🏠 Overview ✅ Implementation Tasks ✅ epic-external-system-integration-configuration-foundation-task-012

Write unit tests for repository and vault client

epic-external-system-integration-configuration-foundation-task-012 — Write comprehensive unit tests for OrganizationIntegrationRepository and IntegrationCredentialVault using flutter_test and mocktail. Cover: CRUD success paths, Supabase error mapping, JSONB serialization round-trips, vault RPC call contracts, and null-safety edge cases. Achieve minimum 80% coverage on all repository and vault client methods.

high priority medium complexity testing pending testing specialist Tier 5

Acceptance Criteria

Unit tests exist for all public methods of OrganizationIntegrationRepository: create, read, update, delete, list
Unit tests exist for all public methods of IntegrationCredentialVault: storeCredential, retrieveCredential, rotateCredential, deleteCredential
All Supabase error codes (PostgrestException, AuthException, network errors) are mapped to domain exceptions and tested
JSONB serialization round-trip tests verify that storing and retrieving integration config produces identical domain objects
Vault RPC call contracts are tested: correct RPC function names, parameter shapes, and response parsing
Null-safety edge cases are covered: null responses from Supabase, missing optional fields, empty credential stores
Minimum 80% line and branch coverage achieved on OrganizationIntegrationRepository and IntegrationCredentialVault
All tests pass in CI without requiring network access (fully mocked via mocktail)
Test file naming follows flutter_test conventions: *_test.dart in test/ directory mirroring lib/ structure
No test shares mutable state — each test sets up and tears down its own mock state

Technical Requirements

frameworks
Flutter
flutter_test
mocktail
apis
Supabase PostgREST client mock
Supabase RPC mock
data models
OrganizationIntegration
IntegrationCredential
IntegrationConfig
FieldMappings
performance requirements
Full test suite completes in under 30 seconds
No individual test exceeds 500ms
security requirements
No real credentials or API keys used in any test fixture
Vault credential values in test fixtures must be clearly fake (e.g. 'test-secret-value')
Tests must not write to any real Supabase project

Execution Context

Execution Tier
Tier 5

Tier 5 - 253 tasks

Can start after Tier 4 completes

Integration Task

Handles integration between different epics or system components. Requires coordination across multiple development streams.

Implementation Notes

Use mocktail's `when().thenAnswer()` pattern for async Supabase calls. Create a shared `FakeSupabaseClient` helper class in `test/helpers/` that all repository tests can extend — this prevents duplication of mock wiring. For JSONB round-trip tests, store the expected JSON fixture as a `.json` file in `test/fixtures/` and load it with `rootBundle` or `File` — do not inline large JSON strings in test code. For vault RPC tests, capture the actual arguments passed to the mock using `verify(mockClient.rpc(captureAny(), params: captureAnyNamed('params')))` to assert the exact parameter shape.

Be careful with Dart null-safety: use `isNull` and `isNotNull` matchers rather than `== null` comparisons in `expect()` calls. Group tests with `group()` matching the class under test, and use `setUp()` for mock initialization.

Testing Requirements

Pure unit tests using flutter_test and mocktail. Mock the Supabase client at the lowest abstraction boundary — do not mock repository methods themselves. Test groups: (1) Repository CRUD success paths — verify correct Supabase query construction and domain object mapping; (2) Repository error mapping — inject PostgrestException with each relevant code (23505 duplicate, 42501 permission denied, PGRST116 not found) and assert the correct domain exception is thrown; (3) JSONB round-trips — serialize a fully-populated IntegrationConfig, deserialize from the mocked Supabase response, and assert field equality including nested FieldMappings; (4) Vault RPC contracts — verify storeCredential calls the correct RPC function name with expected parameters, retrieveCredential decodes the response envelope, rotateCredential invalidates old references; (5) Null-safety — test nullable fields returning null from Supabase, empty list responses, and missing optional JSONB keys. Run with `flutter test --coverage` and enforce 80% minimum via lcov threshold.

Component
Organization Integration Repository
data medium
Dependencies (3)
Build serialization/deserialization utilities for the field_mappings JSONB column. Define FieldMapping model with source_field, target_field, transformation, and integration_type fields. Implement round-trip JSON serialization, validation against registry-defined mapping targets, and migration helpers for evolving mapping schemas over time. epic-external-system-integration-configuration-foundation-task-010 Implement the full Dart repository class for CRUD operations on organization_integrations via Supabase client. Methods: getIntegrationsByOrg(), getIntegrationById(), createIntegration(), updateIntegration(), deleteIntegration(). All methods must handle Supabase exceptions, map to domain errors, and serialize/deserialize JSONB field_mappings correctly. epic-external-system-integration-configuration-foundation-task-008 Create the Dart client that communicates with the Supabase Vault wrapper functions via RPC calls. Implement storeCredentials(), retrieveCredentials(), rotateCredentials(), and deleteCredentials() methods. The client must never log or expose plaintext values, handle vault RPC errors gracefully, and return typed CredentialReference objects containing only the vault secret ID. epic-external-system-integration-configuration-foundation-task-009
Epic Risks (3)
high impact medium prob technical

Supabase Vault API has limited documentation for Dart/Flutter clients; wrapping it correctly for credential rotation and secret reference management may require significant trial and error, delaying the vault component and blocking all downstream credential-dependent work.

Mitigation & Contingency

Mitigation: Spike the Vault integration in the first sprint using a minimal proof-of-concept (store, retrieve, rotate one secret). Document the API surface before building the full vault client. Identify any missing Dart SDK bindings early.

Contingency: If Supabase Vault is too complex, fall back to Supabase's encrypted column approach (pgcrypto) for credential storage as a temporary measure, with a planned migration path to Vault once the API is understood.

high impact low prob security

Incorrect RLS policy configuration on organization_integrations could allow org admins of one organization to read or modify another organization's integration credentials, creating a serious data breach and compliance violation.

Mitigation & Contingency

Mitigation: Write integration tests that explicitly attempt cross-org data access using different JWT tokens and assert 0 rows returned. Include RLS policy review in PR checklist. Use Supabase's local development stack for policy validation before deployment.

Contingency: If a breach is discovered post-deployment, immediately revoke all integration credentials, rotate vault secrets, notify affected organizations, and apply emergency RLS patches.

medium impact medium prob technical

JSONB columns for field_mappings and sync_schedule lack database-level schema enforcement; AI-generated or malformed JSON could silently corrupt integration configurations, causing export failures that are hard to diagnose.

Mitigation & Contingency

Mitigation: Define TypeScript/Dart model classes with strict deserialization and validation. Add database check constraints or triggers that validate JSONB structure at write time. Version the JSONB schema to enable forward-compatible migrations.

Contingency: Build a repair script that scans organization_integrations for invalid JSONB and resets corrupted records to a safe default state, alerting the admin of the affected organization.

Quick Links
All Tasks Execution Plan