Skip to content

[codex] Publish social backfill hardening#152

Closed
therealityreport wants to merge 2 commits into
mainfrom
codex/publish/trr-backend/20260705-174033-clean
Closed

[codex] Publish social backfill hardening#152
therealityreport wants to merge 2 commits into
mainfrom
codex/publish/trr-backend/20260705-174033-clean

Conversation

@therealityreport

Copy link
Copy Markdown
Owner

Summary

  • Publish Social Backfill hardening for Instagram comments, shared catalog ingestion, SocialBlade repair, proxy-budget handling, and related migrations/tests.
  • Reject unsupported platform-scoped hashtag writes instead of silently widening them to global writes.
  • Align SocialBlade repair defaults with the live non-sticky Decodo runtime defaults.
  • Preserve existing job metadata when touching dispatch metadata and fail closed on non-local Modal maintenance ownership.
  • Remove large generated .plan-work tool-finder dumps from this replacement PR scope.

Validation

  • git diff --check origin/main...HEAD
  • git diff --name-only --diff-filter=ACMR origin/main...HEAD -- '*.py' | xargs -r uvx ruff@0.14.4 check
  • git diff --name-only --diff-filter=ACMR origin/main...HEAD -- '*.py' | xargs -r uvx ruff@0.14.4 format --check
  • .venv/bin/python -m pytest tests/api -q (1086 passed)
  • .venv/bin/python -m pytest tests/test_modal_jobs.py tests/test_startup_config.py tests/repositories/test_social_dispatch_metadata.py -q
  • Focused social backfill test set covering route shape, hashtag writes, SocialBlade repair/business API, admin comments, classifier, Scrapling async client, deploy health, media guard, proxy budget, catalog ingest, direct catalog, and SocialBlade auth/business repair.

Runtime follow-through

  • Modal trr-backend-jobs deploy/readiness follow-through was completed before PR prep.
  • Health canary returned 200 and readiness checks passed.

Notes

Copilot AI review requested due to automatic review settings July 5, 2026 23:04
@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@therealityreport, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 59 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: e1f7d644-e4a0-4107-8acd-262ef9331b0d

📥 Commits

Reviewing files that changed from the base of the PR and between bc9aeae and 2836f35.

