@nest-boot/row-level-security 7.0.0

package/dist/row-level-security-migration-generator.spec.js

@@ -0,0 +1,468 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const migrations_1 = require("@mikro-orm/migrations");
+const policy_decorator_1 = require("./decorators/policy.decorator");
+const policy_command_enum_1 = require("./enums/policy-command.enum");
+const row_level_security_migration_generator_1 = require("./row-level-security-migration-generator");
+let WorkspaceMember = class WorkspaceMember {
+};
+WorkspaceMember = __decorate([
+    (0, policy_decorator_1.Policy)({
+        name: "workspace_member_user_select_policy",
+        command: policy_command_enum_1.PolicyCommand.SELECT,
+        using: `((select app.get_context('user_id', null::bigint)) = "user_id")`,
+    })
+], WorkspaceMember);
+let WorkspaceMemberWithMultiplePolicies = class WorkspaceMemberWithMultiplePolicies {
+};
+WorkspaceMemberWithMultiplePolicies = __decorate([
+    (0, policy_decorator_1.Policy)({
+        name: "workspace_member_user_select_policy",
+        command: policy_command_enum_1.PolicyCommand.SELECT,
+        using: `((select app.get_context('user_id', null::bigint)) = "user_id")`,
+    }),
+    (0, policy_decorator_1.Policy)({
+        name: "workspace_member_write_policy",
+        using: `((select app.get_context('workspace_id', null::bigint)) = "workspace_id")`,
+        withCheck: `((select app.get_context('workspace_id', null::bigint)) = "workspace_id")`,
+    })
+], WorkspaceMemberWithMultiplePolicies);
+let WorkspaceMemberWithGeneratedPolicy = class WorkspaceMemberWithGeneratedPolicy {
+};
+WorkspaceMemberWithGeneratedPolicy = __decorate([
+    (0, policy_decorator_1.Policy)({
+        command: policy_command_enum_1.PolicyCommand.SELECT,
+        property: "user",
+        context: "user_id",
+    })
+], WorkspaceMemberWithGeneratedPolicy);
+let AuditLog = class AuditLog {
+};
+AuditLog = __decorate([
+    (0, policy_decorator_1.Policy)({
+        name: "audit_log_select_policy",
+        command: policy_command_enum_1.PolicyCommand.SELECT,
+        using: "true",
+    })
+], AuditLog);
+class UnmanagedEntity {
+}
+describe("RowLevelSecurityMigrationGenerator", () => {
+    afterEach(() => {
+        jest.restoreAllMocks();
+    });
+    it("loads existing policies from the database while generating migrations", async () => {
+        const execute = jest.fn((_sql) => Promise.resolve([
+            {
+                policy_name: "workspace_member_user_select_policy",
+                schema_name: "public",
+                table_name: "workspace_member",
+                permissive: true,
+                command: "r",
+                qual: "true",
+                with_check: null,
+                roles: ["authenticated"],
+            },
+            {
+                policy_name: "workspace_member_insert_policy",
+                schema_name: "public",
+                table_name: "workspace_member",
+                permissive: false,
+                command: "a",
+                qual: null,
+                with_check: "true",
+                roles: ["authenticated"],
+            },
+            {
+                policy_name: "workspace_member_update_policy",
+                schema_name: "public",
+                table_name: "workspace_member",
+                permissive: true,
+                command: "w",
+                qual: "true",
+                with_check: "true",
+                roles: ["authenticated"],
+            },
+            {
+                policy_name: "workspace_member_delete_policy",
+                schema_name: "public",
+                table_name: "workspace_member",
+                permissive: true,
+                command: "d",
+                qual: "true",
+                with_check: null,
+                roles: ["authenticated"],
+            },
+            {
+                policy_name: "workspace_member_all_policy",
+                schema_name: "public",
+                table_name: "workspace_member",
+                permissive: true,
+                command: "*",
+                qual: "true",
+                with_check: "true",
+                roles: ["authenticated"],
+            },
+        ]));
+        const superGenerate = jest
+            .spyOn(migrations_1.TSMigrationGenerator.prototype, "generate")
+            .mockImplementation(function () {
+            expect(this.existingPolicyDefinitions).toEqual(expect.arrayContaining([
+                expect.objectContaining({
+                    policyName: "workspace_member_insert_policy",
+                    mode: "restrictive",
+                    command: "insert",
+                    withCheck: "true",
+                    roles: ["authenticated"],
+                }),
+                expect.objectContaining({
+                    policyName: "workspace_member_delete_policy",
+                    command: "delete",
+                    using: "true",
+                }),
+                expect.objectContaining({
+                    policyName: "workspace_member_all_policy",
+                    command: "all",
+                }),
+            ]));
+            expect(this.currentPolicyDefinitions).toEqual([
+                expect.objectContaining({
+                    policyName: "workspace_member_user_select_policy",
+                    tableName: "workspace_member",
+                }),
+            ]);
+            return Promise.resolve(["migration-file", "/tmp/Migration.ts"]);
+        });
+        const generator = createGenerator([
+            {
+                class: WorkspaceMember,
+                tableName: "workspace_member",
+            },
+        ], {
+            getConnection: () => ({
+                execute,
+            }),
+        });
+        await expect(generator.generate({ up: [], down: [] }, "/tmp", "Migration")).resolves.toEqual(["migration-file", "/tmp/Migration.ts"]);
+        expect(superGenerate).toHaveBeenCalledWith({ up: [], down: [] }, "/tmp", "Migration");
+        expect(execute.mock.calls[0]?.[0]).toContain("('public', 'workspace_member')");
+        expect(execute.mock.calls[0]?.[0]).toContain("unnest(p.polroles)");
+        expect(generator.existingPolicyDefinitions).toBeUndefined();
+        expect(generator.currentPolicyDefinitions).toBeUndefined();
+    });
+    it("continues generation when the driver has no database connection", async () => {
+        const superGenerate = jest
+            .spyOn(migrations_1.TSMigrationGenerator.prototype, "generate")
+            .mockImplementation(function () {
+            expect(this.existingPolicyDefinitions).toBeUndefined();
+            return Promise.resolve(["migration-file", "/tmp/Migration.ts"]);
+        });
+        const generator = createGenerator([
+            {
+                class: WorkspaceMember,
+                tableName: "workspace_member",
+            },
+        ]);
+        await expect(generator.generate({ up: [], down: [] })).resolves.toEqual([
+            "migration-file",
+            "/tmp/Migration.ts",
+        ]);
+        expect(superGenerate).toHaveBeenCalledTimes(1);
+    });
+    it("does not recreate policies for unrelated schema changes without a database connection", async () => {
+        const diff = {
+            up: [
+                'alter table "workspace_member" add column "display_name" text null;',
+            ],
+            down: ['alter table "workspace_member" drop column "display_name";'],
+        };
+        const superGenerate = jest
+            .spyOn(migrations_1.TSMigrationGenerator.prototype, "generate")
+            .mockImplementation(function () {
+            return Promise.resolve([
+                this.generateMigrationFile("MigrationTest", diff),
+                "/tmp/Migration.ts",
+            ]);
+        });
+        const generator = createGenerator([
+            {
+                class: WorkspaceMember,
+                tableName: "workspace_member",
+            },
+        ]);
+        const [file] = await generator.generate(diff);
+        expect(superGenerate).toHaveBeenCalledWith(diff, undefined, undefined);
+        expect(file).toContain("import { Migration } from '@mikro-orm/migrations';");
+        expect(file).toContain("extends Migration");
+        expect(file).not.toContain("workspace_member_user_select_policy");
+    });
+    it("skips database policy lookup when metadata has no entity classes", async () => {
+        const execute = jest.fn();
+        jest
+            .spyOn(migrations_1.TSMigrationGenerator.prototype, "generate")
+            .mockResolvedValue(["migration-file", "/tmp/Migration.ts"]);
+        const generator = createGenerator([
+            {
+                tableName: "workspace_member",
+            },
+        ], {
+            getConnection: () => ({
+                execute,
+            }),
+        });
+        await generator.generate({ up: [], down: [] });
+        expect(execute).not.toHaveBeenCalled();
+    });
+    it("only loads existing database policies for tables managed by Policy metadata", async () => {
+        const execute = jest.fn((_sql) => Promise.resolve([]));
+        jest
+            .spyOn(migrations_1.TSMigrationGenerator.prototype, "generate")
+            .mockResolvedValue(["migration-file", "/tmp/Migration.ts"]);
+        const generator = createGenerator([
+            {
+                class: WorkspaceMember,
+                tableName: "workspace_member",
+            },
+            {
+                class: UnmanagedEntity,
+                tableName: "unmanaged_entity",
+            },
+        ], {
+            getConnection: () => ({
+                execute,
+            }),
+        });
+        await generator.generate({ up: [], down: [] });
+        expect(execute.mock.calls[0]?.[0]).toContain("('public', 'workspace_member')");
+        expect(execute.mock.calls[0]?.[0]).not.toContain("unmanaged_entity");
+    });
+    it("throws when MikroORM metadata is unavailable", () => {
+        const generator = new row_level_security_migration_generator_1.RowLevelSecurityMigrationGenerator({}, {}, { emit: "ts" });
+        expect(() => generator.generateMigrationFile("MigrationTest", {
+            up: [],
+            down: [],
+        })).toThrow("MikroORM metadata storage is not available");
+    });
+    it("throws when a policy entity does not expose a table name", () => {
