mirror of
https://github.com/garrytan/gstack.git
synced 2026-07-07 08:37:52 +02:00
merge: incorporate origin/main into community-mode branch
Resolved 10 conflicted files:
- VERSION/package.json: kept 0.12.0.0 (feature branch version)
- CHANGELOG.md: preserved both branch entry and main's new entries
- supabase/config.sh: kept GSTACK_WEB_URL, accepted TELEMETRY_ENDPOINT removal
- bin/gstack-{community-dashboard,telemetry-log,telemetry-sync,update-check}:
took main's improved versions (edge function approach, safe cursor, UUID gen)
- supabase/functions/community-pulse: took main's count-based approach
- test/telemetry.test.ts: took main's structure with fingerprint field name
Post-merge fixes:
- Removed shadowed local RESOLVERS/functions in gen-skill-docs.ts (main's
resolver imports now take precedence for tier-based preamble, coverage gates)
- Added 3 missing E2E_TIERS entries (ship-plan-*, review-plan-completion)
- Updated telemetry test to match current prompt text
- Regenerated all SKILL.md files
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,36 @@
|
||||
-- 002_tighten_rls.sql
|
||||
-- Lock down read/update access. Keep INSERT policies so old clients can still
|
||||
-- write via PostgREST while new clients migrate to edge functions.
|
||||
|
||||
-- Drop all SELECT policies (anon key should not read telemetry data)
|
||||
DROP POLICY IF EXISTS "anon_select" ON telemetry_events;
|
||||
DROP POLICY IF EXISTS "anon_select" ON installations;
|
||||
DROP POLICY IF EXISTS "anon_select" ON update_checks;
|
||||
|
||||
-- Drop dangerous UPDATE policy (was unrestricted on all columns)
|
||||
DROP POLICY IF EXISTS "anon_update_last_seen" ON installations;
|
||||
|
||||
-- Keep INSERT policies — old clients (pre-v0.11.16) still POST directly to
|
||||
-- PostgREST. These will be dropped in a future migration once adoption of
|
||||
-- edge-function-based sync is widespread.
|
||||
-- (anon_insert_only ON telemetry_events — kept)
|
||||
-- (anon_insert_only ON installations — kept)
|
||||
-- (anon_insert_only ON update_checks — kept)
|
||||
|
||||
-- Explicitly revoke view access (belt-and-suspenders)
|
||||
REVOKE SELECT ON crash_clusters FROM anon;
|
||||
REVOKE SELECT ON skill_sequences FROM anon;
|
||||
|
||||
-- Keep error_message and failed_step columns (exist on live schema, may be
|
||||
-- used in future). Add them to the migration record so repo matches live.
|
||||
ALTER TABLE telemetry_events ADD COLUMN IF NOT EXISTS error_message TEXT;
|
||||
ALTER TABLE telemetry_events ADD COLUMN IF NOT EXISTS failed_step TEXT;
|
||||
|
||||
-- Cache table for community-pulse aggregation (prevents DoS via repeated queries)
|
||||
CREATE TABLE IF NOT EXISTS community_pulse_cache (
|
||||
id INTEGER PRIMARY KEY DEFAULT 1,
|
||||
data JSONB NOT NULL DEFAULT '{}'::jsonb,
|
||||
refreshed_at TIMESTAMPTZ DEFAULT now()
|
||||
);
|
||||
ALTER TABLE community_pulse_cache ENABLE ROW LEVEL SECURITY;
|
||||
-- No anon policies — only service_role_key (used by edge functions) can read/write
|
||||
Reference in New Issue
Block a user