From 5a38c20af1de0b6d85edc1156e80b6c8710b901a Mon Sep 17 00:00:00 2001
From: Marcus Pasell <3690498+rickyrombo@users.noreply.github.com>
Date: Fri, 10 Apr 2026 11:49:39 -0700
Subject: [PATCH 1/4] fix(mediorum): make access authority check
 case-insensitive

Ethereum addresses can vary in casing (checksummed vs lowercase). Use
LOWER() on both sides of the management_keys address comparison so
streaming auth matches regardless of case, consistent with the existing
EqualFold check for validator/peer wallets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 pkg/mediorum/server/serve_blob.go      | 4 ++--
 pkg/mediorum/server/serve_blob_grpc.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/mediorum/server/serve_blob.go b/pkg/mediorum/server/serve_blob.go
index 6f6d789b..ab2c2548 100644
--- a/pkg/mediorum/server/serve_blob.go
+++ b/pkg/mediorum/server/serve_blob.go
@@ -526,7 +526,7 @@ func (s *MediorumServer) requireRegisteredSignature(next echo.HandlerFunc) echo.
 			// If track has access_authorities (management_keys), ONLY those signers may authorize - not validator keys
 			if trackID != "" && managementKeyCount > 0 {
 				var count int
-				s.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND address = ?", trackID, sig.SignerWallet).Scan(&count)
+				s.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND LOWER(address) = LOWER(?)", trackID, sig.SignerWallet).Scan(&count)
 				if count == 0 {
 					s.logger.Debug("sig no match (access_authorities)", zap.String("signed by", sig.SignerWallet), zap.String("track_id", trackID))
 					return c.JSON(401, map[string]string{
@@ -685,7 +685,7 @@ func (ss *MediorumServer) serveTrack(c echo.Context) error {
 	}
 
 	var count int
-	ss.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND address = ?", trackId, sig.SignerWallet).Scan(&count)
+	ss.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND LOWER(address) = LOWER(?)", trackId, sig.SignerWallet).Scan(&count)
 	if count == 0 {
 		ss.logger.Debug("sig no match", zap.String("signed by", sig.SignerWallet))
 		return c.JSON(401, map[string]string{
diff --git a/pkg/mediorum/server/serve_blob_grpc.go b/pkg/mediorum/server/serve_blob_grpc.go
index 4b9f192b..d754fbf7 100644
--- a/pkg/mediorum/server/serve_blob_grpc.go
+++ b/pkg/mediorum/server/serve_blob_grpc.go
@@ -44,7 +44,7 @@ func (s *MediorumServer) streamTrackGRPC(ctx context.Context, req *v1storage.Str
 	}
 
 	var count int
-	s.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND address = ?", trackId, ethAddress).Scan(&count)
+	s.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND LOWER(address) = LOWER(?)", trackId, ethAddress).Scan(&count)
 	if count == 0 {
 		s.logger.Debug("sig no match", zap.String("signed by", ethAddress))
 		return connect.NewError(connect.CodePermissionDenied, errors.New("signer not authorized to access"))

From dceccd0d15c691a63293d25d7d7e1fe94ae92962 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 10 Apr 2026 19:02:10 +0000
Subject: [PATCH 2/4] fix(mediorum): normalize address in Go before SQL query
 to preserve index usage

Agent-Logs-Url: https://github.com/OpenAudio/go-openaudio/sessions/4323f5ff-0b33-47bb-911c-7cb6e682029c

Co-authored-by: rickyrombo <3690498+rickyrombo@users.noreply.github.com>
---
 pkg/mediorum/server/serve_blob.go      | 6 ++++--
 pkg/mediorum/server/serve_blob_grpc.go | 4 +++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/pkg/mediorum/server/serve_blob.go b/pkg/mediorum/server/serve_blob.go
index ab2c2548..58a4b5ce 100644
--- a/pkg/mediorum/server/serve_blob.go
+++ b/pkg/mediorum/server/serve_blob.go
@@ -526,7 +526,8 @@ func (s *MediorumServer) requireRegisteredSignature(next echo.HandlerFunc) echo.
 			// If track has access_authorities (management_keys), ONLY those signers may authorize - not validator keys
 			if trackID != "" && managementKeyCount > 0 {
 				var count int
-				s.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND LOWER(address) = LOWER(?)", trackID, sig.SignerWallet).Scan(&count)
+				normalizedSignerWallet := strings.ToLower(sig.SignerWallet)
+				s.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND address = ?", trackID, normalizedSignerWallet).Scan(&count)
 				if count == 0 {
 					s.logger.Debug("sig no match (access_authorities)", zap.String("signed by", sig.SignerWallet), zap.String("track_id", trackID))
 					return c.JSON(401, map[string]string{
@@ -685,7 +686,8 @@ func (ss *MediorumServer) serveTrack(c echo.Context) error {
 	}
 
