Fix security definer view issue by enabling security_invoker on grouped_alerts_view and implement grouped alerts system with new keys, hooks, components, and monitoring overview integration. Added migration to adjust view, updated query keys, created useGroupedAlerts, useAlertGroupActions, GroupedAlertsPanel, and updated MonitoringOverview to include grouped alerts.
Update: implement grouped_alerts_view migration and address security definer concerns by noting default SECURITY INVOKER behavior for views and ensuring RLS policies on underlying tables apply. This commit covers the view creation and related security clarifications for alert grouping feature.
Implement loading state, confirmation dialog, and related UI changes for resolving rate limit alerts:
- Add resolvingAlertId state
- Use ConfirmationDialog for safe resolution
- Update Resolve button to ghost variant with CheckCircle icon and loading behavior
- Wire up loading and disable states during mutation
Implement monitor-rate-limits edge function to compare metrics against alert configurations, trigger notifications, and record alerts; update config and groundwork for admin UI integration.
Approved Lovable tool use and migration updates to fix security warning and add monitoring edge function. Prepare and apply migrations to ensure search_path is set to public and implement monitoring endpoint for rate limit metrics.
Add a React admin dashboard component to visualize rate limit metrics and statistics, including data fetching from the rate-limit-metrics edge function, charts and statistics, and admin routes/integration. Includes setup for routing and UI scaffolding to display total requests, block rate, top blocked IPs/users, and recent activity with interactive charts.
Update database migration to fix create_submission_with_items to use relational park_submission_locations for location data, removing temp_location_data usage; add corresponding TypeScript type cleanup to drop temp_location_data field from submission data types.
Refactor to store park location data relationally:
- Retrieve park_submission_id from park_submissions
- Remove embedded temp_location_data usage
- Update park_submissions without location, then upsert location into park_submission_locations
- Align behavior with updateSubmissionItems pattern to fix JSON storage in Item history
Refactor src/lib/integrationTests/suites/moderationDependencyTests.ts to replace direct submission_items inserts with proper submission helper usage (submitParkCreation), aligning with relational schema. Update dep-001 to create parks via helpers and adjust item retrieval/cleanup accordingly. Modify dep-002 to verify relational submission structure via helpers, ensuring tests interact with new schema and avoid legacy item_data usage. This fixes schema/mapping mismatches and aligns tests with the approved Phase 2 approach.
Implements a CleanupReport UI component to display detailed cleanup results after test runs, including tables cleaned, records deleted per table, duration, and errors. Integrates with IntegrationTestRunner to show cleanup summary post-run and exports a compact inline view.
Adds a new test data cleanup utility to safely remove test fixtures after integration test suites. Includes type-safe cleanup functions for parks, rides, companies, ride_models, locations, and submissions, with safety checks (is_test_data filters) and progress logging. Integrates cleanup invocation post-run to prevent database bloat and preserves safety against prod data deletion.
Add phase 2 migration for moderator INSERT policies and enhance test runner rate-limit mitigations:
- Introduce migration 20251110_fix_missing_insert_policies_phase2.sql to grant moderator INSERT capabilities for park_submission_locations, parks, rides, companies, ride_models, and locations with MFA checks.
- Update test runner to 8s base delays, preemptive cooldowns before heavy suites, and 18s post-suite delays for heavy suites, improving rate-limit handling.
Enhance retry logic to detect 429 rate limits, parse Retry-After headers, and apply smart backoff across all entity submissions. Adds rate-limit-aware backoff, preserves user feedback via UI events, and ensures retries respect server-provided guidance.
Add exponential backoff retry logic with user feedback
- Integrate with existing withRetry patterns
- Introduce unique retry IDs for submissions
- Emit consistent UI events for retry progress, success, and failure
- Enhance rate-limit handling including Retry-After scenarios
- Standardize baseDelay and shouldRetry across park, ride, company, ride_model, and other submissions
Implemented end-to-end fixes:
- Added INSERT RLS policies for park_submissions, ride_submissions, company_submissions, ride_model_submissions, and photo_submissions (own submissions and moderator access)
- Fixed process_approval_transaction to replace ride_type with category and updated references accordingly
- Enhanced rate limiting in testRunner.ts with a 6s base delay and 12s adaptive delays after submission-heavy suites
Adds comprehensive error pattern matching in formatTestError to detect and format Supabase constraint violations (RLs, not-null, unique, foreign keys, check constraints, and related schema/permission issues) into actionable messages, extracting relevant details for clearer test failure guidance. Includes handling for common error shapes and preserves fallback messaging.
Apply quick wins and pipeline fixes for integration tests:
- Remove is_test_data flag from location inserts
- Increase test delay from 2.5s to 5s and add delays between suites to curb rate limiting
- Replace [object Object] error formatting with formatTestError across 10 test suites (31 edits) and add import
- Refactor unit/conversion tests and performance tests to use the approval pipeline
- Extend edge function handling by ensuring item_ids are included in idempotency key inserts (edge function fix)
- Update auth, data integrity, edgeFunction, moderation, performance, submission, unitConversion, and versioning test files accordingly
Introduce visible countdown indicators for rate-limit delays between tests:
- Extend test runner to emit and expose delay progress updates.
- Update IntegrationTestRunner UI to display countdown while pausing.
- Ensure users see why tests are paused during delays.
Introduce automatic delay between test executions in the test runner to prevent rate limiting. Added a delayBetweenTests config (default 2.5s), a delay() helper, and updated runSuite to wait between tests. This helps avoid "Too many submissions in a short time" errors during test runs.
- Replace [object Object] errors with readable messages by using robust error formatting across test suites
- Introduce formatTestError helper and apply it in all catch blocks and error throws
- Update approvalPipelineTests and related suites to utilize improved error extraction for better debugging
Refactor versioningTests.ts, submissionTests.ts, and dataIntegrityTests.ts to replace direct DB inserts with the submission pipeline (submitParkCreation → approve → verify), aligning tests with RLS policies and validation flows.
Apply Phase 1 and 2 fixes:
- Remove display_name from location objects in approvalTestHelpers.ts
- Update submission_type to park/ride instead of park_create/ride_create
Add Markdown formatting utilities for test results, wire up clipboard copy in IntegrationTestRunner, and export new formatters. Introduce formatters.ts, extend index.ts exports, and implement copy all / copy failed / per-test copy functionality with updated UI.
Merge Testing and Integration Tests into a single Testing control center in AdminSettings. Remove the separate integration-tests tab, and update the Testing tab to render both Test Data Generator and Integration Test Runner together, with appropriate headers and icons (Database and TestTube). Add Database to imports.
Expand approvalPipelineTests with 12 tests: park/ride updates, composites, photo galleries, edge cases (locks, invalid refs, banned users), and versioning. Include helpers for photo submissions and direct entity creation, plus photo gallery support and invalid temp-ref handling.
Implement integration plan to connect to Lovable Cloud by adopting the Lovable Cloud toolchain flow:
- Initiate tool-based wiring for Lovable Cloud connectivity
- Set up scaffolding to enable approved workflow and data exchange with Lovable Cloud
- Prepare for secure auth/session handling and API interactions
- Outline groundwork for subsequent implementation steps in the Lovable Cloud integration path
- Implement new unified monitoring hub by adding EdgeFunctionLogs, DatabaseLogs, CorrelatedLogsView, and UnifiedLogSearch components
- Integrate new tabs (edge-functions, database, traces) into ErrorMonitoring and expose TraceViewer route
- Update admin sidebar link to reflect Monitoring hub and extend error modals with log-correlation actions
- Wire up app to include trace viewer route and adjust related components for unified log correlation
Integrate Lovable Cloud tracing updates by enabling distributed tracing in edge functions, adjusting breadcrumb/trace propagation, and preparing RPC span handling. Files touched include edgeFunctionTracking and related RPC tracing scaffolding.
