hai/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-19 10:52:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

merge: incorporate origin/main into community-mode branch

Browse Source 
Conflicts resolved:
- README.md: merge skill lists — keep /gstack-submit from our branch,
  add /plan-devex-review, /devex-review, /pair-agent from main. Accept
  main's team mode step 2 text.
- setup: keep both our install ping (step 9) and main's team mode
  hook registration (step 10)
- supabase/functions/telemetry-ingest/index.ts: keep our deletion
  (dead code removed earlier on this branch, main modified it)

Main brought in: team mode (--team flag, auto-update hook, session
tracking), /plan-devex-review + /devex-review skills, /pair-agent
skill, open-gstack-browser, /checkpoint, /health, /humanizer.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-04-07 20:29:53 -10:00
parent 30e6747814 9d34baa973
commit d519678916
217 changed files with 39025 additions and 2201 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
supabase/migrations/003_installations_upsert_policy.sql Normal file
View File

@@ -0,0 +1,25 @@
-- 003_installations_upsert_policy.sql
-- Re-add a scoped UPDATE policy for installations so the telemetry-ingest
-- edge function can upsert (update last_seen) using the caller's anon key
-- instead of the service role key.
--
-- Migration 002 dropped the overly broad "anon_update_last_seen" policy
-- (which allowed UPDATE on ALL columns). This replacement uses:
-- 1. An RLS policy to allow UPDATE (required for any row access)
-- 2. Column-level GRANT to restrict anon to only the tracking columns
-- the edge function actually writes (last_seen, gstack_version, os)
--
-- This means anon callers cannot UPDATE first_seen or installation_id,
-- closing the residual risk from the broad RLS-only approach.
-- RLS policy: allow UPDATE on rows (required for PostgREST/upsert)
CREATE POLICY "anon_update_tracking" ON installations
FOR UPDATE
USING (true)
WITH CHECK (true);
-- Column-level restriction: anon can only UPDATE these three columns.
-- PostgreSQL GRANT UPDATE (col, ...) is enforced at the query level —
-- any UPDATE touching other columns will be rejected with a permission error.
REVOKE UPDATE ON installations FROM anon;
GRANT UPDATE (last_seen, gstack_version, os) ON installations TO anon;