@elizaos/plugin-sql 1.6.4-alpha.15 → 1.6.4-alpha.17

package/dist/node/index.node.js

@@ -7937,7 +7937,7 @@ var init_migration_service = __esm(() => {
 });
 
 // src/index.node.ts
-import { logger as logger12 } from "@elizaos/core";
+import { logger as logger13, stringToUuid } from "@elizaos/core";
 
 // src/pglite/adapter.ts
 import { logger as logger9 } from "@elizaos/core";
@@ -8173,6 +8173,7 @@ init_pg_core();
 var agentTable = pgTable("agents", {
   id: uuid("id").primaryKey().defaultRandom(),
   enabled: boolean("enabled").default(true).notNull(),
+  owner_id: uuid("owner_id"),
   createdAt: timestamp("created_at", { withTimezone: true }).default(sql`now()`).notNull(),
   updatedAt: timestamp("updated_at", { withTimezone: true }).default(sql`now()`).notNull(),
   name: text("name").notNull(),
@@ -8321,6 +8322,7 @@ __export(exports_schema, {
   roomTable: () => roomTable,
   relationshipTable: () => relationshipTable,
   participantTable: () => participantTable,
+  ownersTable: () => ownersTable,
   messageTable: () => messageTable,
   messageServerTable: () => messageServerTable,
   memoryTable: () => memoryTable,
@@ -8396,6 +8398,14 @@ var logTable = pgTable("logs", {
     foreignColumns: [entityTable.id]
   }).onDelete("cascade")
 ]);
+// src/schema/owners.ts
+init_drizzle_orm();
+init_pg_core();
+var ownersTable = pgTable("owners", {
+  id: uuid("id").primaryKey(),
+  createdAt: timestamp("created_at", { withTimezone: true }).default(sql`now()`).notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true }).default(sql`now()`).notNull()
+});
 // src/schema/participant.ts
 init_drizzle_orm();
 init_pg_core();
@@ -10943,8 +10953,13 @@ import { logger as logger11 } from "@elizaos/core";
 class PostgresConnectionManager {
   pool;
   db;
-  constructor(connectionString) {
-    this.pool = new Pool2({ connectionString });
+  constructor(connectionString, rlsOwnerId) {
+    const poolConfig = { connectionString };
+    if (rlsOwnerId) {
+      poolConfig.application_name = rlsOwnerId;
+      logger11.debug(`[RLS] Pool configured with application_name: ${rlsOwnerId}`);
+    }
+    this.pool = new Pool2(poolConfig);
     this.db = drizzle2(this.pool);
   }
   getDatabase() {
@@ -11028,6 +11043,246 @@ function resolvePgliteDir(dir, fallbackDir) {
 
 // src/index.node.ts
 init_migration_service();
+
+// src/rls.ts
+init_drizzle_orm();
+import { logger as logger12, validateUuid } from "@elizaos/core";
+async function installRLSFunctions(adapter) {
+  const db2 = adapter.db;
+  await db2.execute(sql`
+    CREATE TABLE IF NOT EXISTS owners (
+      id UUID PRIMARY KEY,
+      created_at TIMESTAMPTZ DEFAULT NOW() NOT NULL,
+      updated_at TIMESTAMPTZ DEFAULT NOW() NOT NULL
+    )
+  `);
+  await db2.execute(sql`
+    CREATE OR REPLACE FUNCTION current_owner_id() RETURNS UUID AS $$
+    DECLARE
+      app_name TEXT;
+    BEGIN
+      app_name := NULLIF(current_setting('application_name', TRUE), '');
+
+      -- Return NULL if application_name is not set or not a valid UUID
+      -- This allows admin queries to work without RLS restrictions
+      BEGIN
+        RETURN app_name::UUID;
+      EXCEPTION WHEN OTHERS THEN
+        RETURN NULL;
+      END;
+    END;
+    $$ LANGUAGE plpgsql STABLE;
+  `);
+  await db2.execute(sql`
+    CREATE OR REPLACE FUNCTION add_owner_isolation(
+      schema_name text,
+      table_name text
+    ) RETURNS void AS $$
+    DECLARE
+      full_table_name text;
+      column_exists boolean;
+      orphaned_count bigint;
+    BEGIN
+      full_table_name := schema_name || '.' || table_name;
+
+      -- Check if owner_id column already exists
+      SELECT EXISTS (
+        SELECT 1 FROM information_schema.columns
+        WHERE information_schema.columns.table_schema = schema_name
+          AND information_schema.columns.table_name = add_owner_isolation.table_name
+          AND information_schema.columns.column_name = 'owner_id'
+      ) INTO column_exists;
+
+      -- Add owner_id column if missing (DEFAULT populates it automatically for new rows)
+      IF NOT column_exists THEN
+        EXECUTE format('ALTER TABLE %I.%I ADD COLUMN owner_id UUID DEFAULT current_owner_id()', schema_name, table_name);
+
+        -- Backfill existing rows with current owner_id
+        -- This ensures all existing data belongs to the tenant that is enabling RLS
+        EXECUTE format('UPDATE %I.%I SET owner_id = current_owner_id() WHERE owner_id IS NULL', schema_name, table_name);
+      ELSE
+        -- Column already exists (RLS was previously enabled then disabled)
+        -- Restore the DEFAULT clause (may have been removed during uninstallRLS)
+        EXECUTE format('ALTER TABLE %I.%I ALTER COLUMN owner_id SET DEFAULT current_owner_id()', schema_name, table_name);
+
+        -- Only backfill NULL owner_id rows, do NOT steal data from other owners
+        EXECUTE format('SELECT COUNT(*) FROM %I.%I WHERE owner_id IS NULL', schema_name, table_name) INTO orphaned_count;
+
+        IF orphaned_count > 0 THEN
+          RAISE NOTICE 'Backfilling % rows with NULL owner_id in %.%', orphaned_count, schema_name, table_name;
+          EXECUTE format('UPDATE %I.%I SET owner_id = current_owner_id() WHERE owner_id IS NULL', schema_name, table_name);
+        END IF;
+      END IF;
+
+      -- Create index for efficient owner_id filtering
+      EXECUTE format('CREATE INDEX IF NOT EXISTS idx_%I_owner_id ON %I.%I(owner_id)', table_name, schema_name, table_name);
+
+      -- Enable RLS on the table
+      EXECUTE format('ALTER TABLE %I.%I ENABLE ROW LEVEL SECURITY', schema_name, table_name);
+
+      -- FORCE RLS even for table owners (critical for security)
+      EXECUTE format('ALTER TABLE %I.%I FORCE ROW LEVEL SECURITY', schema_name, table_name);
+
+      -- Drop existing policy if present
+      EXECUTE format('DROP POLICY IF EXISTS owner_isolation_policy ON %I.%I', schema_name, table_name);
+
+      -- Create isolation policy: users can only see/modify rows where owner_id matches current tenant
+      -- No NULL clause - all rows must have a valid owner_id (backfilled during column addition)
+      EXECUTE format('
+        CREATE POLICY owner_isolation_policy ON %I.%I
+        USING (owner_id = current_owner_id())
+        WITH CHECK (owner_id = current_owner_id())
+      ', schema_name, table_name);
+    END;
+    $$ LANGUAGE plpgsql;
+  `);
+  await db2.execute(sql`
+    CREATE OR REPLACE FUNCTION apply_rls_to_all_tables() RETURNS void AS $$
+    DECLARE
+      tbl record;
+    BEGIN
+      FOR tbl IN
+        SELECT schemaname, tablename
+        FROM pg_tables
+        WHERE schemaname = 'public'
+          AND tablename NOT IN (
+            'owners',
+            'drizzle_migrations',
+            '__drizzle_migrations',
+            'server_agents'
+          )
+      LOOP
+        BEGIN
+          PERFORM add_owner_isolation(tbl.schemaname, tbl.tablename);
+        EXCEPTION WHEN OTHERS THEN
+          RAISE WARNING 'Failed to apply RLS to %.%: %', tbl.schemaname, tbl.tablename, SQLERRM;
+        END;
+      END LOOP;
+    END;
+    $$ LANGUAGE plpgsql;
+  `);
+  logger12.info("[RLS] PostgreSQL functions installed");
+}
+async function getOrCreateRlsOwner(adapter, ownerId) {
+  const db2 = adapter.db;
+  await db2.insert(ownersTable).values({
+    id: ownerId
+  }).onConflictDoNothing();
+  logger12.info(`[RLS] Owner: ${ownerId.slice(0, 8)}…`);
+  return ownerId;
+}
+async function setOwnerContext(adapter, ownerId) {
+  if (!validateUuid(ownerId)) {
+    throw new Error(`Invalid owner ID format: ${ownerId}. Must be a valid UUID.`);
+  }
+  const db2 = adapter.db;
+  const owners = await db2.select().from(ownersTable).where(eq(ownersTable.id, ownerId));
+  if (owners.length === 0) {
+    throw new Error(`Owner ${ownerId} does not exist`);
+  }
+  logger12.info(`[RLS] Owner: ${ownerId.slice(0, 8)}…`);
+  logger12.info("[RLS] Context configured successfully (using application_name)");
+}
+async function assignAgentToOwner(adapter, agentId, ownerId) {
+  const db2 = adapter.db;
+  const agents = await db2.select().from(agentTable).where(eq(agentTable.id, agentId));
+  if (agents.length > 0) {
+    const agent = agents[0];
+    const currentOwnerId = agent.owner_id;
+    if (currentOwnerId === ownerId) {
+      logger12.debug(`[RLS] Agent ${agent.name} already owned by correct owner`);
+    } else {
+      await db2.update(agentTable).set({ owner_id: ownerId }).where(eq(agentTable.id, agentId));
+      if (currentOwnerId === null) {
+        logger12.info(`[RLS] Agent ${agent.name} assigned to owner`);
+      } else {
+        logger12.warn(`[RLS] Agent ${agent.name} owner changed`);
+      }
+    }
+  } else {
+    logger12.debug(`[RLS] Agent ${agentId} doesn't exist yet`);
+  }
+}
+async function applyRLSToNewTables(adapter) {
+  const db2 = adapter.db;
+  try {
+    await db2.execute(sql`SELECT apply_rls_to_all_tables()`);
+    logger12.info("[RLS] Applied to all tables");
+  } catch (error) {
+    logger12.warn("[RLS] Failed to apply to some tables:", String(error));
+  }
+}
+async function uninstallRLS(adapter) {
+  const db2 = adapter.db;
+  try {
+    const checkResult = await db2.execute(sql`
+      SELECT EXISTS (
+        SELECT FROM pg_tables
+        WHERE schemaname = 'public' AND tablename = 'owners'
+      ) as rls_enabled
+    `);
+    const rlsEnabled = checkResult.rows?.[0]?.rls_enabled;
+    if (!rlsEnabled) {
+      logger12.debug("[RLS] RLS not installed, skipping cleanup");
+      return;
+    }
+    logger12.info("[RLS] Disabling RLS globally (keeping owner_id columns for schema compatibility)...");
+    await db2.execute(sql`
+      CREATE OR REPLACE FUNCTION _temp_disable_rls_on_table(
+        p_schema_name text,
+        p_table_name text
+      ) RETURNS void AS $$
+      DECLARE
+        policy_rec record;
+      BEGIN
+        -- Drop all policies on this table
+        FOR policy_rec IN
+          SELECT policyname
+          FROM pg_policies
+          WHERE schemaname = p_schema_name AND tablename = p_table_name
+        LOOP
+          EXECUTE format('DROP POLICY IF EXISTS %I ON %I.%I',
+            policy_rec.policyname, p_schema_name, p_table_name);
+        END LOOP;
+
+        -- Disable RLS
+        EXECUTE format('ALTER TABLE %I.%I NO FORCE ROW LEVEL SECURITY', p_schema_name, p_table_name);
+        EXECUTE format('ALTER TABLE %I.%I DISABLE ROW LEVEL SECURITY', p_schema_name, p_table_name);
+      END;
+      $$ LANGUAGE plpgsql;
+    `);
+    const tablesResult = await db2.execute(sql`
+      SELECT schemaname, tablename
+      FROM pg_tables
+      WHERE schemaname = 'public'
+        AND tablename NOT IN ('drizzle_migrations', '__drizzle_migrations')
+    `);
+    for (const row of tablesResult.rows || []) {
+      const schemaName = row.schemaname;
+      const tableName = row.tablename;
+      try {
+        await db2.execute(sql`SELECT _temp_disable_rls_on_table(${schemaName}, ${tableName})`);
+        logger12.debug(`[RLS] Disabled RLS on table: ${schemaName}.${tableName}`);
+      } catch (error) {
+        logger12.warn(`[RLS] Failed to disable RLS on table ${schemaName}.${tableName}:`, String(error));
+      }
+    }
+    await db2.execute(sql`DROP FUNCTION IF EXISTS _temp_disable_rls_on_table(text, text)`);
+    logger12.info("[RLS] Keeping owner_id values intact (prevents data theft on re-enable)");
+    logger12.info("[RLS] Clearing owners table...");
+    await db2.execute(sql`TRUNCATE TABLE owners`);
+    await db2.execute(sql`DROP FUNCTION IF EXISTS apply_rls_to_all_tables() CASCADE`);
+    await db2.execute(sql`DROP FUNCTION IF EXISTS add_owner_isolation(text, text) CASCADE`);
+    await db2.execute(sql`DROP FUNCTION IF EXISTS current_owner_id() CASCADE`);
+    logger12.info("[RLS] Dropped all RLS functions");
