fix: add missing REVOKE on config-write functions (#64)

## Summary

- `set_config()` and `set_group_config()` were missing `REVOKE ALL ON
FUNCTION ... FROM PUBLIC`, allowing any database user to modify global
and per-group pipeline configuration
- All 12 other management functions already had this protection — these
two were the only gap
- Added ACL regression test coverage for both config-write (denied) and
config-read (allowed) functions

## Test plan

- [x] `make check-regression TEST=acl` — verifies `set_config` and
`set_group_config` are denied for non-superusers, and
`get_config`/`get_group_config` remain accessible
- [x] Full regression suite (42/42 tests pass)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: YuweiXiao

duckpipe-pg/src/api.rs

@@ -2611,6 +2611,7 @@ CREATE FUNCTION duckpipe.set_config(
 ) RETURNS void
 AS 'MODULE_PATHNAME', '@FUNCTION_NAME@'
 LANGUAGE C STRICT;
+REVOKE ALL ON FUNCTION duckpipe.set_config(TEXT, TEXT) FROM PUBLIC;
 ")]
 fn set_config(key: &str, value: &str) {
     // Validate key and value
@@ -2691,6 +2692,7 @@ CREATE FUNCTION duckpipe.set_group_config(
 ) RETURNS void
 AS 'MODULE_PATHNAME', '@FUNCTION_NAME@'
 LANGUAGE C STRICT;
+REVOKE ALL ON FUNCTION duckpipe.set_group_config(TEXT, TEXT, TEXT) FROM PUBLIC;
 ")]
 fn set_group_config(group_name: &str, key: &str, value: &str) {
     // Validate key and value

test/regression/expected/acl.out

@@ -51,6 +51,28 @@ SELECT has_table_privilege('acl_owner', 'public.acl_source_ducklake', 'DELETE')
 SET ROLE acl_owner;
 SELECT duckpipe.add_table('public.acl_source');  -- should fail: permission denied
 ERROR:  permission denied for function add_table
+RESET ROLE;
+-- Verify config-write functions are NOT callable by non-superusers
+SET ROLE acl_owner;
+SELECT duckpipe.set_config('duckdb_threads', '2');  -- should fail: permission denied
+ERROR:  permission denied for function set_config
+SELECT duckpipe.set_group_config('default', 'duckdb_threads', '2');  -- should fail: permission denied
+ERROR:  permission denied for function set_group_config
+RESET ROLE;
+-- Verify config-read functions ARE callable by non-superusers
+SET ROLE acl_owner;
+SELECT duckpipe.get_config('duckdb_threads') IS NOT NULL OR TRUE AS can_call_get_config;
+ can_call_get_config 
+---------------------
+ t
+(1 row)
+
+SELECT duckpipe.get_group_config('default', 'duckdb_threads') IS NOT NULL OR TRUE AS can_call_get_group_config;
+ can_call_get_group_config 
+---------------------------
+ t
+(1 row)
+
 RESET ROLE;
 -- Verify monitoring functions ARE callable by non-superusers (schema USAGE granted to PUBLIC)
 SET ROLE acl_owner;

test/regression/sql/acl.sql

@@ -29,6 +29,18 @@ SET ROLE acl_owner;
 SELECT duckpipe.add_table('public.acl_source');  -- should fail: permission denied
 RESET ROLE;
 
+-- Verify config-write functions are NOT callable by non-superusers
+SET ROLE acl_owner;
+SELECT duckpipe.set_config('duckdb_threads', '2');  -- should fail: permission denied
+SELECT duckpipe.set_group_config('default', 'duckdb_threads', '2');  -- should fail: permission denied
+RESET ROLE;
+
+-- Verify config-read functions ARE callable by non-superusers
+SET ROLE acl_owner;
+SELECT duckpipe.get_config('duckdb_threads') IS NOT NULL OR TRUE AS can_call_get_config;
+SELECT duckpipe.get_group_config('default', 'duckdb_threads') IS NOT NULL OR TRUE AS can_call_get_group_config;
+RESET ROLE;
+
 -- Verify monitoring functions ARE callable by non-superusers (schema USAGE granted to PUBLIC)
 SET ROLE acl_owner;
 SELECT count(*) >= 0 AS can_call_groups FROM duckpipe.groups();