VYPR
Unrated severity · NVD Advisory · Published Jun 22, 2026

Capgo - Subkey Enforcement Bypass via x-limited-key-id Header Parsing

CVE-2026-56306

Description

Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header to disable limited key scoping and execute requests using the main API key context instead of restricted subkey permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Weak parsing of the `x-limited-key-id` header via `Number()` combined with a truthy check allows malformed, zero, or duplicate header values to silently bypass subkey enforcement."

Attack vector

A remote attacker sends an HTTP request to an endpoint protected by `middlewareKey()` that honours the `x-limited-key-id` header. A malformed value (e.g., `73603x`), the value `0`, or a comma-delimited value makes `Number()` produce `NaN` or `0`; duplicate headers end up in the same state because the Fetch `Headers` API (and Hono's `c.req.header()` on top of it) returns repeated headers joined with `, `, which `Number()` also turns into `NaN`. Both `NaN` and `0` are falsy, so the truthy check concludes that no subkey was supplied, the backend skips subkey enforcement, and the request runs in the main API key's context instead of under the restricted subkey permissions [ref_id=1].

Affected code

The vulnerability resides in `supabase/functions/_backend/utils/hono_middleware.ts`. The `getSubkeyId()` function (lines 282–285) parses the `x-limited-key-id` header via `Number(headerValue)` without strict validation, and `middlewareKey()` (lines 529–530, 572–585) uses a truthy check (`if (subkey_id)`) that treats `NaN` and `0` as falsy, causing the subkey branch to be silently skipped. Affected endpoints include `GET /app` and `GET /organization` (and any other route using `middlewareKey()`).

What the fix does

The patch (sketched as `getSubkeyIdStrict`) replaces the loose `Number()` parsing with a strict validation function. It rejects non-integer strings, comma-delimited lists, the value `0`, negative values, and values that are not safe integers. After validation, the truthy check is replaced with an explicit `null` comparison, so only a missing header (not `NaN` or `0`) skips the subkey flow. Invalid values now return a 400 error instead of silently falling back to the main key [ref_id=1].
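The following is an added example, not Capgo's code, that puts the loose parse described under "Attack vector" beside a strict one in the spirit of the fix and runs both over the header values the advisory lists. It assumes a header lookup with the shape of Hono's `c.req.header()` (returns `undefined` for a missing header, joins duplicates with `, `), modelled here by a plain function; `getSubkeyIdLoose`, `getSubkeyIdStrict`, `scopeLoose`, `scopeStrict`, `headersFrom` and `probe` are names chosen for this example. The strict parser also rejects leading zeros and surrounding whitespace, which is stricter than the page's description of the patch.

```typescript
// Added example, not the project's code. Models the x-limited-key-id
// parsing bug and a hardened replacement side by side.

type HeaderLookup = (name: string) => string | undefined;

// Build a lookup from constructed [name, value] pairs. Duplicate headers are
// joined with ", " (assumption: that is what the Fetch Headers API and
// Hono's c.req.header() return for repeated headers).
function headersFrom(pairs: [string, string][]): HeaderLookup {
  const joined = new Map<string, string>();
  for (const [name, value] of pairs) {
    const key = name.toLowerCase();
    const prev = joined.get(key);
    joined.set(key, prev === undefined ? value : `${prev}, ${value}`);
  }
  return (name) => joined.get(name.toLowerCase());
}

// Vulnerable shape: Number() maps "73603x" and "1, 2" to NaN, "0" to 0,
// and silently coerces " 73603 ", "1e3" and "0x10" to numbers.
function getSubkeyIdLoose(header: HeaderLookup): number | undefined {
  const raw = header('x-limited-key-id');
  if (raw === undefined) return undefined;
  return Number(raw);
}

// Vulnerable decision: a truthy check, so NaN and 0 read as "no subkey".
function scopeLoose(header: HeaderLookup): 'main-key' | 'subkey' {
  const subkeyId = getSubkeyIdLoose(header);
  if (subkeyId) return 'subkey';
  return 'main-key'; // reached for NaN and 0 as well as for a missing header
}

// Hardened parse: the header is absent, a valid id, or an error. An invalid
// value is never folded into "absent".
type Strict =
  | { kind: 'absent' }
  | { kind: 'id'; id: number }
  | { kind: 'invalid'; reason: string };

function getSubkeyIdStrict(header: HeaderLookup): Strict {
  const raw = header('x-limited-key-id');
  if (raw === undefined) return { kind: 'absent' };
  // Plain positive decimal integer only: no sign, whitespace, exponent,
  // hex prefix, comma list or leading zero.
  if (!/^[1-9][0-9]*$/.test(raw)) {
    return { kind: 'invalid', reason: `not a positive integer: ${JSON.stringify(raw)}` };
  }
  const id = Number(raw);
  // Beyond 2^53-1 the decimal string no longer round-trips through a double,
  // so the id the database would see differs from the one sent.
  if (!Number.isSafeInteger(id)) {
    return { kind: 'invalid', reason: 'exceeds Number.MAX_SAFE_INTEGER' };
  }
  return { kind: 'id', id };
}

// Hardened decision: explicit state check instead of truthiness; invalid
// input becomes an HTTP 400 rather than main-key context.
function scopeStrict(header: HeaderLookup): 'main-key' | 'subkey' | 400 {
  const parsed = getSubkeyIdStrict(header);
  if (parsed.kind === 'invalid') return 400;
  if (parsed.kind === 'absent') return 'main-key';
  return 'subkey';
}

// Run one constructed request through both implementations.
function probe(pairs: [string, string][]): { loose: string; strict: string | number } {
  const h = headersFrom(pairs);
  return { loose: scopeLoose(h), strict: scopeStrict(h) };
}

// The advisory's cases plus a few more that Number() coerces silently.
const H = 'x-limited-key-id';
const cases: [string, [string, string][]][] = [
  ['missing header', []],
  ['well-formed', [[H, '73603']]],
  ['trailing junk', [[H, '73603x']]],
  ['zero', [[H, '0']]],
  ['duplicate headers', [[H, '73603'], [H, '73604']]],
  ['comma list', [[H, '1,2']]],
  ['padded', [[H, ' 73603 ']]],
  ['exponent', [[H, '1e3']]],
  ['past safe range', [[H, '9007199254740993']]],
];
for (const [label, pairs] of cases) {
  console.log(label.padEnd(18), JSON.stringify(probe(pairs)));
}
```

Every case other than "missing header" and "well-formed" lands in `main-key` or in a silently rewritten id under the loose version and in `400` under the strict one; the padded and exponent rows show that rejecting `NaN` and `0` alone is not enough, because `Number()` still accepts inputs the string form never promised.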

Preconditions

  • input: The attacker must control the `x-limited-key-id` request header sent to an endpoint that uses `middlewareKey()`.
  • config: The target deployment must be running Capgo before version 12.128.2.

Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
