🏠 Overview ✅ Implementation Tasks ✅ epic-bulk-and-proxy-registration-foundation-task-010

Widget Tests for ProxyAuditBadge and Integration Smoke Test

epic-bulk-and-proxy-registration-foundation-task-010 — Write widget tests for ProxyAuditBadge using flutter_test: verify badge renders when IDs differ, verify nothing renders when IDs match, verify semantic label is present for screen readers, and verify design-token colors are applied. Additionally run a smoke integration test against a local Supabase instance that inserts one batch of two proxy activity records (recorded_by_user_id set to coordinator) and asserts the badge appears on both resulting activity cards.

high priority medium complexity testing pending testing specialist Tier 4

Acceptance Criteria

Widget test: ProxyAuditBadge renders a visible widget (finds at least one non-empty widget in the tree) when recorded_by_user_id differs from attributed_user_id
Widget test: ProxyAuditBadge renders nothing (SizedBox.shrink or empty) when both IDs are equal
Widget test: `Semantics` widget with a non-empty label is found in the badge subtree for screen reader support (WCAG 2.2 AA)
Widget test: badge container uses the design token color for proxy indicators (assert specific Color value from the token system, not a hardcoded hex)
Widget test: all four cases above pass with `flutter test` and zero analyzer warnings
Integration smoke test: seeding two proxy activity records via local Supabase and navigating to the activity list results in both cards displaying the ProxyAuditBadge
Integration smoke test: a control record inserted with matching recorded_by_user_id and attributed user_id does NOT show the badge
Integration smoke test is tagged `@Tags(['integration'])` and excluded from standard CI unit test runs
All tests documented with a brief comment explaining each scenario

Technical Requirements

frameworks
Flutter
flutter_test
Riverpod
apis
Supabase PostgREST (local instance for integration test)
Supabase RPC (batch insert for smoke test seed)
data models
ActivityRecord
PeerMentorContact
UserProfile
performance requirements
Widget tests must complete in under 3 seconds total
Integration smoke test may take up to 30 seconds; must be run only on demand or in a dedicated CI job
security requirements
Integration test must use a local or staging Supabase instance — NEVER production credentials
Test credentials must be read from environment variables or a `.env.test` file excluded from version control
ui components
ProxyAuditBadge (111-proxy-audit-badge)
ActivityCard
CoordinatorActivityLogRow

Execution Context

Execution Tier
Tier 4

Tier 4 - 323 tasks

Can start after Tier 3 completes

Implementation Notes

For the design token color assertion, avoid asserting a hardcoded hex — import the token constant directly in the test file and compare `Color == AppDesignTokens.proxyBadgeColor`. This ensures the test breaks if someone changes the token value without updating the badge. For the integration test setup, consider a `setUpAll` block that calls the Supabase admin API to insert test records and a `tearDownAll` that deletes them by test-run ID. Use a unique `test_run_id` metadata field on seeded records to avoid cross-test contamination.

The integration test must boot the full Flutter widget tree (use `IntegrationTestWidgetsFlutterBinding.ensureInitialized()`). Tag it so it does not run in standard `flutter test` — only via `flutter test integration_test/` explicitly.

Testing Requirements

Widget tests: use `WidgetTester.pumpWidget()` wrapping ProxyAuditBadge in a `MaterialApp` with the design token theme applied. Use `find.byType()`, `find.bySemanticsLabel()`, and `find.byWidgetPredicate()` to assert rendering and semantics. Color assertion: use `tester.widget(...)` to read the decoration color and compare to `AppColors.proxyIndicator` (or equivalent token). Integration smoke test: write as a `flutter_test` integration test in `integration_test/` folder.

Use a test helper to seed the local Supabase database before the test and clean up after. Pump the full activity list screen and use `find.byType(ProxyAuditBadge)` to count badge occurrences.

Component
Proxy Audit Badge Widget
ui low
Dependencies (3)
Update all existing activity card and list-item widgets to conditionally render the ProxyAuditBadge by passing recorded_by_user_id and the attributed actor's user_id. Ensure the badge placement is consistent across the peer mentor stats list, coordinator activity log viewer, and post-session report confirmation view. Verify that cards without proxy data render identically to their pre-change state (no visual regression). epic-bulk-and-proxy-registration-foundation-task-007 Write unit tests for the BatchInsertRpcAdapter using flutter_test and a mocked Supabase client. Cover: successful batch insert returning correct IDs, partial payload triggering full transaction rollback, network error propagation as typed exception, empty list handling, and serialization correctness for recorded_by_user_id field. Achieve minimum 90% branch coverage for the adapter class. epic-bulk-and-proxy-registration-foundation-task-008 Write unit tests for ProxyContactListProvider using flutter_test and Riverpod's ProviderContainer. Cover: initial fetch returning correctly mapped PeerMentorContact list, cache hit preventing a second Supabase call, cache invalidation triggering re-fetch, empty roster returning empty list without error, and Supabase error being surfaced as AsyncError state. Mock the Supabase client and assert RLS-aware query parameters. epic-bulk-and-proxy-registration-foundation-task-009
Epic Risks (2)
high impact medium prob security

Adding recorded_by_user_id to the activities table and writing correct RLS policies is error-prone: overly permissive policies would allow coordinators to record activities under arbitrary user IDs they do not manage, while overly restrictive policies would silently block valid proxy inserts. A policy defect here would either create a security vulnerability or break the entire proxy feature at runtime.

Mitigation & Contingency

Mitigation: Write RLS policies in a local Supabase emulator first. Include policy unit tests using pg_tap or supabase test helpers. Have a second reviewer check the migration SQL before merging. Explicitly test the three cases: coordinator inserting for their own mentors (should succeed), coordinator inserting for another chapter's mentors (should fail), peer mentor inserting for themselves (should succeed as before).

Contingency: If a policy defect is discovered in staging, roll back the migration with a down-migration script. Delay feature release until the policy is corrected and re-verified. Apply a feature flag to keep the proxy entry point hidden from coordinators until the fix is confirmed.

high impact low prob technical

The insert_bulk_activities RPC must behave atomically — a failure on row 7 of 12 must roll back rows 1–6. If Supabase's RPC transaction handling is misconfigured or if network interruptions cause partial acknowledgements, some peer mentors could receive duplicate or missing activity records, directly corrupting Bufdir statistics for the coordinator's chapter.

Mitigation & Contingency

Mitigation: Implement the RPC as a PostgreSQL function with explicit BEGIN/EXCEPTION/END block to guarantee atomicity. Add an integration test that inserts a batch where one row violates a unique constraint and asserts zero rows are committed. Document the transaction semantics in code comments.

Contingency: If atomicity cannot be guaranteed via RPC (e.g., due to Supabase plan limitations), fall back to a sequential insert loop with a compensating DELETE in case of partial failure, and surface a clear error to the coordinator listing which mentors failed and which succeeded.

Quick Links
All Tasks Execution Plan