infra(cpb): add dedicated role provisioning and schema setup [coderabbit-ai-review] by SashkoMarchuk · Pull Request #123 · speedandfunction/automatization

SashkoMarchuk · 2026-04-06T16:57:55Z

Summary

Replace temporal-based interim DB setup with a two-script architecture using a dedicated cpb_app role
scripts/cpb/create-role.sh (NEW): One-time provisioning using RDS master password — creates cpb_app role, cpb_bot database, transfers ownership from temporal if needed, grants all privileges
scripts/cpb/setup-db.sh (REWRITTEN): Repeatable schema setup connecting as cpb_app — applies init-schema.sql, verifies all 6 tables
sql/cpb/init-schema.sql (NEW): Complete 6-table schema for CPB Slack bot (cycles, opt_in_responses, pairings, pair_history, interactions, admin_reports)
Deletes old scripts/cpb-setup-db.sh that required temporal user with CREATEDB
Adds POSTGRES_PASSWORD_MASTER to .env.example (commented out, one-time use)

Operational Workflow

1. Set POSTGRES_PASSWORD_MASTER, POSTGRES_PASSWORD_CPB, CPB_POSTGRES_HOST
2. Run: ./scripts/cpb/create-role.sh    (creates role + database)
3. Run: ./scripts/cpb/setup-db.sh       (creates schema tables)
4. Remove POSTGRES_PASSWORD_MASTER from environment

Security

Master password required via :? — immediate fail if unset, no fallbacks
validate_pg_identifier() on all SQL identifiers (regex + length check)
Single-quote escaping + $$ rejection on passwords
set -eo pipefail + ON_ERROR_STOP=1 on both scripts
No passwords in log output

Test plan

Verify bash -n syntax check passes on both scripts
Run create-role.sh against RDS — role and database created
Run create-role.sh again — idempotent, no errors, password updated
Run setup-db.sh — all 6 tables created
Run setup-db.sh again — idempotent, no errors
Verify cpb_app owns cpb_bot database
Verify schema matches init-schema.sql (triggers, indexes, constraints)

Supersedes #122

Summary by CodeRabbit

Chores
- Split DB provisioning into separate role-creation and schema-initialization steps.
- Replaced a legacy provisioning script with new dedicated provisioning scripts that handle role creation, ownership reassignment, connectivity checks, and schema application.
- Added a commented environment placeholder for a one-time master DB password and updated provisioning references.
New Features
- Added a complete, idempotent database schema with tables, indexes, triggers, validation, and verification checks.

…ple Bot Replace the old setup script that required postgres admin access and CREATEROLE with a version that uses temporal user (CREATEDB) and grants to existing n8n user. Add complete 6-table schema (cycles, opt_in_responses, pairings, pair_history, interactions, admin_reports) with idempotent IF NOT EXISTS, triggers, and indexes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix two filename references in header comments flagged by CodeRabbit: - setup-db.sh usage example: cpb-setup-db.sh → cpb/setup-db.sh - init-schema.sql usage example: cpb-init-schema.sql → init-schema.sql Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Refactor schema grant error handling from fragile `cmd && echo || { ... }` to proper if/then/else. Prevents false error-path execution if echo fails. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace temporal-based DB setup with a two-script architecture: - create-role.sh: one-time provisioning using RDS master password to create cpb_app role and cpb_bot database - setup-db.sh: repeatable schema setup connecting as cpb_app Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

github-actions · 2026-04-06T16:58:06Z

CodeRabbit

🤖 CodeRabbit AI Review Available

To request a code review from CodeRabbit AI, add [coderabbit-ai-review] to your PR title.

CodeRabbit will analyze your code and provide feedback on:

Logic and correctness
Security issues
Performance optimizations
Code quality and best practices
Error handling
Maintainability

Note: Reviews are only performed when [coderabbit-ai-review] is present in the PR title.

coderabbitai · 2026-04-06T16:58:09Z

Warning

Rate limit exceeded

@SashkoMarchuk has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 42 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 13 minutes and 42 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 88cede48-b89e-4a4d-9c05-5f8df37d19db

📥 Commits

Reviewing files that changed from the base of the PR and between 0960236 and 5424f1f.

📒 Files selected for processing (1)

scripts/cpb/setup-db.sh

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

@coderabbitai resume to resume automatic reviews.
@coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

▶️ Resume reviews
🔍 Trigger review

Warning

CodeRabbit GitHub Action detected

The repository is using both CodeRabbit Pro and CodeRabbit Open Source (via GitHub Actions), which is not recommended as it may lead to duplicate comments and extra noise. Please remove the CodeRabbit GitHub Action.

📝 Walkthrough

Walkthrough

Replaces an old CPB DB provisioning script with two new executables: scripts/cpb/create-role.sh (provisions role, DB, ownership, reassigns objects, grants privileges) and scripts/cpb/setup-db.sh (applies SQL schema and validates tables). Adds sql/cpb/init-schema.sql and updates .env.example to reference the new scripts and include a POSTGRES_PASSWORD_MASTER placeholder.

Changes

Cohort / File(s)	Summary
Environment `.env.example`	Updated provisioning comments to reference `create-role.sh` and `setup-db.sh`; added commented placeholder `POSTGRES_PASSWORD_MASTER=` with a note about one-time use.
Provisioning scripts `scripts/cpb/create-role.sh`, `scripts/cpb/setup-db.sh`, `scripts/cpb-setup-db.sh`	Removed legacy `scripts/cpb-setup-db.sh`. Added `create-role.sh` to create/alter role, create DB, change ownership, reassign owned objects, and grant privileges. Added `setup-db.sh` to apply `sql/cpb/init-schema.sql`, validate connectivity, and verify expected table count.
Schema `sql/cpb/init-schema.sql`	Added full CPB schema: trigger function `update_updated_at_column()`, tables (`cycles`, `opt_in_responses`, `pairings`, `pair_history`, `interactions`, `admin_reports`), indexes, constraints, and BEFORE UPDATE triggers to maintain `updated_at`.

Sequence Diagram(s)

sequenceDiagram
  participant Operator as "Operator"
  participant FS as "Filesystem (repo/sql)"
  participant Script as "create-role.sh"
  participant PG as "Postgres master (psql)"
  rect rgba(200,240,200,0.5)
    Operator->>Script: invoke with env (HOST, MASTER_PW, CPB_PW)
    Script->>PG: CONNECT as master (psql ON_ERROR_STOP=1)
    PG-->>Script: connection OK / auth
    Script->>PG: CREATE ROLE IF NOT EXISTS / ALTER ROLE ... WITH PASSWORD
    PG-->>Script: role created/updated
    Script->>PG: CREATE DATABASE IF NOT EXISTS ... OWNER on create
    PG-->>Script: database created or exists
    Script->>PG: CHECK/CHANGE DB owner if different
    Script->>PG: REASSIGN OWNED BY other_roles TO cpb_role
    PG-->>Script: reassignments applied
    Script->>PG: GRANT CONNECT/USAGE/ALL PRIVILEGES
    Script-->>Operator: provisioning complete + next steps
  end

sequenceDiagram
  participant Operator as "Operator"
  participant FS as "Filesystem (repo/sql)"
  participant Script as "setup-db.sh"
  participant PG as "Postgres CPB DB (psql)"
  rect rgba(200,220,255,0.5)
    Operator->>Script: invoke with env (HOST, CPB_PW)
    Script->>FS: locate sql/cpb/init-schema.sql
    FS-->>Script: file found
    Script->>PG: CONNECT and run SELECT 1 (verify)
    PG-->>Script: success
    Script->>PG: psql -f init-schema.sql (apply schema)
    PG-->>Script: schema applied
    Script->>PG: count base tables in public schema
    PG-->>Operator: verified table count (expected 6) -> success banner
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

infra(cpb): add database, env vars, and setup scripts for Connecting People Bot #120 — Replaces and reorganizes CPB PostgreSQL provisioning; touches the same provisioning scripts and schema.

Suggested labels

database

Suggested reviewers

killev
automatization-bot

Poem

"I nibble keys and hop through rows,
I plant new roles where data grows.
With schema neat and grants all right,
I tuck the DB in for the night.
Carrots for reviews — hop, delight! 🥕"

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main change: adding dedicated role provisioning and schema setup scripts for CPB infrastructure, which aligns with the core objective of replacing temporal-based setup with a two-script architecture.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch feature/cpb-dedicated-role

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/cpb/create-role.sh`:
- Around line 110-148: Step 3 in create-role.sh only changes the database owner
but leaves individual objects owned by the previous role, causing schema
reapplication in setup-db.sh to fail; after the ownership transfer block (the DO
$$ ... END $$; that uses current_owner and ${CPB_USER}) add a REASSIGN OWNED BY
<old_owner> TO "${CPB_USER}" step (or insert it in setup-db.sh before applying
sql/cpb/init-schema.sql) so that all tables, sequences, functions and triggers
owned by the previous role are reassigned to ${CPB_USER}; use the current_owner
variable value captured in the DO block (or ${MASTER_USER} if appropriate) to
build the REASSIGN OWNED command and run it as the superuser.

In `@scripts/cpb/setup-db.sh`:
- Around line 106-111: The script currently only warns when TABLE_COUNT != 6,
allowing setup-db.sh to exit 0 with an incomplete schema; update the else branch
that checks TABLE_COUNT to make the script fail fast by printing the warning to
stderr (as it already does) and then exiting with a non-zero status (e.g., exit
1) so callers detect failure—modify the block that compares TABLE_COUNT (the
existing if [[ "$TABLE_COUNT" -eq 6 ]]; then ... else ...) to add a failing exit
after the error messages.

In `@sql/cpb/init-schema.sql`:
- Around line 157-181: Add a multi-column CHECK constraint on the interactions
table to enforce valid touchpoint/action pairs (instead of independent checks)
by updating the CREATE TABLE for interactions (or via ALTER TABLE) to include a
constraint (e.g., interactions_touchpoint_action_valid) that allows only the
permitted action values for each touchpoint value; reference the touchpoint and
action columns in the constraint and enumerate the allowed combinations (for
example, actions allowed for 'opt_in' vs 'checkin' vs 'survey') so impossible
pairs like touchpoint='opt_in' with action='satisfied' are rejected.
- Around line 107-129: Add a uniqueness constraint to enforce one-pair-per-cycle
by making (cycle_id, person_a_id, person_b_id) unique on the pairings table;
update the schema for the pairings table (which already has CHECK (person_a_id <
person_b_id)) to include either a UNIQUE constraint or create a unique index
(e.g., uniq_pairings_cycle_pair) on those three columns so duplicate rows cannot
be inserted and notification/History duplication is prevented.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 3234300b-0af9-4cf8-900e-e8f827a63e62

📥 Commits

Reviewing files that changed from the base of the PR and between 404d9ed and 5edcc5d.

📒 Files selected for processing (5)

.env.example
scripts/cpb-setup-db.sh
scripts/cpb/create-role.sh
scripts/cpb/setup-db.sh
sql/cpb/init-schema.sql

💤 Files with no reviewable changes (1)

scripts/cpb-setup-db.sh

scripts/cpb/create-role.sh

scripts/cpb/setup-db.sh

sql/cpb/init-schema.sql

- Add REASSIGN OWNED step in create-role.sh to transfer object ownership (tables, sequences, functions) after database ownership transfer - Fail fast in setup-db.sh when table count != 6 (exit 1, not warning) - Add UNIQUE(cycle_id, person_a_id, person_b_id) to pairings table - Replace independent touchpoint/action CHECKs with composite constraint that enforces valid combinations (e.g. blocks opt_in + satisfied) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

github-actions · 2026-04-06T17:46:11Z

CodeRabbit

Currently reviewing new changes in this PR...

Commits

Files that changed from the base of the PR and between 0960236 and 5424f1f commits.

Files selected (1)

scripts/cpb/setup-db.sh (1)

CodeRabbit

Uplevel your code reviews with CodeRabbit Pro

CodeRabbit Pro

If you like this project, please support us by purchasing the Pro version. The Pro version has advanced context, superior noise reduction and several proprietary improvements compared to the open source version. Moreover, CodeRabbit Pro is free for open source projects.

coderabbitai

🧹 Nitpick comments (1)

sql/cpb/init-schema.sql (1)

188-207: Consider whether multiple reports per cycle are intentional.

The admin_reports table allows multiple rows per cycle_id. If only one report per cycle is expected, consider adding a uniqueness constraint.

🔧 Optional: Add uniqueness if one report per cycle

 CREATE INDEX IF NOT EXISTS idx_admin_reports_cycle
     ON admin_reports(cycle_id);
+
+-- Uncomment if only one report per cycle is allowed:
+-- ALTER TABLE admin_reports ADD CONSTRAINT uq_admin_reports_cycle UNIQUE (cycle_id);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@sql/cpb/init-schema.sql` around lines 188 - 207, The admin_reports table
currently allows multiple rows per cycle_id (index idx_admin_reports_cycle is
non-unique); if the intent is one report per cycle, add a uniqueness constraint
on admin_reports.cycle_id (either change the CREATE TABLE to include
UNIQUE(cycle_id) or replace the non-unique index with a UNIQUE INDEX on
cycle_id) so duplicate reports for the same cycle are prevented; ensure the
trigger trg_admin_reports_updated_at and any existing data are compatible with
the new uniqueness constraint before applying.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@sql/cpb/init-schema.sql`:
- Around line 188-207: The admin_reports table currently allows multiple rows
per cycle_id (index idx_admin_reports_cycle is non-unique); if the intent is one
report per cycle, add a uniqueness constraint on admin_reports.cycle_id (either
change the CREATE TABLE to include UNIQUE(cycle_id) or replace the non-unique
index with a UNIQUE INDEX on cycle_id) so duplicate reports for the same cycle
are prevented; ensure the trigger trg_admin_reports_updated_at and any existing
data are compatible with the new uniqueness constraint before applying.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: d419d69f-7c6d-4ebe-a407-f989e93bc8b6

📥 Commits

Reviewing files that changed from the base of the PR and between 5edcc5d and c9c7c2a.

📒 Files selected for processing (3)

scripts/cpb/create-role.sh
scripts/cpb/setup-db.sh
sql/cpb/init-schema.sql

🚧 Files skipped from review as they are similar to previous changes (1)

scripts/cpb/setup-db.sh

One report per cycle is the correct invariant — enforce at DB level. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

github-actions · 2026-04-06T17:57:05Z

🔍 Vulnerabilities of `temporal-test:latest`

📦 Image Reference temporal-test:latest

digest	`sha256:17e54ff5e9a181d1bdbf7334ce9637f9c3934d54a65427ae36a5743f46487f15`
vulnerabilities
platform	linux/amd64
size	218 MB
packages	358

📦 Base Image alpine:3

also known as	`3.21` `3.21.3` `latest`
digest	`sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474`
vulnerabilities

stdlib 1.23.6 (golang)

pkg:golang/stdlib@1.23.6

Affected range	`<1.24.13`
Fixed version	`1.24.13`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Affected range	`<1.23.8`
Fixed version	`1.23.8`
EPSS Score	`0.127%`
EPSS Percentile	`32nd percentile`

Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`<1.24.11`
Fixed version	`1.24.11`
EPSS Score	`0.023%`
EPSS Percentile	`6th percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`<1.24.12`
Fixed version	`1.24.12`
EPSS Score	`0.032%`
EPSS Percentile	`9th percentile`

Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.028%`
EPSS Percentile	`8th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.027%`
EPSS Percentile	`8th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.006%`
EPSS Percentile	`0th percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.24.9`
Fixed version	`1.24.9`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

stdlib 1.23.2 (golang)

pkg:golang/stdlib@1.23.2

Affected range	`<1.24.13`
Fixed version	`1.24.13`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Affected range	`<1.23.8`
Fixed version	`1.23.8`
EPSS Score	`0.127%`
EPSS Percentile	`32nd percentile`

Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`<1.24.11`
Fixed version	`1.24.11`
EPSS Score	`0.023%`
EPSS Percentile	`6th percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`<1.24.12`
Fixed version	`1.24.12`
EPSS Score	`0.032%`
EPSS Percentile	`9th percentile`

Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.028%`
EPSS Percentile	`8th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.027%`
EPSS Percentile	`8th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.006%`
EPSS Percentile	`0th percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.24.9`
Fixed version	`1.24.9`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

google.golang.org/grpc 1.56.3 (golang)

pkg:golang/google.golang.org/grpc@1.56.3

Improper Authorization

Affected range	`<1.79.3`
Fixed version	`1.79.3`
CVSS Score	`9.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`
EPSS Score	`0.014%`
EPSS Percentile	`3rd percentile`

Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).

Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

v1.79.3

The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }   
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)
2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

google.golang.org/grpc 1.70.0 (golang)

pkg:golang/google.golang.org/grpc@1.70.0

Improper Authorization

Affected range	`<1.79.3`
Fixed version	`1.79.3`
CVSS Score	`9.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`
EPSS Score	`0.014%`
EPSS Percentile	`3rd percentile`

Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).

Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

v1.79.3

The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }   
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)
2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

google.golang.org/grpc 1.71.0 (golang)

pkg:golang/google.golang.org/grpc@1.71.0

Improper Authorization

Affected range	`<1.79.3`
Fixed version	`1.79.3`
CVSS Score	`9.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`
EPSS Score	`0.014%`
EPSS Percentile	`3rd percentile`

Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).

Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

v1.79.3

The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }   
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)
2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

openssl 3.3.3-r0 (apk)

pkg:apk/alpine/openssl@3.3.3-r0?os_name=alpine&os_version=3.21

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.705%`
EPSS Percentile	`72nd percentile`

Description

Affected range	`<3.3.5-r0`
Fixed version	`3.3.5-r0`
EPSS Score	`0.034%`
EPSS Percentile	`10th percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.036%`
EPSS Percentile	`11th percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.303%`
EPSS Percentile	`54th percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.063%`
EPSS Percentile	`20th percentile`

Description

curl 8.12.1-r0 (apk)

pkg:apk/alpine/curl@8.12.1-r0?os_name=alpine&os_version=3.21

Affected range	`<=8.14.0-r0`
Fixed version	Not Fixed
EPSS Score	`0.039%`
EPSS Percentile	`12th percentile`

Description

Affected range	`<8.14.1-r2`
Fixed version	`8.14.1-r2`
EPSS Score	`0.035%`
EPSS Percentile	`10th percentile`

Description

Affected range	`<8.14.1-r0`
Fixed version	`8.14.1-r0`
EPSS Score	`0.486%`
EPSS Percentile	`65th percentile`

Description

golang.org/x/crypto 0.32.0 (golang)

pkg:golang/golang.org/x/crypto@0.32.0

Affected range	`<0.43.0`
Fixed version	`0.43.0`
EPSS Score	`0.039%`
EPSS Percentile	`12th percentile`

Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

Affected range	`<0.35.0`
Fixed version	`0.35.0`
EPSS Score	`0.289%`
EPSS Percentile	`52nd percentile`

Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.36.4 (golang)

pkg:golang/go.opentelemetry.io/contrib/instrumentation@0.36.4#google.golang.org/grpc/otelgrpc

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<0.46.0`
Fixed version	`0.46.0`
EPSS Score	`4.299%`
EPSS Percentile	`89th percentile`

Description

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider.

nghttp2 1.64.0-r0 (apk)

pkg:apk/alpine/nghttp2@1.64.0-r0?os_name=alpine&os_version=3.21

Affected range	`<=1.64.0-r0`
Fixed version	Not Fixed
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

github.com/golang-jwt/jwt 3.2.2+incompatible (golang)

pkg:golang/github.com/golang-jwt/jwt@3.2.2%2Bincompatible

Asymmetric Resource Consumption (Amplification)

Affected range	`>=3.2.0 <=3.2.2`
Fixed version	Not Fixed
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.102%`
EPSS Percentile	`28th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

go.opentelemetry.io/otel/sdk 1.35.0 (golang)

pkg:golang/go.opentelemetry.io/otel/sdk@1.35.0

Untrusted Search Path

Affected range	`>=1.21.0 <1.40.0`
Fixed version	`1.40.0`
CVSS Score	`7`
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`
EPSS Score	`0.007%`
EPSS Percentile	`1st percentile`

Description

Impact

The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.

Patches

This has been patched in d45961b, which was released with v1.40.0.

References

CWE-426: Untrusted Search Path

go.opentelemetry.io/otel/sdk 1.34.0 (golang)

pkg:golang/go.opentelemetry.io/otel/sdk@1.34.0

Untrusted Search Path

Affected range	`>=1.21.0 <1.40.0`
Fixed version	`1.40.0`
CVSS Score	`7`
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`
EPSS Score	`0.007%`
EPSS Percentile	`1st percentile`

Description

Impact

The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.

Patches

This has been patched in d45961b, which was released with v1.40.0.

References

CWE-426: Untrusted Search Path

golang.org/x/crypto 0.35.0 (golang)

pkg:golang/golang.org/x/crypto@0.35.0

Affected range	`<0.43.0`
Fixed version	`0.43.0`
EPSS Score	`0.039%`
EPSS Percentile	`12th percentile`

Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

golang.org/x/crypto 0.36.0 (golang)

pkg:golang/golang.org/x/crypto@0.36.0

Affected range	`<0.43.0`
Fixed version	`0.43.0`
EPSS Score	`0.039%`
EPSS Percentile	`12th percentile`

Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

github.com/go-jose/go-jose/v4 4.0.5 (golang)

pkg:golang/github.com/go-jose/go-jose@4.0.5#v4

Uncaught Exception

Affected range	`<4.1.4`
Fixed version	`4.1.4`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

Description

Impact

Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key.

This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.

This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common.

Panics can lead to denial of service.

Fixed In

4.1.4 and v3.0.5

Workarounds

If the list of keyAlgorithms passed to ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() does not include key wrapping algorithms (those ending in KW), your application is unaffected.

If your application uses key wrapping, you can prevalidate to the JWE objects to ensure the encrypted_key field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second .).

Thanks

Thanks to Datadog's Security team for finding this issue.

golang.org/x/oauth2 0.26.0 (golang)

pkg:golang/golang.org/x/oauth2@0.26.0

Improper Validation of Syntactic Correctness of Input

Affected range	`<0.27.0`
Fixed version	`0.27.0`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`0.261%`
EPSS Percentile	`49th percentile`

Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

github.com/golang-jwt/jwt/v4 4.5.1 (golang)

pkg:golang/github.com/golang-jwt/jwt@4.5.1#v4

Asymmetric Resource Consumption (Amplification)

Affected range	`<4.5.2`
Fixed version	`4.5.2`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.102%`
EPSS Percentile	`28th percentile`

Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

c-ares 1.34.3-r0 (apk)

pkg:apk/alpine/c-ares@1.34.3-r0?os_name=alpine&os_version=3.21

Affected range	`<1.34.5-r0`
Fixed version	`1.34.5-r0`
EPSS Score	`0.618%`
EPSS Percentile	`70th percentile`

Description

golang.org/x/oauth2 0.7.0 (golang)

pkg:golang/golang.org/x/oauth2@0.7.0

Improper Validation of Syntactic Correctness of Input

Affected range	`<0.27.0`
Fixed version	`0.27.0`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`0.261%`
EPSS Percentile	`49th percentile`

Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

github-actions

CodeRabbit

Commits

Files that changed from the base of the PR and between 404d9ed and 0d879ef commits.

Files selected (5)

.env.example (1)
scripts/cpb-setup-db.sh (1)
scripts/cpb/create-role.sh (1)
scripts/cpb/setup-db.sh (1)
sql/cpb/init-schema.sql (1)

Files not summarized due to errors (5)

scripts/cpb/create-role.sh (diff tokens exceeds limit)
sql/cpb/init-schema.sql (diff tokens exceeds limit)
scripts/cpb-setup-db.sh (nothing obtained from openai)
scripts/cpb/setup-db.sh (nothing obtained from openai)
.env.example (nothing obtained from openai)

Files not reviewed due to errors (5)

.env.example (no response)
scripts/cpb/setup-db.sh (no response)
sql/cpb/init-schema.sql (no response)
scripts/cpb-setup-db.sh (no response)
scripts/cpb/create-role.sh (no response)

Review comments generated (0)

Review: 0
LGTM: 0

Tips

Chat with CodeRabbit Bot (`@coderabbitai`)

Reply on review comments left by this bot to ask follow-up questions. A review comment is a comment on a diff or a file.
Invite the bot into a review comment chain by tagging @coderabbitai in a reply.

Code suggestions

The bot may make code suggestions, but please review them carefully before committing since the line number ranges may be misaligned.
You can edit the comment made by the bot and manually tweak the suggestion if it is slightly off.

Pausing incremental reviews

Add @coderabbitai: ignore anywhere in the PR description to pause further reviews from the bot.

- Add updated_at + trigger to pairings table (6 mutable columns had no modification timestamp, breaking pattern of other mutable tables) - Remove 3 redundant indexes whose leading columns are already covered by UNIQUE constraints (opt_in_responses, pairings, admin_reports) - Fix misleading "-v" hint in setup-db.sh error message Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Enforce YYYY-MM format via regex to prevent invalid values like '2026-13' or 'foobar' from being inserted. Flagged independently by two /ultra XL agents (D2-contrarian, V2-schema). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

github-actions

CodeRabbit

Commits

Files that changed from the base of the PR and between 0d879ef and 0960236 commits.

Files selected (2)

scripts/cpb/setup-db.sh (1)
sql/cpb/init-schema.sql (1)

Files not summarized due to errors (2)

sql/cpb/init-schema.sql (diff tokens exceeds limit)
scripts/cpb/setup-db.sh (nothing obtained from openai)

Files not reviewed due to errors (2)

sql/cpb/init-schema.sql (no response)
scripts/cpb/setup-db.sh (no response)

Review comments generated (0)

Review: 0
LGTM: 0

Tips

Chat with CodeRabbit Bot (`@coderabbitai`)

Reply on review comments left by this bot to ask follow-up questions. A review comment is a comment on a diff or a file.
Invite the bot into a review comment chain by tagging @coderabbitai in a reply.

Code suggestions

The bot may make code suggestions, but please review them carefully before committing since the line number ranges may be misaligned.
You can edit the comment made by the bot and manually tweak the suggestion if it is slightly off.

Pausing incremental reviews

Add @coderabbitai: ignore anywhere in the PR description to pause further reviews from the bot.

SashkoMarchuk · 2026-04-07T03:27:59Z

@coderabbitai review

coderabbitai · 2026-04-07T03:28:35Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai

🧹 Nitpick comments (1)

scripts/cpb/setup-db.sh (1)

78-84: Consider preserving the actual connection error for easier debugging.

Redirecting stderr to /dev/null hides useful diagnostics (e.g., "password authentication failed" vs "database does not exist" vs "connection refused"). Capturing or displaying the actual error would help users troubleshoot faster.

💡 Suggested improvement

 echo "Step 1: Verifying database connection..."
-if ! PGPASSWORD="${CPB_PASS}" psql -v ON_ERROR_STOP=1 \
-    -h "$PGHOST" -p "$PGPORT" -U "$CPB_USER" -d "$CPB_DB" \
-    -c "SELECT 1;" > /dev/null 2>&1; then
+CONN_ERR=$(PGPASSWORD="${CPB_PASS}" psql -v ON_ERROR_STOP=1 \
+    -h "$PGHOST" -p "$PGPORT" -U "$CPB_USER" -d "$CPB_DB" \
+    -c "SELECT 1;" 2>&1 > /dev/null) || {
     echo "ERROR: Cannot connect to ${CPB_DB} as ${CPB_USER}" >&2
+    echo "  psql: ${CONN_ERR}" >&2
     echo "  Have you run create-role.sh first?" >&2
     exit 1
-fi
+}
 echo "  Connection: OK"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/cpb/setup-db.sh` around lines 78 - 84, The connection check currently
hides psql's stderr by redirecting output to /dev/null; change the check so the
actual error message from psql is preserved and printed (for example by removing
the "2>&1 > /dev/null" redirection or by capturing psql's stdout/stderr into a
variable and echoing it on failure) when the PGPASSWORD="${CPB_PASS}" psql -v
ON_ERROR_STOP=1 -h "$PGHOST" -p "$PGPORT" -U "$CPB_USER" -d "$CPB_DB" -c "SELECT
1;" command fails, so users see the real diagnostic (e.g., password auth failed,
database missing, connection refused) instead of a generic error.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@scripts/cpb/setup-db.sh`:
- Around line 78-84: The connection check currently hides psql's stderr by
redirecting output to /dev/null; change the check so the actual error message
from psql is preserved and printed (for example by removing the "2>&1 >
/dev/null" redirection or by capturing psql's stdout/stderr into a variable and
echoing it on failure) when the PGPASSWORD="${CPB_PASS}" psql -v ON_ERROR_STOP=1
-h "$PGHOST" -p "$PGPORT" -U "$CPB_USER" -d "$CPB_DB" -c "SELECT 1;" command
fails, so users see the real diagnostic (e.g., password auth failed, database
missing, connection refused) instead of a generic error.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 3bffb364-e0f6-4138-a300-952e63da4614

📥 Commits

Reviewing files that changed from the base of the PR and between 0d879ef and 0960236.

📒 Files selected for processing (2)

scripts/cpb/setup-db.sh
sql/cpb/init-schema.sql

Capture and display the actual psql error on connection failure instead of suppressing it. Operators now see the real diagnostic (wrong password, host unreachable, DB missing) instead of generic "Cannot connect" message. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

sonarqubecloud · 2026-04-07T04:07:03Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

SashkoMarchuk · 2026-04-07T04:09:35Z

https://github.com/coderabbitai review
@coderabbitai

coderabbitai · 2026-04-07T04:09:46Z

@SashkoMarchuk Sure! I'll kick off a review of PR #123 right away.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

## Summary - Replace temporal-based interim DB setup with a two-script architecture using a dedicated `cpb_app` role - **`scripts/cpb/create-role.sh`** (NEW): One-time provisioning using RDS master password — creates `cpb_app` role, `cpb_bot` database, transfers ownership from `temporal` if needed, grants all privileges - **`scripts/cpb/setup-db.sh`** (REWRITTEN): Repeatable schema setup connecting as `cpb_app` — applies `init-schema.sql`, verifies all 6 tables - **`sql/cpb/init-schema.sql`** (NEW): Complete 6-table schema for CPB Slack bot (cycles, opt_in_responses, pairings, pair_history, interactions, admin_reports) - Deletes old `scripts/cpb-setup-db.sh` that required temporal user with CREATEDB - Adds `POSTGRES_PASSWORD_MASTER` to `.env.example` (commented out, one-time use) ## Operational Workflow ``` 1. Set POSTGRES_PASSWORD_MASTER, POSTGRES_PASSWORD_CPB, CPB_POSTGRES_HOST 2. Run: ./scripts/cpb/create-role.sh (creates role + database) 3. Run: ./scripts/cpb/setup-db.sh (creates schema tables) 4. Remove POSTGRES_PASSWORD_MASTER from environment ``` ## Security - Master password required via `:?` — immediate fail if unset, no fallbacks - `validate_pg_identifier()` on all SQL identifiers (regex + length check) - Single-quote escaping + `$$` rejection on passwords - `set -eo pipefail` + `ON_ERROR_STOP=1` on both scripts - No passwords in log output ## Test plan - [ ] Verify `bash -n` syntax check passes on both scripts - [ ] Run `create-role.sh` against RDS — role and database created - [ ] Run `create-role.sh` again — idempotent, no errors, password updated - [ ] Run `setup-db.sh` — all 6 tables created - [ ] Run `setup-db.sh` again — idempotent, no errors - [ ] Verify `cpb_app` owns `cpb_bot` database - [ ] Verify schema matches `init-schema.sql` (triggers, indexes, constraints) Supersedes #123  ## Summary by CodeRabbit ## Release Notes * **Chores** * Reorganized PostgreSQL provisioning process into separate one-time role creation and schema initialization steps for improved setup reliability. * Updated environment variable configuration documentation with new provisioning credentials placeholder. * **New Features** * Added comprehensive database schema with tables for cycle management, user opt-in tracking, pairing records, interaction history, and administrative reporting capabilities.  --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

