fix(api): allow scoped keys past cli warnings

[riderx]

Summary (AI generated)

• Updated get_organization_cli_warnings so app-scoped API keys are not blocked by an org-level read warning gate.
• Added a regression test proving an app-scoped API key can upload while receiving no org CLI warnings.

Motivation (AI generated)

The upload command calls the org CLI warning RPC before the actual app-scoped upload permission check. New API keys can be valid for app administration or upload without org-level read access, so the warning RPC was incorrectly failing before upload could use the correct permission path.

Business Impact (AI generated)

This restores bundle uploads for customers using scoped API keys in CI/CD while preserving existing plan and upload permission checks. It reduces false authorization failures for the new API key model.

Test Plan (AI generated)

• bun lint
• bunx vitest run tests/rbac-permissions.test.ts
• Pre-commit hook: bun run cli:build && vue-tsc --noEmit

Generated with AI

Summary by CodeRabbit

• New Features

  • CLI warnings refined: scoped/app API keys without org read access no longer trigger read-related fatal warnings; uploads remain permitted when appropriate.
  • Storage-limit warnings now clearly indicate when uploads will be blocked for orgs lacking storage entitlement while other services remain active.

• Tests

  • Added tests confirming scoped keys with restricted org read rights produce no CLI warnings and still allow uploads.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 76d0a71b-15ca-4634-b34d-8645fdd84e29

📥 Commits

Reviewing files that changed from the base of the PR and between ab517b5 and 5f70410.

📒 Files selected for processing (1)

• supabase/migrations/20260507171200_skip_cli_warning_read_fatal_for_scoped_keys.sql

---

📝 Walkthrough

Walkthrough

Adds a SECURITY DEFINER RPC public.get_organization_cli_warnings(orgid, cli_version) that skips org-level warnings when the caller lacks org read rights and may append a fatal storage-limit warning for certain plan states. A test ensures app-scoped API keys without org read rights receive zero warnings.

Changes

CLI Warning Generation for Scoped API Keys

Layer / File(s)	Summary
Function Logic and Security Setup supabase/migrations/20260507171200_skip_cli_warning_read_fatal_for_scoped_keys.sql	New get_organization_cli_warnings(orgid uuid, cli_version text) RPC: resolves API key header, checks org read rights via check_min_rights(), returns empty warnings if read is denied (optionally appending a fatal API-key warning), and conditionally appends a fatal storage-limit warning when plan flags indicate storage is not covered. Function is SECURITY DEFINER, uses empty search_path, owned by postgres, revokes public execute and grants ALL execute to anon, authenticated, and service_role.
RBAC Behavior Validation tests/rbac-permissions.test.ts	New Vitest case in RBAC mode that creates an app-scoped API key without org read rights, sets the capgkey header, asserts check_min_rights denies org read but allows app upload, and asserts get_organization_cli_warnings(..., '7.95.12') returns zero warnings.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Cap-go/capgo#2061: Related changes around org-level rights and API-key/RBAC semantics that interact with get_organization_cli_warnings permission checks.

Suggested labels

codex

Poem

🐰 I hopped through SQL fields at night,
Checked keys and rights before the light,
Scoped keys stay calm — no warnings shown,
Uploads still run, seeds safely sown.
Storage bells ring only when plans are tight.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: allowing scoped API keys to bypass CLI warning validation, which is the core fix in this PR.
Description check	✅ Passed	The description includes a summary explaining the fix, motivation for why it's needed, and a test plan showing the changes were validated.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-cli-warning-scoped-api-keys

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.1.0)

supabase/migrations/20260507171200_skip_cli_warning_read_fatal_for_scoped_keys.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 28 untouched benchmarks

---

_{Comparing codex/fix-cli-warning-scoped-api-keys (5f70410) with main (658fdbd)}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: acd095b4a7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@supabase/migrations/20260507171200_skip_cli_warning_read_fatal_for_scoped_keys.sql`:
- Around line 34-39: The migration uses unqualified built-in functions
array_append and jsonb_build_object inside a SECURITY DEFINER function with
search_path = '', so update the calls to use the pg_catalog schema
(pg_catalog.array_append and pg_catalog.jsonb_build_object) to avoid relying on
search_path and prevent potential privilege escalation; change every occurrence
of array_append(...) and jsonb_build_object(...) in the migration to their
pg_catalog-qualified forms and keep the argument order/structure identical.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0cecc63e-b959-468b-b5d9-b7902b3b18e7

📥 Commits

Reviewing files that changed from the base of the PR and between f98a769 and ab517b5.

📒 Files selected for processing (2)

• supabase/migrations/20260507171200_skip_cli_warning_read_fatal_for_scoped_keys.sql
• tests/rbac-permissions.test.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b4ae1bd553

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[adamsardo]

Found one authorization edge case worth tightening before merge.

get_organization_cli_warnings now returns an empty warning array whenever check_min_rights(... read ...) is false but the supplied API key exists and is not expired. That fixes the app-scoped upload case, but it also means any unrelated active API key can call this RPC for an org it has no read/upload relationship to and avoid the previous fatal API key does not have read access to this organization response.

The regression test covers a scoped key whose limited_to_orgs includes the target org, so it does not catch the unrelated-key path. A safer boundary would be to skip the fatal warning only when the key is non-expired and is plausibly scoped to the requested org, e.g. orgid = ANY(api_key.limited_to_orgs) or one of api_key.limited_to_apps resolves to an app owned by orgid; otherwise keep returning the fatal warning. That preserves app-scoped CI uploads without silently treating a wrong valid key as acceptable for this org.

[grantf04]

I think this can accidentally remove the only storage-limit enforcement for app-scoped uploads. get_organization_cli_warnings() is where the fatal storage warning is generated when storage is not on a good plan, but this patch returns early for any valid scoped API key without org read access. The later POST /bundle path appears to check app.upload_bundle, HTTPS URL format, encryption policy, duplicate version, and then inserts app_versions; I do not see an equivalent is_paying_and_good_plan_org_action(... storage ...) check there. So an app-scoped key can now avoid the fatal storage warning and still create the bundle metadata for an external upload URL.

Could we either keep the storage-plan warning/check even when skipping the org-read warning, or add the same storage entitlement check to the upload/bundle creation path? A regression with storage over limit + app-scoped key + no org read would make this clear.

[KCDaemon]

Rechecked the latest head (5f70410) and the authorization/plan boundary concerns are still present in the current SQL. get_organization_cli_warnings() returns early whenever org read is denied and the supplied API key merely exists and is not expired. It does not prove that the key is scoped to the requested org, nor that one of its app scopes belongs to that org.

That keeps the unrelated-active-key path open: a valid key for some other org can avoid the fatal API key does not have read access to this organization warning for this org. The new regression only covers the intended app-scoped key case, so it does not protect that boundary.

The same early return also still skips the storage-plan warning path. If the later bundle creation path is meant to be the storage entitlement gate, this PR should add/point to that enforcement and cover it; otherwise app-scoped uploads without org read can bypass the fatal storage warning generated here.

git diff --check origin/main...origin/pr-2075 passes locally, but I would keep this blocked until the early-return is limited to keys actually related to the requested org/app and the storage-limit behavior is covered by a regression or enforced later in the upload path.