@ingram-tech/nk-db 0.3.0 → 0.5.0

package/README.md

@@ -39,7 +39,7 @@ import * as schema from "./schema";
 
 export const pool = createPool(); // TLS-aware; local socket → max:1
 export const db = createDb(pool, schema); // Drizzle — the default query path
-export const { query, one, maybeOne, execute, withTx } = createQueries(pool);
+export const { query, one, maybeOne, execute, withTx, withRls } = createQueries(pool);
 export { schema };
 ```
 
@@ -55,6 +55,55 @@ same pool: `betterAuth({ database: pool, … })`.
   `timestamptz` as ISO strings (on the golden path, prefer Drizzle's
   `timestamp(..., { mode: "string" })` per column).
 
+## Keeping RLS on a direct connection (`withRls` / `withRlsTransaction`)
+
+A direct `pg`/Drizzle connection has no PostgREST, so the `SET ROLE authenticated`
++ `request.jwt.claims` setup that made `auth.uid()` policies fire is gone — a
+plain query runs as the connection's role with no claims. These helpers reproduce
+that setup **per transaction**, so your **existing RLS policies keep working
+unchanged**, whether you're still on Supabase Postgres or already on DO. It's
+pure Postgres and behaves identically on both.
+
+```ts
+import { withRlsTransaction } from "@ingram-tech/nk-db";
+import { auth } from "@/lib/auth"; // your Better Auth instance
+import { db } from "@/lib/db";
+
+const session = await auth.api.getSession({ headers });
+// scoped: sets request.jwt.claims + SET LOCAL ROLE authenticated, then runs fn
+const notes = await withRlsTransaction(db, { sub: session.user.id }, (tx) =>
+	tx.select().from(schema.notes), // returns only this user's rows
+);
+```
+
+The claims come **straight from the Better Auth session** (`sub` = `user.id`) — no
+JWT minting, no JWKS issuer, no `supabase.auth`. The raw helpers expose the same
+thing as `withRls` (sibling of `withTx`):
+
+```ts
+const { withRls } = createQueries(pool);
+const rows = await withRls({ sub: userId }, (tx) =>
+	tx.query<Note>("select * from notes"),
+);
+```
+
+Two requirements **you** own (they can't be enforced from the library):
+
+- **Connect as a role that doesn't bypass RLS** for user-facing rows — not the
+  table owner, not a `BYPASSRLS` superuser. After `SET ROLE authenticated`, RLS
+  applies even if the underlying connection is `postgres` (exactly what PostgREST
+  relied on). Service-role/admin paths keep using plain `db` / `query` and bypass
+  RLS as before.
+- **The connecting role must be allowed to `SET ROLE`** to the target
+  (Supabase's `authenticator`/`postgres` already can; on DO, `GRANT app_user TO …`).
+
+Override the role / claims GUC when your DB role name differs from the JWT claim:
+`withRlsTransaction(db, { sub }, fn, { role: "app_user" })`. Both helpers set the
+GUCs **transaction-locally** (`is_local = true`), so they reset at
+commit/rollback and never leak across pooled connections. See
+[`docs/db-package.md` §RLS](https://github.com/ingram-technologies/nextkit/blob/main/docs/db-package.md)
+and [`docs/better-auth-migration.md`](https://github.com/ingram-technologies/nextkit/blob/main/docs/better-auth-migration.md).
+
 ## PGlite dev & test (`@ingram-tech/nk-db/pglite`)
 
 `nk dev` runs the `nk-pglite-dev` bin automatically when this package is

package/dist/drizzle.d.ts

@@ -1,5 +1,6 @@
 import { type NodePgDatabase } from "drizzle-orm/node-postgres";
 import type { Pool } from "pg";
+import { type RlsClaims, type RlsOptions } from "./rls.js";
 /**
  * Build the Drizzle instance on the shared pool. This is the default query path
  * for app tables — schema-first, with `drizzle-kit` generating the migrations
@@ -11,4 +12,21 @@ import type { Pool } from "pg";
  *   export const db = createDb(pool, schema);
  */
 export declare const createDb: <TSchema extends Record<string, unknown>>(pool: Pool, schema: TSchema) => NodePgDatabase<TSchema>;
+/** The transaction handle Drizzle hands its `db.transaction(fn)` callback. */
+type DrizzleTx<TSchema extends Record<string, unknown>> = Parameters<Parameters<NodePgDatabase<TSchema>["transaction"]>[0]>[0];
+/**
+ * Run `fn` inside a Drizzle transaction **scoped to a user**, so RLS policies
+ * apply on a direct connection (no PostgREST). It sets `request.jwt.claims` +
+ * `SET LOCAL ROLE` (default `authenticated`) as the first statement, so existing
+ * `auth.uid()` policies fire unchanged; the `tx` passed to `fn` is a normal
+ * Drizzle transaction (full query builder + `tx.execute`). Use for user-facing
+ * reads/writes; use plain `db` for service-role paths. The connection role must
+ * not bypass RLS for the rows touched — see `rls.ts`.
+ *
+ *   const notes = await withRlsTransaction(db, { sub: user.id }, (tx) =>
+ *       tx.select().from(schema.notes),
+ *   );
+ */
+export declare const withRlsTransaction: <TSchema extends Record<string, unknown>, T>(db: NodePgDatabase<TSchema>, claims: RlsClaims, fn: (tx: DrizzleTx<TSchema>) => Promise<T>, options?: RlsOptions) => Promise<T>;
+export {};
 //# sourceMappingURL=drizzle.d.ts.map

package/dist/drizzle.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"drizzle.d.ts","sourceRoot":"","sources":["../src/drizzle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAW,KAAK,cAAc,EAAE,MAAM,2BAA2B,CAAC;AACzE,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE/B;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ,GAAI,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/D,MAAM,IAAI,EACV,QAAQ,OAAO,KACb,cAAc,CAAC,OAAO,CAA8B,CAAC"}
+{"version":3,"file":"drizzle.d.ts","sourceRoot":"","sources":["../src/drizzle.ts"],"names":[],"mappings":"AACA,OAAO,EAAW,KAAK,cAAc,EAAE,MAAM,2BAA2B,CAAC;AACzE,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,EAAE,KAAK,SAAS,EAAE,KAAK,UAAU,EAAoB,MAAM,UAAU,CAAC;AAE7E;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ,GAAI,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/D,MAAM,IAAI,EACV,QAAQ,OAAO,KACb,cAAc,CAAC,OAAO,CAA8B,CAAC;AAExD,8EAA8E;AAC9E,KAAK,SAAS,CAAC,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,UAAU,CACnE,UAAU,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CACrD,CAAC,CAAC,CAAC,CAAC;AAEL;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,kBAAkB,GAAI,OAAO,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,EAC5E,IAAI,cAAc,CAAC,OAAO,CAAC,EAC3B,QAAQ,SAAS,EACjB,IAAI,CAAC,EAAE,EAAE,SAAS,CAAC,OAAO,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,EAC1C,UAAS,UAAe,KACtB,OAAO,CAAC,CAAC,CAOT,CAAC"}

package/dist/drizzle.js

@@ -1,4 +1,6 @@
+import { sql } from "drizzle-orm";
 import { drizzle } from "drizzle-orm/node-postgres";
+import { resolveRlsConfig } from "./rls.js";
 /**
  * Build the Drizzle instance on the shared pool. This is the default query path
  * for app tables — schema-first, with `drizzle-kit` generating the migrations
@@ -10,4 +12,22 @@ import { drizzle } from "drizzle-orm/node-postgres";
  *   export const db = createDb(pool, schema);
  */
 export const createDb = (pool, schema) => drizzle(pool, { schema });
+/**
+ * Run `fn` inside a Drizzle transaction **scoped to a user**, so RLS policies
+ * apply on a direct connection (no PostgREST). It sets `request.jwt.claims` +
+ * `SET LOCAL ROLE` (default `authenticated`) as the first statement, so existing
+ * `auth.uid()` policies fire unchanged; the `tx` passed to `fn` is a normal
+ * Drizzle transaction (full query builder + `tx.execute`). Use for user-facing
+ * reads/writes; use plain `db` for service-role paths. The connection role must
+ * not bypass RLS for the rows touched — see `rls.ts`.
+ *
+ *   const notes = await withRlsTransaction(db, { sub: user.id }, (tx) =>
+ *       tx.select().from(schema.notes),
+ *   );
+ */
+export const withRlsTransaction = (db, claims, fn, options = {}) => db.transaction(async (tx) => {
+    const { role, claimsSetting, claimsJson } = resolveRlsConfig(claims, options);
+    await tx.execute(sql `select set_config(${claimsSetting}, ${claimsJson}, true), set_config('role', ${role}, true)`);
+    return fn(tx);
+});
 //# sourceMappingURL=drizzle.js.map

package/dist/drizzle.js.map

@@ -1 +1 @@
-{"version":3,"file":"drizzle.js","sourceRoot":"","sources":["../src/drizzle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAuB,MAAM,2BAA2B,CAAC;AAGzE;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG,CACvB,IAAU,EACV,MAAe,EACW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC"}
+{"version":3,"file":"drizzle.js","sourceRoot":"","sources":["../src/drizzle.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,EAAE,OAAO,EAAuB,MAAM,2BAA2B,CAAC;AAEzE,OAAO,EAAmC,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAE7E;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG,CACvB,IAAU,EACV,MAAe,EACW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;AAOxD;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CACjC,EAA2B,EAC3B,MAAiB,EACjB,EAA0C,EAC1C,UAAsB,EAAE,EACX,EAAE,CACf,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;IAC3B,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,UAAU,EAAE,GAAG,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9E,MAAM,EAAE,CAAC,OAAO,CACf,GAAG,CAAA,qBAAqB,aAAa,KAAK,UAAU,+BAA+B,IAAI,SAAS,CAChG,CAAC;IACF,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;AACf,CAAC,CAAC,CAAC"}

package/dist/id.d.ts

@@ -0,0 +1,63 @@
+/**
+ * The Ingram id codec — a UUIDv7 and its base58 skin. It lives here in nk-db
+ * (the lowest package in the graph) behind the `@ingram-tech/nk-db/id` subpath,
+ * so it stays `node:crypto`-only — no `pg` / `drizzle` — and any site can mint
+ * ids without pulling a heavier slice.
+ *
+ * The Python twin lives in cloud.ingram.tech's `v1/core.py` (`new_id`); the
+ * byte → string vectors in `id.test.ts` and that repo's `tests/test_ids.py` are
+ * kept identical, so a stored UUIDv7 and an `agt_` / `smt_` id from the API are
+ * the same encoding of the same 16 bytes. That cross-impl contract is the most
+ * important property of this file — keep the vectors in lockstep.
+ *
+ * Store the hyphenated UUIDv7 at rest (uuid columns stay native and time-ordered
+ * for index locality) and use {@link toPrefixedId} to skin it as a prefixed
+ * base58 id for the wire / display, {@link fromPrefixedId} to recover it.
+ * {@link base58Id} mints a fresh one directly; {@link createIdRegistry} builds a
+ * typed, prefix-validated set of helpers for a project's entities.
+ */
+/**
+ * Mint a **UUIDv7** (RFC 9562): a 48-bit Unix-ms timestamp prefix + random tail,
+ * version `7`, variant `10`. UUID-shaped (drops straight into a `uuid` column)
+ * while staying time-ordered for index locality. Used as Better Auth's
+ * `advanced.database.generateId`. Node/Bun's `randomUUID` is v4-only, so we lay
+ * the bytes out by hand.
+ */
+export declare const uuidGenerateId: () => string;
+/** Skin a stored hyphenated UUIDv7 as a prefixed base58 id, e.g. `team_…`. */
+export declare function toPrefixedId(uuid: string, prefix: string): string;
+/** Inverse of {@link toPrefixedId}: recover the hyphenated UUIDv7. */
+export declare function fromPrefixedId(id: string): string;
+/** Mint a fresh prefixed base58 id (UUIDv7 core), for text-id sites / API parity. */
+export declare function base58Id(prefix: string): string;
+/** Typed helpers for one entity's prefixed ids — built by {@link createIdRegistry}. */
+export interface IdHelper {
+    /** This entity's prefix, e.g. `"agt"` (no trailing underscore). */
+    readonly prefix: string;
+    /** Mint a fresh prefixed id (new UUIDv7 core). */
+    mint(): string;
+    /** Skin a stored hyphenated UUIDv7 as this entity's prefixed id. */
+    encode(uuid: string): string;
+    /** Recover the hyphenated UUIDv7; throws if the prefix / shape doesn't match. */
+    decode(id: string): string;
+    /** Whether `id` is a well-formed prefixed id for this entity. */
+    is(id: string): boolean;
+}
+/** The map returned by {@link createIdRegistry}: one {@link IdHelper} per key. */
+export type IdRegistry<K extends string> = Record<K, IdHelper>;
+/**
+ * Build a typed, prefix-validated id registry for a project's entities — one
+ * place to declare every prefix instead of hand-rolling encode/decode wrappers:
+ *
+ * ```ts
+ * const ids = createIdRegistry({ org: "org", agent: "agt", session: "cs" });
+ * ids.org.mint();          // "org_3k9…"
+ * ids.org.encode(uuid);    // "org_…"
+ * ids.org.decode("org_…"); // uuid — throws on a wrong / missing prefix
+ * ids.agent.is(someId);    // boolean
+ * ```
+ */
+export declare function createIdRegistry<const T extends Record<string, string>>(prefixes: T): {
+    [K in keyof T]: IdHelper;
+};
+//# sourceMappingURL=id.d.ts.map

package/dist/id.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"id.d.ts","sourceRoot":"","sources":["../src/id.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;GAiBG;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,QAAO,MAYjC,CAAC;AAuDF,8EAA8E;AAC9E,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAEjE;AAED,sEAAsE;AACtE,wBAAgB,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAGjD;AAED,qFAAqF;AACrF,wBAAgB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED,uFAAuF;AACvF,MAAM,WAAW,QAAQ;IACxB,mEAAmE;IACnE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,kDAAkD;IAClD,IAAI,IAAI,MAAM,CAAC;IACf,oEAAoE;IACpE,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,iFAAiF;IACjF,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;IAC3B,iEAAiE;IACjE,EAAE,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,kFAAkF;AAClF,MAAM,MAAM,UAAU,CAAC,CAAC,SAAS,MAAM,IAAI,MAAM,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;AAiB/D;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACtE,QAAQ,EAAE,CAAC,GACT;KAAG,CAAC,IAAI,MAAM,CAAC,GAAG,QAAQ;CAAE,CAM9B"}

package/dist/id.js

@@ -0,0 +1,138 @@
+import { randomBytes } from "node:crypto";
+/**
+ * The Ingram id codec — a UUIDv7 and its base58 skin. It lives here in nk-db
+ * (the lowest package in the graph) behind the `@ingram-tech/nk-db/id` subpath,
+ * so it stays `node:crypto`-only — no `pg` / `drizzle` — and any site can mint
+ * ids without pulling a heavier slice.
+ *
+ * The Python twin lives in cloud.ingram.tech's `v1/core.py` (`new_id`); the
+ * byte → string vectors in `id.test.ts` and that repo's `tests/test_ids.py` are
+ * kept identical, so a stored UUIDv7 and an `agt_` / `smt_` id from the API are
+ * the same encoding of the same 16 bytes. That cross-impl contract is the most
+ * important property of this file — keep the vectors in lockstep.
+ *
+ * Store the hyphenated UUIDv7 at rest (uuid columns stay native and time-ordered
+ * for index locality) and use {@link toPrefixedId} to skin it as a prefixed
+ * base58 id for the wire / display, {@link fromPrefixedId} to recover it.
+ * {@link base58Id} mints a fresh one directly; {@link createIdRegistry} builds a
+ * typed, prefix-validated set of helpers for a project's entities.
+ */
+/**
+ * Mint a **UUIDv7** (RFC 9562): a 48-bit Unix-ms timestamp prefix + random tail,
+ * version `7`, variant `10`. UUID-shaped (drops straight into a `uuid` column)
+ * while staying time-ordered for index locality. Used as Better Auth's
+ * `advanced.database.generateId`. Node/Bun's `randomUUID` is v4-only, so we lay
+ * the bytes out by hand.
+ */
+export const uuidGenerateId = () => {
+    const bytes = randomBytes(16);
+    const ts = Date.now();
+    bytes[0] = Math.floor(ts / 2 ** 40) & 0xff;
+    bytes[1] = Math.floor(ts / 2 ** 32) & 0xff;
+    bytes[2] = Math.floor(ts / 2 ** 24) & 0xff;
+    bytes[3] = Math.floor(ts / 2 ** 16) & 0xff;
+    bytes[4] = Math.floor(ts / 2 ** 8) & 0xff;
+    bytes[5] = ts & 0xff;
+    bytes[6] = ((bytes[6] ?? 0) & 0x0f) | 0x70; // version 7
+    bytes[8] = ((bytes[8] ?? 0) & 0x3f) | 0x80; // variant 10
+    return bytesToUuid(bytes);
+};
+const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+// ceil(128 / log2(58)): a 16-byte value never needs more than 22 digits. We
+// left-pad to it so every body is uniform width and sorts lexically ==
+// chronologically (UUIDv7's ms-timestamp prefix lives in the high bytes).
+const WIDTH = 22;
+// A bare base58 body: 22 chars, Bitcoin alphabet (no 0 / I / O / l).
+const BODY = "[1-9A-HJ-NP-Za-km-z]{22}";
+/** Big-endian base58 (Bitcoin alphabet) of 16 bytes, left-padded to `WIDTH`. */
+function encode58(bytes) {
+    let n = 0n;
+    for (const b of bytes)
+        n = (n << 8n) | BigInt(b);
+    let out = "";
+    while (n > 0n) {
+        out = B58.charAt(Number(n % 58n)) + out;
+        n /= 58n;
+    }
+    return out.padStart(WIDTH, B58.charAt(0));
+}
+/** Inverse of {@link encode58}: a base58 body back to 16 bytes. */
+function decode58(body) {
+    let n = 0n;
+    for (const ch of body) {
+        const v = B58.indexOf(ch);
+        if (v < 0)
+            throw new Error(`invalid base58 char: ${ch}`);
+        n = n * 58n + BigInt(v);
+    }
+    const bytes = new Uint8Array(16);
+    for (let i = 15; i >= 0; i--) {
+        bytes[i] = Number(n & 0xffn);
+        n >>= 8n;
+    }
+    return bytes;
+}
+/** A hyphenated UUID string → its 16 raw bytes. */
+function uuidToBytes(uuid) {
+    const hex = uuid.replace(/-/g, "");
+    if (!/^[0-9a-fA-F]{32}$/.test(hex))
+        throw new Error(`not a uuid: ${uuid}`);
+    const bytes = new Uint8Array(16);
+    for (let i = 0; i < 16; i++) {
+        bytes[i] = Number.parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    }
+    return bytes;
+}
+/** 16 raw bytes → a canonical hyphenated UUID string. */
+function bytesToUuid(bytes) {
+    const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+    return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+/** Skin a stored hyphenated UUIDv7 as a prefixed base58 id, e.g. `team_…`. */
+export function toPrefixedId(uuid, prefix) {
+    return `${prefix}_${encode58(uuidToBytes(uuid))}`;
+}
+/** Inverse of {@link toPrefixedId}: recover the hyphenated UUIDv7. */
+export function fromPrefixedId(id) {
+    const body = id.slice(id.indexOf("_") + 1);
+    return bytesToUuid(decode58(body));
+}
+/** Mint a fresh prefixed base58 id (UUIDv7 core), for text-id sites / API parity. */
+export function base58Id(prefix) {
+    return toPrefixedId(uuidGenerateId(), prefix);
+}
+function makeHelper(prefix) {
+    // Prefixes are developer-controlled identifier constants, never user input.
+    const matcher = new RegExp(`^${prefix}_${BODY}$`);
+    return {
+        prefix,
+        mint: () => base58Id(prefix),
+        encode: (uuid) => toPrefixedId(uuid, prefix),
+        decode: (id) => {
+            if (!matcher.test(id))
+                throw new Error(`not a ${prefix}_ id: ${id}`);
+            return fromPrefixedId(id);
+        },
+        is: (id) => matcher.test(id),
+    };
+}
+/**
+ * Build a typed, prefix-validated id registry for a project's entities — one
+ * place to declare every prefix instead of hand-rolling encode/decode wrappers:
+ *
+ * ```ts
+ * const ids = createIdRegistry({ org: "org", agent: "agt", session: "cs" });
+ * ids.org.mint();          // "org_3k9…"
+ * ids.org.encode(uuid);    // "org_…"
+ * ids.org.decode("org_…"); // uuid — throws on a wrong / missing prefix
+ * ids.agent.is(someId);    // boolean
+ * ```
+ */
+export function createIdRegistry(prefixes) {
+    const reg = {};
+    for (const [key, prefix] of Object.entries(prefixes)) {
+        reg[key] = makeHelper(prefix);
+    }
+    return reg;
+}
+//# sourceMappingURL=id.js.map

package/dist/id.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"id.js","sourceRoot":"","sources":["../src/id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C;;;;;;;;;;;;;;;;;GAiBG;AAEH;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,GAAW,EAAE;IAC1C,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC9B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACtB,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC3C,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;IAC1C,KAAK,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IACrB,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,YAAY;IACxD,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,aAAa;IACzD,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC,CAAC;AAEF,MAAM,GAAG,GAAG,4DAA4D,CAAC;AACzE,4EAA4E;AAC5E,uEAAuE;AACvE,0EAA0E;AAC1E,MAAM,KAAK,GAAG,EAAE,CAAC;AACjB,qEAAqE;AACrE,MAAM,IAAI,GAAG,0BAA0B,CAAC;AAExC,gFAAgF;AAChF,SAAS,QAAQ,CAAC,KAAiB;IAClC,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACjD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC;QACf,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,GAAG,CAAC;QACxC,CAAC,IAAI,GAAG,CAAC;IACV,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,mEAAmE;AACnE,SAAS,QAAQ,CAAC,IAAY;IAC7B,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC1B,IAAI,CAAC,GAAG,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,EAAE,EAAE,CAAC,CAAC;QACzD,CAAC,GAAG,CAAC,GAAG,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,KAAK,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9B,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;QAC7B,CAAC,KAAK,EAAE,CAAC;IACV,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAED,mDAAmD;AACnD,SAAS,WAAW,CAAC,IAAY;IAChC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACnC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;IAC3E,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAED,yDAAyD;AACzD,SAAS,WAAW,CAAC,KAAiB;IACrC,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/E,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC;AAC5G,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,MAAc;IACxD,OAAO,GAAG,MAAM,IAAI,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;AACnD,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,cAAc,CAAC,EAAU;IACxC,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,OAAO,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,QAAQ,CAAC,MAAc;IACtC,OAAO,YAAY,CAAC,cAAc,EAAE,EAAE,MAAM,CAAC,CAAC;AAC/C,CAAC;AAmBD,SAAS,UAAU,CAAC,MAAc;IACjC,4EAA4E;IAC5E,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,IAAI,MAAM,IAAI,IAAI,GAAG,CAAC,CAAC;IAClD,OAAO;QACN,MAAM;QACN,IAAI,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC5B,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC;QAC5C,MAAM,EAAE,CAAC,EAAE,EAAE,EAAE;YACd,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,SAAS,MAAM,SAAS,EAAE,EAAE,CAAC,CAAC;YACrE,OAAO,cAAc,CAAC,EAAE,CAAC,CAAC;QAC3B,CAAC;QACD,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;KAC5B,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,gBAAgB,CAC/B,QAAW;IAEX,MAAM,GAAG,GAA6B,EAAE,CAAC;IACzC,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACtD,GAAG,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,GAAmC,CAAC;AAC5C,CAAC"}

package/dist/index.d.ts

@@ -1,6 +1,7 @@
-export { createDb } from "./drizzle.js";
+export { createDb, withRlsTransaction } from "./drizzle.js";
 export { type DbEnv, dbEnv, getDatabaseUrl, isConfigured } from "./keys.js";
 export { type CreatePoolConfig, createPool } from "./pool.js";
 export { createQueries, type PoolQueries, type Queries } from "./queries.js";
+export { RLS_CLAIMS_SETTING, RLS_DEFAULT_ROLE, type ResolvedRlsConfig, type RlsClaims, type RlsOptions, resolveRlsConfig, rlsPreamble, } from "./rls.js";
 export { configureTimestampsAsStrings } from "./types.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AACxC,OAAO,EAAE,KAAK,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC5E,OAAO,EAAE,KAAK,gBAAgB,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,KAAK,WAAW,EAAE,KAAK,OAAO,EAAE,MAAM,cAAc,CAAC;AAC7E,OAAO,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAC5D,OAAO,EAAE,KAAK,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC5E,OAAO,EAAE,KAAK,gBAAgB,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,KAAK,WAAW,EAAE,KAAK,OAAO,EAAE,MAAM,cAAc,CAAC;AAC7E,OAAO,EACN,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,iBAAiB,EACtB,KAAK,SAAS,EACd,KAAK,UAAU,EACf,gBAAgB,EAChB,WAAW,GACX,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -1,9 +1,10 @@
 // The Ingram Postgres data layer. The PGlite dev/test harness lives behind the
 // "@ingram-tech/nk-db/pglite" subpath so its WASM/dev-only deps never reach a
 // production bundle.
-export { createDb } from "./drizzle.js";
+export { createDb, withRlsTransaction } from "./drizzle.js";
 export { dbEnv, getDatabaseUrl, isConfigured } from "./keys.js";
 export { createPool } from "./pool.js";
 export { createQueries } from "./queries.js";
+export { RLS_CLAIMS_SETTING, RLS_DEFAULT_ROLE, resolveRlsConfig, rlsPreamble, } from "./rls.js";
 export { configureTimestampsAsStrings } from "./types.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,8EAA8E;AAC9E,qBAAqB;AAErB,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AACxC,OAAO,EAAc,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC5E,OAAO,EAAyB,UAAU,EAAE,MAAM,WAAW,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAkC,MAAM,cAAc,CAAC;AAC7E,OAAO,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,8EAA8E;AAC9E,qBAAqB;AAErB,OAAO,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAC5D,OAAO,EAAc,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC5E,OAAO,EAAyB,UAAU,EAAE,MAAM,WAAW,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAkC,MAAM,cAAc,CAAC;AAC7E,OAAO,EACN,kBAAkB,EAClB,gBAAgB,EAIhB,gBAAgB,EAChB,WAAW,GACX,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAC"}

package/dist/queries.d.ts

@@ -1,4 +1,5 @@
 import type { Pool, QueryResultRow } from "pg";
+import { type RlsClaims, type RlsOptions } from "./rls.js";
 export interface Queries {
     /** Run a query and return all rows. */
     query: <T extends QueryResultRow = QueryResultRow>(text: string, params?: unknown[]) => Promise<T[]>;
@@ -17,6 +18,15 @@ export interface PoolQueries extends Queries {
      * statements that must be atomic.
      */
     withTx: <T>(fn: (tx: Queries) => Promise<T>) => Promise<T>;
+    /**
+     * Like `withTx`, but first **scopes the transaction to a user** so RLS
+     * policies apply: it sets `request.jwt.claims` + `SET LOCAL ROLE` (default
+     * `authenticated`) before `fn`, reproducing what PostgREST did. Use this for
+     * user-facing reads/writes on a direct connection; keep `withTx` / `query`
+     * for service-role paths that should bypass RLS. The connection role must not
+     * bypass RLS for the rows touched — see `rls.ts`.
+     */
+    withRls: <T>(claims: RlsClaims, fn: (tx: Queries) => Promise<T>, options?: RlsOptions) => Promise<T>;
 }
 /**
  * Bind the raw-SQL helpers (`query` / `one` / `maybeOne` / `execute` / `withTx`)

package/dist/queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"queries.d.ts","sourceRoot":"","sources":["../src/queries.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAc,cAAc,EAAE,MAAM,IAAI,CAAC;AAK3D,MAAM,WAAW,OAAO;IACvB,uCAAuC;IACvC,KAAK,EAAE,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc,EAChD,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,OAAO,EAAE,KACd,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC;IAClB,wEAAwE;IACxE,QAAQ,EAAE,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc,EACnD,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,OAAO,EAAE,KACd,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACvB,sEAAsE;IACtE,GAAG,EAAE,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc,EAC9C,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,OAAO,EAAE,KACd,OAAO,CAAC,CAAC,CAAC,CAAC;IAChB,qDAAqD;IACrD,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CAC/D;AAoCD,MAAM,WAAW,WAAY,SAAQ,OAAO;IAC3C;;;;;OAKG;IACH,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC;CAC3D;AAED;;;;;;GAMG;AACH,eAAO,MAAM,aAAa,GAAI,MAAM,IAAI,KAAG,WAiB1C,CAAC"}
+{"version":3,"file":"queries.d.ts","sourceRoot":"","sources":["../src/queries.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAc,cAAc,EAAE,MAAM,IAAI,CAAC;AAC3D,OAAO,EACN,KAAK,SAAS,EACd,KAAK,UAAU,EAGf,MAAM,UAAU,CAAC;AAKlB,MAAM,WAAW,OAAO;IACvB,uCAAuC;IACvC,KAAK,EAAE,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc,EAChD,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,OAAO,EAAE,KACd,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC;IAClB,wEAAwE;IACxE,QAAQ,EAAE,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc,EACnD,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,OAAO,EAAE,KACd,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACvB,sEAAsE;IACtE,GAAG,EAAE,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc,EAC9C,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,OAAO,EAAE,KACd,OAAO,CAAC,CAAC,CAAC,CAAC;IAChB,qDAAqD;IACrD,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CAC/D;AAoCD,MAAM,WAAW,WAAY,SAAQ,OAAO;IAC3C;;;;;OAKG;IACH,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC;IAC3D;;;;;;;OAOG;IACH,OAAO,EAAE,CAAC,CAAC,EACV,MAAM,EAAE,SAAS,EACjB,EAAE,EAAE,CAAC,EAAE,EAAE,OAAO,KAAK,OAAO,CAAC,CAAC,CAAC,EAC/B,OAAO,CAAC,EAAE,UAAU,KAChB,OAAO,CAAC,CAAC,CAAC,CAAC;CAChB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,aAAa,GAAI,MAAM,IAAI,KAAG,WAkC1C,CAAC"}

package/dist/queries.js

@@ -1,3 +1,4 @@
+import { resolveRlsConfig, rlsPreamble, } from "./rls.js";
 const bind = (executor) => {
     const query = async (text, params = []) => {
         const result = await executor.query(text, params);
@@ -32,10 +33,14 @@ const bind = (executor) => {
  */
 export const createQueries = (pool) => {
     const base = bind(pool);
-    const withTx = async (fn) => {
+    // One transaction runner; `setup` (if any) runs after `begin`, before `fn` —
+    // that's where withRls injects the claims/role GUCs.
