Skip to content

Repair default Compose RLS, CI, and eval truth#1

Merged
ashishki merged 6 commits into
masterfrom
agent/gdev-p0-truth-repair
Jul 13, 2026
Merged

Repair default Compose RLS, CI, and eval truth#1
ashishki merged 6 commits into
masterfrom
agent/gdev-p0-truth-repair

Conversation

@ashishki

Copy link
Copy Markdown
Owner

Outcome

Repairs the P0 security/evidence gap in the default local topology: migrations and request traffic no longer use the same superuser/owner identity, and CI now proves the actual Compose boundary.

Changes

  • bootstraps and migrates as gdev_owner, serves requests as non-owner gdev_app
  • normalizes the app role to NOSUPERUSER NOBYPASSRLS
  • enables and forces RLS on all 16 tenant-scoped tables
  • adds an executable proof for role flags, table ownership, tenant-scoped reads, and cross-tenant write rejection
  • runs that proof plus the auth → signed webhook → audit → approval → metrics demo in CI
  • removes the unused privileged Grafana PostgreSQL datasource
  • aligns eval categories/status handling with the runtime schema and records dataset provenance
  • regenerates the 180-case result without hiding low accuracy or unsafe-routing gaps
  • removes tracked bytecode and repairs the Ruff baseline
  • reconciles the distinct 180/55/100 eval scopes and publishes bounded evidence

Verification

  • Ruff lint: pass
  • Ruff format: 97 files formatted
  • full suite: 310 passed; 45 pre-existing Alembic deprecation warnings; no skips
  • 180-case gate: pass under unchanged thresholds
  • dataset SHA-256: 8db471b52ea78f6bf9daa3993630f57083277660f31ced8e85790860e0b98400
  • visible metrics: classification accuracy 0.1698, risk-routing recall 0.537, unsafe auto-approval 0.463, invalid output 0
  • clean default Compose proof: app role f/f for superuser/BYPASSRLS; 16/16 tables owned by gdev_owner with FORCE RLS; tenant-A read isolation; cross-tenant insert rejected and persisted 0 rows
  • deterministic auth/approval demo: pass

The exact local record is docs/evidence/GDEV_P0_TRUTH_REPAIR_2026-07-13.md. Remote checks remain the merge gate.

No production tenants, external users, customer traffic, or SLO claim is made.

@gitguardian

gitguardian Bot commented Jul 13, 2026

Copy link
Copy Markdown

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
28026235 Triggered Generic Password 08f7071 .env.example View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@ashishki ashishki marked this pull request as ready for review July 13, 2026 11:18
@ashishki ashishki merged commit 0e4c5f0 into master Jul 13, 2026
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant