@kaiz11/stack-client 0.0.14

package/dist/storage/policies-client.js

@@ -0,0 +1,115 @@
+import { normalizePolicy, } from "./policy-types.js";
+import { generatePolicySet } from "./policy-templates.js";
+/**
+ * Storage policies client for managing RLS policies on storage.objects
+ */
+export class StoragePoliciesClient {
+    http;
+    tenantId;
+    accountId;
+    constructor(config) {
+        this.http = config.http;
+        this.tenantId = config.tenantId;
+        this.accountId = config.accountId;
+    }
+    /**
+     * Build path to postgres-meta policies endpoint
+     */
+    path(endpoint = "") {
+        return `/pg/${this.accountId}/${this.tenantId}/policies${endpoint}`;
+    }
+    /**
+     * List all storage policies, optionally filtered by bucket
+     */
+    async list(bucketId) {
+        const response = await this.http.rawRequest(`${this.path()}?included_schemas=storage`, { method: "GET" });
+        const data = (await response.json());
+        // Filter to only storage.objects policies
+        let policies = data
+            .filter((p) => p.schema === "storage" && p.table === "objects")
+            .map(normalizePolicy);
+        // Optionally filter by bucket
+        if (bucketId) {
+            policies = policies.filter((p) => p.definition?.includes(`bucket_id = '${bucketId}'`) ||
+                p.check?.includes(`bucket_id = '${bucketId}'`));
+        }
+        return policies;
+    }
+    /**
+     * Create a single policy
+     */
+    async create(policy) {
+        const body = {
+            name: policy.name.toLowerCase().replace(/\s+/g, "_"),
+            schema: "storage",
+            table: "objects",
+            action: "PERMISSIVE",
+            command: policy.command,
+            roles: policy.roles,
+        };
+        // INSERT only allows WITH CHECK, not USING (definition)
+        if (policy.command === "INSERT") {
+            body.check = policy.check ?? policy.definition;
+        }
+        else {
+            body.definition = policy.definition;
+            if (policy.check) {
+                body.check = policy.check;
+            }
+        }
+        const response = await this.http.rawRequest(this.path(), {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(body),
+        });
+        const data = (await response.json());
+        return normalizePolicy(data);
+    }
+    /**
+     * Create multiple policies from a policy set (additive)
+     */
+    async createSet(bucketId, policies) {
+        const created = [];
+        if (policies.select) {
+            created.push(await this.create(policies.select));
+        }
+        if (policies.insert) {
+            created.push(await this.create(policies.insert));
+        }
+        if (policies.update) {
+            created.push(await this.create(policies.update));
+        }
+        if (policies.delete) {
+            created.push(await this.create(policies.delete));
+        }
+        return created;
+    }
+    /**
+     * Apply a template (deletes existing bucket policies, creates new ones)
+     */
+    async applyTemplate(bucketId, template) {
+        // Delete existing policies for this bucket
+        await this.deleteAll(bucketId);
+        // Generate and create new policies
+        const policySet = generatePolicySet(bucketId, template);
+        return this.createSet(bucketId, policySet);
+    }
+    /**
+     * Delete a policy by ID
+     */
+    async delete(policyId) {
+        await this.http.rawRequest(this.path(`/${policyId}`), {
+            method: "DELETE",
+        });
+    }
+    /**
+     * Delete all policies for a bucket
+     */
+    async deleteAll(bucketId) {
+        const policies = await this.list(bucketId);
+        for (const policy of policies) {
+            await this.delete(policy.id);
+        }
+    }
+}
+//# sourceMappingURL=policies-client.js.map

package/dist/storage/policies-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policies-client.js","sourceRoot":"","sources":["../../src/storage/policies-client.ts"],"names":[],"mappings":"AACA,OAAO,EAML,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAoD1D;;GAEG;AACH,MAAM,OAAO,qBAAqB;IACf,IAAI,CAAa;IACjB,QAAQ,CAAS;IACjB,SAAS,CAAS;IAEnC,YAAY,MAAmC;QAC7C,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QACxB,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAChC,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;IACpC,CAAC;IAED;;OAEG;IACK,IAAI,CAAC,WAAmB,EAAE;QAChC,OAAO,OAAO,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,QAAQ,YAAY,QAAQ,EAAE,CAAC;IACtE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI,CAAC,QAAiB;QAC1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CACzC,GAAG,IAAI,CAAC,IAAI,EAAE,2BAA2B,EACzC,EAAE,MAAM,EAAE,KAAK,EAAE,CAClB,CAAC;QAEF,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgB,CAAC;QAEpD,0CAA0C;QAC1C,IAAI,QAAQ,GAAG,IAAI;aAChB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS,CAAC;aAC9D,GAAG,CAAC,eAAe,CAAC,CAAC;QAExB,8BAA8B;QAC9B,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,GAAG,QAAQ,CAAC,MAAM,CACxB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,UAAU,EAAE,QAAQ,CAAC,gBAAgB,QAAQ,GAAG,CAAC;gBACnD,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,gBAAgB,QAAQ,GAAG,CAAC,CACjD,CAAC;QACJ,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,MAA0B;QACrC,MAAM,IAAI,GAA4B;YACpC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;YACpD,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC;QAEF,wDAAwD;QACxD,IAAI,MAAM,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,UAAU,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;YACpC,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE;YACvD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAc,CAAC;QAClD,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CACb,QAAgB,EAChB,QAA0B;QAE1B,MAAM,OAAO,GAAoB,EAAE,CAAC;QAEpC,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,QAAgB,EAChB,QAAwB;QAExB,2CAA2C;QAC3C,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAE/B,mCAAmC;QACnC,MAAM,SAAS,GAAG,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,QAAgB;QAC3B,MAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC,EAAE;YACpD,MAAM,EAAE,QAAQ;SACjB,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAE3C,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;YAC9B,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;CACF"}

package/dist/storage/policy-templates.d.ts

@@ -0,0 +1,6 @@
+import type { StoragePolicySet } from "./policy-types.js";
+/**
+ * Generate policy set for a specific template and bucket
+ */
+export declare function generatePolicySet(bucketId: string, template: string): StoragePolicySet;
+//# sourceMappingURL=policy-templates.d.ts.map

package/dist/storage/policy-templates.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-templates.d.ts","sourceRoot":"","sources":["../../src/storage/policy-templates.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAE1D;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,gBAAgB,CAmBlB"}

package/dist/storage/policy-templates.js

@@ -0,0 +1,290 @@
+/**
+ * Generate policy set for a specific template and bucket
+ */
+export function generatePolicySet(bucketId, template) {
+    const prefix = bucketId.replace(/[^a-z0-9_]/gi, "_");
+    switch (template) {
+        case "ownerOnly":
+            return ownerOnlyPolicies(bucketId, prefix);
+        case "authenticated":
+            return authenticatedPolicies(bucketId, prefix);
+        case "publicRead":
+            return publicReadPolicies(bucketId, prefix);
+        case "uploadOnly":
+            return uploadOnlyPolicies(bucketId, prefix);
+        case "userFolder":
+            return userFolderPolicies(bucketId, prefix);
+        case "adminOnly":
+            return adminOnlyPolicies(bucketId, prefix);
+        default:
+            throw new Error(`Unknown policy template: ${template}`);
+    }
+}
+/**
+ * Template: Owner Only
+ *
+ * Users can only access files they uploaded (via `owner_id`).
+ *
+ * Access Matrix:
+ * | Role          | SELECT | INSERT | UPDATE | DELETE |
+ * |---------------|--------|--------|--------|--------|
+ * | anon          | ❌     | ❌     | ❌     | ❌     |
+ * | authenticated | Own    | ✅     | Own    | Own    |
+ * | service_role  | ✅     | ✅     | ✅     | ✅     |
+ *
+ * Use case: User profile pictures, personal documents.
+ */
+function ownerOnlyPolicies(bucketId, prefix) {
+    const bucketCheck = `bucket_id = '${bucketId}'`;
+    const ownerCheck = `owner_id = auth.uid()::text`;
+    const serviceBypass = `auth.role() = 'service_role'`;
+    return {
+        select: {
+            name: `${prefix}_owner_select`,
+            command: "SELECT",
+            roles: ["authenticated", "service_role"],
+            definition: `${bucketCheck} AND (${ownerCheck} OR ${serviceBypass})`,
+        },
+        insert: {
+            name: `${prefix}_owner_insert`,
+            command: "INSERT",
+            roles: ["authenticated", "service_role"],
+            definition: bucketCheck,
+            check: bucketCheck,
+        },
+        update: {
+            name: `${prefix}_owner_update`,
+            command: "UPDATE",
+            roles: ["authenticated", "service_role"],
+            definition: `${bucketCheck} AND (${ownerCheck} OR ${serviceBypass})`,
+        },
+        delete: {
+            name: `${prefix}_owner_delete`,
+            command: "DELETE",
+            roles: ["authenticated", "service_role"],
+            definition: `${bucketCheck} AND (${ownerCheck} OR ${serviceBypass})`,
+        },
+    };
+}
+/**
+ * Template: Authenticated
+ *
+ * Any logged-in user can access all files in the bucket.
+ *
+ * Access Matrix:
+ * | Role          | SELECT | INSERT | UPDATE | DELETE |
+ * |---------------|--------|--------|--------|--------|
+ * | anon          | ❌     | ❌     | ❌     | ❌     |
+ * | authenticated | ✅     | ✅     | ✅     | ✅     |
+ * | service_role  | ✅     | ✅     | ✅     | ✅     |
+ *
+ * Use case: Team shared folders, workspace documents.
+ */
+function authenticatedPolicies(bucketId, prefix) {
+    const bucketCheck = `bucket_id = '${bucketId}'`;
+    const authCheck = `auth.role() IN ('authenticated', 'service_role')`;
+    return {
+        select: {
+            name: `${prefix}_auth_select`,
+            command: "SELECT",
+            roles: ["authenticated", "service_role"],
+            definition: `${bucketCheck} AND ${authCheck}`,
+        },
+        insert: {
+            name: `${prefix}_auth_insert`,
+            command: "INSERT",
+            roles: ["authenticated", "service_role"],
+            definition: bucketCheck,
+            check: bucketCheck,
+        },
+        update: {
+            name: `${prefix}_auth_update`,
+            command: "UPDATE",
+            roles: ["authenticated", "service_role"],
+            definition: `${bucketCheck} AND ${authCheck}`,
+        },
+        delete: {
+            name: `${prefix}_auth_delete`,
+            command: "DELETE",
+            roles: ["authenticated", "service_role"],
+            definition: `${bucketCheck} AND ${authCheck}`,
+        },
+    };
+}
+/**
+ * Template: Public Read
+ *
+ * Anyone can read files, but only authenticated users can write.
+ * Only service_role can update/delete.
+ *
+ * Access Matrix:
+ * | Role          | SELECT | INSERT | UPDATE | DELETE |
+ * |---------------|--------|--------|--------|--------|
+ * | anon          | ✅     | ❌     | ❌     | ❌     |
+ * | authenticated | ✅     | ✅     | ❌     | ❌     |
+ * | service_role  | ✅     | ✅     | ✅     | ✅     |
+ *
+ * Use case: CDN assets, blog images, public marketing content.
+ */
+function publicReadPolicies(bucketId, prefix) {
+    const bucketCheck = `bucket_id = '${bucketId}'`;
+    return {
+        select: {
+            name: `${prefix}_public_select`,
+            command: "SELECT",
+            roles: ["anon", "authenticated", "service_role"],
+            definition: bucketCheck,
+        },
+        insert: {
+            name: `${prefix}_public_insert`,
+            command: "INSERT",
+            roles: ["authenticated", "service_role"],
+            definition: bucketCheck,
+            check: bucketCheck,
+        },
+        update: {
+            name: `${prefix}_public_update`,
+            command: "UPDATE",
+            roles: ["service_role"],
+            definition: bucketCheck,
+        },
+        delete: {
+            name: `${prefix}_public_delete`,
+            command: "DELETE",
+            roles: ["service_role"],
+            definition: bucketCheck,
+        },
+    };
+}
+/**
+ * Template: Upload Only
+ *
+ * Anyone can upload files, but only service_role can read/delete.
+ * Useful for form submissions or anonymous file drops.
+ *
+ * Access Matrix:
+ * | Role          | SELECT | INSERT | UPDATE | DELETE |
+ * |---------------|--------|--------|--------|--------|
+ * | anon          | ❌     | ✅     | ❌     | ❌     |
+ * | authenticated | ❌     | ✅     | ❌     | ❌     |
+ * | service_role  | ✅     | ✅     | ❌     | ✅     |
+ *
+ * Use case: Form submissions, anonymous file inbox.
+ */
+function uploadOnlyPolicies(bucketId, prefix) {
+    const bucketCheck = `bucket_id = '${bucketId}'`;
+    return {
+        select: {
+            name: `${prefix}_upload_select`,
+            command: "SELECT",
+            roles: ["service_role"],
+            definition: bucketCheck,
+        },
+        insert: {
+            name: `${prefix}_upload_insert`,
+            command: "INSERT",
+            roles: ["anon", "authenticated", "service_role"],
+            definition: bucketCheck,
+            check: bucketCheck,
+        },
+        delete: {
+            name: `${prefix}_upload_delete`,
+            command: "DELETE",
+            roles: ["service_role"],
+            definition: bucketCheck,
+        },
+    };
+}
+/**
+ * Template: User Folder
+ *
+ * Path-based isolation where the first folder must be the user's ID.
+ * Files at `/{user_id}/...` are accessible only to that user.
+ *
+ * Access Matrix:
+ * | Role          | SELECT   | INSERT   | UPDATE   | DELETE   |
+ * |---------------|----------|----------|----------|----------|
+ * | anon          | ❌       | ❌       | ❌       | ❌       |
+ * | authenticated | Own path | Own path | Own path | Own path |
+ * | service_role  | ✅       | ✅       | ✅       | ✅       |
+ *
+ * Use case: Multi-tenant storage isolation, user-specific directories.
+ */
+function userFolderPolicies(bucketId, prefix) {
+    const bucketCheck = `bucket_id = '${bucketId}'`;
+    const folderCheck = `split_part(name, '/', 1) = auth.uid()::text`;
+    const serviceBypass = `auth.role() = 'service_role'`;
+    return {
+        select: {
+            name: `${prefix}_folder_select`,
+            command: "SELECT",
+            roles: ["authenticated", "service_role"],
+            definition: `${bucketCheck} AND (${folderCheck} OR ${serviceBypass})`,
+        },
+        insert: {
+            name: `${prefix}_folder_insert`,
+            command: "INSERT",
+            roles: ["authenticated", "service_role"],
+            definition: `${bucketCheck} AND (${folderCheck} OR ${serviceBypass})`,
+            check: `${bucketCheck} AND (${folderCheck} OR ${serviceBypass})`,
+        },
+        update: {
+            name: `${prefix}_folder_update`,
+            command: "UPDATE",
+            roles: ["authenticated", "service_role"],
+            definition: `${bucketCheck} AND (${folderCheck} OR ${serviceBypass})`,
+        },
+        delete: {
+            name: `${prefix}_folder_delete`,
+            command: "DELETE",
+            roles: ["authenticated", "service_role"],
+            definition: `${bucketCheck} AND (${folderCheck} OR ${serviceBypass})`,
+        },
+    };
+}
+/**
+ * Template: Admin Only
+ *
+ * Only service_role (backend) can access files.
+ * No access for anon or authenticated users.
+ *
+ * Access Matrix:
+ * | Role          | SELECT | INSERT | UPDATE | DELETE |
+ * |---------------|--------|--------|--------|--------|
+ * | anon          | ❌     | ❌     | ❌     | ❌     |
+ * | authenticated | ❌     | ❌     | ❌     | ❌     |
+ * | service_role  | ✅     | ✅     | ✅     | ✅     |
+ *
+ * Use case: System files, internal assets, API-generated content.
+ */
+function adminOnlyPolicies(bucketId, prefix) {
+    const bucketCheck = `bucket_id = '${bucketId}'`;
+    return {
+        select: {
+            name: `${prefix}_admin_select`,
+            command: "SELECT",
+            roles: ["service_role"],
+            definition: bucketCheck,
+        },
+        insert: {
+            name: `${prefix}_admin_insert`,
+            command: "INSERT",
+            roles: ["service_role"],
+            definition: bucketCheck,
+            check: bucketCheck,
+        },
+        update: {
+            name: `${prefix}_admin_update`,
+            command: "UPDATE",
+            roles: ["service_role"],
+            definition: bucketCheck,
+        },
+        delete: {
+            name: `${prefix}_admin_delete`,
+            command: "DELETE",
+            roles: ["service_role"],
+            definition: bucketCheck,
+        },
+    };
+}
+//# sourceMappingURL=policy-templates.js.map

package/dist/storage/policy-templates.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-templates.js","sourceRoot":"","sources":["../../src/storage/policy-templates.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,QAAgB;IAEhB,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;IAErD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,WAAW;YACd,OAAO,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7C,KAAK,eAAe;YAClB,OAAO,qBAAqB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjD,KAAK,YAAY;YACf,OAAO,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC9C,KAAK,YAAY;YACf,OAAO,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC9C,KAAK,YAAY;YACf,OAAO,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC9C,KAAK,WAAW;YACd,OAAO,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7C;YACE,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,iBAAiB,CAAC,QAAgB,EAAE,MAAc;IACzD,MAAM,WAAW,GAAG,gBAAgB,QAAQ,GAAG,CAAC;IAChD,MAAM,UAAU,GAAG,6BAA6B,CAAC;IACjD,MAAM,aAAa,GAAG,8BAA8B,CAAC;IAErD,OAAO;QACL,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,eAAe;YAC9B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,GAAG,WAAW,SAAS,UAAU,OAAO,aAAa,GAAG;SACrE;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,eAAe;YAC9B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,WAAW;YACvB,KAAK,EAAE,WAAW;SACnB;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,eAAe;YAC9B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,GAAG,WAAW,SAAS,UAAU,OAAO,aAAa,GAAG;SACrE;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,eAAe;YAC9B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,GAAG,WAAW,SAAS,UAAU,OAAO,aAAa,GAAG;SACrE;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,qBAAqB,CAC5B,QAAgB,EAChB,MAAc;IAEd,MAAM,WAAW,GAAG,gBAAgB,QAAQ,GAAG,CAAC;IAChD,MAAM,SAAS,GAAG,kDAAkD,CAAC;IAErE,OAAO;QACL,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,cAAc;YAC7B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,GAAG,WAAW,QAAQ,SAAS,EAAE;SAC9C;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,cAAc;YAC7B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,WAAW;YACvB,KAAK,EAAE,WAAW;SACnB;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,cAAc;YAC7B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,GAAG,WAAW,QAAQ,SAAS,EAAE;SAC9C;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,cAAc;YAC7B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,GAAG,WAAW,QAAQ,SAAS,EAAE;SAC9C;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAS,kBAAkB,CACzB,QAAgB,EAChB,MAAc;IAEd,MAAM,WAAW,GAAG,gBAAgB,QAAQ,GAAG,CAAC;IAEhD,OAAO;QACL,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,gBAAgB;YAC/B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,MAAM,EAAE,eAAe,EAAE,cAAc,CAAC;YAChD,UAAU,EAAE,WAAW;SACxB;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,gBAAgB;YAC/B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,WAAW;YACvB,KAAK,EAAE,WAAW;SACnB;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,gBAAgB;YAC/B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,cAAc,CAAC;YACvB,UAAU,EAAE,WAAW;SACxB;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,gBAAgB;YAC/B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,cAAc,CAAC;YACvB,UAAU,EAAE,WAAW;SACxB;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAS,kBAAkB,CACzB,QAAgB,EAChB,MAAc;IAEd,MAAM,WAAW,GAAG,gBAAgB,QAAQ,GAAG,CAAC;IAEhD,OAAO;QACL,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,gBAAgB;YAC/B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,cAAc,CAAC;YACvB,UAAU,EAAE,WAAW;SACxB;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,gBAAgB;YAC/B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,MAAM,EAAE,eAAe,EAAE,cAAc,CAAC;YAChD,UAAU,EAAE,WAAW;YACvB,KAAK,EAAE,WAAW;SACnB;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,gBAAgB;YAC/B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,cAAc,CAAC;YACvB,UAAU,EAAE,WAAW;SACxB;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAS,kBAAkB,CACzB,QAAgB,EAChB,MAAc;IAEd,MAAM,WAAW,GAAG,gBAAgB,QAAQ,GAAG,CAAC;IAChD,MAAM,WAAW,GAAG,6CAA6C,CAAC;IAClE,MAAM,aAAa,GAAG,8BAA8B,CAAC;IAErD,OAAO;QACL,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,gBAAgB;YAC/B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,GAAG,WAAW,SAAS,WAAW,OAAO,aAAa,GAAG;SACtE;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,gBAAgB;YAC/B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,GAAG,WAAW,SAAS,WAAW,OAAO,aAAa,GAAG;YACrE,KAAK,EAAE,GAAG,WAAW,SAAS,WAAW,OAAO,aAAa,GAAG;SACjE;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,gBAAgB;YAC/B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,GAAG,WAAW,SAAS,WAAW,OAAO,aAAa,GAAG;SACtE;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,gBAAgB;YAC/B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,eAAe,EAAE,cAAc,CAAC;YACxC,UAAU,EAAE,GAAG,WAAW,SAAS,WAAW,OAAO,aAAa,GAAG;SACtE;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAS,iBAAiB,CAAC,QAAgB,EAAE,MAAc;IACzD,MAAM,WAAW,GAAG,gBAAgB,QAAQ,GAAG,CAAC;IAEhD,OAAO;QACL,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,eAAe;YAC9B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,cAAc,CAAC;YACvB,UAAU,EAAE,WAAW;SACxB;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,eAAe;YAC9B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,cAAc,CAAC;YACvB,UAAU,EAAE,WAAW;YACvB,KAAK,EAAE,WAAW;SACnB;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,eAAe;YAC9B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,cAAc,CAAC;YACvB,UAAU,EAAE,WAAW;SACxB;QACD,MAAM,EAAE;YACN,IAAI,EAAE,GAAG,MAAM,eAAe;YAC9B,OAAO,EAAE,QAAQ;YACjB,KAAK,EAAE,CAAC,cAAc,CAAC;YACvB,UAAU,EAAE,WAAW;SACxB;KACF,CAAC;AACJ,CAAC"}

package/dist/storage/policy-types.d.ts

@@ -0,0 +1,98 @@
+/**
+ * Policy command (SQL operations)
+ */
+export type PolicyCommand = "SELECT" | "INSERT" | "UPDATE" | "DELETE" | "ALL";
+/**
+ * Policy action type
+ */
+export type PolicyAction = "PERMISSIVE" | "RESTRICTIVE";
+/**
+ * Available policy templates for storage buckets.
+ *
+ * Each template defines access rules for different roles:
+ * - `anon`: Unauthenticated users (no JWT or anon key)
+ * - `authenticated`: Logged-in users with valid JWT
+ * - `service_role`: Backend services with service_role key (bypasses RLS)
+ *
+ * Note: Basejump account-level access (owner/member) is not handled by these
+ * templates. For account-based access, use custom policies with JWT claims
+ * like `auth.jwt()->>'account_id'`.
+ *
+ * ## Template Access Matrix
+ *
+ * | Template        | anon | authenticated | service_role | Notes                           |
+ * |-----------------|------|---------------|--------------|----------------------------------|
+ * | `ownerOnly`     | ❌   | Own files     | ✅ All       | Uses `owner_id = auth.uid()`     |
+ * | `authenticated` | ❌   | ✅ All        | ✅ All       | Team shared bucket               |
+ * | `publicRead`    | Read | Read + Write  | ✅ All       | CDN/public assets                |
+ * | `uploadOnly`    | Write| Write         | ✅ All       | Form submissions, inbox          |
+ * | `userFolder`    | ❌   | Own folder    | ✅ All       | Path: `/{user_id}/...`           |
+ * | `adminOnly`     | ❌   | ❌            | ✅ All       | System/internal files            |
+ */
+export type PolicyTemplate = "ownerOnly" | "authenticated" | "publicRead" | "uploadOnly" | "userFolder" | "adminOnly";
+/**
+ * Input for creating a single policy
+ */
+export interface StoragePolicyInput {
+    /** Policy name (will be snake_cased) */
+    name: string;
+    /** SQL command this policy applies to */
+    command: PolicyCommand;
+    /** Roles this policy applies to */
+    roles: string[];
+    /** SQL expression for USING clause (SELECT/UPDATE/DELETE) */
+    definition: string;
+    /** SQL expression for WITH CHECK clause (INSERT/UPDATE) */
+    check?: string;
+}
+/**
+ * Full policy as returned from API
+ */
+export interface StoragePolicy {
+    /** Policy ID */
+    id: number;
+    /** Policy name */
+    name: string;
+    /** Schema (always "storage" for storage policies) */
+    schema: string;
+    /** Table (always "objects" for storage policies) */
+    table: string;
+    /** Policy action */
+    action: PolicyAction;
+    /** SQL command */
+    command: PolicyCommand;
+    /** Roles this policy applies to */
+    roles: string[];
+    /** USING clause expression */
+    definition: string | null;
+    /** WITH CHECK clause expression */
+    check: string | null;
+}
+/**
+ * Set of policies for all CRUD operations
+ */
+export interface StoragePolicySet {
+    select?: StoragePolicyInput;
+    insert?: StoragePolicyInput;
+    update?: StoragePolicyInput;
+    delete?: StoragePolicyInput;
+}
+/**
+ * Raw policy from postgres-meta API
+ */
+export interface ApiPolicy {
+    id: number;
+    name: string;
+    schema: string;
+    table: string;
+    action: string;
+    command: string;
+    roles: string[];
+    definition: string | null;
+    check: string | null;
+}
+/**
+ * Normalize API policy to SDK format
+ */
+export declare function normalizePolicy(policy: ApiPolicy): StoragePolicy;
+//# sourceMappingURL=policy-types.d.ts.map

package/dist/storage/policy-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-types.d.ts","sourceRoot":"","sources":["../../src/storage/policy-types.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,KAAK,CAAC;AAE9E;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,YAAY,GAAG,aAAa,CAAC;AAExD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,MAAM,cAAc,GACtB,WAAW,GACX,eAAe,GACf,YAAY,GACZ,YAAY,GACZ,YAAY,GACZ,WAAW,CAAC;AAEhB;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,wCAAwC;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,yCAAyC;IACzC,OAAO,EAAE,aAAa,CAAC;IACvB,mCAAmC;IACnC,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,6DAA6D;IAC7D,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gBAAgB;IAChB,EAAE,EAAE,MAAM,CAAC;IACX,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,qDAAqD;IACrD,MAAM,EAAE,MAAM,CAAC;IACf,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAC;IACd,oBAAoB;IACpB,MAAM,EAAE,YAAY,CAAC;IACrB,kBAAkB;IAClB,OAAO,EAAE,aAAa,CAAC;IACvB,mCAAmC;IACnC,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,8BAA8B;IAC9B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,mCAAmC;IACnC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,EAAE,kBAAkB,CAAC;IAC5B,MAAM,CAAC,EAAE,kBAAkB,CAAC;IAC5B,MAAM,CAAC,EAAE,kBAAkB,CAAC;IAC5B,MAAM,CAAC,EAAE,kBAAkB,CAAC;CAC7B;AAMD;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,GAAG,aAAa,CAYhE"}

package/dist/storage/policy-types.js

@@ -0,0 +1,20 @@
+// ============================================
+// Storage Policy Types
+// ============================================
+/**
+ * Normalize API policy to SDK format
+ */
+export function normalizePolicy(policy) {
+    return {
+        id: policy.id,
+        name: policy.name,
+        schema: policy.schema,
+        table: policy.table,
+        action: policy.action,
+        command: policy.command,
+        roles: policy.roles,
+        definition: policy.definition,
+        check: policy.check,
+    };
+}
+//# sourceMappingURL=policy-types.js.map

package/dist/storage/policy-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-types.js","sourceRoot":"","sources":["../../src/storage/policy-types.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAC/C,uBAAuB;AACvB,+CAA+C;AAgH/C;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,MAAiB;IAC/C,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,EAAE;QACb,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAsB;QACrC,OAAO,EAAE,MAAM,CAAC,OAAwB;QACxC,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;KACpB,CAAC;AACJ,CAAC"}

package/dist/storage/storage-client.d.ts

@@ -0,0 +1,32 @@
+import type { HttpClient } from "../lib/http.js";
+import type { IStorageClient, IBucketRef } from "./interface.js";
+import { type Bucket, type CreateBucketOptions, type UpdateBucketOptions } from "./types.js";
+import { type IStoragePoliciesClient } from "./policies-client.js";
+/**
+ * Storage client configuration
+ */
+export interface StorageClientConfig {
+    http: HttpClient;
+    tenantId: string;
+    /** Account ID for admin operations (policies, etc.) */
+    accountId?: string;
+}
+/**
+ * Storage client for bucket and object operations
+ */
+export declare class StorageClient implements IStorageClient {
+    private readonly http;
+    private readonly tenantId;
+    /** Policies client (null if accountId not provided) */
+    readonly policies: IStoragePoliciesClient | null;
+    constructor(config: StorageClientConfig);
+    private path;
+    listBuckets(): Promise<Bucket[]>;
+    getBucket(id: string): Promise<Bucket>;
+    createBucket(options: CreateBucketOptions): Promise<Bucket>;
+    updateBucket(id: string, options: UpdateBucketOptions): Promise<Bucket>;
+    deleteBucket(id: string): Promise<void>;
+    emptyBucket(id: string): Promise<void>;
+    from(bucketId: string): IBucketRef;
+}
+//# sourceMappingURL=storage-client.d.ts.map

package/dist/storage/storage-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage-client.d.ts","sourceRoot":"","sources":["../../src/storage/storage-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAGjD,OAAO,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjE,OAAO,EAEL,KAAK,MAAM,EACX,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EAEzB,MAAM,YAAY,CAAC;AACpB,OAAO,EAEL,KAAK,sBAAsB,EAC5B,MAAM,sBAAsB,CAAC;AAE9B;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,UAAU,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,qBAAa,aAAc,YAAW,cAAc;IAClD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAa;IAClC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAElC,uDAAuD;IACvD,QAAQ,CAAC,QAAQ,EAAE,sBAAsB,GAAG,IAAI,CAAC;gBAErC,MAAM,EAAE,mBAAmB;IAgBvC,OAAO,CAAC,IAAI;IAIN,WAAW,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAShC,SAAS,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAStC,YAAY,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB3D,YAAY,CAChB,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,MAAM,CAAC;IAgBZ,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMvC,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAU5C,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU;CAGnC"}