@soulbatical/tetra-dev-toolkit 1.17.3 → 1.18.0

package/lib/checks/security/config-rls-alignment.js

@@ -194,15 +194,30 @@ function parseMigrations(projectRoot) {
           || content.match(/(?:TEXT\[\]|text\[\])\s*:=\s*ARRAY\s*\[\s*'([^[\]]+)'\s*\]/i)
         if (arrayMatch) {
           const loopTables = arrayMatch[1].split(/'\s*,\s*'/).map(t => t.trim())
-          const execLines = [...content.matchAll(/EXECUTE\s+format\s*\(\s*'(CREATE\s+POLICY\s+.*?)'\s*,/gi)]
+          // Match EXECUTE format('CREATE POLICY ...', ...) — multi-line, with escaped quotes ('')
+          // PL/pgSQL escapes single quotes as '' inside strings, so we must allow '' within the match
+          // The format string ends with a single ' (not '') followed by , or ;
+          const execLines = [...content.matchAll(/EXECUTE\s+format\s*\(\s*'(CREATE\s+POLICY(?:[^']|'')*?)'\s*,/gi)]
           for (const exec of execLines) {
-            const stmt = exec[1]
+            // Unescape PL/pgSQL doubled quotes back to single quotes for analysis
+            const stmt = exec[1].replace(/''/g, "'")
             const forOp = stmt.match(/FOR\s+(SELECT|INSERT|UPDATE|DELETE|ALL)/i)
             const operation = forOp ? forOp[1].toUpperCase() : 'ALL'
             const hasUsing = /\bUSING\b/i.test(stmt)
             const hasWithCheck = /WITH\s+CHECK/i.test(stmt)
-            const condMatch = stmt.match(/(?:USING|WITH\s+CHECK)\s*\(\s*(.*?)\s*\)/i)
-            const condition = condMatch ? condMatch[1] : ''
+
+            // Extract the full USING/WITH CHECK clause (may be multi-line with nested parens)
+            let usingCondition = ''
+            let withCheckCondition = ''
+            if (hasUsing) {
+              const uMatch = stmt.match(/USING\s*\(\s*([\s\S]*?)\s*\)\s*(?:WITH\s+CHECK|$)/i)
+                || stmt.match(/USING\s*\(\s*([\s\S]*?)\s*\)\s*$/i)
+              usingCondition = uMatch ? uMatch[1].trim() : ''
+            }
+            if (hasWithCheck) {
+              const wcMatch = stmt.match(/WITH\s+CHECK\s*\(\s*([\s\S]*?)\s*\)\s*$/i)
+              withCheckCondition = wcMatch ? wcMatch[1].trim() : ''
+            }
 
             for (const table of loopTables) {
               if (!tables.has(table)) tables.set(table, { rlsEnabled: false, policies: [], rpcFunctions: new Map() })
@@ -211,8 +226,8 @@ function parseMigrations(projectRoot) {
                 tables.get(table).policies.push({
                   name: policyName,
                   operation,
-                  using: hasUsing ? condition : '',
-                  withCheck: hasWithCheck ? condition : '',
+                  using: usingCondition,
+                  withCheck: withCheckCondition,
                   file: relFile
                 })
               }

package/lib/checks/security/rls-live-audit.js

@@ -0,0 +1,164 @@
+/**
+ * RLS Live DB Audit — queries pg_policies from the LIVE database
+ *
+ * The source of truth for RLS policy validation. Migration file parsing can miss:
+ * - Policies applied directly via SQL (not in migration files)
+ * - PL/pgSQL dynamic policies (EXECUTE format)
+ * - Policies overridden by later manual changes
+ *
+ * Requires SUPABASE_URL + SUPABASE_SERVICE_ROLE_KEY in environment.
+ * Connects via @supabase/supabase-js and calls a lightweight RPC.
+ *
+ * Setup (one-time per project):
+ *   CREATE OR REPLACE FUNCTION tetra_rls_audit()
+ *   RETURNS TABLE(tablename text, policyname text, using_clause text, with_check_clause text)
+ *   LANGUAGE sql SECURITY DEFINER AS $$
+ *     SELECT tablename::text, policyname::text, qual::text, with_check::text
+ *     FROM pg_policies WHERE schemaname = 'public';
+ *   $$;
+ */
+
+export const meta = {
+  id: 'rls-live-audit',
+  name: 'RLS Live DB Audit',
+  category: 'security',
+  severity: 'critical',
+  description: 'Queries pg_policies from the live database and validates all RLS clauses against whitelisted patterns. Catches bypasses that migration parsing misses.'
+}
+
+const BANNED_RLS_PATTERNS = [
+  { pattern: /service_role/i, label: 'service_role bypass — service role already bypasses RLS at the Supabase layer' },
+  { pattern: /auth\.role\s*\(\)\s*=\s*'service_role'/i, label: 'auth.role() service_role bypass' },
+  { pattern: /current_setting\s*\(\s*'role'/i, label: 'PostgreSQL role check — bypasses tenant isolation' },
+  { pattern: /current_setting\s*\(\s*'request\.jwt\.claims'/i, label: 'JWT claims role check — bypasses tenant isolation' },
+  { pattern: /session_user/i, label: 'session_user check — bypasses tenant isolation' },
+  { pattern: /current_user\s*=/i, label: 'current_user check — bypasses tenant isolation' },
+  { pattern: /pg_has_role/i, label: 'pg_has_role — bypasses tenant isolation' },
+]
+
+const ALLOWED_RLS_PATTERNS = [
+  { pattern: /auth_admin_organizations\s*\(\)/i },
+  { pattern: /auth_user_organizations\s*\(\)/i },
+  { pattern: /auth_org_id\s*\(\)/i },
+  { pattern: /auth\.uid\s*\(\)/i },
+  { pattern: /auth_current_user_id\s*\(\)/i },
+  { pattern: /auth\.role\s*\(\)\s*=\s*'authenticated'/i },
+  { pattern: /auth\.role\s*\(\)\s*=\s*'anon'/i },
+  { pattern: /\w+\s*=\s*/i },
+  { pattern: /\w+\s+IS\s+(NOT\s+)?NULL/i },
+  { pattern: /\w+\s+IN\s*\(/i },
+  { pattern: /\w+\s*=\s*ANY\s*\(/i },
+  { pattern: /EXISTS\s*\(\s*SELECT/i },
+  { pattern: /^\s*\(?true\)?\s*$/i },
+  { pattern: /^\s*\(?false\)?\s*$/i },
+  { pattern: /auth\.jwt\s*\(\)/i },
+  { pattern: /current_setting\s*\(\s*'app\./i },
+  { pattern: /\b\w+\s*\([^)]*\)/i },
+]
+
+function validateRlsClause(clause) {
+  if (!clause || !clause.trim()) return null
+
+  for (const { pattern, label } of BANNED_RLS_PATTERNS) {
+    if (pattern.test(clause)) return label
+  }
+
+  if (!ALLOWED_RLS_PATTERNS.some(({ pattern }) => pattern.test(clause))) {
+    return `Unrecognized RLS clause: "${clause.substring(0, 150)}". Only whitelisted patterns allowed.`
+  }
+
+  return null
+}
+
+export async function run(config, projectRoot) {
+  const results = {
+    passed: true,
+    skipped: false,
+    findings: [],
+    summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 },
+    details: { policiesChecked: 0, tablesChecked: 0, violations: 0 }
+  }
+
+  const supabaseUrl = process.env.SUPABASE_URL
+  const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY
+
+  if (!supabaseUrl || !supabaseKey) {
+    results.skipped = true
+    results.skipReason = 'No SUPABASE_URL/SUPABASE_SERVICE_ROLE_KEY in environment'
+    return results
+  }
+
+  // Try to call tetra_rls_audit() RPC
+  let policies
+  try {
+    const response = await fetch(`${supabaseUrl}/rest/v1/rpc/tetra_rls_audit`, {
+      method: 'POST',
+      headers: {
+        'apikey': supabaseKey,
+        'Authorization': `Bearer ${supabaseKey}`,
+        'Content-Type': 'application/json',
+      },
+      body: '{}',
+    })
+
+    if (!response.ok) {
+      const status = response.status
+      if (status === 404) {
+        results.skipped = true
+        results.skipReason = 'RPC tetra_rls_audit() not found. Create it once:\n\n  CREATE OR REPLACE FUNCTION tetra_rls_audit()\n  RETURNS TABLE(tablename text, policyname text, using_clause text, with_check_clause text)\n  LANGUAGE sql SECURITY DEFINER AS $$\n    SELECT tablename::text, policyname::text, qual::text, with_check::text\n    FROM pg_policies WHERE schemaname = \'public\';\n  $$;'
+      } else {
+        results.skipped = true
+        results.skipReason = `RPC tetra_rls_audit() failed with status ${status}`
+      }
+      return results
+    }
+
+    policies = await response.json()
+  } catch (err) {
+    results.skipped = true
+    results.skipReason = `Failed to query live DB: ${err.message}`
+    return results
+  }
+
+  if (!Array.isArray(policies) || policies.length === 0) {
+    results.skipped = true
+    results.skipReason = 'No policies returned from tetra_rls_audit()'
+    return results
+  }
+
+  const backendOnlyTables = config.supabase?.backendOnlyTables || []
+  const tablesChecked = new Set()
+
+  for (const policy of policies) {
+    if (!policy) continue
+    const { tablename, policyname, using_clause, with_check_clause } = policy
+
+    if (backendOnlyTables.includes(tablename)) continue
+    if (tablename?.startsWith('_') || tablename?.startsWith('pg_')) continue
+
+    tablesChecked.add(tablename)
+    results.details.policiesChecked++
+
+    for (const [clauseType, clause] of [['USING', using_clause], ['WITH CHECK', with_check_clause]]) {
+      if (!clause) continue
+      const violation = validateRlsClause(clause)
+      if (violation) {
+        results.passed = false
+        results.details.violations++
+        results.findings.push({
+          file: `LIVE DB → ${tablename}`,
+          line: 1,
+          type: 'rls-live-bypass',
+          severity: 'critical',
+          message: `[LIVE] Policy "${policyname}" on "${tablename}": ${violation}`,
+          fix: 'Fix the policy in the database and add a corrective migration.'
+        })
+        results.summary.critical++
+        results.summary.total++
+      }
+    }
+  }
+
+  results.details.tablesChecked = tablesChecked.size
+  return results
+}

package/lib/checks/security/systemdb-whitelist.js

@@ -63,6 +63,9 @@ const ALLOWED_FILE_PATTERNS = [
   /BaseCronService/,
   // Internal service-to-service routes (API key auth, no user JWT)
   /internalRoutes/,
+  // Billing routers — hybrid files with both authenticated admin routes and unauthenticated webhook handlers
+  // systemDB is needed for Tetra BillingService config callbacks (getSystemDB, getWebhookDB)
+  /billingRouter/,
 ]
 
 /**

package/lib/runner.js

@@ -26,6 +26,7 @@ import * as namingConventions from './checks/codeQuality/naming-conventions.js'
 import * as routeSeparation from './checks/codeQuality/route-separation.js'
 import * as gitignoreValidation from './checks/security/gitignore-validation.js'
 import * as routeConfigAlignment from './checks/security/route-config-alignment.js'
+import * as rlsLiveAudit from './checks/security/rls-live-audit.js'
 import * as rlsPolicyAudit from './checks/supabase/rls-policy-audit.js'
 import * as rpcParamMismatch from './checks/supabase/rpc-param-mismatch.js'
 import * as rpcGeneratorOrigin from './checks/supabase/rpc-generator-origin.js'
@@ -96,7 +97,8 @@ const ALL_CHECKS = {
     rpcSecurityMode,
     systemdbWhitelist,
     gitignoreValidation,
-    routeConfigAlignment
+    routeConfigAlignment,
+    rlsLiveAudit
   ],
   stability: [
     huskyHooks,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.17.3",
+  "version": "1.18.0",
   "publishConfig": {
     "access": "restricted"
   },
@@ -31,7 +31,8 @@
     "tetra-dev-token": "./bin/tetra-dev-token.js",
     "tetra-check-rls": "./bin/tetra-check-rls.js",
     "tetra-migration-lint": "./bin/tetra-migration-lint.js",
-    "tetra-db-push": "./bin/tetra-db-push.js"
+    "tetra-db-push": "./bin/tetra-db-push.js",
+    "tetra-check-peers": "./bin/tetra-check-peers.js"
   },
   "files": [
     "bin/",