feat: verified-TLS to RDS from every runtime (#2761)

* chore(db): commit AWS RDS global CA bundle for verified TLS

* feat(db): strict TLS gating in shared prisma client

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(db): extract resolveSslConfig and use bun:test for consistency

Move SSL-resolution logic into a pure ssl-config.ts module so it can be
tested with bun:test (matching strip-ssl-mode.test.ts's pattern) without
importing the module-level Prisma client. Drop vitest devDependency.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(app): strict TLS gating in app prisma client

Extracts SSL config logic into apps/app/prisma/ssl-config.ts and
updates the Prisma client to throw at boot when connecting to a
non-local database without a verified CA bundle or explicit
PRISMA_ALLOW_INSECURE_TLS=1 opt-in.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(db): expose resolveSslConfig via subpath export; dedupe in apps/app

Add `./ssl-config` subpath export to @trycompai/db so apps/app (and
upcoming portal/framework-editor) can import the single source of truth
instead of maintaining their own copy. Widen the `env` parameter type
from `NodeJS.ProcessEnv` to `Partial<NodeJS.ProcessEnv>` (strictly more
permissive) to satisfy apps/app's strict TS config. Delete the duplicate
apps/app/prisma/ssl-config.ts and its redundant test file.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(portal): strict TLS gating in prisma client

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(framework-editor): strict TLS gating in prisma client

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(trigger): add caBundleExtension for verified-TLS Postgres

Ships the RDS CA bundle (packages/db/certs/rds-global-bundle.pem) into
Trigger.dev task images at /app/certs/rds-global-bundle.pem and sets
NODE_EXTRA_CA_CERTS via the deploy.env layer so Node TLS initialization
picks it up before any Prisma connection attempt.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(prisma): inline TLS gating in app clients to avoid published-package dependency

Drop `import { resolveSslConfig } from '@trycompai/db/ssl-config'` from
apps/app, apps/portal, and apps/framework-editor and inline the full
localhost/CA-bundle/PRISMA_ALLOW_INSECURE_TLS logic directly.
Trigger.dev pins @trycompai/db@^2.0.0 from npm which lacks the
./ssl-config subpath, causing indexer crashes at deploy time.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(prisma): skip hostname check when CA bundle is set (NLB compatibility)

AWS NLB → RDS Proxy connections fail TLS hostname verification because the
NLB hostname (*.elb.amazonaws.com) isn't in the RDS Proxy cert's SAN list.
Cert chain verification is preserved — an attacker still cannot present a
forged or wrong-CA cert. Only the hostname-string check is relaxed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(vercel): bundle RDS CA cert with Next.js apps for verified TLS

Add outputFileTracingIncludes to apps/app and apps/portal next.config.ts
so the rds-global-bundle.pem is included in Vercel's traced file output
for each deployed function.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs: deploy checklist for verified-TLS env vars

Documents the NODE_EXTRA_CA_CERTS values to set in Vercel (both candidate
paths), the Trigger.dev PRISMA_ALLOW_INSECURE_TLS removal commands, and
notes that API Docker needs no action.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(prisma): lazy-init client to prevent TLS throw during Next.js build

next build imports every route handler to analyze it, which previously
triggered our strict-TLS throw at module load even though no queries run.
Wrap the client in a Proxy that constructs the real PrismaClient on first
property access. The strict check still fires — just at first use, not at
import.

* fix(db): point ssl-config types at dist (src/ is not published)

cubic flagged: the subpath export's types entry pointed at ./src/ssl-config.ts,
but the published package's files array only includes dist/. Downstream npm
consumers would get broken type resolution. Workspace consumers were unaffected
because @trycompai/db resolves to source via workspace:*.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Marfuen

apps/api/caBundleExtension.ts

@@ -0,0 +1,50 @@
+import type { BuildContext, BuildExtension, BuildManifest } from '@trigger.dev/build';
+import { existsSync } from 'node:fs';
+import { cp, mkdir } from 'node:fs/promises';
+import { dirname, join, resolve } from 'node:path';
+
+// Path relative to the monorepo root (apps/api or apps/app → ../../packages/db/certs/...)
+const BUNDLE_RELATIVE_FROM_APP = '../../packages/db/certs/rds-global-bundle.pem';
+const BUNDLE_DEST_REL = 'certs/rds-global-bundle.pem';
+
+function findBundleSrc(workingDir: string): string | undefined {
+  // Walk up from workingDir to find the cert — handles both normal checkouts and git worktrees
+  // where workspaceDir points to the main worktree root (wrong for us).
+  const candidates = [
+    resolve(workingDir, BUNDLE_RELATIVE_FROM_APP),
+    resolve(workingDir, '../packages/db/certs/rds-global-bundle.pem'),
+    resolve(workingDir, 'packages/db/certs/rds-global-bundle.pem'),
+  ];
+
+  return candidates.find((c) => existsSync(c));
+}
+
+export function caBundleExtension(): BuildExtension {
+  return {
+    name: 'CABundleExtension',
+    onBuildStart: (context) => {
+      // Real OS env var at task spawn time — verified flow:
+      //   addLayer.deploy.env → manifest.deploy.sync.env → syncEnvVarsWithServer →
+      //   taskRunProcessProvider injects into worker env before Node TLS init.
+      context.addLayer({
+        id: 'ca-bundle-env',
+        deploy: {
+          env: { NODE_EXTRA_CA_CERTS: `/app/${BUNDLE_DEST_REL}` },
+          override: true,
+        },
+      });
+    },
+    onBuildComplete: async (context: BuildContext, manifest: BuildManifest) => {
+      const src = findBundleSrc(context.workingDir);
+      if (!src) {
+        throw new Error(
+          `CABundleExtension: rds-global-bundle.pem not found. Searched relative to ${context.workingDir}`,
+        );
+      }
+      const dest = join(manifest.outputPath, BUNDLE_DEST_REL);
+      await mkdir(dirname(dest), { recursive: true });
+      await cp(src, dest);
+      context.logger.log(`Copied RDS CA bundle to ${BUNDLE_DEST_REL}`);
+    },
+  };
+}

apps/api/prisma/client.ts

@@ -1,7 +1,7 @@
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-const globalForPrisma = global as unknown as { prisma: PrismaClient };
+const globalForPrisma = global as unknown as { prisma?: PrismaClient };
 
 const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
 
@@ -40,11 +40,18 @@ function createPrismaClient(): PrismaClient {
   //   silently downgrading.
   const hasCABundle = !!process.env.NODE_EXTRA_CA_CERTS;
   const allowInsecure = process.env.PRISMA_ALLOW_INSECURE_TLS === '1';
-  let ssl: undefined | true | { rejectUnauthorized: false };
+  let ssl:
+    | undefined
+    | { checkServerIdentity: () => undefined }
+    | { rejectUnauthorized: false };
   if (isLocalhost) {
     ssl = undefined;
   } else if (hasCABundle) {
-    ssl = true;
+    // Verified TLS: rely on Node's TLS context (NODE_EXTRA_CA_CERTS adds the AWS
+    // RDS CA to the trust store). Skip hostname check because connections may
+    // traverse an AWS NLB whose hostname isn't in the RDS Proxy cert's SAN list.
+    // The chain check still rejects forged or wrong-CA certs.
+    ssl = { checkServerIdentity: () => undefined };
   } else if (allowInsecure) {
     ssl = { rejectUnauthorized: false };
   } else {
@@ -63,6 +70,21 @@ function createPrismaClient(): PrismaClient {
   });
 }
 
-export const db = globalForPrisma.prisma || createPrismaClient();
+// Lazy initialization. Importing this module does NOT construct a Prisma client
+// — that only happens on first property access on `db`. Critical so that
+// Next.js `next build` (which imports every route handler to analyze it) does
+// not trigger the strict TLS check at build time when no actual queries run.
+function getClient(): PrismaClient {
+  if (!globalForPrisma.prisma) {
+    globalForPrisma.prisma = createPrismaClient();
+  }
+  return globalForPrisma.prisma;
+}
 
-if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = db;
+export const db = new Proxy({} as PrismaClient, {
+  get(_target, prop, _receiver) {
+    const client = getClient();
+    const value = Reflect.get(client, prop, client);
+    return typeof value === 'function' ? value.bind(client) : value;
+  },
+});

apps/api/trigger.config.ts

@@ -1,4 +1,5 @@
 import { defineConfig } from '@trigger.dev/sdk';
+import { caBundleExtension } from './caBundleExtension';
 import { prismaExtension } from './customPrismaExtension';
 import { emailExtension } from './emailExtension';
 import { integrationPlatformExtension } from './integrationPlatformExtension';
@@ -10,6 +11,7 @@ export default defineConfig({
   maxDuration: 300, // 5 minutes
   build: {
     extensions: [
+      caBundleExtension(),
       prismaExtension({
         version: '7.6.0',
         dbPackageVersion: '^2.0.0',

apps/app/caBundleExtension.ts

@@ -0,0 +1,50 @@
+import type { BuildContext, BuildExtension, BuildManifest } from '@trigger.dev/build';
+import { existsSync } from 'node:fs';
+import { cp, mkdir } from 'node:fs/promises';
+import { dirname, join, resolve } from 'node:path';
+
+// Path relative to the monorepo root (apps/api or apps/app → ../../packages/db/certs/...)
+const BUNDLE_RELATIVE_FROM_APP = '../../packages/db/certs/rds-global-bundle.pem';
+const BUNDLE_DEST_REL = 'certs/rds-global-bundle.pem';
+
+function findBundleSrc(workingDir: string): string | undefined {
+  // Walk up from workingDir to find the cert — handles both normal checkouts and git worktrees
+  // where workspaceDir points to the main worktree root (wrong for us).
+  const candidates = [
+    resolve(workingDir, BUNDLE_RELATIVE_FROM_APP),
+    resolve(workingDir, '../packages/db/certs/rds-global-bundle.pem'),
+    resolve(workingDir, 'packages/db/certs/rds-global-bundle.pem'),
+  ];
+
+  return candidates.find((c) => existsSync(c));
+}
+
+export function caBundleExtension(): BuildExtension {
+  return {
+    name: 'CABundleExtension',
+    onBuildStart: (context) => {
+      // Real OS env var at task spawn time — verified flow:
+      //   addLayer.deploy.env → manifest.deploy.sync.env → syncEnvVarsWithServer →
+      //   taskRunProcessProvider injects into worker env before Node TLS init.
+      context.addLayer({
+        id: 'ca-bundle-env',
+        deploy: {
+          env: { NODE_EXTRA_CA_CERTS: `/app/${BUNDLE_DEST_REL}` },
+          override: true,
+        },
+      });
+    },
+    onBuildComplete: async (context: BuildContext, manifest: BuildManifest) => {
+      const src = findBundleSrc(context.workingDir);
+      if (!src) {
+        throw new Error(
+          `CABundleExtension: rds-global-bundle.pem not found. Searched relative to ${context.workingDir}`,
+        );
+      }
+      const dest = join(manifest.outputPath, BUNDLE_DEST_REL);
+      await mkdir(dirname(dest), { recursive: true });
+      await cp(src, dest);
+      context.logger.log(`Copied RDS CA bundle to ${BUNDLE_DEST_REL}`);
+    },
+  };
+}

apps/app/next.config.ts

@@ -76,6 +76,9 @@ const config: NextConfig = {
     webpackMemoryOptimizations: true,
   },
   outputFileTracingRoot: workspaceRoot,
+  outputFileTracingIncludes: {
+    '/**/*': ['../../packages/db/certs/rds-global-bundle.pem'],
+  },
 
   // Reduce memory usage during production build
   productionBrowserSourceMaps: false,

apps/app/prisma/client.ts

@@ -1,22 +1,52 @@
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-const globalForPrisma = global as unknown as { prisma: PrismaClient };
+const globalForPrisma = global as unknown as { prisma?: PrismaClient };
+
+const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
 
 function stripSslMode(connectionString: string): string {
   const url = new URL(connectionString);
   url.searchParams.delete('sslmode');
   return url.toString();
 }
 
+function isLocalhostUrl(connectionString: string): boolean {
+  try {
+    const { hostname } = new URL(connectionString);
+    const stripped = hostname.replace(/^\[/, '').replace(/\]$/, '');
+    return LOCAL_HOSTNAMES.has(stripped);
+  } catch {
+    return false;
+  }
+}
+
 function createPrismaClient(): PrismaClient {
   const rawUrl = process.env.DATABASE_URL!;
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(rawUrl);
-  // Use verified SSL when NODE_EXTRA_CA_CERTS is set (Docker with RDS CA bundle),
-  // otherwise fall back to unverified SSL (Trigger.dev, Vercel, other environments).
+  const isLocalhost = isLocalhostUrl(rawUrl);
   const hasCABundle = !!process.env.NODE_EXTRA_CA_CERTS;
-  const ssl = isLocalhost ? undefined : hasCABundle ? true : { rejectUnauthorized: false };
-  // Strip sslmode from the connection string to avoid conflicts with the explicit ssl option
+  const allowInsecure = process.env.PRISMA_ALLOW_INSECURE_TLS === '1';
+
+  let ssl:
+    | undefined
+    | { checkServerIdentity: () => undefined }
+    | { rejectUnauthorized: false };
+  if (isLocalhost) {
+    ssl = undefined;
+  } else if (hasCABundle) {
+    // Verified TLS: rely on Node's TLS context (NODE_EXTRA_CA_CERTS adds the AWS
+    // RDS CA to the trust store). Skip hostname check because connections may
+    // traverse an AWS NLB whose hostname isn't in the RDS Proxy cert's SAN list.
+    // The chain check still rejects forged or wrong-CA certs.
+    ssl = { checkServerIdentity: () => undefined };
+  } else if (allowInsecure) {
+    ssl = { rejectUnauthorized: false };
+  } else {
+    throw new Error(
+      'Refusing to connect to a non-local Postgres without TLS verification. Set NODE_EXTRA_CA_CERTS to a CA bundle, or set PRISMA_ALLOW_INSECURE_TLS=1 if you intentionally want unverified TLS.',
+    );
+  }
+
   const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({
@@ -27,6 +57,21 @@ function createPrismaClient(): PrismaClient {
   });
 }
 
-export const db = globalForPrisma.prisma || createPrismaClient();
+// Lazy initialization. Importing this module does NOT construct a Prisma client
+// — that only happens on first property access on `db`. Critical so that
+// Next.js `next build` (which imports every route handler to analyze it) does
+// not trigger the strict TLS check at build time when no actual queries run.
+function getClient(): PrismaClient {
+  if (!globalForPrisma.prisma) {
+    globalForPrisma.prisma = createPrismaClient();
+  }
+  return globalForPrisma.prisma;
+}
 
-if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = db;
+export const db = new Proxy({} as PrismaClient, {
+  get(_target, prop, _receiver) {
+    const client = getClient();
+    const value = Reflect.get(client, prop, client);
+    return typeof value === 'function' ? value.bind(client) : value;
+  },
+});

apps/app/trigger.config.ts

@@ -1,5 +1,6 @@
 import { puppeteer } from '@trigger.dev/build/extensions/puppeteer';
 import { defineConfig } from '@trigger.dev/sdk';
+import { caBundleExtension } from './caBundleExtension';
 import { prismaExtension } from './customPrismaExtension';
 
 export default defineConfig({
@@ -14,6 +15,7 @@ export default defineConfig({
   maxDuration: 300, // 5 minutes
   build: {
     extensions: [
+      caBundleExtension(),
       prismaExtension({
         version: '7.6.0',
         dbPackageVersion: '^2.0.0',

apps/app/vitest.config.mts

@@ -9,7 +9,10 @@ export default defineConfig({
     environment: 'jsdom',
     globals: true,
     setupFiles: ['./src/test-utils/setup.ts'],
-    include: ['src/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}'],
+    include: [
+      'src/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}',
+      'prisma/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}',
+    ],
     exclude: ['node_modules', 'dist', '.next', 'e2e'],
     coverage: {
       reporter: ['text', 'json', 'html'],

apps/framework-editor/prisma/client.ts

@@ -1,22 +1,52 @@
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-const globalForPrisma = global as unknown as { prisma: PrismaClient };
+const globalForPrisma = global as unknown as { prisma?: PrismaClient };
+
+const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
 
 function stripSslMode(connectionString: string): string {
   const url = new URL(connectionString);
   url.searchParams.delete('sslmode');
   return url.toString();
 }
 
+function isLocalhostUrl(connectionString: string): boolean {
+  try {
+    const { hostname } = new URL(connectionString);
+    const stripped = hostname.replace(/^\[/, '').replace(/\]$/, '');
+    return LOCAL_HOSTNAMES.has(stripped);
+  } catch {
+    return false;
+  }
+}
+
 function createPrismaClient(): PrismaClient {
   const rawUrl = process.env.DATABASE_URL!;
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(rawUrl);
-  // Use verified SSL when NODE_EXTRA_CA_CERTS is set (Docker with RDS CA bundle),
-  // otherwise fall back to unverified SSL (Trigger.dev, Vercel, other environments).
+  const isLocalhost = isLocalhostUrl(rawUrl);
   const hasCABundle = !!process.env.NODE_EXTRA_CA_CERTS;
-  const ssl = isLocalhost ? undefined : hasCABundle ? true : { rejectUnauthorized: false };
-  // Strip sslmode from the connection string to avoid conflicts with the explicit ssl option
+  const allowInsecure = process.env.PRISMA_ALLOW_INSECURE_TLS === '1';
+
+  let ssl:
+    | undefined
+    | { checkServerIdentity: () => undefined }
+    | { rejectUnauthorized: false };
+  if (isLocalhost) {
+    ssl = undefined;
+  } else if (hasCABundle) {
+    // Verified TLS: rely on Node's TLS context (NODE_EXTRA_CA_CERTS adds the AWS
+    // RDS CA to the trust store). Skip hostname check because connections may
+    // traverse an AWS NLB whose hostname isn't in the RDS Proxy cert's SAN list.
+    // The chain check still rejects forged or wrong-CA certs.
+    ssl = { checkServerIdentity: () => undefined };
+  } else if (allowInsecure) {
+    ssl = { rejectUnauthorized: false };
+  } else {
+    throw new Error(
+      'Refusing to connect to a non-local Postgres without TLS verification. Set NODE_EXTRA_CA_CERTS to a CA bundle, or set PRISMA_ALLOW_INSECURE_TLS=1 if you intentionally want unverified TLS.',
+    );
+  }
+
   const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({
@@ -27,6 +57,21 @@ function createPrismaClient(): PrismaClient {
   });
 }
 
-export const db = globalForPrisma.prisma || createPrismaClient();
+// Lazy initialization. Importing this module does NOT construct a Prisma client
+// — that only happens on first property access on `db`. Critical so that
+// Next.js `next build` (which imports every route handler to analyze it) does
+// not trigger the strict TLS check at build time when no actual queries run.
+function getClient(): PrismaClient {
+  if (!globalForPrisma.prisma) {
+    globalForPrisma.prisma = createPrismaClient();
+  }
+  return globalForPrisma.prisma;
+}
 
-if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = db;
+export const db = new Proxy({} as PrismaClient, {
+  get(_target, prop, _receiver) {
+    const client = getClient();
+    const value = Reflect.get(client, prop, client);
+    return typeof value === 'function' ? value.bind(client) : value;
+  },
+});

apps/portal/next.config.ts

@@ -65,6 +65,9 @@ const config = {
   },
   skipTrailingSlashRedirect: true,
   outputFileTracingRoot: path.join(__dirname, '../../'),
+  outputFileTracingIncludes: {
+    '/**/*': ['../../packages/db/certs/rds-global-bundle.pem'],
+  },
   ...(isStandalone
     ? {
         output: 'standalone' as const,