feat: add fresh migration replay and platform role scope hardening

Author: brianfunk

docs/MIGRATION_VALIDATION.md

@@ -0,0 +1,29 @@
+# Migration Validation
+
+This project includes a repeatable fresh-database migration replay check.
+
+## Command
+
+```bash
+npm run db:validate:fresh
+```
+
+## What it does
+
+- Starts a temporary local PostgreSQL instance with `initdb`/`pg_ctl`.
+- Creates Supabase compatibility stubs (`auth` schema, `auth.users`, `auth.uid()`, `anon/authenticated/service_role` roles).
+- Replays all SQL migrations in `supabase/migrations` in lexical order.
+- Fails immediately on migration errors (`ON_ERROR_STOP=1`).
+
+## Latest result
+
+- Date: 2026-02-11
+- Result: pass
+- Evidence summary:
+  - All migrations through `20260211000700_platform_role_scope_hardening.sql` applied successfully.
+  - Fresh replay completed with `20` public tables present.
+
+## Notes
+
+- This check validates migration ordering and compatibility in a clean PostgreSQL environment without requiring Docker.
+- Supabase-managed runtime services (Auth/Storage APIs) are represented by minimal SQL stubs for migration execution only.

package.json

@@ -11,6 +11,7 @@
     "preview": "vite preview",
     "db:migrate": "npx supabase db push",
     "db:custom-migrate": "node apply-migrations.js",
+    "db:validate:fresh": "bash scripts/validate-migrations-fresh.sh",
     "test": "vitest --exclude tests/playwright/**",
     "test:ci": "vitest --run --passWithNoTests --exclude tests/playwright/**",
     "test:watch": "vitest --watch --exclude tests/playwright/**",

scripts/validate-migrations-fresh.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+MIGRATIONS_DIR="$ROOT_DIR/supabase/migrations"
+
+if ! command -v initdb >/dev/null 2>&1; then
+  echo "initdb is required to run fresh migration validation." >&2
+  exit 1
+fi
+
+if ! command -v pg_ctl >/dev/null 2>&1; then
+  echo "pg_ctl is required to run fresh migration validation." >&2
+  exit 1
+fi
+
+if ! command -v psql >/dev/null 2>&1; then
+  echo "psql is required to run fresh migration validation." >&2
+  exit 1
+fi
+
+PORT="${OC_MIGRATION_DB_PORT:-55434}"
+DB_NAME="${OC_MIGRATION_DB_NAME:-opencomments_validation}"
+
+TMPROOT="$(mktemp -d /tmp/opencomments-pg.XXXXXX)"
+PGDATA="$TMPROOT/data"
+PGLOG="$TMPROOT/postgres.log"
+
+cleanup() {
+  if [[ -d "$PGDATA" ]]; then
+    pg_ctl -D "$PGDATA" stop -m fast >/dev/null 2>&1 || true
+  fi
+  rm -rf "$TMPROOT"
+}
+trap cleanup EXIT
+
+initdb -D "$PGDATA" -A trust -U postgres >/dev/null
+cat >> "$PGDATA/postgresql.conf" <<CONF
+fsync = off
+listen_addresses = ''
+port = $PORT
+unix_socket_directories = '/tmp'
+CONF
+
+pg_ctl -D "$PGDATA" -l "$PGLOG" start >/dev/null
+createdb -h /tmp -p "$PORT" -U postgres "$DB_NAME"
+
+psql -h /tmp -p "$PORT" -U postgres -d "$DB_NAME" <<'SQL'
+DO $$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname='anon') THEN
+    CREATE ROLE anon NOLOGIN;
+  END IF;
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname='authenticated') THEN
+    CREATE ROLE authenticated NOLOGIN;
+  END IF;
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname='service_role') THEN
+    CREATE ROLE service_role NOLOGIN;
+  END IF;
+END $$;
+
+CREATE EXTENSION IF NOT EXISTS pgcrypto;
+CREATE SCHEMA IF NOT EXISTS auth;
+CREATE TABLE IF NOT EXISTS auth.users (
+  id uuid PRIMARY KEY,
+  email text,
+  raw_user_meta_data jsonb DEFAULT '{}'::jsonb,
+  created_at timestamptz DEFAULT now()
+);
+CREATE OR REPLACE FUNCTION auth.uid()
+RETURNS uuid
+LANGUAGE sql
+STABLE
+AS $$
+  SELECT '00000000-0000-0000-0000-000000000000'::uuid;
+$$;
+SQL
+
+echo "Running fresh migration replay from: $MIGRATIONS_DIR"
+while IFS= read -r migration; do
+  echo "APPLYING $(basename "$migration")"
+  psql -v ON_ERROR_STOP=1 -h /tmp -p "$PORT" -U postgres -d "$DB_NAME" -f "$migration" >/dev/null
+  echo "OK $(basename "$migration")"
+done < <(ls "$MIGRATIONS_DIR"/*.sql | sort)
+
+TABLE_COUNT=$(psql -h /tmp -p "$PORT" -U postgres -d "$DB_NAME" -t -A -c "SELECT count(*) FROM information_schema.tables WHERE table_schema='public';")
+
+echo "Fresh migration replay complete. Public table count: $TABLE_COUNT"

src/hooks/usePlatformRoles.ts

@@ -143,6 +143,10 @@ export const usePlatformRoles = () => {
   }
 
   const inviteUserToAgency = async (request: InviteUserRequest): Promise<string> => {
+    if (platformRole === 'super_user' && request.role === 'owner') {
+      throw new Error('Super users cannot assign owner role')
+    }
+
     try {
       const { data, error } = await supabase.rpc('platform_invite_user_to_agency', {
         p_agency_id: request.agency_id,

src/pages/platform/PlatformAdmin.tsx

@@ -1,4 +1,4 @@
-import React, { useState } from 'react'
+import React, { useEffect, useMemo, useState } from 'react'
 import { Navigate } from 'react-router-dom'
 import { useAuth } from '../../contexts/AuthContext'
 import { usePlatformRoles } from '../../hooks/usePlatformRoles'
@@ -54,7 +54,7 @@ const PlatformAdmin = () => {
   const [inviteForm, setInviteForm] = useState({
     agency_id: '',
     email: '',
-    role: 'owner' as AgencyRole,
+    role: 'reviewer' as AgencyRole,
     full_name: ''
   })
 
@@ -64,6 +64,20 @@ const PlatformAdmin = () => {
     full_name: ''
   })
 
+  const assignableAgencyRoles = useMemo(() => {
+    return Object.entries(AGENCY_ROLES)
+      .map(([role, info]) => ({ role: role as AgencyRole, info }))
+      .filter(({ role }) => !(platformRole === 'super_user' && role === 'owner'))
+  }, [platformRole])
+
+  useEffect(() => {
+    const defaultRole = assignableAgencyRoles[0]?.role || 'reviewer'
+    setInviteForm((prev) => ({
+      ...prev,
+      role: assignableAgencyRoles.some((entry) => entry.role === prev.role) ? prev.role : defaultRole,
+    }))
+  }, [assignableAgencyRoles])
+
   // Redirect if not authenticated or no platform role
   if (!user || !platformRole) {
     return <Navigate to="/login" replace />
@@ -111,13 +125,17 @@ const PlatformAdmin = () => {
     setSuccessMessage('')
 
     try {
+      if (platformRole === 'super_user' && inviteForm.role === 'owner') {
+        throw new Error('Super users cannot assign owner role')
+      }
+
       await inviteUserToAgency(inviteForm)
 
       setSuccessMessage(`User "${inviteForm.email}" invited successfully as ${AGENCY_ROLES[inviteForm.role].name}`)
       setInviteForm({
         agency_id: '',
         email: '',
-        role: 'owner',
+        role: assignableAgencyRoles[0]?.role || 'reviewer',
         full_name: ''
       })
     } catch (err: any) {
@@ -448,7 +466,7 @@ const PlatformAdmin = () => {
                         className="w-full px-3 py-2 border border-gray-300 rounded-md focus:outline-none focus:ring-2 focus:ring-purple-500 focus:border-transparent"
                         required
                       >
-                        {Object.entries(AGENCY_ROLES).map(([role, info]) => (
+                        {assignableAgencyRoles.map(({ role, info }) => (
                           <option key={role} value={role}>
                             {info.name} - {info.description}
                           </option>