[codex] fix CLI warnings for app-scoped API keys

[riderx]

Summary (AI generated)

• Added a database migration that lets get_organization_cli_warnings validate app-scoped API keys through an allowed app in the requested org.
• Added pgTAP regression coverage for app-scoped RBAC v2 keys that should pass and app-scoped keys outside the org that should still fail.

Motivation (AI generated)

CLI uploads were failing during the warning preflight with API key does not have read access to this organization when a customer used a key limited to both an org and a specific app. The warning RPC checked org read without app context, so limited_to_apps blocked valid upload keys before the upload permission path ran.

Business Impact (AI generated)

This restores secure scoped API-key uploads for paid customers with multiple apps, avoiding the need to use unrestricted keys in CI/CD and reducing support load around CLI upload failures.

Test Plan (AI generated)

• bunx sqlfluff lint --dialect postgres supabase/migrations/20260516151507_fix_cli_warnings_app_scoped_apikeys.sql
• bun scripts/supabase-worktree.ts test db supabase/tests/00-supabase_test_helpers.sql supabase/tests/20_test_org_management_functions.sql
• Commit hook: bun run cli:build && vue-tsc --noEmit

Generated with AI

Summary by CodeRabbit

• Bug Fixes
  • Fixed CLI permission validation for app-scoped API keys to properly check organization access.
  • Enhanced warning messages for storage limit scenarios, providing clearer guidance on upload restrictions and upgrade recommendations.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new PostgreSQL migration introduces get_organization_cli_warnings(), a security-definer function that checks org-read permission and bridges app-scoped API keys through allowed apps before evaluating storage limit warnings. Extended test fixtures and cases validate permission behavior for app-scoped keys both within and outside the target org.

Changes

CLI warnings and app-scoped RBAC bridging

Layer / File(s)	Summary
CLI warnings function with app-scoped permission bridging supabase/migrations/20260516151507_fix_cli_warnings_app_scoped_apikeys.sql	New get_organization_cli_warnings(orgid uuid, cli_version text) RETURNS jsonb function evaluates org-read permission and bridges app-scoped API keys through an allowed app in the org when permission is denied. Returns fatal messages for org-access denial and storage-limit-exceeded states. Sets function ownership to postgres, grants EXECUTE to anon, authenticated, and service_role, and enforces empty search_path.
App-scoped API key test fixtures and cases supabase/tests/20_test_org_management_functions.sql	Updates test plan to 51 assertions, declares RBAC role/app ID variables for app-uploader and demo-admin roles, inserts app-scoped API key fixtures (target org/app and out-of-org), and adds test cases A2/A3 verifying absence/presence of "no read access" fatal warning for in-org vs. out-of-org app-scoped keys.

Sequence Diagram

sequenceDiagram
  participant Caller as CLI caller
  participant get_org_warnings as get_organization_cli_warnings
  participant cli_check_perm as cli_check_permission
  participant get_apikey as get_apikey_header
  participant db as Database
  
  Caller->>get_org_warnings: call with org_id, cli_version
  get_org_warnings->>cli_check_perm: check org-read permission
  cli_check_perm-->>get_org_warnings: permission denied
  
  get_org_warnings->>get_apikey: extract API key from headers
  get_apikey-->>get_org_warnings: api_key_id
  get_org_warnings->>db: load API key and limited_to_apps
  db-->>get_org_warnings: api_key record
  
  alt key is app-scoped
    get_org_warnings->>db: select allowed app in org
    db-->>get_org_warnings: app_id
    get_org_warnings->>cli_check_perm: re-check permission with app_id
    cli_check_perm-->>get_org_warnings: permission result
  end
  
  alt permission still denied
    get_org_warnings-->>Caller: fatal org-access denial message
  else permission granted
    get_org_warnings->>db: check storage action satisfied
    alt storage not satisfied, MAU/bandwidth satisfied
      get_org_warnings-->>Caller: fatal storage-limit-exceeded message
    else all limits satisfied
      get_org_warnings-->>Caller: empty/success array
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Cap-go/capgo#2060: The new public.get_organization_cli_warnings function relies on the public.cli_check_permission API-key/RBAC oracle introduced in this PR, and the tests extend app-scoped permission checks validated by that earlier work.
• Cap-go/capgo#2214: Further extends public.get_organization_cli_warnings with additional app-scoped RBAC v2 scenarios, building directly on the permission-bridging logic added in the main PR.
• Cap-go/capgo#2079: Addresses app-only RBAC for API keys to ensure org-read checks work with app-scoped keys, complementing the main PR's org-read bridging through allowed apps.

