@nest-boot/row-level-security 7.0.0

package/dist/utils/assert-identifier.d.ts

@@ -0,0 +1,2 @@
+/** Asserts that a value is a safe unquoted PostgreSQL identifier. */
+export declare function assertIdentifier(identifier: string): string;

package/dist/utils/assert-identifier.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertIdentifier = assertIdentifier;
+/** Asserts that a value is a safe unquoted PostgreSQL identifier. */
+function assertIdentifier(identifier) {
+    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(identifier)) {
+        throw new Error(`Invalid SQL identifier: ${identifier}`);
+    }
+    return identifier;
+}
+//# sourceMappingURL=assert-identifier.js.map

package/dist/utils/assert-identifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"assert-identifier.js","sourceRoot":"","sources":["../../src/utils/assert-identifier.ts"],"names":[],"mappings":";;AACA,4CAMC;AAPD,qEAAqE;AACrE,SAAgB,gBAAgB,CAAC,UAAkB;IACjD,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CAAC,2BAA2B,UAAU,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC"}

package/dist/utils/assert-snake-case.d.ts

@@ -0,0 +1,2 @@
+/** Asserts that a value is snake_case for use in roles or context keys. */
+export declare function assertSnakeCase(value: string, label: string): void;

package/dist/utils/assert-snake-case.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertSnakeCase = assertSnakeCase;
+/** Asserts that a value is snake_case for use in roles or context keys. */
+function assertSnakeCase(value, label) {
+    if (!/^[a-z]+(_[a-z]+)*$/.test(value)) {
+        throw new Error(`${label} must be snake_case: ${value}`);
+    }
+}
+//# sourceMappingURL=assert-snake-case.js.map

package/dist/utils/assert-snake-case.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"assert-snake-case.js","sourceRoot":"","sources":["../../src/utils/assert-snake-case.ts"],"names":[],"mappings":";;AACA,0CAIC;AALD,2EAA2E;AAC3E,SAAgB,eAAe,CAAC,KAAa,EAAE,KAAa;IAC1D,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,wBAAwB,KAAK,EAAE,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC"}

package/dist/utils/create-policy-bootstrap-sql-statements.d.ts

@@ -0,0 +1,2 @@
+/** Creates SQL statements for shared RLS roles, grants, schema, and `app.get_context`. */
+export declare function createPolicyBootstrapSqlStatements(): string[];

package/dist/utils/create-policy-bootstrap-sql-statements.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createPolicyBootstrapSqlStatements = createPolicyBootstrapSqlStatements;
+/** Creates SQL statements for shared RLS roles, grants, schema, and `app.get_context`. */
+function createPolicyBootstrapSqlStatements() {
+    return [
+        "do $$ begin if not exists (select 1 from pg_roles where rolname = 'authenticated') then create role authenticated nologin; end if; end $$;",
+        "do $$ begin if not exists (select 1 from pg_roles where rolname = 'anonymous') then create role anonymous nologin; end if; end $$;",
+        "grant authenticated to current_user;",
+        "grant anonymous to current_user;",
+        "create schema if not exists app;",
+        "grant usage on schema app to authenticated;",
+        "grant usage on schema app to anonymous;",
+        "create or replace function app.get_context(context_key text, context_type anyelement) returns anyelement as $$ declare context_value text; begin context_value := current_setting('app.' || context_key, true); if context_value is null or context_value = '' then return null; end if; execute format('select $1::%s', pg_typeof(context_type)::text) using context_value into context_type; return context_type; end; $$ language plpgsql stable;",
+    ];
+}
+//# sourceMappingURL=create-policy-bootstrap-sql-statements.js.map

package/dist/utils/create-policy-bootstrap-sql-statements.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-policy-bootstrap-sql-statements.js","sourceRoot":"","sources":["../../src/utils/create-policy-bootstrap-sql-statements.ts"],"names":[],"mappings":";;AACA,gFAWC;AAZD,0FAA0F;AAC1F,SAAgB,kCAAkC;IAChD,OAAO;QACL,4IAA4I;QAC5I,oIAAoI;QACpI,sCAAsC;QACtC,kCAAkC;QAClC,kCAAkC;QAClC,6CAA6C;QAC7C,yCAAyC;QACzC,sbAAsb;KACvb,CAAC;AACJ,CAAC"}

package/dist/utils/create-policy-down-sql.d.ts

@@ -0,0 +1,3 @@
+import type { PolicySqlOptions } from "../interfaces/policy-sql-options.interface";
+/** Creates guarded SQL for dropping a policy and disabling RLS when no policies remain. */
+export declare function createPolicyDownSql(options: PolicySqlOptions): string;

package/dist/utils/create-policy-down-sql.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createPolicyDownSql = createPolicyDownSql;
+const assert_identifier_1 = require("./assert-identifier");
+const quote_qualified_identifier_1 = require("./quote-qualified-identifier");
+/** Creates guarded SQL for dropping a policy and disabling RLS when no policies remain. */
+function createPolicyDownSql(options) {
+    const tableIdentifier = (0, quote_qualified_identifier_1.quoteQualifiedIdentifier)(options.schemaName, options.tableName);
+    const policyName = (0, assert_identifier_1.assertIdentifier)(options.policyName);
+    return /* SQL */ `
+do $$
+declare
+  policy_count integer;
+begin
+  if to_regclass('${tableIdentifier}') is not null then
+    execute 'drop policy if exists ${policyName} on ${tableIdentifier}';
+
+    select count(*) into policy_count
+    from pg_policies
+    where schemaname = '${options.schemaName}' and tablename = '${options.tableName}';
+
+    if policy_count = 0 then
+      execute 'alter table ${tableIdentifier} disable row level security';
+    end if;
+  end if;
+end
+$$;
+`.trim();
+}
+//# sourceMappingURL=create-policy-down-sql.js.map

package/dist/utils/create-policy-down-sql.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-policy-down-sql.js","sourceRoot":"","sources":["../../src/utils/create-policy-down-sql.ts"],"names":[],"mappings":";;AAKA,kDA0BC;AA9BD,2DAAuD;AACvD,6EAAwE;AAExE,2FAA2F;AAC3F,SAAgB,mBAAmB,CAAC,OAAyB;IAC3D,MAAM,eAAe,GAAG,IAAA,qDAAwB,EAC9C,OAAO,CAAC,UAAU,EAClB,OAAO,CAAC,SAAS,CAClB,CAAC;IACF,MAAM,UAAU,GAAG,IAAA,oCAAgB,EAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAExD,OAAO,SAAS,CAAC;;;;;oBAKC,eAAe;qCACE,UAAU,OAAO,eAAe;;;;0BAI3C,OAAO,CAAC,UAAU,sBAAsB,OAAO,CAAC,SAAS;;;6BAGtD,eAAe;;;;;CAK3C,CAAC,IAAI,EAAE,CAAC;AACT,CAAC"}

package/dist/utils/create-policy-up-sql-statements.d.ts

@@ -0,0 +1,3 @@
+import type { PolicySqlOptions } from "../interfaces/policy-sql-options.interface";
+/** Creates SQL statements that enable RLS and recreate a PostgreSQL policy. */
+export declare function createPolicyUpSqlStatements(options: PolicySqlOptions): string[];

package/dist/utils/create-policy-up-sql-statements.js

@@ -0,0 +1,114 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createPolicyUpSqlStatements = createPolicyUpSqlStatements;
+const policy_command_enum_1 = require("../enums/policy-command.enum");
+const policy_mode_enum_1 = require("../enums/policy-mode.enum");
+const assert_identifier_1 = require("./assert-identifier");
+const escape_sql_literal_1 = require("./escape-sql-literal");
+const quote_qualified_identifier_1 = require("./quote-qualified-identifier");
+/** Creates SQL statements that enable RLS and recreate a PostgreSQL policy. */
+function createPolicyUpSqlStatements(options) {
+    const tableIdentifier = (0, quote_qualified_identifier_1.quoteQualifiedIdentifier)(options.schemaName, options.tableName);
+    const policyName = (0, assert_identifier_1.assertIdentifier)(options.policyName);
+    const mode = options.mode ?? policy_mode_enum_1.PolicyMode.PERMISSIVE;
+    const command = options.command ?? policy_command_enum_1.PolicyCommand.ALL;
+    const roles = options.roles ?? [];
+    const roleSql = roles.map((role) => (0, assert_identifier_1.assertIdentifier)(role)).join(", ");
+    const predicates = getPolicyPredicates(options);
+    return [
+        `alter table ${tableIdentifier} enable row level security;`,
+        ...createPrivilegeGrantSqlStatements(options, tableIdentifier, roleSql),
+        `drop policy if exists ${policyName} on ${tableIdentifier};`,
+        `create policy ${policyName} on ${tableIdentifier} as ${mode} for ${command}${roleSql ? ` to ${roleSql}` : ""} ${getPolicyPredicateSql(command, predicates)};`,
+    ];
+}
+function createPrivilegeGrantSqlStatements(options, tableIdentifier, roleSql) {
+    if (!roleSql) {
+        return [];
+    }
+    const command = options.command ?? policy_command_enum_1.PolicyCommand.ALL;
+    const privileges = getTablePrivileges(command).join(", ");
+    const statements = [
+        `grant ${privileges} on table ${tableIdentifier} to ${roleSql};`,
+    ];
+    if (requiresSequencePrivileges(command)) {
+        statements.push(createSequenceGrantSql(options, tableIdentifier, roleSql));
+    }
+    return statements;
+}
+function getTablePrivileges(command) {
+    if (command === policy_command_enum_1.PolicyCommand.SELECT) {
+        return ["select"];
+    }
+    if (command === policy_command_enum_1.PolicyCommand.INSERT) {
+        return ["insert"];
+    }
+    if (command === policy_command_enum_1.PolicyCommand.UPDATE) {
+        return ["select", "update"];
+    }
+    if (command === policy_command_enum_1.PolicyCommand.DELETE) {
+        return ["select", "delete"];
+    }
+    return ["select", "insert", "update", "delete"];
+}
+function requiresSequencePrivileges(command) {
+    return command === policy_command_enum_1.PolicyCommand.INSERT || command === policy_command_enum_1.PolicyCommand.ALL;
+}
+function createSequenceGrantSql(options, tableIdentifier, roleSql) {
+    const tableLiteral = (0, escape_sql_literal_1.escapeSqlLiteral)(tableIdentifier);
+    const schemaName = (0, escape_sql_literal_1.escapeSqlLiteral)(options.schemaName);
+    const tableName = (0, escape_sql_literal_1.escapeSqlLiteral)(options.tableName);
+    return /* SQL */ `do $$ declare sequence_identifier text; begin for sequence_identifier in select pg_get_serial_sequence('${tableLiteral}', columns.column_name) from information_schema.columns where columns.table_schema = '${schemaName}' and columns.table_name = '${tableName}' and pg_get_serial_sequence('${tableLiteral}', columns.column_name) is not null loop execute format('grant usage, select on sequence %s to ${roleSql}', sequence_identifier); end loop; end $$;`;
+}
+function getPolicyPredicates(options) {
+    const command = options.command ?? policy_command_enum_1.PolicyCommand.ALL;
+    const predicates = {
+        using: normalizeExpression(options.using),
+        withCheck: normalizeExpression(options.withCheck),
+    };
+    assertPolicyPredicates(command, predicates);
+    return predicates;
+}
+function normalizeExpression(expression) {
+    const normalized = expression?.trim();
+    if (!normalized) {
+        return undefined;
+    }
+    return normalized;
+}
+function assertPolicyPredicates(command, predicates) {
+    if (command === policy_command_enum_1.PolicyCommand.SELECT || command === policy_command_enum_1.PolicyCommand.DELETE) {
+        if (!predicates.using) {
+            throw new Error("Policy using expression is required");
+        }
+        if (predicates.withCheck) {
+            throw new Error(`Policy withCheck is not allowed for ${command}`);
+        }
+        return;
+    }
+    if (command === policy_command_enum_1.PolicyCommand.INSERT) {
+        if (predicates.using) {
+            throw new Error("Policy using is not allowed for insert");
+        }
+        if (!predicates.withCheck) {
+            throw new Error("Policy withCheck expression is required");
+        }
+        return;
+    }
+    if (!predicates.using && !predicates.withCheck) {
+        throw new Error("Policy using or withCheck expression is required");
+    }
+}
+function getPolicyPredicateSql(command, predicates) {
+    const fragments = [];
+    if (command !== policy_command_enum_1.PolicyCommand.INSERT && predicates.using) {
+        fragments.push(`using ${predicates.using}`);
+    }
+    if (command !== policy_command_enum_1.PolicyCommand.SELECT &&
+        command !== policy_command_enum_1.PolicyCommand.DELETE &&
+        predicates.withCheck) {
+        fragments.push(`with check ${predicates.withCheck}`);
+    }
+    return fragments.join(" ");
+}
+//# sourceMappingURL=create-policy-up-sql-statements.js.map

