@lunora/server 0.0.0 → 1.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (39) hide show
  1. package/LICENSE.md +105 -0
  2. package/README.md +130 -9
  3. package/__assets__/package-og.svg +14 -0
  4. package/dist/data-model.d.mts +328 -0
  5. package/dist/data-model.d.ts +328 -0
  6. package/dist/data-model.mjs +1 -0
  7. package/dist/drizzle.d.mts +1 -0
  8. package/dist/drizzle.d.ts +1 -0
  9. package/dist/drizzle.mjs +1 -0
  10. package/dist/index.d.mts +1741 -0
  11. package/dist/index.d.ts +1741 -0
  12. package/dist/index.mjs +24 -0
  13. package/dist/packem_shared/LunoraError-DhggBJZF.mjs +51 -0
  14. package/dist/packem_shared/asBucketStorage-Cnxd9y2q.mjs +11 -0
  15. package/dist/packem_shared/bindTableFacade-DCuyr46L.mjs +71 -0
  16. package/dist/packem_shared/defineAggregateIndex-DzqxtAyV.mjs +236 -0
  17. package/dist/packem_shared/defineEnv-DjFkpkSP.mjs +187 -0
  18. package/dist/packem_shared/defineMigration-CAJLr6fx.mjs +8 -0
  19. package/dist/packem_shared/definePolicy-De67zPDS.mjs +29 -0
  20. package/dist/packem_shared/definePresence-D5LtwGl0.mjs +114 -0
  21. package/dist/packem_shared/defineSchemaExtension-Ck5_TUO8.mjs +100 -0
  22. package/dist/packem_shared/defineStorageRule-qu0mpilX.mjs +20 -0
  23. package/dist/packem_shared/httpAction-B7FYUEgr.mjs +340 -0
  24. package/dist/packem_shared/initLunora-CATvPsVt.mjs +86 -0
  25. package/dist/packem_shared/mask-CkZJHHMM.mjs +211 -0
  26. package/dist/packem_shared/onConnect-CIPXKPyw.mjs +13 -0
  27. package/dist/packem_shared/protectPublic-BjFkQ_Or.mjs +15 -0
  28. package/dist/packem_shared/rls-Zhf5wEeJ.mjs +551 -0
  29. package/dist/packem_shared/run-middleware-CYQOuoV6.mjs +18 -0
  30. package/dist/packem_shared/storageRules-4a30FSpI.mjs +88 -0
  31. package/dist/packem_shared/types.d-BDY0FYHK.d.ts +135 -0
  32. package/dist/packem_shared/types.d-DmvyEMD6.d.mts +135 -0
  33. package/dist/rls/testing.d.mts +63 -0
  34. package/dist/rls/testing.d.ts +63 -0
  35. package/dist/rls/testing.mjs +49 -0
  36. package/dist/types.d.mts +1029 -0
  37. package/dist/types.d.ts +1029 -0
  38. package/dist/types.mjs +31 -0
  39. package/package.json +59 -17
@@ -0,0 +1,135 @@
1
+ import { WhereOf } from "../data-model.js";
2
+ /** Structural mirror of `@lunora/do`'s `WhereInput`. */
3
+ interface WhereInput {
4
+ [field: string]: unknown;
5
+ AND?: WhereInput[];
6
+ NOT?: WhereInput;
7
+ OR?: WhereInput[];
8
+ }
9
+ /** Operations a policy can gate. `read` covers `get`/`findMany`/`query`/`count`. */
10
+ type PolicyOperation = "delete" | "insert" | "read" | "update";
11
+ /**
12
+ * A policy's `when` decision:
13
+ *
14
+ * - `WhereInput`: a row-shape predicate. On reads it is AND-merged into every
15
+ * query against the table — the row is invisible unless it matches. On writes
16
+ * it is evaluated against the candidate document (`insert`) or the pre-write
17
+ * row (`update`/`delete`); a mismatch denies the write with
18
+ * `LunoraError("FORBIDDEN")`. Same operator set as the SQL compiler
19
+ * (`eq`/`ne`/`in`/`notIn`/`lt`/`lte`/`gt`/`gte`/`isNull`/`contains` +
20
+ * `AND`/`OR`/`NOT`).
21
+ * - `true`: unrestricted. On reads no predicate is merged; on writes the row is
22
+ * allowed.
23
+ * - `false`: deny. On reads the table is forced to match zero rows (a sentinel
24
+ * predicate); on writes the operation throws `LunoraError("FORBIDDEN")`.
25
+ *
26
+ * Returning `undefined` opts this specific policy out (rare; useful when
27
+ * branching on `ctx.auth.roles`).
28
+ */
29
+ type PolicyDecision = WhereInput | boolean | undefined;
30
+ /**
31
+ * Relation-aware twin of {@link PolicyDecision}, parameterized over the
32
+ * generated `DataModel` (`DM`) + `Relations` (`REL`) maps and a table `T`. A
33
+ * read policy may now return a Prisma-style relation predicate (the
34
+ * `@lunora/do` pre-resolver resolves it via a semijoin), so the typed
35
+ * authoring surface accepts `WhereOf<DM, REL, T>` — column predicates **and**
36
+ * `is`/`isNot`/`some`/`none`/`every` over `T`'s declared relations — in
37
+ * addition to the `boolean`/`undefined` decisions. Used by the project-bound
38
+ * `definePolicy` from `createPolicyDsl`.
39
+ */
40
+ type PolicyDecisionOf<DM, REL extends Record<keyof DM, object>, T extends keyof DM> = WhereOf<DM, REL, T> | boolean | undefined;
41
+ /**
42
+ * Relation-aware input for a project-bound `definePolicy` (see
43
+ * `createPolicyDsl`). `table` is constrained to a real table name and
44
+ * `when`'s return type is the table-specific {@link PolicyDecisionOf} — so an
45
+ * unknown table, a stray column, or a relation predicate naming a relation the
46
+ * table does not declare is a compile error rather than a silent runtime deny.
47
+ */
48
+ interface TypedDefinePolicyInput<DM, REL extends Record<keyof DM, object>, T extends keyof DM, Context = unknown> {
49
+ on: PolicyOperation;
50
+ table: T;
51
+ when: (context: PolicyContext<Context>) => PolicyDecisionOf<DM, REL, T>;
52
+ }
53
+ /**
54
+ * Context handed to a policy. `auth.roles` is the per-request role list,
55
+ * sourced from the identity resolver (better-auth claims today). `auth.can`
56
+ * answers whether any of those roles grants a permission (see
57
+ * {@link Permission} / {@link RlsOptions}). `row` is present only on write
58
+ * policies (`insert`/`update`/`delete`) — for `update` and `delete` it is the
59
+ * pre-write row; for `insert` it is the candidate document. `ctx` is the full
60
+ * procedure context the middleware closed over.
61
+ */
62
+ interface PolicyContext<Context = unknown> {
63
+ readonly auth: {
64
+ /**
65
+ * `true` when any of the request's `roles` grants `permission` (passed
66
+ * by {@link Permission} object or its `name`). Always `false` when no
67
+ * roles were handed to the middleware (`rls(policies, { roles })`), or
68
+ * when none of the request's roles lists the permission.
69
+ */
70
+ readonly can: (permission: Permission | string) => boolean;
71
+ readonly identity?: Record<string, unknown> | null;
72
+ readonly roles: ReadonlyArray<string>;
73
+ readonly userId: null | string;
74
+ };
75
+ readonly ctx: Context;
76
+ readonly row?: Record<string, unknown>;
77
+ }
78
+ /** A registered policy as stored in the policy table. */
79
+ interface Policy<Context = unknown> {
80
+ readonly on: PolicyOperation;
81
+ readonly table: string;
82
+ readonly when: (context: PolicyContext<Context>) => PolicyDecision;
83
+ }
84
+ /**
85
+ * Input accepted by `definePolicy`. The branded result is the same
86
+ * shape; we keep the input/output split so callers can read JSDoc on the
87
+ * constructor without the type re-exposing `Policy` internals.
88
+ */
89
+ interface DefinePolicyInput<Context = unknown> {
90
+ on: PolicyOperation;
91
+ /** Logical table name the policy applies to. */
92
+ table: string;
93
+ /**
94
+ * Decision function. Returning a `WhereInput` (read only) AND-merges the
95
+ * predicate; `true` allows; `false` denies; `undefined` skips this policy.
96
+ *
97
+ * NOTE: `count()` is **unsupported** on a policy-restricted table — the
98
+ * reader throws `LunoraError("COUNT_RLS_UNSUPPORTED")` (422). This mirrors
99
+ * kitcn's documented behavior.
100
+ */
101
+ when: (context: PolicyContext<Context>) => PolicyDecision;
102
+ }
103
+ /**
104
+ * A named, abstract capability a policy can check with `ctx.auth.can(...)`,
105
+ * instead of branching on raw role strings. Declare one with
106
+ * `definePermission`; grant it to a role via {@link Role.permissions};
107
+ * register the roles with the middleware via {@link RlsOptions.roles}.
108
+ */
109
+ interface Permission {
110
+ readonly description?: string;
111
+ readonly name: string;
112
+ }
113
+ /**
114
+ * A role declaration. Roles are string labels attached to the request's
115
+ * identity (via better-auth claims today). `permissions` lists the
116
+ * capabilities the role grants — at request time the middleware unions the
117
+ * permissions of every role in `ctx.auth.roles` so a policy can ask
118
+ * `ctx.auth.can(permission)` rather than enumerate roles.
119
+ */
120
+ interface Role {
121
+ readonly description?: string;
122
+ readonly name: string;
123
+ /** Permissions this role grants — by {@link Permission} object or bare name. */
124
+ readonly permissions?: ReadonlyArray<Permission | string>;
125
+ }
126
+ /**
127
+ * Options for the `rls(policies, options)` middleware. `roles` registers the
128
+ * role→permission grants that back `ctx.auth.can(...)`; a role not listed here
129
+ * grants no permissions (so `can` is conservative — it fails closed for
130
+ * unknown roles).
131
+ */
132
+ interface RlsOptions {
133
+ readonly roles?: ReadonlyArray<Role>;
134
+ }
135
+ export { DefinePolicyInput as D, PolicyOperation as P, Role as R, TypedDefinePolicyInput as T, WhereInput as W, Policy as a, Permission as b, RlsOptions as c, PolicyContext as d, PolicyDecision as e, PolicyDecisionOf as f };
@@ -0,0 +1,135 @@
1
+ import { WhereOf } from "../data-model.mjs";
2
+ /** Structural mirror of `@lunora/do`'s `WhereInput`. */
3
+ interface WhereInput {
4
+ [field: string]: unknown;
5
+ AND?: WhereInput[];
6
+ NOT?: WhereInput;
7
+ OR?: WhereInput[];
8
+ }
9
+ /** Operations a policy can gate. `read` covers `get`/`findMany`/`query`/`count`. */
10
+ type PolicyOperation = "delete" | "insert" | "read" | "update";
11
+ /**
12
+ * A policy's `when` decision:
13
+ *
14
+ * - `WhereInput`: a row-shape predicate. On reads it is AND-merged into every
15
+ * query against the table — the row is invisible unless it matches. On writes
16
+ * it is evaluated against the candidate document (`insert`) or the pre-write
17
+ * row (`update`/`delete`); a mismatch denies the write with
18
+ * `LunoraError("FORBIDDEN")`. Same operator set as the SQL compiler
19
+ * (`eq`/`ne`/`in`/`notIn`/`lt`/`lte`/`gt`/`gte`/`isNull`/`contains` +
20
+ * `AND`/`OR`/`NOT`).
21
+ * - `true`: unrestricted. On reads no predicate is merged; on writes the row is
22
+ * allowed.
23
+ * - `false`: deny. On reads the table is forced to match zero rows (a sentinel
24
+ * predicate); on writes the operation throws `LunoraError("FORBIDDEN")`.
25
+ *
26
+ * Returning `undefined` opts this specific policy out (rare; useful when
27
+ * branching on `ctx.auth.roles`).
28
+ */
29
+ type PolicyDecision = WhereInput | boolean | undefined;
30
+ /**
31
+ * Relation-aware twin of {@link PolicyDecision}, parameterized over the
32
+ * generated `DataModel` (`DM`) + `Relations` (`REL`) maps and a table `T`. A
33
+ * read policy may now return a Prisma-style relation predicate (the
34
+ * `@lunora/do` pre-resolver resolves it via a semijoin), so the typed
35
+ * authoring surface accepts `WhereOf&lt;DM, REL, T>` — column predicates **and**
36
+ * `is`/`isNot`/`some`/`none`/`every` over `T`'s declared relations — in
37
+ * addition to the `boolean`/`undefined` decisions. Used by the project-bound
38
+ * `definePolicy` from `createPolicyDsl`.
39
+ */
40
+ type PolicyDecisionOf<DM, REL extends Record<keyof DM, object>, T extends keyof DM> = WhereOf<DM, REL, T> | boolean | undefined;
41
+ /**
42
+ * Relation-aware input for a project-bound `definePolicy` (see
43
+ * `createPolicyDsl`). `table` is constrained to a real table name and
44
+ * `when`'s return type is the table-specific {@link PolicyDecisionOf} — so an
45
+ * unknown table, a stray column, or a relation predicate naming a relation the
46
+ * table does not declare is a compile error rather than a silent runtime deny.
47
+ */
48
+ interface TypedDefinePolicyInput<DM, REL extends Record<keyof DM, object>, T extends keyof DM, Context = unknown> {
49
+ on: PolicyOperation;
50
+ table: T;
51
+ when: (context: PolicyContext<Context>) => PolicyDecisionOf<DM, REL, T>;
52
+ }
53
+ /**
54
+ * Context handed to a policy. `auth.roles` is the per-request role list,
55
+ * sourced from the identity resolver (better-auth claims today). `auth.can`
56
+ * answers whether any of those roles grants a permission (see
57
+ * {@link Permission} / {@link RlsOptions}). `row` is present only on write
58
+ * policies (`insert`/`update`/`delete`) — for `update` and `delete` it is the
59
+ * pre-write row; for `insert` it is the candidate document. `ctx` is the full
60
+ * procedure context the middleware closed over.
61
+ */
62
+ interface PolicyContext<Context = unknown> {
63
+ readonly auth: {
64
+ /**
65
+ * `true` when any of the request's `roles` grants `permission` (passed
66
+ * by {@link Permission} object or its `name`). Always `false` when no
67
+ * roles were handed to the middleware (`rls(policies, { roles })`), or
68
+ * when none of the request's roles lists the permission.
69
+ */
70
+ readonly can: (permission: Permission | string) => boolean;
71
+ readonly identity?: Record<string, unknown> | null;
72
+ readonly roles: ReadonlyArray<string>;
73
+ readonly userId: null | string;
74
+ };
75
+ readonly ctx: Context;
76
+ readonly row?: Record<string, unknown>;
77
+ }
78
+ /** A registered policy as stored in the policy table. */
79
+ interface Policy<Context = unknown> {
80
+ readonly on: PolicyOperation;
81
+ readonly table: string;
82
+ readonly when: (context: PolicyContext<Context>) => PolicyDecision;
83
+ }
84
+ /**
85
+ * Input accepted by `definePolicy`. The branded result is the same
86
+ * shape; we keep the input/output split so callers can read JSDoc on the
87
+ * constructor without the type re-exposing `Policy` internals.
88
+ */
89
+ interface DefinePolicyInput<Context = unknown> {
90
+ on: PolicyOperation;
91
+ /** Logical table name the policy applies to. */
92
+ table: string;
93
+ /**
94
+ * Decision function. Returning a `WhereInput` (read only) AND-merges the
95
+ * predicate; `true` allows; `false` denies; `undefined` skips this policy.
96
+ *
97
+ * NOTE: `count()` is **unsupported** on a policy-restricted table — the
98
+ * reader throws `LunoraError("COUNT_RLS_UNSUPPORTED")` (422). This mirrors
99
+ * kitcn's documented behavior.
