@zanzojs/drizzle 0.1.0-beta.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +84 -47
  2. package/package.json +3 -3
package/README.md CHANGED
@@ -1,91 +1,91 @@
1
1
  # @zanzojs/drizzle
2
2
 
3
3
  [![npm version](https://img.shields.io/npm/v/@zanzojs/drizzle.svg?style=flat-square)](https://www.npmjs.com/package/@zanzojs/drizzle)
4
- [![Drizzle ORM](https://img.shields.io/badge/Drizzle-ORM-green.svg?style=flat-square)](https://orm.drizzle.team/)
4
+ [![Drizzle ORM](https://img.shields.io/badge/Drizzle-ORM-green.svg?style=flat-square)](https://orm.drizzle.team)
5
5
 
6
- The official Drizzle ORM adapter for ZanzoJS.
6
+ The official Drizzle ORM adapter for ZanzoJS.
7
7
 
8
- Translating complex relationship hierarchies into SQL `JOIN`s is historically messy and slow. This adapter implements the "Zanzibar Tuple Pattern", which translates your Zanzo authorization rules into safe, parameterized `EXISTS` subqueries targeting a single, universal table.
8
+ ## When to use this package
9
9
 
10
- ## Installation
10
+ `@zanzojs/drizzle` serves two distinct purposes:
11
+
12
+ **1. Write-time tuple materialization** (`expandTuples` / `collapseTuples`)
13
+ When you grant or revoke access via nested permission paths (e.g. `folder.admin`), you must pre-materialize the derived tuples in the database. This is what makes read-time evaluation fast.
14
+
15
+ **2. SQL-filtered queries for large datasets**
16
+ When you need to fetch a filtered list of resources (e.g. "all documents this user can read") and the dataset is too large to load entirely into memory, the adapter generates parameterized `EXISTS` subqueries that push the permission filter directly to the database.
17
+ ```typescript
18
+ // Without adapter — loads everything into memory and filters (inefficient for large datasets)
19
+ const allDocs = await db.select().from(documents);
20
+ const myDocs = allDocs.filter(d => snapshot['Document:' + d.id]?.includes('read'));
21
+
22
+ // With adapter — filter goes directly to SQL (efficient at any scale)
23
+ const myDocs = await db.select().from(documents)
24
+ .where(withPermissions('User:alice', 'read', 'Document', documents.id));
25
+ ```
26
+
27
+ > **Note:** For the frontend snapshot flow, you don't need this adapter. The snapshot is generated by loading the user's tuples with `engine.load()` and calling `createZanzoSnapshot()`. The adapter is for backend queries that need SQL-level filtering.
11
28
 
12
- This package requires `@zanzojs/core` and `drizzle-orm` as peer dependencies.
29
+ ## Installation
13
30
 
14
31
  ```bash
15
32
  pnpm add @zanzojs/core @zanzojs/drizzle drizzle-orm
16
33
  ```
17
34
 
18
- ## Setup Guide
35
+ ## Setup
19
36
 
20
- ### 1. The Universal Tuple Table
21
-
22
- Instead of spreading permission foreign keys across all your tables, you create a single table to hold all application relationships. This table structure is mandatory for the adapter to work.
37
+ ### 1. Create the Universal Tuple Table
23
38
 
39
+ All relationships live in a single table. This is the Zanzibar pattern.
24
40
  ```typescript
25
- import { sqliteTable, text } from 'drizzle-orm/sqlite-core';
41
+ import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core';
26
42
 
27
43
  export const zanzoTuples = sqliteTable('zanzo_tuples', {
28
- object: text('object').notNull(), // e.g., "Project:123"
29
- relation: text('relation').notNull(), // e.g., "owner"
30
- subject: text('subject').notNull(), // e.g., "User:999"
44
+ id: integer('id').primaryKey({ autoIncrement: true }),
45
+ object: text('object').notNull(), // e.g. "Document:doc1"
46
+ relation: text('relation').notNull(), // e.g. "owner"
47
+ subject: text('subject').notNull(), // e.g. "User:alice"
31
48
  });
32
49
  ```
33
50
 
34
- ### 2. Creating the Adapter
35
-
36
- You initialize the adapter by feeding it your core `ZanzoEngine` instance and your Drizzle tuple table reference.
37
-
51
+ ### 2. Create the adapter
38
52
  ```typescript
39
53
  import { createZanzoAdapter } from '@zanzojs/drizzle';
40
- import { engine } from './zanzo.config';
54
+ import { engine } from './zanzo.config';
41
55
  import { zanzoTuples } from './schema';
42
56
 
43
57
  export const withPermissions = createZanzoAdapter(engine, zanzoTuples);
44
58
  ```
45
59
 
46
- ### 3. Query Pushdown (Read Operations)
47
-
48
- Now, whenever you want to fetch a list of entities (like `Projects`) but only return the ones the user is allowed to read, you use the adapter to generate the `WHERE` clause dynamically.
49
-
60
+ ### 3. Query pushdown
50
61
  ```typescript
51
- import { db, projects } from './db';
52
-
53
- async function getReadableProjects(userId: string) {
54
- // Generate the AST SQL fragment
55
- const accessFilter = withPermissions(
56
- `User:${userId}`,
57
- 'read',
58
- 'Project',
59
- projects.id // The column to match against the tuple's object ID
60
- );
61
-
62
- // Apply it to your standard Drizzle query
63
- return await db.select().from(projects).where(accessFilter);
62
+ async function getReadableDocuments(userId: string) {
63
+ return await db.select()
64
+ .from(documents)
65
+ .where(withPermissions(`User:${userId}`, 'read', 'Document', documents.id));
64
66
  }
65
67
  ```
66
68
 
