fix(rbac): enforce channel promotion overrides #2093

Merged: riderx merged 1 commit into main from codex/fix-channel-promotion-rbac on May 10, 2026

Conversation

riderx (Member) commented May 10, 2026

Summary (AI generated)

  • Hardened channel promotion entry points so bundle-to-channel writes keep the app-level access guard and still require channel-scoped channel.promote_bundle permission.
  • Tightened frontend channel-version actions to use promotion permission for version changes and recheck promotion before writing from the bundle page.
  • Added unit coverage for the /bundle/set_channel RBAC guard sequence and denial behavior.

Motivation (AI generated)

GHSA-633x-9x77-77gf requires channel-specific promotion overrides to be respected on promotion paths. The current base already includes database trigger enforcement; this PR closes the remaining backend/UI guard coverage around the shortcut flows.

Business Impact (AI generated)

This reduces the risk that a user with broad app access can promote bundles to channels where a channel-specific deny override should apply, protecting staged rollout and production channel controls.

Test Plan (AI generated)

  • bun lint
  • bun lint:backend
  • bun typecheck
  • bun run supabase:with-env -- bunx vitest run tests/bundle-set-channel-rbac.unit.test.ts tests/rbac-permissions.test.ts
  • GitHub CI checks on the updated PR branch

coderabbitai Bot (Contributor) commented May 10, 2026

Walkthrough

The PR adds channel-scoped RBAC permission checks for bundle promotion across the frontend UI and backend API, with tests verifying the backend guard. Frontend components filter available channels to only promotable ones and perform permission checks before updates. The backend enforces both app-scoped and channel-scoped permissions early. Error handling provides explicit user feedback when operations are blocked.

Changes (Channel-Scoped Bundle Promotion RBAC)

  • Backend Permission Guard (supabase/functions/_backend/public/bundle/set_channel.ts): setChannel performs an early app-scoped RBAC permission check after validating appId, before fetching records.
  • Backend Permission Tests (tests/bundle-set-channel-rbac.unit.test.ts): unit tests verify that setChannel enforces both the app-scoped and the channel-scoped channel.promote_bundle checks, issues the UPDATE query on success, and rejects with 400 when the channel-scoped permission is denied.
  • Frontend Permission Computation (src/pages/app/[app].bundle.[bundle].vue): introduces a selectableChannels computed property that filters channels to only those the user can promote to.
  • Bundle Page Permission-Gated Actions (src/pages/app/[app].bundle.[bundle].vue): the bundle page setChannel checks the channel-scoped permission before the Supabase update; the channel chooser template now iterates selectableChannels.
  • Channel Settings Page Updates (src/pages/app/[app].channel.[channel].vue): saveChannelChange derives the permission gate by key (canPromoteBundle for version, canUpdateChannelSettings for other fields), validates input, and returns a boolean success status with explicit error/success toasts.
  • Deployment Banner User Feedback (src/components/dashboard/DeploymentBanner.vue): executeDeployment shows an error toast when no allowed deployment targets remain after filtering.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • Cap-go/capgo#2067: Related PR implementing the initial channel-scoped channel.promote_bundle permission framework that this PR extends with frontend filtering and backend permission enforcement.

Poem

A rabbit hops through channels with care,
Checking permissions with every dare,
No silent returns when access denied—
A toast appears by the user's side! 🐰✨

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)

  • Docstring Coverage (Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

Passed checks (4 passed)

  • Title check (Passed): The title 'fix(rbac): enforce channel promotion overrides' directly summarizes the main change: adding RBAC enforcement for channel promotion, which is the primary objective across all modified files.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Description check (Passed): The PR description is largely complete with a clear summary, motivation, business impact, and detailed test plan, though it lacks the explicit manual testing steps and screenshots sections from the template.


riderx force-pushed the codex/fix-channel-promotion-rbac branch from 4b7a297 to 9874da7 on May 10, 2026 16:14

codspeed-hq Bot (Contributor) commented May 10, 2026

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks [1]

Comparing codex/fix-channel-promotion-rbac (9874da7) with main (bf9ae36)

Footnotes

  1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.


riderx merged commit 5e19137 into main on May 10, 2026 (40 checks passed)
riderx deleted the codex/fix-channel-promotion-rbac branch on May 10, 2026 17:10