fix(auth-server): handle account deletion failures with passkeys

[vpomerleau]

Because

• deleteAccount_22 deleted accounts before passkeys, violating the passkeys.uid FK constraint and aborting the transaction for any user with a registered passkey.
• The route swallowed the failure silently, returning success to the user even though the account was not deleted.

This pull request

• Adds deleteAccount_23 with passkeys deleted before accounts.
• Throws AppError.accountDeletionFailed (errno 239) so the UI shows a meaningful error instead of "Unexpected error".
• Adds failure metrics, Sentry reporting, and cloud-task uid tagging across both deletion paths.

Issue that this pull request solves

Closes: FXA-13676

Checklist

Put an x in the boxes that apply

• My commit is GPG signed.
• If applicable, I have modified or added tests which pass locally.
• I have added necessary documentation (if appropriate).
• I have verified that my changes render correctly in RTL (if appropriate).
• I have manually reviewed all AI generated code.

How to review (Optional)

• Key files/areas to focus on:
• Suggested review order:
• Risky or complex parts:

Screenshots (Optional)

Please attach the screenshots of the changes made in case of change in user interface.

Other information (Optional)

This bug only impacts environments with passkey feature enabled.

[Copilot]

Pull request overview

This pull request fixes account-deletion failures for users with registered passkeys by updating the auth DB deletion stored procedure order and ensuring failures are correctly surfaced to clients and observability systems (metrics + Sentry), rather than being silently swallowed.

Changes:

• Add deleteAccount_23 DB stored procedure (and bump schema patch level) to delete passkeys before accounts to avoid FK constraint aborts.
• Introduce ACCOUNT_DELETION_FAILED (errno 239) and wire it through shared errors + Settings strings.
• Improve deletion failure handling: propagate quick-delete failures (skip cloud-task enqueue on failure), add failure metrics + Sentry reporting, and tag Sentry user context for cloud-task requests.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
packages/fxa-shared/db/models/auth/base-auth.ts	Switches delete-account proc binding to deleteAccount_23.
packages/fxa-settings/src/lib/auth-errors/en.ftl	Adds localized message for errno 239.
packages/fxa-settings/src/lib/auth-errors/auth-errors.ts	Adds Settings-side mapping for ACCOUNT_DELETION_FAILED.
packages/fxa-auth-server/lib/routes/cloud-tasks.ts	Tags Sentry user with affected uid for cloud-task handlers.
packages/fxa-auth-server/lib/routes/account.spec.ts	Updates /account/destroy behavior expectations when quickDelete fails.
packages/fxa-auth-server/lib/account-delete.ts	Propagates quickDelete failures via AppError(239); adds failure metrics/Sentry reporting for cloud-task deletion path.
packages/fxa-auth-server/lib/account-delete.spec.ts	Adds/updates tests for failure metrics + Sentry reporting + errno 239 behavior.
packages/db-migrations/databases/fxa/target-patch.json	Bumps DB patch level to 192.
packages/db-migrations/databases/fxa/patches/patch-192-191.sql	Adds rollback patch stub for level 192.
packages/db-migrations/databases/fxa/patches/patch-191-192.sql	Creates deleteAccount_23 and updates patch level.
libs/accounts/passkey/PASSKEY_FIELDS.md	Updates documentation reference to deleteAccount_23.
libs/accounts/errors/src/constants.ts	Adds ERRNO.ACCOUNT_DELETION_FAILED = 239.
libs/accounts/errors/src/app-error.ts	Adds AppError.accountDeletionFailed() producing errno 239.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.