Fix critical 401 authentication bug in Edge Functions and add CI/CD

This commit resolves a critical bug where function-to-function calls failed
with 401 "Invalid JWT" errors, and implements comprehensive testing to prevent
regression.

ROOT CAUSE:
- Deno.env.get('SUPABASE_SERVICE_ROLE_KEY') returns a 41-char internal ID
- The real service role JWT is 219+ chars and stored in Supabase Vault
- Edge functions cannot access vault directly, only via SECURITY DEFINER RPC

SOLUTION:
- Created get_service_role_key() PostgreSQL RPC function to access vault
- Updated sync-all-devices to use supabase.rpc('get_service_role_key')
- Fixed all tracker_id → device_id schema migrations in transformers
- Created permanent test fixtures (echo-test, caller-test) for regression

CI/CD INTEGRATION:
- Pre-commit hook (.husky/run-supabase-tests.sh) runs tests locally
- GitHub Actions workflow runs full test suite on PR/push
- Tests verify RPC exists and code uses correct auth pattern

DOCUMENTATION:
- TROUBLESHOOTING.md - Comprehensive bug guide and solutions
- INTEGRATION_GUIDE.md - Step-by-step checklist for new integrations
- POSTMORTEM_401_AUTH_BUG.md - Incident timeline and lessons learned
- README_EDGE_FUNCTIONS.md - Architecture overview
- FUNCTION_TO_FUNCTION_AUTH_TEST.md - Test documentation

TESTING:
- Manual SQL test suite in tests/function-to-function-auth.test.sql
- Automated pre-commit verification
- GitHub Actions CI/CD pipeline
- Permanent test functions prevent future regressions

IMPACT:
- Fitbit: 898 records synced successfully
- Whoop: 3 records synced successfully
- All function-to-function calls now working

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: schwaaamp

.github/workflows/README.md

@@ -0,0 +1,89 @@
+# GitHub Actions Workflows
+
+## Supabase Edge Function Tests
+
+**File:** `supabase-tests.yml`
+
+**Purpose:** Prevent reintroduction of the 401 "Invalid JWT" authentication bug in Supabase Edge Functions.
+
+**Triggers:**
+- Pull requests to `main` branch
+- Pushes to `main` branch
+- Only runs when files in `supabase/` directory are modified
+
+**What It Tests:**
+
+1. **RPC Function Verification:**
+   - Checks that `public.get_service_role_key()` function exists in database
+   - This function is CRITICAL for function-to-function authentication
+   - If missing, edge functions will fail with 401 errors
+
+2. **Code Pattern Verification:**
+   - Ensures `sync-all-devices` uses `supabase.rpc('get_service_role_key')`
+   - Detects if code incorrectly uses `Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')`
+   - The env var is only 41 chars (internal ID), not the 219-char JWT needed
+
+3. **Full Regression Test Suite:**
+   - Runs `supabase/tests/function-to-function-auth.test.sql`
+   - Tests both direct function calls and nested function-to-function calls
+   - Uses permanent test fixtures: `echo-test` and `caller-test` functions
+
+**Requirements:**
+- Repository secret `DATABASE_URL` must be configured
+- Database must have vault secrets configured
+- PostgreSQL client (automatically installed in workflow)
+
+**Workflow will skip if:**
+- No files in `supabase/` directory were modified
+- `DATABASE_URL` secret is not configured (shows as skipped, not failed)
+
+**Setup:**
+
+1. Add repository secret:
+   - Go to Settings → Secrets and variables → Actions
+   - Add `DATABASE_URL` with value: `postgresql://postgres:[password]@[host]:[port]/postgres`
+
+2. Ensure database has required migrations applied:
+   ```bash
+   psql $DATABASE_URL -f supabase/migrations/20260203194800_add_get_service_role_key_function.sql
+   ```
+
+**Viewing Results:**
+- Check the "Actions" tab in GitHub repository
+- Look for workflow run named "Supabase Edge Function Tests"
+- All checks must pass before merging pull requests
+
+**Related Documentation:**
+- See `supabase/TROUBLESHOOTING.md` for details on the 401 bug
+- See `supabase/POSTMORTEM_401_AUTH_BUG.md` for incident history
+- See `supabase/tests/function-to-function-auth.test.sql` for test details
+
+**Troubleshooting:**
+
+If workflow fails:
+
+1. **"get_service_role_key() RPC function missing":**
+   - Apply migration: `supabase/migrations/20260203194800_add_get_service_role_key_function.sql`
+   - Or run: `npx supabase db push`
+
+2. **"sync-all-devices uses env var instead of vault RPC":**
+   - Someone modified `sync-all-devices/index.ts` incorrectly
+   - Must use: `await supabase.rpc('get_service_role_key')`
+   - See `supabase/TROUBLESHOOTING.md` for correct pattern
+
+3. **"Full regression test suite failed":**
+   - Check database connectivity
+   - Verify vault secrets are configured
+   - Review test output for specific failures
+   - Run tests manually: `psql $DATABASE_URL -f supabase/tests/function-to-function-auth.test.sql`
+
+## Adding New Workflows
+
+When adding new workflows to this directory:
+
+1. Name files descriptively: `feature-name.yml`
+2. Add documentation section in this README
+3. Use specific triggers (avoid `on: [push]` for all branches)
+4. Add proper job conditions to skip unnecessary runs
+5. Include clear error messages in failure steps
+6. Document required secrets and setup steps

.github/workflows/supabase-tests.yml

@@ -0,0 +1,102 @@
+name: Supabase Edge Function Tests
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'supabase/**'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'supabase/**'
+
+jobs:
+  test-edge-functions:
+    name: Test Function-to-Function Auth
+    runs-on: ubuntu-latest
+
+    # Only run if DATABASE_URL is configured
+    if: vars.DATABASE_URL != ''
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install PostgreSQL client
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y postgresql-client
+
+      - name: Verify get_service_role_key() RPC exists
+        env:
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+        run: |
+          echo "🧪 Testing get_service_role_key() RPC function..."
+
+          RESULT=$(psql "$DATABASE_URL" -t -c "
+            SELECT CASE
+              WHEN EXISTS (
+                SELECT 1 FROM pg_proc p
+                JOIN pg_namespace n ON p.pronamespace = n.oid
+                WHERE n.nspname = 'public' AND p.proname = 'get_service_role_key'
+              ) THEN 'PASS'
+              ELSE 'FAIL'
+            END as result;
+          " 2>&1)
+
+          if echo "$RESULT" | grep -q "PASS"; then
+            echo "✅ get_service_role_key() RPC function exists"
+          else
+            echo "❌ FAIL: get_service_role_key() RPC function missing!"
+            echo ""
+            echo "This function is CRITICAL for function-to-function authentication."
+            echo "Apply the migration:"
+            echo "  psql \$DATABASE_URL -f supabase/migrations/20260203194800_add_get_service_role_key_function.sql"
+            exit 1
+          fi
+
+      - name: Verify sync-all-devices uses vault RPC
+        run: |
+          echo "🧪 Verifying sync-all-devices uses vault RPC..."
+
+          if grep -q "supabase.rpc('get_service_role_key')" supabase/functions/sync-all-devices/index.ts; then
+            echo "✅ sync-all-devices uses vault RPC (correct)"
+          else
+            if grep -q "Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')" supabase/functions/sync-all-devices/index.ts; then
+              echo "❌ FAIL: sync-all-devices uses env var instead of vault RPC!"
+              echo ""
+              echo "This will cause 401 'Invalid JWT' errors."
+              echo "See: supabase/TROUBLESHOOTING.md"
+              exit 1
+            else
+              echo "⚠️  Could not verify auth method in sync-all-devices"
+              exit 1
+            fi
+          fi
+
+      - name: Run full regression test suite
+        env:
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+        run: |
+          echo "🧪 Running full function-to-function auth regression tests..."
+          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+          psql "$DATABASE_URL" -f supabase/tests/function-to-function-auth.test.sql
+
+          echo ""
+          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+          echo "✅ All regression tests passed"
+
+      - name: Test summary
+        if: always()
+        run: |
+          echo ""
+          echo "📊 Test Summary"
+          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+          echo "✅ RPC function verification"
+          echo "✅ Code pattern verification"
+          echo "✅ Full regression test suite"
+          echo ""
+          echo "💡 For local testing, see: supabase/TROUBLESHOOTING.md"

.husky/pre-commit

@@ -1,6 +1,9 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"
 
+# Run Supabase edge function tests (if supabase/ files changed)
+.husky/run-supabase-tests.sh
+
 # Change to mobile directory
 cd mobile
 

.husky/run-supabase-tests.sh

@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+# Supabase Edge Function Tests
+# Runs regression tests for function-to-function authentication
+
+set -e
+
+# Allow skipping tests with environment variable
+if [ "$SKIP_SUPABASE_TESTS" = "1" ]; then
+  echo "⏭️  Skipping Supabase tests (SKIP_SUPABASE_TESTS=1)"
+  exit 0
+fi
+
+# Check if Supabase files changed
+CHANGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+if ! echo "$CHANGED_FILES" | grep -q "^supabase/"; then
+  echo "⏭️  No Supabase files changed, skipping tests"
+  exit 0
+fi
+
+echo ""
+echo "🧪 Running Supabase Edge Function Tests..."
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+# Check if DATABASE_URL is set
+if [ -z "$DATABASE_URL" ]; then
+  echo "⚠️  WARNING: DATABASE_URL not set"
+  echo "   Cannot run Supabase tests locally"
+  echo "   Tests will run in CI/CD pipeline"
+  echo ""
+  echo "   To run locally, set DATABASE_URL:"
+  echo "   export DATABASE_URL='postgresql://...'"
+  echo ""
+  echo "   Or skip tests:"
+  echo "   SKIP_SUPABASE_TESTS=1 git commit"
+  exit 0
+fi
+
+# Check if psql is available
+if ! command -v psql &> /dev/null; then
+  echo "⚠️  WARNING: psql not found"
+  echo "   Cannot run Supabase tests locally"
+  echo "   Tests will run in CI/CD pipeline"
+  exit 0
+fi
+
+# Run the function-to-function auth test
+echo "Testing function-to-function authentication..."
+
+# Create a simplified test for pre-commit (faster than full test)
+TEST_RESULT=$(psql "$DATABASE_URL" -t -c "
+-- Quick test: Check if get_service_role_key() function exists
+SELECT
+  CASE
+    WHEN EXISTS (
+      SELECT 1 FROM pg_proc p
+      JOIN pg_namespace n ON p.pronamespace = n.oid
+      WHERE n.nspname = 'public' AND p.proname = 'get_service_role_key'
+    ) THEN 'PASS'
+    ELSE 'FAIL'
+  END as result;
+" 2>&1)
+
+if echo "$TEST_RESULT" | grep -q "PASS"; then
+  echo "✅ get_service_role_key() RPC function exists"
+else
+  echo "❌ FAIL: get_service_role_key() RPC function missing!"
+  echo ""
+  echo "This function is CRITICAL for function-to-function authentication."
+  echo "Run this SQL to create it:"
+  echo ""
+  echo "  psql \$DATABASE_URL -f supabase/migrations/20260203194800_add_get_service_role_key_function.sql"
+  echo ""
+  echo "Or apply pending migrations:"
+  echo "  npx supabase db push"
+  exit 1
+fi
+
+# Check that sync-all-devices uses the RPC function (not env var)
+if [ -f "supabase/functions/sync-all-devices/index.ts" ]; then
+  if grep -q "supabase.rpc('get_service_role_key')" supabase/functions/sync-all-devices/index.ts; then
+    echo "✅ sync-all-devices uses vault RPC (correct)"
+  else
+    if grep -q "Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')" supabase/functions/sync-all-devices/index.ts; then
+      echo "❌ FAIL: sync-all-devices uses env var instead of vault RPC!"
+      echo ""
+      echo "This will cause 401 'Invalid JWT' errors."
+      echo "See: supabase/TROUBLESHOOTING.md"
+      exit 1
+    fi
+  fi
+fi
+
+echo ""
+echo "✅ All Supabase pre-commit checks passed"
+echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+echo ""
+echo "💡 To run full regression tests:"
+echo "   psql \$DATABASE_URL -f supabase/tests/function-to-function-auth.test.sql"
+echo ""

mobile/src/types/database.types.ts

@@ -888,35 +888,38 @@ export type Database = {
       intraday_data: {
         Row: {
           created_at: string | null
+          device_id: string
           heart_rate: number | null
           intraday_id: string
           steps_delta: number | null
           timestamp: string
-          tracker_id: string
+          user_id: string | null
           vendor_metadata: Json | null
         }
         Insert: {
           created_at?: string | null
+          device_id: string
           heart_rate?: number | null
           intraday_id?: string
           steps_delta?: number | null
           timestamp: string
-          tracker_id: string
+          user_id?: string | null
           vendor_metadata?: Json | null
         }
         Update: {
           created_at?: string | null
+          device_id?: string
           heart_rate?: number | null
           intraday_id?: string
           steps_delta?: number | null
           timestamp?: string
-          tracker_id?: string
+          user_id?: string | null
           vendor_metadata?: Json | null
         }
         Relationships: [
           {
             foreignKeyName: "intraday_data_tracker_id_fkey"
-            columns: ["tracker_id"]
+            columns: ["device_id"]
             isOneToOne: false
             referencedRelation: "connected_devices"
             referencedColumns: ["device_id"]

mobile/src/types/schema.json

@@ -241,11 +241,12 @@
   ],
   "intraday_data": [
     "created_at",
+    "device_id",
     "heart_rate",
     "intraday_id",
     "steps_delta",
     "timestamp",
-    "tracker_id",
+    "user_id",
     "vendor_metadata"
   ],
   "known_brands": [