@gencow/core 0.1.21 → 0.1.23

package/src/__tests__/rls-custom-mutation-handlers.test.ts

@@ -0,0 +1,189 @@
+/**
+ * Custom **mutation** handlers (not `crud()` factory) that use `ctx.db` must respect RLS
+ * (update/delete/insert withCheck).
+ *
+ * Run: bun test packages/core/src/__tests__/rls-custom-mutation-handlers.test.ts
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from "bun:test";
+import { eq } from "drizzle-orm";
+import { PGlite } from "@electric-sql/pglite";
+import { drizzle } from "drizzle-orm/pglite";
+
+import type { GencowCtx } from "../reactive.js";
+import { tasks } from "./fixtures/basic/schema.js";
+import {
+  basicFixtureUsers,
+  basicUser0Identity,
+  basicUser1Identity,
+  createBasicRlsEnvironment,
+} from "./helpers/basic-rls-fixture.js";
+import { fillPartialRowsForInsert } from "./helpers/seed-like-fill.js";
+import {
+  makeTestGencowCtxWithRls,
+  runWithRollbackTestGencowCtxWithRls,
+} from "./helpers/test-gencow-ctx-rls.js";
+
+/** User-defined mutation: update title by task id. */
+async function customMutationUpdateTitle(
+  ctx: GencowCtx,
+  taskId: string,
+  title: string
+) {
+  return ctx.db
+    .update(tasks)
+    .set({ title, updatedAt: new Date() })
+    .where(eq(tasks.id, taskId))
+    .returning();
+}
+
+/** User-defined mutation: delete by id. */
+async function customMutationDeleteById(ctx: GencowCtx, taskId: string) {
+  return ctx.db.delete(tasks).where(eq(tasks.id, taskId)).returning();
+}
+
+/** User-defined mutation: insert a new task for the current user (caller supplies logical fields). */
+async function customMutationInsertTask(
+  ctx: GencowCtx,
+  values: { id: string; title: string; userId: string; done?: boolean }
+) {
+  const [row] = fillPartialRowsForInsert(tasks, [
+    {
+      id: values.id,
+      title: values.title,
+      userId: values.userId,
+      done: values.done ?? false,
+    },
+  ]);
+  return ctx.db.insert(tasks).values(row).returning();
+}
+
+describe("Custom mutation handlers + ctx.db + RLS", () => {
+  let client: PGlite;
+  let db: ReturnType<typeof drizzle>;
+
+  beforeAll(async () => {
+    const env = await createBasicRlsEnvironment();
+    client = env.client;
+    db = env.db;
+  });
+
+  afterAll(async () => {
+    try {
+      await client.close();
+    } catch {
+      /* ignore */
+    }
+  });
+
+  it("custom update: can change own task", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const updated = await customMutationUpdateTitle(
+          ctx,
+          "tk-003",
+          "Updated by custom handler"
+        );
+        expect(updated.length).toBe(1);
+        expect(updated[0]!.title).toBe("Updated by custom handler");
+      }
+    );
+  });
+
+  it("custom update: cannot modify another user's task (0 rows)", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const updated = await customMutationUpdateTitle(
+          ctx,
+          "tk-001",
+          "Should not apply"
+        );
+        expect(updated.length).toBe(0);
+      }
+    );
+  });
+
+  it("custom delete: can remove own task", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const removed = await customMutationDeleteById(ctx, "tk-000");
+        expect(removed.length).toBe(1);
+      }
+    );
+  });
+
+  it("custom delete: cannot remove another user's task (0 rows)", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const removed = await customMutationDeleteById(ctx, "tk-004");
+        expect(removed.length).toBe(0);
+      }
+    );
+  });
+
+  it("custom insert: succeeds when userId matches session", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const inserted = await customMutationInsertTask(ctx, {
+          id: "tk-custom-own",
+          title: "Custom insert OK",
+          userId: basicUser0Identity.id,
+        });
+        expect(inserted.length).toBe(1);
+        expect(inserted[0]!.userId).toBe(basicUser0Identity.id);
+      }
+    );
+  });
+
+  it("custom insert: forged userId (another user) violates RLS withCheck", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        let thrown: unknown;
+        try {
+          await customMutationInsertTask(ctx, {
+            id: "tk-custom-forge",
+            title: "Forged owner",
+            userId: basicFixtureUsers[1].id,
+          });
+        } catch (e) {
+          thrown = e;
+        }
+        expect(thrown).toBeInstanceOf(Error);
+      }
+    );
+  });
+
+  it("nested db.transaction in custom handler still applies RLS on inner selects", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const inner = await ctx.db.transaction(async (tx: typeof ctx.db) => {
+          return tx
+            .select()
+            .from(tasks)
+            .where(eq(tasks.userId, basicFixtureUsers[1].id));
+        });
+        expect(inner.length).toBe(0);
+      }
+    );
+  });
+
+  it("direct ctx.db without outer rollback wrapper: mutation still RLS-scoped", async () => {
+    const ctx = makeTestGencowCtxWithRls(db, basicUser1Identity);
+    const updated = await customMutationUpdateTitle(ctx, "tk-000", "hax");
+    expect(updated.length).toBe(0);
+  });
+});

package/src/__tests__/rls-custom-query-handlers.test.ts

@@ -0,0 +1,128 @@
+/**
+ * Custom **query** handlers (not `crud()` factory) that use `ctx.db` with Drizzle must respect RLS.
+ *
+ * Run: bun test packages/core/src/__tests__/rls-custom-query-handlers.test.ts
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from "bun:test";
+import { eq, sql } from "drizzle-orm";
+import { PGlite } from "@electric-sql/pglite";
+import { drizzle } from "drizzle-orm/pglite";
+
+import type { GencowCtx } from "../reactive.js";
+import { tasks } from "./fixtures/basic/schema.js";
+import type { BasicTaskRow } from "./helpers/basic-rls-fixture.js";
+import {
+    basicFixtureTasks,
+    basicFixtureUsers,
+    basicUser0Identity,
+    basicUser1Identity,
+    createBasicRlsEnvironment,
+} from "./helpers/basic-rls-fixture.js";
+import { makeTestGencowCtxWithRls } from "./helpers/test-gencow-ctx-rls.js";
+
+/** Simulates a user-defined query: list all tasks the ORM can see (RLS limits rows). */
+async function customQueryListAllTasks(ctx: GencowCtx) {
+    return ctx.db.select().from(tasks);
+}
+
+/** Simulates a dashboard query with filters — still subject to RLS. */
+async function customQueryTasksMatchingTitle(ctx: GencowCtx, substring: string) {
+    return ctx.db
+        .select()
+        .from(tasks)
+        .where(sql`${tasks.title} ilike ${"%" + substring + "%"}`);
+}
+
+/** Simulates fetching a single row by id (e.g. detail view). */
+async function customQueryTaskById(ctx: GencowCtx, id: string) {
+    const rows = await ctx.db.select().from(tasks).where(eq(tasks.id, id));
+    return rows[0] ?? null;
+}
+
+/** Raw SQL count — must run with RLS session vars on the same connection semantics as ORM builders. */
+async function customQueryTaskCountRaw(ctx: GencowCtx) {
+    const r = await ctx.db.execute(sql`select count(*)::int as c from ${tasks}`);
+    const rows = r.rows as { c: number }[];
+    return rows[0]?.c ?? 0;
+}
+
+describe("Custom query handlers + ctx.db + RLS", () => {
+    let client: PGlite;
+    let db: ReturnType<typeof drizzle>;
+
+    beforeAll(async () => {
+        const env = await createBasicRlsEnvironment();
+        client = env.client;
+        db = env.db;
+    });
+
+    afterAll(async () => {
+        try {
+            await client.close();
+        } catch {
+            /* ignore */
+        }
+    });
+
+    it("custom list: user0 only sees own rows (not user1 tasks)", async () => {
+        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const rows = await customQueryListAllTasks(ctx);
+        expect(rows.every((r: BasicTaskRow) => r.userId === basicUser0Identity.id)).toBe(true);
+        const expectedOwn = basicFixtureTasks.filter((t) => t.userId === basicFixtureUsers[0].id).length;
+        expect(rows.length).toBe(expectedOwn);
+    });
+
+    it("custom list: user1 sees a different row set than user0", async () => {
+        const ctx0 = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const ctx1 = makeTestGencowCtxWithRls(db, basicUser1Identity);
+        const u0 = await customQueryListAllTasks(ctx0);
+        const u1 = await customQueryListAllTasks(ctx1);
+        const u0Ids = new Set(u0.map((r: BasicTaskRow) => r.id));
+        const u1Ids = new Set(u1.map((r: BasicTaskRow) => r.id));
+        expect(u0Ids.has("tk-001")).toBe(false);
+        expect(u1Ids.has("tk-001")).toBe(true);
+        expect(u1Ids.has("tk-000")).toBe(false);
+    });
+
+    it("custom filtered query: cannot see other user's rows even if title matches", async () => {
+        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const rows = await customQueryTasksMatchingTitle(ctx, "Project Alpha");
+        expect(rows.every((r: BasicTaskRow) => r.userId === basicUser0Identity.id)).toBe(true);
+        expect(rows.some((r: BasicTaskRow) => r.id === "tk-001")).toBe(false);
+    });
+
+    it("custom get by id: returns null for another user's task id", async () => {
+        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const row = await customQueryTaskById(ctx, "tk-001");
+        expect(row).toBeNull();
+    });
+
+    it("custom get by id: returns own task", async () => {
+        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const row = await customQueryTaskById(ctx, "tk-003");
+        expect(row).not.toBeNull();
+        expect(row!.id).toBe("tk-003");
+    });
+
+    it("raw SQL count on ctx.db matches RLS-visible rows only", async () => {
+        const ctx0 = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const ctx1 = makeTestGencowCtxWithRls(db, basicUser1Identity);
+        const c0 = await customQueryTaskCountRaw(ctx0);
+        const c1 = await customQueryTaskCountRaw(ctx1);
+        const n0 = basicFixtureTasks.filter((t) => t.userId === basicFixtureUsers[0].id).length;
+        const n1 = basicFixtureTasks.filter((t) => t.userId === basicFixtureUsers[1].id).length;
+        expect(c0).toBe(n0);
+        expect(c1).toBe(n1);
+        expect(c0 + c1).toBe(basicFixtureTasks.length);
+    });
+
+    it("unsafeDb without createRlsDb: no session GUC — owner RLS yields no visible rows", async () => {
+        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const rlsRows = await customQueryListAllTasks(ctx);
+        expect(rlsRows.length).toBeGreaterThan(0);
+
+        const raw = await ctx.unsafeDb.select().from(tasks);
+        expect(raw.length).toBe(0);
+    });
+});

package/src/__tests__/rls-db-leased-connection.test.ts

@@ -0,0 +1,122 @@
+import { describe, it, expect } from "bun:test";
+import { withRlsLeasedConnection } from "../rls-db.js";
+
+/**
+ * Mirrors production **node-pg Pool** path (`rls-db.ts` path 4): `connect()` → BEGIN →
+ * `set_config` for each RLS field → user work → COMMIT / ROLLBACK → `release()`.
+ * Real pools hit PostgreSQL; these tests assert ordering and side effects on a mock client.
+ */
+
+describe("withRlsLeasedConnection (pg Pool leased client path)", () => {
+  it("commits on success and releases exactly once", async () => {
+    const phases: string[] = [];
+    let released = 0;
+    const leased = {
+      async query(sql: string) {
+        phases.push(sql);
+        return {};
+      },
+      release() {
+        released++;
+      },
+    };
+    const result = await withRlsLeasedConnection(
+      leased,
+      { userId: "u1" },
+      async () => "done"
+    );
+    expect(result).toBe("done");
+    expect(phases[0]).toBe("begin");
+    expect(phases[phases.length - 1]).toBe("commit");
+    expect(phases).not.toContain("rollback");
+    expect(released).toBe(1);
+  });
+
+  it("rolls back when work fails and never commits", async () => {
+    const phases: string[] = [];
+    let released = 0;
+    const leased = {
+      async query(sql: string) {
+        phases.push(sql);
+        return {};
+      },
+      release() {
+        released++;
+      },
+    };
+    let thrown: unknown;
+    try {
+      await withRlsLeasedConnection(leased, { userId: "u1" }, async () => {
+        throw new Error("work failed");
+      });
+    } catch (e) {
+      thrown = e;
+    }
+    expect(thrown).toBeInstanceOf(Error);
+    expect((thrown as Error).message).toBe("work failed");
+
+    expect(phases[0]).toBe("begin");
+    expect(phases[phases.length - 1]).toBe("rollback");
+    expect(phases.includes("commit")).toBe(false);
+    expect(released).toBe(1);
+  });
+
+  it("issues set_config for userId, role, tenantId, and custom vars before commit", async () => {
+    const phases: string[] = [];
+    let released = 0;
+    const leased = {
+      async query(q: string) {
+        phases.push(q);
+        return {};
+      },
+      release() {
+        released++;
+      },
+    };
+    await withRlsLeasedConnection(
+      leased,
+      {
+        userId: "u1",
+        role: "admin",
+        tenantId: "t1",
+        vars: { "app.org_slug": "acme" },
+      },
+      async () => "ok"
+    );
+    expect(phases[0]).toBe("begin");
+    const setCalls = phases.filter((p) => p.includes("set_config"));
+    expect(setCalls.length).toBe(4);
+    expect(phases[phases.length - 1]).toBe("commit");
+    expect(released).toBe(1);
+  });
+
+  it("still rolls back and releases when commit fails after successful work", async () => {
+    const phases: string[] = [];
+    let released = 0;
+    let commitCalls = 0;
+    const leased = {
+      async query(q: string) {
+        phases.push(q);
+        if (q === "commit") {
+          commitCalls++;
+          throw new Error("commit failed");
+        }
+        return {};
+      },
+      release() {
+        released++;
+      },
+    };
+    let thrown: unknown;
+    try {
+      await withRlsLeasedConnection(leased, { userId: "u1" }, async () => "done");
+    } catch (e) {
+      thrown = e;
+    }
+    expect(thrown).toBeInstanceOf(Error);
+    expect((thrown as Error).message).toBe("commit failed");
+    expect(commitCalls).toBe(1);
+    expect(phases[phases.length - 1]).toBe("rollback");
+    expect(released).toBe(1);
+  });
+});

package/src/__tests__/rls-session-and-policies.test.ts

@@ -0,0 +1,246 @@
+/**
+ * RLS session GUCs + PostgreSQL policies — PGlite integration tests.
+ *
+ * **Parity with production (`packages/server/src/index.ts`):**
+ * - Server builds `ctx.db` with `createRlsDb(db, { userId: authCtx?.getUserIdentity()?.id || "" })`.
+ * - Tests use the same helper shape via {@link makeTestGencowCtxWithRls} (only `userId` from identity),
+ *   or `createRlsDb` directly with `role` / `tenantId` / `vars` when exercising those code paths.
+ *
+ * **Parity with PostgreSQL RLS enforcement:**
+ * - After {@link createPgliteRlsAppRole} + {@link setPgliteSessionRole}, the session runs as a
+ *   non-table-owner role, so `ENABLE ROW LEVEL SECURITY` policies apply (same as production DB users).
