npm - @zanzojs/drizzle - Versions diffs - 0.2.0 → 0.3.2 - Mend

@zanzojs/drizzle 0.2.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -9,11 +9,15 @@ The official Drizzle ORM adapter for ZanzoJS.
 `@zanzojs/drizzle` serves two distinct purposes:
-**1. Write-time tuple materialization** (`expandTuples` / `collapseTuples`)
+**1. Write-time tuple materialization** (`materializeDerivedTuples` / `removeDerivedTuples`)
 When you grant or revoke access via nested permission paths (e.g. `folder.admin`), you must pre-materialize the derived tuples in the database. This is what makes read-time evaluation fast.
 **2. SQL-filtered queries for large datasets**
 When you need to fetch a filtered list of resources (e.g. "all documents this user can read") and the dataset is too large to load entirely into memory, the adapter generates parameterized `EXISTS` subqueries that push the permission filter directly to the database.
+> [!TIP]
+> **Performance Optimized**: As of v0.3.0, the adapter automatically groups multiple permission paths into a single `EXISTS` subquery using an `IN` clause, providing significant performance gains for complex schemas.
 ```typescript
 // Without adapter — loads everything into memory and filters (inefficient for large datasets)
 const allDocs = await db.select().from(documents);
@@ -29,7 +33,7 @@ const myDocs = await db.select().from(documents)
 ## Installation
 ```bash
-pnpm add @zanzojs/core @zanzojs/drizzle drizzle-orm
+pnpm add @zanzojs/core@latest @zanzojs/drizzle@latest drizzle-orm
 ```
 ## Setup
@@ -66,13 +70,57 @@ async function getReadableDocuments(userId: string) {
 }
 ```
+## Cloudflare D1 & Edge Runtime
+Zanzo is fully compatible with Cloudflare Pages and D1. Since the D1 driver for Drizzle is asynchronous, ensuring your adapter is correctly configured is key.
+### 1. Configuration for D1
+When using Cloudflare D1, always set the `dialect` to `'sqlite'`.
+```typescript
+import { createZanzoAdapter } from '@zanzojs/drizzle';
+import { engine } from './zanzo.config';
+import { zanzoTuples } from './schema';
+// The adapter is synchronous (generates SQL filters),
+// but D1 execution is always asynchronous.
+export const withPermissions = createZanzoAdapter(engine, zanzoTuples, {
+  dialect: 'sqlite'
+});
+```
+### 2. Usage in Next.js (middleware/layout)
+When using `@cloudflare/next-on-pages`, you access the D1 binding via the Request Context.
+```typescript
+import { getRequestContext } from '@cloudflare/next-on-pages';
+import { drizzle } from 'drizzle-orm/d1';
+export const runtime = 'edge';
+export default async function Page() {
+  const { env } = getRequestContext();
+  const db = drizzle(env.DB);
+  const myDocs = await db.select()
+    .from(documents)
+    .where(withPermissions('User:alice', 'read', 'Document', documents.id));
+  return <pre>{JSON.stringify(myDocs)}</pre>;
+}
+```
+### 3. Limitations & Differences
+- **Async-only**: D1 does not support synchronous queries. While `withPermissions` returns a synchronous `SQL` object, the final `.where()` call must be awaited as part of the Drizzle query.
+- **AST Complexity**: The Edge Runtime has strict CPU and memory limits. Use `zanzo check` in your CI/CD to ensure your schema doesn't generate overly complex ASTs (standard limit: 100 conditional branches).
 ## Write Operations
-### Granting access with expandTuples
+### Granting access with materializeDerivedTuples
-When assigning a role that involves nested permission paths, use `expandTuples` to materialize all derived tuples atomically.
+When assigning a role that involves nested permission paths, use `materializeDerivedTuples` to materialize all derived tuples atomically.
 ```typescript
-import { expandTuples } from '@zanzojs/core';
+import { materializeDerivedTuples } from '@zanzojs/core';
 async function grantAccess(userId: string, relation: string, objectId: string) {
   const baseTuple = {
@@ -81,7 +129,7 @@ async function grantAccess(userId: string, relation: string, objectId: string) {
     object: objectId,
   };
-  const derived = await expandTuples({
+  const derived = await materializeDerivedTuples({
     schema: engine.getSchema(),
     newTuple: baseTuple,
     fetchChildren: async (parentObject, relation) => {
@@ -99,11 +147,11 @@ async function grantAccess(userId: string, relation: string, objectId: string) {
 }
 ```
-### Revoking access with collapseTuples
+### Revoking access with removeDerivedTuples
-`collapseTuples` is the symmetric inverse of `expandTuples`. It identifies all derived tuples to delete.
+`removeDerivedTuples` is the symmetric inverse of `materializeDerivedTuples`. It identifies all derived tuples to delete.
 ```typescript
-import { collapseTuples } from '@zanzojs/core';
+import { removeDerivedTuples } from '@zanzojs/core';
 async function revokeAccess(userId: string, relation: string, objectId: string) {
   const baseTuple = {
@@ -112,7 +160,7 @@ async function revokeAccess(userId: string, relation: string, objectId: string)
     object: objectId,
   };
-  const derived = await collapseTuples({
+  const derived = await removeDerivedTuples({
     schema: engine.getSchema(),
     revokedTuple: baseTuple,
     fetchChildren: async (parentObject, relation) => {
@@ -136,7 +184,7 @@ async function revokeAccess(userId: string, relation: string, objectId: string)
 }
 ```
-> **expandTuples and collapseTuples are symmetric.** If `expandTuples` derived a tuple, `collapseTuples` will identify it for deletion. This guarantees no orphaned tuples.
+> **materializeDerivedTuples and removeDerivedTuples are symmetric.** If `materializeDerivedTuples` derived a tuple, `removeDerivedTuples` will identify it for deletion. This guarantees no orphaned tuples.
 ## Documentation
 For full architecture details, see the [ZanzoJS Monorepo](https://github.com/GonzaloJeria/zanzo).

