Dshamir/AI-Legal@76fedfc6

fix(infra): RLS deny-all on PostgREST, SSE stream timeout, zip doc cap

↗ view on GitHub · Dshamir · 2026-05-23 · 76fedfc6

- Add RLS to all public tables with deny-all default policy and
  auto-enable event trigger for future tables. PostgREST anon role
  can no longer read any data. Prisma service-role bypasses RLS (PR #145)
- Wrap runLLMStream() in Promise.race with 180s configurable timeout;
  sends SSE error event on timeout and closes connection (PR #112)
- Cap download-zip document_ids array at 50 to prevent memory
  exhaustion from unbounded batch downloads (PR #111)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Repository	Dshamir/AI-Legal
Author	Dshamir <dshamir@blucap.ca>
Authored	2026-05-23T20:01:53-04:00
Parents	`52f47ba4`
Stats	6 files changed , +671 , -703
Part of	Upstream-PR security and infra hardening

Repository

Dshamir/AI-Legal

Author

Dshamir <dshamir@blucap.ca>

Authored

2026-05-23T20:01:53-04:00

Parents

52f47ba4

Stats

6 files changed , +671 , -703

Part of

Upstream-PR security and infra hardening

Capture this commit into my fork

Download a Markdown prompt that tells Claude how to port this exact commit into your working tree. Run it via claude -p < capture-commit-76fedfc6.md from inside the repo you want the change in.

⬇ Download capture-commit-76fedfc6.md