+ * - Policies in `fixtures/basic/migrations` use `current_setting('app.current_user_id', true)` with
+ *   `missing_ok`, matching `ownerRls()` in `rls.ts` and avoiding errors before `set_config`.
+ *
+ * **Execution paths exercised:**
+ * - **Autocommit / PGlite `transaction()`**: `makeTestGencowCtxWithRls(db)` — each statement opens a
+ *   short transaction with session GUCs (see `rls-db.ts` path 3).
+ * - **Reuse outer Drizzle transaction**: `runWithRollbackTestGencowCtxWithRls` — matches handlers that
+ *   run inside an outer `db.transaction()`; `createRlsDb` detects the tx object and applies GUCs on
+ *   the same connection without a nested top-level `BEGIN` (path 1).
+ *
+ * Run: bun test packages/core/src/__tests__/rls-session-and-policies.test.ts
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from "bun:test";
+import { eq, sql } from "drizzle-orm";
+
+import { createRlsDb } from "../rls-db.js";
+import { tasks } from "./fixtures/basic/schema.js";
+import {
+    basicFixtureTasks,
+    basicUser0Identity,
+    basicUser1Identity,
+    createBasicRlsEnvironment,
+} from "./helpers/basic-rls-fixture.js";
+import { fillPartialRowsForInsert } from "./helpers/seed-like-fill.js";
+import {
+    makeTestGencowCtxWithRls,
+    runWithRollbackTestGencowCtxWithRls,
+} from "./helpers/test-gencow-ctx-rls.js";
+
+type PgliteDb = ReturnType<typeof import("drizzle-orm/pglite").drizzle>;
+
+describe("RLS session + policies (PGlite, non-owner session)", () => {
+    let client: import("@electric-sql/pglite").PGlite;
+    let db: PgliteDb;
+
+    beforeAll(async () => {
+        const env = await createBasicRlsEnvironment();
+        client = env.client;
+        db = env.db;
+    });
+
+    afterAll(async () => {
+        try {
+            await client.close();
+        } catch {
+            /* ignore */
+        }
+    });
+
+    function expectedCountForUser(userId: string): number {
+        return basicFixtureTasks.filter((t) => t.userId === userId).length;
+    }
+
+    it("empty userId matches unauthenticated server contract — no rows visible", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: "",
+        });
+        const rows = await scoped.select().from(tasks);
+        expect(rows.length).toBe(0);
+    });
+
+    it("authenticated userId sees only own rows (policy USING)", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+        });
+        const rows = await scoped.select().from(tasks);
+        expect(rows.length).toBe(expectedCountForUser(basicUser0Identity.id));
+        expect(rows.every((r) => r.userId === basicUser0Identity.id)).toBe(true);
+    });
+
+    it("createRlsDb sets optional role and tenantId GUCs (readable via execute)", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+            role: "editor",
+            tenantId: "tenant_test",
+        });
+        const r = await scoped.execute(
+            sql`select current_setting('app.current_user_role', true) as role,
+                       current_setting('app.tenant_id', true) as tid`,
+        );
+        const row = (r as { rows: { role: string; tid: string }[] }).rows[0];
+        expect(row?.role).toBe("editor");
+        expect(row?.tid).toBe("tenant_test");
+    });
+
+    it("custom vars (validated app.* names) are applied for set_config", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+            vars: { "app.org_slug": "acme" },
+        });
+        const r = await scoped.execute(
+            sql`select current_setting('app.org_slug', true) as slug`,
+        );
+        const row = (r as { rows: { slug: string }[] }).rows[0];
+        expect(row?.slug).toBe("acme");
+    });
+
+    it("invalid GUC name in vars throws before executing SQL", async () => {
+        const bad = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+            vars: { "App.invalid": "x" },
+        });
+        await expect(Promise.resolve(bad.select().from(tasks))).rejects.toThrow(
+            /invalid/,
+        );
+    });
+
+    it("reserved keys must not appear in vars", async () => {
+        const bad = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+            vars: { "app.current_user_id": "hijack" },
+        });
+        await expect(Promise.resolve(bad.select().from(tasks))).rejects.toThrow(
+            /vars must not set/,
+        );
+    });
+
+    it("autocommit path and outer-transaction path return the same RLS-visible counts", async () => {
+        const expected = expectedCountForUser(basicUser0Identity.id);
+
+        const ctxPlain = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const plainCount = (await ctxPlain.db.select().from(tasks)).length;
+        expect(plainCount).toBe(expected);
+
+        await runWithRollbackTestGencowCtxWithRls(
+            db,
+            basicUser0Identity,
+            async (ctx) => {
+                const txCount = (await ctx.db.select().from(tasks)).length;
+                expect(txCount).toBe(expected);
+            },
+        );
+    });
+
+    it("createRlsDb(db).transaction() injects session vars — inner selects respect RLS", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+        });
+        await scoped.transaction(async (tx) => {
+            const rows = await tx.select().from(tasks);
+            expect(rows.length).toBe(expectedCountForUser(basicUser0Identity.id));
+        });
+    });
+
+    it("parallel selects on the same ctx.db both see RLS-consistent results", async () => {
+        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const expected = expectedCountForUser(basicUser0Identity.id);
+        const [a, b] = await Promise.all([
+            ctx.db.select().from(tasks),
+            ctx.db.select().from(tasks),
+        ]);
+        expect(a.length).toBe(expected);
+        expect(b.length).toBe(expected);
+    });
+
+    it("unsafeDb INSERT without session GUC fails RLS withCheck (non-owner)", async () => {
+        const [row] = fillPartialRowsForInsert(tasks, [
+            {
+                id: "tk-rls-unsafe-insert",
+                title: "should not persist",
+                userId: basicUser0Identity.id,
+                done: false,
+            },
+        ]);
+        await expect(Promise.resolve(db.insert(tasks).values(row))).rejects.toThrow();
+    });
+
+    it("unsafeDb UPDATE touches 0 rows when session GUC is unset", async () => {
+        const updated = await db
+            .update(tasks)
+            .set({ title: "nope", updatedAt: new Date() })
+            .where(eq(tasks.id, "tk-000"))
+            .returning();
+        expect(updated.length).toBe(0);
+    });
+
+    it("scoped INSERT cannot forge another user row (withCheck)", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+        });
+        const [row] = fillPartialRowsForInsert(tasks, [
+            {
+                id: "tk-forge-other",
+                title: "forged",
+                userId: basicUser1Identity.id,
+                done: false,
+            },
+        ]);
+        await expect(Promise.resolve(scoped.insert(tasks).values(row))).rejects.toThrow();
+    });
+
+    it("wrong scoped userId cannot read other user's row by primary key", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+        });
+        const rows = await scoped
+            .select()
+            .from(tasks)
+            .where(eq(tasks.id, "tk-001"));
+        expect(rows.length).toBe(0);
+    });
+
+    it("scoped UPDATE affects 0 rows for another user's task (policy USING)", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+        });
+        const updated = await scoped
+            .update(tasks)
+            .set({ title: "blocked", updatedAt: new Date() })
+            .where(eq(tasks.id, "tk-001"))
+            .returning();
+        expect(updated.length).toBe(0);
+    });
+
+    it("scoped DELETE removes 0 rows for another user's task (policy USING)", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+        });
+        const removed = await scoped.delete(tasks).where(eq(tasks.id, "tk-001")).returning();
+        expect(removed.length).toBe(0);
+    });
+
+    it("nested raw SQL count matches builder select count for same session", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+        });
+        const fromBuilder = await scoped.select().from(tasks);
+        const raw = await scoped.execute(
+            sql`select count(*)::int as c from ${tasks}`,
+        );
+        const c = (raw as { rows: { c: number }[] }).rows[0]?.c ?? -1;
+        expect(c).toBe(fromBuilder.length);
+    });
+});