Fix RLS policy for test data registry

supabase/migrations/20251104163017_0b5975ea-d452-45aa-8dd4-77b41c557351.sql

@@ -0,0 +1,31 @@
+-- Relax RLS on test_data_registry to not require MFA for management operations
+-- Separate SELECT (viewing) from INSERT/UPDATE/DELETE (management)
+
+-- Drop ALL existing policies on test_data_registry
+DROP POLICY IF EXISTS "Moderators can manage test data registry" ON test_data_registry;
+DROP POLICY IF EXISTS "Moderators can view test data registry" ON test_data_registry;
+
+-- Keep MFA requirement for viewing (sensitive operation tracking)
+CREATE POLICY "Moderators can view test data registry"
+ON test_data_registry
+FOR SELECT
+TO authenticated
+USING (
+  is_moderator(auth.uid()) 
+  AND (
+    (NOT EXISTS (
+      SELECT 1 FROM auth.mfa_factors 
+      WHERE user_id = auth.uid() AND status = 'verified'
+    ))
+    OR has_aal2()
+  )
+);
+
+-- Allow moderators to insert/update/delete without MFA requirement
+-- Test data cleanup is a low-risk development operation
+CREATE POLICY "Moderators can manage test data registry"
+ON test_data_registry
+FOR ALL
+TO authenticated
+USING (is_moderator(auth.uid()))
+WITH CHECK (is_moderator(auth.uid()));