| author | Fuwn <[email protected]> | 2026-02-09 23:41:01 -0800 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2026-02-09 23:41:01 -0800 |
| commit | 56244758d94c14349540bd0951339fa939156204 (patch) | |
| tree | 3fba880cda09c0e8d913dc30884182df5e6a73ee /apps/web/app/api/v1 | |
| parent | fix: use online networkMode for offline mutations instead of offlineFirst (diff) | |
| download | asa.news-56244758d94c14349540bd0951339fa939156204.tar.xz asa.news-56244758d94c14349540bd0951339fa939156204.zip | |
fix: P0 correctness and security fixes
- Add missing 'developer' case to check_custom_feed_limit trigger (was falling through to else 1)
- Scope user_entry_states join to authenticated user in /api/v1/entries (admin client bypasses RLS)
- Replace in-memory rate limiting with Supabase-backed solution (UNLOGGED table + check_rate_limit RPC + pg_cron cleanup)
Diffstat (limited to 'apps/web/app/api/v1')
| -rw-r--r-- | apps/web/app/api/v1/entries/route.ts | 1 | ||||
| -rw-r--r-- | apps/web/app/api/v1/keys/route.ts | 2 |
2 files changed, 2 insertions, 1 deletions
diff --git a/apps/web/app/api/v1/entries/route.ts b/apps/web/app/api/v1/entries/route.ts
index 8a2de62..47789f1 100644
--- a/apps/web/app/api/v1/entries/route.ts
+++ b/apps/web/app/api/v1/entries/route.ts
@@ -43,6 +43,7 @@ export async function GET(request: Request) {
 )
 .in("feed_id", subscribedFeedIdentifiers)
 .is("owner_id", null)
+ .eq("user_entry_states.user_id", authResult.user.userIdentifier)
 .order("published_at", { ascending: false })
 .limit(limit + 1)
diff --git a/apps/web/app/api/v1/keys/route.ts b/apps/web/app/api/v1/keys/route.ts
index de63a46..67bad66 100644
--- a/apps/web/app/api/v1/keys/route.ts
+++ b/apps/web/app/api/v1/keys/route.ts
@@ -54,7 +54,7 @@ export async function POST(request: Request) {
 return NextResponse.json({ error: "not authenticated" }, { status: 401 })
 }
- const rateLimitResult = rateLimit(`api-keys:${user.id}`, 10, 60_000)
+ const rateLimitResult = await rateLimit(`api-keys:${user.id}`, 10, 60_000)
 if (!rateLimitResult.success) {
 return NextResponse.json({ error: "too many requests" }, { status: 429 })
 } |
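Review bot: The added `.eq("user_entry_states.user_id", authResult.user.userIdentifier)` is the only thing keeping other users' entry states out of the response, because the admin client bypasses RLS, so it needs a why-comment on the line above it: `// admin client bypasses RLS: restrict the embedded user_entry_states rows to the caller`. Whether this filter narrows only the embedded rows or also drops parent entries depends on the `.select(...)` above the hunk, which is outside this view: with a plain embed, entries that have no state row for this user keep an empty `user_entry_states` array, but with a `!inner` embed they would disappear from the listing entirely, so this should be confirmed against the select. A regression test that lists entries as one user after a second user has marked them read, and asserts the second user's rows are absent, would pin the fix. GET's body starts before and continues after the hunk.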
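Review bot: The newly awaited `rateLimit(...)` now depends on a remote RPC, and the hunk does not show what happens when that call fails; unless rateLimit catches errors internally, a rejected promise here surfaces as an unhandled 500 from POST rather than a deliberate allow or deny. Decide fail-open versus fail-closed explicitly and encode it next to the call, for example by wrapping the await in try/catch and returning `NextResponse.json({ error: "rate limiter unavailable" }, { status: 503 })` on failure, with a one-line comment stating the chosen policy. Since this is the only guard between an authenticated caller and key creation, fail-closed seems the safer default, but the rateLimit implementation is outside this diffstat so this is inferred. POST's body starts before and continues after the hunk.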