npm - @prisma-next/extension-supabase - Versions diffs - 0.13.0-dev.12 → 0.13.0-dev.14 - Mend

@prisma-next/extension-supabase 0.13.0-dev.12 → 0.13.0-dev.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/pack.mjs +1 -3
package/dist/pack.mjs.map +1 -1
package/dist/package-BxYGU2sD.mjs +6 -0
package/dist/package-BxYGU2sD.mjs.map +1 -0
package/dist/runtime.d.mts +110 -3
package/dist/runtime.d.mts.map +1 -1
package/dist/runtime.mjs +278 -3
package/dist/runtime.mjs.map +1 -1
package/dist/test/utils.d.mts +7 -6
package/dist/test/utils.d.mts.map +1 -1
package/dist/test/utils.mjs +19 -6
package/dist/test/utils.mjs.map +1 -1
package/package.json +28 -25
package/src/exports/runtime.ts +17 -29
package/src/runtime/descriptor.ts +26 -0
package/src/runtime/supabase-runtime.ts +171 -0
package/src/runtime/supabase.ts +323 -0

package/dist/pack.mjs CHANGED Viewed

@@ -1,7 +1,5 @@
+import { t as version } from "./package-BxYGU2sD.mjs";
 import { blindCast } from "@prisma-next/utils/casts";
-//#region package.json
-var version = "0.13.0-dev.12";
-//#endregion
 //#region src/contract/contract.json
 var contract_default = {
 	schemaVersion: "1",

package/dist/pack.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"pack.mjs","names":["contractJson","packageJson.version"],"sources":["../~~package.json","../~~src/contract/contract.json","../src/pack/index.ts"],"sourcesContent":["","~~","~~import type { SqlControlExtensionDescriptor } from '@prisma-next/family-sql/control';\nimport { blindCast } from '@prisma-next/utils/casts';\nimport packageJson from '../../package.json' with { type: 'json' };\nimport type { Contract } from '../contract/contract.d';\nimport contractJson from '../contract/contract.json' with { type: 'json' };\n\nconst SUPABASE_SPACE_ID = 'supabase' as const;\n\nfunction buildContractSpace(contractOverride?: unknown) {\n const contract = blindCast<\n Contract,\n 'JSON import narrowed to emitted Contract type; assertDescriptorSelfConsistency verifies the storageHash at load time'\n >(contractOverride ?? contractJson);\n return {\n contractJson: contract,\n migrations: [] as const,\n headRef: { hash: contract.storage.storageHash, invariants: [] as const },\n };\n}\n\nconst supabaseContractSpace = buildContractSpace();\n\nconst supabasePackBase = {\n kind: 'extension' as const,\n id: SUPABASE_SPACE_ID,\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n version: packageJson.version,\n contractSpace: supabaseContractSpace,\n create: () => ({\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n }),\n} satisfies SqlControlExtensionDescriptor<'postgres'>;\n\nexport const supabasePack: SqlControlExtensionDescriptor<'postgres'> = supabasePackBase;\n\n/*\n Returns a pack using `contractOverride` in place of the shipped\n * `contract.json` when provided, otherwise returns the default pack.\n \n Intended for tests that need to drive the framework with a synthetic\n * contract while still exercising the full descriptor wiring.\n */\nexport function supabasePackWith(options?: {\n contractOverride?: unknown;\n}): SqlControlExtensionDescriptor<'postgres'> {\n if (options?.contractOverride === undefined) return supabasePack;\n return {\n ...supabasePackBase,\n contractSpace: buildContractSpace(options.contractOverride),\n };\n}\n\nexport default supabasePack;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AEMA,MAAM,oBAAoB;AAE1B,SAAS,mBAAmB,kBAA4B;CACtD,MAAM,WAAW,UAGf,oBAAoBA,gBAAY;CAClC,OAAO;EACL,cAAc;EACd,YAAY,CAAC;EACb,SAAS;GAAE,MAAM,SAAS,QAAQ;GAAa,YAAY,CAAC;EAAW;CACzE;AACF;AAIA,MAAM,mBAAmB;CACvB,MAAM;CACN,IAAI;CACJ,UAAU;CACV,UAAU;CACDC;CACT,eAR4B,mBAQb;CACf,eAAe;EACb,UAAU;EACV,UAAU;CACZ;AACF;AAEA,MAAa,eAA0D;;;;;;;;AASvE,SAAgB,iBAAiB,SAEa;CAC5C,IAAI,SAAS,qBAAqB,KAAA,GAAW,OAAO;CACpD,OAAO;EACL,GAAG;EACH,eAAe,mBAAmB,QAAQ,gBAAgB;CAC5D;AACF"}
1	+ {"version":3,"file":"pack.mjs","names":["contractJson","packageJson.version"],"sources":["../src/contract/contract.json","../src/pack/index.ts"],"sourcesContent":["","import type { SqlControlExtensionDescriptor } from '@prisma-next/family-sql/control';\nimport { blindCast } from '@prisma-next/utils/casts';\nimport packageJson from '../../package.json' with { type: 'json' };\nimport type { Contract } from '../contract/contract.d';\nimport contractJson from '../contract/contract.json' with { type: 'json' };\n\nconst SUPABASE_SPACE_ID = 'supabase' as const;\n\nfunction buildContractSpace(contractOverride?: unknown) {\n const contract = blindCast<\n Contract,\n 'JSON import narrowed to emitted Contract type; assertDescriptorSelfConsistency verifies the storageHash at load time'\n >(contractOverride ?? contractJson);\n return {\n contractJson: contract,\n migrations: [] as const,\n headRef: { hash: contract.storage.storageHash, invariants: [] as const },\n };\n}\n\nconst supabaseContractSpace = buildContractSpace();\n\nconst supabasePackBase = {\n kind: 'extension' as const,\n id: SUPABASE_SPACE_ID,\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n version: packageJson.version,\n contractSpace: supabaseContractSpace,\n create: () => ({\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n }),\n} satisfies SqlControlExtensionDescriptor<'postgres'>;\n\nexport const supabasePack: SqlControlExtensionDescriptor<'postgres'> = supabasePackBase;\n\n/*\n Returns a pack using `contractOverride` in place of the shipped\n * `contract.json` when provided, otherwise returns the default pack.\n \n Intended for tests that need to drive the framework with a synthetic\n * contract while still exercising the full descriptor wiring.\n */\nexport function supabasePackWith(options?: {\n contractOverride?: unknown;\n}): SqlControlExtensionDescriptor<'postgres'> {\n if (options?.contractOverride === undefined) return supabasePack;\n return {\n ...supabasePackBase,\n contractSpace: buildContractSpace(options.contractOverride),\n };\n}\n\nexport default supabasePack;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACMA,MAAM,oBAAoB;AAE1B,SAAS,mBAAmB,kBAA4B;CACtD,MAAM,WAAW,UAGf,oBAAoBA,gBAAY;CAClC,OAAO;EACL,cAAc;EACd,YAAY,CAAC;EACb,SAAS;GAAE,MAAM,SAAS,QAAQ;GAAa,YAAY,CAAC;EAAW;CACzE;AACF;AAIA,MAAM,mBAAmB;CACvB,MAAM;CACN,IAAI;CACJ,UAAU;CACV,UAAU;CACDC;CACT,eAR4B,mBAQb;CACf,eAAe;EACb,UAAU;EACV,UAAU;CACZ;AACF;AAEA,MAAa,eAA0D;;;;;;;;AASvE,SAAgB,iBAAiB,SAEa;CAC5C,IAAI,SAAS,qBAAqB,KAAA,GAAW,OAAO;CACpD,OAAO;EACL,GAAG;EACH,eAAe,mBAAmB,QAAQ,gBAAgB;CAC5D;AACF"}

package/dist/package-BxYGU2sD.mjs ADDED Viewed

@@ -0,0 +1,6 @@
+//#region package.json
+var version = "0.13.0-dev.14";
+//#endregion
+export { version as t };
+//# sourceMappingURL=package-BxYGU2sD.mjs.map

package/dist/package-BxYGU2sD.mjs.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"package-BxYGU2sD.mjs","names":[],"sources":["../package.json"],"sourcesContent":[""],"mappings":""}

package/dist/runtime.d.mts CHANGED Viewed

@@ -1,7 +1,114 @@
-import { SqlRuntimeExtensionDescriptor } from "@prisma-next/sql-runtime";
+import { orm } from "@prisma-next/sql-orm-client";
+import { RawSqlTag } from "@prisma-next/sql-relational-core/expression";
+import { ExecutionContext, RuntimeConnection, SqlExecutionStackWithDriver, SqlMiddleware, SqlRuntimeExtensionDescriptor, TransactionContext, VerifyMarkerOption } from "@prisma-next/sql-runtime";
+import { Client, Pool } from "pg";
+import { AsyncIterableResult, RuntimeExecuteOptions } from "@prisma-next/framework-components/runtime";
+import { PostgresRuntime, PostgresRuntimeImpl } from "@prisma-next/postgres/runtime";
+import { Contract } from "@prisma-next/contract/types";
+import { Db } from "@prisma-next/sql-builder/types";
+import { SqlStorage } from "@prisma-next/sql-contract/types";
+import { SqlExecutionPlan, SqlQueryPlan } from "@prisma-next/sql-relational-core/plan";
-//#region src/exports/runtime.d.ts
+//#region src/runtime/descriptor.d.ts
+/**
+ * Tells the runtime that the Supabase pack's runtime component is available.
+ *
+ * When a contract declares the Supabase pack, the runtime checks that a
+ * matching descriptor has been registered. Without this, loading a Supabase
+ * contract errors with "pack runtime component missing". The `supabase()`
+ * factory registers this descriptor automatically — app code never needs to
+ * reference it directly.
+ */
 declare const supabaseRuntimeDescriptor: SqlRuntimeExtensionDescriptor<'postgres'>;
 //#endregion
-export { supabaseRuntimeDescriptor as default };
+//#region src/runtime/supabase.d.ts
+type SupabaseTargetId = 'postgres';
+type OrmClient<TContract extends Contract<SqlStorage>> = ReturnType<typeof orm<TContract>>;
+declare class SupabaseConfigError extends Error {
+  readonly name = "SupabaseConfigError";
+  constructor(message: string);
+}
+declare class InvalidJwtError extends Error {
+  readonly name = "InvalidJwtError";
+  readonly reason: string;
+  constructor(reason: string);
+}
+interface RoleBoundDb<TContract extends Contract<SqlStorage>> {
+  readonly sql: Db<TContract>;
+  readonly orm: OrmClient<TContract>;
+  readonly raw: RawSqlTag;
+  execute<Row>(plan: (SqlExecutionPlan<Row> | SqlQueryPlan<Row>) & {
+    readonly _row?: Row;
+  }, options?: RuntimeExecuteOptions): AsyncIterableResult<Row>;
+  transaction<R>(fn: (tx: TransactionContext) => PromiseLike<R>): Promise<R>;
+}
+interface SupabaseDb<TContract extends Contract<SqlStorage>> {
+  readonly context: ExecutionContext<TContract>;
+  readonly stack: SqlExecutionStackWithDriver<SupabaseTargetId>;
+  asUser(jwt: string): Promise<RoleBoundDb<TContract>>;
+  asAnon(): RoleBoundDb<TContract>;
+  asServiceRole(): RoleBoundDb<TContract>;
+  close(): Promise<void>;
+  [Symbol.asyncDispose](): Promise<void>;
+}
+interface SupabaseOptionsBase {
+  readonly extensions?: readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[];
+  readonly middleware?: readonly SqlMiddleware[];
+  readonly verifyMarker?: VerifyMarkerOption;
+  readonly poolOptions?: {
+    readonly connectionTimeoutMillis?: number;
+    readonly idleTimeoutMillis?: number;
+  };
+}
+interface SupabaseBindingOptions {
+  readonly url?: string;
+  readonly pg?: Pool | Client;
+}
+type JwtSecretOption = {
+  readonly jwtSecret: string;
+  readonly jwksUrl?: never;
+};
+type JwksUrlOption = {
+  readonly jwksUrl: string;
+  readonly jwtSecret?: never;
+};
+type SupabaseOptionsWithContract<TContract extends Contract<SqlStorage>> = SupabaseBindingOptions & SupabaseOptionsBase & (JwtSecretOption | JwksUrlOption) & {
+  readonly contract: TContract;
+  readonly contractJson?: never;
+};
+type SupabaseOptionsWithContractJson<TContract extends Contract<SqlStorage>> = SupabaseBindingOptions & SupabaseOptionsBase & (JwtSecretOption | JwksUrlOption) & {
+  readonly contractJson: unknown;
+  readonly contract?: never;
+  readonly _contract?: TContract;
+};
+type SupabaseOptions<TContract extends Contract<SqlStorage>> = SupabaseOptionsWithContract<TContract> | SupabaseOptionsWithContractJson<TContract>;
+declare function supabase<TContract extends Contract<SqlStorage>>(options: SupabaseOptionsWithContract<TContract>): Promise<SupabaseDb<TContract>>;
+declare function supabase<TContract extends Contract<SqlStorage>>(options: SupabaseOptionsWithContractJson<TContract>): Promise<SupabaseDb<TContract>>;
+//#endregion
+//#region src/runtime/supabase-runtime.d.ts
+interface SupabaseRuntime extends PostgresRuntime {}
+interface SupabaseRoleBinding {
+  readonly role: 'anon' | 'authenticated' | 'service_role';
+  readonly claims?: Record<string, unknown>;
+}
+/**
+ * A connection with a Supabase role already bound via session-scoped set_config.
+ * Implements `RuntimeConnection` so it plugs into ORM scope machinery and `withTransaction`.
+ */
+interface RoleSession extends RuntimeConnection {}
+declare class SupabaseRuntimeImpl<TContract extends Contract<SqlStorage> = Contract<SqlStorage>> extends PostgresRuntimeImpl<TContract> {
+  /**
+   * Opens a raw connection and applies role + JWT claims via session-scoped set_config.
+   * On bind failure, destroys the connection before rethrowing — no leaked connections.
+   * Not on the `SupabaseRuntime` interface; consumed by the facade, not by app code.
+   */
+  openRoleSession(binding: SupabaseRoleBinding): Promise<RoleSession>;
+  /**
+   * Opens a role session, executes the plan, then releases after the stream drains.
+   * On mid-stream error, destroys the session instead of releasing.
+   */
+  executeWithRole<Row>(plan: SqlExecutionPlan<Row> | SqlQueryPlan<Row>, binding: SupabaseRoleBinding, options?: RuntimeExecuteOptions): AsyncIterableResult<Row>;
+}
+//#endregion
+export { InvalidJwtError, type RoleBoundDb, type RoleSession, SupabaseConfigError, type SupabaseDb, type SupabaseOptions, type SupabaseOptionsWithContract, type SupabaseOptionsWithContractJson, type SupabaseRoleBinding, type SupabaseRuntime, SupabaseRuntimeImpl, type SupabaseTargetId, supabaseRuntimeDescriptor as default, supabase };
 //# sourceMappingURL=runtime.d.mts.map

package/dist/runtime.d.mts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"runtime.d.mts","names":[],"sources":["../src/~~exports~~/runtime.ts"],"mappings":"~~;;;cAeM~~,yBAAA,EAA2B,6BAA6B"}
1	+ {"version":3,"file":"runtime.d.mts","names":[],"sources":["../src/runtime/descriptor.ts","../src/runtime/supabase.ts","../src/runtime/supabase-runtime.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;cAYa,yBAAA,EAA2B,6BAA6B;;;KC0BzD,gBAAA;AAAA,KAEP,SAAA,mBAA4B,QAAA,CAAS,UAAA,KAAe,UAAA,QAAkB,GAAA,CAAI,SAAA;AAAA,cAElE,mBAAA,SAA4B,KAAK;EAAA,SAC1B,IAAA;cACN,OAAA;AAAA;AAAA,cAKD,eAAA,SAAwB,KAAK;EAAA,SACtB,IAAA;EAAA,SACT,MAAA;cACG,MAAA;AAAA;AAAA,UAUG,WAAA,mBAA8B,QAAA,CAAS,UAAA;EAAA,SAC7C,GAAA,EAAK,EAAA,CAAG,SAAA;EAAA,SACR,GAAA,EAAK,SAAA,CAAU,SAAA;EAAA,SACf,GAAA,EAAK,SAAA;EACd,OAAA,MACE,IAAA,GAAO,gBAAA,CAAiB,GAAA,IAAO,YAAA,CAAa,GAAA;IAAA,SAAmB,IAAA,GAAO,GAAA;EAAA,GACtE,OAAA,GAAU,qBAAA,GACT,mBAAA,CAAoB,GAAA;EACvB,WAAA,IAAe,EAAA,GAAK,EAAA,EAAI,kBAAA,KAAuB,WAAA,CAAY,CAAA,IAAK,OAAA,CAAQ,CAAA;AAAA;AAAA,UAGzD,UAAA,mBAA6B,QAAA,CAAS,UAAA;EAAA,SAC5C,OAAA,EAAS,gBAAA,CAAiB,SAAA;EAAA,SAC1B,KAAA,EAAO,2BAAA,CAA4B,gBAAA;EAC5C,MAAA,CAAO,GAAA,WAAc,OAAA,CAAQ,WAAA,CAAY,SAAA;EACzC,MAAA,IAAU,WAAA,CAAY,SAAA;EACtB,aAAA,IAAiB,WAAA,CAAY,SAAA;EAC7B,KAAA,IAAS,OAAA;EAAA,CACR,MAAA,CAAO,YAAA,KAAiB,OAAA;AAAA;AAAA,UAGV,mBAAA;EAAA,SACN,UAAA,YAAsB,6BAAA,CAA8B,gBAAA;EAAA,SACpD,UAAA,YAAsB,aAAA;EAAA,SACtB,YAAA,GAAe,kBAAA;EAAA,SACf,WAAA;IAAA,SACE,uBAAA;IAAA,SACA,iBAAA;EAAA;AAAA;AAAA,UAII,sBAAA;EAAA,SACN,GAAA;EAAA,SACA,EAAA,GAAK,IAAA,GAAO,MAAM;AAAA;AAAA,KAGxB,eAAA;EAAA,SACM,SAAA;EAAA,SACA,OAAO;AAAA;AAAA,KAGb,aAAA;EAAA,SACM,OAAA;EAAA,SACA,SAAS;AAAA;AAAA,KAGR,2BAAA,mBAA8C,QAAA,CAAS,UAAA,KACjE,sBAAA,GACE,mBAAA,IACC,eAAA,GAAkB,aAAA;EAAA,SACR,QAAA,EAAU,SAAA;EAAA,SACV,YAAA;AAAA;AAAA,KAGH,+BAAA,mBAAkD,QAAA,CAAS,UAAA,KACrE,sBAAA,GACE,mBAAA,IACC,eAAA,GAAkB,aAAA;EAAA,SACR,YAAA;EAAA,SACA,QAAA;EAAA,SACA,SAAA,GAAY,SAAA;AAAA;AAAA,KAGf,eAAA,mBAAkC,QAAA,CAAS,UAAA,KACnD,2BAAA,CAA4B,SAAA,IAC5B,+BAAA,CAAgC,SAAA;AAAA,iBAwEN,QAAA,mBAA2B,QAAA,CAAS,UAAA,GAChE,OAAA,EAAS,2BAAA,CAA4B,SAAA,IACpC,OAAA,CAAQ,UAAA,CAAW,SAAA;AAAA,iBACQ,QAAA,mBAA2B,QAAA,CAAS,UAAA,GAChE,OAAA,EAAS,+BAAA,CAAgC,SAAA,IACxC,OAAA,CAAQ,UAAA,CAAW,SAAA;;;UC9LL,eAAA,SAAwB,eAAe;AAAA,UAEvC,mBAAA;EAAA,SAEN,IAAA;EAAA,SACA,MAAA,GAAS,MAAM;AAAA;;;;AFP2C;UEcpD,WAAA,SAAoB,iBAAiB;AAAA,cAEzC,mBAAA,mBACO,QAAA,CAAS,UAAA,IAAc,QAAA,CAAS,UAAA,WAC1C,mBAAA,CAAoB,SAAA;EDQlB;;;;AAAgB;ECFpB,eAAA,CAAgB,OAAA,EAAS,mBAAA,GAAsB,OAAA,CAAQ,WAAA;EDIjD;;;;ECuGZ,eAAA,MACE,IAAA,EAAM,gBAAA,CAAiB,GAAA,IAAO,YAAA,CAAa,GAAA,GAC3C,OAAA,EAAS,mBAAA,EACT,OAAA,GAAU,qBAAA,GACT,mBAAA,CAAoB,GAAA;AAAA"}

