fix(users): store avatars as bytea in DB + login hydration & badge-403 polish

[ToddHebebrand]

What

Three fixes that came out of the v0.70 release-checklist testing pass, hardened by a multi-agent review round.

1. Avatar storage → DB bytea (the headline fix). POST /users/me/avatar 500'd with EACCES: permission denied, open '/data/avatars/….png.tmp' — the API runs as uid=1001(hono) but the api_data volume's /data/avatars is root:root 0755, so filesystem avatar storage (#1059) was broken in any deployment with that ownership, prod included. Avatars now live on the user's own row as avatar_data bytea + avatar_mime + avatar_updated_at (migration 2026-06-11-j): no volume dependency, works across replicas, and the existing dual-axis users RLS is the access boundary. statAvatar sizes via octet_length() so the conditional-GET 304 path never transfers the blob. The migration clears only dangling internal /api/v1/users/%/avatar URLs (external pre-upload-era URLs still resolve) and always logs the count.

2. React #418 hydration error on /login. cfAccessRedirectChecked was seeded from a typeof window helper — true on the server (renders the form), false on a clean client load (renders the placeholder) — so every login visit hydrated mismatched trees. Now a constant false with the skip decision inside the effect; a regression test asserts renderToString output is identical with and without window. The CF-config fetch that gates the form also gets a 4s AbortSignal.timeout so a hung request can't pin login behind an empty placeholder.

3. Per-page 403 console error. The sidebar fired GET /admin/account-deletion-requests/pending-count for every user, but the endpoint requires platform admin — so every page load logged a 403 for everyone (no platform admin exists in prod). /users/me and the login/MFA payloads now expose isPlatformAdmin, the store merges it on the preferences refresh (heals persisted pre-field sessions), and the sidebar hides the nav item + skips the badge fetch without it.

Review round (multi-agent, both commits)

The second commit addresses the findings: the critical one was that isPlatformAdmin initially only rode the /users/me response, which never reaches the store on password login — the gate would have hidden the nav from the exact users it serves. Also fixed there: schema/migration timestamptz drift, Sentry capture on the avatar write catch + soft-500 branches, invalid-avatar_mime detection (corruption no longer masquerades as "no avatar"), and stale filesystem-era comments.

Testing

• users.test.ts 53/53 — avatar I/O mocked behind an in-memory store with the real sniffing/ETag helpers kept live; new 304 conditional-GET and 500-path tests; vestigial db.update mocks removed
• New integration test avatar-bytea-roundtrip 3/3 against the real driver as breeze_app: byte-exact round-trip (all 256 byte values), octet_length sizing, RLS fail-closed across partners (the fix(api): partner-scoped custom fields fail RLS — 500 on "add custom field" #1257 class of gap mocked suites can't see)
• login.test.ts 4/4 incl. new payload regression tests; LoginPage.test.tsx 8/8 incl. the hydration-invariant test
• pnpm db:check-drift clean (237 files); web + api tsc clean
• Not yet done: live browser verify of the upload (needs the API image rebuilt from this branch — the running local container predates it)

🤖 Generated with Claude Code

[cloudflare-workers-and-pages]

Deploying breeze with    Cloudflare Pages

Latest commit:	ac49be1
Status:	✅  Deploy successful!
Preview URL:	https://61e6de85.breeze-9te.pages.dev
Branch Preview URL:	https://fix-avatar-db-storage-and-ui.breeze-9te.pages.dev

View logs