samrusani
diff --git a/‎.github/workflows/publish-npm.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/publish-npm.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/security-scans.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/security-scans.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎apps/api/alembic/versions/20260416_0066_hosted_control_plane_owner_writes.py‎
Lines changed: 166 additions & 0 deletions b/‎apps/api/alembic/versions/20260416_0066_hosted_control_plane_owner_writes.py‎
Lines changed: 166 additions & 0 deletions
@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 20
           registry-url: https://registry.npmjs.org
@@ -73,7 +73,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 20
           registry-url: https://registry.npmjs.org
 
@@ -24,7 +24,7 @@ jobs:
           fetch-depth: 0
 
       - name: Run gitleaks
-        uses: gitleaks/gitleaks-action@v2
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -46,12 +46,12 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
 
       - name: Analyze
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
@@ -0,0 +1,166 @@
+"""Restrict hosted control-plane writes to workspace owners."""
+
+from __future__ import annotations
+
+from alembic import op
+
+
+revision = "20260416_0066"
+down_revision = "20260416_0065"
+branch_labels = None
+depends_on = None
+
+_UPGRADE_DROP_STATEMENTS = (
+    "DROP POLICY IF EXISTS workspace_model_pack_bindings_workspace_access ON workspace_model_pack_bindings",
+    "DROP POLICY IF EXISTS model_packs_workspace_access ON model_packs",
+    "DROP POLICY IF EXISTS provider_capabilities_workspace_access ON provider_capabilities",
+    "DROP POLICY IF EXISTS model_providers_workspace_access ON model_providers",
+)
+
+_UPGRADE_CREATE_STATEMENTS = (
+    """
+        CREATE POLICY model_providers_select_access ON model_providers
+          FOR SELECT
+          USING (app.hosted_workspace_access_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY model_providers_insert_owner_access ON model_providers
+          FOR INSERT
+          WITH CHECK (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY model_providers_update_owner_access ON model_providers
+          FOR UPDATE
+          USING (app.hosted_workspace_owner_allowed(workspace_id))
+          WITH CHECK (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY model_providers_delete_owner_access ON model_providers
+          FOR DELETE
+          USING (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY provider_capabilities_select_access ON provider_capabilities
+          FOR SELECT
+          USING (app.hosted_workspace_access_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY provider_capabilities_insert_owner_access ON provider_capabilities
+          FOR INSERT
+          WITH CHECK (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY provider_capabilities_update_owner_access ON provider_capabilities
+          FOR UPDATE
+          USING (app.hosted_workspace_owner_allowed(workspace_id))
+          WITH CHECK (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY provider_capabilities_delete_owner_access ON provider_capabilities
+          FOR DELETE
+          USING (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY model_packs_select_access ON model_packs
+          FOR SELECT
+          USING (app.hosted_workspace_access_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY model_packs_insert_owner_access ON model_packs
+          FOR INSERT
+          WITH CHECK (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY model_packs_update_owner_access ON model_packs
+          FOR UPDATE
+          USING (app.hosted_workspace_owner_allowed(workspace_id))
+          WITH CHECK (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY model_packs_delete_owner_access ON model_packs
+          FOR DELETE
+          USING (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY workspace_model_pack_bindings_select_access ON workspace_model_pack_bindings
+          FOR SELECT
+          USING (app.hosted_workspace_access_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY workspace_model_pack_bindings_insert_owner_access ON workspace_model_pack_bindings
+          FOR INSERT
+          WITH CHECK (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY workspace_model_pack_bindings_update_owner_access ON workspace_model_pack_bindings
+          FOR UPDATE
+          USING (app.hosted_workspace_owner_allowed(workspace_id))
+          WITH CHECK (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY workspace_model_pack_bindings_delete_owner_access ON workspace_model_pack_bindings
+          FOR DELETE
+          USING (app.hosted_workspace_owner_allowed(workspace_id));
+        """,
+)
+
+_DOWNGRADE_DROP_STATEMENTS = (
+    "DROP POLICY IF EXISTS workspace_model_pack_bindings_delete_owner_access ON workspace_model_pack_bindings",
+    "DROP POLICY IF EXISTS workspace_model_pack_bindings_update_owner_access ON workspace_model_pack_bindings",
+    "DROP POLICY IF EXISTS workspace_model_pack_bindings_insert_owner_access ON workspace_model_pack_bindings",
+    "DROP POLICY IF EXISTS workspace_model_pack_bindings_select_access ON workspace_model_pack_bindings",
+    "DROP POLICY IF EXISTS model_packs_delete_owner_access ON model_packs",
+    "DROP POLICY IF EXISTS model_packs_update_owner_access ON model_packs",
+    "DROP POLICY IF EXISTS model_packs_insert_owner_access ON model_packs",
+    "DROP POLICY IF EXISTS model_packs_select_access ON model_packs",
+    "DROP POLICY IF EXISTS provider_capabilities_delete_owner_access ON provider_capabilities",
+    "DROP POLICY IF EXISTS provider_capabilities_update_owner_access ON provider_capabilities",
+    "DROP POLICY IF EXISTS provider_capabilities_insert_owner_access ON provider_capabilities",
+    "DROP POLICY IF EXISTS provider_capabilities_select_access ON provider_capabilities",
+    "DROP POLICY IF EXISTS model_providers_delete_owner_access ON model_providers",
+    "DROP POLICY IF EXISTS model_providers_update_owner_access ON model_providers",
+    "DROP POLICY IF EXISTS model_providers_insert_owner_access ON model_providers",
+    "DROP POLICY IF EXISTS model_providers_select_access ON model_providers",
+)
+
+_DOWNGRADE_CREATE_STATEMENTS = (
+    """
+        CREATE POLICY model_providers_workspace_access ON model_providers
+          FOR ALL
+          USING (app.hosted_workspace_access_allowed(workspace_id))
+          WITH CHECK (app.hosted_workspace_access_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY provider_capabilities_workspace_access ON provider_capabilities
+          FOR ALL
+          USING (app.hosted_workspace_access_allowed(workspace_id))
+          WITH CHECK (app.hosted_workspace_access_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY model_packs_workspace_access ON model_packs
+          FOR ALL
+          USING (app.hosted_workspace_access_allowed(workspace_id))
+          WITH CHECK (app.hosted_workspace_access_allowed(workspace_id));
+        """,
+    """
+        CREATE POLICY workspace_model_pack_bindings_workspace_access ON workspace_model_pack_bindings
+          FOR ALL
+          USING (app.hosted_workspace_access_allowed(workspace_id))
+          WITH CHECK (app.hosted_workspace_access_allowed(workspace_id));
+        """,
+)
+
+
+def _execute_statements(statements: tuple[str, ...]) -> None:
+    for statement in statements:
+        op.execute(statement)
+
+
+def upgrade() -> None:
+    _execute_statements(_UPGRADE_DROP_STATEMENTS)
+    _execute_statements(_UPGRADE_CREATE_STATEMENTS)
+
+
+def downgrade() -> None:
+    _execute_statements(_DOWNGRADE_DROP_STATEMENTS)
+    _execute_statements(_DOWNGRADE_CREATE_STATEMENTS)