@stratal/framework 0.0.18 → 0.0.19

package/dist/{decorateMetadata-rWbWGUuO.mjs → decorateMetadata-CqtSx3_1.mjs}

@@ -1,4 +1,4 @@
-//#region \0@oxc-project+runtime@0.122.0/helpers/decorateMetadata.js
+//#region \0@oxc-project+runtime@0.127.0/helpers/decorateMetadata.js
 function __decorateMetadata(k, v) {
 	if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 }

package/dist/decorateParam-Dc5DGEpb.mjs

@@ -0,0 +1,18 @@
+//#region src/access-control/tokens.ts
+const AC_TOKENS = {
+	/** Request-scoped access service */
+	AccessService: Symbol.for("stratal:ac:service"),
+	/** Access control module options (ac, roles) */
+	Options: Symbol.for("stratal:ac:options")
+};
+//#endregion
+//#region \0@oxc-project+runtime@0.127.0/helpers/decorateParam.js
+function __decorateParam(paramIndex, decorator) {
+	return function(target, key) {
+		decorator(target, key, paramIndex);
+	};
+}
+//#endregion
+export { AC_TOKENS as n, __decorateParam as t };
+
+//# sourceMappingURL=decorateParam-Dc5DGEpb.mjs.map

package/dist/decorateParam-Dc5DGEpb.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"decorateParam-Dc5DGEpb.mjs","names":[],"sources":["../src/access-control/tokens.ts"],"sourcesContent":["export const AC_TOKENS = {\n  /** Request-scoped access service */\n  AccessService: Symbol.for('stratal:ac:service'),\n  /** Access control module options (ac, roles) */\n  Options: Symbol.for('stratal:ac:options'),\n} as const\n"],"mappings":";AAAA,MAAa,YAAY;;CAEvB,eAAe,OAAO,IAAI,qBAAqB;;CAE/C,SAAS,OAAO,IAAI,qBAAqB;CAC1C"}

package/dist/{errors-C_KIIU1v.mjs → errors-B1vVXc1T.mjs}

@@ -22,4 +22,4 @@ var UserNotAuthorizedError = class extends ApplicationError {
 //#endregion
 export { UserNotAuthenticatedError as n, ContextNotInitializedError as r, UserNotAuthorizedError as t };
 
-//# sourceMappingURL=errors-C_KIIU1v.mjs.map
+//# sourceMappingURL=errors-B1vVXc1T.mjs.map

package/dist/{errors-C_KIIU1v.mjs.map → errors-B1vVXc1T.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"errors-C_KIIU1v.mjs","names":[],"sources":["../src/context/errors/context-not-initialized.error.ts","../src/context/errors/user-not-authenticated.error.ts","../src/context/errors/user-not-authorized.error.ts"],"sourcesContent":["import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class ContextNotInitializedError extends ApplicationError {\n  constructor(contextType = 'Context') {\n    super(\n      'errors.contextNotInitialized',\n      ERROR_CODES.AUTH.CONTEXT_NOT_INITIALIZED,\n      { contextType }\n    )\n  }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class UserNotAuthenticatedError extends ApplicationError {\n  constructor() {\n    super(\n      'errors.userNotAuthenticated',\n      ERROR_CODES.AUTH.USER_NOT_AUTHENTICATED\n    )\n  }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class UserNotAuthorizedError extends ApplicationError {\n  constructor() {\n    super(\n      'errors.unauthorized',\n      ERROR_CODES.AUTHZ.FORBIDDEN\n    )\n  }\n}\n"],"mappings":";;AAEA,IAAa,6BAAb,cAAgD,iBAAiB;CAC/D,YAAY,cAAc,WAAW;AACnC,QACE,gCACA,YAAY,KAAK,yBACjB,EAAE,aAAa,CAChB;;;;;ACNL,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,cAAc;AACZ,QACE,+BACA,YAAY,KAAK,uBAClB;;;;;ACLL,IAAa,yBAAb,cAA4C,iBAAiB;CAC3D,cAAc;AACZ,QACE,uBACA,YAAY,MAAM,UACnB"}
+{"version":3,"file":"errors-B1vVXc1T.mjs","names":[],"sources":["../src/context/errors/context-not-initialized.error.ts","../src/context/errors/user-not-authenticated.error.ts","../src/context/errors/user-not-authorized.error.ts"],"sourcesContent":["import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class ContextNotInitializedError extends ApplicationError {\n  constructor(contextType = 'Context') {\n    super(\n      'errors.contextNotInitialized',\n      ERROR_CODES.AUTH.CONTEXT_NOT_INITIALIZED,\n      { contextType }\n    )\n  }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class UserNotAuthenticatedError extends ApplicationError {\n  constructor() {\n    super(\n      'errors.userNotAuthenticated',\n      ERROR_CODES.AUTH.USER_NOT_AUTHENTICATED\n    )\n  }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class UserNotAuthorizedError extends ApplicationError {\n  constructor() {\n    super(\n      'errors.unauthorized',\n      ERROR_CODES.AUTHZ.FORBIDDEN\n    )\n  }\n}\n"],"mappings":";;AAEA,IAAa,6BAAb,cAAgD,iBAAiB;CAC/D,YAAY,cAAc,WAAW;AACnC,QACE,gCACA,YAAY,KAAK,yBACjB,EAAE,aAAa,CAChB;;;;;ACNL,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,cAAc;AACZ,QACE,+BACA,YAAY,KAAK,uBAClB;;;;;ACLL,IAAa,yBAAb,cAA4C,iBAAiB;CAC3D,cAAc;AACZ,QACE,uBACA,YAAY,MAAM,UACnB"}

package/dist/factory/index.d.mts

@@ -1,4 +1,4 @@
-import { N as DatabaseService } from "../index-B1iGBJcO.mjs";
+import { M as DatabaseService } from "../index-CpFBG0Ws.mjs";
 import { Faker } from "@faker-js/faker";
 
 //#region src/factory/factory.d.ts

package/dist/guards/index.d.mts

@@ -6,17 +6,17 @@ import { AuthGuardOptions, AuthGuardOptions as AuthGuardOptions$1, CanActivate,
  *
  * Creates a guard class that enforces authentication and optional authorization.
  *
- * **Authentication (no scopes):**
+ * **Authentication (no permissions):**
  * - Checks if user is authenticated via AuthContext.isAuthenticated()
  * - Throws UserNotAuthenticatedError (401) if not authenticated
  *
- * **Authorization (with scopes):**
+ * **Authorization (with permissions):**
  * - First verifies authentication
- * - Then checks permissions via CasbinService
+ * - Then checks permissions via AccessService (reads from AuthContext — no DB hit)
  * - Throws InsufficientPermissionsError (403) if unauthorized
  *
  * @param options - Configuration options
- * @param options.scopes - Required permissions for authorization
+ * @param options.permissions - Required permissions keyed by resource
  * @returns Guard class for use with @UseGuards decorator
  *
  * @example Authentication only
@@ -27,8 +27,9 @@ import { AuthGuardOptions, AuthGuardOptions as AuthGuardOptions$1, CanActivate,
  *
  * @example Authentication with permissions
  * ```typescript
- * @UseGuards(AuthGuard({ scopes: ['students:read'] }))
- * export class StudentsController { }
+ * @UseGuards(AuthGuard({ permissions: 'posts:update' }))
+ * @UseGuards(AuthGuard({ permissions: ['posts:update', 'posts:delete'] }))
+ * export class PostsController { }
  * ```
  */
 declare function AuthGuard(options?: AuthGuardOptions$1): GuardClass$1;

package/dist/guards/index.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/guards/auth.guard.ts"],"mappings":";;;;;AAyCA;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAAgB,SAAA,CAAU,OAAA,GAAU,kBAAA,GAAmB,YAAA"}
+{"version":3,"file":"index.d.mts","names":[],"sources":["../../src/guards/auth.guard.ts"],"mappings":";;;;;AAsDA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAAgB,SAAA,CAAU,OAAA,GAAU,kBAAA,GAAmB,YAAA"}

package/dist/guards/index.mjs

@@ -1,29 +1,38 @@
-import { n as UserNotAuthenticatedError } from "../errors-C_KIIU1v.mjs";
-import { t as __decorate } from "../decorate-C12QolJF.mjs";
-import { t as __decorateMetadata } from "../decorateMetadata-rWbWGUuO.mjs";
-import { t as __decorateParam } from "../decorateParam-WGqsyT5s.mjs";
-import { n as InsufficientPermissionsError, t as RBAC_TOKENS } from "../tokens-Di1ofovy.mjs";
+import { n as AC_TOKENS, t as __decorateParam } from "../decorateParam-Dc5DGEpb.mjs";
+import { t as __decorateMetadata } from "../decorateMetadata-CqtSx3_1.mjs";
+import { t as __decorate } from "../decorate-CdfCRvAc.mjs";
+import { n as UserNotAuthenticatedError } from "../errors-B1vVXc1T.mjs";
+import { t as InsufficientPermissionsError } from "../insufficient-permissions.error-CRnOHYvq.mjs";
 import { DI_TOKENS, Transient } from "stratal/di";
 import { LOGGER_TOKENS } from "stratal/logger";
-import { inject } from "tsyringe";
+import { inject as inject$1 } from "tsyringe";
 import { GUARD_METADATA_KEY, GuardExecutionService, UseGuards, getControllerGuards, getMethodGuards } from "stratal/guards";
 //#region src/guards/auth.guard.ts
+function parsePermissions(raw) {
+	return (Array.isArray(raw) ? raw : [raw]).reduce((acc, perm) => {
+		const colon = perm.indexOf(":");
+		const resource = colon === -1 ? perm : perm.slice(0, colon);
+		const action = colon === -1 ? "*" : perm.slice(colon + 1);
+		(acc[resource] ??= []).push(action);
+		return acc;
+	}, {});
+}
 /**
 * AuthGuard Factory
 *
 * Creates a guard class that enforces authentication and optional authorization.
 *
-* **Authentication (no scopes):**
+* **Authentication (no permissions):**
 * - Checks if user is authenticated via AuthContext.isAuthenticated()
 * - Throws UserNotAuthenticatedError (401) if not authenticated
 *
-* **Authorization (with scopes):**
+* **Authorization (with permissions):**
 * - First verifies authentication
-* - Then checks permissions via CasbinService
+* - Then checks permissions via AccessService (reads from AuthContext — no DB hit)
 * - Throws InsufficientPermissionsError (403) if unauthorized
 *
 * @param options - Configuration options
-* @param options.scopes - Required permissions for authorization
+* @param options.permissions - Required permissions keyed by resource
 * @returns Guard class for use with @UseGuards decorator
 *
 * @example Authentication only
@@ -34,51 +43,51 @@ import { GUARD_METADATA_KEY, GuardExecutionService, UseGuards, getControllerGuar
 *
 * @example Authentication with permissions
 * ```typescript
-* @UseGuards(AuthGuard({ scopes: ['students:read'] }))
-* export class StudentsController { }
+* @UseGuards(AuthGuard({ permissions: 'posts:update' }))
+* @UseGuards(AuthGuard({ permissions: ['posts:update', 'posts:delete'] }))
+* export class PostsController { }
 * ```
 */
 function AuthGuard(options) {
-	const scopes = options?.scopes;
+	const rawPermissions = options?.permissions;
+	const permissions = rawPermissions ? parsePermissions(rawPermissions) : void 0;
 	let ConfiguredAuthGuard = class ConfiguredAuthGuard {
-		constructor(authContext, logger, casbinService) {
+		constructor(authContext, logger, accessService) {
 			this.authContext = authContext;
 			this.logger = logger;
-			this.casbinService = casbinService;
+			this.accessService = accessService;
 		}
-		async canActivate(context) {
+		async canActivate(_context) {
 			if (!this.authContext.isAuthenticated()) {
 				this.logger.debug("Auth guard: User not authenticated");
 				throw new UserNotAuthenticatedError();
 			}
-			if (!scopes || scopes.length === 0) {
-				this.logger.debug("Auth guard: Authentication passed (no scopes required)");
+			if (!permissions || Object.keys(permissions).length === 0) {
+				this.logger.debug("Auth guard: Authentication passed (no permissions required)");
 				return true;
 			}
 			const userId = this.authContext.getUserId();
 			if (!userId) {
 				this.logger.debug("Auth guard: No user ID in context");
-				throw new InsufficientPermissionsError(scopes, void 0);
+				throw new InsufficientPermissionsError(rawPermissions, void 0);
 			}
-			const httpMethod = context.c.req.method.toLowerCase();
-			if (this.casbinService) {
-				const hasPermission = await this.casbinService.hasAnyPermission(userId, scopes, httpMethod);
+			if (this.accessService) {
+				const allowed = await this.accessService.hasPermission(userId, permissions);
 				this.logger.debug("Auth guard: Authorization check", {
 					userId,
-					scopes,
-					httpMethod,
-					hasPermission
+					permissions,
+					allowed
 				});
-				if (!hasPermission) throw new InsufficientPermissionsError(scopes, userId);
+				if (!allowed) throw new InsufficientPermissionsError(rawPermissions, userId);
 			}
 			return true;
 		}
 	};
 	ConfiguredAuthGuard = __decorate([
 		Transient(),
-		__decorateParam(0, inject(DI_TOKENS.AuthContext)),
-		__decorateParam(1, inject(LOGGER_TOKENS.LoggerService)),
-		__decorateParam(2, inject(RBAC_TOKENS.CasbinService, { isOptional: true })),
+		__decorateParam(0, inject$1(DI_TOKENS.AuthContext)),
+		__decorateParam(1, inject$1(LOGGER_TOKENS.LoggerService)),
+		__decorateParam(2, inject$1(AC_TOKENS.AccessService, { isOptional: true })),
 		__decorateMetadata("design:paramtypes", [
 			Object,
 			Object,

package/dist/guards/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../../src/guards/auth.guard.ts"],"sourcesContent":["import { DI_TOKENS, Transient } from 'stratal/di'\nimport type { AuthGuardOptions, CanActivate, GuardClass } from 'stratal/guards'\nimport { LOGGER_TOKENS, type LoggerService } from 'stratal/logger'\nimport type { RouterContext } from 'stratal/router'\nimport { inject } from 'tsyringe'\nimport type { AuthContext } from '../context/auth-context'\nimport { UserNotAuthenticatedError } from '../context/errors'\nimport { InsufficientPermissionsError } from '../rbac/errors/insufficient-permissions.error'\nimport type { CasbinService } from '../rbac/services/casbin.service'\nimport { RBAC_TOKENS } from '../rbac/tokens'\n\n/**\n * AuthGuard Factory\n *\n * Creates a guard class that enforces authentication and optional authorization.\n *\n * **Authentication (no scopes):**\n * - Checks if user is authenticated via AuthContext.isAuthenticated()\n * - Throws UserNotAuthenticatedError (401) if not authenticated\n *\n * **Authorization (with scopes):**\n * - First verifies authentication\n * - Then checks permissions via CasbinService\n * - Throws InsufficientPermissionsError (403) if unauthorized\n *\n * @param options - Configuration options\n * @param options.scopes - Required permissions for authorization\n * @returns Guard class for use with @UseGuards decorator\n *\n * @example Authentication only\n * ```typescript\n * @UseGuards(AuthGuard())\n * export class ProfileController { }\n * ```\n *\n * @example Authentication with permissions\n * ```typescript\n * @UseGuards(AuthGuard({ scopes: ['students:read'] }))\n * export class StudentsController { }\n * ```\n */\nexport function AuthGuard(options?: AuthGuardOptions): GuardClass {\n  const scopes = options?.scopes\n\n  @Transient()\n  class ConfiguredAuthGuard implements CanActivate {\n    constructor(\n      @inject(DI_TOKENS.AuthContext) private readonly authContext: AuthContext,\n      @inject(LOGGER_TOKENS.LoggerService) private readonly logger: LoggerService,\n      @inject(RBAC_TOKENS.CasbinService, { isOptional: true }) private readonly casbinService?: CasbinService\n    ) { }\n\n    async canActivate(context: RouterContext): Promise<boolean> {\n      if (!this.authContext.isAuthenticated()) {\n        this.logger.debug('Auth guard: User not authenticated')\n        throw new UserNotAuthenticatedError()\n      }\n\n      if (!scopes || scopes.length === 0) {\n        this.logger.debug('Auth guard: Authentication passed (no scopes required)')\n        return true\n      }\n\n      const userId = this.authContext.getUserId()\n      if (!userId) {\n        this.logger.debug('Auth guard: No user ID in context')\n        throw new InsufficientPermissionsError(scopes, undefined)\n      }\n\n      const httpMethod = context.c.req.method.toLowerCase()\n\n      if (this.casbinService) {\n        const hasPermission = await this.casbinService.hasAnyPermission(\n          userId,\n          scopes,\n          httpMethod\n        )\n\n        this.logger.debug('Auth guard: Authorization check', {\n          userId,\n          scopes,\n          httpMethod,\n          hasPermission,\n        })\n\n        if (!hasPermission) {\n          throw new InsufficientPermissionsError(scopes, userId)\n        }\n      }\n\n      return true\n    }\n  }\n\n  return ConfiguredAuthGuard\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyCA,SAAgB,UAAU,SAAwC;CAChE,MAAM,SAAS,SAAS;CAExB,IAAA,sBAAA,MACM,oBAA2C;EAC/C,YACE,aACA,QACA,eACA;AAHgD,QAAA,cAAA;AACM,QAAA,SAAA;AACoB,QAAA,gBAAA;;EAG5E,MAAM,YAAY,SAA0C;AAC1D,OAAI,CAAC,KAAK,YAAY,iBAAiB,EAAE;AACvC,SAAK,OAAO,MAAM,qCAAqC;AACvD,UAAM,IAAI,2BAA2B;;AAGvC,OAAI,CAAC,UAAU,OAAO,WAAW,GAAG;AAClC,SAAK,OAAO,MAAM,yDAAyD;AAC3E,WAAO;;GAGT,MAAM,SAAS,KAAK,YAAY,WAAW;AAC3C,OAAI,CAAC,QAAQ;AACX,SAAK,OAAO,MAAM,oCAAoC;AACtD,UAAM,IAAI,6BAA6B,QAAQ,KAAA,EAAU;;GAG3D,MAAM,aAAa,QAAQ,EAAE,IAAI,OAAO,aAAa;AAErD,OAAI,KAAK,eAAe;IACtB,MAAM,gBAAgB,MAAM,KAAK,cAAc,iBAC7C,QACA,QACA,WACD;AAED,SAAK,OAAO,MAAM,mCAAmC;KACnD;KACA;KACA;KACA;KACD,CAAC;AAEF,QAAI,CAAC,cACH,OAAM,IAAI,6BAA6B,QAAQ,OAAO;;AAI1D,UAAO;;;;EA9CV,WAAW;qBAGP,OAAO,UAAU,YAAY,CAAA;qBAC7B,OAAO,cAAc,cAAc,CAAA;qBACnC,OAAO,YAAY,eAAe,EAAE,YAAY,MAAM,CAAC,CAAA;;;;;;;AA6C5D,QAAO"}
+{"version":3,"file":"index.mjs","names":["inject"],"sources":["../../src/guards/auth.guard.ts"],"sourcesContent":["import { DI_TOKENS, Transient } from 'stratal/di'\nimport type { AuthGuardOptions, CanActivate, GuardClass } from 'stratal/guards'\nimport { LOGGER_TOKENS, type LoggerService } from 'stratal/logger'\nimport type { RouterContext } from 'stratal/router'\nimport { inject } from 'tsyringe'\nimport { InsufficientPermissionsError } from '../access-control/errors/insufficient-permissions.error'\nimport type { AccessService } from '../access-control/services/access.service'\nimport { AC_TOKENS } from '../access-control/tokens'\nimport type { AuthContext } from '../context/auth-context'\nimport { UserNotAuthenticatedError } from '../context/errors'\n\nfunction parsePermissions(raw: string | string[]): Record<string, string[]> {\n  const list = Array.isArray(raw) ? raw : [raw]\n  return list.reduce<Record<string, string[]>>((acc, perm) => {\n    const colon = perm.indexOf(':')\n    const resource = colon === -1 ? perm : perm.slice(0, colon)\n    const action = colon === -1 ? '*' : perm.slice(colon + 1)\n    ;(acc[resource] ??= []).push(action)\n    return acc\n  }, {})\n}\n\n\n/**\n * AuthGuard Factory\n *\n * Creates a guard class that enforces authentication and optional authorization.\n *\n * **Authentication (no permissions):**\n * - Checks if user is authenticated via AuthContext.isAuthenticated()\n * - Throws UserNotAuthenticatedError (401) if not authenticated\n *\n * **Authorization (with permissions):**\n * - First verifies authentication\n * - Then checks permissions via AccessService (reads from AuthContext — no DB hit)\n * - Throws InsufficientPermissionsError (403) if unauthorized\n *\n * @param options - Configuration options\n * @param options.permissions - Required permissions keyed by resource\n * @returns Guard class for use with @UseGuards decorator\n *\n * @example Authentication only\n * ```typescript\n * @UseGuards(AuthGuard())\n * export class ProfileController { }\n * ```\n *\n * @example Authentication with permissions\n * ```typescript\n * @UseGuards(AuthGuard({ permissions: 'posts:update' }))\n * @UseGuards(AuthGuard({ permissions: ['posts:update', 'posts:delete'] }))\n * export class PostsController { }\n * ```\n */\nexport function AuthGuard(options?: AuthGuardOptions): GuardClass {\n  const rawPermissions = options?.permissions\n  const permissions = rawPermissions ? parsePermissions(rawPermissions) : undefined\n\n  @Transient()\n  class ConfiguredAuthGuard implements CanActivate {\n    constructor(\n      @inject(DI_TOKENS.AuthContext) private readonly authContext: AuthContext,\n      @inject(LOGGER_TOKENS.LoggerService) private readonly logger: LoggerService,\n      @inject(AC_TOKENS.AccessService, { isOptional: true }) private readonly accessService?: AccessService\n    ) { }\n\n    async canActivate(_context: RouterContext): Promise<boolean> {\n      if (!this.authContext.isAuthenticated()) {\n        this.logger.debug('Auth guard: User not authenticated')\n        throw new UserNotAuthenticatedError()\n      }\n\n      if (!permissions || Object.keys(permissions).length === 0) {\n        this.logger.debug('Auth guard: Authentication passed (no permissions required)')\n        return true\n      }\n\n      const userId = this.authContext.getUserId()\n      if (!userId) {\n        this.logger.debug('Auth guard: No user ID in context')\n        throw new InsufficientPermissionsError(rawPermissions!, undefined)\n      }\n\n      if (this.accessService) {\n        const allowed = await this.accessService.hasPermission(userId, permissions)\n\n        this.logger.debug('Auth guard: Authorization check', {\n          userId,\n          permissions,\n          allowed,\n        })\n\n        if (!allowed) {\n          throw new InsufficientPermissionsError(rawPermissions!, userId)\n        }\n      }\n\n      return true\n    }\n  }\n\n  return ConfiguredAuthGuard\n}\n"],"mappings":";;;;;;;;;;AAWA,SAAS,iBAAiB,KAAkD;AAE1E,SADa,MAAM,QAAQ,IAAI,GAAG,MAAM,CAAC,IAAI,EACjC,QAAkC,KAAK,SAAS;EAC1D,MAAM,QAAQ,KAAK,QAAQ,IAAI;EAC/B,MAAM,WAAW,UAAU,KAAK,OAAO,KAAK,MAAM,GAAG,MAAM;EAC3D,MAAM,SAAS,UAAU,KAAK,MAAM,KAAK,MAAM,QAAQ,EAAE;AACxD,GAAC,IAAI,cAAc,EAAE,EAAE,KAAK,OAAO;AACpC,SAAO;IACN,EAAE,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCR,SAAgB,UAAU,SAAwC;CAChE,MAAM,iBAAiB,SAAS;CAChC,MAAM,cAAc,iBAAiB,iBAAiB,eAAe,GAAG,KAAA;CAExE,IAAA,sBAAA,MACM,oBAA2C;EAC/C,YACE,aACA,QACA,eACA;AAHgD,QAAA,cAAA;AACM,QAAA,SAAA;AACkB,QAAA,gBAAA;;EAG1E,MAAM,YAAY,UAA2C;AAC3D,OAAI,CAAC,KAAK,YAAY,iBAAiB,EAAE;AACvC,SAAK,OAAO,MAAM,qCAAqC;AACvD,UAAM,IAAI,2BAA2B;;AAGvC,OAAI,CAAC,eAAe,OAAO,KAAK,YAAY,CAAC,WAAW,GAAG;AACzD,SAAK,OAAO,MAAM,8DAA8D;AAChF,WAAO;;GAGT,MAAM,SAAS,KAAK,YAAY,WAAW;AAC3C,OAAI,CAAC,QAAQ;AACX,SAAK,OAAO,MAAM,oCAAoC;AACtD,UAAM,IAAI,6BAA6B,gBAAiB,KAAA,EAAU;;AAGpE,OAAI,KAAK,eAAe;IACtB,MAAM,UAAU,MAAM,KAAK,cAAc,cAAc,QAAQ,YAAY;AAE3E,SAAK,OAAO,MAAM,mCAAmC;KACnD;KACA;KACA;KACD,CAAC;AAEF,QAAI,CAAC,QACH,OAAM,IAAI,6BAA6B,gBAAiB,OAAO;;AAInE,UAAO;;;;EAvCV,WAAW;qBAGPA,SAAO,UAAU,YAAY,CAAA;qBAC7BA,SAAO,cAAc,cAAc,CAAA;qBACnCA,SAAO,UAAU,eAAe,EAAE,YAAY,MAAM,CAAC,CAAA;;;;;;;AAsC1D,QAAO"}

package/dist/{index-B1iGBJcO.d.mts → index-CpFBG0Ws.d.mts}

@@ -1,10 +1,10 @@
-import { i as InferConnectionSchema, n as DefaultConnectionName, r as InferAnySchema, t as ConnectionName } from "./types-Gjk0d2qB.mjs";
+import { a as InferConnectionSchema, i as InferConnectionExtensions, n as DefaultConnectionName, r as InferAnySchema, t as ConnectionName } from "./types-BZlcRR2M.mjs";
+import { MessageKeys } from "stratal/i18n";
 import { AsyncModuleOptions, DynamicModule, ModuleContext, OnInitialize, OnShutdown } from "stratal/module";
 import { ApplicationError, ErrorCode } from "stratal/errors";
 import { Command } from "stratal/quarry";
 import { AggregateArgs, AllCrudOperations, AnyPlugin, ClientContract, ClientOptions, CountArgs, CreateArgs, CreateManyArgs, DeleteArgs, DeleteManyArgs, FindFirstArgs, FindManyArgs, FindUniqueArgs, GroupByArgs, ModelResult, RuntimePlugin, UpdateArgs, UpdateManyArgs, UpsertArgs } from "@zenstackhq/orm";
 import { SchemaDef } from "@zenstackhq/schema";
-import { MessageKeys } from "stratal/i18n";
 import { SchemaDef as SchemaDef$1 } from "@zenstackhq/orm/schema";
 import { IEventRegistry } from "stratal/events";
 
@@ -30,18 +30,19 @@ declare class DatabaseModule implements OnInitialize, OnShutdown {
 /**
  * DatabaseService type
  *
- * Each connection has its own schema. The service is typed to the connection's schema.
+ * Each connection has its own schema and plugin extensions.
+ * Plugin extension types are automatically inferred from `StratalDatabase.plugins`.
  *
  * @example
  * ```typescript
- * // Typed to default connection
+ * // Typed to default connection (includes plugin extensions)
  * constructor(@inject(DI_TOKENS.Database) private db: DatabaseService) {}
  *
  * // Typed to a specific named connection
  * constructor(@InjectDB('analytics') private analytics: DatabaseService<'analytics'>) {}
  * ```
  */
-type DatabaseService<K extends ConnectionName = DefaultConnectionName> = ClientContract<InferConnectionSchema<K>, ClientOptions<InferConnectionSchema<K>>>;
+type DatabaseService<K extends ConnectionName = DefaultConnectionName> = ClientContract<InferConnectionSchema<K>, ClientOptions<InferConnectionSchema<K>>, InferConnectionExtensions<K>['extQueryArgs'], InferConnectionExtensions<K>['extClientMembers'], InferConnectionExtensions<K>['extResult']>;
 //#endregion
 //#region src/database/database.tokens.d.ts
 declare const DATABASE_TOKENS: {
@@ -285,8 +286,8 @@ declare module 'stratal/events' {
 }
 //#endregion
 //#region src/database/i18n/en.d.ts
-declare const databaseI18n: {
-  readonly database: {
+declare const databaseMessages: {
+  readonly en: {
     readonly connectionNameRequired: "Connection name is required";
     readonly defaultConnectionRequired: "Default connection name is required";
     readonly connectionRequired: "At least one connection is required";
@@ -295,8 +296,8 @@ declare const databaseI18n: {
   };
 };
 declare module 'stratal/i18n' {
-  interface AppMessages {
-    database: typeof databaseI18n['database'];
+  interface AppMessageNamespaces {
+    database: typeof databaseMessages['en'];
   }
 } //# sourceMappingURL=en.d.ts.map
 //#endregion
@@ -363,39 +364,20 @@ declare class EventEmitterPlugin implements RuntimePlugin<SchemaDef$1, Record<st
   }) => Promise<unknown>;
 }
 //#endregion
-//#region src/database/plugins/schema-switcher.plugin.d.ts
-interface SchemaSwitcherPluginOptions {
-  schemaName: string;
-}
+//#region src/database/plugins/schema-switcher.d.ts
 /**
- * ZenStack runtime plugin that sets PostgreSQL search_path before each query.
- * Used for tenant isolation in multi-tenant applications.
+ * Switches the active schema on a ZenStack/Kysely database client by mutating
+ * `$schema.provider.defaultSchema`. This causes ZenStack's QueryNameMapper to
+ * generate fully-qualified table references (e.g. `"tenant_123"."User"`).
  *
- * @example
- * ```typescript
- * super(schema, {
- *   dialect: new PostgresDialect({ pool }),
- *   plugins: [
- *     new SchemaSwitcherPlugin({ schemaName: `tenant_${tenantId}` })
- *   ]
- * })
- * ```
+ * Must be called BEFORE any queries are made on the client.
+ *
+ * Note: The ZenStack RuntimePlugin `onQuery` hook fires after table names are
+ * already resolved, so a plugin-based approach cannot set the schema prefix.
+ * Direct client mutation is the only supported method.
  */
-declare class SchemaSwitcherPlugin implements RuntimePlugin<SchemaDef$1, Record<string, unknown>, Record<string, unknown>, {}> {
-  private options;
-  readonly id = "schema-switcher";
-  constructor(options: SchemaSwitcherPluginOptions);
-  onQuery: ({
-    args,
-    proceed,
-    client
-  }: {
-    args: Record<string, unknown> | undefined;
-    proceed: (args: Record<string, unknown> | undefined) => Promise<unknown>;
-    client: {
-      $executeRawUnsafe: (sql: string) => Promise<unknown>;
-    };
-  }) => Promise<unknown>;
+declare class SchemaSwitcher {
+  static apply<T>(client: T, schemaName: string): T;
 }
 //#endregion
 //#region src/database/commands/zenstack.command.d.ts
@@ -456,5 +438,5 @@ declare class MigrateStatusCommand extends ZenStackCommand {
   handle(): Promise<number>;
 }
 //#endregion
-export { InjectDB as A, fromZenStackError as C, ForeignKeyConstraintError as D, InvalidErrorCodeRangeError as E, DatabaseModule as F, DatabaseModuleConfig as I, connectionSymbol as M, DatabaseService as N, DatabaseConfigError as O, DatabaseConnectionConfig as P, ParseEvent as S, RecordNotFoundError as T, DatabaseOperation as _, DbPushCommand as a, GetResult as b, ZenStackCommand as c, EventEmitterPlugin as d, EventEmitterPluginOptions as f, DatabaseEvents as g, DatabaseEventName as h, MigrateDeployCommand as i, DATABASE_TOKENS as j, DatabaseError as k, SchemaSwitcherPlugin as l, databaseI18n as m, MigrateResetCommand as n, DbPullCommand as o, ErrorHandlerPlugin as p, MigrateDevCommand as r, DbGenerateCommand as s, MigrateStatusCommand as t, SchemaSwitcherPluginOptions as u, EventPhase as v, UniqueConstraintError as w, ModelName as x, GetData as y };
-//# sourceMappingURL=index-B1iGBJcO.d.mts.map
+export { DATABASE_TOKENS as A, UniqueConstraintError as C, DatabaseConfigError as D, ForeignKeyConstraintError as E, DatabaseModuleConfig as F, DatabaseService as M, DatabaseConnectionConfig as N, DatabaseError as O, DatabaseModule as P, fromZenStackError as S, InvalidErrorCodeRangeError as T, EventPhase as _, DbPushCommand as a, ModelName as b, ZenStackCommand as c, EventEmitterPluginOptions as d, ErrorHandlerPlugin as f, DatabaseOperation as g, DatabaseEvents as h, MigrateDeployCommand as i, connectionSymbol as j, InjectDB as k, SchemaSwitcher as l, DatabaseEventName as m, MigrateResetCommand as n, DbPullCommand as o, databaseMessages as p, MigrateDevCommand as r, DbGenerateCommand as s, MigrateStatusCommand as t, EventEmitterPlugin as u, GetData as v, RecordNotFoundError as w, ParseEvent as x, GetResult as y };
+//# sourceMappingURL=index-CpFBG0Ws.d.mts.map

package/dist/index-CpFBG0Ws.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index-CpFBG0Ws.d.mts","names":[],"sources":["../src/database/database.module.ts","../src/database/database.service.ts","../src/database/database.tokens.ts","../src/database/decorators/inject-db.decorator.ts","../src/database/errors/database-error.ts","../src/database/errors/database-config.error.ts","../src/database/errors/foreign-key-constraint.error.ts","../src/database/errors/invalid-error-code-range.error.ts","../src/database/errors/record-not-found.error.ts","../src/database/errors/unique-constraint.error.ts","../src/database/errors/from-zenstack-error.ts","../src/database/event-types.ts","../src/database/i18n/en.ts","../src/database/plugins/error-handler.plugin.ts","../src/database/plugins/event-emitter.plugin.ts","../src/database/plugins/schema-switcher.ts","../src/database/commands/zenstack.command.ts","../src/database/commands/db-generate.command.ts","../src/database/commands/db-pull.command.ts","../src/database/commands/db-push.command.ts","../src/database/commands/migrate-deploy.command.ts","../src/database/commands/migrate-dev.command.ts","../src/database/commands/migrate-reset.command.ts","../src/database/commands/migrate-status.command.ts"],"mappings":";;;;;;;;;;;UA0BiB,wBAAA,gBACA,SAAA,GAAY,SAAA,eACd,cAAA,GAAiB,cAAA;EAE9B,IAAA,EAAM,IAAA;EACN,MAAA,EAAQ,MAAA;EACR,OAAA,QAAe,aAAA,CAAc,SAAA;EAC7B,OAAA,GAAU,SAAA;AAAA;AAAA,UAGK,oBAAA;EACf,OAAA,EAAS,qBAAA;EACT,WAAA,EAAa,wBAAA;AAAA;AAAA,cAiBF,cAAA,YAA0B,YAAA,EAAc,UAAA;EAAA,OAC5C,OAAA,CAAQ,MAAA,EAAQ,oBAAA,GAAuB,aAAA;EAAA,OASvC,YAAA,CAAa,OAAA,EAAS,kBAAA,CAAmB,oBAAA,IAAwB,aAAA;EAaxE,YAAA,CAAa,OAAA,EAAS,aAAA;EAmBtB,UAAA,CAAW,OAAA,EAAS,aAAA;AAAA;;;;;;;;;;;;AAvEtB;;;;;;KCRY,eAAA,WACA,cAAA,GAAiB,qBAAA,IACzB,cAAA,CACF,qBAAA,CAAsB,CAAA,GACtB,aAAA,CAAc,qBAAA,CAAsB,CAAA,IACpC,yBAAA,CAA0B,CAAA,mBAC1B,yBAAA,CAA0B,CAAA,uBAE1B,yBAAA,CAA0B,CAAA;;;cC1Bf,eAAA;EAAA,SAGH,OAAA;EAAA,SAAA,QAAA;AAAA;AAAA,iBAIM,gBAAA,CAAiB,IAAA,EAAM,cAAA;;;iBCHvB,QAAA,CAAS,IAAA,EAAM,cAAA,GAAiB,kBAAA;;;;;;;;;;;cCQnC,aAAA,SAAsB,gBAAA;cAE/B,UAAA,GAAY,WAAA,EACZ,IAAA,GAAM,SAAA,EACN,QAAA,GAAW,MAAA;AAAA;;;cCbF,mBAAA,SAA4B,aAAA;cAC3B,OAAA;AAAA;;;;;;;;;;;;cCQD,yBAAA,SAAkC,aAAA;cACjC,KAAA;AAAA;;;;;;;;;;cCJD,0BAAA,SAAmC,gBAAA;cAClC,IAAA,UAAc,aAAA;AAAA;;;;;;;;;;;;;cCGf,mBAAA,SAA4B,aAAA;cAC3B,OAAA;AAAA;;;;;;;;;;;;;cCDD,qBAAA,SAA8B,aAAA;cAC7B,MAAA;AAAA;;;;;;;;;;;;;ATYd;;;;;;;;;iBUAgB,iBAAA,CAAkB,KAAA,YAAiB,aAAA;;;;;;KCavC,UAAA;;;;KAKA,iBAAA,GAAoB,iBAAA;;;;;;KAO3B,kBAAA,MAAwB,CAAA;EAAY,MAAA;AAAA,IAAoB,OAAA,OAAc,CAAA;;;;;KAM/D,SAAA,GAAY,kBAAA,CAAmB,cAAA;;;;KAS/B,iBAAA,MACL,UAAA,IAAc,SAAA,IAAa,iBAAA,QAC3B,UAAA,IAAc,SAAA,QACd,UAAA,IAAc,iBAAA,KACjB,UAAA;;;;KASC,gBAAA,WACO,SAAA,YACA,OAAA,OAAc,CAAA,+BACd,iBAAA,IAEV,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,uBAAwB,aAAA,CAAc,CAAA,EAAG,CAAA,IACzC,CAAA,sBAAuB,YAAA,CAAa,CAAA,EAAG,CAAA,IACvC,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,mBAAoB,SAAA,CAAU,CAAA,EAAG,CAAA,IACjC,CAAA,uBAAwB,aAAA,CAAc,CAAA,EAAG,CAAA,IACzC,CAAA,qBAAsB,WAAA,CAAY,CAAA,EAAG,CAAA;;;;KAMlC,YAAA,gCAA4C,iBAAA,IAC/C,CAAA,SAAU,SAAA,GACR,CAAA,SAAU,OAAA,OAAc,CAAA,sBACxB,gBAAA,CAAiB,CAAA,EAAG,CAAA,EAAG,CAAA;EAAa,IAAA;AAAA,IACpC,CAAA,GACA,gBAAA,CAAiB,CAAA,EAAG,CAAA,EAAG,CAAA;EAAa,KAAA;AAAA,IACpC,CAAA,GACA,gBAAA,CAAiB,CAAA,EAAG,CAAA,EAAG,CAAA;;AXpE3B;;;KW4EY,OAAA,WAAkB,SAAA,YAAqB,iBAAA,IACjD,YAAA,CAAa,cAAA,EAAgB,CAAA,EAAG,CAAA,4BAA6B,YAAA,CAAa,cAAA,EAAgB,CAAA,EAAG,CAAA;;;;KAK1F,cAAA,gCAA8C,iBAAA,IACjD,CAAA,SAAU,SAAA,GACR,CAAA,SAAU,OAAA,OAAc,CAAA,sBACxB,CAAA,mEACA,WAAA,CAAY,CAAA,EAAG,CAAA,MACf,CAAA,4BAEA,WAAA,CAAY,CAAA,EAAG,CAAA;;;;;KAQP,SAAA,WAAoB,SAAA,YAAqB,iBAAA,IACnD,cAAA,CAAe,cAAA,EAAgB,CAAA,EAAG,CAAA,4BAA6B,cAAA,CAAe,cAAA,EAAgB,CAAA,EAAG,CAAA;;;;KASvF,UAAA,qBACV,CAAA,gCAAiC,UAAA,wBAAkC,SAAA,qBAA8B,iBAAA;EAC7F,KAAA,EAAO,KAAA;EAAO,KAAA,EAAO,KAAA;EAAO,SAAA,EAAW,EAAA;EAAI,IAAA;AAAA,IAC7C,CAAA,gCAAiC,UAAA,qBACjC,MAAA,SAAe,SAAA;EACb,KAAA,EAAO,KAAA;EAAO,KAAA,EAAO,MAAA;EAAQ,IAAA;AAAA,IAC/B,MAAA,SAAe,iBAAA;EACb,KAAA,EAAO,KAAA;EAAO,SAAA,EAAW,MAAA;EAAQ,IAAA;AAAA,YAEnC,CAAA,SAAU,UAAA;EACR,KAAA,EAAO,CAAA;EAAG,IAAA;AAAA;;UAQN,gBAAA;AVpJV;AAAA,UUwJU,yBAAA,WACE,SAAA,YACA,iBAAA,gBACI,UAAA,UACN,gBAAA;EACR,IAAA,EAAM,KAAA,oBAAyB,OAAA,CAAQ,CAAA,EAAG,CAAA,IAAK,QAAA,CAAS,OAAA,CAAQ,CAAA,EAAG,CAAA;EACnE,MAAA,EAAQ,KAAA,mBAAwB,SAAA,CAAU,CAAA,EAAG,CAAA;AAAA;;UAIrC,yBAAA,eACM,UAAA,UACN,gBAAA;EACR,SAAA,EAAW,iBAAA;EACX,IAAA,EAAM,KAAA,8BAAmC,QAAA;EACzC,MAAA,EAAQ,KAAA;AAAA;;UAIA,6BAAA,eACM,UAAA,UACN,gBAAA;EACR,KAAA,EAAO,SAAA;EACP,IAAA,EAAM,KAAA,8BAAmC,QAAA;EACzC,MAAA,EAAQ,KAAA;AAAA;;UAIA,yBAAA,eACM,UAAA,UACN,gBAAA;EACR,KAAA,EAAO,SAAA;EACP,SAAA,EAAW,iBAAA;EACX,IAAA,EAAM,KAAA,8BAAmC,QAAA;EACzC,MAAA,EAAQ,KAAA;AAAA;;;;KAUL,oBAAA,qBACH,UAAA,CAAW,CAAA;EACT,KAAA,kBAAuB,UAAA;EACvB,KAAA,kBAAuB,SAAA;EACvB,SAAA,kBAA2B,iBAAA;EAC3B,IAAA;AAAA,IAEA,yBAAA,CAA0B,CAAA,EAAG,CAAA,EAAG,CAAA,IAChC,UAAA,CAAW,CAAA;EACX,KAAA,kBAAuB,UAAA;EACvB,KAAA,mBAAwB,SAAA;EACxB,IAAA;AAAA,IAEA,yBAAA,CAA0B,CAAA,IAC1B,UAAA,CAAW,CAAA;EACX,KAAA,kBAAuB,UAAA;EACvB,SAAA,mBAA4B,iBAAA;EAC5B,IAAA;AAAA,IAEA,6BAAA,CAA8B,CAAA,IAC9B,UAAA,CAAW,CAAA;EAAa,KAAA,kBAAuB,UAAA;EAAY,IAAA;AAAA,IAC3D,yBAAA,CAA0B,CAAA,IAC1B,gBAAA;ATrOJ;;;;;;;;ACHA;;;;ADGA,KSuPY,cAAA,WACJ,iBAAA,GAAoB,oBAAA,CAAqB,CAAA;AAAA;EAAA,UAQrC,mBAAA,SAA4B,cAAA;AAAA;;;cCvQ3B,gBAAA;EAAA;;;;;;;;;YAWD,oBAAA;IACR,QAAA,SAAiB,gBAAA;EAAA;AAAA;;;;;;;;;;;;AZcrB;;caXa,kBAAA,YAA8B,aAAA,CAAc,WAAA,EAAW,MAAA,mBAAyB,MAAA;EAAA,SAClF,EAAA;EAET,OAAA;IAAiB,IAAA;IAAA;EAAA;IACf,IAAA,EAAM,MAAA;IACN,OAAA,GAAU,IAAA,EAAM,MAAA,kCAAwC,OAAA;EAAA,MACtD,OAAA;AAAA;;;UCjBW,yBAAA;EACf,aAAA,EAAe,cAAA;AAAA;;;;;;AdqBjB;;;;;;;;;;;;;;ccCa,kBAAA,YAA8B,aAAA,CAAc,WAAA,EAAW,MAAA,mBAAyB,MAAA;EAAA,QAGvE,OAAA;EAAA,SAFX,EAAA;cAEW,OAAA,EAAS,yBAAA;EAE7B,OAAA;IAAiB,KAAA;IAAA,SAAA;IAAA,IAAA;IAAA;EAAA;IACf,KAAA;IACA,SAAA;IACA,IAAA,EAAM,MAAA;IACN,OAAA,GAAU,IAAA,EAAM,MAAA,kCAAwC,OAAA;EAAA,MACtD,OAAA;AAAA;;;;;;;;;;;;;;cCrBO,cAAA;EAAA,OACJ,KAAA,GAAA,CAAS,MAAA,EAAQ,CAAA,EAAG,UAAA,WAAqB,CAAA;AAAA;;;;;;;uBCX5B,eAAA,SAAwB,OAAA;EAAA,UAC5B,QAAA,CAAS,IAAA,aAAiB,OAAA;AAAA;;;cCL/B,iBAAA,SAA0B,eAAA;EAAA,OAC9B,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,aAAA,SAAsB,eAAA;EAAA,OAC1B,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,aAAA,SAAsB,eAAA;EAAA,OAC1B,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,oBAAA,SAA6B,eAAA;EAAA,OACjC,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,iBAAA,SAA0B,eAAA;EAAA,OAC9B,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,mBAAA,SAA4B,eAAA;EAAA,OAChC,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,oBAAA,SAA6B,eAAA;EAAA,OACjC,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA"}

package/dist/index.d.mts

@@ -1,3 +1,3 @@
-import { i as InferConnectionSchema, n as DefaultConnectionName, o as StratalDatabase, r as InferAnySchema, t as ConnectionName } from "./types-Gjk0d2qB.mjs";
+import { a as InferConnectionSchema, i as InferConnectionExtensions, n as DefaultConnectionName, r as InferAnySchema, s as StratalDatabase, t as ConnectionName } from "./types-BZlcRR2M.mjs";
 import { CustomEventRegistry, EventName } from "stratal/events";
-export { type ConnectionName, type CustomEventRegistry, type DefaultConnectionName, type EventName, type InferAnySchema, type InferConnectionSchema, type StratalDatabase };
+export { type ConnectionName, type CustomEventRegistry, type DefaultConnectionName, type EventName, type InferAnySchema, type InferConnectionExtensions, type InferConnectionSchema, type StratalDatabase };

package/dist/insufficient-permissions.error-CRnOHYvq.mjs

@@ -0,0 +1,23 @@
+import { ApplicationError, ERROR_CODES } from "stratal/errors";
+//#region src/access-control/errors/insufficient-permissions.error.ts
+/**
+* InsufficientPermissionsError
+*
+* Thrown when a user attempts to perform an action without the required permissions.
+* Used by AuthGuard after an authorization check fails.
+*
+* HTTP Status: 403 Forbidden
+*/
+var InsufficientPermissionsError = class extends ApplicationError {
+	constructor(requiredPermissions, userId) {
+		const summary = Array.isArray(requiredPermissions) ? requiredPermissions.join(", ") : requiredPermissions;
+		super("errors.insufficientPermissions", ERROR_CODES.AUTHZ.INSUFFICIENT_PERMISSIONS, {
+			requiredPermissions: summary,
+			userId: userId ?? "unknown"
+		});
+	}
+};
+//#endregion
+export { InsufficientPermissionsError as t };
+
+//# sourceMappingURL=insufficient-permissions.error-CRnOHYvq.mjs.map

package/dist/insufficient-permissions.error-CRnOHYvq.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"insufficient-permissions.error-CRnOHYvq.mjs","names":[],"sources":["../src/access-control/errors/insufficient-permissions.error.ts"],"sourcesContent":["import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\n/**\n * InsufficientPermissionsError\n *\n * Thrown when a user attempts to perform an action without the required permissions.\n * Used by AuthGuard after an authorization check fails.\n *\n * HTTP Status: 403 Forbidden\n */\nexport class InsufficientPermissionsError extends ApplicationError {\n  constructor(requiredPermissions: string | string[], userId?: string) {\n    const summary = Array.isArray(requiredPermissions)\n      ? requiredPermissions.join(', ')\n      : requiredPermissions\n    super('errors.insufficientPermissions', ERROR_CODES.AUTHZ.INSUFFICIENT_PERMISSIONS, {\n      requiredPermissions: summary,\n      userId: userId ?? 'unknown',\n    })\n  }\n}\n"],"mappings":";;;;;;;;;;AAUA,IAAa,+BAAb,cAAkD,iBAAiB;CACjE,YAAY,qBAAwC,QAAiB;EACnE,MAAM,UAAU,MAAM,QAAQ,oBAAoB,GAC9C,oBAAoB,KAAK,KAAK,GAC9B;AACJ,QAAM,kCAAkC,YAAY,MAAM,0BAA0B;GAClF,qBAAqB;GACrB,QAAQ,UAAU;GACnB,CAAC"}

package/dist/types-BLyu9dAd.d.mts

@@ -0,0 +1,11 @@
+import { AccessControl, Role, Statements } from "better-auth/plugins/access";
+
+//#region src/access-control/types.d.ts
+type RolePermissions<TStatements extends Statements> = { [K in keyof TStatements]?: readonly TStatements[K][number][] };
+interface AccessControlOptions<TStatements extends Statements = Statements, TRoles extends Record<string, RolePermissions<TStatements>> = Record<string, RolePermissions<TStatements>>> {
+  ac: AccessControl;
+  roles: { [K in keyof TRoles]: Role };
+}
+//#endregion
+export { RolePermissions as n, AccessControlOptions as t };
+//# sourceMappingURL=types-BLyu9dAd.d.mts.map

package/dist/types-BLyu9dAd.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types-BLyu9dAd.d.mts","names":[],"sources":["../src/access-control/types.ts"],"mappings":";;;KAEY,eAAA,qBAAoC,UAAA,kBAClC,WAAA,aAAwB,WAAA,CAAY,CAAA;AAAA,UAGjC,oBAAA,qBAAyC,UAAA,GAAa,UAAA,iBAA2B,MAAA,SAAe,eAAA,CAAgB,WAAA,KAAgB,MAAA,SAAe,eAAA,CAAgB,WAAA;EAC9K,EAAA,EAAI,aAAA;EACJ,KAAA,gBAAqB,MAAA,GAAS,IAAA;AAAA"}

package/dist/types-BZlcRR2M.d.mts

@@ -0,0 +1,92 @@
+import { RuntimePlugin } from "@zenstackhq/orm";
+import { SchemaDef } from "@zenstackhq/schema";
+
+//#region src/database/types.d.ts
+/**
+ * Augment with per-connection schemas, default connection, and plugin types.
+ *
+ * Each property can be augmented in a separate file — TypeScript merges them.
+ *
+ * @example
+ * ```typescript
+ * // db/schema.ts
+ * declare module '@stratal/framework/database' {
+ *   interface StratalDatabase {
+ *     schemas: {
+ *       main: typeof schema
+ *       tenant: typeof tenantSchema
+ *     }
+ *     defaultConnection: 'main'
+ *   }
+ * }
+ *
+ * // db/plugins.ts
+ * declare module '@stratal/framework/database' {
+ *   interface StratalDatabase {
+ *     plugins: {
+ *       main: [typeof queryResultPlugin, typeof cachePlugin]
+ *     }
+ *   }
+ * }
+ * ```
+ */
+interface StratalDatabase {}
+/** Extract `ExtQueryArgs` from a `RuntimePlugin` */
+type ExtractPluginQueryArgs<P> = P extends RuntimePlugin<infer _S, infer Q, infer _M, infer _R> ? Q : {};
+/** Extract `ExtClientMembers` from a `RuntimePlugin` */
+type ExtractPluginClientMembers<P> = P extends RuntimePlugin<infer _S, infer _Q, infer M, infer _R> ? M : {};
+/** Extract `ExtResult` from a `RuntimePlugin` */
+type ExtractPluginResult<P> = P extends RuntimePlugin<infer _S, infer _Q, infer _M, infer R> ? R : {};
+/** Recursively intersect extension types from a tuple of plugins */
+type MergePlugins<Plugins extends unknown[]> = Plugins extends [infer P, ...infer Rest] ? {
+  extQueryArgs: ExtractPluginQueryArgs<P> & MergePlugins<Rest>['extQueryArgs'];
+  extClientMembers: ExtractPluginClientMembers<P> & MergePlugins<Rest>['extClientMembers'];
+  extResult: ExtractPluginResult<P> & MergePlugins<Rest>['extResult'];
+} : {
+  extQueryArgs: {};
+  extClientMembers: {};
+  extResult: {};
+};
+/** Infer merged plugin extensions for a connection */
+type InferConnectionExtensions<K extends string> = StratalDatabase extends {
+  plugins: infer P;
+} ? K extends keyof P ? P[K] extends unknown[] ? MergePlugins<P[K]> : {
+  extQueryArgs: {};
+  extClientMembers: {};
+  extResult: {};
+} : {
+  extQueryArgs: {};
+  extClientMembers: {};
+  extResult: {};
+} : {
+  extQueryArgs: {};
+  extClientMembers: {};
+  extResult: {};
+};
+/** Infer schema type for a specific connection */
+type InferConnectionSchema<K extends string> = StratalDatabase extends {
+  schemas: infer R;
+} ? K extends keyof R ? R[K] extends SchemaDef ? R[K] : SchemaDef : SchemaDef : SchemaDef;
+/** Union of ALL schemas across connections (for events) */
+type InferAnySchema = StratalDatabase extends {
+  schemas: infer R;
+} ? R[keyof R] extends SchemaDef ? R[keyof R] : SchemaDef : SchemaDef;
+/** Connection name — derived from schemas keys */
+type ConnectionName = StratalDatabase extends {
+  schemas: infer R;
+} ? keyof R extends never ? string : Extract<keyof R, string> : string;
+/** Default connection name */
+type DefaultConnectionName = StratalDatabase extends {
+  defaultConnection: infer N extends string;
+} ? N : string;
+/**
+ * Internal context used by database service for dynamic event emission
+ * @internal
+ */
+interface InternalDatabaseEventContext {
+  data: unknown;
+  result?: unknown;
+}
+//#endregion
+export { InferConnectionSchema as a, InferConnectionExtensions as i, DefaultConnectionName as n, InternalDatabaseEventContext as o, InferAnySchema as r, StratalDatabase as s, ConnectionName as t };
+//# sourceMappingURL=types-BZlcRR2M.d.mts.map

package/dist/types-BZlcRR2M.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types-BZlcRR2M.d.mts","names":[],"sources":["../src/database/types.ts"],"mappings":";;;;;;AA+BA;;;;;AAAmC;;;;;;;;;;;;;;AAIiC;;;;;;;UAJnD,eAAA;;KAGZ,sBAAA,MACH,CAAA,SAAU,aAAA,0CAAuD,CAAA;;KAG9D,0BAAA,MACH,CAAA,SAAU,aAAA,0CAAuD,CAAA;;KAG9D,mBAAA,MACH,CAAA,SAAU,aAAA,0CAAuD,CAAA;;KAG9D,YAAA,8BACH,OAAA;EAEM,YAAA,EAAc,sBAAA,CAAuB,CAAA,IAAK,YAAA,CAAa,IAAA;EACvD,gBAAA,EAAkB,0BAAA,CAA2B,CAAA,IAAK,YAAA,CAAa,IAAA;EAC/D,SAAA,EAAW,mBAAA,CAAoB,CAAA,IAAK,YAAA,CAAa,IAAA;AAAA;EAEjD,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;;KAGpC,yBAAA,qBACV,eAAA;EAA0B,OAAA;AAAA,IACtB,CAAA,eAAgB,CAAA,GACd,CAAA,CAAE,CAAA,sBACA,YAAA,CAAa,CAAA,CAAE,CAAA;EACb,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;EAC1C,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;EAC1C,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;;KAGpC,qBAAA,qBACV,eAAA;EAA0B,OAAA;AAAA,IACtB,CAAA,eAAgB,CAAA,GAAI,CAAA,CAAE,CAAA,UAAW,SAAA,GAAY,CAAA,CAAE,CAAA,IAAK,SAAA,GAAY,SAAA,GAChE,SAAA;;KAGM,cAAA,GACV,eAAA;EAA0B,OAAA;AAAA,IACtB,CAAA,OAAQ,CAAA,UAAW,SAAA,GAAY,CAAA,OAAQ,CAAA,IAAK,SAAA,GAC5C,SAAA;;KAGM,cAAA,GACV,eAAA;EAA0B,OAAA;AAAA,UAChB,CAAA,0BAA2B,OAAA,OAAc,CAAA;;KAIzC,qBAAA,GACV,eAAA;EAA0B,iBAAA;AAAA,IAA8C,CAAA;;;;;UAMzD,4BAAA;EACf,IAAA;EACA,MAAA;AAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stratal/framework",
-  "version": "0.0.18",
+  "version": "0.0.19",
   "type": "module",
   "license": "MIT",
   "author": "Temitayo Fadojutimi",
@@ -26,6 +26,10 @@
       "types": "./dist/index.d.mts",
       "import": "./dist/index.mjs"
     },
+    "./access-control": {
+      "types": "./dist/access-control/index.d.mts",
+      "import": "./dist/access-control/index.mjs"
+    },
     "./auth": {
       "types": "./dist/auth/index.d.mts",
       "import": "./dist/auth/index.mjs"
@@ -46,10 +50,6 @@
       "types": "./dist/guards/index.d.mts",
       "import": "./dist/guards/index.mjs"
     },
-    "./rbac": {
-      "types": "./dist/rbac/index.d.mts",
-      "import": "./dist/rbac/index.mjs"
-    },
     "./package.json": "./package.json"
   },
   "scripts": {
@@ -67,36 +67,36 @@
     "lint:fix": "npx oxlint --fix ."
   },
   "dependencies": {
-    "@better-auth/core": "^1.5.6",
+    "@better-auth/core": "^1.6.9",
     "@faker-js/faker": "^10.4.0",
-    "@zenstackhq/cli": "^3.5.1",
-    "@zenstackhq/orm": "^3.5.1",
-    "better-auth": "^1.5.6",
-    "casbin": "^5.49.0",
+    "@zenstackhq/cli": "^3.6.3",
+    "@zenstackhq/orm": "^3.6.3",
+    "better-auth": "^1.6.9",
     "postgres-array": "^3.0.4"
   },
   "peerDependencies": {
     "pg": "^8.0.0",
     "reflect-metadata": "^0.2.2",
-    "stratal": "^0.0.18"
+    "stratal": "^0.0.19"
   },
   "devDependencies": {
-    "@cloudflare/vitest-pool-workers": "^0.13.5",
-    "@cloudflare/workers-types": "4.20260317.1",
+    "@cloudflare/vitest-pool-workers": "^0.15.0",
+    "@cloudflare/workers-types": "4.20260426.1",
     "@stratal/testing": "workspace:^",
-    "@types/node": "^25.5.0",
+    "@types/node": "^25.6.0",
     "@types/pg": "^8.20.0",
-    "@vitest/coverage-istanbul": "~4.1.2",
-    "@vitest/runner": "~4.1.2",
-    "@vitest/snapshot": "~4.1.2",
-    "@zenstackhq/better-auth": "^3.5.1",
+    "@vitest/coverage-istanbul": "~4.1.5",
+    "@vitest/runner": "~4.1.5",
+    "@vitest/snapshot": "~4.1.5",
+    "@zenstackhq/better-auth": "^3.6.3",
     "dotenv-cli": "^11.0.0",
+    "kysely": "0.28.16",
     "pg": "^8.20.0",
     "reflect-metadata": "^0.2.2",
     "stratal": "workspace:*",
-    "tsdown": "^0.21.6",
-    "typescript": "^6.0.2",
-    "vitest": "~4.1.2",
-    "wrangler": "^4.78.0"
+    "tsdown": "^0.21.10",
+    "typescript": "^6.0.3",
+    "vitest": "~4.1.5",
+    "wrangler": "^4.85.0"
   }
 }

package/dist/auth-context-BD2ApWg1.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-context-BD2ApWg1.d.mts","names":[],"sources":["../src/context/auth-context.ts"],"mappings":";UAMiB,QAAA;EACf,MAAA;AAAA;AAAA,cAIW,WAAA;EAAA,UACD,MAAA;EALJ;AAGR;;;EAQE,cAAA,CAAe,IAAA,EAAM,QAAA;EANX;;;;EAcV,SAAA,CAAA;EAQA;;;;EAAA,aAAA,CAAA;EA+BgB;;;EApBhB,cAAA,CAAA,GAAkB,QAAA;;;;EAYlB,eAAA,CAAA;;;;;EAQA,gBAAA,CAAA;AAAA"}

package/dist/auth-context-BfekHvM9.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-context-BfekHvM9.mjs","names":[],"sources":["../src/context/auth-context.ts"],"sourcesContent":["import { Transient, DI_TOKENS } from 'stratal/di'\nimport {\n  ContextNotInitializedError,\n  UserNotAuthenticatedError\n} from './errors'\n\nexport interface AuthInfo {\n  userId?: string\n}\n\n@Transient(DI_TOKENS.AuthContext)\nexport class AuthContext {\n  protected userId?: string\n\n  /**\n   * Set authentication context.\n   * This should be called once per request with user information.\n   */\n  setAuthContext(info: AuthInfo): void {\n    this.userId = info.userId\n  }\n\n  /**\n   * Get user ID if available.\n   * Returns undefined if no user is authenticated.\n   */\n  getUserId(): string | undefined {\n    return this.userId\n  }\n\n  /**\n   * Get user ID or throw if not authenticated.\n   * Use this when authentication is required.\n   */\n  requireUserId(): string {\n    const userId = this.getUserId()\n    if (!userId) {\n      throw new UserNotAuthenticatedError()\n    }\n    return userId\n  }\n\n  /**\n   * Get full authentication context or throw if not initialized.\n   */\n  getAuthContext(): AuthInfo {\n    if (!this.userId) {\n      throw new ContextNotInitializedError('Authentication')\n    }\n    return {\n      userId: this.userId\n    }\n  }\n\n  /**\n   * Check if user is authenticated.\n   */\n  isAuthenticated(): boolean {\n    return !!this.userId\n  }\n\n  /**\n   * Clear authentication context.\n   * Useful for testing or cleanup.\n   */\n  clearAuthContext(): void {\n    this.userId = undefined\n  }\n}\n"],"mappings":";;;;AAWO,IAAA,cAAA,MAAM,YAAY;CACvB;;;;;CAMA,eAAe,MAAsB;AACnC,OAAK,SAAS,KAAK;;;;;;CAOrB,YAAgC;AAC9B,SAAO,KAAK;;;;;;CAOd,gBAAwB;EACtB,MAAM,SAAS,KAAK,WAAW;AAC/B,MAAI,CAAC,OACH,OAAM,IAAI,2BAA2B;AAEvC,SAAO;;;;;CAMT,iBAA2B;AACzB,MAAI,CAAC,KAAK,OACR,OAAM,IAAI,2BAA2B,iBAAiB;AAExD,SAAO,EACL,QAAQ,KAAK,QACd;;;;;CAMH,kBAA2B;AACzB,SAAO,CAAC,CAAC,KAAK;;;;;;CAOhB,mBAAyB;AACvB,OAAK,SAAS,KAAA;;;0BAxDjB,UAAU,UAAU,YAAY,CAAA,EAAA,YAAA"}