v0.3.1 — guard covers TanStack server functions
Runtime protection now covers the server-function data path
Validating 0.3.0 on a fresh Lovable app surfaced a real gap: modern Lovable scaffolds mutate data through TanStack server functions (createServerFn) using a server-side Supabase client, which bypasses the browser-client tunnel the guard patches. Exploit payloads reached the database.
What's new
protectregisters the guard onfunctionMiddlewaretoo. In addition to the existing browser tunnel (requestMiddleware), the installer now wires a TanStack function middleware that inspects every server-function call's args and blocks on a rule match before the handler writes to the DB. Covers both Lovable data shapes (browser-direct Supabase and server functions) — still zero user-code changes.- New runtime export
createServerFnGuard({ protection })— evaluates decoded server-fn args through the same policy as the tunnel (args become the request body, so the engine resolvespost.<field>identically). Fail-open. @patchstack/connect/protectnow ships types. Added atypescondition to the./protectexport (hand-authoreddist/protect.d.ts), so strict-TS builds no longer need a.d.tsshim.
Compatibility
scan,mark-build,init,status, and the 0.3.0 browser-tunnel guard are unchanged.protectis idempotent; re-running upgrades the wiring in place.
Requires Node >= 18.