Skip to content

v0.3.1 — guard covers TanStack server functions

Choose a tag to compare

@devlob devlob released this 13 Jul 15:46
c2274a2

Runtime protection now covers the server-function data path

Validating 0.3.0 on a fresh Lovable app surfaced a real gap: modern Lovable scaffolds mutate data through TanStack server functions (createServerFn) using a server-side Supabase client, which bypasses the browser-client tunnel the guard patches. Exploit payloads reached the database.

What's new

  • protect registers the guard on functionMiddleware too. In addition to the existing browser tunnel (requestMiddleware), the installer now wires a TanStack function middleware that inspects every server-function call's args and blocks on a rule match before the handler writes to the DB. Covers both Lovable data shapes (browser-direct Supabase and server functions) — still zero user-code changes.
  • New runtime export createServerFnGuard({ protection }) — evaluates decoded server-fn args through the same policy as the tunnel (args become the request body, so the engine resolves post.<field> identically). Fail-open.
  • @patchstack/connect/protect now ships types. Added a types condition to the ./protect export (hand-authored dist/protect.d.ts), so strict-TS builds no longer need a .d.ts shim.

Compatibility

  • scan, mark-build, init, status, and the 0.3.0 browser-tunnel guard are unchanged.
  • protect is idempotent; re-running upgrades the wiring in place.

Requires Node >= 18.