Merged
17 commits
e577b94
chore(db): commit AWS RDS global CA bundle for verified TLS
Marfuen May 6, 2026
dabc3cc
feat(db): strict TLS gating in shared prisma client
Marfuen May 6, 2026
ad1e07f
refactor(db): extract resolveSslConfig and use bun:test for consistency
Marfuen May 6, 2026
4259bc3
feat(app): strict TLS gating in app prisma client
Marfuen May 6, 2026
641fc4b
refactor(db): expose resolveSslConfig via subpath export; dedupe in a…
Marfuen May 6, 2026
4c5d75b
feat(portal): strict TLS gating in prisma client
Marfuen May 6, 2026
6db369c
feat(framework-editor): strict TLS gating in prisma client
Marfuen May 6, 2026
1a8557d
feat(trigger): add caBundleExtension for verified-TLS Postgres
Marfuen May 6, 2026
23db526
fix(prisma): inline TLS gating in app clients to avoid published-pack…
Marfuen May 6, 2026
ca3b0f5
fix(prisma): skip hostname check when CA bundle is set (NLB compatibi…
Marfuen May 6, 2026
7558777
feat(vercel): bundle RDS CA cert with Next.js apps for verified TLS
Marfuen May 6, 2026
00e0a3f
docs: deploy checklist for verified-TLS env vars
Marfuen May 6, 2026
55dd766
fix(prisma): lazy-init client to prevent TLS throw during Next.js build
Marfuen May 6, 2026
60a4452
fix(db): point ssl-config types at dist (src/ is not published)
Marfuen May 6, 2026
31f8e1a
chore: temporary debug endpoint to verify Vercel cert path
Marfuen May 6, 2026
74bde8b
chore: rename debug-tls route (avoid Next.js private-folder rule)
Marfuen May 6, 2026
c6bcabe
Merge branch 'main' into mariano/secure-rds-tls
Marfuen May 6, 2026
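--- a/apps/app/src/app/api/debug-tls/route.ts
+++ b/apps/app/src/app/api/debug-tls/route.ts
@@ -0,0 +1,35 @@
+import { existsSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+
+export const dynamic = 'force-dynamic';
+export const runtime = 'nodejs';
+
+export async function GET() {
+const envVar = process.env.NODE_EXTRA_CA_CERTS;
+const candidates = [
+envVar,
+'/var/task/packages/db/certs/rds-global-bundle.pem',
+'/vercel/path0/packages/db/certs/rds-global-bundle.pem',
+join(process.cwd(), 'packages/db/certs/rds-global-bundle.pem'),
+join(process.cwd(), '../../packages/db/certs/rds-global-bundle.pem'),
+].filter((p): p is string => Boolean(p));
+
+const probes = candidates.map((p) => {
+try {
+const exists = existsSync(p);
+const size = exists ? statSync(p).size : null;
+return { path: p, exists, size };
+} catch (e) {
+return { path: p, exists: false, error: (e as Error).message };
+}
+});
+
+return Response.json({
+cwd: process.cwd(),
+nodeExtraCaCerts: envVar ?? null,
+prismaAllowInsecureTls: process.env.PRISMA_ALLOW_INSECURE_TLS ?? null,
+probes,
+nodeVersion: process.version,
+platform: process.platform,
+});
+}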
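Review bot: The `GET` handler has no authentication or environment check of its own, so unless middleware outside this file guards `/api/debug-tls`, any caller receives the working directory, the raw `NODE_EXTRA_CA_CERTS` path, the value of `PRISMA_ALLOW_INSECURE_TLS`, absolute filesystem paths with existence and size, raw `statSync` error messages, and the Node version and platform. That tells an unauthenticated reader whether database TLS verification is switched off and how the deployment is laid out on disk. Since the commit describes the route as temporary, I would gate it as the first statement of `GET`, for example `if (process.env.VERCEL_ENV === 'production') return new Response(null, { status: 404 });`, or require a shared-secret header compared in constant time. I would also return booleans such as `caBundleFound` and `insecureTlsAllowed` instead of raw paths, env values and `e.message`, and add a header comment like `// TEMPORARY: remove once the Vercel cert path is verified` so the route does not outlive its purpose.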