@kysera/rls 0.5.1

package/dist/index.js

@@ -0,0 +1,1471 @@
+import { silentLogger } from '@kysera/core';
+import { AsyncLocalStorage } from 'async_hooks';
+
+// src/errors.ts
+var RLSErrorCodes = {
+  /** RLS context is missing or not set */
+  RLS_CONTEXT_MISSING: "RLS_CONTEXT_MISSING",
+  /** RLS policy violation occurred */
+  RLS_POLICY_VIOLATION: "RLS_POLICY_VIOLATION",
+  /** RLS policy definition is invalid */
+  RLS_POLICY_INVALID: "RLS_POLICY_INVALID",
+  /** RLS schema definition is invalid */
+  RLS_SCHEMA_INVALID: "RLS_SCHEMA_INVALID",
+  /** RLS context validation failed */
+  RLS_CONTEXT_INVALID: "RLS_CONTEXT_INVALID"
+};
+var RLSError = class extends Error {
+  code;
+  /**
+   * Creates a new RLS error
+   *
+   * @param message - Error message
+   * @param code - RLS error code
+   */
+  constructor(message, code) {
+    super(message);
+    this.name = "RLSError";
+    this.code = code;
+  }
+  /**
+   * Serializes the error to JSON
+   *
+   * @returns JSON representation of the error
+   */
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      code: this.code
+    };
+  }
+};
+var RLSContextError = class extends RLSError {
+  /**
+   * Creates a new RLS context error
+   *
+   * @param message - Error message (defaults to standard message)
+   */
+  constructor(message = "No RLS context found. Ensure code runs within withRLSContext()") {
+    super(message, RLSErrorCodes.RLS_CONTEXT_MISSING);
+    this.name = "RLSContextError";
+  }
+};
+var RLSContextValidationError = class extends RLSError {
+  field;
+  /**
+   * Creates a new context validation error
+   *
+   * @param message - Error message
+   * @param field - Field that failed validation
+   */
+  constructor(message, field) {
+    super(message, RLSErrorCodes.RLS_CONTEXT_INVALID);
+    this.name = "RLSContextValidationError";
+    this.field = field;
+  }
+  toJSON() {
+    return {
+      ...super.toJSON(),
+      field: this.field
+    };
+  }
+};
+var RLSPolicyViolation = class extends RLSError {
+  operation;
+  table;
+  reason;
+  policyName;
+  /**
+   * Creates a new policy violation error
+   *
+   * @param operation - Database operation that was denied (read, create, update, delete)
+   * @param table - Table name where violation occurred
+   * @param reason - Reason for the policy violation
+   * @param policyName - Name of the policy that denied access (optional)
+   */
+  constructor(operation, table, reason, policyName) {
+    super(
+      `RLS policy violation: ${operation} on ${table} - ${reason}`,
+      RLSErrorCodes.RLS_POLICY_VIOLATION
+    );
+    this.name = "RLSPolicyViolation";
+    this.operation = operation;
+    this.table = table;
+    this.reason = reason;
+    if (policyName !== void 0) {
+      this.policyName = policyName;
+    }
+  }
+  toJSON() {
+    const json = {
+      ...super.toJSON(),
+      operation: this.operation,
+      table: this.table,
+      reason: this.reason
+    };
+    if (this.policyName !== void 0) {
+      json["policyName"] = this.policyName;
+    }
+    return json;
+  }
+};
+var RLSSchemaError = class extends RLSError {
+  details;
+  /**
+   * Creates a new schema validation error
+   *
+   * @param message - Error message
+   * @param details - Additional details about the validation failure
+   */
+  constructor(message, details = {}) {
+    super(message, RLSErrorCodes.RLS_SCHEMA_INVALID);
+    this.name = "RLSSchemaError";
+    this.details = details;
+  }
+  toJSON() {
+    return {
+      ...super.toJSON(),
+      details: this.details
+    };
+  }
+};
+
+// src/policy/schema.ts
+function defineRLSSchema(schema) {
+  validateSchema(schema);
+  return schema;
+}
+function validateSchema(schema) {
+  for (const [table, config] of Object.entries(schema)) {
+    if (!config) continue;
+    const tableConfig = config;
+    if (!Array.isArray(tableConfig.policies)) {
+      throw new RLSSchemaError(
+        `Invalid policies for table "${table}": must be an array`,
+        { table }
+      );
+    }
+    for (let i = 0; i < tableConfig.policies.length; i++) {
+      const policy = tableConfig.policies[i];
+      if (policy !== void 0) {
+        validatePolicy(policy, table, i);
+      }
+    }
+    if (tableConfig.skipFor !== void 0) {
+      if (!Array.isArray(tableConfig.skipFor)) {
+        throw new RLSSchemaError(
+          `Invalid skipFor for table "${table}": must be an array of role names`,
+          { table }
+        );
+      }
+      for (const role of tableConfig.skipFor) {
+        if (typeof role !== "string" || role.trim() === "") {
+          throw new RLSSchemaError(
+            `Invalid role in skipFor for table "${table}": must be a non-empty string`,
+            { table }
+          );
+        }
+      }
+    }
+    if (tableConfig.defaultDeny !== void 0 && typeof tableConfig.defaultDeny !== "boolean") {
+      throw new RLSSchemaError(
+        `Invalid defaultDeny for table "${table}": must be a boolean`,
+        { table }
+      );
+    }
+  }
+}
+function validatePolicy(policy, table, index) {
+  if (!policy.type) {
+    throw new RLSSchemaError(
+      `Policy ${index} for table "${table}" missing type`,
+      { table, index }
+    );
+  }
+  const validTypes = ["allow", "deny", "filter", "validate"];
+  if (!validTypes.includes(policy.type)) {
+    throw new RLSSchemaError(
+      `Policy ${index} for table "${table}" has invalid type: ${policy.type}`,
+      { table, index, type: policy.type }
+    );
+  }
+  if (!policy.operation) {
+    throw new RLSSchemaError(
+      `Policy ${index} for table "${table}" missing operation`,
+      { table, index }
+    );
+  }
+  const validOps = ["read", "create", "update", "delete", "all"];
+  const ops = Array.isArray(policy.operation) ? policy.operation : [policy.operation];
+  for (const op of ops) {
+    if (!validOps.includes(op)) {
+      throw new RLSSchemaError(
+        `Policy ${index} for table "${table}" has invalid operation: ${op}`,
+        { table, index, operation: op }
+      );
+    }
+  }
+  if (policy.condition === void 0 || policy.condition === null) {
+    throw new RLSSchemaError(
+      `Policy ${index} for table "${table}" missing condition`,
+      { table, index }
+    );
+  }
+  if (typeof policy.condition !== "function" && typeof policy.condition !== "string") {
+    throw new RLSSchemaError(
+      `Policy ${index} for table "${table}" condition must be a function or string`,
+      { table, index }
+    );
+  }
+  if (policy.priority !== void 0 && typeof policy.priority !== "number") {
+    throw new RLSSchemaError(
+      `Policy ${index} for table "${table}" priority must be a number`,
+      { table, index }
+    );
+  }
+  if (policy.name !== void 0 && typeof policy.name !== "string") {
+    throw new RLSSchemaError(
+      `Policy ${index} for table "${table}" name must be a string`,
+      { table, index }
+    );
+  }
+}
+function mergeRLSSchemas(...schemas) {
+  const merged = {};
+  for (const schema of schemas) {
+    for (const [table, config] of Object.entries(schema)) {
+      if (!config) continue;
+      const existingConfig = merged[table];
+      const newConfig = config;
+      if (existingConfig) {
+        existingConfig.policies = [
+          ...existingConfig.policies,
+          ...newConfig.policies
+        ];
+        if (newConfig.skipFor) {
+          const existingSkipFor = existingConfig.skipFor ?? [];
+          const combinedSkipFor = [...existingSkipFor, ...newConfig.skipFor];
+          existingConfig.skipFor = Array.from(new Set(combinedSkipFor));
+        }
+        if (newConfig.defaultDeny !== void 0) {
+          existingConfig.defaultDeny = newConfig.defaultDeny;
+        }
+      } else {
+        merged[table] = {
+          policies: [...newConfig.policies],
+          skipFor: newConfig.skipFor ? [...newConfig.skipFor] : void 0,
+          defaultDeny: newConfig.defaultDeny
+        };
+      }
+    }
+  }
+  validateSchema(merged);
+  return merged;
+}
+
+// src/policy/builder.ts
+function allow(operation, condition, options) {
+  const policy = {
+    type: "allow",
+    operation,
+    condition,
+    priority: options?.priority ?? 0
+  };
+  if (options?.name !== void 0) {
+    policy.name = options.name;
+  }
+  if (options?.hints !== void 0) {
+    policy.hints = options.hints;
+  }
+  return policy;
+}
+function deny(operation, condition, options) {
+  const policy = {
+    type: "deny",
+    operation,
+    condition: condition ?? (() => true),
+    priority: options?.priority ?? 100
+    // Deny policies run first by default
+  };
+  if (options?.name !== void 0) {
+    policy.name = options.name;
+  }
+  if (options?.hints !== void 0) {
+    policy.hints = options.hints;
+  }
+  return policy;
+}
+function filter(operation, condition, options) {
+  const policy = {
+    type: "filter",
+    operation: operation === "all" ? "read" : operation,
+    condition,
+    priority: options?.priority ?? 0
+  };
+  if (options?.name !== void 0) {
+    policy.name = options.name;
+  }
+  if (options?.hints !== void 0) {
+    policy.hints = options.hints;
+  }
+  return policy;
+}
+function validate(operation, condition, options) {
+  const ops = operation === "all" ? ["create", "update"] : [operation];
+  const policy = {
+    type: "validate",
+    operation: ops,
+    condition,
+    priority: options?.priority ?? 0
+  };
+  if (options?.name !== void 0) {
+    policy.name = options.name;
+  }
+  if (options?.hints !== void 0) {
+    policy.hints = options.hints;
+  }
+  return policy;
+}
+var PolicyRegistry = class {
+  tables = /* @__PURE__ */ new Map();
+  compiled = false;
+  logger;
+  constructor(schema, options) {
+    this.logger = options?.logger ?? silentLogger;
+    if (schema) {
+      this.loadSchema(schema);
+    }
+  }
+  /**
+   * Load and compile policies from schema
+   *
+   * @example
+   * ```typescript
+   * const registry = new PolicyRegistry<Database>();
+   * registry.loadSchema({
+   *   users: {
+   *     policies: [
+   *       allow('read', ctx => ctx.auth.userId === ctx.row.id),
+   *       filter('read', ctx => ({ tenant_id: ctx.auth.tenantId })),
+   *     ],
+   *     defaultDeny: true,
+   *   },
+   * });
+   * ```
+   */
+  loadSchema(schema) {
+    for (const [table, config] of Object.entries(schema)) {
+      if (!config) continue;
+      this.registerTable(table, config);
+    }
+    this.compiled = true;
+  }
+  /**
+   * Register policies for a single table
+   *
+   * @param table - Table name
+   * @param config - Table RLS configuration
+   */
+  registerTable(table, config) {
+    const tableConfig = {
+      allows: [],
+      denies: [],
+      filters: [],
+      validates: [],
+      skipFor: config.skipFor ?? [],
+      defaultDeny: config.defaultDeny ?? true
+    };
+    for (let i = 0; i < config.policies.length; i++) {
+      const policy = config.policies[i];
+      if (!policy) continue;
+      const policyName = policy.name ?? `${table}_policy_${i}`;
+      try {
+        if (policy.type === "filter") {
+          const compiled = this.compileFilterPolicy(policy, policyName);
+          tableConfig.filters.push(compiled);
+        } else {
+          const compiled = this.compilePolicy(policy, policyName);
+          switch (policy.type) {
+            case "allow":
+              tableConfig.allows.push(compiled);
+              break;
+            case "deny":
+              tableConfig.denies.push(compiled);
+              break;
+            case "validate":
+              tableConfig.validates.push(compiled);
+              break;
+          }
+        }
+      } catch (error) {
+        throw new RLSSchemaError(
+          `Failed to compile policy "${policyName}" for table "${table}": ${error instanceof Error ? error.message : String(error)}`,
+          { table, policy: policyName }
+        );
+      }
+    }
+    tableConfig.allows.sort((a, b) => b.priority - a.priority);
+    tableConfig.denies.sort((a, b) => b.priority - a.priority);
+    tableConfig.validates.sort((a, b) => b.priority - a.priority);
+    this.tables.set(table, tableConfig);
+  }
+  register(schemaOrTable, policies, options) {
+    if (typeof schemaOrTable === "object" && schemaOrTable !== null) {
+      this.loadSchema(schemaOrTable);
+      return;
+    }
+    const table = schemaOrTable;
+    if (!policies) {
+      throw new RLSSchemaError("Policies are required when registering by table name", { table });
+    }
+    const config = {
+      policies
+    };
+    if (options?.skipFor !== void 0) {
+      config.skipFor = options.skipFor;
+    }
+    if (options?.defaultDeny !== void 0) {
+      config.defaultDeny = options.defaultDeny;
+    }
+    this.registerTable(table, config);
+  }
+  /**
+   * Compile a policy definition into an internal compiled policy
+   *
+   * @param policy - Policy definition to compile
+   * @param name - Policy name for debugging
+   * @returns Compiled policy ready for evaluation
+   */
+  compilePolicy(policy, name) {
+    const operations = Array.isArray(policy.operation) ? policy.operation : [policy.operation];
+    const expandedOps = operations.flatMap(
+      (op) => op === "all" ? ["read", "create", "update", "delete"] : [op]
+    );
+    return {
+      name,
+      operations: new Set(expandedOps),
+      type: policy.type,
+      evaluate: policy.condition,
+      priority: policy.priority ?? (policy.type === "deny" ? 100 : 0)
+    };
+  }
+  /**
+   * Compile a filter policy
+   *
+   * @param policy - Filter policy definition
+   * @param name - Policy name for debugging
+   * @returns Compiled filter policy
+   */
+  compileFilterPolicy(policy, name) {
+    const condition = policy.condition;
+    return {
+      operation: "read",
+      getConditions: condition,
+      name
+    };
+  }
+  /**
+   * Convert internal compiled policy to public CompiledPolicy
+   */
+  toCompiledPolicy(internal) {
+    return {
+      name: internal.name,
+      type: internal.type,
+      operation: Array.from(internal.operations),
+      evaluate: internal.evaluate,
+      priority: internal.priority
+    };
+  }
+  /**
+   * Get allow policies for a table and operation
+   */
+  getAllows(table, operation) {
+    const config = this.tables.get(table);
+    if (!config) return [];
+    return config.allows.filter((p) => p.operations.has(operation)).map((p) => this.toCompiledPolicy(p));
+  }
+  /**
+   * Get deny policies for a table and operation
+   */
+  getDenies(table, operation) {
+    const config = this.tables.get(table);
+    if (!config) return [];
+    return config.denies.filter((p) => p.operations.has(operation)).map((p) => this.toCompiledPolicy(p));
+  }
+  /**
+   * Get validate policies for a table and operation
+   */
+  getValidates(table, operation) {
+    const config = this.tables.get(table);
+    if (!config) return [];
+    return config.validates.filter((p) => p.operations.has(operation)).map((p) => this.toCompiledPolicy(p));
+  }
+  /**
+   * Get filter policies for a table
+   */
+  getFilters(table) {
+    const config = this.tables.get(table);
+    return config?.filters ?? [];
+  }
+  /**
+   * Get roles that skip RLS for a table
+   */
+  getSkipFor(table) {
+    const config = this.tables.get(table);
+    return config?.skipFor ?? [];
+  }
+  /**
+   * Check if table has default deny
+   */
+  hasDefaultDeny(table) {
+    const config = this.tables.get(table);
+    return config?.defaultDeny ?? true;
+  }
+  /**
+   * Check if a table is registered
+   */
+  hasTable(table) {
+    return this.tables.has(table);
+  }
+  /**
+   * Get all registered table names
+   */
+  getTables() {
+    return Array.from(this.tables.keys());
+  }
+  /**
+   * Check if registry is compiled
+   */
+  isCompiled() {
+    return this.compiled;
+  }
+  /**
+   * Validate that all policies are properly defined
+   *
+   * This method checks for common issues:
+   * - Tables with no policies and defaultDeny=false (warns)
+   * - Tables with skipFor operations but no corresponding policies
+   */
+  validate() {
+    for (const [table, config] of this.tables) {
+      const hasPolicy = config.allows.length > 0 || config.denies.length > 0 || config.filters.length > 0 || config.validates.length > 0;
+      if (!hasPolicy && !config.defaultDeny) {
+        this.logger.warn?.(
+          `[RLS] Table "${table}" has no policies and defaultDeny is false. All operations will be allowed.`
+        );
+      }
+      if (config.skipFor.length > 0) {
+        const opsWithPolicies = /* @__PURE__ */ new Set();
+        for (const allow2 of config.allows) {
+          allow2.operations.forEach((op) => opsWithPolicies.add(op));
+        }
+        for (const deny2 of config.denies) {
+          deny2.operations.forEach((op) => opsWithPolicies.add(op));
+        }
+        for (const validate2 of config.validates) {
+          validate2.operations.forEach((op) => opsWithPolicies.add(op));
+        }
+        if (config.filters.length > 0) {
+          opsWithPolicies.add("read");
+        }
+        const skippedOpsWithPolicies = config.skipFor.filter((op) => {
+          if (op === "all") return opsWithPolicies.size > 0;
+          return opsWithPolicies.has(op);
+        });
+        if (skippedOpsWithPolicies.length > 0) {
+          this.logger.warn?.(
+            `[RLS] Table "${table}" has skipFor operations that also have policies: ${skippedOpsWithPolicies.join(", ")}. The policies will be ignored for these operations.`
+          );
+        }
+      }
+    }
+  }
+  /**
+   * Clear all policies
+   */
+  clear() {
+    this.tables.clear();
+    this.compiled = false;
+  }
+  /**
+   * Remove policies for a specific table
+   */
+  remove(table) {
+    this.tables.delete(table);
+  }
+};
+var rlsStorage = new AsyncLocalStorage();
+
+// src/context/manager.ts
+function createRLSContext(options) {
+  validateAuthContext(options.auth);
+  const context = {
+    auth: {
+      ...options.auth,
+      isSystem: options.auth.isSystem ?? false
+      // Default to false if not provided
+    },
+    timestamp: /* @__PURE__ */ new Date()
+  };
+  if (options.request) {
+    context.request = {
+      ...options.request,
+      timestamp: options.request.timestamp ?? /* @__PURE__ */ new Date()
+    };
+  }
+  if (options.meta !== void 0) {
+    context.meta = options.meta;
+  }
+  return context;
+}
+function validateAuthContext(auth) {
+  if (auth.userId === void 0 || auth.userId === null) {
+    throw new RLSContextValidationError("userId is required in auth context", "userId");
+  }
+  if (!Array.isArray(auth.roles)) {
+    throw new RLSContextValidationError("roles must be an array", "roles");
+  }
+}
+var RLSContextManager = class {
+  /**
+   * Run a synchronous function within an RLS context
+   */
+  run(context, fn) {
+    return rlsStorage.run(context, fn);
+  }
+  /**
+   * Run an async function within an RLS context
+   */
+  async runAsync(context, fn) {
+    return rlsStorage.run(context, fn);
+  }
+  /**
+   * Get current RLS context
+   * @throws RLSContextError if no context is set
+   */
+  getContext() {
+    const ctx = rlsStorage.getStore();
+    if (!ctx) {
+      throw new RLSContextError();
+    }
+    return ctx;
+  }
+  /**
+   * Get current RLS context or null if not set
+   */
+  getContextOrNull() {
+    return rlsStorage.getStore() ?? null;
+  }
+  /**
+   * Check if running within RLS context
+   */
+  hasContext() {
+    return rlsStorage.getStore() !== void 0;
+  }
+  /**
+   * Get current auth context
+   * @throws RLSContextError if no context is set
+   */
+  getAuth() {
+    return this.getContext().auth;
+  }
+  /**
+   * Get current user ID
+   * @throws RLSContextError if no context is set
+   */
+  getUserId() {
+    return this.getAuth().userId;
+  }
+  /**
+   * Get current tenant ID
+   * @throws RLSContextError if no context is set
+   */
+  getTenantId() {
+    return this.getAuth().tenantId;
+  }
+  /**
+   * Check if current user has a specific role
+   */
+  hasRole(role) {
+    const ctx = this.getContextOrNull();
+    return ctx?.auth.roles.includes(role) ?? false;
+  }
+  /**
+   * Check if current user has a specific permission
+   */
+  hasPermission(permission) {
+    const ctx = this.getContextOrNull();
+    return ctx?.auth.permissions?.includes(permission) ?? false;
+  }
+  /**
+   * Check if current context is a system context (bypasses RLS)
+   */
+  isSystem() {
+    const ctx = this.getContextOrNull();
+    return ctx?.auth.isSystem ?? false;
+  }
+  /**
+   * Create a system context for operations that should bypass RLS
+   */
+  asSystem(fn) {
+    const currentCtx = this.getContextOrNull();
+    if (!currentCtx) {
+      throw new RLSContextError("Cannot create system context without existing context");
+    }
+    const systemCtx = {
+      ...currentCtx,
+      auth: { ...currentCtx.auth, isSystem: true }
+    };
+    return this.run(systemCtx, fn);
+  }
+  /**
+   * Create a system context for async operations
+   */
+  async asSystemAsync(fn) {
+    const currentCtx = this.getContextOrNull();
+    if (!currentCtx) {
+      throw new RLSContextError("Cannot create system context without existing context");
+    }
+    const systemCtx = {
+      ...currentCtx,
+      auth: { ...currentCtx.auth, isSystem: true }
+    };
+    return this.runAsync(systemCtx, fn);
+  }
+};
+var rlsContext = new RLSContextManager();
+function withRLSContext(context, fn) {
+  return rlsContext.run(context, fn);
+}
+async function withRLSContextAsync(context, fn) {
+  return rlsContext.runAsync(context, fn);
+}
+
+// src/transformer/select.ts
+var SelectTransformer = class {
+  constructor(registry) {
+    this.registry = registry;
+  }
+  /**
+   * Transform a SELECT query by applying filter policies
+   *
+   * @param qb - The query builder to transform
+   * @param table - Table name being queried
+   * @returns Transformed query builder with RLS filters applied
+   *
+   * @example
+   * ```typescript
+   * const transformer = new SelectTransformer(registry);
+   * let query = db.selectFrom('posts').selectAll();
+   * query = transformer.transform(query, 'posts');
+   * // Query now includes WHERE conditions from RLS policies
+   * ```
+   */
+  transform(qb, table) {
+    const ctx = rlsContext.getContextOrNull();
+    if (!ctx) {
+      return qb;
+    }
+    if (ctx.auth.isSystem) {
+      return qb;
+    }
+    const skipFor = this.registry.getSkipFor(table);
+    if (skipFor.some((role) => ctx.auth.roles.includes(role))) {
+      return qb;
+    }
+    const filters = this.registry.getFilters(table);
+    if (filters.length === 0) {
+      return qb;
+    }
+    let result = qb;
+    for (const filter2 of filters) {
+      const conditions = this.evaluateFilter(filter2, ctx, table);
+      result = this.applyConditions(result, conditions, table);
+    }
+    return result;
+  }
+  /**
+   * Evaluate a filter policy to get WHERE conditions
+   *
+   * @param filter - The filter policy to evaluate
+   * @param ctx - RLS context
+   * @param table - Table name
+   * @returns WHERE clause conditions as key-value pairs
+   */
+  evaluateFilter(filter2, ctx, table) {
+    const evalCtx = {
+      auth: ctx.auth,
+      ...ctx.meta !== void 0 && { meta: ctx.meta }
+    };
+    const result = filter2.getConditions(evalCtx);
+    if (result instanceof Promise) {
+      throw new RLSError(
+        `Async filter policies are not supported in SELECT transformers. Filter '${filter2.name}' on table '${table}' returned a Promise. Use synchronous conditions for filter policies.`,
+        RLSErrorCodes.RLS_POLICY_INVALID
+      );
+    }
+    return result;
+  }
+  /**
+   * Apply filter conditions to query builder
+   *
+   * @param qb - Query builder to modify
+   * @param conditions - WHERE clause conditions
+   * @param table - Table name (for qualified column names)
+   * @returns Modified query builder
+   */
+  applyConditions(qb, conditions, table) {
+    let result = qb;
+    for (const [column, value] of Object.entries(conditions)) {
+      const qualifiedColumn = `${table}.${column}`;
+      if (value === null) {
+        result = result.where(qualifiedColumn, "is", null);
+      } else if (value === void 0) {
+        continue;
+      } else if (Array.isArray(value)) {
+        if (value.length === 0) {
+          result = result.where(qualifiedColumn, "=", "__RLS_NO_MATCH__");
+        } else {
+          result = result.where(qualifiedColumn, "in", value);
+        }
+      } else {
+        result = result.where(qualifiedColumn, "=", value);
+      }
+    }
+    return result;
+  }
+};
+
+// src/transformer/mutation.ts
+var MutationGuard = class {
+  constructor(registry, executor) {
+    this.registry = registry;
+    this.executor = executor;
+  }
+  /**
+   * Check if CREATE operation is allowed
+   *
+   * @param table - Table name
+   * @param data - Data being inserted
+   * @throws RLSPolicyViolation if access is denied
+   *
+   * @example
+   * ```typescript
+   * const guard = new MutationGuard(registry, db);
+   * await guard.checkCreate('posts', { title: 'Hello', tenant_id: 1 });
+   * ```
+   */
+  async checkCreate(table, data) {
+    await this.checkMutation(table, "create", void 0, data);
+  }
+  /**
+   * Check if UPDATE operation is allowed
+   *
+   * @param table - Table name
+   * @param existingRow - Current row data
+   * @param data - Data being updated
+   * @throws RLSPolicyViolation if access is denied
+   *
+   * @example
+   * ```typescript
+   * const guard = new MutationGuard(registry, db);
+   * const existingPost = await db.selectFrom('posts').where('id', '=', 1).selectAll().executeTakeFirst();
+   * await guard.checkUpdate('posts', existingPost, { title: 'Updated' });
+   * ```
+   */
+  async checkUpdate(table, existingRow, data) {
+    await this.checkMutation(table, "update", existingRow, data);
+  }
+  /**
+   * Check if DELETE operation is allowed
+   *
+   * @param table - Table name
+   * @param existingRow - Row to be deleted
+   * @throws RLSPolicyViolation if access is denied
+   *
+   * @example
+   * ```typescript
+   * const guard = new MutationGuard(registry, db);
+   * const existingPost = await db.selectFrom('posts').where('id', '=', 1).selectAll().executeTakeFirst();
+   * await guard.checkDelete('posts', existingPost);
+   * ```
+   */
+  async checkDelete(table, existingRow) {
+    await this.checkMutation(table, "delete", existingRow);
+  }
+  /**
+   * Check if READ operation is allowed on a specific row
+   *
+   * @param table - Table name
+   * @param row - Row to check access for
+   * @returns true if access is allowed
+   *
+   * @example
+   * ```typescript
+   * const guard = new MutationGuard(registry, db);
+   * const post = await db.selectFrom('posts').where('id', '=', 1).selectAll().executeTakeFirst();
+   * const canRead = await guard.checkRead('posts', post);
+   * ```
+   */
+  async checkRead(table, row) {
+    try {
+      await this.checkMutation(table, "read", row);
+      return true;
+    } catch (error) {
+      if (error instanceof RLSPolicyViolation) {
+        return false;
+      }
+      throw error;
+    }
+  }
+  /**
+   * Generic check for any operation (helper for testing)
+   *
+   * @param operation - Operation type
+   * @param table - Table name
+   * @param row - Existing row (for UPDATE/DELETE/READ)
+   * @param data - New data (for CREATE/UPDATE)
+   * @returns true if access is allowed, false otherwise
+   */
+  async canMutate(operation, table, row, data) {
+    try {
+      await this.checkMutation(table, operation, row, data);
+      return true;
+    } catch (error) {
+      if (error instanceof RLSPolicyViolation) {
+        return false;
+      }
+      throw error;
+    }
+  }
+  /**
+   * Validate mutation data (for validate policies)
+   *
+   * @param operation - Operation type
+   * @param table - Table name
+   * @param data - New data (for CREATE/UPDATE)
+   * @param row - Existing row (for UPDATE)
+   * @returns true if valid, false otherwise
+   */
+  async validateMutation(operation, table, data, row) {
+    const ctx = rlsContext.getContextOrNull();
+    if (!ctx) {
+      return false;
+    }
+    if (ctx.auth.isSystem) {
+      return true;
+    }
+    const skipFor = this.registry.getSkipFor(table);
+    if (skipFor.some((role) => ctx.auth.roles.includes(role))) {
+      return true;
+    }
+    const validates = this.registry.getValidates(table, operation);
+    if (validates.length === 0) {
+      return true;
+    }
+    const evalCtx = {
+      auth: ctx.auth,
+      row,
+      data,
+      table,
+      operation,
+      ...ctx.meta !== void 0 && { meta: ctx.meta }
+    };
+    for (const validate2 of validates) {
+      const result = await this.evaluatePolicy(validate2.evaluate, evalCtx);
+      if (!result) {
+        return false;
+      }
+    }
+    return true;
+  }
+  /**
+   * Check mutation against RLS policies
+   *
+   * @param table - Table name
+   * @param operation - Operation type
+   * @param row - Existing row (for UPDATE/DELETE/READ)
+   * @param data - New data (for CREATE/UPDATE)
+   * @throws RLSPolicyViolation if access is denied
+   */
+  async checkMutation(table, operation, row, data) {
+    const ctx = rlsContext.getContextOrNull();
+    if (!ctx) {
+      throw new RLSPolicyViolation(
+        operation,
+        table,
+        "No RLS context available"
+      );
+    }
+    if (ctx.auth.isSystem) {
+      return;
+    }
+    const skipFor = this.registry.getSkipFor(table);
+    if (skipFor.some((role) => ctx.auth.roles.includes(role))) {
+      return;
+    }
+    const denies = this.registry.getDenies(table, operation);
+    for (const deny2 of denies) {
+      const evalCtx = this.createEvalContext(ctx, table, operation, row, data);
+      const result = await this.evaluatePolicy(deny2.evaluate, evalCtx);
+      if (result) {
+        throw new RLSPolicyViolation(
+          operation,
+          table,
+          `Denied by policy: ${deny2.name}`
+        );
+      }
+    }
+    if ((operation === "create" || operation === "update") && data) {
+      const validates = this.registry.getValidates(table, operation);
+      for (const validate2 of validates) {
+        const evalCtx = this.createEvalContext(ctx, table, operation, row, data);
+        const result = await this.evaluatePolicy(validate2.evaluate, evalCtx);
+        if (!result) {
+          throw new RLSPolicyViolation(
+            operation,
+            table,
+            `Validation failed: ${validate2.name}`
+          );
+        }
+      }
+    }
+    const allows = this.registry.getAllows(table, operation);
+    const defaultDeny = this.registry.hasDefaultDeny(table);
+    if (defaultDeny && allows.length === 0) {
+      throw new RLSPolicyViolation(
+        operation,
+        table,
+        "No allow policies defined (default deny)"
+      );
+    }
+    if (allows.length > 0) {
+      let allowed = false;
+      for (const allow2 of allows) {
+        const evalCtx = this.createEvalContext(ctx, table, operation, row, data);
+        const result = await this.evaluatePolicy(allow2.evaluate, evalCtx);
+        if (result) {
+          allowed = true;
+          break;
+        }
+      }
+      if (!allowed) {
+        throw new RLSPolicyViolation(
+          operation,
+          table,
+          "No allow policies matched"
+        );
+      }
+    }
+  }
+  /**
+   * Create policy evaluation context
+   */
+  createEvalContext(ctx, table, operation, row, data) {
+    return {
+      auth: ctx.auth,
+      row,
+      data,
+      table,
+      operation,
+      metadata: ctx.meta
+    };
+  }
+  /**
+   * Evaluate a policy condition
+   */
+  async evaluatePolicy(condition, evalCtx) {
+    try {
+      const result = condition(evalCtx);
+      return result instanceof Promise ? await result : result;
+    } catch (error) {
+      throw new RLSPolicyViolation(
+        evalCtx.operation,
+        evalCtx.table,
+        `Policy evaluation error: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  /**
+   * Filter an array of rows, keeping only accessible ones
+   * Useful for post-query filtering when query-level filtering is not possible
+   *
+   * @param table - Table name
+   * @param rows - Array of rows to filter
+   * @returns Filtered array containing only accessible rows
+   *
+   * @example
+   * ```typescript
+   * const guard = new MutationGuard(registry, db);
+   * const allPosts = await db.selectFrom('posts').selectAll().execute();
+   * const accessiblePosts = await guard.filterRows('posts', allPosts);
+   * ```
+   */
+  async filterRows(table, rows) {
+    const results = [];
+    for (const row of rows) {
+      if (await this.checkRead(table, row)) {
+        results.push(row);
+      }
+    }
+    return results;
+  }
+};
+function rlsPlugin(options) {
+  const {
+    schema,
+    skipTables = [],
+    bypassRoles = [],
+    logger = silentLogger,
+    requireContext = false,
+    auditDecisions = false,
+    onViolation
+  } = options;
+  let registry;
+  let selectTransformer;
+  let mutationGuard;
+  return {
+    name: "@kysera/rls",
+    version: "0.5.1",
+    // Run after soft-delete (priority 0), before audit
+    priority: 50,
+    // No dependencies by default
+    dependencies: [],
+    /**
+     * Initialize plugin - compile policies
+     */
+    async onInit(executor) {
+      logger.info?.("[RLS] Initializing RLS plugin", {
+        tables: Object.keys(schema).length,
+        skipTables: skipTables.length,
+        bypassRoles: bypassRoles.length
+      });
+      registry = new PolicyRegistry(schema);
+      registry.validate();
+      selectTransformer = new SelectTransformer(registry);
+      mutationGuard = new MutationGuard(registry, executor);
+      logger.info?.("[RLS] RLS plugin initialized successfully");
+    },
+    /**
+     * Intercept queries to apply RLS filtering
+     *
+     * This hook is called for every query builder operation. For SELECT queries,
+     * it applies filter policies as WHERE conditions. For mutations, it marks
+     * that RLS validation is required (performed in extendRepository).
+     */
+    interceptQuery(qb, context) {
+      const { operation, table, metadata } = context;
+      if (skipTables.includes(table)) {
+        logger.debug?.(`[RLS] Skipping RLS for excluded table: ${table}`);
+        return qb;
+      }
+      if (metadata["skipRLS"] === true) {
+        logger.debug?.(`[RLS] Skipping RLS (explicit skip): ${table}`);
+        return qb;
+      }
+      const ctx = rlsContext.getContextOrNull();
+      if (!ctx) {
+        if (requireContext) {
+          throw new RLSContextError("RLS context required but not found");
+        }
+        logger.warn?.(`[RLS] No context for ${operation} on ${table}`);
+        return qb;
+      }
+      if (ctx.auth.isSystem) {
+        logger.debug?.(`[RLS] Bypassing RLS (system user): ${table}`);
+        return qb;
+      }
+      if (bypassRoles.some((role) => ctx.auth.roles.includes(role))) {
+        logger.debug?.(`[RLS] Bypassing RLS (bypass role): ${table}`);
+        return qb;
+      }
+      if (operation === "select") {
+        try {
+          const transformed = selectTransformer.transform(qb, table);
+          if (auditDecisions) {
+            logger.info?.("[RLS] Filter applied", {
+              table,
+              operation,
+              userId: ctx.auth.userId
+            });
+          }
+          return transformed;
+        } catch (error) {
+          logger.error?.("[RLS] Error applying filter", { table, error });
+          throw error;
+        }
+      }
+      if (operation === "insert" || operation === "update" || operation === "delete") {
+        metadata["__rlsRequired"] = true;
+        metadata["__rlsTable"] = table;
+      }
+      return qb;
+    },
+    /**
+     * Extend repository with RLS-aware methods
+     *
+     * Wraps create, update, and delete methods to enforce RLS policies.
+     * Also adds utility methods for bypassing RLS and checking access.
+     */
+    extendRepository(repo) {
+      const baseRepo = repo;
+      if (!("tableName" in baseRepo) || !("executor" in baseRepo)) {
+        return repo;
+      }
+      const table = baseRepo.tableName;
+      if (skipTables.includes(table)) {
+        return repo;
+      }
+      if (!registry.hasTable(table)) {
+        logger.debug?.(`[RLS] Table "${table}" not in RLS schema, skipping`);
+        return repo;
+      }
+      logger.debug?.(`[RLS] Extending repository for table: ${table}`);
+      const originalCreate = baseRepo.create?.bind(baseRepo);
+      const originalUpdate = baseRepo.update?.bind(baseRepo);
+      const originalDelete = baseRepo.delete?.bind(baseRepo);
+      const originalFindById = baseRepo.findById?.bind(baseRepo);
+      const extendedRepo = {
+        ...baseRepo,
+        /**
+         * Wrapped create with RLS check
+         */
+        async create(data) {
+          if (!originalCreate) {
+            throw new RLSError("Repository does not support create operation", RLSErrorCodes.RLS_POLICY_INVALID);
+          }
+          const ctx = rlsContext.getContextOrNull();
+          if (ctx && !ctx.auth.isSystem && !bypassRoles.some((role) => ctx.auth.roles.includes(role))) {
+            try {
+              await mutationGuard.checkCreate(table, data);
+              if (auditDecisions) {
+                logger.info?.("[RLS] Create allowed", { table, userId: ctx.auth.userId });
+              }
+            } catch (error) {
+              if (error instanceof RLSPolicyViolation) {
+                onViolation?.(error);
+                if (auditDecisions) {
+                  logger.warn?.("[RLS] Create denied", {
+                    table,
+                    userId: ctx.auth.userId,
+                    reason: error.reason
+                  });
+                }
+              }
+              throw error;
+            }
+          }
+          return originalCreate(data);
+        },
+        /**
+         * Wrapped update with RLS check
+         */
+        async update(id, data) {
+          if (!originalUpdate || !originalFindById) {
+            throw new RLSError("Repository does not support update operation", RLSErrorCodes.RLS_POLICY_INVALID);
+          }
+          const ctx = rlsContext.getContextOrNull();
+          if (ctx && !ctx.auth.isSystem && !bypassRoles.some((role) => ctx.auth.roles.includes(role))) {
+            const existingRow = await originalFindById(id);
+            if (!existingRow) {
+              return originalUpdate(id, data);
+            }
+            try {
+              await mutationGuard.checkUpdate(
+                table,
+                existingRow,
+                data
+              );
+              if (auditDecisions) {
+                logger.info?.("[RLS] Update allowed", { table, id, userId: ctx.auth.userId });
+              }
+            } catch (error) {
+              if (error instanceof RLSPolicyViolation) {
+                onViolation?.(error);
+                if (auditDecisions) {
+                  logger.warn?.("[RLS] Update denied", {
+                    table,
+                    id,
+                    userId: ctx.auth.userId,
+                    reason: error.reason
+                  });
+                }
+              }
+              throw error;
+            }
+          }
+          return originalUpdate(id, data);
+        },
+        /**
+         * Wrapped delete with RLS check
+         */
+        async delete(id) {
+          if (!originalDelete || !originalFindById) {
+            throw new RLSError("Repository does not support delete operation", RLSErrorCodes.RLS_POLICY_INVALID);
+          }
+          const ctx = rlsContext.getContextOrNull();
+          if (ctx && !ctx.auth.isSystem && !bypassRoles.some((role) => ctx.auth.roles.includes(role))) {
+            const existingRow = await originalFindById(id);
+            if (!existingRow) {
+              return originalDelete(id);
+            }
+            try {
+              await mutationGuard.checkDelete(table, existingRow);
+              if (auditDecisions) {
+                logger.info?.("[RLS] Delete allowed", { table, id, userId: ctx.auth.userId });
+              }
+            } catch (error) {
+              if (error instanceof RLSPolicyViolation) {
+                onViolation?.(error);
+                if (auditDecisions) {
+                  logger.warn?.("[RLS] Delete denied", {
+                    table,
+                    id,
+                    userId: ctx.auth.userId,
+                    reason: error.reason
+                  });
+                }
+              }
+              throw error;
+            }
+          }
+          return originalDelete(id);
+        },
+        /**
+         * Bypass RLS for specific operation
+         * Requires existing context
+         *
+         * @example
+         * ```typescript
+         * // Perform operation as system user
+         * const result = await repo.withoutRLS(async () => {
+         *   return repo.findAll(); // No RLS filtering
+         * });
+         * ```
+         */
+        async withoutRLS(fn) {
+          return rlsContext.asSystemAsync(fn);
+        },
+        /**
+         * Check if current user can perform operation on a row
+         *
+         * @example
+         * ```typescript
+         * const post = await repo.findById(1);
+         * const canUpdate = await repo.canAccess('update', post);
+         * if (canUpdate) {
+         *   await repo.update(1, { title: 'New title' });
+         * }
+         * ```
+         */
+        async canAccess(operation, row) {
+          const ctx = rlsContext.getContextOrNull();
+          if (!ctx) return false;
+          if (ctx.auth.isSystem) return true;
+          if (bypassRoles.some((role) => ctx.auth.roles.includes(role))) return true;
+          try {
+            switch (operation) {
+              case "read":
+                return await mutationGuard.checkRead(table, row);
+              case "create":
+                await mutationGuard.checkCreate(table, row);
+                return true;
+              case "update":
+                await mutationGuard.checkUpdate(table, row, {});
+                return true;
+              case "delete":
+                await mutationGuard.checkDelete(table, row);
+                return true;
+              default:
+                return false;
+            }
+          } catch (error) {
+            logger.debug?.("[RLS] Access check failed", {
+              table,
+              operation,
+              error: error instanceof Error ? error.message : String(error)
+            });
+            return false;
+          }
+        }
+      };
+      return extendedRepo;
+    }
+  };
+}
+
+// src/utils/helpers.ts
+function createEvaluationContext(rlsCtx, options) {
+  const ctx = {
+    auth: rlsCtx.auth
+  };
+  if (options?.row !== void 0) {
+    ctx.row = options.row;
+  }
+  if (options?.data !== void 0) {
+    ctx.data = options.data;
+  }
+  if (rlsCtx.request !== void 0) {
+    ctx.request = rlsCtx.request;
+  }
+  if (rlsCtx.meta !== void 0) {
+    ctx.meta = rlsCtx.meta;
+  }
+  return ctx;
+}
+function isAsyncFunction(fn) {
+  return fn instanceof Function && fn.constructor.name === "AsyncFunction";
+}
+async function safeEvaluate(fn, defaultValue) {
+  try {
+    const result = fn();
+    if (result instanceof Promise) {
+      return await result;
+    }
+    return result;
+  } catch (error) {
+    return defaultValue;
+  }
+}
+function deepMerge(target, source) {
+  const result = { ...target };
+  for (const key of Object.keys(source)) {
+    const sourceValue = source[key];
+    const targetValue = result[key];
+    if (sourceValue !== void 0 && typeof sourceValue === "object" && sourceValue !== null && !Array.isArray(sourceValue) && typeof targetValue === "object" && targetValue !== null && !Array.isArray(targetValue)) {
+      result[key] = deepMerge(
+        targetValue,
+        sourceValue
+      );
+    } else if (sourceValue !== void 0) {
+      result[key] = sourceValue;
+    }
+  }
+  return result;
+}
+function hashString(str) {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = (hash << 5) - hash + char;
+    hash = hash & hash;
+  }
+  return hash.toString(36);
+}
+function normalizeOperations(operation) {
+  if (Array.isArray(operation)) {
+    if (operation.includes("all")) {
+      return ["read", "create", "update", "delete"];
+    }
+    return operation;
+  }
+  if (operation === "all") {
+    return ["read", "create", "update", "delete"];
+  }
+  return [operation];
+}
+
+export { PolicyRegistry, RLSContextError, RLSContextValidationError, RLSError, RLSErrorCodes, RLSPolicyViolation, RLSSchemaError, allow, createEvaluationContext, createRLSContext, deepMerge, defineRLSSchema, deny, filter, hashString, isAsyncFunction, mergeRLSSchemas, normalizeOperations, rlsContext, rlsPlugin, safeEvaluate, validate, withRLSContext, withRLSContextAsync };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map