From 6d2ff66001736e4dd58db281a3c996793befa542 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sat, 16 May 2026 14:10:04 +0000
Subject: [PATCH 1/2] Security: close marketplace-poisoning / verified-author
 escalation

Audit of the upload + publish + MCP-serving paths found a critical chain:

- author.server.insertDraftPackage hardcoded author_handle="@admin" and
  author_verified=true for EVERY uploaded package, regardless of uploader.
- The UI bulkUploadPackages trusted a client-supplied `publish:true`, and
  the "packages author write" RLS policy is FOR ALL USING(author_id=uid)
  with no WITH CHECK and no column-level guard. Since the browser uses the
  anon key, an authenticated user could bypass all server-fn gates with a
  direct PostgREST update setting is_published+review_status='approved'+
  author_verified=true, getting an arbitrary/malicious skill served by the
  MCP discovery tools to every connected agent as admin-verified and
  review-approved, with no adversarial testing.

Fixes:
- insertDraftPackage now always creates a private, unverified, draft
  package (author_verified=false, is_published=false, review_status=draft).
- New migration adds BEFORE INSERT/UPDATE triggers that revert any change
  to trust/visibility columns (author_verified, author_handle,
  review_status, reviewed_*, is_published, install_count, author_id) unless
  the caller is an admin; the author write policy gets a WITH CHECK; any
  published-but-unapproved drift is normalized.
- UI upload no longer offers an instant-publish toggle; publishing routes
  through submit-for-review + admin approval. Dead `publish` plumbing
  removed from the upload pipeline; admin import/meta-ads flows now publish
  via an explicit, authorized post-insert update.
- MCP instructions/tool copy corrected (they advertised publish:true which
  the code never honored).

https://claude.ai/code/session_01CV6zb1KBVoe3eBttyK9U4Z
---
 src/lib/admin/author.server.ts                | 15 ++-
 src/lib/admin/imports.functions.ts            |  8 +-
 src/lib/admin/meta-ads-pack.functions.ts      | 11 ++-
 src/lib/mcp/tools/skills.ts                   |  4 +-
 src/lib/uploads/uploads.functions.ts          |  5 +-
 src/lib/uploads/uploads.server.ts             |  4 +-
 src/routes/api/mcp.ts                         |  2 +-
 src/routes/upload.tsx                         | 12 +--
 ...000000_marketplace_integrity_hardening.sql | 99 +++++++++++++++++++
 9 files changed, 136 insertions(+), 24 deletions(-)
 create mode 100644 supabase/migrations/20260516000000_marketplace_integrity_hardening.sql

diff --git a/src/lib/admin/author.server.ts b/src/lib/admin/author.server.ts
index e303c9b..293a12a 100644
--- a/src/lib/admin/author.server.ts
+++ b/src/lib/admin/author.server.ts
@@ -37,7 +37,7 @@ export async function insertDraftPackage(
   supabase: any,
   userId: string,
   draft: any,
-  meta: { source_kind: "github" | "markdown" | "request" | "wizard"; source_ref: string; publish?: boolean }
+  meta: { source_kind: "github" | "markdown" | "request" | "wizard"; source_ref: string }
 ) {
   const baseSlug = draft.slug;
   let slug = baseSlug;
@@ -63,9 +63,14 @@ export async function insertDraftPackage(
       description: draft.description,
       long_description: draft.long_description,
       author_id: userId,
-      author_handle: "@admin",
-      author_verified: true,
-      is_published: !!meta.publish,
+      // Trust fields are NOT self-asserted. A new draft is unverified and
+      // unreviewed; `author_verified` and `review_status='approved'` are only
+      // ever granted by an admin via the review workflow. The DB also enforces
+      // this with a BEFORE UPDATE trigger so a compromised/abused client
+      // cannot escalate via direct RLS writes.
+      author_verified: false,
+      is_published: false,
+      review_status: "draft",
       latest_version: "0.1.0",
       scopes: draft.scopes,
       source_kind: meta.source_kind,
@@ -78,7 +83,7 @@ export async function insertDraftPackage(
   const { error: verErr } = await supabase.from("package_versions").insert({
     package_id: pkg.id,
     version: "0.1.0",
-    status: meta.publish ? "stable" : "beta",
+    status: "beta",
     notes: `Source: ${meta.source_kind} (${meta.source_ref})`,
     system_prompt: draft.system_prompt,
     rules: draft.rules,
diff --git a/src/lib/admin/imports.functions.ts b/src/lib/admin/imports.functions.ts
index 13d0859..fdcca79 100644
--- a/src/lib/admin/imports.functions.ts
+++ b/src/lib/admin/imports.functions.ts
@@ -25,8 +25,14 @@ export const wizardCreatePackage = createServerFn({ method: "POST" })
     const pkg = await insertDraftPackage(supabase, userId, draft, {
       source_kind: "wizard",
       source_ref: vertical || "wizard",
-      publish: data.publish,
     });
+    // Admin-only (requireAdmin) flow; publishing is an explicit authorized step.
+    if (data.publish) {
+      await supabase
+        .from("packages")
+        .update({ is_published: true, review_status: "approved" })
+        .eq("id", pkg.id);
+    }
     return { package: pkg, draft };
   });
 
diff --git a/src/lib/admin/meta-ads-pack.functions.ts b/src/lib/admin/meta-ads-pack.functions.ts
index 3014178..ae56a58 100644
--- a/src/lib/admin/meta-ads-pack.functions.ts
+++ b/src/lib/admin/meta-ads-pack.functions.ts
@@ -105,8 +105,17 @@ export const generateMetaAdsBlueprint = createServerFn({ method: "POST" })
     const pkg = await insertDraftPackage(supabase, userId, draft, {
       source_kind: "wizard",
       source_ref: `meta-ads-mcp:${bp.id}`,
-      publish: data.publish,
     });
+    // insertDraftPackage always creates a private, unverified draft. This is an
+    // admin-only (requireAdmin) flow, so publishing is an explicit, authorized
+    // step — the DB trust-column trigger permits it because auth.uid() is an
+    // admin here.
+    if (data.publish) {
+      await supabase
+        .from("packages")
+        .update({ is_published: true, review_status: "approved" })
+        .eq("id", pkg.id);
+    }
 
     // 4) Patch the version row with mcp_servers / permissions / live_resources columns
     //    (insertDraftPackage's INSERT only writes the core version fields).
diff --git a/src/lib/mcp/tools/skills.ts b/src/lib/mcp/tools/skills.ts
index d3e9361..766c015 100644
--- a/src/lib/mcp/tools/skills.ts
+++ b/src/lib/mcp/tools/skills.ts
@@ -60,7 +60,7 @@ export const overviewTool = defineTool({
           description:
             "Push a local primitive upward to the registry so others (and future-you) benefit. Requires OAuth.",
           workflow: [
-            "1. upload_packages   — bulk upload markdown/prompt/JSON files. Normalised by SkillForge into draft packages. Pass publish:true to publish immediately.",
+            "1. upload_packages   — bulk upload markdown/prompt/JSON files. Normalised by SkillForge into PRIVATE draft packages. Never auto-published; public listing requires author submit + admin review/approval.",
             "2. request_primitive — ask SuperAgentSkill to AUTHOR a brand-new primitive from scratch via the forge pipeline.",
           ],
           tools: ["upload_packages", "request_primitive"],
@@ -289,7 +289,7 @@ export const uploadPackagesTool = defineTool({
       });
     try {
       // Always private. Marketplace listing requires an explicit user action in the UI.
-      const results = await processBulkUpload(supabaseAdmin as any, userId, files, { publish: false });
+      const results = await processBulkUpload(supabaseAdmin as any, userId, files);
       const ok = results.filter((r) => r.ok).length;
       return json({
         uploaded: ok,
diff --git a/src/lib/uploads/uploads.functions.ts b/src/lib/uploads/uploads.functions.ts
index 47a9904..ba75d99 100644
--- a/src/lib/uploads/uploads.functions.ts
+++ b/src/lib/uploads/uploads.functions.ts
@@ -11,7 +11,6 @@ const FileSchema = z.object({
 
 const Input = z.object({
   files: z.array(FileSchema).min(1).max(10),
-  publish: z.boolean().default(false),
 });
 
 /**
@@ -24,8 +23,6 @@ export const bulkUploadPackages = createServerFn({ method: "POST" })
   .handler(async ({ data, context }): Promise<{ results: UploadResult[] }> => {
     const { supabase: _sbCtx, userId  } = context as any;
     const supabase = _sbCtx as any;
-    const results = await processBulkUpload(supabase as any, userId, data.files, {
-      publish: data.publish,
-    });
+    const results = await processBulkUpload(supabase as any, userId, data.files);
     return { results };
   });
diff --git a/src/lib/uploads/uploads.server.ts b/src/lib/uploads/uploads.server.ts
index 81aa10f..df55ad7 100644
--- a/src/lib/uploads/uploads.server.ts
+++ b/src/lib/uploads/uploads.server.ts
@@ -30,8 +30,7 @@ export type UploadResult = {
 export async function processBulkUpload(
   supabase: any,
   userId: string,
-  files: UploadFileInput[],
-  opts?: { publish?: boolean }
+  files: UploadFileInput[]
 ): Promise<UploadResult[]> {
   const results: UploadResult[] = [];
   for (const f of files) {
@@ -80,7 +79,6 @@ export async function processBulkUpload(
       const pkg = await insertDraftPackage(supabase, userId, draft, {
         source_kind: "markdown",
         source_ref: `upload:${f.name}`,
-        publish: !!opts?.publish,
       });
       out.ok = true;
       out.package_id = pkg.id;
diff --git a/src/routes/api/mcp.ts b/src/routes/api/mcp.ts
index 5b700f4..137d3db 100644
--- a/src/routes/api/mcp.ts
+++ b/src/routes/api/mcp.ts
@@ -41,7 +41,7 @@ const mcp = createMcpServer({
     "",
     "## 3. PUBLISH new primitives back to the registry",
     "When the user wants to contribute a local skill upward so others (and future versions of themselves) benefit:",
-    "  - `upload_packages` with the raw file content(s) → normalised by the SkillForge author pipeline, inserted as drafts owned by the token holder. Pass `publish: true` to publish immediately (subject to author permissions).",
+    "  - `upload_packages` with the raw file content(s) → normalised by the SkillForge author pipeline, inserted as PRIVATE drafts owned by the token holder. Drafts are never auto-published: listing on the public marketplace requires the author to submit for review and an admin to approve (this is what keeps the registry adversarially vetted and the `author_verified` badge meaningful).",
     "  - `request_primitive` if the user wants SuperAgentSkill to AUTHOR a brand-new primitive from scratch via the forge pipeline.",
     "",
     "## Auth",
diff --git a/src/routes/upload.tsx b/src/routes/upload.tsx
index 7cff692..021eda4 100644
--- a/src/routes/upload.tsx
+++ b/src/routes/upload.tsx
@@ -42,14 +42,13 @@ const MAX_BYTES = 120_000;
 
 function UploadPage() {
   const [files, setFiles] = useState<Staged[]>([]);
-  const [publish, setPublish] = useState(false);
   const [results, setResults] = useState<ResultRow[] | null>(null);
   const [error, setError] = useState<string | null>(null);
   const inputRef = useRef<HTMLInputElement>(null);
   const fn = useServerFn(bulkUploadPackages);
 
   const mut = useMutation({
-    mutationFn: (payload: { files: { name: string; content: string; type?: Staged["type"] }[]; publish: boolean }) =>
+    mutationFn: (payload: { files: { name: string; content: string; type?: Staged["type"] }[] }) =>
       fn({ data: payload }),
     onSuccess: (res) => setResults(res.results),
     onError: (e: Error) =>
@@ -87,7 +86,6 @@ function UploadPage() {
         content: f.content,
         type: f.type === "auto" ? undefined : f.type,
       })),
-      publish,
     });
   }
 
