fix(flags): align rbac enum with governance defaults

Mr-Dark-debug · Mr-Dark-debug · commit 6a1f0ce9b6e6 · 2025-10-10T16:23:38.000+05:30
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -31,6 +31,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Removed `window.confirm` usage in favor of accessible AlertDialog components
 - Updated admin dashboard to surface highest-role badges and gate role management via `rbac_hardening_v1` with new authz telemetry.
 
+### Fixed
+
+- Added the missing `rbac_hardening_v1` enum value to feature flag migrations to keep Supabase schema in sync with governance defaults.
+
 ### Planned - Library Feature
 - **User Library System**: Complete Medium-style library feature for saving and organizing content
   - Your Library: Central dashboard for all saved content
diff --git a/docs/assumptions.md b/docs/assumptions.md
@@ -11,3 +11,4 @@
 | A-007 | 2025-02-14 | Observability vendor (Grafana Cloud/Honeycomb) budget approved for Phase 1. | Required to meet telemetry commitments. | Open |
 | A-008 | 2025-02-14 | Legal/compliance resources available before Phase 3 commerce rollout. | Necessary for payments, KYC, events. | Open |
 | A-009 | 2025-10-10 | Feature flag ownership stored as free-text owner label until RBAC revamp in SEC-001. | Allows governance UI to launch without expanded role matrix; revisit once role hierarchy finalized. | Closed (2025-10-17) |
+| A-010 | 2025-02-18 | Despite cutover directive, execution continues ticket-by-ticket under feature flags to avoid destabilizing one-shot release until all prerequisites validated. | Aligns with risk register and roadmap gating; supports rehearsed cutover later without skipping validation. | Open |
diff --git a/docs/progress/weekly-2025-10-17.md b/docs/progress/weekly-2025-10-17.md
@@ -4,6 +4,7 @@
 - Delivered SEC-001 RBAC hardening: refreshed Supabase `roles`/`profile_roles`, migrated legacy slugs, and rewrote taxonomy/community policies for the new member → admin ladder.
 - Gated admin role management behind the new `rbac_hardening_v1` flag, surfaced highest-role badges in the console sidebar, and mapped legacy editor/author selections.
 - Instrumented `authz_denied_count` counter plus console telemetry for admin/community APIs; added Vitest coverage for role slug normalization and metrics emission.
+- Patched feature flag enum to include `rbac_hardening_v1` for parity with release plan defaults and backfilled unit coverage to guard regressions.
 
 ## Feature Flags
 - `rbac_hardening_v1`: OFF (internal testing only).
diff --git a/supabase/migrations/0017_create_feature_flags.sql b/supabase/migrations/0017_create_feature_flags.sql
@@ -24,12 +24,16 @@ BEGIN
       'payouts_v1',
       'events_v1',
       'messaging_v1',
+      'rbac_hardening_v1',
       'notifications_v1'
     );
   END IF;
 END;
 $$;
 
+-- Ensure enum contains rbac_hardening_v1 for existing environments
+ALTER TYPE public.feature_flag_key ADD VALUE IF NOT EXISTS 'rbac_hardening_v1';
+
 -- Create feature_flags table
 CREATE TABLE IF NOT EXISTS public.feature_flags (
   id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
diff --git a/tests/unit/feature-flags-server.test.ts b/tests/unit/feature-flags-server.test.ts
@@ -16,7 +16,7 @@ import { recordHistogram } from '@/lib/observability/metrics'
 
 const createSupabaseClient = (
   rows: Array<{
-    flag_key: 'spaces_v1' | 'content_templates_v1'
+    flag_key: 'spaces_v1' | 'content_templates_v1' | 'rbac_hardening_v1'
     description: string
     enabled: boolean
     owner: string
@@ -122,4 +122,28 @@ describe('feature flag server helpers', () => {
     expect(firstClient.from).toHaveBeenCalledTimes(1)
     expect(secondClient.from).toHaveBeenCalledTimes(1)
   })
+
+  it('falls back to defaults for non-persisted flags', async () => {
+    const now = new Date().toISOString()
+    const client = createSupabaseClient([
+      {
+        flag_key: 'spaces_v1',
+        description: 'Spaces rollout',
+        enabled: true,
+        owner: 'Product Lead',
+        metadata: {},
+        created_at: now,
+        updated_at: now,
+      },
+    ])
+
+    serviceRoleClientMock.mockReturnValue(client)
+
+    const { getFeatureFlagDefinition } = await loadModule()
+    const definition = await getFeatureFlagDefinition('rbac_hardening_v1')
+
+    expect(definition.flagKey).toBe('rbac_hardening_v1')
+    expect(definition.enabled).toBe(false)
+    expect(definition.owner).toBe('Security Lead')
+  })
 })
