npm - @soulbatical/tetra-core - Versions diffs - 0.1.13 → 0.1.15 - Mend

@soulbatical/tetra-core 0.1.13 → 0.1.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @soulbatical/tetra-core might be problematic. Click here for more details.

Files changed (77) hide show

package/dist/generators/rls-auditor.d.ts +39 -0
package/dist/generators/rls-auditor.d.ts.map +1 -0
package/dist/generators/rls-auditor.js +505 -0
package/dist/generators/rls-auditor.js.map +1 -0
package/dist/generators/rls-checker.d.ts +94 -0
package/dist/generators/rls-checker.d.ts.map +1 -0
package/dist/generators/rls-checker.js +215 -0
package/dist/generators/rls-checker.js.map +1 -0
package/dist/generators/rls-generator.d.ts +77 -0
package/dist/generators/rls-generator.d.ts.map +1 -0
package/dist/generators/rls-generator.js +402 -0
package/dist/generators/rls-generator.js.map +1 -0
package/dist/generators/rpc/detail-rpc-generator.d.ts +58 -0
package/dist/generators/rpc/detail-rpc-generator.d.ts.map +1 -0
package/dist/generators/rpc/detail-rpc-generator.js +163 -0
package/dist/generators/rpc/detail-rpc-generator.js.map +1 -0
package/dist/generators/rpc/index.d.ts +24 -0
package/dist/generators/rpc/index.d.ts.map +1 -0
package/dist/generators/rpc/index.js +20 -0
package/dist/generators/rpc/index.js.map +1 -0
package/dist/generators/rpc/rpc-generator.d.ts +150 -0
package/dist/generators/rpc/rpc-generator.d.ts.map +1 -0
package/dist/generators/rpc/rpc-generator.js +743 -0
package/dist/generators/rpc/rpc-generator.js.map +1 -0
package/dist/generators/rpc/templates/array.d.ts +29 -0
package/dist/generators/rpc/templates/array.d.ts.map +1 -0
package/dist/generators/rpc/templates/array.js +40 -0
package/dist/generators/rpc/templates/array.js.map +1 -0
package/dist/generators/rpc/templates/auth.d.ts +85 -0
package/dist/generators/rpc/templates/auth.d.ts.map +1 -0
package/dist/generators/rpc/templates/auth.js +233 -0
package/dist/generators/rpc/templates/auth.js.map +1 -0
package/dist/generators/rpc/templates/column.d.ts +39 -0
package/dist/generators/rpc/templates/column.d.ts.map +1 -0
package/dist/generators/rpc/templates/column.js +97 -0
package/dist/generators/rpc/templates/column.js.map +1 -0
package/dist/generators/rpc/templates/enum.d.ts +33 -0
package/dist/generators/rpc/templates/enum.d.ts.map +1 -0
package/dist/generators/rpc/templates/enum.js +93 -0
package/dist/generators/rpc/templates/enum.js.map +1 -0
package/dist/generators/rpc/templates/nullable.d.ts +31 -0
package/dist/generators/rpc/templates/nullable.d.ts.map +1 -0
package/dist/generators/rpc/templates/nullable.js +50 -0
package/dist/generators/rpc/templates/nullable.js.map +1 -0
package/dist/generators/rpc/templates/related.d.ts +47 -0
package/dist/generators/rpc/templates/related.d.ts.map +1 -0
package/dist/generators/rpc/templates/related.js +182 -0
package/dist/generators/rpc/templates/related.js.map +1 -0
package/dist/generators/rpc/templates/search.d.ts +42 -0
package/dist/generators/rpc/templates/search.d.ts.map +1 -0
package/dist/generators/rpc/templates/search.js +81 -0
package/dist/generators/rpc/templates/search.js.map +1 -0
package/dist/generators/rpc/templates/time.d.ts +44 -0
package/dist/generators/rpc/templates/time.d.ts.map +1 -0
package/dist/generators/rpc/templates/time.js +143 -0
package/dist/generators/rpc/templates/time.js.map +1 -0
package/dist/generators/rpc/utils.d.ts +58 -0
package/dist/generators/rpc/utils.d.ts.map +1 -0
package/dist/generators/rpc/utils.js +92 -0
package/dist/generators/rpc/utils.js.map +1 -0
package/dist/generators/rpc/validator.d.ts +21 -0
package/dist/generators/rpc/validator.d.ts.map +1 -0
package/dist/generators/rpc/validator.js +398 -0
package/dist/generators/rpc/validator.js.map +1 -0
package/dist/index.d.ts +9 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +6 -0
package/dist/index.js.map +1 -1
package/dist/shared/auth/index.d.ts +1 -1
package/dist/shared/auth/index.d.ts.map +1 -1
package/dist/shared/auth/routes.d.ts +4 -1
package/dist/shared/auth/routes.d.ts.map +1 -1
package/dist/shared/auth/routes.js +83 -1
package/dist/shared/auth/routes.js.map +1 -1
package/dist/shared/auth/types.d.ts +24 -0
package/dist/shared/auth/types.d.ts.map +1 -1
package/package.json +1 -1

package/dist/generators/rls-checker.js ADDED Viewed

@@ -0,0 +1,215 @@
+/**
+ * Tetra RLS Checker v2.0
+ *
+ * Runs the Tetra RLS audit checks against a live Supabase project
+ * and returns a structured report with pass/fail per check.
+ *
+ * This is NOT just a config checker — it verifies:
+ *   - Foundation: RLS enabled, FORCE RLS, policies exist
+ *   - Policy quality: roles, expressions, CRUD coverage
+ *   - Auth functions: exist, SECURITY DEFINER, search_path
+ *   - RLS bypass routes: functions/views/grants that skip RLS entirely
+ *   - Data exposure: Realtime on sensitive tables
+ *   - Migration state: Tetra standards actually applied in the DB
+ *
+ * Usage:
+ *   import { runRLSCheck } from '@tetra/core';
+ *   const report = await runRLSCheck(supabaseClient);
+ *   console.log(report.text);       // Full formatted report
+ *   console.log(report.passed);     // true only if zero errors
+ *   if (!report.passed) throw new Error(report.summary);
+ */
+import { getAuditChecks } from './rls-auditor.js';
+const CATEGORY_LABELS = {
+    foundation: 'A. Foundation (RLS enabled, policies exist)',
+    policy: 'B. Policy Quality (roles, expressions)',
+    auth: 'C. Auth Functions (exist, secure)',
+    bypass: 'D. RLS Bypass Routes (the real dangers)',
+    exposure: 'E. Data Exposure (Realtime, grants)',
+    migration: 'F. Migration Verification (Tetra standards)',
+};
+const CATEGORY_ORDER = ['foundation', 'policy', 'auth', 'bypass', 'exposure', 'migration'];
+/**
+ * Run all Tetra RLS audit checks against a live Supabase project.
+ * Uses the combined CTE approach for a single DB round-trip.
+ */
+export async function runRLSCheck(supabase, options) {
+    const allChecks = getAuditChecks();
+    const { severities, categories: cats, skip = [] } = options ?? {};
+    const checks = allChecks.filter(c => {
+        if (skip.includes(c.id))
+            return false;
+        if (severities && !severities.includes(c.severity))
+            return false;
+        if (cats && !cats.includes(c.category))
+            return false;
+        return true;
+    });
+    // Build combined CTE query for single DB round-trip
+    const ctes = checks.map((check, i) => {
+        const innerSQL = check.sql.trim().replace(/;$/, '');
+        return `check_${i} AS (
+  SELECT '${check.id}' as check_id, t.table_name, t.issue
+  FROM (${innerSQL}) t
+)`;
+    });
+    const unions = checks.map((_, i) => `SELECT * FROM check_${i}`).join('\nUNION ALL\n');
+    const combinedSQL = `WITH\n${ctes.join(',\n')}\n\n${unions}\nORDER BY check_id, table_name;`;
+    const rows = await executeSQL(supabase, combinedSQL);
+    // Group violations by check_id
+    const violationsByCheck = new Map();
+    for (const row of rows) {
+        const checkId = row.check_id;
+        if (!violationsByCheck.has(checkId))
+            violationsByCheck.set(checkId, []);
+        violationsByCheck.get(checkId).push(row);
+    }
+    const results = checks.map(check => {
+        const violations = violationsByCheck.get(check.id) ?? [];
+        return {
+            id: check.id,
+            name: check.name,
+            category: check.category,
+            severity: check.severity,
+            passed: violations.length === 0,
+            violationCount: violations.length,
+            violations,
+        };
+    });
+    return buildReport(results);
+}
+/**
+ * Run checks one-by-one (slower but shows which check fails if SQL errors).
+ * Use this for debugging when runRLSCheck fails.
+ */
+export async function runRLSCheckDebug(supabase) {
+    const checks = getAuditChecks();
+    const results = [];
+    for (const check of checks) {
+        const violations = await executeSQL(supabase, check.sql);
+        results.push({
+            id: check.id,
+            name: check.name,
+            category: check.category,
+            severity: check.severity,
+            passed: violations.length === 0,
+            violationCount: violations.length,
+            violations,
+        });
+    }
+    return buildReport(results);
+}
+// ─── Internal ───────────────────────────────────────────────
+function buildReport(results) {
+    const errorCount = results.filter(r => !r.passed && r.severity === 'error').length;
+    const warnCount = results.filter(r => !r.passed && r.severity === 'warn').length;
+    const infoCount = results.filter(r => !r.passed && r.severity === 'info').length;
+    const passedCount = results.filter(r => r.passed).length;
+    const passed = errorCount === 0;
+    // Build category summaries
+    const categories = CATEGORY_ORDER
+        .filter(cat => results.some(r => r.category === cat))
+        .map(cat => {
+        const catChecks = results.filter(r => r.category === cat);
+        const catErrors = catChecks.filter(r => !r.passed && r.severity === 'error').length;
+        const catWarns = catChecks.filter(r => !r.passed && r.severity === 'warn').length;
+        return {
+            category: cat,
+            label: CATEGORY_LABELS[cat] ?? cat,
+            totalChecks: catChecks.length,
+            passedChecks: catChecks.filter(r => r.passed).length,
+            errorCount: catErrors,
+            warnCount: catWarns,
+            passed: catErrors === 0,
+        };
+    });
+    const parts = [];
+    if (errorCount > 0)
+        parts.push(`${errorCount} error${errorCount > 1 ? 's' : ''}`);
+    if (warnCount > 0)
+        parts.push(`${warnCount} warning${warnCount > 1 ? 's' : ''}`);
+    if (infoCount > 0)
+        parts.push(`${infoCount} info`);
+    const summary = passed
+        ? parts.length > 0
+            ? `PASS: ${passedCount}/${results.length} checks passed (${parts.join(', ')})`
+            : `PASS: ${passedCount}/${results.length} checks passed — all clear`
+        : `FAIL: ${passedCount}/${results.length} checks passed (${parts.join(', ')})`;
+    const text = formatTextReport(results, categories, summary, passed);
+    return {
+        passed,
+        summary,
+        totalChecks: results.length,
+        passedCount,
+        errorCount,
+        warnCount,
+        infoCount,
+        categories,
+        checks: results,
+        timestamp: new Date().toISOString(),
+        text,
+    };
+}
+async function executeSQL(supabase, sql) {
+    // Try common RPC function names for raw SQL execution
+    for (const fnName of ['exec_sql', 'execute_sql']) {
+        const { data, error } = await supabase.rpc(fnName, { query: sql });
+        if (!error && Array.isArray(data))
+            return data;
+        if (!error && data === null)
+            return [];
+    }
+    return [{ table_name: '_rls_checker', issue: 'No exec_sql or execute_sql function found. Create one to run the checker.' }];
+}
+function formatTextReport(results, categories, summary, passed) {
+    const w = 64;
+    const line = '='.repeat(w);
+    const thin = '-'.repeat(w);
+    const lines = [
+        line,
+        '  Tetra RLS Security Report v2.0',
+        line,
+        '',
+        `  Result: ${passed ? 'PASS' : '*** FAIL ***'}`,
+        `  ${summary}`,
+        '',
+    ];
+    // Category overview
+    lines.push('  Category Overview:');
+    for (const cat of categories) {
+        const icon = cat.passed ? 'OK' : 'XX';
+        const detail = cat.passed
+            ? `${cat.passedChecks}/${cat.totalChecks} passed`
+            : `${cat.errorCount} errors, ${cat.warnCount} warnings`;
+        lines.push(`    [${icon}] ${cat.label}`);
+        lines.push(`         ${detail}`);
+    }
+    lines.push('');
+    // Detailed results per category
+    for (const cat of categories) {
+        const catResults = results.filter(r => r.category === cat.category);
+        lines.push(thin);
+        lines.push(`  ${cat.label}`);
+        lines.push(thin);
+        for (const r of catResults) {
+            const icon = r.passed ? 'PASS' : r.severity === 'error' ? 'FAIL' : 'WARN';
+            lines.push(`  [${icon}] ${r.name}`);
+            if (!r.passed) {
+                const show = r.violations.slice(0, 8);
+                for (const v of show) {
+                    const issue = v.issue.length > 50 ? v.issue.slice(0, 50) + '...' : v.issue;
+                    lines.push(`         ${v.table_name}: ${issue}`);
+                }
+                if (r.violationCount > 8) {
+                    lines.push(`         ... and ${r.violationCount - 8} more`);
+                }
+            }
+        }
+        lines.push('');
+    }
+    lines.push(line);
+    lines.push(`  ${new Date().toISOString()}`);
+    lines.push(line);
+    return lines.join('\n');
+}
+//# sourceMappingURL=rls-checker.js.map

package/dist/generators/rls-checker.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rls-checker.js","sourceRoot":"","sources":["../../src/generators/rls-checker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,cAAc,EAAmB,MAAM,kBAAkB,CAAC;AAyDnE,MAAM,eAAe,GAA2B;IAC9C,UAAU,EAAE,6CAA6C;IACzD,MAAM,EAAE,wCAAwC;IAChD,IAAI,EAAE,mCAAmC;IACzC,MAAM,EAAE,yCAAyC;IACjD,QAAQ,EAAE,qCAAqC;IAC/C,SAAS,EAAE,6CAA6C;CACzD,CAAC;AAEF,MAAM,cAAc,GAAG,CAAC,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;AAE3F;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAA0B,EAC1B,OAOC;IAED,MAAM,SAAS,GAAG,cAAc,EAAE,CAAC;IACnC,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,IAAI,EAAE,IAAI,GAAG,EAAE,EAAE,GAAG,OAAO,IAAI,EAAE,CAAC;IAElE,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;QAClC,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;YAAE,OAAO,KAAK,CAAC;QACtC,IAAI,UAAU,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAC;QACjE,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;YAAE,OAAO,KAAK,CAAC;QACrD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,oDAAoD;IACpD,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QACnC,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACpD,OAAO,SAAS,CAAC;YACT,KAAK,CAAC,EAAE;UACV,QAAQ;EAChB,CAAC;IACD,CAAC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACtF,MAAM,WAAW,GAAG,SAAS,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,MAAM,kCAAkC,CAAC;IAE7F,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IAErD,+BAA+B;IAC/B,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAA0B,CAAC;IAC5D,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,OAAO,GAAI,GAA8B,CAAC,QAAQ,CAAC;QACzD,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC;YAAE,iBAAiB,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACxE,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,OAAO,GAAqB,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE;QACnD,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QACzD,OAAO;YACL,EAAE,EAAE,KAAK,CAAC,EAAE;YACZ,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,MAAM,EAAE,UAAU,CAAC,MAAM,KAAK,CAAC;YAC/B,cAAc,EAAE,UAAU,CAAC,MAAM;YACjC,UAAU;SACX,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,OAAO,WAAW,CAAC,OAAO,CAAC,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAA0B;IAE1B,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAChC,MAAM,OAAO,GAAqB,EAAE,CAAC;IAErC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;QACzD,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,KAAK,CAAC,EAAE;YACZ,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,MAAM,EAAE,UAAU,CAAC,MAAM,KAAK,CAAC;YAC/B,cAAc,EAAE,UAAU,CAAC,MAAM;YACjC,UAAU;SACX,CAAC,CAAC;IACL,CAAC;IAED,OAAO,WAAW,CAAC,OAAO,CAAC,CAAC;AAC9B,CAAC;AAED,+DAA+D;AAE/D,SAAS,WAAW,CAAC,OAAyB;IAC5C,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,MAAM,CAAC;IACnF,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IACjF,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IACjF,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IACzD,MAAM,MAAM,GAAG,UAAU,KAAK,CAAC,CAAC;IAEhC,2BAA2B;IAC3B,MAAM,UAAU,GAAyB,cAAc;SACpD,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC;SACpD,GAAG,CAAC,GAAG,CAAC,EAAE;QACT,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,MAAM,CAAC;QACpF,MAAM,QAAQ,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;QAClF,OAAO;YACL,QAAQ,EAAE,GAAG;YACb,KAAK,EAAE,eAAe,CAAC,GAAG,CAAC,IAAI,GAAG;YAClC,WAAW,EAAE,SAAS,CAAC,MAAM;YAC7B,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM;YACpD,UAAU,EAAE,SAAS;YACrB,SAAS,EAAE,QAAQ;YACnB,MAAM,EAAE,SAAS,KAAK,CAAC;SACxB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEL,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,UAAU,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,UAAU,SAAS,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClF,IAAI,SAAS,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,SAAS,WAAW,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACjF,IAAI,SAAS,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,SAAS,OAAO,CAAC,CAAC;IAEnD,MAAM,OAAO,GAAG,MAAM;QACpB,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;YAChB,CAAC,CAAC,SAAS,WAAW,IAAI,OAAO,CAAC,MAAM,mBAAmB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;YAC9E,CAAC,CAAC,SAAS,WAAW,IAAI,OAAO,CAAC,MAAM,4BAA4B;QACtE,CAAC,CAAC,SAAS,WAAW,IAAI,OAAO,CAAC,MAAM,mBAAmB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;IAEjF,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAEpE,OAAO;QACL,MAAM;QACN,OAAO;QACP,WAAW,EAAE,OAAO,CAAC,MAAM;QAC3B,WAAW;QACX,UAAU;QACV,SAAS;QACT,SAAS;QACT,UAAU;QACV,MAAM,EAAE,OAAO;QACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,IAAI;KACL,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,QAA0B,EAAE,GAAW;IAC/D,sDAAsD;IACtD,KAAK,MAAM,MAAM,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,EAAE,CAAC;QACjD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;QACnE,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/C,IAAI,CAAC,KAAK,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,EAAE,CAAC;IACzC,CAAC;IACD,OAAO,CAAC,EAAE,UAAU,EAAE,cAAc,EAAE,KAAK,EAAE,2EAA2E,EAAE,CAAC,CAAC;AAC9H,CAAC;AAED,SAAS,gBAAgB,CACvB,OAAyB,EACzB,UAAgC,EAChC,OAAe,EACf,MAAe;IAEf,MAAM,CAAC,GAAG,EAAE,CAAC;IACb,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAE3B,MAAM,KAAK,GAAa;QACtB,IAAI;QACJ,kCAAkC;QAClC,IAAI;QACJ,EAAE;QACF,aAAa,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc,EAAE;QAC/C,KAAK,OAAO,EAAE;QACd,EAAE;KACH,CAAC;IAEF,oBAAoB;IACpB,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACnC,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QACtC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM;YACvB,CAAC,CAAC,GAAG,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,WAAW,SAAS;YACjD,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,YAAY,GAAG,CAAC,SAAS,WAAW,CAAC;QAC1D,KAAK,CAAC,IAAI,CAAC,QAAQ,IAAI,KAAK,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;QACzC,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,EAAE,CAAC,CAAC;IACnC,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,gCAAgC;IAChC,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,CAAC,CAAC;QACpE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjB,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEjB,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;YAC1E,KAAK,CAAC,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAEpC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;gBACd,MAAM,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBACtC,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;oBACrB,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;oBAC3E,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,UAAU,KAAK,KAAK,EAAE,CAAC,CAAC;gBACnD,CAAC;gBACD,IAAI,CAAC,CAAC,cAAc,GAAG,CAAC,EAAE,CAAC;oBACzB,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,cAAc,GAAG,CAAC,OAAO,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;QACH,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjB,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAC5C,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEjB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/generators/rls-generator.d.ts ADDED Viewed

@@ -0,0 +1,77 @@
+/**
+ * Tetra RLS Generator v1.0
+ *
+ * Generates Row Level Security policies based on SparkBuddy production patterns.
+ * Every Tetra project MUST use these patterns for consistent security.
+ *
+ * NAMING STANDARD (no exceptions):
+ *   - Organization column: organization_id
+ *   - User column: user_id
+ *   - All columns: snake_case
+ *   - All roles: authenticated (never public)
+ *
+ * Table types:
+ *   admin      — Only admin/owner can CRUD. Most common. (default)
+ *   user       — Admins see all, users see only own data (user_id = auth.uid())
+ *   creator    — Creator role can INSERT/SELECT own + shared, admin sees all
+ *   public     — Anyone can SELECT, only admin can mutate
+ *   public-active — Anyone can SELECT where is_active = true, only admin can mutate
+ *   service    — All client access blocked, only service_role can access
+ *   superadmin — Only superadmins can manage (e.g., organizations table)
+ *
+ * Special tables (hardcoded, always the same in every project):
+ *   organizations       → superadmin type, org column = 'id'
+ *   users_public        → custom: self-insert, admin+self select/update
+ *   organization_members → service type
+ *   organization_invites → service type
+ *
+ * Prerequisites:
+ *   - Auth functions from rls-auth-functions.sql must be installed
+ *   - organization_members table with (user_id, organization_id, role, status)
+ *   - users_public table with (id, is_superadmin)
+ */
+export type RLSTableType = 'admin' | 'user' | 'creator' | 'public' | 'public-active' | 'service' | 'superadmin';
+export interface RLSConfig {
+    /** Table name (without schema) */
+    tableName: string;
+    /** Table type determines which policies are generated */
+    tableType: RLSTableType;
+    /** For creator tables: which column controls visibility. Default: 'visibility_level' */
+    visibilityColumn?: string;
+    /** For creator tables: which values are public/shared. Default: ['shared', 'public'] */
+    publicVisibilityValues?: string[];
+    /** For public tables: allow anonymous INSERT (e.g., signups). Default: false */
+    allowAnonInsert?: boolean;
+    /** Additional custom policies to append */
+    extraPolicies?: string[];
+}
+export interface RLSGeneratorResult {
+    /** Complete SQL migration including ENABLE RLS + policies */
+    sql: string;
+    /** Number of policies generated */
+    policyCount: number;
+    /** Table type used */
+    tableType: RLSTableType;
+    /** Policy names generated */
+    policyNames: string[];
+}
+/**
+ * Generate RLS policies for a table.
+ *
+ * Usage:
+ *   const result = generateRLS({ tableName: 'appointments', tableType: 'admin' });
+ *   // Apply result.sql as a Supabase migration
+ */
+export declare function generateRLS(config: RLSConfig): RLSGeneratorResult;
+/**
+ * Generate RLS for multiple tables at once.
+ *
+ * Usage:
+ *   const sql = generateRLSBatch([
+ *     { tableName: 'appointments', tableType: 'admin' },
+ *     { tableName: 'organizations', tableType: 'superadmin' },
+ *     { tableName: 'organization_invites', tableType: 'service' },
+ *   ]);
+ */
+export declare function generateRLSBatch(configs: RLSConfig[]): string;
+//# sourceMappingURL=rls-generator.d.ts.map

package/dist/generators/rls-generator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rls-generator.d.ts","sourceRoot":"","sources":["../../src/generators/rls-generator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,MAAM,MAAM,YAAY,GACpB,OAAO,GACP,MAAM,GACN,SAAS,GACT,QAAQ,GACR,eAAe,GACf,SAAS,GACT,YAAY,CAAC;AAEjB,MAAM,WAAW,SAAS;IACxB,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,yDAAyD;IACzD,SAAS,EAAE,YAAY,CAAC;IACxB,wFAAwF;IACxF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,wFAAwF;IACxF,sBAAsB,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,gFAAgF;IAChF,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,2CAA2C;IAC3C,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,sBAAsB;IACtB,SAAS,EAAE,YAAY,CAAC;IACxB,6BAA6B;IAC7B,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAMD;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,SAAS,GAAG,kBAAkB,CA4DjE;AAsTD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,SAAS,EAAE,GAAG,MAAM,CAe7D"}