Nexus

Hartmut/Nexus

Fork 0

Commit Graph

Author	SHA1	Message	Date
Hartmut	b9040cb328	test(security): scoped-caller forwarding preserves read-only proxy (#47 ) Adds a regression suite asserting that the read-only Prisma proxy is still in effect after a tool's executor forwards ctx.db into a scoped tRPC caller (helpers.ts::createScopedCallerContext). Covers all three attack surfaces: model writes, raw-SQL escape hatches, and interactive $transaction / $runCommandRaw calls. These tests pin the behaviour enforced by 1ff5c33; any future refactor that unwraps the proxy during forwarding will fail this suite. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-17 09:28:02 +02:00

Author

SHA1

Message

Date

Hartmut

b9040cb328

test(security): scoped-caller forwarding preserves read-only proxy (#47 )

Adds a regression suite asserting that the read-only Prisma proxy is
still in effect after a tool's executor forwards ctx.db into a scoped
tRPC caller (helpers.ts::createScopedCallerContext). Covers all three
attack surfaces: model writes, raw-SQL escape hatches, and interactive
$transaction / $runCommandRaw calls.

These tests pin the behaviour enforced by 1ff5c33; any future refactor
that unwraps the proxy during forwarding will fail this suite.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-04-17 09:28:02 +02:00

1 Commits