🏠 Overview ✅ Implementation Tasks ✅ epic-organizational-hierarchy-management-core-services-task-015

Deploy RLS migrations to staging and production Supabase

epic-organizational-hierarchy-management-core-services-task-015 — Apply all RLS migration scripts to the staging Supabase project, run the full role simulation test suite, then promote to production. Document the migration sequence, rollback procedure, and any required Supabase CLI commands. Verify that existing data remains accessible to correctly authenticated users after deployment.

critical priority medium complexity deployment pending devops specialist Tier 5

Acceptance Criteria

All RLS migration scripts (from tasks 011, 012, 013) are applied to staging Supabase project in the correct sequential order without errors
The full pgTAP role simulation test suite (from task-014) runs against staging and produces 100% pass rate before production deployment proceeds
A smoke test is performed on staging: an existing peer mentor account can log in, fetch their own activities, and cannot fetch another user's activities
A smoke test is performed on staging: an existing coordinator account can log in, fetch all activities in their chapter, and cannot fetch activities from another chapter
After staging validation, the same migration sequence is applied to production Supabase via Supabase CLI (not dashboard manual apply)
Production deployment is performed during a low-traffic window with prior communication to organisation contacts
All RLS migration files are committed to the repository under supabase/migrations/ and tagged with a git tag (e.g., rls-v1.0)
A migration runbook document describes: pre-deployment checklist, exact Supabase CLI commands, expected output, post-deployment verification steps, and rollback commands
Rollback procedure is tested on staging: down migrations successfully remove all policies and disable RLS without data loss
Post-production deployment: verify via Supabase dashboard (Authentication → Policies) that all expected policies are active on all 5 tables
Existing data integrity confirmed: row counts on all protected tables match pre-migration counts after deployment
Incident response plan documented: if RLS blocks legitimate access after deployment, the rollback script can be executed within 15 minutes

Technical Requirements

frameworks
Supabase CLI
Supabase PostgreSQL 15
apis
Supabase Management API (for migration status verification)
Supabase CLI (supabase db push, supabase db test, supabase migration list)
data models
activity
assignment
contact
contact_chapter
performance requirements
Migration application must complete within 5 minutes on production (all migration files combined)
Post-deployment query performance must be verified: run EXPLAIN ANALYZE on 3 representative queries (coordinator fetch, peer mentor fetch, admin fetch) and confirm no new Seq Scans on large tables
Confirm that RLS policy evaluation does not increase P95 query latency by more than 10ms on representative workloads
security requirements
Supabase CLI credentials (project ref, access token) must be stored in CI/CD secrets — never committed to the repository
Service role key used for migration application must be rotated after the deployment window if it was shared across team members
Production migration must be applied via CI/CD pipeline (not local developer machine) to ensure auditability and prevent accidental application of unapproved migrations
Rollback scripts must be reviewed and approved by a second team member before the deployment window begins
After deployment, verify that the Supabase dashboard shows Force Row Level Security enabled on all target tables (not just RLS enabled)

Execution Context

Execution Tier
Tier 5

Tier 5 - 253 tasks

Can start after Tier 4 completes

Implementation Notes

Migration sequence commands: (1) supabase login, (2) supabase link --project-ref {STAGING_REF}, (3) supabase db push --dry-run (review output), (4) supabase db push (apply), (5) supabase db test (run pgTAP suite). Repeat steps 2-5 for production ref. The --dry-run flag shows which migrations will be applied without executing them — always run this first. Use supabase migration list to confirm which migrations have been applied and which are pending.

For the rollback procedure: supabase db push applies down migrations if they exist in the migration files; alternatively, maintain a dedicated rollback.sql that can be run directly via psql. Critical deployment timing consideration: since task-012 (JWT hook) must be registered in the Supabase Auth settings manually (not via CLI migration), include a checklist step to verify the hook is registered BEFORE applying the RLS policy migrations. If the hook is not active when RLS migrations are applied, legitimate users will lose data access immediately. The correct deployment order is: (1) Register JWT hook in Auth settings, (2) Apply task-011 base RLS migrations, (3) Apply task-012 hook function migration, (4) Apply task-013 role-differentiated policy migrations, (5) Run full test suite.

