test: guard metrics RPCs with org oracle checks #1761
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b72544d5fc
| SELECT tests.authenticate_as_service_role(); | ||
|
|
||
| RETURN NEXT throws_ok( |
Assert permission denial before switching to service_role
This test switches to service_role and then expects get_total_metrics(org_id, start_date, end_date) to throw permission denied, but that overload is granted to service_role (see supabase/migrations/20260224093000_fix_get_total_metrics_auth.sql), so the assertion is inverted and will fail when the SQL test suite runs. The denial assertion should be executed while still authenticated as a non-service caller (e.g. the attacker) to verify the intended access control boundary.
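The ordering the review comment asks for, as an added pgTAP example that is not part of the PR or of the review: the denial is asserted under a non-service role, and the service role gets a success assertion instead. The `demo_*` roles and `demo_get_total_metrics` function are constructed stand-ins for the project's own roles, its `tests.*` authentication helpers and `get_total_metrics`; it assumes pgTAP is available and the session may create roles.

```sql
BEGIN;
CREATE EXTENSION IF NOT EXISTS pgtap;
SELECT plan(2);

-- Constructed stand-ins (assumptions, rolled back at the end).
CREATE ROLE demo_service_role;
CREATE ROLE demo_attacker;
CREATE FUNCTION demo_get_total_metrics(org_id uuid, start_date date, end_date date)
RETURNS bigint LANGUAGE sql AS $$ SELECT 0::bigint $$;

-- Functions are executable by PUBLIC by default, so revoke first,
-- then grant the overload to the service role only.
REVOKE ALL ON FUNCTION demo_get_total_metrics(uuid, date, date) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION demo_get_total_metrics(uuid, date, date)
  TO demo_service_role;

-- 1. Denial is asserted while acting as the non-service caller.
SET LOCAL ROLE demo_attacker;
SELECT throws_ok(
  $$ SELECT demo_get_total_metrics(
       '00000000-0000-0000-0000-000000000001', '2026-01-01', '2026-01-31') $$,
  '42501',  -- SQLSTATE insufficient_privilege
  'non-service caller is denied the explicit-org overload'
);
RESET ROLE;

-- 2. Only then switch to the service role, and assert success, not failure.
SET LOCAL ROLE demo_service_role;
SELECT lives_ok(
  $$ SELECT demo_get_total_metrics(
       '00000000-0000-0000-0000-000000000001', '2026-01-01', '2026-01-31') $$,
  'service role may call the explicit-org overload'
);
RESET ROLE;

SELECT * FROM finish();
ROLLBACK;
```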
b72544d to c57c573
c57c573 to cdaa98e



## Summary (AI generated)

- Added an SQL regression test to verify cross-tenant/org access control boundaries for org-scoped metrics RPCs.
- The new test protects against unauthenticated or unauthorized callers reading data via get_app_metrics, get_global_metrics, and get_total_metrics.
- Existing behavior is also validated for authorized owner and service-role-only explicit total-metrics access.

## Motivation (AI generated)

- Prior code paths could expose or cache metrics across tenants when org/context checks were bypassed.
- This regression test locks in the expected oracle-based authorization behavior after the recent RPC hardening changes.

## Business Impact (AI generated)

- Prevents cross-tenant metric leakage and reinforces tenant isolation for billing/usage and dashboard reporting endpoints.
- Reduces regression risk in a security-sensitive area with low test coverage previously.

## Test Plan (AI generated)

- [x] Added `supabase/tests/45_test_metrics_oracle.sql` with dedicated users, org/app fixtures, and authorization assertions.
- [x] Ran `bun lint:backend` successfully.

Generated with AI