fix(db): drop inlined RDS CA bundle, use Node default trust store (#2775)

URGENT: production runtime fix. Staging is hitting:

  Error [PrismaClientKnownRequestError]
  Invalid `prisma.member.findFirst()` invocation
  Error opening a TLS connection: unable to get local issuer certificate
  code: 'P1011', driverAdapterError: TlsConnectionError

Cause: PR #2772 set `ssl.ca = RDS_CA_BUNDLE` in the prisma adapter, which
*replaces* Node's trust store rather than augmenting it. Our bundle only
contains the 108 RDS-specific regional self-signed CAs — it does NOT
contain Amazon Root CA 1, which is where AWS RDS Proxy chains terminate
(and which lives in Node's default Mozilla bundle). So the chain failed
to validate at runtime under the strict-TLS branch.

Why apps/app and apps/portal didn't trip this in earlier checks:
- The /auth route returned 200 because that codepath doesn't query the
  DB; it talks to apps/api over HTTP, and apps/api uses a different
  prisma client (Docker, NODE_EXTRA_CA_CERTS at OS level).
- DB-touching SSR routes (e.g., /[orgId]/overview) are exactly what the
  reported staging failure exercises.

Fix: drop the `ca:` field. Node's default trust store includes Amazon
Root CA 1, which is sufficient for chain validation against RDS Proxy.
Hostname check is still skipped (NLB topology — chain check still
rejects forged or wrong-CA certs). PRISMA_ALLOW_INSECURE_TLS=1 remains
the explicit insecure opt-out — the original Cubic finding fix is
preserved.

Files:
- packages/db/src/ssl-config.ts: drop RDS_CA_BUNDLE import + usage
- packages/db/src/client.test.ts: rewrite tests for new behavior (6 pass)
- apps/{app,portal,framework-editor}/prisma/client.ts: drop the ca: branch
- Delete: packages/db/{certs/rds-global-bundle.pem,src/rds-ca-bundle.ts,
  scripts/generate-ca-bundle-ts.mjs} and the inlined rds-ca-bundle.ts
  copies in apps/{app,portal,framework-editor}/prisma/ (~660KB removed)
- packages/db: 2.2.0 → 2.3.0 (also drops `certs` from `files` array)
- apps/api/prisma/client.ts: unchanged — Docker still uses
  NODE_EXTRA_CA_CERTS at OS level and that path is fine.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Marfuen

apps/app/prisma/client.ts

@@ -1,8 +1,6 @@
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-import { RDS_CA_BUNDLE } from './rds-ca-bundle';
-
 const globalForPrisma = global as unknown as { prisma?: PrismaClient };
 
 const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
@@ -28,21 +26,24 @@ function createPrismaClient(): PrismaClient {
   const isLocalhost = isLocalhostUrl(rawUrl);
   const allowInsecure = process.env.PRISMA_ALLOW_INSECURE_TLS === '1';
 
-  let ssl:
-    | undefined
-    | { ca: string; checkServerIdentity: () => undefined }
-    | { rejectUnauthorized: false };
-  if (isLocalhost) {
-    ssl = undefined;
-  } else if (allowInsecure) {
-    ssl = { rejectUnauthorized: false };
-  } else {
-    // Verified TLS using the inlined AWS RDS CA bundle. Skip hostname check
-    // because connections may traverse an AWS NLB whose hostname isn't in the
-    // RDS Proxy cert's SAN list. The chain check still rejects forged or
-    // wrong-CA certs.
-    ssl = { ca: RDS_CA_BUNDLE, checkServerIdentity: () => undefined };
-  }
+  // Verified TLS via Node's default trust store, which includes Amazon Root
+  // CA 1 — where AWS RDS Proxy chains terminate. Hostname check is skipped
+  // because connections traverse an AWS NLB whose hostname isn't in the RDS
+  // Proxy cert's SAN list; the chain check still rejects forged or wrong-CA
+  // certs. PRISMA_ALLOW_INSECURE_TLS=1 is an explicit opt-out (no silent
+  // fallback to unverified TLS).
+  //
+  // Previously this passed `ca: RDS_CA_BUNDLE` — but `ssl.ca` *replaces*
+  // Node's trust store rather than augmenting it, and our bundle only
+  // contains regional RDS CAs (not Amazon Root CA 1), so the RDS Proxy
+  // chain failed to validate. Surfaced as P1011 TlsConnectionError /
+  // "unable to get local issuer certificate" at runtime.
+  const ssl: undefined | { checkServerIdentity: () => undefined } | { rejectUnauthorized: false } =
+    isLocalhost
+      ? undefined
+      : allowInsecure
+        ? { rejectUnauthorized: false }
+        : { checkServerIdentity: () => undefined };
 
   const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });

apps/app/prisma/rds-ca-bundle.ts

@@ -1,8 +1,6 @@
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-import { RDS_CA_BUNDLE } from './rds-ca-bundle';
-
 const globalForPrisma = global as unknown as { prisma?: PrismaClient };
 
 const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
@@ -28,17 +26,15 @@ function createPrismaClient(): PrismaClient {
   const isLocalhost = isLocalhostUrl(rawUrl);
   const allowInsecure = process.env.PRISMA_ALLOW_INSECURE_TLS === '1';
 
-  let ssl:
-    | undefined
-    | { ca: string; checkServerIdentity: () => undefined }
-    | { rejectUnauthorized: false };
-  if (isLocalhost) {
-    ssl = undefined;
-  } else if (allowInsecure) {
-    ssl = { rejectUnauthorized: false };
-  } else {
-    ssl = { ca: RDS_CA_BUNDLE, checkServerIdentity: () => undefined };
-  }
+  // See apps/app/prisma/client.ts for the rationale on dropping `ssl.ca`
+  // (replaces rather than augments the trust store; broke RDS Proxy
+  // chain validation).
+  const ssl: undefined | { checkServerIdentity: () => undefined } | { rejectUnauthorized: false } =
+    isLocalhost
+      ? undefined
+      : allowInsecure
+        ? { rejectUnauthorized: false }
+        : { checkServerIdentity: () => undefined };
 
   const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });

apps/framework-editor/prisma/client.ts

@@ -1,8 +1,6 @@
 import { PrismaClient } from '../src/generated/prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-import { RDS_CA_BUNDLE } from './rds-ca-bundle';
-
 const globalForPrisma = global as unknown as { prisma?: PrismaClient };
 
 const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
@@ -28,17 +26,15 @@ function createPrismaClient(): PrismaClient {
   const isLocalhost = isLocalhostUrl(rawUrl);
   const allowInsecure = process.env.PRISMA_ALLOW_INSECURE_TLS === '1';
 
-  let ssl:
-    | undefined
-    | { ca: string; checkServerIdentity: () => undefined }
-    | { rejectUnauthorized: false };
-  if (isLocalhost) {
-    ssl = undefined;
-  } else if (allowInsecure) {
-    ssl = { rejectUnauthorized: false };
-  } else {
-    ssl = { ca: RDS_CA_BUNDLE, checkServerIdentity: () => undefined };
-  }
+  // See apps/app/prisma/client.ts for the rationale on dropping `ssl.ca`
+  // (replaces rather than augments the trust store; broke RDS Proxy
+  // chain validation).
+  const ssl: undefined | { checkServerIdentity: () => undefined } | { rejectUnauthorized: false } =
+    isLocalhost
+      ? undefined
+      : allowInsecure
+        ? { rejectUnauthorized: false }
+        : { checkServerIdentity: () => undefined };
 
   const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });