fix(api): harden API key management auth

[riderx]

Summary (AI generated)

• Removed stale route-level key-mode authorization such as middlewareV2(['all', 'write']); handlers now authenticate first and enforce authorization through RBAC checks, API route guards, and RLS.
• Removed app-side use_new_rbac runtime gating while keeping the compatibility output field and old SQL compatibility helpers.
• Hardened /apikey management: broad non-limited all API keys retain sibling key update/delete compatibility, while limited scoped keys are filtered out and all API keys are blocked from key creation, self-mutation, and role-binding replacement.
• Hardened org settings writes: direct anonymous/API-key RLS updates to orgs are closed, use_new_rbac is forced true, rollback cannot disable RBAC, and cli organization set now calls PUT /organization instead of writing orgs directly.
• Added explicit backend validation for password_policy_config so moving CLI org settings to the API route does not drop the password-policy feature.
• Fixed the events notify-console path so it relies on the verified org/app resolution instead of an org-only preflight that broke app-scoped authorization.

Motivation (AI generated)

RBAC is now the authoritative authorization model. Leaving old key-mode write labels, app-side RBAC feature flags, and CLI direct org writes made the active security boundary ambiguous and could preserve upgrade/downgrade paths that no longer match the product model. This PR removes those stale surfaces while preserving intentional compatibility for old API-key read paths and old org payload shape.

Fix Justification (AI generated)

• Auth-only middleware defaults: old ['all', 'write'] route declarations are no longer the security boundary and were misleading.
• API-key mutation guard: a leaked API key, even a broad one, must not be able to update/regenerate/delete API keys or upgrade its own API-key RBAC bindings.
• /apikey read/list compatibility: keeping API-key reads avoids breaking old compatible callers; scoped keys still use the existing limited-scope filter.
• Org RLS hardening: orgs UPDATE is now authenticated-only and named-RBAC guarded; API-key org settings writes must go through the backend route where middlewareV2, checkPermission, and API-key org policy checks run before the service-role write.
• CLI org settings route migration: cli organization set no longer relies on direct Supabase orgs.update(...), so it does not need the old write RLS policy to stay open.
• Password-policy route validation: the backend route now accepts only a typed policy object with min_length bounded to 6..72, matching the DB constraint.
• Compatibility helpers: rbac_enable_for_org remains service-role callable for old automation, but always returns RBAC enabled; rbac_rollback_org is retained but cannot disable RBAC or delete bindings.

Business Impact (AI generated)

This reduces the chance of API-key self-escalation, leaked-key damage, or accidental reactivation of legacy write behavior, while avoiding a breaking change for compatible API-key read/list callers and current CLI org-settings workflows.

Test Plan (AI generated)

• bun lint:backend
• bun typecheck:backend
• commit hook: bun run cli:typecheck && bun run typecheck:backend && bun run typecheck:frontend
• bun run cli:check
• bun run supabase:db:reset
• PGSSLMODE=disable bunx supabase test db --db-url postgresql://postgres:postgres@127.0.0.1:60642/postgres supabase/tests/00-supabase_test_helpers.sql supabase/tests/26_test_rls_policies.sql supabase/tests/48_test_rbac_admin_rpc_execute_grants.sql
• bun test --timeout 60000 tests/events.test.ts tests/apikeys.test.ts tests/apikeys-expiration.test.ts tests/organization-api.test.ts tests/audit-logs.test.ts tests/password-policy.test.ts
• bunx vitest run tests/organization-put-stripe-sync.unit.test.ts

Generated with AI

Summary by CodeRabbit

• New Features

  • API key management now enforces centralized authorization with improved permission controls.
  • Organization settings can be updated via the API, enabling better programmatic management.

• Improvements

  • Authorization system simplified to use role-based permissions exclusively, removing legacy compatibility modes.
  • Organization membership and invitations now use a cleaner role model for improved consistency.
  • API key creation and validation streamlined with stronger permission checks.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Replaces legacy key-mode/min-rights with RBAC-only checks. Updates middleware, handlers, SQL policies/migrations, generated types, seeds, CLI permission flow, frontend role handling, and tests/docs. Centralizes API-key management with JWT-only operations and ownership scoping. Removes obsolete functions/enums and aligns RLS assertions.

