KB-7A37
07 — Function Permission Exposure
2 min read Revision 1
Supertrack G — Function Permission Exposure Control
Live landscape
| metric | count |
|---|---|
| total public functions | 598 |
| PUBLIC EXECUTE | 570 |
| SECURITY DEFINER (total) | 60 |
| SECDEF + PUBLIC EXECUTE (escalation surface) | 38 |
| PUBLIC + volatile (mutating-capable) | 294 |
Risk-ranked inventory
| risk_tier | n | note |
|---|---|---|
| P1_PRIV_ESCALATION_CALLABLE | 2 | SECDEF + PUBLIC + volatile + callable + sensitive (1 birth: fn_birth_onboarding_full_scan; 1 event: fn_iu_auto_instantiate_from_event) |
| P2_SECDEF_PUBLIC_MUTATING_CALLABLE | 24 | SECDEF + PUBLIC + volatile + callable (job/queue/IU mutators) |
| P2_PUBLIC_MUTATING_SENSITIVE | 9 | PUBLIC + volatile + sensitive name (2 birth, 3 event, 3 governance, 1 other) |
| P3_SECDEF_PUBLIC_TRIGGER_ONLY | 10 | SECDEF trigger fns — low practical risk (PUBLIC cannot supply NEW/OLD) |
| P3_NOT_PUBLIC | 28 | already restricted (good) |
| P4_LOW | 525 | low |
Ranking prioritizes approval/birth/governance/event/realrun mutators. No realrun/actuation function is PUBLIC-callable.
Hardening plan (staged only — nothing applied)
v_function_permission_hardening_plan emits 35 staged REVOKE statements (2 P1, 24 P2-secdef, 9 P2-sensitive). Each row carries applied_this_session=false and a note that any directus/service-role reliance on PUBLIC EXECUTE must be impact-proven before the statement is applied. No GRANT/REVOKE was executed.
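As an added example (not one of the page's own views), the PostgreSQL catalog query below reproduces the shape of the inventory, the tier ranking, the staged REVOKE plan and the no-go check described above. The view name fn_permission_risk_inventory_example, the sensitive-name regex, the role name directus in the dry-run, and the use of regproc to resolve fn_birth_onboarding_full_scan by bare name are assumptions; the real inventory may classify names differently.

```sql
-- Added example, not the page's own views. View name, regex and role name are assumed.
CREATE OR REPLACE VIEW fn_permission_risk_inventory_example AS
WITH fn AS (
  SELECT
    p.oid,
    n.nspname                                          AS schema_name,
    p.proname                                          AS function_name,
    pg_get_function_identity_arguments(p.oid)          AS identity_args,
    p.prosecdef                                        AS is_secdef,      -- SECURITY DEFINER
    (p.provolatile = 'v')                              AS is_volatile,    -- may mutate state
    (p.prorettype = 'trigger'::regtype)                AS is_trigger,     -- PUBLIC cannot supply NEW/OLD
    has_function_privilege('public', p.oid, 'EXECUTE') AS public_execute, -- implicit default or explicit grant
    -- heuristic stand-in for the page's "sensitive" classification (assumed pattern)
    (p.proname ~* '(approval|birth|governance|event|realrun)') AS sensitive_name
  FROM pg_proc p
  JOIN pg_namespace n ON n.oid = p.pronamespace
  WHERE n.nspname = 'public'
    AND p.prokind = 'f'   -- plain functions only; procedures and aggregates excluded
)
SELECT fn.*,
  CASE
    WHEN is_secdef AND public_execute AND is_trigger                     THEN 'P3_SECDEF_PUBLIC_TRIGGER_ONLY'
    WHEN is_secdef AND public_execute AND is_volatile AND sensitive_name THEN 'P1_PRIV_ESCALATION_CALLABLE'
    WHEN is_secdef AND public_execute AND is_volatile                    THEN 'P2_SECDEF_PUBLIC_MUTATING_CALLABLE'
    WHEN public_execute AND is_volatile AND sensitive_name               THEN 'P2_PUBLIC_MUTATING_SENSITIVE'
    WHEN NOT public_execute                                              THEN 'P3_NOT_PUBLIC'
    ELSE 'P4_LOW'
  END AS risk_tier
FROM fn;

-- Landscape counts (same metrics as the "Live landscape" table).
SELECT
  count(*)                                               AS total_public_functions,
  count(*) FILTER (WHERE public_execute)                 AS public_execute,
  count(*) FILTER (WHERE is_secdef)                      AS secdef_total,
  count(*) FILTER (WHERE is_secdef AND public_execute)   AS secdef_public_execute,
  count(*) FILTER (WHERE public_execute AND is_volatile) AS public_volatile
FROM fn_permission_risk_inventory_example;

-- Risk-ranked inventory.
SELECT risk_tier, count(*) AS n
FROM fn_permission_risk_inventory_example
GROUP BY risk_tier
ORDER BY risk_tier;

-- Staged hardening plan: generated text only, nothing is executed here.
SELECT format('REVOKE EXECUTE ON FUNCTION %I.%I(%s) FROM PUBLIC;',
              schema_name, function_name, identity_args) AS staged_sql,
       risk_tier,
       false AS applied_this_session
FROM fn_permission_risk_inventory_example
WHERE risk_tier IN ('P1_PRIV_ESCALATION_CALLABLE',
                    'P2_SECDEF_PUBLIC_MUTATING_CALLABLE',
                    'P2_PUBLIC_MUTATING_SENSITIVE')
ORDER BY risk_tier, function_name;

-- No-go guard: no realrun/actuation function may be PUBLIC-callable.
SELECT count(*) = 0 AS realrun_not_public_callable
FROM fn_permission_risk_inventory_example
WHERE function_name ~* 'realrun' AND public_execute AND NOT is_trigger;

-- Impact proof before applying a P1 revoke: run it inside a transaction,
-- confirm the service role (assumed name 'directus') still has EXECUTE via
-- an explicit grant, then roll back so the live grants are untouched.
BEGIN;
REVOKE EXECUTE ON FUNCTION public.fn_birth_onboarding_full_scan FROM PUBLIC;
SELECT has_function_privilege('directus',
                              'public.fn_birth_onboarding_full_scan'::regproc::oid,
                              'EXECUTE') AS service_role_still_allowed;
ROLLBACK;
```

Two caveats when this plan is eventually applied. REVOKE ... FROM PUBLIC removes only the implicit grant; roles with an explicit GRANT EXECUTE, the function owner and superusers keep access, which is exactly what the rolled-back dry-run checks for the service role. And because PostgreSQL grants EXECUTE to PUBLIC on every newly created function by default, the escalation surface regrows unless ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC is also set for the roles that create functions.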
No-go guard (v_function_permission_no_go_guard) 4/4 PASS: no grant/revoke applied this session; hardening plan staged-only; realrun functions not publicly callable; inventory covers all 598 functions.
Views built: v_function_permission_risk_inventory, v_function_permission_hardening_plan, v_function_permission_no_go_guard.