npm - @soulbatical/tetra-dev-toolkit - Versions diffs - 1.17.4 → 1.18.0 - Mend

@soulbatical/tetra-dev-toolkit 1.17.4 → 1.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/lib/checks/security/rls-live-audit.js +164 -0
package/lib/runner.js +3 -1
package/package.json +1 -1

package/lib/checks/security/rls-live-audit.js ADDED Viewed

@@ -0,0 +1,164 @@
+/**
+ * RLS Live DB Audit — queries pg_policies from the LIVE database
+ *
+ * The source of truth for RLS policy validation. Migration file parsing can miss:
+ * - Policies applied directly via SQL (not in migration files)
+ * - PL/pgSQL dynamic policies (EXECUTE format)
+ * - Policies overridden by later manual changes
+ *
+ * Requires SUPABASE_URL + SUPABASE_SERVICE_ROLE_KEY in environment.
+ * Connects via @supabase/supabase-js and calls a lightweight RPC.
+ *
+ * Setup (one-time per project):
+ *   CREATE OR REPLACE FUNCTION tetra_rls_audit()
+ *   RETURNS TABLE(tablename text, policyname text, using_clause text, with_check_clause text)
+ *   LANGUAGE sql SECURITY DEFINER AS $$
+ *     SELECT tablename::text, policyname::text, qual::text, with_check::text
+ *     FROM pg_policies WHERE schemaname = 'public';
+ *   $$;
+ */
+export const meta = {
+  id: 'rls-live-audit',
+  name: 'RLS Live DB Audit',
+  category: 'security',
+  severity: 'critical',
+  description: 'Queries pg_policies from the live database and validates all RLS clauses against whitelisted patterns. Catches bypasses that migration parsing misses.'
+}
+const BANNED_RLS_PATTERNS = [
+  { pattern: /service_role/i, label: 'service_role bypass — service role already bypasses RLS at the Supabase layer' },
+  { pattern: /auth\.role\s*\(\)\s*=\s*'service_role'/i, label: 'auth.role() service_role bypass' },
+  { pattern: /current_setting\s*\(\s*'role'/i, label: 'PostgreSQL role check — bypasses tenant isolation' },
+  { pattern: /current_setting\s*\(\s*'request\.jwt\.claims'/i, label: 'JWT claims role check — bypasses tenant isolation' },
+  { pattern: /session_user/i, label: 'session_user check — bypasses tenant isolation' },
+  { pattern: /current_user\s*=/i, label: 'current_user check — bypasses tenant isolation' },
+  { pattern: /pg_has_role/i, label: 'pg_has_role — bypasses tenant isolation' },
+]
+const ALLOWED_RLS_PATTERNS = [
+  { pattern: /auth_admin_organizations\s*\(\)/i },
+  { pattern: /auth_user_organizations\s*\(\)/i },
+  { pattern: /auth_org_id\s*\(\)/i },
+  { pattern: /auth\.uid\s*\(\)/i },
+  { pattern: /auth_current_user_id\s*\(\)/i },
+  { pattern: /auth\.role\s*\(\)\s*=\s*'authenticated'/i },
+  { pattern: /auth\.role\s*\(\)\s*=\s*'anon'/i },
+  { pattern: /\w+\s*=\s*/i },
+  { pattern: /\w+\s+IS\s+(NOT\s+)?NULL/i },
+  { pattern: /\w+\s+IN\s*\(/i },
+  { pattern: /\w+\s*=\s*ANY\s*\(/i },
+  { pattern: /EXISTS\s*\(\s*SELECT/i },
+  { pattern: /^\s*\(?true\)?\s*$/i },
+  { pattern: /^\s*\(?false\)?\s*$/i },
+  { pattern: /auth\.jwt\s*\(\)/i },
+  { pattern: /current_setting\s*\(\s*'app\./i },
+  { pattern: /\b\w+\s*\([^)]*\)/i },
+]
+function validateRlsClause(clause) {
+  if (!clause || !clause.trim()) return null
+  for (const { pattern, label } of BANNED_RLS_PATTERNS) {
+    if (pattern.test(clause)) return label
+  }
+  if (!ALLOWED_RLS_PATTERNS.some(({ pattern }) => pattern.test(clause))) {
+    return `Unrecognized RLS clause: "${clause.substring(0, 150)}". Only whitelisted patterns allowed.`
+  }
+  return null
+}
+export async function run(config, projectRoot) {
+  const results = {
+    passed: true,
+    skipped: false,
+    findings: [],
+    summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 },
+    details: { policiesChecked: 0, tablesChecked: 0, violations: 0 }
+  }
+  const supabaseUrl = process.env.SUPABASE_URL
+  const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY
+  if (!supabaseUrl || !supabaseKey) {
+    results.skipped = true
+    results.skipReason = 'No SUPABASE_URL/SUPABASE_SERVICE_ROLE_KEY in environment'
+    return results
+  }
+  // Try to call tetra_rls_audit() RPC
+  let policies
+  try {
+    const response = await fetch(`${supabaseUrl}/rest/v1/rpc/tetra_rls_audit`, {
+      method: 'POST',
+      headers: {
+        'apikey': supabaseKey,
+        'Authorization': `Bearer ${supabaseKey}`,
+        'Content-Type': 'application/json',
+      },
+      body: '{}',
+    })
+    if (!response.ok) {
+      const status = response.status
+      if (status === 404) {
+        results.skipped = true
+        results.skipReason = 'RPC tetra_rls_audit() not found. Create it once:\n\n  CREATE OR REPLACE FUNCTION tetra_rls_audit()\n  RETURNS TABLE(tablename text, policyname text, using_clause text, with_check_clause text)\n  LANGUAGE sql SECURITY DEFINER AS $$\n    SELECT tablename::text, policyname::text, qual::text, with_check::text\n    FROM pg_policies WHERE schemaname = \'public\';\n  $$;'
+      } else {
+        results.skipped = true
+        results.skipReason = `RPC tetra_rls_audit() failed with status ${status}`
+      }
+      return results
+    }
+    policies = await response.json()
+  } catch (err) {
+    results.skipped = true
+    results.skipReason = `Failed to query live DB: ${err.message}`
+    return results
+  }
+  if (!Array.isArray(policies) || policies.length === 0) {
+    results.skipped = true
+    results.skipReason = 'No policies returned from tetra_rls_audit()'
+    return results
+  }
+  const backendOnlyTables = config.supabase?.backendOnlyTables || []
+  const tablesChecked = new Set()
+  for (const policy of policies) {
+    if (!policy) continue
+    const { tablename, policyname, using_clause, with_check_clause } = policy
+    if (backendOnlyTables.includes(tablename)) continue
+    if (tablename?.startsWith('_') || tablename?.startsWith('pg_')) continue
+    tablesChecked.add(tablename)
+    results.details.policiesChecked++
+    for (const [clauseType, clause] of [['USING', using_clause], ['WITH CHECK', with_check_clause]]) {
+      if (!clause) continue
+      const violation = validateRlsClause(clause)
+      if (violation) {
+        results.passed = false
+        results.details.violations++
+        results.findings.push({
+          file: `LIVE DB → ${tablename}`,
+          line: 1,
+          type: 'rls-live-bypass',
+          severity: 'critical',
+          message: `[LIVE] Policy "${policyname}" on "${tablename}": ${violation}`,
+          fix: 'Fix the policy in the database and add a corrective migration.'
+        })
+        results.summary.critical++
+        results.summary.total++
+      }
+    }
+  }
+  results.details.tablesChecked = tablesChecked.size
+  return results
+}

package/lib/runner.js CHANGED Viewed

@@ -26,6 +26,7 @@ import * as namingConventions from './checks/codeQuality/naming-conventions.js'
 import * as routeSeparation from './checks/codeQuality/route-separation.js'
 import * as gitignoreValidation from './checks/security/gitignore-validation.js'
 import * as routeConfigAlignment from './checks/security/route-config-alignment.js'
+import * as rlsLiveAudit from './checks/security/rls-live-audit.js'
 import * as rlsPolicyAudit from './checks/supabase/rls-policy-audit.js'
 import * as rpcParamMismatch from './checks/supabase/rpc-param-mismatch.js'
 import * as rpcGeneratorOrigin from './checks/supabase/rpc-generator-origin.js'
@@ -96,7 +97,8 @@ const ALL_CHECKS = {
     rpcSecurityMode,
     systemdbWhitelist,
     gitignoreValidation,
-    routeConfigAlignment
+    routeConfigAlignment,
+    rlsLiveAudit
   ],
   stability: [
     huskyHooks,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.17.4",
+  "version": "1.18.0",
   "publishConfig": {
     "access": "restricted"
   },