@moneypot/hub 0.0.1

package/dist/src/graphql-queries.js

@@ -0,0 +1,123 @@
+import { gql } from "./__generated__/gql.js";
+export const GET_USER_FROM_USER_TOKEN = gql(`
+  mutation GetUserFromUserToken($token: UUID!) {
+    userFromUserToken(input: { token: $token }) {
+      user {
+        id
+        uname
+      }
+      experience {
+        id
+        name
+      }
+    }
+  }
+`);
+export const START_PENDING_EXPERIENCE_TRANSFER = gql(`
+  mutation StartPendingExperienceTransfer(
+    $mpUserId: UUID!
+    $mpExperienceId: UUID!
+    $amount: Int!
+    $currency: String!
+    $metadata: JSON!
+  ) {
+    transferCurrencyExperienceToUser(
+      input: {
+        userId: $mpUserId
+        experienceId: $mpExperienceId
+        amount: $amount
+        currency: $currency
+        metadata: $metadata
+      }
+    ) {
+      result {
+        ... on TransferCurrencyExperienceToUserSuccess {
+          __typename
+          transfer {
+            id
+            status
+          }
+        }
+        ... on TransferMetadataIdExists {
+          __typename
+          transfer {
+            id
+            status
+          }
+        }
+      }
+    }
+  }
+`);
+export const PAGINATE_TRANSFERS = gql(`
+  query PaginateTransfers(
+    $controllerId: UUID!
+    $after: Cursor
+    $limit: Int = 10
+  ) {
+    transfersByHolder(
+      input: {
+        holderId: $controllerId
+        after: $after
+        first: $limit
+        orderBy: ID_ASC
+        type: EXPERIENCE
+      }
+    ) {
+      pageInfo {
+        endCursor
+        hasNextPage
+      }
+      edges {
+        cursor
+        node {
+          __typename
+          id
+          amount
+          status
+          statusAt
+          currencyByCurrency {
+            id
+            displayUnitName
+            displayUnitScale
+          }
+          fromHolderId
+          holderByFromHolderId {
+            __typename
+            id
+            ... on User {
+              uname
+            }
+          }
+          toHolderId
+          holderByToHolderId {
+            __typename
+            id
+            ... on User {
+              uname
+            }
+          }
+          ... on ExperienceTransfer {
+            id
+            experienceId
+            experienceByExperienceId {
+              id
+              name
+            }
+          }
+        }
+      }
+    }
+  }
+`);
+export const GET_CURRENCIES = gql(`
+  query GetCurrencies {
+    allCurrencies {
+      nodes {
+        id
+        displayUnitName
+        displayUnitScale
+      }
+    }
+  }
+`);

package/dist/src/graphql.d.ts

@@ -0,0 +1 @@
+export * from "graphql";

package/dist/src/graphql.js

@@ -0,0 +1 @@
+export * from "graphql";

package/dist/src/index.d.ts

@@ -0,0 +1,15 @@
+import { Express } from "express";
+import { Logger } from "./logger.js";
+export { defaultPlugins, type PluginContext, } from "./server/graphile.config.js";
+export type ServerOptions = {
+    configureApp?: (app: Express) => void;
+    plugins?: readonly GraphileConfig.Plugin[];
+    extraPgSchemas?: string[];
+    exportSchemaSDLPath: string;
+    userDatabaseMigrationsPath?: string;
+    logger?: Logger;
+};
+type ListenInfo = {
+    port: number;
+};
+export declare function startAndListen(options: ServerOptions): Promise<ListenInfo>;