📒 Files selected for processing (122)
  • .env.example
  • CONTEXT.md
  • api/main.py
  • api/routers/admin_socialblade.py
  • api/routers/socials/__init__.py
  • docs/observability/modal-v439-v440-serve-backend-api-crash-loop-2026-05-28.md
  • docs/workspace/instagram-comments-scrapling.md
  • docs/workspace/instagram-posts-scrapling.md
  • docs/workspace/scrapling-social-jobs.md
  • requirements.in
  • requirements.lock.txt
  • requirements.modal.browser.lock.txt
  • requirements.modal.lean.lock.txt
  • requirements.modal.vision.lock.txt
  • scripts/db/index_advisor_social_hot_paths.py
  • scripts/db/verify_socialblade_snapshot_fk_indexes.sql
  • scripts/modal/prepare_named_secrets.py
  • scripts/socials/instagram/backfill_progress.py
  • scripts/socials/instagram/bravo_straggler_recovery.py
  • scripts/socials/instagram/classify_approval_blocked_comments.py
  • scripts/socials/instagram/enqueue_comments_audit_cursor_retries.py
  • scripts/socials/reddit/repair_media_urls.py
  • scripts/socials/repair_socialblade_auth.py
  • supabase/migrations/20260625172000_tiktok_post_comment_rollups.sql
  • supabase/migrations/20260629140000_instagram_comments_public_proxy_budget_ledger.sql
  • supabase/migrations/20260629143025_supabase_security_advisor_rpc_and_vector_hardening.sql
  • supabase/migrations/20260629144346_socialblade_snapshot_fk_indexes.sql
  • supabase/migrations/20260629190000_canonical_social_hashtag_assignments.sql
  • supabase/migrations/20260702174000_hashtag_assignments_season_fk_index.sql
  • supabase/migrations/20260702181000_youtube_post_comment_rollups.sql
  • supabase/migrations/20260702184229_social_rollup_function_and_rate_pace_security.sql
  • supabase/migrations/20260702185000_drop_social_unused_index_wave1.sql
  • tests/api/routers/test_socials_season_analytics.py
  • tests/api/test_admin_social_comments.py
  • tests/api/test_admin_socialblade.py
  • tests/db/test_advisor_remediation_sql.py
  • tests/db/test_index_advisor_social_hot_paths.py
  • tests/fixtures/admin_socials_route_shape.json
  • tests/fixtures/instagram/scrapling/comments_polaris_container_first_page.json
  • tests/fixtures/instagram/scrapling/ig_direct_badge_count_off_msys.json
  • tests/fixtures/instagram/scrapling/post_fetch_xdt_media_dict.json
  • tests/fixtures/instagram/scrapling/post_fetch_xdt_media_dict_null_fb.json
  • tests/repositories/test_reddit_refresh.py
  • tests/repositories/test_social_account_catalog_backfill_integration.py
  • tests/repositories/test_social_control_plane_dispatch_runtime.py
  • tests/repositories/test_social_dispatch_metadata.py
  • tests/repositories/test_social_run_lifecycle_repository.py
  • tests/repositories/test_social_season_analytics.py
  • tests/repositories/test_youtube_catalog_backfill_diagnostics.py
  • tests/scripts/test_bravo_straggler_recovery.py
  • tests/scripts/test_classify_approval_blocked_comments.py
  • tests/scripts/test_enqueue_comments_audit_cursor_retries.py
  • tests/scripts/test_prepare_named_secrets.py
  • tests/socials/facebook/test_facebook_posts_catalog.py
  • tests/socials/instagram/comments_scrapling/test_async_http_client.py
  • tests/socials/instagram/comments_scrapling/test_comments_lane_deploy_health.py
  • tests/socials/instagram/comments_scrapling/test_fetcher_status_only.py
  • tests/socials/instagram/comments_scrapling/test_job_runner_cancellation.py
  • tests/socials/instagram/comments_scrapling/test_job_runner_reply_only.py
  • tests/socials/instagram/comments_scrapling/test_media_direct_guard.py
  • tests/socials/instagram/comments_scrapling/test_proxy.py
  • tests/socials/instagram/comments_scrapling/test_proxy_budget.py
  • tests/socials/instagram/comments_scrapling/test_public_blocked_pause.py
  • tests/socials/instagram/comments_scrapling/test_public_decodo_isolation.py
  • tests/socials/instagram/comments_scrapling/test_public_relay_env_knobs.py
  • tests/socials/instagram/test_catalog_ingest_worker_b.py
  • tests/socials/instagram/test_instagram_direct_catalog.py
  • tests/socials/test_instagram_comments_progress_payload.py
  • tests/socials/test_instagram_comments_scrapling_retry.py
  • tests/socials/test_instagram_permalink_metadata.py
  • tests/socials/test_instagram_scraper_public_graphql.py
  • tests/socials/test_profile_dashboard.py
  • tests/socials/test_repair_socialblade_auth.py
  • tests/socials/test_scrapling_transport.py
  • tests/socials/test_socialblade_auth.py
  • tests/socials/test_socialblade_business_api.py
  • tests/socials/test_socialblade_fetcher.py
  • tests/socials/threads/posts_scrapling/test_persistence.py
  • tests/socials/threads/test_threads_posts_catalog.py
  • tests/socials/tiktok/posts_scrapling/test_job_runner.py
  • tests/socials/tiktok/posts_scrapling/test_persistence.py
  • tests/socials/twitter/test_twitter_posts_catalog.py
  • tests/socials/youtube/test_scraper.py
  • tests/test_modal_jobs.py
  • tests/test_startup_config.py
  • trr_backend/modal_jobs.py
  • trr_backend/repositories/reddit_refresh.py
  • trr_backend/socials/api/handlers/profile_reads.py
  • trr_backend/socials/control_plane/dispatch_runtime.py
  • trr_backend/socials/control_plane/run_lifecycle.py
  • trr_backend/socials/facebook/posts_catalog/catalog.py
  • trr_backend/socials/instagram/catalog_ingest.py
  • trr_backend/socials/instagram/comments_scrapling/async_http_client.py
  • trr_backend/socials/instagram/comments_scrapling/fetcher.py
  • trr_backend/socials/instagram/comments_scrapling/job_runner.py
  • trr_backend/socials/instagram/comments_scrapling/proxy.py
  • trr_backend/socials/instagram/comments_scrapling/proxy_budget.py
  • trr_backend/socials/instagram/comments_scrapling/public_mode.py
  • trr_backend/socials/instagram/permalink_metadata.py
  • trr_backend/socials/instagram/posts_scrapling/fetcher.py
  • trr_backend/socials/instagram/scraper.py
  • trr_backend/socials/media_url_safety.py
  • trr_backend/socials/ops/instagram_direct_catalog.py
  • trr_backend/socials/pipelines/account_catalog/launch.py
  • trr_backend/socials/pipelines/account_catalog/progress.py
  • trr_backend/socials/pipelines/comments/__init__.py
  • trr_backend/socials/pipelines/comments/instagram.py
  • trr_backend/socials/read_models/account_profile/common.py
  • trr_backend/socials/scrapling_transport.py
  • trr_backend/socials/social_season_analytics_impl.py
  • trr_backend/socials/socialblade/auth.py
  • trr_backend/socials/socialblade/business_api.py
  • trr_backend/socials/socialblade/fetcher.py
  • trr_backend/socials/threads/posts_catalog/catalog.py
  • trr_backend/socials/threads/posts_scrapling/fetcher.py
  • trr_backend/socials/threads/posts_scrapling/persistence.py
  • trr_backend/socials/tiktok/posts_scrapling/fetcher.py
  • trr_backend/socials/tiktok/posts_scrapling/job_runner.py
  • trr_backend/socials/tiktok/posts_scrapling/persistence.py
  • trr_backend/socials/twitter/posts_catalog/catalog.py
  • trr_backend/socials/youtube/posts_catalog/catalog.py
  • trr_backend/socials/youtube/scraper.py
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/publish/trr-backend/20260705-174033-clean

