# AGENTS.md This document provides context for AI agents operating on the `user_creation` infrastructure. ## Architecture & Tooling - This directory contains a standalone Google Apps Script project managed via `@google/clasp`. - Do NOT use TypeScript. We use vanilla `.js` (`src/Code.js`) to bypass local transpilation complexity. - **Authentication**: We use `ScriptApp.getOAuthToken()` directly to authenticate against the Google Identity Toolkit REST API. **DO NOT** implement Web API Keys or Service Accounts in the code. The script relies on its link to the underlying GCP project to inherit the trigger owner's permissions. ## Rules & Safeguards (CRITICAL) 1. **Never physically delete users.** - The declarative logic must use Soft Deletes. If an email is removed from the Google Sheet, the script must issue an API update to set `disableUser: true` in Firebase. This preserves historical records and prevents data corruption. 2. **Respect `DRY_RUN`.** - When `CONFIG.DRY_RUN` is true, the script must only evaluate state and log its intended API calls. It must completely bypass any `UrlFetchApp.fetch` calls that mutate Firebase state. 3. **Trigger Handling (`setup`).** - The script uses dual triggers (`onFormSubmit` and `onChange`). Ensure both are cleared and re-created whenever `setup()` is called. - `clasp push` does not update triggers. Always instruct the human user to run `setup()` manually in the IDE after a push. 4. **Conditional Email Logging.** - Only dispatch the admin summary email (to `CONFIG.ADMIN_EMAIL`) if a mutation occurred. If the target state and current state are perfectly synchronized, exit silently to prevent inbox pollution. ## Implementation Details - **Email/Password Strategy**: The user requested that we do NOT send out official welcome/password reset emails during the initial implementation to avoid spamming end users. We will generate a highly secure random password locally during the `accounts:signUp` request. The admin will manually trigger password resets later when they are ready.