package/dist/src/index.js

@@ -0,0 +1,65 @@
+import PgUpgradeSchema, { DatabaseAheadError, } from "@moneypot/pg-upgrade-schema";
+import * as db from "./db/index.js";
+import config from "./config.js";
+import * as server from "./server/index.js";
+import { initializeTransferProcessors } from "./process-transfers.js";
+import { join } from "path";
+import { logger, setLogger } from "./logger.js";
+export { defaultPlugins, } from "./server/graphile.config.js";
+async function initialize(options) {
+    if (options.logger) {
+        setLogger(options.logger);
+    }
+    const pgClient = db.getPgClient(config.SUPERUSER_DATABASE_URL);
+    await pgClient.connect();
+    try {
+        await PgUpgradeSchema.default({
+            pgClient,
+            dirname: join(import.meta.dirname, "pg-versions"),
+            schemaName: "hub_core_versions",
+        });
+    }
+    catch (e) {
+        logger.error("Error upgrading core schema", e);
+        if (e instanceof DatabaseAheadError) {
+            logger.error("⚠️".repeat(80));
+            logger.error("@moneypot/hub database was reset to prepare for a production release and you must reset your database to continue. Please see <https://www.npmjs.com/package/@moneypot/hub#change-log> for more info.");
+            logger.error("⚠️".repeat(80));
+            process.exit(1);
+        }
+    }
+    if (options.userDatabaseMigrationsPath) {
+        await PgUpgradeSchema.default({
+            pgClient,
+            dirname: options.userDatabaseMigrationsPath,
+            schemaName: "hub_user_versions",
+        });
+    }
+    await pgClient.end();
+    initializeTransferProcessors();
+}
+export async function startAndListen(options) {
+    if (options.userDatabaseMigrationsPath &&
+        !options.userDatabaseMigrationsPath.startsWith("/")) {
+        throw new Error(`userDatabaseMigrationsPath must be an absolute path, got ${options.userDatabaseMigrationsPath}`);
+    }
+    if (!options.exportSchemaSDLPath.startsWith("/")) {
+        throw new Error(`exportSchemaSDLPath must be an absolute path, got ${options.exportSchemaSDLPath}`);
+    }
+    await initialize({
+        userDatabaseMigrationsPath: options.userDatabaseMigrationsPath,
+        logger: options.logger,
+    });
+    return server
+        .listen({
+        configureApp: options.configureApp,
+        plugins: options.plugins,
+        exportSchemaSDLPath: options.exportSchemaSDLPath,
+        extraPgSchemas: options.extraPgSchemas,
+    })
+        .then(() => {
+        return {
+            port: config.PORT,
+        };
+    });
+}

package/dist/src/logger.d.ts

@@ -0,0 +1,9 @@
+export declare class Logger {
+    debug(...args: any[]): void;
+    error(...args: any[]): void;
+    info(...args: any[]): void;
+    trace(...args: any[]): void;
+    warn(...args: any[]): void;
+}
+export declare let logger: Logger;
+export declare function setLogger(instance: Logger): void;

package/dist/src/logger.js

@@ -0,0 +1,21 @@
+export class Logger {
+    debug(...args) {
+        logger.debug(...args);
+    }
+    error(...args) {
+        logger.error(...args);
+    }
+    info(...args) {
+        logger.info(...args);
+    }
+    trace(...args) {
+        logger.trace(...args);
+    }
+    warn(...args) {
+        logger.warn(...args);
+    }
+}
+export let logger = console;
+export function setLogger(instance) {
+    logger = instance;
+}

