Record project continuation changes

backend/internal/platform/authority/authority.go

@@ -214,9 +214,49 @@ END, prg.granted_at DESC
 	if err := rows.Err(); err != nil {
 		return "", fmt.Errorf("iterate platform role grants: %w", err)
 	}
+	if bestRole == PlatformRoleUser {
+		if role, ok, err := strictBootstrappedOwnerFallback(ctx, db, verifier, userID, email); err != nil {
+			return "", err
+		} else if ok {
+			return role, nil
+		}
+		return legacyPlatformRole(ctx, db, userID)
+	}
 	return bestRole, nil
 }
 
+func strictBootstrappedOwnerFallback(ctx context.Context, db postgresplatform.DBTX, verifier *Verifier, userID, email string) (string, bool, error) {
+	var role string
+	var bootstrappedOwnerEmail *string
+	var authorityState string
+	var rootFingerprint string
+	err := db.QueryRow(ctx, `
+SELECT u.platform_role, ia.bootstrapped_owner_email, ia.authority_state, ia.product_root_key_fingerprint
+FROM users u
+CROSS JOIN installation_authority ia
+WHERE u.id = $1::uuid
+  AND ia.id = 1
+`, userID).Scan(&role, &bootstrappedOwnerEmail, &authorityState, &rootFingerprint)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return PlatformRoleUser, false, nil
+		}
+		return "", false, fmt.Errorf("query strict bootstrapped owner fallback: %w", err)
+	}
+	if bootstrappedOwnerEmail == nil ||
+		!strings.EqualFold(*bootstrappedOwnerEmail, email) ||
+		authorityState != "active" ||
+		rootFingerprint != verifier.RootFingerprint() {
+		return PlatformRoleUser, false, nil
+	}
+	switch role {
+	case PlatformRoleAdmin, PlatformRoleRecoveryAdmin:
+		return role, true, nil
+	default:
+		return PlatformRoleUser, false, nil
+	}
+}
+
 func legacyPlatformRole(ctx context.Context, db postgresplatform.DBTX, userID string) (string, error) {
 	var role string
 	if err := db.QueryRow(ctx, `SELECT platform_role FROM users WHERE id = $1::uuid`, userID).Scan(&role); err != nil {