feat(fase-13): server_admins + admin_actions audit log model

Migration 024 introduces the orthogonal global role and the append-only
audit log. server_admins is a separate table (not a column on users) so
that promote/revoke don't require a JWT re-issue; is_server_admin() is a
STABLE SECURITY DEFINER helper matching the shape of is_admin/is_member.

admin_actions has only a SELECT policy (admin-only) — no INSERT/UPDATE/
DELETE policies, so only the SECURITY DEFINER RPCs in migration 025 can
write to it. actor_id FK uses RESTRICT so the audit trail outlives
admins.

Bootstrap via infra/db-init/10-server-admin-seed.sh on first volume
init (reads SERVER_ADMIN_EMAIL); supabase/seed.sql also pre-seeds Ana
for dev/test because docker-entrypoint-initdb.d does not re-fire on
long-lived dev volumes. Documented in .env.erosi.example.

20 new pgTAP assertions cover schema shape, RLS posture, FK behaviour,
and the SECURITY DEFINER + STABLE attributes on is_server_admin().

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
2026-05-18 04:52:18 +02:00
parent 99096f9f4a
commit b1858542d0
5 changed files with 345 additions and 0 deletions

View File

@@ -129,3 +129,18 @@ BEGIN
last_used_at = EXCLUDED.last_used_at;
END IF;
END $$;
-- ── Fase 13 server admins ─────────────────────────────────────────────────────
-- In dev we promote Ana directly so the integration + e2e suites have a known
-- server admin without depending on `docker-entrypoint-initdb.d` (which only
-- fires on a fresh volume). On prod the same role is bootstrapped by
-- infra/db-init/10-server-admin-seed.sh reading SERVER_ADMIN_EMAIL.
DO $$
BEGIN
IF EXISTS (SELECT 1 FROM information_schema.tables
WHERE table_schema = 'public' AND table_name = 'server_admins') THEN
INSERT INTO public.server_admins (user_id)
VALUES ('11111111-1111-1111-1111-111111111111') -- Ana
ON CONFLICT (user_id) DO NOTHING;
END IF;
END $$;