package/dist/src/pg-versions/001-schema.sql

@@ -0,0 +1,456 @@
+-- Flattened migrations from 001-015
+
+-- Schema Setup
+drop schema if exists public cascade;
+create schema public;
+
+DROP SCHEMA IF EXISTS hub CASCADE;
+CREATE SCHEMA hub;
+
+DROP SCHEMA IF EXISTS hub_hidden CASCADE;
+CREATE SCHEMA hub_hidden;
+
+DROP SCHEMA IF EXISTS hub_secret CASCADE;
+CREATE SCHEMA hub_secret;
+
+create extension if not exists pgcrypto;
+create extension if not exists "uuid-ossp";
+
+
+-- PostgreSQL role setup
+-- We need an app_postgraphile role to exist here so that we can grant it permissions.
+-- The user can either create it themselves before they run the migrations, or they
+-- can update the password after the fact.
+DO $$
+DECLARE
+    random_password text := gen_random_uuid()::text;
+BEGIN
+    IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'app_postgraphile') THEN
+        EXECUTE format('CREATE ROLE app_postgraphile LOGIN PASSWORD %L', random_password);
+    END IF;
+END $$;
+
+-- TODO: We may want an hub_secret for things that postgraphile user can't even do (e.g. things we only manipulate in security definer functions)
+
+-- UUID v7 generation functions
+CREATE OR REPLACE FUNCTION hub_hidden.uuid_generate_v7() RETURNS uuid LANGUAGE plpgsql PARALLEL SAFE AS $$
+  DECLARE
+    -- The current UNIX timestamp in milliseconds
+    unix_time_ms CONSTANT bytea NOT NULL DEFAULT substring(int8send((extract(epoch FROM clock_timestamp()) * 1000)::bigint) from 3);
+
+    -- The buffer used to create the UUID, starting with the UNIX timestamp and followed by random bytes
+    buffer                bytea NOT NULL DEFAULT unix_time_ms || gen_random_bytes(10);
+  BEGIN
+    -- Set most significant 4 bits of 7th byte to 7 (for UUID v7), keeping the last 4 bits unchanged
+    buffer = set_byte(buffer, 6, (b'0111' || get_byte(buffer, 6)::bit(4))::bit(8)::int);
+
+    -- Set most significant 2 bits of 9th byte to 2 (the UUID variant specified in RFC 4122), keeping the last 6 bits unchanged
+    buffer = set_byte(buffer, 8, (b'10'   || get_byte(buffer, 8)::bit(6))::bit(8)::int);
+
+    RETURN encode(buffer, 'hex');
+  END
+$$;
+
+CREATE OR REPLACE FUNCTION extract_timestamp_from_uuid_v7(uuid_v7 UUID) RETURNS TIMESTAMPTZ AS $$
+  SELECT to_timestamp(('x'||replace(uuid_v7::text, '-', ''))::bit(48)::bigint / 1000) AS result;
+$$ LANGUAGE sql IMMUTABLE;
+
+-- Helper functions for RLS
+create or replace function hub_hidden.is_operator() returns boolean as $$
+  select nullif(current_setting('operator.api_key', true), '') is not null;
+$$ language sql stable;
+
+create or replace function hub_hidden.current_user_id() returns uuid as $$
+  select nullif(current_setting('session.user_id', true), '')::uuid;
+$$ language sql stable;
+
+create or replace function hub_hidden.current_casino_id() returns uuid as $$
+  select nullif(current_setting('session.casino_id', true), '')::uuid;
+$$ language sql stable;
+
+create or replace function hub_hidden.current_experience_id() returns uuid as $$
+  select nullif(current_setting('session.experience_id', true), '')::uuid;
+$$ language sql stable;
+
+create or replace function hub_hidden.current_session_id() returns uuid as $$
+  select nullif(current_setting('session.id', true), '')::uuid;
+$$ language sql stable;
+
+-- Enums
+create type hub.transfer_status_kind as enum ('PENDING', 'COMPLETED', 'CANCELED', 'UNCLAIMED', 'EXPIRED');
+
+-- Tables
+CREATE TABLE hub.casino(
+  id          uuid PRIMARY KEY DEFAULT hub_hidden.uuid_generate_v7(),
+  base_url    TEXT NOT NULL, -- todo: this should probably be an array.. 
+  name        TEXT NOT NULL,
+  graphql_url TEXT NOT NULL
+);
+
+create unique index casino_base_url_key on hub.casino(base_url);
+create unique index casino_graphql_url_key on hub.casino(graphql_url);
+
+create table hub.casino_secret(
+  id uuid primary key references hub.casino(id),
+  controller_id uuid not null, -- our controller id in the casino's system
+  api_key uuid not null
+);
+
+create table hub.jwk_set (
+  casino_id uuid primary key references hub.casino(id),
+  jwks jsonb not null,
+  updated_at timestamptz not null default now()
+);
+
+-- For audit/debugging
+create table hub.jwk_set_snapshot (
+  id uuid primary key default hub_hidden.uuid_generate_v7(),
+  casino_id uuid not null references hub.casino(id),
+  jwks jsonb not null
+);
+
+create index jwks_snapshot_casino_id_idx on hub.jwk_set_snapshot(casino_id);
+
+create table hub.api_key (
+  id           uuid primary key default hub_hidden.uuid_generate_v7(),
+  key          uuid unique not null default gen_random_uuid(), -- uuid v4
+  last_used_at timestamptz null,
+  revoked_at   timestamptz null
+);
+
+-- This will get populated from each casino graphql API.
+create table hub.currency(
+  key text not null,
+  casino_id uuid not null references hub.casino(id),
+  display_unit_name text not null,
+  display_unit_scale int not null,
+  primary key (key, casino_id)
+);
+
+create index currency_casino_id_idx on hub.currency(casino_id);
+
+create table hub.user (
+    id              uuid NOT NULL PRIMARY KEY DEFAULT hub_hidden.uuid_generate_v7(),
+    casino_id       uuid NOT NULL references hub.casino(id),
+    mp_user_id uuid NOT NULL,
+    uname           text NOT NULL -- from the casino
+);
+
+-- A user can only represent one mp_user_id (Moneypot record) per MP casino.
+create unique index user_casino_id_mp_user_id_key on hub.user(casino_id, mp_user_id);
+
+create table hub_hidden.transfer_cursor (
+    casino_id uuid primary key references hub.casino(id),
+    cursor text not null
+);
+
+create table hub.experience (
+    id                    uuid NOT NULL PRIMARY KEY DEFAULT hub_hidden.uuid_generate_v7(),
+    casino_id             uuid NOT NULL references hub.casino(id),
+    mp_experience_id  uuid NOT NULL, -- graphql id of experience in MP casino
+    name                  text NOT NULL
+);
+-- An experience can only represent one mp_experience_id (Moneypot record) per MP casino.
+CREATE UNIQUE INDEX experience_casino_id_mp_experience_id_key ON hub.experience(casino_id, mp_experience_id);
+CREATE INDEX experience_mp_experience_id_idx ON hub.experience(mp_experience_id);
+
+create table hub.bankroll (
+  id              uuid NOT NULL PRIMARY KEY DEFAULT hub_hidden.uuid_generate_v7(),
+  casino_id  uuid  NOT NULL references hub.casino(id),
+  currency_key text NOT NULL,
+  amount float8 not null default 0,
+  bets bigint not null default 0,
+  wagered float8 not null default 0,
+  expected_value float8 not null default 0,
+  constraint amount_non_negative check (amount >= 0),
+  foreign key (currency_key, casino_id) references hub.currency(key, casino_id)
+);
+
+CREATE UNIQUE INDEX bankroll_casino_id_currency_key_key ON hub.bankroll(casino_id, currency_key);
+CREATE INDEX bankroll_casino_id_idx ON hub.bankroll(casino_id);
+
+create table hub.session (
+    id uuid primary key default hub_hidden.uuid_generate_v7(), --
+    casino_id  uuid  NOT NULL references hub.casino(id),
+    user_id uuid not null references hub.user(id), -- graphql id of MP user
+    experience_id uuid not null references hub.experience(id), -- graphql id of MP experience
+    user_token uuid not null, -- uuid from MP user_token
+    expired_at timestamptz not null DEFAULT now() + interval '1 year',
+    key UUID NOT NULL DEFAULT gen_random_uuid()
+);
+
+CREATE INDEX session_casino_id_idx ON hub.session(casino_id);
+CREATE INDEX session_user_id_idx ON hub.session(user_id);
