HIGH story-bulk-registration-proxy-reporting-coordinator-007 3 pts

User Story

As a Coordinator
I want the system to automatically block unauthorized users from accessing proxy and bulk registration routes, and to have my own submissions validated against my role at both the navigation and database layers
So that peer mentors or users with insufficient permissions cannot register activities on behalf of others, protecting data integrity and preventing unauthorized impersonation

Acceptance Criteria

  • Given a user with peer_mentor role is authenticated, when they attempt to navigate to the Proxy Registration Screen URL directly, then the navigation guard redirects them to the no-access screen
  • Given a coordinator submits a proxy registration, when the Activity Delegation Service processes the request, then it verifies the acting user's role before invoking the insert — if the role check fails, the service returns an authorization error
  • Given a coordinator's JWT contains a valid coordinator role claim, when the Supabase RLS policy evaluates the insert, then the policy permits the insert on behalf of the specified peer mentor user_id
  • Given a user without coordinator role somehow bypasses the Flutter navigation layer, when the RLS policy evaluates the insert, then the insert is rejected at the database layer with a policy violation error
  • Given the coordinator's session token expires mid-submission, when the proxy insert is attempted, then authentication is re-requested and the submission does not proceed with an invalid token

Business Value

Proxy registration allows one user to create activity records attributed to another user, which is a significant privilege that must be tightly controlled. Without multi-layer enforcement, a single bypass at the UI layer would allow any authenticated user to submit activities on behalf of others, corrupting the activity log, falsifying reporting data, and potentially enabling grant fraud. Defense-in-depth (navigation + service + RLS) ensures no single point of failure can compromise the integrity of delegated submissions.
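
The database-layer criteria above could be expressed as Supabase RLS policies along the following lines. This is an added example, not part of the original story or the project's code. The table public.activities, its columns user_id and registered_by, the policy names, and the location of the role claim under app_metadata are all assumptions.

```sql
-- Hypothetical schema: table and column names are assumptions, not from the story.
create table if not exists public.activities (
  id            uuid primary key default gen_random_uuid(),
  user_id       uuid not null references auth.users (id),  -- user the activity is attributed to
  registered_by uuid not null references auth.users (id),  -- authenticated user who submitted it
  description   text not null,
  created_at    timestamptz not null default now()
);

-- With RLS enabled and no matching policy, every insert is denied by default.
alter table public.activities enable row level security;

-- Self-registration (assumed to be allowed for every role):
-- a user may only insert rows attributed to, and submitted by, themselves.
create policy activities_insert_self
  on public.activities
  for insert
  to authenticated
  with check (
    user_id = auth.uid()
    and registered_by = auth.uid()
  );

-- Proxy registration: user_id may name another user only when the caller's
-- JWT carries the coordinator role. The claim is read from app_metadata
-- (assumed location), which the user cannot edit; user_metadata is
-- user-writable and must not be trusted for authorization.
-- registered_by is pinned to the caller so the acting coordinator is always
-- recorded and cannot be spoofed.
create policy activities_insert_proxy
  on public.activities
  for insert
  to authenticated
  with check (
    registered_by = auth.uid()
    and (auth.jwt() -> 'app_metadata' ->> 'role') = 'coordinator'
  );
```

Permissive policies are combined with OR, so a peer mentor satisfies only the self-registration policy. An insert from a peer mentor that names another user's user_id fails with PostgreSQL error 42501 (row-level security policy violation), regardless of what the Flutter navigation guard or the service layer allowed.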