package/dist/runtime.mjs CHANGED Viewed

@@ -1,8 +1,32 @@
-//#region src/exports/runtime.ts
+import { t as version } from "./package-BxYGU2sD.mjs";
+import { blindCast } from "@prisma-next/utils/casts";
+import postgresAdapter from "@prisma-next/adapter-postgres/runtime";
+import postgresDriver from "@prisma-next/driver-postgres/runtime";
+import { instantiateExecutionStack } from "@prisma-next/framework-components/execution";
+import { sql } from "@prisma-next/sql-builder/runtime";
+import { orm } from "@prisma-next/sql-orm-client";
+import { createRawSql } from "@prisma-next/sql-relational-core/expression";
+import { createExecutionContext, createSqlExecutionStack, withTransaction } from "@prisma-next/sql-runtime";
+import postgresTarget, { PostgresContractSerializer } from "@prisma-next/target-postgres/runtime";
+import { ifDefined } from "@prisma-next/utils/defined";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import { Pool } from "pg";
+import { AsyncIterableResult } from "@prisma-next/framework-components/runtime";
+import { PostgresRuntimeImpl } from "@prisma-next/postgres/runtime";
+//#region src/runtime/descriptor.ts
+/**
+* Tells the runtime that the Supabase pack's runtime component is available.
+*
+* When a contract declares the Supabase pack, the runtime checks that a
+* matching descriptor has been registered. Without this, loading a Supabase
+* contract errors with "pack runtime component missing". The `supabase()`
+* factory registers this descriptor automatically — app code never needs to
+* reference it directly.
+*/
 const supabaseRuntimeDescriptor = {
 	kind: "extension",
 	id: "supabase",
-	version: "0.12.0",
+	version,
 	familyId: "sql",
 	targetId: "postgres",
 	codecs: () => [],
@@ -14,6 +38,257 @@ const supabaseRuntimeDescriptor = {
 	}
 };
 //#endregion
-export { supabaseRuntimeDescriptor as default };
+//#region src/runtime/supabase-runtime.ts
+var SupabaseRuntimeImpl = class extends PostgresRuntimeImpl {
+	/**
+	* Opens a raw connection and applies role + JWT claims via session-scoped set_config.
+	* On bind failure, destroys the connection before rethrowing — no leaked connections.
+	* Not on the `SupabaseRuntime` interface; consumed by the facade, not by app code.
+	*/
+	async openRoleSession(binding) {
+		const conn = await this.acquireRawConnection();
+		try {
+			await conn.query("SELECT set_config($1, $2, false)", ["role", binding.role]);
+			await conn.query("SELECT set_config($1, $2, false)", ["request.jwt.claims", JSON.stringify(binding.claims ?? {})]);
+		} catch (err) {
+			await conn.destroy(err).catch(() => void 0);
+			throw err;
+		}
+		const self = this;
+		return {
+			execute(plan, options) {
+				return self.executeAgainstQueryable(plan, conn, {
+					...options,
+					scope: "connection"
+				});
+			},
+			executePrepared(ps, params, options) {
+				return self.executePreparedAgainstQueryable(blindCast(ps), blindCast(params), conn, {
+					...options,
+					scope: "connection"
+				});
+			},
+			async transaction() {
+				const tx = await conn.beginTransaction();
+				return {
+					async commit() {
+						await tx.commit();
+					},
+					async rollback() {
+						await tx.rollback();
+					},
+					execute(plan, options) {
+						return self.executeAgainstQueryable(plan, tx, {
+							...options,
+							scope: "transaction"
+						});
+					},
+					executePrepared(ps, params, options) {
+						return self.executePreparedAgainstQueryable(blindCast(ps), blindCast(params), tx, {
+							...options,
+							scope: "transaction"
+						});
+					}
+				};
+			},
+			/**
+			* Resets all session-local config then releases the connection back to the pool.
+			* If RESET ALL fails, destroys the connection instead — pool-poisoning guarantee.
+			*/
+			async release() {
+				try {
+					await conn.query("RESET ALL");
+					await conn.release();
+				} catch (resetError) {
+					await conn.destroy(resetError).catch(() => void 0);
+				}
+			},
+			async destroy(reason) {
+				await conn.destroy(reason);
+			}
+		};
+	}
+	/**
+	* Opens a role session, executes the plan, then releases after the stream drains.
+	* On mid-stream error, destroys the session instead of releasing.
+	*/
+	executeWithRole(plan, binding, options) {
+		const self = this;
+		const generator = async function* () {
+			const session = await self.openRoleSession(binding);
+			let errored = false;
+			try {
+				for await (const row of session.execute(plan, options)) yield row;
+			} catch (err) {
+				errored = true;
+				await session.destroy(err).catch(() => void 0);
+				throw err;
+			} finally {
+				if (!errored) await session.release();
+			}
+		};
+		return new AsyncIterableResult(generator());
+	}
+};
+//#endregion
+//#region src/runtime/supabase.ts
+var SupabaseConfigError = class extends Error {
+	name = "SupabaseConfigError";
+	constructor(message) {
+		super(message);
+	}
+};
+var InvalidJwtError = class extends Error {
+	name = "InvalidJwtError";
+	reason;
+	constructor(reason) {
+		super(`Invalid JWT: ${reason}`);
+		this.reason = reason;
+	}
+};
+function hasContractJson(options) {
+	return "contractJson" in options;
+}
+const contractSerializer = new PostgresContractSerializer();
+function resolveContract(options) {
+	const contractInput = hasContractJson(options) ? options.contractJson : options.contract;
+	return blindCast(contractSerializer.deserializeContract(contractInput));
+}
+function resolveKeyMaterial(options) {
+	const jwtSecret = "jwtSecret" in options ? options.jwtSecret : void 0;
+	const jwksUrl = "jwksUrl" in options ? options.jwksUrl : void 0;
+	if (jwtSecret !== void 0 && jwksUrl !== void 0) throw new SupabaseConfigError("Provide either jwtSecret or jwksUrl, not both");
+	if (jwtSecret === void 0 && jwksUrl === void 0) throw new SupabaseConfigError("Either jwtSecret or jwksUrl is required");
+	if (jwtSecret !== void 0) return {
+		kind: "secret",
+		key: new TextEncoder().encode(jwtSecret)
+	};
+	if (jwksUrl !== void 0) return {
+		kind: "jwks",
+		keyset: createRemoteJWKSet(new URL(jwksUrl))
+	};
+	throw new SupabaseConfigError("Either jwtSecret or jwksUrl is required");
+}
+function toPool(options) {
+	if (options.pg instanceof Pool) return {
+		pool: options.pg,
+		owned: false
+	};
+	if (typeof options.url === "string") return {
+		pool: new Pool({
+			connectionString: options.url,
+			connectionTimeoutMillis: options.poolOptions?.connectionTimeoutMillis ?? 2e4,
+			idleTimeoutMillis: options.poolOptions?.idleTimeoutMillis ?? 3e4
+		}),
+		owned: true
+	};
+}
+function withSupabaseDescriptor(extensions) {
+	const packs = extensions ?? [];
+	return packs.some((pack) => pack.id === supabaseRuntimeDescriptor.id) ? packs : [...packs, supabaseRuntimeDescriptor];
+}
+async function supabase(options) {
+	const keyMaterial = resolveKeyMaterial(options);
+	const contract = resolveContract(options);
+	const stack = createSqlExecutionStack({
+		target: postgresTarget,
+		adapter: postgresAdapter,
+		driver: postgresDriver,
+		extensionPacks: withSupabaseDescriptor(options.extensions)
+	});
+	const context = createExecutionContext({
+		contract,
+		stack
+	});
+	const rawCodecInferer = stack.adapter.rawCodecInferer;
+	const rawSqlTag = createRawSql(rawCodecInferer);
+	const poolEntry = toPool(options);
+	let closed = false;
+	const stackInstance = instantiateExecutionStack(stack);
+	const driverDescriptor = stack.driver;
+	if (!driverDescriptor) throw new Error("Driver descriptor missing from execution stack");
+	const driver = driverDescriptor.create({ cursor: { disabled: true } });
+	if (poolEntry) await driver.connect({
+		kind: "pgPool",
+		pool: poolEntry.pool
+	});
+	const runtime = new SupabaseRuntimeImpl({
+		context,
+		adapter: stackInstance.adapter,
+		driver,
+		...ifDefined("verifyMarker", options.verifyMarker),
+		...ifDefined("middleware", options.middleware)
+	});
+	async function verifyJwt(jwt) {
+		try {
+			if (keyMaterial.kind === "secret") return await jwtVerify(jwt, keyMaterial.key);
+			return await jwtVerify(jwt, keyMaterial.keyset);
+		} catch (err) {
+			throw new InvalidJwtError(err instanceof Error ? err.message : String(err));
+		}
+	}
+	function buildRoleBoundDb(binding) {
+		return {
+			sql: sql({
+				context,
+				rawCodecInferer
+			}),
+			orm: orm({
+				runtime: {
+					execute(plan) {
+						return runtime.executeWithRole(plan, binding);
+					},
+					connection: () => runtime.openRoleSession(binding)
+				},
+				context
+			}),
+			raw: rawSqlTag,
+			execute(plan, execOptions) {
+				return runtime.executeWithRole(plan, binding, execOptions);
+			},
+			transaction(fn) {
+				return withTransaction({ connection: () => runtime.openRoleSession(binding) }, fn);
+			}
+		};
+	}
+	async function closeDb() {
+		if (closed) return;
+		closed = true;
+		await runtime.close();
+		if (poolEntry?.owned) await poolEntry.pool.end().catch(() => void 0);
+	}
+	return {
+		context,
+		stack,
+		async asUser(jwt) {
+			const { payload } = await verifyJwt(jwt);
+			const rawRole = payload["role"];
+			const roleStr = typeof rawRole === "string" ? rawRole : "authenticated";
+			return buildRoleBoundDb({
+				role: roleStr === "anon" || roleStr === "authenticated" || roleStr === "service_role" ? roleStr : "authenticated",
+				claims: payload
+			});
+		},
+		asAnon() {
+			return buildRoleBoundDb({
+				role: "anon",
+				claims: {}
+			});
+		},
+		asServiceRole() {
+			return buildRoleBoundDb({
+				role: "service_role",
+				claims: {}
+			});
+		},
+		close: closeDb,
+		[Symbol.asyncDispose]: closeDb
+	};
+}
+//#endregion
+//#region src/exports/runtime.ts
+var runtime_default = supabaseRuntimeDescriptor;
+//#endregion
+export { InvalidJwtError, SupabaseConfigError, SupabaseRuntimeImpl, runtime_default as default, supabase };
 //# sourceMappingURL=runtime.mjs.map

