[codex] fix audit_logs anon DoS

[riderx]

Summary (AI generated)

• Revoke direct anon reads from public.audit_logs.
• Replace the audit log SELECT policy with an authenticated-only super-admin policy using request-scoped helper evaluation.
• Add pgTAP coverage for denied anon access and the existing API-key audit-log write flow.

Motivation (AI generated)

Unauthenticated PostgREST reads against audit_logs could force expensive RLS planning/evaluation and degrade database availability. Blocking anon at the table grant layer makes the public anon-key path fail before the vulnerable RLS path.

Business Impact (AI generated)

This reduces unauthenticated resource-exhaustion risk on the Supabase REST API while preserving authenticated audit-log reads and internal audit-log creation for CLI/API-key operations.

Test Plan (AI generated)

• sqlfluff lint --dialect postgres supabase/migrations/20260502134045_fix_audit_logs_anon_dos.sql supabase/tests/40_test_audit_log_apikey.sql
• bun run supabase:db:reset
• bun scripts/supabase-worktree.ts test db supabase/tests/40_test_audit_log_apikey.sql
• Local REST PoC returns fast 401 permission denied for anon audit_logs read
• Authenticated filtered audit-log REST read returns 200

Generated with AI

[coderabbitai]

Warning

Rate limit exceeded

@riderx has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minute and 50 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3a6928bc-9d58-42fd-8edf-d529656ef513

📥 Commits

Reviewing files that changed from the base of the PR and between 97ee8f0 and d10d313.

📒 Files selected for processing (3)

• supabase/functions/_backend/public/organization/audit.ts
• supabase/migrations/20260502134045_fix_audit_logs_anon_dos.sql
• supabase/tests/40_test_audit_log_apikey.sql

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-audit-logs-anon-dos

---

_{Review rate limit: 0/5 reviews remaining, refill in 1 minute and 50 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 28 untouched benchmarks

---

_{Comparing codex/fix-audit-logs-anon-dos (d10d313) with main (17d36c6)¹}

Footnotes

1. No successful run was found on main (97ee8f0) during the generation of this report, so 17d36c6 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.