Migration 019 normalizes every \`created_by\` / \`updated_by\` FK from
\`NOT NULL REFERENCES users(id) ON DELETE RESTRICT\` to
\`NULL REFERENCES users(id) ON DELETE SET NULL\`. Affected tables:
collectives, collective_invitations, shopping_lists, shopping_items,
task_lists, tasks, notes (created_by + updated_by). Without this,
delete_account() would be blocked the first time the user creates any
content. Spec §6.3: content survives the user; the row is orphaned with
the FK set to NULL (UI shows "Deleted user" — to be polished later).
Migration 021 adds delete_account():
- two-step delete: public.users (fires the existing promote-oldest-
admin trigger from migration 002, then CASCADEs collective_members
and SET-NULLs content FKs), then auth.users (CASCADEs sync_conflicts
+ drops the GoTrue identity row + token rows)
- guard: errcode P0003 when the caller is the sole admin of a
collective where every other member is a guest (nobody promotable);
the user must promote someone manually first
- Keycloak is NOT touched (documented limitation in the UI body); the
user can re-register with the same email and will receive a fresh
UUID-distinct profile
Settings UI (already shipped with 10.1) wires the modal: explicit body
listing what is and isn't deleted; confirm button only enables when the
user types DELETE exactly. Post-success calls logout() so the Keycloak
SSO cookie is ended too.
pgTAP 013 (8 assertions): RPC exists, regular user delete + cascade +
content-orphan, sole-admin-with-promotable promotes, sole-admin-with-
only-guest blocked with P0003. Playwright DEL-01 covers the
type-the-word UI guard; full "delete + re-login fails" is left to
pgTAP because seeding ephemeral Keycloak accounts in E2E would
contaminate every downstream suite.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>