feat: verified-TLS to RDS from every runtime#2761
Merged
Conversation
Move SSL-resolution logic into a pure ssl-config.ts module so it can be tested with bun:test (matching strip-ssl-mode.test.ts's pattern) without importing the module-level Prisma client. Drop vitest devDependency. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Extracts SSL config logic into apps/app/prisma/ssl-config.ts and updates the Prisma client to throw at boot when connecting to a non-local database without a verified CA bundle or explicit PRISMA_ALLOW_INSECURE_TLS=1 opt-in. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…pps/app Add `./ssl-config` subpath export to @trycompai/db so apps/app (and upcoming portal/framework-editor) can import the single source of truth instead of maintaining their own copy. Widen the `env` parameter type from `NodeJS.ProcessEnv` to `Partial<NodeJS.ProcessEnv>` (strictly more permissive) to satisfy apps/app's strict TS config. Delete the duplicate apps/app/prisma/ssl-config.ts and its redundant test file. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Ships the RDS CA bundle (packages/db/certs/rds-global-bundle.pem) into Trigger.dev task images at /app/certs/rds-global-bundle.pem and sets NODE_EXTRA_CA_CERTS via the deploy.env layer so Node TLS initialization picks it up before any Prisma connection attempt. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…age dependency
Drop `import { resolveSslConfig } from '@trycompai/db/ssl-config'` from apps/app, apps/portal, and apps/framework-editor and inline the full localhost/CA-bundle/PRISMA_ALLOW_INSECURE_TLS logic directly. Trigger.dev pins @trycompai/db@^2.0.0 from npm which lacks the ./ssl-config subpath, causing indexer crashes at deploy time. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…lity) AWS NLB → RDS Proxy connections fail TLS hostname verification because the NLB hostname (*.elb.amazonaws.com) isn't in the RDS Proxy cert's SAN list. Cert chain verification is preserved — an attacker still cannot present a forged or wrong-CA cert. Only the hostname-string check is relaxed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add outputFileTracingIncludes to apps/app and apps/portal next.config.ts so the rds-global-bundle.pem is included in Vercel's traced file output for each deployed function. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Documents the NODE_EXTRA_CA_CERTS values to set in Vercel (both candidate paths), the Trigger.dev PRISMA_ALLOW_INSECURE_TLS removal commands, and notes that API Docker needs no action. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
next build imports every route handler to analyze it, which previously triggered our strict-TLS throw at module load even though no queries run. Wrap the client in a Proxy that constructs the real PrismaClient on first property access. The strict check still fires — just at first use, not at import.
1 issue found across 17 files
Confidence score: 4/5
- This PR is likely safe to merge, with one moderate packaging issue rather than a runtime blocker (severity 5/10, high confidence).
- In `packages/db/package.json`, the new subpath export's `types` field points to source instead of emitted declarations in `dist`, which can break TypeScript type resolution for consumers after publish.
- Pay close attention to `packages/db/package.json` - ensure the subpath `types` target references the published `dist` declaration file.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="packages/db/package.json">
<violation number="1" location="packages/db/package.json:29">
P2: Point the new subpath export's `types` entry at the emitted declaration file in `dist`; the source file is not published.</violation>
</file>
cubic flagged: the subpath export's types entry pointed at ./src/ssl-config.ts, but the published package's files array only includes dist/. Downstream npm consumers would get broken type resolution. Workspace consumers were unaffected because @trycompai/db resolves to source via workspace:*.
This was referenced May 6, 2026
Marfuen added a commit that referenced this pull request May 6, 2026
…2767) After the verified-TLS PR (#2761) merged, two follow-ups didn't make it in:
1. Add 'certs' to packages/db/package.json files array so the RDS CA bundle ships with the published @trycompai/db package. Downstream consumers (e.g. comp-private/apps/enterprise-api) can then reference the cert at node_modules/@trycompai/db/certs/rds-global-bundle.pem instead of committing their own copy.
2. Delete the debug-tls routes (apps/app/src/app/api/_debug-tls and apps/app/src/app/api/debug-tls) that were merged in via auto-PRs #2762 and #2763 but never cleaned up. They were temporary verification endpoints, since used to confirm the Vercel cert path.
3. Update the deploy checklist with verified-staging notes and the downstream consumer pattern.
claudfuen pushed a commit that referenced this pull request May 6, 2026
# [3.44.0](v3.43.1...v3.44.0) (2026-05-06)
### Bug Fixes
* **api:** correct the total number of active members from overview scores ([ed9561f](ed9561f))
* **api:** make submission endpoints accessible as an employee ([3c96a1d](3c96a1d))
* **billing:** surface wallet credits to pentest + bg-check UIs ([05d87d4](05d87d4))
* **treatment-plan:** cap linked-work lists and treatment plan body height ([8a1c46f](8a1c46f)), closes [#36](#36) [#37](#37)
* **treatment-plan:** cap linked-work lists and treatment plan body height ([46d7e83](46d7e83)), closes [#36](#36) [#37](#37)
* **upgrade:** keep self-hosted check on the page to avoid OSS regression ([e42e6ef](e42e6ef))
### Features
* **db:** ship CA bundle with @trycompai/db, clean up debug routes ([#2767](#2767)) ([84da90c](84da90c)), closes [#2761](#2761) [#2762](#2762) [#2763](#2763)
* **integration-platform:** remove code-based jumpcloud, route via DIP ([2ab5b78](2ab5b78))
* **risks:** treatment plan as first-class + vendor AI widening + matrix polish ([1a97746](1a97746)), closes [hi#confidence](https://github.com/hi/issues/confidence) [#2671](#2671) [#2](https://github.com/trycompai/comp/issues/2) [#3](#3) [#9](#9) [#4](#4) [#5](#5) [#7](#7) [#26](#26) [#6](#6) [#1](https://github.com/trycompai/comp/issues/1) [#10](#10) [#36](#36) [#35](#35) [#39](#39) [#37](#37) [#32](#32) [#33](#33) [#34](#34) [#17](#17) [#18](#18) [#19](#19) [#20](#20) [#21](#21) [#22](#22) [#30](#30) [#31](#31) [#29](#29) [#23](#23) [#40](#40) [#28](#28) [#27](#27) [#38](#38) [#24](#24) [#2671](#2671)
* **vendors:** refine inherent risk score after research lands posture data ([#2760](#2760)) ([e999c72](e999c72))
* verified-TLS to RDS from every runtime ([#2761](#2761)) ([2bde7ad](2bde7ad))
🎉 This PR is included in version 3.44.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Summary
Make every Postgres connection from this monorepo use verified TLS to RDS — closes the silent-MITM exposure that came from `rejectUnauthorized: false` defaults.
- `truststore.pki.rds.amazonaws.com`, ~165KB, safe to publish — same trust model as Mozilla shipping the trusted-root list)
- `prisma/client.ts`; shared `resolveSslConfig` helper in `packages/db` for that package's tests
- `caBundleExtension` ships the cert into the deploy bundle and registers `NODE_EXTRA_CA_CERTS` via `addLayer({ deploy: { env } })` — verified end-to-end with `--local-build`
- `outputFileTracingIncludes` in `next.config.ts` for app + portal so the cert is bundled into the deployed function
Why this is safer
Before: any non-localhost connection silently used `{ rejectUnauthorized: false }`. Encrypted but unauthenticated — an attacker with on-path access could MITM with any cert.
After:
Pre-merge required (post-deploy actions in the checklist)
See `docs/plans/secure-rds-tls-deploy-checklist.md`:
- `NODE_EXTRA_CA_CERTS=/var/task/packages/db/certs/rds-global-bundle.pem` on each project. If a preview throws "Refusing to connect" or "ENOENT", swap to `/vercel/path0/...`.
Verification done
- `packages/db` tests: 8/8 pass (covers strict throw + chain-only + insecure opt-in + localhost branches)
- `apps/api/Dockerfile.multistage` build: image inspected, `NODE_EXTRA_CA_CERTS=/usr/local/share/aws-rds-ca-bundle.pem`, file present (165408 bytes)
- `--local-build` for both api and app projects: extension copies cert into bundle, env var registered in manifest. App project actually deployed to staging during verification (20260506.5, deployment `izoen4nv`) — the hostname-fix is live there
Test plan
- `Hostname/IP does not match certificate's altnames` error should be gone
- `apps/app` and `apps/portal` with `NODE_EXTRA_CA_CERTS` set — boot logs should not contain "Refusing to connect"
- `PRISMA_ALLOW_INSECURE_TLS=1` from Trigger.dev environments and confirm tasks still run
🤖 Generated with Claude Code
Summary by cubic
Enforces verified TLS for all Postgres connections to RDS across every runtime, with lazy-initialized Prisma clients so Next.js builds don't throw. Also fixes `@trycompai/db/ssl-config` types to point to `dist` for npm consumers.
New Features
- `apps/api`, `apps/app`, `apps/portal`, and `apps/framework-editor`. Non-local connects require `NODE_EXTRA_CA_CERTS` or an explicit `PRISMA_ALLOW_INSECURE_TLS=1` opt-in. Hostname check is skipped for AWS NLB; chain verification stays enforced. Clients are lazy-initialized to avoid throwing during `next build`.
- `packages/db/certs/rds-global-bundle.pem`. Bundled in Next.js via `outputFileTracingIncludes` and in Trigger.dev via a `caBundleExtension` that copies the cert and sets `NODE_EXTRA_CA_CERTS`.
- `resolveSslConfig` in `@trycompai/db` with tests.
Migration
- `apps/app`, `apps/portal`): set `NODE_EXTRA_CA_CERTS` to `/var/task/packages/db/certs/rds-global-bundle.pem` or `/vercel/path0/packages/db/certs/rds-global-bundle.pem`.
- `api`, `app`): the extension ships the cert and sets the env var; after verifying runs, remove `PRISMA_ALLOW_INSECURE_TLS`.
Written for commit 60a4452. Summary will update on new commits.