
infra(cpb): add dedicated role provisioning and schema setup [coderabbit-ai-review]#123

Closed
SashkoMarchuk wants to merge 9 commits into main from feature/cpb-dedicated-role

Conversation

@SashkoMarchuk
Collaborator

@SashkoMarchuk SashkoMarchuk commented Apr 6, 2026

Summary

  • Replace temporal-based interim DB setup with a two-script architecture using a dedicated cpb_app role
  • scripts/cpb/create-role.sh (NEW): One-time provisioning using RDS master password — creates cpb_app role, cpb_bot database, transfers ownership from temporal if needed, grants all privileges
  • scripts/cpb/setup-db.sh (REWRITTEN): Repeatable schema setup connecting as cpb_app — applies init-schema.sql, verifies all 6 tables
  • sql/cpb/init-schema.sql (NEW): Complete 6-table schema for CPB Slack bot (cycles, opt_in_responses, pairings, pair_history, interactions, admin_reports)
  • Deletes old scripts/cpb-setup-db.sh that required temporal user with CREATEDB
  • Adds POSTGRES_PASSWORD_MASTER to .env.example (commented out, one-time use)

Operational Workflow

1. Set POSTGRES_PASSWORD_MASTER, POSTGRES_PASSWORD_CPB, CPB_POSTGRES_HOST
2. Run: ./scripts/cpb/create-role.sh    (creates role + database)
3. Run: ./scripts/cpb/setup-db.sh       (creates schema tables)
4. Remove POSTGRES_PASSWORD_MASTER from environment

Security

  • Master password required via :? — immediate fail if unset, no fallbacks
  • validate_pg_identifier() on all SQL identifiers (regex + length check)
  • Single-quote escaping + $$ rejection on passwords
  • set -eo pipefail + ON_ERROR_STOP=1 on both scripts
  • No passwords in log output

Test plan

  • Verify bash -n syntax check passes on both scripts
  • Run create-role.sh against RDS — role and database created
  • Run create-role.sh again — idempotent, no errors, password updated
  • Run setup-db.sh — all 6 tables created
  • Run setup-db.sh again — idempotent, no errors
  • Verify cpb_app owns cpb_bot database
  • Verify schema matches init-schema.sql (triggers, indexes, constraints)

Supersedes #122

Summary by CodeRabbit

  • Chores

    • Split DB provisioning into separate role-creation and schema-initialization steps.
    • Replaced a legacy provisioning script with new dedicated provisioning scripts that handle role creation, ownership reassignment, connectivity checks, and schema application.
    • Added a commented environment placeholder for a one-time master DB password and updated provisioning references.
  • New Features

    • Added a complete, idempotent database schema with tables, indexes, triggers, validation, and verification checks.
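As an added example (not the PR's own create-role.sh), here is how the three input checks listed under Security can be implemented in bash and combined into the create-or-alter-role statement that is piped to psql. The identifier regex, the 63-byte limit and the function names are assumptions; the PR description says only "regex + length check" and "single-quote escaping + $$ rejection".

```bash
#!/usr/bin/env bash
# Added example, not the PR's create-role.sh. It shows the three input checks the
# PR lists under "Security": a required variable (:?), identifier validation,
# and password escaping with $$ rejection, combined into the role SQL.
# Assumptions (not stated in the PR): the identifier regex below and the 63-byte
# limit (PostgreSQL's NAMEDATALEN-1); the function names are mine.
set -eo pipefail

# Accept only identifiers that are safe to interpolate into SQL: lowercase
# letters, digits and underscore, not starting with a digit, at most 63 bytes.
validate_pg_identifier() {
  local id="$1"
  [[ "$id" =~ ^[a-z_][a-z0-9_]*$ ]] || return 1
  [ "${#id}" -le 63 ] || return 1
}

# The role SQL is wrapped in a dollar-quoted DO $$ ... $$ block, so a "$$" inside
# the password would terminate the block: reject it outright. Otherwise double
# single quotes so the value is a valid SQL string literal. The password itself
# is never written to stderr.
escape_pg_literal() {
  local pw="$1"
  case "$pw" in
    *'$$'*) return 1 ;;
  esac
  printf '%s' "$pw" | sed "s/'/''/g"
}

# Emit the idempotent create-or-alter statement for ROLE with password PW.
# Fails (printing nothing on stdout) if either input is rejected, so the caller
# never pipes a half-built statement into psql.
build_role_sql() {
  local role="$1" pw="$2" lit
  validate_pg_identifier "$role" || { echo "error: invalid role name" >&2; return 1; }
  lit="$(escape_pg_literal "$pw")" || { echo "error: password contains \$\$" >&2; return 1; }
  cat <<SQL
DO \$\$
BEGIN
  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${role}') THEN
    CREATE ROLE "${role}" LOGIN PASSWORD '${lit}';
  ELSE
    ALTER ROLE "${role}" WITH PASSWORD '${lit}';
  END IF;
END
\$\$;
SQL
}

# Intended use, matching the PR's workflow (commented out so the file runs offline):
#   : "${POSTGRES_PASSWORD_MASTER:?POSTGRES_PASSWORD_MASTER must be set}"
#   build_role_sql cpb_app "$POSTGRES_PASSWORD_CPB" \
#     | PGPASSWORD="$POSTGRES_PASSWORD_MASTER" psql -v ON_ERROR_STOP=1 \
#         -h "$CPB_POSTGRES_HOST" -U "$MASTER_USER" -d postgres
```

Because `build_role_sql` prints nothing and exits non-zero on a rejected input, `set -eo pipefail` on the caller side stops the script before psql ever runs.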

SashkoMarchuk and others added 4 commits April 6, 2026 23:43
…ple Bot

Replace the old setup script that required postgres admin access and CREATEROLE
with a version that uses temporal user (CREATEDB) and grants to existing n8n user.
Add complete 6-table schema (cycles, opt_in_responses, pairings, pair_history,
interactions, admin_reports) with idempotent IF NOT EXISTS, triggers, and indexes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix two filename references in header comments flagged by CodeRabbit:
- setup-db.sh usage example: cpb-setup-db.sh → cpb/setup-db.sh
- init-schema.sql usage example: cpb-init-schema.sql → init-schema.sql

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Refactor schema grant error handling from fragile `cmd && echo || { ... }`
to proper if/then/else. Prevents false error-path execution if echo fails.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace temporal-based DB setup with a two-script architecture:
- create-role.sh: one-time provisioning using RDS master password
  to create cpb_app role and cpb_bot database
- setup-db.sh: repeatable schema setup connecting as cpb_app

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@SashkoMarchuk SashkoMarchuk requested a review from killev as a code owner April 6, 2026 16:57
@github-actions

github-actions bot commented Apr 6, 2026


🤖 CodeRabbit AI Review Available

To request a code review from CodeRabbit AI, add [coderabbit-ai-review] to your PR title.

CodeRabbit will analyze your code and provide feedback on:

  • Logic and correctness
  • Security issues
  • Performance optimizations
  • Code quality and best practices
  • Error handling
  • Maintainability

Note: Reviews are only performed when [coderabbit-ai-review] is present in the PR title.

@coderabbitai

coderabbitai bot commented Apr 6, 2026

Warning

Rate limit exceeded

@SashkoMarchuk has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 42 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 13 minutes and 42 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 88cede48-b89e-4a4d-9c05-5f8df37d19db

📥 Commits

Reviewing files that changed from the base of the PR and between 0960236 and 5424f1f.

📒 Files selected for processing (1)
  • scripts/cpb/setup-db.sh

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Warning

CodeRabbit GitHub Action detected

The repository is using both CodeRabbit Pro and CodeRabbit Open Source (via GitHub Actions), which is not recommended as it may lead to duplicate comments and extra noise. Please remove the CodeRabbit GitHub Action.

📝 Walkthrough

Walkthrough

Replaces an old CPB DB provisioning script with two new executables: scripts/cpb/create-role.sh (provisions role, DB, ownership, reassigns objects, grants privileges) and scripts/cpb/setup-db.sh (applies SQL schema and validates tables). Adds sql/cpb/init-schema.sql and updates .env.example to reference the new scripts and include a POSTGRES_PASSWORD_MASTER placeholder.

Changes

Cohort / File(s) and summary:

  • Environment (.env.example): Updated provisioning comments to reference create-role.sh and setup-db.sh; added commented placeholder POSTGRES_PASSWORD_MASTER= with a note about one-time use.
  • Provisioning scripts (scripts/cpb/create-role.sh, scripts/cpb/setup-db.sh, scripts/cpb-setup-db.sh): Removed legacy scripts/cpb-setup-db.sh. Added create-role.sh to create/alter role, create DB, change ownership, reassign owned objects, and grant privileges. Added setup-db.sh to apply sql/cpb/init-schema.sql, validate connectivity, and verify expected table count.
  • Schema (sql/cpb/init-schema.sql): Added full CPB schema: trigger function update_updated_at_column(), tables (cycles, opt_in_responses, pairings, pair_history, interactions, admin_reports), indexes, constraints, and BEFORE UPDATE triggers to maintain updated_at.

Sequence Diagram(s)

sequenceDiagram
  participant Operator as "Operator"
  participant FS as "Filesystem (repo/sql)"
  participant Script as "create-role.sh"
  participant PG as "Postgres master (psql)"
  rect rgba(200,240,200,0.5)
    Operator->>Script: invoke with env (HOST, MASTER_PW, CPB_PW)
    Script->>PG: CONNECT as master (psql ON_ERROR_STOP=1)
    PG-->>Script: connection OK / auth
    Script->>PG: CREATE ROLE IF NOT EXISTS / ALTER ROLE ... WITH PASSWORD
    PG-->>Script: role created/updated
    Script->>PG: CREATE DATABASE IF NOT EXISTS ... OWNER on create
    PG-->>Script: database created or exists
    Script->>PG: CHECK/CHANGE DB owner if different
    Script->>PG: REASSIGN OWNED BY other_roles TO cpb_role
    PG-->>Script: reassignments applied
    Script->>PG: GRANT CONNECT/USAGE/ALL PRIVILEGES
    Script-->>Operator: provisioning complete + next steps
  end
sequenceDiagram
  participant Operator as "Operator"
  participant FS as "Filesystem (repo/sql)"
  participant Script as "setup-db.sh"
  participant PG as "Postgres CPB DB (psql)"
  rect rgba(200,220,255,0.5)
    Operator->>Script: invoke with env (HOST, CPB_PW)
    Script->>FS: locate sql/cpb/init-schema.sql
    FS-->>Script: file found
    Script->>PG: CONNECT and run SELECT 1 (verify)
    PG-->>Script: success
    Script->>PG: psql -f init-schema.sql (apply schema)
    PG-->>Script: schema applied
    Script->>PG: count base tables in public schema
    PG-->>Operator: verified table count (expected 6) -> success banner
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

database

Suggested reviewers

  • killev
  • automatization-bot

Poem

"I nibble keys and hop through rows,
I plant new roles where data grows.
With schema neat and grants all right,
I tuck the DB in for the night.
Carrots for reviews — hop, delight! 🥕"

🚥 Pre-merge checks: 3 passed

  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title accurately summarizes the main change: adding dedicated role provisioning and schema setup scripts for CPB infrastructure, which aligns with the core objective of replacing temporal-based setup with a two-script architecture.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient; the required threshold is 80.00%.



@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/cpb/create-role.sh`:
- Around line 110-148: Step 3 in create-role.sh only changes the database owner
but leaves individual objects owned by the previous role, causing schema
reapplication in setup-db.sh to fail; after the ownership transfer block (the DO
$$ ... END $$; that uses current_owner and ${CPB_USER}) add a REASSIGN OWNED BY
<old_owner> TO "${CPB_USER}" step (or insert it in setup-db.sh before applying
sql/cpb/init-schema.sql) so that all tables, sequences, functions and triggers
owned by the previous role are reassigned to ${CPB_USER}; use the current_owner
variable value captured in the DO block (or ${MASTER_USER} if appropriate) to
build the REASSIGN OWNED command and run it as the superuser.

In `@scripts/cpb/setup-db.sh`:
- Around line 106-111: The script currently only warns when TABLE_COUNT != 6,
allowing setup-db.sh to exit 0 with an incomplete schema; update the else branch
that checks TABLE_COUNT to make the script fail fast by printing the warning to
stderr (as it already does) and then exiting with a non-zero status (e.g., exit
1) so callers detect failure—modify the block that compares TABLE_COUNT (the
existing if [[ "$TABLE_COUNT" -eq 6 ]]; then ... else ...) to add a failing exit
after the error messages.

In `@sql/cpb/init-schema.sql`:
- Around line 157-181: Add a multi-column CHECK constraint on the interactions
table to enforce valid touchpoint/action pairs (instead of independent checks)
by updating the CREATE TABLE for interactions (or via ALTER TABLE) to include a
constraint (e.g., interactions_touchpoint_action_valid) that allows only the
permitted action values for each touchpoint value; reference the touchpoint and
action columns in the constraint and enumerate the allowed combinations (for
example, actions allowed for 'opt_in' vs 'checkin' vs 'survey') so impossible
pairs like touchpoint='opt_in' with action='satisfied' are rejected.
- Around line 107-129: Add a uniqueness constraint to enforce one-pair-per-cycle
by making (cycle_id, person_a_id, person_b_id) unique on the pairings table;
update the schema for the pairings table (which already has CHECK (person_a_id <
person_b_id)) to include either a UNIQUE constraint or create a unique index
(e.g., uniq_pairings_cycle_pair) on those three columns so duplicate rows cannot
be inserted and notification/history duplication is prevented.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 3234300b-0af9-4cf8-900e-e8f827a63e62

📥 Commits

Reviewing files that changed from the base of the PR and between 404d9ed and 5edcc5d.

📒 Files selected for processing (5)
  • .env.example
  • scripts/cpb-setup-db.sh
  • scripts/cpb/create-role.sh
  • scripts/cpb/setup-db.sh
  • sql/cpb/init-schema.sql
💤 Files with no reviewable changes (1)
  • scripts/cpb-setup-db.sh

- Add REASSIGN OWNED step in create-role.sh to transfer object ownership
  (tables, sequences, functions) after database ownership transfer
- Fail fast in setup-db.sh when table count != 6 (exit 1, not warning)
- Add UNIQUE(cycle_id, person_a_id, person_b_id) to pairings table
- Replace independent touchpoint/action CHECKs with composite constraint
  that enforces valid combinations (e.g. blocks opt_in + satisfied)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@SashkoMarchuk SashkoMarchuk changed the title infra(cpb): add dedicated role provisioning and schema setup infra(cpb): add dedicated role provisioning and schema setup [coderabbit-ai-review] Apr 6, 2026
@github-actions

github-actions bot commented Apr 6, 2026


Currently reviewing new changes in this PR...

Commits: files that changed from the base of the PR and between 0960236 and 5424f1f.
Files selected (1)
  • scripts/cpb/setup-db.sh (1)


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
sql/cpb/init-schema.sql (1)

188-207: Consider whether multiple reports per cycle are intentional.

The admin_reports table allows multiple rows per cycle_id. If only one report per cycle is expected, consider adding a uniqueness constraint.

🔧 Optional: Add uniqueness if one report per cycle
 CREATE INDEX IF NOT EXISTS idx_admin_reports_cycle
     ON admin_reports(cycle_id);
+
+-- Uncomment if only one report per cycle is allowed:
+-- ALTER TABLE admin_reports ADD CONSTRAINT uq_admin_reports_cycle UNIQUE (cycle_id);
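Review bot: the suggested `ALTER TABLE admin_reports ADD CONSTRAINT uq_admin_reports_cycle UNIQUE (cycle_id);` is not re-runnable, which matters because setup-db.sh is meant to be applied repeatedly (the test plan runs it twice and expects no errors, and psql runs with ON_ERROR_STOP=1). PostgreSQL has no IF NOT EXISTS form of ADD CONSTRAINT, so the second run would abort on a duplicate-constraint error. Either replace the non-unique index with `CREATE UNIQUE INDEX IF NOT EXISTS idx_admin_reports_cycle ON admin_reports(cycle_id);`, which also avoids keeping two indexes on the same column, or guard the ALTER in a DO block that checks pg_constraint before adding it.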
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@sql/cpb/init-schema.sql` around lines 188 - 207, The admin_reports table
currently allows multiple rows per cycle_id (index idx_admin_reports_cycle is
non-unique); if the intent is one report per cycle, add a uniqueness constraint
on admin_reports.cycle_id (either change the CREATE TABLE to include
UNIQUE(cycle_id) or replace the non-unique index with a UNIQUE INDEX on
cycle_id) so duplicate reports for the same cycle are prevented; ensure the
trigger trg_admin_reports_updated_at and any existing data are compatible with
the new uniqueness constraint before applying.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: d419d69f-7c6d-4ebe-a407-f989e93bc8b6

📥 Commits

Reviewing files that changed from the base of the PR and between 5edcc5d and c9c7c2a.

📒 Files selected for processing (3)
  • scripts/cpb/create-role.sh
  • scripts/cpb/setup-db.sh
  • sql/cpb/init-schema.sql
🚧 Files skipped from review as they are similar to previous changes (1)
  • scripts/cpb/setup-db.sh

One report per cycle is the correct invariant — enforce at DB level.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions

github-actions bot commented Apr 6, 2026

🔍 Vulnerabilities of temporal-test:latest

📦 Image reference: temporal-test:latest
  • digest: sha256:17e54ff5e9a181d1bdbf7334ce9637f9c3934d54a65427ae36a5743f46487f15
  • vulnerabilities: critical: 7, high: 36, medium: 0, low: 0
  • platform: linux/amd64
  • size: 218 MB
  • packages: 358
📦 Base image: alpine:3 (also known as 3.21, 3.21.3, latest)
  • digest: sha256:1c4eef651f65e2f7daee7ee785882ac164b02b78fb74503052a26dc061c90474
  • vulnerabilities: critical: 0, high: 5, medium: 9, low: 3
stdlib 1.23.6 (golang): critical: 2, high: 7, medium: 0, low: 0

pkg:golang/stdlib@1.23.6

critical: CVE-2025-68121
  • Affected range: <1.24.13
  • Fixed version: 1.24.13
  • EPSS score: 0.017%
  • EPSS percentile: 4th percentile
Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

critical: CVE-2025-22871
  • Affected range: <1.23.8
  • Fixed version: 1.23.8
  • EPSS score: 0.127%
  • EPSS percentile: 32nd percentile
Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

high: CVE-2026-25679
  • Affected range: <1.25.8
  • Fixed version: 1.25.8
  • EPSS score: 0.031%
  • EPSS percentile: 9th percentile
Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

high: CVE-2025-61729
  • Affected range: <1.24.11
  • Fixed version: 1.24.11
  • EPSS score: 0.023%
  • EPSS percentile: 6th percentile
Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

high: CVE-2025-61726
  • Affected range: <1.24.12
  • Fixed version: 1.24.12
  • EPSS score: 0.032%
  • EPSS percentile: 9th percentile
Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

high: CVE-2025-61725
  • Affected range: <1.24.8
  • Fixed version: 1.24.8
  • EPSS score: 0.028%
  • EPSS percentile: 8th percentile
Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

high: CVE-2025-61723
  • Affected range: <1.24.8
  • Fixed version: 1.24.8
  • EPSS score: 0.027%
  • EPSS percentile: 8th percentile
Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

high: CVE-2025-58188
  • Affected range: <1.24.8
  • Fixed version: 1.24.8
  • EPSS score: 0.006%
  • EPSS percentile: 0th percentile
Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

high: CVE-2025-58187
  • Affected range: <1.24.9
  • Fixed version: 1.24.9
  • EPSS score: 0.013%
  • EPSS percentile: 2nd percentile
Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

stdlib 1.23.2 (golang): critical: 2, high: 7, medium: 0, low: 0

pkg:golang/stdlib@1.23.2

Same nine advisories as listed for stdlib 1.23.6 above (CVE-2025-68121, CVE-2025-22871, CVE-2026-25679, CVE-2025-61729, CVE-2025-61726, CVE-2025-61725, CVE-2025-61723, CVE-2025-58188, CVE-2025-58187), with identical affected ranges and fixed versions.

google.golang.org/grpc 1.56.3 (golang): critical: 1, high: 0, medium: 0, low: 0

pkg:golang/google.golang.org/grpc@1.56.3

critical 9.1: CVE-2026-33186 Improper Authorization
  • Affected range: <1.79.3
  • Fixed version: 1.79.3
  • CVSS score: 9.1
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • EPSS score: 0.014%
  • EPSS percentile: 3rd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

// Imports added so the advisory's snippet compiles; the advisory shows only the
// interceptor and the server construction.
import (
    "context"
    "google.golang.org/grpc"
    "google.golang.org/grpc/codes"
    "google.golang.org/grpc/status"
)

func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    // Reject any method name that is not a canonical "/Service/Method" path before
    // the authorization logic sees the raw string.
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain; authzInterceptor is the
// application's existing authorization interceptor.
func newServer(authzInterceptor grpc.UnaryServerInterceptor) *grpc.Server {
    return grpc.NewServer(
        grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
    )
}

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.70.0 (golang)

pkg:golang/google.golang.org/grpc@1.70.0

critical 9.1: CVE--2026--33186 Improper Authorization

Affected range<1.79.3
Fixed version1.79.3
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.014%
EPSS Percentile3rd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

```go
package main

import (
	"context"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
)

// Reject any :path that lacks the mandatory leading slash before authz runs.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
	if info.FullMethod == "" || info.FullMethod[0] != '/' {
		return nil, status.Errorf(codes.Unimplemented, "malformed method name")
	}
	return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain (authzInterceptor is the server's own).
func newServer(authzInterceptor grpc.UnaryServerInterceptor) *grpc.Server {
	return grpc.NewServer(grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor))
}
```

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.71.0 (golang)

pkg:golang/google.golang.org/grpc@1.71.0

critical 9.1: CVE-2026-33186 Improper Authorization

Affected range: <1.79.3
Fixed version: 1.79.3
CVSS Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 0.014%
EPSS Percentile: 3rd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

```go
package main

import (
	"context"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
)

// Reject any :path that lacks the mandatory leading slash before authz runs.
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
	if info.FullMethod == "" || info.FullMethod[0] != '/' {
		return nil, status.Errorf(codes.Unimplemented, "malformed method name")
	}
	return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain (authzInterceptor is the server's own).
func newServer(authzInterceptor grpc.UnaryServerInterceptor) *grpc.Server {
	return grpc.NewServer(grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor))
}
```

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.
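The two mitigations described in the advisory above (the validating interceptor and the default-deny policy) are modelled end to end in the following Go program. It is an added example written for this page, not code from the advisory, from grpc-go or from grpc/authz: it uses only the standard library so it runs without the gRPC module, so `Policy`, `Evaluate`, `Authorize`, `ValidateFullMethod` and the `admin.Admin/DeleteUser` and `users.Users/Get` method names are this example's own constructions. In a real server the gate is the interceptor shown in the advisory; `ValidateFullMethod` goes one step beyond that snippet's leading-slash test and also requires the canonical `/<service>/<method>` shape with both segments non-empty.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Decision is the outcome of authorizing one request path.
type Decision int

const (
	Deny          Decision = iota // an explicit deny rule, or the default-deny fallback
	Allow                         // an explicit allow rule, or the fallback allow
	Unimplemented                 // rejected by the validation gate before any policy ran
)

func (d Decision) String() string {
	return [...]string{"DENY", "ALLOW", "UNIMPLEMENTED"}[d]
}

// Policy models a path-based RBAC policy of the kind grpc/authz evaluates:
// explicit deny rules, explicit allow rules, and a fallback for everything else.
// Hypothetical type for this example, not a grpc/authz API.
type Policy struct {
	DenyPaths  []string
	AllowPaths []string
	Fallback   Decision
}

// Evaluate applies the rules to the raw method string exactly as an interceptor
// receives it. It performs no normalisation, which is what lets a path without
// the leading slash slip past deny rules that were written canonically.
func (p Policy) Evaluate(fullMethod string) Decision {
	for _, d := range p.DenyPaths {
		if fullMethod == d {
			return Deny
		}
	}
	for _, a := range p.AllowPaths {
		if fullMethod == a {
			return Allow
		}
	}
	return p.Fallback
}

// ErrMalformedMethod is what the gate reports; a real interceptor maps it to codes.Unimplemented.
var ErrMalformedMethod = errors.New("malformed method name")

// ValidateFullMethod is the advisory's leading-slash check, tightened to the
// canonical "/<service>/<method>" shape with both segments non-empty.
func ValidateFullMethod(fullMethod string) error {
	if fullMethod == "" || fullMethod[0] != '/' {
		return ErrMalformedMethod
	}
	parts := strings.Split(fullMethod[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return ErrMalformedMethod
	}
	return nil
}

// Authorize chains the two steps in the order the advisory requires:
// the validation gate first, the policy only for canonical paths.
func Authorize(p Policy, fullMethod string) Decision {
	if err := ValidateFullMethod(fullMethod); err != nil {
		return Unimplemented
	}
	return p.Evaluate(fullMethod)
}

// VulnerablePolicy is the affected pattern from the advisory: a canonical deny
// rule plus a fallback allow. Service and method names are constructed samples.
func VulnerablePolicy() Policy {
	return Policy{DenyPaths: []string{"/admin.Admin/DeleteUser"}, Fallback: Allow}
}

// DefaultDenyPolicy is the "policy hardening" posture: list what is allowed and
// deny everything else, so an unmatched non-canonical path is still denied.
func DefaultDenyPolicy() Policy {
	return Policy{AllowPaths: []string{"/users.Users/Get"}, Fallback: Deny}
}

func main() {
	for _, path := range []string{"/admin.Admin/DeleteUser", "admin.Admin/DeleteUser", "/users.Users/Get"} {
		fmt.Printf("%-26q policy-only=%-13v gated=%-13v default-deny=%v\n",
			path, VulnerablePolicy().Evaluate(path), Authorize(VulnerablePolicy(), path), DefaultDenyPolicy().Evaluate(path))
	}
}
```

The middle column of the output is the bypass the advisory describes (the un-slashed path reaches the fallback allow); the gated column shows the interceptor turning it into an Unimplemented rejection, and the last column shows that a default-deny policy denies it even without the gate.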

critical: 0 high: 5 medium: 0 low: 0 openssl 3.3.3-r0 (apk)

pkg:apk/alpine/openssl@3.3.3-r0?os_name=alpine&os_version=3.21

high: CVE-2025-15467

Affected range: <3.3.6-r0
Fixed version: 3.3.6-r0
EPSS Score: 0.705%
EPSS Percentile: 72nd percentile
Description

high: CVE-2025-9230

Affected range: <3.3.5-r0
Fixed version: 3.3.5-r0
EPSS Score: 0.034%
EPSS Percentile: 10th percentile
Description

high: CVE-2025-69421

Affected range: <3.3.6-r0
Fixed version: 3.3.6-r0
EPSS Score: 0.036%
EPSS Percentile: 11th percentile
Description

high: CVE-2025-69420

Affected range: <3.3.6-r0
Fixed version: 3.3.6-r0
EPSS Score: 0.303%
EPSS Percentile: 54th percentile
Description

high: CVE-2025-69419

Affected range: <3.3.6-r0
Fixed version: 3.3.6-r0
EPSS Score: 0.063%
EPSS Percentile: 20th percentile
Description

critical: 0 high: 3 medium: 0 low: 0 curl 8.12.1-r0 (apk)

pkg:apk/alpine/curl@8.12.1-r0?os_name=alpine&os_version=3.21

high: CVE-2026-3805

Affected range: <=8.14.0-r0
Fixed version: Not Fixed
EPSS Score: 0.039%
EPSS Percentile: 12th percentile
Description

high: CVE-2025-9086

Affected range: <8.14.1-r2
Fixed version: 8.14.1-r2
EPSS Score: 0.035%
EPSS Percentile: 10th percentile
Description

high: CVE-2025-5399

Affected range: <8.14.1-r0
Fixed version: 8.14.1-r0
EPSS Score: 0.486%
EPSS Percentile: 65th percentile
Description

critical: 0 high: 2 medium: 0 low: 0 golang.org/x/crypto 0.32.0 (golang)

pkg:golang/golang.org/x/crypto@0.32.0

high: CVE-2025-47913

Affected range: <0.43.0
Fixed version: 0.43.0
EPSS Score: 0.039%
EPSS Percentile: 12th percentile
Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

high: CVE-2025-22869

Affected range: <0.35.0
Fixed version: 0.35.0
EPSS Score: 0.289%
EPSS Percentile: 52nd percentile
Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

critical: 0 high: 1 medium: 0 low: 0 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.36.4 (golang)

pkg:golang/go.opentelemetry.io/contrib/instrumentation@0.36.4#google.golang.org/grpc/otelgrpc

high: CVE-2023-47108 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range: <0.46.0
Fixed version: 0.46.0
EPSS Score: 4.299%
EPSS Percentile: 89th percentile
Description

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing otelgrpc.WithMeterProvider option with noop.NewMeterProvider.

critical: 0 high: 1 medium: 0 low: 0 nghttp2 1.64.0-r0 (apk)

pkg:apk/alpine/nghttp2@1.64.0-r0?os_name=alpine&os_version=3.21

high: CVE-2026-27135

Affected range: <=1.64.0-r0
Fixed version: Not Fixed
EPSS Score: 0.017%
EPSS Percentile: 4th percentile
Description

critical: 0 high: 1 medium: 0 low: 0 github.com/golang-jwt/jwt 3.2.2+incompatible (golang)

pkg:golang/github.com/golang-jwt/jwt@3.2.2%2Bincompatible

high 8.7: CVE-2025-30204 Asymmetric Resource Consumption (Amplification)

Affected range: >=3.2.0, <=3.2.2
Fixed version: Not Fixed
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.102%
EPSS Percentile: 28th percentile
Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

critical: 0 high: 1 medium: 0 low: 0 go.opentelemetry.io/otel/sdk 1.35.0 (golang)

pkg:golang/go.opentelemetry.io/otel/sdk@1.35.0

high 7.0: CVE-2026-24051 Untrusted Search Path

Affected range: >=1.21.0, <1.40.0
Fixed version: 1.40.0
CVSS Score: 7
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.007%
EPSS Percentile: 1st percentile
Description

Impact

The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.

Patches

This has been patched in d45961b, which was released with v1.40.0.

References

critical: 0 high: 1 medium: 0 low: 0 go.opentelemetry.io/otel/sdk 1.34.0 (golang)

pkg:golang/go.opentelemetry.io/otel/sdk@1.34.0

high 7.0: CVE-2026-24051 Untrusted Search Path

Affected range: >=1.21.0, <1.40.0
Fixed version: 1.40.0
CVSS Score: 7
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.007%
EPSS Percentile: 1st percentile
Description

Impact

The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application.

Patches

This has been patched in d45961b, which was released with v1.40.0.

References

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.35.0 (golang)

pkg:golang/golang.org/x/crypto@0.35.0

high: CVE-2025-47913

Affected range: <0.43.0
Fixed version: 0.43.0
EPSS Score: 0.039%
EPSS Percentile: 12th percentile
Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.36.0 (golang)

pkg:golang/golang.org/x/crypto@0.36.0

high: CVE-2025-47913

Affected range: <0.43.0
Fixed version: 0.43.0
EPSS Score: 0.039%
EPSS Percentile: 12th percentile
Description

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

critical: 0 high: 1 medium: 0 low: 0 github.com/go-jose/go-jose/v4 4.0.5 (golang)

pkg:golang/github.com/go-jose/go-jose@4.0.5#v4

high 7.5: CVE-2026-34986 Uncaught Exception

Affected range: <4.1.4
Fixed version: 4.1.4
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Impact

Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key.

This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.

This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common.

Panics can lead to denial of service.

Fixed In

4.1.4 and v3.0.5

Workarounds

If the list of keyAlgorithms passed to ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() does not include key wrapping algorithms (those ending in KW), your application is unaffected.

If your application uses key wrapping, you can prevalidate the JWE objects to ensure the encrypted_key field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second .).
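The prevalidation workaround just described, as an added example written for this page rather than taken from go-jose: a standard-library-only Go check for the JWE Compact Serialization. `PrevalidateCompactJWE`, `usesKeyWrap` and the `SampleCompactJWE` helper are this example's own names, the token segments the helper builds are constructed placeholders rather than real ciphertext, and the check does no cryptography. It only refuses a token whose protected header names a key-wrapping `alg` (ending in KW, excluding the three GCMKW variants the advisory exempts) while the `encrypted_key` segment between the first and second dot is empty; the JSON serialization is not covered here.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrBadCompact        = errors.New("jwe: compact serialization must have exactly 5 dot-separated parts")
	ErrBadHeader         = errors.New("jwe: protected header is not base64url-encoded JSON with an alg")
	ErrEmptyEncryptedKey = errors.New("jwe: key-wrapping alg with empty encrypted_key")
)

// usesKeyWrap mirrors the advisory's affected set: every alg ending in "KW"
// except the AES-GCM key-wrap family, which the advisory exempts.
func usesKeyWrap(alg string) bool {
	switch alg {
	case "A128GCMKW", "A192GCMKW", "A256GCMKW":
		return false
	}
	return strings.HasSuffix(alg, "KW")
}

// PrevalidateCompactJWE is the pre-check to run before handing a compact token
// to ParseEncryptedCompact/Decrypt. It only inspects structure: the protected
// header (segment 0) must decode to JSON with an alg, and when that alg is a
// key-wrapping algorithm the encrypted_key segment (segment 1) must be present.
func PrevalidateCompactJWE(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return ErrBadCompact
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return ErrBadHeader
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil || hdr.Alg == "" {
		return ErrBadHeader
	}
	if usesKeyWrap(hdr.Alg) && parts[1] == "" {
		return ErrEmptyEncryptedKey
	}
	return nil
}

// SampleCompactJWE builds a structurally valid compact token with the given alg
// and encrypted_key segment. The IV, ciphertext and tag segments are constructed
// placeholders for this demo, not real AEAD output.
func SampleCompactJWE(alg, encryptedKey string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "enc": "A256GCM"})
	enc := base64.RawURLEncoding.EncodeToString
	return strings.Join([]string{
		enc(hdr),
		encryptedKey,
		enc([]byte("iv-placeholder")),
		enc([]byte("ciphertext-placeholder")),
		enc([]byte("tag-placeholder")),
	}, ".")
}

func main() {
	for _, tok := range []string{
		SampleCompactJWE("A128KW", ""),                          // rejected: KW alg, empty key
		SampleCompactJWE("A128GCMKW", ""),                       // accepted: exempted family
		SampleCompactJWE("A256KW", "c2FtcGxlLXdyYXBwZWQta2V5"), // accepted: key present
	} {
		fmt.Printf("%.40s... -> %v\n", tok, PrevalidateCompactJWE(tok))
	}
}
```

Run the check on the raw token before any library parsing so that a rejected token never reaches the decrypt path; a non-nil error is a reason to return a 4xx to the client, not to retry.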

Thanks

Thanks to Datadog's Security team for finding this issue.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/oauth2 0.26.0 (golang)

pkg:golang/golang.org/x/oauth2@0.26.0

high 7.5: CVE-2025-22868 Improper Validation of Syntactic Correctness of Input

Affected range: <0.27.0
Fixed version: 0.27.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.261%
EPSS Percentile: 49th percentile
Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

critical: 0 high: 1 medium: 0 low: 0 github.com/golang-jwt/jwt/v4 4.5.1 (golang)

pkg:golang/github.com/golang-jwt/jwt@4.5.1#v4

high 8.7: CVE-2025-30204 Asymmetric Resource Consumption (Amplification)

Affected range: <4.5.2
Fixed version: 4.5.2
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.102%
EPSS Percentile: 28th percentile
Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

critical: 0 high: 1 medium: 0 low: 0 c-ares 1.34.3-r0 (apk)

pkg:apk/alpine/c-ares@1.34.3-r0?os_name=alpine&os_version=3.21

high: CVE-2025-31498

Affected range: <1.34.5-r0
Fixed version: 1.34.5-r0
EPSS Score: 0.618%
EPSS Percentile: 70th percentile
Description

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/oauth2 0.7.0 (golang)

pkg:golang/golang.org/x/oauth2@0.7.0

high 7.5: CVE-2025-22868 Improper Validation of Syntactic Correctness of Input

Affected range: <0.27.0
Fixed version: 0.27.0
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.261%
EPSS Percentile: 49th percentile
Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

@github-actions github-actions bot left a comment

CodeRabbit

Commits: files that changed from the base of the PR and between 404d9ed and 0d879ef commits.
Files selected (5)
  • .env.example (1)
  • scripts/cpb-setup-db.sh (1)
  • scripts/cpb/create-role.sh (1)
  • scripts/cpb/setup-db.sh (1)
  • sql/cpb/init-schema.sql (1)
Files not summarized due to errors (5)
  • scripts/cpb/create-role.sh (diff tokens exceeds limit)
  • sql/cpb/init-schema.sql (diff tokens exceeds limit)
  • scripts/cpb-setup-db.sh (nothing obtained from openai)
  • scripts/cpb/setup-db.sh (nothing obtained from openai)
  • .env.example (nothing obtained from openai)
Files not reviewed due to errors (5)
  • .env.example (no response)
  • scripts/cpb/setup-db.sh (no response)
  • sql/cpb/init-schema.sql (no response)
  • scripts/cpb-setup-db.sh (no response)
  • scripts/cpb/create-role.sh (no response)
Review comments generated (0)
  • Review: 0
  • LGTM: 0

Tips

Chat with CodeRabbit Bot (@coderabbitai)

  • Reply on review comments left by this bot to ask follow-up questions. A review comment is a comment on a diff or a file.
  • Invite the bot into a review comment chain by tagging @coderabbitai in a reply.

Code suggestions

  • The bot may make code suggestions, but please review them carefully before committing since the line number ranges may be misaligned.
  • You can edit the comment made by the bot and manually tweak the suggestion if it is slightly off.

Pausing incremental reviews

  • Add @coderabbitai: ignore anywhere in the PR description to pause further reviews from the bot.

SashkoMarchuk and others added 2 commits April 7, 2026 10:21
- Add updated_at + trigger to pairings table (6 mutable columns had
  no modification timestamp, breaking pattern of other mutable tables)
- Remove 3 redundant indexes whose leading columns are already covered
  by UNIQUE constraints (opt_in_responses, pairings, admin_reports)
- Fix misleading "-v" hint in setup-db.sh error message

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Enforce YYYY-MM format via regex to prevent invalid values like
'2026-13' or 'foobar' from being inserted. Flagged independently
by two /ultra XL agents (D2-contrarian, V2-schema).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@github-actions github-actions bot left a comment

CodeRabbit

Commits: files that changed from the base of the PR and between 0d879ef and 0960236 commits.
Files selected (2)
  • scripts/cpb/setup-db.sh (1)
  • sql/cpb/init-schema.sql (1)
Files not summarized due to errors (2)
  • sql/cpb/init-schema.sql (diff tokens exceeds limit)
  • scripts/cpb/setup-db.sh (nothing obtained from openai)
Files not reviewed due to errors (2)
  • sql/cpb/init-schema.sql (no response)
  • scripts/cpb/setup-db.sh (no response)
Review comments generated (0)
  • Review: 0
  • LGTM: 0

@SashkoMarchuk
Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai bot commented Apr 7, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
scripts/cpb/setup-db.sh (1)

78-84: Consider preserving the actual connection error for easier debugging.

Redirecting stderr to /dev/null hides useful diagnostics (e.g., "password authentication failed" vs "database does not exist" vs "connection refused"). Capturing or displaying the actual error would help users troubleshoot faster.

💡 Suggested improvement
 echo "Step 1: Verifying database connection..."
-if ! PGPASSWORD="${CPB_PASS}" psql -v ON_ERROR_STOP=1 \
-    -h "$PGHOST" -p "$PGPORT" -U "$CPB_USER" -d "$CPB_DB" \
-    -c "SELECT 1;" > /dev/null 2>&1; then
+CONN_ERR=$(PGPASSWORD="${CPB_PASS}" psql -v ON_ERROR_STOP=1 \
+    -h "$PGHOST" -p "$PGPORT" -U "$CPB_USER" -d "$CPB_DB" \
+    -c "SELECT 1;" 2>&1 > /dev/null) || {
     echo "ERROR: Cannot connect to ${CPB_DB} as ${CPB_USER}" >&2
+    echo "  psql: ${CONN_ERR}" >&2
     echo "  Have you run create-role.sh first?" >&2
     exit 1
-fi
+}
 echo "  Connection: OK"
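Review bot: the redirection order `2>&1 > /dev/null` on the new `-c "SELECT 1;" 2>&1 > /dev/null) || {` line is load-bearing (stderr is captured into CONN_ERR while stdout is discarded); the more familiar `> /dev/null 2>&1` would capture nothing and print an empty diagnostic, so a one-line comment there would stop a future cleanup from silently breaking it. The added `echo "  psql: ${CONN_ERR}" >&2` should also be guarded with `[ -n "$CONN_ERR" ]` so that a failure with nothing on stderr does not print a bare `psql:` prefix. On the credential side the change is safe as written: CPB_PASS travels only in the PGPASSWORD environment variable and never on the psql command line, so echoing psql's stderr cannot include it; the message will name host, user and database, which is the point of the change but worth remembering where CI log retention is long.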
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/cpb/setup-db.sh` around lines 78 - 84, The connection check currently
hides psql's stderr by redirecting output to /dev/null; change the check so the
actual error message from psql is preserved and printed (for example by removing
the "2>&1 > /dev/null" redirection or by capturing psql's stdout/stderr into a
variable and echoing it on failure) when the PGPASSWORD="${CPB_PASS}" psql -v
ON_ERROR_STOP=1 -h "$PGHOST" -p "$PGPORT" -U "$CPB_USER" -d "$CPB_DB" -c "SELECT
1;" command fails, so users see the real diagnostic (e.g., password auth failed,
database missing, connection refused) instead of a generic error.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 3bffb364-e0f6-4138-a300-952e63da4614

📥 Commits

Reviewing files that changed from the base of the PR and between 0d879ef and 0960236.

📒 Files selected for processing (2)
  • scripts/cpb/setup-db.sh
  • sql/cpb/init-schema.sql

Capture and display the actual psql error on connection failure
instead of suppressing it. Operators now see the real diagnostic
(wrong password, host unreachable, DB missing) instead of generic
"Cannot connect" message.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sonarqubecloud

sonarqubecloud bot commented Apr 7, 2026

@SashkoMarchuk
Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai bot commented Apr 7, 2026

@SashkoMarchuk Sure! I'll kick off a review of PR #123 right away.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

SashkoMarchuk added a commit that referenced this pull request Apr 7, 2026
## Summary
- Replace temporal-based interim DB setup with a two-script architecture
using a dedicated `cpb_app` role
- **`scripts/cpb/create-role.sh`** (NEW): One-time provisioning using
RDS master password — creates `cpb_app` role, `cpb_bot` database,
transfers ownership from `temporal` if needed, grants all privileges
- **`scripts/cpb/setup-db.sh`** (REWRITTEN): Repeatable schema setup
connecting as `cpb_app` — applies `init-schema.sql`, verifies all 6
tables
- **`sql/cpb/init-schema.sql`** (NEW): Complete 6-table schema for CPB
Slack bot (cycles, opt_in_responses, pairings, pair_history,
interactions, admin_reports)
- Deletes old `scripts/cpb-setup-db.sh` that required temporal user with
CREATEDB
- Adds `POSTGRES_PASSWORD_MASTER` to `.env.example` (commented out,
one-time use)

## Operational Workflow
```
1. Set POSTGRES_PASSWORD_MASTER, POSTGRES_PASSWORD_CPB, CPB_POSTGRES_HOST
2. Run: ./scripts/cpb/create-role.sh    (creates role + database)
3. Run: ./scripts/cpb/setup-db.sh       (creates schema tables)
4. Remove POSTGRES_PASSWORD_MASTER from environment
```

## Security
- Master password required via `:?` — immediate fail if unset, no
fallbacks
- `validate_pg_identifier()` on all SQL identifiers (regex + length
check)
- Single-quote escaping + `$$` rejection on passwords
- `set -eo pipefail` + `ON_ERROR_STOP=1` on both scripts
- No passwords in log output

## Test plan
- [ ] Verify `bash -n` syntax check passes on both scripts
- [ ] Run `create-role.sh` against RDS — role and database created
- [ ] Run `create-role.sh` again — idempotent, no errors, password
updated
- [ ] Run `setup-db.sh` — all 6 tables created
- [ ] Run `setup-db.sh` again — idempotent, no errors
- [ ] Verify `cpb_app` owns `cpb_bot` database
- [ ] Verify schema matches `init-schema.sql` (triggers, indexes,
constraints)

Supersedes #123

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **Chores**
* Reorganized PostgreSQL provisioning process into separate one-time
role creation and schema initialization steps for improved setup
reliability.
* Updated environment variable configuration documentation with new
provisioning credentials placeholder.

* **New Features**
* Added comprehensive database schema with tables for cycle management,
user opt-in tracking, pairing records, interaction history, and
administrative reporting capabilities.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@SashkoMarchuk SashkoMarchuk deleted the feature/cpb-dedicated-role branch April 7, 2026 04:32