GT AI OS Community Edition v2.0.33

Security hardening release addressing CodeQL and Dependabot alerts:

- Fix stack trace exposure in error responses
- Add SSRF protection with DNS resolution checking
- Implement proper URL hostname validation (replaces substring matching)
- Add centralized path sanitization to prevent path traversal
- Fix ReDoS vulnerability in email validation regex
- Improve HTML sanitization in validation utilities
- Fix capability wildcard matching in auth utilities
- Update glob dependency to address CVE
- Add CodeQL suppression comments for verified false positives

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/postgresql/unified/01-create-tenant-roles.sql

@@ -0,0 +1,62 @@
+-- GT 2.0 Tenant Cluster Role Creation Script
+-- Creates PostgreSQL roles for tenant cluster (including replication)
+-- Runs in tenant postgres container only
+
+-- Enable logging
+\set ON_ERROR_STOP on
+\set ECHO all
+
+-- Create replication user for High Availability
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'replicator') THEN
+        CREATE ROLE replicator WITH REPLICATION PASSWORD 'tenant_replicator_dev_password' LOGIN;
+        RAISE NOTICE 'Created replicator role for HA cluster';
+    ELSE
+        RAISE NOTICE 'Replicator role already exists';
+    END IF;
+END $$;
+
+-- Create application user for tenant backend connections (legacy)
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'gt2_app') THEN
+        CREATE ROLE gt2_app LOGIN PASSWORD 'gt2_app_password';
+        RAISE NOTICE 'Created gt2_app role for tenant backend';
+    ELSE
+        RAISE NOTICE 'gt2_app role already exists';
+    END IF;
+END $$;
+
+-- Create tenant user for tenant database operations (current)
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'gt2_tenant_user') THEN
+        CREATE ROLE gt2_tenant_user LOGIN PASSWORD 'gt2_tenant_dev_password';
+        RAISE NOTICE 'Created gt2_tenant_user role for tenant operations';
+    ELSE
+        RAISE NOTICE 'gt2_tenant_user role already exists';
+    END IF;
+END $$;
+
+-- Set default search_path for gt2_tenant_user role
+-- This ensures all connections automatically use tenant_test_company schema
+ALTER ROLE gt2_tenant_user SET search_path TO tenant_test_company, public;
+
+-- Grant database connection permissions (only on gt2_tenants which exists in tenant container)
+GRANT CONNECT ON DATABASE gt2_tenants TO gt2_app;
+GRANT CONNECT ON DATABASE gt2_tenants TO gt2_tenant_user;
+GRANT CONNECT ON DATABASE gt2_tenants TO replicator;
+
+-- Log completion
+DO $$
+BEGIN
+    RAISE NOTICE '=== GT 2.0 TENANT CLUSTER ROLE CREATION ===';
+    RAISE NOTICE 'Roles created:';
+    RAISE NOTICE '  - replicator (for HA replication)';
+    RAISE NOTICE '  - gt2_app (tenant backend - legacy)';
+    RAISE NOTICE '  - gt2_tenant_user (tenant operations - current)';
+    RAISE NOTICE 'Permissions granted on:';
+    RAISE NOTICE '  - gt2_tenants database';
+    RAISE NOTICE '==========================================';
+END $$;