Area: api · policy · observability (streaming) — security (RLS bypass on the stream path) · found via pre-launch audit
Expected: the SSE delivery path applies the same policy as the structured-query path — both the column allowlist and the row-filter (RLS predicate) that the query path injects.
Actual: the SSE stream applies the column allowlist but not the policy row-filter, so the two read paths drift: a subscriber receives rows that the structured-query path would filter out for that role.
Impact: any deployment that combines row-policies with a public or role-scoped SSE stream leaks rows over the stream that RLS should remove — a data-exposure on the streaming surface. Live signal on Stats is limited (the public table carries no restrictive row-policy), but the gap is real for any future private/PII table fronted by a stream.
Scope: apply the query-path row-filter inside the stream policy evaluation (applyStreamPolicy).
Related: #294 (SSE delivery path), #214 (per-table policy scopes), the applyStreamPolicy unfiltered-passthrough issue.
From WaveHouse-Stats pre-launch security audit (WAVEHOUSE-FEEDBACK.md dogfooding), audited dev 60fed15 (2026-06-10). Filed via /pm-triage.
Area: api · policy · observability (streaming) — security (RLS bypass on the stream path) · found via pre-launch audit
Expected: the SSE delivery path applies the same policy as the structured-query path — both the column allowlist and the row-filter (RLS predicate) that the query path injects.
Actual: the SSE stream applies the column allowlist but not the policy row-filter, so the two read paths drift: a subscriber receives rows that the structured-query path would filter out for that role.
Impact: any deployment that combines row-policies with a public or role-scoped SSE stream leaks rows over the stream that RLS should remove — a data-exposure on the streaming surface. Live signal on Stats is limited (the public table carries no restrictive row-policy), but the gap is real for any future private/PII table fronted by a stream.
Scope: apply the query-path row-filter inside the stream policy evaluation (
applyStreamPolicy).Related: #294 (SSE delivery path), #214 (per-table policy scopes), the
applyStreamPolicyunfiltered-passthrough issue.From WaveHouse-Stats pre-launch security audit (
WAVEHOUSE-FEEDBACK.mddogfooding), audited dev60fed15(2026-06-10). Filed via /pm-triage.