
fix(db): align API-key oracle grants in schema dump #2167

Closed
hieu-lee wants to merge 1 commit into Cap-go:main from hieu-lee:bounty-1667-schema-dump-apikey-oracle-grants

@hieu-lee hieu-lee commented May 11, 2026

Summary

  • remove stale anon grants for API-key oracle RPCs from supabase/schemas/prod.sql
  • align the schema dump with 20260427105909_fix_apikey_helper_rpc_public_execute.sql and the existing pgTAP expectations
  • keep authenticated and service_role execute grants unchanged

/claim #1667

Test plan

  • git diff --check
  • confirmed no remaining anon grants for get_user_id(text), get_user_id(text,text), or get_org_perm_for_apikey(text,text) in supabase/schemas/prod.sql
  • npx --yes bun@latest run lint:sql -- supabase/schemas/prod.sql could not run locally because sqlfluff is not installed in this environment

Notes

No new migration is needed here: the migration chain already revokes these grants. This patch fixes the schema dump so fresh schema-based resets do not reintroduce the anonymous RPC surface.

Summary by CodeRabbit

  • Bug Fixes
    • Updated API access restrictions to require authentication for certain backend functions that were previously accessible to anonymous users.
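
An added example, not part of the PR or the Capgo code base: a Python check that automates the test plan's manual confirmation against a schema dump. It assumes pg_dump-style ACL statements; the argument names in the constructed sample are hypothetical, and it also flags a missing REVOKE ... FROM PUBLIC, because every role, anon included, can use whatever PUBLIC may execute.

```python
import re

# Oracle RPC signatures named in the PR's test plan, and the roles the PR keeps.
TARGETS = {"get_user_id(text)", "get_user_id(text,text)", "get_org_perm_for_apikey(text,text)"}
ALLOWED = {"authenticated", "service_role"}

# pg_dump-style function ACL statement (format is an assumption), e.g.
#   GRANT ALL ON FUNCTION "public"."f"("a" "text") TO "anon";
ACL_RE = re.compile(
    r'^(GRANT|REVOKE)\s+.+?\s+ON\s+FUNCTION\s+"?public"?\."?(\w+)"?\s*\(([^)]*)\)'
    r'\s+(?:TO|FROM)\s+"?(\w+)"?\s*;', re.IGNORECASE | re.MULTILINE)

def signature(name, args):
    """Normalise '"apikey" "text", "app_id" "text"' to 'name(text,text)' (single-word types only)."""
    types = [a.split()[-1].strip('"') for a in args.split(",") if a.strip()]
    return f"{name}({','.join(types)})"

def audit_dump(sql):
    """Return findings for the target functions; an empty list means the dump is aligned."""
    granted = {t: set() for t in TARGETS}
    revoked_public = set()
    for verb, name, args, role in ACL_RE.findall(sql.lower()):
        sig = signature(name, args)
        if sig in TARGETS and verb == "grant":
            granted[sig].add(role)
        elif sig in TARGETS and role == "public":
            revoked_public.add(sig)
    findings = []
    for sig in sorted(TARGETS):
        for role in sorted(granted[sig] - ALLOWED):
            findings.append(f"{sig}: unexpected GRANT to {role}")
        if sig not in revoked_public:
            findings.append(f"{sig}: no REVOKE ... FROM PUBLIC, default EXECUTE may remain")
        for role in sorted(ALLOWED - granted[sig]):
            findings.append(f"{sig}: missing GRANT to {role}")
    return findings

# Constructed sample input (argument names are assumptions), not the real prod.sql.
SIGS = ['"get_user_id"("apikey" "text")', '"get_user_id"("apikey" "text", "app_id" "text")',
        '"get_org_perm_for_apikey"("apikey" "text", "app_id" "text")']

def sample_dump(roles, revoke_public=True):
    lines = [f'GRANT ALL ON FUNCTION "public".{s} TO "{r}";' for s in SIGS for r in roles]
    if revoke_public:
        lines += [f'REVOKE ALL ON FUNCTION "public".{s} FROM PUBLIC;' for s in SIGS]
    return "\n".join(lines)

if __name__ == "__main__":
    print("\n".join(audit_dump(sample_dump(["anon", "authenticated", "service_role"]))))
```

Run in CI against the real dump with `audit_dump(open("supabase/schemas/prod.sql").read())` and fail the job on a non-empty result.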


coderabbitai Bot commented May 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 1b91d87 and ca6afaa.

📒 Files selected for processing (1)
  • supabase/schemas/prod.sql
💤 Files with no reviewable changes (1)
  • supabase/schemas/prod.sql

Walkthrough

This PR removes anonymous/public access to two API key-related database functions by revoking PUBLIC execute permissions and granting execution only to authenticated and service_role roles.

Changes

API Key Function Access Control

| Layer / File(s) | Summary |
|---|---|
| Privilege Tightening: supabase/schemas/prod.sql | get_org_perm_for_apikey and get_user_id remove anon access; execution is revoked from PUBLIC and re-granted to authenticated and service_role only. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • Cap-go/capgo#1966: Tightens execute grants for API-key-related DB functions by removing anon/public execute access.
  • Cap-go/capgo#1965: Tightens RPC privileges for the same functions (get_user_id and get_org_perm_for_apikey) by revoking public/anon EXECUTE.
  • Cap-go/capgo#2060: Addresses API-key RBAC by restricting anonymous execution of API-key-related RPCs including get_user_id and permission checks.

Poem

🐰 Locks tighten on the API gates,
Anon no more shall validate,
Authenticated keys now reign,
Security grows in the chain. 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: removing stale anonymous grants for API-key oracle functions in the schema dump file. |
| Description check | ✅ Passed | The description includes a clear summary of changes, a comprehensive test plan with specific confirmations, and helpful context about why no new migration is needed. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


imyago9 approved these changes May 11, 2026

codspeed-hq Bot commented May 11, 2026

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks [1]

Comparing hieu-lee:bounty-1667-schema-dump-apikey-oracle-grants (ca6afaa) with main (38e5856) [2]

Footnotes

  1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

  2. No successful run was found on main (1b91d87) during the generation of this report, so 38e5856 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.
