@zanzojs/drizzle 0.1.0 → 0.3.0

package/README.md

@@ -1,91 +1,116 @@
 # @zanzojs/drizzle
 
 [![npm version](https://img.shields.io/npm/v/@zanzojs/drizzle.svg?style=flat-square)](https://www.npmjs.com/package/@zanzojs/drizzle)
-[![Drizzle ORM](https://img.shields.io/badge/Drizzle-ORM-green.svg?style=flat-square)](https://orm.drizzle.team/)
+[![Drizzle ORM](https://img.shields.io/badge/Drizzle-ORM-green.svg?style=flat-square)](https://orm.drizzle.team)
 
-The official Drizzle ORM adapter for ZanzoJS. 
+The official Drizzle ORM adapter for ZanzoJS.
 
-Translating complex relationship hierarchies into SQL `JOIN`s is historically messy and slow. This adapter implements the "Zanzibar Tuple Pattern", which translates your Zanzo authorization rules into safe, parameterized `EXISTS` subqueries targeting a single, universal table.
+## When to use this package
 
-## Installation
+`@zanzojs/drizzle` serves two distinct purposes:
 
-This package requires `@zanzojs/core` and `drizzle-orm` as peer dependencies.
+**1. Write-time tuple materialization** (`materializeDerivedTuples` / `removeDerivedTuples`)
+When you grant or revoke access via nested permission paths (e.g. `folder.admin`), you must pre-materialize the derived tuples in the database. This is what makes read-time evaluation fast.
 
-```bash
-pnpm add @zanzojs/core @zanzojs/drizzle drizzle-orm
+**2. SQL-filtered queries for large datasets**
+When you need to fetch a filtered list of resources (e.g. "all documents this user can read") and the dataset is too large to load entirely into memory, the adapter generates parameterized `EXISTS` subqueries that push the permission filter directly to the database.
+
+> [!TIP]
+> **Performance Optimized**: As of v0.3.0, the adapter automatically groups multiple permission paths into a single `EXISTS` subquery using an `IN` clause, providing significant performance gains for complex schemas.
+
+```typescript
+// Without adapter — loads everything into memory and filters (inefficient for large datasets)
+const allDocs = await db.select().from(documents);
+const myDocs = allDocs.filter(d => snapshot['Document:' + d.id]?.includes('read'));
+
+// With adapter — filter goes directly to SQL (efficient at any scale)
+const myDocs = await db.select().from(documents)
+  .where(withPermissions('User:alice', 'read', 'Document', documents.id));
 ```
 
-## Setup Guide
+> **Note:** For the frontend snapshot flow, you don't need this adapter. The snapshot is generated by loading the user's tuples with `engine.load()` and calling `createZanzoSnapshot()`. The adapter is for backend queries that need SQL-level filtering.
+
+## Installation
+
+```bash
+pnpm add @zanzojs/core@latest @zanzojs/drizzle@latest drizzle-orm
+```
 
-### 1. The Universal Tuple Table
+## Setup
 
-Instead of spreading permission foreign keys across all your tables, you create a single table to hold all application relationships. This table structure is mandatory for the adapter to work.
+### 1. Create the Universal Tuple Table
 
+All relationships live in a single table. This is the Zanzibar pattern.
 ```typescript
-import { sqliteTable, text } from 'drizzle-orm/sqlite-core';
+import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core';
 
 export const zanzoTuples = sqliteTable('zanzo_tuples', {
-  object: text('object').notNull(),     // e.g., "Project:123"
-  relation: text('relation').notNull(), // e.g., "owner"
-  subject: text('subject').notNull(),   // e.g., "User:999"
+  id: integer('id').primaryKey({ autoIncrement: true }),
+  object: text('object').notNull(),     // e.g. "Document:doc1"
+  relation: text('relation').notNull(), // e.g. "owner"
+  subject: text('subject').notNull(),   // e.g. "User:alice"
 });
 ```
 
-### 2. Creating the Adapter
-
-You initialize the adapter by feeding it your core `ZanzoEngine` instance and your Drizzle tuple table reference. 
-
+### 2. Create the adapter
 ```typescript
 import { createZanzoAdapter } from '@zanzojs/drizzle';
-import { engine } from './zanzo.config'; 
+import { engine } from './zanzo.config';
 import { zanzoTuples } from './schema';
 
 export const withPermissions = createZanzoAdapter(engine, zanzoTuples);
 ```
 
-### 3. Query Pushdown (Read Operations)
+### 3. Query pushdown
+```typescript
+async function getReadableDocuments(userId: string) {
+  return await db.select()
+    .from(documents)
+    .where(withPermissions(`User:${userId}`, 'read', 'Document', documents.id));
+}
+```
+
+## Configuration Options
 
-Now, whenever you want to fetch a list of entities (like `Projects`) but only return the ones the user is allowed to read, you use the adapter to generate the `WHERE` clause dynamically.
+`createZanzoAdapter` accepts an optional `options` object:
 
 ```typescript
-import { db, projects } from './db';
-
-async function getReadableProjects(userId: string) {
-  // Generate the AST SQL fragment
-  const accessFilter = withPermissions(
-    `User:${userId}`, 
-    'read', 
-    'Project', 
-    projects.id // The column to match against the tuple's object ID
-  );
-
-  // Apply it to your standard Drizzle query
-  return await db.select().from(projects).where(accessFilter);
-}
+export const withPermissions = createZanzoAdapter(engine, zanzoTuples, {
+  dialect: 'postgres', // 'postgres' (default), 'mysql', or 'sqlite'
+  debug: false,       // Set to true to log generated SQL and AST
+  warnOnNestedConditions: true // Warns if materialized tuples are missing
+});
 ```
 
-### Write Operations (Important!)
+### 1. SQL Injection Prevention
+As of v0.3.0, the adapter avoids `sql.raw` for all resource identifiers. All inputs are handled via Drizzle's secure parameter binding.
+
+### 2. Dialect Support
+The adapter is dialect-aware. If you use SQLite, specify `{ dialect: 'sqlite' }` to use the `||` operator for string concatenation instead of `CONCAT`.
 
-The SQL adapter prioritizes extreme read performance. As a trade-off, it relies on strict string matching for nested definitions (e.g. `workspace.org.admin`). 
+### 3. AST Caching
+The adapter includes internal caching of structural permission trees (ASTs), minimizing CPU overhead for repeated queries on the same resource types.
 
-To make this work, **you must use `@zanzojs/core`'s `expandTuples()` function when writing to the database.** If you skip `expandTuples()` during mutations, deep permission paths will not resolve correctly during Drizzle queries.
+## Write Operations
 
+### Granting access with materializeDerivedTuples
+
+When assigning a role that involves nested permission paths, use `materializeDerivedTuples` to materialize all derived tuples atomically.
 ```typescript
-import { expandTuples } from '@zanzojs/core';
+import { materializeDerivedTuples } from '@zanzojs/core';
 
-async function grantAccess(userId: string, projectId: string) {
+async function grantAccess(userId: string, relation: string, objectId: string) {
   const baseTuple = {
     subject: `User:${userId}`,
-    relation: 'owner',
-    object: `Project:${projectId}`,
+    relation,
+    object: objectId,
   };
 
-  const derived = await expandTuples({
+  const derived = await materializeDerivedTuples({
     schema: engine.getSchema(),
     newTuple: baseTuple,
     fetchChildren: async (parentObject, relation) => {
-      // Return child object IDs linked to parentObject via relation
-      const rows = await db.select({ subject: zanzoTuples.subject })
+      const rows = await db.select({ object: zanzoTuples.object })
         .from(zanzoTuples)
         .where(and(
           eq(zanzoTuples.subject, parentObject),
@@ -95,11 +120,48 @@ async function grantAccess(userId: string, projectId: string) {
     },
   });
 
-  // Insert base tuple + all derived tuples atomically
   await db.insert(zanzoTuples).values([baseTuple, ...derived]);
 }
 ```
 
-## Documentation
+### Revoking access with removeDerivedTuples
 
-For full architecture details, refer to the [ZanzoJS Monorepo](https://github.com/GonzaloJeria/zanzo).
+`removeDerivedTuples` is the symmetric inverse of `materializeDerivedTuples`. It identifies all derived tuples to delete.
+```typescript
+import { removeDerivedTuples } from '@zanzojs/core';
+
+async function revokeAccess(userId: string, relation: string, objectId: string) {
+  const baseTuple = {
+    subject: `User:${userId}`,
+    relation,
+    object: objectId,
+  };
+
+  const derived = await removeDerivedTuples({
+    schema: engine.getSchema(),
+    revokedTuple: baseTuple,
+    fetchChildren: async (parentObject, relation) => {
+      const rows = await db.select({ object: zanzoTuples.object })
+        .from(zanzoTuples)
+        .where(and(
+          eq(zanzoTuples.subject, parentObject),
+          eq(zanzoTuples.relation, relation),
+        ));
+      return rows.map(r => r.object);
+    },
+  });
+
+  for (const tuple of [baseTuple, ...derived]) {
+    await db.delete(zanzoTuples).where(and(
+      eq(zanzoTuples.subject, tuple.subject),
+      eq(zanzoTuples.relation, tuple.relation),
+      eq(zanzoTuples.object, tuple.object),
+    ));
+  }
+}
+```
+
+> **materializeDerivedTuples and removeDerivedTuples are symmetric.** If `materializeDerivedTuples` derived a tuple, `removeDerivedTuples` will identify it for deletion. This guarantees no orphaned tuples.
+
+## Documentation
+For full architecture details, see the [ZanzoJS Monorepo](https://github.com/GonzaloJeria/zanzo).

package/dist/index.cjs

@@ -28,35 +28,63 @@ var import_core = require("@zanzojs/core");
 function createZanzoAdapter(engine, tupleTable, options) {
   const isDev = typeof process !== "undefined" && process.env?.NODE_ENV === "development";
   const shouldWarn = options?.warnOnNestedConditions ?? isDev;
+  const isDebug = options?.debug ?? false;
+  const dialect = options?.dialect ?? "postgres";
+  const astCache = /* @__PURE__ */ new Map();
   return function withPermissions(actor, action, resourceType, resourceIdColumn) {
-    const ast = engine.buildDatabaseQuery(actor, action, resourceType);
+    const cacheKey = `${action}:${resourceType}`;
+    let ast = astCache.get(cacheKey);
+    if (ast === void 0) {
+      ast = engine.buildDatabaseQuery(actor, action, resourceType);
+      astCache.set(cacheKey, ast);
+    } else if (ast) {
+    }
+    if (isDebug) {
+      console.debug(`[Zanzo Debug] Action: ${action}, Resource: ${resourceType}`);
+      console.debug(`[Zanzo Debug] Generated AST:`, JSON.stringify(ast, null, 2));
+    }
     if (ast && ast.conditions.length > 100) {
-      throw new Error(`[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches. Please optimize your schema or rely on pre-computed tuples to avoid database exhaustion.`);
+      throw new import_core.ZanzoError(import_core.ZanzoErrorCode.AST_OVERFLOW, `[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches.`);
     }
-    if (!ast) {
+    if (!ast || ast.conditions.length === 0) {
       return import_drizzle_orm.sql`1 = 0`;
     }
-    const parseCondition = (cond) => {
-      const objectString = import_drizzle_orm.sql`${resourceType} || '${import_drizzle_orm.sql.raw(import_core.ENTITY_REF_SEPARATOR)}' || ${resourceIdColumn}`;
+    const objectString = dialect === "sqlite" ? import_drizzle_orm.sql`${resourceType} || ${import_core.ENTITY_REF_SEPARATOR} || ${resourceIdColumn}` : import_drizzle_orm.sql`CONCAT(${resourceType}, ${import_core.ENTITY_REF_SEPARATOR}, ${resourceIdColumn})`;
+    const relationsBySubject = /* @__PURE__ */ new Map();
+    for (const cond of ast.conditions) {
+      const fullRelation = cond.type === "nested" ? [cond.relation, ...cond.nextRelationPath].join(import_core.RELATION_PATH_SEPARATOR) : cond.relation;
       if (cond.type === "nested" && shouldWarn) {
-        console.warn(`[Zanzo] Nested permission path detected: '${[cond.relation, ...cond.nextRelationPath].join(import_core.RELATION_PATH_SEPARATOR)}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used expandTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);
+        console.warn(`[Zanzo] Nested permission path detected: '${fullRelation}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used materializeDerivedTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);
       }
-      const relationString = cond.type === "nested" ? [cond.relation, ...cond.nextRelationPath].join(import_core.RELATION_PATH_SEPARATOR) : cond.relation;
-      return import_drizzle_orm.sql`EXISTS (
-        SELECT 1 FROM ${tupleTable} 
-        WHERE ${tupleTable.object} = ${objectString} 
-          AND ${tupleTable.relation} = ${relationString} 
-          AND ${tupleTable.subject} = ${cond.targetSubject}
-      )`;
-    };
-    const parsedConditions = ast.conditions.map(parseCondition).filter((c) => c !== void 0);
-    if (parsedConditions.length === 0) {
-      return import_drizzle_orm.sql`1 = 0`;
+      const targetSubject = cond.targetSubject === actor ? actor : cond.targetSubject;
+      let relations = relationsBySubject.get(targetSubject);
+      if (!relations) {
+        relations = /* @__PURE__ */ new Set();
+        relationsBySubject.set(targetSubject, relations);
+      }
+      relations.add(fullRelation);
+    }
+    const sqlConditions = [];
+    for (const [subject, relations] of relationsBySubject.entries()) {
+      const relationArray = Array.from(relations);
+      const condition = relationArray.length === 1 ? import_drizzle_orm.sql`EXISTS (
+            SELECT 1 FROM ${tupleTable} 
+            WHERE ${tupleTable.object} = ${objectString} 
+              AND ${tupleTable.relation} = ${relationArray[0]} 
+              AND ${tupleTable.subject} = ${subject}
+          )` : import_drizzle_orm.sql`EXISTS (
+            SELECT 1 FROM ${tupleTable} 
+            WHERE ${tupleTable.object} = ${objectString} 
+              AND ${tupleTable.relation} IN (${import_drizzle_orm.sql.join(relationArray.map((r) => import_drizzle_orm.sql`${r}`), import_drizzle_orm.sql`, `)}) 
+              AND ${tupleTable.subject} = ${subject}
+          )`;
+      sqlConditions.push(condition);
     }
-    if (ast.operator === "AND") {
-      return (0, import_drizzle_orm.and)(...parsedConditions);
+    const finalFilter = ast.operator === "AND" ? (0, import_drizzle_orm.and)(...sqlConditions) : (0, import_drizzle_orm.or)(...sqlConditions);
+    if (isDebug) {
+      console.debug(`[Zanzo Debug] Final SQL Filter Generated.`);
     }
-    return (0, import_drizzle_orm.or)(...parsedConditions);
+    return finalFilter;
   };
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { or, and, SQL, sql, AnyColumn } from 'drizzle-orm';\nimport type { QueryAST, Condition, ZanzoEngine, SchemaData, ExtractSchemaResources, ExtractSchemaActions } from '@zanzojs/core';\nimport { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR } from '@zanzojs/core';\n\n/**\n * Ensures the passed Drizzle Table conforms to the mandatory Zanzibar Universal Tuple Structure.\n */\nexport interface ZanzoTupleTable {\n  object: AnyColumn; // String e.g. \"Invoice:123\"\n  relation: AnyColumn; // String e.g. \"owner\"\n  subject: AnyColumn;  // String e.g. \"User:1\"\n  [key: string]: any; // Allow extensions like IDs or context\n}\n\nexport interface ZanzoAdapterOptions {\n  /**\n   * Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,\n   * reminding you to use expandTuples() when writing this relationship.\n   *\n   * @default true in NODE_ENV=development, false in production\n   */\n  warnOnNestedConditions?: boolean;\n}\n\n/**\n * Creates a \"Zero-Config\" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.\n * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.\n *\n * @param engine The initialized ZanzoEngine instance\n * @param tupleTable The central Drizzle Table where all Relation Tuples are stored\n * @param options Optional configuration for the adapter\n * @returns A bounded `withPermissions` closure\n */\nexport function createZanzoAdapter<TSchema extends SchemaData, TTable extends ZanzoTupleTable>(\n  engine: ZanzoEngine<TSchema>,\n  tupleTable: TTable,\n  options?: ZanzoAdapterOptions\n) {\n  // Smart default: auto-enable warnings in development unless explicitly configured\n  const isDev = typeof process !== 'undefined' && process.env?.NODE_ENV === 'development';\n  const shouldWarn = options?.warnOnNestedConditions ?? isDev;\n\n  /**\n   * Generates a Drizzle SQL AST (subquery strategy) resolving access against the Universal Tuple Table.\n   *\n   * @param actor The Subject identifier validating access (e.g \"User:1\")\n   * @param action The protected action (e.g \"read\")\n   * @param resourceType The target Domain scope (e.g \"Invoice\")\n   * @param resourceIdColumn The specific Drizzle column representing the object's ID in the business table (e.g `invoices.id`)\n   */\n  return function withPermissions<\n    TResourceName extends Extract<ExtractSchemaResources<TSchema>, string>,\n    TAction extends ExtractSchemaActions<TSchema, TResourceName>,\n  >(\n    actor: string,\n    action: TAction,\n    resourceType: TResourceName,\n    resourceIdColumn: AnyColumn\n  ): SQL<unknown> {\n    \n    // Evaluate the underlying pure logical AST\n    const ast = engine.buildDatabaseQuery(actor, action as any, resourceType as any);\n\n    // Protection Against 'The List Problem' / Query Payload Exhaustion:\n    // If a badly designed ReBAC schema generates a monstrous combinatorial AST tree, \n    // it could exceed max SQL text limits resulting in DB crashes. Abort safely.\n    if (ast && ast.conditions.length > 100) {\n      throw new Error(`[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches. Please optimize your schema or rely on pre-computed tuples to avoid database exhaustion.`);\n    }\n\n    if (!ast) {\n      // Access totally denied\n      return sql`1 = 0`; \n    }\n\n    const parseCondition = (cond: Condition): SQL<unknown> | undefined => {\n      \n      // In the Zanzibar Pattern, ALL conditions (direct or nested) ultimately result\n      // in looking up pre-computed or dynamically queried tuples.\n      // E.g for a direct target: SELECT 1 FROM tuples WHERE object = TYPE:ID AND relation = X AND subject = TARGET\n      \n      const objectString = sql`${resourceType} || '${sql.raw(ENTITY_REF_SEPARATOR)}' || ${resourceIdColumn}`;\n\n      // In Zanzibar, nested conditions (e.g. org.admin) are evaluated using the \"Tuple Expansion\" pattern.\n      // This means the user has asynchronously written materialized tuples into the database.\n      // Therefore, both direct and nested queries are resolved identically via O(1) EXISTS lookups.\n      if (cond.type === 'nested' && shouldWarn) {\n        console.warn(`[Zanzo] Nested permission path detected: '${[cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR)}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used expandTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);\n      }\n\n      const relationString = cond.type === 'nested' \n        ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) \n        : cond.relation;\n\n      return sql`EXISTS (\n        SELECT 1 FROM ${tupleTable} \n        WHERE ${tupleTable.object} = ${objectString} \n          AND ${tupleTable.relation} = ${relationString} \n          AND ${tupleTable.subject} = ${cond.targetSubject}\n      )`;\n    };\n\n    const parsedConditions = ast.conditions\n      .map(parseCondition)\n      .filter((c): c is SQL<unknown> => c !== undefined);\n\n    if (parsedConditions.length === 0) {\n       return sql`1 = 0`;\n    }\n\n    if (ast.operator === 'AND') {\n      return and(...parsedConditions) as SQL<unknown>;\n    }\n\n    return or(...parsedConditions) as SQL<unknown>;\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yBAA6C;AAE7C,kBAA8D;AA+BvD,SAAS,mBACd,QACA,YACA,SACA;AAEA,QAAM,QAAQ,OAAO,YAAY,eAAe,QAAQ,KAAK,aAAa;AAC1E,QAAM,aAAa,SAAS,0BAA0B;AAUtD,SAAO,SAAS,gBAId,OACA,QACA,cACA,kBACc;AAGd,UAAM,MAAM,OAAO,mBAAmB,OAAO,QAAe,YAAmB;AAK/E,QAAI,OAAO,IAAI,WAAW,SAAS,KAAK;AACtC,YAAM,IAAI,MAAM,oMAAoM;AAAA,IACtN;AAEA,QAAI,CAAC,KAAK;AAER,aAAO;AAAA,IACT;AAEA,UAAM,iBAAiB,CAAC,SAA8C;AAMpE,YAAM,eAAe,yBAAM,YAAY,QAAQ,uBAAI,IAAI,gCAAoB,CAAC,QAAQ,gBAAgB;AAKpG,UAAI,KAAK,SAAS,YAAY,YAAY;AACxC,gBAAQ,KAAK,6CAA6C,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,mCAAuB,CAAC,0LAA0L;AAAA,MAC7T;AAEA,YAAM,iBAAiB,KAAK,SAAS,WACjC,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,mCAAuB,IACtE,KAAK;AAET,aAAO;AAAA,wBACW,UAAU;AAAA,gBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,gBACnC,WAAW,QAAQ,MAAM,cAAc;AAAA,gBACvC,WAAW,OAAO,MAAM,KAAK,aAAa;AAAA;AAAA,IAEtD;AAEA,UAAM,mBAAmB,IAAI,WAC1B,IAAI,cAAc,EAClB,OAAO,CAAC,MAAyB,MAAM,MAAS;AAEnD,QAAI,iBAAiB,WAAW,GAAG;AAChC,aAAO;AAAA,IACV;AAEA,QAAI,IAAI,aAAa,OAAO;AAC1B,iBAAO,wBAAI,GAAG,gBAAgB;AAAA,IAChC;AAEA,eAAO,uBAAG,GAAG,gBAAgB;AAAA,EAC/B;AACF;","names":[]}
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { or, and, SQL, sql, AnyColumn } from 'drizzle-orm';\nimport type { QueryAST, Condition, ZanzoEngine, SchemaData, ExtractSchemaResources, ExtractSchemaActions } from '@zanzojs/core';\nimport { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR, ZanzoError, ZanzoErrorCode } from '@zanzojs/core';\n\n/**\n * Ensures the passed Drizzle Table conforms to the mandatory Zanzibar Universal Tuple Structure.\n */\nexport interface ZanzoTupleTable {\n  object: AnyColumn; // String e.g. \"Invoice:123\"\n  relation: AnyColumn; // String e.g. \"owner\"\n  subject: AnyColumn;  // String e.g. \"User:1\"\n  [key: string]: any; // Allow extensions like IDs or context\n}\n\nexport interface ZanzoAdapterOptions {\n  /**\n   * Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,\n   * reminding you to use materializeDerivedTuples() when writing this relationship.\n   *\n   * @default true in NODE_ENV=development, false in production\n   */\n  warnOnNestedConditions?: boolean;\n\n  /**\n   * If true, logs the generated AST and SQL conditions to the console for debugging purposes.\n   * @default false\n   */\n  debug?: boolean;\n\n  /**\n   * The database dialect. Used to optimize string concatenation.\n   * If not provided, it defaults to 'postgres' which uses standard CONCAT.\n   * @default 'postgres'\n   */\n  dialect?: 'mysql' | 'postgres' | 'sqlite';\n}\n\n/**\n * Creates a \"Zero-Config\" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.\n * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.\n *\n * @remarks\n * **Validation Contract**: This adapter assumes all identifiers (actor, resource IDs) have been \n * validated by the ZanzoEngine before calling `withPermissions`. Passing raw user input \n * directly without routing through the engine first may bypass validation and produce \n * unexpected query behavior.\n *\n * @param engine The initialized ZanzoEngine instance\n * @param tupleTable The central Drizzle Table where all Relation Tuples are stored\n * @param options Optional configuration for the adapter\n * @returns A bounded `withPermissions` closure\n */\nexport function createZanzoAdapter<TSchema extends SchemaData, TTable extends ZanzoTupleTable>(\n  engine: ZanzoEngine<TSchema>,\n  tupleTable: TTable,\n  options?: ZanzoAdapterOptions\n) {\n  // Smart default: auto-enable warnings in development unless explicitly configured\n  const isDev = typeof process !== 'undefined' && process.env?.NODE_ENV === 'development';\n  const shouldWarn = options?.warnOnNestedConditions ?? isDev;\n  const isDebug = options?.debug ?? false;\n  const dialect = options?.dialect ?? 'postgres';\n\n  // Performance Optimization: Cache structural ASTs per action+resourceType\n  // The actor is NOT part of the key as it varies per request, but the logical \n  // permission tree (AST) for a given action on a resource type is static.\n  const astCache = new Map<string, QueryAST | null>();\n\n  /**\n   * Generates a Drizzle SQL AST (subquery strategy) resolving access against the Universal Tuple Table.\n   *\n   * @remarks\n   * This function assumes all identifiers have been validated by the ZanzoEngine.\n   */\n  return function withPermissions<\n    TResourceName extends Extract<ExtractSchemaResources<TSchema>, string>,\n    TAction extends ExtractSchemaActions<TSchema, TResourceName>,\n  >(\n    actor: string,\n    action: TAction,\n    resourceType: TResourceName,\n    resourceIdColumn: AnyColumn\n  ): SQL<unknown> {\n    \n    // Check Cache first\n    const cacheKey = `${action as string}:${resourceType as string}`;\n    let ast = astCache.get(cacheKey);\n\n    if (ast === undefined) {\n      // Evaluate the underlying pure logical AST\n      // We use a dummy actor for the initial build to get the structural conditions,\n      // then we'll replace the targetSubject with the real actor if needed.\n      // Actually, buildDatabaseQuery uses the actor in the conditions.\n      ast = engine.buildDatabaseQuery(actor, action as any, resourceType as any);\n      astCache.set(cacheKey, ast);\n    } else if (ast) {\n        // If we have a cached AST, we must update the targetSubject for the current actor\n        // Since we are rebuilding the SQL conditions anyway, we can just use the actor \n        // from the function arguments.\n    }\n\n    if (isDebug) {\n      console.debug(`[Zanzo Debug] Action: ${action as string}, Resource: ${resourceType as string}`);\n      console.debug(`[Zanzo Debug] Generated AST:`, JSON.stringify(ast, null, 2));\n    }\n\n    // Protection Against 'The List Problem' / Query Payload Exhaustion\n    if (ast && ast.conditions.length > 100) {\n      throw new ZanzoError(ZanzoErrorCode.AST_OVERFLOW, `[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches.`);\n    }\n\n    if (!ast || ast.conditions.length === 0) {\n      return sql`1 = 0`; \n    }\n\n    // Dialect-agnostic/Secure concatenation for the object identifier: \"ResourceType:ID\"\n    // We avoid sql.raw to prevent injection.\n    const objectString = dialect === 'sqlite'\n      ? sql`${resourceType} || ${ENTITY_REF_SEPARATOR} || ${resourceIdColumn}`\n      : sql`CONCAT(${resourceType}, ${ENTITY_REF_SEPARATOR}, ${resourceIdColumn})`;\n\n    // OPTIMIZATION: In Zanzibar, most permissions share the same subject and object target.\n    // We group all conditions that share the same targetSubject into a single EXISTS subquery using IN.