Cap-go - Privilege Inversion in Build Log Stream via SSE Disconnect

An attacker holding a read-only API key (e.g., `org_member`, `app_reader`, or `app_uploader` roles) can cancel any running native build for the target app by opening the SSE log stream at `GET /build/logs/:jobId` and then dropping the TCP connection [ref_id=1]. The server unconditionally fires `POST /jobs/:jobId/cancel` via `cancelBuildOnDisconnect()` using its privileged `BUILDER_API_KEY`, bypassing the `app.build_native` permission check enforced on the explicit cancel endpoint [ref_id=1]. This allows repeated disruption of native build operations and CI/CD workflows with no audit trail linking the action to the read-only principal [ref_id=1].

The vulnerability resides in `supabase/functions/_backend/public/build/logs.ts` lines 164–166, where an abort listener is registered unconditionally on the SSE stream. When a client disconnects, `cancelBuildOnDisconnect()` is invoked using the privileged server-side `BUILDER_API_KEY` without re-checking permissions. The route `GET /build/logs/:jobId` in `supabase/functions/_backend/public/build/index.ts` line 50 only requires `app.read_logs` (read-only), while the explicit cancel endpoint `POST /build/cancel/:jobId` at line 61 correctly requires `app.build_native` (write).

The advisory recommends either removing the disconnect-triggered cancellation entirely from `/build/logs/:jobId` or gating the abort handler with a permission check before registering it [ref_id=1]. Specifically, the abort listener in `logs.ts` line 162 should be guarded by `checkPermission(c, 'app.build_native', { appId: buildRequest.app_id })` so that only principals with write-level permission can trigger cancellation on disconnect [ref_id=1]. This ensures all cancel paths—including indirect server-side triggers—enforce the same authorization boundary as the explicit cancel endpoint.