+    const runTx = async (setup, fn) => {
         const client = await pool.connect();
         try {
             await client.query("begin");
+            if (setup)
+                await setup(client);
             const result = await fn(bind(client));
             await client.query("commit");
             return result;
@@ -48,6 +53,11 @@ export const createQueries = (pool) => {
             client.release();
         }
     };
-    return { ...base, withTx };
+    const withTx = (fn) => runTx(undefined, fn);
+    const withRls = (claims, fn, options) => runTx(async (client) => {
+        const { text, values } = rlsPreamble(resolveRlsConfig(claims, options));
+        await client.query(text, values);
+    }, fn);
+    return { ...base, withTx, withRls };
 };
 //# sourceMappingURL=queries.js.map

package/dist/queries.js.map

@@ -1 +1 @@
-{"version":3,"file":"queries.js","sourceRoot":"","sources":["../src/queries.ts"],"names":[],"mappings":"AAyBA,MAAM,IAAI,GAAG,CAAC,QAAkB,EAAW,EAAE;IAC5C,MAAM,KAAK,GAAG,KAAK,EAClB,IAAY,EACZ,SAAoB,EAAE,EACP,EAAE;QACjB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAI,IAAI,EAAE,MAAM,CAAC,CAAC;QACrD,OAAO,MAAM,CAAC,IAAI,CAAC;IACpB,CAAC,CAAC;IACF,MAAM,QAAQ,GAAG,KAAK,EACrB,IAAY,EACZ,SAAoB,EAAE,EACF,EAAE;QACtB,MAAM,IAAI,GAAG,MAAM,KAAK,CAAI,IAAI,EAAE,MAAM,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IACxB,CAAC,CAAC;IACF,MAAM,GAAG,GAAG,KAAK,EAChB,IAAY,EACZ,SAAoB,EAAE,EACT,EAAE;QACf,MAAM,IAAI,GAAG,MAAM,KAAK,CAAI,IAAI,EAAE,MAAM,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAChE,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,OAAO,GAAG,CAAC;IACZ,CAAC,CAAC;IACF,MAAM,OAAO,GAAG,KAAK,EAAE,IAAY,EAAE,SAAoB,EAAE,EAAmB,EAAE;QAC/E,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAClD,OAAO,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC;IACF,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;AAC1C,CAAC,CAAC;AAYF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAU,EAAe,EAAE;IACxD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;IACxB,MAAM,MAAM,GAAG,KAAK,EAAK,EAA+B,EAAc,EAAE;QACvE,MAAM,MAAM,GAAe,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAChD,IAAI,CAAC;YACJ,MAAM,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YACtC,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAC7B,OAAO,MAAM,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAC/B,MAAM,KAAK,CAAC;QACb,CAAC;gBAAS,CAAC;YACV,MAAM,CAAC,OAAO,EAAE,CAAC;QAClB,CAAC;IACF,CAAC,CAAC;IACF,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,CAAC;AAC5B,CAAC,CAAC"}
+{"version":3,"file":"queries.js","sourceRoot":"","sources":["../src/queries.ts"],"names":[],"mappings":"AACA,OAAO,EAGN,gBAAgB,EAChB,WAAW,GACX,MAAM,UAAU,CAAC;AAyBlB,MAAM,IAAI,GAAG,CAAC,QAAkB,EAAW,EAAE;IAC5C,MAAM,KAAK,GAAG,KAAK,EAClB,IAAY,EACZ,SAAoB,EAAE,EACP,EAAE;QACjB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAI,IAAI,EAAE,MAAM,CAAC,CAAC;QACrD,OAAO,MAAM,CAAC,IAAI,CAAC;IACpB,CAAC,CAAC;IACF,MAAM,QAAQ,GAAG,KAAK,EACrB,IAAY,EACZ,SAAoB,EAAE,EACF,EAAE;QACtB,MAAM,IAAI,GAAG,MAAM,KAAK,CAAI,IAAI,EAAE,MAAM,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IACxB,CAAC,CAAC;IACF,MAAM,GAAG,GAAG,KAAK,EAChB,IAAY,EACZ,SAAoB,EAAE,EACT,EAAE;QACf,MAAM,IAAI,GAAG,MAAM,KAAK,CAAI,IAAI,EAAE,MAAM,CAAC,CAAC;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAChE,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,OAAO,GAAG,CAAC;IACZ,CAAC,CAAC;IACF,MAAM,OAAO,GAAG,KAAK,EAAE,IAAY,EAAE,SAAoB,EAAE,EAAmB,EAAE;QAC/E,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAClD,OAAO,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC;IAC7B,CAAC,CAAC;IACF,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;AAC1C,CAAC,CAAC;AAyBF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAU,EAAe,EAAE;IACxD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;IACxB,6EAA6E;IAC7E,qDAAqD;IACrD,MAAM,KAAK,GAAG,KAAK,EAClB,KAA0D,EAC1D,EAA+B,EAClB,EAAE;QACf,MAAM,MAAM,GAAe,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAChD,IAAI,CAAC;YACJ,MAAM,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC5B,IAAI,KAAK;gBAAE,MAAM,KAAK,CAAC,MAAM,CAAC,CAAC;YAC/B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YACtC,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAC7B,OAAO,MAAM,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAC/B,MAAM,KAAK,CAAC;QACb,CAAC;gBAAS,CAAC;YACV,MAAM,CAAC,OAAO,EAAE,CAAC;QAClB,CAAC;IACF,CAAC,CAAC;IACF,MAAM,MAAM,GAAG,CAAI,EAA+B,EAAc,EAAE,CACjE,KAAK,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IACtB,MAAM,OAAO,GAAG,CACf,MAAiB,EACjB,EAA+B,EAC/B,OAAoB,EACP,EAAE,CACf,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QACtB,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;QACxE,MAAM,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAClC,CAAC,EAAE,EAAE,CAAC,CAAC;IACR,OAAO,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AACrC,CAAC,CAAC"}

package/dist/rls.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Row-Level Security for a **direct Postgres connection** (no PostgREST).