package/dist/runtime.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"runtime.mjs","names":[],"sources":["../src/exports/runtime.ts"],"sourcesContent":["/*\n Minimal M1 runtime descriptor for the Supabase extension.\n \n The Supabase pack contributes no runtime codec types or query operations in\n * M1 — `auth.`/`storage.` are external tables accessed via the stock\n * postgres runtime, not through a custom codec or operation surface. This\n * descriptor exists so the postgres runtime's contract-requirements check\n * (which verifies every `extensionPacks` entry in the emitted `contract.json`\n * has a matching runtime component) passes.\n \n TODO(M2): Replace with the real SupabaseRuntime that adds\n * `asUser()`/`asAnon()` role-binding and the Supabase auth surface.\n */\nimport type { SqlRuntimeExtensionDescriptor } from '@prisma-next/sql-runtime';\n\nconst supabaseRuntimeDescriptor: SqlRuntimeExtensionDescriptor<'postgres'> = {\n kind: 'extension' as const,\n id: 'supabase',\n version: '0.12.0',\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n codecs: () => [],\n create() {\n return {\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n };\n },\n};\n\nexport default supabaseRuntimeDescriptor;\n"],"mappings":";AAeA,MAAM,4BAAuE;CAC3E,MAAM;CACN,IAAI;CACJ,SAAS;CACT,UAAU;CACV,UAAU;CACV,cAAc,CAAC;CACf,SAAS;EACP,OAAO;GACL,UAAU;GACV,UAAU;EACZ;CACF;AACF"}
1	+ {"version":3,"file":"runtime.mjs","names":["packageJson.version"],"sources":["../src/runtime/descriptor.ts","../src/runtime/supabase-runtime.ts","../src/runtime/supabase.ts","../src/exports/runtime.ts"],"sourcesContent":["import type { SqlRuntimeExtensionDescriptor } from '@prisma-next/sql-runtime';\nimport packageJson from '../../package.json' with { type: 'json' };\n\n/*\n Tells the runtime that the Supabase pack's runtime component is available.\n \n When a contract declares the Supabase pack, the runtime checks that a\n * matching descriptor has been registered. Without this, loading a Supabase\n * contract errors with \"pack runtime component missing\". The `supabase()`\n * factory registers this descriptor automatically — app code never needs to\n * reference it directly.\n /\nexport const supabaseRuntimeDescriptor: SqlRuntimeExtensionDescriptor<'postgres'> = {\n kind: 'extension' as const,\n id: 'supabase',\n version: packageJson.version,\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n codecs: () => [],\n create() {\n return {\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n };\n },\n};\n","import type { Contract } from '@prisma-next/contract/types';\nimport type { RuntimeExecuteOptions } from '@prisma-next/framework-components/runtime';\nimport { AsyncIterableResult } from '@prisma-next/framework-components/runtime';\nimport { type PostgresRuntime, PostgresRuntimeImpl } from '@prisma-next/postgres/runtime';\nimport type { SqlStorage } from '@prisma-next/sql-contract/types';\nimport type { SqlExecutionPlan, SqlQueryPlan } from '@prisma-next/sql-relational-core/plan';\nimport type {\n PreparedStatement,\n PreparedStatementImpl,\n RuntimeConnection,\n RuntimeTransaction,\n} from '@prisma-next/sql-runtime';\nimport { blindCast } from '@prisma-next/utils/casts';\n\nexport interface SupabaseRuntime extends PostgresRuntime {}\n\nexport interface SupabaseRoleBinding {\n // TODO(TML-2501): role names move to the Supabase extension contract (roles as first-class IR) when postgres-rls lands.\n readonly role: 'anon' \| 'authenticated' \| 'service_role';\n readonly claims?: Record<string, unknown>;\n}\n\n/\n A connection with a Supabase role already bound via session-scoped set_config.\n * Implements `RuntimeConnection` so it plugs into ORM scope machinery and `withTransaction`.\n /\nexport interface RoleSession extends RuntimeConnection {}\n\nexport class SupabaseRuntimeImpl<\n TContract extends Contract<SqlStorage> = Contract<SqlStorage>,\n> extends PostgresRuntimeImpl<TContract> {\n /\n Opens a raw connection and applies role + JWT claims via session-scoped set_config.\n * On bind failure, destroys the connection before rethrowing — no leaked connections.\n * Not on the `SupabaseRuntime` interface; consumed by the facade, not by app code.\n /\n async openRoleSession(binding: SupabaseRoleBinding): Promise<RoleSession> {\n const conn = await this.acquireRawConnection();\n\n try {\n await conn.query('SELECT set_config($1, $2, false)', ['role', binding.role]);\n await conn.query('SELECT set_config($1, $2, false)', [\n 'request.jwt.claims',\n JSON.stringify(binding.claims ?? {}),\n ]);\n } catch (err) {\n await conn.destroy(err).catch(() => undefined);\n throw err;\n }\n\n const self = this;\n\n const session: RoleSession = {\n execute<Row>(\n plan: (SqlExecutionPlan<unknown> \| SqlQueryPlan<unknown>) & { readonly _row?: Row },\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executeAgainstQueryable<Row>(plan, conn, { ...options, scope: 'connection' });\n },\n\n executePrepared<Params, Row>(\n ps: PreparedStatement<Params, Row>,\n params: Params,\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executePreparedAgainstQueryable(\n blindCast<\n PreparedStatementImpl<Params, Row>,\n 'PreparedStatement is PreparedStatementImpl; the impl class is the only concrete form'\n >(ps),\n blindCast<\n Record<string, unknown>,\n 'params are structurally Record<string, unknown> at runtime'\n >(params),\n conn,\n { ...options, scope: 'connection' },\n );\n },\n\n async transaction(): Promise<RuntimeTransaction> {\n const tx = await conn.beginTransaction();\n return {\n async commit(): Promise<void> {\n await tx.commit();\n },\n async rollback(): Promise<void> {\n await tx.rollback();\n },\n execute<Row>(\n plan: (SqlExecutionPlan<unknown> \| SqlQueryPlan<unknown>) & { readonly _row?: Row },\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executeAgainstQueryable<Row>(plan, tx, {\n ...options,\n scope: 'transaction',\n });\n },\n executePrepared<Params, Row>(\n ps: PreparedStatement<Params, Row>,\n params: Params,\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executePreparedAgainstQueryable(\n blindCast<\n PreparedStatementImpl<Params, Row>,\n 'PreparedStatement is PreparedStatementImpl; the impl class is the only concrete form'\n >(ps),\n blindCast<\n Record<string, unknown>,\n 'params are structurally Record<string, unknown> at runtime'\n >(params),\n tx,\n { ...options, scope: 'transaction' },\n );\n },\n };\n },\n\n /\n Resets all session-local config then releases the connection back to the pool.\n * If RESET ALL fails, destroys the connection instead — pool-poisoning guarantee.\n /\n async release(): Promise<void> {\n try {\n await conn.query('RESET ALL');\n await conn.release();\n } catch (resetError) {\n await conn.destroy(resetError).catch(() => undefined);\n }\n },\n\n async destroy(reason?: unknown): Promise<void> {\n await conn.destroy(reason);\n },\n };\n\n return session;\n }\n\n /\n Opens a role session, executes the plan, then releases after the stream drains.\n * On mid-stream error, destroys the session instead of releasing.\n /\n executeWithRole<Row>(\n plan: SqlExecutionPlan<Row> \| SqlQueryPlan<Row>,\n binding: SupabaseRoleBinding,\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n const self = this;\n\n const generator = async function (): AsyncGenerator<Row, void, unknown> {\n const session = await self.openRoleSession(binding);\n let errored = false;\n try {\n for await (const row of session.execute(plan, options)) {\n yield row;\n }\n } catch (err) {\n errored = true;\n await session.destroy(err).catch(() => undefined);\n throw err;\n } finally {\n if (!errored) {\n await session.release();\n }\n }\n };\n\n return new AsyncIterableResult(generator());\n }\n}\n","import postgresAdapter from '@prisma-next/adapter-postgres/runtime';\nimport type { Contract } from '@prisma-next/contract/types';\nimport postgresDriver from '@prisma-next/driver-postgres/runtime';\nimport { instantiateExecutionStack } from '@prisma-next/framework-components/execution';\nimport type {\n AsyncIterableResult,\n RuntimeExecuteOptions,\n} from '@prisma-next/framework-components/runtime';\nimport { sql } from '@prisma-next/sql-builder/runtime';\nimport type { Db } from '@prisma-next/sql-builder/types';\nimport type { SqlStorage } from '@prisma-next/sql-contract/types';\nimport { orm } from '@prisma-next/sql-orm-client';\nimport type { RawSqlTag } from '@prisma-next/sql-relational-core/expression';\nimport { createRawSql } from '@prisma-next/sql-relational-core/expression';\nimport type { SqlExecutionPlan, SqlQueryPlan } from '@prisma-next/sql-relational-core/plan';\nimport type {\n ExecutionContext,\n SqlExecutionStackWithDriver,\n SqlMiddleware,\n SqlRuntimeExtensionDescriptor,\n TransactionContext,\n VerifyMarkerOption,\n} from '@prisma-next/sql-runtime';\nimport {\n createExecutionContext,\n createSqlExecutionStack,\n withTransaction,\n} from '@prisma-next/sql-runtime';\nimport postgresTarget, { PostgresContractSerializer } from '@prisma-next/target-postgres/runtime';\nimport { blindCast } from '@prisma-next/utils/casts';\nimport { ifDefined } from '@prisma-next/utils/defined';\nimport { createRemoteJWKSet, type JWTVerifyResult, jwtVerify } from 'jose';\nimport type { Client } from 'pg';\nimport { Pool } from 'pg';\nimport { supabaseRuntimeDescriptor } from './descriptor';\nimport type { SupabaseRoleBinding, SupabaseRuntime } from './supabase-runtime';\nimport { SupabaseRuntimeImpl } from './supabase-runtime';\n\nexport type SupabaseTargetId = 'postgres';\n\ntype OrmClient<TContract extends Contract<SqlStorage>> = ReturnType<typeof orm<TContract>>;\n\nexport class SupabaseConfigError extends Error {\n override readonly name = 'SupabaseConfigError';\n constructor(message: string) {\n super(message);\n }\n}\n\nexport class InvalidJwtError extends Error {\n override readonly name = 'InvalidJwtError';\n readonly reason: string;\n constructor(reason: string) {\n super(`Invalid JWT: ${reason}`);\n this.reason = reason;\n }\n}\n\ntype KeyMaterial =\n \| { readonly kind: 'secret'; readonly key: Uint8Array }\n \| { readonly kind: 'jwks'; readonly keyset: ReturnType<typeof createRemoteJWKSet> };\n\nexport interface RoleBoundDb<TContract extends Contract<SqlStorage>> {\n readonly sql: Db<TContract>;\n readonly orm: OrmClient<TContract>;\n readonly raw: RawSqlTag;\n execute<Row>(\n plan: (SqlExecutionPlan<Row> \| SqlQueryPlan<Row>) & { readonly _row?: Row },\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row>;\n transaction<R>(fn: (tx: TransactionContext) => PromiseLike<R>): Promise<R>;\n}\n\nexport interface SupabaseDb<TContract extends Contract<SqlStorage>> {\n readonly context: ExecutionContext<TContract>;\n readonly stack: SqlExecutionStackWithDriver<SupabaseTargetId>;\n asUser(jwt: string): Promise<RoleBoundDb<TContract>>;\n asAnon(): RoleBoundDb<TContract>;\n asServiceRole(): RoleBoundDb<TContract>;\n close(): Promise<void>;\n [Symbol.asyncDispose](): Promise<void>;\n}\n\nexport interface SupabaseOptionsBase {\n readonly extensions?: readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[];\n readonly middleware?: readonly SqlMiddleware[];\n readonly verifyMarker?: VerifyMarkerOption;\n readonly poolOptions?: {\n readonly connectionTimeoutMillis?: number;\n readonly idleTimeoutMillis?: number;\n };\n}\n\nexport interface SupabaseBindingOptions {\n readonly url?: string;\n readonly pg?: Pool \| Client;\n}\n\ntype JwtSecretOption = {\n readonly jwtSecret: string;\n readonly jwksUrl?: never;\n};\n\ntype JwksUrlOption = {\n readonly jwksUrl: string;\n readonly jwtSecret?: never;\n};\n\nexport type SupabaseOptionsWithContract<TContract extends Contract<SqlStorage>> =\n SupabaseBindingOptions &\n SupabaseOptionsBase &\n (JwtSecretOption \| JwksUrlOption) & {\n readonly contract: TContract;\n readonly contractJson?: never;\n };\n\nexport type SupabaseOptionsWithContractJson<TContract extends Contract<SqlStorage>> =\n SupabaseBindingOptions &\n SupabaseOptionsBase &\n (JwtSecretOption \| JwksUrlOption) & {\n readonly contractJson: unknown;\n readonly contract?: never;\n readonly _contract?: TContract;\n };\n\nexport type SupabaseOptions<TContract extends Contract<SqlStorage>> =\n \| SupabaseOptionsWithContract<TContract>\n \| SupabaseOptionsWithContractJson<TContract>;\n\nfunction hasContractJson<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): options is SupabaseOptionsWithContractJson<TContract> {\n return 'contractJson' in options;\n}\n\nconst contractSerializer = new PostgresContractSerializer();\n\nfunction resolveContract<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): TContract {\n const contractInput = hasContractJson(options) ? options.contractJson : options.contract;\n return blindCast<\n TContract,\n 'contractSerializer.deserializeContract returns a validated TContract'\n >(contractSerializer.deserializeContract(contractInput));\n}\n\nfunction resolveKeyMaterial<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): KeyMaterial {\n const jwtSecret = 'jwtSecret' in options ? options.jwtSecret : undefined;\n const jwksUrl = 'jwksUrl' in options ? options.jwksUrl : undefined;\n\n if (jwtSecret !== undefined && jwksUrl !== undefined) {\n throw new SupabaseConfigError('Provide either jwtSecret or jwksUrl, not both');\n }\n if (jwtSecret === undefined && jwksUrl === undefined) {\n throw new SupabaseConfigError('Either jwtSecret or jwksUrl is required');\n }\n\n if (jwtSecret !== undefined) {\n return { kind: 'secret', key: new TextEncoder().encode(jwtSecret) };\n }\n\n if (jwksUrl !== undefined) {\n return { kind: 'jwks', keyset: createRemoteJWKSet(new URL(jwksUrl)) };\n }\n\n throw new SupabaseConfigError('Either jwtSecret or jwksUrl is required');\n}\n\nfunction toPool<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): { pool: Pool; owned: boolean } \| undefined {\n if (options.pg instanceof Pool) {\n return { pool: options.pg, owned: false };\n }\n if (typeof options.url === 'string') {\n return {\n pool: new Pool({\n connectionString: options.url,\n connectionTimeoutMillis: options.poolOptions?.connectionTimeoutMillis ?? 20_000,\n idleTimeoutMillis: options.poolOptions?.idleTimeoutMillis ?? 30_000,\n }),\n owned: true,\n };\n }\n return undefined;\n}\n\nfunction withSupabaseDescriptor(\n extensions: readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[] \| undefined,\n): readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[] {\n const packs = extensions ?? [];\n return packs.some((pack) => pack.id === supabaseRuntimeDescriptor.id)\n ? packs\n : [...packs, supabaseRuntimeDescriptor];\n}\n\nexport default async function supabase<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptionsWithContract<TContract>,\n): Promise<SupabaseDb<TContract>>;\nexport default async function supabase<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptionsWithContractJson<TContract>,\n): Promise<SupabaseDb<TContract>>;\nexport default async function supabase<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): Promise<SupabaseDb<TContract>> {\n const keyMaterial = resolveKeyMaterial(options);\n const contract = resolveContract(options);\n\n const stack = createSqlExecutionStack({\n target: postgresTarget,\n adapter: postgresAdapter,\n driver: postgresDriver,\n extensionPacks: withSupabaseDescriptor(options.extensions),\n });\n\n const context = createExecutionContext({ contract, stack });\n const rawCodecInferer = stack.adapter.rawCodecInferer;\n const rawSqlTag: RawSqlTag = createRawSql(rawCodecInferer);\n\n const poolEntry = toPool(options);\n let closed = false;\n\n const stackInstance = instantiateExecutionStack(stack);\n const driverDescriptor = stack.driver;\n if (!driverDescriptor) {\n throw new Error('Driver descriptor missing from execution stack');\n }\n const driver = driverDescriptor.create({ cursor: { disabled: true } });\n\n if (poolEntry) {\n await driver.connect({ kind: 'pgPool', pool: poolEntry.pool });\n }\n\n const runtime: SupabaseRuntime & SupabaseRuntimeImpl<TContract> = new SupabaseRuntimeImpl({\n context,\n adapter: stackInstance.adapter,\n driver,\n ...ifDefined('verifyMarker', options.verifyMarker),\n ...ifDefined('middleware', options.middleware),\n });\n\n async function verifyJwt(jwt: string): Promise<JWTVerifyResult> {\n try {\n if (keyMaterial.kind === 'secret') {\n return await jwtVerify(jwt, keyMaterial.key);\n }\n return await jwtVerify(jwt, keyMaterial.keyset);\n } catch (err) {\n const reason = err instanceof Error ? err.message : String(err);\n throw new InvalidJwtError(reason);\n }\n }\n\n function buildRoleBoundDb(binding: SupabaseRoleBinding): RoleBoundDb<TContract> {\n const roleSql: Db<TContract> = sql<TContract>({ context, rawCodecInferer });\n const roleOrm: OrmClient<TContract> = orm({\n runtime: {\n execute(plan) {\n return runtime.executeWithRole(plan, binding);\n },\n // connection() returns a role session; this is the enforcement path for ORM scope\n // operations (mutations, includes) — every statement runs role-bound.\n connection: () => runtime.openRoleSession(binding),\n },\n context,\n });\n\n return {\n sql: roleSql,\n orm: roleOrm,\n raw: rawSqlTag,\n execute<Row>(\n plan: (SqlExecutionPlan<Row> \| SqlQueryPlan<Row>) & { readonly _row?: Row },\n execOptions?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return runtime.executeWithRole<Row>(plan, binding, execOptions);\n },\n transaction<R>(fn: (tx: TransactionContext) => PromiseLike<R>): Promise<R> {\n return withTransaction({ connection: () => runtime.openRoleSession(binding) }, fn);\n },\n };\n }\n\n async function closeDb(): Promise<void> {\n if (closed) return;\n closed = true;\n await runtime.close();\n if (poolEntry?.owned) {\n await poolEntry.pool.end().catch(() => undefined);\n }\n }\n\n return {\n context,\n stack,\n\n async asUser(jwt: string): Promise<RoleBoundDb<TContract>> {\n const { payload } = await verifyJwt(jwt);\n const rawRole = payload['role'];\n const roleStr = typeof rawRole === 'string' ? rawRole : 'authenticated';\n const role: SupabaseRoleBinding['role'] =\n roleStr === 'anon' \|\| roleStr === 'authenticated' \|\| roleStr === 'service_role'\n ? roleStr\n : 'authenticated';\n const binding: SupabaseRoleBinding = { role, claims: payload };\n return buildRoleBoundDb(binding);\n },\n\n asAnon(): RoleBoundDb<TContract> {\n return buildRoleBoundDb({ role: 'anon', claims: {} });\n },\n\n asServiceRole(): RoleBoundDb<TContract> {\n return buildRoleBoundDb({ role: 'service_role', claims: {} });\n },\n\n close: closeDb,\n [Symbol.asyncDispose]: closeDb,\n };\n}\n","import { supabaseRuntimeDescriptor } from '../runtime/descriptor';\n\nexport default supabaseRuntimeDescriptor;\n\nexport type {\n RoleBoundDb,\n SupabaseDb,\n SupabaseOptions,\n SupabaseOptionsWithContract,\n SupabaseOptionsWithContractJson,\n SupabaseTargetId,\n} from '../runtime/supabase';\nexport { default as supabase, InvalidJwtError, SupabaseConfigError } from '../runtime/supabase';\nexport type {\n RoleSession,\n SupabaseRoleBinding,\n SupabaseRuntime,\n} from '../runtime/supabase-runtime';\nexport { SupabaseRuntimeImpl } from '../runtime/supabase-runtime';\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAYA,MAAa,4BAAuE;CAClF,MAAM;CACN,IAAI;CACKA;CACT,UAAU;CACV,UAAU;CACV,cAAc,CAAC;CACf,SAAS;EACP,OAAO;GACL,UAAU;GACV,UAAU;EACZ;CACF;AACF;;;ACGA,IAAa,sBAAb,cAEU,oBAA+B;;;;;;CAMvC,MAAM,gBAAgB,SAAoD;EACxE,MAAM,OAAO,MAAM,KAAK,qBAAqB;EAE7C,IAAI;GACF,MAAM,KAAK,MAAM,oCAAoC,CAAC,QAAQ,QAAQ,IAAI,CAAC;GAC3E,MAAM,KAAK,MAAM,oCAAoC,CACnD,sBACA,KAAK,UAAU,QAAQ,UAAU,CAAC,CAAC,CACrC,CAAC;EACH,SAAS,KAAK;GACZ,MAAM,KAAK,QAAQ,GAAG,CAAC,CAAC,YAAY,KAAA,CAAS;GAC7C,MAAM;EACR;EAEA,MAAM,OAAO;EAsFb,OAAO;GAnFL,QACE,MACA,SAC0B;IAC1B,OAAO,KAAK,wBAA6B,MAAM,MAAM;KAAE,GAAG;KAAS,OAAO;IAAa,CAAC;GAC1F;GAEA,gBACE,IACA,QACA,SAC0B;IAC1B,OAAO,KAAK,gCACV,UAGE,EAAE,GACJ,UAGE,MAAM,GACR,MACA;KAAE,GAAG;KAAS,OAAO;IAAa,CACpC;GACF;GAEA,MAAM,cAA2C;IAC/C,MAAM,KAAK,MAAM,KAAK,iBAAiB;IACvC,OAAO;KACL,MAAM,SAAwB;MAC5B,MAAM,GAAG,OAAO;KAClB;KACA,MAAM,WAA0B;MAC9B,MAAM,GAAG,SAAS;KACpB;KACA,QACE,MACA,SAC0B;MAC1B,OAAO,KAAK,wBAA6B,MAAM,IAAI;OACjD,GAAG;OACH,OAAO;MACT,CAAC;KACH;KACA,gBACE,IACA,QACA,SAC0B;MAC1B,OAAO,KAAK,gCACV,UAGE,EAAE,GACJ,UAGE,MAAM,GACR,IACA;OAAE,GAAG;OAAS,OAAO;MAAc,CACrC;KACF;IACF;GACF;;;;;GAMA,MAAM,UAAyB;IAC7B,IAAI;KACF,MAAM,KAAK,MAAM,WAAW;KAC5B,MAAM,KAAK,QAAQ;IACrB,SAAS,YAAY;KACnB,MAAM,KAAK,QAAQ,UAAU,CAAC,CAAC,YAAY,KAAA,CAAS;IACtD;GACF;GAEA,MAAM,QAAQ,QAAiC;IAC7C,MAAM,KAAK,QAAQ,MAAM;GAC3B;EAGW;CACf;;;;;CAMA,gBACE,MACA,SACA,SAC0B;EAC1B,MAAM,OAAO;EAEb,MAAM,YAAY,mBAAuD;GACvE,MAAM,UAAU,MAAM,KAAK,gBAAgB,OAAO;GAClD,IAAI,UAAU;GACd,IAAI;IACF,WAAW,MAAM,OAAO,QAAQ,QAAQ,MAAM,OAAO,GACnD,MAAM;GAEV,SAAS,KAAK;IACZ,UAAU;IACV,MAAM,QAAQ,QAAQ,GAAG,CAAC,CAAC,YAAY,KAAA,CAAS;IAChD,MAAM;GACR,UAAU;IACR,IAAI,CAAC,SACH,MAAM,QAAQ,QAAQ;GAE1B;EACF;EAEA,OAAO,IAAI,oBAAoB,UAAU,CAAC;CAC5C;AACF;;;AChIA,IAAa,sBAAb,cAAyC,MAAM;CAC7C,OAAyB;CACzB,YAAY,SAAiB;EAC3B,MAAM,OAAO;CACf;AACF;AAEA,IAAa,kBAAb,cAAqC,MAAM;CACzC,OAAyB;CACzB;CACA,YAAY,QAAgB;EAC1B,MAAM,gBAAgB,QAAQ;EAC9B,KAAK,SAAS;CAChB;AACF;AAyEA,SAAS,gBACP,SACuD;CACvD,OAAO,kBAAkB;AAC3B;AAEA,MAAM,qBAAqB,IAAI,2BAA2B;AAE1D,SAAS,gBACP,SACW;CACX,MAAM,gBAAgB,gBAAgB,OAAO,IAAI,QAAQ,eAAe,QAAQ;CAChF,OAAO,UAGL,mBAAmB,oBAAoB,aAAa,CAAC;AACzD;AAEA,SAAS,mBACP,SACa;CACb,MAAM,YAAY,eAAe,UAAU,QAAQ,YAAY,KAAA;CAC/D,MAAM,UAAU,aAAa,UAAU,QAAQ,UAAU,KAAA;CAEzD,IAAI,cAAc,KAAA,KAAa,YAAY,KAAA,GACzC,MAAM,IAAI,oBAAoB,+CAA+C;CAE/E,IAAI,cAAc,KAAA,KAAa,YAAY,KAAA,GACzC,MAAM,IAAI,oBAAoB,yCAAyC;CAGzE,IAAI,cAAc,KAAA,GAChB,OAAO;EAAE,MAAM;EAAU,KAAK,IAAI,YAAY,CAAC,CAAC,OAAO,SAAS;CAAE;CAGpE,IAAI,YAAY,KAAA,GACd,OAAO;EAAE,MAAM;EAAQ,QAAQ,mBAAmB,IAAI,IAAI,OAAO,CAAC;CAAE;CAGtE,MAAM,IAAI,oBAAoB,yCAAyC;AACzE;AAEA,SAAS,OACP,SAC4C;CAC5C,IAAI,QAAQ,cAAc,MACxB,OAAO;EAAE,MAAM,QAAQ;EAAI,OAAO;CAAM;CAE1C,IAAI,OAAO,QAAQ,QAAQ,UACzB,OAAO;EACL,MAAM,IAAI,KAAK;GACb,kBAAkB,QAAQ;GAC1B,yBAAyB,QAAQ,aAAa,2BAA2B;GACzE,mBAAmB,QAAQ,aAAa,qBAAqB;EAC/D,CAAC;EACD,OAAO;CACT;AAGJ;AAEA,SAAS,uBACP,YAC4D;CAC5D,MAAM,QAAQ,cAAc,CAAC;CAC7B,OAAO,MAAM,MAAM,SAAS,KAAK,OAAO,0BAA0B,EAAE,IAChE,QACA,CAAC,GAAG,OAAO,yBAAyB;AAC1C;AAQA,eAA8B,SAC5B,SACgC;CAChC,MAAM,cAAc,mBAAmB,OAAO;CAC9C,MAAM,WAAW,gBAAgB,OAAO;CAExC,MAAM,QAAQ,wBAAwB;EACpC,QAAQ;EACR,SAAS;EACT,QAAQ;EACR,gBAAgB,uBAAuB,QAAQ,UAAU;CAC3D,CAAC;CAED,MAAM,UAAU,uBAAuB;EAAE;EAAU;CAAM,CAAC;CAC1D,MAAM,kBAAkB,MAAM,QAAQ;CACtC,MAAM,YAAuB,aAAa,eAAe;CAEzD,MAAM,YAAY,OAAO,OAAO;CAChC,IAAI,SAAS;CAEb,MAAM,gBAAgB,0BAA0B,KAAK;CACrD,MAAM,mBAAmB,MAAM;CAC/B,IAAI,CAAC,kBACH,MAAM,IAAI,MAAM,gDAAgD;CAElE,MAAM,SAAS,iBAAiB,OAAO,EAAE,QAAQ,EAAE,UAAU,KAAK,EAAE,CAAC;CAErE,IAAI,WACF,MAAM,OAAO,QAAQ;EAAE,MAAM;EAAU,MAAM,UAAU;CAAK,CAAC;CAG/D,MAAM,UAA4D,IAAI,oBAAoB;EACxF;EACA,SAAS,cAAc;EACvB;EACA,GAAG,UAAU,gBAAgB,QAAQ,YAAY;EACjD,GAAG,UAAU,cAAc,QAAQ,UAAU;CAC/C,CAAC;CAED,eAAe,UAAU,KAAuC;EAC9D,IAAI;GACF,IAAI,YAAY,SAAS,UACvB,OAAO,MAAM,UAAU,KAAK,YAAY,GAAG;GAE7C,OAAO,MAAM,UAAU,KAAK,YAAY,MAAM;EAChD,SAAS,KAAK;GAEZ,MAAM,IAAI,gBADK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAC9B;EAClC;CACF;CAEA,SAAS,iBAAiB,SAAsD;EAc9E,OAAO;GACL,KAd6B,IAAe;IAAE;IAAS;GAAgB,CAc5D;GACX,KAdoC,IAAI;IACxC,SAAS;KACP,QAAQ,MAAM;MACZ,OAAO,QAAQ,gBAAgB,MAAM,OAAO;KAC9C;KAGA,kBAAkB,QAAQ,gBAAgB,OAAO;IACnD;IACA;GACF,CAIa;GACX,KAAK;GACL,QACE,MACA,aAC0B;IAC1B,OAAO,QAAQ,gBAAqB,MAAM,SAAS,WAAW;GAChE;GACA,YAAe,IAA4D;IACzE,OAAO,gBAAgB,EAAE,kBAAkB,QAAQ,gBAAgB,OAAO,EAAE,GAAG,EAAE;GACnF;EACF;CACF;CAEA,eAAe,UAAyB;EACtC,IAAI,QAAQ;EACZ,SAAS;EACT,MAAM,QAAQ,MAAM;EACpB,IAAI,WAAW,OACb,MAAM,UAAU,KAAK,IAAI,CAAC,CAAC,YAAY,KAAA,CAAS;CAEpD;CAEA,OAAO;EACL;EACA;EAEA,MAAM,OAAO,KAA8C;GACzD,MAAM,EAAE,YAAY,MAAM,UAAU,GAAG;GACvC,MAAM,UAAU,QAAQ;GACxB,MAAM,UAAU,OAAO,YAAY,WAAW,UAAU;GAMxD,OAAO,iBAAiB;IADe,MAHrC,YAAY,UAAU,YAAY,mBAAmB,YAAY,iBAC7D,UACA;IACuC,QAAQ;GACvB,CAAC;EACjC;EAEA,SAAiC;GAC/B,OAAO,iBAAiB;IAAE,MAAM;IAAQ,QAAQ,CAAC;GAAE,CAAC;EACtD;EAEA,gBAAwC;GACtC,OAAO,iBAAiB;IAAE,MAAM;IAAgB,QAAQ,CAAC;GAAE,CAAC;EAC9D;EAEA,OAAO;GACN,OAAO,eAAe;CACzB;AACF;;;AChUA,IAAA,kBAAe"}

package/dist/test/utils.d.mts CHANGED Viewed

@@ -2,10 +2,9 @@ import { Client } from "pg";
 //#region test/supabase-bootstrap.d.ts
 /**
- * Seeds the database with the external Supabase schemas and tables. The
- * caller passes an already-connected `pg.Client` — this function does not
- * open or close connections, so the same client can be reused across the
- * test's other setup steps.
+ * Seeds the database with the external Supabase schemas, tables, roles, and grants.
+ * The caller passes an already-connected `pg.Client` — this function does not
+ * open or close connections.
  *
  * Creates two schemas (`auth`, `storage`) and four tables whose columns
  * exactly match the `@prisma-next/extension-supabase` contract:
@@ -15,8 +14,10 @@ import { Client } from "pg";
  * - `storage.buckets` — id text PK, name text, created_at timestamptz, updated_at timestamptz
  * - `storage.objects` — id uuid PK, bucket_id text, name text, created_at timestamptz, updated_at timestamptz
  *
- * Does NOT create Postgres roles or `auth.*` functions — those are added by
- * the `postgres-rls` constituent.
+ * Creates the three Postgres roles and grants that mirror a real Supabase database.
+ * `ALTER DEFAULT PRIVILEGES` covers tables created after the shim runs (e.g. via `dbInit`).
+ * WAL grants are guarded by a schema-existence check — a PGlite single-connection
+ * accommodation so role-bound sessions can interleave with the WAL drain query.
  */
 declare function bootstrapSupabaseShim(client: Client): Promise<void>;
 //#endregion

