[comp] Production Deploy

apps/app/prisma/client.ts

@@ -1,8 +1,6 @@
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-import { RDS_CA_BUNDLE } from './rds-ca-bundle';
-
 const globalForPrisma = global as unknown as { prisma?: PrismaClient };
 
 const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
@@ -28,21 +26,24 @@ function createPrismaClient(): PrismaClient {
   const isLocalhost = isLocalhostUrl(rawUrl);
   const allowInsecure = process.env.PRISMA_ALLOW_INSECURE_TLS === '1';
 
-  let ssl:
-    | undefined
-    | { ca: string; checkServerIdentity: () => undefined }
-    | { rejectUnauthorized: false };
-  if (isLocalhost) {
-    ssl = undefined;
-  } else if (allowInsecure) {
-    ssl = { rejectUnauthorized: false };
-  } else {
-    // Verified TLS using the inlined AWS RDS CA bundle. Skip hostname check
-    // because connections may traverse an AWS NLB whose hostname isn't in the
-    // RDS Proxy cert's SAN list. The chain check still rejects forged or
-    // wrong-CA certs.
-    ssl = { ca: RDS_CA_BUNDLE, checkServerIdentity: () => undefined };
-  }
+  // Verified TLS via Node's default trust store, which includes Amazon Root
+  // CA 1 — where AWS RDS Proxy chains terminate. Hostname check is skipped
+  // because connections traverse an AWS NLB whose hostname isn't in the RDS
+  // Proxy cert's SAN list; the chain check still rejects forged or wrong-CA
+  // certs. PRISMA_ALLOW_INSECURE_TLS=1 is an explicit opt-out (no silent
+  // fallback to unverified TLS).
+  //
+  // Previously this passed `ca: RDS_CA_BUNDLE` — but `ssl.ca` *replaces*
+  // Node's trust store rather than augmenting it, and our bundle only
+  // contains regional RDS CAs (not Amazon Root CA 1), so the RDS Proxy
+  // chain failed to validate. Surfaced as P1011 TlsConnectionError /
+  // "unable to get local issuer certificate" at runtime.
+  const ssl: undefined | { checkServerIdentity: () => undefined } | { rejectUnauthorized: false } =
+    isLocalhost
+      ? undefined
+      : allowInsecure
+        ? { rejectUnauthorized: false }
+        : { checkServerIdentity: () => undefined };
 
   const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });

apps/framework-editor/prisma/client.ts

@@ -1,8 +1,6 @@
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-import { RDS_CA_BUNDLE } from './rds-ca-bundle';
-
 const globalForPrisma = global as unknown as { prisma?: PrismaClient };
 
 const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
@@ -28,17 +26,15 @@ function createPrismaClient(): PrismaClient {
   const isLocalhost = isLocalhostUrl(rawUrl);
   const allowInsecure = process.env.PRISMA_ALLOW_INSECURE_TLS === '1';
 
-  let ssl:
-    | undefined
-    | { ca: string; checkServerIdentity: () => undefined }
-    | { rejectUnauthorized: false };
-  if (isLocalhost) {
-    ssl = undefined;
-  } else if (allowInsecure) {
-    ssl = { rejectUnauthorized: false };
-  } else {
-    ssl = { ca: RDS_CA_BUNDLE, checkServerIdentity: () => undefined };
-  }
+  // See apps/app/prisma/client.ts for the rationale on dropping `ssl.ca`
+  // (replaces rather than augments the trust store; broke RDS Proxy
+  // chain validation).
+  const ssl: undefined | { checkServerIdentity: () => undefined } | { rejectUnauthorized: false } =
+    isLocalhost
+      ? undefined
+      : allowInsecure
+        ? { rejectUnauthorized: false }
+        : { checkServerIdentity: () => undefined };
 
   const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });

apps/portal/prisma/client.ts

@@ -1,8 +1,6 @@
 import { PrismaClient } from '../src/generated/prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-import { RDS_CA_BUNDLE } from './rds-ca-bundle';
-
 const globalForPrisma = global as unknown as { prisma?: PrismaClient };
 
 const LOCAL_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1']);
@@ -28,17 +26,15 @@ function createPrismaClient(): PrismaClient {
   const isLocalhost = isLocalhostUrl(rawUrl);
   const allowInsecure = process.env.PRISMA_ALLOW_INSECURE_TLS === '1';
 
-  let ssl:
-    | undefined
-    | { ca: string; checkServerIdentity: () => undefined }
-    | { rejectUnauthorized: false };
-  if (isLocalhost) {
-    ssl = undefined;
-  } else if (allowInsecure) {
-    ssl = { rejectUnauthorized: false };
-  } else {
-    ssl = { ca: RDS_CA_BUNDLE, checkServerIdentity: () => undefined };
-  }
+  // See apps/app/prisma/client.ts for the rationale on dropping `ssl.ca`
+  // (replaces rather than augments the trust store; broke RDS Proxy
+  // chain validation).
+  const ssl: undefined | { checkServerIdentity: () => undefined } | { rejectUnauthorized: false } =
+    isLocalhost
+      ? undefined
+      : allowInsecure
+        ? { rejectUnauthorized: false }
+        : { checkServerIdentity: () => undefined };
 
   const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });