fix(security): enforce encrypted bundle updates #1817

Merged: riderx merged 2 commits into main from codex/fix-ghsa-4qwf-update-enforcement on Mar 18, 2026

Conversation


@riderx riderx commented Mar 17, 2026

Summary (AI generated)

  • Enforce encrypted-bundle validation on direct app_versions updates to session_key, key_id, app_id, and owner_org.
  • Add a regression test proving an app-scoped API key cannot clear session_key after org encrypted-bundle enforcement is enabled.

Motivation (AI generated)

An organization-level encrypted-bundle control was only enforced at insert time. Direct PostgREST updates could later downgrade an existing encrypted bundle by clearing session_key, which bypassed the intended backend invariant.

Business Impact (AI generated)

This closes a security-control bypass on OTA bundle metadata, preserving the integrity of encrypted-bundle enforcement for customers who enable it.

Test Plan (AI generated)

  • bun run supabase:start
  • bun run supabase:functions:serve
  • bun run supabase:with-env -- bunx vitest run tests/enforce-encrypted-bundles.test.ts
  • bun run lint:backend -- --fix=false
  • bun run test:backend

Generated with AI

Summary by CodeRabbit

  • Bug Fixes

    • Strengthened database enforcement for encrypted bundles so updates that remove required encryption parameters (session key or key identifier) are rejected, preserving encryption integrity.
  • Tests

    • Added tests to confirm enforcement rejects attempts to clear encryption fields and that original encryption data remains intact after failed updates.

@riderx riderx added the codex label Mar 17, 2026

coderabbitai bot commented Mar 17, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between e722226 and 93e1dbe.

📒 Files selected for processing (1)
  • supabase/migrations/20260317100429_fix_encrypted_bundle_update_enforcement.sql
🚧 Files skipped from review as they are similar to previous changes (1)
  • supabase/migrations/20260317100429_fix_encrypted_bundle_update_enforcement.sql

Walkthrough

Adds a SQL migration that replaces the existing enforce_encrypted_bundle_trigger on public.app_versions with a trigger that fires BEFORE INSERT OR UPDATE OF session_key, key_id, executing public.check_encrypted_bundle_on_insert(). Also adds a test verifying enforcement rejects clearing session_key.

Changes

Cohort / File(s): Database Trigger Migration
  supabase/migrations/20260317100429_fix_encrypted_bundle_update_enforcement.sql
Summary: Drops existing enforce_encrypted_bundle_trigger (if present) and creates it to run BEFORE INSERT OR UPDATE OF session_key, key_id on public.app_versions, calling public.check_encrypted_bundle_on_insert(). Trigger now targets only the encryption-related fields.

Cohort / File(s): Test Coverage
  tests/enforce-encrypted-bundles.test.ts
Summary: Adds a test that enables enforcement, attempts to clear session_key (and set key_id to null) on an existing bundle, asserts an encryption_required error is returned, verifies the original session_key remains, and resets enforcement flag.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

  • Cap-go/capgo#1343 — Modifies the same trigger (enforce_encrypted_bundle_trigger on public.app_versions) and uses the same trigger function (check_encrypted_bundle_on_insert), indicating a direct code-level relationship.

Suggested labels

💰 Rewarded

Poem

🐰 thump-thump with a twitchy nose
A tiny trigger hops in place,
It guards each bundle's secret space,
Tests nibble at the edges bold,
And keep our encrypted carrots cold 🥕🔐

Pre-merge checks: 3 passed

Title check: Passed. The title clearly and specifically identifies the main security fix: enforcing encrypted bundle updates, which directly matches the primary changeset objective.
Description check: Passed. The description covers Summary, Motivation, and Business Impact comprehensively, and includes a detailed Test Plan section with all verification steps marked as completed, though it lacks the standard template format.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.0.4)
supabase/migrations/20260317100429_fix_encrypted_bundle_update_enforcement.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica


Comment @coderabbitai help to get the list of available commands and usage tips.
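To make the bypass described in the Motivation and the trigger change described in the Walkthrough concrete, here is an added Postgres sketch; it is not the project's migration or its real check_encrypted_bundle_on_insert() body (which this page does not show), and the public.orgs table with its enforce_encrypted_bundles column is an assumed name taken from the test description.

```sql
-- Added illustration, not Capgo's own code. Assumed: public.orgs(id, enforce_encrypted_bundles)
-- and public.app_versions(owner_org, session_key, key_id). The error text
-- 'encryption_required' matches what the PR's regression test asserts on.

create or replace function public.check_encrypted_bundle_on_insert()
returns trigger
language plpgsql
as $$
begin
  -- Only orgs that opted into enforcement are affected.
  if exists (
    select 1
    from public.orgs o
    where o.id = new.owner_org
      and o.enforce_encrypted_bundles
  )
  and (new.session_key is null or new.key_id is null) then
    raise exception 'encryption_required'
      using hint = 'This org requires encrypted bundles: session_key and key_id must be set';
  end if;
  return new;
end;
$$;

-- Before the fix (assumed original shape): the trigger fired on INSERT only,
-- so a later UPDATE ... SET session_key = NULL through PostgREST was never checked.
--
--   create trigger enforce_encrypted_bundle_trigger
--     before insert on public.app_versions
--     for each row execute function public.check_encrypted_bundle_on_insert();

-- After the fix (as the walkthrough describes): the same function also runs
-- whenever the encryption columns are updated.
drop trigger if exists enforce_encrypted_bundle_trigger on public.app_versions;

create trigger enforce_encrypted_bundle_trigger
  before insert or update of session_key, key_id on public.app_versions
  for each row execute function public.check_encrypted_bundle_on_insert();

-- With enforcement enabled for the row's org, a downgrade attempt such as
--   update public.app_versions set session_key = null, key_id = null where id = <bundle id>;
-- now fails with encryption_required and the original session_key stays intact.
```

Because the trigger is BEFORE ... FOR EACH ROW, raising inside the function aborts the statement, which is what the test's "original session_key remains" assertion relies on.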

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
tests/enforce-encrypted-bundles.test.ts (1)

48-86: Consider restructuring for concurrent test execution.

The tests use it() instead of it.concurrent() because they sequentially toggle enforce_encrypted_bundles on the same org. While this is a valid reason, consider whether each test could use a separate test org or reset atomically within each test to enable concurrency. The current approach is functional but may slow down the test suite.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tests/enforce-encrypted-bundles.test.ts` around lines 48 - 86, Tests toggle
the same org's enforce_encrypted_bundles setting sequentially (using it()) which
prevents safe concurrency; update tests that call getSupabaseClient and use
ORG_ID_ENCRYPTED so each test either (a) creates and uses an isolated org id via
a helper (e.g., createTestOrg/deleteTestOrg) and then switch to it.concurrent()
for the two specs, or (b) perform an atomic setup/teardown around each test with
beforeEach/afterEach that sets enforce_encrypted_bundles to a known value so
tests can remain independent; change the two specs ("should have
enforce_encrypted_bundles = false by default" and "should allow updating
enforce_encrypted_bundles setting") to use the chosen isolation helper or
setup/teardown and then enable concurrency where safe.
📥 Commits

Reviewing files that changed from the base of the PR and between 877c35b and e722226.

📒 Files selected for processing (2)
  • supabase/migrations/20260317100429_fix_encrypted_bundle_update_enforcement.sql
  • tests/enforce-encrypted-bundles.test.ts

@riderx riderx merged commit 564d123 into main Mar 18, 2026
15 checks passed
@riderx riderx deleted the codex/fix-ghsa-4qwf-update-enforcement branch March 18, 2026 18:58