package/dist/test/utils.d.mts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"utils.d.mts","names":[],"sources":["../../test/supabase-bootstrap.ts"],"mappings":"~~;;;;;;;;;;;;;;;;;;;;iBAoDsB~~,qBAAA,CAAsB,MAAA,EAAQ,MAAA,GAAS,OAAO"}
1	+ {"version":3,"file":"utils.d.mts","names":[],"sources":["../../test/supabase-bootstrap.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;iBAiDsB,qBAAA,CAAsB,MAAA,EAAQ,MAAA,GAAS,OAAO"}

package/dist/test/utils.mjs CHANGED Viewed

@@ -1,9 +1,8 @@
 //#region test/supabase-bootstrap.ts
 /**
-* Seeds the database with the external Supabase schemas and tables. The
-* caller passes an already-connected `pg.Client` — this function does not
-* open or close connections, so the same client can be reused across the
-* test's other setup steps.
+* Seeds the database with the external Supabase schemas, tables, roles, and grants.
+* The caller passes an already-connected `pg.Client` — this function does not
+* open or close connections.
 *
 * Creates two schemas (`auth`, `storage`) and four tables whose columns
 * exactly match the `@prisma-next/extension-supabase` contract:
@@ -13,8 +12,10 @@
 * - `storage.buckets` — id text PK, name text, created_at timestamptz, updated_at timestamptz
 * - `storage.objects` — id uuid PK, bucket_id text, name text, created_at timestamptz, updated_at timestamptz
 *
-* Does NOT create Postgres roles or `auth.*` functions — those are added by
-* the `postgres-rls` constituent.
+* Creates the three Postgres roles and grants that mirror a real Supabase database.
+* `ALTER DEFAULT PRIVILEGES` covers tables created after the shim runs (e.g. via `dbInit`).
+* WAL grants are guarded by a schema-existence check — a PGlite single-connection
+* accommodation so role-bound sessions can interleave with the WAL drain query.
 */
 async function bootstrapSupabaseShim(client) {
 	await client.query("CREATE SCHEMA IF NOT EXISTS auth");
@@ -57,6 +58,18 @@ async function bootstrapSupabaseShim(client) {
       PRIMARY KEY (id)
     )
   `);
+	await client.query("CREATE ROLE anon NOLOGIN");
+	await client.query("CREATE ROLE authenticated NOLOGIN");
+	await client.query("CREATE ROLE service_role NOLOGIN BYPASSRLS");
+	await client.query("GRANT USAGE ON SCHEMA public TO anon, authenticated, service_role");
+	await client.query("GRANT USAGE ON SCHEMA auth, storage TO anon, authenticated, service_role");
+	await client.query("GRANT ALL ON ALL TABLES IN SCHEMA auth TO service_role");
+	await client.query("GRANT ALL ON ALL TABLES IN SCHEMA storage TO service_role");
+	await client.query("GRANT SELECT ON ALL TABLES IN SCHEMA auth TO anon, authenticated");
+	await client.query("GRANT SELECT ON ALL TABLES IN SCHEMA storage TO anon, authenticated");
+	await client.query("ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO service_role");
+	await client.query("ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, UPDATE ON TABLES TO authenticated");
+	await client.query("ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO anon");
 }
 //#endregion
 export { bootstrapSupabaseShim };

package/dist/test/utils.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"utils.mjs","names":[],"sources":["../../test/supabase-bootstrap.ts"],"sourcesContent":["/*\n Shared Supabase test fixture — seeds the external schemas and ~~tables~~.\n \n Seeds a Postgres/PGlite database with the external Supabase schemas and\n * tables that the framework verifier expects when a composed contract declares\n * `auth.` and `storage.` tables as `external`. Without these tables present,\n * `db init`/`db update` will fail at the verify step because the framework\n * confirms declared `external` tables exist.\n \n M1 scope: ~~`CREATE SCHEMA auth, storage` +~~ the ~~four~~ ~~tables\n~~ * (`~~auth.users~~`, `~~auth.identities~~`, `~~storage.buckets`,~~ `~~storage.objects`~~) ~~with~~\n * ~~columns~~ ~~matching~~ ~~the~~ ~~Supabase~~ ~~extension~~ ~~contract's~~ ~~pinned~~ ~~model~~ ~~table.\n~~ \n Future ~~increments:\n~~ * - ~~`postgres-rls`~~ ~~constituent~~ ~~adds~~ ~~Postgres roles~~ (~~`anon`,~~ `authenticated`,\n * `~~service_role`)~~ ~~and~~ ~~the~~ `~~auth.uid()`,~~ `~~auth.jwt(~~)~~`, `auth.role()` functions.\~~n * - ~~`cross-contract-refs`~~ ~~constituent~~ ~~seeds~~ ~~`auth.users`~~ ~~rows for FK tests~~.\n \n The caller owns the client lifecycle — pass any already-connected `pg.Client`\n * (e.g. one the test is sharing across setup steps, or one bound to a\n * transaction for isolation). Convenience wrapper for tests that don't already\n * have one:\n \n @example\n * ```ts\n * import { withClient } from '@prisma-next/test-utils';\n * import { bootstrapSupabaseShim } from '@prisma-next/extension-supabase/test/utils';\n \n await withClient(connectionString, async (client) => {\n * await bootstrapSupabaseShim(client);\n * });\n * ```\n /\nimport type { Client } from 'pg';\n\n/\n Seeds the database with the external Supabase schemas and ~~tables. The\~~n * caller passes an already-connected `pg.Client` — this function does not\n * open or close connections~~, so the same client can be reused across the\n * test's other setup steps~~.\n \n Creates two schemas (`auth`, `storage`) and four tables whose columns\n * exactly match the `@prisma-next/extension-supabase` contract:\n \n - `auth.users` — id uuid PK, email text, created_at timestamptz, updated_at timestamptz\n * - `auth.identities` — id uuid PK, user_id uuid, provider text, created_at timestamptz, updated_at timestamptz\n * - `storage.buckets` — id text PK, name text, created_at timestamptz, updated_at timestamptz\n * - `storage.objects` — id uuid PK, bucket_id text, name text, created_at timestamptz, updated_at timestamptz\n \n ~~Does~~ ~~NOT~~ ~~create~~ Postgres roles or `~~auth.`~~ ~~functions~~ — ~~those~~ are ~~added~~ by\n ~~the~~ ~~`postgres~~-~~rls`~~ ~~constituent~~.\n */\nexport async function bootstrapSupabaseShim(client: Client): Promise<void> {\n await client.query('CREATE SCHEMA IF NOT EXISTS auth');\n await client.query('CREATE SCHEMA IF NOT EXISTS storage');\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS auth.users (\n id uuid NOT NULL,\n email text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS auth.identities (\n id uuid NOT NULL,\n user_id uuid NOT NULL,\n provider text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS storage.buckets (\n id text NOT NULL,\n name text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS storage.objects (\n id uuid NOT NULL,\n bucket_id text NOT NULL,\n name text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n}\n"],"mappings":"~~;;;;;;;;;;;;;;;;;;AAoDA~~,eAAsB,sBAAsB,QAA+B;CACzE,MAAM,OAAO,MAAM,kCAAkC;CACrD,MAAM,OAAO,MAAM,qCAAqC;CAExD,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;CAED,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;~~AACH~~"}
1	+ {"version":3,"file":"utils.mjs","names":[],"sources":["../../test/supabase-bootstrap.ts"],"sourcesContent":["/*\n Shared Supabase test fixture — seeds the external schemas, tables, roles, and grants.\n \n Seeds a Postgres/PGlite database with the external Supabase schemas and\n * tables that the framework verifier expects when a composed contract declares\n * `auth.` and `storage.` tables as `external`. Without these tables present,\n * `db init`/`db update` will fail at the verify step because the framework\n * confirms declared `external` tables exist.\n \n Also creates the three Postgres roles (`anon`, `authenticated`, `service_role`)\n * with grants that mirror a real Supabase database. `ALTER DEFAULT PRIVILEGES`\n * ensures tables created after the shim runs (e.g. `public.profile` via `dbInit`)\n * are automatically accessible to the roles.\n \n The caller owns the client lifecycle — pass any already-connected `pg.Client`\n * (e.g. one the test is sharing across setup steps, or one bound to a\n * transaction for isolation). Convenience wrapper for tests that don't already\n * have one:\n \n @example\n * ```ts\n * import { withClient } from '@prisma-next/test-utils';\n * import { bootstrapSupabaseShim } from '@prisma-next/extension-supabase/test/utils';\n \n await withClient(connectionString, async (client) => {\n * await bootstrapSupabaseShim(client);\n * });\n * ```\n /\nimport type { Client } from 'pg';\n\n/\n Seeds the database with the external Supabase schemas, tables, roles, and grants.\n * The caller passes an already-connected `pg.Client` — this function does not\n * open or close connections.\n \n Creates two schemas (`auth`, `storage`) and four tables whose columns\n * exactly match the `@prisma-next/extension-supabase` contract:\n \n - `auth.users` — id uuid PK, email text, created_at timestamptz, updated_at timestamptz\n * - `auth.identities` — id uuid PK, user_id uuid, provider text, created_at timestamptz, updated_at timestamptz\n * - `storage.buckets` — id text PK, name text, created_at timestamptz, updated_at timestamptz\n * - `storage.objects` — id uuid PK, bucket_id text, name text, created_at timestamptz, updated_at timestamptz\n \n Creates the three Postgres roles and grants that mirror a real Supabase database.\n * `ALTER DEFAULT PRIVILEGES` covers tables created after the shim runs (e.g. via `dbInit`).\n * WAL grants are guarded by a schema-existence check — a PGlite single-connection\n * accommodation so role-bound sessions can interleave with the WAL drain query.\n */\nexport async function bootstrapSupabaseShim(client: Client): Promise<void> {\n await client.query('CREATE SCHEMA IF NOT EXISTS auth');\n await client.query('CREATE SCHEMA IF NOT EXISTS storage');\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS auth.users (\n id uuid NOT NULL,\n email text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS auth.identities (\n id uuid NOT NULL,\n user_id uuid NOT NULL,\n provider text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS storage.buckets (\n id text NOT NULL,\n name text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS storage.objects (\n id uuid NOT NULL,\n bucket_id text NOT NULL,\n name text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n // Roles + grants mirror a real Supabase database; WAL grants are a\n // PGlite-single-connection test accommodation.\n await client.query('CREATE ROLE anon NOLOGIN');\n await client.query('CREATE ROLE authenticated NOLOGIN');\n await client.query('CREATE ROLE service_role NOLOGIN BYPASSRLS');\n await client.query('GRANT USAGE ON SCHEMA public TO anon, authenticated, service_role');\n await client.query('GRANT USAGE ON SCHEMA auth, storage TO anon, authenticated, service_role');\n await client.query('GRANT ALL ON ALL TABLES IN SCHEMA auth TO service_role');\n await client.query('GRANT ALL ON ALL TABLES IN SCHEMA storage TO service_role');\n await client.query('GRANT SELECT ON ALL TABLES IN SCHEMA auth TO anon, authenticated');\n await client.query('GRANT SELECT ON ALL TABLES IN SCHEMA storage TO anon, authenticated');\n\n // Default privileges cover tables created after this shim runs (e.g. public.profile via dbInit).\n await client.query(\n 'ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO service_role',\n );\n await client.query(\n 'ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, UPDATE ON TABLES TO authenticated',\n );\n await client.query('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO anon');\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAiDA,eAAsB,sBAAsB,QAA+B;CACzE,MAAM,OAAO,MAAM,kCAAkC;CACrD,MAAM,OAAO,MAAM,qCAAqC;CAExD,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;CAED,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;CAID,MAAM,OAAO,MAAM,0BAA0B;CAC7C,MAAM,OAAO,MAAM,mCAAmC;CACtD,MAAM,OAAO,MAAM,4CAA4C;CAC/D,MAAM,OAAO,MAAM,mEAAmE;CACtF,MAAM,OAAO,MAAM,0EAA0E;CAC7F,MAAM,OAAO,MAAM,wDAAwD;CAC3E,MAAM,OAAO,MAAM,2DAA2D;CAC9E,MAAM,OAAO,MAAM,kEAAkE;CACrF,MAAM,OAAO,MAAM,qEAAqE;CAGxF,MAAM,OAAO,MACX,+EACF;CACA,MAAM,OAAO,MACX,2FACF;CACA,MAAM,OAAO,MAAM,0EAA0E;AAC/F"}

package/package.json CHANGED Viewed

@@ -1,44 +1,47 @@
 {
   "name": "@prisma-next/extension-supabase",
-  "version": "0.13.0-dev.12",
+  "version": "0.13.0-dev.14",
   "license": "Apache-2.0",
   "type": "module",
   "sideEffects": false,
   "dependencies": {
-    "@prisma-next/contract": "0.13.0-dev.12",
-    "@prisma-next/contract-authoring": "0.13.0-dev.12",
-    "@prisma-next/family-sql": "0.13.0-dev.12",
-    "@prisma-next/framework-components": "0.13.0-dev.12",
-    "@prisma-next/migration-tools": "0.13.0-dev.12",
-    "@prisma-next/sql-contract": "0.13.0-dev.12",
-    "@prisma-next/sql-contract-ts": "0.13.0-dev.12",
-    "@prisma-next/sql-operations": "0.13.0-dev.12",
-    "@prisma-next/sql-relational-core": "0.13.0-dev.12",
-    "@prisma-next/sql-runtime": "0.13.0-dev.12",
-    "@prisma-next/sql-schema-ir": "0.13.0-dev.12",
-    "@prisma-next/utils": "0.13.0-dev.12",
+    "@prisma-next/adapter-postgres": "0.13.0-dev.14",
+    "@prisma-next/contract": "0.13.0-dev.14",
+    "@prisma-next/driver-postgres": "0.13.0-dev.14",
+    "@prisma-next/postgres": "0.13.0-dev.14",
+    "@prisma-next/sql-builder": "0.13.0-dev.14",
+    "@prisma-next/sql-orm-client": "0.13.0-dev.14",
+    "@prisma-next/target-postgres": "0.13.0-dev.14",
+    "jose": "^5",
+    "pg": "8.21.0",
+    "@prisma-next/contract-authoring": "0.13.0-dev.14",
+    "@prisma-next/family-sql": "0.13.0-dev.14",
+    "@prisma-next/framework-components": "0.13.0-dev.14",
+    "@prisma-next/migration-tools": "0.13.0-dev.14",
+    "@prisma-next/sql-contract": "0.13.0-dev.14",
+    "@prisma-next/sql-contract-ts": "0.13.0-dev.14",
+    "@prisma-next/sql-operations": "0.13.0-dev.14",
+    "@prisma-next/sql-relational-core": "0.13.0-dev.14",
+    "@prisma-next/sql-runtime": "0.13.0-dev.14",
+    "@prisma-next/sql-schema-ir": "0.13.0-dev.14",
+    "@prisma-next/utils": "0.13.0-dev.14",
     "@standard-schema/spec": "^1.1.0",
     "arktype": "^2.2.0"
   },
   "devDependencies": {
-    "@prisma-next/adapter-postgres": "0.13.0-dev.12",
-    "@prisma-next/cli": "0.13.0-dev.12",
-    "@prisma-next/driver-postgres": "0.13.0-dev.12",
-    "@prisma-next/operations": "0.13.0-dev.12",
-    "@prisma-next/postgres": "0.13.0-dev.12",
-    "@prisma-next/sql-contract-psl": "0.13.0-dev.12",
-    "@prisma-next/target-postgres": "0.13.0-dev.12",
-    "@prisma-next/test-utils": "0.13.0-dev.12",
-    "@prisma-next/tsconfig": "0.13.0-dev.12",
-    "@prisma-next/tsdown": "0.13.0-dev.12",
+    "@prisma-next/cli": "0.13.0-dev.14",
+    "@prisma-next/operations": "0.13.0-dev.14",
+    "@prisma-next/sql-contract-psl": "0.13.0-dev.14",
+    "@prisma-next/test-utils": "0.13.0-dev.14",
+    "@prisma-next/tsconfig": "0.13.0-dev.14",
+    "@prisma-next/tsdown": "0.13.0-dev.14",
     "@types/pg": "8.20.0",
-    "pg": "8.21.0",
     "tsdown": "0.22.1",
     "typescript": "5.9.3",
     "vitest": "4.1.8"
   },
   "peerDependencies": {
-    "@prisma-next/adapter-postgres": "0.13.0-dev.12",
+    "@prisma-next/adapter-postgres": "0.13.0-dev.14",
     "typescript": ">=5.9"
   },
   "peerDependenciesMeta": {

package/src/exports/runtime.ts CHANGED Viewed

@@ -1,31 +1,19 @@
-/**
- * Minimal M1 runtime descriptor for the Supabase extension.
- *
- * The Supabase pack contributes no runtime codec types or query operations in
- * M1 — `auth.*`/`storage.*` are external tables accessed via the stock
- * postgres runtime, not through a custom codec or operation surface. This
- * descriptor exists so the postgres runtime's contract-requirements check
- * (which verifies every `extensionPacks` entry in the emitted `contract.json`
- * has a matching runtime component) passes.
- *
- * TODO(M2): Replace with the real SupabaseRuntime that adds
- *   `asUser()`/`asAnon()` role-binding and the Supabase auth surface.
- */
-import type { SqlRuntimeExtensionDescriptor } from '@prisma-next/sql-runtime';
-const supabaseRuntimeDescriptor: SqlRuntimeExtensionDescriptor<'postgres'> = {
-  kind: 'extension' as const,
-  id: 'supabase',
-  version: '0.12.0',
-  familyId: 'sql' as const,
-  targetId: 'postgres' as const,
-  codecs: () => [],
-  create() {
-    return {
-      familyId: 'sql' as const,
-      targetId: 'postgres' as const,
-    };
-  },
-};
+import { supabaseRuntimeDescriptor } from '../runtime/descriptor';
 export default supabaseRuntimeDescriptor;
+export type {
+  RoleBoundDb,
+  SupabaseDb,
+  SupabaseOptions,
+  SupabaseOptionsWithContract,
+  SupabaseOptionsWithContractJson,
+  SupabaseTargetId,
+} from '../runtime/supabase';
+export { default as supabase, InvalidJwtError, SupabaseConfigError } from '../runtime/supabase';
+export type {
+  RoleSession,
+  SupabaseRoleBinding,
+  SupabaseRuntime,
+} from '../runtime/supabase-runtime';
+export { SupabaseRuntimeImpl } from '../runtime/supabase-runtime';

package/src/runtime/descriptor.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import type { SqlRuntimeExtensionDescriptor } from '@prisma-next/sql-runtime';
+import packageJson from '../../package.json' with { type: 'json' };
+/**
+ * Tells the runtime that the Supabase pack's runtime component is available.
+ *
+ * When a contract declares the Supabase pack, the runtime checks that a
+ * matching descriptor has been registered. Without this, loading a Supabase
+ * contract errors with "pack runtime component missing". The `supabase()`
+ * factory registers this descriptor automatically — app code never needs to
+ * reference it directly.
+ */
+export const supabaseRuntimeDescriptor: SqlRuntimeExtensionDescriptor<'postgres'> = {
+  kind: 'extension' as const,
+  id: 'supabase',
+  version: packageJson.version,
+  familyId: 'sql' as const,
+  targetId: 'postgres' as const,
+  codecs: () => [],
+  create() {
+    return {
+      familyId: 'sql' as const,
+      targetId: 'postgres' as const,
+    };
+  },
+};

package/src/runtime/supabase-runtime.ts ADDED Viewed

@@ -0,0 +1,171 @@
+import type { Contract } from '@prisma-next/contract/types';
+import type { RuntimeExecuteOptions } from '@prisma-next/framework-components/runtime';
+import { AsyncIterableResult } from '@prisma-next/framework-components/runtime';
+import { type PostgresRuntime, PostgresRuntimeImpl } from '@prisma-next/postgres/runtime';
+import type { SqlStorage } from '@prisma-next/sql-contract/types';
+import type { SqlExecutionPlan, SqlQueryPlan } from '@prisma-next/sql-relational-core/plan';
+import type {
+  PreparedStatement,
+  PreparedStatementImpl,
+  RuntimeConnection,
+  RuntimeTransaction,
+} from '@prisma-next/sql-runtime';
+import { blindCast } from '@prisma-next/utils/casts';
+export interface SupabaseRuntime extends PostgresRuntime {}
+export interface SupabaseRoleBinding {
+  // TODO(TML-2501): role names move to the Supabase extension contract (roles as first-class IR) when postgres-rls lands.
+  readonly role: 'anon' | 'authenticated' | 'service_role';
+  readonly claims?: Record<string, unknown>;
+}
+/**
+ * A connection with a Supabase role already bound via session-scoped set_config.
+ * Implements `RuntimeConnection` so it plugs into ORM scope machinery and `withTransaction`.
+ */
+export interface RoleSession extends RuntimeConnection {}
+export class SupabaseRuntimeImpl<
+  TContract extends Contract<SqlStorage> = Contract<SqlStorage>,
+> extends PostgresRuntimeImpl<TContract> {
+  /**
+   * Opens a raw connection and applies role + JWT claims via session-scoped set_config.
+   * On bind failure, destroys the connection before rethrowing — no leaked connections.
+   * Not on the `SupabaseRuntime` interface; consumed by the facade, not by app code.
+   */
+  async openRoleSession(binding: SupabaseRoleBinding): Promise<RoleSession> {
+    const conn = await this.acquireRawConnection();
+    try {
+      await conn.query('SELECT set_config($1, $2, false)', ['role', binding.role]);
+      await conn.query('SELECT set_config($1, $2, false)', [
+        'request.jwt.claims',
+        JSON.stringify(binding.claims ?? {}),
+      ]);
+    } catch (err) {
+      await conn.destroy(err).catch(() => undefined);
+      throw err;
+    }
+    const self = this;
+    const session: RoleSession = {
+      execute<Row>(
+        plan: (SqlExecutionPlan<unknown> | SqlQueryPlan<unknown>) & { readonly _row?: Row },
+        options?: RuntimeExecuteOptions,
+      ): AsyncIterableResult<Row> {
+        return self.executeAgainstQueryable<Row>(plan, conn, { ...options, scope: 'connection' });
+      },
+      executePrepared<Params, Row>(
+        ps: PreparedStatement<Params, Row>,
+        params: Params,
+        options?: RuntimeExecuteOptions,
+      ): AsyncIterableResult<Row> {
+        return self.executePreparedAgainstQueryable(
+          blindCast<
+            PreparedStatementImpl<Params, Row>,
+            'PreparedStatement is PreparedStatementImpl; the impl class is the only concrete form'
+          >(ps),
+          blindCast<
+            Record<string, unknown>,
+            'params are structurally Record<string, unknown> at runtime'
+          >(params),
+          conn,
+          { ...options, scope: 'connection' },
+        );
+      },
+      async transaction(): Promise<RuntimeTransaction> {
+        const tx = await conn.beginTransaction();
+        return {
+          async commit(): Promise<void> {
+            await tx.commit();
+          },
+          async rollback(): Promise<void> {
+            await tx.rollback();
+          },
+          execute<Row>(
+            plan: (SqlExecutionPlan<unknown> | SqlQueryPlan<unknown>) & { readonly _row?: Row },
+            options?: RuntimeExecuteOptions,
+          ): AsyncIterableResult<Row> {
+            return self.executeAgainstQueryable<Row>(plan, tx, {
+              ...options,
+              scope: 'transaction',
+            });
+          },
+          executePrepared<Params, Row>(
+            ps: PreparedStatement<Params, Row>,
+            params: Params,
+            options?: RuntimeExecuteOptions,
+          ): AsyncIterableResult<Row> {
+            return self.executePreparedAgainstQueryable(
+              blindCast<
+                PreparedStatementImpl<Params, Row>,
+                'PreparedStatement is PreparedStatementImpl; the impl class is the only concrete form'
+              >(ps),
+              blindCast<
+                Record<string, unknown>,
+                'params are structurally Record<string, unknown> at runtime'
+              >(params),
+              tx,
+              { ...options, scope: 'transaction' },
+            );
+          },
+        };
+      },
+      /**
+       * Resets all session-local config then releases the connection back to the pool.
+       * If RESET ALL fails, destroys the connection instead — pool-poisoning guarantee.
+       */
+      async release(): Promise<void> {
+        try {
+          await conn.query('RESET ALL');
+          await conn.release();
+        } catch (resetError) {
+          await conn.destroy(resetError).catch(() => undefined);
+        }
+      },
+      async destroy(reason?: unknown): Promise<void> {
+        await conn.destroy(reason);
+      },
+    };
+    return session;
+  }
+  /**
+   * Opens a role session, executes the plan, then releases after the stream drains.
+   * On mid-stream error, destroys the session instead of releasing.
+   */
+  executeWithRole<Row>(
+    plan: SqlExecutionPlan<Row> | SqlQueryPlan<Row>,
+    binding: SupabaseRoleBinding,
+    options?: RuntimeExecuteOptions,
+  ): AsyncIterableResult<Row> {
+    const self = this;
+    const generator = async function* (): AsyncGenerator<Row, void, unknown> {
+      const session = await self.openRoleSession(binding);
+      let errored = false;
+      try {
+        for await (const row of session.execute(plan, options)) {
+          yield row;
+        }
+      } catch (err) {
+        errored = true;
+        await session.destroy(err).catch(() => undefined);
+        throw err;
+      } finally {
+        if (!errored) {
+          await session.release();
+        }
+      }
+    };
+    return new AsyncIterableResult(generator());
+  }
+}