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@therealityreport

Copy link
Copy Markdown
Owner Author

Superseded by cleaned replacement PR #153 after final Ruff format correction.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens multiple “Publish social backfill” paths across social scraping/catalog pipelines, adds additional operational guardrails (proxy budgeting, savepoint-based persistence, preflight checks), and introduces/updates Supabase migrations and test coverage to lock in the new behavior.

Changes:

  • Extend shared catalog scraping + diagnostics across platforms (YouTube surfaces incl. posts, Twitter bounded-window paging semantics, Threads/Facebook empty soft-block classification).
  • Add resilience/operational controls (per-row DB savepoints for TikTok/Threads persistence, Scrapling fetcher option/metadata plumbing, Instagram public-lane proxy opt-in + run-scoped proxy budget ledger).
  • Add migrations + admin/API/test coverage for SocialBlade, hashtag assignments, comment rollups/security, and various run lifecycle behaviors.

Reviewed changes

Copilot reviewed 119 out of 122 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
trr_backend/socials/youtube/posts_catalog/catalog.py Adds surface selection + metadata improvements for YouTube shared catalog scraping.
trr_backend/socials/twitter/posts_catalog/catalog.py Adjusts max page resolution semantics for bounded-window vs full-history runs.
trr_backend/socials/tiktok/posts_scrapling/persistence.py Adds per-post savepoints + shared catalog upsert accounting.
trr_backend/socials/tiktok/posts_scrapling/job_runner.py Threads ingest mode through job runner + emits catalog upsert counters.
trr_backend/socials/tiktok/posts_scrapling/fetcher.py Adds optional Scrapling fetcher options + redaction-safe metadata plumbing.
trr_backend/socials/threads/posts_scrapling/persistence.py Adds per-post savepoints and shared catalog upsert tracking.
trr_backend/socials/threads/posts_scrapling/fetcher.py Adds optional Scrapling fetcher options + redaction-safe metadata plumbing.
trr_backend/socials/threads/posts_catalog/catalog.py Classifies empty “soft block” results as retryable with structured metadata.
trr_backend/socials/socialblade/fetcher.py Aligns proxy wiring + adds Scrapling fetcher options/metadata.
trr_backend/socials/pipelines/comments/init.py Exposes an additional Instagram comments pipeline helper via all.
trr_backend/socials/media_url_safety.py Expands safe host allowlist and minor formatting cleanup.
trr_backend/socials/instagram/posts_scrapling/fetcher.py Adds Scrapling fetcher options + metadata into runtime instrumentation.
trr_backend/socials/instagram/permalink_metadata.py Improves parsing by skipping excluded payloads and supporting XDTMediaDict inline payloads.
trr_backend/socials/instagram/comments_scrapling/public_mode.py Introduces explicit public-proxy opt-in and splits public isolation invariants.
trr_backend/socials/instagram/comments_scrapling/proxy.py Enables budgeted public proxy path + per-egress fingerprinting for pacing.
trr_backend/socials/instagram/comments_scrapling/proxy_budget.py Adds run-scoped proxy budget config/math + ledger writer.
trr_backend/socials/facebook/posts_catalog/catalog.py Adds empty “soft block” classification for shared Facebook catalog scraping.
trr_backend/socials/control_plane/run_lifecycle.py Hardens deferred comments followup retry flow using CAS-style updates and fail-closed restore behavior.
trr_backend/socials/api/handlers/profile_reads.py Extends profile hashtag reads with assignment_status filtering.
trr_backend/repositories/reddit_refresh.py Adds robust extraction/sanitization for Reddit media URLs.
tests/test_startup_config.py Adds tests to ensure Modal maintenance ownership validation fails closed appropriately.
tests/socials/youtube/test_scraper.py Adds YouTube posts surface coverage + schema.org community post metadata tests.
tests/socials/twitter/test_twitter_posts_catalog.py Locks in explicit 0 max_posts behavior as “unlimited” in bounded-window mode.
tests/socials/tiktok/posts_scrapling/test_persistence.py Adds savepoint behavior tests + shared catalog mode persistence tests.
tests/socials/tiktok/posts_scrapling/test_job_runner.py Verifies ingest mode propagation + catalog counters in job metadata.
tests/socials/threads/test_threads_posts_catalog.py Adds test for retryable empty soft-block classification.
tests/socials/threads/posts_scrapling/test_persistence.py Adds savepoint behavior tests for Threads persistence.
