fix(rc-entitlement-drift-check): use REVENUECAT_SECRET_API_KEY_V2#66

Merged: Patchalv merged 1 commit into main from followup-49-split-rc-v2-api-key on May 13, 2026

Conversation

@Patchalv

@Patchalv Patchalv commented May 13, 2026

Owner

Follow-up to #60.

Summary

The drift check was failing first contact with the RC v2 API: rc_list_entitlements_403. Cause: the v1 secret key reused from delete-account isn't accepted by RC v2 endpoints.

Splits the env var so each function uses the API key its endpoints expect:

  • delete-account continues using REVENUECAT_SECRET_API_KEY (v1) against /v1/subscribers/{id}.
  • rc-entitlement-drift-check now reads REVENUECAT_SECRET_API_KEY_V2 (v2-scoped) for /v2/projects/.../customers and /v2/projects/.../entitlements.

Docs updated (payments.md, edge-functions.md, deployment.md) so the first-time setup instructs operators to issue a separate v2 key with customer_information:customers:read + customer_information:entitlements:read scopes.

Test plan

After merging:

  • Issue a v2 secret key in the RC dashboard (Project Settings → API Keys → "Create new secret key" → scopes above).
  • supabase secrets set REVENUECAT_SECRET_API_KEY_V2="<new-v2-key>".
  • supabase functions deploy rc-entitlement-drift-check --no-verify-jwt.
  • Re-run the smoke-test invocation from docs/payments.md → "Drift Health Check" → first-time setup step 5. Expect status_code: 200 and a drift_check_complete heartbeat in function logs.

REVENUECAT_SECRET_API_KEY is left untouched — delete-account keeps working.

Follow-up

None.

Summary by CodeRabbit

  • Documentation

    • Clarified RevenueCat API secret key configuration for Supabase Edge Functions, distinguishing between v1 and v2 secret keys for different operations (delete-account vs. entitlement drift checking).
    • Updated setup guides to document the separate v2-scoped API key required for entitlement drift-check function.
  • Chores

    • Updated edge function to use the correct RevenueCat API secret key version for improved scoping and security.

Review Change Stack

RC v1 secret keys are rejected by the v2 customer/entitlement endpoints
with a 403. Splitting the env var so delete-account keeps using its v1
key on /v1/subscribers and rc-entitlement-drift-check uses a separately
issued v2 key with customer_information:customers:read and
customer_information:entitlements:read scopes.

Surfaced during the first manual smoke test of the cron job (PR #60);
returned 500 with rc_list_entitlements_403 in the function logs.

Docs updated (payments.md, edge-functions.md, deployment.md) so operators
issue a separate v2 key during first-time setup.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
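The key split described above, as an added example that is not the project's code: a small request-side helper that picks the secret an endpoint's API version expects and fails at startup when it is missing, plus the status-to-error-code mapping that produced rc_list_entitlements_403. The env var names are the ones from this PR; the Bearer header format, the function names and the placeholder project paths are assumptions.

```typescript
// Added example (not from the repository). Assumes RevenueCat accepts
// "Authorization: Bearer <secret>" for both API versions.
type Env = Record<string, string | undefined>;

export type RcApiVersion = "v1" | "v2";

// Which secret each API version expects: the split introduced in this PR.
const RC_KEY_VAR: Record<RcApiVersion, string> = {
  v1: "REVENUECAT_SECRET_API_KEY",     // delete-account: /v1/subscribers/{id}
  v2: "REVENUECAT_SECRET_API_KEY_V2",  // drift check: /v2/projects/.../customers
};

export function rcApiVersion(path: string): RcApiVersion {
  if (path.startsWith("/v1/")) return "v1";
  if (path.startsWith("/v2/")) return "v2";
  throw new Error(`unsupported RevenueCat path: ${path}`);
}

// Resolve the secret for a path; a missing secret is a deployment error,
// so surface it before the first API call instead of as a 403 later.
export function rcAuthHeader(env: Env, path: string): { name: string; header: string } {
  const name = RC_KEY_VAR[rcApiVersion(path)];
  const key = env[name];
  if (!key) {
    throw new Error(`${name} is not set; required for ${path}`);
  }
  return { name, header: `Bearer ${key}` };
}

// Map a RevenueCat response status to the error code the drift check logs
// (e.g. rc_list_entitlements_403), with a hint for the key-scope case.
export function classifyRcStatus(
  op: string,
  status: number,
): { ok: boolean; code?: string; hint?: string } {
  if (status >= 200 && status < 300) return { ok: true };
  const code = `rc_${op}_${status}`;
  const hint =
    status === 403
      ? `check that ${RC_KEY_VAR.v2} is set and carries the customer_information read scopes`
      : undefined;
  return { ok: false, code, hint };
}
```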
@coderabbitai

coderabbitai Bot commented May 13, 2026


Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between 872f729 and daea906.

📒 Files selected for processing (4)
  • docs/deployment.md
  • docs/edge-functions.md
  • docs/payments.md
  • supabase/functions/rc-entitlement-drift-check/index.ts
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (3)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Use TypeScript strict mode with no any types
Use functional components only, no class components
Use @/ path alias for all imports, never use relative imports across directories
File naming: kebab-case for files, PascalCase for component files
Supabase queries must go through custom hooks wrapping TanStack Query
Use className prop for all styling in NativeWind, never use StyleSheet.create
Import View, Text, Pressable from react-native for NativeWind compatibility
Bottom sheets (@gorhom/bottom-sheet) use their own styling API, not className
Call Edge Functions via supabase.functions.invoke('fn-name', { body: {...} })
Use router.push() / router.replace() from expo-router for navigation
Use supabase-js SDK for all queries to auto-handle auth tokens

Files:

  • supabase/functions/rc-entitlement-drift-check/index.ts
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx,js}: Use ES module imports (import/export), not require
Destructure imports: import { useState } from 'react'

Files:

  • supabase/functions/rc-entitlement-drift-check/index.ts
supabase/functions/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

supabase/functions/**/*.ts: Mutations enforcing business rules must go through Edge Functions, not direct client inserts
Always deploy Edge Functions with --no-verify-jwt flag, functions validate auth internally via auth.getUser()

Files:

  • supabase/functions/rc-entitlement-drift-check/index.ts
🧠 Learnings (2)
📚 Learning: 2026-03-12T20:10:29.256Z
Learnt from: Patchalv
Repo: Patchalv/mapvault PR: 6
File: docs/mailerlite-integration-prd.md:98-129
Timestamp: 2026-03-12T20:10:29.256Z
Learning: Do not flag markdownlint warnings (e.g., MD040 fenced-code-language) for files under the docs/ directory in this repository. These are internal PRD/documentation files that are not shipped code, and lint churn on documentation should be avoided. Apply this guideline broadly to all markdown files within docs/ (docs/**/*.md); if stricter linting is ever required for docs, consider an explicit CI exception or documentation-only lint setting.

Applied to files:

  • docs/deployment.md
  • docs/edge-functions.md
  • docs/payments.md
📚 Learning: 2026-03-18T13:36:07.355Z
Learnt from: Patchalv
Repo: Patchalv/mapvault PR: 10
File: supabase/functions/grant-beta-premium/index.ts:78-89
Timestamp: 2026-03-18T13:36:07.355Z
Learning: In Patchalv/mapvault, Supabase Database Webhooks are handled by Edge Functions that are fire-and-forget. Do not return non-200 responses for errors; always return 200 for webhook endpoints. Surface errors to Sentry for manual recovery, not as 5xx retries. This guideline applies to all Edge Functions triggered by Supabase Database Webhooks in the repository.

Applied to files:

  • supabase/functions/rc-entitlement-drift-check/index.ts
🔇 Additional comments (4)
supabase/functions/rc-entitlement-drift-check/index.ts (1)

90-93: LGTM!

docs/deployment.md (1)

54-55: LGTM!

docs/edge-functions.md (1)

356-356: LGTM!

docs/payments.md (1)

143-155: LGTM!

Also applies to: 215-217, 236-238


📝 Walkthrough

Walkthrough

This PR introduces a RevenueCat API secret key split for the rc-entitlement-drift-check edge function. The function now reads a v2-scoped key with specific customer information permissions, while the delete-account function retains the v1 key. All three documentation guides are updated to clarify the distinction and provide setup instructions.

Changes

RevenueCat Secret Key Separation

  • rc-entitlement-drift-check v2 key implementation
    File: supabase/functions/rc-entitlement-drift-check/index.ts
    Summary: The drift-check function reads the RevenueCat API v2 secret from REVENUECAT_SECRET_API_KEY_V2 instead of the shared key, with added comments distinguishing v2 endpoints (list-customers/list-entitlements) from v1 usage.
  • Documentation of v2 key split across deployment and setup guides
    Files: docs/deployment.md, docs/edge-functions.md, docs/payments.md
    Summary: Deployment secrets table, edge-functions guide, and payments setup documentation are updated to document REVENUECAT_SECRET_API_KEY_V2 as a separate RC v2-scoped secret with customer information read scopes, and to clarify it is distinct from the v1 key used by delete-account.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: the rc-entitlement-drift-check function now uses REVENUECAT_SECRET_API_KEY_V2 instead of the previous key, which is the core fix addressed across code and documentation.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@Patchalv Patchalv self-assigned this May 13, 2026
@Patchalv Patchalv merged commit f4a19ed into main May 13, 2026
1 check was pending
@Patchalv Patchalv deleted the followup-49-split-rc-v2-api-key branch May 13, 2026 20:31