galaxy-game/user/docs/flows.md

# Main Flows and Boundaries

## Auth / Session -> User

`Auth / Session Service` uses synchronous REST calls for user ownership
decisions during public auth.

### Resolve by e-mail

`POST /api/v1/internal/user-resolutions/by-email`

Outcome vocabulary:

- `creatable`
- `existing`
- `blocked`

The decision is based on exact-after-trim e-mail matching plus the current
block state for that subject.

### Ensure by e-mail

`POST /api/v1/internal/users/ensure-by-email`

Rules:

- `registration_context` is required
- `registration_context` is create-only
- existing users ignore the supplied registration context
- blocked subjects return `blocked` rather than creating a user
- the current rollout sends temporary `preferred_language="en"` from
  authsession and forwards the public confirm `time_zone`

Create side effects:

- generate opaque `user_id`
- generate default `player-*` race name
- store initial preferred language and time zone
- materialize the initial free entitlement snapshot
- publish initialization-style profile, settings, and entitlement events

## Gateway -> User

Gateway owns the external authenticated gRPC contract and transcodes to this
service's internal REST API.

External authenticated message types:

- `user.account.get`
- `user.profile.update`
- `user.settings.update`

Internal REST routes:

- `GET /api/v1/internal/users/{user_id}/account`
- `POST /api/v1/internal/users/{user_id}/profile`
- `POST /api/v1/internal/users/{user_id}/settings`

Rules:

- gateway derives `user_id` from authenticated session context only
- success returns the shared account aggregate
- business errors return stable `code` and `message`
- timeout or upstream `503` stay transport-level unavailable at gateway

### Profile update

`UpdateMyProfile` changes only `race_name`.

Rules:

- preserve stored casing on success
- enforce canonical reservation uniqueness
- reject conflicts as `409 conflict`
- reject writes while `profile_update_block` is active
- return current aggregate on no-op rename

### Settings update

`UpdateMySettings` changes only:

- `preferred_language`
- `time_zone`

Rules:

- validate BCP 47 and IANA semantics
- reject writes while `profile_update_block` is active
- return the refreshed account aggregate

## Lobby -> User

`Game Lobby Service` reads one synchronous eligibility snapshot through:

- `GET /api/v1/internal/users/{user_id}/eligibility`

Rules:

- unknown users return `exists=false`
- current entitlement is expiry-repaired lazily
- active sanctions are filtered to the lobby-relevant set
- effective limits combine default catalog values plus active overrides
- markers are derived from sanctions, entitlement, and limits

## Geo -> User

`Geo Profile Service` synchronizes the latest approved effective declared
country through:

- `POST /api/v1/internal/users/{user_id}/declared-country/sync`

Rules:

- input must be uppercase ISO 3166-1 alpha-2
- syncing the stored value is a no-op
- `User Service` stores only the current effective value
- geo owns review workflow and history
- successful updates publish `user.declared_country.changed`

## Admin Reads And Commands

Trusted admin callers use:

- exact reads by `user_id`, e-mail, and race name
- deterministic filtered listing
- explicit entitlement commands
- explicit sanction commands
- explicit limit commands

Listing rules:

- order by `created_at desc`, then `user_id desc`
- combine filters with `AND`
- `page_token` is opaque and filter-bound

## Domain Events

The shared auxiliary event stream contains post-commit state propagation for:

- `user.profile.changed`
- `user.settings.changed`
- `user.entitlement.changed`
- `user.sanction.changed`
- `user.limit.changed`
- `user.declared_country.changed`

Operation vocabularies:

- profile and settings:
  - `initialized`
  - `updated`
- entitlement:
  - `initialized`
  - `granted`
  - `extended`
  - `revoked`
  - `expired_repaired`
- sanction:
  - `applied`
  - `removed`
- limit:
  - `set`
  - `removed`