@soulbatical/tetra-dev-toolkit 1.9.2 → 1.10.0

package/lib/checks/health/security-layers.js

@@ -68,19 +68,26 @@ export async function check(projectPath) {
     result.details.missing.push('Layer 2: .husky/pre-push missing tetra-check-rls')
   }
 
-  // Layer 3: railway.json has tetra-check-rls --errors-only
-  const railwayPaths = [
+  // Layer 3: build/deploy has tetra-check-rls --errors-only
+  // Check railway.json, Dockerfile, docker-compose, and CI workflows
+  const buildFiles = [
     join(projectPath, 'railway.json'),
     join(projectPath, '..', 'railway.json'),
-    join(projectPath, 'backend', 'railway.json')
+    join(projectPath, 'backend', 'railway.json'),
+    join(projectPath, 'Dockerfile'),
+    join(projectPath, 'backend', 'Dockerfile'),
+    join(projectPath, '.github', 'workflows', 'quality.yml'),
+    join(projectPath, '.github', 'workflows', 'deploy.yml'),
+    join(projectPath, '.github', 'workflows', 'ci.yml')
   ]
 
-  for (const p of railwayPaths) {
+  for (const p of buildFiles) {
     if (existsSync(p)) {
       try {
         const content = readFileSync(p, 'utf-8')
         if (content.includes('tetra-check-rls')) {
           result.details.layer3_build = true
+          result.details.layer3_source = p.split('/').slice(-2).join('/')
           result.score += 1
           break
         }
@@ -89,7 +96,7 @@ export async function check(projectPath) {
   }
 
   if (!result.details.layer3_build) {
-    result.details.missing.push('Layer 3: railway.json missing tetra-check-rls --errors-only in buildCommand')
+    result.details.missing.push('Layer 3: No build/deploy file contains tetra-check-rls --errors-only (checked railway.json, Dockerfile, CI workflows)')
   }
 
   // Set status

package/lib/checks/security/frontend-supabase-queries.js

@@ -0,0 +1,172 @@
+/**
+ * Frontend Supabase Queries Detection — HARD BLOCK
+ *
+ * Frontend code MUST NEVER query the database directly.
+ * All data access must go through backend API endpoints.
+ *
+ * This check finds:
+ * - supabase.from('table') calls in frontend code
+ * - supabase.rpc('function') calls in frontend code
+ * - supabase.storage calls in frontend code
+ *
+ * ALLOWED:
+ * - supabase.auth.* (login, signup, session management — that's what the anon key is for)
+ * - Type-only imports (import type { ... })
+ * - Test files
+ * - Supabase client initialization files (creating the client is OK, using .from() is NOT)
+ *
+ * WHY THIS MATTERS:
+ * - Frontend queries bypass backend validation, audit logging, and business logic
+ * - RLS is the ONLY protection — if policies are wrong, data leaks
+ * - Backend APIs can enforce rate limiting, input validation, and access control
+ * - Frontend queries expose your table schema to anyone with DevTools
+ */
+
+import { glob } from 'glob'
+import { readFileSync } from 'fs'
+
+export const meta = {
+  id: 'frontend-supabase-queries',
+  name: 'Frontend Direct DB Queries',
+  category: 'security',
+  severity: 'critical',
+  description: 'Blocks direct Supabase .from()/.rpc()/.storage calls in frontend code — all data access must go through backend API'
+}
+
+/**
+ * Patterns that indicate a direct database query (not auth)
+ */
+const QUERY_PATTERNS = [
+  // .from('table_name') or .from("table_name") or .from(variable)
+  { regex: /\.from\s*\(\s*['"`]/, type: 'direct-db-query', desc: '.from() query' },
+  { regex: /\.from\s*\(\s*[a-zA-Z]/, type: 'direct-db-query', desc: '.from() query with variable' },
+  // .rpc('function_name')
+  { regex: /\.rpc\s*\(\s*['"`]/, type: 'direct-rpc-call', desc: '.rpc() call' },
+  // .storage.from('bucket')
+  { regex: /\.storage\s*\./, type: 'direct-storage-access', desc: '.storage access' },
+]
+
+/**
+ * Lines to skip (not violations)
+ */
+const SKIP_PATTERNS = [
+  // Comments
+  /^\s*\/\//,
+  /^\s*\*/,
+  /^\s*\/\*/,
+  // Type definitions
+  /import\s+type/,
+  // Array.from() — not Supabase
+  /Array\.from/,
+  // Date.from, Object.from, etc
+  /\b(?:Array|Object|Date|Map|Set|FormData|URLSearchParams|Buffer)\.from/,
+  // new FormData().from — not Supabase
+  /FormData/,
+]
+
+/**
+ * Files that are allowed to have Supabase queries in the frontend.
+ * These should be VERY rare — ideally zero.
+ */
+const ALLOWED_FILES = [
+  // Supabase client setup files (creating client is OK)
+  /supabase\.ts$/,
+  /supabaseClient\.ts$/,
+  /supabase-client\.ts$/,
+  /createBrowserClient/,
+]
+
+export async function run(config, projectRoot) {
+  const results = {
+    passed: true,
+    findings: [],
+    summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 }
+  }
+
+  // Detect frontend directories
+  const frontendDirs = []
+  const candidates = ['frontend', 'web', 'app', 'client', 'src/app', 'src/pages', 'src/components']
+  for (const dir of candidates) {
+    try {
+      const files = await glob(`${dir}/**/*.{ts,tsx,js,jsx}`, {
+        cwd: projectRoot,
+        ignore: config.ignore || []
+      })
+      if (files.length > 0) {
+        frontendDirs.push(dir)
+      }
+    } catch {
+      // ignore
+    }
+  }
+
+  // If no frontend directory found, also check for Next.js app router pattern
+  if (frontendDirs.length === 0) {
+    results.skipped = true
+    results.skipReason = 'No frontend directory detected'
+    return results
+  }
+
+  // Scan all frontend files
+  for (const dir of frontendDirs) {
+    const files = await glob(`${dir}/**/*.{ts,tsx,js,jsx}`, {
+      cwd: projectRoot,
+      ignore: [
+        ...config.ignore,
+        '**/*.test.*',
+        '**/*.spec.*',
+        '**/*.d.ts',
+        '**/node_modules/**',
+        '**/.next/**',
+        '**/dist/**',
+        '**/build/**',
+      ]
+    })
+
+    for (const file of files) {
+      // Check if file is in allowed list
+      if (ALLOWED_FILES.some(pattern => pattern.test(file))) continue
+
+      try {
+        const content = readFileSync(`${projectRoot}/${file}`, 'utf-8')
+        const lines = content.split('\n')
+
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i]
+
+          // Skip comment lines and type imports
+          if (SKIP_PATTERNS.some(p => p.test(line))) continue
+
+          for (const pattern of QUERY_PATTERNS) {
+            if (pattern.regex.test(line)) {
+              // Double check it's not Array.from or similar
+              if (/(?:Array|Object|Date|Map|Set|FormData|URLSearchParams|Buffer|crypto)\.from/.test(line)) continue
+              // Skip if it's clearly in a comment at end of line
+              const commentIdx = line.indexOf('//')
+              const matchIdx = line.search(pattern.regex)
+              if (commentIdx >= 0 && commentIdx < matchIdx) continue
+
+              results.passed = false
+              results.findings.push({
+                file,
+                line: i + 1,
+                type: pattern.type,
+                severity: 'critical',
+                message: `BLOCKED: Frontend code has direct Supabase ${pattern.desc}. Move to backend API endpoint.`,
+                snippet: line.trim().substring(0, 120),
+                fix: `Create a backend API endpoint and call it via fetch() or your API client instead.`
+              })
+              results.summary.critical++
+              results.summary.total++
+              break // One finding per line is enough
+            }
+          }
+        }
+      } catch {
+        // Skip unreadable files
+      }
+    }
+  }
+
+  return results
+}

package/lib/checks/supabase/rls-policy-audit.js

@@ -63,6 +63,7 @@ export async function run(config, projectRoot) {
   const tables = new Map()       // tableName -> { created: true, rlsEnabled: false, policies: [], droppedPolicies: [], file: string }
   const securityDefinerFns = []  // { name, file }
   const publicTables = config.supabase?.publicTables || []
+  const backendOnlyTables = config.supabase?.backendOnlyTables || []
 
   for (const filePath of sqlFiles) {
     let content
@@ -171,6 +172,9 @@ export async function run(config, projectRoot) {
     // Skip intentionally public tables
     if (publicTables.includes(tableName)) continue
 
+    // Skip backend-only tables (RLS ON + 0 policies is intentional — accessed via systemDB only)
+    if (backendOnlyTables.includes(tableName)) continue
+
     // Skip internal Supabase tables
     if (tableName.startsWith('_') || tableName.startsWith('pg_') || tableName.startsWith('auth_')) continue
 
@@ -191,17 +195,17 @@ export async function run(config, projectRoot) {
 
     results.details.tablesWithRls++
 
-    // 2. Check policies exist
+    // 2. Check policies exist — RLS ON + 0 policies = DEAD TABLE (nobody can access, not even legit code)
     if (info.policies.length === 0) {
       results.passed = false
       results.findings.push({
         file: info.file,
-        type: 'No RLS policies',
-        severity: 'high',
-        message: `Table "${tableName}" has RLS enabled but NO policies defined (all access blocked)`,
+        type: 'RLS without policies',
+        severity: 'critical',
+        message: `Table "${tableName}" has RLS enabled but ZERO policies — all access blocked, table is dead. Either add policies or document as backend-only in .tetra-quality.json supabase.backendOnlyTables`,
         table: tableName
       })
-      results.summary.high++
+      results.summary.critical++
       results.summary.total++
     } else {
       results.details.tablesWithPolicies++

package/lib/runner.js

@@ -11,6 +11,7 @@ import * as hardcodedSecrets from './checks/security/hardcoded-secrets.js'
 import * as serviceKeyExposure from './checks/security/service-key-exposure.js'
 import * as deprecatedSupabaseAdmin from './checks/security/deprecated-supabase-admin.js'
 import * as directSupabaseClient from './checks/security/direct-supabase-client.js'
+import * as frontendSupabaseQueries from './checks/security/frontend-supabase-queries.js'
 import * as systemdbWhitelist from './checks/security/systemdb-whitelist.js'
 import * as huskyHooks from './checks/stability/husky-hooks.js'
 import * as ciPipeline from './checks/stability/ci-pipeline.js'
@@ -33,6 +34,7 @@ const ALL_CHECKS = {
     serviceKeyExposure,
     deprecatedSupabaseAdmin,
     directSupabaseClient,
+    frontendSupabaseQueries,
     systemdbWhitelist,
     gitignoreValidation
   ],
@@ -169,7 +171,9 @@ export async function runQuickCheck(options = {}) {
   // Run only critical security checks
   const criticalChecks = [
     hardcodedSecrets,
-    serviceKeyExposure
+    serviceKeyExposure,
+    directSupabaseClient,
+    frontendSupabaseQueries
   ]
 
   const results = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-dev-toolkit",
-  "version": "1.9.2",
+  "version": "1.10.0",
   "publishConfig": {
     "access": "restricted"
   },