Commit 9d5e2c2

Browse files
github-actions[bot], Marfuen, claude authored
[dev] [Marfuen] mariano/secure-rds-tls (#2762)
* chore(db): commit AWS RDS global CA bundle for verified TLS

* feat(db): strict TLS gating in shared prisma client

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(db): extract resolveSslConfig and use bun:test for consistency

  Move SSL-resolution logic into a pure ssl-config.ts module so it can be tested with bun:test (matching strip-ssl-mode.test.ts's pattern) without importing the module-level Prisma client. Drop vitest devDependency.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(app): strict TLS gating in app prisma client

  Extracts SSL config logic into apps/app/prisma/ssl-config.ts and updates the Prisma client to throw at boot when connecting to a non-local database without a verified CA bundle or explicit PRISMA_ALLOW_INSECURE_TLS=1 opt-in.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* refactor(db): expose resolveSslConfig via subpath export; dedupe in apps/app

  Add `./ssl-config` subpath export to @trycompai/db so apps/app (and upcoming portal/framework-editor) can import the single source of truth instead of maintaining their own copy. Widen the `env` parameter type from `NodeJS.ProcessEnv` to `Partial<NodeJS.ProcessEnv>` (strictly more permissive) to satisfy apps/app's strict TS config. Delete the duplicate apps/app/prisma/ssl-config.ts and its redundant test file.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(portal): strict TLS gating in prisma client

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(framework-editor): strict TLS gating in prisma client

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(trigger): add caBundleExtension for verified-TLS Postgres

  Ships the RDS CA bundle (packages/db/certs/rds-global-bundle.pem) into Trigger.dev task images at /app/certs/rds-global-bundle.pem and sets NODE_EXTRA_CA_CERTS via the deploy.env layer so Node TLS initialization picks it up before any Prisma connection attempt.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(prisma): inline TLS gating in app clients to avoid published-package dependency

  Drop `import { resolveSslConfig } from '@trycompai/db/ssl-config'` from apps/app, apps/portal, and apps/framework-editor and inline the full localhost/CA-bundle/PRISMA_ALLOW_INSECURE_TLS logic directly. Trigger.dev pins @trycompai/db@^2.0.0 from npm which lacks the ./ssl-config subpath, causing indexer crashes at deploy time.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(prisma): skip hostname check when CA bundle is set (NLB compatibility)

  AWS NLB → RDS Proxy connections fail TLS hostname verification because the NLB hostname (*.elb.amazonaws.com) isn't in the RDS Proxy cert's SAN list. Cert chain verification is preserved: an attacker still cannot present a forged or wrong-CA cert. Only the hostname-string check is relaxed.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(vercel): bundle RDS CA cert with Next.js apps for verified TLS

  Add outputFileTracingIncludes to apps/app and apps/portal next.config.ts so the rds-global-bundle.pem is included in Vercel's traced file output for each deployed function.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs: deploy checklist for verified-TLS env vars

  Documents the NODE_EXTRA_CA_CERTS values to set in Vercel (both candidate paths), the Trigger.dev PRISMA_ALLOW_INSECURE_TLS removal commands, and notes that API Docker needs no action.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(prisma): lazy-init client to prevent TLS throw during Next.js build

  next build imports every route handler to analyze it, which previously triggered our strict-TLS throw at module load even though no queries run. Wrap the client in a Proxy that constructs the real PrismaClient on first property access. The strict check still fires, just at first use, not at import.

* fix(db): point ssl-config types at dist (src/ is not published)

  cubic flagged: the subpath export's types entry pointed at ./src/ssl-config.ts, but the published package's files array only includes dist/. Downstream npm consumers would get broken type resolution. Workspace consumers were unaffected because @trycompai/db resolves to source via workspace:*.

* chore: temporary debug endpoint to verify Vercel cert path

  Hit /api/_debug-tls on the deployed preview. Reports process.cwd(), NODE_EXTRA_CA_CERTS value, and existence/size for the env-var path plus common candidate paths. Delete this commit once the path is confirmed.

---------

Co-authored-by: Mariano <marfuen98@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
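The commit message describes the gating rule that the squashed commits implement (local database: no TLS requirement; CA bundle present: verify the chain but skip the hostname-string match; otherwise require an explicit PRISMA_ALLOW_INSECURE_TLS=1 opt-in or throw at boot). The following is an added illustration of that rule, not the project's own ssl-config.ts. It assumes a simplified env type (a plain string map rather than NodeJS.ProcessEnv), a short list of local hostnames, an injectable file reader so the check is testable without a real bundle on disk, and a minimal TLS options shape that mirrors node:tls's `ca`, `rejectUnauthorized` and `checkServerIdentity` fields; the pg driver in the real project may take these under a different option name.

```typescript
import { existsSync, readFileSync } from 'node:fs';

// Simplified env type (assumption: plain string map instead of NodeJS.ProcessEnv).
export type Env = Record<string, string | undefined>;

export type SslConfig =
  | { mode: 'disabled'; hostname: string }              // local dev database, no TLS gating
  | { mode: 'verify-ca'; hostname: string; ca: string } // chain verified against the bundle
  | { mode: 'insecure'; hostname: string };             // explicit PRISMA_ALLOW_INSECURE_TLS=1

// Minimal TLS option shape (assumption: mirrors the node:tls field names).
export type TlsOptions = {
  ca?: string;
  rejectUnauthorized: boolean;
  checkServerIdentity?: (hostname: string, cert: unknown) => Error | undefined;
};

// Hostnames treated as local (assumption: the project's real list may differ).
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

export function isLocalDatabase(databaseUrl: string): boolean {
  // WHATWG URL keeps IPv6 literals in brackets ("[::1]"); strip them before the lookup.
  const hostname = new URL(databaseUrl).hostname.replace(/^\[|\]$/g, '');
  return LOCAL_HOSTS.has(hostname.toLowerCase());
}

type FileReader = (path: string) => string | null;

// Default reader: file contents, or null when the bundle path does not exist.
const readIfExists: FileReader = (path) =>
  existsSync(path) ? readFileSync(path, 'utf8') : null;

export function resolveSslConfig(env: Env, readFile: FileReader = readIfExists): SslConfig {
  const url = env.DATABASE_URL;
  if (!url) throw new Error('DATABASE_URL is not set');
  const hostname = new URL(url).hostname;

  if (isLocalDatabase(url)) return { mode: 'disabled', hostname };

  // A CA bundle only counts if the file is present and actually holds a PEM certificate;
  // a missing or empty file must not silently pass as "verified".
  const ca = env.NODE_EXTRA_CA_CERTS ? readFile(env.NODE_EXTRA_CA_CERTS) : null;
  if (ca && ca.includes('-----BEGIN CERTIFICATE-----')) {
    return { mode: 'verify-ca', hostname, ca };
  }

  if (env.PRISMA_ALLOW_INSECURE_TLS === '1') return { mode: 'insecure', hostname };

  throw new Error(
    `Refusing to connect to non-local database host "${hostname}" without a verified CA bundle. ` +
      'Set NODE_EXTRA_CA_CERTS to the RDS bundle path, or set PRISMA_ALLOW_INSECURE_TLS=1 to opt in explicitly.',
  );
}

export function toTlsOptions(config: SslConfig): TlsOptions | undefined {
  switch (config.mode) {
    case 'disabled':
      return undefined;
    case 'insecure':
      // Encrypted but unauthenticated: an active MITM can terminate the connection. Opt-in only.
      return { rejectUnauthorized: false };
    case 'verify-ca':
      // Chain verification stays on, so a forged or wrong-CA certificate is still rejected.
      // Only the hostname-string match is skipped, for the NLB -> RDS Proxy case where the
      // *.elb.amazonaws.com name is not in the proxy certificate's SAN list.
      return { ca: config.ca, rejectUnauthorized: true, checkServerIdentity: () => undefined };
  }
}
```

Keeping `resolveSslConfig` pure (env in, decision out) is what lets the rule be unit-tested without a Prisma client and without a real bundle on disk, which is the same motivation the commit gives for extracting it; the thrown error is deliberately loud so a misconfigured deploy fails at first use rather than quietly falling back to an unverified connection.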
1 parent 2bde7ad commit 9d5e2c2

1 file changed

Lines changed: 35 additions & 0 deletions

@@ -0,0 +1,35 @@
1+
import { existsSync, statSync } from 'node:fs';
2+
import { join } from 'node:path';
3+
4+
export const dynamic = 'force-dynamic';
5+
export const runtime = 'nodejs';
6+
7+
export async function GET() {
8+
const envVar = process.env.NODE_EXTRA_CA_CERTS;
9+
const candidates = [
10+
envVar,
11+
'/var/task/packages/db/certs/rds-global-bundle.pem',
12+
'/vercel/path0/packages/db/certs/rds-global-bundle.pem',
13+
join(process.cwd(), 'packages/db/certs/rds-global-bundle.pem'),
14+
join(process.cwd(), '../../packages/db/certs/rds-global-bundle.pem'),
15+
].filter((p): p is string => Boolean(p));
16+
17+
const probes = candidates.map((p) => {
18+
try {
19+
const exists = existsSync(p);
20+
const size = exists ? statSync(p).size : null;
21+
return { path: p, exists, size };
22+
} catch (e) {
23+
return { path: p, exists: false, error: (e as Error).message };
24+
}
25+
});
26+
27+
return Response.json({
28+
cwd: process.cwd(),
29+
nodeExtraCaCerts: envVar ?? null,
30+
prismaAllowInsecureTls: process.env.PRISMA_ALLOW_INSECURE_TLS ?? null,
31+
probes,
32+
nodeVersion: process.version,
33+
platform: process.platform,
34+
});
35+
}
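Review bot: the GET handler has no authentication or environment gate, so anyone who can reach the deployed URL receives process.cwd(), the raw NODE_EXTRA_CA_CERTS and PRISMA_ALLOW_INSECURE_TLS values, existence and size for every probed path, and the Node version and platform; the PRISMA_ALLOW_INSECURE_TLS field in particular tells a caller whether the database connection is currently verifying certificates. The commit message calls this temporary and says to delete it once the path is confirmed, so at minimum gate it before the probes run, for example `if (process.env.VERCEL_ENV === 'production') return new Response(null, { status: 404 });` (or require a shared-secret header), and open a tracking item for the removal so the route cannot reach production by accident. A one-line comment at the top of the file stating that it is a temporary diagnostic and must not be merged to main would also make the intent visible to the next reviewer.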

0 commit comments