@soulbatical/tetra-dev-toolkit 1.1.0

package/lib/checks/supabase/rls-policy-audit.js

@@ -0,0 +1,261 @@
+/**
+ * RLS Policy Audit
+ *
+ * Scans SQL migrations to verify:
+ * 1. Every table has ROW LEVEL SECURITY enabled
+ * 2. Every table with RLS has at least basic policies defined
+ * 3. No overly permissive policies (USING (true) / WITH CHECK (true))
+ * 4. SECURITY DEFINER functions are flagged for review
+ */
+
+import { readFileSync, existsSync, readdirSync } from 'fs'
+import { join } from 'path'
+
+export const meta = {
+  id: 'rls-policy-audit',
+  name: 'Row Level Security Audit',
+  category: 'supabase',
+  severity: 'critical',
+  description: 'Verifies RLS is enabled on all tables and policies are properly configured'
+}
+
+export async function run(config, projectRoot) {
+  const results = {
+    passed: true,
+    findings: [],
+    summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 },
+    details: {
+      tablesFound: 0,
+      tablesWithRls: 0,
+      tablesWithPolicies: 0,
+      permissivePolicies: 0,
+      securityDefinerFunctions: 0
+    }
+  }
+
+  // Find migration directories
+  const migrationPaths = config.paths?.migrations || ['supabase/migrations', 'migrations']
+  // Also check common backend migration paths
+  const extraPaths = ['backend/supabase/migrations']
+  const allPaths = [...migrationPaths, ...extraPaths]
+
+  const sqlFiles = []
+  for (const relPath of allPaths) {
+    const dir = join(projectRoot, relPath)
+    if (!existsSync(dir)) continue
+    try {
+      const files = readdirSync(dir).filter(f => f.endsWith('.sql')).sort()
+      for (const f of files) {
+        sqlFiles.push(join(dir, f))
+      }
+    } catch {
+      // ignore
+    }
+  }
+
+  if (sqlFiles.length === 0) {
+    results.skipped = true
+    results.skipReason = 'No SQL migration files found'
+    return results
+  }
+
+  // Parse all migrations to build final state
+  const tables = new Map()       // tableName -> { created: true, rlsEnabled: false, policies: [], droppedPolicies: [], file: string }
+  const securityDefinerFns = []  // { name, file }
+  const publicTables = config.supabase?.publicTables || []
+
+  for (const filePath of sqlFiles) {
+    let content
+    try {
+      content = readFileSync(filePath, 'utf-8')
+    } catch { continue }
+
+    const fileName = filePath.split('/').pop()
+
+    // Track CREATE TABLE
+    const createTableRe = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?/gi
+    let match
+    while ((match = createTableRe.exec(content)) !== null) {
+      const name = match[1].toLowerCase()
+      if (!tables.has(name)) {
+        tables.set(name, { rlsEnabled: false, policies: [], file: fileName })
+      }
+    }
+
+    // Track DROP TABLE (remove from tracking)
+    const dropTableRe = /DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?/gi
+    while ((match = dropTableRe.exec(content)) !== null) {
+      tables.delete(match[1].toLowerCase())
+    }
+
+    // Track ALTER TABLE ... RENAME TO
+    const renameRe = /ALTER\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?\s+RENAME\s+TO\s+["']?(\w+)["']?/gi
+    while ((match = renameRe.exec(content)) !== null) {
+      const oldName = match[1].toLowerCase()
+      const newName = match[2].toLowerCase()
+      if (tables.has(oldName)) {
+        const data = tables.get(oldName)
+        tables.delete(oldName)
+        tables.set(newName, data)
+      }
+    }
+
+    // Track ENABLE ROW LEVEL SECURITY
+    const rlsEnableRe = /ALTER\s+TABLE\s+(?:public\.)?["']?(\w+)["']?\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi
+    while ((match = rlsEnableRe.exec(content)) !== null) {
+      const name = match[1].toLowerCase()
+      if (tables.has(name)) {
+        tables.get(name).rlsEnabled = true
+      } else {
+        // Table created elsewhere or before our scan
+        tables.set(name, { rlsEnabled: true, policies: [], file: fileName })
+      }
+    }
+
+    // Track DISABLE ROW LEVEL SECURITY
+    const rlsDisableRe = /ALTER\s+TABLE\s+(?:public\.)?["']?(\w+)["']?\s+DISABLE\s+ROW\s+LEVEL\s+SECURITY/gi
+    while ((match = rlsDisableRe.exec(content)) !== null) {
+      const name = match[1].toLowerCase()
+      if (tables.has(name)) {
+        tables.get(name).rlsEnabled = false
+      }
+    }
+
+    // Track CREATE POLICY
+    const policyRe = /CREATE\s+POLICY\s+["']?(\w+)["']?\s+ON\s+(?:public\.)?["']?(\w+)["']?\s+([\s\S]*?)(?:;|CREATE\s|ALTER\s|DROP\s|GRANT\s)/gi
+    while ((match = policyRe.exec(content)) !== null) {
+      const policyName = match[1]
+      const tableName = match[2].toLowerCase()
+      const policyBody = match[3]
+
+      if (!tables.has(tableName)) {
+        tables.set(tableName, { rlsEnabled: false, policies: [], file: fileName })
+      }
+
+      const forOp = policyBody.match(/FOR\s+(SELECT|INSERT|UPDATE|DELETE|ALL)/i)
+      const operation = forOp ? forOp[1].toUpperCase() : 'ALL'
+      const isPermissive = /USING\s*\(\s*true\s*\)/i.test(policyBody) || /WITH\s+CHECK\s*\(\s*true\s*\)/i.test(policyBody)
+
+      tables.get(tableName).policies.push({
+        name: policyName,
+        operation,
+        permissive: isPermissive,
+        file: fileName
+      })
+    }
+
+    // Track DROP POLICY
+    const dropPolicyRe = /DROP\s+POLICY\s+(?:IF\s+EXISTS\s+)?["']?(\w+)["']?\s+ON\s+(?:public\.)?["']?(\w+)["']?/gi
+    while ((match = dropPolicyRe.exec(content)) !== null) {
+      const policyName = match[1]
+      const tableName = match[2].toLowerCase()
+      if (tables.has(tableName)) {
+        const table = tables.get(tableName)
+        table.policies = table.policies.filter(p => p.name !== policyName)
+      }
+    }
+
+    // Track SECURITY DEFINER functions
+    const secDefRe = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?:public\.)?["']?(\w+)["']?[\s\S]*?SECURITY\s+DEFINER/gi
+    while ((match = secDefRe.exec(content)) !== null) {
+      securityDefinerFns.push({ name: match[1], file: fileName })
+    }
+  }
+
+  // --- Analyze results ---
+
+  results.details.tablesFound = tables.size
+  results.details.securityDefinerFunctions = securityDefinerFns.length
+
+  for (const [tableName, info] of tables) {
+    // Skip intentionally public tables
+    if (publicTables.includes(tableName)) continue
+
+    // Skip internal Supabase tables
+    if (tableName.startsWith('_') || tableName.startsWith('pg_') || tableName.startsWith('auth_')) continue
+
+    // 1. Check RLS enabled
+    if (!info.rlsEnabled) {
+      results.passed = false
+      results.findings.push({
+        file: info.file,
+        type: 'RLS not enabled',
+        severity: 'critical',
+        message: `Table "${tableName}" does not have ROW LEVEL SECURITY enabled`,
+        table: tableName
+      })
+      results.summary.critical++
+      results.summary.total++
+      continue
+    }
+
+    results.details.tablesWithRls++
+
+    // 2. Check policies exist
+    if (info.policies.length === 0) {
+      results.passed = false
+      results.findings.push({
+        file: info.file,
+        type: 'No RLS policies',
+        severity: 'high',
+        message: `Table "${tableName}" has RLS enabled but NO policies defined (all access blocked)`,
+        table: tableName
+      })
+      results.summary.high++
+      results.summary.total++
+    } else {
+      results.details.tablesWithPolicies++
+
+      // 3. Check for overly permissive policies
+      for (const policy of info.policies) {
+        if (policy.permissive) {
+          results.details.permissivePolicies++
+          results.findings.push({
+            file: policy.file,
+            type: 'Permissive policy',
+            severity: 'medium',
+            message: `Policy "${policy.name}" on "${tableName}" uses USING(true) or WITH CHECK(true) — bypasses RLS`,
+            table: tableName,
+            policy: policy.name
+          })
+          results.summary.medium++
+          results.summary.total++
+        }
+      }
+
+      // 4. Check policy coverage (should have at least SELECT + modification policy)
+      const ops = new Set(info.policies.map(p => p.operation))
+      if (!ops.has('ALL') && !ops.has('SELECT')) {
+        results.findings.push({
+          file: info.file,
+          type: 'Missing SELECT policy',
+          severity: 'low',
+          message: `Table "${tableName}" has no explicit SELECT policy`,
+          table: tableName
+        })
+        results.summary.low++
+        results.summary.total++
+      }
+    }
+  }
+
+  // 5. Flag SECURITY DEFINER functions
+  for (const fn of securityDefinerFns) {
+    results.findings.push({
+      file: fn.file,
+      type: 'SECURITY DEFINER function',
+      severity: 'medium',
+      message: `Function "${fn.name}" uses SECURITY DEFINER — runs with owner privileges, bypasses RLS`,
+      function: fn.name
+    })
+    results.summary.medium++
+    results.summary.total++
+  }
+
+  // If there are only medium/low findings, still pass but warn
+  if (results.summary.critical === 0 && results.summary.high === 0) {
+    results.passed = true
+  }
+
+  return results
+}

package/lib/commands/dev-token.js

@@ -0,0 +1,342 @@
+/**
+ * VCA Dev Toolkit - Dev Token Manager
+ *
+ * Centralized dev token management for all VCA/Supabase projects.
+ * Auto-detects project name, finds Supabase config, manages token lifecycle.
+ *
+ * Replaces per-project generate-dev-token.js scripts.
+ */
+
+import { createClient } from '@supabase/supabase-js'
+import { readFileSync, writeFileSync, existsSync } from 'fs'
+import { join, basename, dirname, resolve } from 'path'
+import { createInterface } from 'readline'
+import { config as dotenvConfig } from 'dotenv'
+import chalk from 'chalk'
+
+/**
+ * Find the project root by walking up from cwd.
+ * Prefers the package.json that has "workspaces" (monorepo root)
+ * or is at the git root. Returns { dir, pkg }.
+ */
+function findProjectRoot(cwd = process.cwd()) {
+  let dir = resolve(cwd)
+  const visited = []
+
+  while (dir !== dirname(dir)) {
+    const pkgPath = join(dir, 'package.json')
+    if (existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'))
+        visited.push({ dir, pkg })
+        // If this has workspaces, it's the monorepo root
+        if (pkg.workspaces) return { dir, pkg }
+      } catch { /* ignore */ }
+    }
+    // If we hit a .git directory, this is the repo root
+    if (existsSync(join(dir, '.git'))) {
+      // Return the last visited package.json at or above this level
+      const atRoot = visited.find(v => v.dir === dir)
+      if (atRoot) return atRoot
+      break
+    }
+    dir = dirname(dir)
+  }
+
+  // Fallback: first package.json we found
+  return visited.length > 0 ? visited[0] : null
+}
+
+/**
+ * Detect project slug from package.json name or directory name.
+ * Walks up to find monorepo root, strips @scope/ prefix.
+ */
+export function detectProject(cwd = process.cwd()) {
+  const root = findProjectRoot(cwd)
+  if (root && root.pkg.name) {
+    const name = root.pkg.name.replace(/^@[^/]+\//, '')
+    return name.toLowerCase().replace(/[^a-z0-9-]/g, '-')
+  }
+
+  // Fallback: directory name of cwd
+  return basename(cwd).toLowerCase().replace(/[^a-z0-9-]/g, '-')
+}
+
+/**
+ * Find Supabase URL and anon key from environment files.
+ * Searches from both cwd and project root: backend/.env, .env, .env.local.
+ */
+export function findSupabaseConfig(cwd = process.cwd()) {
+  const root = findProjectRoot(cwd)
+  const rootDir = root ? root.dir : cwd
+
+  // Collect unique dirs to search
+  const searchDirs = [...new Set([cwd, rootDir])]
+  const envFiles = []
+
+  for (const dir of searchDirs) {
+    envFiles.push(join(dir, 'backend', '.env'))
+    envFiles.push(join(dir, '.env'))
+    envFiles.push(join(dir, 'backend', '.env.local'))
+    envFiles.push(join(dir, '.env.local'))
+  }
+
+  for (const envFile of envFiles) {
+    if (existsSync(envFile)) {
+      dotenvConfig({ path: envFile, override: true })
+    }
+  }
+
+  const url = process.env.SUPABASE_URL || process.env.NEXT_PUBLIC_SUPABASE_URL
+  const key = process.env.SUPABASE_ANON_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY
+
+  return { url, key }
+}
+
+/**
+ * Detect the backend port from .ralph/ports.json or PORT env var.
+ */
+export function detectPort(cwd = process.cwd()) {
+  const root = findProjectRoot(cwd)
+  const rootDir = root ? root.dir : cwd
+
+  // Try .ralph/ports.json at project root
+  const portsPath = join(rootDir, '.ralph', 'ports.json')
+  if (existsSync(portsPath)) {
+    try {
+      const ports = JSON.parse(readFileSync(portsPath, 'utf8'))
+      if (ports.backend_port) return ports.backend_port
+    } catch { /* ignore */ }
+  }
+
+  // Try PORT from env
+  if (process.env.PORT) return parseInt(process.env.PORT)
+
+  return null
+}
+
+/**
+ * Detect curl alias prefix from project slug.
+ * ralph-manager -> rm, sparkbuddy-live -> sb, ad-agent -> aa
+ */
+function detectAliasPrefix(slug) {
+  const knownPrefixes = {
+    'ralph-manager': 'rm',
+    'sparkbuddy-live': 'sb',
+    'ad-agent': 'aa',
+  }
+  if (knownPrefixes[slug]) return knownPrefixes[slug]
+
+  // Generate from initials of hyphenated parts
+  const parts = slug.split('-')
+  if (parts.length >= 2) {
+    return parts.map(p => p[0]).join('')
+  }
+  return slug.slice(0, 2)
+}
+
+/** Decode JWT payload without verification */
+export function decodeJWT(token) {
+  try {
+    const parts = token.split('.')
+    if (parts.length !== 3) return null
+    return JSON.parse(Buffer.from(parts[1], 'base64').toString())
+  } catch {
+    return null
+  }
+}
+
+/** Check if JWT is expired (with buffer) */
+export function isTokenExpired(token, bufferSeconds = 300) {
+  const payload = decodeJWT(token)
+  if (!payload || !payload.exp) return true
+  return payload.exp < (Math.floor(Date.now() / 1000) + bufferSeconds)
+}
+
+/** Token file path for a project */
+export function tokenFilePath(slug) {
+  return `/tmp/${slug}-dev-token`
+}
+
+/** Cache file path for a project */
+export function cacheFilePath(slug) {
+  return `/tmp/${slug}-dev-token-cache.json`
+}
+
+/** Load cached token data */
+export function loadCache(slug) {
+  const path = cacheFilePath(slug)
+  try {
+    if (existsSync(path)) {
+      return JSON.parse(readFileSync(path, 'utf8'))
+    }
+  } catch { /* ignore */ }
+  return null
+}
+
+/** Save token data to cache (chmod 600) */
+export function saveCache(data, slug) {
+  writeFileSync(cacheFilePath(slug), JSON.stringify(data, null, 2), { mode: 0o600 })
+  writeFileSync(tokenFilePath(slug), data.access_token, { mode: 0o600 })
+}
+
+/** Login with email/password via Supabase */
+export async function login(url, key, email, password) {
+  const supabase = createClient(url, key)
+  const { data, error } = await supabase.auth.signInWithPassword({ email, password })
+  if (error) throw new Error(`Login failed: ${error.message}`)
+  return {
+    access_token: data.session.access_token,
+    refresh_token: data.session.refresh_token,
+    user: { id: data.user.id, email: data.user.email },
+  }
+}
+
+/** Refresh session using refresh token */
+export async function refresh(url, key, refreshToken) {
+  const supabase = createClient(url, key)
+  const { data, error } = await supabase.auth.refreshSession({ refresh_token: refreshToken })
+  if (error) throw new Error(`Refresh failed: ${error.message}`)
+  return {
+    access_token: data.session.access_token,
+    refresh_token: data.session.refresh_token,
+    user: { id: data.user.id, email: data.user.email },
+  }
+}
+
+/** Prompt for input (password is hidden) */
+export function promptInput(question) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout })
+  return new Promise((resolve) => {
+    if (question.toLowerCase().includes('password')) {
+      process.stdout.write(question)
+      process.stdin.setRawMode(true)
+      process.stdin.resume()
+      process.stdin.setEncoding('utf8')
+      let password = ''
+      const onData = (char) => {
+        if (char === '\n' || char === '\r') {
+          process.stdin.setRawMode(false)
+          process.stdin.removeListener('data', onData)
+          console.log('')
+          rl.close()
+          resolve(password)
+        } else if (char === '\u0003') {
+          process.exit()
+        } else if (char === '\u007F') {
+          if (password.length > 0) {
+            password = password.slice(0, -1)
+            process.stdout.write('\b \b')
+          }
+        } else {
+          password += char
+          process.stdout.write('*')
+        }
+      }
+      process.stdin.on('data', onData)
+    } else {
+      rl.question(question, (answer) => { rl.close(); resolve(answer) })
+    }
+  })
+}
+
+/** Print usage examples with project-specific values */
+export function printUsage(slug, port) {
+  const tokenFile = tokenFilePath(slug)
+  const prefix = detectAliasPrefix(slug)
+  const host = port ? `http://localhost:${port}` : 'http://localhost:<PORT>'
+
+  console.log('\n' + chalk.dim('-'.repeat(50)))
+  console.log(chalk.bold('Usage:\n'))
+  console.log(`curl ${host}/api/admin/stats \\`)
+  console.log(`  -H "Authorization: Bearer $(cat ${tokenFile})" | jq .`)
+  console.log('')
+  console.log(chalk.dim('Or add alias to ~/.zshrc:'))
+  console.log(`alias ${prefix}curl='curl -H "Authorization: Bearer $(cat ${tokenFile})"'`)
+}
+
+/**
+ * Main dev-token command handler
+ */
+export async function runDevToken({ forceLogin = false, showStatus = false, projectOverride = null } = {}) {
+  const cwd = process.cwd()
+  const slug = projectOverride || detectProject(cwd)
+  const { url, key } = findSupabaseConfig(cwd)
+  const port = detectPort(cwd)
+  const tokenFile = tokenFilePath(slug)
+
+  console.log(chalk.bold(`${slug} Dev Token Manager\n`))
+
+  if (!url || !key) {
+    console.error(chalk.red('Missing SUPABASE_URL or SUPABASE_ANON_KEY'))
+    console.error(chalk.dim('Searched: backend/.env, .env, .env.local'))
+    process.exit(1)
+  }
+
+  const cache = loadCache(slug)
+
+  // --status
+  if (showStatus) {
+    if (!cache) {
+      console.log(chalk.red('No cached token.'))
+      console.log(chalk.dim(`Run: vca-dev-token --login`))
+      process.exit(1)
+    }
+    const payload = decodeJWT(cache.access_token)
+    const expired = isTokenExpired(cache.access_token, 0)
+    console.log(`User:    ${cache.user.email}`)
+    console.log(`Expires: ${new Date(payload.exp * 1000).toLocaleString()}`)
+    console.log(`Status:  ${expired ? chalk.red('Expired') : chalk.green('Valid')}`)
+    console.log(`\nToken:   ${tokenFile}`)
+    process.exit(0)
+  }
+
+  // --login
+  if (forceLogin) {
+    const email = process.env.DEV_AUTH_EMAIL || await promptInput('Email: ')
+    const password = await promptInput('Password: ')
+    console.log(`\nLogging in as ${email}...`)
+    try {
+      const data = await login(url, key, email, password)
+      saveCache(data, slug)
+      const payload = decodeJWT(data.access_token)
+      console.log(chalk.green('\nLogin successful!'))
+      console.log(`  User:    ${data.user.email}`)
+      console.log(`  Expires: ${new Date(payload.exp * 1000).toLocaleString()}`)
+      console.log(`\nToken saved to: ${tokenFile}`)
+      printUsage(slug, port)
+    } catch (error) {
+      console.error(chalk.red(`\n${error.message}`))
+      process.exit(1)
+    }
+    return
+  }
+
+  // Auto: use cached or refresh
+  if (cache) {
+    if (!isTokenExpired(cache.access_token)) {
+      const payload = decodeJWT(cache.access_token)
+      const mins = Math.round((payload.exp - Date.now() / 1000) / 60)
+      console.log(chalk.green(`Using cached token (${mins} min remaining)`) + ` - ${cache.user.email}`)
+      console.log(`\nToken: ${tokenFile}`)
+      printUsage(slug, port)
+      return
+    }
+
+    console.log('Token expired, refreshing...')
+    try {
+      const data = await refresh(url, key, cache.refresh_token)
+      saveCache(data, slug)
+      console.log(chalk.green('Token refreshed!') + ` Saved to: ${tokenFile}`)
+      printUsage(slug, port)
+      return
+    } catch (e) {
+      console.log(chalk.yellow(`Refresh failed: ${e.message}`))
+      console.log(chalk.dim('Run with --login to re-authenticate'))
+    }
+  }
+
+  console.log(chalk.red('No valid token.'))
+  console.log(chalk.dim(`Run: vca-dev-token --login`))
+  process.exit(1)
+}