@outs-tand-ing/postgres 0.6.0 → 0.7.0

package/dist/scripts/check-rls-coverage.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Checks that every table referenced in PowerSync sync rules has an RLS policy in setup-rls.sql.
+ * Run: bun run check-rls
+ *
+ * Tables in sync rules but missing RLS → API mode returns 0 rows (silent data loss).
+ * This script catches that before it reaches production.
+ */
+export {};
+//# sourceMappingURL=check-rls-coverage.d.ts.map

package/dist/scripts/check-rls-coverage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-rls-coverage.d.ts","sourceRoot":"","sources":["../../src/scripts/check-rls-coverage.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG"}

package/dist/scripts/check-rls-coverage.js

@@ -0,0 +1,55 @@
+/**
+ * Checks that every table referenced in PowerSync sync rules has an RLS policy in setup-rls.sql.
+ * Run: bun run check-rls
+ *
+ * Tables in sync rules but missing RLS → API mode returns 0 rows (silent data loss).
+ * This script catches that before it reaches production.
+ */
+const scriptDir = import.meta.dir;
+const SYNC_RULES_PATH = `${scriptDir}/../../../powersync/config/sync-rules.yaml`;
+const RLS_SCRIPT_PATH = `${scriptDir}/setup-rls.sql`;
+// Tables that intentionally have no RLS policy (admin-only, accessed via owner role)
+const EXCLUDED_TABLES = new Set(['account_subscriptions_to_seasons']);
+const extractTables = (content, pattern) => {
+    const tables = new Set();
+    for (const match of content.matchAll(pattern)) {
+        const table = match[1].toLowerCase();
+        if (!table.startsWith('pg_') && !EXCLUDED_TABLES.has(table))
+            tables.add(table);
+    }
+    return tables;
+};
+const syncRules = await Bun.file(SYNC_RULES_PATH).text();
+const rlsScript = await Bun.file(RLS_SCRIPT_PATH).text();
+// Extract tables from sync rules: FROM "table", FROM table, JOIN "table", JOIN table
+const syncTables = extractTables(syncRules, /(?:FROM|JOIN)\s+"?(\w+)"?/gi);
+// Extract tables with RLS policies: CREATE POLICY ... ON table
+const rlsTables = extractTables(rlsScript, /CREATE\s+POLICY\s+\w+\s+ON\s+(\w+)/gi);
+// Also extract tables that are explicitly covered via helper functions (referenced inside USING)
+// These are indirect — e.g. account_subscriptions is queried inside api_user_season_ids()
+const helperTables = extractTables(rlsScript, /FROM\s+(\w+)\s+WHERE/gi);
+const coveredTables = new Set([...rlsTables, ...helperTables]);
+const missing = [];
+const covered = [];
+for (const table of [...syncTables].sort()) {
+    if (coveredTables.has(table))
+        covered.push(table);
+    else
+        missing.push(table);
+}
+console.log(`\n  Sync rule tables: ${syncTables.size}`);
+console.log(`  RLS policies:     ${rlsTables.size}`);
+console.log(`  Covered:          ${covered.length}`);
+if (missing.length) {
+    console.log(`\n  MISSING RLS POLICY:`);
+    for (const t of missing)
+        console.log(`    - ${t}`);
+    console.log(`\n  These tables will return 0 rows in API mode.`);
+    console.log(`  Add policies to setup-rls.sql and re-run it.\n`);
+    process.exit(1);
+}
+else {
+    console.log(`\n  All sync rule tables have RLS coverage.\n`);
+}
+export {};
+//# sourceMappingURL=check-rls-coverage.js.map

package/dist/scripts/check-rls-coverage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-rls-coverage.js","sourceRoot":"","sources":["../../src/scripts/check-rls-coverage.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAA;AACjC,MAAM,eAAe,GAAG,GAAG,SAAS,4CAA4C,CAAA;AAChF,MAAM,eAAe,GAAG,GAAG,SAAS,gBAAgB,CAAA;AAEpD,qFAAqF;AACrF,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,kCAAkC,CAAC,CAAC,CAAA;AAErE,MAAM,aAAa,GAAG,CAAC,OAAe,EAAE,OAAe,EAAe,EAAE;IACtE,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAA;IAChC,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAA;QACpC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;IAChF,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,CAAA;AACxD,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,EAAE,CAAA;AAExD,qFAAqF;AACrF,MAAM,UAAU,GAAG,aAAa,CAAC,SAAS,EAAE,6BAA6B,CAAC,CAAA;AAE1E,+DAA+D;AAC/D,MAAM,SAAS,GAAG,aAAa,CAAC,SAAS,EAAE,sCAAsC,CAAC,CAAA;AAElF,iGAAiG;AACjG,0FAA0F;AAC1F,MAAM,YAAY,GAAG,aAAa,CAAC,SAAS,EAAE,wBAAwB,CAAC,CAAA;AAEvE,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,SAAS,EAAE,GAAG,YAAY,CAAC,CAAC,CAAA;AAE9D,MAAM,OAAO,GAAa,EAAE,CAAA;AAC5B,MAAM,OAAO,GAAa,EAAE,CAAA;AAE5B,KAAK,MAAM,KAAK,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;IAC3C,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;;QAC5C,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AAC1B,CAAC;AAED,OAAO,CAAC,GAAG,CAAC,yBAAyB,UAAU,CAAC,IAAI,EAAE,CAAC,CAAA;AACvD,OAAO,CAAC,GAAG,CAAC,uBAAuB,SAAS,CAAC,IAAI,EAAE,CAAC,CAAA;AACpD,OAAO,CAAC,GAAG,CAAC,uBAAuB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;AAEpD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAA;IACtC,KAAK,MAAM,CAAC,IAAI,OAAO;QAAE,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;IAClD,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAA;IAC/D,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAA;IAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC;KAAM,CAAC;IACN,OAAO,CAAC,GAAG,CAAC,+CAA+C,CAAC,CAAA;AAC9D,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@outs-tand-ing/postgres",
-  "version": "0.6.0",
+  "version": "0.7.0",
   "description": "PostgreSQL database with Drizzle ORM for Outs project",
   "type": "module",
   "main": "./dist/index.js",
@@ -79,6 +79,7 @@
     "typecheck": "tsc --noEmit",
     "lint": "eslint .",
     "lint:fix": "eslint . --fix",
+    "check-rls": "bun run src/scripts/check-rls-coverage.ts",
     "backup": "bun run src/scripts/backup.ts",
     "restore": "bun run src/scripts/restore.ts",
     "test": "bun test"