Skip to content

fix(db): enable RLS on tables added since the original RLS migration#332

Merged
QSchlegel merged 1 commit into
preprodfrom
fix/enable-rls-followup-tables
Jul 6, 2026
Merged

fix(db): enable RLS on tables added since the original RLS migration#332
QSchlegel merged 1 commit into
preprodfrom
fix/enable-rls-followup-tables

Conversation

@QSchlegel

Copy link
Copy Markdown
Collaborator

Why

The Supabase security advisor reports rls_disabled_in_public (ERROR level) for seven tables in production: PendingBot, BotClaimToken, AuditLog, Contact, WalletBotAccess, BotKey, BotUser. All were created after 20251215090000_enable_rls_disable_postgrest, which enabled RLS + deny-all PostgREST policies on every table that existed at the time — but nothing enforces the pattern for tables added later.

This closes the July roadmap item "review the Supabase RLS advisory on the seven rls_enabled:false tables".

What

One follow-up migration in the exact pattern of the original:

  • The 7 flagged tables, plus the tables that will be flagged as soon as they deploy: ProposalTally (on main, deploy still pending) and the notification-center tables WalletSignerNotificationSetting, EmailVerificationToken, NotificationDelivery (currently preprod-only) — 11 total.
  • RLS enabled unconditionally; deny-all policies for anon/authenticated created only if those roles exist; tables that don't exist are skipped. Safe on any PostgreSQL, no-op outside Supabase.
  • Prisma connects as the table owner (service role) and continues to bypass RLS — no app behavior change.

Advisor reference: rls_disabled_in_public

Note for the deploy

The ProposalTally migration from #303 still hasn't been applied to production (the June 17 deploy-migrations run failed pre-Node-22-fix, and nothing has re-triggered it). When this PR eventually reaches main it will trigger the deploy workflow and apply both. If governance tallies erroring in prod is urgent before then, dispatch Deploy Database Migrations manually on main.

🤖 Generated with Claude Code

…ce the original RLS migration

The Supabase security advisor flags rls_disabled_in_public (ERROR) on the
seven tables created after 20251215090000_enable_rls_disable_postgrest:
PendingBot, BotClaimToken, AuditLog, Contact, WalletBotAccess, BotKey,
BotUser. ProposalTally and the three notification-center tables would be
flagged as soon as they reach production, so they are included too.

Same idempotent pattern as the original migration: RLS on, deny-all for
anon/authenticated when those roles exist, Prisma service role unaffected.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
multisig Ready Ready Preview, Comment Jul 6, 2026 8:31am

Request Review

@QSchlegel QSchlegel merged commit 1e5dae8 into preprod Jul 6, 2026
7 checks passed
@QSchlegel QSchlegel deleted the fix/enable-rls-followup-tables branch July 6, 2026 09:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant