Capgo - Denial of Service via Unlimited Demo App Creation

An authenticated user with org write permissions can repeatedly send POST requests to `https://api.capgo.app/app/demo` with a valid `owner_org` and API key. Each request triggers approximately 138 database write operations across tables such as `apps`, `app_versions`, `manifest`, `channels`, `deploy_history`, `devices`, `daily_mau`, `daily_bandwidth`, `daily_storage`, `daily_version`, and `build_requests` [ref_id=1]. Because no rate limiting or quota enforcement exists, an attacker can exhaust database resources, degrade performance for legitimate users, and increase storage/compute costs [CWE-770] [ref_id=1].

The vulnerability resides in `supabase/functions/_backend/public/app/demo.ts` — specifically the `createDemoApp()` handler for the `POST /app/demo` endpoint. The handler only checks that the user has an `owner_org` and `write` permission via `hasOrgRight(..., 'write')`, but applies no rate limiting, quota enforcement, or plan checks before performing ~138 database write operations per request using the `supabaseAdmin` service-role client.

The advisory recommends enforcing plan quotas before demo app creation, adding strict per-user and per-org rate limiting (e.g., 1 per hour/day), moving heavy demo-data generation to an async job with bounded work, and optionally restricting demo creation to UI-only flows [ref_id=1]. No patch diff is provided in the bundle, so the exact code changes are not visible; the remediation guidance focuses on preventing unlimited write amplification by introducing rate limits and quota checks.