SashkoMarchuk and others added 4 commits April 6, 2026 23:43

fix(cpb): replace A && B || C with explicit if-then-else (SC2015)

6a7e67f

Refactor schema grant error handling from fragile `cmd && echo || { ... }` to proper if/then/else. Prevents false error-path execution if echo fails. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

SashkoMarchuk requested a review from killev as a code owner April 6, 2026 16:57

coderabbitai bot reviewed Apr 6, 2026

View reviewed changes

scripts/cpb/create-role.sh Show resolved Hide resolved

scripts/cpb/setup-db.sh Show resolved Hide resolved

sql/cpb/init-schema.sql Show resolved Hide resolved

sql/cpb/init-schema.sql Show resolved Hide resolved

SashkoMarchuk changed the title ~~infra(cpb): add dedicated role provisioning and schema setup~~ infra(cpb): add dedicated role provisioning and schema setup [coderabbit-ai-review] Apr 6, 2026

coderabbitai bot reviewed Apr 6, 2026

View reviewed changes

fix(cpb): add UNIQUE constraint on admin_reports.cycle_id

0d879ef

One report per cycle is the correct invariant — enforce at DB level. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

github-actions bot reviewed Apr 6, 2026

View reviewed changes

SashkoMarchuk and others added 2 commits April 7, 2026 10:21

github-actions bot reviewed Apr 7, 2026

View reviewed changes

coderabbitai bot reviewed Apr 7, 2026

View reviewed changes

SashkoMarchuk closed this Apr 7, 2026

SashkoMarchuk mentioned this pull request Apr 7, 2026

infra(cpb): add dedicated role provisioning and schema setup #124

Merged

7 tasks

SashkoMarchuk deleted the feature/cpb-dedicated-role branch April 7, 2026 04:32

Conversation

SashkoMarchuk commented Apr 6, 2026 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Operational Workflow

Security

Test plan

Summary by CodeRabbit

Uh oh!

github-actions bot commented Apr 6, 2026

🤖 CodeRabbit AI Review Available

Uh oh!

coderabbitai bot commented Apr 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Rate limit exceeded

Reviews paused

CodeRabbit GitHub Action detected

Walkthrough

Changes

Sequence Diagram(s)

Estimated code review effort

Possibly related PRs

Suggested labels

Suggested reviewers

Poem

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Apr 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CodeRabbit Pro

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Apr 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔍 Vulnerabilities of temporal-test:latest

Impact

Patches

Workarounds

1. Use a Validating Interceptor (Recommended Mitigation)

2. Infrastructure-Level Normalization

3. Policy Hardening

Impact

Patches

Workarounds

1. Use a Validating Interceptor (Recommended Mitigation)

2. Infrastructure-Level Normalization

3. Policy Hardening

Impact

Patches

Workarounds

1. Use a Validating Interceptor (Recommended Mitigation)

2. Infrastructure-Level Normalization

3. Policy Hardening

Summary

Details

Impact

Impact

Patches

References

Impact

Patches

References

Impact

Fixed In

Workarounds

Thanks

Summary

Details

Impact

Uh oh!

github-actions bot left a comment

Choose a reason for hiding this comment

SashkoMarchuk commented Apr 6, 2026 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Apr 6, 2026 •

edited

Loading

github-actions bot commented Apr 6, 2026 •

edited

Loading

github-actions bot commented Apr 6, 2026 •

edited

Loading

🔍 Vulnerabilities of `temporal-test:latest`

Chat with CodeRabbit Bot (`@coderabbitai`)

Chat with CodeRabbit Bot (`@coderabbitai`)