@soulbatical/tetra-dev-toolkit 1.8.4 → 1.8.6

package/bin/tetra-check-rls.js

@@ -0,0 +1,180 @@
+#!/usr/bin/env node
+
+/**
+ * Tetra Dev Toolkit - RLS Gate
+ *
+ * Pre-deploy gate that verifies RLS security on a live Supabase project.
+ * Exit code 0 = all checks pass, exit code 1 = violations found.
+ *
+ * Usage:
+ *   tetra-check-rls                    # Auto-detect Supabase config from env/doppler
+ *   tetra-check-rls --url <url> --key <key>  # Explicit credentials
+ *   tetra-check-rls --errors-only      # Only show errors, skip warnings
+ *   tetra-check-rls --json             # JSON output for CI
+ *   tetra-check-rls --fix              # Generate hardening migration SQL
+ *
+ * Environment variables:
+ *   SUPABASE_URL       - Supabase project URL
+ *   SUPABASE_SERVICE_KEY - Service role key (NOT anon key!)
+ *
+ * CI Usage (GitHub Actions):
+ *   - name: RLS Security Gate
+ *     run: npx tetra-check-rls --errors-only
+ *     env:
+ *       SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
+ *       SUPABASE_SERVICE_KEY: ${{ secrets.SUPABASE_SERVICE_KEY }}
+ */
+
+import { program } from 'commander'
+import { createClient } from '@supabase/supabase-js'
+import { readFileSync, existsSync } from 'fs'
+import { join, resolve, dirname } from 'path'
+import { config as dotenvConfig } from 'dotenv'
+import chalk from 'chalk'
+
+// Load tetra-core dynamically (it's a peer/workspace dep)
+async function loadTetraCore() {
+  try {
+    return await import('@soulbatical/tetra-core')
+  } catch {
+    // Fallback: try relative path in monorepo
+    try {
+      return await import('../../core/dist/index.js')
+    } catch {
+      console.error(chalk.red('ERROR: @soulbatical/tetra-core not found. Install it first.'))
+      process.exit(1)
+    }
+  }
+}
+
+function findSupabaseConfig() {
+  // Try .env, .env.local, backend/.env, backend/.env.local
+  const cwd = process.cwd()
+  const envPaths = [
+    join(cwd, '.env'),
+    join(cwd, '.env.local'),
+    join(cwd, 'backend', '.env'),
+    join(cwd, 'backend', '.env.local'),
+  ]
+
+  for (const p of envPaths) {
+    if (existsSync(p)) dotenvConfig({ path: p })
+  }
+
+  const url = process.env.SUPABASE_URL || process.env.VITE_SUPABASE_URL
+  const key = process.env.SUPABASE_SERVICE_KEY || process.env.SUPABASE_SERVICE_ROLE_KEY
+
+  return { url, key }
+}
+
+program
+  .name('tetra-check-rls')
+  .description('Pre-deploy RLS security gate — checks live Supabase project')
+  .version('1.0.0')
+  .option('--url <url>', 'Supabase project URL')
+  .option('--key <key>', 'Supabase service role key')
+  .option('--errors-only', 'Only fail on errors, ignore warnings')
+  .option('--json', 'Output as JSON')
+  .option('--fix', 'Generate hardening migration SQL to stdout')
+  .option('--check-exec-sql', 'Only check if exec_sql is installed and secure')
+  .action(async (options) => {
+    try {
+      const tetra = await loadTetraCore()
+      const config = findSupabaseConfig()
+
+      const url = options.url || config.url
+      const key = options.key || config.key
+
+      if (!url || !key) {
+        console.error(chalk.red('ERROR: Missing Supabase credentials.'))
+        console.error(chalk.gray('Set SUPABASE_URL + SUPABASE_SERVICE_KEY, or use --url and --key'))
+        process.exit(1)
+      }
+
+      if (!key.startsWith('eyJ')) {
+        console.error(chalk.red('ERROR: Key does not look like a service_role key (should start with eyJ).'))
+        console.error(chalk.gray('Make sure you are using the SERVICE_ROLE key, not the anon key.'))
+        process.exit(1)
+      }
+
+      const supabase = createClient(url, key)
+
+      // --- Check exec_sql exists and is secure ---
+      if (tetra.checkExecSQLExists) {
+        const execCheck = await tetra.checkExecSQLExists(supabase)
+
+        if (!execCheck.exists) {
+          console.error(chalk.red.bold('\n  BLOCKED: exec_sql function not found\n'))
+          console.error(chalk.yellow('  The RLS checker requires the exec_sql function to be deployed.'))
+          console.error(chalk.yellow('  This function is SAFE — it uses SECURITY INVOKER and only service_role can call it.\n'))
+          console.error(chalk.white('  To deploy it, run this migration:'))
+          console.error(chalk.cyan('    npx tetra-check-rls --fix | head -50\n'))
+          console.error(chalk.white('  Or get the full SQL:'))
+          console.error(chalk.cyan('    import { generateExecSQL } from "@soulbatical/tetra-core"'))
+          console.error(chalk.cyan('    console.log(generateExecSQL())\n'))
+          process.exit(1)
+        }
+
+        if (!execCheck.secure) {
+          console.error(chalk.red.bold('\n  CRITICAL: exec_sql exists but is NOT SECURE\n'))
+          for (const issue of execCheck.issues) {
+            console.error(chalk.red(`  - ${issue}`))
+          }
+          console.error(chalk.yellow('\n  Redeploy the Tetra version to fix:'))
+          console.error(chalk.cyan('    npx tetra-check-rls --fix\n'))
+          process.exit(1)
+        }
+
+        if (options.checkExecSql) {
+          console.log(chalk.green('  exec_sql is installed and secure.'))
+          process.exit(0)
+        }
+      }
+
+      // --- Generate fix migration ---
+      if (options.fix) {
+        if (tetra.generateExecSQL) {
+          console.log(tetra.generateExecSQL())
+        }
+        // Also generate the audit SQL for reference
+        if (tetra.generateAuditSQL) {
+          console.log('\n-- To audit manually, run this SQL in the Supabase SQL editor:')
+          console.log(tetra.generateAuditSQL())
+        }
+        process.exit(0)
+      }
+
+      // --- Run full RLS audit ---
+      console.log(chalk.blue.bold('\n  Tetra RLS Security Gate\n'))
+
+      const report = await tetra.runRLSCheck(supabase, {
+        severities: options.errorsOnly ? ['error'] : undefined,
+      })
+
+      if (options.json) {
+        console.log(JSON.stringify(report, null, 2))
+      } else {
+        console.log(report.text)
+      }
+
+      if (!report.passed) {
+        console.error(chalk.red.bold(`\n  DEPLOY BLOCKED: ${report.errorCount} error(s) found\n`))
+        console.error(chalk.yellow('  Fix all errors before deploying. Warnings are advisory.\n'))
+        process.exit(1)
+      }
+
+      if (report.warnCount > 0) {
+        console.log(chalk.yellow(`\n  PASS with ${report.warnCount} warning(s) — review recommended\n`))
+      } else {
+        console.log(chalk.green.bold('\n  ALL CLEAR — RLS security verified\n'))
+      }
+
+      process.exit(0)
+    } catch (err) {
+      console.error(chalk.red(`\n  ERROR: ${err.message}\n`))
+      if (err.stack && process.env.DEBUG) console.error(err.stack)
+      process.exit(1)
+    }
+  })
+
+program.parse()

package/bin/tetra-setup.js

@@ -153,7 +153,7 @@ echo "✅ Pre-commit checks passed"
     console.log('   ⏭️  .husky/pre-commit already exists (use --force to overwrite)')
   }
 
-  // Create or extend pre-push hook with hygiene check
+  // Create or extend pre-push hook with hygiene check + RLS security gate
   const prePushPath = join(huskyDir, 'pre-push')
   const hygieneBlock = `
 # Tetra hygiene check — blocks push if repo contains clutter
@@ -167,23 +167,72 @@ if [ $? -ne 0 ]; then
   exit 1
 fi
 echo "✅ Repo hygiene passed"
+`
+
+  // RLS security gate — auto-detects Doppler project from doppler.yaml
+  const rlsBlock = `
+# Tetra RLS Security Gate — blocks push if DB has security violations
+# Auto-detects Doppler project from doppler.yaml
+DOPPLER_PROJECT=""
+for dopfile in doppler.yaml backend/doppler.yaml; do
+  if [ -f "$dopfile" ]; then
+    DOPPLER_PROJECT=$(grep 'project:' "$dopfile" | head -1 | sed 's/.*project: *//')
+    break
+  fi
+done
+
+if [ -n "$DOPPLER_PROJECT" ]; then
+  echo ""
+  echo "🔐 Running RLS security gate..."
+  doppler run --project "$DOPPLER_PROJECT" --config dev_backend -- npx tetra-check-rls --errors-only 2>/dev/null
+  RLS_EXIT=$?
+  if [ $RLS_EXIT -ne 0 ]; then
+    echo ""
+    echo "════════════════════════════════════════════════════════════"
+    echo "❌ PUSH BLOCKED — RLS SECURITY VIOLATION"
+    echo "════════════════════════════════════════════════════════════"
+    echo ""
+    echo "Fix all errors before pushing."
+    echo "Run for details: doppler run --project $DOPPLER_PROJECT --config dev_backend -- npx tetra-check-rls"
+    echo ""
+    exit 1
+  fi
+  echo "✅ RLS security gate passed"
+else
+  echo "⚠️  No doppler.yaml found — skipping RLS check (add doppler.yaml to enable)"
+fi
 `
 
   if (!existsSync(prePushPath)) {
-    // No pre-push hook yet — create one
-    const prePushContent = `#!/bin/sh\n${hygieneBlock}\n`
+    // No pre-push hook yet — create one with both checks
+    const prePushContent = `#!/bin/sh\n${hygieneBlock}\n${rlsBlock}\n`
     writeFileSync(prePushPath, prePushContent)
     execSync(`chmod +x ${prePushPath}`)
-    console.log('   ✅ Created .husky/pre-push with hygiene check')
+    console.log('   ✅ Created .husky/pre-push with hygiene + RLS security gate')
   } else {
-    // Pre-push hook exists — add hygiene check if not already there
-    const existing = readFileSync(prePushPath, 'utf-8')
+    // Pre-push hook exists — add missing checks
+    let existing = readFileSync(prePushPath, 'utf-8')
+    let changed = false
+
     if (!existing.includes('tetra-audit hygiene')) {
-      writeFileSync(prePushPath, existing.trimEnd() + '\n' + hygieneBlock)
+      existing = existing.trimEnd() + '\n' + hygieneBlock
+      changed = true
       console.log('   ✅ Added hygiene check to existing .husky/pre-push')
     } else {
       console.log('   ⏭️  .husky/pre-push already has hygiene check')
     }
+
+    if (!existing.includes('tetra-check-rls')) {
+      existing = existing.trimEnd() + '\n' + rlsBlock
+      changed = true
+      console.log('   ✅ Added RLS security gate to existing .husky/pre-push')
+    } else {
+      console.log('   ⏭️  .husky/pre-push already has RLS security gate')
+    }
+
+    if (changed) {
+      writeFileSync(prePushPath, existing)
+    }
   }
 
   // Add prepare script to package.json

package/lib/checks/codeQuality/naming-conventions.js

@@ -29,7 +29,8 @@ export async function run(config, projectRoot) {
   }
 
   const ignoreMigrations = config.codeQuality?.namingConventions?.ignoreMigrations || []
-  const health = await healthCheck(projectRoot, { ignoreMigrations })
+  const ignoreViolations = config.codeQuality?.namingConventions?.ignoreViolations || []
+  const health = await healthCheck(projectRoot, { ignoreMigrations, ignoreViolations })
   result.details = health.details
 
   const dbViolations = health.details.database?.violations || []

package/lib/checks/health/naming-conventions.js

@@ -28,6 +28,7 @@ function scanDatabaseNaming(projectPath, options = {}) {
   ]
 
   const ignoreMigrations = options.ignoreMigrations || []
+  const ignoreViolations = options.ignoreViolations || []
 
   const sqlFiles = []
   for (const dir of migrationDirs) {
@@ -291,10 +292,19 @@ function scanDatabaseNaming(projectPath, options = {}) {
     }
   }
 
+  // Apply ignoreViolations — suppress violations matching any pattern
+  const finalViolations = ignoreViolations.length > 0
+    ? violations.filter(v => {
+        const ignored = ignoreViolations.some(pattern => v.includes(pattern))
+        if (ignored) compliant++
+        return !ignored
+      })
+    : violations
+
   return {
     totalFields,
     compliant,
-    violations: violations.slice(0, 50),
+    violations: finalViolations.slice(0, 50),
     compliancePercent: totalFields > 0 ? Math.round((compliant / totalFields) * 100) : 100
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.8.4",
+  "version": "1.8.6",
   "publishConfig": {
     "access": "restricted"
   },
@@ -28,7 +28,8 @@
     "tetra-audit": "./bin/tetra-audit.js",
     "tetra-init": "./bin/tetra-init.js",
     "tetra-setup": "./bin/tetra-setup.js",
-    "tetra-dev-token": "./bin/tetra-dev-token.js"
+    "tetra-dev-token": "./bin/tetra-dev-token.js",
+    "tetra-check-rls": "./bin/tetra-check-rls.js"
   },
   "files": [
     "bin/",