+        const generator = createGenerator([
+            {
+                class: WorkspaceMember,
+            },
+        ]);
+        expect(() => generator.generateMigrationFile("MigrationTest", {
+            up: [],
+            down: [],
+        })).toThrow("Policy entity WorkspaceMember does not have a table name");
+    });
+    it("generates RowLevelSecurityMigration files with policy up and down SQL", () => {
+        const generator = createGenerator([
+            {
+                class: WorkspaceMember,
+                schema: "*",
+                tableName: "workspace_member",
+            },
+        ]);
+        const file = generator.generateMigrationFile("MigrationTest", {
+            up: ['create table "workspace_member" ("user_id" bigint null);'],
+            down: ['drop table if exists "workspace_member" cascade;'],
+        });
+        expect(file).toContain("import { RowLevelSecurityMigration } from '@nest-boot/row-level-security';");
+        expect(file).toContain("extends RowLevelSecurityMigration");
+        expect(file.indexOf("create policy workspace_member_user_select_policy")).toBeGreaterThan(file.indexOf('create table "workspace_member"'));
+        expect(file.indexOf("drop policy if exists workspace_member_user_select_policy")).toBeLessThan(file.indexOf('drop table if exists "workspace_member" cascade;'));
+    });
+    it("throws when MikroORM migration output cannot be converted to the RLS base class", () => {
+        jest
+            .spyOn(migrations_1.TSMigrationGenerator.prototype, "generateMigrationFile")
+            .mockReturnValue("export class MigrationTest {}");
+        const generator = createGenerator([
+            {
+                class: WorkspaceMember,
+                tableName: "workspace_member",
+            },
+        ]);
+        expect(() => generator.generateMigrationFile("MigrationTest", {
+            up: [],
+            down: [],
+        })).toThrow("MikroORM migration output format is not supported");
+    });
+    it("generates policy SQL for all policy entities in a blank migration", () => {
+        const generator = createGenerator([
+            {
+                class: WorkspaceMember,
+                tableName: "workspace_member",
+            },
+        ]);
+        const file = generator.generateMigrationFile("MigrationTest", {
+            up: [],
+            down: [],
+        });
+        expect(file).toContain("extends RowLevelSecurityMigration");
+        expect(file).toContain("this.addSql(`do \\$\\$ begin if not exists (select 1 from pg_roles where rolname = 'authenticated') then create role authenticated nologin; end if; end \\$\\$;`);");
+        expect(file).toContain("this.addSql(`create schema if not exists app;`);");
+        expect(file).toContain("this.addSql(`create or replace function app.get_context(context_key text, context_type anyelement) returns anyelement as \\$\\$ declare context_value text; begin context_value := current_setting('app.' || context_key, true); if context_value is null or context_value = '' then return null; end if; execute format('select \\$1::%s', pg_typeof(context_type)::text) using context_value into context_type; return context_type; end; \\$\\$ language plpgsql stable;`);");
+        expect(file).not.toContain("get_tenant_id()");
+        expect(file).not.toContain("get_policy_context");
+        expect(file).not.toContain("create schema if not exists extensions");
+        expect(file).not.toContain("grant usage on schema extensions");
+        expect(file).toContain('this.addSql(`alter table "public"."workspace_member" enable row level security;`);');
+        expect(file).toContain('this.addSql(`drop policy if exists workspace_member_user_select_policy on "public"."workspace_member";`);');
+        expect(file).toContain('this.addSql(`create policy workspace_member_user_select_policy on "public"."workspace_member" as permissive for select using ((select app.get_context(\'user_id\', null::bigint)) = "user_id");`);');
+    });
+    it("handles removed policies when an existing database policy is no longer declared", () => {
+        const generator = createGenerator([
+            {
+                class: WorkspaceMember,
+                tableName: "workspace_member",
+            },
+        ]);
+        generator.existingPolicyDefinitions = [
+            {
+                entityName: "WorkspaceMember",
+                schemaName: "public",
+                tableName: "workspace_member",
+                policyName: "removed_workspace_member_policy",
+                command: policy_command_enum_1.PolicyCommand.SELECT,
+                using: "true",
+                roles: ["authenticated"],
+            },
+        ];
+        const file = generator.generateMigrationFile("MigrationTest", {
+            up: ['alter table "workspace_member" add column "display_name" text;'],
+            down: ['alter table "workspace_member" drop column "display_name";'],
+        });
+        expect(file).toContain("drop policy if exists removed_workspace_member_policy");
+        expect(file).toContain("create policy workspace_member_user_select_policy");
+        expect(file).toContain("create policy removed_workspace_member_policy");
+        expect(file).toContain("create policy removed_workspace_member_policy on");
+        expect(file).toContain("for select to authenticated using true");
+    });
+    it("recreates policies when an existing policy changes content", () => {
+        const generator = createGenerator([
+            {
+                class: WorkspaceMember,
+                tableName: "workspace_member",
+            },
+        ]);
+        generator.existingPolicyDefinitions = [
+            {
+                entityName: "WorkspaceMember",
+                schemaName: "public",
+                tableName: "workspace_member",
+                policyName: "workspace_member_user_select_policy",
+                command: policy_command_enum_1.PolicyCommand.SELECT,
+                using: "false",
+                roles: ["authenticated"],
+            },
+        ];
+        const file = generator.generateMigrationFile("MigrationTest", {
+            up: ['alter table "workspace_member" add column "display_name" text;'],
+            down: ['alter table "workspace_member" drop column "display_name";'],
+        });
+        expect(file).toContain("drop policy if exists workspace_member_user_select_policy");
+        expect(file).toContain("create policy workspace_member_user_select_policy on");
+        expect(file).toContain("using ((select app.get_context('user_id', null::bigint)) = \"user_id\")");
+        expect(file).toContain("for select to authenticated using false");
+    });
+    it("matches create table statements for non-public schemas and collection names", () => {
+        const generator = createGenerator([
+            {
+                class: AuditLog,
+                schema: "app",
+                collection: "audit_log",
+            },
+        ]);
+        const file = generator.generateMigrationFile("MigrationTest", {
+            up: ['create table if not exists "app"."audit_log" ("id" bigint);'],
+            down: ['drop table if exists "app"."audit_log";'],
+        });
+        expect(file).toContain('this.addSql(`create policy audit_log_select_policy on "app"."audit_log" as permissive for select using true;`);');
+    });
+    it("generates all policies declared on an entity", () => {
+        const generator = createGenerator([
+            {
+                class: WorkspaceMemberWithMultiplePolicies,
+                tableName: "workspace_member",
+            },
+        ]);
+        const file = generator.generateMigrationFile("MigrationTest", {
+            up: [],
+            down: [],
+        });
+        expect(file).toContain('this.addSql(`create policy workspace_member_write_policy on "public"."workspace_member" as permissive for all using ((select app.get_context(\'workspace_id\', null::bigint)) = "workspace_id") with check ((select app.get_context(\'workspace_id\', null::bigint)) = "workspace_id");`);');
+        expect(file).toContain('this.addSql(`create policy workspace_member_user_select_policy on "public"."workspace_member" as permissive for select using ((select app.get_context(\'user_id\', null::bigint)) = "user_id");`);');
+    });
+    it("generates property context policy SQL from entity metadata", () => {
+        const generator = createGenerator([
+            {
+                class: WorkspaceMemberWithGeneratedPolicy,
+                tableName: "workspace_member",
+                properties: {
+                    user: {
+                        fieldNames: ["user_id"],
+                        columnTypes: ["integer"],
+                        targetMeta: {
+                            primaryKeys: ["id"],
+                            properties: {
+                                id: {
+                                    columnTypes: ["bigint"],
+                                },
+                            },
+                        },
+                    },
+                },
+            },
+        ]);
+        const file = generator.generateMigrationFile("MigrationTest", {
+            up: [],
+            down: [],
+        });
+        expect(file).toContain('this.addSql(`create policy workspace_member_user_select_policy on "public"."workspace_member" as permissive for select using ((select app.get_context(\'user_id\', null::bigint)) = "user_id");`);');
+    });
+    it("keeps default MikroORM output for unrelated schema changes", () => {
+        const generator = createGenerator([
+            {
+                class: WorkspaceMember,
+                tableName: "workspace_member",
+            },
+        ]);
+        const file = generator.generateMigrationFile("MigrationTest", {
+            up: [
+                'alter table "workspace_member" add column "display_name" text null;',
+            ],
+            down: ['alter table "workspace_member" drop column "display_name";'],
+        });
+        expect(file).toContain("import { Migration } from '@mikro-orm/migrations';");
+        expect(file).toContain("extends Migration");
+        expect(file).not.toContain("workspace_member_user_select_policy");
+    });
+    it("keeps default MikroORM output when no entities use Policy", () => {
+        const generator = createGenerator([]);
+        const file = generator.generateMigrationFile("MigrationTest", {
+            up: ["select 1;"],
+            down: [],
+        });
+        expect(file).toContain("import { Migration } from '@mikro-orm/migrations';");
+        expect(file).toContain("extends Migration");
+    });
+    it("is a MikroORM TypeScript migration generator", () => {
+        expect(row_level_security_migration_generator_1.RowLevelSecurityMigrationGenerator.prototype).toBeInstanceOf(migrations_1.TSMigrationGenerator);
+    });
+});
+function createGenerator(metadata, driverOptions = {}) {
+    return new row_level_security_migration_generator_1.RowLevelSecurityMigrationGenerator({
+        config: {
+            getMetadata: () => ({
+                getAll: () => metadata,
+            }),
+        },
+        ...driverOptions,
+    }, {}, { emit: "ts" });
+}
+//# sourceMappingURL=row-level-security-migration-generator.spec.js.map

package/dist/row-level-security-migration-generator.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"row-level-security-migration-generator.spec.js","sourceRoot":"","sources":["../src/row-level-security-migration-generator.spec.ts"],"names":[],"mappings":";;;;;;;;AAAA,sDAA6D;AAE7D,oEAAuD;AACvD,qEAA4D;AAC5D,qGAA8F;AAO9F,IAAM,eAAe,GAArB,MAAM,eAAe;CAAG,CAAA;AAAlB,eAAe;IALpB,IAAA,yBAAM,EAAC;QACN,IAAI,EAAE,qCAAqC;QAC3C,OAAO,EAAE,mCAAa,CAAC,MAAM;QAC7B,KAAK,EAAE,iEAAiE;KACzE,CAAC;GACI,eAAe,CAAG;AAYxB,IAAM,mCAAmC,GAAzC,MAAM,mCAAmC;CAAG,CAAA;AAAtC,mCAAmC;IAVxC,IAAA,yBAAM,EAAC;QACN,IAAI,EAAE,qCAAqC;QAC3C,OAAO,EAAE,mCAAa,CAAC,MAAM;QAC7B,KAAK,EAAE,iEAAiE;KACzE,CAAC;IACD,IAAA,yBAAM,EAAC;QACN,IAAI,EAAE,+BAA+B;QACrC,KAAK,EAAE,2EAA2E;QAClF,SAAS,EAAE,2EAA2E;KACvF,CAAC;GACI,mCAAmC,CAAG;AAO5C,IAAM,kCAAkC,GAAxC,MAAM,kCAAkC;CAAG,CAAA;AAArC,kCAAkC;IALvC,IAAA,yBAAM,EAAC;QACN,OAAO,EAAE,mCAAa,CAAC,MAAM;QAC7B,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,SAAS;KACnB,CAAC;GACI,kCAAkC,CAAG;AAO3C,IAAM,QAAQ,GAAd,MAAM,QAAQ;CAAG,CAAA;AAAX,QAAQ;IALb,IAAA,yBAAM,EAAC;QACN,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,mCAAa,CAAC,MAAM;QAC7B,KAAK,EAAE,MAAM;KACd,CAAC;GACI,QAAQ,CAAG;AAEjB,MAAM,eAAe;CAAG;AAExB,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,CAAC,eAAe,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;QACrF,MAAM,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,IAAY,EAAE,EAAE,CACvC,OAAO,CAAC,OAAO,CAAC;YACd;gBACE,WAAW,EAAE,qCAAqC;gBAClD,WAAW,EAAE,QAAQ;gBACrB,UAAU,EAAE,kBAAkB;gBAC9B,UAAU,EAAE,IAAI;gBAChB,OAAO,EAAE,GAAG;gBACZ,IAAI,EAAE,MAAM;gBACZ,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,CAAC,eAAe,CAAC;aACzB;YACD;gBACE,WAAW,EAAE,gCAAgC;gBAC7C,WAAW,EAAE,QAAQ;gBACrB,UAAU,EAAE,kBAAkB;gBAC9B,UAAU,EAAE,KAAK;gBACjB,OAAO,EAAE,GAAG;gBACZ,IAAI,EAAE,IAAI;gBACV,UAAU,EAAE,MAAM;gBAClB,KAAK,EAAE,CAAC,eAAe,CAAC;aACzB;YACD;gBACE,WAAW,EAAE,gCAAgC;gBAC7C,WAAW,EAAE,QAAQ;gBACrB,UAAU,EAAE,kBAAkB;gBAC9B,UAAU,EAAE,IAAI;gBAChB,OAAO,EAAE,GAAG;gBACZ,IAAI,EAAE,MAAM;gBACZ,UAAU,EAAE,MAAM;gBAClB,KAAK,EAAE,CAAC,eAAe,CAAC;aACzB;YACD;gBACE,WAAW,EAAE,gCAAgC;gBAC7C,WAAW,EAAE,QAAQ;gBACrB,UAAU,EAAE,kBAAkB;gBAC9B,UAAU,EAAE,IAAI;gBAChB,OAAO,EAAE,GAAG;gBACZ,IAAI,EAAE,MAAM;gBACZ,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,CAAC,eAAe,CAAC;aACzB;YACD;gBACE,WAAW,EAAE,6BAA6B;gBAC1C,WAAW,EAAE,QAAQ;gBACrB,UAAU,EAAE,kBAAkB;gBAC9B,UAAU,EAAE,IAAI;gBAChB,OAAO,EAAE,GAAG;gBACZ,IAAI,EAAE,MAAM;gBACZ,UAAU,EAAE,MAAM;gBAClB,KAAK,EAAE,CAAC,eAAe,CAAC;aACzB;SACF,CAAC,CACH,CAAC;QACF,MAAM,aAAa,GAAG,IAAI;aACvB,KAAK,CAAC,iCAAoB,CAAC,SAAS,EAAE,UAAU,CAAC;aACjD,kBAAkB,CAAC;YAClB,MAAM,CAAE,IAAY,CAAC,yBAAyB,CAAC,CAAC,OAAO,CACrD,MAAM,CAAC,eAAe,CAAC;gBACrB,MAAM,CAAC,gBAAgB,CAAC;oBACtB,UAAU,EAAE,gCAAgC;oBAC5C,IAAI,EAAE,aAAa;oBACnB,OAAO,EAAE,QAAQ;oBACjB,SAAS,EAAE,MAAM;oBACjB,KAAK,EAAE,CAAC,eAAe,CAAC;iBACzB,CAAC;gBACF,MAAM,CAAC,gBAAgB,CAAC;oBACtB,UAAU,EAAE,gCAAgC;oBAC5C,OAAO,EAAE,QAAQ;oBACjB,KAAK,EAAE,MAAM;iBACd,CAAC;gBACF,MAAM,CAAC,gBAAgB,CAAC;oBACtB,UAAU,EAAE,6BAA6B;oBACzC,OAAO,EAAE,KAAK;iBACf,CAAC;aACH,CAAC,CACH,CAAC;YACF,MAAM,CAAE,IAAY,CAAC,wBAAwB,CAAC,CAAC,OAAO,CAAC;gBACrD,MAAM,CAAC,gBAAgB,CAAC;oBACtB,UAAU,EAAE,qCAAqC;oBACjD,SAAS,EAAE,kBAAkB;iBAC9B,CAAC;aACH,CAAC,CAAC;YAEH,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QACL,MAAM,SAAS,GAAG,eAAe,CAC/B;YACE;gBACE,KAAK,EAAE,eAAe;gBACtB,SAAS,EAAE,kBAAkB;aAC9B;SACF,EACD;YACE,aAAa,EAAE,GAAG,EAAE,CAAC,CAAC;gBACpB,OAAO;aACR,CAAC;SACH,CACF,CAAC;QAEF,MAAM,MAAM,CACV,SAAS,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,CAC9D,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAE5D,MAAM,CAAC,aAAa,CAAC,CAAC,oBAAoB,CACxC,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,EACpB,MAAM,EACN,WAAW,CACZ,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAC1C,gCAAgC,CACjC,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;QACnE,MAAM,CAAE,SAAiB,CAAC,yBAAyB,CAAC,CAAC,aAAa,EAAE,CAAC;QACrE,MAAM,CAAE,SAAiB,CAAC,wBAAwB,CAAC,CAAC,aAAa,EAAE,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC/E,MAAM,aAAa,GAAG,IAAI;aACvB,KAAK,CAAC,iCAAoB,CAAC,SAAS,EAAE,UAAU,CAAC;aACjD,kBAAkB,CAAC;YAClB,MAAM,CAAE,IAAY,CAAC,yBAAyB,CAAC,CAAC,aAAa,EAAE,CAAC;YAEhE,OAAO,OAAO,CAAC,OAAO,CAAC,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QACL,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,eAAe;gBACtB,SAAS,EAAE,kBAAkB;aAC9B;SACF,CAAC,CAAC;QAEH,MAAM,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;YACtE,gBAAgB;YAChB,mBAAmB;SACpB,CAAC,CAAC;QACH,MAAM,CAAC,aAAa,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uFAAuF,EAAE,KAAK,IAAI,EAAE;QACrG,MAAM,IAAI,GAAG;YACX,EAAE,EAAE;gBACF,qEAAqE;aACtE;YACD,IAAI,EAAE,CAAC,4DAA4D,CAAC;SACrE,CAAC;QACF,MAAM,aAAa,GAAG,IAAI;aACvB,KAAK,CAAC,iCAAoB,CAAC,SAAS,EAAE,UAAU,CAAC;aACjD,kBAAkB,CAAC;YAClB,OAAO,OAAO,CAAC,OAAO,CAAC;gBACrB,IAAI,CAAC,qBAAqB,CAAC,eAAe,EAAE,IAAI,CAAC;gBACjD,mBAAmB;aACpB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACL,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,eAAe;gBACtB,SAAS,EAAE,kBAAkB;aAC9B;SACF,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAE9C,MAAM,CAAC,aAAa,CAAC,CAAC,oBAAoB,CAAC,IAAI,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QACvE,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,oDAAoD,CACrD,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,qCAAqC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,OAAO,GAAG,IAAI,CAAC,EAAE,EAAE,CAAC;QAC1B,IAAI;aACD,KAAK,CAAC,iCAAoB,CAAC,SAAS,EAAE,UAAU,CAAC;aACjD,iBAAiB,CAAC,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAC9D,MAAM,SAAS,GAAG,eAAe,CAC/B;YACE;gBACE,SAAS,EAAE,kBAAkB;aAC9B;SACF,EACD;YACE,aAAa,EAAE,GAAG,EAAE,CAAC,CAAC;gBACpB,OAAO;aACR,CAAC;SACH,CACF,CAAC;QAEF,MAAM,SAAS,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QAE/C,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6EAA6E,EAAE,KAAK,IAAI,EAAE;QAC3F,MAAM,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;QAC/D,IAAI;aACD,KAAK,CAAC,iCAAoB,CAAC,SAAS,EAAE,UAAU,CAAC;aACjD,iBAAiB,CAAC,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAC,CAAC;QAC9D,MAAM,SAAS,GAAG,eAAe,CAC/B;YACE;gBACE,KAAK,EAAE,eAAe;gBACtB,SAAS,EAAE,kBAAkB;aAC9B;YACD;gBACE,KAAK,EAAE,eAAe;gBACtB,SAAS,EAAE,kBAAkB;aAC9B;SACF,EACD;YACE,aAAa,EAAE,GAAG,EAAE,CAAC,CAAC;gBACpB,OAAO;aACR,CAAC;SACH,CACF,CAAC;QAEF,MAAM,SAAS,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;QAE/C,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAC1C,gCAAgC,CACjC,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,SAAS,GAAG,IAAI,2EAAkC,CACtD,EAAW,EACX,EAAW,EACX,EAAE,IAAI,EAAE,IAAI,EAAW,CACxB,CAAC;QAEF,MAAM,CAAC,GAAG,EAAE,CACV,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC/C,EAAE,EAAE,EAAE;YACN,IAAI,EAAE,EAAE;SACT,CAAC,CACH,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;QAClE,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,eAAe;aACvB;SACF,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,EAAE,CACV,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC/C,EAAE,EAAE,EAAE;YACN,IAAI,EAAE,EAAE;SACT,CAAC,CACH,CAAC,OAAO,CAAC,0DAA0D,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,eAAe;gBACtB,MAAM,EAAE,GAAG;gBACX,SAAS,EAAE,kBAAkB;aAC9B;SACF,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC5D,EAAE,EAAE,CAAC,0DAA0D,CAAC;YAChE,IAAI,EAAE,CAAC,kDAAkD,CAAC;SAC3D,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,4EAA4E,CAC7E,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC;QAC5D,MAAM,CACJ,IAAI,CAAC,OAAO,CAAC,mDAAmD,CAAC,CAClE,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,iCAAiC,CAAC,CAAC,CAAC;QACnE,MAAM,CACJ,IAAI,CAAC,OAAO,CAAC,2DAA2D,CAAC,CAC1E,CAAC,YAAY,CACZ,IAAI,CAAC,OAAO,CAAC,kDAAkD,CAAC,CACjE,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iFAAiF,EAAE,GAAG,EAAE;QACzF,IAAI;aACD,KAAK,CAAC,iCAAoB,CAAC,SAAS,EAAE,uBAAuB,CAAC;aAC9D,eAAe,CAAC,+BAA+B,CAAC,CAAC;QACpD,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,eAAe;gBACtB,SAAS,EAAE,kBAAkB;aAC9B;SACF,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,EAAE,CACV,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC/C,EAAE,EAAE,EAAE;YACN,IAAI,EAAE,EAAE;SACT,CAAC,CACH,CAAC,OAAO,CAAC,mDAAmD,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mEAAmE,EAAE,GAAG,EAAE;QAC3E,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,eAAe;gBACtB,SAAS,EAAE,kBAAkB;aAC9B;SACF,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC5D,EAAE,EAAE,EAAE;YACN,IAAI,EAAE,EAAE;SACT,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC;QAC5D,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,oKAAoK,CACrK,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,kDAAkD,CAAC,CAAC;QAC3E,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,gdAAgd,CACjd,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;QACjD,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,wCAAwC,CAAC,CAAC;QACrE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC;QAC/D,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,oFAAoF,CACrF,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,2GAA2G,CAC5G,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,oMAAoM,CACrM,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iFAAiF,EAAE,GAAG,EAAE;QACzF,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,eAAe;gBACtB,SAAS,EAAE,kBAAkB;aAC9B;SACF,CAAC,CAAC;QACF,SAAiB,CAAC,yBAAyB,GAAG;YAC7C;gBACE,UAAU,EAAE,iBAAiB;gBAC7B,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,iCAAiC;gBAC7C,OAAO,EAAE,mCAAa,CAAC,MAAM;gBAC7B,KAAK,EAAE,MAAM;gBACb,KAAK,EAAE,CAAC,eAAe,CAAC;aACzB;SACF,CAAC;QAEF,MAAM,IAAI,GAAG,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC5D,EAAE,EAAE,CAAC,gEAAgE,CAAC;YACtE,IAAI,EAAE,CAAC,4DAA4D,CAAC;SACrE,