package/dist/utils/create-policy-up-sql-statements.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-policy-up-sql-statements.js","sourceRoot":"","sources":["../../src/utils/create-policy-up-sql-statements.ts"],"names":[],"mappings":";;AAQA,kEAkBC;AA1BD,sEAA6D;AAC7D,gEAAuD;AAEvD,2DAAuD;AACvD,6DAAwD;AACxD,6EAAwE;AAExE,+EAA+E;AAC/E,SAAgB,2BAA2B,CAAC,OAAyB;IACnE,MAAM,eAAe,GAAG,IAAA,qDAAwB,EAC9C,OAAO,CAAC,UAAU,EAClB,OAAO,CAAC,SAAS,CAClB,CAAC;IACF,MAAM,UAAU,GAAG,IAAA,oCAAgB,EAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACxD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,6BAAU,CAAC,UAAU,CAAC;IACnD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAA,oCAAgB,EAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACvE,MAAM,UAAU,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;IAEhD,OAAO;QACL,eAAe,eAAe,6BAA6B;QAC3D,GAAG,iCAAiC,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC;QACvE,yBAAyB,UAAU,OAAO,eAAe,GAAG;QAC5D,iBAAiB,UAAU,OAAO,eAAe,OAAO,IAAI,QAAQ,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,qBAAqB,CAAC,OAAO,EAAE,UAAU,CAAC,GAAG;KAC/J,CAAC;AACJ,CAAC;AAED,SAAS,iCAAiC,CACxC,OAAyB,EACzB,eAAuB,EACvB,OAAe;IAEf,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC;IACrD,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG;QACjB,SAAS,UAAU,aAAa,eAAe,OAAO,OAAO,GAAG;KACjE,CAAC;IAEF,IAAI,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACxC,UAAU,CAAC,IAAI,CAAC,sBAAsB,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7E,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAsB;IAChD,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,0BAA0B,CAAC,OAAsB;IACxD,OAAO,OAAO,KAAK,mCAAa,CAAC,MAAM,IAAI,OAAO,KAAK,mCAAa,CAAC,GAAG,CAAC;AAC3E,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAAyB,EACzB,eAAuB,EACvB,OAAe;IAEf,MAAM,YAAY,GAAG,IAAA,qCAAgB,EAAC,eAAe,CAAC,CAAC;IACvD,MAAM,UAAU,GAAG,IAAA,qCAAgB,EAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,IAAA,qCAAgB,EAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEtD,OAAO,SAAS,CAAC,2GAA2G,YAAY,yFAAyF,UAAU,+BAA+B,SAAS,iCAAiC,YAAY,kGAAkG,OAAO,4CAA4C,CAAC;AACxd,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAyB;IACpD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,mCAAa,CAAC,GAAG,CAAC;IACrD,MAAM,UAAU,GAAG;QACjB,KAAK,EAAE,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC;QACzC,SAAS,EAAE,mBAAmB,CAAC,OAAO,CAAC,SAAS,CAAC;KAClD,CAAC;IAEF,sBAAsB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAE5C,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,mBAAmB,CAAC,UAA8B;IACzD,MAAM,UAAU,GAAG,UAAU,EAAE,IAAI,EAAE,CAAC;IAEtC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAAsB,EACtB,UAAkD;IAElD,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACzE,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,uCAAuC,OAAO,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,OAAO;IACT,CAAC;IAED,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,EAAE,CAAC;QACrC,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO;IACT,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAsB,EACtB,UAAkD;IAElD,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,IAAI,OAAO,KAAK,mCAAa,CAAC,MAAM,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;QACzD,SAAS,CAAC,IAAI,CAAC,SAAS,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,IACE,OAAO,KAAK,mCAAa,CAAC,MAAM;QAChC,OAAO,KAAK,mCAAa,CAAC,MAAM;QAChC,UAAU,CAAC,SAAS,EACpB,CAAC;QACD,SAAS,CAAC,IAAI,CAAC,cAAc,UAAU,CAAC,SAAS,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC"}

package/dist/utils/default-row-level-security-options.d.ts

@@ -0,0 +1,3 @@
+import { RowLevelSecurityOptions } from "../interfaces/row-level-security-options.interface";
+/** Default RLS database roles. */
+export declare const DEFAULT_ROW_LEVEL_SECURITY_OPTIONS: Required<Pick<RowLevelSecurityOptions, "authenticatedRole" | "anonymousRole">>;

package/dist/utils/default-row-level-security-options.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_ROW_LEVEL_SECURITY_OPTIONS = void 0;
+/** Default RLS database roles. */
+exports.DEFAULT_ROW_LEVEL_SECURITY_OPTIONS = {
+    authenticatedRole: "authenticated",
+    anonymousRole: "anonymous",
+};
+//# sourceMappingURL=default-row-level-security-options.js.map

package/dist/utils/default-row-level-security-options.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"default-row-level-security-options.js","sourceRoot":"","sources":["../../src/utils/default-row-level-security-options.ts"],"names":[],"mappings":";;;AAEA,kCAAkC;AACrB,QAAA,kCAAkC,GAE3C;IACF,iBAAiB,EAAE,eAAe;IAClC,aAAa,EAAE,WAAW;CAC3B,CAAC"}

package/dist/utils/escape-sql-literal.d.ts

@@ -0,0 +1,2 @@
+/** Escapes a string for use inside a single-quoted SQL literal. */
+export declare function escapeSqlLiteral(value: string): string;

package/dist/utils/escape-sql-literal.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.escapeSqlLiteral = escapeSqlLiteral;
+/** Escapes a string for use inside a single-quoted SQL literal. */
+function escapeSqlLiteral(value) {
+    return value.replace(/'/g, "''");
+}
+//# sourceMappingURL=escape-sql-literal.js.map

package/dist/utils/escape-sql-literal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"escape-sql-literal.js","sourceRoot":"","sources":["../../src/utils/escape-sql-literal.ts"],"names":[],"mappings":";;AACA,4CAEC;AAHD,mEAAmE;AACnE,SAAgB,gBAAgB,CAAC,KAAa;IAC5C,OAAO,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AACnC,CAAC"}