package/src/runtime/supabase.ts ADDED Viewed

@@ -0,0 +1,323 @@
+import postgresAdapter from '@prisma-next/adapter-postgres/runtime';
+import type { Contract } from '@prisma-next/contract/types';
+import postgresDriver from '@prisma-next/driver-postgres/runtime';
+import { instantiateExecutionStack } from '@prisma-next/framework-components/execution';
+import type {
+  AsyncIterableResult,
+  RuntimeExecuteOptions,
+} from '@prisma-next/framework-components/runtime';
+import { sql } from '@prisma-next/sql-builder/runtime';
+import type { Db } from '@prisma-next/sql-builder/types';
+import type { SqlStorage } from '@prisma-next/sql-contract/types';
+import { orm } from '@prisma-next/sql-orm-client';
+import type { RawSqlTag } from '@prisma-next/sql-relational-core/expression';
+import { createRawSql } from '@prisma-next/sql-relational-core/expression';
+import type { SqlExecutionPlan, SqlQueryPlan } from '@prisma-next/sql-relational-core/plan';
+import type {
+  ExecutionContext,
+  SqlExecutionStackWithDriver,
+  SqlMiddleware,
+  SqlRuntimeExtensionDescriptor,
+  TransactionContext,
+  VerifyMarkerOption,
+} from '@prisma-next/sql-runtime';
+import {
+  createExecutionContext,
+  createSqlExecutionStack,
+  withTransaction,
+} from '@prisma-next/sql-runtime';
+import postgresTarget, { PostgresContractSerializer } from '@prisma-next/target-postgres/runtime';
+import { blindCast } from '@prisma-next/utils/casts';
+import { ifDefined } from '@prisma-next/utils/defined';
+import { createRemoteJWKSet, type JWTVerifyResult, jwtVerify } from 'jose';
+import type { Client } from 'pg';
+import { Pool } from 'pg';
+import { supabaseRuntimeDescriptor } from './descriptor';
+import type { SupabaseRoleBinding, SupabaseRuntime } from './supabase-runtime';
+import { SupabaseRuntimeImpl } from './supabase-runtime';
+export type SupabaseTargetId = 'postgres';
+type OrmClient<TContract extends Contract<SqlStorage>> = ReturnType<typeof orm<TContract>>;
+export class SupabaseConfigError extends Error {
+  override readonly name = 'SupabaseConfigError';
+  constructor(message: string) {
+    super(message);
+  }
+}
+export class InvalidJwtError extends Error {
+  override readonly name = 'InvalidJwtError';
+  readonly reason: string;
+  constructor(reason: string) {
+    super(`Invalid JWT: ${reason}`);
+    this.reason = reason;
+  }
+}
+type KeyMaterial =
+  | { readonly kind: 'secret'; readonly key: Uint8Array }
+  | { readonly kind: 'jwks'; readonly keyset: ReturnType<typeof createRemoteJWKSet> };
+export interface RoleBoundDb<TContract extends Contract<SqlStorage>> {
+  readonly sql: Db<TContract>;
+  readonly orm: OrmClient<TContract>;
+  readonly raw: RawSqlTag;
+  execute<Row>(
+    plan: (SqlExecutionPlan<Row> | SqlQueryPlan<Row>) & { readonly _row?: Row },
+    options?: RuntimeExecuteOptions,
+  ): AsyncIterableResult<Row>;
+  transaction<R>(fn: (tx: TransactionContext) => PromiseLike<R>): Promise<R>;
+}
+export interface SupabaseDb<TContract extends Contract<SqlStorage>> {
+  readonly context: ExecutionContext<TContract>;
+  readonly stack: SqlExecutionStackWithDriver<SupabaseTargetId>;
+  asUser(jwt: string): Promise<RoleBoundDb<TContract>>;
+  asAnon(): RoleBoundDb<TContract>;
+  asServiceRole(): RoleBoundDb<TContract>;
+  close(): Promise<void>;
+  [Symbol.asyncDispose](): Promise<void>;
+}
+export interface SupabaseOptionsBase {
+  readonly extensions?: readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[];
+  readonly middleware?: readonly SqlMiddleware[];
+  readonly verifyMarker?: VerifyMarkerOption;
+  readonly poolOptions?: {
+    readonly connectionTimeoutMillis?: number;
+    readonly idleTimeoutMillis?: number;
+  };
+}
+export interface SupabaseBindingOptions {
+  readonly url?: string;
+  readonly pg?: Pool | Client;
+}
+type JwtSecretOption = {
+  readonly jwtSecret: string;
+  readonly jwksUrl?: never;
+};
+type JwksUrlOption = {
+  readonly jwksUrl: string;
+  readonly jwtSecret?: never;
+};
+export type SupabaseOptionsWithContract<TContract extends Contract<SqlStorage>> =
+  SupabaseBindingOptions &
+    SupabaseOptionsBase &
+    (JwtSecretOption | JwksUrlOption) & {
+      readonly contract: TContract;
+      readonly contractJson?: never;
+    };
+export type SupabaseOptionsWithContractJson<TContract extends Contract<SqlStorage>> =
+  SupabaseBindingOptions &
+    SupabaseOptionsBase &
+    (JwtSecretOption | JwksUrlOption) & {
+      readonly contractJson: unknown;
+      readonly contract?: never;
+      readonly _contract?: TContract;
+    };
+export type SupabaseOptions<TContract extends Contract<SqlStorage>> =
+  | SupabaseOptionsWithContract<TContract>
+  | SupabaseOptionsWithContractJson<TContract>;
+function hasContractJson<TContract extends Contract<SqlStorage>>(
+  options: SupabaseOptions<TContract>,
+): options is SupabaseOptionsWithContractJson<TContract> {
+  return 'contractJson' in options;
+}
+const contractSerializer = new PostgresContractSerializer();
+function resolveContract<TContract extends Contract<SqlStorage>>(
+  options: SupabaseOptions<TContract>,
+): TContract {
+  const contractInput = hasContractJson(options) ? options.contractJson : options.contract;
+  return blindCast<
+    TContract,
+    'contractSerializer.deserializeContract returns a validated TContract'
+  >(contractSerializer.deserializeContract(contractInput));
+}
+function resolveKeyMaterial<TContract extends Contract<SqlStorage>>(
+  options: SupabaseOptions<TContract>,
+): KeyMaterial {
+  const jwtSecret = 'jwtSecret' in options ? options.jwtSecret : undefined;
+  const jwksUrl = 'jwksUrl' in options ? options.jwksUrl : undefined;
+  if (jwtSecret !== undefined && jwksUrl !== undefined) {
+    throw new SupabaseConfigError('Provide either jwtSecret or jwksUrl, not both');
+  }
+  if (jwtSecret === undefined && jwksUrl === undefined) {
+    throw new SupabaseConfigError('Either jwtSecret or jwksUrl is required');
+  }
+  if (jwtSecret !== undefined) {
+    return { kind: 'secret', key: new TextEncoder().encode(jwtSecret) };
+  }
+  if (jwksUrl !== undefined) {
+    return { kind: 'jwks', keyset: createRemoteJWKSet(new URL(jwksUrl)) };
+  }
+  throw new SupabaseConfigError('Either jwtSecret or jwksUrl is required');
+}
+function toPool<TContract extends Contract<SqlStorage>>(
+  options: SupabaseOptions<TContract>,
+): { pool: Pool; owned: boolean } | undefined {
+  if (options.pg instanceof Pool) {
+    return { pool: options.pg, owned: false };
+  }
+  if (typeof options.url === 'string') {
+    return {
+      pool: new Pool({
+        connectionString: options.url,
+        connectionTimeoutMillis: options.poolOptions?.connectionTimeoutMillis ?? 20_000,
+        idleTimeoutMillis: options.poolOptions?.idleTimeoutMillis ?? 30_000,
+      }),
+      owned: true,
+    };
+  }
+  return undefined;
+}
+function withSupabaseDescriptor(
+  extensions: readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[] | undefined,
+): readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[] {
+  const packs = extensions ?? [];
+  return packs.some((pack) => pack.id === supabaseRuntimeDescriptor.id)
+    ? packs
+    : [...packs, supabaseRuntimeDescriptor];
+}
+export default async function supabase<TContract extends Contract<SqlStorage>>(
+  options: SupabaseOptionsWithContract<TContract>,
+): Promise<SupabaseDb<TContract>>;
+export default async function supabase<TContract extends Contract<SqlStorage>>(
+  options: SupabaseOptionsWithContractJson<TContract>,
+): Promise<SupabaseDb<TContract>>;
+export default async function supabase<TContract extends Contract<SqlStorage>>(
+  options: SupabaseOptions<TContract>,
+): Promise<SupabaseDb<TContract>> {
+  const keyMaterial = resolveKeyMaterial(options);
+  const contract = resolveContract(options);
+  const stack = createSqlExecutionStack({
+    target: postgresTarget,
+    adapter: postgresAdapter,
+    driver: postgresDriver,
+    extensionPacks: withSupabaseDescriptor(options.extensions),
+  });
+  const context = createExecutionContext({ contract, stack });
+  const rawCodecInferer = stack.adapter.rawCodecInferer;
+  const rawSqlTag: RawSqlTag = createRawSql(rawCodecInferer);
+  const poolEntry = toPool(options);
+  let closed = false;
+  const stackInstance = instantiateExecutionStack(stack);
+  const driverDescriptor = stack.driver;
+  if (!driverDescriptor) {
+    throw new Error('Driver descriptor missing from execution stack');
+  }
+  const driver = driverDescriptor.create({ cursor: { disabled: true } });
+  if (poolEntry) {
+    await driver.connect({ kind: 'pgPool', pool: poolEntry.pool });
+  }
+  const runtime: SupabaseRuntime & SupabaseRuntimeImpl<TContract> = new SupabaseRuntimeImpl({
+    context,
+    adapter: stackInstance.adapter,
+    driver,
+    ...ifDefined('verifyMarker', options.verifyMarker),
+    ...ifDefined('middleware', options.middleware),
+  });
+  async function verifyJwt(jwt: string): Promise<JWTVerifyResult> {
+    try {
+      if (keyMaterial.kind === 'secret') {
+        return await jwtVerify(jwt, keyMaterial.key);
+      }
+      return await jwtVerify(jwt, keyMaterial.keyset);
+    } catch (err) {
+      const reason = err instanceof Error ? err.message : String(err);
+      throw new InvalidJwtError(reason);
+    }
+  }
+  function buildRoleBoundDb(binding: SupabaseRoleBinding): RoleBoundDb<TContract> {
+    const roleSql: Db<TContract> = sql<TContract>({ context, rawCodecInferer });
+    const roleOrm: OrmClient<TContract> = orm({
+      runtime: {
+        execute(plan) {
+          return runtime.executeWithRole(plan, binding);
+        },
+        // connection() returns a role session; this is the enforcement path for ORM scope
+        // operations (mutations, includes) — every statement runs role-bound.
+        connection: () => runtime.openRoleSession(binding),
+      },
+      context,
+    });
+    return {
+      sql: roleSql,
+      orm: roleOrm,
+      raw: rawSqlTag,
+      execute<Row>(
+        plan: (SqlExecutionPlan<Row> | SqlQueryPlan<Row>) & { readonly _row?: Row },
+        execOptions?: RuntimeExecuteOptions,
+      ): AsyncIterableResult<Row> {
+        return runtime.executeWithRole<Row>(plan, binding, execOptions);
+      },
+      transaction<R>(fn: (tx: TransactionContext) => PromiseLike<R>): Promise<R> {
+        return withTransaction({ connection: () => runtime.openRoleSession(binding) }, fn);
+      },
+    };
+  }
+  async function closeDb(): Promise<void> {
+    if (closed) return;
+    closed = true;
+    await runtime.close();
+    if (poolEntry?.owned) {
+      await poolEntry.pool.end().catch(() => undefined);
+    }
+  }
+  return {
+    context,
+    stack,
+    async asUser(jwt: string): Promise<RoleBoundDb<TContract>> {
+      const { payload } = await verifyJwt(jwt);
+      const rawRole = payload['role'];
+      const roleStr = typeof rawRole === 'string' ? rawRole : 'authenticated';
+      const role: SupabaseRoleBinding['role'] =
+        roleStr === 'anon' || roleStr === 'authenticated' || roleStr === 'service_role'
+          ? roleStr
+          : 'authenticated';
+      const binding: SupabaseRoleBinding = { role, claims: payload };
+      return buildRoleBoundDb(binding);
+    },
+    asAnon(): RoleBoundDb<TContract> {
+      return buildRoleBoundDb({ role: 'anon', claims: {} });
+    },
+    asServiceRole(): RoleBoundDb<TContract> {
+      return buildRoleBoundDb({ role: 'service_role', claims: {} });
+    },
+    close: closeDb,
+    [Symbol.asyncDispose]: closeDb,
+  };
+}