From 05acd4933436c96fcf53acd1034302301eca369c Mon Sep 17 00:00:00 2001
From: "gpt-engineer-app[bot]" <159125892+gpt-engineer-app[bot]@users.noreply.github.com>
Date: Tue, 4 Nov 2025 16:30:33 +0000
Subject: [PATCH] Fix RLS policy for test data registry
---
...7_0b5975ea-d452-45aa-8dd4-77b41c557351.sql | 31 +++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 supabase/migrations/20251104163017_0b5975ea-d452-45aa-8dd4-77b41c557351.sql
diff --git a/supabase/migrations/20251104163017_0b5975ea-d452-45aa-8dd4-77b41c557351.sql b/supabase/migrations/20251104163017_0b5975ea-d452-45aa-8dd4-77b41c557351.sql
new file mode 100644
index 00000000..dc9aea67
--- /dev/null
+++ b/supabase/migrations/20251104163017_0b5975ea-d452-45aa-8dd4-77b41c557351.sql
@@ -0,0 +1,31 @@
+-- Relax RLS on test_data_registry to not require MFA for management operations
+-- Separate SELECT (viewing) from INSERT/UPDATE/DELETE (management)
+
+-- Drop ALL existing policies on test_data_registry
+DROP POLICY IF EXISTS "Moderators can manage test data registry" ON test_data_registry;
+DROP POLICY IF EXISTS "Moderators can view test data registry" ON test_data_registry;
+
+-- Keep MFA requirement for viewing (sensitive operation tracking)
+CREATE POLICY "Moderators can view test data registry"
+ON test_data_registry
+FOR SELECT
+TO authenticated
+USING (
+ is_moderator(auth.uid())
+ AND (
+ (NOT EXISTS (
+ SELECT 1 FROM auth.mfa_factors
+ WHERE user_id = auth.uid() AND status = 'verified'
+ ))
+ OR has_aal2()
+ )
+);
+
+-- Allow moderators to insert/update/delete without MFA requirement
+-- Test data cleanup is a low-risk development operation
+CREATE POLICY "Moderators can manage test data registry"
+ON test_data_registry
+FOR ALL
+TO authenticated
+USING (is_moderator(auth.uid()))
+WITH CHECK (is_moderator(auth.uid()));
\ No newline at end of file
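Review bot: The `FOR ALL` policy at the end of the hunk also applies to SELECT, and PostgreSQL ORs permissive policies for the same command, so any moderator can read `test_data_registry` through "Moderators can manage test data registry" without the MFA condition in the view policy ever having to pass. To keep the "Keep MFA requirement for viewing" intent, replace the `FOR ALL` policy with separate `FOR INSERT`, `FOR UPDATE` and `FOR DELETE` policies as sketched below; the new policy names are placeholders. UPDATE and DELETE statements that filter with `WHERE` or use `RETURNING` are still subject to the SELECT policy, so confirm that cleanup by a moderator who has a verified factor but no aal2 session behaves as intended. The view policy also lets moderators with no verified factor read without MFA, which looks deliberate but deserves a comment saying so; `is_moderator` and `has_aal2` are defined outside this hunk.

```sql
-- … unchanged: DROP POLICY statements and the FOR SELECT policy …
CREATE POLICY "Moderators can insert test data registry"
ON test_data_registry
FOR INSERT
TO authenticated
WITH CHECK (is_moderator(auth.uid()));

CREATE POLICY "Moderators can update test data registry"
ON test_data_registry
FOR UPDATE
TO authenticated
USING (is_moderator(auth.uid()))
WITH CHECK (is_moderator(auth.uid()));

CREATE POLICY "Moderators can delete test data registry"
ON test_data_registry
FOR DELETE
TO authenticated
USING (is_moderator(auth.uid()));
```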