feat(web): Add auth account data foundation

[brayan]

Summary

• Implement the v1 Auth.js credentials foundation inside the Next.js server boundary.
• Add Drizzle/PostgreSQL account ownership, source/chunk, trace-reference, and pgvector migration foundations.
• Update portfolio evidence docs so auth, database, tests, failure cases, deployment, and cost assumptions match implementation status without claiming RAG/provider behavior.

Changes

• Add local sign-up/sign-in flow with scrypt password hashing, Auth.js route handlers, JWT credentials sessions, and current-account lookup.
• Persist a deterministic active_account_id for credentials users and verify that the selected account has a membership before returning session scope.
• Add fail-closed account scope helpers and account membership verification before returning account context.
• Add Drizzle config, PostgreSQL schema, and migrations for Auth.js tables, accounts/users/memberships, sources, source chunks with vector(1536), and LLM trace references.
• Enforce source/chunk account consistency with a composite (account_id, source_id) foreign key to sources(account_id, id).
• Add focused web tests for registration/login, duplicate user, invalid credentials, missing account scope, cross-account rejection, migration shape, active account persistence, and source/chunk account constraints.
• Update env examples, README/web guidance, web shard routing metadata, shared account identity types, and DB migration command wiring.

Diagram

flowchart TD
  Browser["Browser sign-up and sign-in forms"]
  RegisterRoute["POST /api/auth/register"]
  AuthRoute["/api/auth/[...nextauth]"]
  Credentials["server/auth credentials service"]
  Passwords["scrypt password hashing"]
  JwtSession["Auth.js JWT credentials session"]
  CurrentAccount["current account helper"]
  AccountGuard["fail-closed account scope checks"]
  Drizzle["Drizzle server/db schema"]
  AuthTables["users.active_account_id and auth_provider_accounts"]
  Ownership["accounts and account_memberships"]
  ProductTables["sources, source_chunks, llm_trace_refs"]
  Pgvector["PostgreSQL plus pgvector"]

  Browser --> RegisterRoute
  Browser --> AuthRoute
  RegisterRoute --> Credentials
  AuthRoute --> Credentials
  Credentials --> Passwords
  Credentials --> Drizzle
  Credentials --> JwtSession
  JwtSession --> CurrentAccount
  CurrentAccount --> AccountGuard
  AccountGuard --> ProductTables
  Drizzle --> AuthTables
  Drizzle --> Ownership
  Drizzle --> ProductTables
  AuthTables --> Pgvector
  Ownership --> Pgvector
  ProductTables --> Pgvector

Loading

Testing

• pnpm --filter @ancora/web lint
• pnpm --filter @ancora/web typecheck
• pnpm --filter @ancora/web test
• pnpm --filter @ancora/web exec drizzle-kit check --config drizzle.config.ts
• docker compose -f docker/docker-compose.yml config
• pnpm repo:test:fast
• pnpm repo:test:task
• pnpm repo:test:context
• rg -n "auth|account|session|cross-account|migration|Implemented|Planned" README.md docs

Notes

• Human review is required for auth/session behavior, account isolation, DB migrations, public API contracts, privacy behavior, and portfolio claims.
• Credentials sessions use JWTs because Auth.js credentials providers do not persist sessions through the adapter; provider-ready Auth.js tables are still included in the migration.
• The migrations were generated and checked, but not applied locally.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8b6d4e2b62

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2d088169ac

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Enforce account-scoped FKs for trace source references

llm_trace_refs stores an account_id but its source_id and source_chunk_id columns only reference global IDs, so an insert can point a trace row in account A at a source or chunk owned by account B while still satisfying both foreign keys. That breaks tenant isolation at the data layer and can leak cross-account lineage whenever account-scoped trace queries later join to sources/chunks; make these references account-scoped (for example with composite FKs including account_id) to enforce consistency.

Useful? React with 👍 / 👎.