feat(realtime): Fase 2b.0 infra + first R-series tests green

Enable postgres_changes broadcasts on shopping_items / shopping_lists and prove
the path end-to-end with Vitest Realtime tests and a pgTAP configuration check.

Infra changes that were silently blocking events
- Migration 007: shopping_items + shopping_lists added to supabase_realtime
  publication with REPLICA IDENTITY FULL (UPDATE/DELETE payloads need the full
  row so list_id-based filters work and RLS can evaluate DELETE against OLD)
- Realtime service: DB_USER=supabase_admin (superuser; supabase_replication_admin
  lacks CREATE on the `realtime` schema that the service auto-creates per tenant)
- Realtime service: SELF_HOST_TENANT_NAME=realtime so the seed tenant name
  matches the default supabase-js resolves for localhost URLs (was realtime-dev
  → TenantNotFound)

Tests
- pgTAP 004_realtime_publication.sql — P-01..P-04: publication membership and
  REPLICA IDENTITY FULL for both shopping tables
- Vitest realtime-postgres-changes.test.ts — R-01 INSERT broadcast,
  R-02 UPDATE carries full row, R-03 list_id filter isolates events
- test-utils realtime-helpers.ts — subscribePostgresChanges() returns a
  waitFor(predicate, timeout) helper that captures the SUBSCRIBED handshake
  before returning so mutations issued right after are not lost
- createClientAs now calls realtime.setAuth(token) so the server evaluates
  RLS against the test user's JWT
- Justfile test-db now globs supabase/tests/*.sql so new pgTAP files are picked
  up automatically

Totals: 54→57 Vitest, 12→16 pgTAP, 15 Playwright = 88 tests green.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-13 02:33:40 +02:00
parent f396897cb5
commit 4c913cf495
10 changed files with 370 additions and 14 deletions

View File

@@ -26,10 +26,14 @@ async function signToken(userId: string): Promise<string> {
/**
* Create a Supabase client that authenticates as the given seed user.
* RLS policies see auth.uid() = userId.
*
* Also calls `realtime.setAuth(token)` so Realtime subscriptions carry the
* same identity — the server evaluates RLS against this JWT when deciding
* which Postgres-changes events to forward.
*/
export async function createClientAs(userId: string) {
const token = await signToken(userId);
return createClient<Database>(
const client = createClient<Database>(
requiredEnv('PUBLIC_SUPABASE_URL'),
requiredEnv('PUBLIC_SUPABASE_ANON_KEY'),
{
@@ -37,6 +41,9 @@ export async function createClientAs(userId: string) {
auth: { persistSession: false, autoRefreshToken: false }
}
);
// @ts-expect-error — realtime.setAuth exists at runtime on supabase-js v2
client.realtime.setAuth(token);
return client;
}
/**