Capgo - Unauthenticated Cross-Tenant Disclosure via get_current_plan_max_org RPC

An unauthenticated attacker who possesses only the public Supabase anon key (`sb_publishable_*`) can call `POST /rest/v1/rpc/get_current_plan_max_org` with an arbitrary organization UUID. The function performs no authorization check — it does not verify that the caller is a member of the target org via `org_users`, RBAC, or API key restrictions. This allows any party with the public key to retrieve billing plan limits (MAU, bandwidth, storage, build_time_unit) for any org UUID they know or can guess [ref_id=1].

The advisory recommends revoking the public grant: `REVOKE ALL ON FUNCTION public.get_current_plan_max_org(uuid) FROM anon;` and adding an authorization check inside the function (RBAC/org membership/API key org restriction) before returning any data [ref_id=1]. Without these changes, the function remains callable by the `anon` role and will return plan limits for any supplied `orgid` without verifying the caller's relationship to that organization.