Capgo - Deleted Bundle Selection via Missing Deletion Filter in /updates Endpoint
Description
Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted bundles to devices by exploiting the missing app_versions.deleted filter in channel version joins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches (1)
Vulnerability mechanics
Root cause
"Missing `app_versions.deleted` filter in channel version joins allows deleted bundles to remain selectable by /updates."
Attack vector
An authenticated app user deletes a bundle through the normal backend API, which only sets `app_versions.deleted = true` without detaching the channel reference. The `/updates` resolution logic joins `channels.version = app_versions.id` without filtering `app_versions.deleted = false`, so the deleted bundle remains eligible for update selection. As long as the deleted bundle still has a deliverable source (e.g., `external_url`), devices querying `/updates` continue to receive that bundle. An attacker who can delete a bundle can therefore keep it deployable, inadvertently or maliciously, to devices on any channel that still references it [ref_id=1].
What the fix does
The advisory does not include a published patch diff. It identifies that the fix must add a filter for `app_versions.deleted = false` in the `/updates` selection queries at `supabase/functions/_backend/utils/pg.ts:354-365` (device override path) and `:388-409` (default channel path). Without this filter, deleted bundles remain joinable and resolvable. The advisory also notes that the delete flow at `supabase/functions/_backend/public/bundle/delete.ts:27-36` should either clear the channel reference or reject deletion when a channel still points to the version [ref_id=1].
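The mechanics described above, reproduced as an added example that is not Capgo's code: a simplified two-table SQLite schema showing the unfiltered join next to the filtered one, plus the delete-time guard the advisory suggests. Only `channels.version`, `app_versions.id`, `app_versions.deleted` and `external_url` come from the advisory; every other table column, function name, the sample row and the URL are assumptions.

```python
import sqlite3

# Simplified, constructed schema: only channels.version, app_versions.id,
# app_versions.deleted and external_url are named in the advisory text.
SCHEMA = """
CREATE TABLE app_versions (id INTEGER PRIMARY KEY, name TEXT, deleted INTEGER NOT NULL DEFAULT 0, external_url TEXT);
CREATE TABLE channels (id INTEGER PRIMARY KEY, name TEXT, version INTEGER REFERENCES app_versions(id));
"""

# Join as the advisory describes it: no check on app_versions.deleted.
UNFILTERED = """
SELECT v.name, v.external_url FROM channels c
JOIN app_versions v ON c.version = v.id
WHERE c.name = ?
"""

# Same join with the filter the advisory calls for.
FILTERED = UNFILTERED + " AND v.deleted = 0"


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data: one bundle, one channel pointing at it.
    db.execute("INSERT INTO app_versions VALUES (1, '1.0.0', 0, 'https://cdn.example.invalid/1.0.0.zip')")
    db.execute("INSERT INTO channels VALUES (1, 'production', 1)")
    return db


def soft_delete(db, version_id):
    # Mirrors the described delete flow: flag only, channel reference untouched.
    db.execute("UPDATE app_versions SET deleted = 1 WHERE id = ?", (version_id,))


def guarded_delete(db, version_id):
    # Second mitigation in the advisory: reject deletion while a channel points here.
    if db.execute("SELECT 1 FROM channels WHERE version = ?", (version_id,)).fetchone():
        raise ValueError("version is still referenced by a channel")
    soft_delete(db, version_id)


def resolve(db, query, channel):
    return db.execute(query, (channel,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    soft_delete(db, 1)
    print(resolve(db, UNFILTERED, "production"), resolve(db, FILTERED, "production"))
```

The filter and the delete guard are complementary: the filter protects the read path even when a stale channel reference already exists, while the guard stops new stale references from being created.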
Preconditions
- auth: Attacker must have an authenticated app user account capable of deleting bundles via the backend API
- config: A channel must still reference the deleted bundle's app_versions.id
- input: The deleted bundle must have a deliverable source (external_url, r2_path, or manifest entries)
Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Cap-go/capgo/security/advisories/GHSA-hqq2-87cp-j83x (mitre, vendor-advisory)
- www.vulncheck.com/advisories/capgo-deleted-bundle-selection-via-missing-deletion-filter-in-updates-endpoint (mitre, third-party-advisory)