Skip to content

Commit 3371971

Browse files
committed
Bootstrap Supabase identity tables for sign-in readiness while product data stays Local DB - PR_26166_155-supabase-identity-tables-bootstrap
1 parent 5d94d2e commit 3371971

7 files changed

Lines changed: 555 additions & 712 deletions

File tree

Lines changed: 77 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,77 @@
1+
-- Game Foundry Studio Supabase identity bootstrap DDL
2+
-- Scope: Supabase account identity tables only.
3+
-- Product data remains on Local DB for PR_26166_155.
4+
-- No password tables are created here; passwords remain owned by Supabase Auth.
5+
-- users.key is the authoritative ownership reference for app records.
6+
7+
begin;
8+
9+
create table if not exists public.users (
10+
key text primary key,
11+
"displayName" text not null default 'Creator',
12+
email text,
13+
"authProvider" text,
14+
"authProviderUserId" text,
15+
"isActive" boolean not null default true,
16+
"createdAt" timestamptz not null default now(),
17+
"updatedAt" timestamptz not null default now(),
18+
"createdBy" text references public.users(key) on delete set null,
19+
"updatedBy" text references public.users(key) on delete set null,
20+
constraint users_auth_identity_unique unique ("authProvider", "authProviderUserId"),
21+
constraint users_no_mock_auth_provider check ("authProvider" is null or "authProvider" <> 'mock')
22+
);
23+
24+
create unique index if not exists idx_users_email_unique_not_null
25+
on public.users (lower(email))
26+
where email is not null;
27+
28+
create index if not exists idx_users_createdby on public.users ("createdBy");
29+
create index if not exists idx_users_updatedby on public.users ("updatedBy");
30+
31+
create table if not exists public.roles (
32+
key text primary key,
33+
"roleSlug" text not null unique,
34+
name text not null,
35+
description text not null default '',
36+
"isSystemRole" boolean not null default false,
37+
"isActive" boolean not null default true,
38+
"createdAt" timestamptz not null default now(),
39+
"updatedAt" timestamptz not null default now(),
40+
"createdBy" text not null references public.users(key),
41+
"updatedBy" text not null references public.users(key)
42+
);
43+
44+
create index if not exists idx_roles_createdby on public.roles ("createdBy");
45+
create index if not exists idx_roles_updatedby on public.roles ("updatedBy");
46+
47+
create table if not exists public.user_roles (
48+
key text primary key,
49+
"userKey" text not null references public.users(key) on delete cascade,
50+
"roleKey" text not null references public.roles(key) on delete cascade,
51+
"createdAt" timestamptz not null default now(),
52+
"updatedAt" timestamptz not null default now(),
53+
"createdBy" text not null references public.users(key),
54+
"updatedBy" text not null references public.users(key),
55+
constraint user_roles_user_role_unique unique ("userKey", "roleKey")
56+
);
57+
58+
create index if not exists idx_user_roles_userkey on public.user_roles ("userKey");
59+
create index if not exists idx_user_roles_rolekey on public.user_roles ("roleKey");
60+
create index if not exists idx_user_roles_createdby on public.user_roles ("createdBy");
61+
create index if not exists idx_user_roles_updatedby on public.user_roles ("updatedBy");
62+
63+
alter table public.users enable row level security;
64+
alter table public.roles enable row level security;
65+
alter table public.user_roles enable row level security;
66+
67+
revoke all on public.users from anon, authenticated;
68+
revoke all on public.roles from anon, authenticated;
69+
revoke all on public.user_roles from anon, authenticated;
70+
71+
grant select, insert, update, delete on public.users to service_role;
72+
grant select, insert, update, delete on public.roles to service_role;
73+
grant select, insert, update, delete on public.user_roles to service_role;
74+
75+
notify pgrst, 'reload schema';
76+
77+
commit;
Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
# Supabase DEV Identity Bootstrap
2+
3+
Use this only for the DEV Supabase project while product data remains on Local DB.
4+
5+
## Bootstrap Order
6+
7+
1. Run `docs_build/database/ddl/account/supabase-identity-tables.sql` in the Supabase SQL editor or through an approved operator SQL path.
8+
2. Run `npm run validate:supabase-dev`.
9+
3. Confirm these checks pass through REST/API:
10+
- `Service role authentication`
11+
- `users table`
12+
- `roles table`
13+
- `user_roles table`
14+
4. Keep `GAMEFOUNDRY_DB_PROVIDER=local-db`.
15+
16+
## Seed Rules
17+
18+
- Passwords remain owned by Supabase Auth.
19+
- Do not create password tables.
20+
- Browser JavaScript must not generate authoritative identity keys.
21+
- Create Account provisions app `users`, `roles`, and `user_roles` records server-side.
22+
- Static DEV user ULIDs are allowed only for these DEV seed users:
23+
- User 1: `01K2GFSJ0Y0000000000000051`
24+
- User 2: `01K2GFSJ0Y0000000000000052`
25+
- User 3: `01K2GFSJ0Y0000000000000053`
26+
- DavidQ admin: `01K2GFSJ0Y0000000000000054`
27+
- Do not use static keys for games, assets, objects, controls, votes, tickets, tool metadata, tool planning, tool state records, guest seed data, roles, or user_roles.
28+
- Do not use `authProvider: mock` for Supabase account identity records.
29+
30+
## Existing Auth Users
31+
32+
For existing DEV Supabase Auth users, provision app identity through the server/API provisioning path so the `users.authProviderUserId` value matches the real Supabase Auth user id.
33+
34+
Do not commit Supabase Auth user ids, access tokens, service role keys, or database URLs.
Lines changed: 89 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,89 @@
1+
# PR_26166_155-supabase-identity-tables-bootstrap
2+
3+
## Branch Validation
4+
- PASS: Current branch is `main`.
5+
- Expected branch: `main`.
6+
7+
## Requirement Checklist
8+
- PASS: `docs_build/dev/PROJECT_INSTRUCTIONS.md` was read before implementation.
9+
- PASS: `GAMEFOUNDRY_DB_PROVIDER=local-db` remains the required product-data posture.
10+
- PASS: Product data remains on Local DB; no product-table migration was added.
11+
- PASS: Direct PostgreSQL is not required for identity readiness. `validate:supabase-dev` uses Supabase REST/Auth checks for service-role and identity table readiness.
12+
- PASS: Direct PostgreSQL TLS failure is retained as a diagnostic and can be downgraded to `WARN` when REST/API identity readiness passes.
13+
- PASS: Added Supabase identity DDL under `docs_build/database/ddl/account/`.
14+
- PASS: Added DEV/review bootstrap instructions under `docs_build/database/seed/account/`.
15+
- PASS: Required identity tables are represented in DDL:
16+
- `users`
17+
- `roles`
18+
- `user_roles`
19+
- PASS: Required ownership fields are represented:
20+
- `key`
21+
- `createdAt`
22+
- `updatedAt`
23+
- `createdBy`
24+
- `updatedBy`
25+
- PASS: `users.key` remains the authoritative ownership reference.
26+
- PASS: DEV static ULID exceptions are documented only for User 1, User 2, User 3, and DavidQ admin.
27+
- PASS: No password tables were added.
28+
- PASS: No browser-owned auth or identity data was added.
29+
- PASS: No secrets or `.env.local` files were committed or modified.
30+
- PASS: `validate:supabase-dev` now runs with Node system CA support while keeping TLS verification enabled.
31+
- PASS: Service role authentication validates successfully through REST/Auth.
32+
- FAIL: Live Supabase `users`, `roles`, and `user_roles` table checks do not pass yet because the tables are not present in the remote Supabase schema cache.
33+
- FAIL: Live direct DB TLS failure remains a blocker in the current output because REST/API identity table readiness does not pass yet. Once the tables pass through REST/API, the direct DB TLS failure is downgraded to `WARN`.
34+
35+
## Validation Lane Report
36+
- Impacted lane: targeted operator auth/provider database bootstrap validation.
37+
- Playwright impacted: No. No browser runtime or auth/session page behavior changed.
38+
- Samples validation: SKIP. No samples or sample manifests changed.
39+
40+
## Validation Performed
41+
- PASS: `node --check scripts/validate-supabase-dev.mjs`
42+
