RLS and audit boundaries that must stay green (verified passing) before the app goes live for families.
This page summarizes the source-backed proof for four boundaries: cross-team access denial, read-only behavior for archived seasons, guardian-scoped RSVP writes, and production audit events. Each entry names the boundary, the check that proves it, and the file that enforces or exercises it.
Cross-team access denial
The live QA check signs in as a parent and queries a player on another team; it expects zero rows back (RLS filters the row rather than returning a permission error on reads).
Source: scripts/verify-rls-boundaries.mjs
Archived season read-only writes
RLS write policies require the team's season to be active before any team branding, event, or RSVP mutation; rows that belong to an archived season remain readable but cannot be changed.
Source: supabase/migrations/0013_archived_season_read_only.sql
Archived season live denial
The live QA check signs in as a coach whose membership is on an archived team and attempts to update one of that team's events; it expects the update to be denied.
Source: scripts/verify-rls-boundaries.mjs
Guardian-scoped RSVP writes
RLS permits a parent to write an RSVP only when the parent holds an active guardian link to the player and the player and the event belong to the same team.
Source: supabase/migrations/0012_rsvp_guardian_scope.sql
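The following is an added illustration of the policy shape the three RLS entries above describe (cross-team read denial, active-season write gating, and guardian-scoped RSVP writes). It is not the project's own migrations; every table, column, role and function name is an assumption chosen for the example. It targets Postgres as shipped by Supabase, where auth.uid() returns the JWT subject and authenticated is the role of a signed-in user.

```sql
-- Added example, not the project's migrations. All names below are assumptions.
create table public.seasons (
  id       uuid primary key default gen_random_uuid(),
  team_id  uuid not null,
  status   text not null check (status in ('active', 'archived'))
);
create table public.players (
  id       uuid primary key default gen_random_uuid(),
  team_id  uuid not null
);
create table public.events (
  id         uuid primary key default gen_random_uuid(),
  team_id    uuid not null,
  season_id  uuid not null references public.seasons (id),
  title      text not null
);
-- A parent acts for a player only through an active guardian link.
create table public.guardian_links (
  guardian_id  uuid not null,  -- auth.users.id of the parent
  player_id    uuid not null references public.players (id),
  active       boolean not null default true,
  primary key (guardian_id, player_id)
);
create table public.team_memberships (
  user_id  uuid not null,
  team_id  uuid not null,
  role     text not null check (role in ('coach', 'admin')),
  primary key (user_id, team_id)
);
create table public.rsvps (
  id           uuid primary key default gen_random_uuid(),
  event_id     uuid not null references public.events (id),
  player_id    uuid not null references public.players (id),
  guardian_id  uuid not null,
  status       text not null check (status in ('yes', 'no', 'maybe'))
);

-- Deny by default: with RLS enabled and no matching policy, a query returns no
-- rows and a write is rejected. FORCE also binds the table owner (roles with
-- BYPASSRLS are still exempt).
alter table public.players enable row level security;
alter table public.players force row level security;
alter table public.events  enable row level security;
alter table public.events  force row level security;
alter table public.rsvps   enable row level security;
alter table public.rsvps   force row level security;

-- Shared predicate: is the caller an active guardian of this player?
-- SECURITY INVOKER, so if guardian_links ever gets RLS the caller's policies apply.
create or replace function public.is_guardian_of(p_player_id uuid)
returns boolean
language sql stable security invoker
set search_path = public
as $$
  select exists (
    select 1 from public.guardian_links gl
    where gl.guardian_id = auth.uid()
      and gl.player_id   = p_player_id
      and gl.active
  );
$$;

-- Cross-team denial: a parent reads only linked players, so selecting another
-- team's player yields zero rows rather than an error.
create policy players_select_guardian on public.players
  for select to authenticated
  using (public.is_guardian_of(id));

-- Team members can read their team's events ...
create policy events_select_member on public.events
  for select to authenticated
  using (exists (
    select 1 from public.team_memberships m
    where m.user_id = auth.uid() and m.team_id = events.team_id
  ));

-- ... but coaches/admins may update them only while the season is active.
-- The season check sits in WITH CHECK so an archived event fails loudly with
-- SQLSTATE 42501; in USING alone it would silently update zero rows.
create policy events_update_active_season on public.events
  for update to authenticated
  using (exists (
    select 1 from public.team_memberships m
    where m.user_id = auth.uid() and m.team_id = events.team_id
  ))
  with check (exists (
    select 1 from public.seasons s
    where s.id = events.season_id and s.status = 'active'
  ));

-- Guardian-scoped RSVP writes: caller is the guardian on the row, holds an
-- active link to the player, and player + event share a team in an active season.
create policy rsvps_insert_guardian on public.rsvps
  for insert to authenticated
  with check (
    guardian_id = auth.uid()
    and public.is_guardian_of(player_id)
    and exists (
      select 1
      from public.events  e
      join public.players p on p.team_id = e.team_id
      join public.seasons s on s.id = e.season_id
      where e.id = rsvps.event_id
        and p.id = rsvps.player_id
        and s.status = 'active'
    )
  );
```

When writing a QA check against policies like these, assert on the shape of the denial the policy actually produces: a read blocked by USING returns zero rows and no error, while a write blocked by WITH CHECK raises 42501. A check that only looks for an error will pass a silently filtered UPDATE 0 as "denied" and miss a policy that merely hid the row instead of rejecting the write.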
Production audit log coverage
Admin membership changes create audit_events rows recording the actor, the target member, the action taken, and the organization the change is scoped to.
Source: lib/supabase/memberships.ts
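As an added illustration of the audit entry described above, here is a database-side variant that records the same four fields (actor, target, action, organization scope) from a trigger, so that a membership change cannot reach the table without producing an audit row. This is not the project's lib/supabase/memberships.ts, which writes the event from application code; the table, column and function names are assumptions.

```sql
-- Added example, not the project's code. All names below are assumptions.
create table public.team_memberships (
  user_id          uuid not null,
  team_id          uuid not null,
  organization_id  uuid not null,
  role             text not null check (role in ('coach', 'admin', 'parent')),
  primary key (user_id, team_id)
);

create table public.audit_events (
  id               bigint generated always as identity primary key,
  occurred_at      timestamptz not null default now(),
  organization_id  uuid not null,   -- scope of the change
  actor_id         uuid,            -- auth.uid() of the admin; null for service-role jobs
  target_user_id   uuid not null,   -- member whose row changed
  action           text not null,   -- membership.insert / membership.update / membership.delete
  detail           jsonb not null default '{}'::jsonb
);

-- Append-only from the client's point of view: no role used by the app may
-- insert, change or remove audit rows directly. Reads are granted by a
-- separate SELECT policy for organization admins (not shown here).
alter table public.audit_events enable row level security;
revoke insert, update, delete on public.audit_events from authenticated, anon;

-- SECURITY DEFINER so the insert succeeds even though the invoking role has no
-- insert privilege; search_path is pinned so the function cannot be redirected.
create or replace function public.log_membership_change()
returns trigger
language plpgsql security definer
set search_path = public
as $$
declare
  r record;
begin
  if tg_op = 'DELETE' then
    r := old;
  else
    r := new;
  end if;

  insert into public.audit_events
    (organization_id, actor_id, target_user_id, action, detail)
  values (
    r.organization_id,
    auth.uid(),
    r.user_id,
    'membership.' || lower(tg_op),
    jsonb_build_object('old', to_jsonb(old), 'new', to_jsonb(new))
  );

  if tg_op = 'DELETE' then
    return old;
  end if;
  return new;
end;
$$;

create trigger team_memberships_audit
  after insert or update or delete on public.team_memberships
  for each row execute function public.log_membership_change();
```

The trade-off between this and the application-layer approach the page cites is coverage versus context: a trigger captures every path that touches the table, including manual fixes run with the service role, but it only knows what the row and the JWT contain, whereas code in memberships.ts can attach request-level context (invitation id, UI origin) that the database never sees. Either way, the check that matters for this boundary is that no client role can write or delete audit rows.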