Completes the dev CORS origin set after an infra-drift reset discarded a local
kong.yml change (t_764c4b28). Tracked superset so a future kong reload can only
add origins, never drop a needed one. Live .94 kong unchanged (applies on next reload).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Extends 72 for the locked S4-9 shape taxonomy (no Band/span):
- exam_questions: add bounds jsonb + page int (the drawn Part box; null for
derived main questions).
- exam_response_areas: add context_type (v1 generic, future STEM differentiation);
extend kind CHECK to response|context|question_number|mark_area|reference|furniture.
Additive + idempotent. Applied to dev .94 and verified (columns present; CHECK
def lists all 6 kinds). NOT applied to prod .156.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Brings 71-class-management.sql (tracks the previously-untracked class schema + as-user
RLS helpers) and 72-exam-marker.sql (7 exam tables + RLS). Both applied + verified on
dev .94.
Adds the 7 Supabase tables (exam_templates, exam_questions, exam_response_areas,
exam_boundaries, marking_batches, student_submissions, mark_entries) with FKs,
indexes, updated_at triggers (reusing handle_updated_at), and inline RLS.
Authorization owned by this layer (exam API calls as-user): per-table service_role
passthrough + as-user policies scoped via user_institute_ids() (from 71); marks
readable by the owning teacher's batch and by the student themselves (UI deferred).
marking_batches.class_id FKs to public.classes (71).
Applied + verified on dev .94: 7 tables, RLS on, class_id FK valid, teacher can
insert+read a template under RLS. Stacked on feat/class-management-foundation.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The classes/class_teachers/class_students/enrollment_requests tables existed
only on live dev (.94) with no tracked DDL, and RLS exposed class_students /
class_teachers to service_role ONLY — so any API path calling Supabase as the
user read zero rows.
- 71-class-management.sql captures the real schema (idempotent), adds SECURITY
DEFINER membership helpers, and adds as-user RLS policies (cs_read/cs_write,
ct_read/ct_write, classes_admin_write, er_class_staff) while preserving the
existing service_role / institute_read / er_own policies.
Applied + verified on dev .94: class teacher sees roster (1), unrelated teacher
denied (0), service_role unaffected (full). FKs/uniques/checks already present
on .94 (no constraint changes needed).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
