Private
Public Access
1
0
Catherine Renelle bd12160ebb Phase 2: Enforce Row-Level Security at the PostgreSQL level
- Rewrite rls.ts with withTenant()/withBypassRLS() using parameterized
  set_config() in interactive Prisma transactions (no SQL injection)
- Add FORCE ROW LEVEL SECURITY on all 15 tenant-scoped tables
- Add __bypass__ sentinel and WITH CHECK clauses to every RLS policy
- Explicitly DISABLE RLS on tenants, tenant_hostnames, sessions
- Wrap all API route and page loader queries in withTenant()
- Wrap validateSession() in withBypassRLS() (joins RLS-protected users)
- Keep existing tenantId where-clause filters as optimization layer
- Add postgresql-client to Dockerfile and auto-apply RLS via entrypoint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 22:54:26 -05:00

Pounce

An open source, self-hosted, multi-tenant kanban board.

Tech Stack

  • Frontend: SvelteKit + Svelte 5 + Tailwind CSS v4
  • Backend: SvelteKit API routes + Prisma ORM
  • Database: PostgreSQL 16
  • Real-time: Socket.IO
  • Auth: Email/password with bcrypt + session cookies
  • Deployment: Docker Compose + Portainer

Getting Started

Prerequisites

  • Node.js 22+
  • PostgreSQL 16+

Development

npm install
cp .env.example .env   # edit DATABASE_URL as needed
npm run db:push         # sync schema to database
npm run db:seed         # seed default tenant + admin user
npm run dev

Docker

docker compose up

The app will be available at http://localhost:3000.

Default Credentials

Multi-Tenancy

Pounce supports multiple tenants on a single instance. Each tenant is identified by hostname — map additional domains via the tenant_hostnames table.

License

MIT

S
Description
No description provided
Readme 1 MiB
Languages
Svelte 57.5%
TypeScript 40%
JavaScript 1.4%
CSS 0.5%
Shell 0.3%
Other 0.3%