Write unit tests for ProxyAuditLogger immutability
epic-coordinator-proxy-registration-foundation-task-010 — Write tests verifying that the ProxyAuditLogger produces append-only records: no update or delete operations succeed on the audit log table (test RLS enforcement), each proxy activity insert produces exactly one audit record, bulk inserts produce one audit record per mentor, payload_snapshot captures the full activity data at write time. Also test that logCreated and logBulkCreated correctly differentiate event_type in the audit log.
Acceptance Criteria
Technical Requirements
Execution Context
Tier 5 - 253 tasks
Can start after Tier 4 completes
Implementation Notes
The payload_snapshot correctness test is the most nuanced: create a ProxyActivityRecord, call logCreated, then mutate the original record object, and assert the captured snapshot still reflects the original state — this verifies that a deep copy/serialization happens at call time, not a reference. Use mocktail's verify(mockClient.from('proxy_audit_log').insert(captureAny)).called(1) pattern to assert call counts. For the 'never calls update/delete' assertion, use verifyNever(mockClient.from('proxy_audit_log').update(any)) after each logCreated/logBulkCreated call. These tests are complementary to task-009: task-009 tests the repository's behavior, task-010 tests the logger service itself in isolation.
Testing Requirements
Use flutter_test with mocktail to mock the Supabase client. Verify INSERT call payloads by capturing the argument passed to .from('proxy_audit_log').insert(). Assert that .update() and .delete() are never called on the mock. For RLS immutability tests, either mock the Supabase client to return a 403 error on update/delete, or note these as integration tests requiring a real Supabase project with RLS enabled.
Group tests: (1) event_type differentiation, (2) row count per method, (3) payload_snapshot correctness, (4) programmatic immutability (no update/delete calls), (5) RLS immutability.
Supabase RLS policies for org-scoped proxy access may be difficult to express correctly, especially for coordinators with multi-chapter access. An overly permissive policy could allow cross-org proxy registrations, corrupting Bufdir reporting; an overly restrictive policy could block legitimate coordinators from registering.
Mitigation & Contingency
Mitigation: Write integration tests covering all access boundary cases (same org, cross-org, multi-chapter coordinator) before merging any RLS migration. Use parameterised RLS test helpers already established by the auth feature.
Contingency: If RLS proves insufficient, add a server-side Edge Function validation layer that re-checks org membership before persisting any proxy record, providing defence in depth.
Adding new tables and foreign key constraints to an existing production Supabase database risks migration failures or locking issues if the database already contains active sessions during deployment.
Mitigation & Contingency
Mitigation: Use additive-only migrations (no DROP or ALTER on existing tables). Test full migration sequence in a staging Supabase project before production deployment. Schedule during low-traffic window.
Contingency: Maintain a rollback migration script. If the migration fails, the feature remains unreachable behind a feature flag while the schema issue is resolved.
Audit log entries must be immutable for compliance, but Supabase RLS by default allows row owners to update their own rows. If audit records are accidentally mutable, dispute resolution and accountability guarantees are invalidated.
Mitigation & Contingency
Mitigation: Configure the proxy_audit_log table with an RLS policy that allows INSERT for coordinators but denies UPDATE and DELETE for all roles including service_role, enforced at the database level.
Contingency: If RLS cannot fully prevent updates, create a database trigger that reverts any UPDATE to the audit table and logs the attempt as a security event.