@prisma-next/extension-supabase 0.13.0-dev.2 → 0.13.0-dev.21

package/dist/test/utils.mjs

@@ -1,9 +1,8 @@
 //#region test/supabase-bootstrap.ts
 /**
-* Seeds the database with the external Supabase schemas and tables. The
-* caller passes an already-connected `pg.Client` — this function does not
-* open or close connections, so the same client can be reused across the
-* test's other setup steps.
+* Seeds the database with the external Supabase schemas, tables, roles, and grants.
+* The caller passes an already-connected `pg.Client` — this function does not
+* open or close connections.
 *
 * Creates two schemas (`auth`, `storage`) and four tables whose columns
 * exactly match the `@prisma-next/extension-supabase` contract:
@@ -13,8 +12,10 @@
 * - `storage.buckets` — id text PK, name text, created_at timestamptz, updated_at timestamptz
 * - `storage.objects` — id uuid PK, bucket_id text, name text, created_at timestamptz, updated_at timestamptz
 *
-* Does NOT create Postgres roles or `auth.*` functions — those are added by
-* the `postgres-rls` constituent.
+* Creates the three Postgres roles and grants that mirror a real Supabase database.
+* `ALTER DEFAULT PRIVILEGES` covers tables created after the shim runs (e.g. via `dbInit`).
+* WAL grants are guarded by a schema-existence check — a PGlite single-connection
+* accommodation so role-bound sessions can interleave with the WAL drain query.
 */
 async function bootstrapSupabaseShim(client) {
 	await client.query("CREATE SCHEMA IF NOT EXISTS auth");
@@ -57,6 +58,18 @@ async function bootstrapSupabaseShim(client) {
       PRIMARY KEY (id)
     )
   `);
+	await client.query("CREATE ROLE anon NOLOGIN");
+	await client.query("CREATE ROLE authenticated NOLOGIN");
+	await client.query("CREATE ROLE service_role NOLOGIN BYPASSRLS");
+	await client.query("GRANT USAGE ON SCHEMA public TO anon, authenticated, service_role");
+	await client.query("GRANT USAGE ON SCHEMA auth, storage TO anon, authenticated, service_role");
+	await client.query("GRANT ALL ON ALL TABLES IN SCHEMA auth TO service_role");
+	await client.query("GRANT ALL ON ALL TABLES IN SCHEMA storage TO service_role");
+	await client.query("GRANT SELECT ON ALL TABLES IN SCHEMA auth TO anon, authenticated");
+	await client.query("GRANT SELECT ON ALL TABLES IN SCHEMA storage TO anon, authenticated");
+	await client.query("ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO service_role");
+	await client.query("ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, UPDATE ON TABLES TO authenticated");
+	await client.query("ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO anon");
 }
 //#endregion
 export { bootstrapSupabaseShim };

package/dist/test/utils.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"utils.mjs","names":[],"sources":["../../test/supabase-bootstrap.ts"],"sourcesContent":["/**\n * Shared Supabase test fixture — seeds the external schemas and tables.\n *\n * Seeds a Postgres/PGlite database with the external Supabase schemas and\n * tables that the framework verifier expects when a composed contract declares\n * `auth.*` and `storage.*` tables as `external`. Without these tables present,\n * `db init`/`db update` will fail at the verify step because the framework\n * confirms declared `external` tables exist.\n *\n * **M1 scope:** `CREATE SCHEMA auth, storage` + the four tables\n * (`auth.users`, `auth.identities`, `storage.buckets`, `storage.objects`) with\n * columns matching the Supabase extension contract's pinned model table.\n *\n * **Future increments:**\n * - `postgres-rls` constituent adds Postgres roles (`anon`, `authenticated`,\n *   `service_role`) and the `auth.uid()`, `auth.jwt()`, `auth.role()` functions.\n * - `cross-contract-refs` constituent seeds `auth.users` rows for FK tests.\n *\n * The caller owns the client lifecycle — pass any already-connected `pg.Client`\n * (e.g. one the test is sharing across setup steps, or one bound to a\n * transaction for isolation). Convenience wrapper for tests that don't already\n * have one:\n *\n * @example\n * ```ts\n * import { withClient } from '@prisma-next/test-utils';\n * import { bootstrapSupabaseShim } from '@prisma-next/extension-supabase/test/utils';\n *\n * await withClient(connectionString, async (client) => {\n *   await bootstrapSupabaseShim(client);\n * });\n * ```\n */\nimport type { Client } from 'pg';\n\n/**\n * Seeds the database with the external Supabase schemas and tables. The\n * caller passes an already-connected `pg.Client` — this function does not\n * open or close connections, so the same client can be reused across the\n * test's other setup steps.\n *\n * Creates two schemas (`auth`, `storage`) and four tables whose columns\n * exactly match the `@prisma-next/extension-supabase` contract:\n *\n * - `auth.users` — id uuid PK, email text, created_at timestamptz, updated_at timestamptz\n * - `auth.identities` — id uuid PK, user_id uuid, provider text, created_at timestamptz, updated_at timestamptz\n * - `storage.buckets` — id text PK, name text, created_at timestamptz, updated_at timestamptz\n * - `storage.objects` — id uuid PK, bucket_id text, name text, created_at timestamptz, updated_at timestamptz\n *\n * Does NOT create Postgres roles or `auth.*` functions — those are added by\n * the `postgres-rls` constituent.\n */\nexport async function bootstrapSupabaseShim(client: Client): Promise<void> {\n  await client.query('CREATE SCHEMA IF NOT EXISTS auth');\n  await client.query('CREATE SCHEMA IF NOT EXISTS storage');\n\n  await client.query(`\n    CREATE TABLE IF NOT EXISTS auth.users (\n      id          uuid        NOT NULL,\n      email       text        NOT NULL,\n      created_at  timestamptz NOT NULL,\n      updated_at  timestamptz NOT NULL,\n      PRIMARY KEY (id)\n    )\n  `);\n\n  await client.query(`\n    CREATE TABLE IF NOT EXISTS auth.identities (\n      id          uuid        NOT NULL,\n      user_id     uuid        NOT NULL,\n      provider    text        NOT NULL,\n      created_at  timestamptz NOT NULL,\n      updated_at  timestamptz NOT NULL,\n      PRIMARY KEY (id)\n    )\n  `);\n\n  await client.query(`\n    CREATE TABLE IF NOT EXISTS storage.buckets (\n      id          text        NOT NULL,\n      name        text        NOT NULL,\n      created_at  timestamptz NOT NULL,\n      updated_at  timestamptz NOT NULL,\n      PRIMARY KEY (id)\n    )\n  `);\n\n  await client.query(`\n    CREATE TABLE IF NOT EXISTS storage.objects (\n      id          uuid        NOT NULL,\n      bucket_id   text        NOT NULL,\n      name        text        NOT NULL,\n      created_at  timestamptz NOT NULL,\n      updated_at  timestamptz NOT NULL,\n      PRIMARY KEY (id)\n    )\n  `);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAoDA,eAAsB,sBAAsB,QAA+B;CACzE,MAAM,OAAO,MAAM,kCAAkC;CACrD,MAAM,OAAO,MAAM,qCAAqC;CAExD,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;CAED,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;AACH"}
+{"version":3,"file":"utils.mjs","names":[],"sources":["../../test/supabase-bootstrap.ts"],"sourcesContent":["/**\n * Shared Supabase test fixture — seeds the external schemas, tables, roles, and grants.\n *\n * Seeds a Postgres/PGlite database with the external Supabase schemas and\n * tables that the framework verifier expects when a composed contract declares\n * `auth.*` and `storage.*` tables as `external`. Without these tables present,\n * `db init`/`db update` will fail at the verify step because the framework\n * confirms declared `external` tables exist.\n *\n * Also creates the three Postgres roles (`anon`, `authenticated`, `service_role`)\n * with grants that mirror a real Supabase database. `ALTER DEFAULT PRIVILEGES`\n * ensures tables created after the shim runs (e.g. `public.profile` via `dbInit`)\n * are automatically accessible to the roles.\n *\n * The caller owns the client lifecycle — pass any already-connected `pg.Client`\n * (e.g. one the test is sharing across setup steps, or one bound to a\n * transaction for isolation). Convenience wrapper for tests that don't already\n * have one:\n *\n * @example\n * ```ts\n * import { withClient } from '@prisma-next/test-utils';\n * import { bootstrapSupabaseShim } from '@prisma-next/extension-supabase/test/utils';\n *\n * await withClient(connectionString, async (client) => {\n *   await bootstrapSupabaseShim(client);\n * });\n * ```\n */\nimport type { Client } from 'pg';\n\n/**\n * Seeds the database with the external Supabase schemas, tables, roles, and grants.\n * The caller passes an already-connected `pg.Client` — this function does not\n * open or close connections.\n *\n * Creates two schemas (`auth`, `storage`) and four tables whose columns\n * exactly match the `@prisma-next/extension-supabase` contract:\n *\n * - `auth.users` — id uuid PK, email text, created_at timestamptz, updated_at timestamptz\n * - `auth.identities` — id uuid PK, user_id uuid, provider text, created_at timestamptz, updated_at timestamptz\n * - `storage.buckets` — id text PK, name text, created_at timestamptz, updated_at timestamptz\n * - `storage.objects` — id uuid PK, bucket_id text, name text, created_at timestamptz, updated_at timestamptz\n *\n * Creates the three Postgres roles and grants that mirror a real Supabase database.\n * `ALTER DEFAULT PRIVILEGES` covers tables created after the shim runs (e.g. via `dbInit`).\n * WAL grants are guarded by a schema-existence check — a PGlite single-connection\n * accommodation so role-bound sessions can interleave with the WAL drain query.\n */\nexport async function bootstrapSupabaseShim(client: Client): Promise<void> {\n  await client.query('CREATE SCHEMA IF NOT EXISTS auth');\n  await client.query('CREATE SCHEMA IF NOT EXISTS storage');\n\n  await client.query(`\n    CREATE TABLE IF NOT EXISTS auth.users (\n      id          uuid        NOT NULL,\n      email       text        NOT NULL,\n      created_at  timestamptz NOT NULL,\n      updated_at  timestamptz NOT NULL,\n      PRIMARY KEY (id)\n    )\n  `);\n\n  await client.query(`\n    CREATE TABLE IF NOT EXISTS auth.identities (\n      id          uuid        NOT NULL,\n      user_id     uuid        NOT NULL,\n      provider    text        NOT NULL,\n      created_at  timestamptz NOT NULL,\n      updated_at  timestamptz NOT NULL,\n      PRIMARY KEY (id)\n    )\n  `);\n\n  await client.query(`\n    CREATE TABLE IF NOT EXISTS storage.buckets (\n      id          text        NOT NULL,\n      name        text        NOT NULL,\n      created_at  timestamptz NOT NULL,\n      updated_at  timestamptz NOT NULL,\n      PRIMARY KEY (id)\n    )\n  `);\n\n  await client.query(`\n    CREATE TABLE IF NOT EXISTS storage.objects (\n      id          uuid        NOT NULL,\n      bucket_id   text        NOT NULL,\n      name        text        NOT NULL,\n      created_at  timestamptz NOT NULL,\n      updated_at  timestamptz NOT NULL,\n      PRIMARY KEY (id)\n    )\n  `);\n\n  // Roles + grants mirror a real Supabase database; WAL grants are a\n  // PGlite-single-connection test accommodation.\n  await client.query('CREATE ROLE anon NOLOGIN');\n  await client.query('CREATE ROLE authenticated NOLOGIN');\n  await client.query('CREATE ROLE service_role NOLOGIN BYPASSRLS');\n  await client.query('GRANT USAGE ON SCHEMA public TO anon, authenticated, service_role');\n  await client.query('GRANT USAGE ON SCHEMA auth, storage TO anon, authenticated, service_role');\n  await client.query('GRANT ALL ON ALL TABLES IN SCHEMA auth TO service_role');\n  await client.query('GRANT ALL ON ALL TABLES IN SCHEMA storage TO service_role');\n  await client.query('GRANT SELECT ON ALL TABLES IN SCHEMA auth TO anon, authenticated');\n  await client.query('GRANT SELECT ON ALL TABLES IN SCHEMA storage TO anon, authenticated');\n\n  // Default privileges cover tables created after this shim runs (e.g. public.profile via dbInit).\n  await client.query(\n    'ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO service_role',\n  );\n  await client.query(\n    'ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, UPDATE ON TABLES TO authenticated',\n  );\n  await client.query('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO anon');\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAiDA,eAAsB,sBAAsB,QAA+B;CACzE,MAAM,OAAO,MAAM,kCAAkC;CACrD,MAAM,OAAO,MAAM,qCAAqC;CAExD,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;CAED,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;CAID,MAAM,OAAO,MAAM,0BAA0B;CAC7C,MAAM,OAAO,MAAM,mCAAmC;CACtD,MAAM,OAAO,MAAM,4CAA4C;CAC/D,MAAM,OAAO,MAAM,mEAAmE;CACtF,MAAM,OAAO,MAAM,0EAA0E;CAC7F,MAAM,OAAO,MAAM,wDAAwD;CAC3E,MAAM,OAAO,MAAM,2DAA2D;CAC9E,MAAM,OAAO,MAAM,kEAAkE;CACrF,MAAM,OAAO,MAAM,qEAAqE;CAGxF,MAAM,OAAO,MACX,+EACF;CACA,MAAM,OAAO,MACX,2FACF;CACA,MAAM,OAAO,MAAM,0EAA0E;AAC/F"}

package/package.json

@@ -1,44 +1,47 @@
 {
   "name": "@prisma-next/extension-supabase",
-  "version": "0.13.0-dev.2",
+  "version": "0.13.0-dev.21",
   "license": "Apache-2.0",
   "type": "module",
   "sideEffects": false,
   "dependencies": {
-    "@prisma-next/contract": "0.13.0-dev.2",
-    "@prisma-next/contract-authoring": "0.13.0-dev.2",
-    "@prisma-next/family-sql": "0.13.0-dev.2",
-    "@prisma-next/framework-components": "0.13.0-dev.2",
-    "@prisma-next/migration-tools": "0.13.0-dev.2",
-    "@prisma-next/sql-contract": "0.13.0-dev.2",
-    "@prisma-next/sql-contract-ts": "0.13.0-dev.2",
-    "@prisma-next/sql-operations": "0.13.0-dev.2",
-    "@prisma-next/sql-relational-core": "0.13.0-dev.2",
-    "@prisma-next/sql-runtime": "0.13.0-dev.2",
-    "@prisma-next/sql-schema-ir": "0.13.0-dev.2",
-    "@prisma-next/utils": "0.13.0-dev.2",
+    "@prisma-next/adapter-postgres": "0.13.0-dev.21",
+    "@prisma-next/contract": "0.13.0-dev.21",
+    "@prisma-next/driver-postgres": "0.13.0-dev.21",
+    "@prisma-next/postgres": "0.13.0-dev.21",
+    "@prisma-next/sql-builder": "0.13.0-dev.21",
+    "@prisma-next/sql-orm-client": "0.13.0-dev.21",
+    "@prisma-next/target-postgres": "0.13.0-dev.21",
+    "jose": "^5",
+    "pg": "8.21.0",
+    "@prisma-next/contract-authoring": "0.13.0-dev.21",
+    "@prisma-next/family-sql": "0.13.0-dev.21",
+    "@prisma-next/framework-components": "0.13.0-dev.21",
+    "@prisma-next/migration-tools": "0.13.0-dev.21",
+    "@prisma-next/sql-contract": "0.13.0-dev.21",
+    "@prisma-next/sql-contract-ts": "0.13.0-dev.21",
+    "@prisma-next/sql-operations": "0.13.0-dev.21",
+    "@prisma-next/sql-relational-core": "0.13.0-dev.21",
+    "@prisma-next/sql-runtime": "0.13.0-dev.21",
+    "@prisma-next/sql-schema-ir": "0.13.0-dev.21",
+    "@prisma-next/utils": "0.13.0-dev.21",
     "@standard-schema/spec": "^1.1.0",
     "arktype": "^2.2.0"
   },
   "devDependencies": {
-    "@prisma-next/adapter-postgres": "0.13.0-dev.2",
-    "@prisma-next/cli": "0.13.0-dev.2",
-    "@prisma-next/driver-postgres": "0.13.0-dev.2",
-    "@prisma-next/operations": "0.13.0-dev.2",
-    "@prisma-next/postgres": "0.13.0-dev.2",
-    "@prisma-next/sql-contract-psl": "0.13.0-dev.2",
-    "@prisma-next/target-postgres": "0.13.0-dev.2",
-    "@prisma-next/test-utils": "0.13.0-dev.2",
-    "@prisma-next/tsconfig": "0.13.0-dev.2",
-    "@prisma-next/tsdown": "0.13.0-dev.2",
+    "@prisma-next/cli": "0.13.0-dev.21",
+    "@prisma-next/operations": "0.13.0-dev.21",
+    "@prisma-next/sql-contract-psl": "0.13.0-dev.21",
+    "@prisma-next/test-utils": "0.13.0-dev.21",
+    "@prisma-next/tsconfig": "0.13.0-dev.21",
+    "@prisma-next/tsdown": "0.13.0-dev.21",
     "@types/pg": "8.20.0",
-    "pg": "8.21.0",
     "tsdown": "0.22.1",
     "typescript": "5.9.3",
     "vitest": "4.1.8"
   },
   "peerDependencies": {
-    "@prisma-next/adapter-postgres": "0.13.0-dev.2",
+    "@prisma-next/adapter-postgres": "0.13.0-dev.21",
     "typescript": ">=5.9"
   },
   "peerDependenciesMeta": {

package/src/contract/contract.d.ts

@@ -31,7 +31,7 @@ import type {
 } from '@prisma-next/contract/types';
 
 export type StorageHash =
-  StorageHashBase<'sha256:a92ac18f82eb73f747fa9512351caec3e42df1a1a897bce787966af84371638c'>;
+  StorageHashBase<'sha256:27dcfcb121eec1827ff7464f6262582a413af76d4d86627d93db97bb2108410a'>;
 export type ExecutionHash = ExecutionHashBase<string>;
 export type ProfileHash =
   ProfileHashBase<'sha256:9c8aa3114e84ed3b7ea2bd57526d9c2e1bf7c5292be694e9d3801f566fda7ccb'>;
@@ -45,14 +45,14 @@ type DefaultLiteralValue<CodecId extends string, _Encoded> = CodecId extends key
 
 export type FieldOutputTypes = {
   readonly AuthIdentity: {
-    readonly id: CodecTypes['pg/text@1']['output'];
-    readonly user_id: CodecTypes['pg/text@1']['output'];
+    readonly id: CodecTypes['pg/uuid@1']['output'];
+    readonly user_id: CodecTypes['pg/uuid@1']['output'];
     readonly provider: CodecTypes['pg/text@1']['output'];
     readonly created_at: CodecTypes['pg/timestamptz@1']['output'];
     readonly updated_at: CodecTypes['pg/timestamptz@1']['output'];
   };
   readonly AuthUser: {
-    readonly id: CodecTypes['pg/text@1']['output'];
+    readonly id: CodecTypes['pg/uuid@1']['output'];
     readonly email: CodecTypes['pg/text@1']['output'];
     readonly created_at: CodecTypes['pg/timestamptz@1']['output'];
     readonly updated_at: CodecTypes['pg/timestamptz@1']['output'];
@@ -64,7 +64,7 @@ export type FieldOutputTypes = {
     readonly updated_at: CodecTypes['pg/timestamptz@1']['output'];
   };
   readonly StorageObject: {
-    readonly id: CodecTypes['pg/text@1']['output'];
+    readonly id: CodecTypes['pg/uuid@1']['output'];
     readonly bucket_id: CodecTypes['pg/text@1']['output'];
     readonly name: CodecTypes['pg/text@1']['output'];
     readonly created_at: CodecTypes['pg/timestamptz@1']['output'];
@@ -73,14 +73,14 @@ export type FieldOutputTypes = {
 };
 export type FieldInputTypes = {
   readonly AuthIdentity: {
-    readonly id: CodecTypes['pg/text@1']['input'];
-    readonly user_id: CodecTypes['pg/text@1']['input'];
+    readonly id: CodecTypes['pg/uuid@1']['input'];
+    readonly user_id: CodecTypes['pg/uuid@1']['input'];
     readonly provider: CodecTypes['pg/text@1']['input'];
     readonly created_at: CodecTypes['pg/timestamptz@1']['input'];
     readonly updated_at: CodecTypes['pg/timestamptz@1']['input'];
   };
   readonly AuthUser: {
-    readonly id: CodecTypes['pg/text@1']['input'];
+    readonly id: CodecTypes['pg/uuid@1']['input'];
     readonly email: CodecTypes['pg/text@1']['input'];
     readonly created_at: CodecTypes['pg/timestamptz@1']['input'];
     readonly updated_at: CodecTypes['pg/timestamptz@1']['input'];
@@ -92,7 +92,7 @@ export type FieldInputTypes = {
     readonly updated_at: CodecTypes['pg/timestamptz@1']['input'];
   };
   readonly StorageObject: {
-    readonly id: CodecTypes['pg/text@1']['input'];
+    readonly id: CodecTypes['pg/uuid@1']['input'];
     readonly bucket_id: CodecTypes['pg/text@1']['input'];
     readonly name: CodecTypes['pg/text@1']['input'];
     readonly created_at: CodecTypes['pg/timestamptz@1']['input'];
@@ -124,13 +124,13 @@ type ContractBase = Omit<
                 columns: {
                   readonly id: {
                     readonly nativeType: 'uuid';
-                    readonly codecId: 'pg/text@1';
+                    readonly codecId: 'pg/uuid@1';
                     readonly nullable: false;
                     readonly typeRef: 'Uuid';
                   };
                   readonly user_id: {
                     readonly nativeType: 'uuid';
-                    readonly codecId: 'pg/text@1';
+                    readonly codecId: 'pg/uuid@1';
                     readonly nullable: false;
                     readonly typeRef: 'Uuid';
                   };
@@ -161,7 +161,7 @@ type ContractBase = Omit<
                 columns: {
                   readonly id: {
                     readonly nativeType: 'uuid';
-                    readonly codecId: 'pg/text@1';
+                    readonly codecId: 'pg/uuid@1';
                     readonly nullable: false;
                     readonly typeRef: 'Uuid';
                   };
@@ -235,7 +235,7 @@ type ContractBase = Omit<
                 columns: {
                   readonly id: {
                     readonly nativeType: 'uuid';
-                    readonly codecId: 'pg/text@1';
+                    readonly codecId: 'pg/uuid@1';
                     readonly nullable: false;
                     readonly typeRef: 'Uuid';
                   };
@@ -274,7 +274,7 @@ type ContractBase = Omit<
       readonly types: {
         readonly Uuid: {
           readonly kind: 'codec-instance';
-          readonly codecId: 'pg/text@1';
+          readonly codecId: 'pg/uuid@1';
           readonly nativeType: 'uuid';
           readonly typeParams: Record<string, never>;
         };
@@ -292,11 +292,11 @@ type ContractBase = Omit<
         readonly fields: {
           readonly id: {
             readonly nullable: false;
-            readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/text@1' };
+            readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/uuid@1' };
           };
           readonly user_id: {
             readonly nullable: false;
-            readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/text@1' };
+            readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/uuid@1' };
           };
           readonly provider: {
             readonly nullable: false;
@@ -328,7 +328,7 @@ type ContractBase = Omit<
         readonly fields: {
           readonly id: {
             readonly nullable: false;
-            readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/text@1' };
+            readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/uuid@1' };
           };
           readonly email: {
             readonly nullable: false;
@@ -390,7 +390,7 @@ type ContractBase = Omit<
         readonly fields: {
           readonly id: {
             readonly nullable: false;
-            readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/text@1' };
+            readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/uuid@1' };
           };
           readonly bucket_id: {
             readonly nullable: false;
@@ -451,11 +451,11 @@ type ContractBase = Omit<
             readonly fields: {
               readonly id: {
                 readonly nullable: false;
-                readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/text@1' };
+                readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/uuid@1' };
               };
               readonly user_id: {
                 readonly nullable: false;
-                readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/text@1' };
+                readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/uuid@1' };
               };
               readonly provider: {
                 readonly nullable: false;
@@ -487,7 +487,7 @@ type ContractBase = Omit<
             readonly fields: {
               readonly id: {
                 readonly nullable: false;
-                readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/text@1' };
+                readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/uuid@1' };
               };
               readonly email: {
                 readonly nullable: false;
@@ -553,7 +553,7 @@ type ContractBase = Omit<
             readonly fields: {
               readonly id: {
                 readonly nullable: false;
-                readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/text@1' };
+                readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/uuid@1' };
               };
               readonly bucket_id: {
                 readonly nullable: false;

