@nextsparkjs/core 0.1.0-beta.166 → 0.1.0-beta.168

package/migrations/022_rls_runtime_roles.sql

@@ -0,0 +1,87 @@
+-- ============================================================================
+-- 022 · RLS runtime roles — nextspark_app (non-owner runtime role) + grants
+-- ============================================================================
+-- Generic framework migration: creates the non-owner runtime role the app
+-- connects as so RLS is actually evaluated on the app path.
+--
+-- WHY: by default the app connects to Postgres as the table OWNER, so RLS
+-- policies are never evaluated on the app path (owner skips RLS unless FORCE).
+-- This migration creates the non-owner runtime role the app connects as after
+-- the runtime cutover. Until the cutover nothing changes for the running app:
+-- migrations and seeds keep running as the owner.
+--
+-- Design decisions:
+-- - nextspark_app is NOLOGIN here; the LOGIN credential is created per environment
+--   at cutover time (deploy-time secret), never in a migration.
+-- - nextspark_app is a member of `authenticated` (INHERIT): every existing policy
+--   declared `TO authenticated` applies to it without rewriting.
+-- - NO `FORCE ROW LEVEL SECURITY`: nextspark_app is not the owner so plain ENABLE
+--   is enough, and FORCE would break owner-run seeds/sample-data on Supabase
+--   (where `postgres` is owner but not superuser).
+-- - NO `BYPASSRLS` role here: that attribute requires superuser (not available
+--   on Supabase). The service context for machine actors (webhooks, scheduled
+--   actions) is a CORE/environment workstream: the app uses a separate service
+--   connection (DATABASE_SERVICE_URL) for system operations.
+-- - `anon` gets an explicit REVOKE + default privileges revoke: on Supabase the
+--   default privileges grant to anon automatically; abstaining is not enough.
+--
+-- Ordering: runs after all core table DDL (<= 021) so `GRANT ... ON ALL TABLES`
+-- covers every existing table; `ALTER DEFAULT PRIVILEGES` covers tables created
+-- later (theme/entity migrations) by the same migration owner.
+
+-- ----------------------------------------------------------------------------
+-- 1. Runtime role
+-- ----------------------------------------------------------------------------
+DO $$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'nextspark_app') THEN
+    CREATE ROLE nextspark_app NOLOGIN NOINHERIT;
+  END IF;
+END $$;
+
+-- INHERIT membership in `authenticated` so policies `TO authenticated` apply.
+ALTER ROLE nextspark_app INHERIT;
+GRANT authenticated TO nextspark_app;
+
+-- Allow the migration/validation user to SET ROLE nextspark_app (e.g. an RLS
+-- isolation test suite can run its checks as this role without a LOGIN credential).
+DO $$
+BEGIN
+  EXECUTE format('GRANT nextspark_app TO %I', current_user);
+EXCEPTION WHEN OTHERS THEN
+  RAISE NOTICE 'GRANT nextspark_app TO current_user skipped: %', SQLERRM;
+END $$;
+
+-- ----------------------------------------------------------------------------
+-- 2. Grants for nextspark_app (RLS does the row filtering; grants gate the tables)
+-- ----------------------------------------------------------------------------
+GRANT USAGE ON SCHEMA public TO nextspark_app;
+GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO nextspark_app;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO nextspark_app;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO nextspark_app;
+
+-- Future objects created by the migration owner inherit the same grants.
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO nextspark_app;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT USAGE, SELECT ON SEQUENCES TO nextspark_app;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT EXECUTE ON FUNCTIONS TO nextspark_app;
+
+-- ----------------------------------------------------------------------------
+-- 3. anon: explicit lockdown (defense for PostgREST/Data API surfaces)
+-- ----------------------------------------------------------------------------
+DO $$
+BEGIN
+  IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'anon') THEN
+    REVOKE ALL ON ALL TABLES    IN SCHEMA public FROM anon;
+    REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM anon;
+    REVOKE ALL ON ALL FUNCTIONS IN SCHEMA public FROM anon;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES    FROM anon;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM anon;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON FUNCTIONS FROM anon;
+  END IF;
+END $$;
+
+COMMENT ON ROLE nextspark_app IS
+  'Non-owner runtime role for the NextSpark app. Member of authenticated (policies TO authenticated apply). RLS is evaluated for every query once DATABASE_URL connects as this role instead of the table owner.';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nextsparkjs/core",
-  "version": "0.1.0-beta.166",
+  "version": "0.1.0-beta.168",
   "description": "NextSpark - The complete SaaS framework for Next.js",
   "license": "MIT",
   "author": "NextSpark <hello@nextspark.dev>",
@@ -469,7 +469,7 @@
     "tailwind-merge": "^3.3.1",
     "uuid": "^13.0.0",
     "zod": "^4.1.5",
-    "@nextsparkjs/testing": "0.1.0-beta.166"
+    "@nextsparkjs/testing": "0.1.0-beta.168"
   },
   "scripts": {
     "postinstall": "node scripts/postinstall.mjs || true",

package/scripts/db/run-migrations.mjs

@@ -21,6 +21,11 @@ const rootDir = projectRoot; // For backward compatibility with code below
 const envPath = path.join(projectRoot, '.env');
 
 let DATABASE_URL = process.env.DATABASE_URL ?? null;
+// Migrations and seeds run as the table OWNER. After the runtime cutover the app
+// connects DATABASE_URL as the non-owner `nextspark_app` role, so the owner
+// credential for migrations is provided separately via MIGRATE_DATABASE_URL.
+// Falls back to DATABASE_URL when unset (pre-cutover: same owner connection).
+let MIGRATE_DATABASE_URL = process.env.MIGRATE_DATABASE_URL ?? null;
 let ACTIVE_THEME = process.env.NEXT_PUBLIC_ACTIVE_THEME ?? null;
 
 if (fs.existsSync(envPath)) {
@@ -35,6 +40,9 @@ if (fs.existsSync(envPath)) {
       if (key?.trim() === 'DATABASE_URL' && valueParts.length > 0) {
         DATABASE_URL = value;
       }
+      if (key?.trim() === 'MIGRATE_DATABASE_URL' && valueParts.length > 0) {
+        MIGRATE_DATABASE_URL = value;
+      }
       if (key?.trim() === 'NEXT_PUBLIC_ACTIVE_THEME' && valueParts.length > 0) {
         ACTIVE_THEME = value;
       }
@@ -47,6 +55,9 @@ if (!DATABASE_URL) {
   process.exit(1);
 }
 
+// The URL used for the actual migration connection (owner credential).
+const MIGRATION_URL = MIGRATE_DATABASE_URL || DATABASE_URL;
+
 if (!ACTIVE_THEME) {
   console.error("❌ NEXT_PUBLIC_ACTIVE_THEME not found in environment variables");
   process.exit(1);
@@ -54,7 +65,7 @@ if (!ACTIVE_THEME) {
 
 async function runMigrations() {
   const client = new Client({
-    connectionString: DATABASE_URL,
+    connectionString: MIGRATION_URL,
     ssl: { 
       rejectUnauthorized: false,
       require: true
@@ -359,7 +370,7 @@ async function executeEntityMigration(client, migration) {
 // Entity migrations runner - WordPress-like architecture with sample_data deferred execution
 async function runEntityMigrations() {
   const client = new Client({
-    connectionString: DATABASE_URL,
+    connectionString: MIGRATION_URL,
     ssl: {
       rejectUnauthorized: false,
       require: true

package/templates/app/api/auth/[...all]/route.ts

@@ -8,6 +8,7 @@ import { isPublicSignupRestricted } from "@nextsparkjs/core/lib/teams/helpers";
 import { TeamService } from "@nextsparkjs/core/lib/services";
 import { wrapAuthHandlerWithCors, handleCorsPreflightRequest, addCorsHeaders } from "@nextsparkjs/core/lib/api/helpers";
 import { checkDistributedRateLimit } from "@nextsparkjs/core/lib/api/rate-limit";
+import { withSignupContext } from "@nextsparkjs/core/lib/auth-context";
 
 const handlers = toNextJsHandler(auth);
 
@@ -137,6 +138,18 @@ export async function POST(req: NextRequest) {
     }
   }
 
+  // Read the optional signup intent (`x-signup-intent` header) and run the signup
+  // within request-scoped context so the user.create.after hook can map it to an
+  // initial team role (AUTH_CONFIG.signupIntent).
+  const signupIntent = isSignupAttempt
+    ? (req.headers.get('x-signup-intent') || undefined)
+    : undefined;
+
   // Wrap with CORS headers for cross-origin requests (mobile apps, etc.)
-  return wrapAuthHandlerWithCors(() => handlers.POST(req), req);
+  return wrapAuthHandlerWithCors(
+    signupIntent
+      ? () => withSignupContext({ signupIntent }, () => handlers.POST(req))
+      : () => handlers.POST(req),
+    req
+  );
 }

package/templates/next.config.mjs

@@ -16,10 +16,7 @@ const nextConfig = {
     ignoreBuildErrors: true,
   },
   transpilePackages: ['@nextsparkjs/core'],
-  // Server-only packages that must NOT be bundled (they use Node built-ins like
-  // async_hooks). e.g. the AI plugin's @anthropic-ai/claude-agent-sdk. Listing
-  // a package here is harmless when it isn't installed.
-  serverExternalPackages: ['handlebars', '@anthropic-ai/claude-agent-sdk'],
+  serverExternalPackages: ['handlebars'],
   turbopack: {
     root: __dirname,
   },