Skip to content

fix: align final production migration history#565

Merged
BigSimmo merged 1 commit into
mainfrom
codex/production-migration-history-final
Jul 13, 2026
Merged

fix: align final production migration history#565
BigSimmo merged 1 commit into
mainfrom
codex/production-migration-history-final

Conversation

@BigSimmo

Copy link
Copy Markdown
Owner

Summary

  • codify the two production migration versions that were present remotely but absent from the repository
  • preserve the production ACL hardening for retrieval and ingestion worker RPCs
  • neutralise the later duplicate ingestion privilege migration so history stays monotonic without duplicate DDL

Why

A linked production migration-list preflight found 20260708150150 and 20260709062443 as remote-only after PR #552 merged. Their recorded statements were read-only inspected and match the repository's canonical service-role-only ACL posture. Adding the real production versions removes the final migration-history divergence before the reviewed RAG remediation migrations are applied.

Verification

  • npx vitest run tests/supabase-schema.test.ts — 46/46 passed
  • npm run drift:manifest — scratch PostgreSQL schema replay passed; manifest regenerated
  • npx supabase migration list --linked — these two versions now align; only documented no-op/guard and unapplied remediation migrations remain local-only
  • git diff --check — passed

Safety

No live schema mutation is performed by this PR. The new files codify ACL statements already recorded on production; the later duplicate is a documented no-op.

@BigSimmo
BigSimmo enabled auto-merge (squash) July 13, 2026 08:14
@supabase

supabase Bot commented Jul 13, 2026

Copy link
Copy Markdown

Updates to Preview Branch (codex/production-migration-history-final) ↗︎

Deployments Status Updated
Database Mon, 13 Jul 2026 08:15:42 UTC
Services Mon, 13 Jul 2026 08:15:42 UTC
APIs Mon, 13 Jul 2026 08:15:42 UTC

Tasks are run on every commit but only new migration files are pushed.
Close and reopen this PR if you want to apply changes from existing seed or migration files.

Tasks Status Updated
Configurations Mon, 13 Jul 2026 08:15:50 UTC
Migrations Mon, 13 Jul 2026 08:16:55 UTC
Seeding Mon, 13 Jul 2026 08:16:59 UTC
Edge Functions Mon, 13 Jul 2026 08:17:00 UTC

View logs for this Workflow Run ↗︎.
Learn more about Supabase for Git ↗︎.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • Security

    • Restricted sensitive retrieval and ingestion operations to authorized server-side execution, reducing unauthorized access risk.
    • Standardized database function permissions and removed unintended default access.
  • Reliability

    • Prevented duplicate migration logic from applying conflicting permission changes.
  • Tests

    • Added coverage to verify production access controls and migration behavior.

Walkthrough

Supabase migrations now restrict retrieval and ingestion RPC execution to service_role, neutralize a duplicate privilege migration, and add schema tests covering these ACL statements. The drift manifest timestamp was regenerated.

Changes

RPC privilege reconciliation

Layer / File(s) Summary
RPC execution privilege migrations
supabase/migrations/*
Retrieval and ingestion functions revoke execution from public roles and grant it to service_role; the duplicate ingestion migration is replaced with a no-op.
Migration validation and manifest update
tests/supabase-schema.test.ts, supabase/drift-manifest.json
Schema tests validate the ACL statements and duplicate migration marker, while the manifest timestamp is updated.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning It covers summary, rationale, verification, and safety, but omits the required Clinical Governance Preflight section for a Supabase/production change. Add the Clinical Governance Preflight checklist items required by the template, and keep the Notes section filled with any relevant follow-ups.
✅ Passed checks (10 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: reconciling production migration history and preserving final ACL posture.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Generated And Sensitive Files ✅ Passed Only documented Supabase migrations, a regenerated drift manifest, and tests changed; scan found no secrets, keys, env files, or other disallowed artifacts.
Verification Claims ✅ Passed PASS: The PR’s Verification section names exact commands and results (vitest, drift:manifest, migration list, git diff --check), with no vague pass claims.
Risky Git Or Deployment Actions ✅ Passed The changed migrations/tests only codify ACL grants/revokes and a no-op duplicate; no force-push, hard reset, destructive clean, or unsafe deployment guidance appears.
Supabase Project And Schema Safety ✅ Passed PASS: Changed files only codify recorded production ACL migrations and a neutralized duplicate; no stale Supabase refs, and the PR documents safety/verification.
Runtime And Package Manager Integrity ✅ Passed No package/runtime files changed; package.json still pins npm@11.17.0 with Node 24.x, .npmrc keeps engine-strict=true, and the PR only adds SQL/test files.
Api Route Failure Handling ✅ Passed Only SQL migrations, drift manifest, and a schema test changed; no API route, server action, RAG/search/ingestion/provider code was modified.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/production-migration-history-final
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch codex/production-migration-history-final

Comment @coderabbitai help to get the list of available commands.

@BigSimmo
BigSimmo merged commit 04c1d0b into main Jul 13, 2026
14 of 15 checks passed

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/supabase-schema.test.ts`:
- Around line 970-985: Strengthen the ACL migration test in the existing test
case by asserting the exact from public, anon, authenticated and to service_role
clauses for all four functions, preserving each function signature. Extend the
duplicate-migration assertions to verify it contains no set search_path, revoke
execute, or grant execute statements while retaining its neutralized marker and
false no-op assertion.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c3b1135f-80a4-46e6-b452-e0391114e591

📥 Commits

Reviewing files that changed from the base of the PR and between 1237774 and 6e8eab2.

📒 Files selected for processing (5)
  • supabase/drift-manifest.json
  • supabase/migrations/20260708150150_harden_retrieval_public_execute.sql
  • supabase/migrations/20260709062443_reconcile_ingestion_rpc_privileges_production.sql
  • supabase/migrations/20260709150000_reconcile_ingestion_rpc_privileges.sql
  • tests/supabase-schema.test.ts

Comment on lines +970 to +985
it("codifies production ACL migration versions and neutralizes the later duplicate", () => {
expect(retrievalPublicExecuteMigration).toContain(
"revoke execute on function public.retrieval_owner_matches(uuid, uuid)",
);
expect(retrievalPublicExecuteMigration).toContain(
"revoke execute on function public.search_document_chunks(uuid, text, integer, uuid)",
);
expect(ingestionRpcPrivilegesMigration).toContain(
"revoke execute on function public.complete_ingestion_job(uuid, uuid, uuid, text, text)",
);
expect(ingestionRpcPrivilegesMigration).toContain(
"revoke execute on function public.fail_or_retry_ingestion_job(uuid, uuid, uuid, boolean, text, text, text, timestamp with time zone, text)",
);
expect(ingestionRpcPrivilegesDuplicateMigration).toContain("NEUTRALIZED 2026-07-13");
expect(ingestionRpcPrivilegesDuplicateMigration).toContain("select 1 where false;");
});

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Assert the complete ACL and no-op contracts.

These assertions would remain green if service_role grants were removed, the revoked roles changed, or the neutralized migration retained active ACL SQL. Assert both the exact from public, anon, authenticated and to service_role clauses for all four functions, and assert the duplicate contains no set search_path, revoke execute, or grant execute statements.

Suggested assertions
+    for (const [migration, signature] of [
+      [retrievalPublicExecuteMigration, "public.retrieval_owner_matches(uuid, uuid)"],
+      [retrievalPublicExecuteMigration, "public.search_document_chunks(uuid, text, integer, uuid)"],
+      [ingestionRpcPrivilegesMigration, "public.complete_ingestion_job(uuid, uuid, uuid, text, text)"],
+      [ingestionRpcPrivilegesMigration, "public.fail_or_retry_ingestion_job(uuid, uuid, uuid, boolean, text, text, text, timestamp with time zone, text)"],
+    ] as const) {
+      expect(migration).toContain(
+        `revoke execute on function ${signature} from public, anon, authenticated;`,
+      );
+      expect(migration).toContain(
+        `grant execute on function ${signature} to service_role;`,
+      );
+    }
+    expect(ingestionRpcPrivilegesDuplicateMigration).not.toMatch(
+      /set search_path|revoke execute on function|grant execute on function/,
+    );
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
it("codifies production ACL migration versions and neutralizes the later duplicate", () => {
expect(retrievalPublicExecuteMigration).toContain(
"revoke execute on function public.retrieval_owner_matches(uuid, uuid)",
);
expect(retrievalPublicExecuteMigration).toContain(
"revoke execute on function public.search_document_chunks(uuid, text, integer, uuid)",
);
expect(ingestionRpcPrivilegesMigration).toContain(
"revoke execute on function public.complete_ingestion_job(uuid, uuid, uuid, text, text)",
);
expect(ingestionRpcPrivilegesMigration).toContain(
"revoke execute on function public.fail_or_retry_ingestion_job(uuid, uuid, uuid, boolean, text, text, text, timestamp with time zone, text)",
);
expect(ingestionRpcPrivilegesDuplicateMigration).toContain("NEUTRALIZED 2026-07-13");
expect(ingestionRpcPrivilegesDuplicateMigration).toContain("select 1 where false;");
});
it("codifies production ACL migration versions and neutralizes the later duplicate", () => {
expect(retrievalPublicExecuteMigration).toContain(
"revoke execute on function public.retrieval_owner_matches(uuid, uuid)",
);
expect(retrievalPublicExecuteMigration).toContain(
"revoke execute on function public.search_document_chunks(uuid, text, integer, uuid)",
);
expect(ingestionRpcPrivilegesMigration).toContain(
"revoke execute on function public.complete_ingestion_job(uuid, uuid, uuid, text, text)",
);
expect(ingestionRpcPrivilegesMigration).toContain(
"revoke execute on function public.fail_or_retry_ingestion_job(uuid, uuid, uuid, boolean, text, text, text, timestamp with time zone, text)",
);
for (const [migration, signature] of [
[retrievalPublicExecuteMigration, "public.retrieval_owner_matches(uuid, uuid)"],
[retrievalPublicExecuteMigration, "public.search_document_chunks(uuid, text, integer, uuid)"],
[ingestionRpcPrivilegesMigration, "public.complete_ingestion_job(uuid, uuid, uuid, text, text)"],
[ingestionRpcPrivilegesMigration, "public.fail_or_retry_ingestion_job(uuid, uuid, uuid, boolean, text, text, text, timestamp with time zone, text)"],
] as const) {
expect(migration).toContain(
`revoke execute on function ${signature} from public, anon, authenticated;`,
);
expect(migration).toContain(
`grant execute on function ${signature} to service_role;`,
);
}
expect(ingestionRpcPrivilegesDuplicateMigration).toContain("NEUTRALIZED 2026-07-13");
expect(ingestionRpcPrivilegesDuplicateMigration).toContain("select 1 where false;");
expect(ingestionRpcPrivilegesDuplicateMigration).not.toMatch(
/set search_path|revoke execute on function|grant execute on function/,
);
});
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/supabase-schema.test.ts` around lines 970 - 985, Strengthen the ACL
migration test in the existing test case by asserting the exact from public,
anon, authenticated and to service_role clauses for all four functions,
preserving each function signature. Extend the duplicate-migration assertions to
verify it contains no set search_path, revoke execute, or grant execute
statements while retaining its neutralized marker and false no-op assertion.

@BigSimmo
BigSimmo deleted the codex/production-migration-history-final branch July 13, 2026 16:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant