npm - @trycompai/db - Versions diffs - 2.1.2 → 2.1.3 - Mend

@trycompai/db 2.1.2 → 2.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/certs/rds-global-bundle.pem +2736 -0
package/dist/client.d.ts +2 -0
package/dist/client.d.ts.map +1 -1
package/dist/client.js +23 -13
package/dist/schema.prisma +42 -5
package/dist/ssl-config.d.ts +7 -0
package/dist/ssl-config.d.ts.map +1 -0
package/dist/ssl-config.js +32 -0
package/package.json +8 -2

package/dist/client.d.ts CHANGED Viewed

@@ -1,3 +1,5 @@
 import { PrismaClient } from '@prisma/client';
+export type { SslConfig } from './ssl-config';
+export { resolveSslConfig } from './ssl-config';
 export declare const db: PrismaClient<import("@prisma/client").Prisma.PrismaClientOptions, never, import("@prisma/client/runtime/client").DefaultArgs>;
 //# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;~~AA6B9C~~,eAAO,MAAM,EAAE,+~~HAAiD~~,CAAC"}
1	+ {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAI9C,YAAY,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAgChD,eAAO,MAAM,EAAE,+HAMb,CAAC"}

package/dist/client.js CHANGED Viewed

@@ -1,8 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.db = void 0;
+exports.db = exports.resolveSslConfig = void 0;
 const client_1 = require("@prisma/client");
 const adapter_pg_1 = require("@prisma/adapter-pg");
+const ssl_config_1 = require("./ssl-config");
+var ssl_config_2 = require("./ssl-config");
+Object.defineProperty(exports, "resolveSslConfig", { enumerable: true, get: function () { return ssl_config_2.resolveSslConfig; } });
 const globalForPrisma = global;
 function stripSslMode(connectionString) {
     const url = new URL(connectionString);
@@ -11,21 +14,28 @@ function stripSslMode(connectionString) {
 }
 function createPrismaClient() {
     const rawUrl = process.env.DATABASE_URL;
-    const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(rawUrl);
-    // Use verified SSL when NODE_EXTRA_CA_CERTS is set (Docker with RDS CA bundle),
-    // otherwise fall back to unverified SSL (Trigger.dev, Vercel, other environments).
-    const hasCABundle = !!process.env.NODE_EXTRA_CA_CERTS;
-    const ssl = isLocalhost ? undefined : hasCABundle ? true : { rejectUnauthorized: false };
-    // Strip sslmode from the connection string to avoid conflicts with the explicit ssl option
+    const ssl = (0, ssl_config_1.resolveSslConfig)(rawUrl);
     const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
     const adapter = new adapter_pg_1.PrismaPg({ connectionString: url, ssl });
     return new client_1.PrismaClient({
         adapter,
-        transactionOptions: {
-            timeout: 60000,
-        },
+        transactionOptions: { timeout: 60000 },
     });
 }
-exports.db = globalForPrisma.prisma || createPrismaClient();
-if (process.env.NODE_ENV !== 'production')
-    globalForPrisma.prisma = exports.db;
+// Lazy initialization. Importing this module does NOT construct a Prisma client
+// — that only happens on first property access on `db`. Critical so that
+// Next.js `next build` (which imports every route handler to analyze it) does
+// not trigger the strict TLS check at build time when no actual queries run.
+function getClient() {
+    if (!globalForPrisma.prisma) {
+        globalForPrisma.prisma = createPrismaClient();
+    }
+    return globalForPrisma.prisma;
+}
+exports.db = new Proxy({}, {
+    get(_target, prop, _receiver) {
+        const client = getClient();
+        const value = Reflect.get(client, prop, client);
+        return typeof value === 'function' ? value.bind(client) : value;
+    },
+});

package/dist/schema.prisma CHANGED Viewed

@@ -2284,7 +2284,28 @@ model Risk {
   residualLikelihood           Likelihood        @default(very_unlikely)
   residualImpact               Impact            @default(insignificant)
   treatmentStrategyDescription String?
-  treatmentStrategy            RiskTreatmentType @default(accept)
+  // Mitigate is the workhorse — the AI mitigation generator writes a
+  // mitigation plan for every new risk, and the plan is stored under
+  // the active strategy. Defaulting to anything other than mitigate
+  // would put the AI plan under the wrong slot.
+  treatmentStrategy            RiskTreatmentType @default(mitigate)
+  // Per-strategy text store. When the user switches strategies, the current
+  // `treatmentStrategyDescription` is moved into this map under the OLD
+  // strategy key, and the NEW strategy's saved value is loaded back into the
+  // active field. Lets users keep an independent Mitigate plan + Accept
+  // rationale + Transfer rationale on the same risk.
+  // Shape: { mitigate?: string, accept?: string, transfer?: string, avoid?: string }
+  strategyDescriptions         Json?
+  // Active auto-link suggestion run (trigger.dev). Set when the user kicks
+  // off an AI suggest scan; cleared when the user applies or discards. Lets
+  // the UI resume an in-flight or completed-but-unreviewed scan after a
+  // page reload so progress isn't lost.
+  autoLinkRunId        String?
+  autoLinkRunStartedAt DateTime?
+  // See Task.embeddingHash — skip-if-unchanged guard for re-embedding.
+  embeddingHash String?
   // Dates
   createdAt DateTime @default(now())
@@ -2780,6 +2801,12 @@ model Task {
   // Sync-driven archive — see Control.archivedAt.
   archivedAt DateTime?
+  // Skip-if-unchanged guard for the auto-linkage embedding pipeline. Holds
+  // a hash of (text + model + dims + department) — when re-running linkage
+  // we skip OpenAI embed + Upstash upsert for any task whose hash matches.
+  // Null means "never embedded" so the next linkage run will embed.
+  embeddingHash String?
   @@index([organizationId, archivedAt])
 }
@@ -2956,8 +2983,6 @@ model Trust {
   hipaa         Boolean @default(false)
   pci_dss       Boolean @default(false)
   iso9001       Boolean @default(false)
-  pipeda        Boolean @default(false)
-  ccpa          Boolean @default(false)
   soc2_status      FrameworkStatus @default(started)
   soc2type1_status FrameworkStatus @default(started)
@@ -2970,8 +2995,6 @@ model Trust {
   hipaa_status     FrameworkStatus @default(started)
   pci_dss_status   FrameworkStatus @default(started)
   iso9001_status   FrameworkStatus @default(started)
-  pipeda_status    FrameworkStatus @default(started)
-  ccpa_status      FrameworkStatus @default(started)
   // Overview section for public trust portal
   overviewTitle   String?
@@ -3199,6 +3222,12 @@ model Vendor {
   inherentImpact      Impact         @default(insignificant)
   residualProbability Likelihood     @default(very_unlikely)
   residualImpact      Impact         @default(insignificant)
+  // See Risk.treatmentStrategy — default mitigate so AI plans land in
+  // the right slot.
+  treatmentStrategy            RiskTreatmentType @default(mitigate)
+  treatmentStrategyDescription String?
+  // See `Risk.strategyDescriptions`.
+  strategyDescriptions         Json?
   website             String?
   isSubProcessor      Boolean        @default(false)
@@ -3208,6 +3237,14 @@ model Vendor {
   trustPortalOrder  Int?
   complianceBadges  Json? // Array of { type: 'soc2' | 'iso27001' | etc, verified: boolean }
+  // Active auto-link suggestion run (trigger.dev). Same semantics as
+  // Risk.autoLinkRunId — lets the UI resume an in-flight scan on reload.
+  autoLinkRunId        String?
+  autoLinkRunStartedAt DateTime?
+  // See Task.embeddingHash — skip-if-unchanged guard for re-embedding.
+  embeddingHash String?
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt

package/dist/ssl-config.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+export type SslConfig = undefined | {
+    checkServerIdentity: () => undefined;
+} | {
+    rejectUnauthorized: false;
+};
+export declare function resolveSslConfig(databaseUrl: string, env?: Partial<NodeJS.ProcessEnv>): SslConfig;
+//# sourceMappingURL=ssl-config.d.ts.map

package/dist/ssl-config.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"ssl-config.d.ts","sourceRoot":"","sources":["../src/ssl-config.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GACjB,SAAS,GACT;IAAE,mBAAmB,EAAE,MAAM,SAAS,CAAA;CAAE,GACxC;IAAE,kBAAkB,EAAE,KAAK,CAAA;CAAE,CAAC;AAgBlC,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,GAAG,GAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAe,GAC5C,SAAS,CAeX"}

package/dist/ssl-config.js ADDED Viewed

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveSslConfig = resolveSslConfig;
+const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
+function isLocalhostUrl(connectionString) {
+    try {
+        const { hostname } = new URL(connectionString);
+        const stripped = hostname.replace(/^\[/, '').replace(/\]$/, '');
+        return LOCAL_HOSTNAMES.has(stripped);
+    }
+    catch {
+        // Malformed URL — be conservative and treat as remote so we don't
+        // accidentally disable TLS verification.
+        return false;
+    }
+}
+function resolveSslConfig(databaseUrl, env = process.env) {
+    const isLocalhost = isLocalhostUrl(databaseUrl);
+    const hasCABundle = !!env.NODE_EXTRA_CA_CERTS;
+    const allowInsecure = env.PRISMA_ALLOW_INSECURE_TLS === '1';
+    if (isLocalhost)
+        return undefined;
+    // Verified TLS: rely on Node's TLS context (NODE_EXTRA_CA_CERTS adds the AWS
+    // RDS CA to the trust store). Skip hostname check because connections may
+    // traverse an AWS NLB whose hostname isn't in the RDS Proxy cert's SAN list.
+    // The chain check still rejects forged or wrong-CA certs.
+    if (hasCABundle)
+        return { checkServerIdentity: () => undefined };
+    if (allowInsecure)
+        return { rejectUnauthorized: false };
+    throw new Error('Refusing to connect to a non-local Postgres without TLS verification. Set NODE_EXTRA_CA_CERTS to a CA bundle, or set PRISMA_ALLOW_INSECURE_TLS=1 if you intentionally want unverified TLS.');
+}

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
     "name": "@trycompai/db",
     "description": "Database package with Prisma client and schema for Comp AI",
-    "version": "2.1.2",
+    "version": "2.1.3",
     "dependencies": {
         "@prisma/adapter-pg": "7.6.0",
         "@prisma/client": "7.6.0",
@@ -21,9 +21,14 @@
             "default": "./dist/index.js"
         },
         "./postinstall": {
-            "import": "./dist/postinstall.js",
             "types": "./src/postinstall.ts",
+            "import": "./dist/postinstall.js",
             "default": "./dist/postinstall.js"
+        },
+        "./ssl-config": {
+            "types": "./dist/ssl-config.d.ts",
+            "import": "./dist/ssl-config.js",
+            "default": "./dist/ssl-config.js"
         }
     },
     "bin": {
@@ -31,6 +36,7 @@
     },
     "files": [
         "dist",
+        "certs",
         "README.md",
         "INTEGRATION_GUIDE.md"
     ],