@soulbatical/tetra-dev-toolkit 1.8.3 → 1.8.5

package/bin/tetra-check-rls.js

@@ -0,0 +1,180 @@
+#!/usr/bin/env node
+
+/**
+ * Tetra Dev Toolkit - RLS Gate
+ *
+ * Pre-deploy gate that verifies RLS security on a live Supabase project.
+ * Exit code 0 = all checks pass, exit code 1 = violations found.
+ *
+ * Usage:
+ *   tetra-check-rls                    # Auto-detect Supabase config from env/doppler
+ *   tetra-check-rls --url <url> --key <key>  # Explicit credentials
+ *   tetra-check-rls --errors-only      # Only show errors, skip warnings
+ *   tetra-check-rls --json             # JSON output for CI
+ *   tetra-check-rls --fix              # Generate hardening migration SQL
+ *
+ * Environment variables:
+ *   SUPABASE_URL       - Supabase project URL
+ *   SUPABASE_SERVICE_KEY - Service role key (NOT anon key!)
+ *
+ * CI Usage (GitHub Actions):
+ *   - name: RLS Security Gate
+ *     run: npx tetra-check-rls --errors-only
+ *     env:
+ *       SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
+ *       SUPABASE_SERVICE_KEY: ${{ secrets.SUPABASE_SERVICE_KEY }}
+ */
+
+import { program } from 'commander'
+import { createClient } from '@supabase/supabase-js'
+import { readFileSync, existsSync } from 'fs'
+import { join, resolve, dirname } from 'path'
+import { config as dotenvConfig } from 'dotenv'
+import chalk from 'chalk'
+
+// Load tetra-core dynamically (it's a peer/workspace dep)
+async function loadTetraCore() {
+  try {
+    return await import('@soulbatical/tetra-core')
+  } catch {
+    // Fallback: try relative path in monorepo
+    try {
+      return await import('../../core/dist/index.js')
+    } catch {
+      console.error(chalk.red('ERROR: @soulbatical/tetra-core not found. Install it first.'))
+      process.exit(1)
+    }
+  }
+}
+
+function findSupabaseConfig() {
+  // Try .env, .env.local, backend/.env, backend/.env.local
+  const cwd = process.cwd()
+  const envPaths = [
+    join(cwd, '.env'),
+    join(cwd, '.env.local'),
+    join(cwd, 'backend', '.env'),
+    join(cwd, 'backend', '.env.local'),
+  ]
+
+  for (const p of envPaths) {
+    if (existsSync(p)) dotenvConfig({ path: p })
+  }
+
+  const url = process.env.SUPABASE_URL || process.env.VITE_SUPABASE_URL
+  const key = process.env.SUPABASE_SERVICE_KEY || process.env.SUPABASE_SERVICE_ROLE_KEY
+
+  return { url, key }
+}
+
+program
+  .name('tetra-check-rls')
+  .description('Pre-deploy RLS security gate — checks live Supabase project')
+  .version('1.0.0')
+  .option('--url <url>', 'Supabase project URL')
+  .option('--key <key>', 'Supabase service role key')
+  .option('--errors-only', 'Only fail on errors, ignore warnings')
+  .option('--json', 'Output as JSON')
+  .option('--fix', 'Generate hardening migration SQL to stdout')
+  .option('--check-exec-sql', 'Only check if exec_sql is installed and secure')
+  .action(async (options) => {
+    try {
+      const tetra = await loadTetraCore()
+      const config = findSupabaseConfig()
+
+      const url = options.url || config.url
+      const key = options.key || config.key
+
+      if (!url || !key) {
+        console.error(chalk.red('ERROR: Missing Supabase credentials.'))
+        console.error(chalk.gray('Set SUPABASE_URL + SUPABASE_SERVICE_KEY, or use --url and --key'))
+        process.exit(1)
+      }
+
+      if (!key.startsWith('eyJ')) {
+        console.error(chalk.red('ERROR: Key does not look like a service_role key (should start with eyJ).'))
+        console.error(chalk.gray('Make sure you are using the SERVICE_ROLE key, not the anon key.'))
+        process.exit(1)
+      }
+
+      const supabase = createClient(url, key)
+
+      // --- Check exec_sql exists and is secure ---
+      if (tetra.checkExecSQLExists) {
+        const execCheck = await tetra.checkExecSQLExists(supabase)
+
+        if (!execCheck.exists) {
+          console.error(chalk.red.bold('\n  BLOCKED: exec_sql function not found\n'))
+          console.error(chalk.yellow('  The RLS checker requires the exec_sql function to be deployed.'))
+          console.error(chalk.yellow('  This function is SAFE — it uses SECURITY INVOKER and only service_role can call it.\n'))
+          console.error(chalk.white('  To deploy it, run this migration:'))
+          console.error(chalk.cyan('    npx tetra-check-rls --fix | head -50\n'))
+          console.error(chalk.white('  Or get the full SQL:'))
+          console.error(chalk.cyan('    import { generateExecSQL } from "@soulbatical/tetra-core"'))
+          console.error(chalk.cyan('    console.log(generateExecSQL())\n'))
+          process.exit(1)
+        }
+
+        if (!execCheck.secure) {
+          console.error(chalk.red.bold('\n  CRITICAL: exec_sql exists but is NOT SECURE\n'))
+          for (const issue of execCheck.issues) {
+            console.error(chalk.red(`  - ${issue}`))
+          }
+          console.error(chalk.yellow('\n  Redeploy the Tetra version to fix:'))
+          console.error(chalk.cyan('    npx tetra-check-rls --fix\n'))
+          process.exit(1)
+        }
+
+        if (options.checkExecSql) {
+          console.log(chalk.green('  exec_sql is installed and secure.'))
+          process.exit(0)
+        }
+      }
+
+      // --- Generate fix migration ---
+      if (options.fix) {
+        if (tetra.generateExecSQL) {
+          console.log(tetra.generateExecSQL())
+        }
+        // Also generate the audit SQL for reference
+        if (tetra.generateAuditSQL) {
+          console.log('\n-- To audit manually, run this SQL in the Supabase SQL editor:')
+          console.log(tetra.generateAuditSQL())
+        }
+        process.exit(0)
+      }
+
+      // --- Run full RLS audit ---
+      console.log(chalk.blue.bold('\n  Tetra RLS Security Gate\n'))
+
+      const report = await tetra.runRLSCheck(supabase, {
+        severities: options.errorsOnly ? ['error'] : undefined,
+      })
+
+      if (options.json) {
+        console.log(JSON.stringify(report, null, 2))
+      } else {
+        console.log(report.text)
+      }
+
+      if (!report.passed) {
+        console.error(chalk.red.bold(`\n  DEPLOY BLOCKED: ${report.errorCount} error(s) found\n`))
+        console.error(chalk.yellow('  Fix all errors before deploying. Warnings are advisory.\n'))
+        process.exit(1)
+      }
+
+      if (report.warnCount > 0) {
+        console.log(chalk.yellow(`\n  PASS with ${report.warnCount} warning(s) — review recommended\n`))
+      } else {
+        console.log(chalk.green.bold('\n  ALL CLEAR — RLS security verified\n'))
+      }
+
+      process.exit(0)
+    } catch (err) {
+      console.error(chalk.red(`\n  ERROR: ${err.message}\n`))
+      if (err.stack && process.env.DEBUG) console.error(err.stack)
+      process.exit(1)
+    }
+  })
+
+program.parse()

package/lib/checks/codeQuality/naming-conventions.js

@@ -29,7 +29,8 @@ export async function run(config, projectRoot) {
   }
 
   const ignoreMigrations = config.codeQuality?.namingConventions?.ignoreMigrations || []
-  const health = await healthCheck(projectRoot, { ignoreMigrations })
+  const ignoreViolations = config.codeQuality?.namingConventions?.ignoreViolations || []
+  const health = await healthCheck(projectRoot, { ignoreMigrations, ignoreViolations })
   result.details = health.details
 
   const dbViolations = health.details.database?.violations || []

package/lib/checks/health/naming-conventions.js

@@ -28,6 +28,7 @@ function scanDatabaseNaming(projectPath, options = {}) {
   ]
 
   const ignoreMigrations = options.ignoreMigrations || []
+  const ignoreViolations = options.ignoreViolations || []
 
   const sqlFiles = []
   for (const dir of migrationDirs) {
@@ -235,9 +236,20 @@ function scanDatabaseNaming(projectPath, options = {}) {
 
     // Index violations: 'Index "name" should use idx_...'
     const idxMatch = v.match(/Index\s+"(\w+)"\s+should/)
-    if (idxMatch && isIndexRenamed(idxMatch[1])) {
-      compliant++
-      return false
+    if (idxMatch) {
+      const idxName = idxMatch[1]
+      // Direct rename match
+      if (isIndexRenamed(idxName)) {
+        compliant++
+        return false
+      }
+      // If the index name starts with a renamed table prefix, it's implicitly resolved
+      for (const [oldTable] of renamedTables) {
+        if (idxName.startsWith(oldTable + '_')) {
+          compliant++
+          return false
+        }
+      }
     }
 
     // Missing timestamp violations: 'Table "x" missing created_at, updated_at'
@@ -280,10 +292,19 @@ function scanDatabaseNaming(projectPath, options = {}) {
     }
   }
 
+  // Apply ignoreViolations — suppress violations matching any pattern
+  const finalViolations = ignoreViolations.length > 0
+    ? violations.filter(v => {
+        const ignored = ignoreViolations.some(pattern => v.includes(pattern))
+        if (ignored) compliant++
+        return !ignored
+      })
+    : violations
+
   return {
     totalFields,
     compliant,
-    violations: violations.slice(0, 50),
+    violations: finalViolations.slice(0, 50),
     compliancePercent: totalFields > 0 ? Math.round((compliant / totalFields) * 100) : 100
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.8.3",
+  "version": "1.8.5",
   "publishConfig": {
     "access": "restricted"
   },
@@ -28,7 +28,8 @@
     "tetra-audit": "./bin/tetra-audit.js",
     "tetra-init": "./bin/tetra-init.js",
     "tetra-setup": "./bin/tetra-setup.js",
-    "tetra-dev-token": "./bin/tetra-dev-token.js"
+    "tetra-dev-token": "./bin/tetra-dev-token.js",
+    "tetra-check-rls": "./bin/tetra-check-rls.js"
   },
   "files": [
     "bin/",