73 lines
2.5 KiB
PL/PgSQL
73 lines
2.5 KiB
PL/PgSQL
-- AwoooP RLS Canary Wave 1.1: low-row MCP tool registry
|
|
-- Date: 2026-05-12
|
|
--
|
|
-- Scope:
|
|
-- - awooop_mcp_tool_registry
|
|
--
|
|
-- Why this table:
|
|
-- Latest production exact count: 4 rows, all project_id='ewoooc'.
|
|
-- Runtime read path is MCP Gateway Gate 3 and filters by ctx.project_id.
|
|
--
|
|
-- Why not awooop_projects in this wave:
|
|
-- Operator Console list_tenants() currently expects cross-tenant visibility.
|
|
-- A normal tenant policy would hide ewoooc when context is awoooi, so
|
|
-- awooop_projects remains blocked until an explicit platform-admin DB path
|
|
-- exists.
|
|
--
|
|
-- Safety:
|
|
-- - fail-closed policy only; no NULL/empty-string app.project_id bypass.
|
|
-- - aborts if target is missing project_id, has NULL project_id, or has
|
|
-- more rows than the reviewed canary cap.
|
|
-- - run with a migration/operator role, not through the production app role.
|
|
|
|
BEGIN;
|
|
|
|
SET LOCAL lock_timeout = '5s';
|
|
SET LOCAL statement_timeout = '30s';
|
|
|
|
DO $$
|
|
DECLARE
|
|
total_rows bigint;
|
|
null_project_rows bigint;
|
|
BEGIN
|
|
IF to_regclass('public.awooop_mcp_tool_registry') IS NULL THEN
|
|
RAISE EXCEPTION 'RLS canary target table does not exist: awooop_mcp_tool_registry';
|
|
END IF;
|
|
|
|
IF NOT EXISTS (
|
|
SELECT 1
|
|
FROM information_schema.columns
|
|
WHERE table_schema = 'public'
|
|
AND table_name = 'awooop_mcp_tool_registry'
|
|
AND column_name = 'project_id'
|
|
) THEN
|
|
RAISE EXCEPTION 'RLS canary target missing project_id: awooop_mcp_tool_registry';
|
|
END IF;
|
|
|
|
SELECT COUNT(*), COUNT(*) FILTER (WHERE project_id IS NULL)
|
|
INTO total_rows, null_project_rows
|
|
FROM awooop_mcp_tool_registry;
|
|
|
|
IF null_project_rows <> 0 THEN
|
|
RAISE EXCEPTION 'RLS canary target has NULL project_id rows: %, nulls=%',
|
|
'awooop_mcp_tool_registry', null_project_rows;
|
|
END IF;
|
|
|
|
IF total_rows > 20 THEN
|
|
RAISE EXCEPTION 'RLS canary wave1.1 reviewed cap exceeded: %, rows=%',
|
|
'awooop_mcp_tool_registry', total_rows;
|
|
END IF;
|
|
END
|
|
$$;
|
|
|
|
ALTER TABLE awooop_mcp_tool_registry ENABLE ROW LEVEL SECURITY;
|
|
ALTER TABLE awooop_mcp_tool_registry FORCE ROW LEVEL SECURITY;
|
|
DROP POLICY IF EXISTS mcp_tool_registry_tenant_isolation ON awooop_mcp_tool_registry;
|
|
DROP POLICY IF EXISTS awooop_mcp_tool_registry_tenant ON awooop_mcp_tool_registry;
|
|
CREATE POLICY awooop_mcp_tool_registry_tenant ON awooop_mcp_tool_registry
|
|
FOR ALL TO awooop_app
|
|
USING (project_id = current_setting('app.project_id', TRUE))
|
|
WITH CHECK (project_id = current_setting('app.project_id', TRUE));
|
|
|
|
COMMIT;
|