feat(db): add role-based access grants for analytics schema#5279

Merged

maidul98 merged 5 commits into main from sanitized-infisical-db-schema on Jan 27, 2026

Conversation

@maidul98
Collaborator

## Context

This PR adds the ability to grant read access (USAGE + SELECT) on the analytics schema to a configurable PostgreSQL role after schema generation. This enables external analytics tools to query the sanitized views with a dedicated read-only database role even after each schema re-create.

### Workflow

When `GENERATE_SANITIZED_SCHEMA=true`:

1. Drop schema (before migrations) - prevents dependency conflicts so that ALTER commands don't conflict with tables that have views
2. Run migrations
3. Create schema and views
4. Grant access to role (if `SANITIZED_SCHEMA_ROLE` is configured)

### New Environment Variables

When `SANITIZED_SCHEMA_ROLE` is defined, it will grant read access to the analytics schema for the given role.

## Screenshots

N/A - Backend changes only

## Type

- [ ] Fix
- [x] Feature
- [ ] Improvement
- [ ] Breaking
- [ ] Docs
- [ ] Chore

## Checklist

- [x] Title follows the [conventional commit](https://www.conventionalcommits.org/en/v1.0.0/#summary) format
- [ ] Tested locally
- [ ] Updated docs (if needed)
- [x] Read the [contributing guide](https://infisical.com/docs/contributing/getting-started/overview)
@maidul98
Collaborator Author

maidul98 commented Jan 27, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |


@greptile-apps
Contributor

greptile-apps bot commented Jan 27, 2026

Greptile Overview

Greptile Summary

This PR adds the ability to grant read-only database access to the analytics schema via a configurable PostgreSQL role (SANITIZED_SCHEMA_ROLE). After schema generation, the system calls generateGrantReadAccessSQL() from the updated @infisical/pg-view-generator package to execute GRANT statements.

Major Changes:

  • Renamed schema from "infisical-sanitized" to "analytics"
  • Added new grantSanitizedSchemaAccess() function in sanitized-schema.ts
  • Integrated grant logic into both migration workflow paths (with/without pending migrations)
  • Added SANITIZED_SCHEMA_ROLE environment variable with zod validation
  • Bumped @infisical/pg-view-generator to v1.1.0

Critical Security Issue:

  • SQL injection vulnerability in grantSanitizedSchemaAccess() - the role parameter is not validated before being used in raw SQL execution

Additional Notes:

  • Environment variable access should use the validated config helper instead of direct process.env access
  • Consider documenting this new feature in the /docs folder for customer discoverability (per custom rule)

Confidence Score: 1/5

  • This PR contains a critical SQL injection vulnerability that must be fixed before merging
  • The grantSanitizedSchemaAccess() function accepts an unvalidated role parameter that is passed directly into raw SQL execution. This creates a severe security vulnerability where anyone who can control the SANITIZED_SCHEMA_ROLE environment variable could execute arbitrary SQL commands, potentially leading to data breaches, data loss, or complete database compromise. The codebase already demonstrates awareness of SQL injection risks (see validateGeneratedSQL() function), but this new function bypasses those protections.
  • Critical attention required for backend/src/db/sanitized-schema.ts - the SQL injection vulnerability must be patched with input validation before this can be merged safely

Important Files Changed

| Filename | Overview |
| --- | --- |
| backend/src/db/sanitized-schema.ts | Added grantSanitizedSchemaAccess() function with CRITICAL SQL injection vulnerability - role parameter needs validation before use in raw SQL |
| backend/src/auto-start-migrations.ts | Integrated role grant logic into migration workflow at two execution paths - should use validated config instead of direct env access |
| backend/src/lib/config/env.ts | Added SANITIZED_SCHEMA_ROLE environment variable definition with proper zod schema validation |
| backend/package.json | Bumped @infisical/pg-view-generator from 1.0.0 to 1.1.0 to support generateGrantReadAccessSQL() function |
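The review above flags the grant step (step 4 of the workflow in the PR description) because a role name taken from `SANITIZED_SCHEMA_ROLE` is spliced into raw SQL. The block below is an added example, not Infisical's code and not the `@infisical/pg-view-generator` implementation: it shows the two controls a defender wants on that path, an allowlist check on the role name (what a zod schema for the variable could enforce) and PostgreSQL identifier quoting, and it returns the `GRANT USAGE` / `GRANT SELECT` statements the PR describes. The function and constant names (`isValidRoleName`, `quoteIdent`, `buildGrantReadAccessSQL`, `grantStatementsFromEnv`, `ROLE_NAME_PATTERN`) are this example's own; only the schema name `analytics` and the variable `SANITIZED_SCHEMA_ROLE` come from the PR.

```typescript
// Added example (not Infisical's code): assemble the read-access GRANTs for the
// analytics schema so that the configured role name can never alter the SQL.
// Layer 1: allowlist the role name. Layer 2: quote it as an identifier anyway.

// Schema name used by the PR after the rename from "infisical-sanitized".
const SCHEMA_NAME = "analytics";

// Conservative identifier allowlist: a PostgreSQL identifier starts with a
// letter or underscore, continues with letters, digits, underscores or dollar
// signs, and is at most 63 characters (NAMEDATALEN - 1) without quoting.
const ROLE_NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_$]{0,62}$/;

function isValidRoleName(role: string): boolean {
  return ROLE_NAME_PATTERN.test(role);
}

// Quote a PostgreSQL identifier: wrap in double quotes and double every
// embedded double quote, the same rule quote_ident() applies server-side.
// NUL bytes cannot appear in identifiers at all, so reject them outright.
function quoteIdent(name: string): string {
  if (name.includes("\0")) {
    throw new Error("identifier contains a NUL byte");
  }
  return `"${name.replace(/"/g, '""')}"`;
}

interface GrantOptions {
  role: string;
  schema?: string; // defaults to SCHEMA_NAME
}

// Statements to run after the views have been (re)created. The allowlist is
// checked before any SQL is assembled; quoting is defence in depth in case the
// allowlist is ever loosened to admit mixed-case or punctuated role names.
// "ALL TABLES IN SCHEMA" covers views as well as tables in PostgreSQL.
function buildGrantReadAccessSQL(opts: GrantOptions): string[] {
  const schema = opts.schema ?? SCHEMA_NAME;
  if (!isValidRoleName(opts.role)) {
    throw new Error(
      `SANITIZED_SCHEMA_ROLE is not a valid PostgreSQL role name: ${JSON.stringify(opts.role)}`
    );
  }
  if (!isValidRoleName(schema)) {
    throw new Error(`invalid schema name: ${JSON.stringify(schema)}`);
  }
  const s = quoteIdent(schema);
  const r = quoteIdent(opts.role);
  return [
    `GRANT USAGE ON SCHEMA ${s} TO ${r};`,
    `GRANT SELECT ON ALL TABLES IN SCHEMA ${s} TO ${r};`,
  ];
}

// Mirrors the "only when configured" behaviour from the PR: an unset or blank
// SANITIZED_SCHEMA_ROLE means the grant step is skipped entirely.
function grantStatementsFromEnv(env: Record<string, string | undefined>): string[] {
  const role = env.SANITIZED_SCHEMA_ROLE?.trim();
  if (!role) {
    return [];
  }
  return buildGrantReadAccessSQL({ role });
}

// Constructed sample configuration (not a real deployment value).
const sampleEnv = { SANITIZED_SCHEMA_ROLE: "analytics_reader" };
for (const stmt of grantStatementsFromEnv(sampleEnv)) {
  console.log(stmt);
}
```

Because the schema is dropped and recreated on every run, these statements belong after view creation in the same run, which is where the PR places step 4; a value that fails the allowlist aborts the grant step with a clear error instead of reaching the database.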

@greptile-apps greptile-apps bot left a comment

3 files reviewed, 3 comments


maidul98 and others added 3 commits January 27, 2026 00:32
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@maidul98 maidul98 merged commit 2ae0949 into main Jan 27, 2026
10 checks passed