10 seconds and restores the exact prior state when used.

Notes visible only to staff and organizers

Trigger: guest opens public confirmation while staff opens check-in profile.

Resolution: note is visible in staff/organizer check-in surfaces and absent from guest-facing pages and emails.

Edit history preserved

Trigger: organizer edits an existing check-in note.

Resolution: new note value saves while audit/history preserves previous text, actor, and timestamp.

Character limit enforced server-side and client-side

Trigger: organizer pastes text beyond note limit.

Resolution: client counter blocks/truncates before submit and server rejects oversized payloads with a validation error.

Parity gap: native check-in display deferred

Trigger: matrix says native check-in display is not proven.

Resolution: visible gap panel remains until native-app-shell check-in profile displays staff notes reliably.

Stable test attributes

Visibility teeth. Each attribute must be effectively visible when active and must match the agent probes.

data-testWherePurpose
check-in-notes-drawersurfacedrawer
check-in-notes-formsurfaceform
check-in-notes-note-inputsurfacenote input
check-in-notes-character-countersurfacecharacter counter
check-in-notes-save-ctasurfacesave cta
check-in-notes-staff-note-panelsurfacestaff note panel
check-in-notes-guest-note-panelsurfaceguest note panel
check-in-notes-archive-note-ctasurfacearchive note cta
check-in-notes-delete-note-ctasurfacedelete note cta
check-in-notes-undo-toastsurfaceundo toast
check-in-notes-conflict-modalsurfaceconflict modal
check-in-notes-validation-errorsurfacevalidation error
check-in-notes-gap-panelsurfacegap panel

Agent test plan

- check-in-notes-opens
- check-in-notes-saves
- check-in-notes-audit-visible
- permission-denied-boundary
- cross-tenant-404
- soft-delete-audit
- archive-delete-distinction
- publish-edit-lock
- audit-row-every-change
- concurrent-organizers-conflict
- destructive-undo-window
- staff-only-note-visibility
- edit-history-preserved
- character-limit-client-server
- native-display-gap-probe
- evaluate-check-in-notes