tests/socials/test_socialblade_fetcher.py Updates SocialBlade fetcher proxy expectations (proxy vs proxy_rotator).
tests/socials/test_socialblade_business_api.py Adds SocialBlade business API unit tests for mapping + auth headers.
tests/socials/test_socialblade_auth.py Adds cookie health report redaction and loader behavior tests.
tests/socials/test_scrapling_transport.py Adds tests for fetcher option parsing + proxy metadata redaction + JSON-safe metadata.
tests/socials/test_repair_socialblade_auth.py Adds CLI control-flow tests for blocked validation and proxy-default behavior.
tests/socials/test_profile_dashboard.py Hardens catalog progress/launch state interpretation and skip reason precedence.
tests/socials/test_instagram_permalink_metadata.py Adds fixtures/tests for XDTMediaDict parsing and excluded payload behavior.
tests/socials/instagram/test_instagram_direct_catalog.py Adds direct Instagram catalog soft-block and DB error handling tests.
tests/socials/instagram/comments_scrapling/test_public_relay_env_knobs.py Adds env knob tests for retry limits + rate-scope hashing behavior.
tests/socials/instagram/comments_scrapling/test_public_decodo_isolation.py Verifies public proxy opt-in and invariant enforcement around cookies/auth.
tests/socials/instagram/comments_scrapling/test_public_blocked_pause.py Updates pause threshold test to match raised thresholds.
tests/socials/instagram/comments_scrapling/test_proxy.py Tests new public proxy flag behavior and per-egress fingerprinting.
tests/socials/instagram/comments_scrapling/test_proxy_budget.py Adds DB-free tests for proxy budget math/config resolution.
tests/socials/instagram/comments_scrapling/test_media_direct_guard.py Tests fetcher budget kill-switch + CDN leak tripwire semantics.
tests/socials/instagram/comments_scrapling/test_job_runner_reply_only.py Pins cursor strategy in reply-only job runner test to hit intended fast path.
tests/socials/instagram/comments_scrapling/test_job_runner_cancellation.py Updates cancellation test dependencies for new setup behavior.
tests/socials/instagram/comments_scrapling/test_comments_lane_deploy_health.py Adds import-time deploy drift guard for comments lane modules/entrypoints.
tests/socials/instagram/comments_scrapling/test_async_http_client.py Adds async client factory tests (httpx default + curl_cffi opt-in/fallback).
tests/socials/facebook/test_facebook_posts_catalog.py Adds test for retryable Facebook empty soft-block classification.
tests/scripts/test_prepare_named_secrets.py Updates expected Modal secret defaults for new social knobs (SocialBlade, concurrency, mirror caps).
tests/scripts/test_enqueue_comments_audit_cursor_retries.py Ensures CLI payload includes date bounds + load strategy defaults.
tests/scripts/test_classify_approval_blocked_comments.py Adds script tests for selecting/classifying approval-blocked comment gaps.
tests/scripts/test_bravo_straggler_recovery.py Updates delegated argv to include strategy/date filters and public relay defaults.
tests/repositories/test_youtube_catalog_backfill_diagnostics.py Verifies profile_snapshot merge precedence in YouTube shared catalog metadata.
tests/repositories/test_social_run_lifecycle_repository.py Adds tests ensuring advisory lock release before launch + restore-to-failed behavior on skipped retry.
tests/repositories/test_social_dispatch_metadata.py Tests dispatch metadata touch updates only dispatch key and preserves other metadata.
tests/repositories/test_social_account_catalog_backfill_integration.py Updates integration expectations around comments streaming enablement during catalog bootstrap.
tests/repositories/test_reddit_refresh.py Adds tests for Reddit media URL sanitization + extraction.
tests/fixtures/instagram/scrapling/post_fetch_xdt_media_dict.json Adds fixture for inline fetch__XDTMediaDict post detail payload.
tests/fixtures/instagram/scrapling/post_fetch_xdt_media_dict_null_fb.json Adds fixture for inline payload with null FB count fields.
tests/fixtures/instagram/scrapling/ig_direct_badge_count_off_msys.json Adds fixture for excluded IG direct badge query payload.
tests/fixtures/admin_socials_route_shape.json Updates route-shape fixture for new admin endpoints.
tests/db/test_index_advisor_social_hot_paths.py Adds test for nested advisor recommendation error surfacing.
tests/db/test_advisor_remediation_sql.py Adds assertions for new security/RLS migration behavior.
tests/api/test_admin_socialblade.py Adds SocialBlade cookie preflight checks before dispatch and error handling tests.
tests/api/test_admin_social_comments.py Adds API test ensuring dry-run preview does not enqueue runs.
supabase/migrations/20260702185000_drop_social_unused_index_wave1.sql Drops reviewed unused social indexes for fresh DB replays.
supabase/migrations/20260702184229_social_rollup_function_and_rate_pace_security.sql Locks down rollup functions + rate pace table with RLS/grants/policies.
supabase/migrations/20260702181000_youtube_post_comment_rollups.sql Introduces YouTube comment rollup table/functions/triggers and backfill.
supabase/migrations/20260702174000_hashtag_assignments_season_fk_index.sql Adds missing FK index on social.hashtag_assignments(season_id).
supabase/migrations/20260629190000_canonical_social_hashtag_assignments.sql Introduces canonical hashtag assignments + conflict capture with RLS/grants.
supabase/migrations/20260629144346_socialblade_snapshot_fk_indexes.sql Adds FK indexes for SocialBlade snapshot tables.
supabase/migrations/20260629143025_supabase_security_advisor_rpc_and_vector_hardening.sql Applies security advisor remediations (search_path, grants, extension schema).
supabase/migrations/20260629140000_instagram_comments_public_proxy_budget_ledger.sql Codifies proxy budget ledger table with RLS/grants/indexes.
supabase/migrations/20260625172000_tiktok_post_comment_rollups.sql Introduces TikTok comment rollup table/functions/triggers and backfill.
scripts/socials/reddit/repair_media_urls.py Adds a CLI tool to repair/normalize Reddit mirror source URLs and statuses.
scripts/socials/instagram/enqueue_comments_audit_cursor_retries.py Updates CLI defaults/args to include date bounds and public relay strategy.
scripts/socials/instagram/bravo_straggler_recovery.py Updates recovery CLI defaults/args to public relay + optional date bounds.
scripts/modal/prepare_named_secrets.py Adds/updates Modal named secret defaults for SocialBlade + concurrency caps.
scripts/db/verify_socialblade_snapshot_fk_indexes.sql Adds verification SQL for SocialBlade snapshot FK/index alignment.
scripts/db/index_advisor_social_hot_paths.py Surfaces nested advisor errors and marks warnings in generated reports.
requirements.modal.vision.lock.txt Updates lockfile versions for Modal vision image.
requirements.modal.lean.lock.txt Updates lockfile versions for Modal lean image.
requirements.modal.browser.lock.txt Updates lockfile versions for Modal browser image.
requirements.lock.txt Updates main lockfile versions and pins numpy/sympy/opencv to stable versions.
requirements.in Pins numpy/sympy/opencv for consistent dependency resolution.
docs/workspace/scrapling-social-jobs.md Adds shared Scrapling lane guidance and metadata redaction expectations.
docs/workspace/instagram-posts-scrapling.md Links to shared Scrapling job guidance.
docs/workspace/instagram-comments-scrapling.md Links to shared Scrapling job guidance.
docs/observability/modal-v439-v440-serve-backend-api-crash-loop-2026-05-28.md Updates Modal deploy history stamp.
CONTEXT.md Adds domain-language definitions for social ingestion and completeness semantics.
api/routers/admin_socialblade.py Adds SocialBlade cookie health endpoint + dispatch preflight checks.
api/main.py Makes Modal maintenance owner requirement fail-closed outside local/dev.
.env.example Documents new SocialBlade business API env vars.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +5 to +7
For shared Scrapling process rules, optional browser tuning envs, and
redaction-safe metadata expectations across social lanes, see
[Scrapling Social Jobs](/Users/thomashulihan/Projects/TRR/TRR-Backend/docs/workspace/scrapling-social-jobs.md).
Comment on lines +11 to +13
For shared Scrapling process rules and redaction-safe metadata expectations
across social lanes, see
[Scrapling Social Jobs](/Users/thomashulihan/Projects/TRR/TRR-Backend/docs/workspace/scrapling-social-jobs.md).
Comment on lines +28 to +30
security definer
set search_path = social, public
as $$
Comment on lines +62 to +64
security definer
set search_path = social, public
as $$
Comment on lines +107 to +108
grant execute on function social.refresh_youtube_post_comment_rollup(uuid) to service_role;
grant execute on function social.refresh_youtube_post_comment_rollup_tg() to service_role;
Comment on lines +28 to +30
security definer
set search_path = social, public
as $$
Comment on lines +62 to +64
security definer
set search_path = social, public
as $$
Comment on lines +107 to +108
grant execute on function social.refresh_tiktok_post_comment_rollup(uuid) to service_role;
grant execute on function social.refresh_tiktok_post_comment_rollup_tg() to service_role;
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Codex Exhaustive Code Review

Findings

  1. High - migration can fail on fresh replay.
    20260629143025_supabase_security_advisor_rpc_and_vector_hardening.sql alters admin.set_updated_at() and firebase_surveys.set_updated_at(), but checked-in migrations only define core.set_updated_at(). ALTER FUNCTION aborts if the function is absent, so a fresh database replay can stop at this migration. Smallest fix: guard each alter with to_regprocedure(...) is not null, or alter the actual existing functions.

  2. High - moving vector breaks existing unqualified casts.
    20260629143025_supabase_security_advisor_rpc_and_vector_hardening.sql relocates the vector extension to extensions, but app SQL still uses unqualified ::vector casts in face_references.py and face_references.py. Write connections also pin search_path to public, core, firebase_surveys in pg.py, excluding extensions. This can break face-reference embedding writes/searches after migration. Smallest fix: qualify casts as extensions.vector or include extensions in read/write DB search paths before moving the extension.

  3. High - profile-scoped hashtag PUT deletes global assignments.
    The route is still profile-scoped at api/routers/socials/init.py, but put_social_account_profile_hashtags now deletes from canonical global social.hashtag_assignments by hashtag only at social_season_analytics_impl.py. Editing one profile’s #finale assignments can delete unrelated shows/accounts’ canonical mappings. Smallest fix: make the endpoint explicitly global/full-replacement, or scope deletion to the exact assignment rows being edited and add a regression test with one hashtag mapped to two shows.

  4. Medium - proxy budget kill-switch is not enforced during a proxied post.
    The public relay decides use_proxy once at fetcher.py and builds one proxied client at fetcher.py. Parent and child pagination then continue through that client at fetcher.py and fetcher.py. Since budget is checked only in _public_proxy_use_allowed, a large post can exceed budget and keep spending until the next post; a CDN leak trip can flip the flag but does not rebuild/abort the already-created client. Smallest fix: check budget before every proxied request and stop or rebuild direct when exhausted.

  5. Medium - proxy byte accounting and ledger are not reliable.
    _record_response_bytes increments _bytes_total for every response at fetcher.py, while _public_proxy_use_allowed treats that total as proxy spend at fetcher.py. The CDN leak tripwire also checks only whether a proxy URL exists, not whether the request used it, at fetcher.py. Separately, record_ledger_row is defined in proxy_budget.py but has no production call site. Smallest fix: track proxied bytes separately from total bytes, update only for requests that actually used proxy, record child responses too, and wire the ledger at run completion.

Validation

AST parse passed for 96 changed Python files. I could not run pytest because pytest is not installed in this environment (No module named pytest).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants