@kozou/svelte-ui 1.2.0 → 1.4.0

package/build/server/chunks/{hooks.server-BCX7tjO4.js → hooks.server-Oa_UD2Wo.js}

@@ -1,4 +1,4 @@
-import { _ as __commonJSMin, b as __require } from './internal-D3PcExp3.js';
+import { _ as __commonJSMin, b as __require } from './internal-Z9Jwi6lX.js';
 import { e as encodeResourceId } from './resource-id-PDcQeAnc.js';
 import { z } from 'zod';
 import require$$0$3 from 'events';
@@ -6478,7 +6478,9 @@ var KNOWN_TAGS = new Set([
 	"ai",
 	"widget",
 	"policy",
-	"example"
+	"example",
+	"expose",
+	"arg"
 ]);
 var TAG_RE = /^\s*@([a-zA-Z_][a-zA-Z0-9_]*)\s*:(.*)$/;
 var INDENT_RE = /^[ \t]/;
@@ -6516,13 +6518,66 @@ function warnMidlineTag(token) {
 function isWidgetType(value) {
 	return KNOWN_WIDGETS.has(value);
 }
+/** Index of the first whitespace character, or -1. Manual scan (no regex) to
+*  stay off CodeQL's polynomial-ReDoS radar, like the rest of this module. */
+function firstWhitespaceIndex(s) {
+	for (let i = 0; i < s.length; i += 1) if (LINE_WS_RE.test(s[i])) return i;
+	return -1;
+}
+/** Extract `<inner>` from a `<name>(<inner>)` directive token (trimmed), or
+*  null when the token is not exactly that shape. Manual scan, no regex. */
+function parenDirective(directive, name) {
+	const prefix = `${name}(`;
+	if (!directive.startsWith(prefix) || !directive.endsWith(")")) return null;
+	return directive.slice(prefix.length, -1).trim();
+}
+/** Parse an `@arg:` value — "<argname> relation(<ref>)" or
+*  "<argname> widget(<type>)". Returns null on any malformed shape so the
+*  caller can warn (no silent drop). `<ref>` is `table.col` (schema defaulted
+*  later) or `schema.table.col`. */
+function parseArgHint(value) {
+	const ws = firstWhitespaceIndex(value);
+	if (ws === -1) return null;
+	const name = value.slice(0, ws);
+	const directive = value.slice(ws + 1).trim();
+	if (name === "" || directive === "") return null;
+	const rel = parenDirective(directive, "relation");
+	if (rel !== null) {
+		const parts = rel.split(".").map((p) => p.trim());
+		if (parts.length === 2 && parts.every((p) => p !== "")) return {
+			name,
+			relation: {
+				schema: null,
+				table: parts[0],
+				column: parts[1]
+			}
+		};
+		if (parts.length === 3 && parts.every((p) => p !== "")) return {
+			name,
+			relation: {
+				schema: parts[0],
+				table: parts[1],
+				column: parts[2]
+			}
+		};
+		return null;
+	}
+	const wid = parenDirective(directive, "widget");
+	if (wid !== null) return isWidgetType(wid) ? {
+		name,
+		widget: wid
+	} : null;
+	return null;
+}
 function parseCommentTags(comment) {
 	const result = {
 		body: "",
 		ai: [],
 		widget: null,
 		policy: [],
-		examples: []
+		examples: [],
+		expose: "none",
+		args: []
 	};
 	if (comment === null || comment === "") return result;
 	const lines = comment.split("\n");
@@ -6598,6 +6653,22 @@ function parseCommentTags(comment) {
 			};
 			continue;
 		}
+		if (tag === "expose") {
+			const tokens = value.toLowerCase().split(/\s+/).filter((t) => t !== "");
+			if (tokens.length === 1 && tokens[0] === "rpc") result.expose = "rpc";
+			else if (tokens.length === 2 && tokens[0] === "rpc" && tokens[1] === "public") result.expose = "rpc-public";
+			else {
+				result.expose = "none";
+				console.warn(`[@kozou/core] parseCommentTags: invalid @expose value "${value}" (expected "rpc" or "rpc public"; not exposed)`);
+			}
+			continue;
+		}
+		if (tag === "arg") {
+			const hint = parseArgHint(value);
+			if (hint !== null) result.args.push(hint);
+			else console.warn(`[@kozou/core] parseCommentTags: invalid @arg value "${value}" (expected "<name> relation(<table.col>)" or "<name> widget(<type>)"; skip)`);
+			continue;
+		}
 		if (!KNOWN_TAGS.has(tag)) {
 			console.warn(`[@kozou/core] parseCommentTags: unknown tag "@${tag}" (forward compat: kept in body)`);
 			bodyLines.push(line);
@@ -6663,6 +6734,252 @@ function inferWidget(input) {
 	return "text";
 }
 //#endregion
+//#region ../core/dist/buildFunctionContext.js
+var POLYMORPHIC_TYPES = new Set([
+	"anyelement",
+	"anyarray",
+	"anynonarray",
+	"anyenum",
+	"anyrange",
+	"anymultirange",
+	"anycompatible",
+	"anycompatiblearray",
+	"anycompatiblenonarray",
+	"anycompatiblerange",
+	"anycompatiblemultirange"
+]);
+/** True for an argument that is part of the call's input (so it appears in the
+*  named-args body). OUT (`out`) and RETURNS TABLE columns (`table`) are
+*  return-side and excluded. */
+function isInputArg(arg) {
+	return arg.mode === "in" || arg.mode === "inout" || arg.mode === "variadic";
+}
+/** Validate an allowlist: every entry must be a schema-qualified name of
+*  exactly the form `schema.function`, with both parts non-empty and no extra
+*  dot (§5.0). A bare name is ambiguous (which schema?); an entry with two+
+*  dots is ambiguous against a quoted identifier that itself contains a dot, so
+*  it could authorize the wrong function — both are dropped with a build issue
+*  rather than matched loosely (fail-closed for the definer / PUBLIC gates).