\n    const relationsBySubject = new Map<string, Set<string>>();\n\n    for (const cond of ast.conditions) {\n      // Logic for building the full relation name (e.g. \"workspace.viewer\")\n      const fullRelation = cond.type === 'nested' \n        ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) \n        : cond.relation;\n\n      if (cond.type === 'nested' && shouldWarn) {\n        console.warn(`[Zanzo] Nested permission path detected: '${fullRelation}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used materializeDerivedTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);\n      }\n\n      // Use the actual actor from arguments to ensure correctness even with cached AST\n      const targetSubject = cond.targetSubject === actor ? actor : cond.targetSubject;\n\n      let relations = relationsBySubject.get(targetSubject);\n      if (!relations) {\n        relations = new Set();\n        relationsBySubject.set(targetSubject, relations);\n      }\n      relations.add(fullRelation);\n    }\n\n    const sqlConditions: SQL<unknown>[] = [];\n\n    for (const [subject, relations] of relationsBySubject.entries()) {\n      const relationArray = Array.from(relations);\n      \n      const condition = relationArray.length === 1\n        ? sql`EXISTS (\n            SELECT 1 FROM ${tupleTable} \n            WHERE ${tupleTable.object} = ${objectString} \n              AND ${tupleTable.relation} = ${relationArray[0]} \n              AND ${tupleTable.subject} = ${subject}\n          )`\n        : sql`EXISTS (\n            SELECT 1 FROM ${tupleTable} \n            WHERE ${tupleTable.object} = ${objectString} \n              AND ${tupleTable.relation} IN (${sql.join(relationArray.map(r => sql`${r}`), sql`, `)}) \n              AND ${tupleTable.subject} = ${subject}\n          )`;\n      \n      sqlConditions.push(condition);\n    }\n\n    const finalFilter = (ast.operator === 'AND' ? and(...sqlConditions) : or(...sqlConditions)) as SQL<unknown>;\n\n    if (isDebug) {\n      console.debug(`[Zanzo Debug] Final SQL Filter Generated.`);\n    }\n\n    return finalFilter;\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yBAA6C;AAE7C,kBAA0F;AAkDnF,SAAS,mBACd,QACA,YACA,SACA;AAEA,QAAM,QAAQ,OAAO,YAAY,eAAe,QAAQ,KAAK,aAAa;AAC1E,QAAM,aAAa,SAAS,0BAA0B;AACtD,QAAM,UAAU,SAAS,SAAS;AAClC,QAAM,UAAU,SAAS,WAAW;AAKpC,QAAM,WAAW,oBAAI,IAA6B;AAQlD,SAAO,SAAS,gBAId,OACA,QACA,cACA,kBACc;AAGd,UAAM,WAAW,GAAG,MAAgB,IAAI,YAAsB;AAC9D,QAAI,MAAM,SAAS,IAAI,QAAQ;AAE/B,QAAI,QAAQ,QAAW;AAKrB,YAAM,OAAO,mBAAmB,OAAO,QAAe,YAAmB;AACzE,eAAS,IAAI,UAAU,GAAG;AAAA,IAC5B,WAAW,KAAK;AAAA,IAIhB;AAEA,QAAI,SAAS;AACX,cAAQ,MAAM,yBAAyB,MAAgB,eAAe,YAAsB,EAAE;AAC9F,cAAQ,MAAM,gCAAgC,KAAK,UAAU,KAAK,MAAM,CAAC,CAAC;AAAA,IAC5E;AAGA,QAAI,OAAO,IAAI,WAAW,SAAS,KAAK;AACtC,YAAM,IAAI,uBAAW,2BAAe,cAAc,2GAA2G;AAAA,IAC/J;AAEA,QAAI,CAAC,OAAO,IAAI,WAAW,WAAW,GAAG;AACvC,aAAO;AAAA,IACT;AAIA,UAAM,eAAe,YAAY,WAC7B,yBAAM,YAAY,OAAO,gCAAoB,OAAO,gBAAgB,KACpE,gCAAa,YAAY,KAAK,gCAAoB,KAAK,gBAAgB;AAI3E,UAAM,qBAAqB,oBAAI,IAAyB;AAExD,eAAW,QAAQ,IAAI,YAAY;AAEjC,YAAM,eAAe,KAAK,SAAS,WAC/B,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,mCAAuB,IACtE,KAAK;AAET,UAAI,KAAK,SAAS,YAAY,YAAY;AACxC,gBAAQ,KAAK,6CAA6C,YAAY,sMAAsM;AAAA,MAC9Q;AAGA,YAAM,gBAAgB,KAAK,kBAAkB,QAAQ,QAAQ,KAAK;AAElE,UAAI,YAAY,mBAAmB,IAAI,aAAa;AACpD,UAAI,CAAC,WAAW;AACd,oBAAY,oBAAI,IAAI;AACpB,2BAAmB,IAAI,eAAe,SAAS;AAAA,MACjD;AACA,gBAAU,IAAI,YAAY;AAAA,IAC5B;AAEA,UAAM,gBAAgC,CAAC;AAEvC,eAAW,CAAC,SAAS,SAAS,KAAK,mBAAmB,QAAQ,GAAG;AAC/D,YAAM,gBAAgB,MAAM,KAAK,SAAS;AAE1C,YAAM,YAAY,cAAc,WAAW,IACvC;AAAA,4BACkB,UAAU;AAAA,oBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,oBACnC,WAAW,QAAQ,MAAM,cAAc,CAAC,CAAC;AAAA,oBACzC,WAAW,OAAO,MAAM,OAAO;AAAA,eAEzC;AAAA,4BACkB,UAAU;AAAA,oBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,oBACnC,WAAW,QAAQ,QAAQ,uBAAI,KAAK,cAAc,IAAI,OAAK,yBAAM,CAAC,EAAE,GAAG,0BAAO,CAAC;AAAA,oBAC/E,WAAW,OAAO,MAAM,OAAO;AAAA;AAG7C,oBAAc,KAAK,SAAS;AAAA,IAC9B;AAEA,UAAM,cAAe,IAAI,aAAa,YAAQ,wBAAI,GAAG,aAAa,QAAI,uBAAG,GAAG,aAAa;AAEzF,QAAI,SAAS;AACX,cAAQ,MAAM,2CAA2C;AAAA,IAC3D;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/index.d.cts

@@ -13,16 +13,33 @@ interface ZanzoTupleTable {
 interface ZanzoAdapterOptions {
     /**
      * Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,
-     * reminding you to use expandTuples() when writing this relationship.
+     * reminding you to use materializeDerivedTuples() when writing this relationship.
      *
      * @default true in NODE_ENV=development, false in production
      */
     warnOnNestedConditions?: boolean;
+    /**
+     * If true, logs the generated AST and SQL conditions to the console for debugging purposes.
+     * @default false
+     */
+    debug?: boolean;
+    /**
+     * The database dialect. Used to optimize string concatenation.
+     * If not provided, it defaults to 'postgres' which uses standard CONCAT.
+     * @default 'postgres'
+     */
+    dialect?: 'mysql' | 'postgres' | 'sqlite';
 }
 /**
  * Creates a "Zero-Config" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.
  * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.
  *
+ * @remarks
+ * **Validation Contract**: This adapter assumes all identifiers (actor, resource IDs) have been
+ * validated by the ZanzoEngine before calling `withPermissions`. Passing raw user input
+ * directly without routing through the engine first may bypass validation and produce
+ * unexpected query behavior.
+ *
  * @param engine The initialized ZanzoEngine instance
  * @param tupleTable The central Drizzle Table where all Relation Tuples are stored
  * @param options Optional configuration for the adapter

package/dist/index.d.ts

@@ -13,16 +13,33 @@ interface ZanzoTupleTable {
 interface ZanzoAdapterOptions {
     /**
      * Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,
-     * reminding you to use expandTuples() when writing this relationship.
+     * reminding you to use materializeDerivedTuples() when writing this relationship.
      *
      * @default true in NODE_ENV=development, false in production
      */
     warnOnNestedConditions?: boolean;
+    /**
+     * If true, logs the generated AST and SQL conditions to the console for debugging purposes.
+     * @default false
+     */
+    debug?: boolean;
+    /**
+     * The database dialect. Used to optimize string concatenation.
+     * If not provided, it defaults to 'postgres' which uses standard CONCAT.
+     * @default 'postgres'
+     */
+    dialect?: 'mysql' | 'postgres' | 'sqlite';
 }
 /**
  * Creates a "Zero-Config" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.
  * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.
  *
+ * @remarks
+ * **Validation Contract**: This adapter assumes all identifiers (actor, resource IDs) have been
+ * validated by the ZanzoEngine before calling `withPermissions`. Passing raw user input
+ * directly without routing through the engine first may bypass validation and produce
+ * unexpected query behavior.
