npm - @kysera/rls - Versions diffs - 0.8.1 → 0.8.3 - Mend

@kysera/rls 0.8.1 → 0.8.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/README.md +819 -3
package/dist/index.d.ts +2841 -11
package/dist/index.js +2451 -1
package/dist/index.js.map +1 -1
package/dist/native/index.d.ts +1 -1
package/dist/{types-Dowjd6zG.d.ts → types-CyqksFKU.d.ts} +72 -1
package/package.json +11 -6
package/src/audit/index.ts +25 -0
package/src/audit/logger.ts +465 -0
package/src/audit/types.ts +625 -0
package/src/composition/builder.ts +556 -0
package/src/composition/index.ts +43 -0
package/src/composition/types.ts +415 -0
package/src/field-access/index.ts +38 -0
package/src/field-access/processor.ts +442 -0
package/src/field-access/registry.ts +259 -0
package/src/field-access/types.ts +453 -0
package/src/index.ts +180 -2
package/src/policy/builder.ts +187 -10
package/src/policy/types.ts +84 -0
package/src/rebac/index.ts +30 -0
package/src/rebac/registry.ts +303 -0
package/src/rebac/transformer.ts +391 -0
package/src/rebac/types.ts +412 -0
package/src/resolvers/index.ts +30 -0
package/src/resolvers/manager.ts +507 -0
package/src/resolvers/types.ts +447 -0
package/src/testing/index.ts +554 -0

package/dist/index.js CHANGED Viewed

@@ -312,6 +312,9 @@ function allow(operation, condition, options) {
   if (options?.hints !== void 0) {
     policy.hints = options.hints;
   }
+  if (options?.condition !== void 0) {
+    policy.activationCondition = options.condition;
+  }
   return policy;
 }
 function deny(operation, condition, options) {
@@ -328,6 +331,9 @@ function deny(operation, condition, options) {
   if (options?.hints !== void 0) {
     policy.hints = options.hints;
   }
+  if (options?.condition !== void 0) {
+    policy.activationCondition = options.condition;
+  }
   return policy;
 }
 function filter(operation, condition, options) {
@@ -343,6 +349,9 @@ function filter(operation, condition, options) {
   if (options?.hints !== void 0) {
     policy.hints = options.hints;
   }
+  if (options?.condition !== void 0) {
+    policy.activationCondition = options.condition;
+  }
   return policy;
 }
 function validate(operation, condition, options) {
@@ -359,6 +368,57 @@ function validate(operation, condition, options) {
   if (options?.hints !== void 0) {
     policy.hints = options.hints;
   }
+  if (options?.condition !== void 0) {
+    policy.activationCondition = options.condition;
+  }
+  return policy;
+}
+function whenEnvironment(environments, policyFn) {
+  const policy = policyFn();
+  const existingCondition = policy.activationCondition;
+  policy.activationCondition = (ctx) => {
+    const envMatch = environments.includes(ctx.environment ?? "");
+    if (!envMatch) return false;
+    return existingCondition ? existingCondition(ctx) : true;
+  };
+  return policy;
+}
+function whenFeature(feature, policyFn) {
+  const policy = policyFn();
+  const existingCondition = policy.activationCondition;
+  policy.activationCondition = (ctx) => {
+    let featureEnabled = false;
+    if (Array.isArray(ctx.features)) {
+      featureEnabled = ctx.features.includes(feature);
+    } else if (ctx.features && typeof ctx.features === "object" && "has" in ctx.features) {
+      featureEnabled = ctx.features.has(feature);
+    } else if (ctx.features && typeof ctx.features === "object") {
+      featureEnabled = !!ctx.features[feature];
+    }
+    if (!featureEnabled) return false;
+    return existingCondition ? existingCondition(ctx) : true;
+  };
+  return policy;
+}
+function whenTimeRange(startHour, endHour, policyFn) {
+  const policy = policyFn();
+  const existingCondition = policy.activationCondition;
+  policy.activationCondition = (ctx) => {
+    const hour = (ctx.timestamp ?? /* @__PURE__ */ new Date()).getHours();
+    let inRange;
+    if (startHour > endHour) {
+      inRange = hour >= startHour || hour < endHour;
+    } else {
+      inRange = hour >= startHour && hour < endHour;
+    }
+    if (!inRange) return false;
+    return existingCondition ? existingCondition(ctx) : true;
+  };
+  return policy;
+}
+function whenCondition(condition, policyFn) {
+  const policy = policyFn();
+  policy.activationCondition = condition;
   return policy;
 }
 var PolicyRegistry = class {
@@ -1640,6 +1700,2396 @@ function normalizeOperations(operation) {
   return [operation];
 }
-export { PolicyRegistry, RLSContextError, RLSContextValidationError, RLSError, RLSErrorCodes, RLSPluginOptionsSchema, RLSPolicyEvaluationError, RLSPolicyViolation, RLSSchemaError, allow, createEvaluationContext, createRLSContext, deepMerge, defineRLSSchema, deny, filter, hashString, isAsyncFunction, mergeRLSSchemas, normalizeOperations, rlsContext, rlsPlugin, safeEvaluate, validate, withRLSContext, withRLSContextAsync };
+// src/resolvers/types.ts
+var InMemoryCacheProvider = class {
+  cache = /* @__PURE__ */ new Map();
+  get(key) {
+    const entry = this.cache.get(key);
+    if (!entry) return Promise.resolve(null);
+    if (Date.now() > entry.expiresAt) {
+      this.cache.delete(key);
+      return Promise.resolve(null);
+    }
+    return Promise.resolve(entry.value);
+  }
+  set(key, value, ttlSeconds) {
+    this.cache.set(key, {
+      value,
+      expiresAt: Date.now() + ttlSeconds * 1e3
+    });
+    return Promise.resolve();
+  }
+  delete(key) {
+    this.cache.delete(key);
+    return Promise.resolve();
+  }
+  deletePattern(pattern) {
+    const prefix = pattern.endsWith("*") ? pattern.slice(0, -1) : pattern;
+    for (const key of this.cache.keys()) {
+      if (key.startsWith(prefix)) {
+        this.cache.delete(key);
+      }
+    }
+    return Promise.resolve();
+  }
+  /**
+   * Clear all cached entries
+   */
+  clear() {
+    this.cache.clear();
+  }
+  /**
+   * Get current cache size
+   */
+  get size() {
+    return this.cache.size;
+  }
+};
+// src/resolvers/manager.ts
+var ResolverManager = class {
+  resolvers = /* @__PURE__ */ new Map();
+  cacheProvider;
+  defaultCacheTtl;
+  parallelResolution;
+  resolverTimeout;
+  logger;
+  constructor(options = {}) {
+    this.cacheProvider = options.cacheProvider ?? new InMemoryCacheProvider();
+    this.defaultCacheTtl = options.defaultCacheTtl ?? 300;
+    this.parallelResolution = options.parallelResolution ?? true;
+    this.resolverTimeout = options.resolverTimeout ?? 5e3;
+    this.logger = options.logger;
+  }
+  /**
+   * Register a context resolver
+   *
+   * @param resolver - Resolver to register
+   * @throws RLSError if resolver with same name already exists
+   */
+  register(resolver) {
+    if (this.resolvers.has(resolver.name)) {
+      throw new RLSError(
+        `Resolver "${resolver.name}" is already registered`,
+        RLSErrorCodes.RLS_SCHEMA_INVALID
+      );
+    }
+    if (resolver.dependsOn) {
+      for (const dep of resolver.dependsOn) {
+        if (dep === resolver.name) {
+          throw new RLSError(
+            `Resolver "${resolver.name}" cannot depend on itself`,
+            RLSErrorCodes.RLS_SCHEMA_INVALID
+          );
+        }
+      }
+    }
+    this.resolvers.set(resolver.name, resolver);
+    this.logger?.debug?.(`[ResolverManager] Registered resolver: ${resolver.name}`);
+  }
+  /**
+   * Unregister a context resolver
+   *
+   * @param name - Name of resolver to unregister
+   * @returns true if resolver was removed, false if it didn't exist
+   */
+  unregister(name) {
+    const removed = this.resolvers.delete(name);
+    if (removed) {
+      this.logger?.debug?.(`[ResolverManager] Unregistered resolver: ${name}`);
+    }
+    return removed;
+  }
+  /**
+   * Check if a resolver is registered
+   *
+   * @param name - Resolver name
+   */
+  hasResolver(name) {
+    return this.resolvers.has(name);
+  }
+  /**
+   * Get all registered resolver names
+   */
+  getResolverNames() {
+    return Array.from(this.resolvers.keys());
+  }
+  /**
+   * Resolve context data using all registered resolvers
+   *
+   * @param baseContext - Base context to resolve
+   * @returns Enhanced context with resolved data
+   *
+   * @example
+   * ```typescript
+   * const baseCtx = {
+   *   auth: { userId: '123', roles: ['user'], tenantId: 'acme' },
+   *   timestamp: new Date()
+   * };
+   *
+   * const enhancedCtx = await manager.resolve(baseCtx);
+   * // enhancedCtx.auth.resolved contains all resolved data
+   * ```
+   */
+  async resolve(baseContext) {
+    const startTime = Date.now();
+    const resolverOrder = this.getResolverOrder();
+    this.logger?.debug?.(`[ResolverManager] Starting resolution for user ${baseContext.auth.userId}`, {
+      resolverCount: resolverOrder.length,
+      resolvers: resolverOrder.map((r) => r.name)
+    });
+    const results = /* @__PURE__ */ new Map();
+    if (this.parallelResolution) {
+      await this.resolveParallel(baseContext, resolverOrder, results);
+    } else {
+      await this.resolveSequential(baseContext, resolverOrder, results);
+    }
+    const mergedResolved = this.mergeResolvedData(results);
+    const enhancedContext = {
+      auth: {
+        ...baseContext.auth,
+        resolved: mergedResolved
+      },
+      timestamp: baseContext.timestamp
+    };
+    if (baseContext.meta !== void 0) {
+      enhancedContext.meta = baseContext.meta;
+    }
+    const duration = Date.now() - startTime;
+    this.logger?.info?.(`[ResolverManager] Resolution completed`, {
+      userId: baseContext.auth.userId,
+      durationMs: duration,
+      resolverCount: results.size
+    });
+    return enhancedContext;
+  }
+  /**
+   * Resolve a single resolver (useful for partial updates)
+   *
+   * @param name - Resolver name
+   * @param baseContext - Base context
+   * @returns Resolved data from the specific resolver
+   */
+  async resolveOne(name, baseContext) {
+    const resolver = this.resolvers.get(name);
+    if (!resolver) {
+      this.logger?.warn?.(`[ResolverManager] Resolver not found: ${name}`);
+      return null;
+    }
+    return await this.resolveWithCache(resolver, baseContext);
+  }
+  /**
+   * Invalidate cached data for a user
+   *
+   * @param userId - User ID whose cache should be invalidated
+   * @param resolverName - Optional specific resolver to invalidate
+   */
+  async invalidateCache(userId, resolverName) {
+    if (resolverName) {
+      const resolver = this.resolvers.get(resolverName);
+      if (resolver?.cacheKey) {
+        const key = resolver.cacheKey({ auth: { userId, roles: [] }, timestamp: /* @__PURE__ */ new Date() });
+        if (key) {
+          await this.cacheProvider.delete(key);
+          this.logger?.debug?.(`[ResolverManager] Invalidated cache for ${resolverName}: ${key}`);
+        }
+      }
+    } else {
+      const pattern = `rls:*:${userId}:*`;
+      if (this.cacheProvider.deletePattern) {
+        await this.cacheProvider.deletePattern(pattern);
+      }
+      this.logger?.debug?.(`[ResolverManager] Invalidated all cache for user ${userId}`);
+    }
+  }
+  /**
+   * Clear all cached data
+   */
+  async clearCache() {
+    if (this.cacheProvider instanceof InMemoryCacheProvider) {
+      this.cacheProvider.clear();
+    } else if (this.cacheProvider.deletePattern) {
+      await this.cacheProvider.deletePattern("rls:*");
+    }
+    this.logger?.info?.("[ResolverManager] Cleared all cache");
+  }
+  // ============================================================================
+  // Private Methods
+  // ============================================================================
+  /**
+   * Get resolvers in dependency order (topological sort)
+   */
+  getResolverOrder() {
+    const ordered = [];
+    const visited = /* @__PURE__ */ new Set();
+    const visiting = /* @__PURE__ */ new Set();
+    const visit = (name) => {
+      if (visited.has(name)) return;
+      if (visiting.has(name)) {
+        throw new RLSError(
+          `Circular dependency detected in resolvers involving "${name}"`,
+          RLSErrorCodes.RLS_SCHEMA_INVALID
+        );
+      }
+      const resolver = this.resolvers.get(name);
+      if (!resolver) return;
+      visiting.add(name);
+      if (resolver.dependsOn) {
+        for (const dep of resolver.dependsOn) {
+          visit(dep);
+        }
+      }
+      visiting.delete(name);
+      visited.add(name);
+      ordered.push(resolver);
+    };
+    for (const name of this.resolvers.keys()) {
+      visit(name);
+    }
+    return ordered.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+  }
+  /**
+   * Resolve resolvers sequentially
+   */
+  async resolveSequential(baseContext, resolvers, results) {
+    for (const resolver of resolvers) {
+      const data = await this.resolveWithCache(resolver, baseContext);
+      if (data) {
+        results.set(resolver.name, data);
+      }
+    }
+  }
+  /**
+   * Resolve resolvers in parallel (respecting dependencies)
+   */
+  async resolveParallel(baseContext, resolvers, results) {
+    const levels = [];
+    const assigned = /* @__PURE__ */ new Set();
+    const getLevel = (resolver) => {
+      if (!resolver.dependsOn || resolver.dependsOn.length === 0) {
+        return 0;
+      }
+      let maxDepLevel = 0;
+      for (const dep of resolver.dependsOn) {
+        const depResolver = this.resolvers.get(dep);
+        if (depResolver) {
+          maxDepLevel = Math.max(maxDepLevel, getLevel(depResolver) + 1);
+        }
+      }
+      return maxDepLevel;
+    };
+    for (const resolver of resolvers) {
+      const level = getLevel(resolver);
+      while (levels.length <= level) {
+        levels.push([]);
+      }
+      levels[level].push(resolver);
+      assigned.add(resolver.name);
+    }
+    for (const level of levels) {
+      await Promise.all(
+        level.map(async (resolver) => {
+          const data = await this.resolveWithCache(resolver, baseContext);
+          if (data) {
+            results.set(resolver.name, data);
+          }
+        })
+      );
+    }
+  }
+  /**
+   * Resolve a single resolver with caching
+   */
+  async resolveWithCache(resolver, baseContext) {
+    const startTime = Date.now();
+    try {
+      if (resolver.cacheKey) {
+        const cacheKey = resolver.cacheKey(baseContext);
+        if (cacheKey) {
+          const cached = await this.cacheProvider.get(cacheKey);
+          if (cached) {
+            this.logger?.debug?.(`[ResolverManager] Cache hit for ${resolver.name}`, { cacheKey });
+            return cached;
+          }
+        }
+      }
+      const data = await this.withTimeout(
+        resolver.resolve(baseContext),
+        this.resolverTimeout,
+        `Resolver "${resolver.name}" timed out after ${this.resolverTimeout}ms`
+      );
+      if (resolver.cacheKey) {
+        const cacheKey = resolver.cacheKey(baseContext);
+        if (cacheKey) {
+          const ttl = resolver.cacheTtl ?? this.defaultCacheTtl;
+          await this.cacheProvider.set(cacheKey, data, ttl);
+          this.logger?.debug?.(`[ResolverManager] Cached ${resolver.name}`, { cacheKey, ttl });
+        }
+      }
+      const duration = Date.now() - startTime;
+      this.logger?.debug?.(`[ResolverManager] Resolved ${resolver.name}`, { durationMs: duration });
+      return data;
+    } catch (error) {
+      const duration = Date.now() - startTime;
+      this.logger?.error?.(`[ResolverManager] Failed to resolve ${resolver.name}`, {
+        error: error instanceof Error ? error.message : String(error),
+        durationMs: duration
+      });
+      if (resolver.required !== false) {
+        throw new RLSError(
+          `Required resolver "${resolver.name}" failed: ${error instanceof Error ? error.message : String(error)}`,
+          RLSErrorCodes.RLS_POLICY_EVALUATION_ERROR
+        );
+      }
+      return null;
+    }
+  }
+  /**
+   * Execute a promise with timeout
+   */
+  async withTimeout(promise, timeoutMs, message) {
+    return await Promise.race([
+      promise,
+      new Promise((_, reject) => setTimeout(() => {
+        reject(new Error(message));
+      }, timeoutMs))
+    ]);
+  }
+  /**
+   * Merge resolved data from multiple resolvers
+   */
+  mergeResolvedData(results) {
+    const merged = {
+      resolvedAt: /* @__PURE__ */ new Date()
+    };
+    for (const [name, data] of results) {
+      merged[name] = data;
+      for (const [key, value] of Object.entries(data)) {
+        if (key !== "resolvedAt" && key !== "cacheKey") {
+          if (merged[key] === void 0) {
+            merged[key] = value;
+          }
+        }
+      }
+    }
+    return merged;
+  }
+};
+function createResolverManager(options) {
+  return new ResolverManager(options);
+}
+function createResolver(config) {
+  return {
+    required: true,
+    priority: 0,
+    ...config
+  };
+}
+// src/rebac/types.ts
+function orgMembershipPath(resourceTable, organizationColumn = "organization_id") {
+  return {
+    name: `${resourceTable}_org_membership`,
+    description: `Access ${resourceTable} through organization membership`,
+    steps: [
+      {
+        from: resourceTable,
+        to: "organizations",
+        fromColumn: organizationColumn,
+        toColumn: "id"
+      },
+      {
+        from: "organizations",
+        to: "employees",
+        fromColumn: "id",
+        toColumn: "organization_id"
+      }
+    ]
+  };
+}
+function shopOrgMembershipPath(resourceTable, shopColumn = "shop_id") {
+  return {
+    name: `${resourceTable}_shop_org_membership`,
+    description: `Access ${resourceTable} through shop's organization membership`,
+    steps: [
+      {
+        from: resourceTable,
+        to: "shops",
+        fromColumn: shopColumn,
+        toColumn: "id"
+      },
+      {
+        from: "shops",
+        to: "organizations",
+        fromColumn: "organization_id",
+        toColumn: "id"
+      },
+      {
+        from: "organizations",
+        to: "employees",
+        fromColumn: "id",
+        toColumn: "organization_id"
+      }
+    ]
+  };
+}
+function teamHierarchyPath(resourceTable, teamColumn = "team_id") {
+  return {
+    name: `${resourceTable}_team_access`,
+    description: `Access ${resourceTable} through team membership`,
+    steps: [
+      {
+        from: resourceTable,
+        to: "teams",
+        fromColumn: teamColumn,
+        toColumn: "id"
+      },
+      {
+        from: "teams",
+        to: "team_members",
+        fromColumn: "id",
+        toColumn: "team_id"
+      }
+    ]
+  };
+}
+var ReBAcRegistry = class {
+  tables = /* @__PURE__ */ new Map();
+  globalRelationships = /* @__PURE__ */ new Map();
+  logger;
+  constructor(schema, options) {
+    this.logger = options?.logger ?? silentLogger;
+    if (schema) {
+      this.loadSchema(schema);
+    }
+  }
+  /**
+   * Load ReBAC schema
+   */
+  loadSchema(schema) {
+    for (const [table, config] of Object.entries(schema)) {
+      if (!config) continue;
+      this.registerTable(table, config);
+    }
+  }
+  /**
+   * Register ReBAC configuration for a single table
+   */
+  registerTable(table, config) {
+    const compiled = {
+      relationships: /* @__PURE__ */ new Map(),
+      policies: []
+    };
+    for (const rel of config.relationships) {
+      const compiledPath = this.compileRelationshipPath(rel, table);
+      compiled.relationships.set(rel.name, compiledPath);
+      this.globalRelationships.set(rel.name, compiledPath);
+    }
+    for (let i = 0; i < config.policies.length; i++) {
+      const policy = config.policies[i];
+      if (!policy) continue;
+      const policyName = policy.name ?? `${table}_rebac_policy_${i}`;
+      const compiledPolicy = this.compilePolicy(policy, policyName, table, compiled.relationships);
+      compiled.policies.push(compiledPolicy);
+    }
+    compiled.policies.sort((a, b) => b.priority - a.priority);
+    this.tables.set(table, compiled);
+    this.logger.info?.(`[ReBAC] Registered table: ${table}`, {
+      relationships: config.relationships.length,
+      policies: config.policies.length
+    });
+  }
+  /**
+   * Register a global relationship path (available to all tables)
+   */
+  registerRelationship(path) {
+    if (!path.steps.length) {
+      throw new RLSSchemaError(`Relationship path "${path.name}" has no steps`, {
+        path: path.name
+      });
+    }
+    const compiled = this.compileRelationshipPath(path, path.steps[0].from);
+    this.globalRelationships.set(path.name, compiled);
+  }
+  /**
+   * Get ReBAC policies for a table and operation
+   */
+  getPolicies(table, operation) {
+    const config = this.tables.get(table);
+    if (!config) return [];
+    return config.policies.filter((p) => p.operations.has(operation) || p.operations.has("all"));
+  }
+  /**
+   * Get a specific relationship path
+   */
+  getRelationship(name, table) {
+    if (table) {
+      const tableConfig = this.tables.get(table);
+      const tablePath = tableConfig?.relationships.get(name);
+      if (tablePath) return tablePath;
+    }
+    return this.globalRelationships.get(name);
+  }
+  /**
+   * Check if table has ReBAC configuration
+   */
+  hasTable(table) {
+    return this.tables.has(table);
+  }
+  /**
+   * Get all registered table names
+   */
+  getTables() {
+    return Array.from(this.tables.keys());
+  }
+  /**
+   * Clear all registrations
+   */
+  clear() {
+    this.tables.clear();
+    this.globalRelationships.clear();
+  }
+  // ============================================================================
+  // Private Methods
+  // ============================================================================
+  /**
+   * Compile a relationship path definition
+   */
+  compileRelationshipPath(path, sourceTable) {
+    if (path.steps.length === 0) {
+      throw new RLSSchemaError(`Relationship path "${path.name}" must have at least one step`, {
+        path: path.name
+      });
+    }
+    const compiledSteps = path.steps.map((step, index) => {
+      if (!step.from || !step.to) {
+        throw new RLSSchemaError(
+          `Relationship step ${index} in "${path.name}" must have 'from' and 'to' tables`,
+          { path: path.name, step: index }
+        );
+      }
+      return {
+        from: step.from,
+        to: step.to,
+        fromColumn: step.fromColumn ?? `${step.to}_id`,
+        toColumn: step.toColumn ?? "id",
+        alias: step.alias ?? step.to,
+        joinType: step.joinType ?? "inner",
+        additionalConditions: step.additionalConditions ?? {}
+      };
+    });
+    for (let i = 1; i < compiledSteps.length; i++) {
+      const prevStep = compiledSteps[i - 1];
+      const currentStep = compiledSteps[i];
+      if (currentStep.from !== prevStep.to && currentStep.from !== prevStep.alias) {
+        throw new RLSSchemaError(
+          `Relationship path "${path.name}" has broken chain at step ${i}: expected '${prevStep.to}' but got '${currentStep.from}'`,
+          { path: path.name, step: i }
+        );
+      }
+    }
+    const lastStep = compiledSteps[compiledSteps.length - 1];
+    return {
+      name: path.name,
+      steps: compiledSteps,
+      sourceTable,
+      targetTable: lastStep.to
+    };
+  }
+  /**
+   * Compile a ReBAC policy definition
+   */
+  compilePolicy(policy, name, table, tableRelationships) {
+    const relationshipPath = tableRelationships.get(policy.relationshipPath) ?? this.globalRelationships.get(policy.relationshipPath);
+    if (!relationshipPath) {
+      throw new RLSSchemaError(
+        `ReBAC policy "${name}" references unknown relationship path "${policy.relationshipPath}"`,
+        { policy: name, table, relationshipPath: policy.relationshipPath }
+      );
+    }
+    const ops = Array.isArray(policy.operation) ? policy.operation : [policy.operation];
+    const expandedOps = ops.flatMap(
+      (op) => op === "all" ? ["read", "create", "update", "delete"] : [op]
+    );
+    const getEndConditions = typeof policy.endCondition === "function" ? policy.endCondition : () => policy.endCondition;
+    return {
+      name,
+      type: policy.policyType ?? "allow",
+      operations: new Set(expandedOps),
+      relationshipPath,
+      getEndConditions,
+      priority: policy.priority ?? 0
+    };
+  }
+};
+function createReBAcRegistry(schema, options) {
+  return new ReBAcRegistry(schema, options);
+}
+var ReBAcTransformer = class {
+  constructor(registry, options = {}) {
+    this.registry = registry;
+    this.options = options;
+    this.options = {
+      qualifyColumns: true,
+      dialect: "postgres",
+      ...options
+    };
+  }
+  /**
+   * Transform a SELECT query by applying ReBAC policies
+   *
+   * @param qb - Query builder to transform
+   * @param table - Table being queried
+   * @param operation - Operation being performed
+   * @returns Transformed query builder
+   */
+  transform(qb, table, operation = "read") {
+    const ctx = rlsContext.getContextOrNull();
+    if (!ctx) {
+      return qb;
+    }
+    if (ctx.auth.isSystem) {
+      return qb;
+    }
+    const policies = this.registry.getPolicies(table, operation);
+    if (policies.length === 0) {
+      return qb;
+    }
+    let result = qb;
+    for (const policy of policies) {
+      result = this.applyPolicy(result, policy, ctx, table);
+    }
+    return result;
+  }
+  /**
+   * Generate EXISTS condition SQL for a policy
+   *
+   * This method can be used to get the raw SQL for debugging or manual query building.
+   *
+   * @param policy - ReBAC policy to generate SQL for
+   * @param ctx - RLS context
+   * @param mainTable - Main query table
+   * @param mainTableAlias - Alias for main table
+   * @returns SQL string and parameters
+   */
+  generateExistsSql(policy, ctx, mainTable, mainTableAlias) {
+    const { relationshipPath } = policy;
+    const evalCtx = this.createEvalContext(ctx, mainTable);
+    const endConditions = policy.getEndConditions(evalCtx);
+    const alias = mainTableAlias ?? mainTable;
+    const params = [];
+    let paramIndex = 1;
+    const steps = relationshipPath.steps;
+    if (steps.length === 0) {
+      return { sql: "TRUE", params: [] };
+    }
+    const firstStep = steps[0];
+    let sql3 = `SELECT 1 FROM ${this.quote(firstStep.to)}`;
+    if (firstStep.alias !== firstStep.to) {
+      sql3 += ` AS ${this.quote(firstStep.alias)}`;
+    }
+    for (let i = 1; i < steps.length; i++) {
+      const step = steps[i];
+      const joinType = step.joinType === "left" ? "LEFT JOIN" : step.joinType === "right" ? "RIGHT JOIN" : "JOIN";
+      sql3 += ` ${joinType} ${this.quote(step.to)}`;
+      if (step.alias !== step.to) {
+        sql3 += ` AS ${this.quote(step.alias)}`;
+      }
+      const prevStep = steps[i - 1];
+      const prevAlias = prevStep.alias;
+      sql3 += ` ON ${this.quote(prevAlias)}.${this.quote(step.fromColumn)} = ${this.quote(step.alias)}.${this.quote(step.toColumn)}`;
+      if (Object.keys(step.additionalConditions).length > 0) {
+        for (const [col, val] of Object.entries(step.additionalConditions)) {
+          if (val === null) {
+            sql3 += ` AND ${this.quote(step.alias)}.${this.quote(col)} IS NULL`;
+          } else {
+            sql3 += ` AND ${this.quote(step.alias)}.${this.quote(col)} = ${this.param(paramIndex++)}`;
+            params.push(val);
+          }
+        }
+      }
+    }
+    sql3 += ` WHERE ${this.quote(firstStep.alias)}.${this.quote(firstStep.toColumn)} = ${this.quote(alias)}.${this.quote(firstStep.fromColumn)}`;
+    if (Object.keys(firstStep.additionalConditions).length > 0) {
+      for (const [col, val] of Object.entries(firstStep.additionalConditions)) {
+        if (val === null) {
+          sql3 += ` AND ${this.quote(firstStep.alias)}.${this.quote(col)} IS NULL`;
+        } else {
+          sql3 += ` AND ${this.quote(firstStep.alias)}.${this.quote(col)} = ${this.param(paramIndex++)}`;
+          params.push(val);
+        }
+      }
+    }
+    const lastStep = steps[steps.length - 1];
+    for (const [col, val] of Object.entries(endConditions)) {
+      if (val === null) {
+        sql3 += ` AND ${this.quote(lastStep.alias)}.${this.quote(col)} IS NULL`;
+      } else if (val === void 0) {
+        continue;
+      } else if (Array.isArray(val)) {
+        if (val.length === 0) {
+          sql3 += ` AND FALSE`;
+        } else {
+          const placeholders = val.map(() => this.param(paramIndex++)).join(", ");
+          sql3 += ` AND ${this.quote(lastStep.alias)}.${this.quote(col)} IN (${placeholders})`;
+          params.push(...val);
+        }
+      } else {
+        sql3 += ` AND ${this.quote(lastStep.alias)}.${this.quote(col)} = ${this.param(paramIndex++)}`;
+        params.push(val);
+      }
+    }
+    const existsExpr = policy.type === "deny" ? `NOT EXISTS (${sql3})` : `EXISTS (${sql3})`;
+    return { sql: existsExpr, params };
+  }
+  // ============================================================================
+  // Private Methods
+  // ============================================================================
+  /**
+   * Apply a single ReBAC policy to a query
+   *
+   * NOTE: Uses type casting for dynamic SQL because Kysely's type system
+   * requires compile-time known types, but ReBAC policies work with
+   * runtime-generated EXISTS clauses.
+   */
+  applyPolicy(qb, policy, ctx, table) {
+    const { sql: existsSql, params } = this.generateExistsSql(policy, ctx, table, this.options.mainTableAlias);
+    const sqlParts = existsSql.split(/\$\d+/);
+    const rawBuilder = sql.join(
+      sqlParts.map((part, i) => {
+        if (i < params.length) {
+          return sql`${sql.raw(part)}${params[i]}`;
+        }
+        return sql.raw(part);
+      })
+    );
+    return qb.where(rawBuilder);
+  }
+  /**
+   * Create evaluation context for policy conditions
+   */
+  createEvalContext(ctx, table) {
+    return {
+      auth: ctx.auth,
+      table,
+      operation: "read",
+      ...ctx.meta !== void 0 && { meta: ctx.meta }
+    };
+  }
+  /**
+   * Quote an identifier for the target dialect
+   */
+  quote(identifier) {
+    switch (this.options.dialect) {
+      case "mysql":
+        return `\`${identifier}\``;
+      case "sqlite":
+        return `"${identifier}"`;
+      case "postgres":
+      default:
+        return `"${identifier}"`;
+    }
+  }
+  /**
+   * Generate parameter placeholder for the target dialect
+   */
+  param(index) {
+    switch (this.options.dialect) {
+      case "mysql":
+      case "sqlite":
+        return "?";
+      case "postgres":
+      default:
+        return `$${index}`;
+    }
+  }
+};
+function allowRelation(operation, relationshipPath, endCondition, options) {
+  const policy = {
+    type: "filter",
+    operation,
+    relationshipPath,
+    endCondition,
+    policyType: "allow"
+  };
+  if (options?.name !== void 0) {
+    policy.name = options.name;
+  }
+  if (options?.priority !== void 0) {
+    policy.priority = options.priority;
+  }
+  return policy;
+}
+function denyRelation(operation, relationshipPath, endCondition, options) {
+  const policy = {
+    type: "filter",
+    operation,
+    relationshipPath,
+    endCondition,
+    policyType: "deny",
+    priority: options?.priority ?? 100
+    // Higher priority for deny
+  };
+  if (options?.name !== void 0) {
+    policy.name = options.name;
+  }
+  return policy;
+}
+function createReBAcTransformer(registry, options) {
+  return new ReBAcTransformer(registry, options);
+}
+// src/field-access/types.ts
+function neverAccessible() {
+  return {
+    read: () => false,
+    write: () => false,
+    omitWhenHidden: true
+  };
+}
+function ownerOnly(ownerField = "id") {
+  return {
+    read: (ctx) => {
+      const rowValue = ctx.row?.[ownerField];
+      return String(ctx.auth.userId) === String(rowValue);
+    },
+    write: (ctx) => {
+      const rowValue = ctx.row?.[ownerField];
+      return String(ctx.auth.userId) === String(rowValue);
+    }
+  };
+}
+function ownerOrRoles(roles, ownerField = "id") {
+  return {
+    read: (ctx) => {
+      const rowValue = ctx.row?.[ownerField];
+      return String(ctx.auth.userId) === String(rowValue) || roles.some((r) => ctx.auth.roles.includes(r));
+    },
+    write: (ctx) => {
+      const rowValue = ctx.row?.[ownerField];
+      return String(ctx.auth.userId) === String(rowValue) || roles.some((r) => ctx.auth.roles.includes(r));
+    }
+  };
+}
+function rolesOnly(roles) {
+  return {
+    read: (ctx) => roles.some((r) => ctx.auth.roles.includes(r)),
+    write: (ctx) => roles.some((r) => ctx.auth.roles.includes(r))
+  };
+}
+function readOnly(readCondition) {
+  return {
+    read: readCondition ?? (() => true),
+    write: () => false
+  };
+}
+function publicReadRestrictedWrite(writeCondition) {
+  return {
+    read: () => true,
+    write: writeCondition
+  };
+}
+function maskedField(maskFn, readCondition) {
+  return {
+    read: readCondition,
+    write: readCondition,
+    maskedValue: void 0,
+    // Will be computed by maskFn
+    maskFn
+  };
+}
+var FieldAccessRegistry = class {
+  tables = /* @__PURE__ */ new Map();
+  logger;
+  constructor(schema, options) {
+    this.logger = options?.logger ?? silentLogger;
+    if (schema) {
+      this.loadSchema(schema);
+    }
+  }
+  /**
+   * Load field access schema
+   */
+  loadSchema(schema) {
+    for (const [table, config] of Object.entries(schema)) {
+      if (!config) continue;
+      this.registerTable(table, config);
+    }
+  }
+  /**
+   * Register field access configuration for a table
+   */
+  registerTable(table, config) {
+    const compiled = {
+      table,
+      defaultAccess: config.default ?? "allow",
+      skipFor: config.skipFor ?? [],
+      fields: /* @__PURE__ */ new Map()
+    };
+    for (const [field, fieldConfig] of Object.entries(config.fields)) {
+      if (!fieldConfig) continue;
+      const compiledField = this.compileFieldConfig(field, fieldConfig);
+      compiled.fields.set(field, compiledField);
+    }
+    this.tables.set(table, compiled);
+    this.logger.info?.(`[FieldAccess] Registered table: ${table}`, {
+      fields: compiled.fields.size,
+      defaultAccess: compiled.defaultAccess
+    });
+  }
+  /**
+   * Check if a field is readable in the current context
+   *
+   * @param table - Table name
+   * @param field - Field name
+   * @param ctx - Evaluation context
+   * @returns True if field is readable
+   */
+  async canReadField(table, field, ctx) {
+    const config = this.tables.get(table);
+    if (!config) {
+      return true;
+    }
+    if (config.skipFor.some((role) => ctx.auth.roles.includes(role))) {
+      return true;
+    }
+    if (ctx.auth.isSystem) {
+      return true;
+    }
+    const fieldConfig = config.fields.get(field);
+    if (!fieldConfig) {
+      return config.defaultAccess === "allow";
+    }
+    try {
+      const result = fieldConfig.canRead(ctx);
+      return result instanceof Promise ? await result : result;
+    } catch (error) {
+      this.logger.error?.(`[FieldAccess] Error checking read access for ${table}.${field}`, {
+        error: error instanceof Error ? error.message : String(error)
+      });
+      return false;
+    }
+  }
+  /**
+   * Check if a field is writable in the current context
+   *
+   * @param table - Table name
+   * @param field - Field name
+   * @param ctx - Evaluation context
+   * @returns True if field is writable
+   */
+  async canWriteField(table, field, ctx) {
+    const config = this.tables.get(table);
+    if (!config) {
+      return true;
+    }
+    if (config.skipFor.some((role) => ctx.auth.roles.includes(role))) {
+      return true;
+    }
+    if (ctx.auth.isSystem) {
+      return true;
+    }
+    const fieldConfig = config.fields.get(field);
+    if (!fieldConfig) {
+      return config.defaultAccess === "allow";
+    }
+    try {
+      const result = fieldConfig.canWrite(ctx);
+      return result instanceof Promise ? await result : result;
+    } catch (error) {
+      this.logger.error?.(`[FieldAccess] Error checking write access for ${table}.${field}`, {
+        error: error instanceof Error ? error.message : String(error)
+      });
+      return false;
+    }
+  }
+  /**
+   * Get field configuration
+   *
+   * @param table - Table name
+   * @param field - Field name
+   * @returns Compiled field access config or undefined
+   */
+  getFieldConfig(table, field) {
+    return this.tables.get(table)?.fields.get(field);
+  }
+  /**
+   * Get table configuration
+   *
+   * @param table - Table name
+   * @returns Compiled table field access config or undefined
+   */
+  getTableConfig(table) {
+    return this.tables.get(table);
+  }
+  /**
+   * Check if table has field access configuration
+   */
+  hasTable(table) {
+    return this.tables.has(table);
+  }
+  /**
+   * Get all registered table names
+   */
+  getTables() {
+    return Array.from(this.tables.keys());
+  }
+  /**
+   * Get all fields with explicit configuration for a table
+   *
+   * @param table - Table name
+   * @returns Array of field names
+   */
+  getConfiguredFields(table) {
+    const config = this.tables.get(table);
+    return config ? Array.from(config.fields.keys()) : [];
+  }
+  /**
+   * Clear all configurations
+   */
+  clear() {
+    this.tables.clear();
+  }
+  // ============================================================================
+  // Private Methods
+  // ============================================================================
+  /**
+   * Compile a field access configuration
+   */
+  compileFieldConfig(field, config) {
+    return {
+      field,
+      canRead: config.read ?? (() => true),
+      canWrite: config.write ?? (() => true),
+      maskedValue: config.maskedValue ?? null,
+      omitWhenHidden: config.omitWhenHidden ?? false
+    };
+  }
+};
+function createFieldAccessRegistry(schema, options) {
+  return new FieldAccessRegistry(schema, options);
+}
+// src/field-access/processor.ts
+var FieldAccessProcessor = class {
+  constructor(registry, defaultMaskValue = null) {
+    this.registry = registry;
+    this.defaultMaskValue = defaultMaskValue;
+  }
+  /**
+   * Apply field access control to a single row
+   *
+   * @param table - Table name
+   * @param row - Row data
+   * @param options - Processing options
+   * @returns Masked row with metadata
+   */
+  async maskRow(table, row, options = {}) {
+    const ctx = this.getContext();
+    if (!ctx) {
+      return {
+        data: row,
+        maskedFields: [],
+        omittedFields: []
+      };
+    }
+    if (ctx.auth.isSystem) {
+      return {
+        data: row,
+        maskedFields: [],
+        omittedFields: []
+      };
+    }
+    const tableConfig = this.registry.getTableConfig(table);
+    if (!tableConfig) {
+      return {
+        data: row,
+        maskedFields: [],
+        omittedFields: []
+      };
+    }
+    if (tableConfig.skipFor.some((role) => ctx.auth.roles.includes(role))) {
+      return {
+        data: row,
+        maskedFields: [],
+        omittedFields: []
+      };
+    }
+    const evalCtx = this.createEvalContext(ctx, row, table);
+    const result = {};
+    const maskedFields = [];
+    const omittedFields = [];
+    for (const [field, value] of Object.entries(row)) {
+      if (options.excludeFields?.includes(field)) {
+        continue;
+      }
+      if (options.includeFields && !options.includeFields.includes(field)) {
+        continue;
+      }
+      const fieldResult = await this.evaluateFieldAccess(
+        tableConfig,
+        field,
+        value,
+        evalCtx,
+        options
+      );
+      if (fieldResult.omit) {
+        omittedFields.push(field);
+      } else if (!fieldResult.accessible) {
+        maskedFields.push(field);
+        result[field] = fieldResult.value;
+      } else {
+        result[field] = value;
+      }
+    }
+    return {
+      data: result,
+      maskedFields,
+      omittedFields
+    };
+  }
+  /**
+   * Apply field access control to multiple rows
+   *
+   * @param table - Table name
+   * @param rows - Array of rows
+   * @param options - Processing options
+   * @returns Array of masked rows
+   */
+  async maskRows(table, rows, options = {}) {
+    return await Promise.all(rows.map((row) => this.maskRow(table, row, options)));
+  }
+  /**
+   * Validate that all fields in mutation data are writable
+   *
+   * @param table - Table name
+   * @param data - Mutation data
+   * @param existingRow - Existing row (for update operations)
+   * @throws RLSPolicyViolation if any field is not writable
+   */
+  async validateWrite(table, data, existingRow) {
+    const ctx = this.getContext();
+    if (!ctx) {
+      return;
+    }
+    if (ctx.auth.isSystem) {
+      return;
+    }
+    const tableConfig = this.registry.getTableConfig(table);
+    if (!tableConfig) {
+      return;
+    }
+    if (tableConfig.skipFor.some((role) => ctx.auth.roles.includes(role))) {
+      return;
+    }
+    const evalCtx = this.createEvalContext(ctx, existingRow ?? {}, table, data);
+    const unwritableFields = [];
+    for (const field of Object.keys(data)) {
+      const canWrite = await this.registry.canWriteField(table, field, evalCtx);
+      if (!canWrite) {
+        unwritableFields.push(field);
+      }
+    }
+    if (unwritableFields.length > 0) {
+      throw new RLSPolicyViolation(
+        "write",
+        table,
+        `Cannot write to protected fields: ${unwritableFields.join(", ")}`
+      );
+    }
+  }
+  /**
+   * Filter mutation data to only include writable fields
+   *
+   * @param table - Table name
+   * @param data - Mutation data
+   * @param existingRow - Existing row (for update operations)
+   * @returns Filtered data with only writable fields
+   */
+  async filterWritableFields(table, data, existingRow) {
+    const ctx = this.getContext();
+    if (!ctx) {
+      return { data, removedFields: [] };
+    }
+    if (ctx.auth.isSystem) {
+      return { data, removedFields: [] };
+    }
+    const tableConfig = this.registry.getTableConfig(table);
+    if (!tableConfig) {
+      return { data, removedFields: [] };
+    }
+    if (tableConfig.skipFor.some((role) => ctx.auth.roles.includes(role))) {
+      return { data, removedFields: [] };
+    }
+    const evalCtx = this.createEvalContext(ctx, existingRow ?? {}, table, data);
+    const result = {};
+    const removedFields = [];
+    for (const [field, value] of Object.entries(data)) {
+      const canWrite = await this.registry.canWriteField(table, field, evalCtx);
+      if (canWrite) {
+        result[field] = value;
+      } else {
+        removedFields.push(field);
+      }
+    }
+    return { data: result, removedFields };
+  }
+  /**
+   * Get list of readable fields for a table
+   *
+   * @param table - Table name
+   * @param row - Row data (for context-dependent fields)
+   * @returns Array of readable field names
+   */
+  async getReadableFields(table, row) {
+    const ctx = this.getContext();
+    if (!ctx || ctx.auth.isSystem) {
+      return Object.keys(row);
+    }
+    const tableConfig = this.registry.getTableConfig(table);
+    if (!tableConfig) {
+      return Object.keys(row);
+    }
+    if (tableConfig.skipFor.some((role) => ctx.auth.roles.includes(role))) {
+      return Object.keys(row);
+    }
+    const evalCtx = this.createEvalContext(ctx, row, table);
+    const readable = [];
+    for (const field of Object.keys(row)) {
+      const canRead = await this.registry.canReadField(table, field, evalCtx);
+      if (canRead) {
+        readable.push(field);
+      }
+    }
+    return readable;
+  }
+  /**
+   * Get list of writable fields for a table
+   *
+   * @param table - Table name
+   * @param row - Existing row data (for context-dependent fields)
+   * @returns Array of writable field names
+   */
+  async getWritableFields(table, row) {
+    const ctx = this.getContext();
+    if (!ctx || ctx.auth.isSystem) {
+      return Object.keys(row);
+    }
+    const tableConfig = this.registry.getTableConfig(table);
+    if (!tableConfig) {
+      return Object.keys(row);
+    }
+    if (tableConfig.skipFor.some((role) => ctx.auth.roles.includes(role))) {
+      return Object.keys(row);
+    }
+    const evalCtx = this.createEvalContext(ctx, row, table);
+    const writable = [];
+    for (const field of Object.keys(row)) {
+      const canWrite = await this.registry.canWriteField(table, field, evalCtx);
+      if (canWrite) {
+        writable.push(field);
+      }
+    }
+    return writable;
+  }
+  // ============================================================================
+  // Private Methods
+  // ============================================================================
+  /**
+   * Get current RLS context
+   */
+  getContext() {
+    return rlsContext.getContextOrNull();
+  }
+  /**
+   * Create evaluation context
+   */
+  createEvalContext(ctx, row, table, data) {
+    return {
+      auth: ctx.auth,
+      row,
+      data,
+      table,
+      ...ctx.meta !== void 0 && { meta: ctx.meta }
+    };
+  }
+  /**
+   * Evaluate field access for a specific field
+   */
+  async evaluateFieldAccess(tableConfig, field, value, ctx, options) {
+    const fieldConfig = tableConfig.fields.get(field);
+    if (!fieldConfig) {
+      const accessible = tableConfig.defaultAccess === "allow";
+      return {
+        accessible,
+        value: accessible ? value : this.defaultMaskValue,
+        omit: !accessible && options.throwOnDenied !== true
+      };
+    }
+    try {
+      const canRead = await fieldConfig.canRead(ctx);
+      if (canRead) {
+        return {
+          accessible: true,
+          value
+        };
+      }
+      if (options.throwOnDenied) {
+        throw new RLSPolicyViolation("read", ctx.table ?? "unknown", `Cannot read field: ${field}`);
+      }
+      const configWithMask = fieldConfig;
+      const maskedValue = configWithMask.maskFn ? configWithMask.maskFn(value) : fieldConfig.maskedValue ?? this.defaultMaskValue;
+      return {
+        accessible: false,
+        reason: `Field "${field}" is not accessible`,
+        value: maskedValue,
+        omit: fieldConfig.omitWhenHidden
+      };
+    } catch (error) {
+      if (error instanceof RLSPolicyViolation) {
+        throw error;
+      }
+      return {
+        accessible: false,
+        reason: `Error evaluating access: ${error instanceof Error ? error.message : String(error)}`,
+        value: this.defaultMaskValue,
+        omit: true
+      };
+    }
+  }
+};
+function createFieldAccessProcessor(registry, defaultMaskValue) {
+  return new FieldAccessProcessor(registry, defaultMaskValue);
+}
+// src/composition/builder.ts
+function definePolicy(config, policies) {
+  const result = {
+    name: config.name,
+    policies
+  };
+  if (config.description !== void 0) {
+    result.description = config.description;
+  }
+  if (config.tags !== void 0) {
+    result.tags = config.tags;
+  }
+  return result;
+}
+function defineFilterPolicy(name, filterFn, options) {
+  return {
+    name,
+    policies: [
+      filter("read", filterFn, {
+        name: `${name}-filter`,
+        ...options?.priority !== void 0 && { priority: options.priority }
+      })
+    ]
+  };
+}
+function defineAllowPolicy(name, operation, condition, options) {
+  return {
+    name,
+    policies: [
+      allow(operation, condition, {
+        name: `${name}-allow`,
+        ...options?.priority !== void 0 && { priority: options.priority }
+      })
+    ]
+  };
+}
+function defineDenyPolicy(name, operation, condition, options) {
+  return {
+    name,
+    policies: [
+      deny(operation, condition, {
+        name: `${name}-deny`,
+        priority: options?.priority ?? 100
+      })
+    ]
+  };
+}
+function defineValidatePolicy(name, operation, condition, options) {
+  return {
+    name,
+    policies: [
+      validate(operation, condition, {
+        name: `${name}-validate`,
+        ...options?.priority !== void 0 && { priority: options.priority }
+      })
+    ]
+  };
+}
+function defineCombinedPolicy(name, config) {
+  const policies = [];
+  if (config.filter) {
+    policies.push(
+      filter("read", config.filter, {
+        name: `${name}-filter`
+      })
+    );
+  }
+  if (config.allow) {
+    for (const [op, condition] of Object.entries(config.allow)) {
+      if (condition) {
+        policies.push(
+          allow(op, condition, {
+            name: `${name}-allow-${op}`
+          })
+        );
+      }
+    }
+  }
+  if (config.deny) {
+    for (const [op, condition] of Object.entries(config.deny)) {
+      if (condition) {
+        policies.push(
+          deny(op, condition, {
+            name: `${name}-deny-${op}`,
+            priority: 100
+          })
+        );
+      }
+    }
+  }
+  if (config.validate) {
+    if (config.validate.create) {
+      policies.push(
+        validate("create", config.validate.create, {
+          name: `${name}-validate-create`
+        })
+      );
+    }
+    if (config.validate.update) {
+      policies.push(
+        validate("update", config.validate.update, {
+          name: `${name}-validate-update`
+        })
+      );
+    }
+  }
+  return {
+    name,
+    policies
+  };
+}
+function createTenantIsolationPolicy(config = {}) {
+  const { tenantColumn = "tenant_id", validateOnMutation = true } = config;
+  const policies = [
+    // Filter reads by tenant
+    filter("read", (ctx) => ({ [tenantColumn]: ctx.auth.tenantId }), {
+      name: "tenant-isolation-filter",
+      priority: 1e3
+    })
+  ];
+  if (validateOnMutation) {
+    policies.push(
+      validate("create", (ctx) => {
+        const data = ctx.data;
+        return data?.[tenantColumn] === ctx.auth.tenantId;
+      }, {
+        name: "tenant-isolation-validate-create"
+      }),
+      validate("update", (ctx) => {
+        const data = ctx.data;
+        if (data?.[tenantColumn] !== void 0) {
+          return data[tenantColumn] === ctx.auth.tenantId;
+        }
+        return true;
+      }, {
+        name: "tenant-isolation-validate-update"
+      })
+    );
+  }
+  return {
+    name: "tenantIsolation",
+    description: `Filter by ${tenantColumn} for multi-tenancy`,
+    policies,
+    tags: ["multi-tenant", "isolation"]
+  };
+}
+function createOwnershipPolicy(config = {}) {
+  const { ownerColumn = "owner_id", ownerOperations = ["read", "update", "delete"], canDelete = true } = config;
+  const policies = [];
+  const ops = ownerOperations.filter((op) => op !== "delete" || canDelete);
+  if (ops.length > 0) {
+    policies.push(
+      allow(ops, (ctx) => {
+        const row = ctx.row;
+        return ctx.auth.userId === row?.[ownerColumn];
+      }, {
+        name: "ownership-allow"
+      })
+    );
+  }
+  if (!canDelete && ownerOperations.includes("delete")) {
+    policies.push(
+      deny("delete", () => true, {
+        name: "ownership-no-delete",
+        priority: 150
+      })
+    );
+  }
+  return {
+    name: "ownership",
+    description: `Owner access via ${ownerColumn}`,
+    policies,
+    tags: ["ownership"]
+  };
+}
+function createSoftDeletePolicy(config = {}) {
+  const { deletedColumn = "deleted_at", filterOnRead = true, preventHardDelete = true } = config;
+  const policies = [];
+  if (filterOnRead) {
+    policies.push(
+      filter("read", () => ({ [deletedColumn]: null }), {
+        name: "soft-delete-filter",
+        priority: 900
+      })
+    );
+  }
+  if (preventHardDelete) {
+    policies.push(
+      deny("delete", () => true, {
+        name: "soft-delete-no-hard-delete",
+        priority: 150
+      })
+    );
+  }
+  return {
+    name: "softDelete",
+    description: `Soft delete via ${deletedColumn}`,
+    policies,
+    tags: ["soft-delete"]
+  };
+}
+function createStatusAccessPolicy(config) {
+  const { statusColumn = "status", publicStatuses = [], editableStatuses = [], deletableStatuses = [] } = config;
+  const policies = [];
+  if (publicStatuses.length > 0) {
+    policies.push(
+      allow("read", (ctx) => {
+        const row = ctx.row;
+        return publicStatuses.includes(row?.[statusColumn]);
+      }, {
+        name: "status-public-read"
+      })
+    );
+  }
+  if (editableStatuses.length > 0) {
+    policies.push(
+      deny("update", (ctx) => {
+        const row = ctx.row;
+        return !editableStatuses.includes(row?.[statusColumn]);
+      }, {
+        name: "status-restrict-update",
+        priority: 100
+      })
+    );
+  }
+  if (deletableStatuses.length > 0) {
+    policies.push(
+      deny("delete", (ctx) => {
+        const row = ctx.row;
+        return !deletableStatuses.includes(row?.[statusColumn]);
+      }, {
+        name: "status-restrict-delete",
+        priority: 100
+      })
+    );
+  }
+  return {
+    name: "statusAccess",
+    description: `Status-based access via ${statusColumn}`,
+    policies,
+    tags: ["status"]
+  };
+}
+function createAdminPolicy(roles) {
+  return {
+    name: "adminBypass",
+    description: `Admin access for roles: ${roles.join(", ")}`,
+    policies: [
+      allow("all", (ctx) => roles.some((r) => ctx.auth.roles.includes(r)), {
+        name: "admin-bypass",
+        priority: 500
+      })
+    ],
+    tags: ["admin"]
+  };
+}
+function composePolicies(name, policies) {
+  const allPolicies = [];
+  const allTags = /* @__PURE__ */ new Set();
+  for (const policy of policies) {
+    allPolicies.push(...policy.policies);
+    policy.tags?.forEach((tag) => allTags.add(tag));
+  }
+  return {
+    name,
+    description: `Composed from: ${policies.map((p) => p.name).join(", ")}`,
+    policies: allPolicies,
+    tags: Array.from(allTags)
+  };
+}
+function extendPolicy(base, additional) {
+  const result = {
+    name: `${base.name}_extended`,
+    policies: [...base.policies, ...additional]
+  };
+  if (base.description !== void 0) {
+    result.description = base.description;
+  }
+  if (base.tags !== void 0) {
+    result.tags = base.tags;
+  }
+  return result;
+}
+function overridePolicy(base, overrides) {
+  const newPolicies = base.policies.map((policy) => {
+    const override = policy.name ? overrides[policy.name] : void 0;
+    return override ?? policy;
+  });
+  const result = {
+    name: `${base.name}_overridden`,
+    policies: newPolicies
+  };
+  if (base.description !== void 0) {
+    result.description = base.description;
+  }
+  if (base.tags !== void 0) {
+    result.tags = base.tags;
+  }
+  return result;
+}
+// src/audit/types.ts
+var ConsoleAuditAdapter = class {
+  options;
+  constructor(options = {}) {
+    this.options = {
+      format: options.format ?? "text",
+      colors: options.colors ?? true,
+      includeTimestamp: options.includeTimestamp ?? true
+    };
+  }
+  log(event) {
+    if (this.options.format === "json") {
+      console.log(JSON.stringify(event));
+    } else {
+      const prefix = this.getPrefix(event.decision);
+      const timestamp = this.options.includeTimestamp ? `[${event.timestamp.toISOString()}] ` : "";
+      console.log(
+        `${timestamp}${prefix} RLS ${event.decision.toUpperCase()}: ${event.operation} on ${event.table}` + (event.policyName ? ` (policy: ${event.policyName})` : "") + (event.reason ? ` - ${event.reason}` : "") + (event.userId ? ` [user: ${event.userId}]` : "")
+      );
+    }
+    return Promise.resolve();
+  }
+  async logBatch(events) {
+    for (const event of events) {
+      await this.log(event);
+    }
+  }
+  getPrefix(decision) {
+    if (!this.options.colors) {
+      return decision === "allow" ? "\u2713" : decision === "deny" ? "\u2717" : "~";
+    }
+    switch (decision) {
+      case "allow":
+        return "\x1B[32m\u2713\x1B[0m";
+      // Green
+      case "deny":
+        return "\x1B[31m\u2717\x1B[0m";
+      // Red
+      case "filter":
+        return "\x1B[33m~\x1B[0m";
+      // Yellow
+      default:
+        return "?";
+    }
+  }
+};
+var InMemoryAuditAdapter = class {
+  events = [];
+  maxSize;
+  constructor(maxSize = 1e4) {
+    this.maxSize = maxSize;
+  }
+  log(event) {
+    this.events.push(event);
+    if (this.events.length > this.maxSize) {
+      this.events = this.events.slice(-this.maxSize);
+    }
+    return Promise.resolve();
+  }
+  logBatch(events) {
+    this.events.push(...events);
+    if (this.events.length > this.maxSize) {
+      this.events = this.events.slice(-this.maxSize);
+    }
+    return Promise.resolve();
+  }
+  /**
+   * Get all logged events
+   */
+  getEvents() {
+    return [...this.events];
+  }
+  /**
+   * Query events
+   */
+  query(params) {
+    let results = [...this.events];
+    if (params.userId !== void 0) {
+      results = results.filter((e) => e.userId === params.userId);
+    }
+    if (params.tenantId !== void 0) {
+      results = results.filter((e) => e.tenantId === params.tenantId);
+    }
+    if (params.table) {
+      results = results.filter((e) => e.table === params.table);
+    }
+    if (params.operation) {
+      results = results.filter((e) => e.operation === params.operation);
+    }
+    if (params.decision) {
+      results = results.filter((e) => e.decision === params.decision);
+    }
+    if (params.startTime) {
+      results = results.filter((e) => e.timestamp >= params.startTime);
+    }
+    if (params.endTime) {
+      results = results.filter((e) => e.timestamp < params.endTime);
+    }
+    if (params.requestId) {
+      results = results.filter((e) => e.requestId === params.requestId);
+    }
+    if (params.offset) {
+      results = results.slice(params.offset);
+    }
+    if (params.limit) {
+      results = results.slice(0, params.limit);
+    }
+    return results;
+  }
+  /**
+   * Get statistics
+   */
+  getStats(params) {
+    let events = this.events;
+    if (params?.startTime) {
+      events = events.filter((e) => e.timestamp >= params.startTime);
+    }
+    if (params?.endTime) {
+      events = events.filter((e) => e.timestamp < params.endTime);
+    }
+    const byDecision = { allow: 0, deny: 0, filter: 0 };
+    const byOperation = { read: 0, create: 0, update: 0, delete: 0, all: 0 };
+    const byTable = {};
+    for (const event of events) {
+      byDecision[event.decision]++;
+      byOperation[event.operation]++;
+      byTable[event.table] = (byTable[event.table] ?? 0) + 1;
+    }
+    return {
+      totalEvents: events.length,
+      byDecision,
+      byOperation,
+      byTable,
+      timeRange: {
+        start: events[0]?.timestamp ?? /* @__PURE__ */ new Date(),
+        end: events[events.length - 1]?.timestamp ?? /* @__PURE__ */ new Date()
+      }
+    };
+  }
+  /**
+   * Clear all events
+   */
+  clear() {
+    this.events = [];
+  }
+  /**
+   * Get event count
+   */
+  get size() {
+    return this.events.length;
+  }
+};
+// src/audit/logger.ts
+var AuditLogger = class {
+  adapter;
+  config;
+  buffer = [];
+  flushTimer = null;
+  isShuttingDown = false;
+  constructor(config) {
+    this.adapter = config.adapter;
+    const baseConfig = {
+      enabled: config.enabled ?? true,
+      defaults: config.defaults ?? {
+        logAllowed: false,
+        logDenied: true,
+        logFilters: false
+      },
+      tables: config.tables ?? {},
+      bufferSize: config.bufferSize ?? 100,
+      flushInterval: config.flushInterval ?? 5e3,
+      async: config.async ?? true,
+      sampleRate: config.sampleRate ?? 1
+    };
+    this.config = config.onError !== void 0 ? { ...baseConfig, onError: config.onError } : baseConfig;
+    if (this.config.flushInterval > 0) {
+      this.startFlushTimer();
+    }
+  }
+  /**
+   * Log a policy decision
+   *
+   * @param operation - Database operation
+   * @param table - Table name
+   * @param decision - Decision result
+   * @param policyName - Name of the policy
+   * @param options - Additional options
+   */
+  async logDecision(operation, table, decision, policyName, options) {
+    if (!this.config.enabled || this.isShuttingDown) {
+      return;
+    }
+    if (this.config.sampleRate < 1 && Math.random() > this.config.sampleRate) {
+      return;
+    }
+    const tableConfig = this.getTableConfig(table);
+    if (!this.shouldLog(decision, tableConfig)) {
+      return;
+    }
+    const ctx = rlsContext.getContextOrNull();
+    const event = this.buildEvent(operation, table, decision, policyName, ctx, tableConfig, options);
+    if (tableConfig.filter && !tableConfig.filter(event)) {
+      event.filtered = true;
+      return;
+    }
+    await this.logEvent(event);
+  }
+  /**
+   * Log an allow decision
+   */
+  async logAllow(operation, table, policyName, options) {
+    await this.logDecision(operation, table, "allow", policyName, options);
+  }
+  /**
+   * Log a deny decision
+   */
+  async logDeny(operation, table, policyName, options) {
+    await this.logDecision(operation, table, "deny", policyName, options);
+  }
+  /**
+   * Log a filter application
+   */
+  async logFilter(table, policyName, options) {
+    await this.logDecision("read", table, "filter", policyName, options);
+  }
+  /**
+   * Flush buffered events
+   */
+  async flush() {
+    if (this.buffer.length === 0) {
+      return;
+    }
+    const eventsToFlush = [...this.buffer];
+    this.buffer = [];
+    try {
+      if (this.adapter.logBatch) {
+        await this.adapter.logBatch(eventsToFlush);
+      } else {
+        for (const event of eventsToFlush) {
+          await this.adapter.log(event);
+        }
+      }
+    } catch (error) {
+      this.config.onError?.(error instanceof Error ? error : new Error(String(error)), eventsToFlush);
+    }
+  }
+  /**
+   * Close the logger
+   */
+  async close() {
+    this.isShuttingDown = true;
+    if (this.flushTimer) {
+      clearInterval(this.flushTimer);
+      this.flushTimer = null;
+    }
+    await this.flush();
+    await this.adapter.flush?.();
+    await this.adapter.close?.();
+  }
+  /**
+   * Get buffer size
+   */
+  get bufferSize() {
+    return this.buffer.length;
+  }
+  /**
+   * Check if logger is enabled
+   */
+  get enabled() {
+    return this.config.enabled;
+  }
+  /**
+   * Enable or disable logging
+   */
+  setEnabled(enabled) {
+    this.config.enabled = enabled;
+  }
+  // ============================================================================
+  // Private Methods
+  // ============================================================================
+  /**
+   * Get table-specific config with defaults
+   */
+  getTableConfig(table) {
+    const tableOverride = this.config.tables[table];
+    return {
+      ...this.config.defaults,
+      ...tableOverride,
+      enabled: tableOverride?.enabled ?? true
+    };
+  }
+  /**
+   * Check if decision should be logged
+   */
+  shouldLog(decision, tableConfig) {
+    if (!tableConfig.enabled) {
+      return false;
+    }
+    switch (decision) {
+      case "allow":
+        return tableConfig.logAllowed ?? false;
+      case "deny":
+        return tableConfig.logDenied ?? true;
+      case "filter":
+        return tableConfig.logFilters ?? false;
+      default:
+        return false;
+    }
+  }
+  /**
+   * Build audit event
+   */
+  buildEvent(operation, table, decision, policyName, ctx, tableConfig, options) {
+    const event = {
+      timestamp: /* @__PURE__ */ new Date(),
+      userId: ctx?.auth.userId ?? "anonymous",
+      operation,
+      table,
+      decision
+    };
+    if (ctx?.auth.tenantId !== void 0) {
+      event.tenantId = ctx.auth.tenantId;
+    }
+    if (policyName) {
+      event.policyName = policyName;
+    }
+    if (options?.reason) {
+      event.reason = options.reason;
+    }
+    if (options?.rowIds && options.rowIds.length > 0) {
+      event.rowIds = options.rowIds;
+    }
+    if (options?.queryHash) {
+      event.queryHash = options.queryHash;
+    }
+    if (options?.durationMs !== void 0) {
+      event.durationMs = options.durationMs;
+    }
+    if (ctx?.request) {
+      if (ctx.request.requestId) {
+        event.requestId = ctx.request.requestId;
+      }
+      if (ctx.request.ipAddress) {
+        event.ipAddress = ctx.request.ipAddress;
+      }
+      if (ctx.request.userAgent) {
+        event.userAgent = ctx.request.userAgent;
+      }
+    }
+    const context = this.buildContext(ctx, tableConfig, options?.context);
+    if (context !== void 0) {
+      event.context = context;
+    }
+    return event;
+  }
+  /**
+   * Build context object with filtering
+   */
+  buildContext(ctx, tableConfig, additionalContext) {
+    const context = {};
+    if (ctx?.auth.roles && ctx.auth.roles.length > 0) {
+      context["roles"] = ctx.auth.roles;
+    }
+    if (ctx?.auth.organizationIds && ctx.auth.organizationIds.length > 0) {
+      context["organizationIds"] = ctx.auth.organizationIds;
+    }
+    if (ctx?.meta && typeof ctx.meta === "object") {
+      Object.assign(context, ctx.meta);
+    }
+    if (additionalContext) {
+      Object.assign(context, additionalContext);
+    }
+    let filteredContext = context;
+    if (tableConfig.includeContext && tableConfig.includeContext.length > 0) {
+      filteredContext = {};
+      for (const key of tableConfig.includeContext) {
+        if (key in context) {
+          filteredContext[key] = context[key];
+        }
+      }
+    }
+    if (tableConfig.excludeContext && tableConfig.excludeContext.length > 0) {
+      for (const key of tableConfig.excludeContext) {
+        const { [key]: _, ...rest } = filteredContext;
+        filteredContext = rest;
+      }
+    }
+    return Object.keys(filteredContext).length > 0 ? filteredContext : void 0;
+  }
+  /**
+   * Log event to buffer or directly
+   */
+  async logEvent(event) {
+    if (this.config.async && this.config.bufferSize > 0) {
+      this.buffer.push(event);
+      if (this.buffer.length >= this.config.bufferSize) {
+        await this.flush();
+      }
+    } else if (this.config.async) {
+      this.adapter.log(event).catch((error) => {
+        this.config.onError?.(error instanceof Error ? error : new Error(String(error)), [event]);
+      });
+    } else {
+      try {
+        await this.adapter.log(event);
+      } catch (error) {
+        this.config.onError?.(error instanceof Error ? error : new Error(String(error)), [event]);
+      }
+    }
+  }
+  /**
+   * Start the flush timer
+   */
+  startFlushTimer() {
+    this.flushTimer = setInterval(() => {
+      this.flush().catch((error) => {
+        this.config.onError?.(error instanceof Error ? error : new Error(String(error)), [...this.buffer]);
+      });
+    }, this.config.flushInterval);
+    if (this.flushTimer.unref) {
+      this.flushTimer.unref();
+    }
+  }
+};
+function createAuditLogger(config) {
+  return new AuditLogger(config);
+}
+// src/testing/index.ts
+var PolicyTester = class {
+  registry;
+  constructor(schema) {
+    this.registry = new PolicyRegistry(schema);
+  }
+  /**
+   * Evaluate policies for an operation
+   *
+   * @param table - Table name
+   * @param operation - Operation to test
+   * @param context - Test context
+   * @returns Evaluation result
+   */
+  async evaluate(table, operation, context) {
+    const evaluatedPolicies = [];
+    if (!this.registry.hasTable(table)) {
+      return {
+        allowed: true,
+        decisionType: "default",
+        reason: "Table has no RLS policies",
+        evaluatedPolicies
+      };
+    }
+    if (context.auth.isSystem) {
+      return {
+        allowed: true,
+        decisionType: "allow",
+        reason: "System user bypasses RLS",
+        evaluatedPolicies
+      };
+    }
+    const skipFor = this.registry.getSkipFor(table);
+    if (skipFor.some((role) => context.auth.roles.includes(role))) {
+      return {
+        allowed: true,
+        decisionType: "allow",
+        reason: `Role bypass: ${skipFor.find((r) => context.auth.roles.includes(r))}`,
+        evaluatedPolicies
+      };
+    }
+    const evalCtx = {
+      auth: context.auth,
+      row: context.row,
+      data: context.data,
+      table,
+      operation,
+      ...context.meta !== void 0 && { meta: context.meta }
+    };
+    const denies = this.registry.getDenies(table, operation);
+    for (const deny2 of denies) {
+      const result = await this.evaluatePolicy(deny2, evalCtx);
+      evaluatedPolicies.push({
+        name: deny2.name,
+        type: "deny",
+        result
+      });
+      if (result) {
+        return {
+          allowed: false,
+          policyName: deny2.name,
+          decisionType: "deny",
+          reason: `Denied by policy: ${deny2.name}`,
+          evaluatedPolicies
+        };
+      }
+    }
+    if ((operation === "create" || operation === "update") && context.data) {
+      const validates = this.registry.getValidates(table, operation);
+      for (const validate2 of validates) {
+        const result = await this.evaluatePolicy(validate2, evalCtx);
+        evaluatedPolicies.push({
+          name: validate2.name,
+          type: "validate",
+          result
+        });
+        if (!result) {
+          return {
+            allowed: false,
+            policyName: validate2.name,
+            decisionType: "deny",
+            reason: `Validation failed: ${validate2.name}`,
+            evaluatedPolicies
+          };
+        }
+      }
+    }
+    const allows = this.registry.getAllows(table, operation);
+    const defaultDeny = this.registry.hasDefaultDeny(table);
+    if (defaultDeny && allows.length === 0) {
+      return {
+        allowed: false,
+        decisionType: "default",
+        reason: "No allow policies defined (default deny)",
+        evaluatedPolicies
+      };
+    }
+    for (const allow2 of allows) {
+      const result = await this.evaluatePolicy(allow2, evalCtx);
+      evaluatedPolicies.push({
+        name: allow2.name,
+        type: "allow",
+        result
+      });
+      if (result) {
+        return {
+          allowed: true,
+          policyName: allow2.name,
+          decisionType: "allow",
+          reason: `Allowed by policy: ${allow2.name}`,
+          evaluatedPolicies
+        };
+      }
+    }
+    if (defaultDeny) {
+      return {
+        allowed: false,
+        decisionType: "default",
+        reason: "No allow policies matched (default deny)",
+        evaluatedPolicies
+      };
+    }
+    return {
+      allowed: true,
+      decisionType: "default",
+      reason: "No policies matched (default allow)",
+      evaluatedPolicies
+    };
+  }
+  /**
+   * Get filter conditions for read operations
+   *
+   * @param table - Table name
+   * @param operation - Must be 'read'
+   * @param context - Test context
+   * @returns Filter conditions
+   */
+  getFilters(table, _operation, context) {
+    const conditions = {};
+    const appliedFilters = [];
+    if (!this.registry.hasTable(table)) {
+      return { conditions, appliedFilters };
+    }
+    if (context.auth.isSystem) {
+      return { conditions, appliedFilters };
+    }
+    const skipFor = this.registry.getSkipFor(table);
+    if (skipFor.some((role) => context.auth.roles.includes(role))) {
+      return { conditions, appliedFilters };
+    }
+    const filters = this.registry.getFilters(table);
+    const evalCtx = {
+      auth: context.auth,
+      ...context.meta !== void 0 && { meta: context.meta }
+    };
+    for (const filter2 of filters) {
+      const filterConditions = filter2.getConditions(evalCtx);
+      Object.assign(conditions, filterConditions);
+      appliedFilters.push(filter2.name);
+    }
+    return { conditions, appliedFilters };
+  }
+  /**
+   * Test if a specific policy allows the operation
+   *
+   * @param table - Table name
+   * @param policyName - Name of the policy to test
+   * @param context - Test context
+   * @returns True if policy allows
+   */
+  async testPolicy(table, policyName, context) {
+    const operations = ["read", "create", "update", "delete"];
+    for (const op of operations) {
+      const evalCtx = {
+        auth: context.auth,
+        row: context.row,
+        data: context.data,
+        table,
+        operation: op,
+        ...context.meta !== void 0 && { meta: context.meta }
+      };
+      const allows = this.registry.getAllows(table, op);
+      const allow2 = allows.find((p) => p.name === policyName);
+      if (allow2) {
+        const result = await this.evaluatePolicy(allow2, evalCtx);
+        return { found: true, result };
+      }
+      const denies = this.registry.getDenies(table, op);
+      const deny2 = denies.find((p) => p.name === policyName);
+      if (deny2) {
+        const result = await this.evaluatePolicy(deny2, evalCtx);
+        return { found: true, result };
+      }
+      const validates = this.registry.getValidates(table, op);
+      const validate2 = validates.find((p) => p.name === policyName);
+      if (validate2) {
+        const result = await this.evaluatePolicy(validate2, evalCtx);
+        return { found: true, result };
+      }
+    }
+    return { found: false };
+  }
+  /**
+   * List all policies for a table
+   */
+  listPolicies(table) {
+    const operations = ["read", "create", "update", "delete"];
+    const allowSet = /* @__PURE__ */ new Set();
+    const denySet = /* @__PURE__ */ new Set();
+    const validateSet = /* @__PURE__ */ new Set();
+    for (const op of operations) {
+      this.registry.getAllows(table, op).forEach((p) => allowSet.add(p.name));
+      this.registry.getDenies(table, op).forEach((p) => denySet.add(p.name));
+      this.registry.getValidates(table, op).forEach((p) => validateSet.add(p.name));
+    }
+    return {
+      allows: Array.from(allowSet),
+      denies: Array.from(denySet),
+      filters: this.registry.getFilters(table).map((f) => f.name),
+      validates: Array.from(validateSet)
+    };
+  }
+  /**
+   * Get all registered tables
+   */
+  getTables() {
+    return this.registry.getTables();
+  }
+  /**
+   * Evaluate a single policy
+   */
+  async evaluatePolicy(policy, ctx) {
+    try {
+      const result = policy.evaluate(ctx);
+      return result instanceof Promise ? await result : result;
+    } catch {
+      return false;
+    }
+  }
+};
+function createPolicyTester(schema) {
+  return new PolicyTester(schema);
+}
+function createTestAuthContext(overrides) {
+  return {
+    roles: [],
+    isSystem: false,
+    ...overrides
+  };
+}
+function createTestRow(data) {
+  return { ...data };
+}
+var policyAssertions = {
+  /**
+   * Assert that the result is allowed
+   */
+  assertAllowed(result, message) {
+    if (!result.allowed) {
+      throw new Error(
+        message ?? `Expected policy to allow, but was denied: ${result.reason}`
+      );
+    }
+  },
+  /**
+   * Assert that the result is denied
+   */
+  assertDenied(result, message) {
+    if (result.allowed) {
+      throw new Error(
+        message ?? `Expected policy to deny, but was allowed: ${result.reason}`
+      );
+    }
+  },
+  /**
+   * Assert that a specific policy made the decision
+   */
+  assertPolicyUsed(result, policyName, message) {
+    if (result.policyName !== policyName) {
+      throw new Error(
+        message ?? `Expected policy "${policyName}" but was "${result.policyName}"`
+      );
+    }
+  },
+  /**
+   * Assert that filters include expected conditions
+   */
+  assertFiltersInclude(result, expected, message) {
+    for (const [key, value] of Object.entries(expected)) {
+      if (result.conditions[key] !== value) {
+        throw new Error(
+          message ?? `Expected filter condition ${key}=${JSON.stringify(value)} but got ${JSON.stringify(result.conditions[key])}`
+        );
+      }
+    }
+  }
+};
+export { AuditLogger, ConsoleAuditAdapter, FieldAccessProcessor, FieldAccessRegistry, InMemoryAuditAdapter, InMemoryCacheProvider, PolicyRegistry, PolicyTester, RLSContextError, RLSContextValidationError, RLSError, RLSErrorCodes, RLSPluginOptionsSchema, RLSPolicyEvaluationError, RLSPolicyViolation, RLSSchemaError, ReBAcRegistry, ReBAcTransformer, ResolverManager, allow, allowRelation, composePolicies, createAdminPolicy, createAuditLogger, createEvaluationContext, createFieldAccessProcessor, createFieldAccessRegistry, createOwnershipPolicy, createPolicyTester, createRLSContext, createReBAcRegistry, createReBAcTransformer, createResolver, createResolverManager, createSoftDeletePolicy, createStatusAccessPolicy, createTenantIsolationPolicy, createTestAuthContext, createTestRow, deepMerge, defineAllowPolicy, defineCombinedPolicy, defineDenyPolicy, defineFilterPolicy, definePolicy, defineRLSSchema, defineValidatePolicy, deny, denyRelation, extendPolicy, filter, hashString, isAsyncFunction, maskedField, mergeRLSSchemas, neverAccessible, normalizeOperations, orgMembershipPath, overridePolicy, ownerOnly, ownerOrRoles, policyAssertions, publicReadRestrictedWrite, readOnly, rlsContext, rlsPlugin, rolesOnly, safeEvaluate, shopOrgMembershipPath, teamHierarchyPath, validate, whenCondition, whenEnvironment, whenFeature, whenTimeRange, withRLSContext, withRLSContextAsync };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map