From 64cb431ecbefb8d3aaafaa157bad6a4db8a81d5a Mon Sep 17 00:00:00 2001
From: Mariano
Date: Wed, 6 May 2026 15:25:15 +0100
Subject: [PATCH] feat(db): ship CA bundle with @trycompai/db, clean up debug routes

After the verified-TLS PR (#2761) merged, two follow-ups didn't make it in:

1. Add 'certs' to packages/db/package.json files array so the RDS CA bundle ships with the published @trycompai/db package. Downstream consumers (e.g. comp-private/apps/enterprise-api) can then reference the cert at node_modules/@trycompai/db/certs/rds-global-bundle.pem instead of committing their own copy.

2. Delete the debug-tls routes (apps/app/src/app/api/_debug-tls and apps/app/src/app/api/debug-tls) that were merged in via auto-PRs #2762 and #2763 but never cleaned up. They were temporary verification endpoints, since used to confirm the Vercel cert path.

3. Update the deploy checklist with verified-staging notes and the downstream consumer pattern.
---
 apps/app/src/app/api/_debug-tls/route.ts | 35 ----------------
 apps/app/src/app/api/debug-tls/route.ts | 35 ----------------
 docs/plans/secure-rds-tls-deploy-checklist.md | 38 +++++++++++++------
 packages/db/package.json | 1 +
 4 files changed, 27 insertions(+), 82 deletions(-)
 delete mode 100644 apps/app/src/app/api/_debug-tls/route.ts
 delete mode 100644 apps/app/src/app/api/debug-tls/route.ts

diff --git a/apps/app/src/app/api/_debug-tls/route.ts b/apps/app/src/app/api/_debug-tls/route.ts
deleted file mode 100644
index fc22f7d18f..0000000000
--- a/apps/app/src/app/api/_debug-tls/route.ts
+++ /dev/null
@@ -1,35 +0,0 @@
-import { existsSync, statSync } from 'node:fs';
-import { join } from 'node:path';
-
-export const dynamic = 'force-dynamic';
-export const runtime = 'nodejs';
-
-export async function GET() {
- const envVar = process.env.NODE_EXTRA_CA_CERTS;
- const candidates = [
- envVar,
- '/var/task/packages/db/certs/rds-global-bundle.pem',
- '/vercel/path0/packages/db/certs/rds-global-bundle.pem',
- join(process.cwd(), 'packages/db/certs/rds-global-bundle.pem'),
- join(process.cwd(), '../../packages/db/certs/rds-global-bundle.pem'),
- ].filter((p): p is string => Boolean(p));
-
- const probes = candidates.map((p) => {
- try {
- const exists = existsSync(p);
- const size = exists ? statSync(p).size : null;
- return { path: p, exists, size };
- } catch (e) {
- return { path: p, exists: false, error: (e as Error).message };
- }
- });
-
- return Response.json({
- cwd: process.cwd(),
- nodeExtraCaCerts: envVar ?? null,
- prismaAllowInsecureTls: process.env.PRISMA_ALLOW_INSECURE_TLS ?? null,
- probes,
- nodeVersion: process.version,
- platform: process.platform,
- });
-}
diff --git a/apps/app/src/app/api/debug-tls/route.ts b/apps/app/src/app/api/debug-tls/route.ts
deleted file mode 100644
index fc22f7d18f..0000000000
--- a/apps/app/src/app/api/debug-tls/route.ts
+++ /dev/null
@@ -1,35 +0,0 @@
-import { existsSync, statSync } from 'node:fs';
-import { join } from 'node:path';
-
-export const dynamic = 'force-dynamic';
-export const runtime = 'nodejs';
-
-export async function GET() {
- const envVar = process.env.NODE_EXTRA_CA_CERTS;
- const candidates = [
- envVar,
- '/var/task/packages/db/certs/rds-global-bundle.pem',
- '/vercel/path0/packages/db/certs/rds-global-bundle.pem',
- join(process.cwd(), 'packages/db/certs/rds-global-bundle.pem'),
- join(process.cwd(), '../../packages/db/certs/rds-global-bundle.pem'),
- ].filter((p): p is string => Boolean(p));
-
- const probes = candidates.map((p) => {
- try {
- const exists = existsSync(p);
- const size = exists ? statSync(p).size : null;
- return { path: p, exists, size };
- } catch (e) {
- return { path: p, exists: false, error: (e as Error).message };
- }
- });
-
- return Response.json({
- cwd: process.cwd(),
- nodeExtraCaCerts: envVar ?? null,
- prismaAllowInsecureTls: process.env.PRISMA_ALLOW_INSECURE_TLS ?? null,
- probes,
- nodeVersion: process.version,
- platform: process.platform,
- });
-}
diff --git a/docs/plans/secure-rds-tls-deploy-checklist.md b/docs/plans/secure-rds-tls-deploy-checklist.md
index 9853f2b3cb..5ac7e9240c 100644
--- a/docs/plans/secure-rds-tls-deploy-checklist.md
+++ b/docs/plans/secure-rds-tls-deploy-checklist.md
@@ -4,23 +4,37 @@ After merging the secure-rds-tls PR, the following env vars must be set per envi

 ## Vercel (apps/app and apps/portal)

-Set on each Vercel project, all environments (preview + production):
+Set on each Vercel project, all environments (Production + Preview + Development):

 ```
 NODE_EXTRA_CA_CERTS=/var/task/packages/db/certs/rds-global-bundle.pem
 ```

-The cert is bundled into the deployed function via `outputFileTracingIncludes` in `next.config.ts`.
-At Vercel runtime the function CWD is conventionally `/var/task`, so the path above is the first
-candidate. If a preview deploy crashes with "Refusing to connect" or "ENOENT", the runtime cwd
-isn't `/var/task` — try instead:
-
-```
-NODE_EXTRA_CA_CERTS=/vercel/path0/packages/db/certs/rds-global-bundle.pem
-```
-
-Both paths can be tested with a preview deploy. The wrong one produces an ENOENT error at boot;
-the right one succeeds silently.
+Verified on staging (apps/app): `process.cwd()` is `/var/task/apps/app`, the cert is traced
+into the deploy at `/var/task/packages/db/certs/rds-global-bundle.pem` (165408 bytes), and
+`/api/health` succeeds end-to-end. The cert is bundled via `outputFileTracingIncludes` in
+each app's `next.config.ts`.
+
+## Downstream consumers (comp-private/apps/enterprise-api, etc.)
+
+The CA bundle now ships with the published `@trycompai/db` package (added to the `files` array
+in this PR). After the next `@trycompai/db` publish, downstream consumers can ship the cert with
+their own Vercel/Docker/Trigger.dev builds without committing a copy.
+
+For Vercel-deployed apps that install `@trycompai/db` from npm:
+
+1. Bump the dependency to the version that includes `certs/`.
+2. Add `outputFileTracingIncludes` to `next.config.{ts,mjs}`:
+ ```ts
+ outputFileTracingIncludes: {
+ '/**/*': ['./node_modules/@trycompai/db/certs/rds-global-bundle.pem'],
+ },
+ ```
+3. Set the Vercel env var:
+ ```
+ NODE_EXTRA_CA_CERTS=/var/task/node_modules/@trycompai/db/certs/rds-global-bundle.pem
+ ```
+4. Apply the same strict-TLS Prisma client logic (or import a shared helper from `@trycompai/db`).

 ## Trigger.dev (api and app projects, staging + prod)

diff --git a/packages/db/package.json b/packages/db/package.json
index 09672d40c8..3aae3c16f9 100644
--- a/packages/db/package.json
+++ b/packages/db/package.json
@@ -36,6 +36,7 @@
 },
 "files": [
 "dist",
+ "certs",
 "README.md",
 "INTEGRATION_GUIDE.md"
 ],
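Review bot: `"certs"` publishes the whole directory, but the only file anything on this page references is `certs/rds-global-bundle.pem` (the checklist and the deleted debug routes both name exactly that path); listing it explicitly, `"certs/rds-global-bundle.pem",`, keeps any other file that later lands under `certs/` out of the published tarball. Because downstream consumers are being told to use this copy as their TLS trust anchor, it would also help to record in the shipped README where the bundle was obtained and when, so a consumer can tell whether it is stale and needs refreshing. Only the `files` array is visible in the hunk; the rest of package.json is outside it.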