[Gap-Audit] 042 Payment RLS Policies: un-skip 25 E2E test stubs and verify policies

[TortoiseWolfe]

Summary

20+ RLS policies are written in the monolithic migration. The work is verification, not new code: un-skip 25 test stubs in tests/e2e/payment/08-security-rls.spec.ts, run them, fix any policies that fail to enforce what they claim.

What's shipped

• 20+ RLS policies in supabase/migrations/20251006_complete_monolithic_setup.sql
• 2 live E2E tests in 08-security-rls.spec.ts

Gap

• 25 E2E test stubs awaiting un-skip + run
• Rate-limit UI for payment endpoints missing

Plan

1. Un-skip tests one at a time
2. For each that fails: read the assertion, check the policy, decide whether the test is correct or the policy needs adjustment
3. Adjust either the test or the policy until all 25 pass
4. Add the rate-limit UI as a separate sub-task

Reference

• Spec: features/payments/042-payment-rls-policies/spec.md
• Related: [Eval-Backlog] PAYMENT-DASHBOARD: user-facing payment dashboard route #3, [Eval-Backlog] PAYMENT-OFFLINE-UI: UI layer for existing offline payment queue #4, [Eval-Backlog] SUBSCRIPTION-MGMT: subscription management route + 4 edge functions + grace-period wiring #5 — once RLS is verified, the user-facing payment routes can land safely

[TortoiseWolfe]

Next-session primer

Goal: run the RLS test suite against a live Supabase to verify the 20+ payment RLS policies actually enforce what they claim.

Effort: medium (~2-4h depending on policy mismatches found)
Blocked on: needs SUPABASE_SERVICE_ROLE_KEY and either Supabase Cloud sandbox or local Supabase (docker compose --profile supabase up)

What I learned re-reading the code today

The audit's "25 skipped E2E test stubs" framing was imprecise. The actual situation:

• The RLS tests live in tests/rls/ (NOT in tests/e2e/payment/)
• They use describe.skipIf(!hasRlsTestEnvironment()) (defined at tests/fixtures/test-users.ts:34), which auto-skips when env vars are missing
• They are NOT marked .skip — they just don't run without a live Supabase
• 5 RLS test files: anonymous-access, audit-immutability, payment-rls, service-role, user-isolation
• payment-rls.test.ts alone has 5 describe blocks with multi-test coverage

So the work isn't "un-skip 25 tests." It's "set up the env, run pnpm test:rls, and triage the failures."

Files

• tests/rls/payment-rls.test.ts — 5 describe blocks, ~600 lines, covers payment_intents/payment_results/subscriptions/webhook_events/payment_provider_config tables
• tests/rls/user-isolation.test.ts, tests/rls/anonymous-access.test.ts, tests/rls/audit-immutability.test.ts, tests/rls/service-role.test.ts — also gated by the same env detection
• tests/fixtures/test-users.ts:34 — hasRlsTestEnvironment() reads SUPABASE_URL, SUPABASE_ANON_KEY, SUPABASE_SERVICE_ROLE_KEY
• package.json:73 — pnpm test:rls runs these via vitest run --config vitest.rls.config.ts

Procedure

1. Either:
   • Option A (Cloud): pull SUPABASE_SERVICE_ROLE_KEY from Supabase Cloud project (Settings → API), set in .env, run against the production-shaped instance (CAREFUL — these tests insert and delete real rows; do this in a sandbox project)
   • Option B (Local): docker compose --profile supabase up then run against the local stack
2. docker compose exec scripthammer pnpm test:rls
3. For each failure: read the assertion, read the policy in supabase/migrations/20251006_complete_monolithic_setup.sql, decide whether the test is correct or the policy needs adjustment
4. For policy adjustments: edit the monolithic migration file, apply via Supabase Management API per CLAUDE.md (NOT a separate migration file)
5. Re-run pnpm test:rls until green

Watch-outs

• DO NOT run against production data. These tests insert and delete payment_intents, payment_results, etc. Use a sandbox Supabase project.
• The CLAUDE.md monolithic-migration rule applies. Don't create 032_fix_rls.sql; edit the existing file.
• After policy changes, also run docker compose exec scripthammer pnpm exec playwright test tests/e2e/payment/ to confirm the user-facing payment flows still work.

Adjacent issue

Once RLS is verified, several tests/e2e/payment/ E2E specs that currently rely on policies-being-correct can have their stubs un-skipped. Track those alongside #3, #4, #5 (existing eval-backlog payment issues).

[TortoiseWolfe]

Verified — closing

Ran pnpm test:rls against both local Supabase (docker compose --profile supabase up) and cloud. 55/55 tests pass on both. Branch: 044/payment-rls-verify.

Test surface (matches the issue's pinned-comment scope)

File	Tests	Status
tests/rls/payment-rls.test.ts	28	✅
tests/rls/user-isolation.test.ts	7	✅
tests/rls/audit-immutability.test.ts	7	✅
tests/rls/service-role.test.ts	6	✅ (1 test fixed — see below)
tests/rls/anonymous-access.test.ts	7	✅

Findings

RLS policies are correct. Zero policy edits needed. The 20+ payment RLS policies enforce exactly what features/payments/042-payment-rls-policies/spec.md claims, verified by the assertions in payment-rls.test.ts (5 describe blocks across payment_intents, payment_results, subscriptions, webhook_events, payment_provider_config).

One test was wrong (commit 6533567): service-role.test.ts "service role can read all audit logs" asserted ≥2 rows on the basis of "signup events from user creation," but the monolithic schema has no trigger that writes auth_audit_logs rows on auth.users INSERT. The policy under test is "service role can SELECT all audit logs"; verifying that needs only ≥1 row, which T032 reliably inserts immediately above. Fixed the assertion + comment, no policy change.

Cloud-state cleanup needed

The cloud Supabase had two stale *@scripthammer.test users from a 2026-04-16 run that died mid-test, with one orphaned payment_intent blocking userA's delete via FK. Hard-deleted both users + the orphan intent + its results to unblock the cloud run. The fixture's afterAll cleanup is correct; this was historical residue. Worth tracking as a separate follow-up if it keeps happening: a lightweight tests/rls/cleanup-stale.ts script that the fixture could invoke at startup.

Out of scope (deliberately not bundled)

• 84 test.skips in tests/e2e/payment/ — these gate on missing routes (/payment/dashboard, /payment/subscriptions, /payment/history, /payment/result), not on RLS. They belong with [Eval-Backlog] PAYMENT-DASHBOARD: user-facing payment dashboard route #3, [Eval-Backlog] PAYMENT-OFFLINE-UI: UI layer for existing offline payment queue #4, [Eval-Backlog] SUBSCRIPTION-MGMT: subscription management route + 4 edge functions + grace-period wiring #5.
• auth_audit_logs signup-event instrumentation — surfaced by the test that was fixed. Filing this as a separate item rather than expanding scope here.

Commit: 6533567 — fix(rls): correct service-role audit-log assertion to match schema

Closing.

[TortoiseWolfe]

Verified locally and cloud — see preceding comment. Branch 044/payment-rls-verify, commit 6533567.

[TortoiseWolfe]

Follow-ups filed:

• [Gap-Audit] auth_audit_logs sign_up events not written for all signup paths #49 — auth_audit_logs sign_up event instrumentation (the test-fix surfacing)
• [Gap-Audit] RLS test suite wedges on cloud Supabase when prior runs leave residue #50 — RLS test fixture cleanup-stale hook (the cloud-residue surfacing)