@soulbatical/tetra-core 0.1.13 → 0.1.15

package/dist/generators/rls-auditor.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Tetra RLS Auditor v2.0
+ *
+ * Generates SQL queries that audit RLS compliance against Tetra standards.
+ * Run these queries on any Supabase project to find violations.
+ *
+ * Categories:
+ *   A. Foundation — RLS enabled, FORCE RLS, policies exist
+ *   B. Policy quality — roles, expressions, completeness
+ *   C. Auth functions — exist, correct signature, SECURITY DEFINER
+ *   D. RLS bypass routes — functions, views, grants that skip RLS
+ *   E. Data exposure — Realtime, storage, schema leaks
+ *   F. Migration verification — Tetra standards applied correctly
+ *
+ * Total: 22 checks (was 10 in v1.0)
+ */
+export interface AuditCheck {
+    /** Short identifier */
+    id: string;
+    /** Human-readable name */
+    name: string;
+    /** Category for grouping */
+    category: 'foundation' | 'policy' | 'auth' | 'bypass' | 'exposure' | 'migration';
+    /** Severity: error = must fix, warn = should fix, info = review */
+    severity: 'error' | 'warn' | 'info';
+    /** SQL query that returns violations (empty result = pass) */
+    sql: string;
+}
+/**
+ * Get all audit checks.
+ * Run each check's SQL on a Supabase project. Non-empty results are violations.
+ */
+export declare function getAuditChecks(): AuditCheck[];
+/**
+ * Generate a single SQL query that runs ALL audit checks and returns a summary.
+ * Returns one row per violation with check_id, severity, category, table_name, and issue.
+ */
+export declare function generateAuditSQL(): string;
+//# sourceMappingURL=rls-auditor.d.ts.map

package/dist/generators/rls-auditor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rls-auditor.d.ts","sourceRoot":"","sources":["../../src/generators/rls-auditor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,MAAM,WAAW,UAAU;IACzB,uBAAuB;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,0BAA0B;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,QAAQ,EAAE,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAAG,UAAU,GAAG,WAAW,CAAC;IACjF,mEAAmE;IACnE,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC;IACpC,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;GAGG;AACH,wBAAgB,cAAc,IAAI,UAAU,EAAE,CAic7C;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CA4CzC"}

package/dist/generators/rls-auditor.js

@@ -0,0 +1,505 @@
+/**
+ * Tetra RLS Auditor v2.0
+ *
+ * Generates SQL queries that audit RLS compliance against Tetra standards.
+ * Run these queries on any Supabase project to find violations.
+ *
+ * Categories:
+ *   A. Foundation — RLS enabled, FORCE RLS, policies exist
+ *   B. Policy quality — roles, expressions, completeness
+ *   C. Auth functions — exist, correct signature, SECURITY DEFINER
+ *   D. RLS bypass routes — functions, views, grants that skip RLS
+ *   E. Data exposure — Realtime, storage, schema leaks
+ *   F. Migration verification — Tetra standards applied correctly
+ *
+ * Total: 22 checks (was 10 in v1.0)
+ */
+/**
+ * Get all audit checks.
+ * Run each check's SQL on a Supabase project. Non-empty results are violations.
+ */
+export function getAuditChecks() {
+    return [
+        // ═══════════════════════════════════════════════════════════
+        // A. FOUNDATION — RLS enabled, force, policies exist
+        // ═══════════════════════════════════════════════════════════
+        {
+            id: 'no-rls',
+            name: 'Tables without RLS enabled',
+            category: 'foundation',
+            severity: 'error',
+            sql: `
+SELECT c.relname as table_name, 'RLS not enabled' as issue
+FROM pg_class c
+JOIN pg_namespace n ON n.oid = c.relnamespace
+WHERE n.nspname = 'public'
+  AND c.relkind = 'r'
+  AND c.relrowsecurity = false
+  AND c.relname NOT LIKE 'pg_%'
+  AND c.relname NOT LIKE '_supabase%'
+  AND c.relname NOT LIKE '_prisma%'
+ORDER BY c.relname;`,
+        },
+        {
+            id: 'no-force-rls',
+            name: 'Tables with RLS but without FORCE RLS (table owner bypasses)',
+            category: 'foundation',
+            severity: 'error',
+            sql: `
+SELECT c.relname as table_name, 'FORCE RLS not enabled — table owner bypasses all policies' as issue
+FROM pg_class c
+JOIN pg_namespace n ON n.oid = c.relnamespace
+WHERE n.nspname = 'public'
+  AND c.relkind = 'r'
+  AND c.relrowsecurity = true
+  AND c.relforcerowsecurity = false
+  AND c.relname NOT LIKE 'pg_%'
+  AND c.relname NOT LIKE '_supabase%'
+ORDER BY c.relname;`,
+        },
+        {
+            id: 'rls-no-policies',
+            name: 'Tables with RLS enabled but no policies (blocks ALL access)',
+            category: 'foundation',
+            severity: 'error',
+            sql: `
+SELECT c.relname as table_name, 'RLS enabled but zero policies — all access blocked including service' as issue
+FROM pg_class c
+JOIN pg_namespace n ON n.oid = c.relnamespace
+WHERE n.nspname = 'public'
+  AND c.relkind = 'r'
+  AND c.relrowsecurity = true
+  AND c.relname NOT IN (SELECT DISTINCT tablename FROM pg_policies WHERE schemaname = 'public')
+  AND c.relname NOT LIKE 'pg_%'
+  AND c.relname NOT LIKE '_supabase%'
+ORDER BY c.relname;`,
+        },
+        // ═══════════════════════════════════════════════════════════
+        // B. POLICY QUALITY — roles, expressions, completeness
+        // ═══════════════════════════════════════════════════════════
+        {
+            id: 'public-role-mutate',
+            name: 'Mutation policies allowing role public',
+            category: 'policy',
+            severity: 'error',
+            sql: `
+SELECT tablename as table_name, policyname || ' (' || cmd || ')' as issue
+FROM pg_policies
+WHERE schemaname = 'public'
+  AND roles::text = '{public}'
+  AND cmd != 'SELECT'
+  AND qual != 'false'
+ORDER BY tablename, cmd;`,
+        },
+        {
+            id: 'always-true-mutate',
+            name: 'USING(true) or WITH CHECK(true) on mutations',
+            category: 'policy',
+            severity: 'error',
+            sql: `
+SELECT tablename as table_name,
+  policyname || ': ' ||
+  CASE
+    WHEN qual = 'true' AND cmd != 'SELECT' THEN 'USING(true) on ' || cmd
+    WHEN with_check = 'true' AND cmd IN ('INSERT', 'UPDATE') THEN 'WITH CHECK(true) on ' || cmd
+  END as issue
+FROM pg_policies
+WHERE schemaname = 'public'
+  AND (
+    (qual = 'true' AND cmd != 'SELECT')
+    OR (with_check = 'true' AND cmd IN ('INSERT', 'UPDATE'))
+  )
+ORDER BY tablename, cmd;`,
+        },
+        {
+            id: 'insert-no-with-check',
+            name: 'INSERT policies without WITH CHECK (allows any data)',
+            category: 'policy',
+            severity: 'error',
+            sql: `
+SELECT tablename as table_name,
+  policyname || ': INSERT policy has no WITH CHECK clause' as issue
+FROM pg_policies
+WHERE schemaname = 'public'
+  AND cmd = 'INSERT'
+  AND (with_check IS NULL OR with_check = '')
+  AND qual != 'false'
+ORDER BY tablename;`,
+        },
+        {
+            id: 'update-mismatch',
+            name: 'UPDATE policies where USING and WITH CHECK differ (can change org_id)',
+            category: 'policy',
+            severity: 'error',
+            sql: `
+SELECT tablename as table_name,
+  policyname || ': USING != WITH CHECK — user could UPDATE row to change organization_id' as issue
+FROM pg_policies
+WHERE schemaname = 'public'
+  AND cmd = 'UPDATE'
+  AND qual IS NOT NULL
+  AND with_check IS NOT NULL
+  AND qual != 'false'
+  AND with_check != 'false'
+  AND qual != with_check
+  AND qual NOT LIKE '%auth.uid()%'
+ORDER BY tablename;`,
+        },
+        {
+            id: 'missing-crud-coverage',
+            name: 'Tables with partial CRUD coverage (missing operations)',
+            category: 'policy',
+            severity: 'warn',
+            sql: `
+WITH table_ops AS (
+  SELECT tablename, array_agg(DISTINCT cmd ORDER BY cmd) as ops
+  FROM pg_policies
+  WHERE schemaname = 'public'
+  GROUP BY tablename
+)
+SELECT tablename as table_name,
+  'Has policies for ' || array_to_string(ops, ', ') ||
+  ' but missing ' ||
+  array_to_string(
+    ARRAY(SELECT x FROM unnest(ARRAY['SELECT','INSERT','UPDATE','DELETE']) x WHERE x != ALL(ops)),
+    ', '
+  ) as issue
+FROM table_ops
+WHERE NOT (ops @> ARRAY['SELECT','INSERT','UPDATE','DELETE'])
+  AND NOT (ops = ARRAY['ALL'])
+  AND tablename NOT IN ('organization_members', 'organization_invites')
+ORDER BY tablename;`,
+        },
+        // ═══════════════════════════════════════════════════════════
+        // C. AUTH FUNCTIONS — exist, signature, security
+        // ═══════════════════════════════════════════════════════════
+        {
+            id: 'missing-auth-functions',
+            name: 'Missing Tetra auth helper functions',
+            category: 'auth',
+            severity: 'error',
+            sql: `
+SELECT fn as table_name, 'Function not found in public schema' as issue
+FROM unnest(ARRAY[
+  'auth_admin_organizations',
+  'auth_user_organizations',
+  'auth_creator_organizations',
+  'auth_current_user_id',
+  'auth_is_superadmin'
+]) fn
+WHERE NOT EXISTS (
+  SELECT 1 FROM pg_proc p
+  JOIN pg_namespace n ON n.oid = p.pronamespace
+  WHERE n.nspname = 'public' AND p.proname = fn
+);`,
+        },
+        {
+            id: 'auth-fn-not-security-definer',
+            name: 'Auth functions without SECURITY DEFINER (cannot read organization_members)',
+            category: 'auth',
+            severity: 'error',
+            sql: `
+SELECT p.proname as table_name,
+  'Not SECURITY DEFINER — function runs as caller who cannot access organization_members' as issue
+FROM pg_proc p
+JOIN pg_namespace n ON n.oid = p.pronamespace
+WHERE n.nspname = 'public'
+  AND p.proname IN ('auth_admin_organizations', 'auth_user_organizations',
+                     'auth_creator_organizations', 'auth_current_user_id', 'auth_is_superadmin')
+  AND NOT p.prosecdef
+ORDER BY p.proname;`,
+        },
+        {
+            id: 'auth-fn-wrong-search-path',
+            name: 'Auth functions with non-empty search_path (search_path injection risk)',
+            category: 'auth',
+            severity: 'error',
+            sql: `
+SELECT p.proname as table_name,
+  'search_path is not empty string — vulnerable to search_path injection. Got: ' ||
+  COALESCE(
+    (SELECT option_value FROM pg_options_to_table(p.proconfig) WHERE option_name = 'search_path'),
+    '(not set)'
+  ) as issue
+FROM pg_proc p
+JOIN pg_namespace n ON n.oid = p.pronamespace
+WHERE n.nspname = 'public'
+  AND p.proname IN ('auth_admin_organizations', 'auth_user_organizations',
+                     'auth_creator_organizations', 'auth_current_user_id', 'auth_is_superadmin')
+  AND (
+    p.proconfig IS NULL
+    OR NOT EXISTS (
+      SELECT 1 FROM pg_options_to_table(p.proconfig)
+      WHERE option_name = 'search_path' AND option_value IN ('', '""')
+    )
+  )
+ORDER BY p.proname;`,
+        },
+        {
+            id: 'auth-fn-not-stable',
+            name: 'Auth functions not marked STABLE (causes repeated evaluation per row)',
+            category: 'auth',
+            severity: 'warn',
+            sql: `
+SELECT p.proname as table_name,
+  'Volatility is ' || p.provolatile || ', should be s (STABLE) for performance' as issue
+FROM pg_proc p
+JOIN pg_namespace n ON n.oid = p.pronamespace
+WHERE n.nspname = 'public'
+  AND p.proname IN ('auth_admin_organizations', 'auth_user_organizations',
+                     'auth_creator_organizations', 'auth_current_user_id', 'auth_is_superadmin')
+  AND p.provolatile != 's'
+ORDER BY p.proname;`,
+        },
+        // ═══════════════════════════════════════════════════════════
+        // D. RLS BYPASS ROUTES — the real dangers
+        // ═══════════════════════════════════════════════════════════
+        {
+            id: 'security-definer-data-fn',
+            name: 'SECURITY DEFINER functions that return data (bypass RLS)',
+            category: 'bypass',
+            severity: 'error',
+            sql: `
+SELECT p.proname as table_name,
+  'SECURITY DEFINER + returns ' || pg_catalog.format_type(p.prorettype, NULL) ||
+  ' — runs as function owner, bypasses RLS' as issue
+FROM pg_proc p
+JOIN pg_namespace n ON n.oid = p.pronamespace
+WHERE n.nspname = 'public'
+  AND p.prosecdef = true
+  AND p.proname NOT IN (
+    'auth_admin_organizations', 'auth_user_organizations',
+    'auth_creator_organizations', 'auth_current_user_id', 'auth_is_superadmin',
+    'update_updated_at_column'
+  )
+  AND p.proname NOT LIKE 'st_%'
+  AND p.proname NOT LIKE 'postgis_%'
+  AND pg_catalog.format_type(p.prorettype, NULL) NOT IN ('trigger', 'event_trigger', 'void')
+ORDER BY p.proname;`,
+        },
+        {
+            id: 'anon-callable-functions',
+            name: 'Functions callable by anon role (unauthenticated access)',
+            category: 'bypass',
+            severity: 'error',
+            sql: `
+SELECT p.proname as table_name,
+  'EXECUTE granted to anon — unauthenticated users can call this function' as issue
+FROM pg_proc p
+JOIN pg_namespace n ON n.oid = p.pronamespace
+WHERE n.nspname = 'public'
+  AND p.proname NOT LIKE 'st_%'
+  AND p.proname NOT LIKE 'postgis_%'
+  AND p.proname NOT LIKE '_supabase%'
+  AND has_function_privilege('anon', p.oid, 'EXECUTE')
+  AND p.proname NOT IN ('auth_admin_organizations', 'auth_user_organizations',
+                         'auth_creator_organizations', 'auth_current_user_id', 'auth_is_superadmin')
+  AND pg_catalog.format_type(p.prorettype, NULL) NOT IN ('trigger', 'event_trigger')
+ORDER BY p.proname;`,
+        },
+        {
+            id: 'views-bypass-rls',
+            name: 'Views without security_invoker=true (run as view creator, bypass RLS)',
+            category: 'bypass',
+            severity: 'error',
+            sql: `
+SELECT c.relname as table_name,
+  'View runs as DEFINER (creator) — bypasses RLS on underlying tables. Add security_invoker=true' as issue
+FROM pg_class c
+JOIN pg_namespace n ON n.oid = c.relnamespace
+WHERE n.nspname = 'public'
+  AND c.relkind = 'v'
+  AND (
+    c.reloptions IS NULL
+    OR 'security_invoker=true' != ALL(c.reloptions)
+  )
+ORDER BY c.relname;`,
+        },
+        {
+            id: 'anon-table-grants',
+            name: 'Direct table grants to anon role',
+            category: 'bypass',
+            severity: 'error',
+            sql: `
+SELECT table_name,
+  'anon has ' || privilege_type || ' grant — even with RLS, anon can attempt queries' as issue
+FROM information_schema.table_privileges
+WHERE table_schema = 'public'
+  AND grantee = 'anon'
+  AND privilege_type IN ('INSERT', 'UPDATE', 'DELETE')
+  AND table_name NOT LIKE 'pg_%'
+  AND table_name NOT LIKE '_supabase%'
+ORDER BY table_name, privilege_type;`,
+        },
+        // ═══════════════════════════════════════════════════════════
+        // E. DATA EXPOSURE — Realtime, storage, schema
+        // ═══════════════════════════════════════════════════════════
+        {
+            id: 'realtime-on-sensitive',
+            name: 'Supabase Realtime enabled on sensitive tables',
+            category: 'exposure',
+            severity: 'warn',
+            sql: `
+SELECT tablename as table_name,
+  'Table is in supabase_realtime publication — live data streams bypass application-level auth' as issue
+FROM pg_publication_tables
+WHERE pubname = 'supabase_realtime'
+  AND schemaname = 'public'
+  AND tablename NOT IN ('messages', 'notifications')
+ORDER BY tablename;`,
+        },
+        // ═══════════════════════════════════════════════════════════
+        // F. MIGRATION VERIFICATION — Tetra standards applied
+        // ═══════════════════════════════════════════════════════════
+        {
+            id: 'legacy-columns',
+            name: 'Legacy column names (not snake_case)',
+            category: 'migration',
+            severity: 'error',
+            sql: `
+SELECT table_name, column_name || ' → should be ' ||
+  CASE
+    WHEN column_name = 'organizationid' THEN 'organization_id'
+    WHEN column_name = 'userid' THEN 'user_id'
+    WHEN column_name = 'user_public_id' THEN 'user_id'
+    WHEN column_name = 'firstname' THEN 'first_name'
+    WHEN column_name = 'lastname' THEN 'last_name'
+    WHEN column_name = 'createdat' THEN 'created_at'
+    WHEN column_name = 'updatedat' THEN 'updated_at'
+    WHEN column_name ~ '^[a-z]+id$' AND column_name != 'id' AND length(column_name) > 3
+      THEN regexp_replace(column_name, '([a-z])id$', '\\1_id')
+    ELSE 'unknown'
+  END as issue
+FROM information_schema.columns
+WHERE table_schema = 'public'
+  AND table_name NOT LIKE 'pg_%'
+  AND table_name NOT LIKE '_supabase%'
+  AND (
+    column_name IN ('organizationid', 'userid', 'user_public_id', 'firstname', 'lastname', 'createdat', 'updatedat')
+    OR (column_name ~ '^[a-z]+id$' AND column_name != 'id' AND length(column_name) > 3)
+  )
+ORDER BY table_name, column_name;`,
+        },
+        {
+            id: 'non-tetra-auth-pattern',
+            name: 'Policies not using Tetra auth functions',
+            category: 'migration',
+            severity: 'warn',
+            sql: `
+SELECT tablename as table_name,
+  policyname || ' (' || cmd || '): uses non-standard auth — ' || left(qual, 60) as issue
+FROM pg_policies
+WHERE schemaname = 'public'
+  AND qual IS NOT NULL
+  AND qual != 'true'
+  AND qual != 'false'
+  AND qual NOT LIKE '%auth_admin_organizations%'
+  AND qual NOT LIKE '%auth_user_organizations%'
+  AND qual NOT LIKE '%auth_creator_organizations%'
+  AND qual NOT LIKE '%auth_is_superadmin%'
+  AND qual NOT LIKE '%auth.uid()%'
+  AND qual NOT LIKE '%is_active%'
+ORDER BY tablename, cmd;`,
+        },
+        {
+            id: 'missing-org-column',
+            name: 'Tables without organization_id (except special tables)',
+            category: 'migration',
+            severity: 'warn',
+            sql: `
+SELECT c.relname as table_name, 'No organization_id column — cannot scope by org' as issue
+FROM pg_class c
+JOIN pg_namespace n ON n.oid = c.relnamespace
+WHERE n.nspname = 'public'
+  AND c.relkind = 'r'
+  AND c.relname NOT LIKE 'pg_%'
+  AND c.relname NOT LIKE '_supabase%'
+  AND c.relname NOT LIKE '_prisma%'
+  AND c.relname NOT IN ('organizations', 'users_public', 'organization_members', 'organization_invites')
+  AND NOT EXISTS (
+    SELECT 1 FROM information_schema.columns ic
+    WHERE ic.table_schema = 'public'
+      AND ic.table_name = c.relname
+      AND ic.column_name = 'organization_id'
+  )
+ORDER BY c.relname;`,
+        },
+        {
+            id: 'org-members-table',
+            name: 'organization_members table missing or wrong structure',
+            category: 'migration',
+            severity: 'error',
+            sql: `
+WITH expected_cols AS (
+  SELECT unnest(ARRAY['id','user_id','organization_id','role','status','created_at','updated_at']) as col
+),
+actual_cols AS (
+  SELECT column_name as col
+  FROM information_schema.columns
+  WHERE table_schema = 'public' AND table_name = 'organization_members'
+),
+table_exists AS (
+  SELECT EXISTS (
+    SELECT 1 FROM information_schema.tables
+    WHERE table_schema = 'public' AND table_name = 'organization_members'
+  ) as exists_flag
+)
+SELECT 'organization_members' as table_name,
+  CASE
+    WHEN NOT (SELECT exists_flag FROM table_exists) THEN 'Table does not exist'
+    ELSE 'Missing column: ' || e.col
+  END as issue
+FROM expected_cols e
+WHERE NOT (SELECT exists_flag FROM table_exists)
+  OR e.col NOT IN (SELECT col FROM actual_cols)
+LIMIT 1;`,
+        },
+    ];
+}
+/**
+ * Generate a single SQL query that runs ALL audit checks and returns a summary.
+ * Returns one row per violation with check_id, severity, category, table_name, and issue.
+ */
+export function generateAuditSQL() {
+    const checks = getAuditChecks();
+    const ctes = checks.map((check, i) => {
+        const innerSQL = check.sql.trim().replace(/;$/, '');
+        return `check_${i} AS (
+  SELECT
+    '${check.id}' as check_id,
+    '${check.severity}' as severity,
+    '${check.category}' as category,
+    '${check.name}' as check_name,
+    t.table_name,
+    t.issue
+  FROM (${innerSQL}) t
+)`;
+    });
+    const unions = checks.map((_, i) => `SELECT * FROM check_${i}`).join('\nUNION ALL\n');
+    return `-- ============================================================================
+-- Tetra RLS Audit v2.0
+-- ============================================================================
+-- 22 checks across 6 categories:
+--   A. Foundation — RLS enabled, FORCE RLS, policies exist
+--   B. Policy quality — roles, expressions, completeness
+--   C. Auth functions — exist, signature, SECURITY DEFINER
+--   D. RLS bypass routes — functions, views, grants that skip RLS
+--   E. Data exposure — Realtime, storage, schema leaks
+--   F. Migration verification — Tetra standards applied correctly
+--
+-- Empty result = all checks pass.
+-- Generated by: Tetra RLS Auditor v2.0
+-- ============================================================================
+
+WITH
+${ctes.join(',\n')}
+
+${unions}
+ORDER BY
+  CASE severity WHEN 'error' THEN 1 WHEN 'warn' THEN 2 ELSE 3 END,
+  CASE category WHEN 'foundation' THEN 1 WHEN 'policy' THEN 2 WHEN 'auth' THEN 3 WHEN 'bypass' THEN 4 WHEN 'exposure' THEN 5 ELSE 6 END,
+  check_id,
+  table_name;
+`;
+}
+//# sourceMappingURL=rls-auditor.js.map

package/dist/generators/rls-auditor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rls-auditor.js","sourceRoot":"","sources":["../../src/generators/rls-auditor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAeH;;;GAGG;AACH,MAAM,UAAU,cAAc;IAC5B,OAAO;QAEL,8DAA8D;QAC9D,qDAAqD;QACrD,8DAA8D;QAE9D;YACE,EAAE,EAAE,QAAQ;YACZ,IAAI,EAAE,4BAA4B;YAClC,QAAQ,EAAE,YAAY;YACtB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;oBAUS;SACf;QACD;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,8DAA8D;YACpE,QAAQ,EAAE,YAAY;YACtB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;oBAUS;SACf;QACD;YACE,EAAE,EAAE,iBAAiB;YACrB,IAAI,EAAE,6DAA6D;YACnE,QAAQ,EAAE,YAAY;YACtB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;oBAUS;SACf;QAED,8DAA8D;QAC9D,uDAAuD;QACvD,8DAA8D;QAE9D;YACE,EAAE,EAAE,oBAAoB;YACxB,IAAI,EAAE,wCAAwC;YAC9C,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;yBAOc;SACpB;QACD;YACE,EAAE,EAAE,oBAAoB;YACxB,IAAI,EAAE,8CAA8C;YACpD,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;;;;yBAac;SACpB;QACD;YACE,EAAE,EAAE,sBAAsB;YAC1B,IAAI,EAAE,sDAAsD;YAC5D,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;oBAQS;SACf;QACD;YACE,EAAE,EAAE,iBAAiB;YACrB,IAAI,EAAE,uEAAuE;YAC7E,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;;;oBAYS;SACf;QACD;YACE,EAAE,EAAE,uBAAuB;YAC3B,IAAI,EAAE,wDAAwD;YAC9D,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,MAAM;YAChB,GAAG,EAAE;;;;;;;;;;;;;;;;;;oBAkBS;SACf;QAED,8DAA8D;QAC9D,iDAAiD;QACjD,8DAA8D;QAE9D;YACE,EAAE,EAAE,wBAAwB;YAC5B,IAAI,EAAE,qCAAqC;YAC3C,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;;;;GAaR;SACE;QACD;YACE,EAAE,EAAE,8BAA8B;YAClC,IAAI,EAAE,4EAA4E;YAClF,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;oBASS;SACf;QACD;YACE,EAAE,EAAE,2BAA2B;YAC/B,IAAI,EAAE,wEAAwE;YAC9E,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;;;;;;;;;;oBAmBS;SACf;QACD;YACE,EAAE,EAAE,oBAAoB;YACxB,IAAI,EAAE,uEAAuE;YAC7E,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,MAAM;YAChB,GAAG,EAAE;;;;;;;;;oBASS;SACf;QAED,8DAA8D;QAC9D,0CAA0C;QAC1C,8DAA8D;QAE9D;YACE,EAAE,EAAE,0BAA0B;YAC9B,IAAI,EAAE,0DAA0D;YAChE,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;;;;;;;oBAgBS;SACf;QACD;YACE,EAAE,EAAE,yBAAyB;YAC7B,IAAI,EAAE,0DAA0D;YAChE,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;;;;oBAaS;SACf;QACD;YACE,EAAE,EAAE,kBAAkB;YACtB,IAAI,EAAE,uEAAuE;YAC7E,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;;oBAWS;SACf;QACD;YACE,EAAE,EAAE,mBAAmB;YACvB,IAAI,EAAE,kCAAkC;YACxC,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;qCAS0B;SAChC;QAED,8DAA8D;QAC9D,+CAA+C;QAC/C,8DAA8D;QAE9D;YACE,EAAE,EAAE,uBAAuB;YAC3B,IAAI,EAAE,+CAA+C;YACrD,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,MAAM;YAChB,GAAG,EAAE;;;;;;;oBAOS;SACf;QAED,8DAA8D;QAC9D,sDAAsD;QACtD,8DAA8D;QAE9D;YACE,EAAE,EAAE,gBAAgB;YACpB,IAAI,EAAE,sCAAsC;YAC5C,QAAQ,EAAE,WAAW;YACrB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;;;;;;;;;;;;;kCAsBuB;SAC7B;QACD;YACE,EAAE,EAAE,wBAAwB;YAC5B,IAAI,EAAE,yCAAyC;YAC/C,QAAQ,EAAE,WAAW;YACrB,QAAQ,EAAE,MAAM;YAChB,GAAG,EAAE;;;;;;;;;;;;;;yBAcc;SACpB;QACD;YACE,EAAE,EAAE,oBAAoB;YACxB,IAAI,EAAE,wDAAwD;YAC9D,QAAQ,EAAE,WAAW;YACrB,QAAQ,EAAE,MAAM;YAChB,GAAG,EAAE;;;;;;;;;;;;;;;;oBAgBS;SACf;QACD;YACE,EAAE,EAAE,mBAAmB;YACvB,IAAI,EAAE,uDAAuD;YAC7D,QAAQ,EAAE,WAAW;YACrB,QAAQ,EAAE,OAAO;YACjB,GAAG,EAAE;;;;;;;;;;;;;;;;;;;;;;;SAuBF;SACJ;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAEhC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QACnC,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACpD,OAAO,SAAS,CAAC;;OAEd,KAAK,CAAC,EAAE;OACR,KAAK,CAAC,QAAQ;OACd,KAAK,CAAC,QAAQ;OACd,KAAK,CAAC,IAAI;;;UAGP,QAAQ;EAChB,CAAC;IACD,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAEtF,OAAO;;;;;;;;;;;;;;;;EAgBP,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC;;EAEhB,MAAM;;;;;;CAMP,CAAC;AACF,CAAC"}

package/dist/generators/rls-checker.d.ts

@@ -0,0 +1,94 @@
+/**
+ * Tetra RLS Checker v2.0
+ *
+ * Runs the Tetra RLS audit checks against a live Supabase project
+ * and returns a structured report with pass/fail per check.
+ *
+ * This is NOT just a config checker — it verifies:
+ *   - Foundation: RLS enabled, FORCE RLS, policies exist
+ *   - Policy quality: roles, expressions, CRUD coverage
+ *   - Auth functions: exist, SECURITY DEFINER, search_path
+ *   - RLS bypass routes: functions/views/grants that skip RLS entirely
+ *   - Data exposure: Realtime on sensitive tables
+ *   - Migration state: Tetra standards actually applied in the DB
+ *
+ * Usage:
+ *   import { runRLSCheck } from '@tetra/core';
+ *   const report = await runRLSCheck(supabaseClient);
+ *   console.log(report.text);       // Full formatted report
+ *   console.log(report.passed);     // true only if zero errors
+ *   if (!report.passed) throw new Error(report.summary);
+ */
+import { type AuditCheck } from './rls-auditor.js';
+export interface RLSViolation {
+    table_name: string;
+    issue: string;
+    [key: string]: unknown;
+}
+export interface RLSCheckResult {
+    id: string;
+    name: string;
+    category: AuditCheck['category'];
+    severity: AuditCheck['severity'];
+    passed: boolean;
+    violationCount: number;
+    violations: RLSViolation[];
+}
+export interface RLSCategorySummary {
+    category: string;
+    label: string;
+    totalChecks: number;
+    passedChecks: number;
+    errorCount: number;
+    warnCount: number;
+    passed: boolean;
+}
+export interface RLSReport {
+    /** true if zero errors (warnings don't fail the report) */
+    passed: boolean;
+    /** Human-readable summary line */
+    summary: string;
+    /** Total checks run */
+    totalChecks: number;
+    passedCount: number;
+    errorCount: number;
+    warnCount: number;
+    infoCount: number;
+    /** Per-category breakdown */
+    categories: RLSCategorySummary[];
+    /** Per-check results */
+    checks: RLSCheckResult[];
+    /** ISO timestamp */
+    timestamp: string;
+    /** Formatted text report for logging/display */
+    text: string;
+}
+/**
+ * Minimal Supabase client interface — needs rpc() for SQL execution.
+ * Works with @supabase/supabase-js service_role client.
+ */
+interface SupabaseExecutor {
+    rpc: (fn: string, params: Record<string, unknown>) => Promise<{
+        data: unknown;
+        error: unknown;
+    }>;
+}
+/**
+ * Run all Tetra RLS audit checks against a live Supabase project.
+ * Uses the combined CTE approach for a single DB round-trip.
+ */
+export declare function runRLSCheck(supabase: SupabaseExecutor, options?: {
+    /** Only run checks of these severities */
+    severities?: AuditCheck['severity'][];
+    /** Only run checks in these categories */
+    categories?: AuditCheck['category'][];
+    /** Skip these check IDs */
+    skip?: string[];
+}): Promise<RLSReport>;
+/**
+ * Run checks one-by-one (slower but shows which check fails if SQL errors).
+ * Use this for debugging when runRLSCheck fails.
+ */
+export declare function runRLSCheckDebug(supabase: SupabaseExecutor): Promise<RLSReport>;
+export {};
+//# sourceMappingURL=rls-checker.d.ts.map

package/dist/generators/rls-checker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rls-checker.d.ts","sourceRoot":"","sources":["../../src/generators/rls-checker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAkB,KAAK,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnE,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;IACjC,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;IACjC,MAAM,EAAE,OAAO,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,YAAY,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,2DAA2D;IAC3D,MAAM,EAAE,OAAO,CAAC;IAChB,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,uBAAuB;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,6BAA6B;IAC7B,UAAU,EAAE,kBAAkB,EAAE,CAAC;IACjC,wBAAwB;IACxB,MAAM,EAAE,cAAc,EAAE,CAAC;IACzB,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gDAAgD;IAChD,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,UAAU,gBAAgB;IACxB,GAAG,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC;QAAE,IAAI,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CAClG;AAaD;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,gBAAgB,EAC1B,OAAO,CAAC,EAAE;IACR,0CAA0C;IAC1C,UAAU,CAAC,EAAE,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;IACtC,0CAA0C;IAC1C,UAAU,CAAC,EAAE,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;IACtC,2BAA2B;IAC3B,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB,GACA,OAAO,CAAC,SAAS,CAAC,CA+CpB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,gBAAgB,GACzB,OAAO,CAAC,SAAS,CAAC,CAkBpB"}