@gencow/core 0.1.23 → 0.1.25

package/src/__tests__/rls-crud-no-owner-rls-pglite.test.ts

@@ -13,105 +13,105 @@ import { crud } from "../crud.js";
 import { createRlsDb } from "../rls-db.js";
 import { news } from "./fixtures/basic/schema.js";
 import {
-    assertTableRowLevelSecurityDisabled,
-    basicUser0Identity,
-    basicUser1Identity,
-    createBasicRlsEnvironment,
+  assertTableRowLevelSecurityDisabled,
+  basicUser0Identity,
+  basicUser1Identity,
+  createBasicRlsEnvironment,
 } from "./helpers/basic-rls-fixture.js";
 import {
-    makeTestGencowCtxWithRls,
-    runWithRollbackTestGencowCtxWithRls,
+  makeTestGencowCtxWithRls,
+  runWithRollbackTestGencowCtxWithRls,
 } from "./helpers/test-gencow-ctx-rls.js";
 
 describe("crud + PGlite: news without ownerRls, public crud", () => {
-    let client: import("@electric-sql/pglite").PGlite;
-    let db: ReturnType<typeof import("drizzle-orm/pglite").drizzle>;
-    let listHandler: (ctx: unknown, args: unknown) => Promise<{ data: unknown[]; total: number }>;
-    let getHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
-    let createHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
-    let updateHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
-    let removeHandler: (ctx: unknown, args: unknown) => Promise<{ success: boolean }>;
+  let client: import("@electric-sql/pglite").PGlite;
+  let db: ReturnType<typeof import("drizzle-orm/pglite").drizzle>;
+  let listHandler: (ctx: unknown, args: unknown) => Promise<{ data: unknown[]; total: number }>;
+  let getHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
+  let createHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
+  let updateHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
+  let removeHandler: (ctx: unknown, args: unknown) => Promise<{ success: boolean }>;
 
-    beforeAll(async () => {
-        const env = await createBasicRlsEnvironment();
-        client = env.client;
-        db = env.db;
+  beforeAll(async () => {
+    const env = await createBasicRlsEnvironment();
+    client = env.client;
+    db = env.db;
 
-        const defs = crud(news, {
-            prefix: "fixture_basic_news",
-            public: true,
-            defaultLimit: 50,
-        });
-        listHandler = defs.list!.handler as (typeof listHandler);
-        getHandler = defs.get!.handler as (typeof getHandler);
-        createHandler = defs.create!.handler as (typeof createHandler);
-        updateHandler = defs.update!.handler as (typeof updateHandler);
-        removeHandler = defs.remove!.handler as (typeof removeHandler);
+    const defs = crud(news, {
+      prefix: "fixture_basic_news",
+      public: true,
+      defaultLimit: 50,
     });
+    listHandler = defs.list!.handler as typeof listHandler;
+    getHandler = defs.get!.handler as typeof getHandler;
+    createHandler = defs.create!.handler as typeof createHandler;
+    updateHandler = defs.update!.handler as typeof updateHandler;
+    removeHandler = defs.remove!.handler as typeof removeHandler;
+  });
 
-    afterAll(async () => {
-        try {
-            await client.close();
-        } catch {
-            /* ignore */
-        }
-    });
+  afterAll(async () => {
+    try {
+      await client.close();
+    } catch {
+      /* ignore */
+    }
+  });
 
-    it("list: authenticated user sees all rows (no owner filter)", async () => {
-        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
-        const result = await listHandler(ctx, {});
-        expect(result.total).toBe(2);
-        expect(result.data).toHaveLength(2);
-        const ids = new Set(result.data.map((r: any) => r.id));
-        expect(ids.has("nw-000")).toBe(true);
-        expect(ids.has("nw-001")).toBe(true);
-    });
+  it("list: authenticated user sees all rows (no owner filter)", async () => {
+    const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+    const result = await listHandler(ctx, {});
+    expect(result.total).toBe(2);
+    expect(result.data).toHaveLength(2);
+    const ids = new Set(result.data.map((r: any) => r.id));
+    expect(ids.has("nw-000")).toBe(true);
+    expect(ids.has("nw-001")).toBe(true);
+  });
 
-    it("get: can read another user row by id (no owner filter)", async () => {
-        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
-        const row = await getHandler(ctx, { id: "nw-001" });
-        expect(row).not.toBeNull();
-        expect((row as any).userId).toBe(basicUser1Identity.id);
-    });
+  it("get: can read another user row by id (no owner filter)", async () => {
+    const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+    const row = await getHandler(ctx, { id: "nw-001" });
+    expect(row).not.toBeNull();
+    expect((row as any).userId).toBe(basicUser1Identity.id);
+  });
 
-    it("createRlsDb + bare select: no DB policies — still full table visibility", async () => {
-        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-        });
-        const rows = await scoped.select().from(news);
-        expect(rows.length).toBe(2);
+  it("createRlsDb + bare select: no DB policies — still full table visibility", async () => {
+    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
     });
+    const rows = await scoped.select().from(news);
+    expect(rows.length).toBe(2);
+  });
 
-    it("create: with public crud, pass userId explicitly (no auth-based auto-inject)", async () => {
-        await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-            const created = await createHandler(ctx, {
-                id: "nw-created",
-                title: "new row",
-                userId: basicUser0Identity.id,
-            });
-            expect((created as any).userId).toBe(basicUser0Identity.id);
-        });
+  it("create: with public crud, pass userId explicitly (no auth-based auto-inject)", async () => {
+    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+      const created = await createHandler(ctx, {
+        id: "nw-created",
+        title: "new row",
+        userId: basicUser0Identity.id,
+      });
+      expect((created as any).userId).toBe(basicUser0Identity.id);
     });
+  });
 
-    it("update: can change another user row by id (no owner WHERE)", async () => {
-        await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-            const updated = await updateHandler(ctx, {
-                id: "nw-001",
-                title: "touched by user0",
-            });
-            expect((updated as any).title).toBe("touched by user0");
-        });
+  it("update: can change another user row by id (no owner WHERE)", async () => {
+    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+      const updated = await updateHandler(ctx, {
+        id: "nw-001",
+        title: "touched by user0",
+      });
+      expect((updated as any).title).toBe("touched by user0");
     });
+  });
 
-    it("remove: can delete another user row by id (no owner WHERE)", async () => {
-        await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-            await removeHandler(ctx, { id: "nw-001" });
-            const after = await getHandler(ctx, { id: "nw-001" });
-            expect(after).toBeNull();
-        });
+  it("remove: can delete another user row by id (no owner WHERE)", async () => {
+    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+      await removeHandler(ctx, { id: "nw-001" });
+      const after = await getHandler(ctx, { id: "nw-001" });
+      expect(after).toBeNull();
     });
+  });
 
-    it("pg_catalog: news has row security disabled", async () => {
-        await assertTableRowLevelSecurityDisabled(db, news);
-    });
+  it("pg_catalog: news has row security disabled", async () => {
+    await assertTableRowLevelSecurityDisabled(db, news);
+  });
 });

package/src/__tests__/rls-custom-mutation-handlers.test.ts

@@ -25,16 +25,8 @@ import {
 } from "./helpers/test-gencow-ctx-rls.js";
 
 /** User-defined mutation: update title by task id. */
-async function customMutationUpdateTitle(
-  ctx: GencowCtx,
-  taskId: string,
-  title: string
-) {
-  return ctx.db
-    .update(tasks)
-    .set({ title, updatedAt: new Date() })
-    .where(eq(tasks.id, taskId))
-    .returning();
+async function customMutationUpdateTitle(ctx: GencowCtx, taskId: string, title: string) {
+  return ctx.db.update(tasks).set({ title, updatedAt: new Date() }).where(eq(tasks.id, taskId)).returning();
 }
 