package/dist/index.cjs CHANGED Viewed

@@ -26,37 +26,63 @@ module.exports = __toCommonJS(index_exports);
 var import_drizzle_orm = require("drizzle-orm");
 var import_core = require("@zanzojs/core");
 function createZanzoAdapter(engine, tupleTable, options) {
-  const isDev = typeof process !== "undefined" && process.env?.NODE_ENV === "development";
+  const isDev = typeof process !== "undefined" && !!process.env && process.env.NODE_ENV === "development";
   const shouldWarn = options?.warnOnNestedConditions ?? isDev;
+  const isDebug = options?.debug ?? false;
+  const dialect = options?.dialect ?? "postgres";
+  const astCache = /* @__PURE__ */ new Map();
   return function withPermissions(actor, action, resourceType, resourceIdColumn) {
-    const ast = engine.buildDatabaseQuery(actor, action, resourceType);
+    const cacheKey = `${action}:${resourceType}`;
+    let ast = astCache.get(cacheKey);
+    if (ast === void 0) {
+      ast = engine.buildDatabaseQuery(actor, action, resourceType);
+      astCache.set(cacheKey, ast);
+    }
+    if (isDebug) {
+      console.debug(`[Zanzo Debug] Action: ${action}, Resource: ${resourceType}`);
+      console.debug(`[Zanzo Debug] Generated AST:`, JSON.stringify(ast, null, 2));
+    }
     if (ast && ast.conditions.length > 100) {
-      throw new Error(`[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches. Please optimize your schema or rely on pre-computed tuples to avoid database exhaustion.`);
+      throw new import_core.ZanzoError(import_core.ZanzoErrorCode.AST_OVERFLOW, `[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches.`);
     }
-    if (!ast) {
+    if (!ast || ast.conditions.length === 0) {
       return import_drizzle_orm.sql`1 = 0`;
     }
-    const parseCondition = (cond) => {
-      const objectString = import_drizzle_orm.sql`${resourceType} || '${import_drizzle_orm.sql.raw(import_core.ENTITY_REF_SEPARATOR)}' || ${resourceIdColumn}`;
+    const objectString = dialect === "sqlite" ? import_drizzle_orm.sql`${resourceType} || ${import_core.ENTITY_REF_SEPARATOR} || ${resourceIdColumn}` : import_drizzle_orm.sql`CONCAT(${resourceType}, ${import_core.ENTITY_REF_SEPARATOR}, ${resourceIdColumn})`;
+    const relationsBySubject = /* @__PURE__ */ new Map();
+    for (const cond of ast.conditions) {
+      const fullRelation = cond.type === "nested" ? [cond.relation, ...cond.nextRelationPath].join(import_core.RELATION_PATH_SEPARATOR) : cond.relation;
       if (cond.type === "nested" && shouldWarn) {
-        console.warn(`[Zanzo] Nested permission path detected: '${[cond.relation, ...cond.nextRelationPath].join(import_core.RELATION_PATH_SEPARATOR)}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used expandTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);
+        console.warn(`[Zanzo] Nested permission path detected: '${fullRelation}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used materializeDerivedTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);
       }
-      const relationString = cond.type === "nested" ? [cond.relation, ...cond.nextRelationPath].join(import_core.RELATION_PATH_SEPARATOR) : cond.relation;
-      return import_drizzle_orm.sql`EXISTS (
-        SELECT 1 FROM ${tupleTable}
-        WHERE ${tupleTable.object} = ${objectString}
-          AND ${tupleTable.relation} = ${relationString}
-          AND ${tupleTable.subject} = ${cond.targetSubject}
-      )`;
-    };
-    const parsedConditions = ast.conditions.map(parseCondition).filter((c) => c !== void 0);
-    if (parsedConditions.length === 0) {
-      return import_drizzle_orm.sql`1 = 0`;
+      let relations = relationsBySubject.get(actor);
+      if (!relations) {
+        relations = /* @__PURE__ */ new Set();
+        relationsBySubject.set(actor, relations);
+      }
+      relations.add(fullRelation);
+    }
+    const sqlConditions = [];
+    for (const [subject, relations] of relationsBySubject.entries()) {
+      const relationArray = Array.from(relations);
+      const condition = relationArray.length === 1 ? import_drizzle_orm.sql`EXISTS (
+            SELECT 1 FROM ${tupleTable}
+            WHERE ${tupleTable.object} = ${objectString}
+              AND ${tupleTable.relation} = ${relationArray[0]}
+              AND ${tupleTable.subject} = ${subject}
+          )` : import_drizzle_orm.sql`EXISTS (
+            SELECT 1 FROM ${tupleTable}
+            WHERE ${tupleTable.object} = ${objectString}
+              AND ${tupleTable.relation} IN (${import_drizzle_orm.sql.join(relationArray.map((r) => import_drizzle_orm.sql`${r}`), import_drizzle_orm.sql`, `)})
+              AND ${tupleTable.subject} = ${subject}
+          )`;
+      sqlConditions.push(condition);
     }
-    if (ast.operator === "AND") {
-      return (0, import_drizzle_orm.and)(...parsedConditions);
+    const finalFilter = ast.operator === "AND" ? (0, import_drizzle_orm.and)(...sqlConditions) : (0, import_drizzle_orm.or)(...sqlConditions);
+    if (isDebug) {
+      console.debug(`[Zanzo Debug] Final SQL Filter Generated.`);
     }
-    return (0, import_drizzle_orm.or)(...parsedConditions);
+    return finalFilter;
   };
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/index.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { or, and, SQL, sql, AnyColumn } from 'drizzle-orm';\nimport type { QueryAST, Condition, ZanzoEngine, SchemaData, ExtractSchemaResources, ExtractSchemaActions } from '@zanzojs/core';\nimport { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR } from '@zanzojs/core';\n\n/*\n Ensures the passed Drizzle Table conforms to the mandatory Zanzibar Universal Tuple Structure.\n /\nexport interface ZanzoTupleTable {\n object: AnyColumn; // String e.g. \"Invoice:123\"\n relation: AnyColumn; // String e.g. \"owner\"\n subject: AnyColumn; // String e.g. \"User:1\"\n [key: string]: any; // Allow extensions like IDs or context\n}\n\nexport interface ZanzoAdapterOptions {\n /\n Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,\n * reminding you to use expandTuples() when writing this relationship.\n \n @default true in NODE_ENV=development, false in production\n /\n warnOnNestedConditions?: boolean;\n}\n\n/\n Creates a \"Zero-Config\" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.\n * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.\n \n @param engine The initialized ZanzoEngine instance\n * @param tupleTable The central Drizzle Table where all Relation Tuples are stored\n * @param options Optional configuration for the adapter\n * @returns A bounded `withPermissions` closure\n /\nexport function createZanzoAdapter<TSchema extends SchemaData, TTable extends ZanzoTupleTable>(\n engine: ZanzoEngine<TSchema>,\n tupleTable: TTable,\n options?: ZanzoAdapterOptions\n) {\n // Smart default: auto-enable warnings in development unless explicitly configured\n const isDev = typeof process !== 'undefined' && process.env?.NODE_ENV === 'development';\n const shouldWarn = options?.warnOnNestedConditions ?? isDev;\n\n /\n Generates a Drizzle SQL AST (subquery strategy) resolving access against the Universal Tuple Table.\n \n @param actor The Subject identifier validating access (e.g \"User:1\")\n * @param action The protected action (e.g \"read\")\n * @param resourceType The target Domain scope (e.g \"Invoice\")\n * @param resourceIdColumn The specific Drizzle column representing the object's ID in the business table (e.g `invoices.id`)\n */\n return function withPermissions<\n TResourceName extends Extract<ExtractSchemaResources<TSchema>, string>,\n TAction extends ExtractSchemaActions<TSchema, TResourceName>,\n >(\n actor: string,\n action: TAction,\n resourceType: TResourceName,\n resourceIdColumn: AnyColumn\n ): SQL<unknown> {\n \n // Evaluate the underlying pure logical AST\n const ast = engine.buildDatabaseQuery(actor, action as any, resourceType as any);\n\n // Protection Against 'The List Problem' / Query Payload Exhaustion:\n // If a badly designed ReBAC schema generates a monstrous combinatorial AST tree, \n // it could exceed max SQL text limits resulting in DB crashes. Abort safely.\n if (ast && ast.conditions.length > 100) {\n throw new Error(`[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches. Please optimize your schema or rely on pre-computed tuples to avoid database exhaustion.`);\n }\n\n if (!ast) {\n // Access totally denied\n return sql`1 = 0`; \n }\n\n const parseCondition = (cond: Condition): SQL<unknown> \| undefined => {\n \n // In the Zanzibar Pattern, ALL conditions (direct or nested) ultimately result\n // in looking up pre-computed or dynamically queried tuples.\n // E.g for a direct target: SELECT 1 FROM tuples WHERE object = TYPE:ID AND relation = X AND subject = TARGET\n \n const objectString = sql`${resourceType} \|\| '${sql.raw(ENTITY_REF_SEPARATOR)}' \|\| ${resourceIdColumn}`;\n\n // In Zanzibar, nested conditions (e.g. org.admin) are evaluated using the \"Tuple Expansion\" pattern.\n // This means the user has asynchronously written materialized tuples into the database.\n // Therefore, both direct and nested queries are resolved identically via O(1) EXISTS lookups.\n if (cond.type === 'nested' && shouldWarn) {\n console.warn(`[Zanzo] Nested permission path detected: '${[cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR)}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used expandTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);\n }\n\n const relationString = cond.type === 'nested' \n ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) \n : cond.relation;\n\n return sql`EXISTS (\n SELECT 1 FROM ${tupleTable} \n WHERE ${tupleTable.object} = ${objectString} \n AND ${tupleTable.relation} = ${relationString} \n AND ${tupleTable.subject} = ${cond.targetSubject}\n )`;\n };\n\n const parsedConditions = ast.conditions\n .map(parseCondition)\n .filter((c): c is SQL<unknown> => c !== undefined);\n\n if (parsedConditions.length === 0) {\n return sql`1 = 0`;\n }\n\n if (ast.operator === 'AND') {\n return and(...parsedConditions) as SQL<unknown>;\n }\n\n return or(...parsedConditions) as SQL<unknown>;\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yBAA6C;AAE7C,kBAA8D;AA+BvD,SAAS,mBACd,QACA,YACA,SACA;AAEA,QAAM,QAAQ,OAAO,YAAY,eAAe,QAAQ,KAAK,aAAa;AAC1E,QAAM,aAAa,SAAS,0BAA0B;AAUtD,SAAO,SAAS,gBAId,OACA,QACA,cACA,kBACc;AAGd,UAAM,MAAM,OAAO,mBAAmB,OAAO,QAAe,YAAmB;AAK/E,QAAI,OAAO,IAAI,WAAW,SAAS,KAAK;AACtC,YAAM,IAAI,MAAM,oMAAoM;AAAA,IACtN;AAEA,QAAI,CAAC,KAAK;AAER,aAAO;AAAA,IACT;AAEA,UAAM,iBAAiB,CAAC,SAA8C;AAMpE,YAAM,eAAe,yBAAM,YAAY,QAAQ,uBAAI,IAAI,gCAAoB,CAAC,QAAQ,gBAAgB;AAKpG,UAAI,KAAK,SAAS,YAAY,YAAY;AACxC,gBAAQ,KAAK,6CAA6C,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,mCAAuB,CAAC,0LAA0L;AAAA,MAC7T;AAEA,YAAM,iBAAiB,KAAK,SAAS,WACjC,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,mCAAuB,IACtE,KAAK;AAET,aAAO;AAAA,wBACW,UAAU;AAAA,gBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,gBACnC,WAAW,QAAQ,MAAM,cAAc;AAAA,gBACvC,WAAW,OAAO,MAAM,KAAK,aAAa;AAAA;AAAA,IAEtD;AAEA,UAAM,mBAAmB,IAAI,WAC1B,IAAI,cAAc,EAClB,OAAO,CAAC,MAAyB,MAAM,MAAS;AAEnD,QAAI,iBAAiB,WAAW,GAAG;AAChC,aAAO;AAAA,IACV;AAEA,QAAI,IAAI,aAAa,OAAO;AAC1B,iBAAO,wBAAI,GAAG,gBAAgB;AAAA,IAChC;AAEA,eAAO,uBAAG,GAAG,gBAAgB;AAAA,EAC/B;AACF;","names":[]}
1	+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { or, and, SQL, sql, AnyColumn } from 'drizzle-orm';\nimport type { QueryAST, Condition, ZanzoEngine, SchemaData, ExtractSchemaResources, ExtractSchemaActions } from '@zanzojs/core';\nimport { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR, ZanzoError, ZanzoErrorCode } from '@zanzojs/core';\n\n/*\n Ensures the passed Drizzle Table conforms to the mandatory Zanzibar Universal Tuple Structure.\n /\nexport interface ZanzoTupleTable {\n object: AnyColumn; // String e.g. \"Invoice:123\"\n relation: AnyColumn; // String e.g. \"owner\"\n subject: AnyColumn; // String e.g. \"User:1\"\n [key: string]: any; // Allow extensions like IDs or context\n}\n\nexport interface ZanzoAdapterOptions {\n /\n Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,\n * reminding you to use materializeDerivedTuples() when writing this relationship.\n \n @default true in NODE_ENV=development, false in production\n /\n warnOnNestedConditions?: boolean;\n\n /\n If true, logs the generated AST and SQL conditions to the console for debugging purposes.\n * @default false\n /\n debug?: boolean;\n\n /\n The database dialect. Used to optimize string concatenation.\n * If not provided, it defaults to 'postgres' which uses standard CONCAT.\n * @default 'postgres'\n /\n dialect?: 'mysql' \| 'postgres' \| 'sqlite';\n}\n\n/\n Creates a \"Zero-Config\" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.\n * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.\n \n @remarks\n * Validation Contract: This adapter assumes all identifiers (actor, resource IDs) have been \n * validated by the ZanzoEngine before calling `withPermissions`. Passing raw user input \n * directly without routing through the engine first may bypass validation and produce \n * unexpected query behavior.\n \n @param engine The initialized ZanzoEngine instance\n * @param tupleTable The central Drizzle Table where all Relation Tuples are stored\n * @param options Optional configuration for the adapter\n * @returns A bounded `withPermissions` closure\n /\nexport function createZanzoAdapter<TSchema extends SchemaData, TTable extends ZanzoTupleTable>(\n engine: ZanzoEngine<TSchema>,\n tupleTable: TTable,\n options?: ZanzoAdapterOptions\n) {\n // Smart default: auto-enable warnings in development unless explicitly configured\n const isDev = typeof process !== 'undefined' && !!process.env && process.env.NODE_ENV === 'development';\n const shouldWarn = options?.warnOnNestedConditions ?? isDev;\n const isDebug = options?.debug ?? false;\n const dialect = options?.dialect ?? 'postgres';\n\n // Performance Optimization: Cache structural ASTs per action+resourceType.\n // The cache stores the structural shape of the AST (relations, paths, operator)\n // which is static for a given action+resourceType combination.\n //\n // SECURITY (v0.3.0 fix): The `targetSubject` stored inside cached AST conditions\n // is IGNORED during SQL generation. The actual actor is always injected from the\n // current invocation's `actor` argument. This prevents cross-user data leakage\n // when the adapter instance is shared across requests in persistent servers\n // (Express, Fastify, etc.). See: architectural_review.md §CRÍTICO drizzle.\n const astCache = new Map<string, QueryAST \| null>();\n\n /\n Generates a Drizzle SQL AST (subquery strategy) resolving access against the Universal Tuple Table.\n \n @remarks\n * This function assumes all identifiers have been validated by the ZanzoEngine.\n */\n return function withPermissions<\n TResourceName extends Extract<ExtractSchemaResources<TSchema>, string>,\n TAction extends ExtractSchemaActions<TSchema, TResourceName>,\n >(\n actor: string,\n action: TAction,\n resourceType: TResourceName,\n resourceIdColumn: AnyColumn\n ): SQL<unknown> {\n \n // Cache key is structural: action + resourceType (actor is NOT included).\n // The AST structure (which relations grant which actions) is immutable per schema.\n const cacheKey = `${action as string}:${resourceType as string}`;\n let ast = astCache.get(cacheKey);\n\n if (ast === undefined) {\n // Build the structural AST. The actor passed here is irrelevant for the cached\n // structure — only the relations and their types matter. The targetSubject baked\n // into the AST conditions will be ignored during SQL generation below.\n ast = engine.buildDatabaseQuery(actor, action as any, resourceType as any);\n astCache.set(cacheKey, ast);\n }\n\n if (isDebug) {\n console.debug(`[Zanzo Debug] Action: ${action as string}, Resource: ${resourceType as string}`);\n console.debug(`[Zanzo Debug] Generated AST:`, JSON.stringify(ast, null, 2));\n }\n\n // Protection Against 'The List Problem' / Query Payload Exhaustion\n if (ast && ast.conditions.length > 100) {\n throw new ZanzoError(ZanzoErrorCode.AST_OVERFLOW, `[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches.`);\n }\n\n if (!ast \|\| ast.conditions.length === 0) {\n return sql`1 = 0`; \n }\n\n // Dialect-agnostic/Secure concatenation for the object identifier: \"ResourceType:ID\"\n // We avoid sql.raw to prevent injection.\n const objectString = dialect === 'sqlite'\n ? sql`${resourceType} \|\| ${ENTITY_REF_SEPARATOR} \|\| ${resourceIdColumn}`\n : sql`CONCAT(${resourceType}, ${ENTITY_REF_SEPARATOR}, ${resourceIdColumn})`;\n\n // OPTIMIZATION: In Zanzibar, most permissions share the same subject and object target.\n // We group all conditions that share the same targetSubject into a single EXISTS subquery using IN.\n const relationsBySubject = new Map<string, Set<string>>();\n\n for (const cond of ast.conditions) {\n // Logic for building the full relation name (e.g. \"workspace.viewer\")\n const fullRelation = cond.type === 'nested' \n ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) \n : cond.relation;\n\n if (cond.type === 'nested' && shouldWarn) {\n console.warn(`[Zanzo] Nested permission path detected: '${fullRelation}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used materializeDerivedTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);\n }\n\n // SECURITY FIX: Always use the `actor` from the current invocation, NEVER\n // `cond.targetSubject` from the cached AST. The cached AST may contain a\n // stale actor from a previous request. This is the core of the cross-user\n // data leakage fix — the actor is bound at SQL generation time, not at\n // AST construction time.\n let relations = relationsBySubject.get(actor);\n if (!relations) {\n relations = new Set();\n relationsBySubject.set(actor, relations);\n }\n relations.add(fullRelation);\n }\n\n const sqlConditions: SQL<unknown>[] = [];\n\n for (const [subject, relations] of relationsBySubject.entries()) {\n const relationArray = Array.from(relations);\n \n const condition = relationArray.length === 1\n ? sql`EXISTS (\n SELECT 1 FROM ${tupleTable} \n WHERE ${tupleTable.object} = ${objectString} \n AND ${tupleTable.relation} = ${relationArray[0]} \n AND ${tupleTable.subject} = ${subject}\n )`\n : sql`EXISTS (\n SELECT 1 FROM ${tupleTable} \n WHERE ${tupleTable.object} = ${objectString} \n AND ${tupleTable.relation} IN (${sql.join(relationArray.map(r => sql`${r}`), sql`, `)}) \n AND ${tupleTable.subject} = ${subject}\n )`;\n \n sqlConditions.push(condition);\n }\n\n const finalFilter = (ast.operator === 'AND' ? and(...sqlConditions) : or(...sqlConditions)) as SQL<unknown>;\n\n if (isDebug) {\n console.debug(`[Zanzo Debug] Final SQL Filter Generated.`);\n }\n\n return finalFilter;\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yBAA6C;AAE7C,kBAA0F;AAkDnF,SAAS,mBACd,QACA,YACA,SACA;AAEA,QAAM,QAAQ,OAAO,YAAY,eAAe,CAAC,CAAC,QAAQ,OAAO,QAAQ,IAAI,aAAa;AAC1F,QAAM,aAAa,SAAS,0BAA0B;AACtD,QAAM,UAAU,SAAS,SAAS;AAClC,QAAM,UAAU,SAAS,WAAW;AAWpC,QAAM,WAAW,oBAAI,IAA6B;AAQlD,SAAO,SAAS,gBAId,OACA,QACA,cACA,kBACc;AAId,UAAM,WAAW,GAAG,MAAgB,IAAI,YAAsB;AAC9D,QAAI,MAAM,SAAS,IAAI,QAAQ;AAE/B,QAAI,QAAQ,QAAW;AAIrB,YAAM,OAAO,mBAAmB,OAAO,QAAe,YAAmB;AACzE,eAAS,IAAI,UAAU,GAAG;AAAA,IAC5B;AAEA,QAAI,SAAS;AACX,cAAQ,MAAM,yBAAyB,MAAgB,eAAe,YAAsB,EAAE;AAC9F,cAAQ,MAAM,gCAAgC,KAAK,UAAU,KAAK,MAAM,CAAC,CAAC;AAAA,IAC5E;AAGA,QAAI,OAAO,IAAI,WAAW,SAAS,KAAK;AACtC,YAAM,IAAI,uBAAW,2BAAe,cAAc,2GAA2G;AAAA,IAC/J;AAEA,QAAI,CAAC,OAAO,IAAI,WAAW,WAAW,GAAG;AACvC,aAAO;AAAA,IACT;AAIA,UAAM,eAAe,YAAY,WAC7B,yBAAM,YAAY,OAAO,gCAAoB,OAAO,gBAAgB,KACpE,gCAAa,YAAY,KAAK,gCAAoB,KAAK,gBAAgB;AAI3E,UAAM,qBAAqB,oBAAI,IAAyB;AAExD,eAAW,QAAQ,IAAI,YAAY;AAEjC,YAAM,eAAe,KAAK,SAAS,WAC/B,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,mCAAuB,IACtE,KAAK;AAET,UAAI,KAAK,SAAS,YAAY,YAAY;AACxC,gBAAQ,KAAK,6CAA6C,YAAY,sMAAsM;AAAA,MAC9Q;AAOA,UAAI,YAAY,mBAAmB,IAAI,KAAK;AAC5C,UAAI,CAAC,WAAW;AACd,oBAAY,oBAAI,IAAI;AACpB,2BAAmB,IAAI,OAAO,SAAS;AAAA,MACzC;AACA,gBAAU,IAAI,YAAY;AAAA,IAC5B;AAEA,UAAM,gBAAgC,CAAC;AAEvC,eAAW,CAAC,SAAS,SAAS,KAAK,mBAAmB,QAAQ,GAAG;AAC/D,YAAM,gBAAgB,MAAM,KAAK,SAAS;AAE1C,YAAM,YAAY,cAAc,WAAW,IACvC;AAAA,4BACkB,UAAU;AAAA,oBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,oBACnC,WAAW,QAAQ,MAAM,cAAc,CAAC,CAAC;AAAA,oBACzC,WAAW,OAAO,MAAM,OAAO;AAAA,eAEzC;AAAA,4BACkB,UAAU;AAAA,oBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,oBACnC,WAAW,QAAQ,QAAQ,uBAAI,KAAK,cAAc,IAAI,OAAK,yBAAM,CAAC,EAAE,GAAG,0BAAO,CAAC;AAAA,oBAC/E,WAAW,OAAO,MAAM,OAAO;AAAA;AAG7C,oBAAc,KAAK,SAAS;AAAA,IAC9B;AAEA,UAAM,cAAe,IAAI,aAAa,YAAQ,wBAAI,GAAG,aAAa,QAAI,uBAAG,GAAG,aAAa;AAEzF,QAAI,SAAS;AACX,cAAQ,MAAM,2CAA2C;AAAA,IAC3D;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/index.d.cts CHANGED Viewed

@@ -13,16 +13,33 @@ interface ZanzoTupleTable {
 interface ZanzoAdapterOptions {
     /**
      * Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,
-     * reminding you to use expandTuples() when writing this relationship.
