feat(fase-13): server_admins + admin_actions audit log model

Migration 024 introduces the orthogonal global role and the append-only
audit log. server_admins is a separate table (not a column on users) so
that promote/revoke don't require a JWT re-issue; is_server_admin() is a
STABLE SECURITY DEFINER helper matching the shape of is_admin/is_member.

admin_actions has only a SELECT policy (admin-only) — no INSERT/UPDATE/
DELETE policies, so only the SECURITY DEFINER RPCs in migration 025 can
write to it. actor_id FK uses RESTRICT so the audit trail outlives
admins.

Bootstrap via infra/db-init/10-server-admin-seed.sh on first volume
init (reads SERVER_ADMIN_EMAIL); supabase/seed.sql also pre-seeds Ana
for dev/test because docker-entrypoint-initdb.d does not re-fire on
long-lived dev volumes. Documented in .env.erosi.example.

20 new pgTAP assertions cover schema shape, RLS posture, FK behaviour,
and the SECURITY DEFINER + STABLE attributes on is_server_admin().

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
2026-05-18 04:52:18 +02:00
parent 99096f9f4a
commit b1858542d0
5 changed files with 345 additions and 0 deletions

View File

@@ -40,3 +40,19 @@ SUPABASE_SERVICE_ROLE_KEY=CHANGEME-sign-with-above
# DB_ENC_KEY: exactly 16 characters. SECRET_KEY_BASE: ≥ 64 characters.
REALTIME_ENC_KEY=CHANGEME16charkey
REALTIME_SECRET_KEY_BASE=CHANGEME-openssl-rand-base64-64-at-minimum-so-phoenix-is-happy
# ── Server admin bootstrap (Fase 13) ────────────────────────────────────────
# Email of the user who should be promoted to `server_admin` on first volume
# init. The bootstrap script (infra/db-init/10-server-admin-seed.sh) reads
# this and, if `public.server_admins` is empty AND a matching public.users row
# exists, inserts that user as the first admin. Idempotent — re-running with a
# different email after the first admin is created does NOTHING.
#
# IMPORTANT: this fires from `docker-entrypoint-initdb.d`, which only runs on
# a FRESH volume. On prod first deploy:
# 1. Spin up the stack (this will likely log "no user matches" — the user
# hasn't completed their first Keycloak login yet).
# 2. Have the operator sign in once via Keycloak so public.users picks them up.
# 3. Manually re-run: `docker compose exec -T db bash /docker-entrypoint-initdb.d/10-server-admin-seed.sh </dev/null`
# After that the table is non-empty and the script is a no-op forever.
SERVER_ADMIN_EMAIL=operator@example.com