67
- ### Write Operations (Important!)
69
+ ## Write Operations
68
70
 
69
- The SQL adapter prioritizes extreme read performance. As a trade-off, it relies on strict string matching for nested definitions (e.g. `workspace.org.admin`).
70
-
71
- To make this work, **you must use `@zanzojs/core`'s `expandTuples()` function when writing to the database.** If you skip `expandTuples()` during mutations, deep permission paths will not resolve correctly during Drizzle queries.
71
+ ### Granting access with expandTuples
72
72
 
73
+ When assigning a role that involves nested permission paths, use `expandTuples` to materialize all derived tuples atomically.
73
74
  ```typescript
74
75
  import { expandTuples } from '@zanzojs/core';
75
76
 
76
- async function grantAccess(userId: string, projectId: string) {
77
+ async function grantAccess(userId: string, relation: string, objectId: string) {
77
78
  const baseTuple = {
78
79
  subject: `User:${userId}`,
79
- relation: 'owner',
80
- object: `Project:${projectId}`,
80
+ relation,
81
+ object: objectId,
81
82
  };
82
83
 
83
84
  const derived = await expandTuples({
84
85
  schema: engine.getSchema(),
85
86
  newTuple: baseTuple,
86
87
  fetchChildren: async (parentObject, relation) => {
87
- // Return child object IDs linked to parentObject via relation
88
- const rows = await db.select({ subject: zanzoTuples.subject })
88
+ const rows = await db.select({ object: zanzoTuples.object })
89
89
  .from(zanzoTuples)
90
90
  .where(and(
91
91
  eq(zanzoTuples.subject, parentObject),
@@ -95,11 +95,48 @@ async function grantAccess(userId: string, projectId: string) {
95
95
  },
96
96
  });
97
97
 
98
- // Insert base tuple + all derived tuples atomically
99
98
  await db.insert(zanzoTuples).values([baseTuple, ...derived]);
100
99
  }
101
100
  ```
102
101
 
103
- ## Documentation
102
+ ### Revoking access with collapseTuples
104
103
 
105
- For full architecture details, refer to the [ZanzoJS Monorepo](https://github.com/GonzaloJeria/zanzo).
104
+ `collapseTuples` is the symmetric inverse of `expandTuples`. It identifies all derived tuples to delete.
105
+ ```typescript
106
+ import { collapseTuples } from '@zanzojs/core';
107
+
108
+ async function revokeAccess(userId: string, relation: string, objectId: string) {
109
+ const baseTuple = {
110
+ subject: `User:${userId}`,
111
+ relation,
112
+ object: objectId,
113
+ };
114
+
115
+ const derived = await collapseTuples({
116
+ schema: engine.getSchema(),
117
+ revokedTuple: baseTuple,
118
+ fetchChildren: async (parentObject, relation) => {
119
+ const rows = await db.select({ object: zanzoTuples.object })
120
+ .from(zanzoTuples)
121
+ .where(and(
122
+ eq(zanzoTuples.subject, parentObject),
123
+ eq(zanzoTuples.relation, relation),
124
+ ));
125
+ return rows.map(r => r.object);
126
+ },
127
+ });
128
+
129
+ for (const tuple of [baseTuple, ...derived]) {
130
+ await db.delete(zanzoTuples).where(and(
131
+ eq(zanzoTuples.subject, tuple.subject),
132
+ eq(zanzoTuples.relation, tuple.relation),
133
+ eq(zanzoTuples.object, tuple.object),
134
+ ));
135
+ }
136
+ }
137
+ ```
138
+
139
+ > **expandTuples and collapseTuples are symmetric.** If `expandTuples` derived a tuple, `collapseTuples` will identify it for deletion. This guarantees no orphaned tuples.
140
+
141
+ ## Documentation
142
+ For full architecture details, see the [ZanzoJS Monorepo](https://github.com/GonzaloJeria/zanzo).
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@zanzojs/drizzle",
3
- "version": "0.1.0-beta.2",
3
+ "version": "0.2.0",
4
4
  "description": "Drizzle ORM adapter for Zanzo ReBAC. Zero-config Zanzibar Tuple Pattern with parameterized SQL.",
5
5
  "keywords": [
6
6
  "@zanzojs/core",
@@ -38,7 +38,7 @@
38
38
  "access": "public"
39
39
  },
40
40
  "peerDependencies": {
41
- "@zanzojs/core": "^0.1.0-beta.0",
41
+ "@zanzojs/core": "^0.2.0",
42
42
  "drizzle-orm": ">=0.29.0"
43
43
  },
44
44
  "devDependencies": {
@@ -46,7 +46,7 @@
46
46
  "typescript": "^5.7.2",
47
47
  "tsup": "latest",
48
48
  "vitest": "latest",
49
- "@zanzojs/core": "0.1.0-beta.2"
49
+ "@zanzojs/core": "0.2.0"
50
50
  },
51
51
  "scripts": {
52
52
  "build": "tsup",