ONBOARDING BRIEF · AUTO-GENERATED · 2026-06-02

This is the brief your next hire opens on day one.

Not a wiki to maintain — a living document Blockd compiles per ticket, grounded in your real code and cited to the line. Below is an actual generated brief, untouched.

BOT-11 · GH #13

Audit-log viewer in the UI (currently only via SQL)

KNQuoc/blockd-onboard · main · TypeScript
readiness: blocked · Review · priority low

For: New Engineer
Manager: Maya Chen
Team: Blockd Onboard
Project: Blockd Onboard Backlog
Generated: 2026-06-02

01 · What you are joining

Welcome to Blockd Onboard. Your first backlog entry point is BOT-11 — a UI-oriented, backend-adjacent task that makes audit data visible without relying on direct SQL access. You’ll work in KNQuoc/blockd-onboard, a private TypeScript repo on the main branch.

Open these files first

6 files · crawled at main
  • AccessSettingsClient.tsx · 241–340 · client delete/bulk success paths, refresh, signed-in actor, declaration list entry
  • AccessSettingsClient.tsx · 481–580 · existing audit-log rendering for declaration rows
  • access-declarations.ts · 161–260 · Prisma declaration upsert/delete audit emission + descending query
  • verify-and-revoke.ts · 241–320 · revoke auth checks + pre-GitHub AccessProvisionAuditLog creation
  • approve-and-provision.ts · 161–203 · approval status transitions + provisioning handoff
  • scripts/access-declarations-smoke.ts · 81–180 · smoke path seeding managers + audit rows

02 · Audit-log data paths to understand

Keep two audit concepts separate. Access declarations write an AccessDeclarationAuditLog row on create, update and delete — queryable via listAuditLogs(companyId, projectName), ordered by time descending. Provision and revoke events write accessProvisionAuditLog rows; the revoke path writes a revoke_requested breadcrumb before any GitHub call.

03 · Local setup notes for this task

needs manager input

Use .env.example as the checklist — DATABASE_URL, AUTH_SECRET, AUTH_GITHUB_ID, AUTH_GITHUB_SECRET, AUTH_URL and LINEAR_API_KEY. The compose service postgres runs pgvector/pgvector:pg16 on 5432:5432. That matters here because the viewer depends on rows persisted through the Prisma-backed access flows, not mocked client state.

04 · Your first task on BOT-11

Trace the existing audit presentation in AccessSettingsClient.tsx — the “Audit log” section renders declaration edits only: action, target, actor email, timestamp. Then trace the server-side provision/revoke audit data. A good first slice: extend that surface with provision/revoke entries using the same company and project scoping as listAuditLogs(companyId, projectName).

Embedded access bundle

Derived from the ticket’s actual code paths

BOT-11 needs exactly one scope: write access to the repo it changes. Routed to the declared owner; if approval blocks the first task, escalate through Repo admins.

  • github:repo:knquoc/blockd-onboard · needed
    Owner · quocn@bgsu.edu · escalates to Repo admins

Status: not requested · no additional scopes in the access plan

05 · Decision context to confirm

needs manager input

The evidence package did not include a matched decision thread for BOT-11. Before you commit to table columns, filters, retention language, or who can see the viewer, confirm the desired behavior with your manager or the ticket owner. Use the code as the current contract — not as the product decision.

Failure modes to avoid

1. Query without companyId + project scoping
   Symptom — Audit rows from another company or project appear in the BOT-11 UI.
   Invariant — listAuditLogs(companyId, projectName) filters by company and, when present, project.

2. Move revoke audit creation after the GitHub call
   Symptom — Failed GitHub revocations with no revoke_requested breadcrumb.
   Invariant — The revoke path writes the audit row before external GitHub calls, so exceptions still leave a trace.

3. Mutating UI actions without a refresh
   Symptom — A stale audit section immediately after a declaration create or delete.
   Invariant — The client calls router.refresh() after successful writes so rendered rows reflect server state.
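
The first two invariants above, as an added TypeScript sketch (not code from the brief or from KNQuoc/blockd-onboard). An in-memory array stands in for the Prisma tables; `record`, `revokeAccess`, `removeFromGitHub` and the `revoke_completed` / `revoke_failed` action names are hypothetical.

```typescript
// Added illustration: in-memory stand-ins, not code from KNQuoc/blockd-onboard.
type AuditRow = {
  companyId: string;
  projectName: string | null;
  action: string;
  actorEmail: string;
  createdAt: number;
};

// Constructed sample rows (hypothetical companies, projects and actors).
const auditRows: AuditRow[] = [
  { companyId: "co-a", projectName: "onboard", action: "declaration_created", actorEmail: "a@example.test", createdAt: 1 },
  { companyId: "co-a", projectName: "billing", action: "declaration_deleted", actorEmail: "a@example.test", createdAt: 2 },
  { companyId: "co-b", projectName: "onboard", action: "declaration_created", actorEmail: "b@example.test", createdAt: 3 },
];
let clock = 3; // monotonic stand-in for a database timestamp

function record(companyId: string, projectName: string, action: string, actorEmail: string): void {
  auditRows.push({ companyId, projectName, action, actorEmail, createdAt: ++clock });
}

// Invariant 1: filter by company always, by project when one is given; newest first.
function listAuditLogs(companyId: string, projectName?: string): AuditRow[] {
  return auditRows
    .filter((r) => r.companyId === companyId)
    .filter((r) => projectName === undefined || r.projectName === projectName)
    .sort((x, y) => y.createdAt - x.createdAt);
}

// Invariant 2: write the revoke_requested breadcrumb BEFORE the external call,
// so an exception from GitHub still leaves a trace in the audit log.
// `removeFromGitHub` is a hypothetical stand-in for the real GitHub client call.
async function revokeAccess(
  companyId: string,
  projectName: string,
  actorEmail: string,
  removeFromGitHub: () => Promise<void>,
): Promise<"revoked" | "failed"> {
  record(companyId, projectName, "revoke_requested", actorEmail);
  try {
    await removeFromGitHub();
    record(companyId, projectName, "revoke_completed", actorEmail);
    return "revoked";
  } catch {
    record(companyId, projectName, "revoke_failed", actorEmail);
    return "failed";
  }
}
```
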

Prior work & same-file history

Prior-work search surfaced live code references rather than a reverted prior BOT-11 attempt. Start with AccessSettingsClient.tsx — it already contains an audit-log rendering pattern close to the requested viewer.

  • 54fe430 · V5.4-B5..B6: Access declarations UI + API + end-to-end smoke
  • 2ea808d · C-MR: Multi-repo support — bulk declare + batch approve
  • 0dc2669 · Auth-3: Migrate routes from X-Actor-Email to session()
  • c230dc9 · VD: Verify access + revoke access (decline detection + invite cleanup)

Why a manager signs off on this

The brief is only as good as its sources. So we bound it to them.

Cited to the line

Every claim links to a real file and line range. Footnotes, not paraphrase — the manager can open the source in one click.

Honest about gaps

Missing decision threads and setup blanks are flagged “needs manager input,” never hallucinated into confident prose.

Prior-work aware

Surfaces same-file history and previous attempts so the new hire builds on what exists instead of re-deriving it.

Access, embedded

The bundle is derived from the ticket’s code paths and routed to the declared owner — not a separate ticket to chase.

Give every hire this on day one.

Blockd turns any ticket into a cited brief and a one-click access bundle. Your institutional memory, mounted per hire.
