@soulbatical/tetra-dev-toolkit 1.17.4 → 1.18.1

package/bin/tetra-check-peers.js

@@ -38,50 +38,89 @@ function readJson(path) {
 }
 
 function satisfiesRange(installed, range) {
-  // Simple semver range check without external deps
-  // Handles: exact "2.93.3", caret "^2.93.3", tilde "~2.93.3", star "*", >= ">= 8.0.0"
+  // Check if a consumer's dependency range can satisfy a peer dep range.
+  // Both `installed` and `range` can be semver ranges (^2.48.0, ^2.93.3, etc.)
+  // We check if the ranges CAN overlap — i.e., there exists a version that satisfies both.
   if (!installed || !range) return false
-  if (range === '*') return true
+  if (range === '*' || installed === '*') return true
 
-  // Clean versions: remove leading ^ ~ >= <= > < =
   const cleanVersion = (v) => v.replace(/^[\^~>=<\s]+/, '').trim()
   const parseVersion = (v) => {
     const cleaned = cleanVersion(v)
     const parts = cleaned.split('.').map(Number)
     return { major: parts[0] || 0, minor: parts[1] || 0, patch: parts[2] || 0 }
   }
+  const versionGte = (a, b) => {
+    if (a.major !== b.major) return a.major > b.major
+    if (a.minor !== b.minor) return a.minor > b.minor
+    return a.patch >= b.patch
+  }
 
-  const inst = parseVersion(installed)
-  const req = parseVersion(range)
+  // For || ranges, check each part independently
+  const rangeParts = range.split('||').map(p => p.trim())
+  const installedParts = installed.split('||').map(p => p.trim())
 
-  if (range.startsWith('>=')) {
-    // >= check
-    if (inst.major > req.major) return true
-    if (inst.major === req.major && inst.minor > req.minor) return true
-    if (inst.major === req.major && inst.minor === req.minor && inst.patch >= req.patch) return true
+  return rangeParts.some(rPart => {
+    return installedParts.some(iPart => {
+      return rangesOverlap(iPart, rPart, parseVersion, versionGte)
+    })
+  })
+}
+
+function rangesOverlap(installedRange, requiredRange, parseVersion, versionGte) {
+  const isCaret = (r) => r.startsWith('^')
+  const isTilde = (r) => r.startsWith('~')
+  const isGte = (r) => r.startsWith('>=')
+
+  const inst = parseVersion(installedRange)
+  const req = parseVersion(requiredRange)
+
+  // Both caret ranges with same major: they overlap if their ranges intersect
+  // ^2.48.0 allows 2.48.0 - 2.x.x, ^2.93.3 allows 2.93.3 - 2.x.x
+  // They overlap because ^2.48.0 includes 2.93.3
+  if ((isCaret(installedRange) || !installedRange.match(/^[\^~>=]/)) &&
+      (isCaret(requiredRange) || !requiredRange.match(/^[\^~>=]/))) {
+    // Same major = ranges can overlap
+    if (inst.major === req.major) {
+      // The higher minimum must be reachable from the lower range
+      // ^2.48.0 (allows up to <3.0.0) can reach 2.93.3 ✓
+      // ^3.0.0 cannot reach 2.93.3 ✗
+      return true // Same major with caret = always overlapping
+    }
+    // Different major with exact versions: only if equal
+    if (!isCaret(installedRange) && !isCaret(requiredRange)) {
+      return inst.major === req.major && inst.minor === req.minor && inst.patch === req.patch
+    }
     return false
   }
 
-  if (range.startsWith('^') || range.includes('||')) {
-    // Caret: same major, >= minor.patch
-    // For ranges with || (e.g. "^18.0.0 || ^19.0.0"), check each part
-    const parts = range.split('||').map(p => p.trim())
-    return parts.some(part => {
-      const r = parseVersion(part)
-      if (inst.major !== r.major) return false
-      if (inst.minor > r.minor) return true
-      if (inst.minor === r.minor && inst.patch >= r.patch) return true
-      return false
-    })
+  // >= range checks
+  if (isGte(requiredRange)) {
+    // Required >= X.Y.Z: consumer's range must be able to produce a version >= X.Y.Z
+    // ^9.0.0 can produce 9.0.0+ which is >= 8.0.0 ✓
+    // ^5.3.3 can produce 5.3.3+ which is >= 5.0.0 ✓
+    // The max version of consumer's caret range is <(major+1).0.0
+    // So: consumer max >= required min
+    const consumerMax = isCaret(installedRange) ? { major: inst.major + 1, minor: 0, patch: 0 } : inst
+    return versionGte(consumerMax, req)
+  }
+  if (isGte(installedRange)) {
+    // Consumer has >= X, required has ^Y.Z.W — any version >= X could satisfy ^Y if X <= Y
+    return true // >= is open-ended, always overlaps with bounded ranges
   }
 
-  if (range.startsWith('~')) {
-    // Tilde: same major.minor, >= patch
-    if (inst.major !== req.major || inst.minor !== req.minor) return false
-    return inst.patch >= req.patch
+  // Tilde: ~X.Y.Z allows X.Y.Z - X.Y+1.0
+  if (isTilde(installedRange) || isTilde(requiredRange)) {
+    if (inst.major !== req.major) return false
+    // Tilde ranges on same major.minor overlap
+    if (isTilde(installedRange) && isTilde(requiredRange)) {
+      return inst.minor === req.minor
+    }
+    // Tilde + caret: tilde range must include or be included in caret range
+    return inst.minor === req.minor || (isCaret(requiredRange) && inst.minor >= req.minor)
   }
 
-  // Exact version match
+  // Fallback: exact match
   return inst.major === req.major && inst.minor === req.minor && inst.patch === req.patch
 }
 

package/lib/checks/security/rls-live-audit.js

@@ -0,0 +1,164 @@
+/**
+ * RLS Live DB Audit — queries pg_policies from the LIVE database
+ *
+ * The source of truth for RLS policy validation. Migration file parsing can miss:
+ * - Policies applied directly via SQL (not in migration files)
+ * - PL/pgSQL dynamic policies (EXECUTE format)
+ * - Policies overridden by later manual changes
+ *
+ * Requires SUPABASE_URL + SUPABASE_SERVICE_ROLE_KEY in environment.
+ * Connects via @supabase/supabase-js and calls a lightweight RPC.
+ *
+ * Setup (one-time per project):
+ *   CREATE OR REPLACE FUNCTION tetra_rls_audit()
+ *   RETURNS TABLE(tablename text, policyname text, using_clause text, with_check_clause text)
+ *   LANGUAGE sql SECURITY DEFINER AS $$
+ *     SELECT tablename::text, policyname::text, qual::text, with_check::text
+ *     FROM pg_policies WHERE schemaname = 'public';
+ *   $$;
+ */
+
+export const meta = {
+  id: 'rls-live-audit',
+  name: 'RLS Live DB Audit',
+  category: 'security',
+  severity: 'critical',
+  description: 'Queries pg_policies from the live database and validates all RLS clauses against whitelisted patterns. Catches bypasses that migration parsing misses.'
+}
+
+const BANNED_RLS_PATTERNS = [
+  { pattern: /service_role/i, label: 'service_role bypass — service role already bypasses RLS at the Supabase layer' },
+  { pattern: /auth\.role\s*\(\)\s*=\s*'service_role'/i, label: 'auth.role() service_role bypass' },
+  { pattern: /current_setting\s*\(\s*'role'/i, label: 'PostgreSQL role check — bypasses tenant isolation' },
+  { pattern: /current_setting\s*\(\s*'request\.jwt\.claims'/i, label: 'JWT claims role check — bypasses tenant isolation' },
+  { pattern: /session_user/i, label: 'session_user check — bypasses tenant isolation' },
+  { pattern: /current_user\s*=/i, label: 'current_user check — bypasses tenant isolation' },
+  { pattern: /pg_has_role/i, label: 'pg_has_role — bypasses tenant isolation' },
+]
+
+const ALLOWED_RLS_PATTERNS = [
+  { pattern: /auth_admin_organizations\s*\(\)/i },
+  { pattern: /auth_user_organizations\s*\(\)/i },
+  { pattern: /auth_org_id\s*\(\)/i },
+  { pattern: /auth\.uid\s*\(\)/i },
+  { pattern: /auth_current_user_id\s*\(\)/i },
+  { pattern: /auth\.role\s*\(\)\s*=\s*'authenticated'/i },
+  { pattern: /auth\.role\s*\(\)\s*=\s*'anon'/i },
+  { pattern: /\w+\s*=\s*/i },
+  { pattern: /\w+\s+IS\s+(NOT\s+)?NULL/i },
+  { pattern: /\w+\s+IN\s*\(/i },
+  { pattern: /\w+\s*=\s*ANY\s*\(/i },
+  { pattern: /EXISTS\s*\(\s*SELECT/i },
+  { pattern: /^\s*\(?true\)?\s*$/i },
+  { pattern: /^\s*\(?false\)?\s*$/i },
+  { pattern: /auth\.jwt\s*\(\)/i },
+  { pattern: /current_setting\s*\(\s*'app\./i },
+  { pattern: /\b\w+\s*\([^)]*\)/i },
+]
+
+function validateRlsClause(clause) {
+  if (!clause || !clause.trim()) return null
+
+  for (const { pattern, label } of BANNED_RLS_PATTERNS) {
+    if (pattern.test(clause)) return label
+  }
+
+  if (!ALLOWED_RLS_PATTERNS.some(({ pattern }) => pattern.test(clause))) {
+    return `Unrecognized RLS clause: "${clause.substring(0, 150)}". Only whitelisted patterns allowed.`
+  }
+
+  return null
+}
+
+export async function run(config, projectRoot) {
+  const results = {
+    passed: true,
+    skipped: false,
+    findings: [],
+    summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 },
+    details: { policiesChecked: 0, tablesChecked: 0, violations: 0 }
+  }
+
+  const supabaseUrl = process.env.SUPABASE_URL
+  const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY
+
+  if (!supabaseUrl || !supabaseKey) {
+    results.skipped = true
+    results.skipReason = 'No SUPABASE_URL/SUPABASE_SERVICE_ROLE_KEY in environment'
+    return results
+  }
+
+  // Try to call tetra_rls_audit() RPC
+  let policies
+  try {
+    const response = await fetch(`${supabaseUrl}/rest/v1/rpc/tetra_rls_audit`, {
+      method: 'POST',
+      headers: {
+        'apikey': supabaseKey,
+        'Authorization': `Bearer ${supabaseKey}`,
+        'Content-Type': 'application/json',
+      },
+      body: '{}',
+    })
+
+    if (!response.ok) {
+      const status = response.status
+      if (status === 404) {
+        results.skipped = true
+        results.skipReason = 'RPC tetra_rls_audit() not found. Create it once:\n\n  CREATE OR REPLACE FUNCTION tetra_rls_audit()\n  RETURNS TABLE(tablename text, policyname text, using_clause text, with_check_clause text)\n  LANGUAGE sql SECURITY DEFINER AS $$\n    SELECT tablename::text, policyname::text, qual::text, with_check::text\n    FROM pg_policies WHERE schemaname = \'public\';\n  $$;'
+      } else {
+        results.skipped = true
+        results.skipReason = `RPC tetra_rls_audit() failed with status ${status}`
+      }
+      return results
+    }
+
+    policies = await response.json()
+  } catch (err) {
+    results.skipped = true
+    results.skipReason = `Failed to query live DB: ${err.message}`
+    return results
+  }
+
+  if (!Array.isArray(policies) || policies.length === 0) {
+    results.skipped = true
+    results.skipReason = 'No policies returned from tetra_rls_audit()'
+    return results
+  }
+
+  const backendOnlyTables = config.supabase?.backendOnlyTables || []
+  const tablesChecked = new Set()
+
+  for (const policy of policies) {
+    if (!policy) continue
+    const { tablename, policyname, using_clause, with_check_clause } = policy
+
+    if (backendOnlyTables.includes(tablename)) continue
+    if (tablename?.startsWith('_') || tablename?.startsWith('pg_')) continue
+
+    tablesChecked.add(tablename)
+    results.details.policiesChecked++
+
+    for (const [clauseType, clause] of [['USING', using_clause], ['WITH CHECK', with_check_clause]]) {
+      if (!clause) continue
+      const violation = validateRlsClause(clause)
+      if (violation) {
+        results.passed = false
+        results.details.violations++
+        results.findings.push({
+          file: `LIVE DB → ${tablename}`,
+          line: 1,
+          type: 'rls-live-bypass',
+          severity: 'critical',
+          message: `[LIVE] Policy "${policyname}" on "${tablename}": ${violation}`,
+          fix: 'Fix the policy in the database and add a corrective migration.'
+        })
+        results.summary.critical++
+        results.summary.total++
+      }
+    }
+  }
+
+  results.details.tablesChecked = tablesChecked.size
+  return results
+}

package/lib/runner.js

@@ -26,6 +26,7 @@ import * as namingConventions from './checks/codeQuality/naming-conventions.js'
 import * as routeSeparation from './checks/codeQuality/route-separation.js'
 import * as gitignoreValidation from './checks/security/gitignore-validation.js'
 import * as routeConfigAlignment from './checks/security/route-config-alignment.js'
+import * as rlsLiveAudit from './checks/security/rls-live-audit.js'
 import * as rlsPolicyAudit from './checks/supabase/rls-policy-audit.js'
 import * as rpcParamMismatch from './checks/supabase/rpc-param-mismatch.js'
 import * as rpcGeneratorOrigin from './checks/supabase/rpc-generator-origin.js'
@@ -96,7 +97,8 @@ const ALL_CHECKS = {
     rpcSecurityMode,
     systemdbWhitelist,
     gitignoreValidation,
-    routeConfigAlignment
+    routeConfigAlignment,
+    rlsLiveAudit
   ],
   stability: [
     huskyHooks,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.17.4",
+  "version": "1.18.1",
   "publishConfig": {
     "access": "restricted"
   },