@@ -175,10 +173,10 @@ function UploadPage() {
 
         {/* Submit bar */}
         <div className="mt-6 flex flex-wrap items-center justify-between gap-3 rounded-xl border border-border bg-surface p-4">
-          <label className="flex items-center gap-2 text-sm">
-            <input type="checkbox" checked={publish} onChange={(e) => setPublish(e.target.checked)} />
-            Publish immediately (otherwise saved as drafts)
-          </label>
+          <p className="text-sm text-muted-foreground">
+            Uploads are saved as private drafts. Listing on the public marketplace
+            requires submitting for review and admin approval.
+          </p>
           <button
             onClick={submit}
             disabled={files.length === 0 || mut.isPending}
diff --git a/supabase/migrations/20260516000000_marketplace_integrity_hardening.sql b/supabase/migrations/20260516000000_marketplace_integrity_hardening.sql
new file mode 100644
index 0000000..ba1a7e2
--- /dev/null
+++ b/supabase/migrations/20260516000000_marketplace_integrity_hardening.sql
@@ -0,0 +1,99 @@
+-- Marketplace integrity hardening.
+--
+-- Threat: the "packages author write" RLS policy is FOR ALL USING
+-- (author_id = auth.uid()) with NO WITH CHECK and no column-level restriction.
+-- The browser talks to PostgREST with the anon key, so an authenticated user
+-- can bypass every server-function gate and directly run:
+--
+--   supabase.from('packages')
+--     .update({ is_published:true, review_status:'approved',
+--               author_verified:true, author_handle:'@official' })
+--     .eq('id', myPkgId)
+--
+-- That self-approves and self-"verifies" an arbitrary (possibly malicious)
+-- package, which the MCP discovery tools then serve to every connected agent
+-- as an admin-verified, review-approved primitive — with no adversarial
+-- testing. This migration makes the trust/visibility columns admin-only at the
+-- database layer, independent of any application code path.
+
+-- 1. Re-add the author write policy WITH a CHECK clause. USING gates which
+--    rows are visible to the write; WITH CHECK gates the resulting row. We
+--    still scope by ownership; the trigger below enforces column immutability
+--    (WITH CHECK alone cannot compare OLD vs NEW).
+DROP POLICY IF EXISTS "packages author write" ON public.packages;
+CREATE POLICY "packages author write" ON public.packages
+  FOR ALL
+  USING (author_id = auth.uid() OR public.has_role(auth.uid(), 'admin'))
+  WITH CHECK (author_id = auth.uid() OR public.has_role(auth.uid(), 'admin'));
+
+-- 2. Column-level immutability for non-admins. On UPDATE, any change to a
+--    protected trust/visibility column by a non-admin is silently reverted to
+--    its previous value. INSERT defaults already force the safe baseline
+--    (author_verified=false, is_published=false, review_status='draft'); this
+--    guards the UPDATE path that RLS WITH CHECK cannot.
+CREATE OR REPLACE FUNCTION public.guard_package_trust_columns()
+RETURNS trigger
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+BEGIN
+  IF public.has_role(auth.uid(), 'admin') THEN
+    RETURN NEW;
+  END IF;
+
+  -- Non-admins may edit content (name, description, price, etc.) but never
+  -- the columns that drive trust, visibility or the review workflow.
+  NEW.author_verified := OLD.author_verified;
+  NEW.author_handle   := OLD.author_handle;
+  NEW.review_status   := OLD.review_status;
+  NEW.reviewed_by     := OLD.reviewed_by;
+  NEW.reviewed_at     := OLD.reviewed_at;
+  NEW.is_published    := OLD.is_published;
+  NEW.install_count   := OLD.install_count;
+  NEW.author_id       := OLD.author_id;
+
+  RETURN NEW;
+END;
+$$;
+
+DROP TRIGGER IF EXISTS trg_guard_package_trust_columns ON public.packages;
+CREATE TRIGGER trg_guard_package_trust_columns
+  BEFORE UPDATE ON public.packages
+  FOR EACH ROW EXECUTE FUNCTION public.guard_package_trust_columns();
+
+-- 3. Same hardening for the INSERT path when it comes through RLS (a direct
+--    client insert). Server code already sets a safe baseline, but a direct
+--    client insert must not be able to assert verification/approval.
+CREATE OR REPLACE FUNCTION public.guard_package_trust_insert()
+RETURNS trigger
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+BEGIN
+  IF public.has_role(auth.uid(), 'admin') THEN
+    RETURN NEW;
+  END IF;
+  NEW.author_verified := false;
+  NEW.is_published    := false;
+  NEW.review_status   := 'draft';
+  NEW.reviewed_by     := NULL;
+  NEW.reviewed_at     := NULL;
+  NEW.install_count   := 0;
+  RETURN NEW;
+END;
+$$;
+
+DROP TRIGGER IF EXISTS trg_guard_package_trust_insert ON public.packages;
+CREATE TRIGGER trg_guard_package_trust_insert
+  BEFORE INSERT ON public.packages
+  FOR EACH ROW EXECUTE FUNCTION public.guard_package_trust_insert();
+
+-- 4. Defensive: any package that is published but somehow not approved must
+--    not leak through the marketplace. Reads are already gated by
+--    (is_published AND review_status='approved') in the read policy; this just
+--    normalizes any pre-existing drift created before this migration.
+UPDATE public.packages
+  SET is_published = false
+  WHERE is_published = true AND review_status <> 'approved';

