feat(db): enforce runtime RLS boundaries

2026-04-01 00:24:03 +00:00 · 2026-03-22 22:49:47 +04:00
parent 7665af0268
commit 97b5edcc0a
24 changed files with 2054 additions and 545 deletions
--- a/packages/adapters-db/src/finance-repository.ts
+++ b/packages/adapters-db/src/finance-repository.ts
@@ -1,6 +1,6 @@
 import { and, desc, eq, gte, inArray, isNotNull, isNull, lt, lte, or, sql } from 'drizzle-orm'

-import { createDbClient, schema } from '@household/db'
+import { createDbClient, type DbSessionContext, schema } from '@household/db'
 import type { FinanceRepository } from '@household/ports'
 import {
  instantFromDatabaseValue,
@@ -22,14 +22,22 @@ function toCurrencyCode(raw: string): CurrencyCode {

 export function createDbFinanceRepository(
  databaseUrl: string,
-  householdId: string
+  householdId: string,
+  options: {
+    sessionContext?: DbSessionContext
+  } = {}
 ): {
  repository: FinanceRepository
  close: () => Promise<void>
 } {
  const { db, queryClient } = createDbClient(databaseUrl, {
    max: 5,
-    prepare: false
+    prepare: false,
+    ...(options.sessionContext
+      ? {
+          sessionContext: options.sessionContext
+        }
+      : {})
  })

  async function loadPurchaseParticipants(purchaseIds: readonly string[]): Promise<
--- a/packages/adapters-db/src/household-config-repository.ts
+++ b/packages/adapters-db/src/household-config-repository.ts
@@ -1,6 +1,6 @@
 import { and, asc, eq, sql } from 'drizzle-orm'

-import { createDbClient, schema } from '@household/db'
+import { createDbClient, type DbSessionContext, schema } from '@household/db'
 import {
  instantToDate,
  normalizeSupportedLocale,
@@ -334,13 +334,23 @@ function utilityCategorySlug(name: string): string {
    .slice(0, 48)
 }

-export function createDbHouseholdConfigurationRepository(databaseUrl: string): {
+export function createDbHouseholdConfigurationRepository(
+  databaseUrl: string,
+  options: {
+    sessionContext?: DbSessionContext
+  } = {}
+): {
  repository: HouseholdConfigurationRepository
  close: () => Promise<void>
 } {
  const { db, queryClient } = createDbClient(databaseUrl, {
    max: 5,
-    prepare: false
+    prepare: false,
+    ...(options.sessionContext
+      ? {
+          sessionContext: options.sessionContext
+        }
+      : {})
  })

  const defaultUtilityCategories = [