fix(security+ci+env): Audit 2026-06-02 — Steps 4/5/6 completed #627
…rreto, RLS ai_description_queue

STEP 4 — Security fix:
- supabase/migrations/20260602130000: replaces the USING(true) policy on ai_description_queue with 4 granular policies (least privilege)
  - SELECT: owner OR is_admin_or_above()
  - INSERT: WITH CHECK auth.uid() = requested_by
  - UPDATE/DELETE: is_admin_or_above() only
Eliminates the IDOR risk identified in the 2026-06-02 audit (RISCO-1)

STEP 5 — CI fix:
- .github/workflows/quality-gate.yml: file stored as plain YAML (the previous version on main had incorrect encodings, with mojibake in VITE_SUPABASE_URL → VITE_SUPA@¡SE_URL). 5 gates now clean: Gate1=TSC, Gate2=ESLint, Gate3=Build, Gate4=Vitest, Gate5=SupabaseDrift

STEP 6 — Env fix:
- .env.example: the primary var is now VITE_SUPABASE_ANON_KEY (official Supabase standard); PUBLISHABLE_KEY kept as a commented alias for compatibility. Prevents new devs from creating a .env with the wrong name.

Audit 2026-06-02 — Immediate actions: DONE (4/4 urgent steps)
Pull request overview
This PR completes steps 4/5/6 of the QA Audit (2026-06-02): it hardens the RLS of the AI queue to mitigate IDOR, restores the CI "quality gate" workflow as valid YAML, and aligns .env.example with the canonical name of the Supabase anon key.
Changes:
- Security: replaces the permissive policy on `ai_description_queue` with granular policies (owner/admin).
- CI: rewrites `quality-gate.yml` as valid YAML and adds a drift check for the Supabase types.
- Env: standardises `.env.example` on `VITE_SUPABASE_ANON_KEY`, keeping the legacy alias commented out.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| supabase/migrations/20260602130000_fix_ai_description_queue_rls_policy.sql | Removes the permissive policy and creates a more restrictive set of RLS policies for the AI queue. |
| .github/workflows/quality-gate.yml | Fixes the broken workflow (mojibake/base64) and adds a Supabase types drift gate. |
| .env.example | Aligns the anon key variable with the Supabase standard and keeps the legacy alias documented. |
| -- SELECT: usuário vê apenas suas próprias filas, admins veem tudo | ||
| CREATE POLICY "ai_queue_read_own_or_admin" | ||
| ON ai_description_queue | ||
| FOR SELECT | ||
| USING ( | ||
| auth.uid() = requested_by | ||
| OR is_admin_or_above(auth.uid()) | ||
| ); |
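Review bot: the SELECT policy (and the three that follow) has no `TO` clause, so it applies to every role including `anon`, where `auth.uid()` is NULL and `is_admin_or_above(NULL)` is evaluated for nothing; adding `TO authenticated` states the intent and skips evaluation for anonymous requests. The PR description writes `is_admin_or_above()` with no argument while the policy calls `is_admin_or_above(auth.uid())`, so confirm the uuid-taking signature exists or the migration fails at apply time. Wrapping the calls as `(SELECT auth.uid())` and `(SELECT is_admin_or_above(auth.uid()))` lets the planner evaluate them once per query instead of once per row, which matters on a queue table that grows.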
| -- INSERT: usuário pode inserir somente como ele mesmo | ||
| CREATE POLICY "ai_queue_insert_own" | ||
| ON ai_description_queue | ||
| FOR INSERT | ||
| WITH CHECK ( | ||
| auth.uid() = requested_by | ||
| ); |
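Review bot: `WITH CHECK (auth.uid() = requested_by)` also rejects rows where `requested_by` is NULL, because the comparison yields NULL and the check treats that as failure; a client that omits the column gets an RLS violation instead of a row attributed to itself. If clients are expected to omit it, a `DEFAULT auth.uid()` on `requested_by` keeps the check satisfied without loosening it; if not, a NOT NULL constraint makes the failure mode explicit.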
| -- UPDATE: somente admins podem atualizar status de fila | ||
| CREATE POLICY "ai_queue_update_admin_only" | ||
| ON ai_description_queue | ||
| FOR UPDATE | ||
| USING ( | ||
| is_admin_or_above(auth.uid()) | ||
| ) | ||
| WITH CHECK ( | ||
| is_admin_or_above(auth.uid()) | ||
| ); |
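Review bot: with UPDATE restricted to `is_admin_or_above(auth.uid())`, whatever processes the queue and writes the status back must run with the service role (which bypasses RLS) or as an admin; a worker connecting with the anon/authenticated key would have its status updates silently affect 0 rows. Worth stating in the migration comment which role the processor uses, so the next reader does not loosen this policy to "fix" a stuck queue.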
| -- DELETE: somente admins podem remover entradas de fila | ||
| CREATE POLICY "ai_queue_delete_admin_only" | ||
| ON ai_description_queue | ||
| FOR DELETE | ||
| USING ( | ||
| is_admin_or_above(auth.uid()) | ||
| ); |
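Review bot: the `DROP POLICY` of `ai_queue_service_all` that the description mentions is not in this visible region; it must be in the same migration, because PostgreSQL policies are permissive by default and OR together, so if the old `USING (true)` policy survived, these four new policies would add no restriction at all. Suggest `DROP POLICY IF EXISTS "ai_queue_service_all" ON ai_description_queue;` immediately before the first `CREATE POLICY`, matching the `DROP POLICY IF EXISTS` item in the checklist.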
| - name: Generate Supabase types | ||
| id: gen_types | ||
| run: | | ||
| npx supabase gen types typescript \ | ||
| --project-id doufsxqlfjyuvxuezpln \ | ||
| > /tmp/supabase-types-fresh.ts | ||
| env: | ||
| SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }} | ||
| continue-on-error: true | ||
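Review bot: `continue-on-error: true` here, combined with `if: steps.gen_types.outcome == 'success'` on the next step, means a missing `SUPABASE_ACCESS_TOKEN` (fork and Dependabot PRs do not receive repository secrets) skips the drift gate with no visible signal. Emit a `::notice::` when this step fails so reviewers can see the check did not run. The project ref `doufsxqlfjyuvxuezpln` is also hard-coded twice in the workflow; a repository variable such as `${{ vars.SUPABASE_PROJECT_ID }}` keeps the two occurrences from drifting apart.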
| - name: Check for type drift | ||
| if: steps.gen_types.outcome == 'success' | ||
| run: | | ||
| if ! diff -q src/integrations/supabase/types.ts /tmp/supabase-types-fresh.ts > /dev/null 2>&1; then | ||
| echo "::warning::Supabase types are out of sync with the database schema!" | ||
| echo "::warning::Run: npx supabase gen types typescript --project-id doufsxqlfjyuvxuezpln > src/integrations/supabase/types.ts" | ||
| diff src/integrations/supabase/types.ts /tmp/supabase-types-fresh.ts | head -50 | ||
| else | ||
| echo "Types are in sync ✅" | ||
| fi |
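Review bot: the step only emits `::warning::` annotations and never exits non-zero, so Gate 5 cannot fail the workflow; since the PR text presents it as a gate, either `exit 1` after the diff (at least on pushes to main) or label it advisory in the step name. Also `diff -q ... > /dev/null 2>&1` swallows a missing `src/integrations/supabase/types.ts` (diff exit code 2) and reports it as drift; a `test -f` check first gives a clearer message.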
Summary

Implements the 3 urgent items of the QA Audit 2026-06-02 that were still pending after PRs #619–#626.

STEP 4 — 🔐 Security: RLS `ai_description_queue`

Problem (RISCO-1 of the audit):
The policy `ai_queue_service_all` with `USING(true)` lets any authenticated user read, insert, update and delete AI queues — critical IDOR.

Fix (`supabase/migrations/20260602130000`):
- `DROP POLICY "ai_queue_service_all"`
- SELECT: `auth.uid() = requested_by OR is_admin_or_above()`
- INSERT: `WITH CHECK (auth.uid() = requested_by)`
- UPDATE/DELETE: only `is_admin_or_above()`

STEP 5 — ⚙️ CI: Quality Gate fixed

Problem:
The workflow `quality-gate.yml` had mojibake (`VITE_SUPA@¡SE_URL` instead of `VITE_SUPABASE_URL`) + the file was stored as raw base64 (GitHub Actions could not parse it).

Fix (`.github/workflows/quality-gate.yml`):
- Gate 1: TypeScript baseline (`check-tsc-baseline.mjs`)
- Gate 2: ESLint baseline (`lint:baseline`)
- Gate 3: Build (`npm run build`)
- Gate 4: Vitest (`test:ci-core`)
- Gate 5: Supabase types drift, flagged when `types.ts` diverges from the real schema

STEP 6 — 🔧 Env: `.env.example` fixed

Problem:
`.env.example` declared `VITE_SUPABASE_PUBLISHABLE_KEY`, but CI and the default code use `VITE_SUPABASE_ANON_KEY` (official Supabase name). New devs configured the wrong var and could not connect.

Fix:
- `VITE_SUPABASE_ANON_KEY` as the primary variable
- `VITE_SUPABASE_PUBLISHABLE_KEY` kept as a commented alias (compatibility with legacy code that falls back to it)

Checklist
- Migration uses `DROP POLICY IF EXISTS`
- `quality-gate.yml` in plain YAML without special encodings
- `.env.example` with an explanatory comment about the dual compatibility

Summary by cubic

Hardens the RLS of the `ai_description_queue` table to eliminate the IDOR risk, restores the CI quality gate with 5 checks, and fixes `.env.example` to use `VITE_SUPABASE_ANON_KEY`. Completes steps 4/5/6 of the QA Audit 2026-06-02.

Bug Fixes
- Removes `ai_queue_service_all` and creates 4 least-privilege policies — SELECT (owner or admin), INSERT (owner), UPDATE/DELETE (admin only).
- `quality-gate.yml` as valid YAML with 5 gates (TypeScript baseline, ESLint baseline, build, Vitest, Supabase types drift).
- `.env.example` now uses `VITE_SUPABASE_ANON_KEY`; keeps `VITE_SUPABASE_PUBLISHABLE_KEY` as a commented alias.

Migration
- Set `VITE_SUPABASE_ANON_KEY` in `.env` (legacy alias optional).
- Configure `SUPABASE_ACCESS_TOKEN` to enable the type-drift gate on PRs.

Written for commit efbc4a1.
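The owner-or-admin policies this PR introduces can be verified from psql by simulating the JWT claims that Supabase's `auth.uid()` reads, which is how the RISCO-1 IDOR is shown to be closed rather than assumed. This is an added verification script, not part of the PR; it assumes the migration is applied, `is_admin_or_above(uuid)` exists, the other columns of `ai_description_queue` have defaults, and the user ids below are constructed placeholders.

```sql
-- Added RLS verification, not part of PR #627. Run with psql (as postgres) against a
-- database where migration 20260602130000 is applied. Assumptions: is_admin_or_above(uuid)
-- exists, the other columns of ai_description_queue have defaults, the ids below are
-- constructed, and ADMIN_UUID must be replaced with the id of a real admin user.
BEGIN;

-- Simulate an ordinary authenticated user. Supabase's auth.uid() reads the "sub"
-- claim from this transaction-local setting, so the policies see this id.
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims',
  '{"sub":"00000000-0000-4000-8000-000000000001","role":"authenticated"}', true);

-- RISCO-1 check: with USING(true) this returned every user's rows; after the fix the
-- SELECT policy must hide every row not owned by this user. Expect 0.
SELECT count(*) AS rows_visible_from_other_users
FROM ai_description_queue
WHERE requested_by <> '00000000-0000-4000-8000-000000000001';

-- The INSERT policy's WITH CHECK must reject a spoofed requested_by.
-- Expect: ERROR: new row violates row-level security policy
SAVEPOINT spoofed_insert;
INSERT INTO ai_description_queue (requested_by)
VALUES ('00000000-0000-4000-8000-000000000002');
ROLLBACK TO SAVEPOINT spoofed_insert;

-- DELETE is admin-only: the USING clause hides even the user's own rows from the
-- DELETE, so this must report "DELETE 0" regardless of how many rows they own.
DELETE FROM ai_description_queue
WHERE requested_by = '00000000-0000-4000-8000-000000000001';

-- Now simulate an admin: is_admin_or_above(auth.uid()) must grant a full read.
-- Expect the same count as an unrestricted query of the table by postgres.
SELECT set_config('request.jwt.claims',
  '{"sub":"ADMIN_UUID","role":"authenticated"}', true);
SELECT count(*) AS rows_visible_to_admin FROM ai_description_queue;

-- Leave no trace: nothing above is committed.
ROLLBACK;
```

Because everything runs inside one rolled-back transaction, the script can be re-run against a staging database after every RLS change as a regression check.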