From 84d2e775adbb99b5bbf237b72f86fa5fe9a1f265 Mon Sep 17 00:00:00 2001
From: Adolfo Delorenzo <adelorenzo@oe74.net>
Date: Wed, 25 Mar 2026 12:40:08 -0600
Subject: [PATCH] =?UTF-8?q?fix:=20register=20RLS=20hook=20on=20gateway=20?=
 =?UTF-8?q?=E2=80=94=20agent=20creation=20was=20failing=20with=20policy=20?=
 =?UTF-8?q?violation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The gateway never called configure_rls_hook(engine), so SET LOCAL
app.current_tenant was never set for any DB operation through the
portal API endpoints. All tenant-scoped writes (agent creation, etc.)
failed with "new row violates row-level security policy."

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 packages/gateway/gateway/main.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/packages/gateway/gateway/main.py b/packages/gateway/gateway/main.py
index f1a61aa..ead84ce 100644
--- a/packages/gateway/gateway/main.py
+++ b/packages/gateway/gateway/main.py
@@ -53,13 +53,17 @@ from shared.api import (
     webhook_router,
 )
 from shared.config import settings
-from shared.db import async_session_factory
+from shared.db import async_session_factory, engine
+from shared.rls import configure_rls_hook
 
 logger = logging.getLogger(__name__)
 
 # ---------------------------------------------------------------------------
 # FastAPI app
 # ---------------------------------------------------------------------------
+# Register RLS hook so tenant context is set for all DB operations
+configure_rls_hook(engine)
+
 app = FastAPI(
     title="Konstruct Channel Gateway",
     description="Unified ingress for all messaging platforms",