Changes

End-to-end RBAC unification across services

Layer / File(s)	Summary
RBAC refactor, policy/type updates, and test/CLI/frontend alignment supabase/functions/_backend/..., supabase/schemas/*.sql, supabase/migrations/*, supabase/seed.sql, cli/src/*, src/*, tests/*, supabase/tests/*, docs/*	Middleware switched to middlewareAuth/middlewareKey(options). Handlers enforce RBAC via checkPermission; API key management centralized. Schema/policies/types/seeds updated to RBAC (remove key_mode/user_min_right). CLI uses string permission keys; frontend roles/ranks updated. Tests/docs realigned to RBAC and removed legacy helpers.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• Cap-go/capgo#2391 — Also updates API key management in public/apikey/put.ts with RBAC-focused changes.
• Cap-go/capgo#1997 — Touches private/create_device.ts to validate org scope against app owner; overlaps with this PR’s RBAC checks.
• Cap-go/capgo#2330 — Modifies /private/events handler; intersects with this PR’s middleware/auth and parsing refactor.

[codspeed-hq]

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks¹

---

_{Comparing codex/rbac-apikey-management-hardening (022e342) with main (bf283f4)}

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

supabase/tests/26_test_rls_policies.sql (1)

377-393: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Assert the new deny policies are actually restrictive.

This only proves the three policy names exist. If a future migration recreates any of them as PERMISSIVE, the test still passes while the deny becomes ineffective against the existing owner allow-policies. Please add pg_policies assertions for permissive = 'RESTRICTIVE' and the expected roles/cmd on these three new policies.

As per coding guidelines: Add explicit deny policies for operations that must be impossible for user-facing roles, using RESTRICTIVE policies instead of relying on implicit deny.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@supabase/tests/26_test_rls_policies.sql` around lines 377 - 393, The test
currently only checks that policy names exist for table apikeys via policies_are
but does not verify they are restrictive; add assertions that query pg_policies
for the three deny policies (e.g., 'Deny anon delete on apikeys', 'Deny anon
select on apikeys', 'Deny anon update on apikeys') and assert permissive =
'RESTRICTIVE' and that the role(s) and cmd columns match the expected values for
each policy; locate this near the existing policies_are call for apikeys and add
one assertion per deny policy checking pg_policies.permissive, pg_policies.roles
and pg_policies.cmd to ensure the denies are actually restrictive.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@supabase/functions/_backend/public/apikey/auth.ts`:
- Around line 18-21: The code reads auth.authType without guarding for missing
auth; change the declaration to allow undefined (e.g., const auth =
c.get('auth') as AuthInfo | undefined) and update the guard to check for missing
auth first (if (!auth || auth.authType !== 'jwt' || !auth.userId) { ... }), and
when building the quickError payload use optional chaining for the authType
field (auth?.authType) so a missing auth produces the intended 401 instead of a
500; keep the same quickError call, errorCode, action and moreInfo variables.

In `@tests/apikeys-expiration.test.ts`:
- Around line 807-812: The test block removed an endpoint-level check, leaving
only direct Supabase/RLS reads (expectApiKeyCannotReadBaseOrg and
expectApiKeyCanReadBaseOrg); restore one HTTP-path assertion against the /apikey
endpoint in this block so middleware/header-parsing is exercised—add a single
assertion that the expiredKeyValue is rejected when calling the /apikey HTTP
route (alongside the RLS helper) and keep the validKeyValue HTTP-path check in
the other test block, referencing the existing helpers for RLS reads and the
/apikey route to locate where to add it.

In `@tests/apikeys.test.ts`:
- Around line 1030-1077: The test "plain key cannot update apikeys table
directly through RLS" leaves the created API key if an assertion fails; wrap the
cleanup DELETE call in a finally block so the seeded key is always removed.
Specifically, after creating the key (createResponse / createData), move the
fetch DELETE for `/apikey/${createData.id}` into a finally section that runs
regardless of test success, keeping the existing authHeaders and preserving the
rest of the assertions in the try block; ensure createData.id is available in
the finally (declare it in the outer scope if needed) so cleanup always
executes.

---

Outside diff comments:
In `@supabase/tests/26_test_rls_policies.sql`:
- Around line 377-393: The test currently only checks that policy names exist
for table apikeys via policies_are but does not verify they are restrictive; add
assertions that query pg_policies for the three deny policies (e.g., 'Deny anon
delete on apikeys', 'Deny anon select on apikeys', 'Deny anon update on
apikeys') and assert permissive = 'RESTRICTIVE' and that the role(s) and cmd
columns match the expected values for each policy; locate this near the existing
policies_are call for apikeys and add one assertion per deny policy checking
pg_policies.permissive, pg_policies.roles and pg_policies.cmd to ensure the
denies are actually restrictive.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9d385eca-b762-452d-a898-93a462ad60c4

📥 Commits

Reviewing files that changed from the base of the PR and between e64b645 and 6d7e2b2.

📒 Files selected for processing (10)

• cli/src/types/supabase.types.ts
• supabase/functions/_backend/public/apikey/auth.ts
• supabase/functions/_backend/public/apikey/delete.ts
• supabase/functions/_backend/public/apikey/get.ts
• supabase/functions/_backend/public/apikey/put.ts
• supabase/functions/_backend/public/apikey/scope.ts
• supabase/migrations/20260603120805_deny_apikey_management_from_api_key_auth.sql
• supabase/tests/26_test_rls_policies.sql
• tests/apikeys-expiration.test.ts
• tests/apikeys.test.ts

💤 Files with no reviewable changes (1)

• supabase/functions/_backend/public/apikey/scope.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cli/src/types/supabase.types.ts`:
- Around line 3037-3045: The RPC type for app_versions_has_app_permission
incorrectly requires both p_apikey and p_user_id as non-null strings; update the
SQL RPC signature so the inactive auth parameter is nullable (make p_apikey OR
p_user_id NULLABLE/optional in the function definition for
app_versions_has_app_permission), deploy the migration, then regenerate the
TypeScript types (run the project type generation command, e.g. `bun types`) so
the generated supabase.types.ts reflects p_apikey and p_user_id as
nullable/optional and callers no longer need unsafe casts or dummy values.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 81ad7474-945a-4192-9133-1c57dfd028ca

📥 Commits

Reviewing files that changed from the base of the PR and between 6d7e2b2 and a8fc38e.

📒 Files selected for processing (10)

• cli/src/types/supabase.types.ts
• supabase/functions/_backend/public/apikey/auth.ts
• supabase/functions/_backend/public/apikey/delete.ts
• supabase/functions/_backend/public/apikey/get.ts
• supabase/functions/_backend/public/apikey/put.ts
• supabase/functions/_backend/public/apikey/scope.ts
• supabase/migrations/20260603120805_deny_apikey_management_from_api_key_auth.sql
• supabase/tests/26_test_rls_policies.sql
• tests/apikeys-expiration.test.ts
• tests/apikeys.test.ts

💤 Files with no reviewable changes (1)

• supabase/functions/_backend/public/apikey/scope.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fea72cb875

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[WcaleNieWolny]

Hostile Review — RBAC + API-key hardening

Adversarial multi-engine review (CodeRabbit + Codex + a 10-agent Claude reviewer fleet), merged and deduped. Base: origin/main. Scope: 142 reviewable files (generated schema dumps excluded). The highest-impact findings below were manually verified against the code; a few medium items are marked unverified (the automated verify pass got rate-limited).

Nothing here was auto-fixed — this is report-only. Line numbers are approximate to the PR diff.

🔴 Critical

1. Privilege escalation via direct role_bindings write

supabase/migrations/20260611190328_harden_rbac_compat_cleanup.sql (role_bindings_insert / role_bindings_update)

The new RLS policies gate writes on rbac_check_permission_request(org.update_user_roles, …) but never validate role_id against the caller's own priority. The priority-escalation guard check_org_user_privileges() is wired only to org_users (trigger check_privileges) — there is no equivalent trigger on role_bindings.

Result: an authenticated principal with org.update_user_roles (e.g. an org_admin, below super-admin) can INSERT INTO role_bindings directly via PostgREST a row granting themselves org_super_admin — a role above their ceiling — bypassing the guard that only fires on the org_users path. This directly undercuts the hardening goal of the PR.

Suggested fix: add a BEFORE INSERT OR UPDATE trigger on role_bindings that enforces the same caller-priority ceiling as check_org_user_privileges(), and/or extend the policy WITH CHECK to verify the target role_id's priority ≤ caller's max priority.

Note: CodeRabbit also flagged "missing WITH CHECK on UPDATE → cross-org move." That part is a false alarm — Postgres reuses USING as WITH CHECK when the latter is omitted on UPDATE, so the new row's org_id is re-validated. The real hole is the missing role_id/priority check (present on both INSERT and UPDATE).

🟠 High

2. Swallowed membership-creation failure consumes the invite

supabase/functions/_backend/private/accept_invitation.ts (ensureOrgMembership, call sites ~321 / ~386 / ~469)

ensureOrgMembership() returns quickError(...) objects on 6 failure branches (role resolution, org_users update, role-binding insert, …) instead of throwing. All three call sites do await ensureOrgMembership(...) without capturing the return value, so the error is silently dropped. Execution then continues to delete the invite / tmp_users row ("only after success"), and the endpoint returns 200.

Failure mode: if membership creation fails, the user ends up with no membership and a consumed invite (unrecoverable), while the API reports success.

Suggested fix: const err = await ensureOrgMembership(...); if (err) return err; at each call site (or make the helper throw).

3. API-key key_mode scope no longer enforced at the route layer

supabase/functions/_backend/utils/hono_middleware.ts + all public routers

The diff removes the rights: key_mode[] parameter from middlewareKey(), resolveApiKey, and resolveSubkey; every router now calls bare middlewareKey(). The read / write / upload key_mode scope is no longer checked per-request — authorization moves entirely into in-handler checkPermission(...).

Two residual risks:

• Coverage: any mutating route that does not call checkPermission is now a write-authorization hole. (set_channel.ts and update_metadata.ts do call it; bundle|channel|device/index.ts delegate to sub-handlers — please confirm each mutation path is covered.)
• Intent: a user's read-only key is silently ignored — a read-mode key whose principal has RBAC write permissions can now mutate.

Suggested action: a per-route audit confirming every mutating handler enforces an RBAC permission, plus a decision on whether key_mode should still cap a key below its principal's RBAC grants.

4. SSO re-login wipes existing members' org bindings (reported by Codex)

supabase/functions/_backend/private/sso/provision-user.ts (ensureOrgRoleBinding, ~296–369)

For an existing member (is_invite === false), promoteExistingInvite calls ensureOrgRoleBinding, which runs DELETE FROM role_bindings WHERE scope=org AND org_id=… and re-inserts a single binding from org_users.rbac_role_name. Because that column is stale metadata, a normal SSO login can downgrade or erase an admin's current org-scoped RBAC grants.

Suggested fix: for existing members, make this a no-op or a repair-only path (insert the binding only if missing); never delete current grants.

🟡 Medium

#	Location	Issue
5	public/organization/audit.ts:~65	Gates on org.delete, but org.read_audit exists (rbac.ts:43) and the RLS function audit_logs_allowed_orgs() uses rbac_perm_org_read_audit(). A read_audit-only auditor is blocked at the API; a delete-only caller passes the API but gets RLS-filtered to empty. Contract mismatch in both directions — use org.read_audit.
6	…190328…sql org_users backfill CASE	The org-scope branch maps invite_super_admin / invite_admin, but the app_id / channel_id branches omit invite_write / invite_upload, so those users fall through to app_reader / channel_reader (silent downgrade for anyone mid-invite at app/channel scope).
7	public/apikey/get.ts:~46–79	List/get use supabaseAdmin(c) + .select('*') for API-key callers, returning the key column (plaintext for non-hashed keys) in the response — defeating the new anon-deny RLS policy. Scoped to the caller's own keys (.eq('user_id', …)), so not cross-user, but key material should be masked/omitted from responses.
8	cli/src/bundle/upload.ts:~1530	When the key lacks channel RBAC permission, the code only log.warns and then proceeds to emit "App Uploaded" and report success. Server-side denial is correct, but the CLI silently turns "upload + set channel" into "upload only" — --channel users believe the channel was updated.
9	public/apikey/scope.ts:~26–30	isValidApiKeyIdFormat accepts only UUID / numeric, but selectOwnedApiKeyByIdentifier supports .eq('key', id) lookups. Legacy non-UUID key values would 400 before reaching the lookup. Impact depends on whether non-UUID keys exist in prod.
10	public/bundle/set_channel.ts:~60 (unverified)	checkPermission (which acquires a second pool connection) is now called inside an open BEGIN transaction that already holds a connection → possible pool-starvation deadlock under load. Move the check before BEGIN.

🟢 Low / Minor

• cli/src/channel/delete.ts:~39 — successIfNotFound returns true before the permission check, but no deletion happens for a missing channel → existence-oracle only, not an auth bypass.
• src/pages/settings/organization/Members.vue:~608 — console.log leaks invited email + role (PII) in production.
• src/stores/organization.ts:~620 — console.log leaks org ID, full org object, and user ID in deleteOrganization.
• src/pages/ApiKeys.vue:~638 / src/stores/organization.ts:~75 (unverified) — owner-role priority / roleHasOrgRank edge cases in client-side gating (display-only; server is authoritative).

Refuted / discarded (investigated, not real)

• "group_members_update / groups_update lack WITH CHECK → cross-org move" — Postgres reuses USING as WITH CHECK on UPDATE, so the new org_id / group_id is re-validated. Not exploitable.
• "API keys without RBAC bindings fail open to the JWT path" — refuted on inspection; the genuine, narrower issue is folded into Critical Launch paid offers #1.
• "middlewareKey allows unauthenticated access to any route" — authentication still happens; the real issue is the authorization decoupling (High #3).
• Several accept_invitation atomicity/overwrite + apikey TOCTOU claims — overlapping duplicates; the real defect is the silent failure (High Display download stats from live update in capgo app #2).

Coverage notes

• Automated adversarial verification was rate-limited; 11 highest-impact findings were hand-verified, the rest (esp. items marked unverified) deserve a maintainer look.
• The 43 pgTAP security tests (supabase/tests/*.sql) and regenerated schema dumps were excluded from CodeRabbit (file-count cap) — not independently reviewed here.

---

Engines: CodeRabbit · Codex · Claude reviewer fleet (security / database / typescript / silent-failure / correctness agents). Report-only — no code was modified.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cd9e395297

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f19fb3d516

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2c844bbb31

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7b60ad205c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ba13a5dc05

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid app-read precheck for channel-scoped CLI actions

When a key/user is scoped only to a channel (for example the seeded channel_admin role), channel set and channel delete now pass the channel id into hasCliPermission, but this shared helper still calls checkAppExists() first. That RPC is gated by app.read with no channel id, so channel-scoped callers fail here with “App ... does not exist” before their channel.update_settings/channel.delete permission can be evaluated.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Include API-key role in channel-device inserts

Fresh evidence after the route-level forced-device permission fix: API-key callers that pass channel.manage_forced_devices still write through supabaseWithAuth, which uses the anon role for capgkey auth, but this INSERT policy is only TO authenticated. Creating a new forced-device override through /private/channel_device with a valid channel-scoped API key therefore fails under RLS even though the handler already authorized the channel.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9c1465f596

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[sonarqubecloud]

Quality Gate passed

Issues
26 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud