import type { TableSnapshot } from '../pg/introspect';
import type { Finding } from '../types';

/**
 * A1: RLS is enabled but there are zero policies on the table.
 *
 * With RLS on and no policies, PostgreSQL falls back to default-deny: roles
 * subject to RLS see no rows and cannot insert, update or delete any. The
 * table owner (unless FORCE ROW LEVEL SECURITY is set), superusers and roles
 * with BYPASSRLS are not subject to it, so the table can look healthy from an
 * owner session while being empty for everyone else. Usually a sign that
 * someone ran `ALTER TABLE … ENABLE ROW LEVEL SECURITY` but never wrote the
 * policies.
 *
 * @param table - Snapshot of the table to inspect.
 * @returns A finding or `null`; presumably `null` means the condition was not
 *   detected (the implementation is not visible in this declaration file).
 */
export declare function checkRlsEnabledNoPolicies(table: TableSnapshot): Finding | null;

/**
 * A2: The table has non-trivial grants but RLS is disabled.
 *
 * Intent: if a real role (not just the owner or PUBLIC) can
 * SELECT/INSERT/UPDATE/DELETE, we'd expect RLS to be on. With RLS off, a
 * table-level grant covers every row, so the grant itself is the only access
 * control on the table. Tables intentionally meant to be global (e.g. lookup
 * tables) may be false positives; callers can exclude them via `--schemas`.
 *
 * NOTE(review): a grant to PUBLIC applies to every role, which makes it the
 * widest exposure rather than a trivial one. It cannot be told from this
 * declaration whether PUBLIC-only grants are reported by another check;
 * confirm before relying on a clean A2 result.
 *
 * NOTE(review): `--schemas` reads as a schema-level filter. If so, excluding
 * a schema to silence one lookup table also removes every other table in that
 * schema from this check; confirm against the CLI.
 *
 * @param table - Snapshot of the table to inspect.
 * @returns A finding or `null`; presumably `null` means the condition was not
 *   detected (the implementation is not visible in this declaration file).
 */
export declare function checkGrantsWithoutRls(table: TableSnapshot): Finding | null;

/**
 * A3: RLS is enabled but FORCE ROW LEVEL SECURITY is not set.
 *
 * Without FORCE, the table owner bypasses all policies, so an application
 * that connects as the owning role gets no row filtering at all. For anything
 * with tenant data, that usually isn't what you want. Medium severity —
 * owners bypassing policies is sometimes intentional (e.g. admin tooling).
 *
 * FORCE only brings the owner under the policies; superusers and roles with
 * BYPASSRLS still bypass them, so clearing this finding does not by itself
 * mean every connection is filtered.
 *
 * @param table - Snapshot of the table to inspect.
 * @returns A finding or `null`; presumably `null` means the condition was not
 *   detected (the implementation is not visible in this declaration file).
 */
export declare function checkRlsNotForced(table: TableSnapshot): Finding | null;