@kysera/rls 0.7.3 → 0.8.0

package/dist/index.js

@@ -1,7 +1,8 @@
-import { silentLogger } from '@kysera/core';
-import { getRawDb } from '@kysera/executor';
-import { sql } from 'kysely';
+import { DatabaseError, silentLogger } from '@kysera/core';
+import { isRepositoryLike, getRawDb } from '@kysera/executor';
+import { z } from 'zod';
 import { AsyncLocalStorage } from 'async_hooks';
+import { sql } from 'kysely';
 
 // src/errors.ts
 var RLSErrorCodes = {
@@ -18,8 +19,7 @@ var RLSErrorCodes = {
   /** RLS policy evaluation threw an error */
   RLS_POLICY_EVALUATION_ERROR: "RLS_POLICY_EVALUATION_ERROR"
 };
-var RLSError = class extends Error {
-  code;
+var RLSError = class extends DatabaseError {
   /**
    * Creates a new RLS error
    *
@@ -27,21 +27,8 @@ var RLSError = class extends Error {
    * @param code - RLS error code
    */
   constructor(message, code) {
-    super(message);
+    super(message, code);
     this.name = "RLSError";
-    this.code = code;
-  }
-  /**
-   * Serializes the error to JSON
-   *
-   * @returns JSON representation of the error
-   */
-  toJSON() {
-    return {
-      name: this.name,
-      message: this.message,
-      code: this.code
-    };
   }
 };
 var RLSContextError = class extends RLSError {
@@ -198,10 +185,7 @@ function validateSchema(schema) {
     if (!config) continue;
     const tableConfig = config;
     if (!Array.isArray(tableConfig.policies)) {
-      throw new RLSSchemaError(
-        `Invalid policies for table "${table}": must be an array`,
-        { table }
-      );
+      throw new RLSSchemaError(`Invalid policies for table "${table}": must be an array`, { table });
     }
     for (let i = 0; i < tableConfig.policies.length; i++) {
       const policy = tableConfig.policies[i];
@@ -226,19 +210,15 @@ function validateSchema(schema) {
       }
     }
     if (tableConfig.defaultDeny !== void 0 && typeof tableConfig.defaultDeny !== "boolean") {
-      throw new RLSSchemaError(
-        `Invalid defaultDeny for table "${table}": must be a boolean`,
-        { table }
-      );
+      throw new RLSSchemaError(`Invalid defaultDeny for table "${table}": must be a boolean`, {
+        table
+      });
     }
   }
 }
 function validatePolicy(policy, table, index) {
   if (!policy.type) {
-    throw new RLSSchemaError(
-      `Policy ${index} for table "${table}" missing type`,
-      { table, index }
-    );
+    throw new RLSSchemaError(`Policy ${index} for table "${table}" missing type`, { table, index });
   }
   const validTypes = ["allow", "deny", "filter", "validate"];
   if (!validTypes.includes(policy.type)) {
@@ -248,10 +228,10 @@ function validatePolicy(policy, table, index) {
     );
   }
   if (!policy.operation) {
-    throw new RLSSchemaError(
-      `Policy ${index} for table "${table}" missing operation`,
-      { table, index }
-    );
+    throw new RLSSchemaError(`Policy ${index} for table "${table}" missing operation`, {
+      table,
+      index
+    });
   }
   const validOps = ["read", "create", "update", "delete", "all"];
   const ops = Array.isArray(policy.operation) ? policy.operation : [policy.operation];
@@ -264,10 +244,10 @@ function validatePolicy(policy, table, index) {
     }
   }
   if (policy.condition === void 0 || policy.condition === null) {
-    throw new RLSSchemaError(
-      `Policy ${index} for table "${table}" missing condition`,
-      { table, index }
-    );
+    throw new RLSSchemaError(`Policy ${index} for table "${table}" missing condition`, {
+      table,
+      index
+    });
   }
   if (typeof policy.condition !== "function" && typeof policy.condition !== "string") {
     throw new RLSSchemaError(
@@ -276,16 +256,16 @@ function validatePolicy(policy, table, index) {
     );
   }
   if (policy.priority !== void 0 && typeof policy.priority !== "number") {
-    throw new RLSSchemaError(
-      `Policy ${index} for table "${table}" priority must be a number`,
-      { table, index }
-    );
+    throw new RLSSchemaError(`Policy ${index} for table "${table}" priority must be a number`, {
+      table,
+      index
+    });
   }
   if (policy.name !== void 0 && typeof policy.name !== "string") {
-    throw new RLSSchemaError(
-      `Policy ${index} for table "${table}" name must be a string`,
-      { table, index }
-    );
+    throw new RLSSchemaError(`Policy ${index} for table "${table}" name must be a string`, {
+      table,
+      index
+    });
   }
 }
 function mergeRLSSchemas(...schemas) {
@@ -296,10 +276,7 @@ function mergeRLSSchemas(...schemas) {
       const existingConfig = merged[table];
       const newConfig = config;
       if (existingConfig) {
-        existingConfig.policies = [
-          ...existingConfig.policies,
-          ...newConfig.policies
-        ];
+        existingConfig.policies = [...existingConfig.policies, ...newConfig.policies];
         if (newConfig.skipFor) {
           const existingSkipFor = existingConfig.skipFor ?? [];
           const combinedSkipFor = [...existingSkipFor, ...newConfig.skipFor];
@@ -695,7 +672,7 @@ var RLSContextManager = class {
    * Run an async function within an RLS context
    */
   async runAsync(context, fn) {
-    return rlsStorage.run(context, fn);
+    return await rlsStorage.run(context, fn);
   }
   /**
    * Get current RLS context
@@ -788,7 +765,7 @@ var RLSContextManager = class {
       ...currentCtx,
       auth: { ...currentCtx.auth, isSystem: true }
     };
-    return this.runAsync(systemCtx, fn);
+    return await this.runAsync(systemCtx, fn);
   }
 };
 var rlsContext = new RLSContextManager();
@@ -796,7 +773,32 @@ function withRLSContext(context, fn) {
   return rlsContext.run(context, fn);
 }
 async function withRLSContextAsync(context, fn) {
-  return rlsContext.runAsync(context, fn);
+  return await rlsContext.runAsync(context, fn);
+}
+function createQualifiedColumn(table, column) {
+  return `${table}.${column}`;
+}
+function applyWhereCondition(qb, column, operator, value) {
+  return qb.where(column, operator, value);
+}
+function createRawCondition(expression) {
+  return sql`${sql.raw(expression)}`;
+}
+function selectFromDynamicTable(db, table) {
+  return db.selectFrom(table).selectAll();
+}
+function whereIdEquals(qb, id, primaryKeyColumn = "id") {
+  return qb.where(primaryKeyColumn, "=", id);
+}
+function transformQueryBuilder(qb, operation, transform) {
+  if (operation !== "select") {
+    return qb;
+  }
+  const transformed = transform(qb);
+  return transformed;
+}
+function hasRawDb(executor) {
+  return "__rawDb" in executor && executor.__rawDb !== void 0;
 }
 
 // src/transformer/select.ts
@@ -822,7 +824,12 @@ var SelectTransformer = class {
   transform(qb, table) {
     const ctx = rlsContext.getContextOrNull();
     if (!ctx) {
-      return qb;
+      return applyWhereCondition(
+        qb,
+        createRawCondition("FALSE"),
+        "=",
+        true
+      );
     }
     if (ctx.auth.isSystem) {
       return qb;
@@ -867,18 +874,14 @@ var SelectTransformer = class {
   /**
    * Apply filter conditions to query builder
    *
-   * NOTE ON TYPE CASTS:
-   * The `as any` casts in this method are intentional architectural boundaries.
-   * Kysely's type system is designed for static query building where column names
-   * are known at compile time. RLS policies work with dynamic column names at runtime.
+   * Uses type-safe wrappers from utils/type-utils.ts to encapsulate the boundary
+   * between runtime policy conditions and Kysely's compile-time type system.
    *
    * Type safety is maintained through:
    * 1. Policy conditions are validated during schema registration
    * 2. Column names come from policy definitions (developer-controlled)
    * 3. Values are type-checked by the policy condition functions
    *
-   * This is the same pattern used in @kysera/repository/table-operations.ts
-   *
    * @param qb - Query builder to modify
    * @param conditions - WHERE clause conditions
    * @param table - Table name (for qualified column names)
@@ -887,19 +890,24 @@ var SelectTransformer = class {
   applyConditions(qb, conditions, table) {
     let result = qb;
     for (const [column, value] of Object.entries(conditions)) {
-      const qualifiedColumn = `${table}.${column}`;
+      const qualifiedColumn = createQualifiedColumn(table, column);
       if (value === null) {
-        result = result.where(qualifiedColumn, "is", null);
+        result = applyWhereCondition(result, qualifiedColumn, "is", null);
       } else if (value === void 0) {
         continue;
       } else if (Array.isArray(value)) {
         if (value.length === 0) {
-          result = result.where(sql`FALSE`);
+          result = applyWhereCondition(
+            result,
+            createRawCondition("FALSE"),
+            "=",
+            true
+          );
         } else {
-          result = result.where(qualifiedColumn, "in", value);
+          result = applyWhereCondition(result, qualifiedColumn, "in", value);
         }
       } else {
-        result = result.where(qualifiedColumn, "=", value);
+        result = applyWhereCondition(result, qualifiedColumn, "=", value);
       }
     }
     return result;
@@ -907,6 +915,7 @@ var SelectTransformer = class {
 };
 
 // src/transformer/mutation.ts
+var DEFAULT_CHUNK_SIZE = 100;
 var MutationGuard = class {
   constructor(registry) {
     this.registry = registry;
@@ -1060,11 +1069,7 @@ var MutationGuard = class {
   async checkMutation(table, operation, row, data) {
     const ctx = rlsContext.getContextOrNull();
     if (!ctx) {
-      throw new RLSPolicyViolation(
-        operation,
-        table,
-        "No RLS context available"
-      );
+      throw new RLSPolicyViolation(operation, table, "No RLS context available");
     }
     if (ctx.auth.isSystem) {
       return;
@@ -1078,11 +1083,7 @@ var MutationGuard = class {
       const evalCtx = this.createEvalContext(ctx, table, operation, row, data);
       const result = await this.evaluatePolicy(deny2.evaluate, evalCtx, deny2.name);
       if (result) {
-        throw new RLSPolicyViolation(
-          operation,
-          table,
-          `Denied by policy: ${deny2.name}`
-        );
+        throw new RLSPolicyViolation(operation, table, `Denied by policy: ${deny2.name}`);
       }
     }
     if ((operation === "create" || operation === "update") && data) {
@@ -1091,22 +1092,14 @@ var MutationGuard = class {
         const evalCtx = this.createEvalContext(ctx, table, operation, row, data);
         const result = await this.evaluatePolicy(validate2.evaluate, evalCtx, validate2.name);
         if (!result) {
-          throw new RLSPolicyViolation(
-            operation,
-            table,
-            `Validation failed: ${validate2.name}`
-          );
+          throw new RLSPolicyViolation(operation, table, `Validation failed: ${validate2.name}`);
         }
       }
     }
     const allows = this.registry.getAllows(table, operation);
     const defaultDeny = this.registry.hasDefaultDeny(table);
     if (defaultDeny && allows.length === 0) {
-      throw new RLSPolicyViolation(
-        operation,
-        table,
-        "No allow policies defined (default deny)"
-      );
+      throw new RLSPolicyViolation(operation, table, "No allow policies defined (default deny)");
     }
     if (allows.length > 0) {
       let allowed = false;
@@ -1119,11 +1112,7 @@ var MutationGuard = class {
         }
       }
       if (!allowed) {
-        throw new RLSPolicyViolation(
-          operation,
-          table,
-          "No allow policies matched"
-        );
+        throw new RLSPolicyViolation(operation, table, "No allow policies matched");
       }
     }
   }
@@ -1165,11 +1154,12 @@ var MutationGuard = class {
     }
   }
   /**
-   * Filter an array of rows, keeping only accessible ones
-   * Useful for post-query filtering when query-level filtering is not possible
+   * Filter rows based on read policies.
+   * Uses parallel processing with chunking for performance.
    *
    * @param table - Table name
-   * @param rows - Array of rows to filter
+   * @param rows - Rows to filter
+   * @param chunkSize - Number of rows to process in parallel (default: 100)
    * @returns Filtered array containing only accessible rows
    *
    * @example
@@ -1177,34 +1167,63 @@ var MutationGuard = class {
    * const guard = new MutationGuard(registry);
    * const allPosts = await db.selectFrom('posts').selectAll().execute();
    * const accessiblePosts = await guard.filterRows('posts', allPosts);
+   *
+   * // With custom chunk size for large datasets
+   * const accessiblePosts = await guard.filterRows('posts', allPosts, 50);
    * ```
    */
-  async filterRows(table, rows) {
+  async filterRows(table, rows, chunkSize = DEFAULT_CHUNK_SIZE) {
+    if (rows.length === 0) return [];
     const results = [];
-    for (const row of rows) {
-      if (await this.checkRead(table, row)) {
-        results.push(row);
+    for (let i = 0; i < rows.length; i += chunkSize) {
+      const chunk = rows.slice(i, i + chunkSize);
+      const chunkResults = await Promise.all(
+        chunk.map(async (row) => {
+          const allowed = await this.checkRead(table, row);
+          return allowed ? row : null;
+        })
+      );
+      for (const row of chunkResults) {
+        if (row !== null) {
+          results.push(row);
+        }
       }
     }
     return results;
   }
 };
+
+// src/version.ts
+var RAW_VERSION = "__VERSION__";
+var VERSION = RAW_VERSION.startsWith("__") ? "0.0.0-dev" : RAW_VERSION;
+var RLSPluginOptionsSchema = z.object({
+  excludeTables: z.array(z.string()).optional(),
+  bypassRoles: z.array(z.string()).optional(),
+  requireContext: z.boolean().optional(),
+  allowUnfilteredQueries: z.boolean().optional(),
+  auditDecisions: z.boolean().optional(),
+  primaryKeyColumn: z.string().optional()
+});
 function rlsPlugin(options) {
   const {
     schema,
-    skipTables = [],
+    excludeTables = [],
     bypassRoles = [],
     logger = silentLogger,
-    requireContext = false,
+    requireContext = true,
+    // SECURITY: Changed to true for secure-by-default (CRIT-2 fix)
+    allowUnfilteredQueries = false,
+    // SECURITY: Explicit opt-in for unfiltered queries
     auditDecisions = false,
-    onViolation
+    onViolation,
+    primaryKeyColumn = "id"
   } = options;
   let registry;
   let selectTransformer;
   let mutationGuard;
   return {
     name: "@kysera/rls",
-    version: "0.7.0",
+    version: VERSION,
     // Run after soft-delete (priority 0), before audit
     priority: 50,
     // No dependencies by default
@@ -1212,10 +1231,10 @@ function rlsPlugin(options) {
     /**
      * Initialize plugin - compile policies
      */
-    async onInit(_executor) {
+    onInit(_executor) {
       logger.info?.("[RLS] Initializing RLS plugin", {
         tables: Object.keys(schema).length,
-        skipTables: skipTables.length,
+        excludeTables: excludeTables.length,
         bypassRoles: bypassRoles.length
       });
       registry = new PolicyRegistry(schema);
@@ -1224,6 +1243,13 @@ function rlsPlugin(options) {
       mutationGuard = new MutationGuard(registry);
       logger.info?.("[RLS] RLS plugin initialized successfully");
     },
+    /**
+     * Cleanup resources when executor is destroyed
+     */
+    async onDestroy() {
+      registry.clear();
+      logger.info?.("[RLS] RLS plugin destroyed, cleared policy registry");
+    },
     /**
      * Intercept queries to apply RLS filtering
      *
@@ -1233,7 +1259,7 @@ function rlsPlugin(options) {
      */
     interceptQuery(qb, context) {
       const { operation, table, metadata } = context;
-      if (skipTables.includes(table)) {
+      if (excludeTables.includes(table)) {
         logger.debug?.(`[RLS] Skipping RLS for excluded table: ${table}`);
         return qb;
       }
@@ -1244,9 +1270,29 @@ function rlsPlugin(options) {
       const ctx = rlsContext.getContextOrNull();
       if (!ctx) {
         if (requireContext) {
-          throw new RLSContextError("RLS context required but not found");
+          throw new RLSContextError(
+            `RLS context required but not found for ${operation} on ${table}. This prevents unfiltered database access. Either provide RLS context or set 'requireContext: false' with 'allowUnfilteredQueries: true' if intentional.`
+          );
+        }
+        if (!allowUnfilteredQueries) {
+          logger.warn?.(
+            `[RLS] Missing context for ${operation} on ${table}. Queries will return empty results for security. Set 'allowUnfilteredQueries: true' to allow unfiltered access (not recommended).`
+          );
+          if (operation === "select") {
+            return transformQueryBuilder(qb, operation, (selectQb) => {
+              return applyWhereCondition(
+                selectQb,
+                createRawCondition("FALSE"),
+                "=",
+                true
+              );
+            });
+          }
+          return qb;
         }
-        logger.warn?.(`[RLS] No context for ${operation} on ${table}`);
+        logger.warn?.(
+          `[RLS] No context for ${operation} on ${table}. Allowing unfiltered query due to 'allowUnfilteredQueries: true'. This may expose sensitive data.`
+        );
         return qb;
       }
       if (ctx.auth.isSystem) {
@@ -1259,7 +1305,12 @@ function rlsPlugin(options) {
       }
       if (operation === "select") {
         try {
-          const transformed = selectTransformer.transform(qb, table);
+          const transformed = transformQueryBuilder(
+            qb,
+            operation,
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            (selectQb) => selectTransformer.transform(selectQb, table)
+          );
           if (auditDecisions) {
             logger.info?.("[RLS] Filter applied", {
               table,
@@ -1286,12 +1337,13 @@ function rlsPlugin(options) {
      * Also adds utility methods for bypassing RLS and checking access.
      */
     extendRepository(repo) {
-      const baseRepo = repo;
-      if (!("tableName" in baseRepo) || !("executor" in baseRepo)) {
+      if (!isRepositoryLike(repo)) {
         return repo;
       }
+      const baseRepo = repo;
       const table = baseRepo.tableName;
-      if (skipTables.includes(table)) {
+      if (excludeTables.includes(table)) {
+        logger.debug?.(`[RLS] Skipping repository extension for excluded table: ${table}`);
         return repo;
       }
       if (!registry.hasTable(table)) {
@@ -1304,7 +1356,7 @@ function rlsPlugin(options) {
       const originalDelete = baseRepo.delete?.bind(baseRepo);
       const originalFindById = baseRepo.findById?.bind(baseRepo);
       const rawDb = getRawDb(baseRepo.executor);
-      const hasRawDb = baseRepo.executor.__rawDb !== void 0;
+      const hasRawDbInstance = hasRawDb(baseRepo.executor);
       const extendedRepo = {
         ...baseRepo,
         /**
@@ -1312,7 +1364,10 @@ function rlsPlugin(options) {
          */
         async create(data) {
           if (!originalCreate) {
-            throw new RLSError("Repository does not support create operation", RLSErrorCodes.RLS_POLICY_INVALID);
+            throw new RLSError(
+              "Repository does not support create operation",
+              RLSErrorCodes.RLS_POLICY_INVALID
+            );
           }
           const ctx = rlsContext.getContextOrNull();
           if (ctx && !ctx.auth.isSystem && !bypassRoles.some((role) => ctx.auth.roles.includes(role))) {
@@ -1335,27 +1390,34 @@ function rlsPlugin(options) {
               throw error;
             }
           }
-          return originalCreate(data);
+          return await originalCreate(data);
         },
         /**
          * Wrapped update with RLS check
          */
         async update(id, data) {
           if (!originalUpdate) {
-            throw new RLSError("Repository does not support update operation", RLSErrorCodes.RLS_POLICY_INVALID);
+            throw new RLSError(
+              "Repository does not support update operation",
+              RLSErrorCodes.RLS_POLICY_INVALID
+            );
           }
           const ctx = rlsContext.getContextOrNull();
           if (ctx && !ctx.auth.isSystem && !bypassRoles.some((role) => ctx.auth.roles.includes(role))) {
             let existingRow;
-            if (hasRawDb) {
-              existingRow = await rawDb.selectFrom(table).selectAll().where("id", "=", id).executeTakeFirst();
+            if (hasRawDbInstance) {
+              const query = selectFromDynamicTable(rawDb, table);
+              existingRow = await whereIdEquals(query, id, primaryKeyColumn).executeTakeFirst();
             } else if (originalFindById) {
               existingRow = await originalFindById(id);
             } else {
-              throw new RLSError("Repository does not support update operation", RLSErrorCodes.RLS_POLICY_INVALID);
+              throw new RLSError(
+                "Repository does not support update operation",
+                RLSErrorCodes.RLS_POLICY_INVALID
+              );
             }
             if (!existingRow) {
-              return originalUpdate(id, data);
+              return await originalUpdate(id, data);
             }
             try {
               await mutationGuard.checkUpdate(
@@ -1381,27 +1443,34 @@ function rlsPlugin(options) {
               throw error;
             }
           }
-          return originalUpdate(id, data);
+          return await originalUpdate(id, data);
         },
         /**
          * Wrapped delete with RLS check
          */
         async delete(id) {
           if (!originalDelete) {
-            throw new RLSError("Repository does not support delete operation", RLSErrorCodes.RLS_POLICY_INVALID);
+            throw new RLSError(
+              "Repository does not support delete operation",
+              RLSErrorCodes.RLS_POLICY_INVALID
+            );
           }
           const ctx = rlsContext.getContextOrNull();
           if (ctx && !ctx.auth.isSystem && !bypassRoles.some((role) => ctx.auth.roles.includes(role))) {
             let existingRow;
-            if (hasRawDb) {
-              existingRow = await rawDb.selectFrom(table).selectAll().where("id", "=", id).executeTakeFirst();
+            if (hasRawDbInstance) {
+              const query = selectFromDynamicTable(rawDb, table);
+              existingRow = await whereIdEquals(query, id, primaryKeyColumn).executeTakeFirst();
             } else if (originalFindById) {
               existingRow = await originalFindById(id);
             } else {
-              throw new RLSError("Repository does not support delete operation", RLSErrorCodes.RLS_POLICY_INVALID);
+              throw new RLSError(
+                "Repository does not support delete operation",
+                RLSErrorCodes.RLS_POLICY_INVALID
+              );
             }
             if (!existingRow) {
-              return originalDelete(id);
+              return await originalDelete(id);
             }
             try {
               await mutationGuard.checkDelete(table, existingRow);
@@ -1423,7 +1492,7 @@ function rlsPlugin(options) {
               throw error;
             }
           }
-          return originalDelete(id);
+          return await originalDelete(id);
         },
         /**
          * Bypass RLS for specific operation
@@ -1438,7 +1507,7 @@ function rlsPlugin(options) {
          * ```
          */
         async withoutRLS(fn) {
-          return rlsContext.asSystemAsync(fn);
+          return await rlsContext.asSystemAsync(fn);
         },
         /**
          * Check if current user can perform operation on a row
@@ -1508,7 +1577,18 @@ function createEvaluationContext(rlsCtx, options) {
   return ctx;
 }
 function isAsyncFunction(fn) {
-  return fn instanceof Function && fn.constructor.name === "AsyncFunction";
+  if (!(fn instanceof Function)) {
+    return false;
+  }
+  if (fn.constructor.name === "AsyncFunction") {
+    return true;
+  }
+  try {
+    const result = fn();
+    return result instanceof Promise;
+  } catch {
+    return false;
+  }
 }
 async function safeEvaluate(fn, defaultValue) {
   try {
@@ -1517,7 +1597,7 @@ async function safeEvaluate(fn, defaultValue) {
       return await result;
     }
     return result;
-  } catch (error) {
+  } catch (_error) {
     return defaultValue;
   }
 }
@@ -1559,6 +1639,6 @@ function normalizeOperations(operation) {
   return [operation];
 }
 
-export { PolicyRegistry, RLSContextError, RLSContextValidationError, RLSError, RLSErrorCodes, RLSPolicyEvaluationError, RLSPolicyViolation, RLSSchemaError, allow, createEvaluationContext, createRLSContext, deepMerge, defineRLSSchema, deny, filter, hashString, isAsyncFunction, mergeRLSSchemas, normalizeOperations, rlsContext, rlsPlugin, safeEvaluate, validate, withRLSContext, withRLSContextAsync };
+export { PolicyRegistry, RLSContextError, RLSContextValidationError, RLSError, RLSErrorCodes, RLSPluginOptionsSchema, RLSPolicyEvaluationError, RLSPolicyViolation, RLSSchemaError, allow, createEvaluationContext, createRLSContext, deepMerge, defineRLSSchema, deny, filter, hashString, isAsyncFunction, mergeRLSSchemas, normalizeOperations, rlsContext, rlsPlugin, safeEvaluate, validate, withRLSContext, withRLSContextAsync };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map