RLS sweep across all content tables - closed without merging
ryanmcdonough opened a PR to extend row-level security beyond user profiles to every other content table in the schema. The intent was a database-layer authorization sweep rather than a targeted fix. The PR was closed on 2026-05-08 without merging, and no explanation was left.
The stated goal was to close the gap where non-profile tables sat without RLS protection. RLS enforcement at the database layer means any future code path that reads or writes a row - including paths not yet written - is subject to the same policy, rather than depending on application-layer access checks that can be missed (as ryanmcdonough's separate checkProjectAccess fix on chat creation demonstrates).
The PR was closed without merging. No comment explains the close, and no follow-up PR is referenced. The change may have been superseded, found to be incomplete, or deferred. Without the diff or a closing comment it's not possible to assess what the policies covered or whether any correctness issues were found.
Upstream willchen96/mike does not have full-table RLS based on published information.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?