+    logger12.success("[RLS] RLS disabled successfully (owner_id columns preserved)");
+  } catch (error) {
+    logger12.error("[RLS] Failed to disable RLS:", String(error));
+    throw error;
+  }
+}
+
+// src/index.node.ts
 var GLOBAL_SINGLETONS = Symbol.for("@elizaos/plugin-sql/global-singletons");
 var globalSymbols = globalThis;
 if (!globalSymbols[GLOBAL_SINGLETONS]) {
@@ -11036,10 +11291,28 @@ if (!globalSymbols[GLOBAL_SINGLETONS]) {
 var globalSingletons = globalSymbols[GLOBAL_SINGLETONS];
 function createDatabaseAdapter(config, agentId) {
   if (config.postgresUrl) {
-    if (!globalSingletons.postgresConnectionManager) {
-      globalSingletons.postgresConnectionManager = new PostgresConnectionManager(config.postgresUrl);
+    const rlsEnabled = process.env.ENABLE_RLS_ISOLATION === "true";
+    let rlsOwnerId;
+    let managerKey = "default";
+    if (rlsEnabled) {
+      const rlsOwnerIdString = process.env.RLS_OWNER_ID;
+      if (!rlsOwnerIdString) {
+        throw new Error("[RLS] ENABLE_RLS_ISOLATION=true requires RLS_OWNER_ID environment variable");
+      }
+      rlsOwnerId = stringToUuid(rlsOwnerIdString);
+      managerKey = rlsOwnerId;
+      logger13.debug(`[RLS] Using connection pool for owner_id: ${rlsOwnerId.slice(0, 8)}… (from RLS_OWNER_ID="${rlsOwnerIdString}")`);
+    }
+    if (!globalSingletons.postgresConnectionManagers) {
+      globalSingletons.postgresConnectionManagers = new Map;
+    }
+    let manager = globalSingletons.postgresConnectionManagers.get(managerKey);
+    if (!manager) {
+      logger13.debug(`[RLS] Creating new connection pool for key: ${managerKey.slice(0, 8)}…`);
+      manager = new PostgresConnectionManager(config.postgresUrl, rlsOwnerId);
+      globalSingletons.postgresConnectionManagers.set(managerKey, manager);
     }
-    return new PgDatabaseAdapter(agentId, globalSingletons.postgresConnectionManager);
+    return new PgDatabaseAdapter(agentId, manager);
   }
   const dataDir = resolvePgliteDir(config.dataDir);
   if (!globalSingletons.pgLiteClientManager) {
@@ -11053,18 +11326,18 @@ var plugin = {
   priority: 0,
   schema: exports_schema,
   init: async (_config, runtime) => {
-    logger12.info("plugin-sql (node) init starting...");
+    logger13.info("plugin-sql (node) init starting...");
     const adapterRegistered = await runtime.isReady().then(() => true).catch((error) => {
       const message = error instanceof Error ? error.message : String(error);
       if (message.includes("Database adapter not registered")) {
-        logger12.info("No pre-registered database adapter detected; registering adapter");
+        logger13.info("No pre-registered database adapter detected; registering adapter");
       } else {
-        logger12.warn({ error }, "Database adapter readiness check error; proceeding to register adapter");
+        logger13.warn({ error }, "Database adapter readiness check error; proceeding to register adapter");
       }
       return false;
     });
     if (adapterRegistered) {
-      logger12.info("Database adapter already registered, skipping creation");
+      logger13.info("Database adapter already registered, skipping creation");
       return;
     }
     const postgresUrl = runtime.getSetting("POSTGRES_URL");
@@ -11074,16 +11347,22 @@ var plugin = {
       postgresUrl
     }, runtime.agentId);
     runtime.registerDatabaseAdapter(dbAdapter);
-    logger12.info("Database adapter created and registered");
+    logger13.info("Database adapter created and registered");
   }
 };
 var index_node_default = plugin;
 export {
+  uninstallRLS,
+  setOwnerContext,
   plugin,
+  installRLSFunctions,
+  getOrCreateRlsOwner,
   index_node_default as default,
   createDatabaseAdapter,
+  assignAgentToOwner,
+  applyRLSToNewTables,
   DatabaseMigrationService
 };
 
-//# debugId=AE1FE5F77043850164756E2164756E21
+//# debugId=81727AD4C0F30EE564756E2164756E21
 //# sourceMappingURL=index.node.js.map