Implement distributed tracing across edge functions:
- Introduce span types and utilities (logger.ts enhancements)
- Replace request tracking with span-based tracing in approval and rejection flows
- Propagate and manage W3C trace context in edge tracking
- Add span visualization scaffolding (spanVisualizer.ts) and admin TraceViewer UI (TraceViewer.tsx)
- Create tracing-related type definitions and support files
- Prepare RPC call logging with span context and retries
Refactor: remove duplicate photo handling from useModerationActions.ts and ensure all photo approvals flow through the atomic process_approval_transaction path. This includes deleting the direct DB update block for photos and relying on the unified approval flow through the edge function. Also note required npm install for package-lock.json.
Created atomic rejection edge function process-selective-rejection and RPC, updated moderation client to use it, and ensured resilience; added CORS wrapper. Reminder: generate package-lock.json by running npm install.
- Adds atomic rejection transaction edge function and RPC
- Updates moderation client to use new rejection path
- Introduces rejection transaction migration and supporting readouts
- Moves photo-related approval handling toward RPC-based flow
- Lays groundwork for idempotency and resilience in moderation actions
The `update_entity_from_submission` function has been updated to correctly handle category fields for rides and ride models. This includes removing a non-existent `ride_type` column reference for rides and adding the missing `category` field for both rides and ride models. The `ride_type` field for ride models has been retained. This resolves critical bugs that were preventing ride and ride model edit submissions from being processed.
The migration to fix timeline event approval and park location creation has been successfully applied. This includes adding the necessary JOINs and data building logic for timeline events in `process_approval_transaction`, and implementing logic in `create_entity_from_submission` to create new locations for parks when location data is provided but no `location_id` exists.
The Lovable Cloud tool was approved and used to apply a migration. This migration fixes a critical bug in the composite submission approval process by resolving temporary references to actual entity IDs, ensuring correct foreign key population and data integrity.
Implement ban evasion reporting for the photo upload component to ensure consistency with other submission types. This change adds a call to `reportBanEvasionAttempt` when a banned user attempts to upload photos, logging the incident to system alerts.
Extend existing alert system to include real-time monitoring for rate limit violations and ban evasion attempts. This involves adding new reporting functions to `pipelineAlerts.ts`, integrating these functions into submission and company helper files, updating the admin dashboard component to display new alert types, and creating a database migration for the new alert type.
Implement comprehensive error recovery mechanisms for the photo upload pipeline in `UppyPhotoSubmissionUpload.tsx`. This includes adding exponential backoff to retries, graceful degradation for partial uploads, and cleanup for orphaned Cloudflare images. The changes also enhance error tracking and user feedback for failed uploads.
Implement rate limiting for `submitCompanyCreation` and `submitCompanyUpdate` to prevent abuse and ensure pipeline integrity. This includes adding checks for submission rate limits and recording submission attempts.
Added `recordSubmissionAttempt(userId)` to `submitParkCreation`, `submitParkUpdate`, `submitRideCreation`, and `submitRideUpdate` in `src/lib/entitySubmissionHelpers.ts`. This ensures that rate limit counters are incremented after a successful rate limit check, closing a vulnerability that allowed for unlimited submissions of parks and rides.
Implement Phase 4 by adding `recordSubmissionAttempt` and `withRetry` logic to the ban check for composite submissions. This ensures better error handling and prevents bypass of ban checks due to transient network issues.
Apply migration to enhance the `validate_submission_items_for_approval` function with specific error codes and item details. Update `process_approval_transaction` to utilize this enhanced error information for improved debugging and monitoring. This completes Phase 3 of the pipeline audit.
Implement rate limiting, ban checks, retry logic, and breadcrumb tracking for ride model creation and update functions. Wrap existing ban checks and database operations in retry logic.
Implement rate limiting, ban checks, retry logic, and breadcrumb tracking for all 8 company submission functions: manufacturer, designer, operator, and property_owner (both create and update). This ensures consistency with other protected entity types and enhances the robustness of the submission pipeline.
Update the `process_approval_transaction` function to utilize the new `error_code` and `item_details` returned by the enhanced `validate_submission_items_for_approval` function. This will improve error handling and debugging by providing more specific information when validation fails.
Implement rate limiting, validation, retry logic, and ban checking for photo and timeline submissions. This includes updates to `UppyPhotoSubmissionUpload.tsx` and `entitySubmissionHelpers.ts`.