 /** User-defined mutation: delete by id. */
@@ -45,7 +37,7 @@ async function customMutationDeleteById(ctx: GencowCtx, taskId: string) {
 /** User-defined mutation: insert a new task for the current user (caller supplies logical fields). */
 async function customMutationInsertTask(
   ctx: GencowCtx,
-  values: { id: string; title: string; userId: string; done?: boolean }
+  values: { id: string; title: string; userId: string; done?: boolean },
 ) {
   const [row] = fillPartialRowsForInsert(tasks, [
     {
@@ -77,108 +69,69 @@ describe("Custom mutation handlers + ctx.db + RLS", () => {
   });
 
   it("custom update: can change own task", async () => {
-    await runWithRollbackTestGencowCtxWithRls(
-      db,
-      basicUser0Identity,
-      async (ctx) => {
-        const updated = await customMutationUpdateTitle(
-          ctx,
-          "tk-003",
-          "Updated by custom handler"
-        );
-        expect(updated.length).toBe(1);
-        expect(updated[0]!.title).toBe("Updated by custom handler");
-      }
-    );
+    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+      const updated = await customMutationUpdateTitle(ctx, "tk-003", "Updated by custom handler");
+      expect(updated.length).toBe(1);
+      expect(updated[0]!.title).toBe("Updated by custom handler");
+    });
   });
 
   it("custom update: cannot modify another user's task (0 rows)", async () => {
-    await runWithRollbackTestGencowCtxWithRls(
-      db,
-      basicUser0Identity,
-      async (ctx) => {
-        const updated = await customMutationUpdateTitle(
-          ctx,
-          "tk-001",
-          "Should not apply"
-        );
-        expect(updated.length).toBe(0);
-      }
-    );
+    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+      const updated = await customMutationUpdateTitle(ctx, "tk-001", "Should not apply");
+      expect(updated.length).toBe(0);
+    });
   });
 
   it("custom delete: can remove own task", async () => {
-    await runWithRollbackTestGencowCtxWithRls(
-      db,
-      basicUser0Identity,
-      async (ctx) => {
-        const removed = await customMutationDeleteById(ctx, "tk-000");
-        expect(removed.length).toBe(1);
-      }
-    );
+    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+      const removed = await customMutationDeleteById(ctx, "tk-000");
+      expect(removed.length).toBe(1);
+    });
   });
 
   it("custom delete: cannot remove another user's task (0 rows)", async () => {
-    await runWithRollbackTestGencowCtxWithRls(
-      db,
-      basicUser0Identity,
-      async (ctx) => {
-        const removed = await customMutationDeleteById(ctx, "tk-004");
-        expect(removed.length).toBe(0);
-      }
-    );
+    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+      const removed = await customMutationDeleteById(ctx, "tk-004");
+      expect(removed.length).toBe(0);
+    });
   });
 
   it("custom insert: succeeds when userId matches session", async () => {
-    await runWithRollbackTestGencowCtxWithRls(
-      db,
-      basicUser0Identity,
-      async (ctx) => {
-        const inserted = await customMutationInsertTask(ctx, {
-          id: "tk-custom-own",
-          title: "Custom insert OK",
-          userId: basicUser0Identity.id,
-        });
-        expect(inserted.length).toBe(1);
-        expect(inserted[0]!.userId).toBe(basicUser0Identity.id);
-      }
-    );
+    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+      const inserted = await customMutationInsertTask(ctx, {
+        id: "tk-custom-own",
+        title: "Custom insert OK",
+        userId: basicUser0Identity.id,
+      });
+      expect(inserted.length).toBe(1);
+      expect(inserted[0]!.userId).toBe(basicUser0Identity.id);
+    });
   });
 
