@prisma-next/extension-supabase 0.14.0-dev.44 → 0.14.0-dev.46

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +1 @@
1
- {"version":3,"file":"runtime.mjs","names":["packageJson.version","extensionContractJson"],"sources":["../src/runtime/descriptor.ts","../src/runtime/supabase-runtime.ts","../src/runtime/supabase.ts","../src/exports/runtime.ts"],"sourcesContent":["import type { SqlRuntimeExtensionDescriptor } from '@prisma-next/sql-runtime';\nimport packageJson from '../../package.json' with { type: 'json' };\n\n/**\n * Tells the runtime that the Supabase pack's runtime component is available.\n *\n * When a contract declares the Supabase pack, the runtime checks that a\n * matching descriptor has been registered. Without this, loading a Supabase\n * contract errors with \"pack runtime component missing\". The `supabase()`\n * factory registers this descriptor automatically — app code never needs to\n * reference it directly.\n */\nexport const supabaseRuntimeDescriptor: SqlRuntimeExtensionDescriptor<'postgres'> = {\n kind: 'extension' as const,\n id: 'supabase',\n version: packageJson.version,\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n codecs: () => [],\n create() {\n return {\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n };\n },\n};\n","import type { Contract } from '@prisma-next/contract/types';\nimport type { RuntimeExecuteOptions } from '@prisma-next/framework-components/runtime';\nimport { AsyncIterableResult } from '@prisma-next/framework-components/runtime';\nimport { type PostgresRuntime, PostgresRuntimeImpl } from '@prisma-next/postgres/runtime';\nimport type { SqlStorage } from '@prisma-next/sql-contract/types';\nimport type { SqlExecutionPlan, SqlQueryPlan } from '@prisma-next/sql-relational-core/plan';\nimport type {\n PreparedStatement,\n PreparedStatementImpl,\n RuntimeConnection,\n RuntimeTransaction,\n} from '@prisma-next/sql-runtime';\nimport { blindCast } from '@prisma-next/utils/casts';\n\nexport interface SupabaseRuntime extends PostgresRuntime {}\n\nexport interface SupabaseRoleBinding {\n // TODO(TML-2501): role names move to the Supabase extension contract (roles as first-class IR) when postgres-rls lands.\n readonly role: 'anon' | 'authenticated' | 'service_role';\n readonly claims?: Record<string, unknown>;\n}\n\n/**\n * A connection with a Supabase role already bound via session-scoped set_config.\n * Implements `RuntimeConnection` so it plugs into ORM scope machinery and `withTransaction`.\n */\nexport interface RoleSession extends RuntimeConnection {}\n\nexport class SupabaseRuntimeImpl<\n TContract extends Contract<SqlStorage> = Contract<SqlStorage>,\n> extends PostgresRuntimeImpl<TContract> {\n /**\n * Opens a raw connection and applies role + JWT claims via session-scoped set_config.\n * On bind failure, destroys the connection before rethrowing — no leaked connections.\n * Not on the `SupabaseRuntime` interface; consumed by the facade, not by app code.\n */\n async openRoleSession(binding: SupabaseRoleBinding): Promise<RoleSession> {\n const conn = await this.acquireRawConnection();\n\n try {\n await conn.query('SELECT set_config($1, $2, false)', ['role', binding.role]);\n await conn.query('SELECT set_config($1, $2, false)', [\n 'request.jwt.claims',\n JSON.stringify(binding.claims ?? {}),\n ]);\n } catch (err) {\n await conn.destroy(err).catch(() => undefined);\n throw err;\n }\n\n const self = this;\n\n const session: RoleSession = {\n execute<Row>(\n plan: (SqlExecutionPlan<unknown> | SqlQueryPlan<unknown>) & { readonly _row?: Row },\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executeAgainstQueryable<Row>(plan, conn, { ...options, scope: 'connection' });\n },\n\n executePrepared<Params, Row>(\n ps: PreparedStatement<Params, Row>,\n params: Params,\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executePreparedAgainstQueryable(\n blindCast<\n PreparedStatementImpl<Params, Row>,\n 'PreparedStatement is PreparedStatementImpl; the impl class is the only concrete form'\n >(ps),\n blindCast<\n Record<string, unknown>,\n 'params are structurally Record<string, unknown> at runtime'\n >(params),\n conn,\n { ...options, scope: 'connection' },\n );\n },\n\n async transaction(): Promise<RuntimeTransaction> {\n const tx = await conn.beginTransaction();\n return {\n async commit(): Promise<void> {\n await tx.commit();\n },\n async rollback(): Promise<void> {\n await tx.rollback();\n },\n execute<Row>(\n plan: (SqlExecutionPlan<unknown> | SqlQueryPlan<unknown>) & { readonly _row?: Row },\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executeAgainstQueryable<Row>(plan, tx, {\n ...options,\n scope: 'transaction',\n });\n },\n executePrepared<Params, Row>(\n ps: PreparedStatement<Params, Row>,\n params: Params,\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executePreparedAgainstQueryable(\n blindCast<\n PreparedStatementImpl<Params, Row>,\n 'PreparedStatement is PreparedStatementImpl; the impl class is the only concrete form'\n >(ps),\n blindCast<\n Record<string, unknown>,\n 'params are structurally Record<string, unknown> at runtime'\n >(params),\n tx,\n { ...options, scope: 'transaction' },\n );\n },\n };\n },\n\n /**\n * Resets all session-local config then releases the connection back to the pool.\n * If RESET ALL fails, destroys the connection instead — pool-poisoning guarantee.\n */\n async release(): Promise<void> {\n try {\n await conn.query('RESET ALL');\n await conn.release();\n } catch (resetError) {\n await conn.destroy(resetError).catch(() => undefined);\n }\n },\n\n async destroy(reason?: unknown): Promise<void> {\n await conn.destroy(reason);\n },\n };\n\n return session;\n }\n\n /**\n * Opens a role session, executes the plan, then releases after the stream drains.\n * On mid-stream error, destroys the session instead of releasing.\n */\n executeWithRole<Row>(\n plan: SqlExecutionPlan<Row> | SqlQueryPlan<Row>,\n binding: SupabaseRoleBinding,\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n const self = this;\n\n const generator = async function* (): AsyncGenerator<Row, void, unknown> {\n const session = await self.openRoleSession(binding);\n let errored = false;\n try {\n for await (const row of session.execute(plan, options)) {\n yield row;\n }\n } catch (err) {\n errored = true;\n await session.destroy(err).catch(() => undefined);\n throw err;\n } finally {\n if (!errored) {\n await session.release();\n }\n }\n };\n\n return new AsyncIterableResult(generator());\n }\n}\n","import postgresAdapter from '@prisma-next/adapter-postgres/runtime';\nimport type { Contract } from '@prisma-next/contract/types';\nimport postgresDriver from '@prisma-next/driver-postgres/runtime';\nimport { instantiateExecutionStack } from '@prisma-next/framework-components/execution';\nimport type {\n AsyncIterableResult,\n RuntimeExecuteOptions,\n} from '@prisma-next/framework-components/runtime';\nimport { sql } from '@prisma-next/sql-builder/runtime';\nimport type { Db } from '@prisma-next/sql-builder/types';\nimport type { SqlStorage } from '@prisma-next/sql-contract/types';\nimport { orm } from '@prisma-next/sql-orm-client';\nimport type { RawSqlTag } from '@prisma-next/sql-relational-core/expression';\nimport { createRawSql } from '@prisma-next/sql-relational-core/expression';\nimport type { SqlExecutionPlan, SqlQueryPlan } from '@prisma-next/sql-relational-core/plan';\nimport type {\n ExecutionContext,\n SqlExecutionStackWithDriver,\n SqlMiddleware,\n SqlRuntimeExtensionDescriptor,\n TransactionContext,\n VerifyMarkerOption,\n} from '@prisma-next/sql-runtime';\nimport {\n createExecutionContext,\n createSqlExecutionStack,\n withTransaction,\n} from '@prisma-next/sql-runtime';\nimport postgresTarget, { PostgresContractSerializer } from '@prisma-next/target-postgres/runtime';\nimport { blindCast } from '@prisma-next/utils/casts';\nimport { ifDefined } from '@prisma-next/utils/defined';\nimport { createRemoteJWKSet, type JWTVerifyResult, jwtVerify } from 'jose';\nimport type { Client } from 'pg';\nimport { Pool } from 'pg';\nimport extensionContractJson from '../contract/contract.json' with { type: 'json' };\nimport { supabaseRuntimeDescriptor } from './descriptor';\nimport type { SupabaseExtensionContract } from './ext-contract-type';\nimport type { SupabaseRoleBinding, SupabaseRuntime } from './supabase-runtime';\nimport { SupabaseRuntimeImpl } from './supabase-runtime';\n\nexport type SupabaseTargetId = 'postgres';\n\ntype OrmClient<TContract extends Contract<SqlStorage>> = ReturnType<typeof orm<TContract>>;\n\nexport class SupabaseConfigError extends Error {\n override readonly name = 'SupabaseConfigError';\n constructor(message: string) {\n super(message);\n }\n}\n\nexport class InvalidJwtError extends Error {\n override readonly name = 'InvalidJwtError';\n readonly reason: string;\n constructor(reason: string) {\n super(`Invalid JWT: ${reason}`);\n this.reason = reason;\n }\n}\n\ntype KeyMaterial =\n | { readonly kind: 'secret'; readonly key: Uint8Array }\n | { readonly kind: 'jwks'; readonly keyset: ReturnType<typeof createRemoteJWKSet> };\n\nexport interface RoleBoundDb<TContract extends Contract<SqlStorage>> {\n readonly sql: Db<TContract>;\n readonly orm: OrmClient<TContract>;\n readonly raw: RawSqlTag;\n execute<Row>(\n plan: (SqlExecutionPlan<Row> | SqlQueryPlan<Row>) & { readonly _row?: Row },\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row>;\n transaction<R>(fn: (tx: TransactionContext) => PromiseLike<R>): Promise<R>;\n}\n\n/**\n * Query surface for the Supabase-internal contract (`auth`, `storage`). Exposed\n * as a separate secondary root — never merged into the app contract — and only\n * reachable through `service_role`, the one role with grants on those schemas\n * over a direct Postgres connection.\n *\n * Deliberately omits `transaction` (which {@link RoleBoundDb} has): the primary\n * app root and this secondary root are served by separate runtimes that do not\n * share one pinned connection, so a transaction spanning both is out of scope for v1.\n */\nexport interface SupabaseInternalDb {\n readonly sql: Db<SupabaseExtensionContract>;\n readonly orm: OrmClient<SupabaseExtensionContract>;\n execute<Row>(\n plan: (SqlExecutionPlan<Row> | SqlQueryPlan<Row>) & { readonly _row?: Row },\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row>;\n}\n\n/**\n * The `service_role` db: the app-contract role-bound surface (its `.sql` / `.orm`\n * are app-only, exactly like `asUser` / `asAnon`), plus a `.supabase` secondary\n * root for the Supabase-internal namespaces.\n */\nexport type ServiceRoleDb<TContract extends Contract<SqlStorage>> = RoleBoundDb<TContract> & {\n readonly supabase: SupabaseInternalDb;\n};\n\nexport interface SupabaseDb<TContract extends Contract<SqlStorage>> {\n readonly context: ExecutionContext<TContract>;\n readonly stack: SqlExecutionStackWithDriver<SupabaseTargetId>;\n asUser(jwt: string): Promise<RoleBoundDb<TContract>>;\n asAnon(): RoleBoundDb<TContract>;\n asServiceRole(): ServiceRoleDb<TContract>;\n close(): Promise<void>;\n [Symbol.asyncDispose](): Promise<void>;\n}\n\nexport interface SupabaseOptionsBase {\n readonly extensions?: readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[];\n readonly middleware?: readonly SqlMiddleware[];\n readonly verifyMarker?: VerifyMarkerOption;\n readonly poolOptions?: {\n readonly connectionTimeoutMillis?: number;\n readonly idleTimeoutMillis?: number;\n };\n}\n\nexport interface SupabaseBindingOptions {\n readonly url?: string;\n readonly pg?: Pool | Client;\n}\n\ntype JwtSecretOption = {\n readonly jwtSecret: string;\n readonly jwksUrl?: never;\n};\n\ntype JwksUrlOption = {\n readonly jwksUrl: string;\n readonly jwtSecret?: never;\n};\n\nexport type SupabaseOptionsWithContract<TContract extends Contract<SqlStorage>> =\n SupabaseBindingOptions &\n SupabaseOptionsBase &\n (JwtSecretOption | JwksUrlOption) & {\n readonly contract: TContract;\n readonly contractJson?: never;\n };\n\nexport type SupabaseOptionsWithContractJson<TContract extends Contract<SqlStorage>> =\n SupabaseBindingOptions &\n SupabaseOptionsBase &\n (JwtSecretOption | JwksUrlOption) & {\n readonly contractJson: unknown;\n readonly contract?: never;\n readonly _contract?: TContract;\n };\n\nexport type SupabaseOptions<TContract extends Contract<SqlStorage>> =\n | SupabaseOptionsWithContract<TContract>\n | SupabaseOptionsWithContractJson<TContract>;\n\nfunction hasContractJson<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): options is SupabaseOptionsWithContractJson<TContract> {\n return 'contractJson' in options;\n}\n\nconst contractSerializer = new PostgresContractSerializer();\n\nfunction resolveContract<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): TContract {\n const contractJson = hasContractJson(options)\n ? options.contractJson\n : contractSerializer.serializeContract(options.contract);\n return blindCast<\n TContract,\n 'contractSerializer.deserializeContract returns a validated TContract'\n >(contractSerializer.deserializeContract(contractJson));\n}\n\nfunction resolveKeyMaterial<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): KeyMaterial {\n const jwtSecret = 'jwtSecret' in options ? options.jwtSecret : undefined;\n const jwksUrl = 'jwksUrl' in options ? options.jwksUrl : undefined;\n\n if (jwtSecret !== undefined && jwksUrl !== undefined) {\n throw new SupabaseConfigError('Provide either jwtSecret or jwksUrl, not both');\n }\n if (jwtSecret === undefined && jwksUrl === undefined) {\n throw new SupabaseConfigError('Either jwtSecret or jwksUrl is required');\n }\n\n if (jwtSecret !== undefined) {\n return { kind: 'secret', key: new TextEncoder().encode(jwtSecret) };\n }\n\n if (jwksUrl !== undefined) {\n return { kind: 'jwks', keyset: createRemoteJWKSet(new URL(jwksUrl)) };\n }\n\n throw new SupabaseConfigError('Either jwtSecret or jwksUrl is required');\n}\n\nfunction toPool<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): { pool: Pool; owned: boolean } | undefined {\n if (options.pg instanceof Pool) {\n return { pool: options.pg, owned: false };\n }\n if (typeof options.url === 'string') {\n return {\n pool: new Pool({\n connectionString: options.url,\n connectionTimeoutMillis: options.poolOptions?.connectionTimeoutMillis ?? 20_000,\n idleTimeoutMillis: options.poolOptions?.idleTimeoutMillis ?? 30_000,\n }),\n owned: true,\n };\n }\n return undefined;\n}\n\nfunction withSupabaseDescriptor(\n extensions: readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[] | undefined,\n): readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[] {\n const packs = extensions ?? [];\n return packs.some((pack) => pack.id === supabaseRuntimeDescriptor.id)\n ? packs\n : [...packs, supabaseRuntimeDescriptor];\n}\n\n/**\n * Deserializes the Supabase extension's own emitted contract into a runtime\n * contract: namespaces hydrate into `PostgresSchema` instances (with\n * `qualifyTable`), and `typeRef` columns (`Timestamptz`, `Uuid`) resolve\n * through the codec registry. Exposed only via `service_role`'s `.supabase`\n * secondary root — never merged into the app contract.\n */\nfunction buildExtensionContract(): SupabaseExtensionContract {\n return blindCast<\n SupabaseExtensionContract,\n 'deserializeContract hydrates JSON namespaces into PostgresSchema instances with qualifyTable'\n >(contractSerializer.deserializeContract(extensionContractJson));\n}\n\nexport default async function supabase<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptionsWithContract<TContract>,\n): Promise<SupabaseDb<TContract>>;\nexport default async function supabase<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptionsWithContractJson<TContract>,\n): Promise<SupabaseDb<TContract>>;\nexport default async function supabase<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): Promise<SupabaseDb<TContract>> {\n const keyMaterial = resolveKeyMaterial(options);\n const contract = resolveContract(options);\n\n const stack = createSqlExecutionStack({\n target: postgresTarget,\n adapter: postgresAdapter,\n driver: postgresDriver,\n extensionPacks: withSupabaseDescriptor(options.extensions),\n });\n\n const context = createExecutionContext({ contract, stack });\n const rawCodecInferer = stack.adapter.rawCodecInferer;\n const rawSqlTag: RawSqlTag = createRawSql(rawCodecInferer);\n\n const poolEntry = toPool(options);\n let closed = false;\n\n const stackInstance = instantiateExecutionStack(stack);\n const driverDescriptor = stack.driver;\n if (!driverDescriptor) {\n throw new Error('Driver descriptor missing from execution stack');\n }\n const driver = driverDescriptor.create({ cursor: { disabled: true } });\n\n if (poolEntry) {\n await driver.connect({ kind: 'pgPool', pool: poolEntry.pool });\n }\n\n const runtime: SupabaseRuntime & SupabaseRuntimeImpl<TContract> = new SupabaseRuntimeImpl({\n context,\n adapter: stackInstance.adapter,\n driver,\n ...ifDefined('verifyMarker', options.verifyMarker),\n ...ifDefined('middleware', options.middleware),\n });\n\n async function verifyJwt(jwt: string): Promise<JWTVerifyResult> {\n try {\n if (keyMaterial.kind === 'secret') {\n return await jwtVerify(jwt, keyMaterial.key);\n }\n return await jwtVerify(jwt, keyMaterial.keyset);\n } catch (err) {\n const reason = err instanceof Error ? err.message : String(err);\n throw new InvalidJwtError(reason);\n }\n }\n\n function buildRoleBoundDbWithContext<C extends Contract<SqlStorage>>(\n binding: SupabaseRoleBinding,\n roleContext: ExecutionContext<C>,\n roleRuntime: SupabaseRuntime & SupabaseRuntimeImpl<C>,\n ): RoleBoundDb<C> {\n const roleSql: Db<C> = sql<C>({ context: roleContext, rawCodecInferer });\n const roleOrm: OrmClient<C> = orm({\n runtime: {\n execute(plan) {\n return roleRuntime.executeWithRole(plan, binding);\n },\n connection: () => roleRuntime.openRoleSession(binding),\n },\n context: roleContext,\n });\n\n return {\n sql: roleSql,\n orm: roleOrm,\n raw: rawSqlTag,\n execute<Row>(\n plan: (SqlExecutionPlan<Row> | SqlQueryPlan<Row>) & { readonly _row?: Row },\n execOptions?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return roleRuntime.executeWithRole<Row>(plan, binding, execOptions);\n },\n transaction<R>(fn: (tx: TransactionContext) => PromiseLike<R>): Promise<R> {\n return withTransaction({ connection: () => roleRuntime.openRoleSession(binding) }, fn);\n },\n };\n }\n\n function buildRoleBoundDb(binding: SupabaseRoleBinding): RoleBoundDb<TContract> {\n return buildRoleBoundDbWithContext(binding, context, runtime);\n }\n\n const serviceRoleBinding: SupabaseRoleBinding = { role: 'service_role', claims: {} };\n\n // The Supabase-internal contract (auth/storage) as a separate secondary root.\n // It is contract-bound: a plan built against it carries the extension's\n // storageHash, so it must run on a runtime bound to the extension contract —\n // the app runtime would reject it (PLAN.HASH_MISMATCH). This runtime shares\n // the same driver (one pool, no second connection) and disables marker\n // verification: the extension contract is external and owns no app-space\n // marker, so its hashes must not be checked against the DB marker.\n const extContract = buildExtensionContract();\n const extContext = createExecutionContext({ contract: extContract, stack });\n const extRuntime: SupabaseRuntime & SupabaseRuntimeImpl<SupabaseExtensionContract> =\n new SupabaseRuntimeImpl({\n context: extContext,\n adapter: stackInstance.adapter,\n driver,\n verifyMarker: false,\n ...ifDefined('middleware', options.middleware),\n });\n\n const supabaseInternal: SupabaseInternalDb = {\n sql: sql<SupabaseExtensionContract>({ context: extContext, rawCodecInferer }),\n orm: orm({\n runtime: {\n execute(plan) {\n return extRuntime.executeWithRole(plan, serviceRoleBinding);\n },\n connection: () => extRuntime.openRoleSession(serviceRoleBinding),\n },\n context: extContext,\n }),\n execute<Row>(\n plan: (SqlExecutionPlan<Row> | SqlQueryPlan<Row>) & { readonly _row?: Row },\n execOptions?