@gencow/core 0.1.21 → 0.1.23

package/src/__tests__/reactive.test.ts

@@ -294,3 +294,164 @@ describe("mutation(name, def) — query와 동일 패턴", () => {
         console.warn = originalWarn;
     });
 });
+
+// ─── _flushRefresh — buildCtxForRefresh 통합 테스트 ──────────────────────────
+
+describe("_flushRefresh() — query re-run via buildCtxForRefresh", () => {
+
+    it("buildCtxForRefresh 전달 시 query handler가 정상 ctx로 re-run된다", async () => {
+        // 테스트용 query 등록
+        const testQueryKey = "flush.test.rerun";
+        const handler = mock(async (ctx: any) => {
+            // ctx.db가 존재하는지 확인 (이전 버그: ctx = {} → crash)
+            if (!ctx.db) throw new Error("ctx.db is undefined!");
+            return [{ id: 1, count: ctx.db.mockValue }];
+        });
+
+        query(testQueryKey, { public: true, handler });
+
+        // buildCtxForRefresh 콜백 제공
+        const mockDb = { mockValue: 42 };
+        const rt = buildRealtimeCtx({
+            buildCtxForRefresh: () => ({
+                db: mockDb,
+                auth: { getUserIdentity: () => null, requireAuth: () => { throw new Error(); } },
+                realtime: { emit: () => {}, refresh: () => {} },
+            } as any),
+        });
+
+        rt.refresh(testQueryKey);
+        await rt._flushRefresh();
+
+        // handler가 호출됐는지 확인
+        expect(handler).toHaveBeenCalledTimes(1);
+        // ctx.db가 올바르게 전달됐는지 확인
+        const callCtx = handler.mock.calls[0][0];
+        expect(callCtx.db).toBe(mockDb);
+    });
+
+    it("buildCtxForRefresh 미전달 시 ({} as ctx) 사용 + 경고 로그 출력", async () => {
+        const testQueryKey = "flush.test.noCallback";
+        const handler = mock(async (_ctx: any) => [{ id: 1 }]);
+        query(testQueryKey, { public: true, handler });
+
+        const warnSpy = mock(() => {});
+        const originalWarn = console.warn;
+        console.warn = warnSpy;
+
+        // buildCtxForRefresh 없이 생성
+        const rt = buildRealtimeCtx();
+        rt.refresh(testQueryKey);
+        await rt._flushRefresh();
+
+        // 경고 출력 확인
+        const warnCalls = warnSpy.mock.calls.map(c => String(c[0]));
+        const hasWarning = warnCalls.some(msg =>
+            msg.includes("buildCtxForRefresh not provided")
+        );
+        expect(hasWarning).toBe(true);
+
+        console.warn = originalWarn;
+    });
+
+    it("refresh 결과가 WS 구독자에게 query:updated로 push된다", async () => {
+        const testQueryKey = "flush.test.push";
+        const freshData = [{ id: 99, name: "Refreshed" }];
+        query(testQueryKey, {
+            public: true,
+            handler: async () => freshData,
+        });
+
+        const ws = makeMockWs();
+        subscribe(testQueryKey, ws);
+
+        const rt = buildRealtimeCtx({
+            buildCtxForRefresh: () => ({
+                db: {},
+                auth: { getUserIdentity: () => null, requireAuth: () => { throw new Error(); } },
+                realtime: { emit: () => {}, refresh: () => {} },
+            } as any),
+        });
+
+        rt.refresh(testQueryKey);
+        await rt._flushRefresh();
+
+        // 50ms debounce 대기
+        await new Promise(r => setTimeout(r, 80));
+
+        expect(ws._sent.length).toBeGreaterThanOrEqual(1);
+        const msg = JSON.parse(ws._sent[ws._sent.length - 1]);
+        expect(msg.type).toBe("query:updated");
+        expect(msg.query).toBe(testQueryKey);
+        expect(msg.data).toEqual(freshData);
+
+        deregisterClient(ws);
+    });
+
+    it("httpCallback 모드에서 refresh 결과가 callback으로 전달된다", async () => {
+        const testQueryKey = "flush.test.http";
+        const freshData = [{ id: 77, title: "HTTP Push" }];
+        query(testQueryKey, {
+            public: true,
+            handler: async () => freshData,
+        });
+
+        const httpCallback = mock((_event: any) => {});
+
+        const rt = buildRealtimeCtx({
+            httpCallback,
+            buildCtxForRefresh: () => ({
+                db: {},
+                auth: { getUserIdentity: () => null, requireAuth: () => { throw new Error(); } },
+                realtime: { emit: () => {}, refresh: () => {} },
+            } as any),
+        });
+
+        rt.refresh(testQueryKey);
+        await rt._flushRefresh();
+
+        expect(httpCallback).toHaveBeenCalledTimes(1);
+        const event = httpCallback.mock.calls[0][0];
+        expect(event.type).toBe("emit");
+        expect(event.queryKey).toBe(testQueryKey);
+        expect(event.data).toEqual(freshData);
+    });
+
+    it("flush 후 _pendingRefresh가 비워진다", async () => {
+        const testQueryKey = "flush.test.clear";
+        query(testQueryKey, { public: true, handler: async () => [] });
+
+        const rt = buildRealtimeCtx({
+            buildCtxForRefresh: () => ({
+                db: {},
+                auth: { getUserIdentity: () => null, requireAuth: () => { throw new Error(); } },
+                realtime: { emit: () => {}, refresh: () => {} },
+            } as any),
+        });
+
+        rt.refresh(testQueryKey);
+        expect(rt._pendingRefresh).toHaveLength(1);
+
+        await rt._flushRefresh();
+        expect(rt._pendingRefresh).toHaveLength(0);
+    });
+
+    it("미등록 queryKey refresh는 무시되고 경고 출력", async () => {
+        const warnSpy = mock(() => {});
+        const originalWarn = console.warn;
+        console.warn = warnSpy;
+
+        const rt = buildRealtimeCtx({
+            buildCtxForRefresh: () => ({} as any),
+        });
+        rt.refresh("nonexistent.query.key.xyz");
+        await rt._flushRefresh();
+
+        const hasWarning = warnSpy.mock.calls.some(c =>
+            String(c[0]).includes("query not found in registry")
+        );
+        expect(hasWarning).toBe(true);
+
+        console.warn = originalWarn;
+    });
+});

