Session log — 2026-04-17 — Atlas staging provisioning

Scope

Provision a staging MongoDB Atlas environment with narrow-scoped users per Issue #56, in parallel with the AWS-migration session (Issue #47). Execute under the constraint that no change is made to the production Atlas project, its cluster, or its users.

Actor

Human: Taha Abbasi.
Agent: Claude Opus 4.7 (1M context), running in Claude Code CLI.

Tickets

Implements Issue #56 (staging portion only). Prod rollout deferred.
Unblocks Issue #47 (AWS migration) staging-Mongo target.

ADRs created this session

External systems touched

MongoDB Atlas

Org 69dc20c64005b222804daf75.
New project: askflorence-staging (ID 69e31af12fd2c0aef51bbb41).
New M0 cluster: askflorence-staging in AWS US_EAST_1, MongoDB 8.0.21. Host askflorence-staging.efsikmv.mongodb.net.
Access list: one entry, Taha's laptop IP 136.38.212.186/32. No 0.0.0.0/0.
Custom roles created: role_writer_survey, role_writer_plans, role_writer_agents, role_admin_agents, role_audit_reader. Full JSON in runbook.
Database users created: six — app_read_staging, app_writer_survey, app_writer_plans, app_writer_agents, app_admin_agents, audit_reader.
Temporary user created and deleted same session: tmp_restore_admin (atlasAdmin), used only for mongorestore of the seeded snapshot.
Prod project (AskFlorence, 69dc20c64005b222804dafa4) — untouched. Read-only mongodump executed through the existing app-read credential. No writes, no user changes, no allowlist changes.

Local filesystem

.env.staging.local written (mode 600, gitignored).
docs/briefs/SESSION_BRIEF_2026-04-17_atlas.md written (handoff artifact for AWS session, no secrets).
/docs tree extended: three ADRs, one runbook, this session log, four compliance-mapping skeletons.

Code

No application code changes. src/lib/db.ts, src/lib/agent-db.ts, scripts/audit/lib/db-helpers.js, scripts/db/*.js, and all API routes are unchanged.
.env.example updated with five placeholder keys for the narrow-scoped users.

Data replication

mongodump of prod's askflorence DB (dataSize 231 MB, 35,056 docs across 6 collections) → mongorestore into staging's askflorence DB. Post-restore verification confirmed identical counts per collection: plans=4326, zip_county=30338, regions=357, plan_years=31, agent_survey_responses=4, audit_log=0.

No PHI, no agent/member records. All collections are public or plan-pipeline. BAA not required on staging.

Verification

12 probes run via mongosh. All passed.

Positive (expected to succeed)

User	Probe	Result
`app_read_staging`	`db.plans.findOne()`, `db.zip_county.findOne()`	OK
`app_writer_survey`	insert + delete on `agent_survey_responses`	OK
`app_writer_plans`	read `plans`, `plan_years`	OK
`app_writer_agents`	insert into `agent_audit_log`	OK (append-only)
`app_admin_agents`	insert + delete on `admins`	OK
`audit_reader`	read `agent_audit_log`	OK

Negative (expected to be denied)

User	Probe	Result
`app_writer_survey`	read `plans`	`not allowed to do action [find]` — denied as expected
`app_writer_agents`	update `agent_audit_log`	`not allowed to do action [update]` — denied, append-only holds
`app_writer_agents`	read `admins`	`not allowed to do action [find]` — denied, no horizontal escalation
`audit_reader`	insert into `agent_audit_log`	denied — readonly confirmed
`app_admin_agents`	update `agent_audit_log`	denied, append-only holds even for admin role
`app_read_staging`	insert into `plans`	denied — readonly confirmed

Deviations from the plan

Atlas CLI session was expired at session start. Required a one-time interactive atlas auth login from the user; automation continued uninterrupted after. Captured for future runbook use.
mongodump/mongorestore not installed. Installed mongodb-database-tools 100.16.0 via brew. No deviation from the design.
Custom-role inheritance rejected — role_admin_agents was originally designed to use --inheritedRole role_writer_agents@askflorence. Atlas returned ATLAS_INVALID_CUSTOM_ROLE_INHERITED_SCOPE. Resolved by enumerating privileges explicitly. Documented in runbook.
Custom-role-to-user assignment syntax — initially attempted role@askflorence; Atlas rejected with UNSUPPORTED_ROLE: Custom role X must scoped to admin database. Resolved by assigning as role@admin (the role's privileges still target askflorence.*). Documented in runbook.
No deviations from role scope or security design.

Deferred / not done

Prod rollout. Same six users + five roles are not yet created on the AskFlorence prod project. That ships in a later session, sequenced after AWS staging + AWS prod are both verified. Runbook is reusable for that session.
Retiring app-write. Still exists on prod. That's the Issue #56 production exit criterion; happens in the same later session.
Code migration. scripts/db/*.js, src/lib/agent-db.ts fallback path, and the outlier src/app/api/unsubscribe/route.ts:54 still reference MONGODB_WRITE_URI. Migration to narrow users is deferred to after AWS cutover.
app_super_admin user for /sa-login. Ships with the admin dashboard implementation, not this session.
VPC peering. AWS session will add CIDR 10.40.0.0/16 to the staging allowlist and eventually replace the laptop IP entry. Not this session.
Adding staging env vars to Vercel. AWS session owns the Secrets Manager handoff.

Cost delta

+$0 MongoDB Atlas (M0 is free tier).
+$0 tooling (mongodb-database-tools is free).

Artifacts

.env.staging.local — credentials, gitignored, mode 600.
docs/briefs/SESSION_BRIEF_2026-04-17_atlas.md — handoff to AWS session.
ADRs 0001, 0002, 0003.
Runbook.
Control-mapping entries added in (paths updated 2026-05-11; were originally docs/compliance/{soc2,hipaa,ede,drata}/):
- docs/security-compliance/soc2-control-mapping.md — CC6.1, CC6.3, CC6.6, CC7.2.
- docs/security-compliance/hipaa-control-mapping.md — §164.312(a)(1), §164.312(b), §164.308(a)(4).
- docs/security-compliance/ede-control-mapping.md — §9 Access Control Logging.
- docs/security-compliance/compliance-automation-integration.md — seeded.