@soulbatical/tetra-dev-toolkit 1.20.5 → 1.20.7

package/README.md

@@ -307,6 +307,203 @@ Projects without `.ralph/@fix_plan.md` don't show the tasks field.
 
 ---
 
+## Config-Driven E2E Testing (v5.0)
+
+Auto-generate CRUD E2E tests from FeatureConfig. Zero boilerplate — add a `testing` section to your feature config and tests are generated automatically.
+
+### How it works
+
+1. Each `FeatureConfig` gets a `testing` section defining create/update bodies and required fields
+2. A single test file imports all configs and generates list/create/read/update/delete + validation tests
+3. Read-only resources just set `skip: { create: true, update: true, delete: true }`
+
+### Step 1: Add `testing` to your feature config
+
+```typescript
+// backend/src/features/adcampaigns/config/adcampaigns.config.ts
+export const adcampaignsFeatureConfig: FeatureConfig = {
+  tableName: 'ad_campaigns',
+  // ... existing config ...
+
+  testing: {
+    restBasePath: '/api/admin/ad-campaigns',
+    createBody: { name: 'E2E Test Campaign $timestamp', platform: 'facebook' },
+    updateBody: { name: 'E2E Updated Campaign' },
+    updateMethod: 'PATCH',          // or 'PUT' (default)
+    createStatus: 200,              // expected status (default: 200, use 201 if your API returns that)
+    requiredFields: ['name', 'platform'],  // generates validation tests
+  }
+};
+```
+
+For read-only resources:
+```typescript
+testing: {
+  restBasePath: '/api/admin/style-library',
+  createBody: {},
+  updateBody: {},
+  skip: { create: true, update: true, delete: true },
+}
+```
+
+### Step 2: Create the test file
+
+```typescript
+// tests/e2e/02-crud-resources.test.ts
+import { describe, it, expect, beforeAll } from 'vitest';
+import { get, post, del, api } from './helpers/api-client';
+import { getTestContext, type TestContext } from './helpers/test-users';
+
+import { adcampaignsFeatureConfig } from '../../backend/src/features/adcampaigns/config/adcampaigns.config';
+import { projectsFeatureConfig } from '../../backend/src/features/projects/config/projects.config';
+// ... import all configs ...
+
+const allConfigs = [adcampaignsFeatureConfig, projectsFeatureConfig /* ... */];
+
+let ctx: TestContext;
+beforeAll(async () => { ctx = await getTestContext(); }, 60000);
+
+for (const config of allConfigs) {
+  const testing = config.testing;
+  if (!testing) continue;
+  const basePath = testing.restBasePath;
+
+  describe(`CRUD: ${config.tableName}`, () => {
+    let createdId: string;
+
+    it(`GET ${basePath} returns 200`, async () => { /* ... */ });
+    if (!testing.skip?.create) {
+      it(`POST ${basePath} creates`, async () => { /* ... */ });
+      it(`GET ${basePath}/:id reads`, async () => { /* ... */ });
+      it(`${testing.updateMethod} ${basePath}/:id updates`, async () => { /* ... */ });
+      it(`DELETE ${basePath}/:id deletes`, async () => { /* ... */ });
+    }
+  });
+}
+```
+
+See `agentrook/tests/e2e/02-crud-resources.test.ts` for a full working example.
+
+### Step 3: Run
+
+```bash
+npx vitest run --config vitest.config.e2e.ts
+```
+
+### TestingConfig reference
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `restBasePath` | string | `config.restBasePath` | API endpoint path |
+| `createBody` | object | required | POST body for create |
+| `updateBody` | object | required | PUT/PATCH body for update |
+| `updateMethod` | `'PUT' \| 'PATCH'` | `'PUT'` | HTTP method for updates |
+| `createStatus` | number | `200` | Expected create response status |
+| `requiredFields` | string[] | `[]` | Fields to test validation for |
+| `skip.create` | boolean | `false` | Skip create/read/update/delete |
+| `skip.read` | boolean | `false` | Skip read test |
+| `skip.update` | boolean | `false` | Skip update test |
+| `skip.delete` | boolean | `false` | Skip delete test |
+
+### Dynamic values
+
+Use `$timestamp` and `$random` in string values for unique test data:
+
+```typescript
+createBody: { name: 'Test $timestamp', key: 'e2e-$random' }
+// Resolves to: { name: 'Test 1710782400000', key: 'e2e-x8k2m9' }
+```
+
+### Runtime utility
+
+For advanced usage, import the generator directly:
+
+```typescript
+import { generateCrudTests } from '@soulbatical/tetra-dev-toolkit/testing';
+```
+
+### Layer 2: Permission + Business Flow Tests
+
+Config-driven tests cover **breadth** (every endpoint). Layer 2 tests cover **depth** — these must be written manually per project.
+
+#### Permission tests (`03-permissions.test.ts`)
+
+Test role-based access control with two test accounts (admin + member):
+
+```typescript
+// Tests per admin endpoint:
+// 1. Admin GET → 200 ✅
+// 2. Member GET → 403 ✅ (catches missing middleware!)
+// 3. No token → 401 ✅
+// Plus: superadmin routes blocked for admin, write ops blocked for member
+```
+
+This catches real security bugs. Agentrook findings:
+- `/api/admin/ad-creatives` — missing `requireOrganizationAdmin`
+- `/api/admin/style-library` — missing `requireOrganizationAdmin`
+
+#### Business flow tests (`04-business-flows.test.ts`)
+
+Multi-step scenarios that span resources:
+
+```typescript
+// Flow: Project → Campaign (cross-resource linking)
+// Flow: Brand Profile → Asset (parent-child)
+// Flow: Status lifecycle (draft → running → paused → completed)
+// Flow: Duplicate key handling
+// Flow: Empty update → 400
+// Flow: Nonexistent resource → 404
+```
+
+### Test user setup
+
+**CRITICAL**: Never create Supabase Auth users via raw SQL — the password hash is incompatible with GoTrue. Use the GoTrue Admin API:
+
+```bash
+SERVICE_KEY=$(doppler secrets get SUPABASE_SERVICE_ROLE_KEY --plain --project X --config Y)
+
+curl -X POST "https://PROJECT.supabase.co/auth/v1/admin/users" \
+  -H "Authorization: Bearer $SERVICE_KEY" \
+  -H "apikey: $SERVICE_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"email":"e2e-admin@project.com","password":"TestPass1234","email_confirm":true}'
+```
+
+Then add `users_public` + `organization_members` records via SQL.
+
+### 3-layer test pyramid
+
+```
+Layer 3: Browser smoke (gstack)     — 5-10 user flows
+Layer 2: Permission + business flow — catches security bugs, logic errors
+Layer 1: Config-driven CRUD         — catches broken endpoints, missing fields
+```
+
+| Layer | Auto-generated? | What it catches |
+|-------|----------------|-----------------|
+| 1 | Yes (from config) | Broken routes, 500s, missing fields |
+| 2 | No (manual) | Permission bugs, business logic, edge cases |
+| 3 | No (gstack) | Frontend integration, UX issues |
+
+### File structure
+
+```
+tests/e2e/
+  helpers/api-client.ts           — HTTP client with X-Test-Key
+  helpers/test-users.ts           — Login + token caching
+  global-setup.ts                 — Login test accounts
+  02-crud-resources.test.ts       — Layer 1: config-driven
+  03-permissions.test.ts          — Layer 2: role access
+  04-business-flows.test.ts       — Layer 2: multi-step
+tests/e2e-auth/                   — Separate (invalidates tokens)
+  01-auth.test.ts                 — Login, refresh, logout
+  07-security.test.ts             — Auth walls
+```
+
+**Important**: Auth/security tests must run in a separate directory — they invalidate shared tokens.
+
+---
+
 ## Changelog
 
 ### 1.16.0

package/lib/checks/health/index.js

@@ -39,3 +39,4 @@ export { check as checkSast } from './sast.js'
 export { check as checkBundleSize } from './bundle-size.js'
 export { check as checkSecurityLayers } from './security-layers.js'
 export { check as checkSmokeReadiness } from './smoke-readiness.js'
+export { check as checkReleasePipeline } from './release-pipeline.js'

package/lib/checks/health/release-pipeline.js

@@ -0,0 +1,132 @@
+/**
+ * Health Check: Release Pipeline Readiness
+ *
+ * Checks if a project has proper release pipeline infrastructure:
+ * - GitHub Actions post-deploy workflow with deploy webhook notify step
+ * - DEPLOY_WEBHOOK_SECRET referenced in workflows
+ * - Release-related API routes or VinciFox integration
+ * - Professional git workflow (main + develop branches)
+ *
+ * Score: up to 5 points
+ */
+
+import { existsSync, readFileSync, readdirSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('release-pipeline', 5, {
+    hasDeployWebhook: false,
+    hasWebhookSecret: false,
+    hasProfessionalBranches: false,
+    hasDeployMigrations: false,
+    hasPostDeployNotify: false,
+  })
+
+  // 1. Check for post-deploy workflow with webhook notification (+1 point)
+  const workflowDir = join(projectPath, '.github/workflows')
+  if (existsSync(workflowDir)) {
+    try {
+      const workflows = readdirSync(workflowDir).filter(f => f.endsWith('.yml') || f.endsWith('.yaml'))
+      for (const wf of workflows) {
+        const content = readFileSync(join(workflowDir, wf), 'utf-8')
+        const lower = content.toLowerCase()
+
+        // Check for deploy webhook notification step
+        if (lower.includes('deploy-webhook') || lower.includes('deploy_webhook')) {
+          result.details.hasDeployWebhook = true
+          result.details.webhookWorkflow = wf
+          result.score += 1
+        }
+
+        // Check for DEPLOY_WEBHOOK_SECRET usage (+1 point)
+        if (content.includes('DEPLOY_WEBHOOK_SECRET')) {
+          result.details.hasWebhookSecret = true
+          result.score += 1
+        }
+
+        // Check for deploy-migrations workflow (+1 point)
+        if (lower.includes('supabase') && (lower.includes('db push') || lower.includes('migration'))) {
+          result.details.hasDeployMigrations = true
+          result.details.migrationWorkflow = wf
+          result.score += 1
+        }
+
+        // Check for post-deploy notification (curl to webhook endpoint)
+        if (lower.includes('notify-deploy') || (lower.includes('curl') && lower.includes('deploy-webhook'))) {
+          result.details.hasPostDeployNotify = true
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // 2. Check for professional git workflow (main + develop branches) (+1 point)
+  // Look in CLAUDE.md or .git config for branch references
+  const claudeMd = join(projectPath, 'CLAUDE.md')
+  if (existsSync(claudeMd)) {
+    try {
+      const content = readFileSync(claudeMd, 'utf-8')
+      if (content.includes('develop') && (content.includes('main') || content.includes('master'))) {
+        if (content.includes('feat/') || content.includes('feat/*') || content.includes('PR')) {
+          result.details.hasProfessionalBranches = true
+          result.score += 1
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // 3. Check for github_repo configuration in project config (+1 point)
+  // Projects using the release pipeline should have github_repo configured somewhere
+  const configIndicators = [
+    'github_repo',
+    'github_pr_number',
+    'mergeReleasePR',
+    'deploy-webhook',
+  ]
+
+  let hasReleaseIntegration = false
+  const srcDirs = ['src', 'backend/src']
+  for (const srcDir of srcDirs) {
+    const srcPath = join(projectPath, srcDir)
+    if (!existsSync(srcPath)) continue
+
+    try {
+      const scanForRelease = (dir, depth = 0) => {
+        if (depth > 3 || hasReleaseIntegration) return
+        for (const entry of readdirSync(dir, { withFileTypes: true })) {
+          if (entry.name === 'node_modules' || entry.name.startsWith('.')) continue
+          const fullPath = join(dir, entry.name)
+          if (entry.isDirectory()) {
+            scanForRelease(fullPath, depth + 1)
+          } else if (entry.isFile() && /\.(ts|js)$/.test(entry.name)) {
+            try {
+              const content = readFileSync(fullPath, 'utf-8')
+              if (configIndicators.some(i => content.includes(i))) {
+                hasReleaseIntegration = true
+              }
+            } catch { /* skip */ }
+          }
+        }
+      }
+      scanForRelease(srcPath)
+    } catch { /* skip */ }
+  }
+
+  if (hasReleaseIntegration) {
+    result.details.hasReleaseIntegration = true
+    // Already counted in other scores
+  }
+
+  // Cap and set status
+  result.score = Math.min(result.score, result.maxScore)
+
+  if (result.score === 0) {
+    result.status = 'warning'
+    result.details.message = 'No release pipeline infrastructure — add deploy webhook workflow and DEPLOY_WEBHOOK_SECRET'
+  } else if (result.score < 3) {
+    result.status = 'warning'
+    result.details.message = 'Incomplete release pipeline — missing webhook notification or migration workflow'
+  }
+
+  return result
+}

package/lib/checks/health/rls-audit.js

@@ -3,12 +3,19 @@
  *
  * Builds table state from migrations, checks RLS enabled + policies exist.
  * Score: 3 (full) with deductions for missing RLS, missing policies, permissive policies
+ *
+ * Handles both unquoted (public.tablename) and quoted ("public"."tablename") identifiers
+ * as produced by pg_dump / supabase db dump.
  */
 
 import { existsSync, readFileSync, readdirSync } from 'fs'
 import { join } from 'path'
 import { createCheck } from './types.js'
 
+// Matches: public.tablename, "public"."tablename", "public".tablename, tablename, "tablename"
+// Captures the actual table name (without quotes) in group 1
+const TABLE_ID = `(?:"public"\\.|public\\.)?\"?(\\w+)\"?`
+
 export async function check(projectPath) {
   const result = createCheck('rls-audit', 3, {
     tablesFound: 0,
@@ -50,39 +57,50 @@ export async function check(projectPath) {
     let m
 
     // CREATE TABLE
-    const createRe = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?/gi
+    const createRe = new RegExp(`CREATE\\s+TABLE\\s+(?:IF\\s+NOT\\s+EXISTS\\s+)?${TABLE_ID}`, 'gi')
     while ((m = createRe.exec(content)) !== null) {
       const name = m[1].toLowerCase()
+      if (name === 'public') continue // skip schema name parsed as table
       if (!tables.has(name)) tables.set(name, { rlsEnabled: false, policies: [], file: fileName })
     }
 
     // DROP TABLE
-    const dropRe = /DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?/gi
-    while ((m = dropRe.exec(content)) !== null) tables.delete(m[1].toLowerCase())
+    const dropRe = new RegExp(`DROP\\s+TABLE\\s+(?:IF\\s+EXISTS\\s+)?${TABLE_ID}`, 'gi')
+    while ((m = dropRe.exec(content)) !== null) {
+      const name = m[1].toLowerCase()
+      if (name !== 'public') tables.delete(name)
+    }
 
     // RENAME TABLE
-    const renameRe = /ALTER\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?\s+RENAME\s+TO\s+["']?(\w+)["']?/gi
+    const renameRe = new RegExp(`ALTER\\s+TABLE\\s+(?:IF\\s+EXISTS\\s+)?${TABLE_ID}\\s+RENAME\\s+TO\\s+\"?(\\w+)\"?`, 'gi')
     while ((m = renameRe.exec(content)) !== null) {
-      const data = tables.get(m[1].toLowerCase())
-      if (data) { tables.delete(m[1].toLowerCase()); tables.set(m[2].toLowerCase(), data) }
+      const oldName = m[1].toLowerCase()
+      const newName = m[2].toLowerCase()
+      if (oldName === 'public' || newName === 'public') continue
+      const data = tables.get(oldName)
+      if (data) { tables.delete(oldName); tables.set(newName, data) }
     }
 
     // ENABLE/DISABLE RLS
-    const enableRe = /ALTER\s+TABLE\s+(?:public\.)?["']?(\w+)["']?\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi
+    const enableRe = new RegExp(`ALTER\\s+TABLE\\s+${TABLE_ID}\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, 'gi')
     while ((m = enableRe.exec(content)) !== null) {
       const name = m[1].toLowerCase()
+      if (name === 'public') continue
       if (tables.has(name)) tables.get(name).rlsEnabled = true
       else tables.set(name, { rlsEnabled: true, policies: [], file: fileName })
     }
-    const disableRe = /ALTER\s+TABLE\s+(?:public\.)?["']?(\w+)["']?\s+DISABLE\s+ROW\s+LEVEL\s+SECURITY/gi
+    const disableRe = new RegExp(`ALTER\\s+TABLE\\s+${TABLE_ID}\\s+DISABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, 'gi')
     while ((m = disableRe.exec(content)) !== null) {
-      if (tables.has(m[1].toLowerCase())) tables.get(m[1].toLowerCase()).rlsEnabled = false
+      const name = m[1].toLowerCase()
+      if (name === 'public') continue
+      if (tables.has(name)) tables.get(name).rlsEnabled = false
     }
 