+ *
+ * On Supabase, PostgREST is what made RLS work: per request it did
+ * `SET ROLE authenticated` and set `request.jwt.claims` from the user's JWT, so
+ * policies written against `auth.uid()` fired. The moment a site queries Postgres
+ * directly (`pg` / Drizzle) — whether it's still on Supabase Postgres or has
+ * moved to our DigitalOcean cluster — that setup is gone, and a plain connection
+ * runs as the connection's role with **no claims**, so RLS is either bypassed
+ * (privileged role) or denies everything.
+ *
+ * These helpers reproduce exactly what PostgREST did, per transaction: set the
+ * claims GUC and `SET LOCAL ROLE`, so **existing `auth.uid()` policies keep
+ * working unchanged**. It is pure Postgres, so it behaves identically on Supabase
+ * and on DO. See `docs/db-package.md` (§RLS) and `docs/better-auth-migration.md`.
+ *
+ * Two requirements the caller owns (documented, not enforceable here):
+ *   1. The pool must connect as a role that **does not bypass RLS** for the rows
+ *      it touches — i.e. not the table owner and not a `BYPASSRLS` superuser for
+ *      user-facing reads. (After `SET ROLE authenticated`, RLS applies even if the
+ *      underlying connection is `postgres`, exactly as PostgREST relied on.)
+ *   2. The connecting role must be allowed to `SET ROLE` to the target role
+ *      (Supabase's `authenticator`/`postgres` can; on DO, `GRANT app_user TO …`).
+ */
+/**
+ * The JWT-style claims to scope a transaction by. `sub` becomes `auth.uid()`;
+ * `role` (default `"authenticated"`) is the Postgres role assumed. Any further
+ * keys are written into the claims GUC for policies that read them
+ * (`request.jwt.claims ->> 'org_id'`, etc.).
+ */
+export interface RlsClaims {
+    /**
+     * The user id. Becomes the `sub` claim → `auth.uid()`. For Supabase-style
+     * policies that cast `sub` to `uuid`, this MUST be a valid UUID.
+     */
+    sub: string;
+    /** The Postgres role to assume (the JWT `role` claim). Defaults to `"authenticated"`. */
+    role?: string;
+    /** Any further claims your policies read from `request.jwt.claims`. */
+    [claim: string]: unknown;
+}
+/** Overrides for {@link resolveRlsConfig} (and the helpers that build on it). */
+export interface RlsOptions {
+    /**
+     * Force the Postgres role to `SET LOCAL`, ignoring `claims.role`. Use when the
+     * DB role name differs from the JWT `role` claim (e.g. a dedicated `app_user`
+     * on DO while the claim stays `"authenticated"`).
+     */
+    role?: string;
+    /** The GUC the claims JSON is written to. Defaults to `"request.jwt.claims"`. */
+    claimsSetting?: string;
+}
+/** The role assumed when neither `options.role` nor `claims.role` is set. */
+export declare const RLS_DEFAULT_ROLE = "authenticated";
+/** The GUC `auth.uid()` / `auth.role()` read; what PostgREST populated. */
+export declare const RLS_CLAIMS_SETTING = "request.jwt.claims";
+/** The concrete values a transaction is scoped with. */
+export interface ResolvedRlsConfig {
+    /** Postgres role to assume for the transaction. */
+    role: string;
+    /** GUC the claims JSON is written to. */
+    claimsSetting: string;
+    /** The claims serialized for `set_config` (a JSON string). */
+    claimsJson: string;
+}
+/** Resolve claims + options into the role, GUC name, and serialized claims. */
+export declare const resolveRlsConfig: (claims: RlsClaims, options?: RlsOptions) => ResolvedRlsConfig;
+/**
+ * The single parameterized statement that scopes a transaction: writes the
+ * claims GUC and the `role` GUC, **both transaction-local** (`is_local = true`,
+ * so they reset at `commit`/`rollback` and never leak across pooled
+ * connections). Everything — including the GUC name and role — is bound, never
+ * interpolated, so it's injection-safe.
+ *
+ * Exposed for callers that manage their own connection/transaction (e.g. a
+ * framework middleware): run it as the first statement after `begin`.
+ */
+export declare const rlsPreamble: (config: ResolvedRlsConfig) => {
+    text: string;
+    values: string[];
+};
+//# sourceMappingURL=rls.d.ts.map

package/dist/rls.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rls.d.ts","sourceRoot":"","sources":["../src/rls.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ,yFAAyF;IACzF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,uEAAuE;IACvE,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;CACzB;AAED,iFAAiF;AACjF,MAAM,WAAW,UAAU;IAC1B;;;;OAIG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iFAAiF;IACjF,aAAa,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,6EAA6E;AAC7E,eAAO,MAAM,gBAAgB,kBAAkB,CAAC;AAChD,2EAA2E;AAC3E,eAAO,MAAM,kBAAkB,uBAAuB,CAAC;AAEvD,wDAAwD;AACxD,MAAM,WAAW,iBAAiB;IACjC,mDAAmD;IACnD,IAAI,EAAE,MAAM,CAAC;IACb,yCAAyC;IACzC,aAAa,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,+EAA+E;AAC/E,eAAO,MAAM,gBAAgB,GAC5B,QAAQ,SAAS,EACjB,UAAS,UAAe,KACtB,iBAID,CAAC;AAEH;;;;;;;;;GASG;AACH,eAAO,MAAM,WAAW,GACvB,QAAQ,iBAAiB,KACvB;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAGjC,CAAC"}

package/dist/rls.js

@@ -0,0 +1,49 @@
+/**
+ * Row-Level Security for a **direct Postgres connection** (no PostgREST).
+ *
+ * On Supabase, PostgREST is what made RLS work: per request it did
+ * `SET ROLE authenticated` and set `request.jwt.claims` from the user's JWT, so
+ * policies written against `auth.uid()` fired. The moment a site queries Postgres
+ * directly (`pg` / Drizzle) — whether it's still on Supabase Postgres or has
+ * moved to our DigitalOcean cluster — that setup is gone, and a plain connection
+ * runs as the connection's role with **no claims**, so RLS is either bypassed
+ * (privileged role) or denies everything.
+ *
+ * These helpers reproduce exactly what PostgREST did, per transaction: set the
+ * claims GUC and `SET LOCAL ROLE`, so **existing `auth.uid()` policies keep
+ * working unchanged**. It is pure Postgres, so it behaves identically on Supabase
+ * and on DO. See `docs/db-package.md` (§RLS) and `docs/better-auth-migration.md`.
+ *
+ * Two requirements the caller owns (documented, not enforceable here):
+ *   1. The pool must connect as a role that **does not bypass RLS** for the rows
+ *      it touches — i.e. not the table owner and not a `BYPASSRLS` superuser for
+ *      user-facing reads. (After `SET ROLE authenticated`, RLS applies even if the
+ *      underlying connection is `postgres`, exactly as PostgREST relied on.)
+ *   2. The connecting role must be allowed to `SET ROLE` to the target role
+ *      (Supabase's `authenticator`/`postgres` can; on DO, `GRANT app_user TO …`).
+ */
+/** The role assumed when neither `options.role` nor `claims.role` is set. */
+export const RLS_DEFAULT_ROLE = "authenticated";
+/** The GUC `auth.uid()` / `auth.role()` read; what PostgREST populated. */
+export const RLS_CLAIMS_SETTING = "request.jwt.claims";
+/** Resolve claims + options into the role, GUC name, and serialized claims. */
+export const resolveRlsConfig = (claims, options = {}) => ({
+    role: options.role ?? claims.role ?? RLS_DEFAULT_ROLE,
+    claimsSetting: options.claimsSetting ?? RLS_CLAIMS_SETTING,
+    claimsJson: JSON.stringify(claims),
+});
+/**
+ * The single parameterized statement that scopes a transaction: writes the
+ * claims GUC and the `role` GUC, **both transaction-local** (`is_local = true`,
+ * so they reset at `commit`/`rollback` and never leak across pooled
+ * connections). Everything — including the GUC name and role — is bound, never
+ * interpolated, so it's injection-safe.
+ *
+ * Exposed for callers that manage their own connection/transaction (e.g. a
+ * framework middleware): run it as the first statement after `begin`.
+ */
+export const rlsPreamble = (config) => ({
+    text: "select set_config($1, $2, true), set_config('role', $3, true)",
+    values: [config.claimsSetting, config.claimsJson, config.role],
+});
+//# sourceMappingURL=rls.js.map

package/dist/rls.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rls.js","sourceRoot":"","sources":["../src/rls.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAgCH,6EAA6E;AAC7E,MAAM,CAAC,MAAM,gBAAgB,GAAG,eAAe,CAAC;AAChD,2EAA2E;AAC3E,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC;AAYvD,+EAA+E;AAC/E,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAC/B,MAAiB,EACjB,UAAsB,EAAE,EACJ,EAAE,CAAC,CAAC;IACxB,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,IAAI,gBAAgB;IACrD,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,kBAAkB;IAC1D,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;CAClC,CAAC,CAAC;AAEH;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,CAC1B,MAAyB,EACY,EAAE,CAAC,CAAC;IACzC,IAAI,EAAE,+DAA+D;IACrE,MAAM,EAAE,CAAC,MAAM,CAAC,aAAa,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC;CAC9D,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ingram-tech/nk-db",
-	"version": "0.3.0",
+	"version": "0.5.0",
 	"description": "The Ingram Postgres data layer: one TLS-aware pg pool, raw-SQL helpers, Drizzle wiring, and a PGlite (no-Docker) dev/test harness for Next.js sites.",
 	"license": "MIT",
 	"type": "module",
@@ -23,6 +23,10 @@
 			"types": "./dist/index.d.ts",
 			"import": "./dist/index.js"
 		},
+		"./id": {
+			"types": "./dist/id.d.ts",
+			"import": "./dist/id.js"
+		},
 		"./pglite": {
 			"types": "./dist/pglite/index.d.ts",
 			"import": "./dist/pglite/index.js"
@@ -57,7 +61,7 @@
 	"devDependencies": {
 		"@electric-sql/pglite": "^0.5.0",
 		"@electric-sql/pglite-socket": "^0.2.4",
-		"@ingram-tech/typescript-config": "workspace:*",
+		"@ingram-tech/typescript-config": "0.1.0",
 		"@types/node": "^25.0.0",
 		"@types/pg": "^8.11.0",
 		"drizzle-orm": "^0.45.0",