+CREATE INDEX session_experience_id_idx ON hub.session(experience_id);
+CREATE UNIQUE INDEX session_user_token_idx ON hub.session(user_token);
+CREATE UNIQUE INDEX session_key_idx ON hub.session(key);
+
+-- MP transfers turn into deposits and withdraws in hub
+create table hub.deposit (
+    id uuid primary key default hub_hidden.uuid_generate_v7(), 
+    casino_id uuid not null references hub.casino(id),
+    mp_transfer_id text not null, -- graphql id for (external) MP casino transfer
+    user_id uuid not null references hub.user(id), 
+    experience_id uuid not null references hub.experience(id), 
+    amount float8 not null check (amount > 0),
+    currency_key text not null,
+    foreign key (currency_key, casino_id) references hub.currency(key, casino_id)
+);
+
+create unique index deposit_casino_id_mp_transfer_id_key on hub.deposit(casino_id, mp_transfer_id);
+CREATE INDEX deposit_user_id_idx ON hub.deposit(user_id);
+CREATE INDEX deposit_experience_id_idx ON hub.deposit(experience_id);
+CREATE INDEX deposit_casino_id_idx ON hub.deposit(casino_id);
+
+create table hub.withdrawal_request (
+  id uuid not null primary key default hub_hidden.uuid_generate_v7(),
+  -- Save all the things we need to make the MP transferCurrencyExperienceToUser request
+  casino_id uuid not null references hub.casino(id),
+  experience_id uuid not null references hub.experience(id),
+  user_id uuid not null references hub.user(id),
+  amount float not null check (amount > 0),
+  currency_key text not null,
+
+  -- This is set once we can confirm the transfer was created in MP 
+  -- while submitting metadata={id: withdrawal_request.id}
+  mp_transfer_id text null,
+
+  foreign key (currency_key, casino_id) references hub.currency(key, casino_id)
+);
+
+CREATE INDEX withdrawal_request_user_id_idx ON hub.withdrawal_request(user_id);
+CREATE INDEX withdrawal_request_experience_id_idx ON hub.withdrawal_request(experience_id);
+CREATE INDEX withdrawal_request_casino_id_idx ON hub.withdrawal_request(casino_id);
+
+CREATE UNIQUE INDEX withdrawal_request_casino_id_mp_transfer_id_key ON hub.withdrawal_request(casino_id, mp_transfer_id) 
+WHERE mp_transfer_id IS NOT NULL;
+
+create table hub.withdrawal (
+    id uuid primary key default hub_hidden.uuid_generate_v7(), 
+    casino_id uuid not null references hub.casino(id), 
+    mp_transfer_id text not null, -- Gets set once we confirm that MP casino has the transfer
+    user_id uuid not null references hub.user(id), 
+    experience_id uuid not null references hub.experience(id), 
+    amount float8 not null check (amount > 0),
+    currency_key text not null,
+    status hub.transfer_status_kind not null,
+    status_at timestamptz not null default now(),
+    withdrawal_request_id uuid not null references hub.withdrawal_request(id),
+    foreign key (currency_key, casino_id) references hub.currency(key, casino_id)
+);
+
+create unique index withdrawal_casino_id_mp_transfer_id_key on hub.withdrawal(casino_id, mp_transfer_id);
+CREATE INDEX withdrawal_user_id_idx ON hub.withdrawal(user_id);
+CREATE INDEX withdrawal_experience_id_idx ON hub.withdrawal(experience_id);
+CREATE UNIQUE INDEX withdrawal_withdrawal_request_id_key ON hub.withdrawal(withdrawal_request_id);
+CREATE INDEX withdrawal_casino_id_idx ON hub.withdrawal(casino_id);
+CREATE INDEX withdrawal_withdrawal_request_id_idx ON hub.withdrawal(withdrawal_request_id);
+
+create table hub.faucet_claim (
+    id uuid primary key default hub_hidden.uuid_generate_v7(),
+    user_id uuid not null references hub.user(id),
+    casino_id uuid not null references hub.casino(id),
+    experience_id uuid not null references hub.experience(id),
+    currency_key text not null,
