npm - @soulbatical/tetra-dev-toolkit - Versions diffs - 1.16.3 → 1.17.0 - Mend

@soulbatical/tetra-dev-toolkit 1.16.3 → 1.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/lib/checks/security/config-rls-alignment.js +6 -2
package/lib/checks/security/direct-supabase-client.js +2 -2
package/lib/checks/security/mixed-db-usage.js +5 -3
package/lib/checks/security/route-config-alignment.js +35 -6
package/lib/checks/security/systemdb-whitelist.js +2 -1
package/lib/config.js +7 -1
package/package.json +1 -1

package/lib/checks/security/config-rls-alignment.js CHANGED Viewed

@@ -424,8 +424,12 @@ export async function run(config, projectRoot) {
       }
     }
-    // CHECK 4: RPC functions must be SECURITY INVOKER
+    // CHECK 4: RPC functions must be SECURITY INVOKER (unless whitelisted)
+    const definerWhitelist = config?.supabase?.securityDefinerWhitelist || []
     for (const rpcName of cfg.rpcFunctions) {
+      // Skip if explicitly whitelisted in config
+      if (definerWhitelist.includes(rpcName)) continue
       const rpcInfo = tableRls.rpcFunctions.get(rpcName)
       if (rpcInfo && rpcInfo.securityMode === 'DEFINER') {
         results.passed = false
@@ -435,7 +439,7 @@ export async function run(config, projectRoot) {
           type: 'rpc-security-definer',
           severity: 'critical',
           message: `RPC function "${rpcName}" for table "${tableName}" uses SECURITY DEFINER — this BYPASSES RLS completely. Any authenticated user can see ALL data.`,
-          fix: `Change to SECURITY INVOKER or remove the SECURITY DEFINER clause.`
+          fix: `Change to SECURITY INVOKER or add "${rpcName}" to supabase.securityDefinerWhitelist in .tetra-quality.json.`
         })
         results.summary.critical++
         results.summary.total++

package/lib/checks/security/direct-supabase-client.js CHANGED Viewed

@@ -74,8 +74,8 @@ export async function run(config, projectRoot) {
     summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 }
   }
-  // Build whitelist from hardcoded + config
-  const configWhitelist = config?.supabase?.directSupabaseClientWhitelist || config?.directSupabaseClientWhitelist || []
+  // Build whitelist from hardcoded + config (canonical: security.directSupabaseClientWhitelist)
+  const configWhitelist = config?.security?.directSupabaseClientWhitelist || config?.directSupabaseClientWhitelist || []
   const extraPatterns = configWhitelist.map(p => new RegExp(p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')))
   const allAllowed = [...ALLOWED_FILES, ...extraPatterns]

package/lib/checks/security/mixed-db-usage.js CHANGED Viewed

@@ -77,7 +77,8 @@ export async function run(config, projectRoot) {
   }
   // Config-based ignore for controllers that legitimately mix DB helpers
-  const mixedDbIgnore = config?.supabase?.mixedDbUsageIgnore || []
+  // Canonical: security.mixedDbWhitelist
+  const mixedDbIgnore = config?.security?.mixedDbWhitelist || config?.mixedDbWhitelist || []
   const files = await glob('**/*[Cc]ontroller*.ts', {
     cwd: projectRoot,
@@ -157,11 +158,12 @@ export async function run(config, projectRoot) {
     // HIGH: Multiple DB helper types in one controller
     if (usedLevels.length > 1) {
-      // Allow: Superadmin controllers may legitimately use SUPERADMIN + ADMIN
+      // Allow: Superadmin controllers use superadminDB which internally calls systemDB
+      // So tetra sees SUPERADMIN + SYSTEM (or SUPERADMIN + ADMIN) — both are legitimate
       const isSuperadminMixingAdmin = expectedLevel === 'SUPERADMIN' &&
         usedLevels.length === 2 &&
         usedLevels.includes('SUPERADMIN') &&
-        usedLevels.includes('ADMIN')
+        (usedLevels.includes('ADMIN') || usedLevels.includes('SYSTEM'))
       if (!isSuperadminMixingAdmin) {
         results.passed = false

package/lib/checks/security/route-config-alignment.js CHANGED Viewed

@@ -102,6 +102,32 @@ function hasOrgAdminMiddleware(content) {
   return /requireOrganizationAdmin/.test(content)
 }
+/**
+ * Check if admin routes are protected by a RouteManager group-level middleware.
+ * Many projects apply auth middleware at the route group level (e.g., all /api/admin/* routes)
+ * rather than in individual route files.
+ */
+function hasRouteManagerGroupAuth(projectRoot) {
+  const candidates = [
+    join(projectRoot, 'backend/src/core/RouteManager.ts'),
+    join(projectRoot, 'src/core/RouteManager.ts'),
+    join(projectRoot, 'backend/src/routes/index.ts'),
+    join(projectRoot, 'src/routes/index.ts')
+  ]
+  for (const file of candidates) {
+    if (!existsSync(file)) continue
+    try {
+      const content = readFileSync(file, 'utf-8')
+      // Check for group middleware pattern: prefix '/api/admin' with authenticateToken
+      if (/\/api\/admin/.test(content) && /authenticateToken/.test(content)) {
+        return true
+      }
+    } catch { /* skip */ }
+  }
+  return false
+}
 /**
  * Expected route filename for a given accessLevel
  */
@@ -123,8 +149,11 @@ export async function run(config, projectRoot) {
     details: { routesChecked: 0, violations: 0 }
   }
-  // Config-based ignore for specific features/routes
-  const routeIgnore = config?.supabase?.routeConfigAlignmentIgnore || []
+  // Canonical: security.routeConfigIgnore
+  const routeIgnore = config?.security?.routeConfigIgnore || config?.routeConfigAlignmentIgnore || []
+  // Detect if RouteManager applies group-level auth middleware to /api/admin/*
+  const routeManagerHasGroupAuth = hasRouteManagerGroupAuth(projectRoot)
   const featureConfigs = parseFeatureConfigs(projectRoot)
@@ -176,8 +205,8 @@ export async function run(config, projectRoot) {
       if (cfg.accessLevel === 'admin') {
         // Route name should be adminRoutes.ts
         if (routeName === 'adminRoutes.ts') {
-          // CRITICAL: admin route MUST have authenticateToken
-          if (!hasAuthMiddleware(content)) {
+          // CRITICAL: admin route MUST have authenticateToken (in file OR via RouteManager group)
+          if (!hasAuthMiddleware(content) && !routeManagerHasGroupAuth) {
             results.findings.push({
               file: relRouteFile,
               line: 1,
@@ -192,8 +221,8 @@ export async function run(config, projectRoot) {
             results.details.violations++
           }
-          // CRITICAL: admin route MUST have requireOrganizationAdmin
-          if (!hasOrgAdminMiddleware(content)) {
+          // CRITICAL: admin route MUST have requireOrganizationAdmin (in file OR via RouteManager group)
+          if (!hasOrgAdminMiddleware(content) && !routeManagerHasGroupAuth) {
             results.findings.push({
               file: relRouteFile,
               line: 1,

package/lib/checks/security/systemdb-whitelist.js CHANGED Viewed

@@ -86,7 +86,8 @@ const FORBIDDEN_FILE_PATTERNS = [
 const DEFAULT_MAX_WHITELIST_SIZE = 35
 export async function run(config, projectRoot) {
-  const MAX_WHITELIST_SIZE = config?.supabase?.maxWhitelistEntries || DEFAULT_MAX_WHITELIST_SIZE
+  // Canonical: security.systemDbMaxEntries
+  const MAX_WHITELIST_SIZE = config?.security?.systemDbMaxEntries || config?.systemDB?.maxWhitelistEntries || DEFAULT_MAX_WHITELIST_SIZE
   const results = {
     passed: true,
     findings: [],

package/lib/config.js CHANGED Viewed

@@ -42,7 +42,13 @@ export const DEFAULT_CONFIG = {
     // Code patterns
     checkSqlInjection: true,
     checkEvalUsage: true,
-    checkCommandInjection: true
+    checkCommandInjection: true,
+    // Whitelists — project-specific overrides in .tetra-quality.json
+    directSupabaseClientWhitelist: [],  // Files allowed to import createClient directly
+    mixedDbWhitelist: [],               // Controllers allowed to mix DB helper types
+    routeConfigIgnore: [],              // Tables to skip in route↔config alignment check
+    systemDbMaxEntries: 35              // Max systemDB whitelist entries before warning
   },
   // Stability checks

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.16.3",
+  "version": "1.17.0",
   "publishConfig": {
     "access": "restricted"
   },