Skip to content

fix: verify-rls.sh matches deployed policy (inserts allowed, HTTP parsing)#461

Merged
garrytan merged 2 commits intomainfrom
garrytan/supabase-post-landing
Mar 24, 2026
Merged

fix: verify-rls.sh matches deployed policy (inserts allowed, HTTP parsing)#461
garrytan merged 2 commits intomainfrom
garrytan/supabase-post-landing

Conversation

@garrytan
Copy link
Owner

@garrytan garrytan commented Mar 24, 2026

Summary

Post-landing fix for the RLS verification script from #460.

  • INSERTs are now expected to succeed — we kept INSERT policies for old client compat, but the verify script was still treating them as failures
  • HTTP code parsing fixed — curl's -sf + -w '%{http_code}' concatenated codes (e.g., 401000). Now uses -s without -f and captures response body properly
  • 409 (conflict) treated as PASS for INSERT checks — duplicate key means the INSERT policy works, row just already exists
  • 204 (no content) treated as PASS for UPDATE denial — no rows affected means the attacker can't modify data

Verified live against Supabase: 9/9 PASS.

Test plan

  • bash supabase/verify-rls.sh returns 9/9 PASS against live Supabase

🤖 Generated with Claude Code

garrytan added 2 commits March 24, 2026 15:04
@garrytan
fix: verify-rls.sh — match current policy (inserts allowed, fix HTTP …
6ac4071 
…code parsing)

- INSERTs are now expected to succeed (kept for old client compat)
- Fix HTTP code parsing bug (401000 concatenation from -sf + write-out)
- Accept 200+empty as PASS for SELECT denial (RLS filtering)
@garrytan
fix: verify-rls.sh handles 409 conflicts and 204 no-ops correctly
a7c1670
@garrytan garrytan merged commit 3703320 into main Mar 24, 2026
17 checks passed
@github-actions
Copy link

github-actions bot commented Mar 24, 2026

E2E Evals: ❌ FAIL

14/36 tests passed | $6.88 total cost | 12 parallel runners

Suite Result Status Cost
e2e-routing 7/18 $3.44
e2e-routing 7/18 $3.44

12x ubicloud-standard-2 (Docker: pre-baked toolchain + deps) | wall clock ≈ slowest suite

Failures

  • ❌ journey-qa: success
  • ❌ journey-visual-qa: success
  • ❌ journey-debug: success
  • ❌ journey-qa: success
  • ❌ journey-visual-qa: success
  • ❌ journey-design-system: success
  • ❌ journey-qa: success
  • ❌ journey-debug: success
  • ❌ journey-visual-qa: success
  • ❌ journey-debug: success
  • ❌ journey-design-system: success
  • ❌ journey-qa: success
  • ❌ journey-visual-qa: success
  • ❌ journey-debug: success
  • ❌ journey-qa: success
  • ❌ journey-visual-qa: success
  • ❌ journey-design-system: success
  • ❌ journey-qa: success
  • ❌ journey-debug: success
  • ❌ journey-visual-qa: success
  • ❌ journey-debug: success
  • ❌ journey-design-system: success

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@garrytan