npm - @abloatai/ablo - Versions diffs - 0.9.4 → 0.9.5 - Mend

@abloatai/ablo 0.9.4 → 0.9.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,11 @@
 # Changelog
+## 0.9.5
+### Patch Changes
+- Scoped-role automation + tenant-routing fix. `ablo migrate` now auto-creates the RLS-gated scoped role (zero SQL) with a log-safe SCRAM-SHA-256 password verifier, plus a Neon/Supabase scoped-role `databaseUrl` recipe. Fix a jsonb double-encode that corrupted per-tenant routing and silently fell back to the shared pool.
 ## 0.9.4
 ### Patch Changes

package/dist/cli.cjs CHANGED Viewed

@@ -125060,7 +125060,7 @@ ${lanes.join("\n")}
           }
         }
         function createImportCallExpressionAMD(arg, containsLexicalThis) {
-          const resolve5 = factory2.createUniqueName("resolve");
+          const resolve6 = factory2.createUniqueName("resolve");
           const reject = factory2.createUniqueName("reject");
           const parameters = [
             factory2.createParameterDeclaration(
@@ -125069,7 +125069,7 @@ ${lanes.join("\n")}
               /*dotDotDotToken*/
               void 0,
               /*name*/
-              resolve5
+              resolve6
             ),
             factory2.createParameterDeclaration(
               /*modifiers*/
@@ -125086,7 +125086,7 @@ ${lanes.join("\n")}
                 factory2.createIdentifier("require"),
                 /*typeArguments*/
                 void 0,
-                [factory2.createArrayLiteralExpression([arg || factory2.createOmittedExpression()]), resolve5, reject]
+                [factory2.createArrayLiteralExpression([arg || factory2.createOmittedExpression()]), resolve6, reject]
               )
             )
           ]);
@@ -211695,8 +211695,8 @@ Additional information: BADCLIENT: Bad error code, ${badCode} not found in range
         installPackage(options) {
           this.packageInstallId++;
           const request = { kind: "installPackage", ...options, id: this.packageInstallId };
-          const promise = new Promise((resolve5, reject) => {
-            (this.packageInstalledPromise ?? (this.packageInstalledPromise = /* @__PURE__ */ new Map())).set(this.packageInstallId, { resolve: resolve5, reject });
+          const promise = new Promise((resolve6, reject) => {
+            (this.packageInstalledPromise ?? (this.packageInstalledPromise = /* @__PURE__ */ new Map())).set(this.packageInstallId, { resolve: resolve6, reject });
           });
           this.installer.send(request);
           return promise;
@@ -213965,7 +213965,7 @@ var require_path_browserify = __commonJS({
     }
     var posix = {
       // path.resolve([from ...], to)
-      resolve: function resolve5() {
+      resolve: function resolve6() {
         var resolvedPath = "";
         var resolvedAbsolute = false;
         var cwd;
@@ -218865,41 +218865,41 @@ var require_queue = __commonJS({
       queue.drained = drained;
       return queue;
       function push2(value) {
-        var p2 = new Promise(function(resolve5, reject) {
+        var p2 = new Promise(function(resolve6, reject) {
           pushCb(value, function(err, result) {
             if (err) {
               reject(err);
               return;
             }
-            resolve5(result);
+            resolve6(result);
           });
         });
         p2.catch(noop3);
         return p2;
       }
       function unshift(value) {
-        var p2 = new Promise(function(resolve5, reject) {
+        var p2 = new Promise(function(resolve6, reject) {
           unshiftCb(value, function(err, result) {
             if (err) {
               reject(err);
               return;
             }
-            resolve5(result);
+            resolve6(result);
           });
         });
         p2.catch(noop3);
         return p2;
       }
       function drained() {
-        var p2 = new Promise(function(resolve5) {
+        var p2 = new Promise(function(resolve6) {
           process.nextTick(function() {
             if (queue.idle()) {
-              resolve5();
+              resolve6();
             } else {
               var previousDrain = queue.drain;
               queue.drain = function() {
                 if (typeof previousDrain === "function") previousDrain();
-                resolve5();
+                resolve6();
                 queue.drain = previousDrain;
               };
             }
@@ -219396,9 +219396,9 @@ var require_stream3 = __commonJS({
         });
       }
       _getStat(filepath) {
-        return new Promise((resolve5, reject) => {
+        return new Promise((resolve6, reject) => {
           this._stat(filepath, this._fsStatSettings, (error, stats) => {
-            return error === null ? resolve5(stats) : reject(error);
+            return error === null ? resolve6(stats) : reject(error);
           });
         });
       }
@@ -219423,10 +219423,10 @@ var require_async5 = __commonJS({
         this._readerStream = new stream_1.default(this._settings);
       }
       dynamic(root, options) {
-        return new Promise((resolve5, reject) => {
+        return new Promise((resolve6, reject) => {
           this._walkAsync(root, options, (error, entries) => {
             if (error === null) {
-              resolve5(entries);
+              resolve6(entries);
             } else {
               reject(error);
             }
@@ -219436,10 +219436,10 @@ var require_async5 = __commonJS({
       async static(patterns, options) {
         const entries = [];
         const stream = this._readerStream.static(patterns, options);
-        return new Promise((resolve5, reject) => {
+        return new Promise((resolve6, reject) => {
           stream.once("error", reject);
           stream.on("data", (entry) => entries.push(entry));
-          stream.once("end", () => resolve5(entries));
+          stream.once("end", () => resolve6(entries));
         });
       }
     };
@@ -252345,12 +252345,12 @@ type XMLHttpRequestResponseType = "" | "arraybuffer" | "blob" | "document" | "js
     };
     var NodeRuntimeFileSystem = class {
       delete(path2) {
-        return new Promise((resolve5, reject) => {
+        return new Promise((resolve6, reject) => {
           fs__namespace.rm(path2, { recursive: true }, (err) => {
             if (err)
               reject(err);
             else
-              resolve5();
+              resolve6();
           });
         });
       }
@@ -252369,12 +252369,12 @@ type XMLHttpRequestResponseType = "" | "arraybuffer" | "blob" | "document" | "js
         }));
       }
       readFile(filePath, encoding = "utf-8") {
-        return new Promise((resolve5, reject) => {
+        return new Promise((resolve6, reject) => {
           fs__namespace.readFile(filePath, encoding, (err, data) => {
             if (err)
               reject(err);
             else
-              resolve5(data);
+              resolve6(data);
           });
         });
       }
@@ -252382,12 +252382,12 @@ type XMLHttpRequestResponseType = "" | "arraybuffer" | "blob" | "document" | "js
         return fs__namespace.readFileSync(filePath, encoding);
       }
       async writeFile(filePath, fileText) {
-        await new Promise((resolve5, reject) => {
+        await new Promise((resolve6, reject) => {
           fs__namespace.writeFile(filePath, fileText, (err) => {
             if (err)
               reject(err);
             else
-              resolve5();
+              resolve6();
           });
         });
       }
@@ -252401,12 +252401,12 @@ type XMLHttpRequestResponseType = "" | "arraybuffer" | "blob" | "document" | "js
         fs__namespace.mkdirSync(dirPath, { recursive: true });
       }
       move(srcPath, destPath) {
-        return new Promise((resolve5, reject) => {
+        return new Promise((resolve6, reject) => {
           fs__namespace.rename(srcPath, destPath, (err) => {
             if (err)
               reject(err);
             else
-              resolve5();
+              resolve6();
           });
         });
       }
@@ -252414,12 +252414,12 @@ type XMLHttpRequestResponseType = "" | "arraybuffer" | "blob" | "document" | "js
         fs__namespace.renameSync(srcPath, destPath);
       }
       copy(srcPath, destPath) {
-        return new Promise((resolve5, reject) => {
+        return new Promise((resolve6, reject) => {
           fs__namespace.copyFile(srcPath, destPath, (err) => {
             if (err)
               reject(err);
             else
-              resolve5();
+              resolve6();
           });
         });
       }
@@ -252427,15 +252427,15 @@ type XMLHttpRequestResponseType = "" | "arraybuffer" | "blob" | "document" | "js
         fs__namespace.copyFileSync(srcPath, destPath);
       }
       stat(path2) {
-        return new Promise((resolve5, reject) => {
+        return new Promise((resolve6, reject) => {
           fs__namespace.stat(path2, (err, stat) => {
             if (err) {
               if (err.code === "ENOENT" || err.code === "ENOTDIR")
-                resolve5(void 0);
+                resolve6(void 0);
               else
                 reject(err);
             } else {
-              resolve5(stat);
+              resolve6(stat);
             }
           });
         });
@@ -276702,7 +276702,7 @@ var Y2 = ({ indicator: t = "dots" } = {}) => {
 // src/cli/index.ts
 var import_picocolors16 = __toESM(require_picocolors(), 1);
 var import_fs11 = require("fs");
-var import_path6 = require("path");
+var import_path7 = require("path");
 var import_child_process2 = require("child_process");
 // src/cli/migrate.ts
@@ -276775,6 +276775,7 @@ var ERROR_CODES = {
   issuer_register_forbidden: wire("permission", 403, false, "Registering a trusted issuer requires a secret (sk_) API key."),
   capability_invalid: wire("capability", 403, false, "The capability is unknown, revoked, or expired."),
   test_database_not_registered: wire("permission", 403, false, "Test mode requires a registered dev database for this org \u2014 run `npx ablo init`, or construct the client with `databaseUrl` using your test key."),
+  tenant_routing_failed: wire("server", 500, true, "The org's registered database could not be resolved or dialed. Ablo never falls back to shared storage for a dedicated tenant \u2014 retry, and check the datasource status if it persists."),
   database_role_cannot_enforce_rls: wire("permission", 403, false, "The connected database role cannot enforce row-level security (superuser or BYPASSRLS)."),
   database_role_unreadable: wire("permission", 403, false, "The connected database role could not be introspected."),
   database_tables_unforced_rls: wire("permission", 403, false, "Synced tables in the connected database do not have FORCE ROW LEVEL SECURITY applied."),
@@ -277089,6 +277090,7 @@ var ErrorBodyShapeSchema = import_zod2.z.object({
 // src/cli/migrate.ts
 var import_picocolors3 = __toESM(require_picocolors(), 1);
 var import_fs4 = require("fs");
+var import_path3 = require("path");
 // node_modules/postgres/src/index.js
 init_cjs_shims();
@@ -277106,9 +277108,9 @@ var originError = /* @__PURE__ */ Symbol("OriginError");
 var CLOSE = {};
 var Query = class extends Promise {
   constructor(strings, args, handler, canceller, options = {}) {
-    let resolve5, reject;
+    let resolve6, reject;
     super((a, b4) => {
-      resolve5 = a;
+      resolve6 = a;
       reject = b4;
     });
     this.tagged = Array.isArray(strings.raw);
@@ -277119,7 +277121,7 @@ var Query = class extends Promise {
     this.options = options;
     this.state = null;
     this.statement = null;
-    this.resolve = (x2) => (this.active = false, resolve5(x2));
+    this.resolve = (x2) => (this.active = false, resolve6(x2));
     this.reject = (x2) => (this.active = false, reject(x2));
     this.active = false;
     this.cancelled = null;
@@ -277167,12 +277169,12 @@ var Query = class extends Promise {
           if (this.executed && !this.active)
             return { done: true };
           prev && prev();
-          const promise = new Promise((resolve5, reject) => {
+          const promise = new Promise((resolve6, reject) => {
             this.cursorFn = (value) => {
-              resolve5({ value, done: false });
+              resolve6({ value, done: false });
               return new Promise((r2) => prev = r2);
             };
-            this.resolve = () => (this.active = false, resolve5({ done: true }));
+            this.resolve = () => (this.active = false, resolve6({ done: true }));
             this.reject = (x2) => (this.active = false, reject(x2));
           });
           this.execute();
@@ -277804,12 +277806,12 @@ function Connection(options, queues = {}, { onopen = noop, onend = noop, onclose
     x2.on("drain", drain);
     return x2;
   }
-  async function cancel({ pid, secret }, resolve5, reject) {
+  async function cancel({ pid, secret }, resolve6, reject) {
     try {
       cancelMessage = bytes_default().i32(16).i32(80877102).i32(pid).i32(secret).end(16);
       await connect();
       socket.once("error", reject);
-      socket.once("close", resolve5);
+      socket.once("close", resolve6);
     } catch (error2) {
       reject(error2);
     }
@@ -278758,7 +278760,7 @@ function parseEvent(x2) {
 init_cjs_shims();
 var import_stream2 = __toESM(require("stream"), 1);
 function largeObject(sql, oid, mode2 = 131072 | 262144) {
-  return new Promise(async (resolve5, reject) => {
+  return new Promise(async (resolve6, reject) => {
     await sql.begin(async (sql2) => {
       let finish;
       !oid && ([{ oid }] = await sql2`select lo_creat(-1) as oid`);
@@ -278784,7 +278786,7 @@ function largeObject(sql, oid, mode2 = 131072 | 262144) {
           ) seek
         `
       };
-      resolve5(lo);
+      resolve6(lo);
       return new Promise(async (r2) => finish = r2);
       async function readable({
         highWaterMark = 2048 * 8,
@@ -278958,8 +278960,8 @@ function Postgres(a, b4) {
   }
   async function reserve() {
     const queue = queue_default();
-    const c = open.length ? open.shift() : await new Promise((resolve5, reject) => {
-      const query = { reserve: resolve5, reject };
+    const c = open.length ? open.shift() : await new Promise((resolve6, reject) => {
+      const query = { reserve: resolve6, reject };
       queries.push(query);
       closed.length && connect(closed.shift(), query);
     });
@@ -278996,9 +278998,9 @@ function Postgres(a, b4) {
       let uncaughtError, result;
       name && await sql2`savepoint ${sql2(name)}`;
       try {
-        result = await new Promise((resolve5, reject) => {
+        result = await new Promise((resolve6, reject) => {
           const x2 = fn2(sql2);
-          Promise.resolve(Array.isArray(x2) ? Promise.all(x2) : x2).then(resolve5, reject);
+          Promise.resolve(Array.isArray(x2) ? Promise.all(x2) : x2).then(resolve6, reject);
         });
         if (uncaughtError)
           throw uncaughtError;
@@ -279055,8 +279057,8 @@ function Postgres(a, b4) {
     return c.execute(query) ? move(c, busy) : move(c, full);
   }
   function cancel(query) {
-    return new Promise((resolve5, reject) => {
-      query.state ? query.active ? connection_default(options).cancel(query.state, resolve5, reject) : query.cancelled = { resolve: resolve5, reject } : (queries.remove(query), query.cancelled = true, query.reject(Errors.generic("57014", "canceling statement due to user request")), resolve5());
+    return new Promise((resolve6, reject) => {
+      query.state ? query.active ? connection_default(options).cancel(query.state, resolve6, reject) : query.cancelled = { resolve: resolve6, reject } : (queries.remove(query), query.cancelled = true, query.reject(Errors.generic("57014", "canceling statement due to user request")), resolve6());
     });
   }
   async function end({ timeout = null } = {}) {
@@ -279075,11 +279077,11 @@ function Postgres(a, b4) {
   async function close() {
     await Promise.all(connections.map((c) => c.end()));
   }
-  async function destroy(resolve5) {
+  async function destroy(resolve6) {
     await Promise.all(connections.map((c) => c.terminate()));
     while (queries.length)
       queries.shift().reject(Errors.connection("CONNECTION_DESTROYED", options));
-    resolve5();
+    resolve6();
   }
   function connect(c, query) {
     move(c, connecting);
@@ -279224,6 +279226,81 @@ function osUsername() {
   }
 }
+// src/cli/dbRole.ts
+init_cjs_shims();
+var import_crypto2 = require("crypto");
+var DEFAULT_SCOPED_ROLE = "ablo_app";
+async function detectRoleSafety(sql) {
+  const rows = await sql`SELECT rolname, rolsuper, rolbypassrls FROM pg_roles WHERE rolname = current_user`;
+  const row = rows[0];
+  if (!row) return { role: "unknown", superuser: false, bypassRls: false, unsafe: false };
+  return {
+    role: row.rolname,
+    superuser: row.rolsuper,
+    bypassRls: row.rolbypassrls,
+    unsafe: row.rolsuper || row.rolbypassrls
+  };
+}
+function generateRolePassword() {
+  return (0, import_crypto2.randomBytes)(24).toString("base64url");
+}
+function scramSha256Verifier(password, iterations = 4096) {
+  const salt = (0, import_crypto2.randomBytes)(16);
+  const saltedPassword = (0, import_crypto2.pbkdf2Sync)(password, salt, iterations, 32, "sha256");
+  const clientKey = (0, import_crypto2.createHmac)("sha256", saltedPassword).update("Client Key").digest();
+  const storedKey = (0, import_crypto2.createHash)("sha256").update(clientKey).digest();
+  const serverKey = (0, import_crypto2.createHmac)("sha256", saltedPassword).update("Server Key").digest();
+  return `SCRAM-SHA-256$${iterations}:${salt.toString("base64")}$${storedKey.toString("base64")}:${serverKey.toString("base64")}`;
+}
+function scopedRoleStatements(input) {
+  const role = input.role ?? DEFAULT_SCOPED_ROLE;
+  const q2 = (id) => `"${id.replace(/"/g, '""')}"`;
+  const pw = (input.passwordMode ?? "scram-verifier") === "scram-verifier" ? scramSha256Verifier(input.password) : input.password.replace(/'/g, "''");
+  return [
+    `DO $$ BEGIN
+  CREATE ROLE ${q2(role)} LOGIN PASSWORD '${pw}'
+    NOSUPERUSER NOBYPASSRLS NOCREATEDB NOCREATEROLE;
+EXCEPTION WHEN duplicate_object THEN
+  -- Rerun: rotate ONLY the password. Re-asserting attributes here trips
+  -- managed-Postgres permission walls (Neon: "permission denied to alter
+  -- role" for attribute changes by non-superusers); the attributes were set
+  -- at creation, and the server-side probe still audits the live role.
+  ALTER ROLE ${q2(role)} WITH LOGIN PASSWORD '${pw}';
+END $$;`,
+    `GRANT CREATE, CONNECT ON DATABASE ${q2(input.database)} TO ${q2(role)};`,
+    `GRANT CREATE, USAGE ON SCHEMA public TO ${q2(role)};`
+  ];
+}
+function rewriteDatabaseUrl(ownerUrl, role, password) {
+  const url = new URL(ownerUrl);
+  url.username = role;
+  url.password = password;
+  return url.toString();
+}
+async function createScopedRole(ownerUrl, options) {
+  const role = options?.role ?? DEFAULT_SCOPED_ROLE;
+  const password = generateRolePassword();
+  const database = new URL(ownerUrl).pathname.replace(/^\//, "") || "postgres";
+  const sql = src_default(ownerUrl, { max: 1, prepare: false, onnotice: () => {
+  } });
+  try {
+    try {
+      for (const statement of scopedRoleStatements({ database, role, password })) {
+        await sql.unsafe(statement);
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      if (!/plaintext password/i.test(message)) throw err;
+      for (const statement of scopedRoleStatements({ database, role, password, passwordMode: "plaintext" })) {
+        await sql.unsafe(statement);
+      }
+    }
+  } finally {
+    await sql.end({ timeout: 5 });
+  }
+  return { role, databaseUrl: rewriteDatabaseUrl(ownerUrl, role, password) };
+}
 // src/cli/migrate.ts
 var import_schema2 = require("@abloatai/ablo/schema");
 var import_source = require("@abloatai/ablo/source");
@@ -279500,9 +279577,9 @@ async function push(argv) {
     }
     console.error(import_picocolors2.default.dim(`  Re-push with ${import_picocolors2.default.bold("--force")} to override, or use ${import_picocolors2.default.bold("--rename old:new")} if you renamed a model.`));
   } else if (status2 === 403) {
-    console.error(import_picocolors2.default.red(`  Forbidden: ${body.reason ?? "key lacks schema:push scope"}.`));
+    console.error(import_picocolors2.default.red(`  Forbidden: ${body.message ?? body.reason ?? "key lacks schema:push scope"}`));
   } else {
-    console.error(import_picocolors2.default.red(`  Push failed (${status2}): ${body.reason ?? bodyText}`));
+    console.error(import_picocolors2.default.red(`  Push failed (${status2}): ${body.message ?? body.reason ?? bodyText}`));
   }
   process.exit(1);
 }
@@ -279595,7 +279672,7 @@ async function applyStatements(dbUrl, targetSchema, statements, concurrent = [])
         if (pg.code === PG_LOCK_NOT_AVAILABLE && attempt < MAX_LOCK_ATTEMPTS) {
           const backoffMs = Math.min(6e4, 10 * 2 ** attempt) + Math.floor(Math.random() * 50);
           log.warn("schema change blocked by a lock; backing off and retrying", { targetSchema, attempt, backoffMs });
-          await new Promise((resolve5) => setTimeout(resolve5, backoffMs));
+          await new Promise((resolve6) => setTimeout(resolve6, backoffMs));
           continue;
         }
         throw err;
@@ -279653,18 +279730,96 @@ async function migrate(argv) {
     console.error(import_picocolors3.default.red("  Set DATABASE_URL (or ABLO_DATABASE_URL) to apply, or use --dry-run to preview."));
     process.exit(1);
   }
+  const effectiveUrl = await ensureScopedRole(dbUrl);
   try {
-    await applyStatements(dbUrl, args.targetSchema, plan.statements, plan.concurrent);
+    await applyStatements(effectiveUrl, args.targetSchema, plan.statements, plan.concurrent);
     console.log(`  ${import_picocolors3.default.green("\u2713")} Migration complete`);
   } catch {
     process.exit(1);
   }
 }
+async function ensureScopedRole(dbUrl) {
+  let safety;
+  try {
+    const sql = src_default(dbUrl, { max: 1, prepare: false, onnotice: () => {
+    } });
+    try {
+      safety = await detectRoleSafety(sql);
+    } finally {
+      await sql.end({ timeout: 5 });
+    }
+  } catch {
+    return dbUrl;
+  }
+  if (!safety.unsafe) return dbUrl;
+  const why = safety.superuser ? "a superuser" : "BYPASSRLS";
+  console.log(
+    `
+  ${import_picocolors3.default.yellow("!")} DATABASE_URL connects as ${import_picocolors3.default.bold(safety.role)} \u2014 ${why}, so row-level security can't be enforced.
+    Ablo's server will refuse this connection (${import_picocolors3.default.bold("database_role_cannot_enforce_rls")}).`
+  );
+  if (!process.stdout.isTTY) {
+    console.log(
+      import_picocolors3.default.dim(
+        `    Create a scoped role and update DATABASE_URL \u2014 run \`npx ablo migrate\` interactively
+    to do it automatically, or see https://docs.abloatai.com/quickstart#scoped-role`
+      )
+    );
+    return dbUrl;
+  }
+  const proceed = await ye({
+    message: `Create a scoped role ${DEFAULT_SCOPED_ROLE} (NOSUPERUSER, NOBYPASSRLS) and update DATABASE_URL?`,
+    initialValue: true
+  });
+  if (pD(proceed) || !proceed) {
+    console.log(import_picocolors3.default.dim("    Skipped \u2014 see https://docs.abloatai.com/quickstart#scoped-role for the manual recipe."));
+    return dbUrl;
+  }
+  const { role, databaseUrl } = await createScopedRole(dbUrl);
+  const where = persistDatabaseUrl(databaseUrl);
+  console.log(
+    `  ${import_picocolors3.default.green("\u2713")} Created role ${import_picocolors3.default.bold(role)} and updated ${import_picocolors3.default.bold("DATABASE_URL")} in ${import_picocolors3.default.bold(where)}.
+` + import_picocolors3.default.dim(`    The owner credential never left this machine; the new password was written, not printed.`)
+  );
+  return databaseUrl;
+}
+function persistDatabaseUrl(databaseUrl, cwd = process.cwd()) {
+  const line = `DATABASE_URL=${databaseUrl}`;
+  for (const name of [".env.local", ".env"]) {
+    const path = (0, import_path3.resolve)(cwd, name);
+    if (!(0, import_fs4.existsSync)(path)) continue;
+    const content = (0, import_fs4.readFileSync)(path, "utf8");
+    if (/^DATABASE_URL=/m.test(content)) {
+      (0, import_fs4.writeFileSync)(path, content.replace(/^DATABASE_URL=.*$/m, line));
+      return name;
+    }
+  }
+  const envLocal = (0, import_path3.resolve)(cwd, ".env.local");
+  if ((0, import_fs4.existsSync)(envLocal)) {
+    const content = (0, import_fs4.readFileSync)(envLocal, "utf8");
+    (0, import_fs4.appendFileSync)(envLocal, `${content.endsWith("\n") || content.length === 0 ? "" : "\n"}${line}
+`);
+  } else {
+    (0, import_fs4.writeFileSync)(envLocal, `${line}
+`, { mode: 384 });
+  }
+  const gitignorePath = (0, import_path3.resolve)(cwd, ".gitignore");
+  const gitignore = (0, import_fs4.existsSync)(gitignorePath) ? (0, import_fs4.readFileSync)(gitignorePath, "utf8") : "";
+  if (!/^(\.env\.local|\.env\*|\.env\.\*|\.env.*)$/m.test(gitignore)) {
+    (0, import_fs4.writeFileSync)(
+      gitignorePath,
+      `${gitignore.endsWith("\n") || gitignore.length === 0 ? gitignore : `${gitignore}
+`}.env.local
+`
+    );
+  }
+  return ".env.local";
+}
 // src/cli/generate.ts
 init_cjs_shims();
 var import_fs5 = require("fs");
-var import_path3 = require("path");
+var import_path4 = require("path");
 var import_picocolors4 = __toESM(require_picocolors(), 1);
 var import_schema3 = require("@abloatai/ablo/schema");
 var DEFAULT_SCHEMA_PATH3 = "ablo/schema.ts";
@@ -279709,8 +279864,8 @@ async function generate(argv) {
     console.error(import_picocolors4.default.red(`  ${err instanceof Error ? err.message : String(err)}`));
     process.exit(1);
   }
-  const abs = (0, import_path3.resolve)(process.cwd(), args.out);
-  (0, import_fs5.mkdirSync)((0, import_path3.dirname)(abs), { recursive: true });
+  const abs = (0, import_path4.resolve)(process.cwd(), args.out);
+  (0, import_fs5.mkdirSync)((0, import_path4.dirname)(abs), { recursive: true });
   (0, import_fs5.writeFileSync)(abs, source);
   console.log(`  ${import_picocolors4.default.green("\u2713")} Generated types \u2192 ${import_picocolors4.default.bold(args.out)}`);
 }
@@ -279719,7 +279874,7 @@ async function generate(argv) {
 init_cjs_shims();
 var import_picocolors5 = __toESM(require_picocolors(), 1);
 var import_fs6 = require("fs");
-var import_path4 = require("path");
+var import_path5 = require("path");
 var import_schema4 = require("@abloatai/ablo/schema");
 // src/cli/theme.ts
@@ -279786,7 +279941,7 @@ function classifyKey(apiKey) {
   return { ok: false, reason: `${import_picocolors5.default.bold("ABLO_API_KEY")} is not an Ablo key (expected ${import_picocolors5.default.bold("sk_test_\u2026")}).` };
 }
 function wireEnvLocal(apiKey, cwd = process.cwd()) {
-  const envPath = (0, import_path4.resolve)(cwd, ".env.local");
+  const envPath = (0, import_path5.resolve)(cwd, ".env.local");
   const line = `ABLO_API_KEY=${apiKey}`;
   let action;
   if (!(0, import_fs6.existsSync)(envPath)) {
@@ -279807,7 +279962,7 @@ function wireEnvLocal(apiKey, cwd = process.cwd()) {
       action = `Updated ${import_picocolors5.default.bold("ABLO_API_KEY")} in ${import_picocolors5.default.bold(".env.local")} ${import_picocolors5.default.dim(`(was ${match[1].slice(0, 12)}\u2026)`)}`;
     }
   }
-  const gitignorePath = (0, import_path4.resolve)(cwd, ".gitignore");
+  const gitignorePath = (0, import_path5.resolve)(cwd, ".gitignore");
   const gitignore = (0, import_fs6.existsSync)(gitignorePath) ? (0, import_fs6.readFileSync)(gitignorePath, "utf8") : "";
   const ignored = /^(\.env\.local|\.env\*|\.env\.\*|\.env.*)$/m.test(gitignore);
   let gitignoreNote = "";
@@ -279848,15 +280003,15 @@ async function runPush(schema, args) {
     return { ok: false, message: lines.join("\n") };
   }
   if (status2 === 403) {
+    const serverSays = body.message ?? body.reason;
+    const hint = body.code === "database_role_cannot_enforce_rls" ? `Run ${import_picocolors5.default.bold("npx ablo migrate")} \u2014 it creates the scoped role for you (your DB credential never leaves this machine).` : `Schema authoring needs a ${import_picocolors5.default.bold("sandbox")} key with ${import_picocolors5.default.bold("schema:push")} \u2014 manage keys at ${import_picocolors5.default.cyan("https://abloatai.com")}.`;
     return {
       ok: false,
-      message: `This key can't author schema (${body.reason ?? "missing schema:push scope"}).
-` + import_picocolors5.default.dim(
-        `Use a ${import_picocolors5.default.bold("sandbox")} key, or one with ${import_picocolors5.default.bold("schema authoring")} enabled at ${import_picocolors5.default.cyan("https://abloatai.com")}.`
-      )
+      message: `${serverSays ?? "This key can't author schema (missing schema:push scope)."}
+` + import_picocolors5.default.dim(hint)
     };
   }
-  return { ok: false, message: `Push failed (${status2}): ${body.reason ?? bodyText}` };
+  return { ok: false, message: `Push failed (${status2}): ${body.message ?? body.reason ?? bodyText}` };
 }
 async function dev(argv) {
   let args;
@@ -279898,7 +280053,7 @@ async function dev(argv) {
   }
   console.log(`  Your app is wired for the sandbox.`);
   if (!args.watch) return;
-  const abs = (0, import_path4.resolve)(process.cwd(), args.schemaPath);
+  const abs = (0, import_path5.resolve)(process.cwd(), args.schemaPath);
   console.log(`  ${import_picocolors5.default.dim(`watching ${args.schemaPath} \u2026 (Ctrl-C to stop)`)}
 `);
   let timer2 = null;
@@ -281297,7 +281452,7 @@ async function prismaPull(argv) {
 init_cjs_shims();
 var import_picocolors15 = __toESM(require_picocolors(), 1);
 var import_fs10 = require("fs");
-var import_path5 = require("path");
+var import_path6 = require("path");
 var DEFAULT_OUT4 = "ablo/schema.ts";
 var DEFAULT_IMPORT3 = "@abloatai/ablo/schema";
 var BASE_FIELD_NAMES2 = /* @__PURE__ */ new Set(["id", "organizationId", "createdBy", "createdAt", "updatedAt"]);
@@ -281423,7 +281578,7 @@ function parseDrizzlePullArgs(argv) {
 async function loadModule(path) {
   const { createJiti } = await import("jiti");
   const jiti = createJiti(process.cwd());
-  const mod = await jiti.import((0, import_path5.resolve)(path));
+  const mod = await jiti.import((0, import_path6.resolve)(path));
   return mod;
 }
 async function drizzlePull(argv) {
@@ -281731,13 +281886,13 @@ async function init(args = []) {
       }
     }
   }
-  (0, import_fs11.writeFileSync)((0, import_path6.join)(abloDir, "schema.ts"), schemaSource);
+  (0, import_fs11.writeFileSync)((0, import_path7.join)(abloDir, "schema.ts"), schemaSource);
   created.push(`${abloDir}/schema.ts${schemaNote}`);
-  (0, import_fs11.writeFileSync)((0, import_path6.join)(abloDir, "index.ts"), generateSyncConfig(auth, storage));
+  (0, import_fs11.writeFileSync)((0, import_path7.join)(abloDir, "index.ts"), generateSyncConfig(auth, storage));
   created.push(`${abloDir}/index.ts`);
   const orm = detectOrm(opts.orm);
   if (storage === "endpoint") {
-    (0, import_fs11.writeFileSync)((0, import_path6.join)(abloDir, "data-source.ts"), generateDataSource(orm));
+    (0, import_fs11.writeFileSync)((0, import_path7.join)(abloDir, "data-source.ts"), generateDataSource(orm));
     created.push(`${abloDir}/data-source.ts${orm === "drizzle" ? " (Drizzle)" : " (Prisma)"}`);
   }
   const envFile = framework === "nextjs" ? ".env.local" : ".env";
@@ -281754,25 +281909,25 @@ async function init(args = []) {
     }
   }
   if (agent) {
-    (0, import_fs11.writeFileSync)((0, import_path6.join)(abloDir, "agent.ts"), generateAgent());
+    (0, import_fs11.writeFileSync)((0, import_path7.join)(abloDir, "agent.ts"), generateAgent());
     created.push(`${abloDir}/agent.ts`);
   }
   if (framework === "nextjs") {
     if (storage === "endpoint") {
-      const webhookDir = (0, import_path6.join)("app", "api", "ablo", "webhooks");
+      const webhookDir = (0, import_path7.join)("app", "api", "ablo", "webhooks");
       (0, import_fs11.mkdirSync)(webhookDir, { recursive: true });
-      (0, import_fs11.writeFileSync)((0, import_path6.join)(webhookDir, "route.ts"), generateWebhookRoute(orm));
+      (0, import_fs11.writeFileSync)((0, import_path7.join)(webhookDir, "route.ts"), generateWebhookRoute(orm));
       created.push(`${webhookDir}/route.ts${orm === "prisma" ? " (Prisma mirror)" : " (add your database write)"}`);
     }
-    (0, import_fs11.writeFileSync)((0, import_path6.join)("app", "providers.tsx"), generateProviders());
+    (0, import_fs11.writeFileSync)((0, import_path7.join)("app", "providers.tsx"), generateProviders());
     created.push(`app/providers.tsx ${import_picocolors16.default.dim("(wrap app/layout.tsx in <Providers>)")}`);
-    const sessionDir = (0, import_path6.join)("app", "api", "ablo-session");
+    const sessionDir = (0, import_path7.join)("app", "api", "ablo-session");
     (0, import_fs11.mkdirSync)(sessionDir, { recursive: true });
-    (0, import_fs11.writeFileSync)((0, import_path6.join)(sessionDir, "route.ts"), generateSessionRoute());
+    (0, import_fs11.writeFileSync)((0, import_path7.join)(sessionDir, "route.ts"), generateSessionRoute());
     created.push(`app/api/ablo-session/route.ts ${import_picocolors16.default.dim("(wire your auth)")}`);
   }
   if (framework !== "vanilla") {
-    (0, import_fs11.writeFileSync)((0, import_path6.join)(abloDir, "TaskList.tsx"), generateComponent());
+    (0, import_fs11.writeFileSync)((0, import_path7.join)(abloDir, "TaskList.tsx"), generateComponent());
     created.push(`${abloDir}/TaskList.tsx`);
   }
   Me(created.map((f) => `${import_picocolors16.default.green("\u2713")} ${f}`).join("\n"), "Created");

package/dist/errorCodes.d.ts CHANGED Viewed

@@ -139,6 +139,7 @@ export declare const ERROR_CODES: {
     readonly issuer_register_forbidden: ErrorCodeSpec;
     readonly capability_invalid: ErrorCodeSpec;
     readonly test_database_not_registered: ErrorCodeSpec;
+    readonly tenant_routing_failed: ErrorCodeSpec;
     readonly database_role_cannot_enforce_rls: ErrorCodeSpec;
     readonly database_role_unreadable: ErrorCodeSpec;
     readonly database_tables_unforced_rls: ErrorCodeSpec;

package/dist/errorCodes.js CHANGED Viewed

@@ -130,6 +130,7 @@ export const ERROR_CODES = {
     issuer_register_forbidden: wire('permission', 403, false, 'Registering a trusted issuer requires a secret (sk_) API key.'),
     capability_invalid: wire('capability', 403, false, 'The capability is unknown, revoked, or expired.'),
     test_database_not_registered: wire('permission', 403, false, 'Test mode requires a registered dev database for this org — run `npx ablo init`, or construct the client with `databaseUrl` using your test key.'),
+    tenant_routing_failed: wire('server', 500, true, "The org's registered database could not be resolved or dialed. Ablo never falls back to shared storage for a dedicated tenant — retry, and check the datasource status if it persists."),
     database_role_cannot_enforce_rls: wire('permission', 403, false, 'The connected database role cannot enforce row-level security (superuser or BYPASSRLS).'),
     database_role_unreadable: wire('permission', 403, false, 'The connected database role could not be introspected.'),
     database_tables_unforced_rls: wire('permission', 403, false, 'Synced tables in the connected database do not have FORCE ROW LEVEL SECURITY applied.'),

package/docs/quickstart.md CHANGED Viewed

@@ -74,7 +74,26 @@ export const ablo = Ablo({
 Use a dedicated **non-superuser role** for the connection — Ablo enforces
 tenant isolation with row-level security, so the server rejects superuser or
-`BYPASSRLS` roles outright.
+`BYPASSRLS` roles outright (`database_role_cannot_enforce_rls`).
+> **Neon / Supabase note:** the connection string those dashboards hand you
+> uses the database OWNER role (e.g. `neondb_owner`), which is `BYPASSRLS` —
+> Ablo will reject it. You don't have to fix that by hand: `npx ablo migrate`
+> detects the unsafe role and offers to create the scoped one for you — from
+> your machine, so the owner credential never reaches Ablo. It writes the new
+> `DATABASE_URL` into your env file (the generated password is never printed).
+>
+> Prefer to do it manually? The equivalent SQL:
+>
+> ```sql
+> CREATE ROLE ablo_app LOGIN PASSWORD '<strong password>'
+>   NOSUPERUSER NOBYPASSRLS NOCREATEDB NOCREATEROLE;
+> GRANT CREATE, CONNECT ON DATABASE <your_db> TO ablo_app;
+> GRANT CREATE, USAGE ON SCHEMA public TO ablo_app;
+> ```
+>
+> Then swap the user/password in the dashboard's string:
+> `postgres://ablo_app:<password>@<same-host>/<same-db>?sslmode=require`.
 Don't want a connection string to leave your infrastructure? Keep
 `DATABASE_URL` in your app only and expose one signed **Data Source endpoint**

package/llms-full.txt CHANGED Viewed

@@ -142,6 +142,15 @@ This applies to any API-backed app: Python, Rails, Go, or Node. The backend keep
 its service layer and DB credentials. Ablo gets a Data Source endpoint and uses
 `ABLO_API_KEY`, not a database URL.
+When the user DOES use the connection-string path (`Ablo({ databaseUrl })` /
+`DATABASE_URL` at init): the role must be NON-superuser and NON-BYPASSRLS —
+Ablo enforces row-level security and rejects owner roles with
+`database_role_cannot_enforce_rls`. Neon's and Supabase's default dashboard
+strings use the database OWNER (e.g. `neondb_owner`) and ARE rejected. EASIEST: have the user run `npx ablo migrate` — it detects the unsafe role and creates the scoped one automatically from their machine (owner credential never reaches Ablo; new DATABASE_URL written to the env file). Manual alternative — create a scoped role first (`CREATE ROLE ablo_app LOGIN PASSWORD '...'
+NOSUPERUSER NOBYPASSRLS; GRANT CREATE, CONNECT ON DATABASE <db> TO ablo_app;
+GRANT CREATE, USAGE ON SCHEMA public TO ablo_app;`), then swap user/password
+into the same host/db string.
 ## Client Behavior
 The options that matter: `schema` and `apiKey`. Everything else

package/llms.txt CHANGED Viewed

@@ -120,6 +120,8 @@ Do not add `databaseURL` to `Ablo(...)`. Application and agent code use `ABLO_AP
 Every schema model is backed by a database, and the default is YOUR OWN. Keep your rows in your Postgres and expose a Data Source endpoint that hands Ablo an ORM `adapter` (Drizzle is the default; Prisma and Kysely are also supported) — it owns the transaction, exactly-once idempotency, and outbox in ONE pass (no hand-written `commit`/`events`). Your `DATABASE_URL` lives in your app, never in `Ablo(...)`; run `npx ablo migrate` to provision the synced-model tables in your DB.
+GOTCHA the user WILL hit: `DATABASE_URL` must use a NON-superuser, NON-BYPASSRLS role (Ablo enforces row-level security; owner roles are rejected with `database_role_cannot_enforce_rls`). Neon's and Supabase's default dashboard connection strings use the database OWNER (e.g. `neondb_owner`) and are rejected. EASIEST: `npx ablo migrate` detects the unsafe role and creates the scoped one automatically from the user's machine (owner credential never reaches Ablo; new DATABASE_URL written to the env file). Manual alternative — create a scoped role first: `CREATE ROLE ablo_app LOGIN PASSWORD '...' NOSUPERUSER NOBYPASSRLS; GRANT CREATE, CONNECT ON DATABASE <db> TO ablo_app; GRANT CREATE, USAGE ON SCHEMA public TO ablo_app;` — then swap user/password into the same host/db string.
 ```ts
 // app/api/ablo/source/route.ts
 import { dataSourceNext } from '@abloatai/ablo/source/next';

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@abloatai/ablo",
-  "version": "0.9.4",
+  "version": "0.9.5",
   "description": "State control API for AI agents and collaborative apps.",
   "license": "Apache-2.0",
   "type": "module",