   it("custom insert: forged userId (another user) violates RLS withCheck", async () => {
-    await runWithRollbackTestGencowCtxWithRls(
-      db,
-      basicUser0Identity,
-      async (ctx) => {
-        let thrown: unknown;
-        try {
-          await customMutationInsertTask(ctx, {
-            id: "tk-custom-forge",
-            title: "Forged owner",
-            userId: basicFixtureUsers[1].id,
-          });
-        } catch (e) {
-          thrown = e;
-        }
-        expect(thrown).toBeInstanceOf(Error);
+    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+      let thrown: unknown;
+      try {
+        await customMutationInsertTask(ctx, {
+          id: "tk-custom-forge",
+          title: "Forged owner",
+          userId: basicFixtureUsers[1].id,
+        });
+      } catch (e) {
+        thrown = e;
       }
-    );
+      expect(thrown).toBeInstanceOf(Error);
+    });
   });
 
   it("nested db.transaction in custom handler still applies RLS on inner selects", async () => {
-    await runWithRollbackTestGencowCtxWithRls(
-      db,
-      basicUser0Identity,
-      async (ctx) => {
-        const inner = await ctx.db.transaction(async (tx: typeof ctx.db) => {
-          return tx
-            .select()
-            .from(tasks)
-            .where(eq(tasks.userId, basicFixtureUsers[1].id));
-        });
-        expect(inner.length).toBe(0);
-      }
-    );
+    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+      const inner = await ctx.db.transaction(async (tx: typeof ctx.db) => {
+        return tx.select().from(tasks).where(eq(tasks.userId, basicFixtureUsers[1].id));
+      });
+      expect(inner.length).toBe(0);
+    });
   });
 
   it("direct ctx.db without outer rollback wrapper: mutation still RLS-scoped", async () => {

package/src/__tests__/rls-custom-query-handlers.test.ts

@@ -13,116 +13,116 @@ import type { GencowCtx } from "../reactive.js";
 import { tasks } from "./fixtures/basic/schema.js";
 import type { BasicTaskRow } from "./helpers/basic-rls-fixture.js";
 import {
-    basicFixtureTasks,
-    basicFixtureUsers,
-    basicUser0Identity,
-    basicUser1Identity,
-    createBasicRlsEnvironment,
+  basicFixtureTasks,
+  basicFixtureUsers,
+  basicUser0Identity,
+  basicUser1Identity,
+  createBasicRlsEnvironment,
 } from "./helpers/basic-rls-fixture.js";
 import { makeTestGencowCtxWithRls } from "./helpers/test-gencow-ctx-rls.js";
 
 /** Simulates a user-defined query: list all tasks the ORM can see (RLS limits rows). */
 async function customQueryListAllTasks(ctx: GencowCtx) {
-    return ctx.db.select().from(tasks);
+  return ctx.db.select().from(tasks);
 }
 
 /** Simulates a dashboard query with filters — still subject to RLS. */
 async function customQueryTasksMatchingTitle(ctx: GencowCtx, substring: string) {
-    return ctx.db
-        .select()
-        .from(tasks)
-        .where(sql`${tasks.title} ilike ${"%" + substring + "%"}`);
+  return ctx.db
+    .select()
+    .from(tasks)
+    .where(sql`${tasks.title} ilike ${"%" + substring + "%"}`);
 }
 
 /** Simulates fetching a single row by id (e.g. detail view). */
 async function customQueryTaskById(ctx: GencowCtx, id: string) {
-    const rows = await ctx.db.select().from(tasks).where(eq(tasks.id, id));
-    return rows[0] ?? null;
+  const rows = await ctx.db.select().from(tasks).where(eq(tasks.id, id));
+  return rows[0] ?? null;
 }
 
 /** Raw SQL count — must run with RLS session vars on the same connection semantics as ORM builders. */
 async function customQueryTaskCountRaw(ctx: GencowCtx) {
-    const r = await ctx.db.execute(sql`select count(*)::int as c from ${tasks}`);
-    const rows = r.rows as { c: number }[];
-    return rows[0]?.c ?? 0;
+  const r = await ctx.db.execute(sql`select count(*)::int as c from ${tasks}`);
+  const rows = r.rows as { c: number }[];
+  return rows[0]?.c ?? 0;
 }
 
