@nextsparkjs/core 0.1.0-beta.166 → 0.1.0-beta.168

package/dist/migrations/022_rls_runtime_roles.sql

@@ -0,0 +1,87 @@
+-- ============================================================================
+-- 022 · RLS runtime roles — nextspark_app (non-owner runtime role) + grants
+-- ============================================================================
+-- Generic framework migration: creates the non-owner runtime role the app
+-- connects as so RLS is actually evaluated on the app path.
+--
+-- WHY: by default the app connects to Postgres as the table OWNER, so RLS
+-- policies are never evaluated on the app path (owner skips RLS unless FORCE).
+-- This migration creates the non-owner runtime role the app connects as after
+-- the runtime cutover. Until the cutover nothing changes for the running app:
+-- migrations and seeds keep running as the owner.
+--
+-- Design decisions:
+-- - nextspark_app is NOLOGIN here; the LOGIN credential is created per environment
+--   at cutover time (deploy-time secret), never in a migration.
+-- - nextspark_app is a member of `authenticated` (INHERIT): every existing policy
+--   declared `TO authenticated` applies to it without rewriting.
+-- - NO `FORCE ROW LEVEL SECURITY`: nextspark_app is not the owner so plain ENABLE
+--   is enough, and FORCE would break owner-run seeds/sample-data on Supabase
+--   (where `postgres` is owner but not superuser).
+-- - NO `BYPASSRLS` role here: that attribute requires superuser (not available
+--   on Supabase). The service context for machine actors (webhooks, scheduled
+--   actions) is a CORE/environment workstream: the app uses a separate service
+--   connection (DATABASE_SERVICE_URL) for system operations.
+-- - `anon` gets an explicit REVOKE + default privileges revoke: on Supabase the
+--   default privileges grant to anon automatically; abstaining is not enough.
+--
+-- Ordering: runs after all core table DDL (<= 021) so `GRANT ... ON ALL TABLES`
+-- covers every existing table; `ALTER DEFAULT PRIVILEGES` covers tables created
+-- later (theme/entity migrations) by the same migration owner.
+
+-- ----------------------------------------------------------------------------
+-- 1. Runtime role
+-- ----------------------------------------------------------------------------
+DO $$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'nextspark_app') THEN
+    CREATE ROLE nextspark_app NOLOGIN NOINHERIT;
+  END IF;
+END $$;
+
+-- INHERIT membership in `authenticated` so policies `TO authenticated` apply.
+ALTER ROLE nextspark_app INHERIT;
+GRANT authenticated TO nextspark_app;
+
+-- Allow the migration/validation user to SET ROLE nextspark_app (e.g. an RLS
+-- isolation test suite can run its checks as this role without a LOGIN credential).
+DO $$
+BEGIN
+  EXECUTE format('GRANT nextspark_app TO %I', current_user);
+EXCEPTION WHEN OTHERS THEN
+  RAISE NOTICE 'GRANT nextspark_app TO current_user skipped: %', SQLERRM;
+END $$;
+
+-- ----------------------------------------------------------------------------
+-- 2. Grants for nextspark_app (RLS does the row filtering; grants gate the tables)
+-- ----------------------------------------------------------------------------
+GRANT USAGE ON SCHEMA public TO nextspark_app;
+GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO nextspark_app;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO nextspark_app;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO nextspark_app;
+
+-- Future objects created by the migration owner inherit the same grants.
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO nextspark_app;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT USAGE, SELECT ON SEQUENCES TO nextspark_app;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT EXECUTE ON FUNCTIONS TO nextspark_app;
+
+-- ----------------------------------------------------------------------------
+-- 3. anon: explicit lockdown (defense for PostgREST/Data API surfaces)
+-- ----------------------------------------------------------------------------
+DO $$
+BEGIN
+  IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'anon') THEN
+    REVOKE ALL ON ALL TABLES    IN SCHEMA public FROM anon;
+    REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM anon;
+    REVOKE ALL ON ALL FUNCTIONS IN SCHEMA public FROM anon;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES    FROM anon;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM anon;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON FUNCTIONS FROM anon;
+  END IF;
+END $$;
+
+COMMENT ON ROLE nextspark_app IS
+  'Non-owner runtime role for the NextSpark app. Member of authenticated (policies TO authenticated apply). RLS is evaluated for every query once DATABASE_URL connects as this role instead of the table owner.';

package/dist/styles/classes.json

@@ -1,5 +1,5 @@
 {
-  "generated": "2026-06-10T14:55:15.602Z",
+  "generated": "2026-06-19T20:37:03.117Z",
   "totalClasses": 1081,
   "classes": [
     "!text-2xl",

package/dist/templates/app/api/auth/[...all]/route.ts

@@ -8,6 +8,7 @@ import { isPublicSignupRestricted } from "@nextsparkjs/core/lib/teams/helpers";
 import { TeamService } from "@nextsparkjs/core/lib/services";
 import { wrapAuthHandlerWithCors, handleCorsPreflightRequest, addCorsHeaders } from "@nextsparkjs/core/lib/api/helpers";
 import { checkDistributedRateLimit } from "@nextsparkjs/core/lib/api/rate-limit";
+import { withSignupContext } from "@nextsparkjs/core/lib/auth-context";
 
 const handlers = toNextJsHandler(auth);
 
@@ -137,6 +138,18 @@ export async function POST(req: NextRequest) {
     }
   }
 
+  // Read the optional signup intent (`x-signup-intent` header) and run the signup
+  // within request-scoped context so the user.create.after hook can map it to an
+  // initial team role (AUTH_CONFIG.signupIntent).
+  const signupIntent = isSignupAttempt
+    ? (req.headers.get('x-signup-intent') || undefined)
+    : undefined;
+
   // Wrap with CORS headers for cross-origin requests (mobile apps, etc.)
-  return wrapAuthHandlerWithCors(() => handlers.POST(req), req);
+  return wrapAuthHandlerWithCors(
+    signupIntent
+      ? () => withSignupContext({ signupIntent }, () => handlers.POST(req))
+      : () => handlers.POST(req),
+    req
+  );
 }

package/migrations/001_better_auth_and_functions.sql

@@ -47,6 +47,76 @@ $$;
 -- function with the alias, causing infinite recursion. All RLS policies should
 -- use `public.get_auth_user_id()` with the explicit schema qualifier.
 
+-- =============================================================================
+-- RLS BYPASS / VISIBILITY PRIMITIVES
+-- Defined here (migration 001) so EVERY later migration's policies can use them,
+-- including the auth/identity tables in 002. These are plpgsql functions, so the
+-- tables they reference (users, team_members) are resolved at CALL time, not at
+-- function-creation time — it is safe to define them before those tables exist.
+-- They are SECURITY DEFINER so they read team_members/users without re-triggering
+-- RLS (avoids recursive policy evaluation).
+-- =============================================================================
+
+-- Can the current request user bypass RLS? (superadmin always; developer if a
+-- member of the System Admin Team). Mirrors app-level bypass in dual-auth.ts.
+CREATE OR REPLACE FUNCTION public.can_bypass_rls()
+RETURNS BOOLEAN AS $$
+DECLARE
+  current_user_id TEXT;
+  user_role TEXT;
+  is_system_admin_member BOOLEAN;
+BEGIN
+  current_user_id := public.get_auth_user_id();
+
+  SELECT role INTO user_role
+  FROM public."users"
+  WHERE id = current_user_id;
+
+  IF user_role = 'superadmin' THEN
+    RETURN TRUE;
+  END IF;
+
+  IF user_role = 'developer' THEN
+    SELECT EXISTS(
+      SELECT 1 FROM public."team_members"
+      WHERE "userId" = current_user_id
+        AND "teamId" = 'team-nextspark-001'
+    ) INTO is_system_admin_member;
+
+    RETURN is_system_admin_member;
+  END IF;
+
+  RETURN FALSE;
+END;
+$$ LANGUAGE plpgsql STABLE SECURITY DEFINER;
+
+-- Backward-compatible alias (deprecated, use can_bypass_rls).
+CREATE OR REPLACE FUNCTION public.is_superadmin()
+RETURNS BOOLEAN AS $$
+BEGIN
+  RETURN public.can_bypass_rls();
+END;
+$$ LANGUAGE plpgsql STABLE SECURITY DEFINER;
+
+-- May the current request user SEE the row of `target_user_id`? True when they
+-- share a team where either side is staff (owner/admin). Used by the `users`
+-- SELECT policy (002) without a create-time dependency on team_members.
+CREATE OR REPLACE FUNCTION public.auth_user_can_see_user(target_user_id TEXT)
+RETURNS BOOLEAN AS $$
+BEGIN
+  RETURN EXISTS (
+    SELECT 1 FROM public."team_members" me
+    JOIN public."team_members" them ON them."teamId" = me."teamId"
+    WHERE me."userId" = public.get_auth_user_id()
+      AND them."userId" = target_user_id
+      AND (
+        me.role   IN ('owner','admin')   -- I am staff of this team -> I see everyone in it
+        OR them.role IN ('owner','admin') -- the target is staff of my team -> I see them
+      )
+  );
+END;
+$$ LANGUAGE plpgsql STABLE SECURITY DEFINER;
+
 -- Utilidad: updatedAt (si no existe ya en otra migration)
 CREATE OR REPLACE FUNCTION public.set_updated_at()
 RETURNS trigger

package/migrations/002_auth_tables.sql

@@ -96,16 +96,96 @@ ALTER TABLE "verification" ENABLE ROW LEVEL SECURITY;
 -- POLICIES
 -- ============================================
 
--- Mantener comportamiento actual (abierto). No es lo ideal, pero respeta "que siga funcionando".
-CREATE POLICY "users_allow_all"        ON "users"        FOR ALL USING (true) WITH CHECK (true);
-CREATE POLICY "session_allow_all"      ON "session"      FOR ALL USING (true) WITH CHECK (true);
-CREATE POLICY "account_allow_all"      ON "account"      FOR ALL USING (true) WITH CHECK (true);
-CREATE POLICY "verification_allow_all" ON "verification" FOR ALL USING (true) WITH CHECK (true);
-
--- VERSIÓN MÁS SEGURA (recomendada) – comentar lo de arriba y descomentar esto cuando ordenes acceso:
--- Nota: el role service_role bypassa RLS. Si solo accede backend, podrías no necesitar policies.
--- CREATE POLICY "auth_tables_readonly_auth" ON "users" FOR SELECT TO authenticated USING (true);
--- Repite granular por tabla según necesidad real.
+-- ============================================================================
+-- Per-user RLS on the auth/identity tables (hardened defaults).
+--
+-- Uses ONLY core primitives: public.can_bypass_rls() (010) and
+-- public.get_auth_user_id() (001), and public."team_members". "Staff of a team"
+-- is the base elevated set the core enum knows: ('owner','admin'). A theme that
+-- extends team roles widens the staff set through its own config-derived
+-- mechanism; the core ships the base elevated set only.
+--
+-- WHY: under real RLS, the previous `USING(true)` let ANY authenticated user read
+-- every row of users (PII), account (Better Auth credentials/providers) and
+-- session (other users' sessions/tokens).
+--
+-- SERVICE DEPENDENCY (not a data hole): Better Auth reads these tables WITHOUT a
+-- user GUC during login/verification, so it runs under the SERVICE connection
+-- (DATABASE_SERVICE_URL, bypass). With it, login works AND these policies stay
+-- active.
+-- ============================================================================
+
+-- ----------------------------------------------------------------------------
+-- users — self + staff visibility (no user sees unrelated users)
+-- ----------------------------------------------------------------------------
+DROP POLICY IF EXISTS "users_allow_all"           ON "users";
+DROP POLICY IF EXISTS "Users self and staff read" ON "users";
+DROP POLICY IF EXISTS "Users service insert"      ON "users";
+DROP POLICY IF EXISTS "Users self update"         ON "users";
+DROP POLICY IF EXISTS "Users service delete"      ON "users";
+
+-- Staff visibility is resolved by public.auth_user_can_see_user() (defined in
+-- 001) so this policy has no create-time dependency on team_members (created in
+-- a later migration).
+CREATE POLICY "Users self and staff read"
+ON "users"
+FOR SELECT TO authenticated
+USING (
+  public.can_bypass_rls()
+  OR id = public.get_auth_user_id()
+  OR public.auth_user_can_see_user(id)
+);
+
+-- Identity is created/managed by the auth service; a user may edit ITS OWN row.
+CREATE POLICY "Users service insert" ON "users"
+FOR INSERT TO authenticated WITH CHECK (public.can_bypass_rls());
+CREATE POLICY "Users self update" ON "users"
+FOR UPDATE TO authenticated
+USING (public.can_bypass_rls() OR id = public.get_auth_user_id())
+WITH CHECK (public.can_bypass_rls() OR id = public.get_auth_user_id());
+CREATE POLICY "Users service delete" ON "users"
+FOR DELETE TO authenticated USING (public.can_bypass_rls());
+
+-- ----------------------------------------------------------------------------
+-- account — only the owner sees/uses its own auth accounts; writes are service
+-- ----------------------------------------------------------------------------
+DROP POLICY IF EXISTS "account_allow_all"      ON "account";
+DROP POLICY IF EXISTS "Account self read"      ON "account";
+DROP POLICY IF EXISTS "Account service write"  ON "account";
+
+CREATE POLICY "Account self read" ON "account"
+FOR SELECT TO authenticated
+USING (public.can_bypass_rls() OR "userId" = public.get_auth_user_id());
+CREATE POLICY "Account service write" ON "account"
+FOR ALL TO authenticated
+USING (public.can_bypass_rls())
+WITH CHECK (public.can_bypass_rls());
+
+-- ----------------------------------------------------------------------------
+-- session — only the owner sees its own sessions; writes are service (login)
+-- ----------------------------------------------------------------------------
+DROP POLICY IF EXISTS "session_allow_all"      ON "session";
+DROP POLICY IF EXISTS "Session self read"      ON "session";
+DROP POLICY IF EXISTS "Session service write"  ON "session";
+
+CREATE POLICY "Session self read" ON "session"
+FOR SELECT TO authenticated
+USING (public.can_bypass_rls() OR "userId" = public.get_auth_user_id());
+CREATE POLICY "Session service write" ON "session"
+FOR ALL TO authenticated
+USING (public.can_bypass_rls())
+WITH CHECK (public.can_bypass_rls());
+
+-- ----------------------------------------------------------------------------
+-- verification — email/reset tokens (no userId); service-only under RLS
+-- ----------------------------------------------------------------------------
+DROP POLICY IF EXISTS "verification_allow_all"  ON "verification";
+DROP POLICY IF EXISTS "Verification service all" ON "verification";
+
+CREATE POLICY "Verification service all" ON "verification"
+FOR ALL TO authenticated
+USING (public.can_bypass_rls())
+WITH CHECK (public.can_bypass_rls());
 
 -- ============================================
 -- CONSTRAINTS

package/migrations/007_teams_table.sql

@@ -7,10 +7,16 @@
 -- ENUM TYPES (must be defined first)
 -- ============================================
 
--- Team member roles: owner (creator), admin, member, viewer
-DO $$ BEGIN
-  CREATE TYPE team_role AS ENUM ('owner', 'admin', 'member', 'viewer');
-EXCEPTION WHEN duplicate_object THEN NULL; END $$;
+-- Team member roles are stored as TEXT (NOT a Postgres ENUM).
+--
+-- WHY: themes extend team roles via config (app.config.availableTeamRoles /
+-- permissions.config.ts). A Postgres ENUM would force every theme to patch the
+-- type with `ALTER TYPE team_role ADD VALUE ...`. Using TEXT lets a theme store
+-- any role string without DB DDL. No privilege boundary is lost: RLS policies
+-- compare against explicit literals ('owner','admin') and an unknown role fails
+-- closed (matches no elevated tier). Value integrity is enforced at the app
+-- layer (zod derived from availableTeamRoles + the permissions registry), so no
+-- CHECK constraint is added (a CHECK with the base set would block theme roles).
 
 -- Invitation status lifecycle
 DO $$ BEGIN

package/migrations/008_team_members_table.sql

@@ -10,7 +10,7 @@ CREATE TABLE IF NOT EXISTS public."team_members" (
   id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
   "teamId" TEXT NOT NULL REFERENCES public."teams"(id) ON DELETE CASCADE,
   "userId" TEXT NOT NULL REFERENCES public."users"(id) ON DELETE CASCADE,
-  role team_role NOT NULL DEFAULT 'member',
+  role TEXT NOT NULL DEFAULT 'member',  -- TEXT (not ENUM) so themes extend roles via config; see 007
   "invitedBy" TEXT REFERENCES public."users"(id),
   "joinedAt" TIMESTAMPTZ DEFAULT now(),
   "createdAt" TIMESTAMPTZ NOT NULL DEFAULT now(),

package/migrations/009_team_invitations_table.sql

@@ -10,7 +10,7 @@ CREATE TABLE IF NOT EXISTS public."team_invitations" (
   id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
   "teamId" TEXT NOT NULL REFERENCES public."teams"(id) ON DELETE CASCADE,
   email TEXT NOT NULL,
-  role team_role NOT NULL DEFAULT 'member',
+  role TEXT NOT NULL DEFAULT 'member',  -- TEXT (not ENUM) so themes extend roles via config; see 007
   status invitation_status NOT NULL DEFAULT 'pending',
   token TEXT UNIQUE NOT NULL DEFAULT gen_random_uuid()::text,
   "invitedBy" TEXT NOT NULL REFERENCES public."users"(id),

package/migrations/010_teams_functions_triggers.sql

@@ -13,7 +13,7 @@ RETURNS TABLE (
   team_id TEXT,
   team_name TEXT,
   team_slug TEXT,
-  user_role team_role,
+  user_role TEXT,  -- team roles are TEXT (not ENUM); see 007
   joined_at TIMESTAMPTZ,
   member_count BIGINT
 ) AS $$
@@ -39,11 +39,11 @@ $$ LANGUAGE plpgsql STABLE SECURITY DEFINER;
 CREATE OR REPLACE FUNCTION has_team_permission(
   user_id_param TEXT,
   team_id_param TEXT,
-  required_roles team_role[]
+  required_roles TEXT[]  -- team roles are TEXT (not ENUM); see 007
 )
 RETURNS BOOLEAN AS $$
 DECLARE
-  user_role team_role;
+  user_role TEXT;
 BEGIN
   SELECT role INTO user_role
   FROM public."team_members"
@@ -108,51 +108,9 @@ BEGIN
 END;
 $$ LANGUAGE plpgsql STABLE SECURITY DEFINER;
 
--- Check if current user can bypass RLS (Row Level Security)
--- Returns true if user is superadmin OR developer in System Admin Team
--- Used for RLS policies to grant elevated users full cross-team access
--- Matches app-level bypass logic in dual-auth.ts
-CREATE OR REPLACE FUNCTION public.can_bypass_rls()
-RETURNS BOOLEAN AS $$
-DECLARE
-  current_user_id TEXT;
-  user_role TEXT;
-  is_system_admin_member BOOLEAN;
-BEGIN
-  current_user_id := public.get_auth_user_id();
-
-  -- Get user role
-  SELECT role INTO user_role
-  FROM public."users"
-  WHERE id = current_user_id;
-
-  -- Superadmin always bypasses
-  IF user_role = 'superadmin' THEN
-    RETURN TRUE;
-  END IF;
-
-  -- Developer can bypass if member of System Admin Team (team-nextspark-001)
-  IF user_role = 'developer' THEN
-    SELECT EXISTS(
-      SELECT 1 FROM public."team_members"
-      WHERE "userId" = current_user_id
-        AND "teamId" = 'team-nextspark-001'
-    ) INTO is_system_admin_member;
-
-    RETURN is_system_admin_member;
-  END IF;
-
-  RETURN FALSE;
-END;
-$$ LANGUAGE plpgsql STABLE SECURITY DEFINER;
-
--- Alias for backward compatibility (deprecated, use can_bypass_rls)
-CREATE OR REPLACE FUNCTION public.is_superadmin()
-RETURNS BOOLEAN AS $$
-BEGIN
-  RETURN public.can_bypass_rls();
-END;
-$$ LANGUAGE plpgsql STABLE SECURITY DEFINER;
+-- NOTE: public.can_bypass_rls() and public.is_superadmin() are defined in
+-- migration 001 (foundational RLS primitives) so that the auth/identity table
+-- policies in 002 can use them. They are intentionally NOT redefined here.
 
 -- ============================================
 -- TEAMS RLS POLICIES

package/migrations/013_billing_subscriptions.sql

@@ -90,59 +90,89 @@ WHERE status IN ('active', 'trialing', 'past_due');
 -- ============================================
 ALTER TABLE public."subscriptions" ENABLE ROW LEVEL SECURITY;
 
--- Cleanup existing policies
-DROP POLICY IF EXISTS "Subscriptions team read"      ON public."subscriptions";
-DROP POLICY IF EXISTS "Subscriptions team write"     ON public."subscriptions";
-DROP POLICY IF EXISTS "Subscriptions superadmin"     ON public."subscriptions";
+-- ============================================================================
+-- Per-user RLS on subscriptions (hardened).
+--
+-- WHY: a team's "team read" let ANY team member read the team's subscriptions.
+-- When subscriptions are per (userId, teamId) and a team holds many users,
+-- team-wide read means every user reads every other user's membership row.
+-- Uses ONLY core primitives: can_bypass_rls() (superadmin/developer/service
+-- bypass), get_auth_user_id(), team_members. Elevated tier = ('owner','admin').
+--
+-- NOTE on subscriptions."userId": NULLable by design (team-level subscriptions).
+-- The own-row branch evaluates NULL -> false, so team-level subscriptions are
+-- visible only to the elevated tier. Correct and intended.
+-- ============================================================================
 
--- Team members can read their team's subscription
-CREATE POLICY "Subscriptions team read"
+-- Cleanup existing policies
+DROP POLICY IF EXISTS "Subscriptions team read"        ON public."subscriptions";
+DROP POLICY IF EXISTS "Subscriptions team write"       ON public."subscriptions";
+DROP POLICY IF EXISTS "Subscriptions superadmin"       ON public."subscriptions";
+DROP POLICY IF EXISTS "Subscriptions per-user select"  ON public."subscriptions";
+DROP POLICY IF EXISTS "Subscriptions elevated insert"  ON public."subscriptions";
+DROP POLICY IF EXISTS "Subscriptions elevated update"  ON public."subscriptions";
+DROP POLICY IF EXISTS "Subscriptions elevated delete"  ON public."subscriptions";
+
+CREATE POLICY "Subscriptions per-user select"
 ON public."subscriptions"
 FOR SELECT TO authenticated
 USING (
-  EXISTS (
+  public.can_bypass_rls()
+  OR "userId" = public.get_auth_user_id()
+  OR EXISTS (
+    SELECT 1 FROM public."team_members" tm
+    WHERE tm."teamId" = public."subscriptions"."teamId"
+      AND tm."userId" = public.get_auth_user_id()
+      AND tm.role IN ('owner','admin')
+  )
+);
+
+-- Writes: elevated tier or bypass only — NEVER an own-row branch (a user must
+-- not be able to grant themselves a membership).
+CREATE POLICY "Subscriptions elevated insert"
+ON public."subscriptions"
+FOR INSERT TO authenticated
+WITH CHECK (
+  public.can_bypass_rls()
+  OR EXISTS (
     SELECT 1 FROM public."team_members" tm
-    WHERE tm."teamId" = "subscriptions"."teamId"
+    WHERE tm."teamId" = public."subscriptions"."teamId"
       AND tm."userId" = public.get_auth_user_id()
+      AND tm.role IN ('owner','admin')
   )
 );
 
--- Team owner/admin can modify subscription
-CREATE POLICY "Subscriptions team write"
+CREATE POLICY "Subscriptions elevated update"
 ON public."subscriptions"
-FOR ALL TO authenticated
+FOR UPDATE TO authenticated
 USING (
-  EXISTS (
+  public.can_bypass_rls()
+  OR EXISTS (
     SELECT 1 FROM public."team_members" tm
-    WHERE tm."teamId" = "subscriptions"."teamId"
+    WHERE tm."teamId" = public."subscriptions"."teamId"
       AND tm."userId" = public.get_auth_user_id()
-      AND tm.role IN ('owner', 'admin')
+      AND tm.role IN ('owner','admin')
   )
 )
 WITH CHECK (
-  EXISTS (
+  public.can_bypass_rls()
+  OR EXISTS (
     SELECT 1 FROM public."team_members" tm
-    WHERE tm."teamId" = "subscriptions"."teamId"
+    WHERE tm."teamId" = public."subscriptions"."teamId"
       AND tm."userId" = public.get_auth_user_id()
-      AND tm.role IN ('owner', 'admin')
+      AND tm.role IN ('owner','admin')
   )
 );
 
--- Superadmin has full access
-CREATE POLICY "Subscriptions superadmin"
+CREATE POLICY "Subscriptions elevated delete"
 ON public."subscriptions"
-FOR ALL TO authenticated
+FOR DELETE TO authenticated
 USING (
-  EXISTS (
-    SELECT 1 FROM public."users" u
-    WHERE u.id = public.get_auth_user_id()
-      AND u.role = 'superadmin'
-  )
-)
-WITH CHECK (
-  EXISTS (
-    SELECT 1 FROM public."users" u
-    WHERE u.id = public.get_auth_user_id()
-      AND u.role = 'superadmin'
+  public.can_bypass_rls()
+  OR EXISTS (
+    SELECT 1 FROM public."team_members" tm
+    WHERE tm."teamId" = public."subscriptions"."teamId"
+      AND tm."userId" = public.get_auth_user_id()
+      AND tm.role IN ('owner','admin')
   )
 );

package/migrations/016_billing_events.sql

@@ -80,8 +80,22 @@ USING (
   )
 );
 
--- System can write (webhooks from payment providers)
-CREATE POLICY "Billing events system write"
+-- INSERT: bypass or team owner/admin only. Payment-provider webhooks insert via
+-- the SERVICE connection (DATABASE_SERVICE_URL, bypass). The previous
+-- WITH CHECK (true) let ANY authenticated user forge billing events.
+DROP POLICY IF EXISTS "Billing events elevated insert" ON public."billing_events";
+CREATE POLICY "Billing events elevated insert"
 ON public."billing_events"
 FOR INSERT TO authenticated
-WITH CHECK (true);
+WITH CHECK (
+  public.can_bypass_rls()
+  OR "subscriptionId" IN (
+    SELECT s.id FROM public."subscriptions" s
+    WHERE EXISTS (
+      SELECT 1 FROM public."team_members" tm
+      WHERE tm."teamId" = s."teamId"
+        AND tm."userId" = public.get_auth_user_id()
+        AND tm.role IN ('owner','admin')
+    )
+  )
+);

package/migrations/017_scheduled_actions_table.sql

@@ -116,12 +116,14 @@ ALTER TABLE public."scheduled_actions" ENABLE ROW LEVEL SECURITY;
 -- Cleanup existing policies
 DROP POLICY IF EXISTS "scheduled_actions auth can select" ON public."scheduled_actions";
 DROP POLICY IF EXISTS "scheduled_actions system can do all" ON public."scheduled_actions";
+DROP POLICY IF EXISTS "Scheduled actions service all" ON public."scheduled_actions";
 
--- Authenticated users can view all actions (for DevTools)
-CREATE POLICY "scheduled_actions auth can select"
+-- Service-only under real RLS. Payloads may carry provisioning PII, so the
+-- previous `USING(true)` SELECT is removed. Reads go to bypass (DevTools runs as
+-- the developer role -> can_bypass_rls()); the in-request scheduler and the
+-- processor INSERT/UPDATE under the SERVICE connection (DATABASE_SERVICE_URL).
+CREATE POLICY "Scheduled actions service all"
 ON public."scheduled_actions"
-FOR SELECT TO authenticated
-USING (true);
-
--- No INSERT/UPDATE/DELETE policies for regular users
--- System operations are handled via service role or direct API with CRON_SECRET
+FOR ALL TO authenticated
+USING (public.can_bypass_rls())
+WITH CHECK (public.can_bypass_rls());