@soulbatical/tetra-core 0.1.0

package/dist/core/SupabaseUserClient.d.ts

@@ -0,0 +1,14 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+export declare class SupabaseUserClient {
+    /**
+     * Create a public Supabase client (no authentication)
+     * Use this for public endpoints that don't require a user token
+     */
+    static getPublicClient(): SupabaseClient;
+    /**
+     * Create a Supabase client with user authentication context
+     * This ensures RLS policies use the authenticated user's permissions
+     */
+    static createForUser(userToken: string): Promise<SupabaseClient>;
+}
+//# sourceMappingURL=SupabaseUserClient.d.ts.map

package/dist/core/SupabaseUserClient.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SupabaseUserClient.d.ts","sourceRoot":"","sources":["../../src/core/SupabaseUserClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgB,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAKrE,qBAAa,kBAAkB;IAC7B;;;OAGG;IACH,MAAM,CAAC,eAAe,IAAI,cAAc;IAgBxC;;;OAGG;WACU,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;CAyBvE"}

package/dist/core/SupabaseUserClient.js

@@ -0,0 +1,49 @@
+import { createClient } from '@supabase/supabase-js';
+import { createLogger } from '../utils/logger.js';
+const logger = createLogger('database:client:user');
+export class SupabaseUserClient {
+    /**
+     * Create a public Supabase client (no authentication)
+     * Use this for public endpoints that don't require a user token
+     */
+    static getPublicClient() {
+        const supabaseUrl = process.env.SUPABASE_URL;
+        const supabaseAnonKey = process.env.SUPABASE_ANON_KEY;
+        if (!supabaseAnonKey) {
+            throw new Error('SUPABASE_ANON_KEY not found in environment');
+        }
+        return createClient(supabaseUrl, supabaseAnonKey, {
+            auth: {
+                persistSession: false,
+                autoRefreshToken: false
+            }
+        });
+    }
+    /**
+     * Create a Supabase client with user authentication context
+     * This ensures RLS policies use the authenticated user's permissions
+     */
+    static async createForUser(userToken) {
+        const supabaseUrl = process.env.SUPABASE_URL;
+        const supabaseAnonKey = process.env.SUPABASE_ANON_KEY;
+        if (!supabaseAnonKey) {
+            throw new Error('SUPABASE_ANON_KEY not found in environment');
+        }
+        if (!userToken) {
+            logger.error('No user token provided for authenticated client');
+            throw new Error('User token required for authenticated database access');
+        }
+        return createClient(supabaseUrl, supabaseAnonKey, {
+            global: {
+                headers: {
+                    Authorization: `Bearer ${userToken}`
+                }
+            },
+            auth: {
+                persistSession: false,
+                autoRefreshToken: false
+            }
+        });
+    }
+}
+//# sourceMappingURL=SupabaseUserClient.js.map

package/dist/core/SupabaseUserClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SupabaseUserClient.js","sourceRoot":"","sources":["../../src/core/SupabaseUserClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAkB,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,MAAM,GAAG,YAAY,CAAC,sBAAsB,CAAC,CAAC;AAEpD,MAAM,OAAO,kBAAkB;IAC7B;;;OAGG;IACH,MAAM,CAAC,eAAe;QACpB,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,YAAa,CAAC;QAC9C,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAkB,CAAC;QAEvD,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,OAAO,YAAY,CAAC,WAAW,EAAE,eAAe,EAAE;YAChD,IAAI,EAAE;gBACJ,cAAc,EAAE,KAAK;gBACrB,gBAAgB,EAAE,KAAK;aACxB;SACF,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,SAAiB;QAC1C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,YAAa,CAAC;QAC9C,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAkB,CAAC;QAEvD,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;YAChE,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,YAAY,CAAC,WAAW,EAAE,eAAe,EAAE;YAChD,MAAM,EAAE;gBACN,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,SAAS,EAAE;iBACrC;aACF;YACD,IAAI,EAAE;gBACJ,cAAc,EAAE,KAAK;gBACrB,gBAAgB,EAAE,KAAK;aACxB;SACF,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/core/adminDb.d.ts