- PASS: `node -e "JSON.parse(require('fs').readFileSync('package.json','utf8')); console.log('package.json OK')"`
43+
- PASS: `git diff --check`
44+
- PASS: No TLS bypass patterns were added.
45+
- PASS: No password table DDL was added.
46+
- FAIL: `npm run validate:supabase-dev` because the remote Supabase identity tables still need the DDL applied.
47+
48+
## validate:supabase-dev Output
49+
50+
```text
51+
> html-javascript-gaming@1.0.0 validate:supabase-dev
52+
> node --use-system-ca ./scripts/validate-supabase-dev.mjs
53+
54+
PASS - .env.local loaded (6 key(s) loaded)
55+
PASS - URL configured (GAMEFOUNDRY_SUPABASE_URL=https:...e.co)
56+
PASS - Publishable key configured (GAMEFOUNDRY_SUPABASE_ANON_KEY=sb_pub...V2Zj)
57+
PASS - Service role key configured (GAMEFOUNDRY_SUPABASE_SERVICE_ROLE_KEY=sb_sec...KRU6)
58+
PASS - Database URL configured (GAMEFOUNDRY_SUPABASE_DATABASE_URL=postgr...gres)
59+
PASS - Supabase reachable (HTTP 404)
60+
PASS - TLS validation
61+
PASS - Auth endpoint reachable (HTTP 200)
62+
PASS - Service role authentication (HTTP 200)
63+
FAIL - Database connection (SELF_SIGNED_CERT_IN_CHAIN)
64+
FAIL - users table (HTTP 404: Could not find the table 'public.users' in the schema cache Run docs_build/database/ddl/account/supabase-identity-tables.sql through the approved Supabase SQL setup path.)
65+
FAIL - roles table (HTTP 404: Could not find the table 'public.roles' in the schema cache Run docs_build/database/ddl/account/supabase-identity-tables.sql through the approved Supabase SQL setup path.)
66+
FAIL - user_roles table (HTTP 404: Could not find the table 'public.user_roles' in the schema cache Run docs_build/database/ddl/account/supabase-identity-tables.sql through the approved Supabase SQL setup path.)
67+
68+
Overall Result: FAIL
69+
Failed checks: Database connection, users table, roles table, user_roles table
70+
```
71+
72+
## Manual Validation Notes
73+
- The new DDL file is the approved SQL setup path for the missing Supabase identity tables.
74+
- REST/Auth TLS now validates successfully under Node by using the system CA store; TLS verification remains enabled.
75+
- Service-role authentication passes without printing secret values.
76+
- The direct database URL still fails TLS trust, which matches the known DEV DB URL issue.
77+
- The validator intentionally keeps the direct DB failure as `FAIL` until REST/API identity table readiness is green.
78+
- After running the DDL in Supabase SQL editor or another approved operator SQL path, rerun `npm run validate:supabase-dev`; expected result is identity table PASS and direct DB TLS WARN if the DB URL still fails.
79+
80+
## Changed Files
81+
- `package.json`
82+
- `scripts/validate-supabase-dev.mjs`
83+
- `docs_build/database/ddl/account/supabase-identity-tables.sql`
84+
- `docs_build/database/seed/account/supabase-dev-identity-bootstrap.md`
85+
- `docs_build/dev/reports/PR_26166_155-supabase-identity-tables-bootstrap.md`
86+
87+
## Review Artifacts
88+
- `docs_build/dev/reports/codex_review.diff`
89+
- `docs_build/dev/reports/codex_changed_files.txt`
Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,16 @@
11
# git status --short
22
M package.json
3-
?? docs_build/dev/reports/PR_26166_154-supabase-dev-tls-identity-readiness.md
4-
?? scripts/validate-supabase-dev.mjs
3+
M scripts/validate-supabase-dev.mjs
4+
?? docs_build/database/ddl/account/
5+
?? docs_build/database/seed/account/
6+
?? docs_build/dev/reports/PR_26166_155-supabase-identity-tables-bootstrap.md
57

68
# git ls-files --others --exclude-standard
7-
docs_build/dev/reports/PR_26166_154-supabase-dev-tls-identity-readiness.md
8-
scripts/validate-supabase-dev.mjs
9+
docs_build/database/ddl/account/supabase-identity-tables.sql
10+
docs_build/database/seed/account/supabase-dev-identity-bootstrap.md
11+
docs_build/dev/reports/PR_26166_155-supabase-identity-tables-bootstrap.md
912

1013
# git diff --stat
11-
package.json | 1 +
12-
1 file changed, 1 insertion(+)
14+
package.json | 2 +-
15+
scripts/validate-supabase-dev.mjs | 63 +++++++++++++++++++++++++++++++++------
16+
2 files changed, 55 insertions(+), 10 deletions(-)

0 commit comments

Comments
 (0)