package/dist/utils/get-row-level-security-options.d.ts

@@ -0,0 +1,8 @@
+/** Reads the process-level RLS options used by the entity manager. */
+export declare function getRowLevelSecurityOptions(): {
+    authenticatedRole?: string;
+    anonymousRole?: string;
+    shouldApply?: () => import("..").MaybePromise<boolean>;
+    isAuthenticated?: () => import("..").MaybePromise<boolean>;
+    getContext?: () => import("..").MaybePromise<import("..").RowLevelSecurityContextEntries | undefined>;
+};

package/dist/utils/get-row-level-security-options.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getRowLevelSecurityOptions = getRowLevelSecurityOptions;
+const row_level_security_options_state_1 = require("./row-level-security-options-state");
+/** Reads the process-level RLS options used by the entity manager. */
+function getRowLevelSecurityOptions() {
+    return { ...row_level_security_options_state_1.rowLevelSecurityOptionsState.value };
+}
+//# sourceMappingURL=get-row-level-security-options.js.map

package/dist/utils/get-row-level-security-options.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-row-level-security-options.js","sourceRoot":"","sources":["../../src/utils/get-row-level-security-options.ts"],"names":[],"mappings":";;AAGA,gEAEC;AALD,yFAAkF;AAElF,sEAAsE;AACtE,SAAgB,0BAA0B;IACxC,OAAO,EAAE,GAAG,+DAA4B,CAAC,KAAK,EAAE,CAAC;AACnD,CAAC"}

package/dist/utils/index.d.ts

@@ -0,0 +1,13 @@
+export * from "./assert-identifier";
+export * from "./assert-snake-case";
+export * from "./create-policy-bootstrap-sql-statements";
+export * from "./create-policy-down-sql";
+export * from "./create-policy-up-sql-statements";
+export * from "./default-row-level-security-options";
+export * from "./escape-sql-literal";
+export * from "./get-row-level-security-options";
+export * from "./quote-identifier";
+export * from "./quote-qualified-identifier";
+export * from "./row-level-security-context-builder";
+export type * from "./row-level-security-context-builder.types";
+export * from "./set-row-level-security-options";

package/dist/utils/index.js

@@ -0,0 +1,29 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./assert-identifier"), exports);
+__exportStar(require("./assert-snake-case"), exports);
+__exportStar(require("./create-policy-bootstrap-sql-statements"), exports);
+__exportStar(require("./create-policy-down-sql"), exports);
+__exportStar(require("./create-policy-up-sql-statements"), exports);
+__exportStar(require("./default-row-level-security-options"), exports);
+__exportStar(require("./escape-sql-literal"), exports);
+__exportStar(require("./get-row-level-security-options"), exports);
+__exportStar(require("./quote-identifier"), exports);
+__exportStar(require("./quote-qualified-identifier"), exports);
+__exportStar(require("./row-level-security-context-builder"), exports);
+__exportStar(require("./set-row-level-security-options"), exports);
+//# sourceMappingURL=index.js.map

package/dist/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,sDAAoC;AACpC,sDAAoC;AACpC,2EAAyD;AACzD,2DAAyC;AACzC,oEAAkD;AAClD,uEAAqD;AACrD,uDAAqC;AACrC,mEAAiD;AACjD,qDAAmC;AACnC,+DAA6C;AAC7C,uEAAqD;AAErD,mEAAiD"}

package/dist/utils/policy-migration-sql.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/utils/policy-migration-sql.spec.js

@@ -0,0 +1,168 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const policy_command_enum_1 = require("../enums/policy-command.enum");
+const policy_mode_enum_1 = require("../enums/policy-mode.enum");
+const create_policy_bootstrap_sql_statements_1 = require("./create-policy-bootstrap-sql-statements");
+const create_policy_down_sql_1 = require("./create-policy-down-sql");
+const create_policy_up_sql_statements_1 = require("./create-policy-up-sql-statements");
+describe("policy migration SQL", () => {
+    it("generates row level security bootstrap SQL", () => {
+        const statements = (0, create_policy_bootstrap_sql_statements_1.createPolicyBootstrapSqlStatements)();
+        expect(statements).toEqual([
+            "do $$ begin if not exists (select 1 from pg_roles where rolname = 'authenticated') then create role authenticated nologin; end if; end $$;",
+            "do $$ begin if not exists (select 1 from pg_roles where rolname = 'anonymous') then create role anonymous nologin; end if; end $$;",
+            "grant authenticated to current_user;",
+            "grant anonymous to current_user;",
+            "create schema if not exists app;",
+            "grant usage on schema app to authenticated;",
+            "grant usage on schema app to anonymous;",
+            "create or replace function app.get_context(context_key text, context_type anyelement) returns anyelement as $$ declare context_value text; begin context_value := current_setting('app.' || context_key, true); if context_value is null or context_value = '' then return null; end if; execute format('select $1::%s', pg_typeof(context_type)::text) using context_value into context_type; return context_type; end; $$ language plpgsql stable;",
+        ]);
+        expect(statements.join("\n")).not.toContain("grant all on all tables");
+        expect(statements.join("\n")).not.toContain("get_policy_context");
+    });
+    it("generates policy up SQL", () => {
+        const statements = (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)({
+            schemaName: "public",
+            tableName: "workspace_member",
+            policyName: "workspace_member_user_select_policy",
+            command: policy_command_enum_1.PolicyCommand.SELECT,
+            using: `((select app.get_context('user_id', null::bigint)) = "user_id")`,
+        });
+        expect(statements).toEqual([
+            'alter table "public"."workspace_member" enable row level security;',
+            'drop policy if exists workspace_member_user_select_policy on "public"."workspace_member";',
+            'create policy workspace_member_user_select_policy on "public"."workspace_member" as permissive for select using ((select app.get_context(\'user_id\', null::bigint)) = "user_id");',
+        ]);
+    });
+    it("generates policy SQL for explicit roles", () => {
+        const statements = (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)({
+            schemaName: "public",
+            tableName: "workspace_member",
+            policyName: "workspace_member_user_select_policy",
+            command: policy_command_enum_1.PolicyCommand.SELECT,
+            using: `((select app.get_context('user_id', null::bigint)) = "user_id")`,
+            roles: ["authenticated", "anonymous"],
+        });
+        expect(statements[2]).toBe('drop policy if exists workspace_member_user_select_policy on "public"."workspace_member";');
+    });
+    it("generates table grants for explicit policy roles", () => {
+        const statements = (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)({
+            schemaName: "public",
+            tableName: "workspace_member",
+            policyName: "workspace_member_user_select_policy",
+            command: policy_command_enum_1.PolicyCommand.SELECT,
+            using: `((select app.get_context('user_id', null::bigint)) = "user_id")`,
+            roles: ["authenticated", "anonymous"],
+        });
+        expect(statements).toEqual([
+            'alter table "public"."workspace_member" enable row level security;',
+            'grant select on table "public"."workspace_member" to authenticated, anonymous;',
+            'drop policy if exists workspace_member_user_select_policy on "public"."workspace_member";',
+            'create policy workspace_member_user_select_policy on "public"."workspace_member" as permissive for select to authenticated, anonymous using ((select app.get_context(\'user_id\', null::bigint)) = "user_id");',
+        ]);
+    });
+    it("generates sequence grants for explicit insert policy roles", () => {
+        const statements = (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)({
+            schemaName: "public",
+            tableName: "workspace_member",
+            policyName: "workspace_member_insert_policy",
+            command: policy_command_enum_1.PolicyCommand.INSERT,
+            withCheck: "true",
+            roles: ["authenticated"],
+        });
+        expect(statements).toContain('grant insert on table "public"."workspace_member" to authenticated;');
+        expect(statements).toEqual(expect.arrayContaining([
+            expect.stringContaining("pg_get_serial_sequence"),
+            expect.stringContaining("grant usage, select on sequence %s to authenticated"),
+        ]));
+    });
+    it("generates restrictive policy SQL", () => {
+        const statements = (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)({
+            schemaName: "public",
+            tableName: "workspace_member",
+            policyName: "tenant_required_policy",
+            mode: policy_mode_enum_1.PolicyMode.RESTRICTIVE,
+            using: `((select app.get_context('tenant_id', null::bigint)) is not null)`,
+        });
+        expect(statements[2]).toBe('create policy tenant_required_policy on "public"."workspace_member" as restrictive for all using ((select app.get_context(\'tenant_id\', null::bigint)) is not null);');
+    });
+    it("generates insert policy SQL with only a with check predicate", () => {
+        const statements = (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)({
+            schemaName: "public",
+            tableName: "workspace_member",
+            policyName: "workspace_member_insert_policy",
+            command: policy_command_enum_1.PolicyCommand.INSERT,
+            withCheck: ` true `,
+        });
+        expect(statements[2]).toBe('create policy workspace_member_insert_policy on "public"."workspace_member" as permissive for insert with check true;');
+    });
+    it.each([
+        [
+            "select without using",
+            {
+                schemaName: "public",
+                tableName: "workspace_member",
+                policyName: "workspace_member_select_policy",
+                command: policy_command_enum_1.PolicyCommand.SELECT,
+            },
+            "Policy using expression is required",
+        ],
+        [
+            "delete with withCheck",
+            {
+                schemaName: "public",
+                tableName: "workspace_member",
+                policyName: "workspace_member_delete_policy",
+                command: policy_command_enum_1.PolicyCommand.DELETE,
+                using: "true",
+                withCheck: "true",
+            },
+            "Policy withCheck is not allowed for delete",
+        ],
+        [
+            "insert with using",
+            {
+                schemaName: "public",
+                tableName: "workspace_member",
+                policyName: "workspace_member_insert_policy",
+                command: policy_command_enum_1.PolicyCommand.INSERT,
+                using: "true",
+                withCheck: "true",
+            },
+            "Policy using is not allowed for insert",
+        ],
+        [
+            "insert without withCheck",
+            {
+                schemaName: "public",
+                tableName: "workspace_member",
+                policyName: "workspace_member_insert_policy",
+                command: policy_command_enum_1.PolicyCommand.INSERT,
+            },
+            "Policy withCheck expression is required",
+        ],
+        [
+            "all without predicates",
+            {
+                schemaName: "public",
+                tableName: "workspace_member",
+                policyName: "workspace_member_all_policy",
+            },
+            "Policy using or withCheck expression is required",
+        ],
+    ])("rejects %s", (_name, options, message) => {
+        expect(() => (0, create_policy_up_sql_statements_1.createPolicyUpSqlStatements)(options)).toThrow(message);
+    });
+    it("generates guarded policy down SQL", () => {
+        const sql = (0, create_policy_down_sql_1.createPolicyDownSql)({
+            schemaName: "public",
+            tableName: "workspace_member",
+            policyName: "workspace_member_user_select_policy",
+        });
+        expect(sql).toContain('to_regclass(\'"public"."workspace_member"\')');
+        expect(sql).toContain('drop policy if exists workspace_member_user_select_policy on "public"."workspace_member"');
+        expect(sql).toContain("disable row level security");
+    });
+});
+//# sourceMappingURL=policy-migration-sql.spec.js.map

package/dist/utils/policy-migration-sql.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-migration-sql.spec.js","sourceRoot":"","sources":["../../src/utils/policy-migration-sql.spec.ts"],"names":[],"mappings":";;AAAA,sEAA6D;AAC7D,gEAAuD;AACvD,qGAA8F;AAC9F,qEAA+D;AAC/D,uFAAgF;AAEhF,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,UAAU,GAAG,IAAA,2EAAkC,GAAE,CAAC;QAExD,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC;YACzB,4IAA4I;YAC5I,oIAAoI;YACpI,sCAAsC;YACtC,kCAAkC;YAClC,kCAAkC;YAClC,6CAA6C;YAC7C,yCAAyC;YACzC,sbAAsb;SACvb,CAAC,CAAC;QACH,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAC;QACvE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,qCAAqC;YACjD,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,KAAK,EAAE,iEAAiE;SACzE,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC;YACzB,oEAAoE;YACpE,2FAA2F;YAC3F,oLAAoL;SACrL,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,qCAAqC;YACjD,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,KAAK,EAAE,iEAAiE;YACxE,KAAK,EAAE,CAAC,eAAe,EAAE,WAAW,CAAC;SACtC,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CACxB,2FAA2F,CAC5F,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,qCAAqC;YACjD,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,KAAK,EAAE,iEAAiE;YACxE,KAAK,EAAE,CAAC,eAAe,EAAE,WAAW,CAAC;SACtC,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC;YACzB,oEAAoE;YACpE,gFAAgF;YAChF,2FAA2F;YAC3F,gNAAgN;SACjN,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,gCAAgC;YAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,SAAS,EAAE,MAAM;YACjB,KAAK,EAAE,CAAC,eAAe,CAAC;SACzB,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,SAAS,CAC1B,qEAAqE,CACtE,CAAC;QACF,MAAM,CAAC,UAAU,CAAC,CAAC,OAAO,CACxB,MAAM,CAAC,eAAe,CAAC;YACrB,MAAM,CAAC,gBAAgB,CAAC,wBAAwB,CAAC;YACjD,MAAM,CAAC,gBAAgB,CACrB,qDAAqD,CACtD;SACF,CAAC,CACH,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,wBAAwB;YACpC,IAAI,EAAE,6BAAU,CAAC,WAAW;YAC5B,KAAK,EAAE,mEAAmE;SAC3E,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CACxB,uKAAuK,CACxK,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,UAAU,GAAG,IAAA,6DAA2B,EAAC;YAC7C,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,gCAAgC;YAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;YAC7B,SAAS,EAAE,QAAQ;SACpB,CAAC,CAAC;QAEH,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CACxB,uHAAuH,CACxH,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,IAAI,CAAC;QACN;YACE,sBAAsB;YACtB;gBACE,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,gCAAgC;gBAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;aAC9B;YACD,qCAAqC;SACtC;QACD;YACE,uBAAuB;YACvB;gBACE,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,gCAAgC;gBAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;gBAC7B,KAAK,EAAE,MAAM;gBACb,SAAS,EAAE,MAAM;aAClB;YACD,4CAA4C;SAC7C;QACD;YACE,mBAAmB;YACnB;gBACE,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,gCAAgC;gBAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;gBAC7B,KAAK,EAAE,MAAM;gBACb,SAAS,EAAE,MAAM;aAClB;YACD,wCAAwC;SACzC;QACD;YACE,0BAA0B;YAC1B;gBACE,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,gCAAgC;gBAC5C,OAAO,EAAE,mCAAa,CAAC,MAAM;aAC9B;YACD,yCAAyC;SAC1C;QACD;YACE,wBAAwB;YACxB;gBACE,UAAU,EAAE,QAAQ;gBACpB,SAAS,EAAE,kBAAkB;gBAC7B,UAAU,EAAE,6BAA6B;aAC1C;YACD,kDAAkD;SACnD;KACF,CAAC,CAAC,YAAY,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE;QAC3C,MAAM,CAAC,GAAG,EAAE,CAAC,IAAA,6DAA2B,EAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,GAAG,GAAG,IAAA,4CAAmB,EAAC;YAC9B,UAAU,EAAE,QAAQ;YACpB,SAAS,EAAE,kBAAkB;YAC7B,UAAU,EAAE,qCAAqC;SAClD,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,8CAA8C,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CACnB,0FAA0F,CAC3F,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/utils/policy-sql-options.d.ts

@@ -0,0 +1,12 @@
+import { PolicyCommand } from "../enums/policy-command.enum";
+import { PolicyMode } from "../enums/policy-mode.enum";
+export interface PolicySqlOptions {
+    schemaName: string;
+    tableName: string;
+    policyName: string;
+    mode?: PolicyMode;
+    command?: PolicyCommand;
+    using?: string;
+    withCheck?: string;
+    roles?: string[];
+}

package/dist/utils/policy-sql-options.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=policy-sql-options.js.map

package/dist/utils/policy-sql-options.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-sql-options.js","sourceRoot":"","sources":["../../src/utils/policy-sql-options.ts"],"names":[],"mappings":""}

package/dist/utils/quote-identifier.d.ts

@@ -0,0 +1,2 @@
+/** Quotes a validated PostgreSQL identifier. */
+export declare function quoteIdentifier(identifier: string): string;

package/dist/utils/quote-identifier.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.quoteIdentifier = quoteIdentifier;
+const assert_identifier_1 = require("./assert-identifier");
+/** Quotes a validated PostgreSQL identifier. */
+function quoteIdentifier(identifier) {
+    (0, assert_identifier_1.assertIdentifier)(identifier);
+    return `"${identifier}"`;
+}
+//# sourceMappingURL=quote-identifier.js.map

package/dist/utils/quote-identifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"quote-identifier.js","sourceRoot":"","sources":["../../src/utils/quote-identifier.ts"],"names":[],"mappings":";;AAGA,0CAIC;AAPD,2DAAuD;AAEvD,gDAAgD;AAChD,SAAgB,eAAe,CAAC,UAAkB;IAChD,IAAA,oCAAgB,EAAC,UAAU,CAAC,CAAC;IAE7B,OAAO,IAAI,UAAU,GAAG,CAAC;AAC3B,CAAC"}

package/dist/utils/quote-qualified-identifier.d.ts

@@ -0,0 +1,2 @@
+/** Quotes a schema-qualified PostgreSQL table identifier. */
+export declare function quoteQualifiedIdentifier(schemaName: string, tableName: string): string;

package/dist/utils/quote-qualified-identifier.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.quoteQualifiedIdentifier = quoteQualifiedIdentifier;
+const quote_identifier_1 = require("./quote-identifier");
+/** Quotes a schema-qualified PostgreSQL table identifier. */
+function quoteQualifiedIdentifier(schemaName, tableName) {
+    return `${(0, quote_identifier_1.quoteIdentifier)(schemaName)}.${(0, quote_identifier_1.quoteIdentifier)(tableName)}`;
+}
+//# sourceMappingURL=quote-qualified-identifier.js.map

package/dist/utils/quote-qualified-identifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"quote-qualified-identifier.js","sourceRoot":"","sources":["../../src/utils/quote-qualified-identifier.ts"],"names":[],"mappings":";;AAGA,4DAKC;AARD,yDAAqD;AAErD,6DAA6D;AAC7D,SAAgB,wBAAwB,CACtC,UAAkB,EAClB,SAAiB;IAEjB,OAAO,GAAG,IAAA,kCAAe,EAAC,UAAU,CAAC,IAAI,IAAA,kCAAe,EAAC,SAAS,CAAC,EAAE,CAAC;AACxE,CAAC"}

package/dist/utils/row-level-security-context-builder.d.ts

@@ -0,0 +1,12 @@
+import { RowLevelSecurityContextValue, SnakeCase } from "./row-level-security-context-builder.types";
+/** Builds SQL that writes RLS context values into PostgreSQL transaction settings. */
+export declare class RowLevelSecurityContextBuilder {
+    private readonly ctx;
+    private readonly namespace;
+    /** Adds a context key and value, ignoring nullish values. */
+    set<S extends string>(key: SnakeCase<S>, value: RowLevelSecurityContextValue): this;
+    /** Returns the context entries that will be emitted to SQL. */
+    entries(): [string, string][];
+    /** Renders a `SELECT set_config(...)` statement for the collected entries. */
+    toSQL(): string;
+}