@@ -0,0 +1,21 @@
+import { AuthenticatedRequest } from '../middleware/authMiddleware.js';
+/**
+ * Admin database helper - for organization admin operations
+ * Enforces admin role and logs access for audit
+ * RLS policies will allow access to all organization data
+ *
+ * @example
+ * ```typescript
+ * import { adminDB } from '@tetra/core';
+ *
+ * async getAllOrgOrders(req: AuthenticatedRequest, res: Response) {
+ *   const supabase = await adminDB(req);
+ *   const { data, error } = await supabase
+ *     .from('orders')
+ *     .select('*');
+ *   // RLS will filter to organization data only
+ * }
+ * ```
+ */
+export declare function adminDB(req: AuthenticatedRequest): Promise<import("@supabase/supabase-js").SupabaseClient<any, "public", "public", any, any>>;
+//# sourceMappingURL=adminDb.d.ts.map

package/dist/core/adminDb.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adminDb.d.ts","sourceRoot":"","sources":["../../src/core/adminDb.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAC;AAMvE;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,OAAO,CAAC,GAAG,EAAE,oBAAoB,8FAyBtD"}

package/dist/core/adminDb.js

@@ -0,0 +1,43 @@
+import { SupabaseUserClient } from './SupabaseUserClient.js';
+import { createLogger } from '../utils/logger.js';
+const logger = createLogger('security:db:admin');
+/**
+ * Admin database helper - for organization admin operations
+ * Enforces admin role and logs access for audit
+ * RLS policies will allow access to all organization data
+ *
+ * @example
+ * ```typescript
+ * import { adminDB } from '@tetra/core';
+ *
+ * async getAllOrgOrders(req: AuthenticatedRequest, res: Response) {
+ *   const supabase = await adminDB(req);
+ *   const { data, error } = await supabase
+ *     .from('orders')
+ *     .select('*');
+ *   // RLS will filter to organization data only
+ * }
+ * ```
+ */
+export async function adminDB(req) {
+    if (!req.userToken) {
+        throw new Error('Unauthorized: No user token provided');
+    }
+    // Check if user has admin privileges (either org admin or superadmin)
+    if (!req.user?.organizationId && !req.user?.is_superadmin) {
+        logger.error(`Admin access denied - no organization for user ${req.user?.id}`);
+        throw new Error('Forbidden: No active organization');
+    }
+    // For superadmins, they have admin access to any org
+    // For regular admins, RLS will enforce org boundaries
+    const isAdmin = req.user?.is_superadmin || req.user?.organizationId;
+    if (!isAdmin) {
+        logger.error(`Admin access denied for user ${req.user?.id}`);
+        throw new Error('Forbidden: Admin access required');
+    }
+    // Admin calls are expected and common - only log at debug level
+    logger.debug(`Admin database access: user=${req.user.id} org=${req.user.organizationId || 'superadmin'}`);
+    // Use regular user client - RLS will handle admin permissions
+    return SupabaseUserClient.createForUser(req.userToken);
+}
+//# sourceMappingURL=adminDb.js.map

package/dist/core/adminDb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adminDb.js","sourceRoot":"","sources":["../../src/core/adminDb.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,MAAM,GAAG,YAAY,CAAC,mBAAmB,CAAC,CAAC;AAEjD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,GAAyB;IACrD,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,sEAAsE;IACtE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,cAAc,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,aAAa,EAAE,CAAC;QAC1D,MAAM,CAAC,KAAK,CAAC,kDAAkD,GAAG,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QAC/E,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,qDAAqD;IACrD,sDAAsD;IACtD,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,aAAa,IAAI,GAAG,CAAC,IAAI,EAAE,cAAc,CAAC;IAEpE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,gCAAgC,GAAG,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IAED,gEAAgE;IAChE,MAAM,CAAC,KAAK,CAAC,+BAA+B,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,GAAG,CAAC,IAAI,CAAC,cAAc,IAAI,YAAY,EAAE,CAAC,CAAC;IAE1G,8DAA8D;IAC9D,OAAO,kBAAkB,CAAC,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AACzD,CAAC"}

package/dist/core/publicDb.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Public database helper - uses anonymous key for public access
+ * Respects RLS policies for public data access
+ *
+ * @example
+ * ```typescript
+ * import { publicDB } from '../../core/publicDb.js';
+ *
+ * async getPublicProducts(req: Request, res: Response) {
+ *   const supabase = publicDB();
+ *   const { data, error } = await supabase
+ *     .from('products')
+ *     .select('*')
+ *     .eq('active', true);
+ * }
+ * ```
+ */
+export declare function publicDB(): import("@supabase/supabase-js").SupabaseClient<any, "public", "public", any, any>;
+//# sourceMappingURL=publicDb.d.ts.map

package/dist/core/publicDb.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"publicDb.d.ts","sourceRoot":"","sources":["../../src/core/publicDb.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,QAAQ,sFAUvB"}

package/dist/core/publicDb.js

@@ -0,0 +1,29 @@
+import { createClient } from '@supabase/supabase-js';
+/**
+ * Public database helper - uses anonymous key for public access
+ * Respects RLS policies for public data access
+ *
+ * @example
+ * ```typescript
+ * import { publicDB } from '../../core/publicDb.js';
+ *
+ * async getPublicProducts(req: Request, res: Response) {
+ *   const supabase = publicDB();
+ *   const { data, error } = await supabase
+ *     .from('products')
+ *     .select('*')
+ *     .eq('active', true);
+ * }
+ * ```
+ */
+export function publicDB() {
+    const supabaseUrl = process.env.SUPABASE_URL;
+    const supabaseAnonKey = process.env.SUPABASE_ANON_KEY;
+    if (!supabaseUrl || !supabaseAnonKey) {
+        throw new Error('Missing Supabase configuration for public access');
+    }
+    // Create client with anon key - respects RLS policies
+    return createClient(supabaseUrl, supabaseAnonKey);
+}
+// NO ALIASES - BE EXPLICIT!
+//# sourceMappingURL=publicDb.js.map

package/dist/core/publicDb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"publicDb.js","sourceRoot":"","sources":["../../src/core/publicDb.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,QAAQ;IACtB,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAC7C,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAEtD,IAAI,CAAC,WAAW,IAAI,CAAC,eAAe,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,sDAAsD;IACtD,OAAO,YAAY,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;AACpD,CAAC;AAED,4BAA4B"}

package/dist/core/superadminDb.d.ts

@@ -0,0 +1,29 @@
+import { AuthenticatedRequest } from '../middleware/authMiddleware.js';
+/**
+ * Superadmin database helper - for cross-organization operations
+ * Only for users with is_superadmin = true
+ * Uses system database with full audit logging
+ *
+ * ⚠️ SECURITY WARNING:
+ * This provides FULL database access across ALL organizations!
+ * Only use for legitimate superadmin operations like:
+ * - Cross-organization reporting
+ * - System-wide maintenance
+ * - Emergency fixes
+ * - Data migrations
+ *
+ * @example
+ * ```typescript
+ * import { superadminDB } from '../../core/superadminDb.js';
+ *
+ * async getAllSystemOrders(req: AuthenticatedRequest, res: Response) {
+ *   const supabase = await superadminDB(req);
+ *   const { data, error } = await supabase
+ *     .from('orders')
+ *     .select('*');
+ *   // No RLS filtering - returns ALL orders from ALL organizations
+ * }
+ * ```
+ */
+export declare function superadminDB(req: AuthenticatedRequest): Promise<import("@supabase/supabase-js").SupabaseClient<any, "public", "public", any, any>>;
+//# sourceMappingURL=superadminDb.d.ts.map

package/dist/core/superadminDb.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"superadminDb.d.ts","sourceRoot":"","sources":["../../src/core/superadminDb.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAC;AAMvE;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,YAAY,CAAC,GAAG,EAAE,oBAAoB,8FAyB3D"}

package/dist/core/superadminDb.js

@@ -0,0 +1,53 @@
+import { systemDB } from './systemDb.js';
+import { createLogger } from '../utils/logger.js';
+const logger = createLogger('security:db:superadmin');
+/**
+ * Superadmin database helper - for cross-organization operations
+ * Only for users with is_superadmin = true
+ * Uses system database with full audit logging
+ *
+ * ⚠️ SECURITY WARNING:
+ * This provides FULL database access across ALL organizations!
+ * Only use for legitimate superadmin operations like:
+ * - Cross-organization reporting
+ * - System-wide maintenance
+ * - Emergency fixes
+ * - Data migrations
+ *
+ * @example
+ * ```typescript
+ * import { superadminDB } from '../../core/superadminDb.js';
+ *
+ * async getAllSystemOrders(req: AuthenticatedRequest, res: Response) {
+ *   const supabase = await superadminDB(req);
+ *   const { data, error } = await supabase
+ *     .from('orders')
+ *     .select('*');
+ *   // No RLS filtering - returns ALL orders from ALL organizations
+ * }
+ * ```
+ */
+export async function superadminDB(req) {
+    if (!req.user) {
+        throw new Error('Unauthorized: No authenticated user');
+    }
+    if (!req.user?.isSuperAdmin) {
+        logger.error(`🚫 Superadmin access denied for user ${req.user?.id}`);
+        throw new Error('Forbidden: Superadmin access required');
+    }
+    const context = `superadmin:${req.user.id}:${req.method}:${req.path}`;
+    logger.warn(`👑 Superadmin database access: ${context}`);
+    // Log additional details for audit trail
+    logger.info({
+        userId: req.user.id,
+        email: req.user.email,
+        method: req.method,
+        path: req.path,
+        timestamp: new Date().toISOString()
+    }, `Superadmin operation details:`);
+    // Superadmins get system access with full audit trail
+    // This bypasses RLS for cross-organizational operations
+    return systemDB(context);
+}
+// NO ALIASES - BE EXPLICIT!
+//# sourceMappingURL=superadminDb.js.map

package/dist/core/superadminDb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"superadminDb.js","sourceRoot":"","sources":["../../src/core/superadminDb.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,MAAM,GAAG,YAAY,CAAC,wBAAwB,CAAC,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAyB;IAC1D,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;QAC5B,MAAM,CAAC,KAAK,CAAC,wCAAwC,GAAG,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QACrE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,OAAO,GAAG,cAAc,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;IACtE,MAAM,CAAC,IAAI,CAAC,kCAAkC,OAAO,EAAE,CAAC,CAAC;IAEzD,yCAAyC;IACzC,MAAM,CAAC,IAAI,CAAC;QACV,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE;QACnB,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,KAAK;QACrB,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,EAAE,+BAA+B,CAAC,CAAC;IAEpC,sDAAsD;IACtD,wDAAwD;IACxD,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,4BAA4B"}