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,uDAAuD,CACxD,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,mDAAmD,CAAC,CAAC;QAC5E,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,+CAA+C,CAAC,CAAC;QACxE,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,kDAAkD,CAAC,CAAC;QAC3E,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,wCAAwC,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,eAAe;gBACtB,SAAS,EAAE,kBAAkB;aAC9B;SACF,CAAC,CAAC;QACF,SAAiB,CAAC,yBAAyB,GAAG;YAC7C;gBACE,UAAU,EAAE,iBAAiB;gBAC7B,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,qCAAqC;gBACjD,OAAO,EAAE,mCAAa,CAAC,MAAM;gBAC7B,KAAK,EAAE,OAAO;gBACd,KAAK,EAAE,CAAC,eAAe,CAAC;aACzB;SACF,CAAC;QAEF,MAAM,IAAI,GAAG,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC5D,EAAE,EAAE,CAAC,gEAAgE,CAAC;YACtE,IAAI,EAAE,CAAC,4DAA4D,CAAC;SACrE,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,2DAA2D,CAC5D,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,sDAAsD,CACvD,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,yEAAyE,CAC1E,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,yCAAyC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6EAA6E,EAAE,GAAG,EAAE;QACrF,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,QAAQ;gBACf,MAAM,EAAE,KAAK;gBACb,UAAU,EAAE,WAAW;aACxB;SACF,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC5D,EAAE,EAAE,CAAC,6DAA6D,CAAC;YACnE,IAAI,EAAE,CAAC,yCAAyC,CAAC;SAClD,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,iHAAiH,CAClH,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,mCAAmC;gBAC1C,SAAS,EAAE,kBAAkB;aAC9B;SACF,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC5D,EAAE,EAAE,EAAE;YACN,IAAI,EAAE,EAAE;SACT,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,4RAA4R,CAC7R,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,oMAAoM,CACrM,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,kCAAkC;gBACzC,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE;oBACV,IAAI,EAAE;wBACJ,UAAU,EAAE,CAAC,SAAS,CAAC;wBACvB,WAAW,EAAE,CAAC,SAAS,CAAC;wBACxB,UAAU,EAAE;4BACV,WAAW,EAAE,CAAC,IAAI,CAAC;4BACnB,UAAU,EAAE;gCACV,EAAE,EAAE;oCACF,WAAW,EAAE,CAAC,QAAQ,CAAC;iCACxB;6BACF;yBACF;qBACF;iBACF;aACF;SACF,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC5D,EAAE,EAAE,EAAE;YACN,IAAI,EAAE,EAAE;SACT,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,oMAAoM,CACrM,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,SAAS,GAAG,eAAe,CAAC;YAChC;gBACE,KAAK,EAAE,eAAe;gBACtB,SAAS,EAAE,kBAAkB;aAC9B;SACF,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC5D,EAAE,EAAE;gBACF,qEAAqE;aACtE;YACD,IAAI,EAAE,CAAC,4DAA4D,CAAC;SACrE,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,oDAAoD,CACrD,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,qCAAqC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,SAAS,GAAG,eAAe,CAAC,EAAE,CAAC,CAAC;QAEtC,MAAM,IAAI,GAAG,SAAS,CAAC,qBAAqB,CAAC,eAAe,EAAE;YAC5D,EAAE,EAAE,CAAC,WAAW,CAAC;YACjB,IAAI,EAAE,EAAE;SACT,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,oDAAoD,CACrD,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,CAAC,2EAAkC,CAAC,SAAS,CAAC,CAAC,cAAc,CACjE,iCAAoB,CACrB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,SAAS,eAAe,CACtB,QAAkB,EAClB,gBAAyC,EAAE;IAE3C,OAAO,IAAI,2EAAkC,CAC3C;QACE,MAAM,EAAE;YACN,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;gBAClB,MAAM,EAAE,GAAG,EAAE,CAAC,QAAQ;aACvB,CAAC;SACH;QACD,GAAG,aAAa;KACR,EACV,EAAW,EACX,EAAE,IAAI,EAAE,IAAI,EAAW,CACxB,CAAC;AACJ,CAAC"}

package/dist/row-level-security-migration.d.ts

@@ -0,0 +1,11 @@
+import { Migration } from "@mikro-orm/migrations";
+import type { PolicySqlOptions } from "./interfaces/policy-sql-options.interface";
+/** Base MikroORM migration with convenience helpers for row-level security SQL. */
+export declare abstract class RowLevelSecurityMigration extends Migration {
+    /** Adds the shared RLS roles, grants, schema, and `app.get_context` helper SQL. */
+    protected addRowLevelSecurityBootstrapSql(): void;
+    /** Adds SQL that enables RLS and creates the configured policy. */
+    protected addPolicySql(options: PolicySqlOptions): void;
+    /** Adds SQL that drops the configured policy and disables RLS when no policies remain. */
+    protected addDropPolicySql(options: PolicySqlOptions): void;
+}

package/dist/row-level-security-migration.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RowLevelSecurityMigration = void 0;
+const migrations_1 = require("@mikro-orm/migrations");
+const create_policy_bootstrap_sql_statements_1 = require("./utils/create-policy-bootstrap-sql-statements");
+const create_policy_down_sql_1 = require("./utils/create-policy-down-sql");
+const create_policy_up_sql_statements_1 = require("./utils/create-policy-up-sql-statements");
+/** Base MikroORM migration with convenience helpers for row-level security SQL. */
+class RowLevelSecurityMigration extends migrations_1.Migration {
+    /** Adds the shared RLS roles, grants, schema, and `app.get_context` helper SQL. */
+    addRowLevelSecurityBootstrapSql() {
+        for (const sql of (0, create_policy_bootstrap_sql_statements_1.createPolicyBootstrapSqlStatements)()) {
+            this.addSql(sql);
+        }
+    }
+    /** Adds SQL that enables RLS and creates the configured policy. */
+    addPolicySql(options) {