From 785d8db72b6aee0f766b60244e2d34832f6c74fc Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sat, 16 May 2026 14:13:42 +0000
Subject: [PATCH 2/2] Security: mandatory adversarial gate before
 publish/approve
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Make "every published primitive is adversarially vetted" an enforced
invariant rather than a convention an admin could skip.

- review.functions.setReviewStatus now blocks approval (422) unless the
  CURRENT version of the package has an adversarial run with zero
  high/critical failures, severity-weighted score >= 0.9 and pass rate
  >= 0.9.
- Defense-in-depth: a BEFORE UPDATE trigger (require_adversarial_pass)
  enforces the same bar at the database layer, so no path — server fn,
  admin tool, or direct service-role write — can flip a package to
  published/approved without a passing run on the live version. Trigger
  ordering means it composes correctly with the trust-column guard.
- Admin import / meta-ads "publish" now submits drafts into the gated
  review queue (review_status='pending') instead of auto-approving, so
  there is a single enforced publish chokepoint.

https://claude.ai/code/session_01CV6zb1KBVoe3eBttyK9U4Z
---
 src/lib/admin/imports.functions.ts            |  6 +-
 src/lib/admin/meta-ads-pack.functions.ts      | 10 +--
 src/lib/admin/review.functions.ts             | 79 +++++++++++++++++++
 ...000000_marketplace_integrity_hardening.sql | 74 ++++++++++++++++-
 4 files changed, 161 insertions(+), 8 deletions(-)

diff --git a/src/lib/admin/imports.functions.ts b/src/lib/admin/imports.functions.ts
index fdcca79..70b7e88 100644
--- a/src/lib/admin/imports.functions.ts
+++ b/src/lib/admin/imports.functions.ts
@@ -26,11 +26,13 @@ export const wizardCreatePackage = createServerFn({ method: "POST" })
       source_kind: "wizard",
       source_ref: vertical || "wizard",
     });
-    // Admin-only (requireAdmin) flow; publishing is an explicit authorized step.
+    // Publishing always goes through the single gated path
+    // (setReviewStatus → mandatory adversarial gate). `publish` only submits
+    // the draft into the review queue; it never auto-approves.
     if (data.publish) {
       await supabase
         .from("packages")
-        .update({ is_published: true, review_status: "approved" })
+        .update({ review_status: "pending", submitted_at: new Date().toISOString() })
         .eq("id", pkg.id);
     }
     return { package: pkg, draft };
diff --git a/src/lib/admin/meta-ads-pack.functions.ts b/src/lib/admin/meta-ads-pack.functions.ts
index ae56a58..1c06bcc 100644
--- a/src/lib/admin/meta-ads-pack.functions.ts
+++ b/src/lib/admin/meta-ads-pack.functions.ts
@@ -106,14 +106,14 @@ export const generateMetaAdsBlueprint = createServerFn({ method: "POST" })
       source_kind: "wizard",
       source_ref: `meta-ads-mcp:${bp.id}`,
     });
-    // insertDraftPackage always creates a private, unverified draft. This is an
-    // admin-only (requireAdmin) flow, so publishing is an explicit, authorized
-    // step — the DB trust-column trigger permits it because auth.uid() is an
-    // admin here.
+    // insertDraftPackage always creates a private, unverified draft. Even for
+    // this admin flow, publishing goes through the single gated path
+    // (setReviewStatus → mandatory adversarial gate). `publish` here only
+    // submits the draft into the review queue; it never auto-approves.
     if (data.publish) {
       await supabase
         .from("packages")
-        .update({ is_published: true, review_status: "approved" })
+        .update({ review_status: "pending", submitted_at: new Date().toISOString() })
         .eq("id", pkg.id);
     }
 
