@kysera/rls 0.5.1

package/dist/native/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/native/postgres.ts","../../src/native/migration.ts"],"names":[],"mappings":";;;AAoBO,IAAM,uBAAN,MAA2B;AAAA;AAAA;AAAA;AAAA,EAIhC,kBAAA,CACE,MAAA,EACA,OAAA,GAA8B,EAAC,EACrB;AACV,IAAA,MAAM;AAAA,MACJ,KAAA,GAAQ,IAAA;AAAA,MACR,UAAA,GAAa,QAAA;AAAA,MACb,YAAA,GAAe;AAAA,KACjB,GAAI,OAAA;AAEJ,IAAA,MAAM,aAAuB,EAAC;AAE9B,IAAA,KAAA,MAAW,CAAC,KAAA,EAAO,MAAM,KAAK,MAAA,CAAO,OAAA,CAAQ,MAAM,CAAA,EAAG;AACpD,MAAA,IAAI,CAAC,MAAA,EAAQ;AAEb,MAAA,MAAM,cAAA,GAAiB,CAAA,EAAG,UAAU,CAAA,CAAA,EAAI,KAAK,CAAA,CAAA;AAC7C,MAAA,MAAM,WAAA,GAAc,MAAA;AAGpB,MAAA,UAAA,CAAW,IAAA,CAAK,CAAA,YAAA,EAAe,cAAc,CAAA,2BAAA,CAA6B,CAAA;AAE1E,MAAA,IAAI,KAAA,EAAO;AACT,QAAA,UAAA,CAAW,IAAA,CAAK,CAAA,YAAA,EAAe,cAAc,CAAA,0BAAA,CAA4B,CAAA;AAAA,MAC3E;AAGA,MAAA,IAAI,WAAA,GAAc,CAAA;AAClB,MAAA,KAAA,MAAW,MAAA,IAAU,YAAY,QAAA,EAAU;AACzC,QAAA,MAAM,UAAA,GAAa,MAAA,CAAO,IAAA,IAAQ,CAAA,EAAG,YAAY,CAAA,CAAA,EAAI,KAAK,CAAA,CAAA,EAAI,MAAA,CAAO,IAAI,CAAA,CAAA,EAAI,WAAA,EAAa,CAAA,CAAA;AAC1F,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,cAAA,CAAe,cAAA,EAAgB,YAAY,MAAM,CAAA;AACxE,QAAA,IAAI,SAAA,EAAW;AACb,UAAA,UAAA,CAAW,KAAK,SAAS,CAAA;AAAA,QAC3B;AAAA,MACF;AAAA,IACF;AAEA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,cAAA,CACN,KAAA,EACA,IAAA,EACA,MAAA,EACe;AAEf,IAAA,IAAI,MAAA,CAAO,IAAA,KAAS,QAAA,IAAY,MAAA,CAAO,SAAS,UAAA,EAAY;AAC1D,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,IAAI,CAAC,MAAA,CAAO,KAAA,IAAS,CAAC,OAAO,SAAA,EAAW;AACtC,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,KAAA,GAAkB;AAAA,MACtB,kBAAkB,IAAI,CAAA,CAAA,CAAA;AAAA,MACtB,MAAM,KAAK,CAAA;AAAA,KACb;AAGA,IAAA,IAAI,MAAA,CAAO,SAAS,MAAA,EAAQ;AAC1B,MAAA,KAAA,CAAM,KAAK,gBAAgB,CAAA;AAAA,IAC7B,CAAA,MAAO;AACL,MAAA,KAAA,CAAM,KAAK,eAAe,CAAA;AAAA,IAC5B;AAGA,IAAA,KAAA,CAAM,IAAA,CAAK,CAAA,GAAA,EAAM,MAAA,CAAO,IAAA,IAAQ,QAAQ,CAAA,CAAE,CAAA;AAG1C,IAAA,KAAA,CAAM,KAAK,CAAA,IAAA,EAAO,IAAA,CAAK,aAAa,MAAA,CAAO,SAAS,CAAC,CAAA,CAAE,CAAA;AAGvD,IAAA,IAAI,OAAO,KAAA,EAAO;AAChB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,OAAA,EAAU,MAAA,CAAO,KAAK,CAAA,CAAA,CAAG,CAAA;AAAA,IACtC;AAGA,IAAA,IAAI,OAAO,SAAA,EAAW;AACpB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,YAAA,EAAe,MAAA,CAAO,SAAS,CAAA,CAAA,CAAG,CAAA;AAAA,IAC/C;AAEA,IAAA,OAAO,KAAA,CAAM,IAAA,CAAK,MAAM,CAAA,GAAI,GAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,SAAA,EAA4C;AAC/D,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,SAAS,CAAA,EAAG;AAC5B,MAAA,IAAI,SAAA,CAAU,WAAW,CAAA,EAAG;AAC1B,QAAA,OAAO,KAAA;AAAA,MACT;AACA,MAAA,IAAI,UAAU,MAAA,KAAW,CAAA,IAAK,SAAA,CAAU,QAAA,CAAS,KAAK,CAAA,EAAG;AACvD,QAAA,OAAO,KAAA;AAAA,MACT;AAGA,MAAA,OAAO,IAAA,CAAK,kBAAA,CAAmB,SAAA,CAAU,CAAC,CAAE,CAAA;AAAA,IAC9C;AACA,IAAA,OAAO,IAAA,CAAK,mBAAmB,SAAS,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKQ,mBAAmB,EAAA,EAAuB;AAChD,IAAA,QAAQ,EAAA;AAAI,MACV,KAAK,MAAA;AAAQ,QAAA,OAAO,QAAA;AAAA,MACpB,KAAK,QAAA;AAAU,QAAA,OAAO,QAAA;AAAA,MACtB,KAAK,QAAA;AAAU,QAAA,OAAO,QAAA;AAAA,MACtB,KAAK,QAAA;AAAU,QAAA,OAAO,QAAA;AAAA,MACtB,KAAK,KAAA;AAAO,QAAA,OAAO,KAAA;AAAA,MACnB;AAAS,QAAA,OAAO,KAAA;AAAA;AAClB,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,wBAAA,GAAmC;AACjC,IAAA,OAAO;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA;AAAA,EAuCT;AAAA;AAAA;AAAA;AAAA,EAKA,sBAAA,CACE,MAAA,EACA,OAAA,GAA8B,EAAC,EACrB;AACV,IAAA,MAAM,EAAE,UAAA,GAAa,QAAA,EAAU,YAAA,GAAe,OAAM,GAAI,OAAA;AACxD,IAAA,MAAM,aAAuB,EAAC;AAE9B,IAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,IAAA,CAAK,MAAM,CAAA,EAAG;AACvC,MAAA,MAAM,cAAA,GAAiB,CAAA,EAAG,UAAU,CAAA,CAAA,EAAI,KAAK,CAAA,CAAA;AAG7C,MAAA,UAAA,CAAW,IAAA;AAAA,QACT,CAAA;AAAA;AAAA,kFAAA,EAE4E,cAAc,CAAA;AAAA;AAAA,uBAAA,EAEzE,KAAK,CAAA;AAAA,wBAAA,EACJ,UAAU,CAAA;AAAA,2BAAA,EACP,YAAY,CAAA;AAAA;AAAA,OAAA;AAAA,OAGnC;AAGA,MAAA,UAAA,CAAW,IAAA,CAAK,CAAA,YAAA,EAAe,cAAc,CAAA,4BAAA,CAA8B,CAAA;AAAA,IAC7E;AAEA,IAAA,OAAO,UAAA;AAAA,EACT;AACF;AAMA,eAAsB,qBAAA,CACpB,IACA,OAAA,EAOe;AACf,EAAA,MAAM,EAAE,MAAA,EAAQ,QAAA,EAAU,KAAA,EAAO,WAAA,EAAa,UAAS,GAAI,OAAA;AAE3D,EAAA,MAAM,GAAA;AAAA;AAAA,gCAAA,EAE0B,MAAA,CAAO,MAAM,CAAC,CAAA;AAAA,kCAAA,EACZ,QAAA,GAAW,MAAA,CAAO,QAAQ,CAAA,GAAI,EAAE,CAAA;AAAA,8BAAA,EAAA,CACnC,KAAA,IAAS,EAAC,EAAG,IAAA,CAAK,GAAG,CAAC,CAAA;AAAA,oCAAA,EAAA,CAChB,WAAA,IAAe,EAAC,EAAG,IAAA,CAAK,GAAG,CAAC,CAAA;AAAA,kCAAA,EAC/B,QAAA,GAAW,SAAS,OAAO,CAAA;AAAA,EAAA,CAAA,CAC3D,QAAQ,EAAE,CAAA;AACd;AAKA,eAAsB,qBAAyB,EAAA,EAA+B;AAC5E,EAAA,MAAM,GAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAAA,CAAA,CAOJ,QAAQ,EAAE,CAAA;AACd;;;ACrPO,IAAM,wBAAN,MAA4B;AAAA,EACzB,SAAA,GAAY,IAAI,oBAAA,EAAqB;AAAA;AAAA;AAAA;AAAA,EAK7C,iBAAA,CACE,MAAA,EACA,OAAA,GAA4B,EAAC,EACrB;AACR,IAAA,MAAM;AAAA,MACJ,IAAA,GAAO,cAAA;AAAA,MACP,uBAAA,GAA0B,IAAA;AAAA,MAC1B,GAAG;AAAA,KACL,GAAI,OAAA;AAEJ,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,SAAA,CAAU,kBAAA,CAAmB,QAAQ,gBAAgB,CAAA;AAC/E,IAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,SAAA,CAAU,sBAAA,CAAuB,QAAQ,gBAAgB,CAAA;AAErF,IAAA,MAAM,gBAAA,GAAmB,uBAAA,GACrB,IAAA,CAAK,SAAA,CAAU,0BAAyB,GACxC,EAAA;AAEJ,IAAA,OAAO,CAAA;;AAAA;AAAA,cAAA,EAGK,IAAI;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA,EAOlB,uBAAA,GAA0B,CAAA;AAAA,kBAAA,EACR,IAAA,CAAK,cAAA,CAAe,gBAAgB,CAAC,CAAA;;AAAA,CAAA,GAErD,EAAE,CAAA;AAAA,EACJ,YAAA,CAAa,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,kBAAA,EAAqB,IAAA,CAAK,cAAA,CAAe,CAAC,CAAC,CAAA,gBAAA,CAAkB,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC;AAAA;;AAAA;AAAA,EAI/F,cAAA,CAAe,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,kBAAA,EAAqB,IAAA,CAAK,cAAA,CAAe,CAAC,CAAC,CAAA,gBAAA,CAAkB,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC;AAAA,EACjG,uBAAA,GAA0B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kBAAA,CAAA,GAUN,EAAE;AAAA;AAAA,CAAA;AAAA,EAGtB;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAe,GAAA,EAAqB;AAC1C,IAAA,OAAO,IAAI,OAAA,CAAQ,IAAA,EAAM,KAAK,CAAA,CAAE,OAAA,CAAQ,OAAO,KAAK,CAAA;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAA,CAAiB,OAAe,cAAA,EAAwB;AACtD,IAAA,MAAM,6BAAY,IAAI,IAAA,EAAK,EAAE,WAAA,GAC1B,OAAA,CAAQ,OAAA,EAAS,EAAE,CAAA,CACnB,QAAQ,GAAA,EAAK,GAAG,CAAA,CAChB,OAAA,CAAQ,QAAQ,EAAE,CAAA;AACrB,IAAA,OAAO,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,IAAI,CAAA,GAAA,CAAA;AAAA,EAC7B;AACF","file":"index.js","sourcesContent":["import type { Kysely } from 'kysely';\nimport { sql } from 'kysely';\nimport type { RLSSchema, TableRLSConfig, PolicyDefinition, Operation } from '../policy/types.js';\n\n/**\n * Options for PostgreSQL RLS generation\n */\nexport interface PostgresRLSOptions {\n  /** Force RLS on table owners */\n  force?: boolean;\n  /** Schema name (default: public) */\n  schemaName?: string;\n  /** Prefix for generated policy names */\n  policyPrefix?: string;\n}\n\n/**\n * PostgreSQL RLS Generator\n * Generates native PostgreSQL RLS statements from Kysera RLS schema\n */\nexport class PostgresRLSGenerator {\n  /**\n   * Generate all PostgreSQL RLS statements from schema\n   */\n  generateStatements<DB>(\n    schema: RLSSchema<DB>,\n    options: PostgresRLSOptions = {}\n  ): string[] {\n    const {\n      force = true,\n      schemaName = 'public',\n      policyPrefix = 'rls',\n    } = options;\n\n    const statements: string[] = [];\n\n    for (const [table, config] of Object.entries(schema)) {\n      if (!config) continue;\n\n      const qualifiedTable = `${schemaName}.${table}`;\n      const tableConfig = config as TableRLSConfig;\n\n      // Enable RLS on table\n      statements.push(`ALTER TABLE ${qualifiedTable} ENABLE ROW LEVEL SECURITY;`);\n\n      if (force) {\n        statements.push(`ALTER TABLE ${qualifiedTable} FORCE ROW LEVEL SECURITY;`);\n      }\n\n      // Generate policies\n      let policyIndex = 0;\n      for (const policy of tableConfig.policies) {\n        const policyName = policy.name ?? `${policyPrefix}_${table}_${policy.type}_${policyIndex++}`;\n        const policySQL = this.generatePolicy(qualifiedTable, policyName, policy);\n        if (policySQL) {\n          statements.push(policySQL);\n        }\n      }\n    }\n\n    return statements;\n  }\n\n  /**\n   * Generate a single policy statement\n   */\n  private generatePolicy(\n    table: string,\n    name: string,\n    policy: PolicyDefinition\n  ): string | null {\n    // Skip filter policies (they're ORM-only)\n    if (policy.type === 'filter' || policy.type === 'validate') {\n      return null;\n    }\n\n    // Need USING or WITH CHECK clause for native RLS\n    if (!policy.using && !policy.withCheck) {\n      return null;\n    }\n\n    const parts: string[] = [\n      `CREATE POLICY \"${name}\"`,\n      `ON ${table}`,\n    ];\n\n    // Policy type\n    if (policy.type === 'deny') {\n      parts.push('AS RESTRICTIVE');\n    } else {\n      parts.push('AS PERMISSIVE');\n    }\n\n    // Target role\n    parts.push(`TO ${policy.role ?? 'public'}`);\n\n    // Operation\n    parts.push(`FOR ${this.mapOperation(policy.operation)}`);\n\n    // USING clause\n    if (policy.using) {\n      parts.push(`USING (${policy.using})`);\n    }\n\n    // WITH CHECK clause\n    if (policy.withCheck) {\n      parts.push(`WITH CHECK (${policy.withCheck})`);\n    }\n\n    return parts.join('\\n  ') + ';';\n  }\n\n  /**\n   * Map Kysera operation to PostgreSQL operation\n   */\n  private mapOperation(operation: Operation | Operation[]): string {\n    if (Array.isArray(operation)) {\n      if (operation.length === 0) {\n        return 'ALL';\n      }\n      if (operation.length === 4 || operation.includes('all')) {\n        return 'ALL';\n      }\n      // PostgreSQL doesn't support multiple operations in one policy\n      // Return first operation\n      return this.mapSingleOperation(operation[0]!);\n    }\n    return this.mapSingleOperation(operation);\n  }\n\n  /**\n   * Map single operation\n   */\n  private mapSingleOperation(op: Operation): string {\n    switch (op) {\n      case 'read': return 'SELECT';\n      case 'create': return 'INSERT';\n      case 'update': return 'UPDATE';\n      case 'delete': return 'DELETE';\n      case 'all': return 'ALL';\n      default: return 'ALL';\n    }\n  }\n\n  /**\n   * Generate context-setting functions for PostgreSQL\n   * These functions should be STABLE for optimal performance\n   */\n  generateContextFunctions(): string {\n    return `\n-- RLS Context Functions (STABLE for query planner optimization)\n-- These functions read session variables set by the application\n\nCREATE OR REPLACE FUNCTION rls_current_user_id()\nRETURNS text\nLANGUAGE SQL STABLE\nAS $$ SELECT current_setting('app.user_id', true) $$;\n\nCREATE OR REPLACE FUNCTION rls_current_tenant_id()\nRETURNS uuid\nLANGUAGE SQL STABLE\nAS $$ SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid $$;\n\nCREATE OR REPLACE FUNCTION rls_current_roles()\nRETURNS text[]\nLANGUAGE SQL STABLE\nAS $$ SELECT string_to_array(COALESCE(current_setting('app.roles', true), ''), ',') $$;\n\nCREATE OR REPLACE FUNCTION rls_has_role(role_name text)\nRETURNS boolean\nLANGUAGE SQL STABLE\nAS $$ SELECT role_name = ANY(rls_current_roles()) $$;\n\nCREATE OR REPLACE FUNCTION rls_current_permissions()\nRETURNS text[]\nLANGUAGE SQL STABLE\nAS $$ SELECT string_to_array(COALESCE(current_setting('app.permissions', true), ''), ',') $$;\n\nCREATE OR REPLACE FUNCTION rls_has_permission(permission_name text)\nRETURNS boolean\nLANGUAGE SQL STABLE\nAS $$ SELECT permission_name = ANY(rls_current_permissions()) $$;\n\nCREATE OR REPLACE FUNCTION rls_is_system()\nRETURNS boolean\nLANGUAGE SQL STABLE\nAS $$ SELECT COALESCE(current_setting('app.is_system', true), 'false')::boolean $$;\n`;\n  }\n\n  /**\n   * Generate DROP statements for cleaning up\n   */\n  generateDropStatements<DB>(\n    schema: RLSSchema<DB>,\n    options: PostgresRLSOptions = {}\n  ): string[] {\n    const { schemaName = 'public', policyPrefix = 'rls' } = options;\n    const statements: string[] = [];\n\n    for (const table of Object.keys(schema)) {\n      const qualifiedTable = `${schemaName}.${table}`;\n\n      // Drop all policies with prefix\n      statements.push(\n        `DO $$ BEGIN\n  EXECUTE (\n    SELECT string_agg('DROP POLICY IF EXISTS ' || quote_ident(policyname) || ' ON ${qualifiedTable};', E'\\\\n')\n    FROM pg_policies\n    WHERE tablename = '${table}'\n      AND schemaname = '${schemaName}'\n      AND policyname LIKE '${policyPrefix}_%'\n  );\nEND $$;`\n      );\n\n      // Disable RLS\n      statements.push(`ALTER TABLE ${qualifiedTable} DISABLE ROW LEVEL SECURITY;`);\n    }\n\n    return statements;\n  }\n}\n\n/**\n * Sync RLS context to PostgreSQL session settings\n * Call this at the start of each request/transaction\n */\nexport async function syncContextToPostgres<DB>(\n  db: Kysely<DB>,\n  context: {\n    userId: string | number;\n    tenantId?: string | number;\n    roles?: string[];\n    permissions?: string[];\n    isSystem?: boolean;\n  }\n): Promise<void> {\n  const { userId, tenantId, roles, permissions, isSystem } = context;\n\n  await sql`\n    SELECT\n      set_config('app.user_id', ${String(userId)}, true),\n      set_config('app.tenant_id', ${tenantId ? String(tenantId) : ''}, true),\n      set_config('app.roles', ${(roles ?? []).join(',')}, true),\n      set_config('app.permissions', ${(permissions ?? []).join(',')}, true),\n      set_config('app.is_system', ${isSystem ? 'true' : 'false'}, true)\n  `.execute(db);\n}\n\n/**\n * Clear RLS context from PostgreSQL session\n */\nexport async function clearPostgresContext<DB>(db: Kysely<DB>): Promise<void> {\n  await sql`\n    SELECT\n      set_config('app.user_id', '', true),\n      set_config('app.tenant_id', '', true),\n      set_config('app.roles', '', true),\n      set_config('app.permissions', '', true),\n      set_config('app.is_system', 'false', true)\n  `.execute(db);\n}\n","import type { RLSSchema } from '../policy/types.js';\nimport { PostgresRLSGenerator, type PostgresRLSOptions } from './postgres.js';\n\n/**\n * Options for migration generation\n */\nexport interface MigrationOptions extends PostgresRLSOptions {\n  /** Migration name */\n  name?: string;\n  /** Include context functions in migration */\n  includeContextFunctions?: boolean;\n}\n\n/**\n * RLS Migration Generator\n * Generates Kysely migration files for RLS policies\n */\nexport class RLSMigrationGenerator {\n  private generator = new PostgresRLSGenerator();\n\n  /**\n   * Generate migration file content\n   */\n  generateMigration<DB>(\n    schema: RLSSchema<DB>,\n    options: MigrationOptions = {}\n  ): string {\n    const {\n      name = 'rls_policies',\n      includeContextFunctions = true,\n      ...generatorOptions\n    } = options;\n\n    const upStatements = this.generator.generateStatements(schema, generatorOptions);\n    const downStatements = this.generator.generateDropStatements(schema, generatorOptions);\n\n    const contextFunctions = includeContextFunctions\n      ? this.generator.generateContextFunctions()\n      : '';\n\n    return `import { Kysely, sql } from 'kysely';\n\n/**\n * Migration: ${name}\n * Generated by @kysera/rls\n *\n * This migration sets up Row-Level Security policies for the database.\n */\n\nexport async function up(db: Kysely<any>): Promise<void> {\n${includeContextFunctions ? `  // Create RLS context functions\n  await sql.raw(\\`${this.escapeTemplate(contextFunctions)}\\`).execute(db);\n\n` : ''}  // Enable RLS and create policies\n${upStatements.map(s => `  await sql.raw(\\`${this.escapeTemplate(s)}\\`).execute(db);`).join('\\n')}\n}\n\nexport async function down(db: Kysely<any>): Promise<void> {\n${downStatements.map(s => `  await sql.raw(\\`${this.escapeTemplate(s)}\\`).execute(db);`).join('\\n')}\n${includeContextFunctions ? `\n  // Drop RLS context functions\n  await sql.raw(\\`\n    DROP FUNCTION IF EXISTS rls_current_user_id();\n    DROP FUNCTION IF EXISTS rls_current_tenant_id();\n    DROP FUNCTION IF EXISTS rls_current_roles();\n    DROP FUNCTION IF EXISTS rls_has_role(text);\n    DROP FUNCTION IF EXISTS rls_current_permissions();\n    DROP FUNCTION IF EXISTS rls_has_permission(text);\n    DROP FUNCTION IF EXISTS rls_is_system();\n  \\`).execute(db);` : ''}\n}\n`;\n  }\n\n  /**\n   * Escape template literal for embedding in string\n   */\n  private escapeTemplate(str: string): string {\n    return str.replace(/`/g, '\\\\`').replace(/\\$/g, '\\\\$');\n  }\n\n  /**\n   * Generate migration filename with timestamp\n   */\n  generateFilename(name: string = 'rls_policies'): string {\n    const timestamp = new Date().toISOString()\n      .replace(/[-:]/g, '')\n      .replace('T', '_')\n      .replace(/\\..+/, '');\n    return `${timestamp}_${name}.ts`;\n  }\n}\n"]}

package/dist/types-Dtg6Lt1k.d.ts

@@ -0,0 +1,633 @@
+import { Kysely } from 'kysely';
+
+/**
+ * Core type definitions for RLS (Row-Level Security) policies
+ *
+ * This module provides comprehensive type definitions for defining and evaluating
+ * row-level security policies in Kysera ORM. It supports multiple policy types,
+ * flexible context management, and type-safe policy definitions.
+ *
+ * @module @kysera/rls/policy/types
+ */
+
+/**
+ * Database operations that can be controlled by RLS policies
+ *
+ * - `read`: SELECT operations
+ * - `create`: INSERT operations
+ * - `update`: UPDATE operations
+ * - `delete`: DELETE operations
+ * - `all`: All operations (wildcard)
+ *
+ * @example
+ * ```typescript
+ * const policy: PolicyDefinition = {
+ *   type: 'allow',
+ *   operation: ['read', 'update'], // Multiple operations
+ *   condition: (ctx) => ctx.auth.userId === ctx.row.userId
+ * };
+ * ```
+ */
+type Operation = 'read' | 'create' | 'update' | 'delete' | 'all';
+/**
+ * Authentication context containing user identity and authorization information
+ *
+ * This context is passed to all policy evaluation functions and contains
+ * information about the authenticated user, their roles, and permissions.
+ *
+ * @typeParam TUser - Custom user type for additional user properties
+ *
+ * @example
+ * ```typescript
+ * const authContext: RLSAuthContext = {
+ *   userId: 123,
+ *   roles: ['user', 'editor'],
+ *   tenantId: 'acme-corp',
+ *   organizationIds: ['org-1', 'org-2'],
+ *   permissions: ['posts:read', 'posts:write'],
+ *   isSystem: false
+ * };
+ * ```
+ */
+interface RLSAuthContext<TUser = unknown> {
+    /**
+     * Unique identifier for the authenticated user
+     * Can be a string or number depending on your ID strategy
+     */
+    userId: string | number;
+    /**
+     * List of roles assigned to the user
+     * Used for role-based access control (RBAC)
+     */
+    roles: string[];
+    /**
+     * Optional tenant identifier for multi-tenancy
+     * Use for tenant isolation in SaaS applications
+     */
+    tenantId?: string | number;
+    /**
+     * Optional list of organization IDs the user belongs to
+     * Use for hierarchical multi-tenancy or organization-based access
+     */
+    organizationIds?: (string | number)[];
+    /**
+     * Optional list of granular permissions
+     * Use for fine-grained access control
+     */
+    permissions?: string[];
+    /**
+     * Optional custom attributes for advanced policy logic
+     * Can contain any additional context needed for policy evaluation
+     */
+    attributes?: Record<string, unknown>;
+    /**
+     * Optional full user object for accessing user properties
+     * Useful when policies need to check user-specific attributes
+     */
+    user?: TUser;
+    /**
+     * Flag indicating if this is a system/admin context
+     * System contexts typically bypass RLS policies
+     *
+     * @default false
+     */
+    isSystem?: boolean;
+}
+/**
+ * HTTP request context for audit and policy evaluation
+ *
+ * Contains information about the current request, useful for logging,
+ * audit trails, and IP-based or time-based access policies.
+ *
+ * @example
+ * ```typescript
+ * const requestContext: RLSRequestContext = {
+ *   requestId: 'req-123abc',
+ *   ipAddress: '192.168.1.100',
+ *   userAgent: 'Mozilla/5.0...',
+ *   timestamp: new Date(),
+ *   headers: { 'x-api-key': 'secret' }
+ * };
+ * ```
+ */
+interface RLSRequestContext {
+    /**
+     * Unique identifier for the request
+     * Useful for tracing and debugging
+     */
+    requestId?: string;
+    /**
+     * Client IP address
+     * Can be used for IP-based access policies
+     */
+    ipAddress?: string;
+    /**
+     * Client user agent string
+     * Useful for device-based access policies
+     */
+    userAgent?: string;
+    /**
+     * Request timestamp
+     * Required for time-based policies and audit logs
+     */
+    timestamp: Date;
+    /**
+     * HTTP headers
+     * Can contain custom authentication or context headers
+     */
+    headers?: Record<string, string>;
+}
+/**
+ * Complete RLS context containing all information for policy evaluation
+ *
+ * This is the main context object passed to policy functions and used
+ * throughout the RLS system.
+ *
+ * @typeParam TUser - Custom user type
+ * @typeParam TMeta - Custom metadata type for additional context
+ *
+ * @example
+ * ```typescript
+ * const rlsContext: RLSContext = {
+ *   auth: {
+ *     userId: 123,
+ *     roles: ['user'],
+ *     tenantId: 'acme-corp'
+ *   },
+ *   request: {
+ *     requestId: 'req-123',
+ *     ipAddress: '192.168.1.1',
+ *     timestamp: new Date()
+ *   },
+ *   meta: {
+ *     feature_flags: ['new_ui', 'beta_access']
+ *   },
+ *   timestamp: new Date()
+ * };
+ * ```
+ */
+interface RLSContext<TUser = unknown, TMeta = unknown> {
+    /**
+     * Authentication context (required)
+     * Contains user identity and authorization information
+     */
+    auth: RLSAuthContext<TUser>;
+    /**
+     * Request context (optional)
+     * Contains HTTP request information
+     */
+    request?: RLSRequestContext;
+    /**
+     * Custom metadata (optional)
+     * Can contain any additional context needed for policy evaluation
+     * Examples: feature flags, A/B test groups, regional settings
+     */
+    meta?: TMeta;
+    /**
+     * Context creation timestamp
+     * Used for temporal policies and audit trails
+     */
+    timestamp: Date;
+}
+/**
+ * Context passed to policy evaluation functions
+ *
+ * This extended context includes the authentication/request context plus
+ * additional information about the current row being evaluated and the
+ * data being operated on.
+ *
+ * @typeParam TAuth - Custom user type for auth context
+ * @typeParam TRow - Type of the database row being evaluated
+ * @typeParam TData - Type of the data being inserted/updated
+ * @typeParam TDB - Database schema type for Kysely
+ *
+ * @example
+ * ```typescript
+ * // Policy function using evaluation context
+ * const ownershipPolicy = (ctx: PolicyEvaluationContext<User, Post>) => {
+ *   // Check if user owns the post
+ *   return ctx.auth.userId === ctx.row.authorId;
+ * };
+ *
+ * // Filter policy using evaluation context
+ * const tenantFilter = (ctx: PolicyEvaluationContext) => {
+ *   return {
+ *     tenant_id: ctx.auth.tenantId
+ *   };
+ * };
+ * ```
+ */
+interface PolicyEvaluationContext<TAuth = unknown, TRow = unknown, TData = unknown, TDB = unknown> {
+    /**
+     * Authentication context
+     * Contains user identity and authorization information
+     */
+    auth: RLSAuthContext<TAuth>;
+    /**
+     * Current row being evaluated (optional)
+     * Available during read/update/delete operations
+     * Used for row-level policies that check row attributes
+     */
+    row?: TRow;
+    /**
+     * Data being inserted or updated (optional)
+     * Available during create/update operations
+     * Used for validation policies
+     */
+    data?: TData;
+    /**
+     * Request context (optional)
+     * Contains HTTP request information
+     */
+    request?: RLSRequestContext;
+    /**
+     * Kysely database instance (optional)
+     * Available for policies that need to perform additional queries
+     * Use sparingly as it can impact performance
+     */
+    db?: Kysely<TDB>;
+    /**
+     * Custom metadata (optional)
+     * Can contain any additional context needed for policy evaluation
+     */
+    meta?: Record<string, unknown>;
+}
+/**
+ * Policy condition function or expression
+ *
+ * Can be either:
+ * - A function that returns a boolean (or Promise<boolean>)
+ * - A string expression for native RLS (PostgreSQL)
+ *
+ * @typeParam TCtx - Policy evaluation context type
+ *
+ * @example
+ * ```typescript
+ * // Function-based condition
+ * const condition: PolicyCondition = (ctx) => {
+ *   return ctx.auth.roles.includes('admin') ||
+ *          ctx.auth.userId === ctx.row.ownerId;
+ * };
+ *
+ * // Async condition
+ * const asyncCondition: PolicyCondition = async (ctx) => {
+ *   const hasPermission = await checkPermission(ctx.auth.userId, 'posts:read');
+ *   return hasPermission;
+ * };
+ *
+ * // String expression for native RLS
+ * const nativeCondition: PolicyCondition = 'user_id = current_user_id()';
+ * ```
+ */
+type PolicyCondition<TCtx extends PolicyEvaluationContext = PolicyEvaluationContext> = ((ctx: TCtx) => boolean | Promise<boolean>) | string;
+/**
+ * Filter condition that returns WHERE clause conditions
+ *
+ * Used for filter-type policies that add WHERE conditions to queries.
+ * Can be either:
+ * - A function that returns an object with column-value pairs
+ * - An object mapping column names to context property paths
+ *
+ * @typeParam TCtx - Policy evaluation context type
+ *
+ * @example
+ * ```typescript
+ * // Function-based filter
+ * const filter: FilterCondition = (ctx) => ({
+ *   tenant_id: ctx.auth.tenantId,
+ *   deleted_at: null
+ * });
+ *
+ * // Static filter mapping
+ * const staticFilter: FilterCondition = {
+ *   tenant_id: 'auth.tenantId',
+ *   status: 'meta.defaultStatus'
+ * };
+ * ```
+ */
+type FilterCondition<TCtx extends PolicyEvaluationContext = PolicyEvaluationContext> = ((ctx: TCtx) => Record<string, unknown>) | Record<string, string>;
+/**
+ * Policy behavior type
+ *
+ * - `allow`: Grants access if condition is true
+ * - `deny`: Denies access if condition is true (takes precedence)
+ * - `filter`: Adds WHERE conditions to automatically filter rows
+ * - `validate`: Validates data during create/update operations
+ *
+ * @example
+ * ```typescript
+ * // Allow policy: grants access to owners
+ * const allowPolicy: PolicyDefinition = {
+ *   type: 'allow',
+ *   operation: 'update',
+ *   condition: (ctx) => ctx.auth.userId === ctx.row.ownerId
+ * };
+ *
+ * // Deny policy: prevents access to deleted items
+ * const denyPolicy: PolicyDefinition = {
+ *   type: 'deny',
+ *   operation: 'read',
+ *   condition: (ctx) => ctx.row.deletedAt !== null
+ * };
+ *
+ * // Filter policy: automatically filters by tenant
+ * const filterPolicy: PolicyDefinition = {
+ *   type: 'filter',
+ *   operation: 'read',
+ *   condition: (ctx) => ({ tenant_id: ctx.auth.tenantId })
+ * };
+ *
+ * // Validate policy: ensures valid status transitions
+ * const validatePolicy: PolicyDefinition = {
+ *   type: 'validate',
+ *   operation: 'update',
+ *   condition: (ctx) => isValidStatusTransition(ctx.row.status, ctx.data.status)
+ * };
+ * ```
+ */
+type PolicyType = 'allow' | 'deny' | 'filter' | 'validate';
+/**
+ * Policy definition for RLS enforcement
+ *
+ * Defines a single security policy with its behavior, operations, and conditions.
+ *
+ * @typeParam TOperation - Operation type(s) the policy applies to
+ * @typeParam TCondition - Condition type (function or string)
+ *
+ * @example
+ * ```typescript
+ * // Basic ownership policy
+ * const ownershipPolicy: PolicyDefinition = {
+ *   type: 'allow',
+ *   operation: ['read', 'update', 'delete'],
+ *   condition: (ctx) => ctx.auth.userId === ctx.row.ownerId,
+ *   name: 'ownership_policy',
+ *   priority: 100
+ * };
+ *
+ * // Native PostgreSQL RLS policy
+ * const nativePolicy: PolicyDefinition = {
+ *   type: 'allow',
+ *   operation: 'read',
+ *   condition: '',
+ *   using: 'user_id = current_user_id()',
+ *   withCheck: 'user_id = current_user_id()',
+ *   role: 'authenticated',
+ *   name: 'user_isolation'
+ * };
+ *
+ * // Multi-tenancy filter
+ * const tenantFilter: PolicyDefinition = {
+ *   type: 'filter',
+ *   operation: 'read',
+ *   condition: (ctx) => ({ tenant_id: ctx.auth.tenantId }),
+ *   name: 'tenant_isolation',
+ *   priority: 1000 // High priority for tenant isolation
+ * };
+ * ```
+ */
+interface PolicyDefinition<TOperation extends Operation = Operation, TCondition = PolicyCondition> {
+    /**
+     * Policy behavior type
+     * Determines how the policy affects access control
+     */
+    type: PolicyType;
+    /**
+     * Operation(s) this policy applies to
+     * Can be a single operation or an array of operations
+     */
+    operation: TOperation | TOperation[];
+    /**
+     * Condition function or expression
+     * - For 'allow'/'deny'/'validate': returns boolean
+     * - For 'filter': returns WHERE conditions object
+     * - For native RLS: SQL expression string
+     */
+    condition: TCondition;
+    /**
+     * Optional policy name for debugging and logging
+     * Recommended for easier policy management
+     */
+    name?: string;
+    /**
+     * Optional priority for policy evaluation order
+     * Higher priority policies are evaluated first
+     * Deny policies typically have higher priority
+     *
+     * @default 0
+     */
+    priority?: number;
+    /**
+     * Optional SQL expression for native RLS USING clause
+     * PostgreSQL only - used for row visibility checks
+     *
+     * @example 'user_id = current_user_id()'
+     */
+    using?: string;
+    /**
+     * Optional SQL expression for native RLS WITH CHECK clause
+     * PostgreSQL only - used for insert/update validation
+     *
+     * @example 'tenant_id = current_tenant_id()'
+     */
+    withCheck?: string;
+    /**
+     * Optional database role this policy applies to
+     * PostgreSQL only - restricts policy to specific roles
+     *
+     * @example 'authenticated'
+     */
+    role?: string;
+    /**
+     * Optional performance optimization hints
+     * Used for query optimization and index suggestions
+     */
+    hints?: PolicyHints;
+}
+/**
+ * RLS configuration for a single database table
+ *
+ * Defines all policies and settings for row-level security on a table.
+ *
+ * @example
+ * ```typescript
+ * const postsConfig: TableRLSConfig = {
+ *   policies: [
+ *     {
+ *       type: 'filter',
+ *       operation: 'read',
+ *       condition: (ctx) => ({ tenant_id: ctx.auth.tenantId }),
+ *       name: 'tenant_isolation',
+ *       priority: 1000
+ *     },
+ *     {
+ *       type: 'allow',
+ *       operation: ['update', 'delete'],
+ *       condition: (ctx) => ctx.auth.userId === ctx.row.authorId,
+ *       name: 'author_access'
+ *     }
+ *   ],
+ *   defaultDeny: true,
+ *   skipFor: ['system', 'admin']
+ * };
+ * ```
+ */
+interface TableRLSConfig {
+    /**
+     * List of policies to enforce on this table
+     * Policies are evaluated in priority order (highest first)
+     */
+    policies: PolicyDefinition[];
+    /**
+     * Default behavior when no policies match
+     * - true: Deny access by default (secure default)
+     * - false: Allow access by default (open default)
+     *
+     * @default true
+     */
+    defaultDeny?: boolean;
+    /**
+     * List of roles that bypass RLS policies
+     * Useful for system operations or admin accounts
+     *
+     * @example ['system', 'admin', 'superuser']
+     */
+    skipFor?: string[];
+}
+/**
+ * Complete RLS schema for all tables in the database
+ *
+ * Maps table names to their RLS configurations.
+ *
+ * @typeParam DB - Database schema type (Kysely DB type)
+ *
+ * @example
+ * ```typescript
+ * interface Database {
+ *   posts: Post;
+ *   comments: Comment;
+ *   users: User;
+ * }
+ *
+ * const rlsSchema: RLSSchema<Database> = {
+ *   posts: {
+ *     policies: [
+ *       {
+ *         type: 'filter',
+ *         operation: 'read',
+ *         condition: (ctx) => ({ tenant_id: ctx.auth.tenantId })
+ *       }
+ *     ],
+ *     defaultDeny: true
+ *   },
+ *   comments: {
+ *     policies: [
+ *       {
+ *         type: 'allow',
+ *         operation: 'all',
+ *         condition: (ctx) => ctx.auth.roles.includes('moderator')
+ *       }
+ *     ]
+ *   }
+ * };
+ * ```
+ */
+type RLSSchema<DB> = {
+    [K in keyof DB]?: TableRLSConfig;
+};
+/**
+ * Compiled policy ready for runtime evaluation
+ *
+ * Internal representation of a policy after compilation and optimization.
+ *
+ * @typeParam TCtx - Policy evaluation context type
+ */
+interface CompiledPolicy<TCtx = PolicyEvaluationContext> {
+    /**
+     * Policy behavior type
+     */
+    type: PolicyType;
+    /**
+     * Operations this policy applies to
+     * Always an array after compilation
+     */
+    operation: Operation[];
+    /**
+     * Compiled evaluation function
+     * Returns boolean or Promise<boolean>
+     */
+    evaluate: (ctx: TCtx) => boolean | Promise<boolean>;
+    /**
+     * Policy name for debugging
+     */
+    name: string;
+    /**
+     * Priority for evaluation order
+     */
+    priority: number;
+}
+/**
+ * Compiled filter policy for query transformation
+ *
+ * Specialized compiled policy type for filter operations.
+ *
+ * @typeParam TCtx - Policy evaluation context type
+ */
+interface CompiledFilterPolicy<TCtx = PolicyEvaluationContext> {
+    /**
+     * Always 'read' for filter policies
+     */
+    operation: 'read';
+    /**
+     * Function to get WHERE conditions
+     * Returns object with column-value pairs
+     */
+    getConditions: (ctx: TCtx) => Record<string, unknown>;
+    /**
+     * Policy name for debugging
+     */
+    name: string;
+}
+/**
+ * Optimization hints for policy execution
+ *
+ * Provides metadata to help optimize policy evaluation and query generation.
+ * These hints can be used by query optimizers and execution planners.
+ *
+ * @example
+ * ```typescript
+ * const hints: PolicyHints = {
+ *   indexColumns: ['tenant_id', 'user_id'],
+ *   selectivity: 'high',
+ *   leakproof: true,
+ *   stable: true
+ * };
+ * ```
+ */
+interface PolicyHints {
+    /**
+     * Columns that should be indexed for optimal performance
+     * Suggests which columns are frequently used in policy conditions
+     */
+    indexColumns?: string[];
+    /**
+     * Expected selectivity of the policy
+     * - 'high': Filters out most rows (good for early evaluation)
+     * - 'medium': Filters moderate number of rows
+     * - 'low': Filters few rows (evaluate later)
+     */
+    selectivity?: 'high' | 'medium' | 'low';
+    /**
+     * Whether the policy is leakproof (PostgreSQL concept)
+     * Leakproof functions don't reveal information about their inputs
+     * Safe to execute before other security checks
+     */
+    leakproof?: boolean;
+    /**
+     * Whether the policy result is stable for the same inputs
+     * Stable policies can be cached during a query execution
+     */
+    stable?: boolean;
+}
+
+export type { CompiledPolicy as C, FilterCondition as F, Operation as O, PolicyCondition as P, RLSSchema as R, TableRLSConfig as T, PolicyHints as a, PolicyDefinition as b, CompiledFilterPolicy as c, RLSContext as d, RLSAuthContext as e, RLSRequestContext as f, PolicyEvaluationContext as g, PolicyType as h };