feat(safegres): pure-Postgres RLS auditor package

Pure-PostgreSQL Row-Level-Security auditor with zero application
dependencies. Re-exports the node-type-registry Authz*/Data*/Relation*
type definitions so consumers writing auditors on top of Constructive's
type system can stay on a single dependency.

Detects:
- A1: RLS enabled but no policies (deny-all)
- A2: grants on tables with RLS disabled
- A3: RLS enabled but FORCE not set (owner bypass)
- A4: write grants without covering policy
- A5: read grants without covering policy
- A6: UPDATE coverage missing WITH CHECK
- A7: trivially-permissive policy (USING (true))
- P1: volatile function in policy body
- P5: session_user / pg_has_role gating

Coverage is aggregated per (table, role) across applicable permissive
policies (FOR ALL, PUBLIC role considered). BYPASSRLS roles suppressed.

Adds graphql/safegres to the run-tests CI matrix.

Author: pyramation

.github/workflows/run-tests.yaml

@@ -87,6 +87,8 @@ jobs:
             env: {}
           - package: graphql/playwright-test
             env: {}
+          - package: graphql/safegres
+            env: {}
           # - package: jobs/knative-job-worker
           #   env: {}
           - package: packages/csv-to-pg

graphql/safegres/README.md

@@ -0,0 +1,53 @@
+# safegres
+
+Pure-PostgreSQL Row-Level-Security auditor. Zero application dependencies — drop it on any Postgres database and get a structured report of grants, RLS flags, policy coverage, and AST-level anti-patterns.
+
+```bash
+npm install -g safegres
+safegres pg --connection postgresql://localhost/mydb
+```
+
+## What it checks
+
+| Code | Severity | Category | Check |
+| --- | --- | --- | --- |
+| A1 | critical | flags | RLS enabled but **0 policies** (effectively deny-all) |
+| A2 | high | flags | Grants exist on a table with **RLS disabled** |
+| A3 | medium | flags | RLS enabled but **`FORCE ROW LEVEL SECURITY` not set** (table owner bypass) |
+| A4 | high | coverage | INSERT / UPDATE / DELETE grant with **no covering policy** for that verb |
+| A5 | medium | coverage | SELECT grant with **no policy** (silent empty result) |
+| A6 | info | coverage | UPDATE has `USING` but **no `WITH CHECK`** (row-smuggling surface) |
+| A7 | high | anti-pattern | Trivially-permissive policy (`USING (true)` / `WITH CHECK (true)`) |
+| P1 | high | anti-pattern | Policy body calls a **VOLATILE function** (per-row evaluation) |
+| P5 | high | anti-pattern | Policy body references **`session_user`** / `current_user` / `pg_has_role(...)` |
+
+Coverage is aggregated `(table, role) → { hasUsing, hasWithCheck }` across every applicable permissive policy (FOR ALL + PUBLIC-role policies considered). Roles with `BYPASSRLS` are suppressed.
+
+## Library use
+
+```ts
+import { Client } from 'pg';
+import { auditPg, renderPretty } from 'safegres';
+
+const client = new Client({ connectionString: process.env.DATABASE_URL });
+await client.connect();
+
+const report = await auditPg(client, {
+  excludeSchemas: ['my_private_schema']
+});
+
+console.log(renderPretty(report));
+console.log(`${report.findings.length} findings`);
+```
+
+## Authz* type re-exports
+
+`safegres` re-exports the [`node-type-registry`](../node-type-registry) Authz* / Data* / Relation* / View* type registry so consumers building auditors on top of Constructive's type system can stay on a single dependency:
+
+```ts
+import { AuthzDirectOwner, type NodeTypeDefinition } from 'safegres';
+```
+
+## License
+
+MIT.

graphql/safegres/__tests__/fixtures/a1-rls-enabled-no-policies.sql

@@ -0,0 +1,11 @@
+-- A1 seed: RLS enabled on a table with zero policies.
+-- Expected finding: A1 (critical)
+
+CREATE SCHEMA IF NOT EXISTS fx_a1;
+
+CREATE TABLE fx_a1.posts (
+  id bigserial PRIMARY KEY,
+  body text
+);
+
+ALTER TABLE fx_a1.posts ENABLE ROW LEVEL SECURITY;

graphql/safegres/__tests__/fixtures/a2-grants-no-rls.sql

@@ -0,0 +1,18 @@
+-- A2 seed: grants to a non-owner role on a table with RLS disabled.
+-- Expected finding: A2 (high)
+
+CREATE SCHEMA IF NOT EXISTS fx_a2;
+
+DO $$ BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'fx_a2_reader') THEN
+    CREATE ROLE fx_a2_reader NOLOGIN;
+  END IF;
+END $$;
+
+CREATE TABLE fx_a2.widgets (
+  id bigserial PRIMARY KEY,
+  body text
+);
+
+GRANT SELECT, INSERT ON fx_a2.widgets TO fx_a2_reader;
+-- RLS intentionally NOT enabled.

graphql/safegres/__tests__/fixtures/a3-rls-not-forced.sql

@@ -0,0 +1,15 @@
+-- A3 seed: RLS enabled but not FORCE'd, with at least one policy so A1 doesn't trigger.
+-- Expected finding: A3 (medium)
+
+CREATE SCHEMA IF NOT EXISTS fx_a3;
+
+CREATE TABLE fx_a3.notes (
+  id bigserial PRIMARY KEY,
+  body text,
+  owner_id uuid
+);
+
+ALTER TABLE fx_a3.notes ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY notes_select ON fx_a3.notes
+  FOR SELECT USING (true);

graphql/safegres/__tests__/fixtures/a4-insert-grant-no-policy.sql

@@ -0,0 +1,25 @@
+-- A4 seed: INSERT grant to a role, but only a SELECT policy exists for that role.
+-- Expected findings: A4 (high), and the INSERT will fail at runtime.
+
+CREATE SCHEMA IF NOT EXISTS fx_a4;
+
+DO $$ BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'fx_a4_writer') THEN
+    CREATE ROLE fx_a4_writer NOLOGIN;
+  END IF;
+END $$;
+
+CREATE TABLE fx_a4.events (
+  id bigserial PRIMARY KEY,
+  body text,
+  owner_id uuid
+);
+
+ALTER TABLE fx_a4.events ENABLE ROW LEVEL SECURITY;
+
+GRANT SELECT, INSERT ON fx_a4.events TO fx_a4_writer;
+
+CREATE POLICY events_select ON fx_a4.events
+  FOR SELECT TO fx_a4_writer
+  USING (true);
+-- No INSERT policy for fx_a4_writer.

graphql/safegres/__tests__/fixtures/a6-update-no-with-check.sql

@@ -0,0 +1,28 @@
+-- A6 seed: UPDATE policy with USING but no WITH CHECK.
+-- Expected finding: A6 (high)
+
+CREATE SCHEMA IF NOT EXISTS fx_a6;
+
+DO $$ BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'fx_a6_editor') THEN
+    CREATE ROLE fx_a6_editor NOLOGIN;
+  END IF;
+END $$;
+
+CREATE TABLE fx_a6.docs (
+  id bigserial PRIMARY KEY,
+  owner_id uuid NOT NULL,
+  body text
+);
+
+ALTER TABLE fx_a6.docs ENABLE ROW LEVEL SECURITY;
+
+GRANT SELECT, UPDATE ON fx_a6.docs TO fx_a6_editor;
+
+CREATE POLICY docs_update ON fx_a6.docs
+  FOR UPDATE TO fx_a6_editor
+  USING (true);
+-- missing WITH CHECK — rows can be moved out of the visible set.
+
+CREATE POLICY docs_select ON fx_a6.docs
+  FOR SELECT TO fx_a6_editor USING (true);

graphql/safegres/__tests__/fixtures/a7-trivially-permissive.sql

@@ -0,0 +1,24 @@
+-- A7 seed: permissive policy whose body is the literal `true` —
+-- effectively "RLS enabled, nothing gated" ⇒ fail-open.
+-- Expected finding: A7 (high)
+
+CREATE SCHEMA IF NOT EXISTS fx_a7;
+
+DO $$ BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'fx_a7_reader') THEN
+    CREATE ROLE fx_a7_reader;
+  END IF;
+END $$;
+
+CREATE TABLE fx_a7.posts (
+  id bigserial PRIMARY KEY,
+  body text
+);
+
+ALTER TABLE fx_a7.posts ENABLE ROW LEVEL SECURITY;
+ALTER TABLE fx_a7.posts FORCE ROW LEVEL SECURITY;
+
+CREATE POLICY fx_a7_open ON fx_a7.posts FOR SELECT TO fx_a7_reader USING (true);
+
+GRANT USAGE ON SCHEMA fx_a7 TO fx_a7_reader;
+GRANT SELECT ON fx_a7.posts TO fx_a7_reader;

graphql/safegres/__tests__/fixtures/clean-table.sql

@@ -0,0 +1,35 @@
+-- Baseline: correctly-configured table with RLS + FORCE + grants covered by
+-- non-trivial policies.
+-- Expected findings: none.
+
+CREATE SCHEMA IF NOT EXISTS fx_clean;
+
+DO $$ BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'fx_clean_user') THEN
+    CREATE ROLE fx_clean_user NOLOGIN;
+  END IF;
+END $$;
+
+CREATE TABLE fx_clean.items (
+  id bigserial PRIMARY KEY,
+  owner_id uuid NOT NULL,
+  body text
+);
+
+ALTER TABLE fx_clean.items ENABLE ROW LEVEL SECURITY;
+ALTER TABLE fx_clean.items FORCE ROW LEVEL SECURITY;
+
+GRANT SELECT, INSERT, UPDATE ON fx_clean.items TO fx_clean_user;
+
+-- Non-trivial policies gated on the row owner column.
+CREATE POLICY items_select ON fx_clean.items
+  FOR SELECT TO fx_clean_user
+  USING (owner_id IS NOT NULL);
+
+CREATE POLICY items_insert ON fx_clean.items
+  FOR INSERT TO fx_clean_user
+  WITH CHECK (owner_id IS NOT NULL);
+
+CREATE POLICY items_update ON fx_clean.items
+  FOR UPDATE TO fx_clean_user
+  USING (owner_id IS NOT NULL) WITH CHECK (owner_id IS NOT NULL);

graphql/safegres/__tests__/fixtures/p1-volatile-func.sql

@@ -0,0 +1,27 @@
+-- P1 seed: policy references a user-defined VOLATILE function.
+-- Expected finding: P1 (high) — per-row evaluation.
+
+CREATE SCHEMA IF NOT EXISTS fx_p1;
+
+DO $$ BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'fx_p1_user') THEN
+    CREATE ROLE fx_p1_user NOLOGIN;
+  END IF;
+END $$;
+
+CREATE FUNCTION fx_p1.slow_auth_lookup() RETURNS uuid
+LANGUAGE sql
+VOLATILE
+AS $$ SELECT gen_random_uuid() $$;
+
+CREATE TABLE fx_p1.records (
+  id bigserial PRIMARY KEY,
+  owner_id uuid
+);
+
+ALTER TABLE fx_p1.records ENABLE ROW LEVEL SECURITY;
+GRANT SELECT ON fx_p1.records TO fx_p1_user;
+
+CREATE POLICY records_select ON fx_p1.records
+  FOR SELECT TO fx_p1_user
+  USING (owner_id = fx_p1.slow_auth_lookup());