+     * reminding you to use materializeDerivedTuples() when writing this relationship.
      *
      * @default true in NODE_ENV=development, false in production
      */
     warnOnNestedConditions?: boolean;
+    /**
+     * If true, logs the generated AST and SQL conditions to the console for debugging purposes.
+     * @default false
+     */
+    debug?: boolean;
+    /**
+     * The database dialect. Used to optimize string concatenation.
+     * If not provided, it defaults to 'postgres' which uses standard CONCAT.
+     * @default 'postgres'
+     */
+    dialect?: 'mysql' | 'postgres' | 'sqlite';
 }
 /**
  * Creates a "Zero-Config" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.
  * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.
  *
+ * @remarks
+ * **Validation Contract**: This adapter assumes all identifiers (actor, resource IDs) have been
+ * validated by the ZanzoEngine before calling `withPermissions`. Passing raw user input
+ * directly without routing through the engine first may bypass validation and produce
+ * unexpected query behavior.
+ *
  * @param engine The initialized ZanzoEngine instance
  * @param tupleTable The central Drizzle Table where all Relation Tuples are stored
  * @param options Optional configuration for the adapter

package/dist/index.d.ts CHANGED Viewed

@@ -13,16 +13,33 @@ interface ZanzoTupleTable {
 interface ZanzoAdapterOptions {
     /**
      * Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,
-     * reminding you to use expandTuples() when writing this relationship.
+     * reminding you to use materializeDerivedTuples() when writing this relationship.
      *
      * @default true in NODE_ENV=development, false in production
      */
     warnOnNestedConditions?: boolean;
+    /**
+     * If true, logs the generated AST and SQL conditions to the console for debugging purposes.
+     * @default false
+     */
+    debug?: boolean;
+    /**
+     * The database dialect. Used to optimize string concatenation.
+     * If not provided, it defaults to 'postgres' which uses standard CONCAT.
+     * @default 'postgres'
+     */
+    dialect?: 'mysql' | 'postgres' | 'sqlite';
 }
 /**
  * Creates a "Zero-Config" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.
  * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.
  *
+ * @remarks
+ * **Validation Contract**: This adapter assumes all identifiers (actor, resource IDs) have been
+ * validated by the ZanzoEngine before calling `withPermissions`. Passing raw user input
+ * directly without routing through the engine first may bypass validation and produce
+ * unexpected query behavior.
+ *
  * @param engine The initialized ZanzoEngine instance
  * @param tupleTable The central Drizzle Table where all Relation Tuples are stored
  * @param options Optional configuration for the adapter

package/dist/index.js CHANGED Viewed

@@ -1,38 +1,64 @@
 // src/index.ts
 import { or, and, sql } from "drizzle-orm";
-import { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR } from "@zanzojs/core";
+import { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR, ZanzoError, ZanzoErrorCode } from "@zanzojs/core";
 function createZanzoAdapter(engine, tupleTable, options) {
-  const isDev = typeof process !== "undefined" && process.env?.NODE_ENV === "development";
+  const isDev = typeof process !== "undefined" && !!process.env && process.env.NODE_ENV === "development";
   const shouldWarn = options?.warnOnNestedConditions ?? isDev;
+  const isDebug = options?.debug ?? false;
+  const dialect = options?.dialect ?? "postgres";
+  const astCache = /* @__PURE__ */ new Map();
   return function withPermissions(actor, action, resourceType, resourceIdColumn) {
-    const ast = engine.buildDatabaseQuery(actor, action, resourceType);
+    const cacheKey = `${action}:${resourceType}`;
+    let ast = astCache.get(cacheKey);
+    if (ast === void 0) {
+      ast = engine.buildDatabaseQuery(actor, action, resourceType);
+      astCache.set(cacheKey, ast);
+    }
+    if (isDebug) {
+      console.debug(`[Zanzo Debug] Action: ${action}, Resource: ${resourceType}`);
+      console.debug(`[Zanzo Debug] Generated AST:`, JSON.stringify(ast, null, 2));
+    }
     if (ast && ast.conditions.length > 100) {
-      throw new Error(`[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches. Please optimize your schema or rely on pre-computed tuples to avoid database exhaustion.`);
+      throw new ZanzoError(ZanzoErrorCode.AST_OVERFLOW, `[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches.`);
     }
-    if (!ast) {
+    if (!ast || ast.conditions.length === 0) {
       return sql`1 = 0`;
     }
-    const parseCondition = (cond) => {
-      const objectString = sql`${resourceType} || '${sql.raw(ENTITY_REF_SEPARATOR)}' || ${resourceIdColumn}`;
+    const objectString = dialect === "sqlite" ? sql`${resourceType} || ${ENTITY_REF_SEPARATOR} || ${resourceIdColumn}` : sql`CONCAT(${resourceType}, ${ENTITY_REF_SEPARATOR}, ${resourceIdColumn})`;
+    const relationsBySubject = /* @__PURE__ */ new Map();
+    for (const cond of ast.conditions) {
+      const fullRelation = cond.type === "nested" ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) : cond.relation;
       if (cond.type === "nested" && shouldWarn) {
-        console.warn(`[Zanzo] Nested permission path detected: '${[cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR)}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used expandTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);
+        console.warn(`[Zanzo] Nested permission path detected: '${fullRelation}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used materializeDerivedTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);
       }
-      const relationString = cond.type === "nested" ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) : cond.relation;
-      return sql`EXISTS (
-        SELECT 1 FROM ${tupleTable}
-        WHERE ${tupleTable.object} = ${objectString}
-          AND ${tupleTable.relation} = ${relationString}
