@soulbatical/tetra-dev-toolkit 1.17.0 → 1.17.2

package/lib/checks/security/config-rls-alignment.js

@@ -280,6 +280,123 @@ function isWideOpen(using) {
   return using.trim() === 'true' || using.trim() === '(true)'
 }
 
+/**
+ * Whitelist-based RLS policy validation.
+ *
+ * ONLY these building blocks are allowed in USING/WITH CHECK clauses.
+ * Derived from sparkbuddy-live (the reference implementation).
+ * Everything that doesn't match is rejected as unrecognized.
+ *
+ * To add a new pattern: add it here AND document why it's safe.
+ */
+const ALLOWED_RLS_ATOMS = [
+  // Org isolation via helper functions
+  /auth_admin_organizations\s*\(\)/i,
+  /auth_user_organizations\s*\(\)/i,
+  /auth_org_id\s*\(\)/i,
+  /auth_current_user_id\s*\(\)/i,
+  // User isolation
+  /auth\.uid\s*\(\)/i,
+  // Column comparisons (org_id, user_id, etc.)
+  /organization_id/i,
+  /organizationid/i,
+  /active_organization_id/i,
+  /user_id/i,
+  /userid/i,
+  /owner_id/i,
+  /created_by/i,
+  /creator_id/i,
+  /shared_by/i,
+  /sparkbuddy_user_id/i,
+  /user_public_id/i,
+  // Boolean/status column checks (for public/active filtering)
+  /is_active/i,
+  /is_public/i,
+  /is_template/i,
+  /is_published/i,
+  /anonymous_access/i,
+  /allow_cross_org_usage/i,
+  /visibility_level/i,
+  /published_status/i,
+  /post_type/i,
+  /status/i,
+  /active/i,
+  /invitation_token/i,
+  /original_testimonial_id/i,
+  /expires_at/i,
+  /session_id/i,
+  // Subqueries to parent tables
+  /\bIN\s*\(\s*SELECT\b/i,
+  /\bEXISTS\s*\(\s*SELECT\b/i,
+  // Literals and operators
+  /true/i,
+  /false/i,
+  /null/i,
+  /now\s*\(\)/i,
+  /\bAND\b/i,
+  /\bOR\b/i,
+  /\bNOT\b/i,
+  /\bIS\b/i,
+  /\bANY\b/i,
+  /\bARRAY\b/i,
+  // Legacy JWT pattern (sparkbuddy initial schema)
+  /auth\.jwt\s*\(\)/i,
+  /app_metadata/i,
+  // current_setting for app context (NOT role/jwt.claims bypass)
+  /current_setting\s*\(\s*'app\./i,
+]
+
+/**
+ * Patterns that are NEVER allowed in RLS policies, regardless of context.
+ * These bypass RLS and defeat the purpose of having policies at all.
+ */
+const BANNED_RLS_PATTERNS = [
+  { pattern: /service_role/i, label: 'service_role bypass — service role already bypasses RLS at the Supabase layer' },
+  { pattern: /current_setting\s*\(\s*'role'\s*(?:,\s*true\s*)?\)/i, label: 'PostgreSQL role check — bypasses tenant isolation' },
+  { pattern: /current_setting\s*\(\s*'request\.jwt\.claims'/i, label: 'JWT claims role check — bypasses tenant isolation' },
+  { pattern: /session_user/i, label: 'session_user check — bypasses tenant isolation' },
+  { pattern: /current_user\s*=/i, label: 'current_user check — bypasses tenant isolation' },
+  { pattern: /auth\.role\s*\(\)/i, label: 'auth.role() check — bypasses tenant isolation' },
+  { pattern: /pg_has_role/i, label: 'pg_has_role — bypasses tenant isolation' },
+]
+
+/**
+ * Validate an RLS clause against the whitelist.
+ * Returns null if valid, or a description of what's wrong.
+ */
+function validateRlsClause(clause) {
+  if (!clause || !clause.trim()) return null
+
+  // First check for explicitly banned patterns
+  for (const { pattern, label } of BANNED_RLS_PATTERNS) {
+    if (pattern.test(clause)) return label
+  }
+
+  // Strip known-safe tokens and see if anything suspicious remains
+  let stripped = clause
+  // Remove string literals
+  stripped = stripped.replace(/'[^']*'/g, '')
+  // Remove numbers
+  stripped = stripped.replace(/\b\d+\b/g, '')
+  // Remove known-safe identifiers and functions
+  for (const atom of ALLOWED_RLS_ATOMS) {
+    stripped = stripped.replace(new RegExp(atom.source, 'gi'), '')
+  }
+  // Remove SQL syntax noise (parens, commas, operators, quotes, casts, aliases)
+  stripped = stripped.replace(/[(),"=<>!:.|{}\-\+\*\/\s]/g, '')
+  stripped = stripped.replace(/\b(AS|FROM|WHERE|SELECT|JOIN|ON|LIMIT|uuid|text|boolean|integer|jsonb|json|public|ARRAY|FOR)\b/gi, '')
+  // Remove table/column qualifiers that look like identifiers (lowercase + underscore)
+  stripped = stripped.replace(/\b[a-z_][a-z0-9_]*\b/gi, '')
+  stripped = stripped.trim()
+
+  // If anything substantial remains, it's an unrecognized pattern
+  if (stripped.length > 0) {
+    return `Unrecognized RLS clause content: "${clause.substring(0, 120)}". Only whitelisted patterns are allowed.`
+  }
+
+  return null
+}
+
 export async function run(config, projectRoot) {
   const results = {
     passed: true,
@@ -446,6 +563,27 @@ export async function run(config, projectRoot) {
       }
     }
 
+    // CHECK 4b: All policy clauses must match whitelisted patterns only
+    for (const p of policies) {
+      for (const [clauseType, clause] of [['USING', p.using], ['WITH CHECK', p.withCheck]]) {
+        if (!clause) continue
+        const violation = validateRlsClause(clause)
+        if (violation) {
+          results.passed = false
+          results.findings.push({
+            file: p.file,
+            line: 1,
+            type: 'rls-invalid-clause',
+            severity: 'critical',
+            message: `Policy "${p.name}" on table "${tableName}" has invalid ${clauseType} clause: ${violation}`,
+            fix: `Only whitelisted patterns are allowed. Valid: auth_admin_organizations(), auth.uid(), org/user column checks, parent-table subqueries, boolean column filters. See ALLOWED_RLS_ATOMS in config-rls-alignment.js.`
+          })
+          results.summary.critical++
+          results.summary.total++
+        }
+      }
+    }
+
     // CHECK 5: Write policies (INSERT/UPDATE) must have WITH CHECK for org isolation
     if (cfg.accessLevel === 'admin' || cfg.accessLevel === 'user') {
       const writePoilciesWithoutCheck = [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.17.0",
+  "version": "1.17.2",
   "publishConfig": {
     "access": "restricted"
   },