package/src/__tests__/rls-crud-basic.test.ts

@@ -5,131 +5,39 @@
  * filled by drizzle-seed’s same per-type generators as `seed()` (see `fillPartialRowsForInsert`).
  *
  * Migrations run as the PGlite bootstrap user (table owner). We then create `gencow_rls_app` and
- * `SET ROLE` so the session is non-owner → RLS policies apply. `createRlsDb` + crud’s use of
- * `db.transaction` sets `app.current_user_id` per operation.
+ * `SET ROLE` so the session is non-owner → RLS policies apply. `createRlsDb` injects
+ * `app.current_user_id` for every query path (including bare `select()` / `execute()`).
  * We rely on `current_setting('app.current_user_id', true)` (missing_ok=true): this avoids
  * missing-GUC errors before `set_config` and keeps PGlite behavior aligned with PostgreSQL.
  *
  * Run: bun test packages/core/src/__tests__/rls-crud-basic.test.ts
  */
 
-import {
-  describe,
-  it,
-  expect,
-  beforeAll,
-  afterAll,
-} from "bun:test";
-import { dirname, join } from "path";
-import { fileURLToPath } from "url";
-import type { InferSelectModel } from "drizzle-orm";
+import { describe, it, expect, beforeAll, afterAll } from "bun:test";
+import { eq, type InferSelectModel } from "drizzle-orm";
 import { PGlite } from "@electric-sql/pglite";
 import { drizzle } from "drizzle-orm/pglite";
-import { crud } from "../crud";
-import type { UserIdentity } from "../reactive";
-import { tasks, user } from "./fixtures/basic/schema";
+import { crud } from "../crud.js";
+import { createRlsDb } from "../rls-db.js";
+import { tasks } from "./fixtures/basic/schema.js";
 import {
-  createPgliteRlsAppRole,
-  DEFAULT_PGLITE_RLS_APP_ROLE,
-  setPgliteSessionRole,
-} from "./helpers/pglite-rls-session";
-import { loadAndApplyMigrations } from "./helpers/pglite-migrations";
-import { fillPartialRowsForInsert } from "./helpers/seed-like-fill";
+  basicFixtureUsers as fixtureUsers,
+  basicFixtureTasks as fixtureTasks,
+  basicUser0Identity as user0Identity,
+  basicUser1Identity as user1Identity,
+  createBasicRlsEnvironment,
+} from "./helpers/basic-rls-fixture.js";
 import {
   makeTestGencowCtxWithRls,
   runWithRollbackTestGencowCtxWithRls,
-} from "./helpers/test-gencow-ctx-rls";
-
-const __dirname = dirname(fileURLToPath(import.meta.url));
-
-const fixtureUsers = [
-  { id: "us_000", name: "User 0", email: "user-0@s.com", emailVerified: true },
-  { id: "us_001", name: "User 1", email: "user-1@s.com", emailVerified: true },
-];
-
-/** Realistic titles; "Project Alpha" appears on two rows for us_000 and one for us_001 (RLS). */
-const fixtureTasks = [
-  {
-    id: "tk-000",
-    userId: fixtureUsers[0].id,
-    done: false,
-    title: "Project Alpha — Q4 review prep",
-  },
-  {
-    id: "tk-001",
-    userId: fixtureUsers[1].id,
-    done: true,
-    title: "Project Alpha — teammate handoff",
-  },
-  {
-    id: "tk-002",
-    userId: fixtureUsers[0].id,
-    done: false,
-    title: "Project Alpha — backlog grooming",
-  },
-  {
-    id: "tk-003",
-    userId: fixtureUsers[0].id,
-    done: false,
-    title: "Quarterly planning — Q4",
-  },
-  {
-    id: "tk-004",
-    userId: fixtureUsers[1].id,
-    done: false,
-    title: "Project Beta — API docs",
-  },
-  {
-    id: "tk-005",
-    userId: fixtureUsers[1].id,
-    done: false,
-    title: "Project Gamma — research notes",
-  },
-  {
-    id: "tk-006",
-    userId: fixtureUsers[0].id,
-    done: false,
-    title: "Project Beta — spike",
-  },
-];
-
-const user0Identity = {
-  id: fixtureUsers[0].id,
-  email: fixtureUsers[0].email,
-} satisfies UserIdentity;
-
-const user1Identity = {
-  id: fixtureUsers[1].id,
-  email: fixtureUsers[1].email,
-} satisfies UserIdentity;
+} from "./helpers/test-gencow-ctx-rls.js";
 
 type TaskRow = InferSelectModel<typeof tasks>;
 type CrudDefs = ReturnType<typeof crud<typeof tasks>>;
 type TaskListResult = { data: TaskRow[]; total: number };
 
-async function seedBasicFixtures(db: ReturnType<typeof drizzle>) {
-  await db.insert(user).values(fillPartialRowsForInsert(user, fixtureUsers));
-  const taskRows = fillPartialRowsForInsert(
-    tasks,
-    fixtureTasks
-  ) as TaskRow[];
-  await db.insert(tasks).values(taskRows);
-  return taskRows;
-}
-
 async function createSeededCrudEnv() {
-  const client = new PGlite();
-  await client.waitReady;
-  await loadAndApplyMigrations(
-    client,
-    join(__dirname, "fixtures/basic/migrations")
-  );
-  const db = drizzle(client);
-  const taskRows = await seedBasicFixtures(db);
-  await createPgliteRlsAppRole(client, {
-    roleName: DEFAULT_PGLITE_RLS_APP_ROLE,
-  });
-  await setPgliteSessionRole(client, DEFAULT_PGLITE_RLS_APP_ROLE);
+  const { client, db, taskRows } = await createBasicRlsEnvironment();
 
   const defs = crud(tasks, {
     prefix: "fixture_basic_pglite_tasks",
@@ -187,78 +95,116 @@ describe("fixtures/basic + PGlite + CRUD + RLS", () => {
     }
   });
 
