npm - @rvoh/dream - Versions diffs - 2.9.1 → 2.10.0 - Mend

@rvoh/dream 2.9.1 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (194) hide show

package/dist/cjs/src/dream/QueryDriver/Kysely.js CHANGED Viewed

@@ -2047,15 +2047,14 @@ const associationStringToAssociationAndMaybeAlias = function ({ dreamClass, asso
  * Resolve the value passed to `pg.Pool`'s `ssl` field for a given credential.
  *
  * Precedence:
- *   1. If `connectionConf.ssl` is set (boolean or `tls.ConnectionOptions`),
- *      pass it straight through to `pg`. This is the verified-TLS path —
- *      apps configure `{ rejectUnauthorized: true, ca: <bundle> }` for
- *      authenticated TLS against a private PKI, or `true` to use Node's
- *      default verification against the system CA store.
- *   2. Else if `connectionConf.useSsl` is `true`, fall back to
+ *   1. If `connectionConf.ssl` is set (object or explicit `false`), pass it
+ *      straight through to `pg`.
+ *   2. Else if `connectionConf.useSsl` is `true` (deprecated), fall back to
  *      `{ rejectUnauthorized: false }` — encrypted but **not** authenticated.
- *      Preserved for back-compat; new code should set `ssl` explicitly.
- *   3. Else disable TLS.
+ *
+ * `assertDbCredentialTlsDirective` (in `dream-app`) throws at
+ * `app.set('db', ...)` time when both `ssl` and `useSsl` are unset, so this
+ * resolver never sees the "neither directive" state.
  */
 export function resolvePostgresSsl(connectionConf) {
     if (connectionConf.ssl !== undefined)

package/dist/cjs/src/dream/QueryDriver/helpers/kysely/checkForNeedToBeRunMigrations.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { FileMigrationProvider, Migrator } from 'kysely';
+import { FileMigrationProvider, Migrator } from 'kysely/migration';
 import * as fs from 'node:fs/promises';
 import { closeAllConnectionsForConnectionName } from '../../../../db/DreamDbConnection.js';
 import db from '../../../../db/index.js';

package/dist/cjs/src/dream/QueryDriver/helpers/kysely/runMigration.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { FileMigrationProvider, Migrator } from 'kysely';
+import { FileMigrationProvider, Migrator } from 'kysely/migration';
 import * as fs from 'node:fs/promises';
 import DreamCLI from '../../../../cli/index.js';
 import colorize from '../../../../cli/logger/loggable/colorize.js';

package/dist/cjs/src/dream-app/index.js CHANGED Viewed

@@ -6,6 +6,7 @@ import Encrypt from '../encrypt/index.js';
 import DreamAppInitMissingCallToLoadModels from '../errors/dream-app/DreamAppInitMissingCallToLoadModels.js';
 import DreamAppInitMissingMissingProjectRoot from '../errors/dream-app/DreamAppInitMissingMissingProjectRoot.js';
 import DreamAppInitMissingPackageManager from '../errors/dream-app/DreamAppInitMissingPackageManager.js';
+import MissingDbSslDirective from '../errors/dream-app/MissingDbSslDirective.js';
 import autogeneratedFileDisclaimer from '../helpers/cli/autoGeneratedFileDisclaimer.js';
 import modelClassNameFrom from '../helpers/cli/modelClassNameFrom.js';
 import EnvInternal from '../helpers/EnvInternal.js';
@@ -345,14 +346,16 @@ A new key can also be generated from the CLI:
             case 'bypassDeprecationChecks':
                 this._bypassDeprecationChecks = options;
                 break;
-            case 'db':
-                if (typeof options === 'string') {
-                    this._dbCredentials[options] = secondaryOptions;
-                }
-                else {
-                    this._dbCredentials['default'] = options;
+            case 'db': {
+                const connectionName = typeof options === 'string' ? options : 'default';
+                const credentialOptions = (typeof options === 'string' ? secondaryOptions : options);
+                assertDbCredentialTlsDirective(credentialOptions.primary, connectionName, 'primary');
+                if (credentialOptions.replica) {
+                    assertDbCredentialTlsDirective(credentialOptions.replica, connectionName, 'replica');
                 }
+                this._dbCredentials[connectionName] = credentialOptions;
                 break;
+            }
             case 'encryption':
                 this._encryption = options;
                 break;
@@ -412,6 +415,11 @@ A new key can also be generated from the CLI:
         }
     }
 }
+function assertDbCredentialTlsDirective(credential, connectionName, credentialKey) {
+    if (credential.ssl === undefined && !credential.useSsl) {
+        throw new MissingDbSslDirective(connectionName, credentialKey);
+    }
+}
 function loggerArgToString(arg) {
     if (typeof arg === 'string')
         return arg;

package/dist/cjs/src/errors/dream-app/MissingDbSslDirective.js ADDED Viewed

@@ -0,0 +1,29 @@
+export default class MissingDbSslDirective extends Error {
+    connectionName;
+    credentialKey;
+    constructor(connectionName, credentialKey) {
+        super();
+        this.connectionName = connectionName;
+        this.credentialKey = credentialKey;
+    }
+    get message() {
+        return `
+DreamApp refused to register a db credential without an explicit TLS
+directive. Every \`SingleDbCredential\` passed to \`app.set('db', ...)\`
+must set one of:
+  ssl: { rejectUnauthorized: true }              // verified TLS (system CA)
+  ssl: { rejectUnauthorized: true, ca: <pem> }   // verified TLS (private CA)
+  ssl: { rejectUnauthorized: false }             // unverified TLS
+  ssl: false                                     // TLS disabled
+  useSsl: true                                   // legacy, deprecated
+Omitting the directive used to silently disable TLS. Throwing here
+turns the safety question into a deliberate decision at the call
+site, so a credential cannot reach production with TLS off by accident.
+  connection: ${this.connectionName}
+  credential: ${this.credentialKey}
+    `;
+    }
+}

package/dist/cjs/src/helpers/comparisonKey.js CHANGED Viewed

@@ -13,6 +13,8 @@ export default function comparisonKey(val, toKey = undefined) {
         case 'string':
         case 'bigint':
             return val;
+        case 'function':
+            return val;
         default:
             return val.toString();
     }

package/dist/esm/src/dream/QueryDriver/Kysely.js CHANGED Viewed

@@ -2047,15 +2047,14 @@ const associationStringToAssociationAndMaybeAlias = function ({ dreamClass, asso
  * Resolve the value passed to `pg.Pool`'s `ssl` field for a given credential.
  *
  * Precedence:
- *   1. If `connectionConf.ssl` is set (boolean or `tls.ConnectionOptions`),
- *      pass it straight through to `pg`. This is the verified-TLS path —
- *      apps configure `{ rejectUnauthorized: true, ca: <bundle> }` for
- *      authenticated TLS against a private PKI, or `true` to use Node's
- *      default verification against the system CA store.
- *   2. Else if `connectionConf.useSsl` is `true`, fall back to
+ *   1. If `connectionConf.ssl` is set (object or explicit `false`), pass it
+ *      straight through to `pg`.
+ *   2. Else if `connectionConf.useSsl` is `true` (deprecated), fall back to
  *      `{ rejectUnauthorized: false }` — encrypted but **not** authenticated.
- *      Preserved for back-compat; new code should set `ssl` explicitly.
- *   3. Else disable TLS.
+ *
+ * `assertDbCredentialTlsDirective` (in `dream-app`) throws at
+ * `app.set('db', ...)` time when both `ssl` and `useSsl` are unset, so this
+ * resolver never sees the "neither directive" state.
  */
 export function resolvePostgresSsl(connectionConf) {
     if (connectionConf.ssl !== undefined)

package/dist/esm/src/dream/QueryDriver/helpers/kysely/checkForNeedToBeRunMigrations.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { FileMigrationProvider, Migrator } from 'kysely';
+import { FileMigrationProvider, Migrator } from 'kysely/migration';
 import * as fs from 'node:fs/promises';
 import { closeAllConnectionsForConnectionName } from '../../../../db/DreamDbConnection.js';
 import db from '../../../../db/index.js';

package/dist/esm/src/dream/QueryDriver/helpers/kysely/runMigration.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { FileMigrationProvider, Migrator } from 'kysely';
+import { FileMigrationProvider, Migrator } from 'kysely/migration';
 import * as fs from 'node:fs/promises';
 import DreamCLI from '../../../../cli/index.js';
 import colorize from '../../../../cli/logger/loggable/colorize.js';

package/dist/esm/src/dream-app/index.js CHANGED Viewed

@@ -6,6 +6,7 @@ import Encrypt from '../encrypt/index.js';
 import DreamAppInitMissingCallToLoadModels from '../errors/dream-app/DreamAppInitMissingCallToLoadModels.js';
 import DreamAppInitMissingMissingProjectRoot from '../errors/dream-app/DreamAppInitMissingMissingProjectRoot.js';
 import DreamAppInitMissingPackageManager from '../errors/dream-app/DreamAppInitMissingPackageManager.js';
+import MissingDbSslDirective from '../errors/dream-app/MissingDbSslDirective.js';
 import autogeneratedFileDisclaimer from '../helpers/cli/autoGeneratedFileDisclaimer.js';
 import modelClassNameFrom from '../helpers/cli/modelClassNameFrom.js';
 import EnvInternal from '../helpers/EnvInternal.js';
@@ -345,14 +346,16 @@ A new key can also be generated from the CLI:
             case 'bypassDeprecationChecks':
                 this._bypassDeprecationChecks = options;
                 break;
-            case 'db':
-                if (typeof options === 'string') {
-                    this._dbCredentials[options] = secondaryOptions;
-                }
-                else {
-                    this._dbCredentials['default'] = options;
+            case 'db': {
+                const connectionName = typeof options === 'string' ? options : 'default';
+                const credentialOptions = (typeof options === 'string' ? secondaryOptions : options);
+                assertDbCredentialTlsDirective(credentialOptions.primary, connectionName, 'primary');
+                if (credentialOptions.replica) {
+                    assertDbCredentialTlsDirective(credentialOptions.replica, connectionName, 'replica');
                 }
+                this._dbCredentials[connectionName] = credentialOptions;
                 break;
+            }
             case 'encryption':
                 this._encryption = options;
                 break;
@@ -412,6 +415,11 @@ A new key can also be generated from the CLI:
         }
     }
 }
+function assertDbCredentialTlsDirective(credential, connectionName, credentialKey) {
+    if (credential.ssl === undefined && !credential.useSsl) {
+        throw new MissingDbSslDirective(connectionName, credentialKey);
+    }
+}
 function loggerArgToString(arg) {
     if (typeof arg === 'string')
         return arg;

package/dist/esm/src/errors/dream-app/MissingDbSslDirective.js ADDED Viewed

@@ -0,0 +1,29 @@
+export default class MissingDbSslDirective extends Error {
+    connectionName;
+    credentialKey;
+    constructor(connectionName, credentialKey) {
+        super();
+        this.connectionName = connectionName;
+        this.credentialKey = credentialKey;
+    }
+    get message() {
+        return `
+DreamApp refused to register a db credential without an explicit TLS
+directive. Every \`SingleDbCredential\` passed to \`app.set('db', ...)\`
+must set one of:
+  ssl: { rejectUnauthorized: true }              // verified TLS (system CA)
+  ssl: { rejectUnauthorized: true, ca: <pem> }   // verified TLS (private CA)
+  ssl: { rejectUnauthorized: false }             // unverified TLS
+  ssl: false                                     // TLS disabled
+  useSsl: true                                   // legacy, deprecated
+Omitting the directive used to silently disable TLS. Throwing here
+turns the safety question into a deliberate decision at the call
+site, so a credential cannot reach production with TLS off by accident.
+  connection: ${this.connectionName}
+  credential: ${this.credentialKey}
+    `;
+    }
+}

package/dist/esm/src/helpers/comparisonKey.js CHANGED Viewed

@@ -13,6 +13,8 @@ export default function comparisonKey(val, toKey = undefined) {
         case 'string':
         case 'bigint':
             return val;
+        case 'function':
+            return val;
         default:
             return val.toString();
     }

package/dist/types/src/dream/QueryDriver/Kysely.d.ts CHANGED Viewed

@@ -473,14 +473,13 @@ export default class KyselyQueryDriver<DreamInstance extends Dream> extends Quer
  * Resolve the value passed to `pg.Pool`'s `ssl` field for a given credential.
  *
  * Precedence:
- *   1. If `connectionConf.ssl` is set (boolean or `tls.ConnectionOptions`),
- *      pass it straight through to `pg`. This is the verified-TLS path —
- *      apps configure `{ rejectUnauthorized: true, ca: <bundle> }` for
- *      authenticated TLS against a private PKI, or `true` to use Node's
- *      default verification against the system CA store.
- *   2. Else if `connectionConf.useSsl` is `true`, fall back to
+ *   1. If `connectionConf.ssl` is set (object or explicit `false`), pass it
+ *      straight through to `pg`.
+ *   2. Else if `connectionConf.useSsl` is `true` (deprecated), fall back to
  *      `{ rejectUnauthorized: false }` — encrypted but **not** authenticated.
- *      Preserved for back-compat; new code should set `ssl` explicitly.
- *   3. Else disable TLS.
+ *
+ * `assertDbCredentialTlsDirective` (in `dream-app`) throws at
+ * `app.set('db', ...)` time when both `ssl` and `useSsl` are unset, so this
+ * resolver never sees the "neither directive" state.
  */
-export declare function resolvePostgresSsl(connectionConf: SingleDbCredential): boolean | TlsConnectionOptions;
+export declare function resolvePostgresSsl(connectionConf: SingleDbCredential): TlsConnectionOptions | false;

package/dist/types/src/dream-app/index.d.ts CHANGED Viewed

@@ -213,27 +213,35 @@ export interface SingleDbCredential {
     /**
      * @deprecated Use `ssl` instead.
      *
-     * The legacy boolean opt-in for Postgres TLS. When `true` (and `ssl` is not
+     * Legacy boolean opt-in for Postgres TLS. When `true` (and `ssl` is not
      * set), Dream connects with `{ rejectUnauthorized: false }` — TLS is on but
-     * the server certificate is not verified. The new `ssl` field accepts a
-     * full `tls.ConnectionOptions` object so callers can opt into verified TLS
-     * (`ssl: { rejectUnauthorized: true, ca: readFileSync('ca.pem') }`) or use
-     * Node's defaults (`ssl: true`). This field is preserved for back-compat
-     * and will be removed in a future major version.
+     * the server certificate is not verified. Preserved for back-compat and
+     * will be removed in a future major version. New code should set `ssl`
+     * directly.
      */
     useSsl?: boolean;
     /**
-     * Optional explicit TLS configuration passed straight through to `pg.Pool`'s
-     * `ssl` field. Takes precedence over the deprecated `useSsl` when provided.
+     * TLS configuration passed straight through to `pg.Pool`'s `ssl` field.
+     * Takes precedence over the deprecated `useSsl` when provided.
      *
-     * - `true` lets `pg` use Node's defaults (verified TLS against the system CA).
-     * - `false` disables TLS.
-     * - An object is `tls.ConnectionOptions` — set `rejectUnauthorized: true` plus
-     *   a `ca` bundle for verified TLS against a private PKI; set
-     *   `rejectUnauthorized: false` only if you accept opportunistic-TLS-without-
-     *   authentication (the historical default produced by `useSsl: true` alone).
+     * Set `rejectUnauthorized: true` (Node's own default) for verified TLS
+     * against the system CA store — the right choice for managed providers that
+     * present a public-CA-signed certificate (Supabase, Neon, Render, Azure
+     * Database for PostgreSQL on Flexible Server, etc.).
+     *
+     * For providers that present a private-CA certificate (AWS RDS,
+     * GCP Cloud SQL), add a `ca` bundle:
+     * `ssl: { rejectUnauthorized: true, ca: readFileSync('rds-ca.pem') }`.
+     *
+     * For providers that present a self-signed certificate (Heroku Hobby,
+     * some local docker images), set `rejectUnauthorized: false` — encrypted
+     * but unauthenticated.
+     *
+     * Set `false` to disable TLS entirely. Omitting `ssl` (and `useSsl`) throws
+     * at `app.set('db', ...)` time so the safety question is a deliberate
+     * decision at the call site rather than a silent default.
      */
-    ssl?: boolean | TlsConnectionOptions;
+    ssl?: TlsConnectionOptions | false;
 }
 export type DreamLogger = {
     info: (...args: any[]) => void;

package/dist/types/src/errors/dream-app/MissingDbSslDirective.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export default class MissingDbSslDirective extends Error {
+    private connectionName;
+    private credentialKey;
+    constructor(connectionName: string, credentialKey: 'primary' | 'replica');
+    get message(): string;
+}

package/dist/types/src/helpers/comparisonKey.d.ts CHANGED Viewed

	@@ -1 +1 @@
1	- export default function comparisonKey<ElementType>(val: ElementType, toKey?: ((a: ElementType) => string \| number \| bigint) \| undefined): number \| string \| bigint \| null \| undefined;
1	+ export default function comparisonKey<ElementType>(val: ElementType, toKey?: ((a: ElementType) => string \| number \| bigint) \| undefined): number \| string \| bigint \| null \| undefined \| ((...args: any[]) => any);