@elevasis/core 0.34.2 → 0.35.0

package/src/supabase/__tests__/helpers.test.ts

@@ -1,51 +1,92 @@
-import { describe, it, expect } from 'vitest'
-import { sanitizePostgrestValue } from '../helpers'
-
-describe('sanitizePostgrestValue', () => {
-  it('passes through normal search strings unchanged', () => {
-    expect(sanitizePostgrestValue('hello')).toBe('hello')
-    expect(sanitizePostgrestValue('John Doe')).toBe('John Doe')
-    expect(sanitizePostgrestValue('test@example.com')).toBe('test@example.com')
-  })
-
-  it('strips commas that would split .or() conditions', () => {
-    expect(sanitizePostgrestValue('foo,bar')).toBe('foobar')
-    expect(sanitizePostgrestValue('a,b,c')).toBe('abc')
-  })
-
-  it('strips parentheses that would create logical grouping', () => {
-    expect(sanitizePostgrestValue('foo(bar)')).toBe('foobar')
-    expect(sanitizePostgrestValue('(test)')).toBe('test')
-  })
-
-  it('strips all special chars together', () => {
-    expect(sanitizePostgrestValue('test,name.eq.admin()')).toBe('testname.eq.admin')
-  })
-
-  it('preserves dots (safe in ilike values)', () => {
-    expect(sanitizePostgrestValue('example.com')).toBe('example.com')
-    expect(sanitizePostgrestValue('v1.2.3')).toBe('v1.2.3')
-  })
-
-  it('preserves percent and underscore (SQL wildcards used intentionally)', () => {
-    expect(sanitizePostgrestValue('100%')).toBe('100%')
-    expect(sanitizePostgrestValue('test_value')).toBe('test_value')
-  })
-
-  it('handles empty string', () => {
-    expect(sanitizePostgrestValue('')).toBe('')
-  })
-
-  it('prevents the specific attack vector: injecting extra filter conditions', () => {
-    // Without sanitization, this would produce:
-    //   name.ilike.%test,name.eq.secret%,domain.ilike.%test,name.eq.secret%
-    // PostgREST would parse "name.eq.secret%" as an additional filter condition
-    const malicious = 'test,name.eq.secret'
-    const sanitized = sanitizePostgrestValue(malicious)
-    const filter = `name.ilike.%${sanitized}%,domain.ilike.%${sanitized}%`
-
-    // Should produce exactly 2 conditions (one comma separator)
-    const topLevelCommas = filter.split(',').length - 1
-    expect(topLevelCommas).toBe(1)
-  })
-})
+import { describe, it, expect } from 'vitest'
+import { eqOrgId, sanitizePostgrestValue } from '../helpers'
+import { brandSupabaseOrgId, brandWorkOsOrgId } from '../../auth/multi-tenancy/org-id'
+
+describe('sanitizePostgrestValue', () => {
+  it('passes through normal search strings unchanged', () => {
+    expect(sanitizePostgrestValue('hello')).toBe('hello')
+    expect(sanitizePostgrestValue('John Doe')).toBe('John Doe')
+    expect(sanitizePostgrestValue('test@example.com')).toBe('test@example.com')
+  })
+
+  it('strips commas that would split .or() conditions', () => {
+    expect(sanitizePostgrestValue('foo,bar')).toBe('foobar')
+    expect(sanitizePostgrestValue('a,b,c')).toBe('abc')
+  })
+
+  it('strips parentheses that would create logical grouping', () => {
+    expect(sanitizePostgrestValue('foo(bar)')).toBe('foobar')
+    expect(sanitizePostgrestValue('(test)')).toBe('test')
+  })
+
+  it('strips all special chars together', () => {
+    expect(sanitizePostgrestValue('test,name.eq.admin()')).toBe('testname.eq.admin')
+  })
+
+  it('preserves dots (safe in ilike values)', () => {
+    expect(sanitizePostgrestValue('example.com')).toBe('example.com')
+    expect(sanitizePostgrestValue('v1.2.3')).toBe('v1.2.3')
+  })
+
+  it('preserves percent and underscore (SQL wildcards used intentionally)', () => {
+    expect(sanitizePostgrestValue('100%')).toBe('100%')
+    expect(sanitizePostgrestValue('test_value')).toBe('test_value')
+  })
+
+  it('handles empty string', () => {
+    expect(sanitizePostgrestValue('')).toBe('')
+  })
+
+  it('prevents the specific attack vector: injecting extra filter conditions', () => {
+    // Without sanitization, this would produce:
+    //   name.ilike.%test,name.eq.secret%,domain.ilike.%test,name.eq.secret%
+    // PostgREST would parse "name.eq.secret%" as an additional filter condition
+    const malicious = 'test,name.eq.secret'
+    const sanitized = sanitizePostgrestValue(malicious)
+    const filter = `name.ilike.%${sanitized}%,domain.ilike.%${sanitized}%`
+
+    // Should produce exactly 2 conditions (one comma separator)
+    const topLevelCommas = filter.split(',').length - 1
+    expect(topLevelCommas).toBe(1)
+  })
+})
+
+/** Minimal stand-in for a PostgREST filter builder: records `.eq` calls, returns itself for chaining. */
+function createMockQuery() {
+  const calls: Array<[string, string]> = []
+  const query = {
+    calls,
+    eq(column: 'organization_id', value: string) {
+      calls.push([column, value])
+      return query
+    }
+  }
+  return query
+}
+
+describe('eqOrgId', () => {
+  it('applies an organization_id equality filter and returns the same builder for chaining', () => {
+    const query = createMockQuery()
+    const id = brandSupabaseOrgId('2ac228f7-a0a1-49f9-920e-8a348f5253d3')
+
+    const result = eqOrgId(query, id)
+
+    expect(result).toBe(query)
+    expect(query.calls).toEqual([['organization_id', id]])
+  })
+
+  it('rejects the dual-org-ID swap at compile time', () => {
+    // Compile-time guard. The standing CI gate lives at the Supabase-direct call sites in
+    // command-center (which `check-types`), since @repo/core excludes test files from check-types
+    // (see memory: reference_package_test_typecheck). These assertions document + dev-hook-enforce it.
+    const query = createMockQuery()
+    const workOsId = brandWorkOsOrgId('org_01K64D59CA5J3PJCWJFQV87PPN')
+
+    // @ts-expect-error a WorkOsOrgId must not be accepted where a SupabaseOrgId is required
+    eqOrgId(query, workOsId)
+    // @ts-expect-error a raw string must not be accepted either
+    eqOrgId(query, 'plain-string')
+
+    expect(query.calls).toHaveLength(2)
+  })
+})

package/src/supabase/helpers.ts

@@ -1,20 +1,40 @@
-import type { Database, Tables, TablesInsert, TablesUpdate } from './database.types'
-
-export type TableRow<T extends keyof Database['public']['Tables']> = Tables<T>
-export type TableInsert<T extends keyof Database['public']['Tables']> = TablesInsert<T>
-export type TableUpdate<T extends keyof Database['public']['Tables']> = TablesUpdate<T>
-
-export type SupabaseFunction<T extends keyof Database['public']['Functions']> = Database['public']['Functions'][T]
-
-/**
- * Strip characters that have special meaning in PostgREST filter syntax.
- * Use on user-supplied search strings before interpolating into `.or()` filter expressions.
- *
- * PostgREST uses `,` as the OR separator and `(` / `)` for logical grouping.
- * The supabase-js `.or()` method passes strings as-is with no escaping.
- */
-export function sanitizePostgrestValue(value: string): string {
-  return value.replace(/[,()]/g, '')
-}
-
-export type UpsertUserProfileResult = SupabaseFunction<'upsert_user_profile'>['Returns'][0]
+import type { Database, Tables, TablesInsert, TablesUpdate } from './database.types'
+import type { SupabaseOrgId } from '../auth/multi-tenancy/org-id'
+
+export type TableRow<T extends keyof Database['public']['Tables']> = Tables<T>
+export type TableInsert<T extends keyof Database['public']['Tables']> = TablesInsert<T>
+export type TableUpdate<T extends keyof Database['public']['Tables']> = TablesUpdate<T>
+
+export type SupabaseFunction<T extends keyof Database['public']['Functions']> = Database['public']['Functions'][T]
+
+/**
+ * Strip characters that have special meaning in PostgREST filter syntax.
+ * Use on user-supplied search strings before interpolating into `.or()` filter expressions.
+ *
+ * PostgREST uses `,` as the OR separator and `(` / `)` for logical grouping.
+ * The supabase-js `.or()` method passes strings as-is with no escaping.
+ */
+export function sanitizePostgrestValue(value: string): string {
+  return value.replace(/[,()]/g, '')
+}
+
+/**
+ * Typed seam for organization-scoped Supabase filters.
+ *
+ * Supabase's `.eq()` accepts any string, so `.eq('organization_id', workOsOrgId)` compiles
+ * cleanly even though the column holds the Supabase UUID — the exact dual-org-ID swap we want
+ * to prevent. Routing org filters through this helper forces a `SupabaseOrgId`, turning that
+ * swap into a compile error while leaving the query-builder chain otherwise unchanged.
+ *
+ * The structural `Q` constraint matches any PostgREST filter builder (its `.eq` returns `this`),
+ * so the helper is independent of the supabase-js generic shape.
+ *
+ * @example
+ * let query = supabase.from('acq_companies').select('*')
+ * query = eqOrgId(query, currentSupabaseOrganizationId) // currentSupabaseOrganizationId: SupabaseOrgId
+ */
+export function eqOrgId<Q extends { eq(column: 'organization_id', value: string): Q }>(query: Q, id: SupabaseOrgId): Q {
+  return query.eq('organization_id', id)
+}
+
+export type UpsertUserProfileResult = SupabaseFunction<'upsert_user_profile'>['Returns'][0]

package/src/supabase/index.ts

@@ -1,52 +1,52 @@
-import type { Database, Tables, TablesInsert, TablesUpdate } from './database.types'
-
-export type { Database, Tables, TablesInsert, TablesUpdate, Enums, CompositeTypes, Json } from './database.types'
-
-export { Constants } from './database.types'
-
-export type SupabaseClient = import('@supabase/supabase-js').SupabaseClient<Database>
-
-// Note: supabaseClient is a server-only export available via @repo/core/server
-// DO NOT export it from the main entry point to prevent browser bundling
-
-export type SupabaseUserProfile = Tables<'users'>
-export type SupabaseOrganization = Tables<'organizations'>
-export type SupabaseOrgMembership = Tables<'org_memberships'>
-export type SupabaseTaskSchedule = Tables<'task_schedules'>
-/** @deprecated Use SupabaseTaskSchedule instead. Alias for backward compatibility. */
-export type SupabaseScheduledTask = SupabaseTaskSchedule
-export type SupabaseCommandQueue = Tables<'command_queue'>
-export type SupabaseExecutionLogs = Tables<'execution_logs'>
-export type SupabaseApiKey = Tables<'api_keys'>
-/** API response type for API key list items (omits sensitive key_hash) */
-export type ApiKeyListItem = Omit<SupabaseApiKey, 'key_hash'>
-export type SupabaseOrganizationCredential = Tables<'credentials'>
-
-export type SupabaseUserProfileInsert = TablesInsert<'users'>
-export type SupabaseOrganizationInsert = TablesInsert<'organizations'>
-export type SupabaseTaskScheduleInsert = TablesInsert<'task_schedules'>
-/** @deprecated Use SupabaseTaskScheduleInsert instead. Alias for backward compatibility. */
-export type SupabaseScheduledTaskInsert = SupabaseTaskScheduleInsert
-export type SupabaseCommandQueueInsert = TablesInsert<'command_queue'>
-export type SupabaseApiKeyInsert = TablesInsert<'api_keys'>
-export type SupabaseExecutionLogsInsert = TablesInsert<'execution_logs'>
-export type SupabaseOrganizationCredentialInsert = TablesInsert<'credentials'>
-
-export type SupabaseUserProfileUpdate = TablesUpdate<'users'>
-export type SupabaseOrganizationUpdate = TablesUpdate<'organizations'>
-export type SupabaseTaskScheduleUpdate = TablesUpdate<'task_schedules'>
-/** @deprecated Use SupabaseTaskScheduleUpdate instead. Alias for backward compatibility. */
-export type SupabaseScheduledTaskUpdate = SupabaseTaskScheduleUpdate
-export type SupabaseCommandQueueUpdate = TablesUpdate<'command_queue'>
-export type SupabaseApiKeyUpdate = TablesUpdate<'api_keys'>
-export type SupabaseExecutionLogsUpdate = TablesUpdate<'execution_logs'>
-export type SupabaseOrganizationCredentialUpdate = TablesUpdate<'credentials'>
-
-// Export helper types and utilities
-export type { UpsertUserProfileResult } from './helpers'
-export { sanitizePostgrestValue } from './helpers'
-
-// Composite types for joined queries
-export type SupabaseMembershipWithOrganization = SupabaseOrgMembership & {
-  organization: SupabaseOrganization | null
-}
+import type { Database, Tables, TablesInsert, TablesUpdate } from './database.types'
+
+export type { Database, Tables, TablesInsert, TablesUpdate, Enums, CompositeTypes, Json } from './database.types'
+
+export { Constants } from './database.types'
+
+export type SupabaseClient = import('@supabase/supabase-js').SupabaseClient<Database>
+
+// Note: supabaseClient is a server-only export available via @repo/core/server
+// DO NOT export it from the main entry point to prevent browser bundling
+
+export type SupabaseUserProfile = Tables<'users'>
+export type SupabaseOrganization = Tables<'organizations'>
+export type SupabaseOrgMembership = Tables<'org_memberships'>
+export type SupabaseTaskSchedule = Tables<'task_schedules'>
+/** @deprecated Use SupabaseTaskSchedule instead. Alias for backward compatibility. */
+export type SupabaseScheduledTask = SupabaseTaskSchedule
+export type SupabaseCommandQueue = Tables<'command_queue'>
+export type SupabaseExecutionLogs = Tables<'execution_logs'>
+export type SupabaseApiKey = Tables<'api_keys'>
+/** API response type for API key list items (omits sensitive key_hash) */
+export type ApiKeyListItem = Omit<SupabaseApiKey, 'key_hash'>
+export type SupabaseOrganizationCredential = Tables<'credentials'>
+
+export type SupabaseUserProfileInsert = TablesInsert<'users'>
+export type SupabaseOrganizationInsert = TablesInsert<'organizations'>
+export type SupabaseTaskScheduleInsert = TablesInsert<'task_schedules'>
+/** @deprecated Use SupabaseTaskScheduleInsert instead. Alias for backward compatibility. */
+export type SupabaseScheduledTaskInsert = SupabaseTaskScheduleInsert
+export type SupabaseCommandQueueInsert = TablesInsert<'command_queue'>
+export type SupabaseApiKeyInsert = TablesInsert<'api_keys'>
+export type SupabaseExecutionLogsInsert = TablesInsert<'execution_logs'>
+export type SupabaseOrganizationCredentialInsert = TablesInsert<'credentials'>
+
+export type SupabaseUserProfileUpdate = TablesUpdate<'users'>
+export type SupabaseOrganizationUpdate = TablesUpdate<'organizations'>
+export type SupabaseTaskScheduleUpdate = TablesUpdate<'task_schedules'>
+/** @deprecated Use SupabaseTaskScheduleUpdate instead. Alias for backward compatibility. */
+export type SupabaseScheduledTaskUpdate = SupabaseTaskScheduleUpdate
+export type SupabaseCommandQueueUpdate = TablesUpdate<'command_queue'>
+export type SupabaseApiKeyUpdate = TablesUpdate<'api_keys'>
+export type SupabaseExecutionLogsUpdate = TablesUpdate<'execution_logs'>
+export type SupabaseOrganizationCredentialUpdate = TablesUpdate<'credentials'>
+
+// Export helper types and utilities
+export type { UpsertUserProfileResult } from './helpers'
+export { sanitizePostgrestValue, eqOrgId } from './helpers'
+
+// Composite types for joined queries
+export type SupabaseMembershipWithOrganization = SupabaseOrgMembership & {
+  organization: SupabaseOrganization | null
+}