chore: bump version to 0.5.2

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: dantelex

apps/agent/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent",
-  "version": "0.5.1",
+  "version": "0.5.2",
   "private": true,
   "bin": {
     "connect": "./dist/cli.js"

apps/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "api",
-  "version": "0.5.0",
+  "version": "0.5.2",
   "private": true,
   "scripts": {
     "dev": "nest start --watch",

apps/api/prisma/migrations/20250202_add_row_level_security/migration.sql

@@ -0,0 +1,258 @@
+-- Row Level Security (RLS) Migration
+-- Adds database-level tenant isolation as defense-in-depth
+-- The application already scopes queries by workspaceId; RLS adds a second layer
+
+-- ============================================================================
+-- ENABLE RLS ON WORKSPACE-SCOPED TABLES
+-- ============================================================================
+
+-- Agent table
+ALTER TABLE "Agent" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Agent" FORCE ROW LEVEL SECURITY;
+
+-- Service table
+ALTER TABLE "Service" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Service" FORCE ROW LEVEL SECURITY;
+
+-- ApiKey table
+ALTER TABLE "ApiKey" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "ApiKey" FORCE ROW LEVEL SECURITY;
+
+-- DebugSession table
+ALTER TABLE "DebugSession" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "DebugSession" FORCE ROW LEVEL SECURITY;
+
+-- EnvironmentShare table
+ALTER TABLE "EnvironmentShare" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "EnvironmentShare" FORCE ROW LEVEL SECURITY;
+
+-- AgentMessage table
+ALTER TABLE "AgentMessage" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "AgentMessage" FORCE ROW LEVEL SECURITY;
+
+-- Webhook table
+ALTER TABLE "Webhook" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "Webhook" FORCE ROW LEVEL SECURITY;
+
+-- ============================================================================
+-- CREATE RLS POLICIES
+-- ============================================================================
+-- Policy logic:
+--   - If app.current_workspace_id = '__rls_bypass__' → allow (for admin/migrations)
+--   - If app.current_workspace_id matches workspaceId → allow
+--   - Otherwise → deny (including when NULL/unset for security)
+--
+-- This is a deny-by-default policy. The application MUST set the context before queries.
+
+-- Agent policies
+CREATE POLICY workspace_isolation_select ON "Agent"
+    FOR SELECT
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_insert ON "Agent"
+    FOR INSERT
+    WITH CHECK (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_update ON "Agent"
+    FOR UPDATE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_delete ON "Agent"
+    FOR DELETE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+-- Service policies
+CREATE POLICY workspace_isolation_select ON "Service"
+    FOR SELECT
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_insert ON "Service"
+    FOR INSERT
+    WITH CHECK (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_update ON "Service"
+    FOR UPDATE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_delete ON "Service"
+    FOR DELETE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+-- ApiKey policies
+CREATE POLICY workspace_isolation_select ON "ApiKey"
+    FOR SELECT
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_insert ON "ApiKey"
+    FOR INSERT
+    WITH CHECK (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_update ON "ApiKey"
+    FOR UPDATE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_delete ON "ApiKey"
+    FOR DELETE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+-- DebugSession policies
+CREATE POLICY workspace_isolation_select ON "DebugSession"
+    FOR SELECT
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_insert ON "DebugSession"
+    FOR INSERT
+    WITH CHECK (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_update ON "DebugSession"
+    FOR UPDATE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_delete ON "DebugSession"
+    FOR DELETE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+-- EnvironmentShare policies
+CREATE POLICY workspace_isolation_select ON "EnvironmentShare"
+    FOR SELECT
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_insert ON "EnvironmentShare"
+    FOR INSERT
+    WITH CHECK (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_update ON "EnvironmentShare"
+    FOR UPDATE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_delete ON "EnvironmentShare"
+    FOR DELETE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+-- AgentMessage policies
+CREATE POLICY workspace_isolation_select ON "AgentMessage"
+    FOR SELECT
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_insert ON "AgentMessage"
+    FOR INSERT
+    WITH CHECK (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_update ON "AgentMessage"
+    FOR UPDATE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_delete ON "AgentMessage"
+    FOR DELETE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+-- Webhook policies
+CREATE POLICY workspace_isolation_select ON "Webhook"
+    FOR SELECT
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_insert ON "Webhook"
+    FOR INSERT
+    WITH CHECK (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_update ON "Webhook"
+    FOR UPDATE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+CREATE POLICY workspace_isolation_delete ON "Webhook"
+    FOR DELETE
+    USING (
+        current_setting('app.current_workspace_id', true) = '__rls_bypass__'
+        OR "workspaceId" = current_setting('app.current_workspace_id', true)
+    );
+
+-- ============================================================================
+-- NOTES
+-- ============================================================================
+-- 1. Policies are DENY by default - if app.current_workspace_id is not set, access is denied
+-- 2. Use '__rls_bypass__' for admin/migration operations that need cross-workspace access
+-- 3. FORCE ROW LEVEL SECURITY ensures even table owners are subject to RLS
+-- 4. The application must SET app.current_workspace_id before queries
+-- 5. Tables without direct workspaceId (like DiagnosticResult) inherit isolation
+--    through their foreign key relationships

apps/api/scripts/setup-rls-role.sql

@@ -0,0 +1,30 @@
+-- Setup script for RLS-enforced application role
+-- Run this ONCE on your production database as superuser before deploying
+
+-- Create application role with RLS enforcement
+-- Replace 'YOUR_SECURE_PASSWORD' with a strong password for production
+DROP ROLE IF EXISTS privateconnect_app;
+CREATE ROLE privateconnect_app LOGIN PASSWORD 'YOUR_SECURE_PASSWORD' NOBYPASSRLS;
+
+-- Grant schema access
+GRANT USAGE ON SCHEMA public TO privateconnect_app;
+
+-- Grant table permissions
+GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO privateconnect_app;
+
+-- Grant sequence permissions (needed for auto-increment IDs)
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO privateconnect_app;
+
+-- Set default privileges for future tables created by the migration user
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO privateconnect_app;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO privateconnect_app;
+
+-- Verify the role was created correctly
+SELECT rolname, rolsuper, rolbypassrls 
+FROM pg_roles 
+WHERE rolname = 'privateconnect_app';
+
+-- Expected output:
+--       rolname       | rolsuper | rolbypassrls 
+-- --------------------+----------+--------------
+--  privateconnect_app | f        | f

apps/api/src/app.module.ts

@@ -1,5 +1,6 @@
 import { Module } from '@nestjs/common';
 import { ThrottlerModule } from '@nestjs/throttler';
+import { ContextModule } from './context/context.module';
 import { PrismaModule } from './prisma/prisma.module';
 import { AuthModule } from './auth/auth.module';
 import { AdminModule } from './admin/admin.module';
@@ -23,6 +24,8 @@ import { AskModule } from './ask/ask.module';
 
 @Module({
   imports: [
+    // Context module must be first for RLS to work
+    ContextModule,
     // Rate limiting configuration
     ThrottlerModule.forRoot([
       {

apps/api/src/context/context.interceptor.ts

@@ -0,0 +1,36 @@
+import {
+  Injectable,
+  NestInterceptor,
+  ExecutionContext,
+  CallHandler,
+} from '@nestjs/common';
+import { Observable } from 'rxjs';
+import { ContextService } from './context.service';
+
+/**
+ * Interceptor that captures workspaceId from the request and stores it
+ * in AsyncLocalStorage for use by PrismaService (RLS context)
+ */
+@Injectable()
+export class ContextInterceptor implements NestInterceptor {
+  constructor(private readonly contextService: ContextService) {}
+
+  intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
+    const request = context.switchToHttp().getRequest();
+
+    // Extract workspace info from request (set by AuthGuard or ApiKeyGuard)
+    const workspaceId = request.workspaceId || request.workspace?.id;
+    const isAdmin = request.user?.isAdmin ?? false;
+
+    // Run the handler within the context
+    return new Observable((subscriber) => {
+      this.contextService.run({ workspaceId, isAdmin }, () => {
+        next.handle().subscribe({
+          next: (value) => subscriber.next(value),
+          error: (err) => subscriber.error(err),
+          complete: () => subscriber.complete(),
+        });
+      });
+    });
+  }
+}

apps/api/src/context/context.module.ts

@@ -0,0 +1,17 @@
+import { Global, Module } from '@nestjs/common';
+import { APP_INTERCEPTOR } from '@nestjs/core';
+import { ContextService } from './context.service';
+import { ContextInterceptor } from './context.interceptor';
+
+@Global()
+@Module({
+  providers: [
+    ContextService,
+    {
+      provide: APP_INTERCEPTOR,
+      useClass: ContextInterceptor,
+    },
+  ],
+  exports: [ContextService],
+})
+export class ContextModule {}