@soulbatical/tetra-dev-toolkit 1.20.0 → 2.0.0

package/lib/checks/security/tetra-core-compliance.js

@@ -1,197 +0,0 @@
-/**
- * Tetra Core Compliance — HARD BLOCK
- *
- * If a project has @soulbatical/tetra-core as a dependency, it MUST use:
- * 1. configureAuth() — sets up authentication middleware
- * 2. authenticateToken — middleware on protected routes
- * 3. adminDB/userDB/systemDB — db helpers (NOT raw createClient)
- *
- * If ANY of these are missing, the project is NOT secure.
- * There is no "skip" — if you have tetra-core, you use it fully or not at all.
- *
- * This check also detects projects that SHOULD have tetra-core but don't:
- * - Has a backend/ dir with Express + Supabase → MUST have tetra-core
- */
-
-import { readFileSync, existsSync } from 'fs'
-import { join } from 'path'
-import { glob } from 'glob'
-
-export const meta = {
-  id: 'tetra-core-compliance',
-  name: 'Tetra Core Compliance',
-  category: 'security',
-  severity: 'critical',
-  description: 'Ensures projects using @soulbatical/tetra-core implement ALL required security patterns — auth, middleware, db helpers'
-}
-
-export async function run(config, projectRoot) {
-  const results = {
-    passed: true,
-    findings: [],
-    summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 }
-  }
-
-  // ─── Step 1: Does this project have tetra-core? ────────────────
-
-  const packageJsonPaths = [
-    join(projectRoot, 'package.json'),
-    join(projectRoot, 'backend', 'package.json')
-  ]
-
-  let hasTetraCore = false
-  let tetraCoreLocation = null
-
-  for (const pkgPath of packageJsonPaths) {
-    if (!existsSync(pkgPath)) continue
-    try {
-      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
-      const deps = { ...pkg.dependencies, ...pkg.devDependencies }
-      if (deps['@soulbatical/tetra-core']) {
-        hasTetraCore = true
-        tetraCoreLocation = pkgPath.replace(projectRoot + '/', '')
-        break
-      }
-    } catch { /* skip */ }
-  }
-
-  // ─── Step 2: Check if project SHOULD have tetra-core ───────────
-
-  if (!hasTetraCore) {
-    // Check if this is an Express + Supabase backend that should have it
-    const backendDirs = ['backend/src', 'src']
-    let hasExpress = false
-    let hasSupabase = false
-
-    for (const dir of backendDirs) {
-      const pkgPath = dir === 'src' ? join(projectRoot, 'package.json') : join(projectRoot, 'backend', 'package.json')
-      if (!existsSync(pkgPath)) continue
-      try {
-        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'))
-        const deps = { ...pkg.dependencies, ...pkg.devDependencies }
-        if (deps['express']) hasExpress = true
-        if (deps['@supabase/supabase-js']) hasSupabase = true
-      } catch { /* skip */ }
-    }
-
-    if (hasExpress && hasSupabase) {
-      results.passed = false
-      results.findings.push({
-        type: 'missing-tetra-core',
-        severity: 'critical',
-        message: 'Project has Express + Supabase but does NOT have @soulbatical/tetra-core. This means NO standard auth middleware, NO db helpers, NO RLS enforcement. Install tetra-core and follow the architecture guide.',
-        fix: 'npm install @soulbatical/tetra-core && see stella_howto_get slug="tetra-architecture-guide"'
-      })
-      results.summary.critical++
-      results.summary.total++
-    } else {
-      // Not a backend project, skip
-      results.skipped = true
-      results.skipReason = 'Not a Tetra backend project (no Express + Supabase)'
-      return results
-    }
-
-    return results
-  }
-
-  // ─── Step 3: Has tetra-core → check FULL compliance ────────────
-
-  const backendSrc = existsSync(join(projectRoot, 'backend', 'src')) ? 'backend/src' : 'src'
-
-  // Check 3a: configureAuth() is called somewhere
-  const tsFiles = await glob(`${backendSrc}/**/*.ts`, {
-    cwd: projectRoot,
-    ignore: ['**/node_modules/**', '**/*.test.ts', '**/*.spec.ts', '**/*.d.ts']
-  })
-
-  let hasConfigureAuth = false
-  let hasAuthenticateToken = false
-  let hasDbHelpers = false
-  let dbHelperImports = { adminDB: false, userDB: false, systemDB: false, publicDB: false, superadminDB: false }
-  let hasRawCreateClient = false
-  let rawCreateClientFiles = []
-
-  for (const file of tsFiles) {
-    try {
-      const content = readFileSync(join(projectRoot, file), 'utf-8')
-
-      if (content.includes('configureAuth')) hasConfigureAuth = true
-      if (content.includes('authenticateToken')) hasAuthenticateToken = true
-
-      // Check for db helper usage
-      if (/(?:import|from).*(?:adminDB|userDB|systemDB|publicDB|superadminDB)/.test(content)) {
-        hasDbHelpers = true
-        if (content.includes('adminDB')) dbHelperImports.adminDB = true
-        if (content.includes('userDB')) dbHelperImports.userDB = true
-        if (content.includes('systemDB')) dbHelperImports.systemDB = true
-        if (content.includes('publicDB')) dbHelperImports.publicDB = true
-        if (content.includes('superadminDB')) dbHelperImports.superadminDB = true
-      }
-
-      // Check for raw createClient usage (should be caught by direct-supabase-client check too)
-      if (/import\s*\{[^}]*createClient[^}]*\}\s*from\s*['"]@supabase\/supabase-js['"]/.test(content)) {
-        if (!/import\s+type/.test(content)) {
-          // Not in core wrapper files
-          if (!/core\//.test(file) && !/SupabaseUserClient/.test(file) && !/scripts\//.test(file)) {
-            hasRawCreateClient = true
-            rawCreateClientFiles.push(file)
-          }
-        }
-      }
-    } catch { /* skip */ }
-  }
-
-  // ─── Report findings ──────────────────────────────────────────
-
-  if (!hasConfigureAuth) {
-    results.passed = false
-    results.findings.push({
-      type: 'missing-configureAuth',
-      severity: 'critical',
-      message: 'Project has @soulbatical/tetra-core but NEVER calls configureAuth(). This means the auth middleware is not initialized — all routes are potentially unprotected.',
-      fix: 'Create an auth-config.ts that calls configureAuth({ loadUserContext, roleHierarchy }). See sparkbuddy-live/backend/src/auth-config.ts for reference.'
-    })
-    results.summary.critical++
-    results.summary.total++
-  }
-
-  if (!hasAuthenticateToken) {
-    results.passed = false
-    results.findings.push({
-      type: 'missing-authenticateToken',
-      severity: 'critical',
-      message: 'Project has @soulbatical/tetra-core but NO route uses authenticateToken middleware. All API endpoints are unprotected.',
-      fix: 'Add authenticateToken middleware to all protected routes: router.use(authenticateToken, requireOrganizationAdmin)'
-    })
-    results.summary.critical++
-    results.summary.total++
-  }
-
-  if (!hasDbHelpers) {
-    results.passed = false
-    results.findings.push({
-      type: 'missing-db-helpers',
-      severity: 'critical',
-      message: 'Project has @soulbatical/tetra-core but does NOT use any db helpers (adminDB, userDB, systemDB, publicDB). Database access has no RLS enforcement.',
-      fix: 'Use adminDB(req) for admin routes, userDB(req) for user routes, systemDB(context) for system operations. See stella_howto_get slug="tetra-architecture-guide"'
-    })
-    results.summary.critical++
-    results.summary.total++
-  }
-
-  // Info: which helpers are used
-  const usedHelpers = Object.entries(dbHelperImports).filter(([_, used]) => used).map(([name]) => name)
-  const unusedHelpers = Object.entries(dbHelperImports).filter(([_, used]) => !used).map(([name]) => name)
-
-  results.info = {
-    tetraCoreLocation,
-    configureAuth: hasConfigureAuth,
-    authenticateToken: hasAuthenticateToken,
-    dbHelpers: {
-      used: usedHelpers,
-      unused: unusedHelpers
-    }
-  }
-
-  return results
-}