Poem

🐰 Hops through the schemas with permission in mind,
App-scoped keys now bridge what org-checks once confined,
Storage limits warn, and the tests all agree—
RBAC v2 flows like the wind through a tree! 🌳✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: fixing CLI warnings for app-scoped API keys, which directly corresponds to the core functionality added in the migration.
Description check	✅ Passed	The description includes Summary, Motivation, Business Impact, and Test Plan sections covering the changes. However, the template requires a more formal structure with explicit Checklist items and manual testing steps not fully addressed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-cli-warnings-app-scoped-apikeys

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 SQLFluff (4.1.0)

supabase/migrations/20260516151507_fix_cli_warnings_app_scoped_apikeys.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

supabase/tests/20_test_org_management_functions.sql

User Error: No dialect was specified. You must configure a dialect or specify one on the command line using --dialect after the command. Available dialects:
ansi, athena, bigquery, clickhouse, databricks, db2, doris, duckdb, exasol, flink, greenplum, hive, impala, mariadb, materialize, mysql, oracle, postgres, redshift, snowflake, soql, sparksql, sqlite, starrocks, teradata, trino, tsql, vertica

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks¹

---

_{Comparing codex/fix-cli-warnings-app-scoped-apikeys (8a751a9) with main (7a7226e)}

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@supabase/migrations/20260516151507_fix_cli_warnings_app_scoped_apikeys.sql`:
- Around line 65-77: The user-facing message built in the jsonb_build_object
(look for the messages := array_append(... jsonb_build_object(...) ...) block)
contains a redundant/confusing phrase "In order to upload your plan, please
upgrade your plan here"; update that message string to say "In order to upload,
please upgrade your plan here" (or "To upload, please upgrade your plan here")
so it correctly refers to uploading rather than "uploading your plan" while
preserving the rest of the message and the surrounding jsonb_build_object/fatal
field.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 54c2b801-bfdf-4bd6-8be6-2bcd476b06e9

📥 Commits

Reviewing files that changed from the base of the PR and between 7a7226e and 8a751a9.

📒 Files selected for processing (2)

• supabase/migrations/20260516151507_fix_cli_warnings_app_scoped_apikeys.sql
• supabase/tests/20_test_org_management_functions.sql

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Grammatical error in user-facing message.

The message says "In order to upload your plan, please upgrade your plan" which is confusing. It should be "In order to upload, please upgrade your plan" since uploads are what will fail, not "uploading your plan."

📝 Proposed fix

-            'message', 'You have exceeded your storage limit.\nUpload will fail, but you can still download your data.\nMAU and bandwidth limits are not exceeded.\nIn order to upload your plan, please upgrade your plan here: https://console.capgo.app/settings/plans.',
+            'message', 'You have exceeded your storage limit.\nUpload will fail, but you can still download your data.\nMAU and bandwidth limits are not exceeded.\nIn order to upload, please upgrade your plan here: https://console.capgo.app/settings/plans.',

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@supabase/migrations/20260516151507_fix_cli_warnings_app_scoped_apikeys.sql`
around lines 65 - 77, The user-facing message built in the jsonb_build_object
(look for the messages := array_append(... jsonb_build_object(...) ...) block)
contains a redundant/confusing phrase "In order to upload your plan, please
upgrade your plan here"; update that message string to say "In order to upload,
please upgrade your plan here" (or "To upload, please upgrade your plan here")
so it correctly refers to uploading rather than "uploading your plan" while
preserving the rest of the message and the surrounding jsonb_build_object/fatal
field.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud