@soulbatical/tetra-dev-toolkit 1.15.1 → 1.16.1

package/README.md

@@ -17,8 +17,8 @@ npx tetra-setup
 ```
 
 This creates:
-- `.husky/pre-commit` — quick security checks before every commit
-- `.husky/pre-push` — hygiene + RLS security gate before every push
+- `.husky/pre-commit` — quick security checks + migration lint before every commit
+- `.husky/pre-push` — full security audit + RLS security gate before every push
 - `.github/workflows/quality.yml` — full audit on PR/push to main
 - `.tetra-quality.json` — project config (override defaults)
 
@@ -30,238 +30,149 @@ npx tetra-setup ci       # GitHub Actions only
 npx tetra-setup config   # Config file only
 ```
 
-Re-running `tetra-setup hooks` on an existing project adds missing hooks without overwriting existing ones.
-
 ---
 
-## 3-Layer Security Model
-
-Every Tetra project is protected by three layers. All three must pass before code reaches production. No fallbacks. No soft warnings. Hard errors only.
-
-```
-LAYER 1: PRE-COMMIT (tetra-audit quick)
-  Blocks: hardcoded secrets, service key exposure, direct createClient imports
-
-LAYER 2: PRE-PUSH (tetra-check-rls + tetra-audit hygiene)
-  Blocks: RLS violations on live DB, repo clutter, missing FORCE RLS
-
-LAYER 3: BUILD (Railway/deploy — tetra-check-rls --errors-only)
-  Blocks: anything that bypassed --no-verify. Last line of defense.
-```
-
-### Layer 1: Pre-commit
-
-Installed by `tetra-setup hooks`. Runs `tetra-audit quick` which executes critical security checks:
-
-| Check | What it catches |
-|-------|-----------------|
-| Hardcoded Secrets | API keys, tokens, JWTs in source code |
-| Service Key Exposure | Supabase service role keys in frontend code |
-| Direct Supabase Client | `createClient()` imports outside core db wrappers |
-
-If any check fails, the commit is **blocked**. No `--force`, no workaround.
-
-### Layer 2: Pre-push (RLS Security Gate)
-
-Installed by `tetra-setup hooks`. Runs before every `git push`. Two checks:
-
-1. **Repo hygiene** — `tetra-audit hygiene` blocks clutter
-2. **RLS Security Gate** — `tetra-check-rls --errors-only` against the live Supabase database
-
-The RLS gate auto-detects your Doppler project from `doppler.yaml` and runs 23 checks across 6 categories:
-
-| Category | Checks | What it catches |
-|----------|--------|-----------------|
-| Foundation | 3 | Tables without RLS, missing FORCE RLS, RLS without policies |
-| Policy Quality | 5 | Public role mutations, always-true policies, missing WITH CHECK |
-| Auth Functions | 4 | Missing auth functions, wrong SECURITY DEFINER, bad search_path |
-| Bypass Routes | 5 | SECURITY DEFINER data functions, anon grants, views bypassing RLS |
-| Data Exposure | 1 | Realtime enabled on sensitive tables |
-| Migration State | 4 | Non-Tetra auth patterns, missing org columns |
-
-If the RLS gate fails, the push is **blocked**. No `--no-verify` escape — Layer 3 catches that.
-
-### Layer 3: Build-time check
-
-Add to your Railway/deploy build command:
-
-```bash
-# Railway build command
-doppler run -- npx tetra-check-rls --errors-only && npm run build
-```
-
-This catches developers who bypass git hooks with `--no-verify`. If RLS is broken, the build fails, the deploy never happens.
-
----
-
-## Supabase Client Architecture
-
-Every Tetra project MUST use the 5 db helpers. Direct `createClient` imports are **blocked** by the `direct-supabase-client` check.
-
-### The 5 DB Helpers
+## 8-Layer Security Architecture
 
-| Helper | Key Used | RLS | When to Use |
-|--------|----------|-----|-------------|
-| `adminDB(req)` | Anon + user JWT | Enforced | Admin panel queries (org-scoped) |
-| `userDB(req)` | Anon + user JWT | Enforced | User's own data |
-| `publicDB()` | Anon key | Enforced | Public/anonymous access |
-| `superadminDB(req)` | Service Role | Bypassed | Cross-org operations (superadmin only, audit logged) |
-| `systemDB(context)` | Service Role | Bypassed | Webhooks, crons, system ops (whitelisted, audit logged) |
+Every Tetra project is protected by 8 layers. From the moment a developer writes code to the moment a database query executes — every layer enforces security independently. If one layer is bypassed, the next catches it.
 
-### Why this matters
+See [SECURITY.md](./SECURITY.md) for the complete architecture reference.
 
 ```
-createClient(url, SERVICE_ROLE_KEY)  →  Bypasses ALL RLS. No audit trail. No access control.
-adminDB(req)                         →  Uses user's JWT. RLS enforces org boundaries. Audit logged.
+LAYER 1: CONFIG FILES         Feature configs define what SHOULD happen
+LAYER 2: PRE-COMMIT           Quick checks + migration lint on staged files
+LAYER 3: PRE-PUSH             Full security audit (12 checks) + live RLS gate
+LAYER 4: MIGRATION PUSH       tetra-db-push blocks unsafe SQL before Supabase
+LAYER 5: CI/CD                TypeScript compile + tests + build
+LAYER 6: RUNTIME              Express middleware (HTTPS, CORS, auth, rate limit, input sanitize)
+LAYER 7: DATABASE              RLS policies enforce org/user isolation on every query
+LAYER 8: DB HELPERS            adminDB/userDB/publicDB/systemDB enforce correct access pattern
 ```
 
-A single `createClient` call with the service role key can leak data across all organizations. The db helpers enforce the security boundary at the application layer.
-
-### Allowed exceptions
-
-These files MAY import `createClient` directly because they ARE the wrappers:
-
-- `core/systemDb.ts`, `core/publicDb.ts`, `core/adminDb.ts`, `core/userDb.ts`, `core/superadminDb.ts`
-- `core/Application.ts` (bootstrap)
-- `features/database/services/SupabaseUserClient.ts`
-- `auth/controllers/AuthController.ts` (needs `auth.admin` API)
-- `backend-mcp/src/supabase-client.ts`, `org-scoped-client.ts`, `api-key-service.ts`, `http-server.ts`
-- `scripts/` (not production code)
-
-Everything else gets a **hard error** at commit time.
-
 ---
 
-## Usage
-
-```bash
-npx tetra-audit              # Run all checks
-npx tetra-audit security     # Security checks only
-npx tetra-audit stability    # Stability checks only
-npx tetra-audit codeQuality  # Code quality checks only
-npx tetra-audit supabase     # Supabase checks only
-npx tetra-audit hygiene      # Repo hygiene checks only
-npx tetra-audit quick        # Quick critical checks (pre-commit)
-npx tetra-audit --ci         # CI mode (GitHub Actions annotations)
-npx tetra-audit --json       # JSON output
-npx tetra-audit --verbose    # Detailed output with fix suggestions
-```
-
-Exit codes: `0` = passed, `1` = failed, `2` = error. No middle ground.
-
-## RLS Security Gate (standalone)
-
-```bash
-npx tetra-check-rls                              # Auto-detect from doppler.yaml
-npx tetra-check-rls --url <url> --key <key>      # Explicit credentials
-npx tetra-check-rls --errors-only                # CI/build mode
-npx tetra-check-rls --json                       # JSON output for automation
-npx tetra-check-rls --fix                        # Generate hardening migration SQL
-npx tetra-check-rls --check-exec-sql             # Verify exec_sql function is secure
-```
-
-### Programmatic usage
+## CLI Tools
 
-```typescript
-import { runRLSCheck } from '@soulbatical/tetra-core';
+| Command | Description |
+|---------|-------------|
+| `tetra-audit` | Run quality/security/hygiene checks |
+| `tetra-audit quick` | Quick critical checks (pre-commit) |
+| `tetra-audit security` | Full security suite (12 checks) |
+| `tetra-audit stability` | Stability suite (3 checks) |
+| `tetra-audit codeQuality` | Code quality suite (4 checks) |
+| `tetra-audit supabase` | Supabase suite (3 checks) |
+| `tetra-audit hygiene` | Repo hygiene suite (2 checks) |
+| `tetra-audit --ci` | CI mode (GitHub Actions annotations) |
+| `tetra-audit --json` | JSON output |
+| `tetra-audit --verbose` | Detailed output with fix suggestions |
+| `tetra-migration-lint` | Offline SQL migration linter (8 rules) |
+| `tetra-migration-lint --staged` | Only git-staged .sql files (pre-commit hook) |
+| `tetra-migration-lint --fix-suggestions` | Show fix SQL per violation |
+| `tetra-db-push` | Safe wrapper: lint + `supabase db push` |
+| `tetra-check-rls` | RLS security gate against live Supabase |
+| `tetra-check-rls --fix` | Generate hardening migration SQL |
+| `tetra-setup` | Install hooks, CI, and config |
+| `tetra-init` | Initialize project config files |
+| `tetra-dev-token` | Generate development tokens |
 
-const report = await runRLSCheck(supabaseServiceClient);
-if (!report.passed) {
-  throw new Error(report.summary); // Hard error. No soft fail.
-}
-```
+Exit codes: `0` = passed, `1` = failed (CRITICAL/HIGH), `2` = error. No middle ground.
 
 ---
 
 ## Check Suites
 
-### Security (6 checks)
+### Security (12 checks)
 
 | Check | Severity | What it catches |
 |-------|----------|-----------------|
-| Hardcoded Secrets | critical | API keys, tokens, JWTs in source code |
-| Service Key Exposure | critical | Supabase service role keys in frontend |
-| Deprecated Supabase Admin | high | Legacy `supabaseAdmin` patterns |
-| Direct Supabase Client | critical | Direct `createClient` imports outside core wrappers |
-| SystemDB Whitelist | critical | Unauthorized service role key usage in authenticated routes |
-| Gitignore Validation | high | Missing .gitignore entries, tracked .env files |
+| `hardcoded-secrets` | critical | API keys, tokens, JWTs in source code |
+| `service-key-exposure` | critical | Supabase service role keys in frontend |
+| `deprecated-supabase-admin` | critical | Legacy `supabaseAdmin` patterns |
+| `direct-supabase-client` | critical | Direct `createClient` imports outside core wrappers |
+| `frontend-supabase-queries` | critical | `.from()` / `.rpc()` / `.storage` calls in frontend code |
+| `tetra-core-compliance` | critical | Missing configureAuth, authenticateToken, or db helpers |
+| `mixed-db-usage` | critical | Controller uses wrong DB helper or mixes types |
+| `config-rls-alignment` | critical | Feature config accessLevel does not match RLS policies |
+| `rpc-security-mode` | critical | SECURITY DEFINER on data RPCs (bypasses RLS) |
+| `route-config-alignment` | high | Route middleware does not match config accessLevel |
+| `systemdb-whitelist` | high | systemDB() in unauthorized contexts |
+| `gitignore-validation` | high | Missing .gitignore entries, tracked .env files |
+
+### Migration Lint (8 rules)
+
+| Rule | Severity | What it catches |
+|------|----------|-----------------|
+| `DEFINER_DATA_RPC` | critical | SECURITY DEFINER on data RPCs |
+| `CREATE_TABLE_NO_RLS` | critical | New table without ENABLE ROW LEVEL SECURITY |
+| `DISABLE_RLS` | critical | ALTER TABLE ... DISABLE RLS |
+| `USING_TRUE_WRITE` | critical | USING(true) on INSERT/UPDATE/DELETE/ALL policies |
+| `GRANT_PUBLIC_ANON` | critical | GRANT write permissions to public/anon |
+| `RAW_SERVICE_KEY` | critical | Hardcoded JWT in migration file |
+| `DROP_POLICY` | high | DROP POLICY without replacement in same migration |
+| `POLICY_NO_WITH_CHECK` | medium | INSERT/UPDATE policy without WITH CHECK clause |
 
-### Stability (3 checks)
+### Supabase (3 checks, auto-detected)
 
 | Check | Severity | What it catches |
 |-------|----------|-----------------|
-| Husky Hooks | medium | Missing pre-commit/pre-push hooks |
-| CI Pipeline | medium | Missing or incomplete CI config |
-| NPM Audit | high | Known vulnerabilities in dependencies |
+| `rls-policy-audit` | critical | Tables without Row Level Security |
+| `rpc-param-mismatch` | critical | TypeScript `.rpc()` calls with wrong parameter names vs SQL |
+| `rpc-generator-origin` | high | RPC functions not generated by Tetra SQL Generator |
 
-### Code Quality (4 checks)
+### Stability (3 checks)
 
 | Check | Severity | What it catches |
 |-------|----------|-----------------|
-| API Response Format | medium | Non-standard response format |
-| File Size | medium | Files exceeding line limits |
-| Naming Conventions | medium | Inconsistent file/dir naming |
-| Route Separation | high | Business logic in route files |
+| `husky-hooks` | medium | Missing pre-commit/pre-push hooks |
+| `ci-pipeline` | medium | Missing or incomplete CI config |
+| `npm-audit` | high | Known vulnerabilities in dependencies |
 
-### Supabase (3 checks, auto-detected)
+### Code Quality (4 checks)
 
 | Check | Severity | What it catches |
 |-------|----------|-----------------|
-| RLS Policy Audit | critical | Tables without Row Level Security |
-| RPC Param Mismatch | critical | TypeScript `.rpc()` calls with wrong parameter names vs SQL |
-| RPC Generator Origin | high | RPC functions not generated by Tetra SQL Generator |
+| `api-response-format` | medium | Non-standard response format |
+| `file-size` | medium | Files exceeding line limits |
+| `naming-conventions` | medium | Inconsistent file/dir naming |
+| `route-separation` | high | Business logic in route files |
 
 ### Hygiene (2 checks)
 
 | Check | Severity | What it catches |
 |-------|----------|-----------------|
-| File Organization | high | Stray .md, .sh, clutter in code dirs |
-| Stella Compliance | medium | Missing Stella integration |
+| `file-organization` | high | Stray .md, .sh, clutter in code dirs |
+| `stella-compliance` | medium | Missing Stella integration |
 
 ---
 
-## Health Checks
-
-Scored assessment (0-N points) used by the Ralph Manager dashboard:
-
-| Check | Max | What it measures |
-|-------|-----|------------------|
-| File Organization | 6pt | Docs in /docs, scripts in /scripts, clean root & code dirs |
-| Git | 4pt | Clean working tree, branch hygiene, commit frequency |
-| Gitignore | 3pt | Critical entries present |
-| CLAUDE.md | 3pt | Project instructions for AI assistants |
-| Secrets | 3pt | No exposed secrets |
-| Tests | 4pt | Test framework, coverage, test files |
-| Naming Conventions | 5pt | File/dir naming consistency |
-| Infrastructure YML | 3pt | Railway/Docker config |
-| Doppler Compliance | 2pt | Secrets management via Doppler |
-| MCP Servers | 2pt | MCP configuration |
-| Stella Integration | 2pt | Stella package integration |
-| Quality Toolkit | 2pt | Tetra dev-toolkit installed |
-| Repo Visibility | 1pt | Private repo |
-| RLS Audit | 3pt | Row Level Security policies |
-| Plugins | 2pt | Claude Code plugin config |
-| VinciFox Widget | 1pt | Widget installation |
+## Supabase Client Architecture
 
----
+Every Tetra project MUST use the 5 db helpers. Direct `createClient` imports are **blocked** by the `direct-supabase-client` check.
 
-## Auto-fix: Cleanup Script
+### The 5 DB Helpers
 
-For hygiene issues, an auto-fix script is included:
+| Helper | Key Used | RLS | When to Use |
+|--------|----------|-----|-------------|
+| `adminDB(req)` | Anon + user JWT | Enforced | Admin panel queries (org-scoped) |
+| `userDB(req)` | Anon + user JWT | Enforced | User's own data |
+| `publicDB()` | Anon key | Enforced | Public/anonymous access |
+| `superadminDB(req)` | Service Role | Bypassed | Cross-org operations (superadmin only, audit logged) |
+| `systemDB(context)` | Service Role | Bypassed | Webhooks, crons, system ops (whitelisted, audit logged) |
 
-```bash
-# Dry run (shows what would change)
-bash node_modules/@soulbatical/tetra-dev-toolkit/bin/cleanup-repos.sh
+### Why this matters
 
-# Execute
-bash node_modules/@soulbatical/tetra-dev-toolkit/bin/cleanup-repos.sh --execute
 ```
+createClient(url, SERVICE_ROLE_KEY)  →  Bypasses ALL RLS. No audit trail. No access control.
+adminDB(req)                         →  Uses user's JWT. RLS enforces org boundaries. Audit logged.
+```
+
+A single `createClient` call with the service role key can leak data across all organizations. The db helpers enforce the security boundary at the application layer.
 
 ---
 
 ## Configuration
 
-Override defaults in `.tetra-quality.json` or `"tetra-quality"` key in `package.json`:
+Override defaults in `.tetra-quality.json`:
 
 ```json
 {
@@ -274,50 +185,31 @@ Override defaults in `.tetra-quality.json` or `"tetra-quality"` key in `package.
   },
   "supabase": {
     "publicRpcFunctions": ["get_public_data"],
-    "publicTables": ["public_lookup"]
+    "publicTables": ["public_lookup"],
+    "backendOnlyTables": ["system_logs", "cron_state"],
+    "securityDefinerWhitelist": ["auth_org_id", "auth_uid"]
   },
-  "stability": {
-    "allowedVulnerabilities": {
-      "critical": 0,
-      "high": 0,
-      "moderate": 10
-    }
-  }
+  "ignore": ["**/legacy/**", "**/scripts/**"]
 }
 ```
 
 ---
 
-## CLI Tools
-
-| Command | Description |
-|---------|-------------|
-| `tetra-audit` | Run quality/security/hygiene checks |
-| `tetra-setup` | Install hooks, CI, and config |
-| `tetra-check-rls` | RLS security gate against live Supabase |
-| `tetra-init` | Initialize project config files |
-| `tetra-dev-token` | Generate development tokens |
-
----
-
 ## New Project Checklist
 
-After `npm install` in a new Tetra project:
-
 ```bash
 # 1. Install hooks (creates pre-commit + pre-push)
 npx tetra-setup hooks
 
-# 2. Verify hooks are active
-cat .husky/pre-commit   # Should contain tetra-audit quick
-cat .husky/pre-push     # Should contain tetra-check-rls
-
-# 3. Run full audit
+# 2. Run full audit
 npx tetra-audit
 
-# 4. Run RLS gate manually once
+# 3. Run RLS gate manually
 doppler run -- npx tetra-check-rls
 
+# 4. Verify migration lint works
+npx tetra-migration-lint
+
 # 5. Add to Railway build command
 # doppler run -- npx tetra-check-rls --errors-only && npm run build
 ```
@@ -328,44 +220,54 @@ If any step fails, fix it before writing code. No exceptions.
 
 ## Changelog
 
-### 1.9.0
+### 1.15.0
+
+**New: Migration Lint + DB Push Guard**
+- `tetra-migration-lint` — offline SQL migration linter (8 rules)
+- `tetra-db-push` — safe wrapper around `supabase db push` (lint first, push second)
+- Pre-commit hook now lints staged `.sql` files automatically
+- Rules: DEFINER on data RPCs, CREATE TABLE without RLS, DISABLE RLS, USING(true) writes, GRANT public/anon, DROP POLICY without replacement, missing WITH CHECK, hardcoded JWT
+
+### 1.14.0
+
+**New: Config-RLS Alignment + Route-Config Alignment + RPC Security Mode**
+- `config-rls-alignment` — verifies feature config accessLevel matches RLS policies on the table
+- `route-config-alignment` — verifies route middleware matches config accessLevel (admin routes need auth middleware)
+- `rpc-security-mode` — scans ALL RPCs for SECURITY DEFINER (must be INVOKER unless whitelisted)
 
-**New: Direct Supabase Client check (CRITICAL)**
-- Added `direct-supabase-client` check in security suite
-- Blocks any `createClient` import from `@supabase/supabase-js` outside core db wrappers
-- Hard error at commit time — no fallback, no override
-- Type-only imports (`import type { SupabaseClient }`) are allowed
-- Allowed files whitelist: core wrappers, auth controller, MCP server internals, scripts
+### 1.13.0
 
-**New: 3-Layer Security Model documentation**
-- Layer 1: Pre-commit (tetra-audit quick)
-- Layer 2: Pre-push (tetra-check-rls + hygiene)
-- Layer 3: Build-time (tetra-check-rls --errors-only in Railway)
-- Complete Supabase Client Architecture docs with the 5 db helpers
+**New: Mixed DB Usage Detection**
+- `mixed-db-usage` — controllers must use exactly ONE DB helper type matching their naming convention
+- AdminController → adminDB only, UserController → userDB only, etc.
+- Detects systemDB misuse when authenticated user context is available
 
-**Improved: prepublishOnly hooks**
-- tetra-core: `npm run build && npm run typecheck` before publish
-- tetra-dev-toolkit: `npm test` before publish
+### 1.12.0
+
+**New: Tetra Core Compliance**
+- `tetra-core-compliance` — if a project has @soulbatical/tetra-core, it MUST use configureAuth, authenticateToken, and db helpers
+- No more "skipped" checks — if tetra-core is a dependency, ALL security checks run
+
+### 1.11.0
+
+**New: Frontend Supabase Queries check**
+- `frontend-supabase-queries` — blocks `.from()`, `.rpc()`, `.storage` in frontend code
+- Frontend MUST use API client, never query Supabase directly
+
+### 1.10.0
+
+**Improved: RLS Policy Audit**
+- Tables with RLS ON but 0 policies now flagged as CRITICAL (was HIGH)
+- New config: `supabase.backendOnlyTables` for tables that intentionally have no policies
+
+### 1.9.0
 
-### 1.3.0 (2025-02-21)
+**New: Direct Supabase Client check + 3-Layer Security Model**
 
-**New: Hygiene suite**
-- Added `tetra-audit hygiene` — detects stray docs, scripts, clutter in code dirs
-- Added `cleanup-repos.sh` auto-fix script in `bin/`
-- `tetra-setup hooks` now creates pre-push hook with hygiene gate
-- Re-running `tetra-setup hooks` on existing repos adds hygiene check without overwriting
+### 1.3.0
 
-**New: RPC Param Mismatch check**
-- Added `rpc-param-mismatch` check in supabase suite
-- Statically compares `.rpc()` calls in TypeScript with SQL function parameter names
-- Catches PGRST202 errors before they hit production
+**New: Hygiene suite + RPC Param Mismatch check**
 
 ### 1.2.0
 
 - Initial public version
-- Security suite: hardcoded secrets, service key exposure, deprecated admin, systemdb whitelist, gitignore
-- Stability suite: husky hooks, CI pipeline, npm audit
-- Code quality suite: API response format
-- Supabase suite: RLS policy audit
-- Health checks: 16 checks, max 37pt
-- CLI: `tetra-audit`, `tetra-setup`, `tetra-dev-token`

package/bin/tetra-migration-lint.js

@@ -46,11 +46,18 @@ const RULES = [
       const funcName = match[1]
       // Auth helpers are OK as DEFINER
       const authWhitelist = [
+        // Auth helpers (need DEFINER to read auth schema)
         'auth_org_id', 'auth_uid', 'auth_role', 'auth_user_role',
         'auth_admin_organizations', 'auth_user_id', 'requesting_user_id',
         'get_auth_org_id', 'get_current_user_id',
         'auth_user_organizations', 'auth_creator_organizations',
-        'auth_organization_id', 'auth_is_admin', 'auth_is_superadmin'
+        'auth_organization_id', 'auth_is_admin', 'auth_is_superadmin',
+        // Public RPCs (anon access, DEFINER needed to bypass RLS and return safe columns)
+        'search_public_ad_library',
+        // System/billing RPCs (no user context)
+        'get_org_credit_limits',
+        // Supabase internal
+        'handle_new_user', 'moddatetime'
       ]
       return !authWhitelist.includes(funcName)
     },

package/lib/checks/security/config-rls-alignment.js

@@ -105,12 +105,46 @@ function parseMigrations(projectRoot) {
       sqlFiles = findFiles(projectRoot, dir.replace(projectRoot + '/', '') + '/*.sql')
     } catch { continue }
 
+    // Sort migrations by filename (timestamp order) so later migrations override earlier ones
+    sqlFiles.sort()
+
     for (const file of sqlFiles) {
       let content
       try { content = readFileSync(file, 'utf-8') } catch { continue }
 
       const relFile = file.replace(projectRoot + '/', '')
 
+      // Handle DROP POLICY — removes policy from earlier migration
+      const dropPolicyMatches = content.matchAll(/DROP\s+POLICY\s+(?:IF\s+EXISTS\s+)?"?([^";\s]+)"?\s+ON\s+(?:public\.)?(\w+)/gi)
+      for (const m of dropPolicyMatches) {
+        const policyName = m[1]
+        const table = m[2]
+        if (tables.has(table)) {
+          tables.get(table).policies = tables.get(table).policies.filter(p => p.name !== policyName)
+        }
+      }
+
+      // Handle ALTER FUNCTION ... SECURITY INVOKER/DEFINER — overrides earlier CREATE FUNCTION
+      const alterFuncMatches = content.matchAll(/ALTER\s+FUNCTION\s+(?:public\.)?(\w+)(?:\s*\([^)]*\))?\s+SECURITY\s+(INVOKER|DEFINER)/gi)
+      for (const m of alterFuncMatches) {
+        const funcName = m[1]
+        const securityMode = m[2].toUpperCase()
+        // Update all tables that reference this function
+        for (const [, tableInfo] of tables) {
+          if (tableInfo.rpcFunctions.has(funcName)) {
+            tableInfo.rpcFunctions.get(funcName).securityMode = securityMode
+            tableInfo.rpcFunctions.get(funcName).file = relFile
+          }
+        }
+      }
+
+      // Handle DISABLE RLS — overrides earlier ENABLE
+      const disableRlsMatches = content.matchAll(/ALTER\s+TABLE\s+(?:public\.)?(\w+)\s+DISABLE\s+ROW\s+LEVEL\s+SECURITY/gi)
+      for (const m of disableRlsMatches) {
+        const table = m[1]
+        if (tables.has(table)) tables.get(table).rlsEnabled = false
+      }
+
       // Find RLS enables
       const rlsMatches = content.matchAll(/ALTER\s+TABLE\s+(?:public\.)?(\w+)\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi)
       for (const m of rlsMatches) {

package/lib/checks/security/direct-supabase-client.js

@@ -74,6 +74,11 @@ export async function run(config, projectRoot) {
     summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 }
   }
 
+  // Build whitelist from hardcoded + config
+  const configWhitelist = config?.supabase?.directSupabaseClientWhitelist || config?.directSupabaseClientWhitelist || []
+  const extraPatterns = configWhitelist.map(p => new RegExp(p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')))
+  const allAllowed = [...ALLOWED_FILES, ...extraPatterns]
+
   // Get all TypeScript files
   const files = await glob('**/*.ts', {
     cwd: projectRoot,
@@ -107,8 +112,8 @@ export async function run(config, projectRoot) {
 
         // Check for createClient import from supabase
         if (/import\s*\{[^}]*createClient[^}]*\}\s*from\s*['"]@supabase\/supabase-js['"]/.test(line)) {
-          // Check if this file is in the allowed list
-          const isAllowed = ALLOWED_FILES.some(pattern => pattern.test(file))
+          // Check if this file is in the allowed list (hardcoded + config whitelist)
+          const isAllowed = allAllowed.some(pattern => pattern.test(file))
 
           if (!isAllowed) {
             results.passed = false
@@ -129,7 +134,7 @@ export async function run(config, projectRoot) {
         // Also catch: const supabase = createClient(url, key) without the import
         // (in case someone imports it via re-export or variable)
         if (/createClient\s*\(\s*(?:process\.env|supabase|SUPABASE)/.test(line)) {
-          const isAllowed = ALLOWED_FILES.some(pattern => pattern.test(file))
+          const isAllowed = allAllowed.some(pattern => pattern.test(file))
           const isImportLine = /import/.test(line)
 
           if (!isAllowed && !isImportLine) {

package/lib/checks/security/mixed-db-usage.js

@@ -76,6 +76,9 @@ export async function run(config, projectRoot) {
     details: { controllersChecked: 0, violations: 0 }
   }
 
+  // Config-based ignore for controllers that legitimately mix DB helpers
+  const mixedDbIgnore = config?.supabase?.mixedDbUsageIgnore || []
+
   const files = await glob('**/*[Cc]ontroller*.ts', {
     cwd: projectRoot,
     ignore: [
@@ -104,6 +107,9 @@ export async function run(config, projectRoot) {
     results.details.controllersChecked++
     const fileName = basename(file)
 
+    // Skip controllers explicitly ignored in config
+    if (mixedDbIgnore.some(pattern => file.includes(pattern) || fileName.includes(pattern))) continue
+
     // Detect all DB usages in this file
     const dbUsages = new Map() // level -> [{type, line, code}]
     const lines = content.split('\n')
@@ -151,17 +157,25 @@ export async function run(config, projectRoot) {
 
     // HIGH: Multiple DB helper types in one controller
     if (usedLevels.length > 1) {
-      results.passed = false
-      results.findings.push({
-        file,
-        line: 1,
-        type: 'mixed db usage',
-        severity: 'high',
-        message: `${fileName} mixes ${usedLevels.join(' + ')} database helpers. Controllers MUST use exactly ONE DB helper type.`,
-        fix: `Split into separate controllers per DB level, or refactor services to accept injected supabase client. Admin + System mix → move system ops to a separate SystemXxxController.`
-      })
-      results.summary.high++
-      results.summary.total++
+      // Allow: Superadmin controllers may legitimately use SUPERADMIN + ADMIN
+      const isSuperadminMixingAdmin = expectedLevel === 'SUPERADMIN' &&
+        usedLevels.length === 2 &&
+        usedLevels.includes('SUPERADMIN') &&
+        usedLevels.includes('ADMIN')
+
+      if (!isSuperadminMixingAdmin) {
+        results.passed = false
+        results.findings.push({
+          file,
+          line: 1,
+          type: 'mixed db usage',
+          severity: 'high',
+          message: `${fileName} mixes ${usedLevels.join(' + ')} database helpers. Controllers MUST use exactly ONE DB helper type.`,
+          fix: `Split into separate controllers per DB level, or refactor services to accept injected supabase client. Admin + System mix → move system ops to a separate SystemXxxController.`
+        })
+        results.summary.high++
+        results.summary.total++
+      }
     }
 
     // MEDIUM: DB helper doesn't match naming convention

package/lib/checks/security/route-config-alignment.js

@@ -123,6 +123,9 @@ export async function run(config, projectRoot) {
     details: { routesChecked: 0, violations: 0 }
   }
 
+  // Config-based ignore for specific features/routes
+  const routeIgnore = config?.supabase?.routeConfigAlignmentIgnore || []
+
   const featureConfigs = parseFeatureConfigs(projectRoot)
 
   if (featureConfigs.length === 0) {
@@ -132,6 +135,8 @@ export async function run(config, projectRoot) {
   }
 
   for (const cfg of featureConfigs) {
+    // Skip features explicitly ignored in config
+    if (routeIgnore.some(pattern => cfg.tableName === pattern || cfg.configFile.includes(pattern))) continue
     const routeFiles = findRouteFiles(cfg.featureDir)
 
     // --- system: should NOT have any route file ---

package/lib/checks/security/systemdb-whitelist.js

@@ -80,11 +80,13 @@ const FORBIDDEN_FILE_PATTERNS = [
 ]
 
 /**
- * Maximum allowed whitelist size — anything above indicates architectural problems
+ * Default maximum allowed whitelist size — override via .tetra-quality.json:
+ * { "supabase": { "maxWhitelistEntries": 50 } }
  */
-const MAX_WHITELIST_SIZE = 35
+const DEFAULT_MAX_WHITELIST_SIZE = 35
 
 export async function run(config, projectRoot) {
+  const MAX_WHITELIST_SIZE = config?.supabase?.maxWhitelistEntries || DEFAULT_MAX_WHITELIST_SIZE
   const results = {
     passed: true,
     findings: [],
@@ -132,14 +134,52 @@ export async function run(config, projectRoot) {
     const whitelistMatch = systemDbContent.match(/new Set\s*(?:<[^>]+>)?\s*\(\s*\[([\s\S]*?)\]\s*\)/m)
 
     if (whitelistMatch) {
-      const entries = whitelistMatch[1]
-        .split('\n')
-        .map(line => {
-          const m = line.match(/['"]([^'"]+)['"]/)
-          return m ? m[1] : null
-        })
-        .filter(Boolean)
-      whitelist = new Set(entries)
+      const rawLines = whitelistMatch[1].split('\n')
+      let lastComment = null
+
+      for (let i = 0; i < rawLines.length; i++) {
+        const line = rawLines[i].trim()
+
+        // Track comments — group comments (// ...) or inline comments
+        const commentMatch = line.match(/^\s*\/\/\s*(.+)/)
+        if (commentMatch) {
+          lastComment = commentMatch[1].trim()
+          continue
+        }
+
+        const entryMatch = line.match(/['"]([^'"]+)['"]/)
+        if (!entryMatch) { continue }
+
+        const entry = entryMatch[1]
+        whitelist.add(entry)
+
+        // Check for inline comment: 'entry', // reason
+        const inlineCommentMatch = line.match(/['"][^'"]+['"]\s*,?\s*\/\/\s*(.+)/)
+        const reason = inlineCommentMatch ? inlineCommentMatch[1].trim() : lastComment
+
+        // Find line number in original file
+        const entryLineInFile = systemDbContent.substring(0, systemDbContent.indexOf(entry)).split('\n').length
+
+        if (!reason) {
+          results.findings.push({
+            file: systemDbPath.replace(projectRoot + '/', ''),
+            line: entryLineInFile,
+            type: 'whitelist-no-justification',
+            severity: 'high',
+            message: `systemDB whitelist entry '${entry}' has NO comment explaining WHY it needs service role key access. Every whitelist entry MUST have a comment above or inline.`,
+            fix: `Add a comment explaining why '${entry}' cannot use adminDB/userDB. Example:\n  // OAuth callback — browser redirect, no JWT in header\n  '${entry}',`
+          })
+          results.summary.high++
+          results.summary.total++
+          results.passed = false
+        }
+
+        // Reset lastComment after consuming it for a non-dynamic entry
+        // (don't reset for "// Dynamic:" comments which apply to patterns, not specific entries)
+        if (lastComment && !lastComment.toLowerCase().startsWith('dynamic')) {
+          lastComment = null
+        }
+      }
     }
 
     if (whitelist.size > MAX_WHITELIST_SIZE) {
@@ -157,6 +197,28 @@ export async function run(config, projectRoot) {
     }
   }
 
+  // Also check .tetra-quality.json for documented whitelist with justifications
+  const configWhitelist = config?.supabase?.systemDbWhitelist || {}
+  if (typeof configWhitelist === 'object' && !Array.isArray(configWhitelist)) {
+    // Format: { "context-name": "reason why systemDB is needed" }
+    for (const [context, reason] of Object.entries(configWhitelist)) {
+      whitelist.add(context)
+      if (!reason || typeof reason !== 'string' || reason.trim().length < 5) {
+        results.findings.push({
+          file: '.tetra-quality.json',
+          line: 1,
+          type: 'config-whitelist-no-justification',
+          severity: 'high',
+          message: `systemDbWhitelist entry '${context}' has empty or insufficient justification: "${reason || ''}". Explain WHY this context cannot use adminDB/userDB.`,
+          fix: `In .tetra-quality.json, set: "systemDbWhitelist": { "${context}": "Reason: e.g. OAuth callback — no JWT available, browser redirect flow" }`
+        })
+        results.summary.high++
+        results.summary.total++
+        results.passed = false
+      }
+    }
+  }
+
   // ─── Check 2: systemDB in forbidden locations ───────────────
 
   const files = await glob('**/*.ts', {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.15.1",
+  "version": "1.16.1",
   "publishConfig": {
     "access": "restricted"
   },