100
+ */
101
+ when: (context: PolicyContext<Context>) => PolicyDecision;
102
+ }
103
+ /**
104
+ * A named, abstract capability a policy can check with `ctx.auth.can(...)`,
105
+ * instead of branching on raw role strings. Declare one with
106
+ * `definePermission`; grant it to a role via {@link Role.permissions};
107
+ * register the roles with the middleware via {@link RlsOptions.roles}.
108
+ */
109
+ interface Permission {
110
+ readonly description?: string;
111
+ readonly name: string;
112
+ }
113
+ /**
114
+ * A role declaration. Roles are string labels attached to the request's
115
+ * identity (via better-auth claims today). `permissions` lists the
116
+ * capabilities the role grants — at request time the middleware unions the
117
+ * permissions of every role in `ctx.auth.roles` so a policy can ask
118
+ * `ctx.auth.can(permission)` rather than enumerate roles.
119
+ */
120
+ interface Role {
121
+ readonly description?: string;
122
+ readonly name: string;
123
+ /** Permissions this role grants — by {@link Permission} object or bare name. */
124
+ readonly permissions?: ReadonlyArray<Permission | string>;
125
+ }
126
+ /**
127
+ * Options for the `rls(policies, options)` middleware. `roles` registers the
128
+ * role→permission grants that back `ctx.auth.can(...)`; a role not listed here
129
+ * grants no permissions (so `can` is conservative — it fails closed for
130
+ * unknown roles).
131
+ */
132
+ interface RlsOptions {
133
+ readonly roles?: ReadonlyArray<Role>;
134
+ }
135
+ export { DefinePolicyInput as D, PolicyOperation as P, Role as R, TypedDefinePolicyInput as T, WhereInput as W, Policy as a, Permission as b, RlsOptions as c, PolicyContext as d, PolicyDecision as e, PolicyDecisionOf as f };
@@ -0,0 +1,63 @@
1
+ import { P as PolicyOperation, R as Role, a as Policy } from "../packem_shared/types.d-DmvyEMD6.mjs";
2
+ import "../data-model.mjs";
3
+ /**
4
+ * The slice of a request identity a policy reads. Mirrors the
5
+ * `PolicyContext.auth` shape the middleware builds at request time — every
6
+ * field is optional and defaults the same way the middleware defaults it
7
+ * (`userId`/`identity` → `null`, `roles` → `[]`).
8
+ */
9
+ interface TestIdentity {
10
+ /** Raw identity claims a policy may branch on (`auth.identity.email`, …). */
11
+ identity?: Record<string, unknown> | null;
12
+ /** Role labels the request carries; resolved to permissions via the harness `roles` registry. */
13
+ roles?: ReadonlyArray<string>;
14
+ /** The caller id (`auth.userId`); `null`/omitted is the anonymous caller. */
15
+ userId?: null | string;
16
+ }
17
+ /** Options for {@link expectPolicy}. */
18
+ interface ExpectPolicyOptions<Context = unknown> {
19
+ /**
20
+ * The procedure context a policy reads via `ctx` (e.g. `ctx.orgId`). Held
21
+ * for the whole harness; pass a fresh `expectPolicy(..., { ctx })` for a
22
+ * different context. Defaults to an empty object.
23
+ */
24
+ ctx?: Context;
25
+ /**
26
+ * Role→permission grants backing `auth.can(...)` — the same registry passed
27
+ * to `rls(policies, { roles })`. A role not listed here grants nothing, so
28
+ * `can(...)` fails closed exactly as it does in production.
29
+ */
30
+ roles?: ReadonlyArray<Role>;
31
+ }
32
+ /** A harness bound to one identity; answers can/cannot for an `(op, table, row)`. */
33
+ interface BoundPolicyAssertion {
34
+ /**
35
+ * Would this identity be **allowed** the operation on `row`?
36
+ *
37
+ * - `read` — is `row` visible? `true` when the table has no read policy (unrestricted), or when the effective read `baseWhere` matches `row`.
38
+ * - `insert` — is the candidate `row` allowed by the insert policies?
39
+ * - `update` / `delete` — is the pre-write `row` allowed? For `update` pass `nextRow` to also assert the post-image (WITH CHECK) — a policy can't be satisfied by the old row while the patch reassigns it to another tenant.
