feat(sec): harden supabase rbac and admin tooling

CHANGELOG.md

@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Supabase-backed feature flag governance service with admin management UI, audit logging, and typed SDK instrumentation.
+- Hardened Supabase RBAC with updated roles/profile_roles migrations, refreshed RLS policies, and the `rbac_hardening_v1` rollout flag.
 - **Alert Dialog Component**: Installed neo-brutalism styled alert-dialog component from neobrutalism.dev
 - **Confirmation Dialogs**: Implemented confirmation dialogs for all major destructive actions across the application
   - Post deletion and publishing in PostsTable (mobile and desktop views)
@@ -27,6 +29,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Updated CommentsModeration to use AlertDialog for comment deletion
 - Updated UserAccountPanel to use AlertDialog for sign out confirmation
 - Removed `window.confirm` usage in favor of accessible AlertDialog components
+- Updated admin dashboard to surface highest-role badges and gate role management via `rbac_hardening_v1` with new authz telemetry.
+
+### Fixed
+
+- Added the missing `rbac_hardening_v1` enum value to feature flag migrations to keep Supabase schema in sync with governance defaults.
+- Locked the admin feature flag API (including PURGE) behind RBAC checks, emitting denial telemetry and documenting reversible down migrations.
 
 ### Planned - Library Feature
 - **User Library System**: Complete Medium-style library feature for saving and organizing content
@@ -46,6 +54,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Documentation
 - Added `docs/library-feature-implementation-plan.md` - Complete implementation roadmap
 - Added `docs/library-feature-summary.md` - Executive summary and feature overview
+- Refreshed security, data model, release plan, and test strategy docs to capture SEC-001 RBAC changes and telemetry.
 - Added `docs/library-technical-spec.md` - Detailed technical specifications and database schema
 
 ## [1.12.9] - 2025-02-27

docs/00-audit-report.md

@@ -0,0 +1,72 @@
+# Phase 0 Audit Report
+
+## 1. Executive Summary
+Syntax & Sips currently delivers a production-grade editorial and community publishing experience built on Next.js 15 (App Router) and Supabase Postgres/Auth. The platform already exposes public storytelling surfaces (blogs, tutorials, podcasts, changelog), gated admin tooling, gamification widgets, and Supabase edge functions for newsletters and AI summarization. However, it lacks the governance, extensibility, and documentation required to evolve into the Community Platform Fusion vision that blends long-form publishing, structured Q&A, discussion spaces, and events/commerce. Phase 0 exposes the gaps and codifies priorities for an incremental roadmap.
+
+## 2. System Inventory
+### 2.1 Applications & Frontend
+- **Next.js App Router** under `src/app` with feature-first routes (`/blogs`, `/tutorials`, `/videos`, `/community`, `/admin`).
+- **Neo-brutalist component library** stored in `src/components`, `src/components/ui`, `src/components/magicui`, and themed via `tailwind.config.js` & `src/app/globals.css`.
+- **Authentication middleware** (`src/middleware.ts`, `src/lib/supabase`) gating admin, account, and onboarding routes.
+- **Client integrations** for analytics, newsletters, and gamification controls (e.g., `src/components/admin`, `src/components/auth`, `src/components/ui/NewSummarizeButton.tsx`).
+
+### 2.2 Backend & Data
+- **Supabase Postgres** schema defined through migrations under `supabase/migrations`. Key tables: `posts`, `post_tags`, `categories`, `tags`, `profiles`, `roles`, `profile_roles`, `comments`, `newsletter_subscribers`, `site_settings`.
+- **Supabase Functions** for newsletter opt-in/out and AI summarization inside `supabase/functions`.
+- **Next.js API routes** within `src/app/api/**` handling CRUD for content, newsletter, gamification, and admin workflows.
+- **Edge/Server components** performing server-side Supabase queries with caching hints and streaming responses.
+
+### 2.3 Tooling & Operations
+- **Testing:** Vitest configuration (`vitest.config.ts`) and Playwright setup (`playwright.config.ts`, `tests/` directory) with partial coverage.
+- **Linting & formatting:** ESLint (`eslint.config.mjs`), Tailwind/PostCSS configs, but no documented Prettier hook.
+- **Scripts:** `scripts/` folder for build-time helpers (e.g., chunk sync) and deployment automation.
+- **Observability:** No unified telemetry spec; ad-hoc logging via console. No dashboards or metric definitions in repo.
+
+### 2.4 Documentation
+- Extensive marketing and program documentation in `/docs`, but missing the mandated artifacts for architecture, backlog, release plan, security posture, observability, and risk tracking.
+
+## 3. Current Data Flows
+| Flow | Trigger | Path | Notes |
+| --- | --- | --- | --- |
+| Public content render | Anonymous visitor requests `/blogs/[slug]` | Next.js server component fetches from Supabase `posts` and `post_tags` tables, caches response per ISR settings | No feature flags; all users share same experience |
+| Admin moderation | Authenticated admin visits `/admin` | Middleware validates Supabase session → client components fetch analytics/queues via API routes → updates persisted via Supabase | Audit logging limited to Supabase defaults |
+| Newsletter opt-in | Visitor submits email form | API route validates input → Supabase function handles subscription + transactional email via Mailtrap | Limited error handling surfaced to UI |
+| Gamified summarization | Reader clicks summarize button | Client component calls Supabase function / edge worker to generate summary | No usage caps; potential abuse risk |
+
+## 4. Dependencies & Integrations
+- **Supabase services:** Auth, Postgres, Edge Functions, Storage (for media assets referenced in content components).
+- **Mailtrap SMTP:** For newsletter confirmations (per README environment requirements).
+- **Analytics:** References to dashboards in admin components but no documented provider (likely Supabase or bespoke). Needs confirmation.
+- **Third-party assets:** Tabler icon CDN in README, fonts under `/fonts`.
+
+## 5. Known Gaps & Technical Debt (Prioritized)
+| Priority | Gap / Debt | Impact | Recommendation |
+| --- | --- | --- | --- |
+| P0 | Missing governance documents & feature flag framework for new modules | Blocks compliant delivery of new capabilities | Produce documentation suite (this Phase 0), define flag utilities, integrate with release plan |
+| P0 | No dedicated spaces/communities domain model | Prevents Spaces rollout | Design new schema (`spaces`, `space_members`, `space_rules`, `space_roles`) and APIs with feature flags |
+| P0 | Observability & KPI metrics undefined | Cannot monitor KPIs or enforce SLOs | Establish telemetry spec (metrics, traces, logging) and dashboards before Phase 1 |
+| P1 | Moderation tooling lacks audit logs & sanctions | Non-compliant with safety requirements | Introduce `audit_logs`, sanctions workflow, and mod action logging |
+| P1 | Search experience limited to curated content pages | Does not meet taxonomy/search goals | Implement full-text search index, synonyms, and topic pages |
+| P2 | Payments, donations, events, and bounties absent | Blocks monetization phases | Plan integrations (Stripe/Razorpay/UPI) with compliance and KYC flows |
+| P2 | Reputation system incomplete | Privilege ladder not enforceable | Model `reputation_events`, scoring rules, and privilege gating |
+| P3 | Accessibility baseline unverified | Risk of WCAG non-compliance | Add automated accessibility tests, manual audits, and design token checks |
+
+## 6. Risks & Constraints
+- **Data Integrity:** Existing schema may lack foreign keys/indices for new relationships; migrations must be reversible.
+- **AuthZ Complexity:** Role expansion (member → admin) will require new policy definitions in Supabase; current RLS coverage unknown.
+- **Operational Load:** Supabase quotas and email providers need capacity review before launching events/donations.
+- **Timeline Pressure:** Deliverables span product, engineering, and UX; cross-functional syncs required to avoid drift.
+
+## 7. Baseline Metrics & Gaps
+- **Content publish latency:** No measurement instrumentation; must be added in Phase 1.
+- **Search P95 latency:** Search not centralized; baseline currently uninstrumented pending unified search rollout.
+- **Donation success rate:** Payments not implemented; baseline 0%.
+- **Moderation queue age:** Admin views exist but no metric tracking; instrumentation required.
+- **Event RSVP conversion:** Events not yet live.
+
+## 8. Recommendations for Phase 1 Kickoff
+1. Adopt the documentation suite defined in this repo (target architecture, product spec, roadmap, backlog, release plan).
+2. Stand up feature flag utilities (likely using Supabase `site_settings` or ConfigCat/LaunchDarkly) to gate new modules.
+3. Define telemetry plan before building new features to avoid retrofitting instrumentation.
+4. Align design system updates with forthcoming Spaces/Content templates to reduce rework.
+5. Audit Supabase RLS policies and plan for expanded role matrix.

