Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions supabase/migrations/020_swarm_runner_registry.sql
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,6 @@ $$;

ALTER TABLE public.task_runners ENABLE ROW LEVEL SECURITY;

-- Admins can read runner status for observability
-- Service role can read runner status; later migrations add super-admin observability.
CREATE POLICY "task_runners_select" ON public.task_runners
FOR SELECT USING (true);
FOR SELECT TO service_role USING (true);
4 changes: 2 additions & 2 deletions supabase/migrations/036_file_attachments.sql
Original file line number Diff line number Diff line change
Expand Up @@ -58,11 +58,11 @@ CREATE POLICY "Users can delete own workspace attachments"

-- Service role (task runner) can read/insert attachments
CREATE POLICY "Service role can read attachments"
ON public.file_attachments FOR SELECT
ON public.file_attachments FOR SELECT TO service_role
USING (true);

CREATE POLICY "Service role can insert attachments"
ON public.file_attachments FOR INSERT
ON public.file_attachments FOR INSERT TO service_role
WITH CHECK (true);

-- ─── Storage bucket ─────────────────────────────────────────────────────────
Expand Down
2 changes: 1 addition & 1 deletion supabase/migrations/040_team_memory_search.sql
Original file line number Diff line number Diff line change
Expand Up @@ -60,4 +60,4 @@ CREATE POLICY "team_memory_delete" ON public.team_memory
-- ────────────────────────────────────────────────────────────────────────────

CREATE POLICY "team_memory_insert_service" ON public.team_memory
FOR INSERT WITH CHECK (true);
FOR INSERT TO service_role WITH CHECK (true);
2 changes: 1 addition & 1 deletion supabase/migrations/062_knowledge_base.sql
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ CREATE POLICY "knowledge_chunks_select" ON public.knowledge_chunks

-- Insert/delete by service role (processing pipeline) β€” service role bypasses RLS
CREATE POLICY "knowledge_chunks_insert" ON public.knowledge_chunks
FOR INSERT WITH CHECK (true);
FOR INSERT TO service_role WITH CHECK (true);

CREATE POLICY "knowledge_chunks_delete" ON public.knowledge_chunks
FOR DELETE USING (public.is_workspace_member(workspace_id));
Expand Down
2 changes: 1 addition & 1 deletion supabase/migrations/071_chat_widget.sql
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ CREATE POLICY chat_sessions_workspace_read ON chat_sessions

-- Service role bypass for task runner writes
CREATE POLICY chat_sessions_service_write ON chat_sessions
FOR ALL
FOR ALL TO service_role
USING (true)
WITH CHECK (true);

Expand Down
2 changes: 1 addition & 1 deletion supabase/migrations/078_google_connections.sql
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ CREATE POLICY "google_connections_workspace_access"

-- Service role can read/write (for Edge Functions + task runner)
CREATE POLICY "google_connections_service_role"
ON public.google_connections FOR ALL
ON public.google_connections FOR ALL TO service_role
USING (true)
WITH CHECK (true);

Expand Down
60 changes: 60 additions & 0 deletions supabase/migrations/082_harden_service_role_rls_policies.sql
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
-- SPDX-License-Identifier: AGPL-3.0-or-later
-- Copyright (C) 2026 CrewForm
--
-- 082_harden_service_role_rls_policies.sql
--
-- Tighten policies that were intended for trusted backend/service-role writes.
-- Without an explicit TO clause, PostgreSQL policies apply to PUBLIC, which can
-- make Supabase anon/authenticated clients eligible for the policy.

-- Chat widget sessions: workspace members keep the separate read policy;
-- trusted backend writes are limited to service_role.
DROP POLICY IF EXISTS chat_sessions_service_write ON public.chat_sessions;
CREATE POLICY chat_sessions_service_write
ON public.chat_sessions
FOR ALL TO service_role
USING (true)
WITH CHECK (true);

-- Google OAuth tokens: only service role should read/write token material.
DROP POLICY IF EXISTS "google_connections_service_role" ON public.google_connections;
CREATE POLICY "google_connections_service_role"
ON public.google_connections
FOR ALL TO service_role
USING (true)
WITH CHECK (true);

-- File attachment metadata: workspace policies handle user access; service
-- access is limited to the task runner/backend.
DROP POLICY IF EXISTS "Service role can read attachments" ON public.file_attachments;
CREATE POLICY "Service role can read attachments"
ON public.file_attachments
FOR SELECT TO service_role
USING (true);

DROP POLICY IF EXISTS "Service role can insert attachments" ON public.file_attachments;
CREATE POLICY "Service role can insert attachments"
ON public.file_attachments
FOR INSERT TO service_role
WITH CHECK (true);

-- Team memory and knowledge chunks are inserted by backend pipelines.
DROP POLICY IF EXISTS "team_memory_insert_service" ON public.team_memory;
CREATE POLICY "team_memory_insert_service"
ON public.team_memory
FOR INSERT TO service_role
WITH CHECK (true);

DROP POLICY IF EXISTS "knowledge_chunks_insert" ON public.knowledge_chunks;
CREATE POLICY "knowledge_chunks_insert"
ON public.knowledge_chunks
FOR INSERT TO service_role
WITH CHECK (true);

-- Runner status should not be public. Service-role task runner access bypasses
-- RLS; super admins can still read status for observability.
DROP POLICY IF EXISTS "task_runners_select" ON public.task_runners;
CREATE POLICY "task_runners_select"
ON public.task_runners
FOR SELECT TO authenticated
USING (public.is_super_admin());
Loading