1.8 KiB
1.8 KiB
AwoooP RLS Canary Wave 1.2
This wave targets:
awooop_projects
Status: staged, apply pending.
Safety Model
awooop_projects is special. Runtime checks such as MCP Gate 1 and budget
lookup should be tenant-scoped, but Operator Console needs a cross-tenant
project list.
Wave 1.2 keeps normal table access tenant-scoped and adds an explicit platform read function:
public.awooop_operator_list_projects()
The function is SECURITY DEFINER, has a fixed search_path, returns only the
Operator Console project-list columns, and grants execute only to awooop_app.
App Changes
platform_operator_service.list_tenants()reads fromawooop_operator_list_projects().budget_service._get_tenant_budget_limit(project_id)now opensget_db_context(project_id), so tenant budget reads match RLS context.
Apply
psql "$DATABASE_URL" -v ON_ERROR_STOP=1 \
-f scripts/ops/awooop-rls-canary-wave1-2-projects.sql
The SQL aborts if:
- table is missing,
project_idis missing,- any
project_idis NULL, - row count exceeds the reviewed canary cap of 20 rows.
Verification
Expected after apply:
app.project_id='awoooi': direct table read sees onlyawoooi.app.project_id='ewoooc': direct table read sees onlyewoooc.awooop_operator_list_projects(): returns both projects for Operator Console.- tenant budget lookup can read the matching tenant row.
- global RLS preflight remains blocked only by later-wave tables.
Rollback
psql "$DATABASE_URL" -v ON_ERROR_STOP=1 \
-f scripts/ops/awooop-rls-canary-wave1-2-projects-rollback.sql
Rollback disables RLS and removes the Wave1.2 policies on awooop_projects.
It intentionally keeps awooop_operator_list_projects() for deployed API
compatibility.