authorFuwn <[email protected]>2026-02-09 23:41:01 -0800
committerFuwn <[email protected]>2026-02-09 23:41:01 -0800
commit56244758d94c14349540bd0951339fa939156204 (patch)
tree3fba880cda09c0e8d913dc30884182df5e6a73ee /apps/web/app/api/webhook-config
parentfix: use online networkMode for offline mutations instead of offlineFirst (diff)
fix: P0 correctness and security fixes
- Add missing 'developer' case to check_custom_feed_limit trigger (was falling through to else 1)
- Scope user_entry_states join to authenticated user in /api/v1/entries (admin client bypasses RLS)
- Replace in-memory rate limiting with Supabase-backed solution (UNLOGGED table + check_rate_limit RPC + pg_cron cleanup)
Diffstat (limited to 'apps/web/app/api/webhook-config')
-rw-r--r--apps/web/app/api/webhook-config/route.ts2
-rw-r--r--apps/web/app/api/webhook-config/test/route.ts2
2 files changed, 2 insertions, 2 deletions
diff --git a/apps/web/app/api/webhook-config/route.ts b/apps/web/app/api/webhook-config/route.ts
index eefa9f2..aa63d0d 100644
--- a/apps/web/app/api/webhook-config/route.ts
+++ b/apps/web/app/api/webhook-config/route.ts
@@ -59,7 +59,7 @@ export async function PUT(request: Request) {
return NextResponse.json({ error: "not authenticated" }, { status: 401 })
}
- const rateLimitResult = rateLimit(`webhook-config:${user.id}`, 10, 60_000)
+ const rateLimitResult = await rateLimit(`webhook-config:${user.id}`, 10, 60_000)
if (!rateLimitResult.success) {
return NextResponse.json({ error: "too many requests" }, { status: 429 })
}
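Review bot: The awaited call on the new line now makes a remote Supabase RPC decide whether this PUT proceeds, and the hunk does not show which way it falls when that RPC errors: if rateLimit throws, the handler answers 500 instead of 429, and if it catches internally and reports `success: true`, the limiter fails open. Either policy is defensible for an authenticated per-user limit, but it should be chosen explicitly at the call site rather than inherited from the helper, e.g. wrap the call in try/catch, log the error so a limiter outage is visible, and return `NextResponse.json({ error: "rate limit unavailable" }, { status: 503 })` on failure. The same applies to the webhook-test hunk in test/route.ts. The body of PUT and the rateLimit implementation are outside the hunk, so the actual failure mode cannot be confirmed from here; the diffstat is limited to this directory, so please also confirm every other rateLimit caller was updated to await the now-async result.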
diff --git a/apps/web/app/api/webhook-config/test/route.ts b/apps/web/app/api/webhook-config/test/route.ts
index 5e58c9c..ae17c5b 100644
--- a/apps/web/app/api/webhook-config/test/route.ts
+++ b/apps/web/app/api/webhook-config/test/route.ts
@@ -21,7 +21,7 @@ export async function POST() {
return NextResponse.json({ error: "not authenticated" }, { status: 401 })
}
- const rateLimitResult = rateLimit(`webhook-test:${user.id}`, 5, 60_000)
+ const rateLimitResult = await rateLimit(`webhook-test:${user.id}`, 5, 60_000)
if (!rateLimitResult.success) {
return NextResponse.json({ error: "too many requests" }, { status: 429 })
}