m/projax
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(db): pivot to dedicated projax_admin role

Browse Source 
Mirrors the mbrian_admin pattern: the binary connects as a role bounded
to the projax schema, so even a compromised projax process cannot read
mai.workers, otto.*, vault.*, etc.

- 0001: switch grants block from postgres → projax_admin (conditional
  on the role existing — bootstrap still works as superuser before the
  role is created). Wrap `create schema` in a guard so the migration
  is idempotent when re-run as a non-superuser app role that lacks
  database-level CREATE.
- 0005_reown_to_projax_admin.sql: enumerate every projax-namespaced
  object via pg_namespace + pg_class / pg_proc and ALTER OWNER to
  projax_admin. Explicitly scoped — no global REASSIGN OWNED that
  would yank ownership from other projects sharing the postgres role.
  Strips residual postgres grants. No-ops with a NOTICE when the role
  is missing.
- README: new "Manual prerequisite" deploy section. Documents the
  CREATE ROLE statement, the cross-schema USAGE + SELECT grants, AND
  the RLS policy `projax_read ON mai.projects` that's required because
  mai.projects has row-level security with policies scoped to `mai`
  and `anon` only. Without the policy, items_unified silently returns
  zero mai-source rows.
- deploy/dokploy.yaml: DSN comment now reflects projax_admin and
  points at the README prereq.

Verified locally against msupabase with a throwaway projax_admin role:
- 13/13 tests green
- mai.workers SELECT → permission denied
- mai.sessions SELECT → permission denied
- mai.projects SELECT → 59 rows (RLS policy in effect)
- projax.items_unified SELECT → 66 rows (7 projax + 59 mai)
This commit is contained in:
mAi
2026-05-15 13:32:56 +02:00
parent 2df9e1b13f
commit 092a56cf24
4 changed files with 153 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
deploy/dokploy.yaml
View File

@@ -4,9 +4,13 @@
# Tailscale-only; no public exposure. Single replica, single tenant (m).
#
# Environment expected (set via Dokploy secrets, NEVER commit):
# PROJAX_DB_URL postgres://postgres:<pw>@<msupabase-tailscale-ip>:6789/postgres?sslmode=disable
# PROJAX_DB_URL postgres://projax_admin:<pw>@<msupabase-tailscale-ip>:6789/postgres?sslmode=disable
# PROJAX_LISTEN_ADDR :8080 (default; Dokploy maps to public port)
# PROJAX_AUTO_MIGRATE on (default; set "off" to bypass embedded migrations on boot)
#
# README §"Deploy / 0. Manual prerequisite" documents the one-time CREATE ROLE
# projax_admin + cross-schema grants + RLS policy on mai.projects. The
# migrations themselves are credential-free.
name: projax
service: projax