-          AND ${tupleTable.subject} = ${cond.targetSubject}
-      )`;
-    };
-    const parsedConditions = ast.conditions.map(parseCondition).filter((c) => c !== void 0);
-    if (parsedConditions.length === 0) {
-      return sql`1 = 0`;
+      let relations = relationsBySubject.get(actor);
+      if (!relations) {
+        relations = /* @__PURE__ */ new Set();
+        relationsBySubject.set(actor, relations);
+      }
+      relations.add(fullRelation);
+    }
+    const sqlConditions = [];
+    for (const [subject, relations] of relationsBySubject.entries()) {
+      const relationArray = Array.from(relations);
+      const condition = relationArray.length === 1 ? sql`EXISTS (
+            SELECT 1 FROM ${tupleTable}
+            WHERE ${tupleTable.object} = ${objectString}
+              AND ${tupleTable.relation} = ${relationArray[0]}
+              AND ${tupleTable.subject} = ${subject}
+          )` : sql`EXISTS (
+            SELECT 1 FROM ${tupleTable}
+            WHERE ${tupleTable.object} = ${objectString}
+              AND ${tupleTable.relation} IN (${sql.join(relationArray.map((r) => sql`${r}`), sql`, `)})
+              AND ${tupleTable.subject} = ${subject}
+          )`;
+      sqlConditions.push(condition);
     }
-    if (ast.operator === "AND") {
-      return and(...parsedConditions);
+    const finalFilter = ast.operator === "AND" ? and(...sqlConditions) : or(...sqlConditions);
+    if (isDebug) {
+      console.debug(`[Zanzo Debug] Final SQL Filter Generated.`);
     }
-    return or(...parsedConditions);
+    return finalFilter;
   };
 }
 export {

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { or, and, SQL, sql, AnyColumn } from 'drizzle-orm';\nimport type { QueryAST, Condition, ZanzoEngine, SchemaData, ExtractSchemaResources, ExtractSchemaActions } from '@zanzojs/core';\nimport { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR } from '@zanzojs/core';\n\n/*\n Ensures the passed Drizzle Table conforms to the mandatory Zanzibar Universal Tuple Structure.\n /\nexport interface ZanzoTupleTable {\n object: AnyColumn; // String e.g. \"Invoice:123\"\n relation: AnyColumn; // String e.g. \"owner\"\n subject: AnyColumn; // String e.g. \"User:1\"\n [key: string]: any; // Allow extensions like IDs or context\n}\n\nexport interface ZanzoAdapterOptions {\n /\n Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,\n * reminding you to use expandTuples() when writing this relationship.\n \n @default true in NODE_ENV=development, false in production\n /\n warnOnNestedConditions?: boolean;\n}\n\n/\n Creates a \"Zero-Config\" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.\n * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.\n \n @param engine The initialized ZanzoEngine instance\n * @param tupleTable The central Drizzle Table where all Relation Tuples are stored\n * @param options Optional configuration for the adapter\n * @returns A bounded `withPermissions` closure\n /\nexport function createZanzoAdapter<TSchema extends SchemaData, TTable extends ZanzoTupleTable>(\n engine: ZanzoEngine<TSchema>,\n tupleTable: TTable,\n options?: ZanzoAdapterOptions\n) {\n // Smart default: auto-enable warnings in development unless explicitly configured\n const isDev = typeof process !== 'undefined' && process.env?.NODE_ENV === 'development';\n const shouldWarn = options?.warnOnNestedConditions ?? isDev;\n\n /\n Generates a Drizzle SQL AST (subquery strategy) resolving access against the Universal Tuple Table.\n \n @param actor The Subject identifier validating access (e.g \"User:1\")\n * @param action The protected action (e.g \"read\")\n * @param resourceType The target Domain scope (e.g \"Invoice\")\n * @param resourceIdColumn The specific Drizzle column representing the object's ID in the business table (e.g `invoices.id`)\n */\n return function withPermissions<\n TResourceName extends Extract<ExtractSchemaResources<TSchema>, string>,\n TAction extends ExtractSchemaActions<TSchema, TResourceName>,\n >(\n actor: string,\n action: TAction,\n resourceType: TResourceName,\n resourceIdColumn: AnyColumn\n ): SQL<unknown> {\n \n // Evaluate the underlying pure logical AST\n const ast = engine.buildDatabaseQuery(actor, action as any, resourceType as any);\n\n // Protection Against 'The List Problem' / Query Payload Exhaustion:\n // If a badly designed ReBAC schema generates a monstrous combinatorial AST tree, \n // it could exceed max SQL text limits resulting in DB crashes. Abort safely.\n if (ast && ast.conditions.length > 100) {\n throw new Error(`[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches. Please optimize your schema or rely on pre-computed tuples to avoid database exhaustion.`);\n }\n\n if (!ast) {\n // Access totally denied\n return sql`1 = 0`; \n }\n\n const parseCondition = (cond: Condition): SQL<unknown> \| undefined => {\n \n // In the Zanzibar Pattern, ALL conditions (direct or nested) ultimately result\n // in looking up pre-computed or dynamically queried tuples.\n // E.g for a direct target: SELECT 1 FROM tuples WHERE object = TYPE:ID AND relation = X AND subject = TARGET\n \n const objectString = sql`${resourceType} \|\| '${sql.raw(ENTITY_REF_SEPARATOR)}' \|\| ${resourceIdColumn}`;\n\n // In Zanzibar, nested conditions (e.g. org.admin) are evaluated using the \"Tuple Expansion\" pattern.\n // This means the user has asynchronously written materialized tuples into the database.\n // Therefore, both direct and nested queries are resolved identically via O(1) EXISTS lookups.\n if (cond.type === 'nested' && shouldWarn) {\n console.warn(`[Zanzo] Nested permission path detected: '${[cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR)}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used expandTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);\n }\n\n const relationString = cond.type === 'nested' \n ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) \n : cond.relation;\n\n return sql`EXISTS (\n SELECT 1 FROM ${tupleTable} \n WHERE ${tupleTable.object} = ${objectString} \n AND ${tupleTable.relation} = ${relationString} \n AND ${tupleTable.subject} = ${cond.targetSubject}\n )`;\n };\n\n const parsedConditions = ast.conditions\n .map(parseCondition)\n .filter((c): c is SQL<unknown> => c !