     // CREATE POLICY
-    const policyRe = /CREATE\s+POLICY\s+"([^"]+)"\s+ON\s+(?:public\.)?["']?(\w+)["']?\s+([\s\S]*?)(?:;|CREATE\s|ALTER\s|DROP\s|GRANT\s)/gi
+    const policyRe = new RegExp(`CREATE\\s+POLICY\\s+"([^"]+)"\\s+ON\\s+${TABLE_ID}\\s+([\\s\\S]*?)(?:;|CREATE\\s|ALTER\\s|DROP\\s|GRANT\\s)`, 'gi')
     while ((m = policyRe.exec(content)) !== null) {
       const tableName = m[2].toLowerCase()
+      if (tableName === 'public') continue
       if (!tables.has(tableName)) tables.set(tableName, { rlsEnabled: false, policies: [], file: fileName })
       tables.get(tableName).policies.push(m[1])
       if (/USING\s*\(\s*true\s*\)/i.test(m[3]) || /WITH\s+CHECK\s*\(\s*true\s*\)/i.test(m[3])) {
@@ -91,16 +109,19 @@ export async function check(projectPath) {
     }
 
     // DROP POLICY
-    const dropPolicyRe = /DROP\s+POLICY\s+(?:IF\s+EXISTS\s+)?"([^"]+)"\s+ON\s+(?:public\.)?["']?(\w+)["']?/gi
+    const dropPolicyRe = new RegExp(`DROP\\s+POLICY\\s+(?:IF\\s+EXISTS\\s+)?"([^"]+)"\\s+ON\\s+${TABLE_ID}`, 'gi')
     while ((m = dropPolicyRe.exec(content)) !== null) {
-      const t = tables.get(m[2].toLowerCase())
+      const name = m[2].toLowerCase()
+      if (name === 'public') continue
+      const t = tables.get(name)
       if (t) t.policies = t.policies.filter(p => p !== m[1])
     }
 
-    // SECURITY DEFINER
-    const secDefRe = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?:public\.)?["']?(\w+)["']?[\s\S]*?SECURITY\s+DEFINER/gi
+    // SECURITY DEFINER functions
+    const secDefRe = new RegExp(`CREATE\\s+(?:OR\\s+REPLACE\\s+)?FUNCTION\\s+${TABLE_ID}[\\s\\S]*?SECURITY\\s+DEFINER`, 'gi')
     while ((m = secDefRe.exec(content)) !== null) {
-      result.details.securityDefinerFunctions.push(m[1])
+      const name = m[1].toLowerCase()
+      if (name !== 'public') result.details.securityDefinerFunctions.push(name)
     }
   }
 

package/lib/checks/health/scanner.js

@@ -35,6 +35,7 @@ import { check as checkSast } from './sast.js'
 import { check as checkBundleSize } from './bundle-size.js'
 import { check as checkSecurityLayers } from './security-layers.js'
 import { check as checkSmokeReadiness } from './smoke-readiness.js'
+import { check as checkReleasePipeline } from './release-pipeline.js'
 import { calculateHealthStatus } from './types.js'
 
 /**
@@ -78,7 +79,8 @@ export async function scanProjectHealth(projectPath, projectName, options = {})
     checkSast(projectPath),
     checkBundleSize(projectPath),
     checkSecurityLayers(projectPath),
-    checkSmokeReadiness(projectPath)
+    checkSmokeReadiness(projectPath),
+    checkReleasePipeline(projectPath)
   ])
 
   const totalScore = checks.reduce((sum, c) => sum + c.score, 0)

package/lib/checks/health/types.js

@@ -5,7 +5,7 @@
  */
 
 /**
- * @typedef {'plugins'|'mcps'|'git'|'tests'|'secrets'|'quality-toolkit'|'naming-conventions'|'rls-audit'|'rpc-param-mismatch'|'typescript-strict'|'prettier'|'coverage-thresholds'|'eslint-security'|'dependency-cruiser'|'conventional-commits'|'knip'|'dependency-automation'|'license-audit'|'sast'|'bundle-size'|'gitignore'|'repo-visibility'|'vincifox-widget'|'stella-integration'|'claude-md'|'doppler-compliance'|'infrastructure-yml'|'file-organization'|'security-layers'|'smoke-readiness'} HealthCheckType
+ * @typedef {'plugins'|'mcps'|'git'|'tests'|'secrets'|'quality-toolkit'|'naming-conventions'|'rls-audit'|'rpc-param-mismatch'|'typescript-strict'|'prettier'|'coverage-thresholds'|'eslint-security'|'dependency-cruiser'|'conventional-commits'|'knip'|'dependency-automation'|'license-audit'|'sast'|'bundle-size'|'gitignore'|'repo-visibility'|'vincifox-widget'|'stella-integration'|'claude-md'|'doppler-compliance'|'infrastructure-yml'|'file-organization'|'security-layers'|'smoke-readiness'|'release-pipeline'} HealthCheckType
  *
  * @typedef {'ok'|'warning'|'error'} HealthStatus
  *

package/lib/checks/security/config-rls-alignment.js

@@ -89,6 +89,11 @@ function parseFeatureConfigs(projectRoot) {
 /**
  * Parse all SQL migrations to extract RLS info per table
  */
+// SQL table identifier pattern — matches both quoted and unquoted forms:
+//   public.tablename, "public"."tablename", tablename, "tablename"
+// Capture group returns the clean table name without quotes.
+const TABLE_ID = `(?:"?public"?\\.)?"?(\\w+)"?`
+
 function parseMigrations(projectRoot) {
   const tables = new Map() // tableName → { rlsEnabled, policies: [], rpcFunctions: Map }
 
@@ -115,7 +120,7 @@ function parseMigrations(projectRoot) {
       const relFile = file.replace(projectRoot + '/', '')
 
       // Handle DROP POLICY — removes policy from earlier migration
-      const dropPolicyMatches = content.matchAll(/DROP\s+POLICY\s+(?:IF\s+EXISTS\s+)?"([^"]+)"\s+ON\s+(?:public\.)?(\w+)/gi)
+      const dropPolicyMatches = content.matchAll(new RegExp(`DROP\\s+POLICY\\s+(?:IF\\s+EXISTS\\s+)?"([^"]+)"\\s+ON\\s+${TABLE_ID}`, 'gi'))
       for (const m of dropPolicyMatches) {
         const policyName = m[1]
         const table = m[2]
@@ -125,7 +130,9 @@ function parseMigrations(projectRoot) {
       }
 
       // Handle ALTER FUNCTION ... SECURITY INVOKER/DEFINER — overrides earlier CREATE FUNCTION
-      const alterFuncMatches = content.matchAll(/ALTER\s+FUNCTION\s+(?:public\.)?(\w+)(?:\s*\([^)]*\))?\s+SECURITY\s+(INVOKER|DEFINER)/gi)
+      // Uses same quoted-identifier pattern as TABLE_ID but for function names
+      const alterFuncMatches = content.matchAll(new RegExp(`ALTER\\s+FUNCTION\\s+${TABLE_ID}(?:\\s*\\([^)]*\\))?\\s+SECURITY\\s+(INVOKER|DEFINER)`, 'gi'))
+      // Note: TABLE_ID capture group 1 = funcName, group 2 = securityMode
       for (const m of alterFuncMatches) {
         const funcName = m[1]
         const securityMode = m[2].toUpperCase()
@@ -139,14 +146,14 @@ function parseMigrations(projectRoot) {
       }
 
       // Handle DISABLE RLS — overrides earlier ENABLE
-      const disableRlsMatches = content.matchAll(/ALTER\s+TABLE\s+(?:public\.)?(\w+)\s+DISABLE\s+ROW\s+LEVEL\s+SECURITY/gi)
+      const disableRlsMatches = content.matchAll(new RegExp(`ALTER\\s+TABLE\\s+${TABLE_ID}\\s+DISABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, 'gi'))
       for (const m of disableRlsMatches) {
         const table = m[1]
         if (tables.has(table)) tables.get(table).rlsEnabled = false
       }
 
       // Find RLS enables
-      const rlsMatches = content.matchAll(/ALTER\s+TABLE\s+(?:public\.)?(\w+)\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi)
+      const rlsMatches = content.matchAll(new RegExp(`ALTER\\s+TABLE\\s+${TABLE_ID}\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, 'gi'))
       for (const m of rlsMatches) {
         const table = m[1]
         if (!tables.has(table)) tables.set(table, { rlsEnabled: true, policies: [], rpcFunctions: new Map() })
@@ -154,7 +161,7 @@ function parseMigrations(projectRoot) {
       }
 
       // Find policies
-      const policyRegex = /CREATE\s+POLICY\s+"?([^"]+)"?\s+ON\s+(?:public\.)?(\w+)\s*([\s\S]*?)(?=CREATE\s+POLICY|CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION|ALTER\s+TABLE|CREATE\s+(?:UNIQUE\s+)?INDEX|GRANT|$)/gi
+      const policyRegex = new RegExp(`CREATE\\s+POLICY\\s+"?([^"]+)"?\\s+ON\\s+${TABLE_ID}\\s*([\\s\\S]*?)(?=CREATE\\s+POLICY|CREATE\\s+(?:OR\\s+REPLACE\\s+)?FUNCTION|ALTER\\s+TABLE|CREATE\\s+(?:UNIQUE\\s+)?INDEX|GRANT|$)`, 'gi')
       for (const m of content.matchAll(policyRegex)) {
         const policyName = m[1]
         const table = m[2]
@@ -237,7 +244,7 @@ function parseMigrations(projectRoot) {
       }
 
       // Find RPC functions and their security mode
-      const funcRegex = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?:public\.)?(\w+)\s*\(([\s\S]*?)\)\s*RETURNS\s+([\s\S]*?)(?:LANGUAGE|AS)/gi
+      const funcRegex = new RegExp(`CREATE\\s+(?:OR\\s+REPLACE\\s+)?FUNCTION\\s+${TABLE_ID}\\s*\\(([\\s\\S]*?)\\)\\s*RETURNS\\s+([\\s\\S]*?)(?:LANGUAGE|AS)`, 'gi')
       for (const m of content.matchAll(funcRegex)) {
         const funcName = m[1]
         const funcBody = content.substring(m.index, m.index + 2000)
@@ -274,25 +281,28 @@ function findFiles(projectRoot, pattern) {
  * Check if a USING clause enforces org isolation
  */
 function isOrgIsolation(using) {
-  const hasOrgFunction = /auth_org_id\(\)|auth_admin_organizations\(\)/i.test(using)
+  const u = using.replace(/"/g, '')
+  const hasOrgFunction = /auth_org_id\(\)|auth_admin_organizations\(\)/i.test(u)
   // Legacy pattern: auth.jwt() -> 'app_metadata' ->> 'organization_id'
-  const hasLegacyJwtOrg = /auth\.jwt\(\)\s*->\s*'app_metadata'\s*->>\s*'organization_id'/i.test(using)
-  return (hasOrgFunction || hasLegacyJwtOrg) && /organization_id/i.test(using)
+  const hasLegacyJwtOrg = /auth\.jwt\(\)\s*->\s*'app_metadata'\s*->>\s*'organization_id'/i.test(u)
+  return (hasOrgFunction || hasLegacyJwtOrg) && /organization_id/i.test(u)
 }
 
 /**
  * Check if a USING clause enforces user isolation
  */
 function isUserIsolation(using) {
-  return /auth\.uid\(\)/i.test(using) &&
-         /user_id|created_by|owner_id/i.test(using)
+  const u = using.replace(/"/g, '')
+  return /auth\.uid\(\)/i.test(u) &&
+         /user_id|created_by|owner_id/i.test(u)
 }
 
 /**
  * Check if a USING clause is wide open
  */
 function isWideOpen(using) {
-  return using.trim() === 'true' || using.trim() === '(true)'
+  const u = using.replace(/"/g, '').trim()
+  return u === 'true' || u === '(true)'
 }
 
 /**
@@ -376,15 +386,19 @@ const BANNED_RLS_PATTERNS = [
 function validateRlsClause(clause) {
   if (!clause || !clause.trim()) return null
 
+  // Strip pg_dump quoted identifiers — "public"."auth"."uid"() → public.auth.uid()
+  // This normalizes the clause so whitelist patterns match both quoted and unquoted forms.
+  const normalized = clause.replace(/"/g, '')
+
   // First: check for explicitly banned patterns (these are always wrong)
   for (const { pattern, label } of BANNED_RLS_PATTERNS) {
-    if (pattern.test(clause)) return label
+    if (pattern.test(normalized)) return label
   }
 
   // Second: verify clause contains at least one allowed pattern
-  const hasAllowedPattern = ALLOWED_RLS_PATTERNS.some(({ pattern }) => pattern.test(clause))
+  const hasAllowedPattern = ALLOWED_RLS_PATTERNS.some(({ pattern }) => pattern.test(normalized))
   if (!hasAllowedPattern) {
-    return `Unrecognized RLS clause: "${clause.substring(0, 150)}". Only whitelisted patterns are allowed (org/user isolation, role gates, data filters, subqueries). See ALLOWED_RLS_PATTERNS in config-rls-alignment.js.`
+    return `Unrecognized RLS clause: "${normalized.substring(0, 150)}". Only whitelisted patterns are allowed (org/user isolation, role gates, data filters, subqueries). See ALLOWED_RLS_PATTERNS in config-rls-alignment.js.`
   }
 
   return null

package/lib/checks/supabase/rls-policy-audit.js

@@ -6,6 +6,9 @@
  * 2. Every table with RLS has at least basic policies defined
  * 3. No overly permissive policies (USING (true) / WITH CHECK (true))
  * 4. SECURITY DEFINER functions are flagged for review
+ *
+ * Handles both unquoted (public.tablename) and quoted ("public"."tablename") identifiers
+ * as produced by pg_dump / supabase db dump.
  */
 
 import { readFileSync, existsSync, readdirSync } from 'fs'
@@ -19,6 +22,10 @@ export const meta = {
   description: 'Verifies RLS is enabled on all tables and policies are properly configured'
 }
 
+// Matches: public.tablename, "public"."tablename", "public".tablename, tablename, "tablename"
+// Captures the actual table name (without quotes) in group 1
+const TABLE_ID = `(?:"public"\\.|public\\.)?\"?(\\w+)\"?`
+
 export async function run(config, projectRoot) {
   const results = {
     passed: true,
@@ -74,26 +81,29 @@ export async function run(config, projectRoot) {
     const fileName = filePath.split('/').pop()
 
     // Track CREATE TABLE
-    const createTableRe = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?/gi
+    const createTableRe = new RegExp(`CREATE\\s+TABLE\\s+(?:IF\\s+NOT\\s+EXISTS\\s+)?${TABLE_ID}`, 'gi')
     let match
     while ((match = createTableRe.exec(content)) !== null) {
       const name = match[1].toLowerCase()
+      if (name === 'public') continue
       if (!tables.has(name)) {
         tables.set(name, { rlsEnabled: false, policies: [], file: fileName })
       }
     }
 
     // Track DROP TABLE (remove from tracking)
-    const dropTableRe = /DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?/gi
+    const dropTableRe = new RegExp(`DROP\\s+TABLE\\s+(?:IF\\s+EXISTS\\s+)?${TABLE_ID}`, 'gi')
     while ((match = dropTableRe.exec(content)) !== null) {
-      tables.delete(match[1].toLowerCase())
+      const name = match[1].toLowerCase()
+      if (name !== 'public') tables.delete(name)
     }
 
     // Track ALTER TABLE ... RENAME TO
-    const renameRe = /ALTER\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?\s+RENAME\s+TO\s+["']?(\w+)["']?/gi
+    const renameRe = new RegExp(`ALTER\\s+TABLE\\s+(?:IF\\s+EXISTS\\s+)?${TABLE_ID}\\s+RENAME\\s+TO\\s+\"?(\\w+)\"?`, 'gi')
     while ((match = renameRe.exec(content)) !== null) {
       const oldName = match[1].toLowerCase()
       const newName = match[2].toLowerCase()
+      if (oldName === 'public' || newName === 'public') continue
       if (tables.has(oldName)) {
         const data = tables.get(oldName)
         tables.delete(oldName)
@@ -102,9 +112,10 @@ export async function run(config, projectRoot) {
     }
 
     // Track ENABLE ROW LEVEL SECURITY
-    const rlsEnableRe = /ALTER\s+TABLE\s+(?:public\.)?["']?(\w+)["']?\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi
+    const rlsEnableRe = new RegExp(`ALTER\\s+TABLE\\s+${TABLE_ID}\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, 'gi')
     while ((match = rlsEnableRe.exec(content)) !== null) {
       const name = match[1].toLowerCase()
+      if (name === 'public') continue
       if (tables.has(name)) {
         tables.get(name).rlsEnabled = true
       } else {
@@ -114,21 +125,23 @@ export async function run(config, projectRoot) {
     }
 
     // Track DISABLE ROW LEVEL SECURITY
-    const rlsDisableRe = /ALTER\s+TABLE\s+(?:public\.)?["']?(\w+)["']?\s+DISABLE\s+ROW\s+LEVEL\s+SECURITY/gi
+    const rlsDisableRe = new RegExp(`ALTER\\s+TABLE\\s+${TABLE_ID}\\s+DISABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, 'gi')
     while ((match = rlsDisableRe.exec(content)) !== null) {
       const name = match[1].toLowerCase()
+      if (name === 'public') continue
       if (tables.has(name)) {
         tables.get(name).rlsEnabled = false
       }
     }
 
-    // Track CREATE POLICY
-    const policyRe = /CREATE\s+POLICY\s+["']?(\w+)["']?\s+ON\s+(?:public\.)?["']?(\w+)["']?\s+([\s\S]*?)(?:;|CREATE\s|ALTER\s|DROP\s|GRANT\s)/gi
+    // Track CREATE POLICY — policy names can contain spaces, so use quoted capture
+    const policyRe = new RegExp(`CREATE\\s+POLICY\\s+\"([^\"]+)\"\\s+ON\\s+${TABLE_ID}\\s+([\\s\\S]*?)(?:;|CREATE\\s|ALTER\\s|DROP\\s|GRANT\\s)`, 'gi')
     while ((match = policyRe.exec(content)) !== null) {
       const policyName = match[1]
       const tableName = match[2].toLowerCase()
       const policyBody = match[3]
 
+      if (tableName === 'public') continue
       if (!tables.has(tableName)) {
         tables.set(tableName, { rlsEnabled: false, policies: [], file: fileName })
       }
@@ -146,10 +159,11 @@ export async function run(config, projectRoot) {
     }
 
     // Track DROP POLICY
-    const dropPolicyRe = /DROP\s+POLICY\s+(?:IF\s+EXISTS\s+)?["']?(\w+)["']?\s+ON\s+(?:public\.)?["']?(\w+)["']?/gi
+    const dropPolicyRe = new RegExp(`DROP\\s+POLICY\\s+(?:IF\\s+EXISTS\\s+)?\"([^\"]+)\"\\s+ON\\s+${TABLE_ID}`, 'gi')
     while ((match = dropPolicyRe.exec(content)) !== null) {
       const policyName = match[1]
       const tableName = match[2].toLowerCase()
+      if (tableName === 'public') continue
       if (tables.has(tableName)) {
         const table = tables.get(tableName)
         table.policies = table.policies.filter(p => p.name !== policyName)
@@ -157,9 +171,10 @@ export async function run(config, projectRoot) {
     }
 
     // Track SECURITY DEFINER functions
-    const secDefRe = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?:public\.)?["']?(\w+)["']?[\s\S]*?SECURITY\s+DEFINER/gi
+    const secDefRe = new RegExp(`CREATE\\s+(?:OR\\s+REPLACE\\s+)?FUNCTION\\s+${TABLE_ID}[\\s\\S]*?SECURITY\\s+DEFINER`, 'gi')
     while ((match = secDefRe.exec(content)) !== null) {
-      securityDefinerFns.push({ name: match[1], file: fileName })
+      const name = match[1].toLowerCase()
+      if (name !== 'public') securityDefinerFns.push({ name, file: fileName })
     }
   }
 

package/lib/commands/dev-token.js

@@ -8,9 +8,10 @@
  */
 
 import { createClient } from '@supabase/supabase-js'
-import { readFileSync, writeFileSync, existsSync } from 'fs'
+import { readFileSync, writeFileSync, existsSync, openSync, closeSync } from 'fs'
 import { join, basename, dirname, resolve } from 'path'
 import { createInterface } from 'readline'
+import { execSync } from 'child_process'
 import { config as dotenvConfig } from 'dotenv'
 import chalk from 'chalk'
 
@@ -204,39 +205,36 @@ export async function refresh(url, key, refreshToken) {
   }
 }
 
-/** Prompt for input (password is hidden) */
+/** Prompt for input (password is always hidden, works through npm/doppler pipes) */
 export function promptInput(question) {
-  const rl = createInterface({ input: process.stdin, output: process.stdout })
-  return new Promise((resolve) => {
-    if (question.toLowerCase().includes('password')) {
+  const isPassword = question.toLowerCase().includes('password')
+
+  if (isPassword) {
+    // Read password from /dev/tty with echo disabled.
+    // This bypasses npm/doppler stdin piping that breaks setRawMode.
+    return new Promise((resolve) => {
       process.stdout.write(question)
-      process.stdin.setRawMode(true)
-      process.stdin.resume()
-      process.stdin.setEncoding('utf8')
-      let password = ''
-      const onData = (char) => {
-        if (char === '\n' || char === '\r') {
-          process.stdin.setRawMode(false)
-          process.stdin.removeListener('data', onData)
-          console.log('')
-          rl.close()
-          resolve(password)
-        } else if (char === '\u0003') {
-          process.exit()
-        } else if (char === '\u007F') {
-          if (password.length > 0) {
-            password = password.slice(0, -1)
-            process.stdout.write('\b \b')
-          }
-        } else {
-          password += char
-          process.stdout.write('*')
-        }
+      try {
+        // bash -c ensures stty works even in non-interactive shells
+        const password = execSync(
+          'bash -c \'stty -echo </dev/tty; read -r pw </dev/tty; stty echo </dev/tty; echo "$pw"\'',
+          { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }
+        ).replace(/\n$/, '')
+        console.log('') // newline after hidden input
+        resolve(password)
+      } catch {
+        // Fallback for non-unix systems: readline with warning
+        console.warn(chalk.yellow('\n⚠️  Cannot hide password input on this system'))
+        const rl = createInterface({ input: process.stdin, output: process.stdout })
+        rl.question('  Password: ', (answer) => { rl.close(); resolve(answer) })
       }
-      process.stdin.on('data', onData)
-    } else {
-      rl.question(question, (answer) => { rl.close(); resolve(answer) })
-    }
+    })
+  }
+
+  // Non-password input: normal readline
+  const rl = createInterface({ input: process.stdin, output: process.stdout })
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => { rl.close(); resolve(answer) })
   })
 }
 

package/lib/index.js

@@ -15,3 +15,6 @@ export * as checks from './checks/index.js'
 
 // Health scanner (project ecosystem checks)
 export { scanProjectHealth, calculateHealthStatus } from './checks/health/index.js'
+
+// Testing utilities (config-driven CRUD test generation)
+export { generateCrudTests } from './testing/index.js'

package/lib/testing/generateCrudTests.js

@@ -0,0 +1,153 @@
+/**
+ * Tetra CRUD Test Generator (v5.0)
+ *
+ * Config-driven E2E test generation. Reads `testing` from FeatureConfig
+ * and generates list/create/read/update/delete tests + validation tests.
+ *
+ * Usage in a project's test file:
+ *
+ *   import { generateCrudTests } from '@soulbatical/tetra-dev-toolkit/testing';
+ *   import { getTestContext } from './helpers/test-users';
+ *   import { adcampaignsFeatureConfig } from '../../backend/src/features/adcampaigns/config/adcampaigns.config';
+ *
+ *   const configs = [adcampaignsFeatureConfig, projectsFeatureConfig, ...];
+ *   generateCrudTests(configs, () => getTestContext());
+ */
+
+/**
+ * Generate CRUD E2E tests for an array of feature configs.
+ *
+ * @param {import('vitest')} vitest - { describe, it, expect, beforeAll } from vitest
+ * @param {Array<import('@soulbatical/tetra-core').FeatureConfig>} configs - Feature configs with `testing` section
+ * @param {() => Promise<TestContext>} getContext - Async function returning test context with admin token
+ * @param {object} httpClient - { get, post, put, del, api } from test helpers
+ */
+export function generateCrudTests(vitest, configs, getContext, httpClient) {
+  const { describe, it, expect, beforeAll } = vitest
+  const { get, post, del, api } = httpClient
+
+  let ctx
+
+  beforeAll(async () => {
+    ctx = await getContext()
+  }, 60000)
+
+  for (const config of configs) {
+    const testing = config.testing
+    if (!testing) continue
+
+    const basePath = testing.restBasePath || config.restBasePath
+    if (!basePath) {
+      console.warn(`⚠️  Skipping ${config.tableName}: no restBasePath in testing or config`)
+      continue
+    }
+
+    const name = config.display?.page?.entityName || config.tableName || basePath
+    const skip = testing.skip || {}
+
+    describe(`CRUD: ${name}`, () => {
+      let createdId
+
+      // ── LIST ──
+      it(`GET ${basePath} returns 200`, async () => {
+        const res = await get(basePath, ctx.admin.token)
+        expect(res.status).toBe(200)
+        expect(res.data.success).toBe(true)
+      })
+
+      // ── CREATE ──
+      if (!skip.create) {
+        it(`POST ${basePath} creates a record`, async () => {
+          const body = resolveCreateBody(testing.createBody)
+          const res = await post(basePath, body, ctx.admin.token)
+          const expectedStatus = testing.createStatus || 200
+          expect(res.status).toBe(expectedStatus)
+          expect(res.data.success).toBe(true)
+          expect(res.data.data).toBeTruthy()
+          createdId = res.data.data.id
+          expect(createdId).toBeTruthy()
+        })
+      }
+
+      // ── READ ──
+      if (!skip.create && !skip.read) {
+        it(`GET ${basePath}/:id reads the record`, async () => {
+          if (!createdId) return
+          const res = await get(`${basePath}/${createdId}`, ctx.admin.token)
+          expect(res.status).toBe(200)
+          expect(res.data.success).toBe(true)
+          expect(res.data.data).toBeTruthy()
+        })
+      }
+
+      // ── UPDATE ──
+      if (!skip.create && !skip.update) {
+        it(`${testing.updateMethod || 'PUT'} ${basePath}/:id updates the record`, async () => {
+          if (!createdId) return
+          const method = testing.updateMethod || 'PUT'
+          const res = await api(`${basePath}/${createdId}`, {
+            method,
+            body: testing.updateBody,
+            token: ctx.admin.token,
+          })
+          expect(res.status).toBe(200)
+          expect(res.data.success).toBe(true)
+        })
+      }
+
+      // ── DELETE ──
+      if (!skip.create && !skip.delete) {
+        it(`DELETE ${basePath}/:id deletes the record`, async () => {
+          if (!createdId) return
+          const res = await del(`${basePath}/${createdId}`, ctx.admin.token)
+          expect(res.status).toBe(200)
+          expect(res.data.success).toBe(true)
+        })
+
+        it(`GET ${basePath}/:id returns 404 after delete`, async () => {
+          if (!createdId) return
+          const res = await get(`${basePath}/${createdId}`, ctx.admin.token)
+          // Some endpoints return 200 with null data instead of 404
+          if (res.status === 200) {
+            expect(res.data.data).toBeFalsy()
+          } else {
+            expect(res.status).toBe(404)
+          }
+        })
+      }
+    })
+
+    // ── VALIDATION: required fields ──
+    if (!skip.create && testing.requiredFields?.length) {
+      describe(`Validation: ${name}`, () => {
+        for (const field of testing.requiredFields) {
+          it(`POST ${basePath} rejects missing ${field}`, async () => {
+            const body = resolveCreateBody(testing.createBody)
+            delete body[field]
+            const res = await post(basePath, body, ctx.admin.token)
+            expect([400, 422]).toContain(res.status)
+          })
+        }
+      })
+    }
+  }
+}
+
+/**
+ * Resolve dynamic values in create body.
+ * Supports $timestamp and $random placeholders.
+ */
+function resolveCreateBody(body) {
+  const resolved = { ...body }
+  const ts = Date.now()
+
+  for (const [key, value] of Object.entries(resolved)) {
+    if (typeof value === 'string') {
+      resolved[key] = value
+        .replace(/\$timestamp/g, String(ts))
+        .replace(/\$random/g, String(Math.random().toString(36).slice(2, 8)))
+    }
+  }
+
+  return resolved
+}

package/lib/testing/index.js

@@ -0,0 +1,7 @@
+/**
+ * Tetra Testing Utilities
+ *
+ * Config-driven test generation from FeatureConfig.
+ */
+
+export { generateCrudTests } from './generateCrudTests.js'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.20.5",
+  "version": "1.20.7",
   "publishConfig": {
     "access": "restricted"
   },
@@ -24,6 +24,10 @@
   ],
   "type": "module",
   "main": "lib/index.js",
+  "exports": {
+    ".": "./lib/index.js",
+    "./testing": "./lib/testing/index.js"
+  },
   "bin": {
     "tetra-audit": "./bin/tetra-audit.js",
     "tetra-init": "./bin/tetra-init.js",