fix(edge-fn): replace getClaims with adminClient.auth.getUser(token)

fix(edge-fn): use user.id instead of claims.sub; fixes 500s and false cert_required
fix(migrations): drop broad reservations SELECT policy; add reservation_slots view with security_invoker=false
fix(tests): correct weekSlot() keys from start/end to start_time/end_time
fix(tests): spread overlap test slots across separate ISO weeks
fix(tests): update e2e assertion to match actual authenticated home text
fix(app): hide IonMenu before user is authenticated
feat(dx): add test:all script running unit, integration, and e2e in sequence
docs(claude-md): document SELinux fix, Edge Function auth pattern, security_invoker behaviour
2026-04-20 14:32:37 -04:00
parent d07a02c9dc
commit 108c042921
33 changed files with 2745 additions and 12 deletions

@@ -41,6 +41,16 @@ You work with Patrick, a Solutions Architect, on the OYS Borrow a Boat app (oysq
- Types in `types/supabase.ts` — regenerate with: `npx supabase gen types typescript --project-id YOUR_ID > types/supabase.ts`
- `useSupabaseClient<Database>()` typed against `types/supabase.ts`
### Edge Functions
- Located in `supabase/functions/<name>/` — each function has its own `deno.json`
- Auth pattern: extract Bearer token → `adminClient.auth.getUser(token)` (pass JWT directly to service-role client). Do NOT create a separate userClient with the anon key.
- Use `SUPABASE_SERVICE_ROLE_KEY` (adminClient) for all DB operations inside functions; the caller's identity comes from JWT claims (`claims.sub` = user ID).
- **SELinux (Fedora/RHEL local dev)**: Before running `supabase functions serve`, label the project directory for container access:
```
sudo chcon -Rt container_file_t $(pwd)
```
This must be applied after any `git clone` or directory move. Failure symptom: function bootstrap error with no useful stderr output.
### Icons
- Ionicons only (`ionicons/icons`) — no PrimeIcons
- Always import individual icon names from `ionicons/icons` (tree-shakeable)
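Review bot: The added Edge Functions bullet about `SUPABASE_SERVICE_ROLE_KEY` still says the caller's identity comes from JWT claims (`claims.sub` = user ID), which contradicts the auth-pattern bullet directly above it and the commit message's switch to `user.id`. Reword it so the identity is the `user.id` returned by `adminClient.auth.getUser(token)`, and say that a missing or rejected token must produce a 401 before any DB call. Because the same bullet routes all DB operations through the service-role client, which bypasses row-level security, the doc should also state that each query has to be scoped to that `user.id` explicitly. In the SELinux step, quote the path as `"$(pwd)"` so a project directory containing spaces is labelled correctly.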