
refactor: clean up upload integration test — expectRlsDenied, expectSuccess, DRY SQL#1098

Merged
pyramation merged 2 commits into feat/rls-alice-bob-integration-test from feat/upload-test-cleanup
May 10, 2026
Conversation

@pyramation pyramation commented May 10, 2026

Summary

Test-only refactor of upload.integration.test.ts and its SQL seed fixture, following code review on the prior PR. No test logic or coverage changes — all 34 tests still exercise the same scenarios.

Three changes:

  1. expectMutationDenied → expectRlsDenied — The old helper accepted any error as "denied" (including validation errors, 500s, typos). The new helper validates that the denial is specifically from RLS: checks for permission denied, new row violates row-level security, or insufficient_privilege in the error message, or a null mutation result (0-row RLS USING filter). Any other failure shape now throws, preventing tests from passing for the wrong reason.

  2. expectSuccess helper — Extracts the repeated expect(res.status).toBe(200); expect(res.body.errors).toBeUndefined() pattern (~20 instances) into a single function that returns res.body.data for chaining.

  3. DRY SQL schema — Extracted a _test_create_storage_schema(schema_name) PL/pgSQL function to eliminate ~110 lines of duplicated table definitions across Alice/Bob/Mallory. RLS policies remain inline since they differ per tenant. Function is dropped at the end of the seed file.

Updates since last revision

  • Reverted superuser verification — The initial version added a pg.query() superuser check for post-attack data integrity. This was reverted after review feedback: using a separate PG connection introduces a transaction isolation concern. The verification now uses the same HTTP → server → pool path (postGraphQLViaApi + expectSuccess) as the mutations themselves, ensuring we read from the same transactional context.
  • Removed unused pg destructuring and PgTestClient import.

Review & Testing Checklist for Human

  • Verify expectRlsDenied string matching is complete — Are there other PG error messages for RLS denial that aren't covered by the three patterns (permission denied, new row violates row-level security, insufficient_privilege)? If any current test's denial uses a different message, it will now fail instead of silently passing.
  • Verify the DRY SQL function produces identical tables — The _test_create_storage_schema uses EXECUTE format(...) with dynamic SQL. Confirm the generated table structure matches the original static DDL (column types, constraints, comments, grants).
  • Run the integration test suite to confirm all 34 tests pass with the refactored helpers and DRY schema: pnpm test -- upload.integration

Notes

  • The _test_create_storage_schema function uses CREATE FUNCTION (not CREATE OR REPLACE) since this is a fresh test database — appropriate for a test fixture.
  • This PR targets feat/rls-alice-bob-integration-test, so only Socket Security checks run in CI. The full 52-check suite will run once merged toward main.
  • Net line reduction: ~80 lines removed across both files.

Link to Devin session: https://app.devin.ai/sessions/94a2728a9c414500bead29cbbc829c15
Requested by: @pyramation

@devin-ai-integration
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@devin-ai-integration devin-ai-integration Bot changed the title from "refactor: clean up upload integration test — expectRlsDenied, expectSuccess, superuser verification, DRY SQL" to "refactor: clean up upload integration test — expectRlsDenied, expectSuccess, DRY SQL" on May 10, 2026
@pyramation pyramation merged commit d9ecaf9 into feat/rls-alice-bob-integration-test May 10, 2026
2 checks passed
@pyramation pyramation deleted the feat/upload-test-cleanup branch May 10, 2026 09:29