The previous commit added apikey to _create_base_client headers, but supabase-py
already sets apikey from the key arg → two apikey headers → Kong rejected every
as-user call with 401 'Duplicate API key found' (exam API 502'd on auth). Revert
to Authorization-only; fix the two header unit tests to assert the real contract
(apikey via the key arg; options.headers carries only the user Authorization).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- client.py: set apikey explicitly in _create_base_client headers (Kong needs it
on every request; for per-user clients apikey stays anon while Authorization
carries the user JWT). Fixes the 2 stale header unit tests that asserted apikey
in options.headers, and is robust against supabase-py default-header changes.
- test_dev_stack: exact == seed counts → >= baselines. The greenfield seed sets a
floor; additive exam-marker fixtures (S4-4 cohort) legitimately push live .94
counts above the old snapshot. >= still catches a broken/missing seed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
supabase-py injects apikey internally via create_client(url, key). Manually
setting headers['apikey'] caused PostgREST to log "Duplicate API key found /
JSON could not be generated" on every bootstrap request.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
