Undline commented Apr 14, 2026
- Add migration 012 entity_profile_branding and repository for org logos and user profile images.
- Implement get/set_organization_logo and get/set_user_profile_image with genesis fallback and bootstrap-or-holder auth for writes.
- Register handlers in dispatch, wire catalog entries, and success codes.
- Restore get_core_genesis_branding handler in handlers.py where missing.
- Methods UI: remove Set category, move writes to Protocol; wire live execute for new ops; PrettyMockResponse renders SVG and raster previews.
- Tests: not-found cases for new getters; full suite green.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 40a57f3005
| if norm_name is not None: | ||
| lookup = _org_lookup_k(norm_name) | ||
| else: | ||
| lookup = _org_lookup_p(org_pk) | ||
|
|
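Review bot: the `else` branch sends every request where `norm_name` is None to `_org_lookup_p(org_pk)`, and nothing in these lines checks that `org_pk` is set before it is used. Making the second branch `elif org_pk is not None:` with a final `else` that raises would keep a missing identifier from reaching the lookup helper.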
Validate organization key ownership before persisting logo
`handle_set_organization_logo` authorizes only against `organization_signing_public_key_hex`, then writes to the `k:<organization_key>` namespace whenever a key is provided, without checking that this name is actually bound to that public key. In a deployment with existing org name bindings, any signer can submit their own key plus another org's `organization_key` and overwrite what `get_organization_logo` returns for that org label, which enables branding spoofing.
| if has_key == has_pk: | ||
| raise WireValidationError( | ||
| "provide exactly one of organization_key or " | ||
| "organization_signing_public_key_hex", | ||
| code=ErrorCode.PAYLOAD_INVALID, |
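Review bot: the single message "provide exactly one of organization_key or organization_signing_public_key_hex" is raised from one branch, `if has_key == has_pk`, which is meant to cover both the nothing-supplied and the both-supplied request. A caller cannot tell which mistake it made; splitting the branch in two, each with its own message under the same `ErrorCode.PAYLOAD_INVALID`, would make client errors easier to diagnose.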
Enforce XOR with booleans for identifier validation
The exclusivity check uses `if has_key == has_pk`, but these variables are set from `... and str(...).strip()`, so they can be non-empty strings instead of booleans. When both identifiers are provided with different values, the comparison is false and the request is incorrectly accepted, violating the "exactly one" contract and silently preferring one branch; the same pattern appears in `handle_get_user_profile_image`.
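The exactly-one identifier check from the review comment above, as an added example that is not code from the pull request: the string comparison beside the `bool()` form. The `_field` helper is an assumed shape for the `... and str(...).strip()` pattern, `PayloadInvalid` is a hypothetical stand-in for the handler's error, and the payloads are constructed.

```python
# Added illustration, not code from the pull request. Field names and the
# k:/p: prefixes come from the review thread; everything else is assumed.
ORG_KEY = "organization_key"
ORG_PK = "organization_signing_public_key_hex"


class PayloadInvalid(ValueError):
    """Hypothetical stand-in for the handler's PAYLOAD_INVALID error."""


def _field(payload, name):
    # Assumed shape of the `... and str(...).strip()` pattern: the result is
    # None, "" or a stripped string, never a bool.
    raw = payload.get(name)
    return raw and str(raw).strip()


def accepts_with_string_compare(payload):
    """The reviewed check: reject only when the two values compare equal."""
    has_key, has_pk = _field(payload, ORG_KEY), _field(payload, ORG_PK)
    return has_key != has_pk


def select_lookup(payload):
    """Exactly-one check on booleans; returns the namespaced lookup key."""
    key, pk = _field(payload, ORG_KEY), _field(payload, ORG_PK)
    if bool(key) == bool(pk):
        raise PayloadInvalid(f"provide exactly one of {ORG_KEY} or {ORG_PK}")
    return f"k:{key}" if key else f"p:{pk}"


def accepts_with_bool_compare(payload):
    try:
        select_lookup(payload)
        return True
    except PayloadInvalid:
        return False


# Constructed sample payloads: (label, payload).
CASES = [
    ("key only", {ORG_KEY: "acme"}),
    ("pubkey only", {ORG_PK: "ab12"}),
    ("neither", {}),
    ("both, different values", {ORG_KEY: "acme", ORG_PK: "ab12"}),
    ("blank key, no pubkey", {ORG_KEY: "   "}),
]

if __name__ == "__main__":
    for label, payload in CASES:
        print(label, accepts_with_string_compare(payload), accepts_with_bool_compare(payload))
```

The last two cases are the ones where the two checks disagree: the string comparison accepts both, the boolean comparison rejects both.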
| if handle_norm is not None: | ||
| lookup = _user_lookup_h(handle_norm) | ||
| else: | ||
| lookup = _user_lookup_p(user_pk) |
Preserve public-key lookup when user handle is provided
When `user_handle` is present, `handle_set_user_profile_image` stores the row under `h:<handle>` only, but `get_user_profile_image` by `user_signing_public_key_hex` reads only `p:<pubkey>` rows. This means a profile saved with a handle cannot be retrieved by public key, causing `IDENTITY_NOT_FOUND` for existing data and inconsistent behavior versus the advertised "handle or pubkey" lookup semantics.
- set_organization_logo: non-bootstrap senders must have organization_key bound to organization_signing_public_key_hex via name_bindings (IDENTITY_MISMATCH).
- get_organization_logo / get_user_profile_image: use bool() for exactly-one identifier checks so both fields cannot slip past string comparison.
- set_user_profile_image: upsert both p:<pubkey> and h:<handle> when handle given so get by pubkey finds the same image.
- Tests and wire catalog description updated.

Made-with: Cursor