+    amount float8 not null check (amount > 0),
+    foreign key (currency_key, casino_id) references hub.currency(key, casino_id)
+);
+
+CREATE INDEX faucet_claim_user_id_idx ON hub.faucet_claim(user_id);
+CREATE INDEX faucet_claim_experience_id_idx ON hub.faucet_claim(experience_id);
+CREATE INDEX faucet_claim_casino_id_idx ON hub.faucet_claim(casino_id);
+CREATE INDEX faucet_claim_currency_key_idx ON hub.faucet_claim(currency_key);
+
+-- User balances derived from transfers per experience
+create table hub.balance (
+    casino_id uuid not null references hub.casino(id),
+    user_id uuid not null references hub.user(id),
+    experience_id uuid not null references hub.experience(id),
+    currency_key text not null,
+    amount float8 not null default 0,
+    primary key (casino_id, user_id, experience_id, currency_key),
+    constraint amount_non_negative check (amount >= 0),
+    foreign key (currency_key, casino_id) references hub.currency(key, casino_id)
+);
+
+CREATE INDEX balance_user_id_idx ON hub.balance(user_id);
+CREATE INDEX balance_experience_id_idx ON hub.balance(experience_id);
+CREATE INDEX balance_casino_id_idx ON hub.balance(casino_id);
+
+-- Views
+create view hub.active_session as 
+select * from hub.session where expired_at > now();
+
+-- Triggers
+-- Every time a new casino is inserted, a notification is sent to the channel 'new_casino'
+CREATE OR REPLACE FUNCTION notify_new_casino()
+RETURNS TRIGGER AS $$
+BEGIN
+  PERFORM pg_notify('hub:new_casino', json_build_object(
+    'id', NEW.id
+  )::text);
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER new_casino_trigger
+AFTER INSERT ON hub.casino
+FOR EACH ROW
+EXECUTE FUNCTION notify_new_casino();
+
+CREATE OR REPLACE FUNCTION hub.notify_balance_change() RETURNS TRIGGER AS $$
+BEGIN
+    -- For INSERT operations, always notify
+    IF TG_OP = 'INSERT' THEN
+        PERFORM pg_notify(
+          'hub:user:' || NEW.user_id || ':balance_alert',
+          json_build_object('currency_key', NEW.currency_key)::text
+        );
+    -- For UPDATE operations, only notify if amount changed
+    ELSIF TG_OP = 'UPDATE' AND NEW.amount IS DISTINCT FROM OLD.amount THEN
+        PERFORM pg_notify(
+          'hub:user:' || NEW.user_id || ':balance_alert',
+          json_build_object('currency_key', NEW.currency_key)::text
+        );
+    END IF;
+    
+    -- trigger wants us to return new row
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER balance_change_alert 
+AFTER INSERT OR UPDATE OF amount ON hub.balance
+FOR EACH ROW 
+EXECUTE FUNCTION hub.notify_balance_change();
+
+-- Grants
+grant usage on schema public to app_postgraphile;
+grant usage on schema hub to app_postgraphile;
+-- hub_hidden utils like hub_hidden.current_user_id() should be accessible to app_postgraphile
+grant usage on schema hub_hidden to app_postgraphile;
+
+grant select on table hub.currency to app_postgraphile;
+grant select on table hub.user to app_postgraphile;
+grant select on table hub.experience to app_postgraphile;
+grant select on table hub.bankroll to app_postgraphile;
+grant select on table hub.session to app_postgraphile;
+grant select on table hub.deposit to app_postgraphile;
+grant select on table hub.withdrawal to app_postgraphile;
+grant select on table hub.balance to app_postgraphile;
+grant select on table hub.faucet_claim to app_postgraphile;
+grant select on table hub.casino to app_postgraphile;
+grant select on table hub.active_session to app_postgraphile;
+grant select on table hub.casino_secret to app_postgraphile;
+grant select on table hub.api_key to app_postgraphile;
+grant select on table hub.jwk_set to app_postgraphile;
+grant select on table hub.jwk_set_snapshot to app_postgraphile;
+grant select on table hub.withdrawal_request to app_postgraphile;
+
+grant update on hub.casino to app_postgraphile;
+grant update on table hub.bankroll to app_postgraphile;
+
+-- Row Level Security
+alter table hub.casino enable row level security;
+alter table hub.casino_secret enable row level security;
+alter table hub.user enable row level security;
+alter table hub.bankroll enable row level security;
+alter table hub.experience enable row level security;
+alter table hub.session enable row level security;
+alter table hub.deposit enable row level security;
+alter table hub.withdrawal enable row level security;
+alter table hub.balance enable row level security;
+alter table hub.api_key enable row level security;
+alter table hub.currency enable row level security;
+alter table hub.jwk_set enable row level security;
+alter table hub.jwk_set_snapshot enable row level security;
+alter table hub.withdrawal_request enable row level security;
+alter table hub.faucet_claim enable row level security;
+
+-- RLS Policies
+
+-- PUBLIC POLICIES
+create policy select_casino on hub.casino for select using (true);
+create policy select_currency on hub.currency for select using (true);
+create policy select_bankroll on hub.bankroll for select using (true);
+
+-- OPERATOR-ONLY POLICIES
+create policy select_experience on hub.experience for select using (
+  hub_hidden.is_operator()
+);
+
+create policy select_casino_secret on hub.casino_secret for select using (
+  hub_hidden.is_operator()
+);
+
+create policy select_api_key on hub.api_key for select using (
+  hub_hidden.is_operator()
+);
+
+create policy update_casino on hub.casino for update using (
+  hub_hidden.is_operator()
+);
+
+create policy select_jwks on hub.jwk_set for select using (
+  hub_hidden.is_operator()
+);
+
+create policy select_jwks_snapshot on hub.jwk_set_snapshot for select using (
+  hub_hidden.is_operator()
+);
+
+create policy update_bankroll on hub.bankroll for update using (
+  hub_hidden.is_operator()
+);
+
+-- MIXED-USE POLICIES
+-- NOTE: Since hub.user.id is globally-unique in the hub database, it's a
+-- sufficient authorization check to just use `user_id = hub_hidden.current_user_id()`.
+create policy select_user on hub.user for select using (
+  hub_hidden.is_operator() or (
+    -- Users can only see their own records
+    id = hub_hidden.current_user_id()
+  )
+);
+
+create policy select_balance on hub.balance for select using (
+  hub_hidden.is_operator() OR (
+    -- Users can only see their own records
+    user_id = hub_hidden.current_user_id()
+  )
+);
+
+create policy select_deposit on hub.deposit for select using (
+  hub_hidden.is_operator() OR (
+    -- Users can only see their own records
+    user_id = hub_hidden.current_user_id()
+  )
+);
+
+create policy select_withdrawal on hub.withdrawal for select using (
+  hub_hidden.is_operator() OR (
+    -- Users can only see their own records
+    user_id = hub_hidden.current_user_id()
+  )
+);
+
+create policy select_session on hub.session for select using (
+  hub_hidden.is_operator() OR (
+    -- Users can only see their own records
+    user_id = hub_hidden.current_user_id()
+  )
+);
+
+create policy select_withdrawal_request on hub.withdrawal_request for select using (
+  hub_hidden.is_operator() OR (
+    -- Users can only see their own records
+    user_id = hub_hidden.current_user_id()
+  )
+);
+
+create policy select_faucet_claim on hub.faucet_claim for select using (
+  hub_hidden.is_operator() OR (
+    -- Users can only see their own records
+    user_id = hub_hidden.current_user_id()
+  )
+);

package/dist/src/plugins/caas-add-casino.d.ts

@@ -0,0 +1 @@
+export declare const CaasAddCasinoPlugin: GraphileConfig.Plugin;