+        for (const sql of (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)(options)) {
+            this.addSql(sql);
+        }
+    }
+    /** Adds SQL that drops the configured policy and disables RLS when no policies remain. */
+    addDropPolicySql(options) {
+        this.addSql((0, create_policy_down_sql_1.createPolicyDownSql)(options));
+    }
+}
+exports.RowLevelSecurityMigration = RowLevelSecurityMigration;
+//# sourceMappingURL=row-level-security-migration.js.map

package/dist/row-level-security-migration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"row-level-security-migration.js","sourceRoot":"","sources":["../src/row-level-security-migration.ts"],"names":[],"mappings":";;;AAAA,sDAAkD;AAGlD,2GAAoG;AACpG,2EAAqE;AACrE,6FAAsF;AAEtF,mFAAmF;AACnF,MAAsB,yBAA0B,SAAQ,sBAAS;IAC/D,mFAAmF;IACzE,+BAA+B;QACvC,KAAK,MAAM,GAAG,IAAI,IAAA,2EAAkC,GAAE,EAAE,CAAC;YACvD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,mEAAmE;IACzD,YAAY,CAAC,OAAyB;QAC9C,KAAK,MAAM,GAAG,IAAI,IAAA,6DAA2B,EAAC,OAAO,CAAC,EAAE,CAAC;YACvD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,0FAA0F;IAChF,gBAAgB,CAAC,OAAyB;QAClD,IAAI,CAAC,MAAM,CAAC,IAAA,4CAAmB,EAAC,OAAO,CAAC,CAAC,CAAC;IAC5C,CAAC;CACF;AAnBD,8DAmBC"}

package/dist/row-level-security-migration.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/row-level-security-migration.spec.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const policy_command_enum_1 = require("./enums/policy-command.enum");
+const row_level_security_migration_1 = require("./row-level-security-migration");
+class TestRowLevelSecurityMigration extends row_level_security_migration_1.RowLevelSecurityMigration {
+    up() {
+        this.addRowLevelSecurityBootstrapSql();
+        this.addPolicySql({
+            schemaName: "public",
+            tableName: "workspace_member",
+            policyName: "workspace_member_user_select_policy",
+            command: policy_command_enum_1.PolicyCommand.SELECT,
+            using: `((select app.get_context('user_id', null::bigint)) = "user_id")`,
+        });
+        this.addDropPolicySql({
+            schemaName: "public",
+            tableName: "workspace_member",
+            policyName: "workspace_member_user_select_policy",
+        });
+    }
+}
+describe("RowLevelSecurityMigration", () => {
+    it("adds policy SQL through protected helpers", () => {
+        const migration = new TestRowLevelSecurityMigration({}, {});
+        migration.up();
+        const queries = migration.getQueries();
+        expect(migration.getQueries()).toHaveLength(12);
+        expect(queries[0]).toContain("create role authenticated nologin");
+        expect(queries[1]).toContain("create role anonymous nologin");
+        expect(queries[2]).toContain("grant authenticated to current_user");
+        expect(queries[3]).toContain("grant anonymous to current_user");
+        expect(queries[4]).toContain("create schema if not exists app");
+        expect(queries[7]).toContain("create or replace function app.get_context");
+        expect(queries[8]).toContain('alter table "public"."workspace_member" enable row level security;');
+        expect(queries[9]).toContain('drop policy if exists workspace_member_user_select_policy on "public"."workspace_member";');
+        expect(queries[10]).toContain("create policy workspace_member_user_select_policy");
+        expect(queries[11]).toContain("drop policy if exists workspace_member_user_select_policy");
+    });
+});
+//# sourceMappingURL=row-level-security-migration.spec.js.map

package/dist/row-level-security-migration.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"row-level-security-migration.spec.js","sourceRoot":"","sources":["../src/row-level-security-migration.spec.ts"],"names":[],"mappings":";;AAAA,qEAA4D;AAC5D,iFAA2E;AAE3E,MAAM,6BAA8B,SAAQ,wDAAyB;IAC1D,EAAE;QACT,IAAI,CAAC,+BAA+B,EAAE,CAAC;QACvC,IAAI,CAAC,YAAY,CAAC;YAChB,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,qCAAqC;YACjD,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,KAAK,EAAE,iEAAiE;SACzE,CAAC,CAAC;QACH,IAAI,CAAC,gBAAgB,CAAC;YACpB,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,qCAAqC;SAClD,CAAC,CAAC;IACL,CAAC;CACF;AAED,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,SAAS,GAAG,IAAI,6BAA6B,CACjD,EAAW,EACX,EAAW,CACZ,CAAC;QAEF,SAAS,CAAC,EAAE,EAAE,CAAC;QAEf,MAAM,OAAO,GAAG,SAAS,CAAC,UAAU,EAAc,CAAC;QAEnD,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QAChD,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,mCAAmC,CAAC,CAAC;QAClE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,+BAA+B,CAAC,CAAC;QAC9D,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,qCAAqC,CAAC,CAAC;QACpE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,iCAAiC,CAAC,CAAC;QAChE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,iCAAiC,CAAC,CAAC;QAChE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,4CAA4C,CAAC,CAAC;QAC3E,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAC1B,oEAAoE,CACrE,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAC1B,2FAA2F,CAC5F,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAC3B,mDAAmD,CACpD,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAC3B,2DAA2D,CAC5D,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}