The classes/class_teachers/class_students/enrollment_requests tables existed
only on live dev (.94) with no tracked DDL, and RLS exposed class_students /
class_teachers to service_role ONLY — so any API path calling Supabase as the
user read zero rows.
- 71-class-management.sql captures the real schema (idempotent), adds SECURITY
DEFINER membership helpers, and adds as-user RLS policies (cs_read/cs_write,
ct_read/ct_write, classes_admin_write, er_class_staff) while preserving the
existing service_role / institute_read / er_own policies.
Applied + verified on dev .94: class teacher sees roster (1), unrelated teacher
denied (0), service_role unaffected (full). FKs/uniques/checks already present
on .94 (no constraint changes needed).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
