Unit tests: ProxyActivityRepository coverage

epic-bulk-and-proxy-registration-services-task-006 — Write comprehensive unit tests for ProxyActivityRepository using flutter_test and mocked Supabase client. Cover: dual-identity insert persists both user IDs correctly, coordinator audit query filters by recorded_by_user_id only, peer mentor stats query uses peer_mentor_id only, batch insert returns per-row results, RLS boundary test (coordinator cannot read another coordinator's proxy records), and error handling for network failures.

high priority medium complexity testing pending testing specialist Tier 3

Acceptance Criteria

All tests pass with `flutter test` — zero failures, zero errors

Test coverage for ProxyActivityRepository reaches ≥ 90% line coverage

Dual-identity insert test: verifies that both recorded_by_user_id and peer_mentor_id are present and distinct in the persisted payload

Coordinator audit query test: mock returns rows with mixed recorded_by_user_id values; assert only coordinatorId rows are returned

Peer mentor stats test: mock returns rows with mixed recorded_by values; assert aggregation uses peer_mentor_id exclusively

Batch insert test: mock returns a partial failure; assert BatchInsertResult has correct per-row success/failure flags at correct indices

RLS boundary test: mock simulates a Supabase 403/RLS violation error for cross-coordinator access; assert UnauthorizedFailure is returned

Network failure test: mock throws a socket/timeout error; assert NetworkFailure is returned for all repository methods

All test data uses UUIDs that clearly distinguish coordinator identity from mentor identity (e.g., different UUID prefixes in test fixtures)

No real Supabase client or network calls are made in any test — all external dependencies are mocked

Technical Requirements

frameworks

Flutter

BLoC

apis

Supabase PostgreSQL 15

data models

activity

contact

assignment

performance requirements

Entire test suite runs in under 30 seconds

Tests are isolated — no shared mutable state between test cases

security requirements

Test fixtures must not contain real personnummer, real names, or real UUIDs from production

RLS boundary tests must explicitly simulate unauthorized access to verify failure handling

Execution Context

Execution Tier

Tier 3

Tier 3 - 413 tasks

Can start after Tier 2 completes

View Full Execution Plan

Implementation Notes

Create a `MockSupabaseClient` using mocktail's `Mock` class. Use `when(() => mockClient.from('activities').select(...)).thenReturn(...)` pattern adapted to the Supabase Dart SDK's builder interface. Since Supabase Dart uses a fluent builder API, you may need to mock at the `SupabaseQueryBuilder` level — consider creating a thin `IActivityDataSource` interface around the raw Supabase calls so the repository can be tested without mocking the entire Supabase builder chain. This also makes the tests more resilient to Supabase SDK version changes.

Fixtures should be defined as static const maps in a `ProxyActivityTestFixtures` class.

Testing Requirements

Unit tests only using flutter_test. Use mocktail or mockito to mock the Supabase client. Organize tests in a single describe block per method: insertProxyActivity, getActivitiesRecordedByCoordinator, getActivitiesAttributedToMentor, getActivityCountsByMentor, insertBatch. Each method block must cover: happy path, empty/zero result, filter correctness, RLS violation, and network error.

Use `setUp` to initialize a fresh mock before each test group.

Component

Proxy Activity Repository

data medium

Dependencies (3)

Add query methods to ProxyActivityRepository that filter by recorded_by_user_id so a coordinator can retrieve only the proxy records they personally registered. Implement getActivitiesRecordedByCoordinator(coordinatorId, {dateRange, featureFilters}) returning a paginated list. This feeds the coordinator audit trail screen and must return the attributed peer mentor name alongside the coordinator's own entry. epic-bulk-and-proxy-registration-services-task-003 Add query methods that aggregate activities by peer_mentor_id regardless of who recorded them, so peer mentor statistics correctly credit the attributed mentor. Implement getActivitiesAttributedToMentor(mentorId, {dateRange}) and getActivityCountsByMentor(chapterId, period) for chapter-scoped statistics. These views must exclude the coordinator identity to prevent double-counting in Bufdir reports. epic-bulk-and-proxy-registration-services-task-004 Integrate the Batch Insert RPC Adapter into ProxyActivityRepository to support bulk proxy insertions. Implement insertBatch(List<ProxyActivityRecord>) that delegates to the Supabase RPC function for atomic multi-row inserts. Ensure each row in the batch carries its own recorded_by_user_id and peer_mentor_id. Handle partial failures by returning a BatchInsertResult with per-row success/failure flags. epic-bulk-and-proxy-registration-services-task-005

Epic Risks (2)

high impact low prob security

The Proxy Registration Service must verify that the coordinator has a legitimate assignment relationship with the target peer mentor before creating a record. If this check is implemented only in application code and not enforced at the DB/RLS level, a compromised or buggy client could bypass it by calling the Supabase endpoint directly, creating fraudulent proxy records for arbitrary peer mentors.

Mitigation & Contingency

Mitigation: Implement permission validation at two levels: (1) application-layer check in Proxy Registration Service that queries the assignments table before constructing the payload, and (2) RLS policy on the activities table that restricts INSERT to rows where recorded_by_user_id matches the authenticated user AND peer_mentor_id is in the set of peer mentors assigned to that coordinator. The RLS policy is the authoritative guard; the service-layer check provides early user-facing feedback.

Contingency: If RLS policy implementation is blocked by Supabase plan constraints, implement a Supabase Edge Function as a proxy endpoint that enforces the permission check server-side before forwarding to the DB. Disable direct client inserts entirely for proxy activities.

medium impact medium prob technical

For a bulk session with 30 selected peer mentors, the Proxy Duplicate Detector must query existing activities for each mentor. If implemented as 30 sequential Supabase queries, round-trip latency could make the bulk confirmation screen feel slow (>3s), degrading coordinator experience and potentially causing timeouts.

Mitigation & Contingency

Mitigation: Implement the duplicate check as a single Supabase query using an IN clause on peer_mentor_id combined with the activity_type and date filters, returning all potential duplicates for the entire batch in one network round-trip. Group results client-side by mentor ID to produce the per-mentor warning structure.

Contingency: If the single-query approach returns too much data for very large chapters, add a database index on (peer_mentor_id, activity_type, date) and profile query time. If still insufficient, accept a short loading state on the confirmation screen with a progress indicator rather than pre-loading duplicates before navigation.

Quick Links

All Tasks Execution Plan