fix(db): restrict manifest mutation access

[riderx]

Summary (AI generated)

• Restrict public.manifest insert and delete access to upload-capable principals instead of any org member
• Add regression coverage proving read-only org members can still read manifest rows but cannot mutate them
• Keep the /updates manifest flow covered so the security fix does not regress delivery behavior

Motivation (AI generated)

A read-only org member could write live OTA manifest metadata through public.manifest, and /updates later returned that metadata to devices. Manifest mutation should require upload-level access because it affects device-facing update artifacts.

Business Impact (AI generated)

This closes a high-severity OTA integrity issue and reduces the chance that low-privilege org members can tamper with update metadata served to customer devices.

Test Plan (AI generated)

• bun lint
• bun run supabase:with-env -- bunx vitest run tests/manifest-rls.test.ts
• bun run supabase:with-env -- bunx vitest run tests/updates-manifest.test.ts

Generated with AI

Summary by CodeRabbit

• New Features

  • Read-only user support: members with read-only rights can view manifest entries.

• Updates

  • Stronger manifest access controls: explicit deny rules now prevent INSERT and DELETE for non-authorized users.

• Tests

  • Expanded coverage verifying read, insert, and delete behaviors for owner vs read-only members; lifecycle seeding/cleanup added.

• Documentation

  • Added guidance to prefer explicit deny policies for operations that must be impossible.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fdedea2e-6319-4be2-9d3c-628cdb5cc81a

📥 Commits

Reviewing files that changed from the base of the PR and between 350df5a and da00475.

📒 Files selected for processing (4)

• AGENTS.md
• supabase/migrations/20260427105834_restrict_manifest_mutation_access.sql
• supabase/tests/26_test_rls_policies.sql
• tests/manifest-rls.test.ts

✅ Files skipped from review due to trivial changes (2)

• supabase/tests/26_test_rls_policies.sql
• AGENTS.md

🚧 Files skipped from review as they are similar to previous changes (2)

• supabase/migrations/20260427105834_restrict_manifest_mutation_access.sql
• tests/manifest-rls.test.ts

---

📝 Walkthrough

Walkthrough

This PR adds explicit restrictive RLS policies preventing INSERT and DELETE on public.manifest via a migration, updates SQL test expectations accordingly, expands TypeScript test coverage for read-only members and REST write-guards, and documents the explicit-deny guideline.

Changes

Cohort / File(s)	Summary
Migration supabase/migrations/20260427105834_restrict_manifest_mutation_access.sql	Drops any existing INSERT/DELETE policies and creates explicit restrictive policies that deny INSERT (WITH CHECK false) and DELETE (USING false) for anon and authenticated.
pgTAP RLS tests supabase/tests/26_test_rls_policies.sql	Updates expectations to assert that INSERT and DELETE on public.manifest are prevented rather than allowed; retains read/update expectations.
Integration tests (TS) tests/manifest-rls.test.ts	Adds read-only app/org fixtures, new helpers (getRestManifestUrl, parseResponseBody, insertManifestRow, deleteManifestRow), a shared ManifestRow type, and tests asserting REST POST/DELETE are blocked for owners and read-only members; seeds/cleans new fixtures.
Documentation AGENTS.md	Adds Rule 1.5: require explicit deny policies for impossible operations with example CREATE POLICY snippets and guidance on naming to express denial intent.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~23 minutes

Possibly related PRs

• fix(db): deny retention metrics user access #1961 — Adds explicit deny RLS policies via SQL migrations and updates the same pgTAP RLS test (supabase/tests/26_test_rls_policies.sql) to assert deny behaviour.

Poem

🐰 I nibble at the schema, make the rules quite clear,

No INSERT hops for mischief, DELETEs shall not appear,
Read-only friends may peek and hum a quiet tune,
Policies locked down beneath the silver moon,
Hop, hop — secure and tidy, manifest sleeps soon.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(db): restrict manifest mutation access' directly and clearly summarizes the main change: restricting insert and delete operations on the manifest table to prevent unauthorized mutations.
Description check	✅ Passed	The description includes a summary and test plan section, though the test plan appears AI-generated and lacks detailed reproduction steps. The description covers the key motivations and business impact but has incomplete formatting relative to the template.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-manifest-mutation-rls

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.1.0)

supabase/migrations/20260427105834_restrict_manifest_mutation_access.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

supabase/tests/26_test_rls_policies.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 28 untouched benchmarks

---

_{Comparing codex/fix-manifest-mutation-rls (da00475) with main (7112440)}

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@supabase/migrations/20260427105834_restrict_manifest_mutation_access.sql`:
- Around line 1-2: Restore two row-level security policies on table
"public.manifest": recreate an INSERT policy (e.g., "Allow users to insert
manifest entries") and a DELETE policy (e.g., "Allow users to delete manifest
entries") that grant permission only when check_min_rights('upload',
get_identity_org_appid()) returns true; ensure the policies target ROLE
authenticated (not anon) and use get_identity_org_appid() to resolve API-key/app
identity per guidelines so upload-capable principals can write while read-only
members remain blocked.

In `@tests/manifest-rls.test.ts`:
- Around line 291-391: Tests only assert that low-privilege principals are
denied; you must add positive cases proving an upload-scoped principal can
INSERT and DELETE. Add one test that uses the upload-capable auth headers (e.g.,
the upload-scoped header constant you have in the suite) to call
insertManifestRow with a new, dedicated app_version_id (or ownVersionId) and
unique file_name/s3_path, assert response.ok/200 and that the created row exists
via getSupabaseClient().from('manifest').select(...).eq('id', createdId), then
add a corresponding test that creates its own row (via direct DB insert or the
insert helper), calls deleteManifestRow with the same upload-scoped headers,
asserts the delete response indicates success and that the row is gone; ensure
you do not reuse shared seed rows and clean up any created rows at test end.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 003d5373-cc8f-4e77-a3a8-fce4cac64a6a

📥 Commits

Reviewing files that changed from the base of the PR and between 36c4353 and 350df5a.

📒 Files selected for processing (3)

• supabase/migrations/20260427105834_restrict_manifest_mutation_access.sql
• supabase/tests/26_test_rls_policies.sql
• tests/manifest-rls.test.ts

💤 Files with no reviewable changes (1)

• supabase/tests/26_test_rls_policies.sql

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud