From 1b1544e7a63558a20b18d08f5423394bfded39d3 Mon Sep 17 00:00:00 2001
From: Recoup Agent
Date: Thu, 19 Mar 2026 16:28:07 +0000
Subject: [PATCH] =?UTF-8?q?agent:=20@U0AJM7X8FBR=20Supabase=20-=20prevent?= =?UTF-8?q?=20API=20keys=20in=20Org=20Accounts.=20=E2=80=A2=20Actual:=20It?= =?UTF-8?q?'s?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
...319000000_prevent_org_account_api_keys.sql | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 supabase/migrations/20260319000000_prevent_org_account_api_keys.sql
diff --git a/supabase/migrations/20260319000000_prevent_org_account_api_keys.sql b/supabase/migrations/20260319000000_prevent_org_account_api_keys.sql
new file mode 100644
index 0000000..bcb3b6d
--- /dev/null
+++ b/supabase/migrations/20260319000000_prevent_org_account_api_keys.sql
@@ -0,0 +1,26 @@
+-- Migration: Prevent API keys from being created for organization accounts
+-- An account is an "organization" if it exists in the organization_id column
+-- of the account_organization_ids table. API keys should only be issued to
+-- individual member accounts, never to the org account itself.
+
+CREATE OR REPLACE FUNCTION public.prevent_org_account_api_keys()
+RETURNS trigger AS $$
+BEGIN
+ IF EXISTS (
+ SELECT 1
+ FROM public.account_organization_ids
+ WHERE organization_id = NEW.account
+ ) THEN
+ RAISE EXCEPTION
+ 'Cannot create an API key for an organization account (account_id: %)',
+ NEW.account;
+ END IF;
+
+ RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER prevent_org_account_api_keys_trigger
+ BEFORE INSERT OR UPDATE ON public.account_api_keys
+ FOR EACH ROW
+ EXECUTE FUNCTION public.prevent_org_account_api_keys();
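Review bot: The lookup in `prevent_org_account_api_keys()` runs with the privileges of the role performing the write, because the function is declared without `SECURITY DEFINER`; if row-level security on `public.account_organization_ids` hides organization rows from that role (the table's policies are not visible in this patch), `EXISTS` returns false and the key is accepted silently. Consider declaring it as `$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = '';`, which works here because the table reference is already schema-qualified. The trigger also enforces the rule only at key-write time: keys that already exist for organization accounts, and accounts that become organizations after a key was issued, are not covered, so a one-off audit query plus a matching check on inserts into `account_organization_ids` would close that gap. Finally, `BEFORE INSERT OR UPDATE` fires on every update, so a legacy key row owned by an organization can no longer be updated at all (which may include whatever a revocation or last-used update does); `BEFORE INSERT OR UPDATE OF account` would limit the check to ownership changes.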