== undefined);\n\n if (parsedConditions.length === 0) {\n return sql`1 = 0`;\n }\n\n if (ast.operator === 'AND') {\n return and(...parsedConditions) as SQL<unknown>;\n }\n\n return or(...parsedConditions) as SQL<unknown>;\n };\n}\n"],"mappings":";AAAA,SAAS,IAAI,KAAU,WAAsB;AAE7C,SAAS,sBAAsB,+BAA+B;AA+BvD,SAAS,mBACd,QACA,YACA,SACA;AAEA,QAAM,QAAQ,OAAO,YAAY,eAAe,QAAQ,KAAK,aAAa;AAC1E,QAAM,aAAa,SAAS,0BAA0B;AAUtD,SAAO,SAAS,gBAId,OACA,QACA,cACA,kBACc;AAGd,UAAM,MAAM,OAAO,mBAAmB,OAAO,QAAe,YAAmB;AAK/E,QAAI,OAAO,IAAI,WAAW,SAAS,KAAK;AACtC,YAAM,IAAI,MAAM,oMAAoM;AAAA,IACtN;AAEA,QAAI,CAAC,KAAK;AAER,aAAO;AAAA,IACT;AAEA,UAAM,iBAAiB,CAAC,SAA8C;AAMpE,YAAM,eAAe,MAAM,YAAY,QAAQ,IAAI,IAAI,oBAAoB,CAAC,QAAQ,gBAAgB;AAKpG,UAAI,KAAK,SAAS,YAAY,YAAY;AACxC,gBAAQ,KAAK,6CAA6C,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,uBAAuB,CAAC,0LAA0L;AAAA,MAC7T;AAEA,YAAM,iBAAiB,KAAK,SAAS,WACjC,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,uBAAuB,IACtE,KAAK;AAET,aAAO;AAAA,wBACW,UAAU;AAAA,gBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,gBACnC,WAAW,QAAQ,MAAM,cAAc;AAAA,gBACvC,WAAW,OAAO,MAAM,KAAK,aAAa;AAAA;AAAA,IAEtD;AAEA,UAAM,mBAAmB,IAAI,WAC1B,IAAI,cAAc,EAClB,OAAO,CAAC,MAAyB,MAAM,MAAS;AAEnD,QAAI,iBAAiB,WAAW,GAAG;AAChC,aAAO;AAAA,IACV;AAEA,QAAI,IAAI,aAAa,OAAO;AAC1B,aAAO,IAAI,GAAG,gBAAgB;AAAA,IAChC;AAEA,WAAO,GAAG,GAAG,gBAAgB;AAAA,EAC/B;AACF;","names":[]}
1	+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { or, and, SQL, sql, AnyColumn } from 'drizzle-orm';\nimport type { QueryAST, Condition, ZanzoEngine, SchemaData, ExtractSchemaResources, ExtractSchemaActions } from '@zanzojs/core';\nimport { ENTITY_REF_SEPARATOR, RELATION_PATH_SEPARATOR, ZanzoError, ZanzoErrorCode } from '@zanzojs/core';\n\n/*\n Ensures the passed Drizzle Table conforms to the mandatory Zanzibar Universal Tuple Structure.\n /\nexport interface ZanzoTupleTable {\n object: AnyColumn; // String e.g. \"Invoice:123\"\n relation: AnyColumn; // String e.g. \"owner\"\n subject: AnyColumn; // String e.g. \"User:1\"\n [key: string]: any; // Allow extensions like IDs or context\n}\n\nexport interface ZanzoAdapterOptions {\n /\n Emits a console.warn when a nested permission path (e.g. 'org.admin') is detected,\n * reminding you to use materializeDerivedTuples() when writing this relationship.\n \n @default true in NODE_ENV=development, false in production\n /\n warnOnNestedConditions?: boolean;\n\n /\n If true, logs the generated AST and SQL conditions to the console for debugging purposes.\n * @default false\n /\n debug?: boolean;\n\n /\n The database dialect. Used to optimize string concatenation.\n * If not provided, it defaults to 'postgres' which uses standard CONCAT.\n * @default 'postgres'\n /\n dialect?: 'mysql' \| 'postgres' \| 'sqlite';\n}\n\n/\n Creates a \"Zero-Config\" Drizzle ORM permission adapter tailored for the Zanzibar Pattern.\n * Rather than mapping individual specific columns, this queries a Universal Tuple Table resolving access instantly.\n \n @remarks\n * Validation Contract: This adapter assumes all identifiers (actor, resource IDs) have been \n * validated by the ZanzoEngine before calling `withPermissions`. Passing raw user input \n * directly without routing through the engine first may bypass validation and produce \n * unexpected query behavior.\n \n @param engine The initialized ZanzoEngine instance\n * @param tupleTable The central Drizzle Table where all Relation Tuples are stored\n * @param options Optional configuration for the adapter\n * @returns A bounded `withPermissions` closure\n /\nexport function createZanzoAdapter<TSchema extends SchemaData, TTable extends ZanzoTupleTable>(\n engine: ZanzoEngine<TSchema>,\n tupleTable: TTable,\n options?: ZanzoAdapterOptions\n) {\n // Smart default: auto-enable warnings in development unless explicitly configured\n const isDev = typeof process !== 'undefined' && !!process.env && process.env.NODE_ENV === 'development';\n const shouldWarn = options?.warnOnNestedConditions ?? isDev;\n const isDebug = options?.debug ?? false;\n const dialect = options?.dialect ?? 'postgres';\n\n // Performance Optimization: Cache structural ASTs per action+resourceType.\n // The cache stores the structural shape of the AST (relations, paths, operator)\n // which is static for a given action+resourceType combination.\n //\n // SECURITY (v0.3.0 fix): The `targetSubject` stored inside cached AST conditions\n // is IGNORED during SQL generation. The actual actor is always injected from the\n // current invocation's `actor` argument. This prevents cross-user data leakage\n // when the adapter instance is shared across requests in persistent servers\n // (Express, Fastify, etc.). See: architectural_review.md §CRÍTICO drizzle.\n const astCache = new Map<string, QueryAST \| null>();\n\n /\n Generates a Drizzle SQL AST (subquery strategy) resolving access against the Universal Tuple Table.\n \n @remarks\n * This function assumes all identifiers have been validated by the ZanzoEngine.\n */\n return function withPermissions<\n TResourceName extends Extract<ExtractSchemaResources<TSchema>, string>,\n TAction extends ExtractSchemaActions<TSchema, TResourceName>,\n >(\n actor: string,\n action: TAction,\n resourceType: TResourceName,\n resourceIdColumn: AnyColumn\n ): SQL<unknown> {\n \n // Cache key is structural: action + resourceType (actor is NOT included).\n // The AST structure (which relations grant which actions) is immutable per schema.\n const cacheKey = `${action as string}:${resourceType as string}`;\n let ast = astCache.get(cacheKey);\n\n if (ast === undefined) {\n // Build the structural AST. The actor passed here is irrelevant for the cached\n // structure — only the relations and their types matter. The targetSubject baked\n // into the AST conditions will be ignored during SQL generation below.