+ *
  * @param engine The initialized ZanzoEngine instance
  * @param tupleTable The central Drizzle Table where all Relation Tuples are stored
  * @param options Optional configuration for the adapter

package/dist/index.js

@@ -1,38 +1,66 @@
 // src/index.ts
 import { or, and, sql } from "drizzle-orm";
-import { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR } from "@zanzojs/core";
+import { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR, ZanzoError, ZanzoErrorCode } from "@zanzojs/core";
 function createZanzoAdapter(engine, tupleTable, options) {
   const isDev = typeof process !== "undefined" && process.env?.NODE_ENV === "development";
   const shouldWarn = options?.warnOnNestedConditions ?? isDev;
+  const isDebug = options?.debug ?? false;
+  const dialect = options?.dialect ?? "postgres";
+  const astCache = /* @__PURE__ */ new Map();
   return function withPermissions(actor, action, resourceType, resourceIdColumn) {
-    const ast = engine.buildDatabaseQuery(actor, action, resourceType);
+    const cacheKey = `${action}:${resourceType}`;
+    let ast = astCache.get(cacheKey);
+    if (ast === void 0) {
+      ast = engine.buildDatabaseQuery(actor, action, resourceType);
+      astCache.set(cacheKey, ast);
+    } else if (ast) {
+    }
+    if (isDebug) {
+      console.debug(`[Zanzo Debug] Action: ${action}, Resource: ${resourceType}`);
+      console.debug(`[Zanzo Debug] Generated AST:`, JSON.stringify(ast, null, 2));
+    }
     if (ast && ast.conditions.length > 100) {
-      throw new Error(`[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches. Please optimize your schema or rely on pre-computed tuples to avoid database exhaustion.`);
+      throw new ZanzoError(ZanzoErrorCode.AST_OVERFLOW, `[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches.`);
     }
-    if (!ast) {
+    if (!ast || ast.conditions.length === 0) {
       return sql`1 = 0`;
     }
-    const parseCondition = (cond) => {
-      const objectString = sql`${resourceType} || '${sql.raw(ENTITY_REF_SEPARATOR)}' || ${resourceIdColumn}`;
+    const objectString = dialect === "sqlite" ? sql`${resourceType} || ${ENTITY_REF_SEPARATOR} || ${resourceIdColumn}` : sql`CONCAT(${resourceType}, ${ENTITY_REF_SEPARATOR}, ${resourceIdColumn})`;
+    const relationsBySubject = /* @__PURE__ */ new Map();
+    for (const cond of ast.conditions) {
+      const fullRelation = cond.type === "nested" ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) : cond.relation;
       if (cond.type === "nested" && shouldWarn) {
-        console.warn(`[Zanzo] Nested permission path detected: '${[cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR)}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used expandTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);
+        console.warn(`[Zanzo] Nested permission path detected: '${fullRelation}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used materializeDerivedTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);
       }
-      const relationString = cond.type === "nested" ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) : cond.relation;
-      return sql`EXISTS (
-        SELECT 1 FROM ${tupleTable} 
-        WHERE ${tupleTable.object} = ${objectString} 
-          AND ${tupleTable.relation} = ${relationString} 
-          AND ${tupleTable.subject} = ${cond.targetSubject}
-      )`;
-    };
-    const parsedConditions = ast.conditions.map(parseCondition).filter((c) => c !== void 0);
-    if (parsedConditions.length === 0) {
-      return sql`1 = 0`;
+      const targetSubject = cond.targetSubject === actor ? actor : cond.targetSubject;
+      let relations = relationsBySubject.get(targetSubject);
+      if (!relations) {
+        relations = /* @__PURE__ */ new Set();
+        relationsBySubject.set(targetSubject, relations);
+      }
+      relations.add(fullRelation);
+    }
+    const sqlConditions = [];
+    for (const [subject, relations] of relationsBySubject.entries()) {
+      const relationArray = Array.from(relations);
+      const condition = relationArray.length === 1 ? sql`EXISTS (
+            SELECT 1 FROM ${tupleTable} 
+            WHERE ${tupleTable.object} = ${objectString} 
+              AND ${tupleTable.relation} = ${relationArray[0]} 
+              AND ${tupleTable.subject} = ${subject}
+          )` : sql`EXISTS (
+            SELECT 1 FROM ${tupleTable} 
+            WHERE ${tupleTable.object} = ${objectString} 
+              AND ${tupleTable.relation} IN (${sql.join(relationArray.map((r) => sql`${r}`), sql`, `)}) 
+              AND ${tupleTable.subject} = ${subject}
+          )`;
+      sqlConditions.push(condition);
     }
-    if (ast.operator === "AND") {
-      return and(...parsedConditions);
+    const finalFilter = ast.operator === "AND" ? and(...sqlConditions) : or(...sqlConditions);
+    if (isDebug) {
+      console.debug(`[Zanzo Debug] Final SQL Filter Generated.`);
     }
-    return or(...parsedConditions);
+    return finalFilter;
   };
 }
 export {

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { or, and, SQL, sql, AnyColumn } from 'drizzle-orm';\nimport type { QueryAST, Condition, ZanzoEngine, SchemaData, ExtractSchemaResources, ExtractSchemaActions } from '@zanzojs/core';\nimport { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR } from '@zanzojs/core';\n\n/**\n * Ensures the passed Drizzle Table conforms to the mandatory Zanzibar Universal Tuple Structure.\n */\nexport interface ZanzoTupleTable {\n  object: AnyColumn; // String e.g. \"Invoice:123\"\n  relation: AnyColumn; // String e.g. \"owner\"\n  subject: AnyColumn;  // String e.g. \"User:1\"\n  [key: string]: any; // Allow extensions like IDs or context\n}\n\nexport interface ZanzoAdapterOptions {\n  /**\n   * Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,\n   * reminding you to use expandTuples() when writing this relationship.\n   *\n   * @default true in NODE_ENV=development, false in production\n   */\n  warnOnNestedConditions?: boolean;\n}\n\n/**\n * Creates a \"Zero-Config\" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.\n * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.\n *\n * @param engine The initialized ZanzoEngine instance\n * @param tupleTable The central Drizzle Table where all Relation Tuples are stored\n * @param options Optional configuration for the adapter\n * @returns A bounded `withPermissions` closure\n */\nexport function createZanzoAdapter<TSchema extends SchemaData, TTable extends ZanzoTupleTable>(\n  engine: ZanzoEngine<TSchema>,\n  tupleTable: TTable,\n  options?: ZanzoAdapterOptions\n) {\n  // Smart default: auto-enable warnings in development unless explicitly configured\n  const isDev = typeof process !== 'undefined' && process.env?.NODE_ENV === 'development';\n  const shouldWarn = options?.warnOnNestedConditions ?? isDev;\n\n  /**\n   * Generates a Drizzle SQL AST (subquery strategy) resolving access against the Universal Tuple Table.\n   *\n   * @param actor The Subject identifier validating access (e.g \"User:1\")\n   * @param action The protected action (e.g \"read\")\n   * @param resourceType The target Domain scope (e.g \"Invoice\")\n   * @param resourceIdColumn The specific Drizzle column representing the object's ID in the business table (e.g `invoices.id`)\n   */\n  return function withPermissions<\n    TResourceName extends Extract<ExtractSchemaResources<TSchema>, string>,\n    TAction extends ExtractSchemaActions<TSchema, TResourceName>,\n  >(\n    actor: string,\n    action: TAction,\n    resourceType: TResourceName,\n    resourceIdColumn: AnyColumn\n  ): SQL<unknown> {\n    \n    // Evaluate the underlying pure logical AST\n    const ast = engine.buildDatabaseQuery(actor, action as any, resourceType as any);\n\n    // Protection Against 'The List Problem' / Query Payload Exhaustion:\n    // If a badly designed ReBAC schema generates a monstrous combinatorial AST tree, \n    // it could exceed max SQL text limits resulting in DB crashes. Abort safely.\n    if (ast && ast.conditions.length > 100) {\n      throw new Error(`[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches. Please optimize your schema or rely on pre-computed tuples to avoid database exhaustion.`);\n    }\n\n    if (!ast) {\n      // Access totally denied\n      return sql`1 = 0`; \n    }\n\n    const parseCondition = (cond: Condition): SQL<unknown> | undefined => {\n      \n      // In the Zanzibar Pattern, ALL conditions (direct or nested) ultimately result\n      // in looking up pre-computed or dynamically queried tuples.\n      // E.g for a direct target: SELECT 1 FROM tuples WHERE object = TYPE:ID AND relation = X AND subject = TARGET\n      \n      const objectString = sql`${resourceType} || '${sql.raw(ENTITY_REF_SEPARATOR)}' || ${resourceIdColumn}`;\n\n      // In Zanzibar, nested conditions (e.g. org.admin) are evaluated using the \"Tuple Expansion\" pattern.\n      // This means the user has asynchronously written materialized tuples into the database.\n      // Therefore, both direct and nested queries are resolved identically via O(1) EXISTS lookups.\n      if (cond.type === 'nested' && shouldWarn) {\n        console.warn(`[Zanzo] Nested permission path detected: '${[cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR)}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used expandTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);\n      }\n\n      const relationString = cond.type === 'nested' \n        ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) \n        : cond.relation;\n\n      return sql`EXISTS (\n        SELECT 1 FROM ${tupleTable} \n        WHERE ${tupleTable.object} = ${objectString} \n          AND ${tupleTable.relation} = ${relationString} \n          AND ${tupleTable.subject} = ${cond.targetSubject}\n      )`;\n    };\n\n    const parsedConditions = ast.conditions\n      .map(parseCondition)\n      .filter((c): c is SQL<unknown> => c !== undefined);\n\n    if (parsedConditions.length === 0) {\n       return sql`1 = 0`;\n    }\n\n    if (ast.operator === 'AND') {\n      return and(...parsedConditions) as SQL<unknown>;\n    }\n\n    return or(...parsedConditions) as SQL<unknown>;\n  };\n}\n"],"mappings":";AAAA,SAAS,IAAI,KAAU,WAAsB;AAE7C,SAAS,sBAAsB,+BAA+B;AA+BvD,SAAS,mBACd,QACA,YACA,SACA;AAEA,QAAM,QAAQ,OAAO,YAAY,eAAe,QAAQ,KAAK,aAAa;AAC1E,QAAM,aAAa,SAAS,0BAA0B;AAUtD,SAAO,SAAS,gBAId,OACA,QACA,cACA,kBACc;AAGd,UAAM,MAAM,OAAO,mBAAmB,OAAO,QAAe,YAAmB;AAK/E,QAAI,OAAO,IAAI,WAAW,SAAS,KAAK;AACtC,YAAM,IAAI,MAAM,oMAAoM;AAAA,IACtN;AAEA,QAAI,CAAC,KAAK;AAER,aAAO;AAAA,IACT;AAEA,UAAM,iBAAiB,CAAC,SAA8C;AAMpE,YAAM,eAAe,MAAM,YAAY,QAAQ,IAAI,IAAI,oBAAoB,CAAC,QAAQ,gBAAgB;AAKpG,UAAI,KAAK,SAAS,YAAY,YAAY;AACxC,gBAAQ,KAAK,6CAA6C,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,uBAAuB,CAAC,0LAA0L;AAAA,MAC7T;AAEA,YAAM,iBAAiB,KAAK,SAAS,WACjC,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,uBAAuB,IACtE,KAAK;AAET,aAAO;AAAA,wBACW,UAAU;AAAA,gBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,gBACnC,WAAW,QAAQ,MAAM,cAAc;AAAA,gBACvC,WAAW,OAAO,MAAM,KAAK,aAAa;AAAA;AAAA,IAEtD;AAEA,UAAM,mBAAmB,IAAI,WAC1B,IAAI,cAAc,EAClB,OAAO,CAAC,MAAyB,MAAM,MAAS;AAEnD,QAAI,iBAAiB,WAAW,GAAG;AAChC,aAAO;AAAA,IACV;AAEA,QAAI,IAAI,aAAa,OAAO;AAC1B,aAAO,IAAI,GAAG,gBAAgB;AAAA,IAChC;AAEA,WAAO,GAAG,GAAG,gBAAgB;AAAA,EAC/B;AACF;","names":[]}
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { or, and, SQL, sql, AnyColumn } from 'drizzle-orm';\nimport type { QueryAST, Condition, ZanzoEngine, SchemaData, ExtractSchemaResources, ExtractSchemaActions } from '@zanzojs/core';\nimport { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR, ZanzoError, ZanzoErrorCode } from '@zanzojs/core';\n\n/**\n * Ensures the passed Drizzle Table conforms to the mandatory Zanzibar Universal Tuple Structure.\n */\nexport interface ZanzoTupleTable {\n  object: AnyColumn; // String e.g. \"Invoice:123\"\n  relation: AnyColumn; // String e.g. \"owner\"\n  subject: AnyColumn;  // String e.g. \"User:1\"\n  [key: string]: any; // Allow extensions like IDs or context\n}\n\nexport interface ZanzoAdapterOptions {\n  /**\n   * Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,\n   * reminding you to use materializeDerivedTuples() when writing this relationship.\n   *\n   * @default true in NODE_ENV=development, false in production\n   */\n  warnOnNestedConditions?: boolean;\n\n  /**\n   * If true, logs the generated AST and SQL conditions to the console for debugging purposes.\n   * @default false\n   */\n  debug?: boolean;\n\n  /**\n   * The database dialect. Used to optimize string concatenation.\n   * If not provided, it defaults to 'postgres' which uses standard CONCAT.\n   * @default 'postgres'\n   */\n  dialect?: 'mysql' | 'postgres' | 'sqlite';\n}\n\n/**\n * Creates a \"Zero-Config\" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.\n * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.\n *\n * @remarks\n * **Validation Contract**: This adapter assumes all identifiers (actor, resource IDs) have been \n * validated by the ZanzoEngine before calling `withPermissions`. Passing raw user input \n * directly without routing through the engine first may bypass validation and produce \n * unexpected query behavior.\n *\n * @param engine The initialized ZanzoEngine instance\n * @param tupleTable The central Drizzle Table where all Relation Tuples are stored\n * @param options Optional configuration for the adapter\n * @returns A bounded `withPermissions` closure\n */\nexport function createZanzoAdapter<TSchema extends SchemaData, TTable extends ZanzoTupleTable>(\n  engine: ZanzoEngine<TSchema>,\n  tupleTable: TTable,\n  options?: ZanzoAdapterOptions\n) {\n  // Smart default: auto-enable warnings in development unless explicitly configured\n  const isDev = typeof process !== 'undefined' && process.env?.NODE_ENV === 'development';\n  const shouldWarn = options?.warnOnNestedConditions ?? isDev;\n  const isDebug = options?.debug ?? false;\n  const dialect = options?.dialect ?? 'postgres';\n\n  // Performance Optimization: Cache structural ASTs per action+resourceType\n  // The actor is NOT part of the key as it varies per request, but the logical \n  // permission tree (AST) for a given action on a resource type is static.\n  const astCache = new Map<string, QueryAST | null>();\n\n  /**\n   * Generates a Drizzle SQL AST (subquery strategy) resolving access against the Universal Tuple Table.\n   *\n   * @remarks\n   * This function assumes all identifiers have been validated by the ZanzoEngine.\n   */\n  return function withPermissions<\n    TResourceName extends Extract<ExtractSchemaResources<TSchema>, string>,\n    TAction extends ExtractSchemaActions<TSchema, TResourceName>,\n  >(\n    actor: string,\n    action: TAction,\n    resourceType: TResourceName,\n    resourceIdColumn: AnyColumn\n  ): SQL<unknown> {\n    \n    // Check Cache first\n    const cacheKey = `${action as string}:${resourceType as string}`;\n    let ast = astCache.get(cacheKey);\n\n    if (ast === undefined) {\n      // Evaluate the underlying pure logical AST\n      // We use a dummy actor for the initial build to get the structural conditions,\n      // then we'll replace the targetSubject with the real actor if needed.\n      // Actually, buildDatabaseQuery uses the actor in the conditions.\n      ast = engine.buildDatabaseQuery(actor, action as any, resourceType as any);\n      astCache.set(cacheKey, ast);\n    } else if (ast) {\n        // If we have a cached AST, we must update the targetSubject for the current actor\n        // Since we are rebuilding the SQL conditions anyway, we can just use the actor \n        // from the function arguments.\n    }\n\n    if (isDebug) {\n      console.debug(`[Zanzo Debug] Action: ${action as string}, Resource: ${resourceType as string}`);\n      console.debug(`[Zanzo Debug] Generated AST:`, JSON.stringify(ast, null, 2));\n    }\n\n    // Protection Against 'The List Problem' / Query Payload Exhaustion\n    if (ast && ast.conditions.length > 100) {\n      throw new ZanzoError(ZanzoErrorCode.AST_OVERFLOW, `[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches.`);\n    }\n\n    if (!ast || ast.conditions.length === 0) {\n      return sql`1 = 0`; \n    }\n\n    // Dialect-agnostic/Secure concatenation for the object identifier: \"ResourceType:ID\"\n    // We avoid sql.raw to prevent injection.\n    const objectString = dialect === 'sqlite'\n      ? sql`${resourceType} || ${ENTITY_REF_SEPARATOR} || ${resourceIdColumn}`\n      : sql`CONCAT(${resourceType}, ${ENTITY_REF_SEPARATOR}, ${resourceIdColumn})`;\n\n    // OPTIMIZATION: In Zanzibar, most permissions share the same subject and object target.\n    // We group all conditions that share the same targetSubject into a single EXISTS subquery using IN.\n    const relationsBySubject = new Map<string, Set<string>>();\n\n    for (const cond of ast.conditions) {\n      // Logic for building the full relation name (e.g. \"workspace.viewer\")\n      const fullRelation = cond.type === 'nested' \n        ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) \n        : cond.relation;\n\n      if (cond.type === 'nested' && shouldWarn) {\n        console.warn(`[Zanzo] Nested permission path detected: '${fullRelation}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used materializeDerivedTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);\n      }\n\n      // Use the actual actor from arguments to ensure correctness even with cached AST\n      const targetSubject = cond.targetSubject === actor ? actor : cond.targetSubject;\n\n      let relations = relationsBySubject.get(targetSubject);\n      if (!relations) {\n        relations = new Set();\n        relationsBySubject.set(targetSubject, relations);\n      }\n      relations.add(fullRelation);\n    }\n\n    const sqlConditions: SQL<unknown>[] = [];\n\n    for (const [subject, relations] of relationsBySubject.entries()) {\n      const relationArray = Array.from(relations);\n      \n      const condition = relationArray.length === 1\n        ? sql`EXISTS (\n            SELECT 1 FROM ${tupleTable} \n            WHERE ${tupleTable.object} = ${objectString} \n              AND ${tupleTable.relation} = ${relationArray[0]} \n              AND ${tupleTable.subject} = ${subject}\n          )`\n        : sql`EXISTS (\n            SELECT 1 FROM ${tupleTable} \n            WHERE ${tupleTable.object} = ${objectString} \n              AND ${tupleTable.relation} IN (${sql.join(relationArray.map(r => sql`${r}`), sql`, `)}) \n              AND ${tupleTable.subject} = ${subject}\n          )`;\n      \n      sqlConditions.push(condition);\n    }\n\n    const finalFilter = (ast.operator === 'AND' ? and(...sqlConditions) : or(...sqlConditions)) as SQL<unknown>;\n\n    if (isDebug) {\n      console.debug(`[Zanzo Debug] Final SQL Filter Generated.`);\n    }\n\n    return finalFilter;\n  };\n}\n"],"mappings":";AAAA,SAAS,IAAI,KAAU,WAAsB;AAE7C,SAAS,sBAAsB,yBAAyB,YAAY,sBAAsB;AAkDnF,SAAS,mBACd,QACA,YACA,SACA;AAEA,QAAM,QAAQ,OAAO,YAAY,eAAe,QAAQ,KAAK,aAAa;AAC1E,QAAM,aAAa,SAAS,0BAA0B;AACtD,QAAM,UAAU,SAAS,SAAS;AAClC,QAAM,UAAU,SAAS,WAAW;AAKpC,QAAM,WAAW,oBAAI,IAA6B;AAQlD,SAAO,SAAS,gBAId,OACA,QACA,cACA,kBACc;AAGd,UAAM,WAAW,GAAG,MAAgB,IAAI,YAAsB;AAC9D,QAAI,MAAM,SAAS,IAAI,QAAQ;AAE/B,QAAI,QAAQ,QAAW;AAKrB,YAAM,OAAO,mBAAmB,OAAO,QAAe,YAAmB;AACzE,eAAS,IAAI,UAAU,GAAG;AAAA,IAC5B,WAAW,KAAK;AAAA,IAIhB;AAEA,QAAI,SAAS;AACX,cAAQ,MAAM,yBAAyB,MAAgB,eAAe,YAAsB,EAAE;AAC9F,cAAQ,MAAM,gCAAgC,KAAK,UAAU,KAAK,MAAM,CAAC,CAAC;AAAA,IAC5E;AAGA,QAAI,OAAO,IAAI,WAAW,SAAS,KAAK;AACtC,YAAM,IAAI,WAAW,eAAe,cAAc,2GAA2G;AAAA,IAC/J;AAEA,QAAI,CAAC,OAAO,IAAI,WAAW,WAAW,GAAG;AACvC,aAAO;AAAA,IACT;AAIA,UAAM,eAAe,YAAY,WAC7B,MAAM,YAAY,OAAO,oBAAoB,OAAO,gBAAgB,KACpE,aAAa,YAAY,KAAK,oBAAoB,KAAK,gBAAgB;AAI3E,UAAM,qBAAqB,oBAAI,IAAyB;AAExD,eAAW,QAAQ,IAAI,YAAY;AAEjC,YAAM,eAAe,KAAK,SAAS,WAC/B,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,uBAAuB,IACtE,KAAK;AAET,UAAI,KAAK,SAAS,YAAY,YAAY;AACxC,gBAAQ,KAAK,6CAA6C,YAAY,sMAAsM;AAAA,MAC9Q;AAGA,YAAM,gBAAgB,KAAK,kBAAkB,QAAQ,QAAQ,KAAK;AAElE,UAAI,YAAY,mBAAmB,IAAI,aAAa;AACpD,UAAI,CAAC,WAAW;AACd,oBAAY,oBAAI,IAAI;AACpB,2BAAmB,IAAI,eAAe,SAAS;AAAA,MACjD;AACA,gBAAU,IAAI,YAAY;AAAA,IAC5B;AAEA,UAAM,gBAAgC,CAAC;AAEvC,eAAW,CAAC,SAAS,SAAS,KAAK,mBAAmB,QAAQ,GAAG;AAC/D,YAAM,gBAAgB,MAAM,KAAK,SAAS;AAE1C,YAAM,YAAY,cAAc,WAAW,IACvC;AAAA,4BACkB,UAAU;AAAA,oBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,oBACnC,WAAW,QAAQ,MAAM,cAAc,CAAC,CAAC;AAAA,oBACzC,WAAW,OAAO,MAAM,OAAO;AAAA,eAEzC;AAAA,4BACkB,UAAU;AAAA,oBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,oBACnC,WAAW,QAAQ,QAAQ,IAAI,KAAK,cAAc,IAAI,OAAK,MAAM,CAAC,EAAE,GAAG,OAAO,CAAC;AAAA,oBAC/E,WAAW,OAAO,MAAM,OAAO;AAAA;AAG7C,oBAAc,KAAK,SAAS;AAAA,IAC9B;AAEA,UAAM,cAAe,IAAI,aAAa,QAAQ,IAAI,GAAG,aAAa,IAAI,GAAG,GAAG,aAAa;AAEzF,QAAI,SAAS;AACX,cAAQ,MAAM,2CAA2C;AAAA,IAC3D;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zanzojs/drizzle",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "Drizzle ORM adapter for Zanzo ReBAC. Zero-config Zanzibar Tuple Pattern with parameterized SQL.",
   "keywords": [
     "@zanzojs/core",
@@ -21,9 +21,9 @@
   "type": "module",
   "exports": {
     ".": {
+      "types": "./dist/index.d.ts",
       "import": "./dist/index.js",
-      "require": "./dist/index.cjs",
-      "types": "./dist/index.d.ts"
+      "require": "./dist/index.cjs"
     }
   },
   "main": "./dist/index.cjs",
@@ -38,7 +38,7 @@
     "access": "public"
   },
   "peerDependencies": {
-    "@zanzojs/core": "^0.1.0-beta.0",
+    "@zanzojs/core": "^0.3.0",
     "drizzle-orm": ">=0.29.0"
   },
   "devDependencies": {
@@ -46,7 +46,7 @@
     "typescript": "^5.7.2",
     "tsup": "latest",
     "vitest": "latest",
-    "@zanzojs/core": "0.1.0"
+    "@zanzojs/core": "0.3.0"
   },
   "scripts": {
     "build": "tsup",