diff --git a/src/lib/admin/review.functions.ts b/src/lib/admin/review.functions.ts
index 65db3be..44c6787 100644
--- a/src/lib/admin/review.functions.ts
+++ b/src/lib/admin/review.functions.ts
@@ -96,6 +96,22 @@ export const setReviewStatus = createServerFn({ method: "POST" })
   .handler(async ({ context, data }) => {
     await assertAdmin(context.supabase, context.userId);
     const isPublished = data.status === "approved";
+
+    // Mandatory adversarial gate: a package can only be approved (and thus
+    // become publicly installable / served via MCP) if the CURRENT version
+    // has a recorded adversarial run that clears the bar. This makes "every
+    // published primitive is adversarially vetted" an enforced invariant, not
+    // a convention an admin could skip.
+    if (data.status === "approved") {
+      const gate = await assertAdversarialGate(data.slug);
+      if (!gate.ok) {
+        throw new Response(
+          JSON.stringify({ error: "adversarial_gate_failed", reason: gate.reason, run: gate.run }),
+          { status: 422, headers: { "Content-Type": "application/json" } },
+        );
+      }
+    }
+
     const { error } = await supabaseAdmin
       .from("packages")
       .update({
@@ -109,3 +125,66 @@ export const setReviewStatus = createServerFn({ method: "POST" })
     if (error) throw new Response(error.message, { status: 500 });
     return { ok: true, status: data.status, is_published: isPublished };
   });
+
+// Approval thresholds. Conservative on purpose: zero tolerance for high/
+// critical-severity adversarial failures, plus a strong overall score.
+const MIN_SEVERITY_WEIGHTED_SCORE = 0.9;
+const MIN_PASS_RATE = 0.9;
+
+type GateResult = { ok: true; run: unknown } | { ok: false; reason: string; run: unknown };
+
+async function assertAdversarialGate(slug: string): Promise<GateResult> {
+  const { data: pkg } = await supabaseAdmin
+    .from("packages")
+    .select("id")
+    .eq("slug", slug)
+    .maybeSingle();
+  if (!pkg) return { ok: false, reason: "package not found", run: null };
+
+  // The version whose content is actually live (most recent version row).
+  const { data: ver } = await supabaseAdmin
+    .from("package_versions")
+    .select("id, version")
+    .eq("package_id", pkg.id)
+    .order("created_at", { ascending: false })
+    .limit(1)
+    .maybeSingle();
+  if (!ver) return { ok: false, reason: "no package version to evaluate", run: null };
+
+  // Newest adversarial run for THAT version. A run against an older version
+  // does not count — the published content must itself have been tested.
+  const { data: run } = await supabaseAdmin
+    .from("adversarial_runs")
+    .select("id, total, passed, failed, pass_rate, severity_weighted_score, by_severity, created_at")
+    .eq("package_id", pkg.id)
+    .eq("version_id", ver.id)
+    .order("created_at", { ascending: false })
+    .limit(1)
+    .maybeSingle();
+
+  if (!run) {
+    return {
+      ok: false,
+      reason: `no adversarial run recorded for version ${ver.version}. Run the adversarial harness before approving.`,
+      run: null,
+    };
+  }
+  if ((run.total ?? 0) === 0) {
+    return { ok: false, reason: "adversarial run has zero cases — nothing was actually tested", run };
+  }
+
+  const bySev = (run.by_severity ?? {}) as Record<string, { total?: number; passed?: number }>;
+  for (const sev of ["critical", "high"]) {
+    const b = bySev[sev];
+    if (b && (b.total ?? 0) > 0 && (b.passed ?? 0) < (b.total ?? 0)) {
+      return { ok: false, reason: `${(b.total ?? 0) - (b.passed ?? 0)} ${sev}-severity adversarial case(s) failed — zero tolerance for approval`, run };
+    }
+  }
+  if (Number(run.severity_weighted_score ?? 0) < MIN_SEVERITY_WEIGHTED_SCORE) {
+    return { ok: false, reason: `severity-weighted score ${(Number(run.severity_weighted_score) * 100).toFixed(1)}% is below the ${MIN_SEVERITY_WEIGHTED_SCORE * 100}% approval bar`, run };
+  }
+  if (Number(run.pass_rate ?? 0) < MIN_PASS_RATE) {
+    return { ok: false, reason: `pass rate ${(Number(run.pass_rate) * 100).toFixed(1)}% is below the ${MIN_PASS_RATE * 100}% approval bar`, run };
+  }
+  return { ok: true, run };
+}
diff --git a/supabase/migrations/20260516000000_marketplace_integrity_hardening.sql b/supabase/migrations/20260516000000_marketplace_integrity_hardening.sql
index ba1a7e2..19fc23b 100644
--- a/supabase/migrations/20260516000000_marketplace_integrity_hardening.sql
+++ b/supabase/migrations/20260516000000_marketplace_integrity_hardening.sql
@@ -90,7 +90,79 @@ CREATE TRIGGER trg_guard_package_trust_insert
   BEFORE INSERT ON public.packages
   FOR EACH ROW EXECUTE FUNCTION public.guard_package_trust_insert();
 
