2 Commits

Author SHA1 Message Date
27afda74f1 feat(fase-13): admin UI + sidebar entry + isServerAdmin store + e2e SA-01..04
13.3 admin UI:
  - (admin) route group with own layout + red banner + sidebar (Collectives,
    Admins, Audit log, Server). +layout.ts is client-rendered (ssr=false),
    same rationale as the (app) group.
  - /admin/collectives — paginated list via admin_list_collectives, search
    by name, soft-delete / restore / hard-delete modals (hard-delete needs
    explicit checkbox; force toggle bypasses the 30-day wait server-side).
  - /admin/collectives/[id] — members list with kick action; recent actions
    for the collective filtered from admin_actions.
  - /admin/admins — list via server_admins join to users (disambiguated by
    FK name — there are TWO FKs to users so the embed needs the explicit
    server_admins_user_id_fkey); promote modal does an email lookup; revoke
    button is replaced by "you (cannot revoke yourself while sole admin)"
    when applicable.
  - /admin/audit — paginated feed (default 50), action filter.
  - /admin/server — server-layer default-section toggles backed by
    admin_set_default_section + the new admin_clear_default_section RPC
    (added because patching the JSONB to `true` is NOT equivalent to "no
    opinion" — `true` explicitly overrides a collective OFF).

13.4 sidebar/drawer entry:
  - $isServerAdmin store (writable; +$isServerAdminLoaded for the gate
    race) refreshed on every onAuthStateChange in root layout, cleared on
    sign-out. Cached so the sidebar tile is synchronous.
  - DesktopSidebar + MobileDrawer render the entry only when the store is
    true. Distinct red icon so it never blends with normal nav.

Stores wiring:
  - features.ts gains serverSectionDefaults writable + enabledSections
    derived now reads server > collective > user > default. Loader
    piggybacks on loadCurrentUserFeatures so the server layer is fetched
    once per sign-in.
  - serverAdmin.ts new module — refreshServerAdminFlag() + clearServerAdminFlag().
  - Tracks isServerAdminLoaded so the (admin) layout doesn't redirect away
    during the millisecond between SIGNED_IN and the RPC resolving (caught
    empirically — every hard-load to /admin/* bounced to / without it).

13.5 tests:
  - admin.test.ts (SA-01..SA-04) with new loginAsAdmin fixture. Ana is the
    seed admin (server_admins seeded via supabase/seed.sql).
  - SA-04 + SV-02 reset their server-layer JSONB via the new
    admin_clear_default_section RPC so the suites don't leak state into
    each other.

Migration 025 adds admin_clear_default_section(text) — same SECURITY DEFINER
+ audit pattern as the rest. pgTAP 017 updated (23 plans, AR-T13b + the
SECURITY DEFINER list now includes the clear RPC).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 05:30:56 +02:00
7556d77bf8 feat(fase-13): admin RPCs + server_settings + section_enabled server layer
Migration 025 adds:
  - collectives.deleted_at column for soft delete (app-level visibility;
    RLS does NOT enforce soft-delete invisibility — admin area surfaces
    everything by design).
  - server_settings(key text pk, value jsonb) — generic admin-write bag
    seeded with an empty 'default_sections' row.
  - section_enabled() extended with the server layer as the topmost
    coalesce branch. Final precedence: server > collective > user > true.
  - Privileged RPCs: grant_/revoke_server_admin (last-admin guard fires
    P0003), admin_list_collectives, admin_soft_delete_collective,
    admin_restore_collective, admin_hard_delete_collective (30-day or
    p_force=true), admin_remove_member, admin_set_default_section
    (rejects unknown sections via known_sections() lookup).
  - _log_admin_action(): private helper centralising the
    audit INSERT, called by every privileged RPC BEFORE the mutation.

Migration 024 RLS policy on server_admins rewritten to delegate the
admin branch to is_server_admin() (SECURITY DEFINER, bypasses RLS) —
the original inline EXISTS hit infinite recursion (caught empirically
with `SET ROLE authenticated`).

22 new pgTAP assertions cover schema shape, RPC signatures, the
SECURITY DEFINER posture of every admin function, the new deleted_at
column, and the server-layer precedence semantics for section_enabled.

10 new Vitest integration tests (SA-01..SA-10) cover:
  - admin_list_collectives gated for non-admins (P0001 'forbidden').
  - soft / restore / hard delete audit + state transitions.
  - hard-delete recency guard (not_soft_deleted, too_recent, force).
  - hard-delete cascade is non-destructive to public.users.
  - remove_member writes role_was + reason to audit payload.
  - set_default_section rejects unknown sections; patches JSONB
    without clobbering siblings.
  - grant/revoke with last-admin guard (revoking the sole admin
    raises P0003 'last_admin'; failed call does NOT write audit).
  - section_enabled precedence walked layer by layer in one client.
  - RLS: non-admin sees zero rows in admin_actions + server_admins.

packages/types/src/database.ts hand-extended with the new tables and
RPC signatures; collectives Row/Insert/Update get deleted_at.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 05:01:19 +02:00