AGENTS.md

This document provides context for AI agents operating on the user_creation infrastructure.

Architecture & Tooling

This directory contains a standalone Google Apps Script project managed via @google/clasp.
Do NOT use TypeScript. We use vanilla .js (src/Code.js) to bypass local transpilation complexity.
Authentication: We use ScriptApp.getOAuthToken() directly to authenticate against the Google Identity Toolkit REST API. DO NOT implement Web API Keys or Service Accounts in the code. The script relies on its link to the underlying GCP project to inherit the trigger owner's permissions.

Never physically delete users.
- The declarative logic must use Soft Deletes. If an email is removed from the Google Sheet, the script must issue an API update to set disableUser: true in Firebase. This preserves historical records and prevents data corruption.
Respect DRY_RUN.
- When CONFIG.DRY_RUN is true, the script must only evaluate state and log its intended API calls. It must completely bypass any UrlFetchApp.fetch calls that mutate Firebase state.
Trigger Handling (setup).
- The script uses dual triggers (onFormSubmit and onChange). Ensure both are cleared and re-created whenever setup() is called.
- clasp push does not update triggers. Always instruct the human user to run setup() manually in the IDE after a push.
Conditional Email Logging.
- Only dispatch the admin summary email (to CONFIG.ADMIN_EMAIL) if a mutation occurred. If the target state and current state are perfectly synchronized, exit silently to prevent inbox pollution.

Email/Password Strategy: The user requested that we do NOT send out official welcome/password reset emails during the initial implementation to avoid spamming end users. We will generate a highly secure random password locally during the accounts:signUp request. The admin will manually trigger password resets later when they are ready.