@trycompai/db 2.2.0 → 2.3.1

@@ -630,20 +630,35 @@ model CustomRequirement {
630
630
  description String
631
631
  identifier String
632
632
 
633
- organizationId String
634
- organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
635
- customFrameworkId String
633
+ organizationId String
634
+ organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
635
+
636
+ // A custom requirement hangs off either a CustomFramework (the org authored
637
+ // a whole new framework) or a single FrameworkInstance (the org tacked an
638
+ // extra requirement onto a platform framework like ISO 27001). Exactly one
639
+ // of these is set — enforced by a DB CHECK constraint.
640
+ customFrameworkId String?
636
641
  // Composite FK onto (id, organizationId) so tenant consistency with the
637
642
  // referenced CustomFramework is enforced at the DB level.
638
- customFramework CustomFramework @relation(fields: [customFrameworkId, organizationId], references: [id, organizationId], onDelete: Cascade)
643
+ customFramework CustomFramework? @relation(fields: [customFrameworkId, organizationId], references: [id, organizationId], onDelete: Cascade)
644
+
645
+ frameworkInstanceId String?
646
+ // Composite FK onto (id, organizationId) so a per-instance custom requirement
647
+ // can only point at an FI in its own org.
648
+ frameworkInstance FrameworkInstance? @relation(fields: [frameworkInstanceId, organizationId], references: [id, organizationId], onDelete: Cascade)
639
649
 
640
650
  requirementMaps RequirementMap[]
641
651
 
642
652
  createdAt DateTime @default(now())
643
653
  updatedAt DateTime @default(now()) @updatedAt
644
654
 
655
+ // Identifier uniqueness scoped to whichever parent is set. Postgres treats
656
+ // NULLs as distinct in unique indexes, so the inactive parent column doesn't
657
+ // collide across rows.
645
658
  @@unique([customFrameworkId, identifier])
659
+ @@unique([frameworkInstanceId, identifier])
646
660
  @@index([organizationId])
661
+ @@index([frameworkInstanceId])
647
662
  }
648
663
 
649
664
  // ===== device.prisma =====
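Review bot: The "exactly one of these is set" rule on `customFrameworkId` / `frameworkInstanceId` is attributed to a DB CHECK constraint, but a Prisma schema cannot declare CHECK constraints, so nothing in this file enforces it. A database built from the schema alone, rather than from the migration history, would accept rows with both parents set or with neither. I would name the constraint and its migration in the comment, e.g. `// enforced by CHECK <constraint_name> in migration <migration_name>; not expressible in the Prisma schema`, and validate the same rule in the write path, since both fields are now optional in the schema. Separately, `@@index([frameworkInstanceId])` looks redundant, because `@@unique([frameworkInstanceId, identifier])` already provides an index led by that column, which is how `customFrameworkId` appears to be covered in the visible lines. The model starts above this hunk, so earlier fields and attributes are not visible here.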
@@ -1139,7 +1154,14 @@ model FrameworkInstance {
1139
1154
  requirementsMapped RequirementMap[]
1140
1155
  timelineInstances TimelineInstance[]
1141
1156
  syncOperations FrameworkSyncOperation[]
1157
+ // Per-instance custom requirements (used when an org tacks an extra requirement
1158
+ // onto a platform framework instance). Custom requirements attached to a
1159
+ // CustomFramework hang off CustomFramework.requirements instead.
1160
+ customRequirements CustomRequirement[]
1142
1161
 
1162
+ // (id, organizationId) is the composite-FK target for CustomRequirement.frameworkInstanceId
1163
+ // so a per-instance custom requirement can only point at an FI in its own org.
1164
+ @@unique([id, organizationId])
1143
1165
  @@unique([organizationId, frameworkId])
1144
1166
  @@unique([organizationId, customFrameworkId])
1145
1167
  @@index([customFrameworkId])
@@ -2983,6 +3005,8 @@ model Trust {
2983
3005
  hipaa Boolean @default(false)
2984
3006
  pci_dss Boolean @default(false)
2985
3007
  iso9001 Boolean @default(false)
3008
+ pipeda Boolean @default(false)
3009
+ ccpa Boolean @default(false)
2986
3010
 
2987
3011
  soc2_status FrameworkStatus @default(started)
2988
3012
  soc2type1_status FrameworkStatus @default(started)
@@ -2995,6 +3019,8 @@ model Trust {
2995
3019
  hipaa_status FrameworkStatus @default(started)
2996
3020
  pci_dss_status FrameworkStatus @default(started)
2997
3021
  iso9001_status FrameworkStatus @default(started)
3022
+ pipeda_status FrameworkStatus @default(started)
3023
+ ccpa_status FrameworkStatus @default(started)
2998
3024
 
2999
3025
  // Overview section for public trust portal
3000
3026
  overviewTitle String?
@@ -3032,6 +3058,8 @@ enum TrustFramework {
3032
3058
  pci_dss
3033
3059
  nen_7510
3034
3060
  iso_9001
3061
+ pipeda
3062
+ ccpa
3035
3063
  }
3036
3064
 
3037
3065
  model TrustResource {
@@ -1,5 +1,4 @@
1
1
  export type SslConfig = undefined | {
2
- ca: string;
3
2
  checkServerIdentity: () => undefined;
4
3
  } | {
5
4
  rejectUnauthorized: false;
@@ -1 +1 @@
1
- {"version":3,"file":"ssl-config.d.ts","sourceRoot":"","sources":["../src/ssl-config.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,SAAS,GACjB,SAAS,GACT;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,mBAAmB,EAAE,MAAM,SAAS,CAAA;CAAE,GACpD;IAAE,kBAAkB,EAAE,KAAK,CAAA;CAAE,CAAC;AAgBlC,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,GAAG,GAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAe,GAC5C,SAAS,CAQX"}
1
+ {"version":3,"file":"ssl-config.d.ts","sourceRoot":"","sources":["../src/ssl-config.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,SAAS,GACjB,SAAS,GACT;IAAE,mBAAmB,EAAE,MAAM,SAAS,CAAA;CAAE,GACxC;IAAE,kBAAkB,EAAE,KAAK,CAAA;CAAE,CAAC;AAgBlC,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,GAAG,GAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAe,GAC5C,SAAS,CAcX"}
@@ -1,7 +1,6 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.resolveSslConfig = resolveSslConfig;
4
- const rds_ca_bundle_1 = require("./rds-ca-bundle");
5
4
  const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
6
5
  function isLocalhostUrl(connectionString) {
7
6
  try {
@@ -20,9 +19,15 @@ function resolveSslConfig(databaseUrl, env = process.env) {
20
19
  return undefined;
21
20
  if (env.PRISMA_ALLOW_INSECURE_TLS === '1')
22
21
  return { rejectUnauthorized: false };
23
- // Verified TLS using the inlined AWS RDS CA bundle. Skip the hostname check
24
- // because connections may traverse an AWS NLB whose hostname isn't in the
25
- // RDS Proxy cert's SAN list. The chain check still rejects forged or
26
- // wrong-CA certs.
27
- return { ca: rds_ca_bundle_1.RDS_CA_BUNDLE, checkServerIdentity: () => undefined };
22
+ // Verified TLS via Node's default trust store, which includes Amazon Root
23
+ // CA 1 where AWS RDS Proxy chains terminate. Hostname check is skipped
24
+ // because connections traverse an AWS NLB whose hostname isn't in the RDS
25
+ // Proxy cert's SAN list; the chain check still rejects forged or wrong-CA
26
+ // certs.
27
+ //
28
+ // Previously this returned `{ ca: RDS_CA_BUNDLE, ... }` — but `ssl.ca`
29
+ // *replaces* Node's trust store rather than augmenting it, and the bundle
30
+ // only contains regional RDS CAs (not Amazon Root CA 1), so RDS Proxy
31
+ // chain validation failed at runtime (P1011 / TlsConnectionError).
32
+ return { checkServerIdentity: () => undefined };
28
33
  }
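Review bot: With `ca` removed, `return { checkServerIdentity: () => undefined };` validates the chain against Node's entire default trust store while still skipping the hostname check, so a certificate issued by any publicly trusted CA for any name would be accepted. The comment's claim that "the chain check still rejects forged or wrong-CA certs" held when the chain was pinned to the RDS bundle, but it is far weaker once every public CA counts as the right CA. One option is to keep a pinned `ca` that contains the regional RDS CAs plus Amazon Root CA 1. The other is to check the certificate against the expected proxy endpoint name instead of returning undefined, e.g. `checkServerIdentity: (_host, cert) => tls.checkServerIdentity(expectedHost, cert)`, where `expectedHost` is a placeholder for a configured value and `tls` comes from `require('node:tls')`; the `SslConfig` type in the declaration file would need the matching signature. `resolveSslConfig` begins above this hunk, so its earlier branches are not visible here.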
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@trycompai/db",
3
3
  "description": "Database package with Prisma client and schema for Comp AI",
4
- "version": "2.2.0",
4
+ "version": "2.3.1",
5
5
  "dependencies": {
6
6
  "@prisma/adapter-pg": "7.6.0",
7
7
  "@prisma/client": "7.6.0",
@@ -36,7 +36,6 @@
36
36
  },
37
37
  "files": [
38
38
  "dist",
39
- "certs",
40
39
  "README.md",
41
40
  "INTEGRATION_GUIDE.md"
42
41
  ],