 	var count int
-	ss.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND LOWER(address) = LOWER(?)", trackId, sig.SignerWallet).Scan(&count)
+	normalizedSignerWallet := strings.ToLower(sig.SignerWallet)
+	ss.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND address = ?", trackId, normalizedSignerWallet).Scan(&count)
 	if count == 0 {
 		ss.logger.Debug("sig no match", zap.String("signed by", sig.SignerWallet))
 		return c.JSON(401, map[string]string{
diff --git a/pkg/mediorum/server/serve_blob_grpc.go b/pkg/mediorum/server/serve_blob_grpc.go
index d754fbf7..399db19f 100644
--- a/pkg/mediorum/server/serve_blob_grpc.go
+++ b/pkg/mediorum/server/serve_blob_grpc.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"io"
+	"strings"
 	"time"
 
 	"connectrpc.com/connect"
@@ -44,7 +45,8 @@ func (s *MediorumServer) streamTrackGRPC(ctx context.Context, req *v1storage.Str
 	}
 
 	var count int
-	s.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND LOWER(address) = LOWER(?)", trackId, ethAddress).Scan(&count)
+	normalizedEthAddress := strings.ToLower(ethAddress)
+	s.crud.DB.Raw("SELECT COUNT(*) FROM management_keys WHERE track_id = ? AND address = ?", trackId, normalizedEthAddress).Scan(&count)
 	if count == 0 {
 		s.logger.Debug("sig no match", zap.String("signed by", ethAddress))
 		return connect.NewError(connect.CodePermissionDenied, errors.New("signer not authorized to access"))

From 4788740e03c08a8eaf097e353dd3d110a2fdbb80 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 10 Apr 2026 19:05:46 +0000
Subject: [PATCH 3/4] fix(mediorum): normalize management_keys address in Go to
 preserve index usage

Agent-Logs-Url: https://github.com/OpenAudio/go-openaudio/sessions/4323f5ff-0b33-47bb-911c-7cb6e682029c

Co-authored-by: rickyrombo <3690498+rickyrombo@users.noreply.github.com>
---
 pkg/etl/go.mod | 4 ----
 pkg/etl/go.sum | 4 ++--
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/pkg/etl/go.mod b/pkg/etl/go.mod
index bf8fb186..abfb5f42 100644
--- a/pkg/etl/go.mod
+++ b/pkg/etl/go.mod
@@ -31,14 +31,10 @@ require (
 	github.com/jackc/puddle/v2 v2.2.1 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/mmcloughlin/addchain v0.4.0 // indirect
-	github.com/stretchr/testify v1.11.1 // indirect
 	github.com/supranational/blst v0.3.13 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.44.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/text v0.31.0 // indirect
 	rsc.io/tmplfunc v0.0.3 // indirect
diff --git a/pkg/etl/go.sum b/pkg/etl/go.sum
index e6aca549..e019d9d9 100644
--- a/pkg/etl/go.sum
+++ b/pkg/etl/go.sum
@@ -146,8 +146,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible h1:Bn1aCHHRnjv4Bl16T8rcaFjYSrGrIZvpiGO6P3Q4GpU=
 github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

From b152e610bd26c667b2860c92849e29dd7c8a5a03 Mon Sep 17 00:00:00 2001
From: Marcus Pasell <3690498+rickyrombo@users.noreply.github.com>
Date: Mon, 13 Apr 2026 15:39:48 -0700
Subject: [PATCH 4/4] fix(core): normalize access authority addresses to
 lowercase on insert

Ensures management_keys.address is always stored lowercase so streaming
auth comparisons match regardless of the casing in the original tx.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 pkg/core/server/manage_entity.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/core/server/manage_entity.go b/pkg/core/server/manage_entity.go
index 54042f20..8c9e21b5 100644
--- a/pkg/core/server/manage_entity.go
+++ b/pkg/core/server/manage_entity.go
@@ -101,7 +101,7 @@ func (s *Server) processTrackManageEntity(ctx context.Context, me *v1.ManageEnti
 	for _, addr := range signers {
 		if err := q.InsertManagementKey(ctx, db.InsertManagementKeyParams{
 			TrackID: trackID,
-			Address: addr,
+			Address: strings.ToLower(addr),
 		}); err != nil {
 			return fmt.Errorf("insert management_key: %w", err)
 		}