 describe("Custom query handlers + ctx.db + RLS", () => {
-    let client: PGlite;
-    let db: ReturnType<typeof drizzle>;
-
-    beforeAll(async () => {
-        const env = await createBasicRlsEnvironment();
-        client = env.client;
-        db = env.db;
-    });
-
-    afterAll(async () => {
-        try {
-            await client.close();
-        } catch {
-            /* ignore */
-        }
-    });
-
-    it("custom list: user0 only sees own rows (not user1 tasks)", async () => {
-        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
-        const rows = await customQueryListAllTasks(ctx);
-        expect(rows.every((r: BasicTaskRow) => r.userId === basicUser0Identity.id)).toBe(true);
-        const expectedOwn = basicFixtureTasks.filter((t) => t.userId === basicFixtureUsers[0].id).length;
-        expect(rows.length).toBe(expectedOwn);
-    });
-
-    it("custom list: user1 sees a different row set than user0", async () => {
-        const ctx0 = makeTestGencowCtxWithRls(db, basicUser0Identity);
-        const ctx1 = makeTestGencowCtxWithRls(db, basicUser1Identity);
-        const u0 = await customQueryListAllTasks(ctx0);
-        const u1 = await customQueryListAllTasks(ctx1);
-        const u0Ids = new Set(u0.map((r: BasicTaskRow) => r.id));
-        const u1Ids = new Set(u1.map((r: BasicTaskRow) => r.id));
-        expect(u0Ids.has("tk-001")).toBe(false);
-        expect(u1Ids.has("tk-001")).toBe(true);
-        expect(u1Ids.has("tk-000")).toBe(false);
-    });
-
-    it("custom filtered query: cannot see other user's rows even if title matches", async () => {
-        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
-        const rows = await customQueryTasksMatchingTitle(ctx, "Project Alpha");
-        expect(rows.every((r: BasicTaskRow) => r.userId === basicUser0Identity.id)).toBe(true);
-        expect(rows.some((r: BasicTaskRow) => r.id === "tk-001")).toBe(false);
-    });
-
-    it("custom get by id: returns null for another user's task id", async () => {
-        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
-        const row = await customQueryTaskById(ctx, "tk-001");
-        expect(row).toBeNull();
-    });
-
-    it("custom get by id: returns own task", async () => {
-        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
-        const row = await customQueryTaskById(ctx, "tk-003");
-        expect(row).not.toBeNull();
-        expect(row!.id).toBe("tk-003");
-    });
-
-    it("raw SQL count on ctx.db matches RLS-visible rows only", async () => {
-        const ctx0 = makeTestGencowCtxWithRls(db, basicUser0Identity);
-        const ctx1 = makeTestGencowCtxWithRls(db, basicUser1Identity);
-        const c0 = await customQueryTaskCountRaw(ctx0);
-        const c1 = await customQueryTaskCountRaw(ctx1);
-        const n0 = basicFixtureTasks.filter((t) => t.userId === basicFixtureUsers[0].id).length;
-        const n1 = basicFixtureTasks.filter((t) => t.userId === basicFixtureUsers[1].id).length;
-        expect(c0).toBe(n0);
-        expect(c1).toBe(n1);
-        expect(c0 + c1).toBe(basicFixtureTasks.length);
-    });
-
-    it("unsafeDb without createRlsDb: no session GUC — owner RLS yields no visible rows", async () => {
-        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
-        const rlsRows = await customQueryListAllTasks(ctx);
-        expect(rlsRows.length).toBeGreaterThan(0);
-
-        const raw = await ctx.unsafeDb.select().from(tasks);
-        expect(raw.length).toBe(0);
-    });
+  let client: PGlite;
+  let db: ReturnType<typeof drizzle>;
+
+  beforeAll(async () => {
+    const env = await createBasicRlsEnvironment();
+    client = env.client;
+    db = env.db;
+  });
+
+  afterAll(async () => {
+    try {
+      await client.close();
+    } catch {
+      /* ignore */
+    }
+  });
+
+  it("custom list: user0 only sees own rows (not user1 tasks)", async () => {
+    const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+    const rows = await customQueryListAllTasks(ctx);
+    expect(rows.every((r: BasicTaskRow) => r.userId === basicUser0Identity.id)).toBe(true);
+    const expectedOwn = basicFixtureTasks.filter((t) => t.userId === basicFixtureUsers[0].id).length;
+    expect(rows.length).toBe(expectedOwn);
+  });
+
+  it("custom list: user1 sees a different row set than user0", async () => {
+    const ctx0 = makeTestGencowCtxWithRls(db, basicUser0Identity);
+    const ctx1 = makeTestGencowCtxWithRls(db, basicUser1Identity);
+    const u0 = await customQueryListAllTasks(ctx0);
+    const u1 = await customQueryListAllTasks(ctx1);
+    const u0Ids = new Set(u0.map((r: BasicTaskRow) => r.id));
+    const u1Ids = new Set(u1.map((r: BasicTaskRow) => r.id));
+    expect(u0Ids.has("tk-001")).toBe(false);
+    expect(u1Ids.has("tk-001")).toBe(true);
+    expect(u1Ids.has("tk-000")).toBe(false);
+  });
+
+  it("custom filtered query: cannot see other user's rows even if title matches", async () => {
+    const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+    const rows = await customQueryTasksMatchingTitle(ctx, "Project Alpha");
+    expect(rows.every((r: BasicTaskRow) => r.userId === basicUser0Identity.id)).toBe(true);
+    expect(rows.some((r: BasicTaskRow) => r.id === "tk-001")).toBe(false);
+  });
+
+  it("custom get by id: returns null for another user's task id", async () => {
+    const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+    const row = await customQueryTaskById(ctx, "tk-001");
+    expect(row).toBeNull();
+  });
+
+  it("custom get by id: returns own task", async () => {
+    const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+    const row = await customQueryTaskById(ctx, "tk-003");
+    expect(row).not.toBeNull();
+    expect(row!.id).toBe("tk-003");
+  });
+
+  it("raw SQL count on ctx.db matches RLS-visible rows only", async () => {
+    const ctx0 = makeTestGencowCtxWithRls(db, basicUser0Identity);
+    const ctx1 = makeTestGencowCtxWithRls(db, basicUser1Identity);
+    const c0 = await customQueryTaskCountRaw(ctx0);
+    const c1 = await customQueryTaskCountRaw(ctx1);
+    const n0 = basicFixtureTasks.filter((t) => t.userId === basicFixtureUsers[0].id).length;
+    const n1 = basicFixtureTasks.filter((t) => t.userId === basicFixtureUsers[1].id).length;
+    expect(c0).toBe(n0);
+    expect(c1).toBe(n1);
+    expect(c0 + c1).toBe(basicFixtureTasks.length);
+  });
+
+  it("unsafeDb without createRlsDb: no session GUC — owner RLS yields no visible rows", async () => {
+    const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+    const rlsRows = await customQueryListAllTasks(ctx);
+    expect(rlsRows.length).toBeGreaterThan(0);
+
+    const raw = await ctx.unsafeDb.select().from(tasks);
+    expect(raw.length).toBe(0);
+  });
 });

package/src/__tests__/rls-db-leased-connection.test.ts

@@ -20,11 +20,7 @@ describe("withRlsLeasedConnection (pg Pool leased client path)", () => {
         released++;
       },
     };
-    const result = await withRlsLeasedConnection(
-      leased,
-      { userId: "u1" },
-      async () => "done"
-    );
+    const result = await withRlsLeasedConnection(leased, { userId: "u1" }, async () => "done");
     expect(result).toBe("done");
     expect(phases[0]).toBe("begin");
     expect(phases[phases.length - 1]).toBe("commit");
@@ -81,7 +77,7 @@ describe("withRlsLeasedConnection (pg Pool leased client path)", () => {
         tenantId: "t1",
         vars: { "app.org_slug": "acme" },
       },
-      async () => "ok"
+      async () => "ok",
     );
     expect(phases[0]).toBe("begin");
     const setCalls = phases.filter((p) => p.includes("set_config"));