+  it("createRlsDb: bare select() applies RLS without explicit db.transaction", async () => {
+    const scoped = createRlsDb(db as any, {
+      userId: user0Identity.id,
+      role: "user",
+      tenantId: "tenant_fixture",
+      vars: { "app.note": "ok" },
+    });
+    const otherUserRows = await scoped
+      .select()
+      .from(tasks)
+      .where(eq(tasks.userId, fixtureUsers[1].id));
+    expect(otherUserRows.length).toBe(0);
+
+    const ownRows = await scoped
+      .select()
+      .from(tasks)
+      .where(eq(tasks.userId, user0Identity.id));
+    expect(ownRows.length).toBe(
+      seededTaskRows.filter((r) => r.userId === user0Identity.id).length
+    );
+  });
+
   it("tasks.list returns only the current user (us_000) rows per RLS and total matches", async () => {
     expect(listDef).toBeDefined();
 
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const listResult = await listHandler(ctx, {});
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (ctx) => {
+        const listResult = await listHandler(ctx, {});
 
-      const expected = seededTaskRows.filter(
-        (r) => r.userId === fixtureUsers[0].id
-      );
+        const expected = seededTaskRows.filter(
+          (r) => r.userId === fixtureUsers[0].id
+        );
 
-      expect(listResult).toHaveProperty("data");
-      expect(listResult).toHaveProperty("total");
-      expect(listResult.total).toBe(expected.length);
+        expect(listResult).toHaveProperty("data");
+        expect(listResult).toHaveProperty("total");
+        expect(listResult.total).toBe(expected.length);
 
-      const rows = listResult.data;
+        const rows = listResult.data;
 
-      const byId = new Map(rows.map((r) => [r.id, r]));
-      expect(byId.size).toBe(expected.length);
+        const byId = new Map(rows.map((r) => [r.id, r]));
+        expect(byId.size).toBe(expected.length);
 
-      for (const seeded of expected) {
-        const row = byId.get(seeded.id);
-        expect(row).toBeDefined();
-        expect(row!.id).toBe(seeded.id);
-        expect(row!.userId).toBe(seeded.userId);
-        expect(row!.done).toBe(seeded.done);
-        expect(row!.title).toBe(seeded.title);
+        for (const seeded of expected) {
+          const row = byId.get(seeded.id);
+          expect(row).toBeDefined();
+          expect(row!.id).toBe(seeded.id);
+          expect(row!.userId).toBe(seeded.userId);
+          expect(row!.done).toBe(seeded.done);
+          expect(row!.title).toBe(seeded.title);
+        }
       }
-    });
+    );
   });
 
   it("search parameter applies to title/description ilike search", async () => {
     expect(listDef).toBeDefined();
 
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const sharedSubstring = "Project Alpha";
-      const expectedForUser0 = seededTaskRows.filter(
-        (r) =>
-          r.userId === user0Identity.id &&
-          r.title.toLowerCase().includes(sharedSubstring.toLowerCase())
-      );
-      expect(expectedForUser0.length).toBe(2);
-
-      const result = await listHandler(ctx, { search: sharedSubstring });
-      const rows = result.data;
-      expect(rows.length).toBe(expectedForUser0.length);
-
-      const byId = new Map(rows.map((r) => [r.id, r]));
-      for (const seeded of expectedForUser0) {
-        expect(byId.get(seeded.id)?.title).toBe(seeded.title);
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (ctx) => {
+        const sharedSubstring = "Project Alpha";
+        const expectedForUser0 = seededTaskRows.filter(
+          (r) =>
+            r.userId === user0Identity.id &&
+            r.title.toLowerCase().includes(sharedSubstring.toLowerCase())
+        );
+        expect(expectedForUser0.length).toBe(2);
+
+        const result = await listHandler(ctx, { search: sharedSubstring });
+        const rows = result.data;
+        expect(rows.length).toBe(expectedForUser0.length);
+
+        const byId = new Map(rows.map((r) => [r.id, r]));
+        for (const seeded of expectedForUser0) {
+          expect(byId.get(seeded.id)?.title).toBe(seeded.title);
+        }
       }
-    });
+    );
   });
 
   it("tasks.get succeeds when current user reads own task", async () => {
     const ownTaskId = "tk-003";
 
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const task = await getHandler(ctx, { id: ownTaskId });
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (ctx) => {
+        const task = await getHandler(ctx, { id: ownTaskId });
 
-      expect(task).toBeDefined();
-      expect(task?.id).toBe(ownTaskId);
-      expect(task?.userId).toBe(user0Identity.id);
-    });
+        expect(task).toBeDefined();
+        expect(task?.id).toBe(ownTaskId);
+        expect(task?.userId).toBe(user0Identity.id);
+      }
+    );
   });
 
   it("tasks.get fails when current user tries to read another user's task", async () => {
     const user1TaskId = "tk-001";
 
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const task = await getHandler(ctx, { id: user1TaskId });
-      expect(task).toBeNull();
-    });
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (ctx) => {
+        const task = await getHandler(ctx, { id: user1TaskId });
+        expect(task).toBeNull();
+      }
+    );
   });
 
   it("tasks.update succeeds when updating a task owned by current user", async () => {
@@ -335,16 +281,23 @@ describe("fixtures/basic + PGlite + CRUD + RLS", () => {
       db,
       user0Identity,
       async (user0Ctx) => {
-        await expect(
-          createHandler(user0Ctx, {
+        let thrown: unknown;
+        try {
+          await createHandler(user0Ctx, {
             id: unauthorizedTaskId,
             userId: user1Identity.id,
             title: "Unauthorized create attempt",
             done: false,
-          })
-        ).rejects.toThrow();
-
-        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+          });
+        } catch (e) {
+          thrown = e;
+        }
+        expect(thrown).toBeInstanceOf(Error);
+
+        const user1Ctx = makeTestGencowCtxWithRls(
+          user0Ctx.unsafeDb as any,
+          user1Identity
+        );
         const after = await getHandler(user1Ctx, { id: unauthorizedTaskId });
         expect(after).toBeNull();
       }
@@ -357,7 +310,10 @@ describe("fixtures/basic + PGlite + CRUD + RLS", () => {
       db,
       user0Identity,
       async (user0Ctx) => {
-        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+        const user1Ctx = makeTestGencowCtxWithRls(
+          user0Ctx.unsafeDb as any,
+          user1Identity
+        );
 
         const before = await getHandler(user1Ctx, {
           id: user1TaskId,
@@ -410,7 +366,10 @@ describe("fixtures/basic + PGlite + CRUD + RLS", () => {
       db,
       user0Identity,
       async (user0Ctx) => {
-        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+        const user1Ctx = makeTestGencowCtxWithRls(
+          user0Ctx.unsafeDb as any,
+          user1Identity
+        );
 
         const before = await getHandler(user1Ctx, { id: user1TaskId });
         expect(before).toBeDefined();

package/src/__tests__/rls-crud-no-owner-rls-pglite.test.ts

@@ -0,0 +1,117 @@
+/**
+ * `news` has **no** `ownerRls()` and **no** PostgreSQL RLS (`fixtures/basic/migrations/0001_news.sql`).
+ * `crud(news, { public: true })` keeps legacy behavior: no Layer-1 owner filter on list/get/update/remove.
+ *
+ * Complements mock-based `crud-owner-rls.test.ts` (“하위호환”) with PGlite + non-owner session.
+ *
+ * Run: bun test packages/core/src/__tests__/rls-crud-no-owner-rls-pglite.test.ts
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from "bun:test";
+
+import { crud } from "../crud.js";
+import { createRlsDb } from "../rls-db.js";
+import { news } from "./fixtures/basic/schema.js";
+import {
+    assertTableRowLevelSecurityDisabled,
+    basicUser0Identity,
+    basicUser1Identity,
+    createBasicRlsEnvironment,
+} from "./helpers/basic-rls-fixture.js";
+import {
+    makeTestGencowCtxWithRls,
+    runWithRollbackTestGencowCtxWithRls,
+} from "./helpers/test-gencow-ctx-rls.js";
+
+describe("crud + PGlite: news without ownerRls, public crud", () => {
+    let client: import("@electric-sql/pglite").PGlite;
+    let db: ReturnType<typeof import("drizzle-orm/pglite").drizzle>;
+    let listHandler: (ctx: unknown, args: unknown) => Promise<{ data: unknown[]; total: number }>;
+    let getHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
+    let createHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
+    let updateHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
+    let removeHandler: (ctx: unknown, args: unknown) => Promise<{ success: boolean }>;
+
+    beforeAll(async () => {
+        const env = await createBasicRlsEnvironment();
+        client = env.client;
+        db = env.db;
+
+        const defs = crud(news, {
+            prefix: "fixture_basic_news",
+            public: true,
+            defaultLimit: 50,
+        });
+        listHandler = defs.list!.handler as (typeof listHandler);
+        getHandler = defs.get!.handler as (typeof getHandler);
+        createHandler = defs.create!.handler as (typeof createHandler);
+        updateHandler = defs.update!.handler as (typeof updateHandler);
+        removeHandler = defs.remove!.handler as (typeof removeHandler);
+    });
+
+    afterAll(async () => {
+        try {
+            await client.close();
+        } catch {
+            /* ignore */
+        }
+    });
+
+    it("list: authenticated user sees all rows (no owner filter)", async () => {
+        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const result = await listHandler(ctx, {});
+        expect(result.total).toBe(2);
+        expect(result.data).toHaveLength(2);
+        const ids = new Set(result.data.map((r: any) => r.id));
+        expect(ids.has("nw-000")).toBe(true);
+        expect(ids.has("nw-001")).toBe(true);
+    });
+
+    it("get: can read another user row by id (no owner filter)", async () => {
+        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const row = await getHandler(ctx, { id: "nw-001" });
+        expect(row).not.toBeNull();
+        expect((row as any).userId).toBe(basicUser1Identity.id);
+    });
+
+    it("createRlsDb + bare select: no DB policies — still full table visibility", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+        });
+        const rows = await scoped.select().from(news);
+        expect(rows.length).toBe(2);
+    });
+
+    it("create: with public crud, pass userId explicitly (no auth-based auto-inject)", async () => {
+        await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+            const created = await createHandler(ctx, {
+                id: "nw-created",
+                title: "new row",
+                userId: basicUser0Identity.id,
+            });
+            expect((created as any).userId).toBe(basicUser0Identity.id);
+        });
+    });
+
+    it("update: can change another user row by id (no owner WHERE)", async () => {
+        await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+            const updated = await updateHandler(ctx, {
+                id: "nw-001",
+                title: "touched by user0",
+            });
+            expect((updated as any).title).toBe("touched by user0");
+        });
+    });
+
+    it("remove: can delete another user row by id (no owner WHERE)", async () => {
+        await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+            await removeHandler(ctx, { id: "nw-001" });
+            const after = await getHandler(ctx, { id: "nw-001" });
+            expect(after).toBeNull();
+        });
+    });
+
+    it("pg_catalog: news has row security disabled", async () => {
+        await assertTableRowLevelSecurityDisabled(db, news);
+    });
+});