40
+ *
41
+ * A table with **no** policy in the list is unguarded → always `true`
42
+ * (mirrors the middleware passing such tables through unwrapped). A table
43
+ * that participates but declares no policy for the write `op` denies
44
+ * (default-DENY), exactly as the middleware does.
45
+ */
46
+ can: (op: PolicyOperation, table: string, row?: Record<string, unknown>, nextRow?: Record<string, unknown>) => boolean;
47
+ /** Negation of {@link BoundPolicyAssertion.can} — reads more naturally in a denial test. */
48
+ cannot: (op: PolicyOperation, table: string, row?: Record<string, unknown>, nextRow?: Record<string, unknown>) => boolean;
49
+ }
50
+ /** A harness over a policy set; `.as(identity)` binds an identity to assert against. */
51
+ interface PolicyAssertion {
52
+ /** Bind an identity (or `null`/omitted for the anonymous caller) and assert against it. */
53
+ as: (identity?: TestIdentity | null) => BoundPolicyAssertion;
54
+ }
55
+ /**
56
+ * Build an in-process assertion harness over a policy set. Reuses the `rls()`
57
+ * middleware's own evaluation primitives, so an assertion is faithful to
58
+ * request-time behaviour by construction.
59
+ * @param policies the policy list, typically from `definePolicies([...])`.
60
+ * @param options role registry + procedure `ctx` (see {@link ExpectPolicyOptions}).
61
+ */
62
+ declare const expectPolicy: <Context = unknown>(policies: ReadonlyArray<Policy<Context>>, options?: ExpectPolicyOptions<Context>) => PolicyAssertion;
63
+ export { BoundPolicyAssertion, ExpectPolicyOptions, PolicyAssertion, TestIdentity, expectPolicy };
@@ -0,0 +1,63 @@
1
+ import { P as PolicyOperation, R as Role, a as Policy } from "../packem_shared/types.d-BDY0FYHK.js";
2
+ import "../data-model.js";
3
+ /**
4
+ * The slice of a request identity a policy reads. Mirrors the
5
+ * `PolicyContext.auth` shape the middleware builds at request time — every
6
+ * field is optional and defaults the same way the middleware defaults it
7
+ * (`userId`/`identity` → `null`, `roles` → `[]`).
8
+ */
9
+ interface TestIdentity {
10
+ /** Raw identity claims a policy may branch on (`auth.identity.email`, …). */
11
+ identity?: Record<string, unknown> | null;
12
+ /** Role labels the request carries; resolved to permissions via the harness `roles` registry. */
13
+ roles?: ReadonlyArray<string>;
14
+ /** The caller id (`auth.userId`); `null`/omitted is the anonymous caller. */
15
+ userId?: null | string;
16
+ }
17
+ /** Options for {@link expectPolicy}. */
18
+ interface ExpectPolicyOptions<Context = unknown> {
19
+ /**
20
+ * The procedure context a policy reads via `ctx` (e.g. `ctx.orgId`). Held
21
+ * for the whole harness; pass a fresh `expectPolicy(..., { ctx })` for a
22
+ * different context. Defaults to an empty object.
23
+ */
24
+ ctx?: Context;
25
+ /**
26
+ * Role→permission grants backing `auth.can(...)` — the same registry passed
27
+ * to `rls(policies, { roles })`. A role not listed here grants nothing, so
28
+ * `can(...)` fails closed exactly as it does in production.
29
+ */
30
+ roles?: ReadonlyArray<Role>;
31
+ }
32
+ /** A harness bound to one identity; answers can/cannot for an `(op, table, row)`. */
33
+ interface BoundPolicyAssertion {
34
+ /**
35
+ * Would this identity be **allowed** the operation on `row`?
36
+ *
37
+ * - `read` — is `row` visible? `true` when the table has no read policy (unrestricted), or when the effective read `baseWhere` matches `row`.
38
+ * - `insert` — is the candidate `row` allowed by the insert policies?
39
+ * - `update` / `delete` — is the pre-write `row` allowed? For `update` pass `nextRow` to also assert the post-image (WITH CHECK) — a policy can't be satisfied by the old row while the patch reassigns it to another tenant.
40
+ *
41
+ * A table with **no** policy in the list is unguarded → always `true`
42
+ * (mirrors the middleware passing such tables through unwrapped). A table
43
+ * that participates but declares no policy for the write `op` denies
44
+ * (default-DENY), exactly as the middleware does.
45
+ */
46
+ can: (op: PolicyOperation, table: string, row?: Record<string, unknown>, nextRow?: Record<string, unknown>) => boolean;
47
+ /** Negation of {@link BoundPolicyAssertion.can} — reads more naturally in a denial test. */
48
+ cannot: (op: PolicyOperation, table: string, row?: Record<string, unknown>, nextRow?: Record<string, unknown>) => boolean;
49
+ }
50
+ /** A harness over a policy set; `.as(identity)` binds an identity to assert against. */
51
+ interface PolicyAssertion {
52
+ /** Bind an identity (or `null`/omitted for the anonymous caller) and assert against it. */
53
+ as: (identity?: TestIdentity | null) => BoundPolicyAssertion;
54
+ }
55
+ /**
56
+ * Build an in-process assertion harness over a policy set. Reuses the `rls()`
57
+ * middleware's own evaluation primitives, so an assertion is faithful to
58
+ * request-time behaviour by construction.
59
+ * @param policies the policy list, typically from `definePolicies([...])`.
60
+ * @param options role registry + procedure `ctx` (see {@link ExpectPolicyOptions}).
61
+ */
62
+ declare const expectPolicy: <Context = unknown>(policies: ReadonlyArray<Policy<Context>>, options?: ExpectPolicyOptions<Context>) => PolicyAssertion;
63
+ export { BoundPolicyAssertion, ExpectPolicyOptions, PolicyAssertion, TestIdentity, expectPolicy };
@@ -0,0 +1,49 @@
1
+ import { indexRolePermissions, computeReadBaseWhere, matchesWhere, evaluateWrite, permissionName } from '../packem_shared/rls-Zhf5wEeJ.mjs';
2
+
3
+ const expectPolicy = (policies, options = {}) => {
4
+ const rolePermissions = indexRolePermissions(options.roles);
5
+ const context = options.ctx ?? {};
6
+ return {
7
+ as: (identity) => {
8
+ const auth = identity ?? {};
9
+ const roles = auth.roles ?? [];
10
+ const granted = /* @__PURE__ */ new Set();
11
+ for (const roleName of roles) {
12
+ for (const name of rolePermissions.get(roleName) ?? []) {
13
+ granted.add(name);
14
+ }
15
+ }
16
+ const baseContext = {
17
+ auth: {
18
+ can: (permission) => granted.has(permissionName(permission)),
19
+ // eslint-disable-next-line unicorn/no-null -- PolicyContext.auth.identity is a public `… | null` type, mirroring the middleware
20
+ identity: auth.identity ?? null,
21
+ roles,
22
+ // eslint-disable-next-line unicorn/no-null -- PolicyContext.auth.userId is a public `null | string` type, mirroring the middleware
23
+ userId: auth.userId ?? null
24
+ },
25
+ ctx: context
26
+ };
27
+ const can = (op, table, row, nextRow) => {
28
+ const tablePolicies = policies.filter((policy) => policy.table === table);
29
+ if (tablePolicies.length === 0) {
30
+ return true;
31
+ }
32
+ if (op === "read") {
33
+ if (!tablePolicies.some((policy) => policy.on === "read")) {
34
+ return true;
35
+ }
36
+ const baseWhere = computeReadBaseWhere(tablePolicies, baseContext);
37
+ return baseWhere === void 0 || matchesWhere(row ?? {}, baseWhere);
38
+ }
39
+ return evaluateWrite(tablePolicies, op, { ...baseContext, row }, nextRow);
40
+ };
41
+ return {
42
+ can,
43
+ cannot: (op, table, row, nextRow) => !can(op, table, row, nextRow)
44
+ };
45
+ }
46
+ };
47
+ };
48
+
49
+ export { expectPolicy };