feat(rls): implement Row Level Security policy management

[weroperking]

Summary

This PR implements Row Level Security (RLS) support for the BetterBase framework.

Changes

• CLI Commands: bb rls create, bb rls list, bb rls disable
• Core Library: modules for defining, scanning, generating SQL, applying RLS policies
• Middleware: RLS session middleware for authentication integration
• Migration: Integration for applying RLS policies during database migration

Security Fixes

• Added input validation to prevent SQL injection
• Added policy name validation
• Removed unsafe type assertions

Summary by CodeRabbit

• New Features
  • Added RLS (Row-Level Security) CLI commands for creating, listing, and disabling database policies.
  • Introduced RLS middleware for managing authenticated user sessions.
  • Added RLS policy definition and validation support throughout the framework.
  • Integrated RLS policy scanning and discovery for project directories.
  • Added database migration support for applying RLS policies.
  • Introduced SQL authentication helper functions for RLS enforcement.

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

This PR introduces comprehensive Row Level Security (RLS) support, adding CLI commands for policy management, context generation with AI integration, session middleware, database migration capabilities, and core RLS utilities including policy generation, scanning, and authentication functions across the framework.

Changes

Cohort / File(s)	Summary
CLI RLS Command Module packages/cli/src/commands/rls.ts, packages/cli/src/index.ts	Adds CLI commands for RLS policy management: create (generates policy templates), list (displays existing policies), and disable (removes policies). Integrates RLS command group with subcommand routing into the CLI framework.
Context & AI Integration packages/cli/src/utils/context-generator.ts	Extends context generation to discover, parse, and embed RLS policies into AI prompts. Adds RLSPolicyConfig interface, scanRLSPolicies helper, and policy inclusion in generated context for AI awareness of RLS configurations.
Core RLS Session Middleware packages/core/src/middleware/rls-session.ts, packages/core/src/middleware/index.ts	Introduces Hono middleware for RLS session management with utilities to read/store user context, enforce authentication, and provide idempotent RLS session setup. Re-exports all RLS-related middleware APIs through the index.
Core RLS Type System packages/core/src/rls/types.ts	Defines PolicyDefinition and PolicyConfig interfaces alongside helper functions (definePolicy, isPolicyDefinition, mergePolicies) for policy construction and validation.
Core RLS SQL Generation packages/core/src/rls/generator.ts, packages/core/src/rls/auth-bridge.ts	Provides SQL generation for RLS policy creation/dropping and authentication functions (auth.uid(), auth.authenticated()). Includes policy statement construction and validation for SQL-safe operations.
Core RLS Policy Scanning packages/core/src/rls/scanner.ts	Adds automated discovery and loading of *.policy.ts files with regex-based fallback parsing, custom error handling, and both lenient and strict scanning modes. Supports metadata extraction and file listing utilities.
Core RLS Migration & Public API packages/core/src/migration/rls-migrator.ts, packages/core/src/migration/index.ts, packages/core/src/rls/index.ts	Implements database migration orchestration with RLS policy application, auth function management, policy existence checks, and cross-driver SQL execution. Aggregates all RLS functionality (types, generator, scanner, auth bridge) into a unified public API surface.

Sequence Diagram(s)

sequenceDiagram
    participant User as Developer (CLI)
    participant CLI as RLS Command
    participant Scanner as Policy Scanner
    participant Generator as SQL Generator
    participant DB as Database
    participant Log as Logger

    User->>CLI: runMigration(projectRoot, db, provider)
    CLI->>Scanner: scanRLSPolicies(projectRoot)
    Scanner->>Scanner: Find *.policy.ts files
    Scanner->>Log: Log loaded policies
    alt Policies Found
        CLI->>Generator: policyToSQL(policies)
        Generator->>Generator: Generate CREATE POLICY + auth.uid() SQL
        Generator->>Log: Log generated statements
        CLI->>DB: executeStatements(sqlStatements)
        DB->>DB: Apply policies & auth function
        DB-->>CLI: Success
        CLI->>Log: Log RLS migration success
    else No Policies
        CLI->>Log: Skip RLS migration (info)
    end
    CLI-->>User: Migration complete

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

• feat: add new changes for BetterBase #11: Establishes a stub export for the RLS module index that this PR implements and fills with comprehensive RLS functionality including types, generators, scanners, and authentication utilities.

Suggested labels

codex, feature, rls, database

Poem

🐰 Whiskers twitch with RLS delight,
Policies dance in SQL's soft light,
Row-level security now takes the stage,
Auth functions scripted on the database page!
A hop, a skip—migrations run true, ✨
Security hardened through and through!

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch docs/enhanced-codebase-documentation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}