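import type { PgAstNode } from '../ast/parse';
import type { PolicyInfo, TableSnapshot } from '../pg/introspect';
import type { ProcVolatility } from '../pg/proc';
import type { Finding } from '../types';

/**
 * Anti-pattern P1: policy predicate invokes a VOLATILE function (per-row
 * evaluation, breaks the planner's ability to hoist or cache).
 *
 * Also flags SECURITY DEFINER wrappers here (P1b): they can't be inlined and
 * become per-row function calls.
 *
 * Expected input: a volatility map keyed by `schema.name` (see pg/proc.ts).
 *
 * @param table - snapshot of the table the policy is attached to
 * @param expr - parsed policy predicate (USING or WITH CHECK) to walk
 * @param volatility - `schema.name` -> volatility, as produced by pg/proc.ts;
 *   the keys to resolve are presumably gathered with {@link collectFunctionNames}
 * @param policyName - name of the policy, used to label the findings
 * @returns the findings raised against this predicate (`[]` when none)
 */
export declare function checkVolatileFunctions(
  table: TableSnapshot,
  expr: PgAstNode,
  // NOTE(review): the type arguments were missing from the extracted text;
  // `Map<string, ProcVolatility>` is reconstructed from the otherwise-unused
  // import and the "keyed by `schema.name`" remark above — confirm against
  // pg/proc.ts.
  volatility: Map<string, ProcVolatility>,
  policyName: string,
): Finding[];

/**
 * Anti-pattern P5: policy references `session_user`, `current_user`, or
 * `pg_has_role(...)` for tenant gating. These bypass the role-and-JWT layer
 * that the rest of the auth model is built on, and they silently evaluate
 * against the *login* role instead of the `SET LOCAL role` role, which
 * produces confusing RLS behavior across pooled connections.
 *
 * NOTE(review): in PostgreSQL only `session_user` is pinned to the login
 * role; `current_user` does follow `SET ROLE` / `SET LOCAL ROLE`. The
 * "login role" remark above therefore applies to `session_user`, while
 * `current_user` and `pg_has_role(...)` are flagged for bypassing the
 * JWT/claims layer rather than for ignoring the switched role.
 *
 * @param table - snapshot of the table the policy is attached to
 * @param expr - parsed policy predicate to inspect
 * @param policyName - name of the policy, used to label the findings
 * @returns the findings raised against this predicate (`[]` when none)
 */
export declare function checkSessionUserGating(
  table: TableSnapshot,
  expr: PgAstNode,
  policyName: string,
): Finding[];

/**
 * Anti-pattern A7: trivially-permissive policy body.
 *
 * A permissive policy whose body is the literal `true` (and has no tightening
 * `WITH CHECK` clause) adds zero security — it's equivalent to not having RLS
 * at all for the covered command. This is different from an intentional
 * *restrictive* `true` (which would require all rows to satisfy it). We only
 * flag `permissive = true` here because Postgres defaults to PERMISSIVE and
 * `USING (true)` is the most common accidental "fail-open" shape.
 *
 * Severity: HIGH — any auditor should see this as RLS-not-actually-enforced.
 *
 * Input: the parsed USING and WITH CHECK ASTs (may be null if empty).
 *
 * @param table - snapshot of the table the policy is attached to
 * @param policy - introspected policy row (carries the permissive/restrictive flag)
 * @param usingAst - parsed `USING` expression, or `null` when the clause is empty
 * @param withCheckAst - parsed `WITH CHECK` expression, or `null` when the clause is empty
 * @returns a single finding when the policy is trivially permissive, else `null`
 */
export declare function checkTriviallyPermissive(
  table: TableSnapshot,
  policy: PolicyInfo,
  usingAst: PgAstNode | null,
  withCheckAst: PgAstNode | null,
): Finding | null;

/**
 * Walk a policy expression, collecting unique function `(schema, name)` tuples
 * so we can resolve volatility in one batch query.
 *
 * @param expr - parsed policy predicate to walk
 * @returns the distinct function references found; `schema` is optional —
 *   presumably absent for unqualified calls, so the caller must apply the
 *   search_path resolution that pg/proc.ts expects (TODO confirm)
 */
export declare function collectFunctionNames(
  expr: PgAstNode,
): Array<{ schema?: string; name: string }>;

/**
 * Parse a policy expression or return `null` on empty input. Logs parse
 * errors to stderr.
 *
 * NOTE(review): the contract above only specifies `null` for *empty* input.
 * If a parse failure also resolves to `null`, callers such as
 * {@link checkTriviallyPermissive} (which treat `null` as "clause absent")
 * would silently skip an unparseable policy instead of reporting it — confirm
 * in the implementation that a parse error is surfaced as a finding or rethrown.
 *
 * @param expr - raw policy expression text, or `null` when the clause is absent
 * @param context - label for the expression, presumably included in the stderr
 *   message on parse failure
 * @returns the parsed AST, or `null` for empty input
 */
export declare function parseOrNull(
  expr: string | null,
  context: string,
  // NOTE(review): the return type argument was missing from the extracted text;
  // `Promise<PgAstNode | null>` is reconstructed from the doc comment and the
  // `PgAstNode | null` parameters of checkTriviallyPermissive — confirm.
): Promise<PgAstNode | null>;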