Update Protos#1988

Open
github-actions[bot] wants to merge 1 commit into main from nightly-proto

@github-actions github-actions Bot commented Apr 21, 2026

  • Nightly Proto Update

Auto-generated by create-pull-request

Note

Add generated protobuf and Swagger files for component permissions

Adds two generated files for the mls/message_contents/component_permissions.proto schema: a Go protobuf file (component_permissions.pb.go) defining the ComponentType enum and ComponentPermissions/ComponentMetadata messages, and a Swagger 2.0 spec (component_permissions.swagger.json) with shared definitions but no paths.

Macroscope summarized 5e57346.

@github-actions github-actions Bot requested a review from a team as a code owner April 21, 2026 10:32
@octane-security-app
Summary by Octane

New Contracts

  • component_permissions.pb.go: The smart contract defines component-level metadata and permissions for app data, including policies for insertion, updating, and deletion.

Updated Contracts

No contracts were updated.


🔗 Commit Hash: 5e57346

macroscopeapp Bot commented Apr 21, 2026

Approvability

Verdict: Needs human review

Automated proto update adding new generated protobuf definitions for component permissions. Changes are purely additive with no runtime impact, but the bot author does not own these files (owned by @xmtp/backend), so a designated owner should approve.

@fbac fbac closed this Apr 21, 2026
@fbac fbac reopened this Apr 21, 2026
@octane-security-app
Overview

Vulnerabilities found: 3
Severity breakdown: 2 Medium, 1 Low
Warnings found: 1

Detailed findings

pkg/api/message/service.go

  • Global LIMIT after originator-ordered pagination in multi-originator queries causes starvation and delayed live mode.

pkg/api/metadata/cursor_updater.go

  • Non-resilient read-replica-backed cursor updater in metadata service causes false DependsOn rejections and publish liveness loss.

pkg/api/payer/client_manager.go

  • Stale gRPC connection cache in Gateway/Payer client manager causes publish liveness degradation and potential message blackholing.

Warnings

pkg/proto/mls/message_contents/component_permissions.pb.go

  • Ambiguous DeletePolicy semantics in MLS ComponentPermissions proto causes unauthorized whole-component deletion.

🔗 Commit Hash: 5e57346