@soulbatical/tetra-dev-toolkit 1.9.1 → 1.9.2

package/lib/checks/health/index.js

@@ -37,3 +37,4 @@ export { check as checkDependencyAutomation } from './dependency-automation.js'
 export { check as checkLicenseAudit } from './license-audit.js'
 export { check as checkSast } from './sast.js'
 export { check as checkBundleSize } from './bundle-size.js'
+export { check as checkSecurityLayers } from './security-layers.js'

package/lib/checks/health/scanner.js

@@ -33,6 +33,7 @@ import { check as checkDependencyAutomation } from './dependency-automation.js'
 import { check as checkLicenseAudit } from './license-audit.js'
 import { check as checkSast } from './sast.js'
 import { check as checkBundleSize } from './bundle-size.js'
+import { check as checkSecurityLayers } from './security-layers.js'
 import { calculateHealthStatus } from './types.js'
 
 /**
@@ -74,7 +75,8 @@ export async function scanProjectHealth(projectPath, projectName, options = {})
     checkDependencyAutomation(projectPath),
     checkLicenseAudit(projectPath),
     checkSast(projectPath),
-    checkBundleSize(projectPath)
+    checkBundleSize(projectPath),
+    checkSecurityLayers(projectPath)
   ])
 
   const totalScore = checks.reduce((sum, c) => sum + c.score, 0)

package/lib/checks/health/security-layers.js

@@ -0,0 +1,107 @@
+/**
+ * Health Check: 3-Layer Security Model
+ *
+ * Verifies the project has all 3 security layers active:
+ *   Layer 1 (pre-commit):  tetra-audit quick
+ *   Layer 2 (pre-push):    tetra-check-rls
+ *   Layer 3 (build/deploy): tetra-check-rls --errors-only in railway.json
+ *
+ * Score: 0-3 (1 point per layer)
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('security-layers', 3, {
+    layer1_precommit: false,
+    layer2_prepush: false,
+    layer3_build: false,
+    missing: []
+  })
+
+  // Layer 1: pre-commit has tetra-audit
+  const preCommitPaths = [
+    join(projectPath, '.husky', 'pre-commit'),
+    // monorepo: check parent dir too
+    join(projectPath, '..', '.husky', 'pre-commit')
+  ]
+
+  for (const p of preCommitPaths) {
+    if (existsSync(p)) {
+      try {
+        const content = readFileSync(p, 'utf-8')
+        if (content.includes('tetra-audit')) {
+          result.details.layer1_precommit = true
+          result.score += 1
+          break
+        }
+      } catch { /* ignore read errors */ }
+    }
+  }
+
+  if (!result.details.layer1_precommit) {
+    result.details.missing.push('Layer 1: .husky/pre-commit missing tetra-audit quick')
+  }
+
+  // Layer 2: pre-push has tetra-check-rls
+  const prePushPaths = [
+    join(projectPath, '.husky', 'pre-push'),
+    join(projectPath, '..', '.husky', 'pre-push')
+  ]
+
+  for (const p of prePushPaths) {
+    if (existsSync(p)) {
+      try {
+        const content = readFileSync(p, 'utf-8')
+        if (content.includes('tetra-check-rls')) {
+          result.details.layer2_prepush = true
+          result.score += 1
+          break
+        }
+      } catch { /* ignore read errors */ }
+    }
+  }
+
+  if (!result.details.layer2_prepush) {
+    result.details.missing.push('Layer 2: .husky/pre-push missing tetra-check-rls')
+  }
+
+  // Layer 3: railway.json has tetra-check-rls --errors-only
+  const railwayPaths = [
+    join(projectPath, 'railway.json'),
+    join(projectPath, '..', 'railway.json'),
+    join(projectPath, 'backend', 'railway.json')
+  ]
+
+  for (const p of railwayPaths) {
+    if (existsSync(p)) {
+      try {
+        const content = readFileSync(p, 'utf-8')
+        if (content.includes('tetra-check-rls')) {
+          result.details.layer3_build = true
+          result.score += 1
+          break
+        }
+      } catch { /* ignore read errors */ }
+    }
+  }
+
+  if (!result.details.layer3_build) {
+    result.details.missing.push('Layer 3: railway.json missing tetra-check-rls --errors-only in buildCommand')
+  }
+
+  // Set status
+  if (result.score === 3) {
+    result.status = 'ok'
+  } else if (result.score >= 2) {
+    result.status = 'warning'
+  } else {
+    result.status = 'error'
+  }
+
+  result.details.fix = 'Run: npx tetra-setup hooks'
+
+  return result
+}

package/lib/checks/health/types.js

@@ -5,7 +5,7 @@
  */
 
 /**
- * @typedef {'plugins'|'mcps'|'git'|'tests'|'secrets'|'quality-toolkit'|'naming-conventions'|'rls-audit'|'rpc-param-mismatch'|'typescript-strict'|'prettier'|'coverage-thresholds'|'eslint-security'|'dependency-cruiser'|'conventional-commits'|'knip'|'dependency-automation'|'license-audit'|'sast'|'bundle-size'|'gitignore'|'repo-visibility'|'vincifox-widget'|'stella-integration'|'claude-md'|'doppler-compliance'|'infrastructure-yml'|'file-organization'} HealthCheckType
+ * @typedef {'plugins'|'mcps'|'git'|'tests'|'secrets'|'quality-toolkit'|'naming-conventions'|'rls-audit'|'rpc-param-mismatch'|'typescript-strict'|'prettier'|'coverage-thresholds'|'eslint-security'|'dependency-cruiser'|'conventional-commits'|'knip'|'dependency-automation'|'license-audit'|'sast'|'bundle-size'|'gitignore'|'repo-visibility'|'vincifox-widget'|'stella-integration'|'claude-md'|'doppler-compliance'|'infrastructure-yml'|'file-organization'|'security-layers'} HealthCheckType
  *
  * @typedef {'ok'|'warning'|'error'} HealthStatus
  *
@@ -66,7 +66,7 @@ export function calculateHealthStatus(checks) {
 
   // Critical checks override percentage
   if (checks.some(c =>
-    (c.type === 'secrets' || c.type === 'rls-audit' || c.type === 'rpc-param-mismatch' || c.type === 'repo-visibility') && c.status === 'error'
+    (c.type === 'secrets' || c.type === 'rls-audit' || c.type === 'rpc-param-mismatch' || c.type === 'repo-visibility' || c.type === 'security-layers') && c.status === 'error'
   )) {
     return 'unhealthy'
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.9.1",
+  "version": "1.9.2",
   "publishConfig": {
     "access": "restricted"
   },