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return extRuntime.executeWithRole<Row>(plan, serviceRoleBinding, execOptions);\n },\n };\n\n async function closeDb(): Promise<void> {\n if (closed) return;\n closed = true;\n await runtime.close();\n if (poolEntry?.owned) {\n await poolEntry.pool.end().catch(() => undefined);\n }\n }\n\n return {\n context,\n stack,\n\n async asUser(jwt: string): Promise<RoleBoundDb<TContract>> {\n const { payload } = await verifyJwt(jwt);\n const rawRole = payload['role'];\n const roleStr = typeof rawRole === 'string' ? rawRole : 'authenticated';\n const role: SupabaseRoleBinding['role'] =\n roleStr === 'anon' || roleStr === 'authenticated' || roleStr === 'service_role'\n ? roleStr\n : 'authenticated';\n const binding: SupabaseRoleBinding = { role, claims: payload };\n return buildRoleBoundDb(binding);\n },\n\n asAnon(): RoleBoundDb<TContract> {\n return buildRoleBoundDb({ role: 'anon', claims: {} });\n },\n\n asServiceRole(): ServiceRoleDb<TContract> {\n const roleBound = buildRoleBoundDbWithContext(serviceRoleBinding, context, runtime);\n return { ...roleBound, supabase: supabaseInternal };\n },\n\n close: closeDb,\n [Symbol.asyncDispose]: closeDb,\n };\n}\n","import { supabaseRuntimeDescriptor } from '../runtime/descriptor';\n\nexport default supabaseRuntimeDescriptor;\n\nexport type {\n RoleBoundDb,\n ServiceRoleDb,\n SupabaseDb,\n SupabaseInternalDb,\n SupabaseOptions,\n SupabaseOptionsWithContract,\n SupabaseOptionsWithContractJson,\n SupabaseTargetId,\n} from '../runtime/supabase';\nexport { default as supabase, InvalidJwtError, SupabaseConfigError } from '../runtime/supabase';\nexport type {\n RoleSession,\n SupabaseRoleBinding,\n SupabaseRuntime,\n} from '../runtime/supabase-runtime';\nexport { SupabaseRuntimeImpl } from '../runtime/supabase-runtime';\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAYA,MAAa,4BAAuE;CAClF,MAAM;CACN,IAAI;CACKA;CACT,UAAU;CACV,UAAU;CACV,cAAc,CAAC;CACf,SAAS;EACP,OAAO;GACL,UAAU;GACV,UAAU;EACZ;CACF;AACF;;;ACGA,IAAa,sBAAb,cAEU,oBAA+B;;;;;;CAMvC,MAAM,gBAAgB,SAAoD;EACxE,MAAM,OAAO,MAAM,KAAK,qBAAqB;EAE7C,IAAI;GACF,MAAM,KAAK,MAAM,oCAAoC,CAAC,QAAQ,QAAQ,IAAI,CAAC;GAC3E,MAAM,KAAK,MAAM,oCAAoC,CACnD,sBACA,KAAK,UAAU,QAAQ,UAAU,CAAC,CAAC,CACrC,CAAC;EACH,SAAS,KAAK;GACZ,MAAM,KAAK,QAAQ,GAAG,CAAC,CAAC,YAAY,KAAA,CAAS;GAC7C,MAAM;EACR;EAEA,MAAM,OAAO;EAsFb,OAAO;GAnFL,QACE,MACA,SAC0B;IAC1B,OAAO,KAAK,wBAA6B,MAAM,MAAM;KAAE,GAAG;KAAS,OAAO;IAAa,CAAC;GAC1F;GAEA,gBACE,IACA,QACA,SAC0B;IAC1B,OAAO,KAAK,gCACV,UAGE,EAAE,GACJ,UAGE,MAAM,GACR,MACA;KAAE,GAAG;KAAS,OAAO;IAAa,CACpC;GACF;GAEA,MAAM,cAA2C;IAC/C,MAAM,KAAK,MAAM,KAAK,iBAAiB;IACvC,OAAO;KACL,MAAM,SAAwB;MAC5B,MAAM,GAAG,OAAO;KAClB;KACA,MAAM,WAA0B;MAC9B,MAAM,GAAG,SAAS;KACpB;KACA,QACE,MACA,SAC0B;MAC1B,OAAO,KAAK,wBAA6B,MAAM,IAAI;OACjD,GAAG;OACH,OAAO;MACT,CAAC;KACH;KACA,gBACE,IACA,QACA,SAC0B;MAC1B,OAAO,KAAK,gCACV,UAGE,EAAE,GACJ,UAGE,MAAM,GACR,IACA;OAAE,GAAG;OAAS,OAAO;MAAc,CACrC;KACF;IACF;GACF;;;;;GAMA,MAAM,UAAyB;IAC7B,IAAI;KACF,MAAM,KAAK,MAAM,WAAW;KAC5B,MAAM,KAAK,QAAQ;IACrB,SAAS,YAAY;KACnB,MAAM,KAAK,QAAQ,UAAU,CAAC,CAAC,YAAY,KAAA,CAAS;IACtD;GACF;GAEA,MAAM,QAAQ,QAAiC;IAC7C,MAAM,KAAK,QAAQ,MAAM;GAC3B;EAGW;CACf;;;;;CAMA,gBACE,MACA,SACA,SAC0B;EAC1B,MAAM,OAAO;EAEb,MAAM,YAAY,mBAAuD;GACvE,MAAM,UAAU,MAAM,KAAK,gBAAgB,OAAO;GAClD,IAAI,UAAU;GACd,IAAI;IACF,WAAW,MAAM,OAAO,QAAQ,QAAQ,MAAM,OAAO,GACnD,MAAM;GAEV,SAAS,KAAK;IACZ,UAAU;IACV,MAAM,QAAQ,QAAQ,GAAG,CAAC,CAAC,YAAY,KAAA,CAAS;IAChD,MAAM;GACR,UAAU;IACR,IAAI,CAAC,SACH,MAAM,QAAQ,QAAQ;GAE1B;EACF;EAEA,OAAO,IAAI,oBAAoB,UAAU,CAAC;CAC5C;AACF;;;AC9HA,IAAa,sBAAb,cAAyC,MAAM;CAC7C,OAAyB;CACzB,YAAY,SAAiB;EAC3B,MAAM,OAAO;CACf;AACF;AAEA,IAAa,kBAAb,cAAqC,MAAM;CACzC,OAAyB;CACzB;CACA,YAAY,QAAgB;EAC1B,MAAM,gBAAgB,QAAQ;EAC9B,KAAK,SAAS;CAChB;AACF;AAqGA,SAAS,gBACP,SACuD;CACvD,OAAO,kBAAkB;AAC3B;AAEA,MAAM,qBAAqB,IAAI,2BAA2B;AAE1D,SAAS,gBACP,SACW;CACX,MAAM,eAAe,gBAAgB,OAAO,IACxC,QAAQ,eACR,mBAAmB,kBAAkB,QAAQ,QAAQ;CACzD,OAAO,UAGL,mBAAmB,oBAAoB,YAAY,CAAC;AACxD;AAEA,SAAS,mBACP,SACa;CACb,MAAM,YAAY,eAAe,UAAU,QAAQ,YAAY,KAAA;CAC/D,MAAM,UAAU,aAAa,UAAU,QAAQ,UAAU,KAAA;CAEzD,IAAI,cAAc,KAAA,KAAa,YAAY,KAAA,GACzC,MAAM,IAAI,oBAAoB,+CAA+C;CAE/E,IAAI,cAAc,KAAA,KAAa,YAAY,KAAA,GACzC,MAAM,IAAI,oBAAoB,yCAAyC;CAGzE,IAAI,cAAc,KAAA,GAChB,OAAO;EAAE,MAAM;EAAU,KAAK,IAAI,YAAY,CAAC,CAAC,OAAO,SAAS;CAAE;CAGpE,IAAI,YAAY,KAAA,GACd,OAAO;EAAE,MAAM;EAAQ,QAAQ,mBAAmB,IAAI,IAAI,OAAO,CAAC;CAAE;CAGtE,MAAM,IAAI,oBAAoB,yCAAyC;AACzE;AAEA,SAAS,OACP,SAC4C;CAC5C,IAAI,QAAQ,cAAc,MACxB,OAAO;EAAE,MAAM,QAAQ;EAAI,OAAO;CAAM;CAE1C,IAAI,OAAO,QAAQ,QAAQ,UACzB,OAAO;EACL,MAAM,IAAI,KAAK;GACb,kBAAkB,QAAQ;GAC1B,yBAAyB,QAAQ,aAAa,2BAA2B;GACzE,mBAAmB,QAAQ,aAAa,qBAAqB;EAC/D,CAAC;EACD,OAAO;CACT;AAGJ;AAEA,SAAS,uBACP,YAC4D;CAC5D,MAAM,QAAQ,cAAc,CAAC;CAC7B,OAAO,MAAM,MAAM,SAAS,KAAK,OAAO,0BAA0B,EAAE,IAChE,QACA,CAAC,GAAG,OAAO,yBAAyB;AAC1C;;;;;;;;AASA,SAAS,yBAAoD;CAC3D,OAAO,UAGL,mBAAmB,oBAAoBC,gBAAqB,CAAC;AACjE;AAQA,eAA8B,SAC5B,SACgC;CAChC,MAAM,cAAc,mBAAmB,OAAO;CAC9C,MAAM,WAAW,gBAAgB,OAAO;CAExC,MAAM,QAAQ,wBAAwB;EACpC,QAAQ;EACR,SAAS;EACT,QAAQ;EACR,gBAAgB,uBAAuB,QAAQ,UAAU;CAC3D,CAAC;CAED,MAAM,UAAU,uBAAuB;EAAE;EAAU;CAAM,CAAC;CAC1D,MAAM,kBAAkB,MAAM,QAAQ;CACtC,MAAM,YAAuB,aAAa,eAAe;CAEzD,MAAM,YAAY,OAAO,OAAO;CAChC,IAAI,SAAS;CAEb,MAAM,gBAAgB,0BAA0B,KAAK;CACrD,MAAM,mBAAmB,MAAM;CAC/B,IAAI,CAAC,kBACH,MAAM,IAAI,MAAM,gDAAgD;CAElE,MAAM,SAAS,iBAAiB,OAAO,EAAE,QAAQ,EAAE,UAAU,KAAK,EAAE,CAAC;CAErE,IAAI,WACF,MAAM,OAAO,QAAQ;EAAE,MAAM;EAAU,MAAM,UAAU;CAAK,CAAC;CAG/D,MAAM,UAA4D,IAAI,oBAAoB;EACxF;EACA,SAAS,cAAc;EACvB;EACA,GAAG,UAAU,gBAAgB,QAAQ,YAAY;EACjD,GAAG,UAAU,cAAc,QAAQ,UAAU;CAC/C,CAAC;CAED,eAAe,UAAU,KAAuC;EAC9D,IAAI;GACF,IAAI,YAAY,SAAS,UACvB,OAAO,MAAM,UAAU,KAAK,YAAY,GAAG;GAE7C,OAAO,MAAM,UAAU,KAAK,YAAY,MAAM;EAChD,SAAS,KAAK;GAEZ,MAAM,IAAI,gBADK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAC9B;EAClC;CACF;CAEA,SAAS,4BACP,SACA,aACA,aACgB;EAYhB,OAAO;GACL,KAZqB,IAAO;IAAE,SAAS;IAAa;GAAgB,CAYzD;GACX,KAZ4B,IAAI;IAChC,SAAS;KACP,QAAQ,MAAM;MACZ,OAAO,YAAY,gBAAgB,MAAM,OAAO;KAClD;KACA,kBAAkB,YAAY,gBAAgB,OAAO;IACvD;IACA,SAAS;GACX,CAIa;GACX,KAAK;GACL,QACE,MACA,aAC0B;IAC1B,OAAO,YAAY,gBAAqB,MAAM,SAAS,WAAW;GACpE;GACA,YAAe,IAA4D;IACzE,OAAO,gBAAgB,EAAE,kBAAkB,YAAY,gBAAgB,OAAO,EAAE,GAAG,EAAE;GACvF;EACF;CACF;CAEA,SAAS,iBAAiB,SAAsD;EAC9E,OAAO,4BAA4B,SAAS,SAAS,OAAO;CAC9D;CAEA,MAAM,qBAA0C;EAAE,MAAM;EAAgB,QAAQ,CAAC;CAAE;CAUnF,MAAM,aAAa,uBAAuB;EAAE,UADxB,uBAC4C;EAAG;CAAM,CAAC;CAC1E,MAAM,aACJ,IAAI,oBAAoB;EACtB,SAAS;EACT,SAAS,cAAc;EACvB;EACA,cAAc;EACd,GAAG,UAAU,cAAc,QAAQ,UAAU;CAC/C,CAAC;CAEH,MAAM,mBAAuC;EAC3C,KAAK,IAA+B;GAAE,SAAS;GAAY;EAAgB,CAAC;EAC5E,KAAK,IAAI;GACP,SAAS;IACP,QAAQ,MAAM;KACZ,OAAO,WAAW,gBAAgB,MAAM,kBAAkB;IAC5D;IACA,kBAAkB,WAAW,gBAAgB,kBAAkB;GACjE;GACA,SAAS;EACX,CAAC;EACD,QACE,MACA,aAC0B;GAC1B,OAAO,WAAW,gBAAqB,MAAM,oBAAoB,WAAW;EAC9E;CACF;CAEA,eAAe,UAAyB;EACtC,IAAI,QAAQ;EACZ,SAAS;EACT,MAAM,QAAQ,MAAM;EACpB,IAAI,WAAW,OACb,MAAM,UAAU,KAAK,IAAI,CAAC,CAAC,YAAY,KAAA,CAAS;CAEpD;CAEA,OAAO;EACL;EACA;EAEA,MAAM,OAAO,KAA8C;GACzD,MAAM,EAAE,YAAY,MAAM,UAAU,GAAG;GACvC,MAAM,UAAU,QAAQ;GACxB,MAAM,UAAU,OAAO,YAAY,WAAW,UAAU;GAMxD,OAAO,iBAAiB;IADe,MAHrC,YAAY,UAAU,YAAY,mBAAmB,YAAY,iBAC7D,UACA;IACuC,QAAQ;GACvB,CAAC;EACjC;EAEA,SAAiC;GAC/B,OAAO,iBAAiB;IAAE,MAAM;IAAQ,QAAQ,CAAC;GAAE,CAAC;EACtD;EAEA,gBAA0C;GAExC,OAAO;IAAE,GADS,4BAA4B,oBAAoB,SAAS,OACvD;IAAG,UAAU;GAAiB;EACpD;EAEA,OAAO;GACN,OAAO,eAAe;CACzB;AACF;;;AC5ZA,IAAA,kBAAe"}
1
+ {"version":3,"file":"runtime.mjs","names":["packageJson.version","extensionContractJson"],"sources":["../src/runtime/descriptor.ts","../src/runtime/supabase-runtime.ts","../src/runtime/supabase.ts","../src/exports/runtime.ts"],"sourcesContent":["import type { SqlRuntimeExtensionDescriptor } from '@prisma-next/sql-runtime';\nimport packageJson from '../../package.json' with { type: 'json' };\n\n/**\n * Tells the runtime that the Supabase pack's runtime component is available.\n *\n * When a contract declares the Supabase pack, the runtime checks that a\n * matching descriptor has been registered. Without this, loading a Supabase\n * contract errors with \"pack runtime component missing\". The `supabase()`\n * factory registers this descriptor automatically — app code never needs to\n * reference it directly.\n */\nexport const supabaseRuntimeDescriptor: SqlRuntimeExtensionDescriptor<'postgres'> = {\n kind: 'extension' as const,\n id: 'supabase',\n version: packageJson.version,\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n codecs: () => [],\n create() {\n return {\n familyId: 'sql' as const,\n targetId: 'postgres' as const,\n };\n },\n};\n","import type { Contract } from '@prisma-next/contract/types';\nimport type { RuntimeExecuteOptions } from '@prisma-next/framework-components/runtime';\nimport { AsyncIterableResult } from '@prisma-next/framework-components/runtime';\nimport { type PostgresRuntime, PostgresRuntimeImpl } from '@prisma-next/postgres/runtime';\nimport type { SqlStorage } from '@prisma-next/sql-contract/types';\nimport type { SqlExecutionPlan, SqlQueryPlan } from '@prisma-next/sql-relational-core/plan';\nimport type {\n PreparedStatement,\n PreparedStatementImpl,\n RuntimeConnection,\n RuntimeTransaction,\n} from '@prisma-next/sql-runtime';\nimport { blindCast } from '@prisma-next/utils/casts';\n\nexport interface SupabaseRuntime extends PostgresRuntime {}\n\nexport interface SupabaseRoleBinding {\n // TODO(TML-2501): role names move to the Supabase extension contract (roles as first-class IR) when postgres-rls lands.\n readonly role: 'anon' | 'authenticated' | 'service_role';\n readonly claims?: Record<string, unknown>;\n}\n\n/**\n * A connection with a Supabase role already bound via session-scoped set_config.\n * Implements `RuntimeConnection` so it plugs into ORM scope machinery and `withTransaction`.\n */\nexport interface RoleSession extends RuntimeConnection {}\n\nexport class SupabaseRuntimeImpl<\n TContract extends Contract<SqlStorage> = Contract<SqlStorage>,\n> extends PostgresRuntimeImpl<TContract> {\n /**\n * Opens a raw connection and applies role + JWT claims via session-scoped set_config.\n * On bind failure, destroys the connection before rethrowing — no leaked connections.\n * Not on the `SupabaseRuntime` interface; consumed by the facade, not by app code.\n */\n async openRoleSession(binding: SupabaseRoleBinding): Promise<RoleSession> {\n const conn = await this.acquireRawConnection();\n\n try {\n await conn.query('SELECT set_config($1, $2, false)', ['role', binding.role]);\n await conn.query('SELECT set_config($1, $2, false)', [\n 'request.jwt.claims',\n JSON.stringify(binding.claims ?? {}),\n ]);\n } catch (err) {\n await conn.destroy(err).catch(() => undefined);\n throw err;\n }\n\n const self = this;\n\n const session: RoleSession = {\n execute<Row>(\n plan: (SqlExecutionPlan<unknown> | SqlQueryPlan<unknown>) & { readonly _row?: Row },\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executeAgainstQueryable<Row>(plan, conn, { ...options, scope: 'connection' });\n },\n\n executePrepared<Params, Row>(\n ps: PreparedStatement<Params, Row>,\n params: Params,\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executePreparedAgainstQueryable(\n blindCast<\n PreparedStatementImpl<Params, Row>,\n 'PreparedStatement is PreparedStatementImpl; the impl class is the only concrete form'\n >(ps),\n blindCast<\n Record<string, unknown>,\n 'params are structurally Record<string, unknown> at runtime'\n >(params),\n conn,\n { ...options, scope: 'connection' },\n );\n },\n\n async transaction(): Promise<RuntimeTransaction> {\n const tx = await conn.beginTransaction();\n return {\n async commit(): Promise<void> {\n await tx.commit();\n },\n async rollback(): Promise<void> {\n await tx.rollback();\n },\n execute<Row>(\n plan: (SqlExecutionPlan<unknown> | SqlQueryPlan<unknown>) & { readonly _row?: Row },\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executeAgainstQueryable<Row>(plan, tx, {\n ...options,\n scope: 'transaction',\n });\n },\n executePrepared<Params, Row>(\n ps: PreparedStatement<Params, Row>,\n params: Params,\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return self.executePreparedAgainstQueryable(\n blindCast<\n PreparedStatementImpl<Params, Row>,\n 'PreparedStatement is PreparedStatementImpl; the impl class is the only concrete form'\n >(ps),\n blindCast<\n Record<string, unknown>,\n 'params are structurally Record<string, unknown> at runtime'\n >(params),\n tx,\n { ...options, scope: 'transaction' },\n );\n },\n };\n },\n\n /**\n * Resets all session-local config then releases the connection back to the pool.\n * If RESET ALL fails, destroys the connection instead — pool-poisoning guarantee.\n */\n async release(): Promise<void> {\n try {\n await conn.query('RESET ALL');\n await conn.release();\n } catch (resetError) {\n await conn.destroy(resetError).catch(() => undefined);\n }\n },\n\n async destroy(reason?: unknown): Promise<void> {\n await conn.destroy(reason);\n },\n };\n\n return session;\n }\n\n /**\n * Opens a role session, executes the plan, then releases after the stream drains.\n * On mid-stream error, destroys the session instead of releasing.\n */\n executeWithRole<Row>(\n plan: SqlExecutionPlan<Row> | SqlQueryPlan<Row>,\n binding: SupabaseRoleBinding,\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n const self = this;\n\n const generator = async function* (): AsyncGenerator<Row, void, unknown> {\n const session = await self.openRoleSession(binding);\n let errored = false;\n try {\n for await (const row of session.execute(plan, options)) {\n yield row;\n }\n } catch (err) {\n errored = true;\n await session.destroy(err).catch(() => undefined);\n throw err;\n } finally {\n if (!errored) {\n await session.release();\n }\n }\n };\n\n return new AsyncIterableResult(generator());\n }\n}\n","import postgresAdapter from '@prisma-next/adapter-postgres/runtime';\nimport type { Contract } from '@prisma-next/contract/types';\nimport postgresDriver from '@prisma-next/driver-postgres/runtime';\nimport { instantiateExecutionStack } from '@prisma-next/framework-components/execution';\nimport type {\n AsyncIterableResult,\n RuntimeExecuteOptions,\n} from '@prisma-next/framework-components/runtime';\nimport {\n buildNamespacedNativeEnums,\n type NamespacedNativeEnums,\n} from '@prisma-next/postgres/runtime';\nimport { sql } from '@prisma-next/sql-builder/runtime';\nimport type { Db } from '@prisma-next/sql-builder/types';\nimport type { SqlStorage } from '@prisma-next/sql-contract/types';\nimport { orm } from '@prisma-next/sql-orm-client';\nimport type { RawSqlTag } from '@prisma-next/sql-relational-core/expression';\nimport { createRawSql } from '@prisma-next/sql-relational-core/expression';\nimport type { SqlExecutionPlan, SqlQueryPlan } from '@prisma-next/sql-relational-core/plan';\nimport type {\n ExecutionContext,\n SqlExecutionStackWithDriver,\n SqlMiddleware,\n SqlRuntimeExtensionDescriptor,\n TransactionContext,\n VerifyMarkerOption,\n} from '@prisma-next/sql-runtime';\nimport {\n createExecutionContext,\n createSqlExecutionStack,\n withTransaction,\n} from '@prisma-next/sql-runtime';\nimport postgresTarget, { PostgresContractSerializer } from '@prisma-next/target-postgres/runtime';\nimport { blindCast } from '@prisma-next/utils/casts';\nimport { ifDefined } from '@prisma-next/utils/defined';\nimport { createRemoteJWKSet, type JWTVerifyResult, jwtVerify } from 'jose';\nimport type { Client } from 'pg';\nimport { Pool } from 'pg';\nimport extensionContractJson from '../contract/contract.json' with { type: 'json' };\nimport { supabaseRuntimeDescriptor } from './descriptor';\nimport type { SupabaseExtensionContract } from './ext-contract-type';\nimport type { SupabaseRoleBinding, SupabaseRuntime } from './supabase-runtime';\nimport { SupabaseRuntimeImpl } from './supabase-runtime';\n\nexport type SupabaseTargetId = 'postgres';\n\ntype OrmClient<TContract extends Contract<SqlStorage>> = ReturnType<typeof orm<TContract>>;\n\nexport class SupabaseConfigError extends Error {\n override readonly name = 'SupabaseConfigError';\n constructor(message: string) {\n super(message);\n }\n}\n\nexport class InvalidJwtError extends Error {\n override readonly name = 'InvalidJwtError';\n readonly reason: string;\n constructor(reason: string) {\n super(`Invalid JWT: ${reason}`);\n this.reason = reason;\n }\n}\n\ntype KeyMaterial =\n | { readonly kind: 'secret'; readonly key: Uint8Array }\n | { readonly kind: 'jwks'; readonly keyset: ReturnType<typeof createRemoteJWKSet> };\n\nexport interface RoleBoundDb<TContract extends Contract<SqlStorage>> {\n readonly sql: Db<TContract>;\n readonly orm: OrmClient<TContract>;\n readonly raw: RawSqlTag;\n execute<Row>(\n plan: (SqlExecutionPlan<Row> | SqlQueryPlan<Row>) & { readonly _row?: Row },\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row>;\n transaction<R>(fn: (tx: TransactionContext) => PromiseLike<R>): Promise<R>;\n}\n\n/**\n * Query surface for the Supabase-internal contract (`auth`, `storage`). Exposed\n * as a separate secondary root — never merged into the app contract — and only\n * reachable through `service_role`, the one role with grants on those schemas\n * over a direct Postgres connection.\n *\n * Deliberately omits `transaction` (which {@link RoleBoundDb} has): the primary\n * app root and this secondary root are served by separate runtimes that do not\n * share one pinned connection, so a transaction spanning both is out of scope for v1.\n */\nexport interface SupabaseInternalDb {\n readonly sql: Db<SupabaseExtensionContract>;\n readonly orm: OrmClient<SupabaseExtensionContract>;\n readonly nativeEnums: NamespacedNativeEnums<SupabaseExtensionContract>;\n execute<Row>(\n plan: (SqlExecutionPlan<Row> | SqlQueryPlan<Row>) & { readonly _row?: Row },\n options?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row>;\n}\n\n/**\n * The `service_role` db: the app-contract role-bound surface (its `.sql` / `.orm`\n * are app-only, exactly like `asUser` / `asAnon`), plus a `.supabase` secondary\n * root for the Supabase-internal namespaces.\n */\nexport type ServiceRoleDb<TContract extends Contract<SqlStorage>> = RoleBoundDb<TContract> & {\n readonly supabase: SupabaseInternalDb;\n};\n\nexport interface SupabaseDb<TContract extends Contract<SqlStorage>> {\n readonly context: ExecutionContext<TContract>;\n readonly stack: SqlExecutionStackWithDriver<SupabaseTargetId>;\n asUser(jwt: string): Promise<RoleBoundDb<TContract>>;\n asAnon(): RoleBoundDb<TContract>;\n asServiceRole(): ServiceRoleDb<TContract>;\n close(): Promise<void>;\n [Symbol.asyncDispose](): Promise<void>;\n}\n\nexport interface SupabaseOptionsBase {\n readonly extensions?: readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[];\n readonly middleware?: readonly SqlMiddleware[];\n readonly verifyMarker?: VerifyMarkerOption;\n readonly poolOptions?: {\n readonly connectionTimeoutMillis?: number;\n readonly idleTimeoutMillis?: number;\n };\n}\n\nexport interface SupabaseBindingOptions {\n readonly url?: string;\n readonly pg?: Pool | Client;\n}\n\ntype JwtSecretOption = {\n readonly jwtSecret: string;\n readonly jwksUrl?: never;\n};\n\ntype JwksUrlOption = {\n readonly jwksUrl: string;\n readonly jwtSecret?: never;\n};\n\nexport type SupabaseOptionsWithContract<TContract extends Contract<SqlStorage>> =\n SupabaseBindingOptions &\n SupabaseOptionsBase &\n (JwtSecretOption | JwksUrlOption) & {\n readonly contract: TContract;\n readonly contractJson?: never;\n };\n\nexport type SupabaseOptionsWithContractJson<TContract extends Contract<SqlStorage>> =\n SupabaseBindingOptions &\n SupabaseOptionsBase &\n (JwtSecretOption | JwksUrlOption) & {\n readonly contractJson: unknown;\n readonly contract?: never;\n readonly _contract?: TContract;\n };\n\nexport type SupabaseOptions<TContract extends Contract<SqlStorage>> =\n | SupabaseOptionsWithContract<TContract>\n | SupabaseOptionsWithContractJson<TContract>;\n\nfunction hasContractJson<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): options is SupabaseOptionsWithContractJson<TContract> {\n return 'contractJson' in options;\n}\n\nconst contractSerializer = new PostgresContractSerializer();\n\nfunction resolveContract<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): TContract {\n const contractJson = hasContractJson(options)\n ? options.contractJson\n : contractSerializer.serializeContract(options.contract);\n return blindCast<\n TContract,\n 'contractSerializer.deserializeContract returns a validated TContract'\n >(contractSerializer.deserializeContract(contractJson));\n}\n\nfunction resolveKeyMaterial<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): KeyMaterial {\n const jwtSecret = 'jwtSecret' in options ? options.jwtSecret : undefined;\n const jwksUrl = 'jwksUrl' in options ? options.jwksUrl : undefined;\n\n if (jwtSecret !== undefined && jwksUrl !== undefined) {\n throw new SupabaseConfigError('Provide either jwtSecret or jwksUrl, not both');\n }\n if (jwtSecret === undefined && jwksUrl === undefined) {\n throw new SupabaseConfigError('Either jwtSecret or jwksUrl is required');\n }\n\n if (jwtSecret !== undefined) {\n return { kind: 'secret', key: new TextEncoder().encode(jwtSecret) };\n }\n\n if (jwksUrl !== undefined) {\n return { kind: 'jwks', keyset: createRemoteJWKSet(new URL(jwksUrl)) };\n }\n\n throw new SupabaseConfigError('Either jwtSecret or jwksUrl is required');\n}\n\nfunction toPool<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): { pool: Pool; owned: boolean } | undefined {\n if (options.pg instanceof Pool) {\n return { pool: options.pg, owned: false };\n }\n if (typeof options.url === 'string') {\n return {\n pool: new Pool({\n connectionString: options.url,\n connectionTimeoutMillis: options.poolOptions?.connectionTimeoutMillis ?? 20_000,\n idleTimeoutMillis: options.poolOptions?.idleTimeoutMillis ?? 30_000,\n }),\n owned: true,\n };\n }\n return undefined;\n}\n\nfunction withSupabaseDescriptor(\n extensions: readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[] | undefined,\n): readonly SqlRuntimeExtensionDescriptor<SupabaseTargetId>[] {\n const packs = extensions ?? [];\n return packs.some((pack) => pack.id === supabaseRuntimeDescriptor.id)\n ? packs\n : [...packs, supabaseRuntimeDescriptor];\n}\n\n/**\n * Deserializes the Supabase extension's own emitted contract into a runtime\n * contract: namespaces hydrate into `PostgresSchema` instances (with\n * `qualifyTable`), and `typeRef` columns (`Timestamptz`, `Uuid`) resolve\n * through the codec registry. Exposed only via `service_role`'s `.supabase`\n * secondary root — never merged into the app contract.\n */\nfunction buildExtensionContract(): SupabaseExtensionContract {\n return blindCast<\n SupabaseExtensionContract,\n 'deserializeContract hydrates JSON namespaces into PostgresSchema instances with qualifyTable'\n >(contractSerializer.deserializeContract(extensionContractJson));\n}\n\nexport default async function supabase<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptionsWithContract<TContract>,\n): Promise<SupabaseDb<TContract>>;\nexport default async function supabase<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptionsWithContractJson<TContract>,\n): Promise<SupabaseDb<TContract>>;\nexport default async function supabase<TContract extends Contract<SqlStorage>>(\n options: SupabaseOptions<TContract>,\n): Promise<SupabaseDb<TContract>> {\n const keyMaterial = resolveKeyMaterial(options);\n const contract = resolveContract(options);\n\n const stack = createSqlExecutionStack({\n target: postgresTarget,\n adapter: postgresAdapter,\n driver: postgresDriver,\n extensionPacks: withSupabaseDescriptor(options.extensions),\n });\n\n const context = createExecutionContext({ contract, stack });\n const rawCodecInferer = stack.adapter.rawCodecInferer;\n const rawSqlTag: RawSqlTag = createRawSql(rawCodecInferer);\n\n const poolEntry = toPool(options);\n let closed = false;\n\n const stackInstance = instantiateExecutionStack(stack);\n const driverDescriptor = stack.driver;\n if (!driverDescriptor) {\n throw new Error('Driver descriptor missing from execution stack');\n }\n const driver = driverDescriptor.create({ cursor: { disabled: true } });\n\n if (poolEntry) {\n await driver.connect({ kind: 'pgPool', pool: poolEntry.pool });\n }\n\n const runtime: SupabaseRuntime & SupabaseRuntimeImpl<TContract> = new SupabaseRuntimeImpl({\n context,\n adapter: stackInstance.adapter,\n driver,\n ...ifDefined('verifyMarker', options.verifyMarker),\n ...ifDefined('middleware', options.middleware),\n });\n\n async function verifyJwt(jwt: string): Promise<JWTVerifyResult> {\n try {\n if (keyMaterial.kind === 'secret') {\n return await jwtVerify(jwt, keyMaterial.key);\n }\n return await jwtVerify(jwt, keyMaterial.keyset);\n } catch (err) {\n const reason = err instanceof Error ? err.message : String(err);\n throw new InvalidJwtError(reason);\n }\n }\n\n function buildRoleBoundDbWithContext<C extends Contract<SqlStorage>>(\n binding: SupabaseRoleBinding,\n roleContext: ExecutionContext<C>,\n roleRuntime: SupabaseRuntime & SupabaseRuntimeImpl<C>,\n ): RoleBoundDb<C> {\n const roleSql: Db<C> = sql<C>({ context: roleContext, rawCodecInferer });\n const roleOrm: OrmClient<C> = orm({\n runtime: {\n execute(plan) {\n return roleRuntime.executeWithRole(plan, binding);\n },\n connection: () => roleRuntime.openRoleSession(binding),\n },\n context: roleContext,\n });\n\n return {\n sql: roleSql,\n orm: roleOrm,\n raw: rawSqlTag,\n execute<Row>(\n plan: (SqlExecutionPlan<Row> | SqlQueryPlan<Row>) & { readonly _row?: Row },\n execOptions?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return roleRuntime.executeWithRole<Row>(plan, binding, execOptions);\n },\n transaction<R>(fn: (tx: TransactionContext) => PromiseLike<R>): Promise<R> {\n return withTransaction({ connection: () => roleRuntime.openRoleSession(binding) }, fn);\n },\n };\n }\n\n function buildRoleBoundDb(binding: SupabaseRoleBinding): RoleBoundDb<TContract> {\n return buildRoleBoundDbWithContext(binding, context, runtime);\n }\n\n const serviceRoleBinding: SupabaseRoleBinding = { role: 'service_role', claims: {} };\n\n // The Supabase-internal contract (auth/storage) as a separate secondary root.\n // It is contract-bound: a plan built against it carries the extension's\n // storageHash, so it must run on a runtime bound to the extension contract —\n // the app runtime would reject it (PLAN.HASH_MISMATCH). This runtime shares\n // the same driver (one pool, no second connection) and disables marker\n // verification: the extension contract is external and owns no app-space\n // marker, so its hashes must not be checked against the DB marker.\n const extContract = buildExtensionContract();\n const extContext = createExecutionContext({ contract: extContract, stack });\n const extRuntime: SupabaseRuntime & SupabaseRuntimeImpl<SupabaseExtensionContract> =\n new SupabaseRuntimeImpl({\n context: extContext,\n adapter: stackInstance.adapter,\n driver,\n verifyMarker: false,\n ...ifDefined('middleware', options.middleware),\n });\n\n const extNativeEnums = blindCast<\n NamespacedNativeEnums<SupabaseExtensionContract>,\n 'buildNamespacedNativeEnums returns the namespace-keyed accessor map this contract types'\n >(Object.freeze(buildNamespacedNativeEnums(extContract.storage)));\n\n const supabaseInternal: SupabaseInternalDb = {\n sql: sql<SupabaseExtensionContract>({ context: extContext, rawCodecInferer }),\n orm: orm({\n runtime: {\n execute(plan) {\n return extRuntime.executeWithRole(plan, serviceRoleBinding);\n },\n connection: () => extRuntime.openRoleSession(serviceRoleBinding),\n },\n context: extContext,\n }),\n nativeEnums: extNativeEnums,\n execute<Row>(\n plan: (SqlExecutionPlan<Row> | SqlQueryPlan<Row>) & { readonly _row?: Row },\n execOptions?: RuntimeExecuteOptions,\n ): AsyncIterableResult<Row> {\n return extRuntime.executeWithRole<Row>(plan, serviceRoleBinding, execOptions);\n },\n };\n\n async function closeDb(): Promise<void> {\n if (closed) return;\n closed = true;\n await runtime.close();\n if (poolEntry?.owned) {\n await poolEntry.pool.end().catch(() => undefined);\n }\n }\n\n return {\n context,\n stack,\n\n async asUser(jwt: string): Promise<RoleBoundDb<TContract>> {\n const { payload } = await verifyJwt(jwt);\n const rawRole = payload['role'];\n const roleStr = typeof rawRole === 'string' ? rawRole : 'authenticated';\n const role: SupabaseRoleBinding['role'] =\n roleStr === 'anon' || roleStr === 'authenticated' || roleStr === 'service_role'\n ? roleStr\n : 'authenticated';\n const binding: SupabaseRoleBinding = { role, claims: payload };\n return buildRoleBoundDb(binding);\n },\n\n asAnon(): RoleBoundDb<TContract> {\n return buildRoleBoundDb({ role: 'anon', claims: {} });\n },\n\n asServiceRole(): ServiceRoleDb<TContract> {\n const roleBound = buildRoleBoundDbWithContext(serviceRoleBinding, context, runtime);\n return { ...roleBound, supabase: supabaseInternal };\n },\n\n close: closeDb,\n [Symbol.asyncDispose]: closeDb,\n };\n}\n","import { supabaseRuntimeDescriptor } from '../runtime/descriptor';\n\nexport default supabaseRuntimeDescriptor;\n\nexport type { SupabaseExtensionContract } from '../runtime/ext-contract-type';\nexport type {\n RoleBoundDb,\n ServiceRoleDb,\n SupabaseDb,\n SupabaseInternalDb,\n SupabaseOptions,\n SupabaseOptionsWithContract,\n SupabaseOptionsWithContractJson,\n SupabaseTargetId,\n} from '../runtime/supabase';\nexport { default as supabase, InvalidJwtError, SupabaseConfigError } from '../runtime/supabase';\nexport type {\n RoleSession,\n SupabaseRoleBinding,\n SupabaseRuntime,\n} from '../runtime/supabase-runtime';\nexport { SupabaseRuntimeImpl } from '../runtime/supabase-runtime';\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAYA,MAAa,4BAAuE;CAClF,MAAM;CACN,IAAI;CACKA;CACT,UAAU;CACV,UAAU;CACV,cAAc,CAAC;CACf,SAAS;EACP,OAAO;GACL,UAAU;GACV,UAAU;EACZ;CACF;AACF;;;ACGA,IAAa,sBAAb,cAEU,oBAA+B;;;;;;CAMvC,MAAM,gBAAgB,SAAoD;EACxE,MAAM,OAAO,MAAM,KAAK,qBAAqB;EAE7C,IAAI;GACF,MAAM,KAAK,MAAM,oCAAoC,CAAC,QAAQ,QAAQ,IAAI,CAAC;GAC3E,MAAM,KAAK,MAAM,oCAAoC,CACnD,sBACA,KAAK,UAAU,QAAQ,UAAU,CAAC,CAAC,CACrC,CAAC;EACH,SAAS,KAAK;GACZ,MAAM,KAAK,QAAQ,GAAG,CAAC,CAAC,YAAY,KAAA,CAAS;GAC7C,MAAM;EACR;EAEA,MAAM,OAAO;EAsFb,OAAO;GAnFL,QACE,MACA,SAC0B;IAC1B,OAAO,KAAK,wBAA6B,MAAM,MAAM;KAAE,GAAG;KAAS,OAAO;IAAa,CAAC;GAC1F;GAEA,gBACE,IACA,QACA,SAC0B;IAC1B,OAAO,KAAK,gCACV,UAGE,EAAE,GACJ,UAGE,MAAM,GACR,MACA;KAAE,GAAG;KAAS,OAAO;IAAa,CACpC;GACF;GAEA,MAAM,cAA2C;IAC/C,MAAM,KAAK,MAAM,KAAK,iBAAiB;IACvC,OAAO;KACL,MAAM,SAAwB;MAC5B,MAAM,GAAG,OAAO;KAClB;KACA,MAAM,WAA0B;MAC9B,MAAM,GAAG,SAAS;KACpB;KACA,QACE,MACA,SAC0B;MAC1B,OAAO,KAAK,wBAA6B,MAAM,IAAI;OACjD,GAAG;OACH,OAAO;MACT,CAAC;KACH;KACA,gBACE,IACA,QACA,SAC0B;MAC1B,OAAO,KAAK,gCACV,UAGE,EAAE,GACJ,UAGE,MAAM,GACR,IACA;OAAE,GAAG;OAAS,OAAO;MAAc,CACrC;KACF;IACF;GACF;;;;;GAMA,MAAM,UAAyB;IAC7B,IAAI;KACF,MAAM,KAAK,MAAM,WAAW;KAC5B,MAAM,KAAK,QAAQ;IACrB,SAAS,YAAY;KACnB,MAAM,KAAK,QAAQ,UAAU,CAAC,CAAC,YAAY,KAAA,CAAS;IACtD;GACF;GAEA,MAAM,QAAQ,QAAiC;IAC7C,MAAM,KAAK,QAAQ,MAAM;GAC3B;EAGW;CACf;;;;;CAMA,gBACE,MACA,SACA,SAC0B;EAC1B,MAAM,OAAO;EAEb,MAAM,YAAY,mBAAuD;GACvE,MAAM,UAAU,MAAM,KAAK,gBAAgB,OAAO;GAClD,IAAI,UAAU;GACd,IAAI;IACF,WAAW,MAAM,OAAO,QAAQ,QAAQ,MAAM,OAAO,GACnD,MAAM;GAEV,SAAS,KAAK;IACZ,UAAU;IACV,MAAM,QAAQ,QAAQ,GAAG,CAAC,CAAC,YAAY,KAAA,CAAS;IAChD,MAAM;GACR,UAAU;IACR,IAAI,CAAC,SACH,MAAM,QAAQ,QAAQ;GAE1B;EACF;EAEA,OAAO,IAAI,oBAAoB,UAAU,CAAC;CAC5C;AACF;;;AC1HA,IAAa,sBAAb,cAAyC,MAAM;CAC7C,OAAyB;CACzB,YAAY,SAAiB;EAC3B,MAAM,OAAO;CACf;AACF;AAEA,IAAa,kBAAb,cAAqC,MAAM;CACzC,OAAyB;CACzB;CACA,YAAY,QAAgB;EAC1B,MAAM,gBAAgB,QAAQ;EAC9B,KAAK,SAAS;CAChB;AACF;AAsGA,SAAS,gBACP,SACuD;CACvD,OAAO,kBAAkB;AAC3B;AAEA,MAAM,qBAAqB,IAAI,2BAA2B;AAE1D,SAAS,gBACP,SACW;CACX,MAAM,eAAe,gBAAgB,OAAO,IACxC,QAAQ,eACR,mBAAmB,kBAAkB,QAAQ,QAAQ;CACzD,OAAO,UAGL,mBAAmB,oBAAoB,YAAY,CAAC;AACxD;AAEA,SAAS,mBACP,SACa;CACb,MAAM,YAAY,eAAe,UAAU,QAAQ,YAAY,KAAA;CAC/D,MAAM,UAAU,aAAa,UAAU,QAAQ,UAAU,KAAA;CAEzD,IAAI,cAAc,KAAA,KAAa,YAAY,KAAA,GACzC,MAAM,IAAI,oBAAoB,+CAA+C;CAE/E,IAAI,cAAc,KAAA,KAAa,YAAY,KAAA,GACzC,MAAM,IAAI,oBAAoB,yCAAyC;CAGzE,IAAI,cAAc,KAAA,GAChB,OAAO;EAAE,MAAM;EAAU,KAAK,IAAI,YAAY,CAAC,CAAC,OAAO,SAAS;CAAE;CAGpE,IAAI,YAAY,KAAA,GACd,OAAO;EAAE,MAAM;EAAQ,QAAQ,mBAAmB,IAAI,IAAI,OAAO,CAAC;CAAE;CAGtE,MAAM,IAAI,oBAAoB,yCAAyC;AACzE;AAEA,SAAS,OACP,SAC4C;CAC5C,IAAI,QAAQ,cAAc,MACxB,OAAO;EAAE,MAAM,QAAQ;EAAI,OAAO;CAAM;CAE1C,IAAI,OAAO,QAAQ,QAAQ,UACzB,OAAO;EACL,MAAM,IAAI,KAAK;GACb,kBAAkB,QAAQ;GAC1B,yBAAyB,QAAQ,aAAa,2BAA2B;GACzE,mBAAmB,QAAQ,aAAa,qBAAqB;EAC/D,CAAC;EACD,OAAO;CACT;AAGJ;AAEA,SAAS,uBACP,YAC4D;CAC5D,MAAM,QAAQ,cAAc,CAAC;CAC7B,OAAO,MAAM,MAAM,SAAS,KAAK,OAAO,0BAA0B,EAAE,IAChE,QACA,CAAC,GAAG,OAAO,yBAAyB;AAC1C;;;;;;;;AASA,SAAS,yBAAoD;CAC3D,OAAO,UAGL,mBAAmB,oBAAoBC,gBAAqB,CAAC;AACjE;AAQA,eAA8B,SAC5B,SACgC;CAChC,MAAM,cAAc,mBAAmB,OAAO;CAC9C,MAAM,WAAW,gBAAgB,OAAO;CAExC,MAAM,QAAQ,wBAAwB;EACpC,QAAQ;EACR,SAAS;EACT,QAAQ;EACR,gBAAgB,uBAAuB,QAAQ,UAAU;CAC3D,CAAC;CAED,MAAM,UAAU,uBAAuB;EAAE;EAAU;CAAM,CAAC;CAC1D,MAAM,kBAAkB,MAAM,QAAQ;CACtC,MAAM,YAAuB,aAAa,eAAe;CAEzD,MAAM,YAAY,OAAO,OAAO;CAChC,IAAI,SAAS;CAEb,MAAM,gBAAgB,0BAA0B,KAAK;CACrD,MAAM,mBAAmB,MAAM;CAC/B,IAAI,CAAC,kBACH,MAAM,IAAI,MAAM,gDAAgD;CAElE,MAAM,SAAS,iBAAiB,OAAO,EAAE,QAAQ,EAAE,UAAU,KAAK,EAAE,CAAC;CAErE,IAAI,WACF,MAAM,OAAO,QAAQ;EAAE,MAAM;EAAU,MAAM,UAAU;CAAK,CAAC;CAG/D,MAAM,UAA4D,IAAI,oBAAoB;EACxF;EACA,SAAS,cAAc;EACvB;EACA,GAAG,UAAU,gBAAgB,QAAQ,YAAY;EACjD,GAAG,UAAU,cAAc,QAAQ,UAAU;CAC/C,CAAC;CAED,eAAe,UAAU,KAAuC;EAC9D,IAAI;GACF,IAAI,YAAY,SAAS,UACvB,OAAO,MAAM,UAAU,KAAK,YAAY,GAAG;GAE7C,OAAO,MAAM,UAAU,KAAK,YAAY,MAAM;EAChD,SAAS,KAAK;GAEZ,MAAM,IAAI,gBADK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAC9B;EAClC;CACF;CAEA,SAAS,4BACP,SACA,aACA,aACgB;EAYhB,OAAO;GACL,KAZqB,IAAO;IAAE,SAAS;IAAa;GAAgB,CAYzD;GACX,KAZ4B,IAAI;IAChC,SAAS;KACP,QAAQ,MAAM;MACZ,OAAO,YAAY,gBAAgB,MAAM,OAAO;KAClD;KACA,kBAAkB,YAAY,gBAAgB,OAAO;IACvD;IACA,SAAS;GACX,CAIa;GACX,KAAK;GACL,QACE,MACA,aAC0B;IAC1B,OAAO,YAAY,gBAAqB,MAAM,SAAS,WAAW;GACpE;GACA,YAAe,IAA4D;IACzE,OAAO,gBAAgB,EAAE,kBAAkB,YAAY,gBAAgB,OAAO,EAAE,GAAG,EAAE;GACvF;EACF;CACF;CAEA,SAAS,iBAAiB,SAAsD;EAC9E,OAAO,4BAA4B,SAAS,SAAS,OAAO;CAC9D;CAEA,MAAM,qBAA0C;EAAE,MAAM;EAAgB,QAAQ,CAAC;CAAE;CASnF,MAAM,cAAc,uBAAuB;CAC3C,MAAM,aAAa,uBAAuB;EAAE,UAAU;EAAa;CAAM,CAAC;CAC1E,MAAM,aACJ,IAAI,oBAAoB;EACtB,SAAS;EACT,SAAS,cAAc;EACvB;EACA,cAAc;EACd,GAAG,UAAU,cAAc,QAAQ,UAAU;CAC/C,CAAC;CAEH,MAAM,iBAAiB,UAGrB,OAAO,OAAO,2BAA2B,YAAY,OAAO,CAAC,CAAC;CAEhE,MAAM,mBAAuC;EAC3C,KAAK,IAA+B;GAAE,SAAS;GAAY;EAAgB,CAAC;EAC5E,KAAK,IAAI;GACP,SAAS;IACP,QAAQ,MAAM;KACZ,OAAO,WAAW,gBAAgB,MAAM,kBAAkB;IAC5D;IACA,kBAAkB,WAAW,gBAAgB,kBAAkB;GACjE;GACA,SAAS;EACX,CAAC;EACD,aAAa;EACb,QACE,MACA,aAC0B;GAC1B,OAAO,WAAW,gBAAqB,MAAM,oBAAoB,WAAW;EAC9E;CACF;CAEA,eAAe,UAAyB;EACtC,IAAI,QAAQ;EACZ,SAAS;EACT,MAAM,QAAQ,MAAM;EACpB,IAAI,WAAW,OACb,MAAM,UAAU,KAAK,IAAI,CAAC,CAAC,YAAY,KAAA,CAAS;CAEpD;CAEA,OAAO;EACL;EACA;EAEA,MAAM,OAAO,KAA8C;GACzD,MAAM,EAAE,YAAY,MAAM,UAAU,GAAG;GACvC,MAAM,UAAU,QAAQ;GACxB,MAAM,UAAU,OAAO,YAAY,WAAW,UAAU;GAMxD,OAAO,iBAAiB;IADe,MAHrC,YAAY,UAAU,YAAY,mBAAmB,YAAY,iBAC7D,UACA;IACuC,QAAQ;GACvB,CAAC;EACjC;EAEA,SAAiC;GAC/B,OAAO,iBAAiB;IAAE,MAAM;IAAQ,QAAQ,CAAC;GAAE,CAAC;EACtD;EAEA,gBAA0C;GAExC,OAAO;IAAE,GADS,4BAA4B,oBAAoB,SAAS,OACvD;IAAG,UAAU;GAAiB;EACpD;EAEA,OAAO;GACN,OAAO,eAAe;CACzB;AACF;;;ACvaA,IAAA,kBAAe"}
@@ -6,11 +6,13 @@ import { Client } from "pg";
6
6
  * functions. The caller passes an already-connected `pg.Client` — this
7
7
  * function does not open or close connections.
8
8
  *
9
- * Creates two schemas (`auth`, `storage`) and four tables whose columns
10
- * exactly match the `@prisma-next/extension-supabase` contract:
9
+ * Creates two schemas (`auth`, `storage`), the `auth.aal_level` native enum
10
+ * type, and five tables whose columns exactly match the
11
+ * `@prisma-next/extension-supabase` contract:
11
12
  *
12
13
  * - `auth.users` — id uuid PK, email text, created_at timestamptz, updated_at timestamptz
13
14
  * - `auth.identities` — id uuid PK, user_id uuid, provider text, created_at timestamptz, updated_at timestamptz
15
+ * - `auth.sessions` — id uuid PK, user_id uuid, aal auth.aal_level, created_at timestamptz
14
16
  * - `storage.buckets` — id text PK, name text, created_at timestamptz, updated_at timestamptz
15
17
  * - `storage.objects` — id uuid PK, bucket_id text, name text, created_at timestamptz, updated_at timestamptz
16
18
  *
@@ -1 +1 @@
1
- {"version":3,"file":"utils.d.mts","names":[],"sources":["../../test/supabase-bootstrap.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;iBAiDsB,qBAAA,CAAsB,MAAA,EAAQ,MAAA,GAAS,OAAO"}
1
+ {"version":3,"file":"utils.d.mts","names":[],"sources":["../../test/supabase-bootstrap.ts"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;iBAmDsB,qBAAA,CAAsB,MAAA,EAAQ,MAAA,GAAS,OAAO"}
@@ -4,11 +4,13 @@
4
4
  * functions. The caller passes an already-connected `pg.Client` — this
5
5
  * function does not open or close connections.
6
6
  *
7
- * Creates two schemas (`auth`, `storage`) and four tables whose columns
8
- * exactly match the `@prisma-next/extension-supabase` contract:
7
+ * Creates two schemas (`auth`, `storage`), the `auth.aal_level` native enum
8
+ * type, and five tables whose columns exactly match the
9
+ * `@prisma-next/extension-supabase` contract:
9
10
  *
10
11
  * - `auth.users` — id uuid PK, email text, created_at timestamptz, updated_at timestamptz
11
12
  * - `auth.identities` — id uuid PK, user_id uuid, provider text, created_at timestamptz, updated_at timestamptz
13
+ * - `auth.sessions` — id uuid PK, user_id uuid, aal auth.aal_level, created_at timestamptz
12
14
  * - `storage.buckets` — id text PK, name text, created_at timestamptz, updated_at timestamptz
13
15
  * - `storage.objects` — id uuid PK, bucket_id text, name text, created_at timestamptz, updated_at timestamptz
14
16
  *
@@ -41,6 +43,19 @@ async function bootstrapSupabaseShim(client) {
41
43
  AS $$
42
44
  SELECT (current_setting('request.jwt.claims', true)::jsonb ->> 'sub')::uuid
43
45
  $$
46
+ `);
47
+ await client.query(`
48
+ DO $$
49
+ BEGIN
50
+ IF NOT EXISTS (
51
+ SELECT 1 FROM pg_type t
52
+ JOIN pg_namespace n ON n.oid = t.typnamespace
53
+ WHERE t.typname = 'aal_level' AND n.nspname = 'auth'
54
+ ) THEN
55
+ CREATE TYPE auth.aal_level AS ENUM ('aal1', 'aal2', 'aal3');
56
+ END IF;
57
+ END
58
+ $$
44
59
  `);
45
60
  await client.query(`
46
61
  CREATE TABLE IF NOT EXISTS auth.users (
@@ -60,6 +75,15 @@ async function bootstrapSupabaseShim(client) {
60
75
  updated_at timestamptz NOT NULL,
61
76
  PRIMARY KEY (id)
62
77
  )
78
+ `);
79
+ await client.query(`
80
+ CREATE TABLE IF NOT EXISTS auth.sessions (
81
+ id uuid NOT NULL,
82
+ user_id uuid NOT NULL,
83
+ aal auth.aal_level,
84
+ created_at timestamptz NOT NULL DEFAULT now(),
85
+ PRIMARY KEY (id)
86
+ )
63
87
  `);
64
88
  await client.query(`
65
89
  CREATE TABLE IF NOT EXISTS storage.buckets (
@@ -1 +1 @@
1
- {"version":3,"file":"utils.mjs","names":[],"sources":["../../test/supabase-bootstrap.ts"],"sourcesContent":["/**\n * Shared Supabase test fixture — seeds the external schemas, tables, roles, and functions.\n *\n * Seeds a Postgres/PGlite database with the external Supabase schemas and\n * tables that the framework verifier expects when a composed contract declares\n * `auth.*` and `storage.*` tables as `external`. Without these tables present,\n * `db init`/`db update` will fail at the verify step because the framework\n * confirms declared `external` tables exist.\n *\n * Also creates the three Postgres roles (`anon`, `authenticated`, `service_role`)\n * with grants that mirror a real Supabase database. `ALTER DEFAULT PRIVILEGES`\n * ensures tables created after the shim runs (e.g. `public.profile` via `dbInit`)\n * are automatically accessible to the roles.\n *\n * The caller owns the client lifecycle — pass any already-connected `pg.Client`\n * (e.g. one the test is sharing across setup steps, or one bound to a\n * transaction for isolation). Convenience wrapper for tests that don't already\n * have one:\n *\n * @example\n * ```ts\n * import { withClient } from '@prisma-next/test-utils';\n * import { bootstrapSupabaseShim } from '@prisma-next/extension-supabase/test/utils';\n *\n * await withClient(connectionString, async (client) => {\n * await bootstrapSupabaseShim(client);\n * });\n * ```\n */\nimport type { Client } from 'pg';\n\n/**\n * Seeds the database with the external Supabase schemas, tables, roles, and\n * functions. The caller passes an already-connected `pg.Client` — this\n * function does not open or close connections.\n *\n * Creates two schemas (`auth`, `storage`) and four tables whose columns\n * exactly match the `@prisma-next/extension-supabase` contract:\n *\n * - `auth.users` — id uuid PK, email text, created_at timestamptz, updated_at timestamptz\n * - `auth.identities` — id uuid PK, user_id uuid, provider text, created_at timestamptz, updated_at timestamptz\n * - `storage.buckets` — id text PK, name text, created_at timestamptz, updated_at timestamptz\n * - `storage.objects` — id uuid PK, bucket_id text, name text, created_at timestamptz, updated_at timestamptz\n *\n * Also creates the three Supabase platform roles (`anon`, `authenticated`,\n * `service_role`) and the `auth.uid()` function that reads the current user's\n * id from the `request.jwt.claims` GUC, matching Supabase's implementation.\n * `ALTER DEFAULT PRIVILEGES` covers tables created after the shim runs (e.g. via `dbInit`).\n */\nexport async function bootstrapSupabaseShim(client: Client): Promise<void> {\n await client.query('CREATE SCHEMA IF NOT EXISTS auth');\n await client.query('CREATE SCHEMA IF NOT EXISTS storage');\n\n // Supabase platform roles — created idempotently; real Supabase provides\n // these as platform infrastructure; the shim emulates them for test DBs.\n await client.query(`\n DO $$\n BEGIN\n IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'anon') THEN\n CREATE ROLE anon NOLOGIN;\n END IF;\n IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated') THEN\n CREATE ROLE authenticated NOLOGIN;\n END IF;\n IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'service_role') THEN\n CREATE ROLE service_role NOLOGIN BYPASSRLS;\n END IF;\n END\n $$\n `);\n\n // auth.uid() — returns the current request's user id from the settable GUC\n // request.jwt.claims, matching Supabase's implementation. Returns NULL when\n // the GUC is unset (missing_ok = true).\n await client.query(`\n CREATE OR REPLACE FUNCTION auth.uid() RETURNS uuid\n LANGUAGE sql STABLE\n AS $$\n SELECT (current_setting('request.jwt.claims', true)::jsonb ->> 'sub')::uuid\n $$\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS auth.users (\n id uuid NOT NULL,\n email text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS auth.identities (\n id uuid NOT NULL,\n user_id uuid NOT NULL,\n provider text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS storage.buckets (\n id text NOT NULL,\n name text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS storage.objects (\n id uuid NOT NULL,\n bucket_id text NOT NULL,\n name text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n // Grants mirror a real Supabase database.\n await client.query('GRANT USAGE ON SCHEMA public TO anon, authenticated, service_role');\n await client.query('GRANT USAGE ON SCHEMA auth, storage TO anon, authenticated, service_role');\n await client.query('GRANT ALL ON ALL TABLES IN SCHEMA auth TO service_role');\n await client.query('GRANT ALL ON ALL TABLES IN SCHEMA storage TO service_role');\n await client.query('GRANT SELECT ON ALL TABLES IN SCHEMA auth TO anon, authenticated');\n await client.query('GRANT SELECT ON ALL TABLES IN SCHEMA storage TO anon, authenticated');\n\n // Default privileges cover tables created after this shim runs (e.g. public.profile via dbInit).\n await client.query(\n 'ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO service_role',\n );\n await client.query(\n 'ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, UPDATE ON TABLES TO authenticated',\n );\n await client.query('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO anon');\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAiDA,eAAsB,sBAAsB,QAA+B;CACzE,MAAM,OAAO,MAAM,kCAAkC;CACrD,MAAM,OAAO,MAAM,qCAAqC;CAIxD,MAAM,OAAO,MAAM;;;;;;;;;;;;;;GAclB;CAKD,MAAM,OAAO,MAAM;;;;;;GAMlB;CAED,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;CAED,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;CAGD,MAAM,OAAO,MAAM,mEAAmE;CACtF,MAAM,OAAO,MAAM,0EAA0E;CAC7F,MAAM,OAAO,MAAM,wDAAwD;CAC3E,MAAM,OAAO,MAAM,2DAA2D;CAC9E,MAAM,OAAO,MAAM,kEAAkE;CACrF,MAAM,OAAO,MAAM,qEAAqE;CAGxF,MAAM,OAAO,MACX,+EACF;CACA,MAAM,OAAO,MACX,2FACF;CACA,MAAM,OAAO,MAAM,0EAA0E;AAC/F"}
1
+ {"version":3,"file":"utils.mjs","names":[],"sources":["../../test/supabase-bootstrap.ts"],"sourcesContent":["/**\n * Shared Supabase test fixture — seeds the external schemas, tables, roles, and functions.\n *\n * Seeds a Postgres/PGlite database with the external Supabase schemas and\n * tables that the framework verifier expects when a composed contract declares\n * `auth.*` and `storage.*` tables as `external`. Without these tables present,\n * `db init`/`db update` will fail at the verify step because the framework\n * confirms declared `external` tables exist.\n *\n * Also creates the three Postgres roles (`anon`, `authenticated`, `service_role`)\n * with grants that mirror a real Supabase database. `ALTER DEFAULT PRIVILEGES`\n * ensures tables created after the shim runs (e.g. `public.profile` via `dbInit`)\n * are automatically accessible to the roles.\n *\n * The caller owns the client lifecycle — pass any already-connected `pg.Client`\n * (e.g. one the test is sharing across setup steps, or one bound to a\n * transaction for isolation). Convenience wrapper for tests that don't already\n * have one:\n *\n * @example\n * ```ts\n * import { withClient } from '@prisma-next/test-utils';\n * import { bootstrapSupabaseShim } from '@prisma-next/extension-supabase/test/utils';\n *\n * await withClient(connectionString, async (client) => {\n * await bootstrapSupabaseShim(client);\n * });\n * ```\n */\nimport type { Client } from 'pg';\n\n/**\n * Seeds the database with the external Supabase schemas, tables, roles, and\n * functions. The caller passes an already-connected `pg.Client` — this\n * function does not open or close connections.\n *\n * Creates two schemas (`auth`, `storage`), the `auth.aal_level` native enum\n * type, and five tables whose columns exactly match the\n * `@prisma-next/extension-supabase` contract:\n *\n * - `auth.users` — id uuid PK, email text, created_at timestamptz, updated_at timestamptz\n * - `auth.identities` — id uuid PK, user_id uuid, provider text, created_at timestamptz, updated_at timestamptz\n * - `auth.sessions` — id uuid PK, user_id uuid, aal auth.aal_level, created_at timestamptz\n * - `storage.buckets` — id text PK, name text, created_at timestamptz, updated_at timestamptz\n * - `storage.objects` — id uuid PK, bucket_id text, name text, created_at timestamptz, updated_at timestamptz\n *\n * Also creates the three Supabase platform roles (`anon`, `authenticated`,\n * `service_role`) and the `auth.uid()` function that reads the current user's\n * id from the `request.jwt.claims` GUC, matching Supabase's implementation.\n * `ALTER DEFAULT PRIVILEGES` covers tables created after the shim runs (e.g. via `dbInit`).\n */\nexport async function bootstrapSupabaseShim(client: Client): Promise<void> {\n await client.query('CREATE SCHEMA IF NOT EXISTS auth');\n await client.query('CREATE SCHEMA IF NOT EXISTS storage');\n\n // Supabase platform roles — created idempotently; real Supabase provides\n // these as platform infrastructure; the shim emulates them for test DBs.\n await client.query(`\n DO $$\n BEGIN\n IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'anon') THEN\n CREATE ROLE anon NOLOGIN;\n END IF;\n IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated') THEN\n CREATE ROLE authenticated NOLOGIN;\n END IF;\n IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'service_role') THEN\n CREATE ROLE service_role NOLOGIN BYPASSRLS;\n END IF;\n END\n $$\n `);\n\n // auth.uid() — returns the current request's user id from the settable GUC\n // request.jwt.claims, matching Supabase's implementation. Returns NULL when\n // the GUC is unset (missing_ok = true).\n await client.query(`\n CREATE OR REPLACE FUNCTION auth.uid() RETURNS uuid\n LANGUAGE sql STABLE\n AS $$\n SELECT (current_setting('request.jwt.claims', true)::jsonb ->> 'sub')::uuid\n $$\n `);\n\n // auth.aal_level — a native Postgres enum type; Postgres has no `CREATE\n // TYPE IF NOT EXISTS`, so existence is checked via pg_type first, matching\n // the idempotency style used above for roles. Real Supabase ships this\n // type as platform infrastructure; the shim creates it for test DBs so the\n // externally-managed `native_enum` in the extension's contract has a type\n // to bind against (Prisma Next emits no DDL for it).\n await client.query(`\n DO $$\n BEGIN\n IF NOT EXISTS (\n SELECT 1 FROM pg_type t\n JOIN pg_namespace n ON n.oid = t.typnamespace\n WHERE t.typname = 'aal_level' AND n.nspname = 'auth'\n ) THEN\n CREATE TYPE auth.aal_level AS ENUM ('aal1', 'aal2', 'aal3');\n END IF;\n END\n $$\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS auth.users (\n id uuid NOT NULL,\n email text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS auth.identities (\n id uuid NOT NULL,\n user_id uuid NOT NULL,\n provider text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS auth.sessions (\n id uuid NOT NULL,\n user_id uuid NOT NULL,\n aal auth.aal_level,\n created_at timestamptz NOT NULL DEFAULT now(),\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS storage.buckets (\n id text NOT NULL,\n name text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n await client.query(`\n CREATE TABLE IF NOT EXISTS storage.objects (\n id uuid NOT NULL,\n bucket_id text NOT NULL,\n name text NOT NULL,\n created_at timestamptz NOT NULL,\n updated_at timestamptz NOT NULL,\n PRIMARY KEY (id)\n )\n `);\n\n // Grants mirror a real Supabase database.\n await client.query('GRANT USAGE ON SCHEMA public TO anon, authenticated, service_role');\n await client.query('GRANT USAGE ON SCHEMA auth, storage TO anon, authenticated, service_role');\n await client.query('GRANT ALL ON ALL TABLES IN SCHEMA auth TO service_role');\n await client.query('GRANT ALL ON ALL TABLES IN SCHEMA storage TO service_role');\n await client.query('GRANT SELECT ON ALL TABLES IN SCHEMA auth TO anon, authenticated');\n await client.query('GRANT SELECT ON ALL TABLES IN SCHEMA storage TO anon, authenticated');\n\n // Default privileges cover tables created after this shim runs (e.g. public.profile via dbInit).\n await client.query(\n 'ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO service_role',\n );\n await client.query(\n 'ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, UPDATE ON TABLES TO authenticated',\n );\n await client.query('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO anon');\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAmDA,eAAsB,sBAAsB,QAA+B;CACzE,MAAM,OAAO,MAAM,kCAAkC;CACrD,MAAM,OAAO,MAAM,qCAAqC;CAIxD,MAAM,OAAO,MAAM;;;;;;;;;;;;;;GAclB;CAKD,MAAM,OAAO,MAAM;;;;;;GAMlB;CAQD,MAAM,OAAO,MAAM;;;;;;;;;;;;GAYlB;CAED,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;CAED,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;GAQlB;CAED,MAAM,OAAO,MAAM;;;;;;;;;GASlB;CAGD,MAAM,OAAO,MAAM,mEAAmE;CACtF,MAAM,OAAO,MAAM,0EAA0E;CAC7F,MAAM,OAAO,MAAM,wDAAwD;CAC3E,MAAM,OAAO,MAAM,2DAA2D;CAC9E,MAAM,OAAO,MAAM,kEAAkE;CACrF,MAAM,OAAO,MAAM,qEAAqE;CAGxF,MAAM,OAAO,MACX,+EACF;CACA,MAAM,OAAO,MACX,2FACF;CACA,MAAM,OAAO,MAAM,0EAA0E;AAC/F"}
package/package.json CHANGED
@@ -1,47 +1,48 @@
1
1
  {
2
2
  "name": "@prisma-next/extension-supabase",
3
- "version": "0.14.0-dev.44",
3
+ "version": "0.14.0-dev.46",
4
4
  "license": "Apache-2.0",
5
5
  "type": "module",
6
6
  "sideEffects": false,
7
7
  "dependencies": {
8
- "@prisma-next/adapter-postgres": "0.14.0-dev.44",
9
- "@prisma-next/contract": "0.14.0-dev.44",
10
- "@prisma-next/driver-postgres": "0.14.0-dev.44",
11
- "@prisma-next/postgres": "0.14.0-dev.44",
12
- "@prisma-next/sql-builder": "0.14.0-dev.44",
13
- "@prisma-next/sql-orm-client": "0.14.0-dev.44",
14
- "@prisma-next/target-postgres": "0.14.0-dev.44",
8
+ "@prisma-next/adapter-postgres": "0.14.0-dev.46",
9
+ "@prisma-next/contract": "0.14.0-dev.46",
10
+ "@prisma-next/driver-postgres": "0.14.0-dev.46",
11
+ "@prisma-next/postgres": "0.14.0-dev.46",
12
+ "@prisma-next/sql-builder": "0.14.0-dev.46",
13
+ "@prisma-next/sql-orm-client": "0.14.0-dev.46",
14
+ "@prisma-next/target-postgres": "0.14.0-dev.46",
15
15
  "jose": "^6",
16
16
  "pg": "8.21.0",
17
- "@prisma-next/contract-authoring": "0.14.0-dev.44",
18
- "@prisma-next/family-sql": "0.14.0-dev.44",
19
- "@prisma-next/framework-components": "0.14.0-dev.44",
20
- "@prisma-next/migration-tools": "0.14.0-dev.44",
21
- "@prisma-next/sql-contract": "0.14.0-dev.44",
22
- "@prisma-next/sql-contract-ts": "0.14.0-dev.44",
23
- "@prisma-next/sql-operations": "0.14.0-dev.44",
24
- "@prisma-next/sql-relational-core": "0.14.0-dev.44",
25
- "@prisma-next/sql-runtime": "0.14.0-dev.44",
26
- "@prisma-next/sql-schema-ir": "0.14.0-dev.44",
27
- "@prisma-next/utils": "0.14.0-dev.44",
17
+ "@prisma-next/contract-authoring": "0.14.0-dev.46",
18
+ "@prisma-next/family-sql": "0.14.0-dev.46",
19
+ "@prisma-next/framework-components": "0.14.0-dev.46",
20
+ "@prisma-next/migration-tools": "0.14.0-dev.46",
21
+ "@prisma-next/sql-contract": "0.14.0-dev.46",
22
+ "@prisma-next/sql-contract-ts": "0.14.0-dev.46",
23
+ "@prisma-next/sql-operations": "0.14.0-dev.46",
24
+ "@prisma-next/sql-relational-core": "0.14.0-dev.46",
25
+ "@prisma-next/sql-runtime": "0.14.0-dev.46",
26
+ "@prisma-next/sql-schema-ir": "0.14.0-dev.46",
27
+ "@prisma-next/utils": "0.14.0-dev.46",
28
28
  "@standard-schema/spec": "^1.1.0",
29
29
  "arktype": "^2.2.0"
30
30
  },
31
31
  "devDependencies": {
32
- "@prisma-next/cli": "0.14.0-dev.44",
33
- "@prisma-next/operations": "0.14.0-dev.44",
34
- "@prisma-next/sql-contract-psl": "0.14.0-dev.44",
35
- "@prisma-next/test-utils": "0.14.0-dev.44",
36
- "@prisma-next/tsconfig": "0.14.0-dev.44",
37
- "@prisma-next/tsdown": "0.14.0-dev.44",
32
+ "@prisma-next/cli": "0.14.0-dev.46",
33
+ "@prisma-next/operations": "0.14.0-dev.46",
34
+ "@prisma-next/psl-printer": "0.14.0-dev.46",
35
+ "@prisma-next/sql-contract-psl": "0.14.0-dev.46",
36
+ "@prisma-next/test-utils": "0.14.0-dev.46",
37
+ "@prisma-next/tsconfig": "0.14.0-dev.46",
38
+ "@prisma-next/tsdown": "0.14.0-dev.46",
38
39
  "@types/pg": "8.20.0",
39
40
  "tsdown": "0.22.1",
40
41
  "typescript": "5.9.3",
41
42
  "vitest": "4.1.8"
42
43
  },
43
44
  "peerDependencies": {
44
- "@prisma-next/adapter-postgres": "0.14.0-dev.44",
45
+ "@prisma-next/adapter-postgres": "0.14.0-dev.46",
45
46
  "typescript": ">=5.9"
46
47
  },
47
48
  "peerDependenciesMeta": {
@@ -30,7 +30,7 @@ import type {
30
30
  } from '@prisma-next/contract/types';
31
31
 
32
32
  export type StorageHash =
33
- StorageHashBase<'sha256:61dac13aa56bcb5b7f1c5441c2bd8fc07d88f6c870c80b4c1640fd0d180fb423'>;
33
+ StorageHashBase<'sha256:31cf0e2bc6efafc1d3c6c55148f6665700205dba671b16a5d6d5f6db693d97f6'>;
34
34
  export type ExecutionHash = ExecutionHashBase<string>;
35
35
  export type ProfileHash =
36
36
  ProfileHashBase<'sha256:9c8aa3114e84ed3b7ea2bd57526d9c2e1bf7c5292be694e9d3801f566fda7ccb'>;
@@ -51,6 +51,12 @@ export type FieldOutputTypes = {
51
51
  readonly created_at: CodecTypes['pg/timestamptz@1']['output'];
52
52
  readonly updated_at: CodecTypes['pg/timestamptz@1']['output'];
53
53
  };
54
+ readonly AuthSession: {
55
+ readonly id: CodecTypes['pg/uuid@1']['output'];
56
+ readonly user_id: CodecTypes['pg/uuid@1']['output'];
57
+ readonly aal: 'aal1' | 'aal2' | 'aal3' | null;
58
+ readonly created_at: CodecTypes['pg/timestamptz@1']['output'];
59
+ };
54
60
  readonly AuthUser: {
55
61
  readonly id: CodecTypes['pg/uuid@1']['output'];
56
62
  readonly email: CodecTypes['pg/text@1']['output'];
@@ -83,6 +89,12 @@ export type FieldInputTypes = {
83
89
  readonly created_at: CodecTypes['pg/timestamptz@1']['input'];
84
90
  readonly updated_at: CodecTypes['pg/timestamptz@1']['input'];
85
91
  };
92
+ readonly AuthSession: {
93
+ readonly id: CodecTypes['pg/uuid@1']['input'];
94
+ readonly user_id: CodecTypes['pg/uuid@1']['input'];
95
+ readonly aal: 'aal1' | 'aal2' | 'aal3' | null;
96
+ readonly created_at: CodecTypes['pg/timestamptz@1']['input'];
97
+ };
86
98
  readonly AuthUser: {
87
99
  readonly id: CodecTypes['pg/uuid@1']['input'];
88
100
  readonly email: CodecTypes['pg/text@1']['input'];
@@ -115,6 +127,12 @@ export type StorageColumnTypes = {
115
127
  readonly updated_at: CodecTypes['pg/timestamptz@1']['output'];
116
128
  readonly user_id: CodecTypes['pg/uuid@1']['output'];
117
129
  };
130
+ readonly sessions: {
131
+ readonly aal: 'aal1' | 'aal2' | 'aal3' | null;
132
+ readonly created_at: CodecTypes['pg/timestamptz@1']['output'];
133
+ readonly id: CodecTypes['pg/uuid@1']['output'];
134
+ readonly user_id: CodecTypes['pg/uuid@1']['output'];
135
+ };
118
136
  readonly users: {
119
137
  readonly created_at: CodecTypes['pg/timestamptz@1']['output'];
120
138
  readonly email: CodecTypes['pg/text@1']['output'];
@@ -148,6 +166,12 @@ export type StorageColumnInputTypes = {
148
166
  readonly updated_at: CodecTypes['pg/timestamptz@1']['input'];
149
167
  readonly user_id: CodecTypes['pg/uuid@1']['input'];
150
168
  };
169
+ readonly sessions: {
170
+ readonly aal: 'aal1' | 'aal2' | 'aal3' | null;
171
+ readonly created_at: CodecTypes['pg/timestamptz@1']['input'];
172
+ readonly id: CodecTypes['pg/uuid@1']['input'];
173
+ readonly user_id: CodecTypes['pg/uuid@1']['input'];
174
+ };
151
175
  readonly users: {
152
176
  readonly created_at: CodecTypes['pg/timestamptz@1']['input'];
153
177
  readonly email: CodecTypes['pg/text@1']['input'];
@@ -226,6 +250,38 @@ type ContractBase = Omit<
226
250
  indexes: readonly [];
227
251
  foreignKeys: readonly [];
228
252
  };
253
+ readonly sessions: {
254
+ columns: {
255
+ readonly id: {
256
+ readonly nativeType: 'uuid';
257
+ readonly codecId: 'pg/uuid@1';
258
+ readonly nullable: false;
259
+ readonly typeRef: 'Uuid';
260
+ };
261
+ readonly user_id: {
262
+ readonly nativeType: 'uuid';
263
+ readonly codecId: 'pg/uuid@1';
264
+ readonly nullable: false;
265
+ readonly typeRef: 'Uuid';
266
+ };
267
+ readonly aal: {
268
+ readonly nativeType: 'auth.aal_level';
269
+ readonly codecId: 'pg/enum@1';
270
+ readonly nullable: true;
271
+ readonly typeParams: { readonly typeName: 'auth.aal_level' };
272
+ };
273
+ readonly created_at: {
274
+ readonly nativeType: 'timestamptz';
275
+ readonly codecId: 'pg/timestamptz@1';
276
+ readonly nullable: false;
277
+ readonly typeRef: 'Timestamptz';
278
+ };
279
+ };
280
+ primaryKey: { readonly columns: readonly ['id'] };
281
+ uniques: readonly [];
282
+ indexes: readonly [];
283
+ foreignKeys: readonly [];
284
+ };
229
285
  readonly users: {
230
286
  columns: {
231
287
  readonly id: {
@@ -258,6 +314,12 @@ type ContractBase = Omit<
258
314
  foreignKeys: readonly [];
259
315
  };
260
316
  };
317
+ readonly valueSet: {
318
+ readonly AalLevel: {
319
+ readonly kind: 'valueSet';
320
+ readonly values: readonly ['aal1', 'aal2', 'aal3'];
321
+ };
322
+ };
261
323
  };
262
324
  };
263
325
  readonly public: {
@@ -366,6 +428,7 @@ type ContractBase = Omit<
366
428
  readonly namespace: 'auth' & NamespaceId;
367
429
  readonly model: 'AuthIdentity';
368
430
  };
431
+ readonly sessions: { readonly namespace: 'auth' & NamespaceId; readonly model: 'AuthSession' };
369
432
  readonly buckets: {
370
433
  readonly namespace: 'storage' & NamespaceId;
371
434
  readonly model: 'StorageBucket';
@@ -415,6 +478,41 @@ type ContractBase = Omit<
415
478
  };
416
479
  };
417
480
  };
481
+ readonly AuthSession: {
482
+ readonly fields: {
483
+ readonly id: {
484
+ readonly nullable: false;
485
+ readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/uuid@1' };
486
+ };
487
+ readonly user_id: {
488
+ readonly nullable: false;
489
+ readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/uuid@1' };
490
+ };
491
+ readonly aal: {
492
+ readonly nullable: true;
493
+ readonly type: {
494
+ readonly kind: 'scalar';
495
+ readonly codecId: 'pg/enum@1';
496
+ readonly typeParams: { readonly typeName: 'auth.aal_level' };
497
+ };
498
+ };
499
+ readonly created_at: {
500
+ readonly nullable: false;
501
+ readonly type: { readonly kind: 'scalar'; readonly codecId: 'pg/timestamptz@1' };
502
+ };
503
+ };
504
+ readonly relations: Record<string, never>;
505
+ readonly storage: {
506
+ readonly table: 'sessions';
507
+ readonly namespaceId: 'auth';
508
+ readonly fields: {
509
+ readonly id: { readonly column: 'id' };
510
+ readonly user_id: { readonly column: 'user_id' };
511
+ readonly aal: { readonly column: 'aal' };
512
+ readonly created_at: { readonly column: 'created_at' };
513
+ };
514
+ };
515
+ };
418
516
  readonly AuthUser: {
419
517
  readonly fields: {
420
518
  readonly id: {
@@ -16,6 +16,10 @@
16
16
  "model": "StorageObject",
17
17
  "namespace": "storage"
18
18
  },
19
+ "sessions": {
20
+ "model": "AuthSession",
21
+ "namespace": "auth"
22
+ },
19
23
  "users": {
20
24
  "model": "AuthUser",
21
25
  "namespace": "auth"
@@ -86,6 +90,60 @@
86
90
  "table": "identities"
87
91
  }
88
92
  },
93
+ "AuthSession": {
94
+ "fields": {
95
+ "aal": {
96
+ "nullable": true,
97
+ "type": {
98
+ "codecId": "pg/enum@1",
99
+ "kind": "scalar",
100
+ "typeParams": {
101
+ "typeName": "auth.aal_level"
102
+ }
103
+ }
104
+ },
105
+ "created_at": {
106
+ "nullable": false,
107
+ "type": {
108
+ "codecId": "pg/timestamptz@1",
109
+ "kind": "scalar"
110
+ }
111
+ },
112
+ "id": {
113
+ "nullable": false,
114
+ "type": {
115
+ "codecId": "pg/uuid@1",
116
+ "kind": "scalar"
117
+ }
118
+ },
119
+ "user_id": {
120
+ "nullable": false,
121
+ "type": {
122
+ "codecId": "pg/uuid@1",
123
+ "kind": "scalar"
124
+ }
125
+ }
126
+ },
127
+ "relations": {},
128
+ "storage": {
129
+ "fields": {
130
+ "aal": {
131
+ "column": "aal"
132
+ },
133
+ "created_at": {
134
+ "column": "created_at"
135
+ },
136
+ "id": {
137
+ "column": "id"
138
+ },
139
+ "user_id": {
140
+ "column": "user_id"
141
+ }
142
+ },
143
+ "namespaceId": "auth",
144
+ "table": "sessions"
145
+ }
146
+ },
89
147
  "AuthUser": {
90
148
  "fields": {
91
149
  "created_at": {
@@ -303,6 +361,50 @@
303
361
  },
304
362
  "uniques": []
305
363
  },
364
+ "sessions": {
365
+ "columns": {
366
+ "aal": {
367
+ "codecId": "pg/enum@1",
368
+ "nativeType": "auth.aal_level",
369
+ "nullable": true,
370
+ "typeParams": {
371
+ "typeName": "auth.aal_level"
372
+ },
373
+ "valueSet": {
374
+ "entityKind": "valueSet",
375
+ "entityName": "AalLevel",
376
+ "namespaceId": "auth",
377
+ "plane": "storage"
378
+ }
379
+ },
380
+ "created_at": {
381
+ "codecId": "pg/timestamptz@1",
382
+ "nativeType": "timestamptz",
383
+ "nullable": false,
384
+ "typeRef": "Timestamptz"
385
+ },
386
+ "id": {
387
+ "codecId": "pg/uuid@1",
388
+ "nativeType": "uuid",
389
+ "nullable": false,
390
+ "typeRef": "Uuid"
391
+ },
392
+ "user_id": {
393
+ "codecId": "pg/uuid@1",
394
+ "nativeType": "uuid",
395
+ "nullable": false,
396
+ "typeRef": "Uuid"
397
+ }
398
+ },
399
+ "foreignKeys": [],
400
+ "indexes": [],
401
+ "primaryKey": {
402
+ "columns": [
403
+ "id"
404
+ ]
405
+ },
406
+ "uniques": []
407
+ },
306
408
  "users": {
307
409
  "columns": {
308
410
  "created_at": {
@@ -338,6 +440,16 @@
338
440
  },
339
441
  "uniques": []
340
442
  }
443
+ },
444
+ "valueSet": {
445
+ "AalLevel": {
446
+ "kind": "valueSet",
447
+ "values": [
448
+ "aal1",
449
+ "aal2",
450
+ "aal3"
451
+ ]
452
+ }
341
453
  }
342
454
  },
343
455
  "id": "auth",
@@ -433,7 +545,7 @@
433
545
  "kind": "postgres-schema"
434
546
  }
435
547
  },
436
- "storageHash": "sha256:61dac13aa56bcb5b7f1c5441c2bd8fc07d88f6c870c80b4c1640fd0d180fb423",
548
+ "storageHash": "sha256:31cf0e2bc6efafc1d3c6c55148f6665700205dba671b16a5d6d5f6db693d97f6",
437
549
  "types": {
438
550
  "Timestamptz": {
439
551
  "codecId": "pg/timestamptz@1",