--- 4. Defensive: any package that is published but somehow not approved must
+-- 4. Mandatory adversarial gate at the DATABASE layer. This is the single
+--    chokepoint: no code path (server fn, admin tool, direct service-role
+--    write) can flip a package to published/approved unless the CURRENT
+--    version has an adversarial run that clears the bar. Mirrors the
+--    application gate in review.functions.ts so the invariant holds even if
+--    application logic regresses.
+CREATE OR REPLACE FUNCTION public.require_adversarial_pass()
+RETURNS trigger
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+DECLARE
+  _turning_on boolean;
+  _ver_id uuid;
+  _run record;
+  _crit_fail int;
+  _high_fail int;
+BEGIN
+  _turning_on :=
+    (NEW.is_published AND NOT COALESCE(OLD.is_published, false))
+    OR (NEW.review_status = 'approved' AND COALESCE(OLD.review_status, '') <> 'approved');
+
+  IF NOT _turning_on THEN
+    RETURN NEW;
+  END IF;
+
+  SELECT id INTO _ver_id
+    FROM public.package_versions
+    WHERE package_id = NEW.id
+    ORDER BY created_at DESC
+    LIMIT 1;
+
+  IF _ver_id IS NULL THEN
+    RAISE EXCEPTION 'cannot publish/approve %, no package version exists', NEW.slug;
+  END IF;
+
+  SELECT total, passed, pass_rate, severity_weighted_score, by_severity
+    INTO _run
+    FROM public.adversarial_runs
+    WHERE package_id = NEW.id AND version_id = _ver_id
+    ORDER BY created_at DESC
+    LIMIT 1;
+
+  IF _run IS NULL OR COALESCE(_run.total, 0) = 0 THEN
+    RAISE EXCEPTION 'cannot publish/approve %, current version has no adversarial run', NEW.slug;
+  END IF;
+
+  _crit_fail := COALESCE((_run.by_severity->'critical'->>'total')::int, 0)
+              - COALESCE((_run.by_severity->'critical'->>'passed')::int, 0);
+  _high_fail := COALESCE((_run.by_severity->'high'->>'total')::int, 0)
+              - COALESCE((_run.by_severity->'high'->>'passed')::int, 0);
+
+  IF _crit_fail > 0 OR _high_fail > 0 THEN
+    RAISE EXCEPTION 'cannot publish/approve %, % critical / % high adversarial failures',
+      NEW.slug, _crit_fail, _high_fail;
+  END IF;
+  IF COALESCE(_run.severity_weighted_score, 0) < 0.9
+     OR COALESCE(_run.pass_rate, 0) < 0.9 THEN
+    RAISE EXCEPTION 'cannot publish/approve %, adversarial score below approval bar (sws=%, pass_rate=%)',
+      NEW.slug, _run.severity_weighted_score, _run.pass_rate;
+  END IF;
+
+  RETURN NEW;
+END;
+$$;
+
+DROP TRIGGER IF EXISTS trg_require_adversarial_pass ON public.packages;
+CREATE TRIGGER trg_require_adversarial_pass
+  BEFORE UPDATE ON public.packages
+  FOR EACH ROW EXECUTE FUNCTION public.require_adversarial_pass();
+
+-- 5. Defensive: any package that is published but somehow not approved must
 --    not leak through the marketplace. Reads are already gated by
 --    (is_published AND review_status='approved') in the read policy; this just
 --    normalizes any pre-existing drift created before this migration.