package/src/contract/contract.json

@@ -37,7 +37,7 @@
               "id": {
                 "nullable": false,
                 "type": {
-                  "codecId": "pg/text@1",
+                  "codecId": "pg/uuid@1",
                   "kind": "scalar"
                 }
               },
@@ -58,7 +58,7 @@
               "user_id": {
                 "nullable": false,
                 "type": {
-                  "codecId": "pg/text@1",
+                  "codecId": "pg/uuid@1",
                   "kind": "scalar"
                 }
               }
@@ -105,7 +105,7 @@
               "id": {
                 "nullable": false,
                 "type": {
-                  "codecId": "pg/text@1",
+                  "codecId": "pg/uuid@1",
                   "kind": "scalar"
                 }
               },
@@ -211,7 +211,7 @@
               "id": {
                 "nullable": false,
                 "type": {
-                  "codecId": "pg/text@1",
+                  "codecId": "pg/uuid@1",
                   "kind": "scalar"
                 }
               },
@@ -278,7 +278,7 @@
                   "typeRef": "Timestamptz"
                 },
                 "id": {
-                  "codecId": "pg/text@1",
+                  "codecId": "pg/uuid@1",
                   "nativeType": "uuid",
                   "nullable": false,
                   "typeRef": "Uuid"
@@ -295,7 +295,7 @@
                   "typeRef": "Timestamptz"
                 },
                 "user_id": {
-                  "codecId": "pg/text@1",
+                  "codecId": "pg/uuid@1",
                   "nativeType": "uuid",
                   "nullable": false,
                   "typeRef": "Uuid"
@@ -324,7 +324,7 @@
                   "nullable": false
                 },
                 "id": {
-                  "codecId": "pg/text@1",
+                  "codecId": "pg/uuid@1",
                   "nativeType": "uuid",
                   "nullable": false,
                   "typeRef": "Uuid"
@@ -408,7 +408,7 @@
                   "typeRef": "Timestamptz"
                 },
                 "id": {
-                  "codecId": "pg/text@1",
+                  "codecId": "pg/uuid@1",
                   "nativeType": "uuid",
                   "nullable": false,
                   "typeRef": "Uuid"
@@ -440,7 +440,7 @@
         "kind": "postgres-schema"
       }
     },
-    "storageHash": "sha256:a92ac18f82eb73f747fa9512351caec3e42df1a1a897bce787966af84371638c",
+    "storageHash": "sha256:27dcfcb121eec1827ff7464f6262582a413af76d4d86627d93db97bb2108410a",
     "types": {
       "Timestamptz": {
         "codecId": "pg/timestamptz@1",
@@ -448,7 +448,7 @@
         "nativeType": "timestamptz"
       },
       "Uuid": {
-        "codecId": "pg/text@1",
+        "codecId": "pg/uuid@1",
         "kind": "codec-instance",
         "nativeType": "uuid"
       }

package/src/exports/runtime.ts

@@ -1,31 +1,19 @@
-/**
- * Minimal M1 runtime descriptor for the Supabase extension.
- *
- * The Supabase pack contributes no runtime codec types or query operations in
- * M1 — `auth.*`/`storage.*` are external tables accessed via the stock
- * postgres runtime, not through a custom codec or operation surface. This
- * descriptor exists so the postgres runtime's contract-requirements check
- * (which verifies every `extensionPacks` entry in the emitted `contract.json`
- * has a matching runtime component) passes.
- *
- * TODO(M2): Replace with the real SupabaseRuntime that adds
- *   `asUser()`/`asAnon()` role-binding and the Supabase auth surface.
- */
-import type { SqlRuntimeExtensionDescriptor } from '@prisma-next/sql-runtime';
-
-const supabaseRuntimeDescriptor: SqlRuntimeExtensionDescriptor<'postgres'> = {
-  kind: 'extension' as const,
-  id: 'supabase',
-  version: '0.12.0',
-  familyId: 'sql' as const,
-  targetId: 'postgres' as const,
-  codecs: () => [],
-  create() {
-    return {
-      familyId: 'sql' as const,
-      targetId: 'postgres' as const,
-    };
-  },
-};
+import { supabaseRuntimeDescriptor } from '../runtime/descriptor';
 
 export default supabaseRuntimeDescriptor;
+
+export type {
+  RoleBoundDb,
+  SupabaseDb,
+  SupabaseOptions,
+  SupabaseOptionsWithContract,
+  SupabaseOptionsWithContractJson,
+  SupabaseTargetId,
+} from '../runtime/supabase';
+export { default as supabase, InvalidJwtError, SupabaseConfigError } from '../runtime/supabase';
+export type {
+  RoleSession,
+  SupabaseRoleBinding,
+  SupabaseRuntime,
+} from '../runtime/supabase-runtime';
+export { SupabaseRuntimeImpl } from '../runtime/supabase-runtime';

package/src/runtime/descriptor.ts

@@ -0,0 +1,26 @@
+import type { SqlRuntimeExtensionDescriptor } from '@prisma-next/sql-runtime';
+import packageJson from '../../package.json' with { type: 'json' };
+
+/**
+ * Tells the runtime that the Supabase pack's runtime component is available.
+ *
+ * When a contract declares the Supabase pack, the runtime checks that a
+ * matching descriptor has been registered. Without this, loading a Supabase
+ * contract errors with "pack runtime component missing". The `supabase()`
+ * factory registers this descriptor automatically — app code never needs to
+ * reference it directly.
+ */
+export const supabaseRuntimeDescriptor: SqlRuntimeExtensionDescriptor<'postgres'> = {
+  kind: 'extension' as const,
+  id: 'supabase',
+  version: packageJson.version,
+  familyId: 'sql' as const,
+  targetId: 'postgres' as const,
+  codecs: () => [],
+  create() {
+    return {
+      familyId: 'sql' as const,
+      targetId: 'postgres' as const,
+    };
+  },
+};

package/src/runtime/supabase-runtime.ts

@@ -0,0 +1,171 @@
+import type { Contract } from '@prisma-next/contract/types';
+import type { RuntimeExecuteOptions } from '@prisma-next/framework-components/runtime';
+import { AsyncIterableResult } from '@prisma-next/framework-components/runtime';
+import { type PostgresRuntime, PostgresRuntimeImpl } from '@prisma-next/postgres/runtime';
+import type { SqlStorage } from '@prisma-next/sql-contract/types';
+import type { SqlExecutionPlan, SqlQueryPlan } from '@prisma-next/sql-relational-core/plan';
+import type {
+  PreparedStatement,
+  PreparedStatementImpl,
+  RuntimeConnection,
+  RuntimeTransaction,
+} from '@prisma-next/sql-runtime';
+import { blindCast } from '@prisma-next/utils/casts';
+
+export interface SupabaseRuntime extends PostgresRuntime {}
+
+export interface SupabaseRoleBinding {
+  // TODO(TML-2501): role names move to the Supabase extension contract (roles as first-class IR) when postgres-rls lands.
+  readonly role: 'anon' | 'authenticated' | 'service_role';
+  readonly claims?: Record<string, unknown>;
+}
+
+/**
+ * A connection with a Supabase role already bound via session-scoped set_config.
+ * Implements `RuntimeConnection` so it plugs into ORM scope machinery and `withTransaction`.
+ */
+export interface RoleSession extends RuntimeConnection {}
+
+export class SupabaseRuntimeImpl<
+  TContract extends Contract<SqlStorage> = Contract<SqlStorage>,
+> extends PostgresRuntimeImpl<TContract> {
+  /**
+   * Opens a raw connection and applies role + JWT claims via session-scoped set_config.
+   * On bind failure, destroys the connection before rethrowing — no leaked connections.
+   * Not on the `SupabaseRuntime` interface; consumed by the facade, not by app code.
+   */
+  async openRoleSession(binding: SupabaseRoleBinding): Promise<RoleSession> {
+    const conn = await this.acquireRawConnection();
+
+    try {
+      await conn.query('SELECT set_config($1, $2, false)', ['role', binding.role]);
+      await conn.query('SELECT set_config($1, $2, false)', [
+        'request.jwt.claims',
+        JSON.stringify(binding.claims ?? {}),
+      ]);
+    } catch (err) {
+      await conn.destroy(err).catch(() => undefined);
+      throw err;
+    }
+
+    const self = this;
+
+    const session: RoleSession = {
+      execute<Row>(
+        plan: (SqlExecutionPlan<unknown> | SqlQueryPlan<unknown>) & { readonly _row?: Row },
+        options?: RuntimeExecuteOptions,
+      ): AsyncIterableResult<Row> {
+        return self.executeAgainstQueryable<Row>(plan, conn, { ...options, scope: 'connection' });
+      },
+
+      executePrepared<Params, Row>(
+        ps: PreparedStatement<Params, Row>,
+        params: Params,
+        options?: RuntimeExecuteOptions,
+      ): AsyncIterableResult<Row> {
+        return self.executePreparedAgainstQueryable(
+          blindCast<
+            PreparedStatementImpl<Params, Row>,
+            'PreparedStatement is PreparedStatementImpl; the impl class is the only concrete form'
+          >(ps),
+          blindCast<
+            Record<string, unknown>,
+            'params are structurally Record<string, unknown> at runtime'
+          >(params),
+          conn,
+          { ...options, scope: 'connection' },
+        );
+      },
+
+      async transaction(): Promise<RuntimeTransaction> {
+        const tx = await conn.beginTransaction();
+        return {
+          async commit(): Promise<void> {
+            await tx.commit();
+          },
+          async rollback(): Promise<void> {
+            await tx.rollback();
+          },
+          execute<Row>(
+            plan: (SqlExecutionPlan<unknown> | SqlQueryPlan<unknown>) & { readonly _row?: Row },
+            options?: RuntimeExecuteOptions,
+          ): AsyncIterableResult<Row> {
+            return self.executeAgainstQueryable<Row>(plan, tx, {
+              ...options,
+              scope: 'transaction',
+            });
+          },
+          executePrepared<Params, Row>(
+            ps: PreparedStatement<Params, Row>,
+            params: Params,
+            options?: RuntimeExecuteOptions,
+          ): AsyncIterableResult<Row> {
+            return self.executePreparedAgainstQueryable(
+              blindCast<
+                PreparedStatementImpl<Params, Row>,
+                'PreparedStatement is PreparedStatementImpl; the impl class is the only concrete form'
+              >(ps),
+              blindCast<
+                Record<string, unknown>,
+                'params are structurally Record<string, unknown> at runtime'
+              >(params),
+              tx,
+              { ...options, scope: 'transaction' },
+            );
+          },
+        };
+      },
+
+      /**
+       * Resets all session-local config then releases the connection back to the pool.
+       * If RESET ALL fails, destroys the connection instead — pool-poisoning guarantee.
+       */
+      async release(): Promise<void> {
+        try {
+          await conn.query('RESET ALL');
+          await conn.release();
+        } catch (resetError) {
+          await conn.destroy(resetError).catch(() => undefined);
+        }
+      },
+
+      async destroy(reason?: unknown): Promise<void> {
+        await conn.destroy(reason);
+      },
+    };
+
+    return session;
+  }
+
+  /**
+   * Opens a role session, executes the plan, then releases after the stream drains.
+   * On mid-stream error, destroys the session instead of releasing.
+   */
+  executeWithRole<Row>(
+    plan: SqlExecutionPlan<Row> | SqlQueryPlan<Row>,
+    binding: SupabaseRoleBinding,
+    options?: RuntimeExecuteOptions,
+  ): AsyncIterableResult<Row> {
+    const self = this;
+
+    const generator = async function* (): AsyncGenerator<Row, void, unknown> {
+      const session = await self.openRoleSession(binding);
+      let errored = false;
+      try {
+        for await (const row of session.execute(plan, options)) {
+          yield row;
+        }
+      } catch (err) {
+        errored = true;
+        await session.destroy(err).catch(() => undefined);
+        throw err;
+      } finally {
+        if (!errored) {
+          await session.release();
+        }
+      }
+    };
+
+    return new AsyncIterableResult(generator());
+  }
+}