
feat(db): strengthen RLS advisory message for stronger agent compliance#5107

Merged
myerekapan merged 1 commit into develop from mertyerekapan/growth-712-tighten-rls-advisory-message
Apr 20, 2026

Conversation

@myerekapan
Contributor

Summary

Tightens the wording of the RLS advisory injected into supabase db query agent-mode responses. Mirrors the matching change on the MCP side in supabase-community/supabase-mcp#251 so the two surfaces stay consistent.

Why

Testing feedback on the MCP PR (Cursor with "auto" model) showed that the original wording was being treated as a light warning — the agent would mention RLS in passing but not prompt the user to fix it, which is the core intent of GROWTH-712. The previous message was descriptive ("Without RLS, these tables are accessible to any role...") but contained no directive to the agent about what to do.

What changed

Only the Message field in checkRLSAdvisory. Three deliberate shifts:

  • Active framing: "have RLS disabled" instead of "do not have RLS enabled"
  • Concrete consequence: "anyone with the anon key can read or modify every row" instead of the abstract "accessible to any role with table privileges"
  • Imperative directives to the agent: "You MUST surface this security issue to the user" and "Do not auto-apply the remediation SQL: enabling RLS without policies will block all access" — the second guards against agents silently running the remediation and locking the table

Schema, priority, level, remediation SQL, and filtering logic are unchanged.

Test plan

  • go test ./internal/db/query/... passes locally
  • Existing assert.Contains assertions on "N table(s)" and table names still hold
  • CI green

@myerekapan myerekapan requested a review from a team as a code owner April 20, 2026 16:19
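To make the described advisory concrete, here is an added, self-contained reconstruction of what an advisory builder with this PR's wording looks like; it is not the supabase CLI's own checkRLSAdvisory, and the Advisory struct, field values, catalog query and sample table names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Advisory is a hypothetical stand-in for the CLI's advisory type; the
// level and priority values below are placeholders, not the project's.
type Advisory struct {
	Level, Priority, Message, Remediation string
}

// rlsDisabledQuery shows how the table list would be obtained: pg_class.relrowsecurity
// is false for tables without RLS. It is illustrative; the CLI's own filter is unchanged.
const rlsDisabledQuery = `SELECT c.relname FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r' AND n.nspname = 'public' AND NOT c.relrowsecurity`

// quoteIdent double-quotes a SQL identifier, doubling embedded quotes.
func quoteIdent(s string) string { return `"` + strings.ReplaceAll(s, `"`, `""`) + `"` }

// checkRLSAdvisory builds the advisory for tables reported without RLS.
// It returns nil when the list is empty so nothing is injected into the response.
func checkRLSAdvisory(tables []string) *Advisory {
	if len(tables) == 0 {
		return nil
	}
	var sql strings.Builder
	for _, t := range tables {
		fmt.Fprintf(&sql, "ALTER TABLE \"public\".%s ENABLE ROW LEVEL SECURITY;\n", quoteIdent(t))
	}
	// The three wording shifts from the PR: active framing, concrete consequence,
	// and imperative directives (surface the issue; do not auto-apply the SQL).
	msg := fmt.Sprintf("%d table(s) in the public schema have RLS disabled: %s. "+
		"Anyone with the anon key can read or modify every row. "+
		"You MUST surface this security issue to the user. "+
		"Do not auto-apply the remediation SQL: enabling RLS without policies will block all access.",
		len(tables), strings.Join(tables, ", "))
	return &Advisory{Level: "ERROR", Priority: "high", Message: msg, Remediation: sql.String()}
}

func main() {
	// Constructed sample: two tables the catalog query would report without RLS.
	if adv := checkRLSAdvisory([]string{"profiles", "orders"}); adv != nil {
		fmt.Println(adv.Message)
		fmt.Print(adv.Remediation)
	}
}
```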
@coveralls

Coverage Report for CI Build 24677604488

Warning

No base build found for commit 6b1b270 on develop.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 63.667%

Details

  • Patch coverage: 6 of 6 lines across 1 file are fully covered (100%).

Uncovered Changes

No uncovered changes found.

Coverage Regressions

Requires a base build to compare against.

Coverage Stats

Coverage Status
Relevant Lines: 15501
Covered Lines: 9869
Line Coverage: 63.67%
Coverage Strength: 7.0 hits per line

💛 - Coveralls

@myerekapan myerekapan merged commit 6438193 into develop Apr 20, 2026
15 checks passed
@myerekapan myerekapan deleted the mertyerekapan/growth-712-tighten-rls-advisory-message branch April 20, 2026 17:00