Improve security by auditing service role key usage in edge functions

Audit and document the usage of service role keys in multiple Supabase edge functions (cancel-email-change, process-selective-approval, seed-test-data) to ensure secure and scoped access.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: fe5b902e-beda-40fc-bf87-a3c4ab300e3a
Replit-Commit-Checkpoint-Type: intermediate_checkpoint

supabase/functions/seed-test-data/index.ts

@@ -35,6 +35,13 @@ Deno.serve(async (req) => {
   }
 
   try {
+    // SECURITY: Service Role Key Usage
+    // ---------------------------------
+    // This function uses the service role key to seed test data bypassing RLS.
+    // This is required because:
+    // 1. Test data generation needs to create entities in protected tables
+    // 2. Moderator role is verified via is_moderator() RPC call before proceeding
+    // Scope: Limited to moderators only, for test/development purposes
     const supabaseUrl = Deno.env.get('SUPABASE_URL')!;
     const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!;
     const supabase = createClient(supabaseUrl, supabaseServiceKey);