Document this order explicitly in the runbook.

Testing Requirements

Pre-deployment (staging): run supabase db test to execute full pgTAP suite; run manual smoke tests for each role type (peer_mentor, coordinator, global_admin) using actual user accounts in the staging environment; record results in a deployment checklist. Post-deployment (staging): verify Supabase dashboard policy list matches expected; run EXPLAIN ANALYZE on 3 queries; confirm row counts match pre-migration. Pre-deployment (production): repeat staging smoke tests using production test accounts (created specifically for deployment validation, not real organisation accounts). Post-deployment (production): run smoke tests again; monitor Supabase logs for 30 minutes post-deployment for unexpected 403 errors or RLS policy violations; confirm all organisation contacts can access their data normally.

Rollback test (staging only): apply down migrations, confirm policies removed and data accessible without restriction, re-apply up migrations.

Component
RLS Policy Manager
infrastructure high
Dependencies (1)
Write automated tests that simulate multiple role scenarios (coordinator of chapter A trying to read chapter B data, peer mentor reading another mentor's records, global admin bypass) using Supabase's set_config for JWT simulation. Confirm data isolation is enforced and no cross-tenant leakage is possible. epic-organizational-hierarchy-management-core-services-task-014
Epic Risks (4)
high impact medium prob security

Injecting all unit assignment IDs into JWT claims for users assigned to many units (up to 5 for NHF peer mentors, many more for national coordinators) may exceed JWT size limits, causing authentication failures.

Mitigation & Contingency

Mitigation: Store unit IDs in a Supabase session variable or a dedicated Postgres function rather than embedding them directly in the JWT payload. Use set_config('app.unit_ids', ...) within RLS helper functions querying the assignments table at policy evaluation time.

Contingency: Fall back to querying the unit_assignments table directly within RLS policies using the authenticated user ID, accepting a small per-query overhead in exchange for removing the JWT size constraint.

medium impact medium prob technical

Rendering 1,400+ nodes in a recursive Flutter tree widget may cause jank or memory pressure on lower-end devices used by field peer mentors, degrading the admin experience.

Mitigation & Contingency

Mitigation: Implement lazy tree expansion — only the root level is rendered on initial load. Child nodes are rendered on demand when the parent is expanded. Use const constructors and ListView.builder for all node lists to minimize rebuild scope.

Contingency: Add a search/filter bar that scopes the visible tree to matching nodes, reducing the visible node count. Provide a 'flat list' fallback view for administrators who prefer searching over browsing the tree.

medium impact medium prob scope

Requirements for what constitutes a valid hierarchy structure may expand during NHF sign-off (e.g., mandatory coordinator assignments per chapter, minimum member counts per region), requiring repeated validator redesign.

Mitigation & Contingency

Mitigation: Design the validator as a pluggable rule engine where each check is a discrete, independently testable function. New rules can be added without changing the core validation orchestration. Surface all rules in a configuration table per organization.

Contingency: Defer non-blocking validation rules to warning-level feedback rather than hard blocks, allowing structural changes to proceed while flagging potential issues for admin review.

high impact low prob integration

Deploying RLS policy migrations to a shared Supabase project used by multiple organizations simultaneously could lock tables or interrupt active sessions, causing downtime during production migration.

Mitigation & Contingency

Mitigation: Write all RLS policies as CREATE POLICY IF NOT EXISTS statements. Schedule migrations during off-peak hours. Use Supabase's migration preview environment to validate policies against production data shapes before applying.

Contingency: Prepare rollback migration scripts for every RLS policy. If a migration causes issues, execute the rollback immediately and re-test the policy logic in staging before reattempting.

Quick Links
All Tasks Execution Plan