[codex] Fix build log disconnect cancellation authorization

[riderx]

Summary (AI generated)

• require app.build_native before wiring the /build/logs/:jobId disconnect cancellation path
• add a regression test proving read-only log viewers cannot cancel builds by dropping the SSE connection

Motivation (AI generated)

The security advisory GHSA-95g7-xwwx-j737 identified a privilege inversion where a read-only principal could cancel a native build indirectly through the deprecated log-stream endpoint. This change aligns the disconnect side effect with the explicit cancel endpoint authorization boundary.

Business Impact (AI generated)

This closes a native-build disruption path that could let read-only API keys interfere with customer CI/CD workflows. Tightening that boundary protects trust in Capgos RBAC model and reduces operational support risk.

Test Plan (AI generated)

• bunx vitest run tests/build-logs-disconnect-auth.test.ts --reporter=verbose
• bunx vitest run tests/build-job-scope.test.ts --reporter=verbose
• bun lint
• bun lint:backend
• bunx eslint tests/build-logs-disconnect-auth.test.ts
• bun typecheck
• bun test:backend

Generated with AI

Summary by CodeRabbit

• Bug Fixes

  • Build cancellation triggered by client disconnect now properly enforces authorization permissions, ensuring only users with appropriate build permissions can cancel builds. This prevents unintended cancellations from unauthorized users experiencing connection loss.

• Tests

  • Added comprehensive test coverage validating authorization behavior during build log streaming when client connections disconnect, confirming that only authorized users can trigger build cancellation actions.

[coderabbitai]

Warning

Rate limit exceeded

@riderx has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 56 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 2 minutes and 56 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 04e8ad58-d745-4d1d-b0bb-c38599c60dc1

📥 Commits

Reviewing files that changed from the base of the PR and between 543919b and c3e2bce.

📒 Files selected for processing (2)

• supabase/functions/_backend/public/build/logs.ts
• tests/build-logs-disconnect-auth.test.ts

📝 Walkthrough

Walkthrough

The stream proxy for building logs now conditionally registers an abort listener only after verifying the caller has app.build_native permission, ensuring disconnect-triggered build cancellation aligns with explicit authorization checks.

Changes

Cohort / File(s)	Summary
Build Logs Authorization supabase/functions/_backend/public/build/logs.ts	Added conditional registration of abort listener after permission verification for app.build_native scope before enabling disconnect-triggered build cancellation.
Build Logs Disconnect Tests tests/build-logs-disconnect-auth.test.ts	New test suite validating authorization behavior when client disconnects: read-only callers don't trigger cancellation, while build-authorized callers trigger cancel requests to builder with proper headers and payload.

Sequence Diagram

sequenceDiagram
    participant Client
    participant StreamProxy as Stream Proxy
    participant PermCheck as Permission Checker
    participant BuildService as Builder Service

    Client->>StreamProxy: Connect & Request Logs
    StreamProxy->>PermCheck: Check app.read_logs
    PermCheck-->>StreamProxy: Permission OK
    StreamProxy->>BuildService: Fetch Logs
    BuildService-->>StreamProxy: Log Stream
    StreamProxy-->>Client: Stream Response (text/event-stream)
    
    alt Caller has app.build_native
        StreamProxy->>PermCheck: Check app.build_native
        PermCheck-->>StreamProxy: Permission OK
        StreamProxy->>StreamProxy: Register abort listener
        Client->>StreamProxy: Disconnect
        StreamProxy->>BuildService: POST /cancel {app_id}
        BuildService-->>StreamProxy: Cancel OK
    else Caller lacks app.build_native
        StreamProxy->>PermCheck: Check app.build_native
        PermCheck-->>StreamProxy: Permission Denied
        StreamProxy->>StreamProxy: Skip abort listener
        Client->>StreamProxy: Disconnect
        Note over StreamProxy: No cancel triggered
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix(build): prevent cross-app job access #1590: Modifies streamBuildLogs to scope abort/disconnect cancellation to resolved buildRequest.app_id and enforce app-scoped permission checks, directly related to this authorization enforcement.

Suggested labels

💰 Rewarded

Poem

🐰 Permission checks upon a thread,
When clients disconnect, cancels spread,
But only those who build are blessed,
With power to stop the builder's quest,
Auth-aligned, we hop with cheer! 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely identifies the primary security fix: aligning build log disconnect cancellation authorization behavior.
Description check	✅ Passed	The description provides a comprehensive summary with motivation and business impact, includes a detailed test plan with executed checks, but lacks detailed instructions for manual reproduction.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-build-log-disconnect-cancel

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 28 untouched benchmarks

---

_{Comparing codex/fix-build-log-disconnect-cancel (c3e2bce) with main (633aeea)}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 543919bc7e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@supabase/functions/_backend/public/build/logs.ts`:
- Around line 164-169: The optional RBAC call checkPermission(c,
'app.build_native', { appId: buildRequest.app_id }) must not be allowed to throw
and block log streaming; wrap the permission check in a try/catch (or otherwise
handle its promise) and only add the c.req.raw.signal.addEventListener that
calls cancelBuildOnDisconnect(builderUrl, builderApiKey, jobId,
buildRequest.app_id, requestId) if the check resolves to true, while on error
treat it as a no-permission case (optionally log a warning) and continue serving
logs so a transient RBAC/store error does not prevent stream availability.

In `@tests/build-logs-disconnect-auth.test.ts`:
- Around line 121-123: Replace the timing-dependent post-abort setTimeout(0)
waits after controller.abort() in the tests with deterministic synchronization:
for the read-only test remove the wait entirely (no await needed after
controller.abort()), and for the authorized test replace the setTimeout with
awaiting an explicit "cancel request observed" promise exposed by the fetch mock
(have the fetch mock resolve a named promise/Deferred when it sees the
abort/cancel and await that promise after calling controller.abort()). Update
both occurrences (around the controller.abort() call and the similar block
later) to use those deterministic waits so CI won't flake.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f91a82a4-dd1d-4f9d-b99f-77a24ef2524f

📥 Commits

Reviewing files that changed from the base of the PR and between 633aeea and 543919b.

📒 Files selected for processing (2)

• supabase/functions/_backend/public/build/logs.ts
• tests/build-logs-disconnect-auth.test.ts

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud