
[dev] [Marfuen] mariano/secure-rds-tls#2762

Merged: Marfuen merged 16 commits into main from mariano/secure-rds-tls on May 6, 2026
Conversation

@github-actions github-actions Bot (Contributor) commented May 6, 2026

This is an automated pull request to merge mariano/secure-rds-tls into dev.
It was created by the [Auto Pull Request] action.


Summary by cubic

Secure Postgres TLS across apps and workers using the AWS RDS CA bundle, with strict Prisma TLS gating and lazy client initialization to avoid build-time crashes.

  • New Features

    • Bundles the RDS CA cert at packages/db/certs/rds-global-bundle.pem and sets NODE_EXTRA_CA_CERTS for verified TLS.
    • Trigger.dev: adds caBundleExtension to copy the cert and set the env var at runtime.
    • Vercel: includes the cert in functions via outputFileTracingIncludes in Next.js configs (app + portal).
    • Enforces Prisma TLS: local DBs skip TLS; remote DBs require verified TLS or PRISMA_ALLOW_INSECURE_TLS=1. Hostname check is skipped when the CA bundle is present (NLB → RDS Proxy), while chain verification remains.
    • Lazily initializes Prisma clients (api, app, portal, framework-editor) to defer TLS checks to first use.
    • Temporary /api/_debug-tls route to verify cert path at runtime.
  • Migration

    • Vercel (app + portal): set NODE_EXTRA_CA_CERTS to /var/task/packages/db/certs/rds-global-bundle.pem (or /vercel/path0/... if needed).
    • Trigger.dev (api + app): deploy with the new caBundleExtension, then remove PRISMA_ALLOW_INSECURE_TLS.
    • API Docker: no action needed (image already sets NODE_EXTRA_CA_CERTS).
    • Verify with /api/_debug-tls on a preview deploy, then remove the route once confirmed.

Written for commit 975d029. Summary will update on new commits.
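The gating and lazy-initialization behaviour the summary describes, as an added example in JavaScript; this is not code from the comp repository. `resolveSslConfig` is a name the commit messages use, but the signature shown here, the returned `{ mode, tls }` shape, the injected `fileExists` predicate, and the sample hosts and credentials are assumptions. `checkServerIdentity: () => undefined` is the standard Node `tls` option for keeping chain validation while skipping the hostname match, which is what the NLB → RDS Proxy relaxation needs.

```javascript
// Added example of the PR's Prisma TLS gating and lazy client construction.
// Not the project's own code: resolveSslConfig and the env-var names come from
// the PR; the return shape, the injected fileExists predicate and the sample
// hosts/credentials are assumptions.

// Hosts that count as "local": TLS is skipped entirely for these.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

// Hostname from a postgres:// URL, IPv6 brackets stripped; null if unparseable.
function databaseHost(databaseUrl) {
  try {
    return new URL(databaseUrl).hostname.replace(/^\[|\]$/g, '') || null;
  } catch {
    return null;
  }
}

function isLocalDatabase(databaseUrl) {
  const host = databaseHost(databaseUrl);
  return host !== null && LOCAL_HOSTS.has(host);
}

// Decide how the driver should do TLS for DATABASE_URL:
//   local host                     -> TLS disabled
//   CA bundle path set and present -> verified TLS (chain checked, hostname check relaxed)
//   PRISMA_ALLOW_INSECURE_TLS=1    -> explicit insecure opt-in
//   anything else                  -> throw, so a misconfigured deploy fails loudly
// fileExists is injected (pass fs.existsSync at runtime) to keep this pure and testable.
function resolveSslConfig(env, fileExists) {
  const url = env.DATABASE_URL;
  if (!url) throw new Error('DATABASE_URL is not set');

  if (isLocalDatabase(url)) return { mode: 'disabled', tls: false };

  const caBundle = env.NODE_EXTRA_CA_CERTS;
  if (caBundle && fileExists(caBundle)) {
    // Node loaded NODE_EXTRA_CA_CERTS into its default trust store at startup,
    // so the RDS roots are already trusted; no separate `ca` option is needed.
    return {
      mode: 'verified',
      tls: {
        rejectUnauthorized: true, // chain must validate: forged / wrong-CA certs are rejected
        // NLB -> RDS Proxy: the NLB hostname is not in the proxy cert's SAN list,
        // so only the hostname-string check is relaxed. undefined means "identity OK".
        checkServerIdentity: () => undefined,
      },
    };
  }

  if (env.PRISMA_ALLOW_INSECURE_TLS === '1') {
    return { mode: 'insecure', tls: { rejectUnauthorized: false } };
  }

  throw new Error(
    `Refusing to connect to non-local database host "${databaseHost(url)}" without a verified ` +
      'CA bundle: set NODE_EXTRA_CA_CERTS to the RDS bundle, or PRISMA_ALLOW_INSECURE_TLS=1 to opt out',
  );
}

// Defer construction (and therefore the strict-TLS throw above) to first property
// access instead of module import: `next build` imports every route handler
// without running queries, so the build itself never triggers the check.
function createLazyClient(factory) {
  let instance = null;
  const real = () => (instance ??= factory());
  return new Proxy({}, {
    get(_target, prop) {
      const value = Reflect.get(real(), prop);
      return typeof value === 'function' ? value.bind(instance) : value;
    },
    has(_target, prop) {
      return prop in real();
    },
  });
}

// Constructed sample environments; "db.example.internal" and the credentials are placeholders.
const SAMPLE_ENVS = {
  local: { DATABASE_URL: 'postgresql://app:secret@localhost:5432/comp' },
  vercel: {
    DATABASE_URL: 'postgresql://app:secret@db.example.internal:5432/comp',
    NODE_EXTRA_CA_CERTS: '/var/task/packages/db/certs/rds-global-bundle.pem',
  },
  optOut: {
    DATABASE_URL: 'postgresql://app:secret@db.example.internal:5432/comp',
    PRISMA_ALLOW_INSECURE_TLS: '1',
  },
  misconfigured: { DATABASE_URL: 'postgresql://app:secret@db.example.internal:5432/comp' },
};

// Stand-in for fs.existsSync: only the bundled Vercel path "exists" in this example.
const sampleFileExists = (p) => p === '/var/task/packages/db/certs/rds-global-bundle.pem';

// Resolve every sample env; returns the TLS mode, or the refusal message.
function describeAll() {
  const out = {};
  for (const [name, env] of Object.entries(SAMPLE_ENVS)) {
    try {
      out[name] = resolveSslConfig(env, sampleFileExists).mode;
    } catch (err) {
      out[name] = `refused: ${err.message}`;
    }
  }
  return out;
}
```

One caveat the Trigger.dev commit relies on: Node reads `NODE_EXTRA_CA_CERTS` once, at process start, so the variable has to be in the runtime environment (the deploy.env layer, the Vercel project settings, the Docker image) before Node launches; setting it from application code after startup has no effect, and the bundle path must also exist at that location in the deployed artifact, which is what the `outputFileTracingIncludes` entry and the debug route confirm.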

Marfuen and others added 15 commits May 6, 2026 13:18
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Move SSL-resolution logic into a pure ssl-config.ts module so it can be
tested with bun:test (matching strip-ssl-mode.test.ts's pattern) without
importing the module-level Prisma client. Drop vitest devDependency.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extracts SSL config logic into apps/app/prisma/ssl-config.ts and
updates the Prisma client to throw at boot when connecting to a
non-local database without a verified CA bundle or explicit
PRISMA_ALLOW_INSECURE_TLS=1 opt-in.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…pps/app

Add `./ssl-config` subpath export to @trycompai/db so apps/app (and
upcoming portal/framework-editor) can import the single source of truth
instead of maintaining their own copy. Widen the `env` parameter type
from `NodeJS.ProcessEnv` to `Partial<NodeJS.ProcessEnv>` (strictly more
permissive) to satisfy apps/app's strict TS config. Delete the duplicate
apps/app/prisma/ssl-config.ts and its redundant test file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Ships the RDS CA bundle (packages/db/certs/rds-global-bundle.pem) into
Trigger.dev task images at /app/certs/rds-global-bundle.pem and sets
NODE_EXTRA_CA_CERTS via the deploy.env layer so Node TLS initialization
picks it up before any Prisma connection attempt.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…age dependency

Drop `import { resolveSslConfig } from '@trycompai/db/ssl-config'` from
apps/app, apps/portal, and apps/framework-editor and inline the full
localhost/CA-bundle/PRISMA_ALLOW_INSECURE_TLS logic directly.
Trigger.dev pins @trycompai/db@^2.0.0 from npm which lacks the
./ssl-config subpath, causing indexer crashes at deploy time.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…lity)

AWS NLB → RDS Proxy connections fail TLS hostname verification because the
NLB hostname (*.elb.amazonaws.com) isn't in the RDS Proxy cert's SAN list.
Cert chain verification is preserved — an attacker still cannot present a
forged or wrong-CA cert. Only the hostname-string check is relaxed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add outputFileTracingIncludes to apps/app and apps/portal next.config.ts
so the rds-global-bundle.pem is included in Vercel's traced file output
for each deployed function.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Documents the NODE_EXTRA_CA_CERTS values to set in Vercel (both candidate
paths), the Trigger.dev PRISMA_ALLOW_INSECURE_TLS removal commands, and
notes that API Docker needs no action.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
next build imports every route handler to analyze it, which previously
triggered our strict-TLS throw at module load even though no queries run.
Wrap the client in a Proxy that constructs the real PrismaClient on first
property access. The strict check still fires — just at first use, not at
import.

cubic flagged: the subpath export's types entry pointed at ./src/ssl-config.ts,
but the published package's files array only includes dist/. Downstream npm
consumers would get broken type resolution. Workspace consumers were unaffected
because @trycompai/db resolves to source via workspace:*.

Hit /api/_debug-tls on the deployed preview. Reports process.cwd(),
NODE_EXTRA_CA_CERTS value, and existence/size for the env-var path plus
common candidate paths. Delete this commit once the path is confirmed.
@vercel vercel Bot commented May 6, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| comp-framework-editor | Ready | Preview, Comment | May 6, 2026 0:49am |

2 Skipped Deployments

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| app | Skipped | | May 6, 2026 0:49am |
| portal | Skipped | | May 6, 2026 0:49am |


@vercel vercel Bot temporarily deployed to Preview – app May 6, 2026 12:47 Inactive
@vercel vercel Bot temporarily deployed to Preview – portal May 6, 2026 12:47 Inactive
@Marfuen Marfuen merged commit 9d5e2c2 into main May 6, 2026
8 of 10 checks passed
@Marfuen Marfuen deleted the mariano/secure-rds-tls branch May 6, 2026 12:47
Marfuen added a commit that referenced this pull request May 6, 2026
…2767)

After the verified-TLS PR (#2761) merged, two follow-ups didn't make it in:

1. Add 'certs' to packages/db/package.json files array so the RDS CA bundle
   ships with the published @trycompai/db package. Downstream consumers (e.g.
   comp-private/apps/enterprise-api) can then reference the cert at
   node_modules/@trycompai/db/certs/rds-global-bundle.pem instead of
   committing their own copy.
2. Delete the debug-tls routes (apps/app/src/app/api/_debug-tls and
   apps/app/src/app/api/debug-tls) that were merged in via auto-PRs #2762
   and #2763 but never cleaned up. They were temporary verification
   endpoints, since used to confirm the Vercel cert path.
3. Update the deploy checklist with verified-staging notes and the
   downstream consumer pattern.
claudfuen pushed a commit that referenced this pull request May 6, 2026
# [3.44.0](v3.43.1...v3.44.0) (2026-05-06)

### Bug Fixes

* **api:** correct the total number of active members from overview scores ([ed9561f](ed9561f))
* **api:** make submission endpoints accessible as an employee ([3c96a1d](3c96a1d))
* **billing:** surface wallet credits to pentest + bg-check UIs ([05d87d4](05d87d4))
* **treatment-plan:** cap linked-work lists and treatment plan body height ([8a1c46f](8a1c46f)), closes [#36](#36) [#37](#37)
* **treatment-plan:** cap linked-work lists and treatment plan body height ([46d7e83](46d7e83)), closes [#36](#36) [#37](#37)
* **upgrade:** keep self-hosted check on the page to avoid OSS regression ([e42e6ef](e42e6ef))

### Features

* **db:** ship CA bundle with @trycompai/db, clean up debug routes ([#2767](#2767)) ([84da90c](84da90c)), closes [#2761](#2761) [#2762](#2762) [#2763](#2763)
* **integration-platform:** remove code-based jumpcloud, route via DIP ([2ab5b78](2ab5b78))
* **risks:** treatment plan as first-class + vendor AI widening + matrix polish ([1a97746](1a97746)), closes [hi#confidence](https://github.com/hi/issues/confidence) [#2671](#2671) [#2](https://github.com/trycompai/comp/issues/2) [#3](#3) [#9](#9) [#4](#4) [#5](#5) [#7](#7) [#26](#26) [#6](#6) [#1](https://github.com/trycompai/comp/issues/1) [#10](#10) [#36](#36) [#35](#35) [#39](#39) [#37](#37) [#32](#32) [#33](#33) [#34](#34) [#17](#17) [#18](#18) [#19](#19) [#20](#20) [#21](#21) [#22](#22) [#30](#30) [#31](#31) [#29](#29) [#23](#23) [#40](#40) [#28](#28) [#27](#27) [#38](#38) [#24](#24) [#2671](#2671)
* **vendors:** refine inherent risk score after research lands posture data ([#2760](#2760)) ([e999c72](e999c72))
* verified-TLS to RDS from every runtime ([#2761](#2761)) ([2bde7ad](2bde7ad))
@claudfuen claudfuen (Contributor) commented

🎉 This PR is included in version 3.44.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