\n ast = engine.buildDatabaseQuery(actor, action as any, resourceType as any);\n astCache.set(cacheKey, ast);\n }\n\n if (isDebug) {\n console.debug(`[Zanzo Debug] Action: ${action as string}, Resource: ${resourceType as string}`);\n console.debug(`[Zanzo Debug] Generated AST:`, JSON.stringify(ast, null, 2));\n }\n\n // Protection Against 'The List Problem' / Query Payload Exhaustion\n if (ast && ast.conditions.length > 100) {\n throw new ZanzoError(ZanzoErrorCode.AST_OVERFLOW, `[Zanzo] Security Exception: The resulting AST exceeds the maximum safe limit of 100 conditional branches.`);\n }\n\n if (!ast \|\| ast.conditions.length === 0) {\n return sql`1 = 0`; \n }\n\n // Dialect-agnostic/Secure concatenation for the object identifier: \"ResourceType:ID\"\n // We avoid sql.raw to prevent injection.\n const objectString = dialect === 'sqlite'\n ? sql`${resourceType} \|\| ${ENTITY_REF_SEPARATOR} \|\| ${resourceIdColumn}`\n : sql`CONCAT(${resourceType}, ${ENTITY_REF_SEPARATOR}, ${resourceIdColumn})`;\n\n // OPTIMIZATION: In Zanzibar, most permissions share the same subject and object target.\n // We group all conditions that share the same targetSubject into a single EXISTS subquery using IN.\n const relationsBySubject = new Map<string, Set<string>>();\n\n for (const cond of ast.conditions) {\n // Logic for building the full relation name (e.g. \"workspace.viewer\")\n const fullRelation = cond.type === 'nested' \n ? [cond.relation, ...cond.nextRelationPath].join(RELATION_PATH_SEPARATOR) \n : cond.relation;\n\n if (cond.type === 'nested' && shouldWarn) {\n console.warn(`[Zanzo] Nested permission path detected: '${fullRelation}'. The SQL adapter resolves this via pre-materialized tuples. Ensure you used materializeDerivedTuples() when writing this relationship to the database. See: https://zanzo.dev/docs/tuple-expansion`);\n }\n\n // SECURITY FIX: Always use the `actor` from the current invocation, NEVER\n // `cond.targetSubject` from the cached AST. The cached AST may contain a\n // stale actor from a previous request. This is the core of the cross-user\n // data leakage fix — the actor is bound at SQL generation time, not at\n // AST construction time.\n let relations = relationsBySubject.get(actor);\n if (!relations) {\n relations = new Set();\n relationsBySubject.set(actor, relations);\n }\n relations.add(fullRelation);\n }\n\n const sqlConditions: SQL<unknown>[] = [];\n\n for (const [subject, relations] of relationsBySubject.entries()) {\n const relationArray = Array.from(relations);\n \n const condition = relationArray.length === 1\n ? sql`EXISTS (\n SELECT 1 FROM ${tupleTable} \n WHERE ${tupleTable.object} = ${objectString} \n AND ${tupleTable.relation} = ${relationArray[0]} \n AND ${tupleTable.subject} = ${subject}\n )`\n : sql`EXISTS (\n SELECT 1 FROM ${tupleTable} \n WHERE ${tupleTable.object} = ${objectString} \n AND ${tupleTable.relation} IN (${sql.join(relationArray.map(r => sql`${r}`), sql`, `)}) \n AND ${tupleTable.subject} = ${subject}\n )`;\n \n sqlConditions.push(condition);\n }\n\n const finalFilter = (ast.operator === 'AND' ? and(...sqlConditions) : or(...sqlConditions)) as SQL<unknown>;\n\n if (isDebug) {\n console.debug(`[Zanzo Debug] Final SQL Filter Generated.`);\n }\n\n return finalFilter;\n };\n}\n"],"mappings":";AAAA,SAAS,IAAI,KAAU,WAAsB;AAE7C,SAAS,sBAAsB,yBAAyB,YAAY,sBAAsB;AAkDnF,SAAS,mBACd,QACA,YACA,SACA;AAEA,QAAM,QAAQ,OAAO,YAAY,eAAe,CAAC,CAAC,QAAQ,OAAO,QAAQ,IAAI,aAAa;AAC1F,QAAM,aAAa,SAAS,0BAA0B;AACtD,QAAM,UAAU,SAAS,SAAS;AAClC,QAAM,UAAU,SAAS,WAAW;AAWpC,QAAM,WAAW,oBAAI,IAA6B;AAQlD,SAAO,SAAS,gBAId,OACA,QACA,cACA,kBACc;AAId,UAAM,WAAW,GAAG,MAAgB,IAAI,YAAsB;AAC9D,QAAI,MAAM,SAAS,IAAI,QAAQ;AAE/B,QAAI,QAAQ,QAAW;AAIrB,YAAM,OAAO,mBAAmB,OAAO,QAAe,YAAmB;AACzE,eAAS,IAAI,UAAU,GAAG;AAAA,IAC5B;AAEA,QAAI,SAAS;AACX,cAAQ,MAAM,yBAAyB,MAAgB,eAAe,YAAsB,EAAE;AAC9F,cAAQ,MAAM,gCAAgC,KAAK,UAAU,KAAK,MAAM,CAAC,CAAC;AAAA,IAC5E;AAGA,QAAI,OAAO,IAAI,WAAW,SAAS,KAAK;AACtC,YAAM,IAAI,WAAW,eAAe,cAAc,2GAA2G;AAAA,IAC/J;AAEA,QAAI,CAAC,OAAO,IAAI,WAAW,WAAW,GAAG;AACvC,aAAO;AAAA,IACT;AAIA,UAAM,eAAe,YAAY,WAC7B,MAAM,YAAY,OAAO,oBAAoB,OAAO,gBAAgB,KACpE,aAAa,YAAY,KAAK,oBAAoB,KAAK,gBAAgB;AAI3E,UAAM,qBAAqB,oBAAI,IAAyB;AAExD,eAAW,QAAQ,IAAI,YAAY;AAEjC,YAAM,eAAe,KAAK,SAAS,WAC/B,CAAC,KAAK,UAAU,GAAG,KAAK,gBAAgB,EAAE,KAAK,uBAAuB,IACtE,KAAK;AAET,UAAI,KAAK,SAAS,YAAY,YAAY;AACxC,gBAAQ,KAAK,6CAA6C,YAAY,sMAAsM;AAAA,MAC9Q;AAOA,UAAI,YAAY,mBAAmB,IAAI,KAAK;AAC5C,UAAI,CAAC,WAAW;AACd,oBAAY,oBAAI,IAAI;AACpB,2BAAmB,IAAI,OAAO,SAAS;AAAA,MACzC;AACA,gBAAU,IAAI,YAAY;AAAA,IAC5B;AAEA,UAAM,gBAAgC,CAAC;AAEvC,eAAW,CAAC,SAAS,SAAS,KAAK,mBAAmB,QAAQ,GAAG;AAC/D,YAAM,gBAAgB,MAAM,KAAK,SAAS;AAE1C,YAAM,YAAY,cAAc,WAAW,IACvC;AAAA,4BACkB,UAAU;AAAA,oBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,oBACnC,WAAW,QAAQ,MAAM,cAAc,CAAC,CAAC;AAAA,oBACzC,WAAW,OAAO,MAAM,OAAO;AAAA,eAEzC;AAAA,4BACkB,UAAU;AAAA,oBAClB,WAAW,MAAM,MAAM,YAAY;AAAA,oBACnC,WAAW,QAAQ,QAAQ,IAAI,KAAK,cAAc,IAAI,OAAK,MAAM,CAAC,EAAE,GAAG,OAAO,CAAC;AAAA,oBAC/E,WAAW,OAAO,MAAM,OAAO;AAAA;AAG7C,oBAAc,KAAK,SAAS;AAAA,IAC9B;AAEA,UAAM,cAAe,IAAI,aAAa,QAAQ,IAAI,GAAG,aAAa,IAAI,GAAG,GAAG,aAAa;AAEzF,QAAI,SAAS;AACX,cAAQ,MAAM,2CAA2C;AAAA,IAC3D;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@zanzojs/drizzle",
-  "version": "0.2.0",
+  "version": "0.3.2",
   "description": "Drizzle ORM adapter for Zanzo ReBAC. Zero-config Zanzibar Tuple Pattern with parameterized SQL.",
   "keywords": [
     "@zanzojs/core",
@@ -21,9 +21,9 @@
   "type": "module",
   "exports": {
     ".": {
+      "types": "./dist/index.d.ts",
       "import": "./dist/index.js",
-      "require": "./dist/index.cjs",
-      "types": "./dist/index.d.ts"
+      "require": "./dist/index.cjs"
     }
   },
   "main": "./dist/index.cjs",
@@ -38,7 +38,7 @@
     "access": "public"
   },
   "peerDependencies": {
-    "@zanzojs/core": "^0.2.0",
+    "@zanzojs/core": "^0.3.0",
     "drizzle-orm": ">=0.29.0"
   },
   "devDependencies": {
@@ -46,7 +46,7 @@
     "typescript": "^5.7.2",
     "tsup": "latest",
     "vitest": "latest",
-    "@zanzojs/core": "0.2.0"
+    "@zanzojs/core": "0.3.1"
   },
   "scripts": {
     "build": "tsup",