+*  Returns the set of valid entries. */
+function normalizeAllowlist(entries, configKey, issues) {
+	const set = /* @__PURE__ */ new Set();
+	if (entries === void 0) return set;
+	for (const entry of entries) {
+		const parts = entry.split(".");
+		if (parts.length !== 2 || parts[0] === "" || parts[1] === "") {
+			issues.push({
+				path: `rpc.${configKey}`,
+				message: `"${entry}" is not a schema-qualified function name (expected exactly "schema.function"); ignored.`
+			});
+			continue;
+		}
+		set.add(entry);
+	}
+	return set;
+}
+/** The owner-relative safe-search_path predicate for `security definer`
+*  functions (RPC design §3.2). A definer function runs as its owner, so an
+*  unqualified name resolved through a schema that someone else can write to
+*  can be hijacked. Safe requires: a declared search_path; `pg_temp` present
+*  exactly once and last (else the temp schema is searched implicitly first);
+*  and every other element a schema only the owner may CREATE in. Anything
+*  unresolvable is unsafe (fail-closed). */
+function checkSafeSearchPath(fn) {
+	const sp = fn.searchPath;
+	if (sp === null || sp.length === 0) return {
+		safe: false,
+		reason: "no SET search_path is declared"
+	};
+	const tempCount = sp.filter((e) => e.isTemp).length;
+	if (tempCount === 0) return {
+		safe: false,
+		reason: "pg_temp is not listed, so the session temp schema is searched implicitly first"
+	};
+	if (tempCount > 1 || !sp[sp.length - 1].isTemp) return {
+		safe: false,
+		reason: "pg_temp must appear exactly once and as the last element"
+	};
+	for (const el of sp) {
+		if (el.isTemp) continue;
+		if (el.schema === null) return {
+			safe: false,
+			reason: `element "${el.raw}" does not resolve to a fixed schema`
+		};
+		if (el.writableByOthers === null) return {
+			safe: false,
+			reason: `cannot determine who may CREATE in schema "${el.schema}"`
+		};
+		if (el.writableByOthers === true) return {
+			safe: false,
+			reason: `schema "${el.schema}" is writable by PUBLIC or a role other than the owner`
+		};
+	}
+	return {
+		safe: true,
+		reason: ""
+	};
+}
+/** Build a synthetic RawColumn so argument widget inference reuses the exact
+*  column heuristics (`inferWidget`). Arguments are not foreign keys, so a
+*  relation-select only comes from an `@arg` relation hint, handled in
+*  `buildArg`; here we only need name + udtName for the type-based path. */
+function inferArgWidget(arg, enumValues) {
+	return inferWidget({
+		column: {
+			name: arg.name,
+			dataType: arg.typeName,
+			udtName: arg.udtName,
+			nullable: true,
+			defaultExpr: null,
+			comment: null,
+			position: 0
+		},
+		isForeignKey: false,
+		relationSelectable: false,
+		enumValues,
+		commentBody: ""
+	});
+}
+/** ENUM members for an argument's type, matched by type name (preferring the
+*  function's own schema when an enum name is reused across schemas). */
+function findEnumValues(enums, udtName, fnSchema) {
+	return (enums.find((e) => e.name === udtName && e.schema === fnSchema) ?? enums.find((e) => e.name === udtName))?.values;
+}
+function buildArg(arg, parsed, fnSchema, enums) {
+	const hint = parsed.args.find((h) => h.name === arg.name);
+	const relation = hint?.relation ? {
+		schema: hint.relation.schema ?? fnSchema,
+		table: hint.relation.table,
+		column: hint.relation.column
+	} : void 0;
+	const enumValues = findEnumValues(enums, arg.udtName, fnSchema);
+	let widget;
+	if (hint?.widget) widget = hint.widget;
+	else if (relation) widget = "relation-select";
+	else widget = inferArgWidget(arg, enumValues ?? null);
+	return {
+		name: arg.name,
+		typeName: arg.typeName,
+		hasDefault: arg.hasDefault,
+		...enumValues ? { enumValues } : {},
+		...relation ? { relation } : {},
+		widget
+	};
+}
+function mapReturn(r) {
+	return {
+		kind: r.kind === "unsupported" ? "void" : r.kind,
+		typeName: r.typeName,
+		...r.columns ? { columns: r.columns.map((c) => ({
+			name: c.name,
+			typeName: c.typeName
+		})) } : {}
+	};
+}
+function decideAndBuild(input) {
+	const { fn, parsed, qualifiedName, enums, allowDefiner, allowPublicExecute, issues } = input;
+	const skip = (message) => {
+		issues.push({
+			path: `functions.${qualifiedName}`,
+			message: `"${qualifiedName}" ${message}`
+		});
+		return null;
+	};
+	const inputArgs = fn.arguments.filter(isInputArg);
+	for (const arg of inputArgs) {
+		if (arg.mode === "variadic") return skip(`has a VARIADIC argument ("${arg.name}"), unsupported in v1; not exposed.`);
+		if (arg.name === "") return skip("has an unnamed argument; the named-args RPC body requires names, so it is not exposed.");
+		if (POLYMORPHIC_TYPES.has(arg.udtName)) return skip(`has a polymorphic argument ("${arg.name}" ${arg.typeName}), unsupported in v1; not exposed.`);
+	}
+	if (fn.returns.kind === "unsupported") return skip(`returns "${fn.returns.typeName}", an unsupported return shape in v1 (OUT/INOUT composite, record, or polymorphic); not exposed.`);
+	if (fn.security === "definer") {
+		if (!allowDefiner.has(qualifiedName)) return skip("is SECURITY DEFINER and tagged @expose: rpc, but is not listed in api.rpc.allowDefiner; not exposed (the operator must opt in to a privilege-bypassing endpoint, §3.2).");
+		const sp = checkSafeSearchPath(fn);
+		if (!sp.safe) return skip(`is SECURITY DEFINER but its search_path is not owner-safe (${sp.reason}); not exposed. Declare SET search_path with owner-only schemas and a trailing pg_temp (§3.2).`);
+	}
+	let publicCallable = false;
+	if (fn.publicExecute) {
+		if (!(parsed.expose === "rpc-public" || allowPublicExecute.has(qualifiedName))) return skip("still grants EXECUTE to PUBLIC (the CREATE FUNCTION default); not exposed. REVOKE EXECUTE FROM PUBLIC and GRANT it to the intended role, or declare the public endpoint intentional with @expose: rpc public / api.rpc.allowPublicExecute (§6.1).");
+		publicCallable = true;
+	}
+	const args = inputArgs.map((arg) => buildArg(arg, parsed, fn.schema, enums));
+	const inputArgNames = new Set(inputArgs.map((a) => a.name));
+	for (const hint of parsed.args) if (!inputArgNames.has(hint.name)) issues.push({
+		path: `functions.${qualifiedName}.args.${hint.name}`,
+		message: `@arg hint references argument "${hint.name}", which "${qualifiedName}" does not have; ignored.`
+	});
+	const body = parsed.body !== "" ? parsed.body : null;
+	const label = body !== null ? body.split("\n")[0].trim() : fn.name;
+	return {
+		schema: fn.schema,
+		name: fn.name,
+		qualifiedName,
+		label,
+		description: body,
+		aiDescription: parsed.ai.length > 0 ? parsed.ai.join("\n") : null,
+		policy: parsed.policy,
+		args,
+		returns: mapReturn(fn.returns),
+		volatility: fn.volatility,
+		security: fn.security,
+		publicCallable,
+		rawFunction: fn
+	};
+}
+/** Decide which functions are exposed as RPC actions and shape them into
+*  FunctionContexts (RPC design §3–§5). Skipped-but-tagged functions are pushed
+*  onto `issues`. Output is sorted by qualified name for stable surfaces. */
+function buildFunctionContexts(input) {
+	const { functions, enums, issues } = input;
+	const allowDefiner = normalizeAllowlist(input.rpc?.allowDefiner, "allowDefiner", issues);
+	const allowPublicExecute = normalizeAllowlist(input.rpc?.allowPublicExecute, "allowPublicExecute", issues);
+	const byQualified = /* @__PURE__ */ new Map();
+	for (const fn of functions) {
+		const parsed = parseCommentTags(fn.comment);
+		const q = `${fn.schema}.${fn.name}`;
+		const group = byQualified.get(q);
+		if (group) group.push({
+			fn,
+			parsed
+		});
+		else byQualified.set(q, [{
+			fn,
+			parsed
+		}]);
+	}
+	const result = [];
+	for (const [qualifiedName, group] of byQualified) {
+		if (!group.some((e) => e.parsed.expose !== "none")) continue;
+		if (group.length > 1) {
+			issues.push({
+				path: `functions.${qualifiedName}`,
+				message: `"${qualifiedName}" has ${group.length} overloaded definitions and at least one is tagged for RPC exposure; v1 cannot disambiguate overloads by signature, so none are exposed. Rename the overloads or keep a single definition for this name.`
+			});
+			continue;
+		}
+		const entry = group[0];
+		if (entry.fn.schema.includes(".") || entry.fn.name.includes(".")) {
+			issues.push({
+				path: `functions.${entry.fn.schema}.${entry.fn.name}`,
+				message: `"${entry.fn.schema}"."${entry.fn.name}" has a "." in its schema or name; the schema-qualified RPC identity (schema.function) would be ambiguous, so it is not exposed.`
+			});
+			continue;
+		}
+		const ctx = decideAndBuild({
+			fn: entry.fn,
+			parsed: entry.parsed,
+			qualifiedName,
+			enums,
+			allowDefiner,
+			allowPublicExecute,
+			issues
+		});
+		if (ctx !== null) result.push(ctx);
+	}
+	result.sort((a, b) => a.qualifiedName.localeCompare(b.qualifiedName));
+	return result;
+}
+//#endregion
 //#region ../core/dist/displayField.js
 var CANDIDATES = [
 	"name",
@@ -6743,6 +7060,9 @@ function buildColumn(input) {
 		commentBody: parsed.body
 	});
 	const label = hints?.label ?? deriveLabel(column.name);
+	const priv = column.privileges;
+	const insertable = priv === void 0 ? void 0 : priv.insert;
+	const updatable = priv === void 0 ? void 0 : priv.update;
 	return {
 		name: column.name,
 		dataType: column.dataType,
@@ -6756,7 +7076,9 @@ function buildColumn(input) {
 		policy: parsed.policy,
 		widget,
 		enumValues,
-		readonly: hints?.readonly ?? false
+		readonly: hints?.readonly ?? false,
+		...insertable === void 0 ? {} : { insertable },
+		...updatable === void 0 ? {} : { updatable }
 	};
 }
 function buildRelations(table, issues) {
@@ -6923,7 +7245,7 @@ function buildConcept(view) {
 	};
 }
 async function buildSchemaContext(opts) {
-	const { raw, uiHints, strict = false } = opts;
+	const { raw, uiHints, strict = false, rpc } = opts;
 	const issues = [];
 	const knownTables = new Set(raw.tables.map((t) => `${t.schema}.${t.name}`));
 	raw.views.forEach((v) => knownTables.add(`${v.schema}.${v.name}`));
@@ -6939,13 +7261,32 @@ async function buildSchemaContext(opts) {
 			message: `UIHints view "${viewName}" does not exist in raw.views`
 		});
 	}
-	const tables = raw.tables.map((t) => buildTableContext({
+	const hiddenNames = [];
+	const visibleRawTables = raw.tables.filter((t) => {
+		if (t.privileges?.select === false) {
+			hiddenNames.push(t.name);
+			return false;
+		}
+		return true;
+	});
+	const visibleRawViews = raw.views.filter((v) => {
+		if (v.privileges?.select === false) {
+			hiddenNames.push(v.name);
+			return false;
+		}
+		return true;
+	});
+	if (hiddenNames.length > 0) {
+		const role = raw.tables.find((t) => t.privileges !== void 0)?.privileges?.role ?? raw.views.find((v) => v.privileges !== void 0)?.privileges?.role ?? "the role";
+		console.warn(`[@kozou/core] privilege-aware introspection: hid ${hiddenNames.length} relation(s) that "${role}" cannot SELECT: ${hiddenNames.join(", ")}`);
+	}
+	const tables = visibleRawTables.map((t) => buildTableContext({
 		table: t,
 		hints: uiHints?.tables?.[t.name],
 		issues,
 		knownTables
 	}));
-	const views = raw.views.map((v) => buildViewContext({
+	const views = visibleRawViews.map((v) => buildViewContext({
 		view: v,
 		hints: uiHints?.views?.[v.name],
 		issues
@@ -6956,7 +7297,13 @@ async function buildSchemaContext(opts) {
 		values: e.values,
 		description: null
 	}));
-	const concepts = raw.views.map(buildConcept);
+	const concepts = visibleRawViews.map(buildConcept);
+	const functions = buildFunctionContexts({
+		functions: raw.functions,
+		enums: raw.enums,
+		rpc,
+		issues
+	});
 	if (issues.length > 0) {
 		if (strict) throw new KozouBuildError(`buildSchemaContext: ${issues.length} validation issue(s) (strict=true)`, issues);
 		for (const issue of issues) console.warn(`[@kozou/core] ${issue.path}: ${issue.message}`);
@@ -6970,7 +7317,8 @@ async function buildSchemaContext(opts) {
 		tables,
 		views,
 		enums,
-		concepts
+		concepts,
+		functions
 	};
 }
 //#endregion
@@ -13921,7 +14269,7 @@ async function fetchEnums(client, schemas) {
 	return (await runQuery(client, `SELECT
        n.nspname AS schema,
        t.typname AS name,
-       array_agg(e.enumlabel ORDER BY e.enumsortorder) AS values
+       array_agg(e.enumlabel::text ORDER BY e.enumsortorder) AS values
      FROM pg_type t
      JOIN pg_namespace n ON n.oid = t.typnamespace
      JOIN pg_enum e ON e.enumtypid = t.oid
@@ -13935,6 +14283,371 @@ async function fetchEnums(client, schemas) {
 	}));
 }
 //#endregion
+//#region ../introspect/dist/functions.js
+var FUNCTIONS_SQL = `
+  SELECT
+    n.nspname AS schema,
+    p.proname AS name,
+    pg_get_function_arguments(p.oid) AS argument_signature,
+    p.pronargdefaults AS ndef,
+    p.provolatile AS volatility,
+    p.prosecdef AS security_definer,
+    p.proowner AS owner_oid,
+    ro.rolname AS owner_name,
+    CASE
+      WHEN p.proacl IS NULL THEN true
+      WHEN EXISTS (
+        SELECT 1 FROM aclexplode(p.proacl) ae
+        WHERE ae.grantee = 0 AND ae.privilege_type = 'EXECUTE'
+      ) THEN true
+      ELSE false
+    END AS public_execute,
+    obj_description(p.oid, 'pg_proc') AS comment,
+    (p.prorettype = 'pg_catalog.void'::regtype) AS returns_void,
+    p.proretset AS returns_set,
+    format_type(p.prorettype, NULL) AS return_type,
+    -- Resolve one level of DOMAIN to its base type so a domain over a composite
+    -- is not mistaken for a scalar (and a domain over a scalar stays scalar). A
+    -- still-domain result (domain over domain) is left as 'd' and treated as
+    -- unsupported downstream (fail-closed for that exotic nesting).
+    eff.eff_typtype AS return_typtype,
+    (
+      SELECT json_agg(json_build_object(
+        'name', COALESCE(an.argname, ''),
+        'typeName', format_type(at.typeoid, NULL),
+        'udtName', t.typname,
+        'typeOid', at.typeoid::int,
+        'mode', COALESCE(am.mode, 'i'),
+        'ord', at.ord
+      ) ORDER BY at.ord)
+      FROM unnest(COALESCE(p.proallargtypes, p.proargtypes::oid[]))
+        WITH ORDINALITY AS at(typeoid, ord)
+      LEFT JOIN unnest(p.proargmodes) WITH ORDINALITY AS am(mode, ord) ON am.ord = at.ord
+      LEFT JOIN unnest(p.proargnames) WITH ORDINALITY AS an(argname, ord) ON an.ord = at.ord
+      JOIN pg_type t ON t.oid = at.typeoid
+    ) AS args,
+    CASE
+      WHEN eff.eff_typrelid <> 0 THEN (
+        SELECT json_agg(json_build_object(
+          'name', a.attname,
+          'typeName', format_type(a.atttypid, a.atttypmod),
+          'typeOid', a.atttypid::int
+        ) ORDER BY a.attnum)
+        FROM pg_attribute a
+        WHERE a.attrelid = eff.eff_typrelid AND a.attnum > 0 AND NOT a.attisdropped
+      )
+      ELSE (
+        SELECT json_agg(json_build_object(
+          'name', COALESCE(an.argname, ''),
+          'typeName', format_type(at.typeoid, NULL),
+          'typeOid', at.typeoid::int
+        ) ORDER BY at.ord)
+        FROM unnest(COALESCE(p.proallargtypes, p.proargtypes::oid[]))
+          WITH ORDINALITY AS at(typeoid, ord)
+        JOIN unnest(p.proargmodes) WITH ORDINALITY AS am(mode, ord) ON am.ord = at.ord
+        LEFT JOIN unnest(p.proargnames) WITH ORDINALITY AS an(argname, ord) ON an.ord = at.ord
+        WHERE am.mode IN ('o', 'b', 't')
+      )
+    END AS return_columns,
+    p.proconfig AS proconfig
+  FROM pg_proc p