docs/01-target-architecture.md

@@ -0,0 +1,176 @@
+# Target Architecture Blueprint
+
+## 1. Context Diagram
+```mermaid
+flowchart LR
+    subgraph Users
+        Visitor[Visitor]
+        Member[Member]
+        Creator[Creator]
+        Moderator[Moderator]
+        Admin[Platform Admin]
+        Sponsor[Sponsor / Donor]
+    end
+
+    Visitor -->|consume content| WebApp[Next.js Web Experience]
+    Member -->|publish / engage| WebApp
+    Creator -->|manage projects/events| WebApp
+    Moderator -->|review queues| WebApp
+    Admin -->|configure policies| WebApp
+    Sponsor -->|fund bounties/donations| WebApp
+
+    WebApp -->|RLS-secured queries| Supabase[(Supabase Postgres + Auth)]
+    WebApp -->|Edge functions| SupaFunctions[Supabase Edge Functions]
+    WebApp -->|Payments API| Payments[Stripe / Razorpay / UPI]
+    WebApp -->|Video & Conferencing| Conferencing[Zoom / Google Meet]
+    WebApp -->|Email + Webhooks| Messaging[Mailer (SMTP) + Webhooks]
+    WebApp -->|Analytics events| Observability[Metrics & Tracing Pipeline]
+
+    Supabase -->|Auth callbacks| WebApp
+    SupaFunctions -->|Automation| Supabase
+    Payments -->|webhooks| WebApp
+    Messaging -->|notifications| Users
+```
+
+## 2. Container Diagram
+```mermaid
+flowchart TB
+    subgraph Client
+        NextClient[Next.js Client Components]
+    end
+    subgraph Server
+        NextServer[Next.js Server Components & Route Handlers]
+        FeatureFlags[Feature Flag Service]
+        Worker[Background Workers (Jobs/Queues)]
+    end
+    subgraph DataPlane
+        SupabaseDB[(Supabase Postgres)]
+        Storage[(Supabase Storage)]
+        Search[Index & Vector Search]
+    end
+    subgraph External
+        PaymentAPI[Stripe/Razorpay/UPI]
+        ConferencingAPI[Zoom/Google Meet]
+        EmailAPI[SMTP Provider]
+        ObservabilityStack[Telemetry Collector → Dashboard]
+    end
+
+    NextClient <--> NextServer
+    NextServer -->|SQL/RPC| SupabaseDB
+    NextServer --> Storage
+    NextServer -->|search queries| Search
+    NextServer --> FeatureFlags
+    NextServer --> EmailAPI
+    NextServer --> ObservabilityStack
+    NextServer -->|webhooks| Worker
+    Worker --> SupabaseDB
+    Worker --> ObservabilityStack
+    Worker --> PaymentAPI
+    Worker --> ConferencingAPI
+    PaymentAPI --> NextServer
+    ConferencingAPI --> NextServer
+    EmailAPI --> Users
+```
+
+## 3. Component Diagram (Core Modules)
+```mermaid
+flowchart LR
+    subgraph Presentation
+        AppRouter[App Router Layouts]
+        SpaceShell[Space Shell & Navigation]
+        ContentTemplates[Article/Discussion/Q&A/Event Templates]
+        ReputationWidgets[XP, Badges, Leaderboards]
+        NotificationsPanel[Notification Center]
+    end
+
+    subgraph Domain Services
+        SpaceService[Spaces Service]
+        ContentService[Content Service]
+        TaxonomyService[Tags & Search Service]
+        ReputationService[Reputation & Privileges]
+        ModerationService[Moderation & Safety]
+        CommerceService[Donations/Bounties/Events]
+        MessagingService[Comments & Direct Messages]
+        NotificationService[Notifications & Webhooks]
+    end
+
+    subgraph Data Access
+        SupabaseClient[Supabase Typed Client]
+        FeatureFlagClient[Feature Flag SDK]
+        TelemetryClient[Telemetry SDK]
+    end
+
+    AppRouter --> SpaceShell
+    SpaceShell --> ContentTemplates
+    ContentTemplates --> SpaceService
+    ContentTemplates --> ContentService
+    ContentTemplates --> TaxonomyService
+    ContentTemplates --> MessagingService
+    ReputationWidgets --> ReputationService
+    NotificationsPanel --> NotificationService
+
+    SpaceService --> SupabaseClient
+    ContentService --> SupabaseClient
+    TaxonomyService --> SupabaseClient
+    TaxonomyService --> SearchEngine[Search Index]
+    ReputationService --> SupabaseClient
+    ModerationService --> SupabaseClient
+    CommerceService --> SupabaseClient
+    CommerceService --> PaymentGateway[Payment Gateway SDK]
+    MessagingService --> SupabaseClient
+    NotificationService --> SupabaseClient
+    NotificationService --> EmailAPI
+
+    SupabaseClient --> TelemetryClient
+    FeatureFlagClient --> AppRouter
+```
+
+## 4. Key Sequence Diagrams
+### 4.1 Article Publication with Reputation & Notifications
+```mermaid
+sequenceDiagram
+    participant C as Creator
+    participant UI as Next.js Client
+    participant API as Route Handler (Content Service)
+    participant DB as Supabase Postgres
+    participant Rep as Reputation Service
+    participant Notif as Notification Service
+
+    C->>UI: Draft article & click Publish
+    UI->>API: POST /api/content (draft_id, publish_at)
+    API->>DB: validate permissions + upsert posts, post_versions
+    DB-->>API: success
+    API->>Rep: record reputation_event(feature_flag="spaces_v1")
+    Rep->>DB: insert reputation event & update aggregate
+    API->>Notif: enqueue notifications (followers, space members)
+    Notif->>DB: insert notification rows & webhooks
+    Notif-->>API: queued
+    API-->>UI: 202 Created + publish metadata
+    UI->>C: Confirmation toast + redirect
+```
+
+### 4.2 Space Moderation Workflow
+```mermaid
+sequenceDiagram
+    participant Mod as Space Moderator
+    participant UI as Admin Console
+    participant API as Moderation Service
+    participant DB as Supabase
+    participant Audit as Audit Logger
+
+    Mod->>UI: Review reported post
+    UI->>API: POST /api/moderation/resolve {action: "remove", flag_id}
+    API->>DB: update report status, post visibility
+    API->>Audit: log action with user, role, reason
+    Audit->>DB: insert audit_logs entry
+    API-->>UI: success response
+    UI->>Mod: Display resolution & next steps
+```
+
+## 5. Architectural Principles
+1. **Feature-flag first:** Every new capability (Spaces, Q&A, Events, Commerce) ships behind env-configurable flags with safe defaults.
+2. **Supabase as system of record:** Postgres tables capture canonical content, community, and commerce data with RLS enforcing role matrix.
+3. **Modular domain services:** Route handlers delegate to typed service modules to keep business logic testable and reusable across server components and workers.
+4. **Telemetry baked in:** Each service emits metrics and traces for the KPIs defined in `/docs/08-observability.md`.
+5. **Reversible migrations:** SQL migrations include down scripts and backfill jobs with resume tokens.
+6. **Zero-trust external integrations:** Payments, conferencing, and email providers communicate through signed webhooks and rotate secrets regularly.