package/dist/core/systemDb.d.ts

@@ -0,0 +1,34 @@
+/**
+ * System Database Client — Service Role Key (bypasses RLS)
+ *
+ * For background tasks, cron jobs, and system operations that need
+ * full database access without user context.
+ *
+ * Projects should register their known contexts via addWhitelistedContexts()
+ * to avoid warning logs for legitimate system operations.
+ */
+import { SupabaseClient } from '@supabase/supabase-js';
+/**
+ * Register additional whitelisted contexts for your project.
+ * Call at app startup.
+ *
+ * @example
+ * addWhitelistedContexts([
+ *   'order-sync-service',
+ *   'email-queue-processor',
+ *   'phase-cron-service',
+ * ]);
+ */
+export declare function addWhitelistedContexts(contexts: string[]): void;
+/**
+ * Create a system-level Supabase client (service role key, bypasses RLS).
+ *
+ * @param context - Descriptive string for audit logging (e.g., 'order-sync-service')
+ */
+export declare function systemDB(context: string): SupabaseClient;
+/**
+ * Secure system DB — same as systemDB but with stricter logging.
+ * Use for operations that modify critical data.
+ */
+export declare function secureSystemDB(context: string): SupabaseClient;
+//# sourceMappingURL=systemDb.d.ts.map

package/dist/core/systemDb.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"systemDb.d.ts","sourceRoot":"","sources":["../../src/core/systemDb.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAgB,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAerE;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAI/D;AAED;;;;GAIG;AACH,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,CAexD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,CAG9D"}

package/dist/core/systemDb.js

@@ -0,0 +1,64 @@
+/**
+ * System Database Client — Service Role Key (bypasses RLS)
+ *
+ * For background tasks, cron jobs, and system operations that need
+ * full database access without user context.
+ *
+ * Projects should register their known contexts via addWhitelistedContexts()
+ * to avoid warning logs for legitimate system operations.
+ */
+import { createClient } from '@supabase/supabase-js';
+import { createLogger } from '../utils/logger.js';
+const logger = createLogger('security:db:system');
+/**
+ * Whitelist of known/approved system database contexts.
+ * Projects add their own via addWhitelistedContexts().
+ */
+const WHITELISTED_CONTEXTS = new Set([
+    // Tetra core
+    'system-migration',
+    'system-health-check',
+]);
+/**
+ * Register additional whitelisted contexts for your project.
+ * Call at app startup.
+ *
+ * @example
+ * addWhitelistedContexts([
+ *   'order-sync-service',
+ *   'email-queue-processor',
+ *   'phase-cron-service',
+ * ]);
+ */
+export function addWhitelistedContexts(contexts) {
+    for (const ctx of contexts) {
+        WHITELISTED_CONTEXTS.add(ctx);
+    }
+}
+/**
+ * Create a system-level Supabase client (service role key, bypasses RLS).
+ *
+ * @param context - Descriptive string for audit logging (e.g., 'order-sync-service')
+ */
+export function systemDB(context) {
+    const url = process.env.SUPABASE_URL;
+    const serviceKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
+    if (!url || !serviceKey) {
+        throw new Error('Missing SUPABASE_URL or SUPABASE_SERVICE_ROLE_KEY environment variables');
+    }
+    if (!WHITELISTED_CONTEXTS.has(context)) {
+        logger.warn({ context }, 'systemDB called with unknown context — consider whitelisting');
+    }
+    return createClient(url, serviceKey, {
+        auth: { persistSession: false }
+    });
+}
+/**
+ * Secure system DB — same as systemDB but with stricter logging.
+ * Use for operations that modify critical data.
+ */
+export function secureSystemDB(context) {
+    logger.info({ context }, 'secureSystemDB access');
+    return systemDB(context);
+}
+//# sourceMappingURL=systemDb.js.map

package/dist/core/systemDb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"systemDb.js","sourceRoot":"","sources":["../../src/core/systemDb.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAkB,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,MAAM,GAAG,YAAY,CAAC,oBAAoB,CAAC,CAAC;AAElD;;;GAGG;AACH,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAS;IAC3C,aAAa;IACb,kBAAkB;IAClB,qBAAqB;CACtB,CAAC,CAAC;AAEH;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB,CAAC,QAAkB;IACvD,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,QAAQ,CAAC,OAAe;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACrC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;IAEzD,IAAI,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;IAC7F,CAAC;IAED,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,EAAE,8DAA8D,CAAC,CAAC;IAC3F,CAAC;IAED,OAAO,YAAY,CAAC,GAAG,EAAE,UAAU,EAAE;QACnC,IAAI,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE;KAChC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,EAAE,uBAAuB,CAAC,CAAC;IAClD,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC"}

package/dist/core/userDb.d.ts

@@ -0,0 +1,22 @@
+import { AuthenticatedRequest } from '../middleware/authMiddleware.js';
+/**
+ * User database helper - for accessing user's own data
+ * Enforces JWT authentication and user context
+ * RLS policies will filter to user's own records
+ *
+ * @example
+ * ```typescript
+ * import { userDB } from '@tetra/core';
+ *
+ * async getUserProfile(req: AuthenticatedRequest, res: Response) {
+ *   const supabase = await userDB(req);
+ *   const { data, error } = await supabase
+ *     .from('users_public')
+ *     .select('*')
+ *     .eq('id', req.user.id)
+ *     .single();
+ * }
+ * ```
+ */
+export declare function userDB(req: AuthenticatedRequest): Promise<import("@supabase/supabase-js").SupabaseClient<any, "public", "public", any, any>>;
+//# sourceMappingURL=userDb.d.ts.map

package/dist/core/userDb.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"userDb.d.ts","sourceRoot":"","sources":["../../src/core/userDb.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAC;AAMvE;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,MAAM,CAAC,GAAG,EAAE,oBAAoB,8FAerD"}

package/dist/core/userDb.js

@@ -0,0 +1,36 @@
+import { SupabaseUserClient } from './SupabaseUserClient.js';
+import { createLogger } from '../utils/logger.js';
+const logger = createLogger('security:db:user');
+/**
+ * User database helper - for accessing user's own data
+ * Enforces JWT authentication and user context
+ * RLS policies will filter to user's own records
+ *
+ * @example
+ * ```typescript
+ * import { userDB } from '@tetra/core';
+ *
+ * async getUserProfile(req: AuthenticatedRequest, res: Response) {
+ *   const supabase = await userDB(req);
+ *   const { data, error } = await supabase
+ *     .from('users_public')
+ *     .select('*')
+ *     .eq('id', req.user.id)
+ *     .single();
+ * }
+ * ```
+ */
+export async function userDB(req) {
+    if (!req.userToken) {
+        logger.error('No user token in request!');
+        throw new Error('Unauthorized: No user token provided');
+    }
+    if (!req.user?.id) {
+        logger.error('No user context in request!');
+        throw new Error('Unauthorized: No user context');
+    }
+    logger.debug(`User database access: user=${req.user.id} org=${req.user.organizationId || 'none'}`);
+    // Use user client - RLS will filter to user's own data
+    return SupabaseUserClient.createForUser(req.userToken);
+}
+//# sourceMappingURL=userDb.js.map

package/dist/core/userDb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"userDb.js","sourceRoot":"","sources":["../../src/core/userDb.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,MAAM,GAAG,YAAY,CAAC,kBAAkB,CAAC,CAAC;AAEhD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,GAAyB;IACpD,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACnB,MAAM,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC;QAClB,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,8BAA8B,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,GAAG,CAAC,IAAI,CAAC,cAAc,IAAI,MAAM,EAAE,CAAC,CAAC;IAEnG,uDAAuD;IACvD,OAAO,kBAAkB,CAAC,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AACzD,CAAC"}

package/dist/core/webhookDb.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Webhook database helper - for external webhook endpoints
+ * Uses Service Role Key to bypass RLS for webhook operations
+ * Automatically prefixes context with "webhook:" for audit trail
+ *
+ * @param webhookSource - Name of the webhook source (e.g., 'buildship', 'stripe', 'mollie')
+ * @returns Supabase client with full system access
+ *
+ * @example
+ * ```typescript
+ * // In a webhook controller
+ * const supabase = webhookDB('stripe');
+ * ```
+ */
+export declare function webhookDB(webhookSource: string): import("@supabase/supabase-js").SupabaseClient<any, "public", "public", any, any>;
+//# sourceMappingURL=webhookDb.d.ts.map

package/dist/core/webhookDb.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhookDb.d.ts","sourceRoot":"","sources":["../../src/core/webhookDb.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;;;GAaG;AACH,wBAAgB,SAAS,CAAC,aAAa,EAAE,MAAM,qFAQ9C"}

package/dist/core/webhookDb.js

@@ -0,0 +1,26 @@
+import { systemDB } from './systemDb.js';
+import { createLogger } from '../utils/logger.js';
+const logger = createLogger('security:db:webhook');
+/**
+ * Webhook database helper - for external webhook endpoints
+ * Uses Service Role Key to bypass RLS for webhook operations
+ * Automatically prefixes context with "webhook:" for audit trail
+ *
+ * @param webhookSource - Name of the webhook source (e.g., 'buildship', 'stripe', 'mollie')
+ * @returns Supabase client with full system access
+ *
+ * @example
+ * ```typescript
+ * // In a webhook controller
+ * const supabase = webhookDB('stripe');
+ * ```
+ */
+export function webhookDB(webhookSource) {
+    const context = `webhook:${webhookSource}`;
+    // Log webhook access for security auditing
+    logger.info(`🔗 Webhook database access: ${context}`);
+    // Use systemDB under the hood with webhook-specific context
+    return systemDB(context);
+}
+// NO ALIASES - BE EXPLICIT!
+//# sourceMappingURL=webhookDb.js.map

package/dist/core/webhookDb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhookDb.js","sourceRoot":"","sources":["../../src/core/webhookDb.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,MAAM,GAAG,YAAY,CAAC,qBAAqB,CAAC,CAAC;AAEnD;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,SAAS,CAAC,aAAqB;IAC7C,MAAM,OAAO,GAAG,WAAW,aAAa,EAAE,CAAC;IAE3C,2CAA2C;IAC3C,MAAM,CAAC,IAAI,CAAC,+BAA+B,OAAO,EAAE,CAAC,CAAC;IAEtD,4DAA4D;IAC5D,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC3B,CAAC;AAED,4BAA4B"}

package/dist/frontend/components/FeatureFilters.d.ts

@@ -0,0 +1,81 @@
+/**
+ * FeatureFilters — Config-driven filter bar component
+ *
+ * Replaces ALL per-feature filter implementations with a single generic component
+ * driven by FeatureConfig.filters[].
+ *
+ * Before (50+ lines boilerplate PER feature):
+ *   <Select value={status} onChange={setStatus} options={statusOptions} />
+ *   <Input value={search} onChange={setSearch} placeholder="Search..." />
+ *   <DatePicker value={dateRange} onChange={setDateRange} />
+ *
+ * After (ZERO boilerplate):
+ *   <FeatureFilters config={ordersConfig} feature={feature} />
+ *
+ * Filter type → UI mapping:
+ * - search      → SearchInput (debounced text input)
+ * - enum        → Select dropdown
+ * - column      → Select dropdown (same as enum, column-based)
+ * - boolean     → Toggle / Switch
+ * - multiselect → Multi-select with checkboxes
+ * - daterange   → Date range picker (from/to)
+ * - time        → Select dropdown (preset time periods)
+ * - nullable    → Select dropdown (all/with/without)
+ * - related     → Select dropdown (all/with/without)
+ * - numeric     → Number range inputs (min/max)
+ * - array       → Multi-select (same UI as multiselect)
+ *
+ * @module @tetra/core/frontend
+ * Created: February 20, 2026
+ */
+import React from 'react';
+import type { FeatureConfig, FilterConfig } from '../../shared/types/feature-config.js';
+import type { UseFeatureResult } from '../hooks/useFeature.js';
+export interface FeatureFiltersProps<TItem = Record<string, unknown>> {
+    /** Feature configuration with filters[] */
+    config: FeatureConfig<TItem>;
+    /** Result from useFeature() hook */
+    feature: UseFeatureResult<TItem>;
+    /** CSS class for the filter bar wrapper */
+    className?: string;
+    /** Layout: horizontal bar or vertical stack (default: 'horizontal') */
+    layout?: 'horizontal' | 'vertical';
+    /** Show reset button (default: true) */
+    showReset?: boolean;
+    /** Reset button label (default: 'Reset') */
+    resetLabel?: string;
+    /** Show active filter count badge (default: true) */
+    showActiveCount?: boolean;
+    /** Collapse filters behind a "More filters" button (default: auto based on filter count) */
+    collapsible?: boolean;
+    /** Max visible filters before collapsing (default: 4) */
+    maxVisible?: number;
+    /** "More filters" button label (default: 'More filters') */
+    moreLabel?: string;
+    /** Show filter count badges from feature.counts (default: true) */
+    showCounts?: boolean;
+    /** Custom filter renderers (keyed by filter name) */
+    filterRenderers?: Record<string, (filter: FilterConfig, value: string | string[] | undefined, onChange: (value: string | string[] | undefined) => void, counts?: Record<string, number>) => React.ReactNode>;
+}
+/**
+ * FeatureFilters — Config-driven filter bar
+ *
+ * @example
+ * ```tsx
+ * import { ordersConfig } from '@/config/features/orders.config';
+ * import { useFeature, FeatureFilters, FeatureTable } from '@tetra/core/frontend';
+ *
+ * function OrdersPage() {
+ *   const feature = useFeature(ordersConfig, supabase, { organizationId });
+ *
+ *   return (
+ *     <div>
+ *       <FeatureFilters config={ordersConfig} feature={feature} />
+ *       <FeatureTable config={ordersConfig} feature={feature} />
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+export declare function FeatureFilters<TItem = Record<string, unknown>>({ config, feature, className, layout, showReset, resetLabel, showActiveCount, collapsible, maxVisible, moreLabel, showCounts, filterRenderers, }: FeatureFiltersProps<TItem>): import("react/jsx-runtime").JSX.Element;
+//# sourceMappingURL=FeatureFilters.d.ts.map

package/dist/frontend/components/FeatureFilters.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"FeatureFilters.d.ts","sourceRoot":"","sources":["../../../src/frontend/components/FeatureFilters.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,KAAyC,MAAM,OAAO,CAAC;AAC9D,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAkB,MAAM,sCAAsC,CAAC;AACxG,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAW/D,MAAM,WAAW,mBAAmB,CAAC,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAClE,2CAA2C;IAC3C,MAAM,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC;IAE7B,oCAAoC;IACpC,OAAO,EAAE,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAEjC,2CAA2C;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,uEAAuE;IACvE,MAAM,CAAC,EAAE,YAAY,GAAG,UAAU,CAAC;IAEnC,wCAAwC;IACxC,SAAS,CAAC,EAAE,OAAO,CAAC;IAEpB,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,qDAAqD;IACrD,eAAe,CAAC,EAAE,OAAO,CAAC;IAE1B,4FAA4F;IAC5F,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,4DAA4D;IAC5D,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,mEAAmE;IACnE,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB,qDAAqD;IACrD,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,CAC/B,MAAM,EAAE,YAAY,EACpB,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,EACpC,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,KAAK,IAAI,EACxD,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAC5B,KAAK,CAAC,SAAS,CAAC,CAAC;CACvB;AAoaD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,cAAc,CAAC,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EAC9D,MAAM,EACN,OAAO,EACP,SAAS,EACT,MAAqB,EACrB,SAAgB,EAChB,UAAoB,EACpB,eAAsB,EACtB,WAAW,EACX,UAAc,EACd,SAA0B,EAC1B,UAAiB,EACjB,eAAe,GAChB,EAAE,mBAAmB,CAAC,KAAK,CAAC,2CAuI5B"}