This document is for a release-verification or incident-response agent landing cold on the M021 email sign-up proof gap. After reading it, the agent should be able to rerun the S04 remediation verifier, decide whether live Supabase Auth sign-up proof exists, and update evidence without exposing credentials or overclaiming a skipped smoke run.
S04 has two separate proof levels:
Current status for the 2026-05-02 execution environment: live Supabase Auth signup proof is blocked/re-scoped/deferred because the explicit live-smoke opt-in, disposable test identity, disposable test password, and target URL env keys were not present. This is not a live signup pass. The deterministic regression remains the only validated proof level until an operator provisions live-smoke configuration.
Allowed evidence statuses:
| Status | Meaning | May claim live Supabase signup passed? |
|---|---|---|
deterministic-regression-passed |
The S03/S04 deterministic local regression passed without credentials. | No. |
live-blocked-rescoped |
Live smoke did not run because required opt-in env or safe disposable credentials were unavailable. | No. |
live-pass |
The opt-in live harness ran once, exited 0, and recorded only redacted identity/outcome fields. |
Yes. |
live-failed-redacted |
The opt-in live harness ran once and failed with a redacted phase, timeout, selector, or provider-safe diagnostic. | No. |
Run the S04 verifier from the repository root:
python3 scripts/verify_m021_s04_live_signup_remediation.py
The verifier always runs the deterministic M021 auth regression first. It then inspects live-smoke readiness by environment key name only. If live-smoke env is missing, it must print a skipped/no-live-success state and validate that tracked docs record a blocked or re-scoped live-proof outcome. If live-smoke env is configured, it runs the live harness once and fails on non-zero exit, timeout, selector drift, or unsafe secret-looking output.
Use this task-level guard when changing this remediation path:
web/python-web-app/venv/bin/pytest web/python-web-app/tests/test_m021_live_signup_remediation.py web/python-web-app/tests/test_m021_auth_signup_verification.py -q && python3 scripts/verify_m021_s04_live_signup_remediation.py
Only run the live harness when all required env is intentionally provisioned for a disposable test account and at least one public browser target surface:
SPEAKTRUE_M021_LIVE_SMOKE=1 SPEAKTRUE_M021_SIGNUP_EMAIL=<redacted-test-email> SPEAKTRUE_M021_SIGNUP_PASSWORD=<redacted-test-password> deno run -A scripts/live_m021_auth_signup_smoke.mjs
Required readiness:
SPEAKTRUE_M021_LIVE_SMOKE=1 is set.SPEAKTRUE_M021_SIGNUP_EMAIL contains a disposable test identity, never a personal or production account.SPEAKTRUE_M021_SIGNUP_PASSWORD contains a disposable password.SPEAKTRUE_M021_MARKETING_URL, SPEAKTRUE_M021_WEB_APP_URL, or both.Run at most one live attempt per configured surface. Do not add retry loops, because repeated sign-up attempts can create unmanaged Supabase Auth users or hit provider rate limits.
The live harness supports these target-surface configurations without untracked fixtures:
| Target env configured | Expected scope | Acceptable outcome |
|---|---|---|
SPEAKTRUE_M021_MARKETING_URL only |
Marketing create-account flow only. | Check-email confirmation or real session observed. |
SPEAKTRUE_M021_WEB_APP_URL only |
Strict web-app create-account gate only. | Check-email confirmation or real session observed. |
| Both target URLs | Marketing and strict web-app flows in one invocation. | Each configured surface reports check-email confirmation or real session observed. |
| No target URL or no opt-in/credential env | No live browser smoke. | live-blocked-rescoped; deterministic regression may still pass. |
A deterministic regression pass means the public browser contract still holds locally: the create-account branches use auth.signUp, sign-in still uses auth.signInWithPassword, Google OAuth remains available, and no server-side sign-up endpoint, service-role signup, admin API, custom auth-table write, redirect-only success, or raw provider output is introduced.
A live pass means the live harness actually ran with explicit env and reported check-email confirmation or real session observed for every configured surface with exit code 0.
A blocked/re-scoped result means live Supabase signup proof is not validated. It is a truthful operational status, not success. Validation may cite it only as a deferred live-proof item paired with deterministic regression evidence.
A live failure means the live harness ran and found a concrete operational problem. Record only the redacted phase, target-surface label, exit code, and sanitized diagnostic. Do not copy raw provider JSON, submitted passwords, full emails, access tokens, refresh tokens, service-role markers, client secrets, or private-key markers.
| Date | Status | Target surface | Command | Redacted identity | Observed outcome | Secret-safety result | Exit code | Notes |
|---|---|---|---|---|---|---|---|---|
| 2026-05-02 | live-blocked-rescoped |
Marketing and/or strict web-app | python3 scripts/verify_m021_s04_live_signup_remediation.py |
Not available | Deterministic regression can pass; live Supabase signup not validated because live-smoke env is absent. | No password, token, raw provider payload, full email, service-role marker, client secret, or private-key marker was recorded. | 0 for verifier blocked/re-scope path when regression/docs pass |
Missing live env is deferred to a provisioned operational smoke; do not claim live signup passed. |
<redacted-test-email> and <redacted-test-password> in commands.te***@disposable.test only after a real live run.