fix(api): allow scoped keys past cli warnings

[riderx]

Summary (AI generated)

• Updated get_organization_cli_warnings so app-scoped API keys are not blocked by an org-level read warning gate.
• Added a regression test proving an app-scoped API key can upload while receiving no org CLI warnings.

Motivation (AI generated)

The upload command calls the org CLI warning RPC before the actual app-scoped upload permission check. New API keys can be valid for app administration or upload without org-level read access, so the warning RPC was incorrectly failing before upload could use the correct permission path.

Business Impact (AI generated)

This restores bundle uploads for customers using scoped API keys in CI/CD while preserving existing plan and upload permission checks. It reduces false authorization failures for the new API key model.

Test Plan (AI generated)

• bun lint
• bunx vitest run tests/rbac-permissions.test.ts
• Pre-commit hook: bun run cli:build && vue-tsc --noEmit

Generated with AI

Summary by CodeRabbit

• New Features

  • CLI warnings refined: scoped/app API keys without org read access no longer trigger read-related fatal warnings; uploads remain permitted when appropriate.
  • Storage-limit warnings now clearly indicate when uploads will be blocked for orgs lacking storage entitlement while other services remain active.

• Tests

  • Added tests confirming scoped keys with restricted org read rights produce no CLI warnings and still allow uploads.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 76d0a71b-15ca-4634-b34d-8645fdd84e29

📥 Commits

Reviewing files that changed from the base of the PR and between ab517b5 and 5f70410.

📒 Files selected for processing (1)

• supabase/migrations/20260507171200_skip_cli_warning_read_fatal_for_scoped_keys.sql

---

📝 Walkthrough

Walkthrough

Adds a SECURITY DEFINER RPC public.get_organization_cli_warnings(orgid, cli_version) that skips org-level warnings when the caller lacks org read rights and may append a fatal storage-limit warning for certain plan states. A test ensures app-scoped API keys without org read rights receive zero warnings.

Changes

CLI Warning Generation for Scoped API Keys

Layer / File(s)	Summary
Function Logic and Security Setup supabase/migrations/20260507171200_skip_cli_warning_read_fatal_for_scoped_keys.sql	New get_organization_cli_warnings(orgid uuid, cli_version text) RPC: resolves API key header, checks org read rights via check_min_rights(), returns empty warnings if read is denied (optionally appending a fatal API-key warning), and conditionally appends a fatal storage-limit warning when plan flags indicate storage is not covered. Function is SECURITY DEFINER, uses empty search_path, owned by postgres, revokes public execute and grants ALL execute to anon, authenticated, and service_role.
RBAC Behavior Validation tests/rbac-permissions.test.ts	New Vitest case in RBAC mode that creates an app-scoped API key without org read rights, sets the capgkey header, asserts check_min_rights denies org read but allows app upload, and asserts get_organization_cli_warnings(..., '7.95.12') returns zero warnings.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Cap-go/capgo#2061: Related changes around org-level rights and API-key/RBAC semantics that interact with get_organization_cli_warnings permission checks.

Suggested labels

codex

Poem

🐰 I hopped through SQL fields at night,
Checked keys and rights before the light,
Scoped keys stay calm — no warnings shown,
Uploads still run, seeds safely sown.
Storage bells ring only when plans are tight.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: allowing scoped API keys to bypass CLI warning validation, which is the core fix in this PR.
Description check	✅ Passed	The description includes a summary explaining the fix, motivation for why it's needed, and a test plan showing the changes were validated.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-cli-warning-scoped-api-keys

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.1.0)

supabase/migrations/20260507171200_skip_cli_warning_read_fatal_for_scoped_keys.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 28 untouched benchmarks

---

_{Comparing codex/fix-cli-warning-scoped-api-keys (5f70410) with main (658fdbd)}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: acd095b4a7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@supabase/migrations/20260507171200_skip_cli_warning_read_fatal_for_scoped_keys.sql`:
- Around line 34-39: The migration uses unqualified built-in functions
array_append and jsonb_build_object inside a SECURITY DEFINER function with
search_path = '', so update the calls to use the pg_catalog schema
(pg_catalog.array_append and pg_catalog.jsonb_build_object) to avoid relying on
search_path and prevent potential privilege escalation; change every occurrence
of array_append(...) and jsonb_build_object(...) in the migration to their
pg_catalog-qualified forms and keep the argument order/structure identical.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0cecc63e-b959-468b-b5d9-b7902b3b18e7

📥 Commits

Reviewing files that changed from the base of the PR and between f98a769 and ab517b5.

📒 Files selected for processing (2)

• supabase/migrations/20260507171200_skip_cli_warning_read_fatal_for_scoped_keys.sql
• tests/rbac-permissions.test.ts

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b4ae1bd553

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud