PLUTO-122 search_path hardening migration: pin SET search_path on all 36 public functions (function_search_path_mutable lint 0011). Behavior-preserving (most ref public -> SET search_path = public; do NOT use '' on any fn referencing public objects unqualified - verify each resolves identically). Additive/reversible. 0 SECURITY DEFINER fns so risk near-zero; Elazar greenlit anyway for a clean advisor. Audit pre-apply (schema DDL) -> apply -> db:export -> push via db exception lane.

PLUTO-122 · pluto

search_path hardening migration: pin SET search_path on all 36 public functions (function_search_path_mutable lint 0011). Behavior-preserving (most ref public -> SET search_path = public; do NOT use '' on any fn referencing public objects unqualified - verify each resolves identically). Additive/reversible. 0 SECURITY DEFINER fns so risk near-zero; Elazar greenlit anyway for a clean advisor. Audit pre-apply (schema DDL) -> apply -> db:export -> push via db exception lane.

No sub-items.

No questions.

2026-06-14T06:35:55.695Z · created · wi-cli-venus
2026-06-14T06:47:51.959Z · completed · wi-cli-venus

search_path pinned on 37 public functions (migration 029), shipped 526ec3a/v1.69.48. audit pre-apply PASS (37/37 SECURITY INVOKER, zero cross-schema refs) + post-push PASS (served .48 alias READY before .49 stacked). function_search_path_mutable advisor cleared. 0 SECURITY DEFINER fns = was near-zero risk, done for clean advisor per Elazar.