+  JOIN pg_namespace n ON n.oid = p.pronamespace
+  JOIN pg_roles ro ON ro.oid = p.proowner
+  JOIN pg_type rt ON rt.oid = p.prorettype
+  LEFT JOIN pg_type bt ON bt.oid = rt.typbasetype
+  CROSS JOIN LATERAL (
+    SELECT
+      CASE WHEN rt.typtype = 'd' AND bt.oid IS NOT NULL THEN bt.typtype ELSE rt.typtype END
+        AS eff_typtype,
+      CASE WHEN rt.typtype = 'd' AND bt.oid IS NOT NULL THEN bt.typrelid ELSE rt.typrelid END
+        AS eff_typrelid
+  ) eff
+  WHERE p.prokind = 'f'
+    AND n.nspname = ANY($1)
+  ORDER BY n.nspname, p.proname`;
+var SCHEMA_WRITABILITY_SQL = `
+  SELECT
+    n.nspname AS schema,
+    EXISTS (
+      SELECT 1 FROM aclexplode(COALESCE(n.nspacl, acldefault('n', n.nspowner))) ae
+      WHERE ae.privilege_type = 'CREATE' AND ae.grantee = 0
+    ) AS public_create,
+    COALESCE((
+      SELECT array_agg(r.oid)
+      FROM pg_roles r
+      WHERE NOT r.rolsuper
+        AND has_schema_privilege(r.oid, n.oid, 'CREATE')
+    ), ARRAY[]::oid[]) AS creator_roles
+  FROM pg_namespace n
+  WHERE n.nspname = ANY($1)`;
+function mapVolatility(c) {
+	if (c === "i") return "immutable";
+	if (c === "s") return "stable";
+	return "volatile";
+}
+function mapArgMode(c) {
+	switch (c) {
+		case "o": return "out";
+		case "b": return "inout";
+		case "v": return "variadic";
+		case "t": return "table";
+		default: return "in";
+	}
+}
+function buildArgs(row) {
+	const args = (row.args ?? []).slice().sort((a, b) => a.ord - b.ord).map((a) => ({
+		name: a.name,
+		typeName: a.typeName,
+		udtName: a.udtName,
+		typeOid: a.typeOid,
+		mode: mapArgMode(a.mode),
+		hasDefault: false
+	}));
+	if (row.ndef > 0) {
+		const inputIdx = args.map((a, i) => ({
+			a,
+			i
+		})).filter((e) => e.a.mode === "in" || e.a.mode === "inout" || e.a.mode === "variadic").map((e) => e.i);
+		for (const i of inputIdx.slice(Math.max(0, inputIdx.length - row.ndef))) args[i].hasDefault = true;
+	}
+	return args;
+}
+function classifyReturn(row) {
+	const typeName = row.return_type;
+	const columns = row.return_columns && row.return_columns.length > 0 ? row.return_columns.map((c) => ({
+		name: c.name,
+		typeName: c.typeName,
+		typeOid: c.typeOid
+	})) : void 0;
+	const isScalarType = [
+		"b",
+		"e",
+		"r",
+		"m"
+	].includes(row.return_typtype);
+	if (row.returns_void) return {
+		kind: "void",
+		typeName,
+		returnsSet: false
+	};
+	if (row.returns_set) {
+		if (columns) return {
+			kind: "setof",
+			typeName,
+			returnsSet: true,
+			columns
+		};
+		if (isScalarType) return {
+			kind: "setof",
+			typeName,
+			returnsSet: true
+		};
+		return {
+			kind: "unsupported",
+			typeName,
+			returnsSet: true
+		};
+	}
+	if (row.return_typtype === "c") return columns ? {
+		kind: "composite",
+		typeName,
+		returnsSet: false,
+		columns
+	} : {
+		kind: "unsupported",
+		typeName,
+		returnsSet: false
+	};
+	if (isScalarType) return {
+		kind: "scalar",
+		typeName,
+		returnsSet: false
+	};
+	return {
+		kind: "unsupported",
+		typeName,
+		returnsSet: false
+	};
+}
+/** Split a SET search_path GUC value on commas that are not inside double
+*  quotes, then unquote each element. Handles `"$user", public` and a quoted
+*  identifier that itself contains a comma. */
+function splitSearchPath(value) {
+	const elements = [];
+	let current = "";
+	let inQuotes = false;
+	for (let i = 0; i < value.length; i += 1) {
+		const ch = value[i];
+		if (ch === "\"") if (inQuotes && value[i + 1] === "\"") {
+			current += "\"";
+			i += 1;
+		} else inQuotes = !inQuotes;
+		else if (ch === "," && !inQuotes) {
+			elements.push(current.trim());
+			current = "";
+		} else current += ch;
+	}
+	elements.push(current.trim());
+	return elements.filter((e) => e !== "");
+}
+/** Parse the proconfig `search_path` setting into elements, or null when the
+*  function declares no SET search_path. Each element records whether it is
+*  pg_temp and (for a fixed schema) is resolved to a schema name; a dynamic
+*  element (`$user`) resolves to null. Writability is filled in afterwards. */
+function parseSearchPath(proconfig) {
+	if (proconfig === null) return null;
+	const entry = proconfig.find((c) => c.toLowerCase().startsWith("search_path="));
+	if (entry === void 0) return null;
+	return splitSearchPath(entry.slice(entry.indexOf("=") + 1)).map((raw) => {
+		if (raw === "pg_temp") return {
+			raw,
+			schema: null,
+			writableByOthers: null,
+			isTemp: true
+		};
+		return {
+			raw,
+			schema: raw.startsWith("$") ? null : raw,
+			writableByOthers: null,
+			isTemp: false
+		};
+	});
+}
+/** Fetch CREATE-writability info for the given schema names. */
+async function fetchSchemaWritability(client, schemaNames) {
+	const map = /* @__PURE__ */ new Map();
+	if (schemaNames.length === 0) return map;
+	const rows = await runQuery(client, SCHEMA_WRITABILITY_SQL, [schemaNames], "fetchFunctions (schema writability)");
+	for (const row of rows) map.set(row.schema, {
+		publicCreate: row.public_create,
+		creatorRoles: row.creator_roles ?? []
+	});
+	return map;
+}
+async function fetchFunctions(client, schemas) {
+	if (schemas.length === 0) return [];
+	const rows = await runQuery(client, FUNCTIONS_SQL, [schemas], "fetchFunctions (functions)");
+	if (rows.length === 0) return [];
+	const parsed = rows.map((row) => ({
+		row,
+		searchPath: parseSearchPath(row.proconfig)
+	}));
+	const schemaNames = /* @__PURE__ */ new Set();
+	for (const { row, searchPath } of parsed) {
+		if (!row.security_definer || searchPath === null) continue;
+		for (const el of searchPath) if (!el.isTemp && el.schema !== null) schemaNames.add(el.schema);
+	}
+	const writability = await fetchSchemaWritability(client, [...schemaNames]);
+	return parsed.map(({ row, searchPath }) => {
+		const resolvedSearchPath = searchPath === null ? null : searchPath.map((el) => {
+			if (el.isTemp || el.schema === null) return el;
+			const w = writability.get(el.schema);
+			if (w === void 0) return {
+				...el,
+				writableByOthers: null
+			};
+			const writableByOthers = w.publicCreate || w.creatorRoles.some((r) => r !== row.owner_oid);
+			return {
+				...el,
+				writableByOthers
+			};
+		});
+		return {
+			schema: row.schema,
+			name: row.name,
+			argumentSignature: row.argument_signature,
+			arguments: buildArgs(row),
+			returns: classifyReturn(row),
+			volatility: mapVolatility(row.volatility),
+			security: row.security_definer ? "definer" : "invoker",
+			owner: {
+				oid: row.owner_oid,
+				name: row.owner_name
+			},
+			publicExecute: row.public_execute,
+			searchPath: resolvedSearchPath,
+			comment: row.comment
+		};
+	});
+}
+//#endregion
+//#region ../introspect/dist/privileges.js
+var tableKey = (schema, name) => `${schema}.${name}`;
+/** Throw a clear error if the configured privilege role does not exist, rather
+*  than letting `has_table_privilege` fail mid-query with a terse pg message. */
+async function assertRoleExists(client, role) {
+	if ((await runQuery(client, "SELECT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = $1) AS exists", [role], "fetchPrivileges (role check)"))[0]?.exists !== true) throw new KozouIntrospectError(`introspection.respectPrivileges is on but the role "${role}" does not exist. Set it to the role the Admin UI assumes (auth.ui.role / auth.defaultRole), or turn privilege-aware introspection off.`);
+}
+/**
+* Evaluate the privileges of `role` on every base table / view (and base-table
+* columns) in `schemas`, and attach them to the matching `RawTable` /
+* `RawColumn` / `RawView`. Mutates the inputs in place (mirrors
+* `mergeTableMetadata`). Call only when privilege-aware mode is on; otherwise
+* the privilege fields stay `undefined`.
+*/
+async function fetchAndAttachPrivileges(client, schemas, role, tables, views) {
+	if (schemas.length === 0 || tables.length === 0 && views.length === 0) return;
+	await assertRoleExists(client, role);
+	const tableRows = await runQuery(client, `SELECT
+       n.nspname AS schema,
+       c.relname AS name,
+       has_schema_privilege($2, n.nspname, 'USAGE') AS usage,
+       has_table_privilege($2, c.oid, 'SELECT') AS sel,
+       has_table_privilege($2, c.oid, 'INSERT') AS ins,
+       has_table_privilege($2, c.oid, 'UPDATE') AS upd,
+       has_table_privilege($2, c.oid, 'DELETE') AS del
+     FROM pg_class c
+     JOIN pg_namespace n ON n.oid = c.relnamespace
+     WHERE c.relkind IN ('r', 'v', 'm')
+       AND n.nspname = ANY($1)`, [schemas, role], "fetchPrivileges (relations)");
+	const columnRows = await runQuery(client, `SELECT
+       n.nspname AS schema,
+       c.relname AS table,
+       a.attname AS name,
+       has_schema_privilege($2, n.nspname, 'USAGE') AS usage,
+       has_column_privilege($2, c.oid, a.attname, 'INSERT') AS ins,
+       has_column_privilege($2, c.oid, a.attname, 'UPDATE') AS upd
+     FROM pg_attribute a
+     JOIN pg_class c ON c.oid = a.attrelid
+     JOIN pg_namespace n ON n.oid = c.relnamespace
+     WHERE c.relkind = 'r'
+       AND n.nspname = ANY($1)
+       AND a.attnum > 0
+       AND NOT a.attisdropped`, [schemas, role], "fetchPrivileges (columns)");
+	const tablePrivByKey = /* @__PURE__ */ new Map();
+	for (const row of tableRows) tablePrivByKey.set(tableKey(row.schema, row.name), row);
+	const columnPrivByKey = /* @__PURE__ */ new Map();
+	for (const row of columnRows) {
+		const key = tableKey(row.schema, row.table);
+		if (!columnPrivByKey.has(key)) columnPrivByKey.set(key, /* @__PURE__ */ new Map());
+		columnPrivByKey.get(key).set(row.name, row);
+	}
+	const gate = (tp) => ({
+		role,
+		select: tp.usage && tp.sel,
+		insert: tp.usage && tp.ins,
+		update: tp.usage && tp.upd,
+		delete: tp.usage && tp.del
+	});
+	for (const table of tables) {
+		const key = tableKey(table.schema, table.name);
+		const tp = tablePrivByKey.get(key);
+		if (tp !== void 0) table.privileges = gate(tp);
+		const cols = columnPrivByKey.get(key);
+		if (cols !== void 0) for (const column of table.columns) {
+			const cp = cols.get(column.name);
+			if (cp !== void 0) column.privileges = {
+				insert: cp.usage && cp.ins,
+				update: cp.usage && cp.upd
+			};
+		}
+	}
+	for (const view of views) {
+		const vp = tablePrivByKey.get(tableKey(view.schema, view.name));
+		if (vp !== void 0) view.privileges = gate(vp);
+	}
+}
+//#endregion
 //#region ../introspect/dist/filter.js
 function compilePattern(pattern) {
 	const qualified = pattern.includes(".") ? pattern : `*.${pattern}`;
@@ -14018,6 +14731,8 @@ async function introspect(opts) {
 		mergeTableMetadata(allTables, await fetchForeignKeys(client, validSchemas), await fetchChecks(client, validSchemas));
 		const allViews = await fetchViews(client, validSchemas);
 		const enums = await fetchEnums(client, validSchemas);
+		const functions = await fetchFunctions(client, validSchemas);
+		if (opts.privilegeRole !== void 0) await fetchAndAttachPrivileges(client, validSchemas, opts.privilegeRole, allTables, allViews);
 		const filterOpts = {
 			include: opts.include,
 			exclude: opts.exclude
@@ -14032,7 +14747,7 @@ async function introspect(opts) {
 			tables,
 			views,
 			enums,
-			functions: []
+			functions
 		};
 	} finally {
 		try {
@@ -14127,8 +14842,23 @@ var SchemaCache = class {
 var cache = new SchemaCache({ loader: async () => {
 	const connection = process.env.DATABASE_URL;
 	if (typeof connection !== "string" || connection.length === 0) throw new Error("hooks.server: DATABASE_URL is required to introspect the schema.");
-	return buildSchemaContext({ raw: await introspect({ connection }) });
+	const privilegeRole = process.env.KOZOU_INTROSPECTION_ROLE;
+	return buildSchemaContext({
+		raw: await introspect({
+			connection,
+			...typeof privilegeRole === "string" && privilegeRole.length > 0 ? { privilegeRole } : {}
+		}),
+		rpc: {
+			allowDefiner: parseList(process.env.KOZOU_RPC_ALLOW_DEFINER),
+			allowPublicExecute: parseList(process.env.KOZOU_RPC_ALLOW_PUBLIC_EXECUTE)
+		}
+	});
 } });
+/** Parse a comma-separated env list into trimmed, non-empty entries. */
+function parseList(raw) {
+	if (raw === void 0 || raw.length === 0) return [];
+	return raw.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
+}
 var fkRowCache = new FkRowCache();
 var handle = async ({ event, resolve }) => {
 	event.locals.schema = await cache.get();
@@ -14137,4 +14867,4 @@ var handle = async ({ event, resolve }) => {
 };
 
 export { handle };
-//# sourceMappingURL=hooks.server-BCX7tjO4.js.map
+//# sourceMappingURL=hooks.server-Oa_UD2Wo.js.map