npm - @zenstackhq/plugin-policy - Versions diffs - 3.0.0-beta.9 - Mend

@zenstackhq/plugin-policy 3.0.0-beta.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,1556 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  PolicyPlugin: () => PolicyPlugin
+});
+module.exports = __toCommonJS(src_exports);
+// src/functions.ts
+var import_common_helpers4 = require("@zenstackhq/common-helpers");
+var import_runtime8 = require("@zenstackhq/runtime");
+var import_kysely4 = require("kysely");
+// src/policy-handler.ts
+var import_common_helpers3 = require("@zenstackhq/common-helpers");
+var import_runtime6 = require("@zenstackhq/runtime");
+var import_schema4 = require("@zenstackhq/runtime/schema");
+var import_sdk2 = require("@zenstackhq/sdk");
+var import_kysely3 = require("kysely");
+var import_ts_pattern3 = require("ts-pattern");
+// src/column-collector.ts
+var import_sdk = require("@zenstackhq/sdk");
+var ColumnCollector = class extends import_sdk.DefaultOperationNodeVisitor {
+  static {
+    __name(this, "ColumnCollector");
+  }
+  columns = [];
+  collect(node) {
+    this.columns = [];
+    this.visitNode(node);
+    return this.columns;
+  }
+  visitColumn(node) {
+    if (!this.columns.includes(node.column.name)) {
+      this.columns.push(node.column.name);
+    }
+  }
+};
+// src/expression-transformer.ts
+var import_common_helpers2 = require("@zenstackhq/common-helpers");
+var import_runtime4 = require("@zenstackhq/runtime");
+var import_schema3 = require("@zenstackhq/runtime/schema");
+var import_kysely2 = require("kysely");
+var import_ts_pattern2 = require("ts-pattern");
+// src/expression-evaluator.ts
+var import_common_helpers = require("@zenstackhq/common-helpers");
+var import_ts_pattern = require("ts-pattern");
+var import_schema = require("@zenstackhq/runtime/schema");
+var ExpressionEvaluator = class {
+  static {
+    __name(this, "ExpressionEvaluator");
+  }
+  evaluate(expression, context) {
+    const result = (0, import_ts_pattern.match)(expression).when(import_schema.ExpressionUtils.isArray, (expr2) => this.evaluateArray(expr2, context)).when(import_schema.ExpressionUtils.isBinary, (expr2) => this.evaluateBinary(expr2, context)).when(import_schema.ExpressionUtils.isField, (expr2) => this.evaluateField(expr2, context)).when(import_schema.ExpressionUtils.isLiteral, (expr2) => this.evaluateLiteral(expr2)).when(import_schema.ExpressionUtils.isMember, (expr2) => this.evaluateMember(expr2, context)).when(import_schema.ExpressionUtils.isUnary, (expr2) => this.evaluateUnary(expr2, context)).when(import_schema.ExpressionUtils.isCall, (expr2) => this.evaluateCall(expr2, context)).when(import_schema.ExpressionUtils.isThis, () => context.thisValue).when(import_schema.ExpressionUtils.isNull, () => null).exhaustive();
+    return result ?? null;
+  }
+  evaluateCall(expr2, context) {
+    if (expr2.function === "auth") {
+      return context.auth;
+    } else {
+      throw new Error(`Unsupported call expression function: ${expr2.function}`);
+    }
+  }
+  evaluateUnary(expr2, context) {
+    return (0, import_ts_pattern.match)(expr2.op).with("!", () => !this.evaluate(expr2.operand, context)).exhaustive();
+  }
+  evaluateMember(expr2, context) {
+    let val = this.evaluate(expr2.receiver, context);
+    for (const member of expr2.members) {
+      val = val?.[member];
+    }
+    return val;
+  }
+  evaluateLiteral(expr2) {
+    return expr2.value;
+  }
+  evaluateField(expr2, context) {
+    return context.thisValue?.[expr2.field];
+  }
+  evaluateArray(expr2, context) {
+    return expr2.items.map((item) => this.evaluate(item, context));
+  }
+  evaluateBinary(expr2, context) {
+    if (expr2.op === "?" || expr2.op === "!" || expr2.op === "^") {
+      return this.evaluateCollectionPredicate(expr2, context);
+    }
+    const left = this.evaluate(expr2.left, context);
+    const right = this.evaluate(expr2.right, context);
+    return (0, import_ts_pattern.match)(expr2.op).with("==", () => left === right).with("!=", () => left !== right).with(">", () => left > right).with(">=", () => left >= right).with("<", () => left < right).with("<=", () => left <= right).with("&&", () => left && right).with("||", () => left || right).with("in", () => {
+      const _right = right ?? [];
+      (0, import_common_helpers.invariant)(Array.isArray(_right), 'expected array for "in" operator');
+      return _right.includes(left);
+    }).exhaustive();
+  }
+  evaluateCollectionPredicate(expr2, context) {
+    const op = expr2.op;
+    (0, import_common_helpers.invariant)(op === "?" || op === "!" || op === "^", 'expected "?" or "!" or "^" operator');
+    const left = this.evaluate(expr2.left, context);
+    if (!left) {
+      return false;
+    }
+    (0, import_common_helpers.invariant)(Array.isArray(left), "expected array");
+    return (0, import_ts_pattern.match)(op).with("?", () => left.some((item) => this.evaluate(expr2.right, {
+      ...context,
+      thisValue: item
+    }))).with("!", () => left.every((item) => this.evaluate(expr2.right, {
+      ...context,
+      thisValue: item
+    }))).with("^", () => !left.some((item) => this.evaluate(expr2.right, {
+      ...context,
+      thisValue: item
+    }))).exhaustive();
+  }
+};
+// src/utils.ts
+var import_schema2 = require("@zenstackhq/runtime/schema");
+var import_kysely = require("kysely");
+function trueNode(dialect) {
+  return import_kysely.ValueNode.createImmediate(dialect.transformPrimitive(true, "Boolean", false));
+}
+__name(trueNode, "trueNode");
+function falseNode(dialect) {
+  return import_kysely.ValueNode.createImmediate(dialect.transformPrimitive(false, "Boolean", false));
+}
+__name(falseNode, "falseNode");
+function isTrueNode(node) {
+  return import_kysely.ValueNode.is(node) && (node.value === true || node.value === 1);
+}
+__name(isTrueNode, "isTrueNode");
+function isFalseNode(node) {
+  return import_kysely.ValueNode.is(node) && (node.value === false || node.value === 0);
+}
+__name(isFalseNode, "isFalseNode");
+function conjunction(dialect, nodes) {
+  if (nodes.length === 0) {
+    return trueNode(dialect);
+  }
+  if (nodes.length === 1) {
+    return nodes[0];
+  }
+  if (nodes.some(isFalseNode)) {
+    return falseNode(dialect);
+  }
+  const items = nodes.filter((n) => !isTrueNode(n));
+  if (items.length === 0) {
+    return trueNode(dialect);
+  }
+  return items.reduce((acc, node) => import_kysely.AndNode.create(wrapParensIf(acc, import_kysely.OrNode.is), wrapParensIf(node, import_kysely.OrNode.is)));
+}
+__name(conjunction, "conjunction");
+function disjunction(dialect, nodes) {
+  if (nodes.length === 0) {
+    return falseNode(dialect);
+  }
+  if (nodes.length === 1) {
+    return nodes[0];
+  }
+  if (nodes.some(isTrueNode)) {
+    return trueNode(dialect);
+  }
+  const items = nodes.filter((n) => !isFalseNode(n));
+  if (items.length === 0) {
+    return falseNode(dialect);
+  }
+  return items.reduce((acc, node) => import_kysely.OrNode.create(wrapParensIf(acc, import_kysely.AndNode.is), wrapParensIf(node, import_kysely.AndNode.is)));
+}
+__name(disjunction, "disjunction");
+function logicalNot(dialect, node) {
+  if (isTrueNode(node)) {
+    return falseNode(dialect);
+  }
+  if (isFalseNode(node)) {
+    return trueNode(dialect);
+  }
+  return import_kysely.UnaryOperationNode.create(import_kysely.OperatorNode.create("not"), wrapParensIf(node, (n) => import_kysely.AndNode.is(n) || import_kysely.OrNode.is(n)));
+}
+__name(logicalNot, "logicalNot");
+function wrapParensIf(node, predicate) {
+  return predicate(node) ? import_kysely.ParensNode.create(node) : node;
+}
+__name(wrapParensIf, "wrapParensIf");
+function buildIsFalse(node, dialect) {
+  if (isFalseNode(node)) {
+    return trueNode(dialect);
+  } else if (isTrueNode(node)) {
+    return falseNode(dialect);
+  }
+  return import_kysely.BinaryOperationNode.create(
+    // coalesce so null is treated as false
+    import_kysely.FunctionNode.create("coalesce", [
+      node,
+      falseNode(dialect)
+    ]),
+    import_kysely.OperatorNode.create("="),
+    falseNode(dialect)
+  );
+}
+__name(buildIsFalse, "buildIsFalse");
+function getTableName(node) {
+  if (!node) {
+    return node;
+  }
+  if (import_kysely.TableNode.is(node)) {
+    return node.table.identifier.name;
+  } else if (import_kysely.AliasNode.is(node)) {
+    return getTableName(node.node);
+  } else if (import_kysely.ReferenceNode.is(node) && node.table) {
+    return getTableName(node.table);
+  }
+  return void 0;
+}
+__name(getTableName, "getTableName");
+function isBeforeInvocation(expr2) {
+  return import_schema2.ExpressionUtils.isCall(expr2) && expr2.function === "before";
+}
+__name(isBeforeInvocation, "isBeforeInvocation");
+// src/expression-transformer.ts
+function _ts_decorate(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate, "_ts_decorate");
+function _ts_metadata(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata, "_ts_metadata");
+var expressionHandlers = /* @__PURE__ */ new Map();
+function expr(kind) {
+  return function(_target, _propertyKey, descriptor) {
+    if (!expressionHandlers.get(kind)) {
+      expressionHandlers.set(kind, descriptor);
+    }
+    return descriptor;
+  };
+}
+__name(expr, "expr");
+var ExpressionTransformer = class {
+  static {
+    __name(this, "ExpressionTransformer");
+  }
+  client;
+  dialect;
+  constructor(client) {
+    this.client = client;
+    this.dialect = (0, import_runtime4.getCrudDialect)(this.schema, this.clientOptions);
+  }
+  get schema() {
+    return this.client.$schema;
+  }
+  get clientOptions() {
+    return this.client.$options;
+  }
+  get auth() {
+    return this.client.$auth;
+  }
+  get authType() {
+    if (!this.schema.authType) {
+      throw new import_runtime4.InternalError('Schema does not have an "authType" specified');
+    }
+    return this.schema.authType;
+  }
+  transform(expression, context) {
+    const handler = expressionHandlers.get(expression.kind);
+    if (!handler) {
+      throw new Error(`Unsupported expression kind: ${expression.kind}`);
+    }
+    return handler.value.call(this, expression, context);
+  }
+  _literal(expr2) {
+    return this.transformValue(expr2.value, typeof expr2.value === "string" ? "String" : typeof expr2.value === "boolean" ? "Boolean" : "Int");
+  }
+  _array(expr2, context) {
+    return import_kysely2.ValueListNode.create(expr2.items.map((item) => this.transform(item, context)));
+  }
+  _field(expr2, context) {
+    const fieldDef = import_runtime4.QueryUtils.requireField(this.schema, context.model, expr2.field);
+    if (!fieldDef.relation) {
+      return this.createColumnRef(expr2.field, context);
+    } else {
+      const { memberFilter, memberSelect, ...restContext } = context;
+      const relation = this.transformRelationAccess(expr2.field, fieldDef.type, restContext);
+      return {
+        ...relation,
+        where: this.mergeWhere(relation.where, memberFilter),
+        selections: memberSelect ? [
+          memberSelect
+        ] : relation.selections
+      };
+    }
+  }
+  mergeWhere(where, memberFilter) {
+    if (!where) {
+      return import_kysely2.WhereNode.create(memberFilter ?? trueNode(this.dialect));
+    }
+    if (!memberFilter) {
+      return where;
+    }
+    return import_kysely2.WhereNode.create(conjunction(this.dialect, [
+      where.where,
+      memberFilter
+    ]));
+  }
+  _null() {
+    return import_kysely2.ValueNode.createImmediate(null);
+  }
+  _binary(expr2, context) {
+    if (expr2.op === "&&") {
+      return conjunction(this.dialect, [
+        this.transform(expr2.left, context),
+        this.transform(expr2.right, context)
+      ]);
+    } else if (expr2.op === "||") {
+      return disjunction(this.dialect, [
+        this.transform(expr2.left, context),
+        this.transform(expr2.right, context)
+      ]);
+    }
+    if (this.isAuthCall(expr2.left) || this.isAuthCall(expr2.right)) {
+      return this.transformAuthBinary(expr2, context);
+    }
+    const op = expr2.op;
+    if (op === "?" || op === "!" || op === "^") {
+      return this.transformCollectionPredicate(expr2, context);
+    }
+    const { normalizedLeft, normalizedRight } = this.normalizeBinaryOperationOperands(expr2, context);
+    const left = this.transform(normalizedLeft, context);
+    const right = this.transform(normalizedRight, context);
+    if (op === "in") {
+      if (this.isNullNode(left)) {
+        return this.transformValue(false, "Boolean");
+      } else {
+        if (import_kysely2.ValueListNode.is(right)) {
+          return import_kysely2.BinaryOperationNode.create(left, import_kysely2.OperatorNode.create("in"), right);
+        } else {
+          return import_kysely2.BinaryOperationNode.create(left, import_kysely2.OperatorNode.create("="), import_kysely2.FunctionNode.create("any", [
+            right
+          ]));
+        }
+      }
+    }
+    if (this.isNullNode(right)) {
+      return this.transformNullCheck(left, expr2.op);
+    } else if (this.isNullNode(left)) {
+      return this.transformNullCheck(right, expr2.op);
+    } else {
+      return import_kysely2.BinaryOperationNode.create(left, this.transformOperator(op), right);
+    }
+  }
+  transformNullCheck(expr2, operator) {
+    (0, import_common_helpers2.invariant)(operator === "==" || operator === "!=", 'operator must be "==" or "!=" for null comparison');
+    if (import_kysely2.ValueNode.is(expr2)) {
+      if (expr2.value === null) {
+        return operator === "==" ? trueNode(this.dialect) : falseNode(this.dialect);
+      } else {
+        return operator === "==" ? falseNode(this.dialect) : trueNode(this.dialect);
+      }
+    } else {
+      return operator === "==" ? import_kysely2.BinaryOperationNode.create(expr2, import_kysely2.OperatorNode.create("is"), import_kysely2.ValueNode.createImmediate(null)) : import_kysely2.BinaryOperationNode.create(expr2, import_kysely2.OperatorNode.create("is not"), import_kysely2.ValueNode.createImmediate(null));
+    }
+  }
+  normalizeBinaryOperationOperands(expr2, context) {
+    let normalizedLeft = expr2.left;
+    if (this.isRelationField(expr2.left, context.model)) {
+      (0, import_common_helpers2.invariant)(import_schema3.ExpressionUtils.isNull(expr2.right), "only null comparison is supported for relation field");
+      const leftRelDef = this.getFieldDefFromFieldRef(expr2.left, context.model);
+      (0, import_common_helpers2.invariant)(leftRelDef, "failed to get relation field definition");
+      const idFields = import_runtime4.QueryUtils.requireIdFields(this.schema, leftRelDef.type);
+      normalizedLeft = this.makeOrAppendMember(normalizedLeft, idFields[0]);
+    }
+    let normalizedRight = expr2.right;
+    if (this.isRelationField(expr2.right, context.model)) {
+      (0, import_common_helpers2.invariant)(import_schema3.ExpressionUtils.isNull(expr2.left), "only null comparison is supported for relation field");
+      const rightRelDef = this.getFieldDefFromFieldRef(expr2.right, context.model);
+      (0, import_common_helpers2.invariant)(rightRelDef, "failed to get relation field definition");
+      const idFields = import_runtime4.QueryUtils.requireIdFields(this.schema, rightRelDef.type);
+      normalizedRight = this.makeOrAppendMember(normalizedRight, idFields[0]);
+    }
+    return {
+      normalizedLeft,
+      normalizedRight
+    };
+  }
+  transformCollectionPredicate(expr2, context) {
+    (0, import_common_helpers2.invariant)(expr2.op === "?" || expr2.op === "!" || expr2.op === "^", 'expected "?" or "!" or "^" operator');
+    if (this.isAuthCall(expr2.left) || this.isAuthMember(expr2.left)) {
+      const value = new ExpressionEvaluator().evaluate(expr2, {
+        auth: this.auth
+      });
+      return this.transformValue(value, "Boolean");
+    }
+    (0, import_common_helpers2.invariant)(import_schema3.ExpressionUtils.isField(expr2.left) || import_schema3.ExpressionUtils.isMember(expr2.left), "left operand must be field or member access");
+    let newContextModel;
+    const fieldDef = this.getFieldDefFromFieldRef(expr2.left, context.model);
+    if (fieldDef) {
+      (0, import_common_helpers2.invariant)(fieldDef.relation, `field is not a relation: ${JSON.stringify(expr2.left)}`);
+      newContextModel = fieldDef.type;
+    } else {
+      (0, import_common_helpers2.invariant)(import_schema3.ExpressionUtils.isMember(expr2.left) && import_schema3.ExpressionUtils.isField(expr2.left.receiver), "left operand must be member access with field receiver");
+      const fieldDef2 = import_runtime4.QueryUtils.requireField(this.schema, context.model, expr2.left.receiver.field);
+      newContextModel = fieldDef2.type;
+      for (const member of expr2.left.members) {
+        const memberDef = import_runtime4.QueryUtils.requireField(this.schema, newContextModel, member);
+        newContextModel = memberDef.type;
+      }
+    }
+    let predicateFilter = this.transform(expr2.right, {
+      ...context,
+      model: newContextModel,
+      alias: void 0
+    });
+    if (expr2.op === "!") {
+      predicateFilter = logicalNot(this.dialect, predicateFilter);
+    }
+    const count = import_kysely2.FunctionNode.create("count", [
+      import_kysely2.ValueNode.createImmediate(1)
+    ]);
+    const predicateResult = (0, import_ts_pattern2.match)(expr2.op).with("?", () => import_kysely2.BinaryOperationNode.create(count, import_kysely2.OperatorNode.create(">"), import_kysely2.ValueNode.createImmediate(0))).with("!", () => import_kysely2.BinaryOperationNode.create(count, import_kysely2.OperatorNode.create("="), import_kysely2.ValueNode.createImmediate(0))).with("^", () => import_kysely2.BinaryOperationNode.create(count, import_kysely2.OperatorNode.create("="), import_kysely2.ValueNode.createImmediate(0))).exhaustive();
+    return this.transform(expr2.left, {
+      ...context,
+      memberSelect: import_kysely2.SelectionNode.create(import_kysely2.AliasNode.create(predicateResult, import_kysely2.IdentifierNode.create("$t"))),
+      memberFilter: predicateFilter
+    });
+  }
+  transformAuthBinary(expr2, context) {
+    if (expr2.op !== "==" && expr2.op !== "!=") {
+      throw new import_runtime4.QueryError(`Unsupported operator for \`auth()\` in policy of model "${context.model}": ${expr2.op}`);
+    }
+    let authExpr;
+    let other;
+    if (this.isAuthCall(expr2.left)) {
+      authExpr = expr2.left;
+      other = expr2.right;
+    } else {
+      authExpr = expr2.right;
+      other = expr2.left;
+    }
+    if (import_schema3.ExpressionUtils.isNull(other)) {
+      return this.transformValue(expr2.op === "==" ? !this.auth : !!this.auth, "Boolean");
+    } else {
+      const authModel = import_runtime4.QueryUtils.getModel(this.schema, this.authType);
+      if (!authModel) {
+        throw new import_runtime4.QueryError(`Unsupported use of \`auth()\` in policy of model "${context.model}", comparing with \`auth()\` is only possible when auth type is a model`);
+      }
+      const idFields = Object.values(authModel.fields).filter((f) => f.id).map((f) => f.name);
+      (0, import_common_helpers2.invariant)(idFields.length > 0, "auth type model must have at least one id field");
+      const conditions = idFields.map((fieldName) => import_schema3.ExpressionUtils.binary(import_schema3.ExpressionUtils.member(authExpr, [
+        fieldName
+      ]), "==", this.makeOrAppendMember(other, fieldName)));
+      let result = this.buildAnd(conditions);
+      if (expr2.op === "!=") {
+        result = this.buildLogicalNot(result);
+      }
+      return this.transform(result, context);
+    }
+  }
+  makeOrAppendMember(other, fieldName) {
+    if (import_schema3.ExpressionUtils.isMember(other)) {
+      return import_schema3.ExpressionUtils.member(other.receiver, [
+        ...other.members,
+        fieldName
+      ]);
+    } else {
+      return import_schema3.ExpressionUtils.member(other, [
+        fieldName
+      ]);
+    }
+  }
+  transformValue(value, type) {
+    if (value === true) {
+      return trueNode(this.dialect);
+    } else if (value === false) {
+      return falseNode(this.dialect);
+    } else {
+      return import_kysely2.ValueNode.create(this.dialect.transformPrimitive(value, type, false) ?? null);
+    }
+  }
+  _unary(expr2, context) {
+    (0, import_common_helpers2.invariant)(expr2.op === "!", 'only "!" operator is supported');
+    return logicalNot(this.dialect, this.transform(expr2.operand, context));
+  }
+  transformOperator(op) {
+    const mappedOp = (0, import_ts_pattern2.match)(op).with("==", () => "=").otherwise(() => op);
+    return import_kysely2.OperatorNode.create(mappedOp);
+  }
+  _call(expr2, context) {
+    const result = this.transformCall(expr2, context);
+    return result.toOperationNode();
+  }
+  transformCall(expr2, context) {
+    const func = this.getFunctionImpl(expr2.function);
+    if (!func) {
+      throw new import_runtime4.QueryError(`Function not implemented: ${expr2.function}`);
+    }
+    const eb = (0, import_kysely2.expressionBuilder)();
+    return func(eb, (expr2.args ?? []).map((arg) => this.transformCallArg(eb, arg, context)), {
+      client: this.client,
+      dialect: this.dialect,
+      model: context.model,
+      modelAlias: context.alias ?? context.model,
+      operation: context.operation
+    });
+  }
+  getFunctionImpl(functionName) {
+    let func = this.clientOptions.functions?.[functionName];
+    if (!func) {
+      for (const plugin of this.clientOptions.plugins ?? []) {
+        if (plugin.functions?.[functionName]) {
+          func = plugin.functions[functionName];
+          break;
+        }
+      }
+    }
+    return func;
+  }
+  transformCallArg(eb, arg, context) {
+    if (import_schema3.ExpressionUtils.isLiteral(arg)) {
+      return eb.val(arg.value);
+    }
+    if (import_schema3.ExpressionUtils.isField(arg)) {
+      return eb.ref(arg.field);
+    }
+    if (import_schema3.ExpressionUtils.isCall(arg)) {
+      return this.transformCall(arg, context);
+    }
+    if (this.isAuthMember(arg)) {
+      const valNode = this.valueMemberAccess(this.auth, arg, this.authType);
+      return valNode ? eb.val(valNode.value) : eb.val(null);
+    }
+    throw new import_runtime4.InternalError(`Unsupported argument expression: ${arg.kind}`);
+  }
+  _member(expr2, context) {
+    if (this.isAuthCall(expr2.receiver)) {
+      return this.valueMemberAccess(this.auth, expr2, this.authType);
+    }
+    if (isBeforeInvocation(expr2.receiver)) {
+      (0, import_common_helpers2.invariant)(context.operation === "post-update", "before() can only be used in post-update policy");
+      (0, import_common_helpers2.invariant)(expr2.members.length === 1, "before() can only be followed by a scalar field access");
+      return import_kysely2.ReferenceNode.create(import_kysely2.ColumnNode.create(expr2.members[0]), import_kysely2.TableNode.create("$before"));
+    }
+    (0, import_common_helpers2.invariant)(import_schema3.ExpressionUtils.isField(expr2.receiver) || import_schema3.ExpressionUtils.isThis(expr2.receiver), 'expect receiver to be field expression or "this"');
+    let members = expr2.members;
+    let receiver;
+    const { memberFilter, memberSelect, ...restContext } = context;
+    if (import_schema3.ExpressionUtils.isThis(expr2.receiver)) {
+      if (expr2.members.length === 1) {
+        return this._field(import_schema3.ExpressionUtils.field(expr2.members[0]), context);
+      } else {
+        const firstMemberFieldDef = import_runtime4.QueryUtils.requireField(this.schema, context.model, expr2.members[0]);
+        receiver = this.transformRelationAccess(expr2.members[0], firstMemberFieldDef.type, restContext);
+        members = expr2.members.slice(1);
+      }
+    } else {
+      receiver = this.transform(expr2.receiver, restContext);
+    }
+    (0, import_common_helpers2.invariant)(import_kysely2.SelectQueryNode.is(receiver), "expected receiver to be select query");
+    let startType;
+    if (import_schema3.ExpressionUtils.isField(expr2.receiver)) {
+      const receiverField = import_runtime4.QueryUtils.requireField(this.schema, context.model, expr2.receiver.field);
+      startType = receiverField.type;
+    } else {
+      startType = context.model;
+    }
+    const memberFields = [];
+    let currType = startType;
+    for (const member of members) {
+      const fieldDef = import_runtime4.QueryUtils.requireField(this.schema, currType, member);
+      memberFields.push({
+        fieldDef,
+        fromModel: currType
+      });
+      currType = fieldDef.type;
+    }
+    let currNode = void 0;
+    for (let i = members.length - 1; i >= 0; i--) {
+      const member = members[i];
+      const { fieldDef, fromModel } = memberFields[i];
+      if (fieldDef.relation) {
+        const relation = this.transformRelationAccess(member, fieldDef.type, {
+          ...restContext,
+          model: fromModel,
+          alias: void 0
+        });
+        if (currNode) {
+          currNode = {
+            ...relation,
+            selections: [
+              import_kysely2.SelectionNode.create(import_kysely2.AliasNode.create(currNode, import_kysely2.IdentifierNode.create(members[i + 1])))
+            ]
+          };
+        } else {
+          currNode = {
+            ...relation,
+            where: this.mergeWhere(relation.where, memberFilter),
+            selections: memberSelect ? [
+              memberSelect
+            ] : relation.selections
+          };
+        }
+      } else {
+        (0, import_common_helpers2.invariant)(i === members.length - 1, "plain field access must be the last segment");
+        (0, import_common_helpers2.invariant)(!currNode, "plain field access must be the last segment");
+        currNode = import_kysely2.ColumnNode.create(member);
+      }
+    }
+    return {
+      ...receiver,
+      selections: [
+        import_kysely2.SelectionNode.create(import_kysely2.AliasNode.create(currNode, import_kysely2.IdentifierNode.create("$t")))
+      ]
+    };
+  }
+  valueMemberAccess(receiver, expr2, receiverType) {
+    if (!receiver) {
+      return import_kysely2.ValueNode.createImmediate(null);
+    }
+    if (expr2.members.length !== 1) {
+      throw new Error(`Only single member access is supported`);
+    }
+    const field = expr2.members[0];
+    const fieldDef = import_runtime4.QueryUtils.requireField(this.schema, receiverType, field);
+    const fieldValue = receiver[field] ?? null;
+    return this.transformValue(fieldValue, fieldDef.type);
+  }
+  transformRelationAccess(field, relationModel, context) {
+    const m2m = import_runtime4.QueryUtils.getManyToManyRelation(this.schema, context.model, field);
+    if (m2m) {
+      return this.transformManyToManyRelationAccess(m2m, context);
+    }
+    const fromModel = context.model;
+    const relationFieldDef = import_runtime4.QueryUtils.requireField(this.schema, fromModel, field);
+    const { keyPairs, ownedByModel } = import_runtime4.QueryUtils.getRelationForeignKeyFieldPairs(this.schema, fromModel, field);
+    let condition;
+    if (ownedByModel) {
+      condition = conjunction(this.dialect, keyPairs.map(({ fk, pk }) => {
+        let fkRef = import_kysely2.ReferenceNode.create(import_kysely2.ColumnNode.create(fk), import_kysely2.TableNode.create(context.alias ?? fromModel));
+        if (relationFieldDef.originModel && relationFieldDef.originModel !== fromModel) {
+          fkRef = this.buildDelegateBaseFieldSelect(fromModel, context.alias ?? fromModel, fk, relationFieldDef.originModel);
+        }
+        return import_kysely2.BinaryOperationNode.create(fkRef, import_kysely2.OperatorNode.create("="), import_kysely2.ReferenceNode.create(import_kysely2.ColumnNode.create(pk), import_kysely2.TableNode.create(relationModel)));
+      }));
+    } else {
+      condition = conjunction(this.dialect, keyPairs.map(({ fk, pk }) => import_kysely2.BinaryOperationNode.create(import_kysely2.ReferenceNode.create(import_kysely2.ColumnNode.create(pk), import_kysely2.TableNode.create(context.alias ?? fromModel)), import_kysely2.OperatorNode.create("="), import_kysely2.ReferenceNode.create(import_kysely2.ColumnNode.create(fk), import_kysely2.TableNode.create(relationModel)))));
+    }
+    return {
+      kind: "SelectQueryNode",
+      from: import_kysely2.FromNode.create([
+        import_kysely2.TableNode.create(relationModel)
+      ]),
+      where: import_kysely2.WhereNode.create(condition)
+    };
+  }
+  transformManyToManyRelationAccess(m2m, context) {
+    const eb = (0, import_kysely2.expressionBuilder)();
+    const relationQuery = eb.selectFrom(m2m.otherModel).innerJoin(m2m.joinTable, (join) => join.onRef(`${m2m.otherModel}.${m2m.otherPKName}`, "=", `${m2m.joinTable}.${m2m.otherFkName}`).onRef(`${m2m.joinTable}.${m2m.parentFkName}`, "=", `${context.alias ?? context.model}.${m2m.parentPKName}`));
+    return relationQuery.toOperationNode();
+  }
+  createColumnRef(column, context) {
+    const tableName = context.alias ?? context.model;
+    if (context.operation === "create") {
+      return import_kysely2.ReferenceNode.create(import_kysely2.ColumnNode.create(column), import_kysely2.TableNode.create(tableName));
+    }
+    const fieldDef = import_runtime4.QueryUtils.requireField(this.schema, context.model, column);
+    if (!fieldDef.originModel || fieldDef.originModel === context.model) {
+      return import_kysely2.ReferenceNode.create(import_kysely2.ColumnNode.create(column), import_kysely2.TableNode.create(tableName));
+    }
+    return this.buildDelegateBaseFieldSelect(context.model, tableName, column, fieldDef.originModel);
+  }
+  buildDelegateBaseFieldSelect(model, modelAlias, field, baseModel) {
+    const idFields = import_runtime4.QueryUtils.requireIdFields(this.client.$schema, model);
+    return {
+      kind: "SelectQueryNode",
+      from: import_kysely2.FromNode.create([
+        import_kysely2.TableNode.create(baseModel)
+      ]),
+      selections: [
+        import_kysely2.SelectionNode.create(import_kysely2.ReferenceNode.create(import_kysely2.ColumnNode.create(field), import_kysely2.TableNode.create(baseModel)))
+      ],
+      where: import_kysely2.WhereNode.create(conjunction(this.dialect, idFields.map((idField) => import_kysely2.BinaryOperationNode.create(import_kysely2.ReferenceNode.create(import_kysely2.ColumnNode.create(idField), import_kysely2.TableNode.create(baseModel)), import_kysely2.OperatorNode.create("="), import_kysely2.ReferenceNode.create(import_kysely2.ColumnNode.create(idField), import_kysely2.TableNode.create(modelAlias))))))
+    };
+  }
+  isAuthCall(value) {
+    return import_schema3.ExpressionUtils.isCall(value) && value.function === "auth";
+  }
+  isAuthMember(expr2) {
+    return import_schema3.ExpressionUtils.isMember(expr2) && this.isAuthCall(expr2.receiver);
+  }
+  isNullNode(node) {
+    return import_kysely2.ValueNode.is(node) && node.value === null;
+  }
+  buildLogicalNot(result) {
+    return import_schema3.ExpressionUtils.unary("!", result);
+  }
+  buildAnd(conditions) {
+    if (conditions.length === 0) {
+      return import_schema3.ExpressionUtils.literal(true);
+    } else if (conditions.length === 1) {
+      return conditions[0];
+    } else {
+      return conditions.reduce((acc, condition) => import_schema3.ExpressionUtils.binary(acc, "&&", condition));
+    }
+  }
+  isRelationField(expr2, model) {
+    const fieldDef = this.getFieldDefFromFieldRef(expr2, model);
+    return !!fieldDef?.relation;
+  }
+  getFieldDefFromFieldRef(expr2, model) {
+    if (import_schema3.ExpressionUtils.isField(expr2)) {
+      return import_runtime4.QueryUtils.requireField(this.schema, model, expr2.field);
+    } else if (import_schema3.ExpressionUtils.isMember(expr2) && expr2.members.length === 1 && import_schema3.ExpressionUtils.isThis(expr2.receiver)) {
+      return import_runtime4.QueryUtils.requireField(this.schema, model, expr2.members[0]);
+    } else {
+      return void 0;
+    }
+  }
+};
+_ts_decorate([
+  expr("literal"),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", [
+    typeof LiteralExpression === "undefined" ? Object : LiteralExpression
+  ]),
+  _ts_metadata("design:returntype", void 0)
+], ExpressionTransformer.prototype, "_literal", null);
+_ts_decorate([
+  expr("array"),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", [
+    typeof ArrayExpression === "undefined" ? Object : ArrayExpression,
+    typeof ExpressionTransformerContext === "undefined" ? Object : ExpressionTransformerContext
+  ]),
+  _ts_metadata("design:returntype", void 0)
+], ExpressionTransformer.prototype, "_array", null);
+_ts_decorate([
+  expr("field"),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", [
+    typeof FieldExpression === "undefined" ? Object : FieldExpression,
+    typeof ExpressionTransformerContext === "undefined" ? Object : ExpressionTransformerContext
+  ]),
+  _ts_metadata("design:returntype", void 0)
+], ExpressionTransformer.prototype, "_field", null);
+_ts_decorate([
+  expr("null"),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", []),
+  _ts_metadata("design:returntype", void 0)
+], ExpressionTransformer.prototype, "_null", null);
+_ts_decorate([
+  expr("binary"),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", [
+    typeof BinaryExpression === "undefined" ? Object : BinaryExpression,
+    typeof ExpressionTransformerContext === "undefined" ? Object : ExpressionTransformerContext
+  ]),
+  _ts_metadata("design:returntype", void 0)
+], ExpressionTransformer.prototype, "_binary", null);
+_ts_decorate([
+  expr("unary"),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", [
+    typeof UnaryExpression === "undefined" ? Object : UnaryExpression,
+    typeof ExpressionTransformerContext === "undefined" ? Object : ExpressionTransformerContext
+  ]),
+  _ts_metadata("design:returntype", void 0)
+], ExpressionTransformer.prototype, "_unary", null);
+_ts_decorate([
+  expr("call"),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", [
+    typeof CallExpression === "undefined" ? Object : CallExpression,
+    typeof ExpressionTransformerContext === "undefined" ? Object : ExpressionTransformerContext
+  ]),
+  _ts_metadata("design:returntype", void 0)
+], ExpressionTransformer.prototype, "_call", null);
+_ts_decorate([
+  expr("member"),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", [
+    typeof MemberExpression === "undefined" ? Object : MemberExpression,
+    typeof ExpressionTransformerContext === "undefined" ? Object : ExpressionTransformerContext
+  ]),
+  _ts_metadata("design:returntype", void 0)
+], ExpressionTransformer.prototype, "_member", null);
+// src/policy-handler.ts
+var PolicyHandler = class extends import_kysely3.OperationNodeTransformer {
+  static {
+    __name(this, "PolicyHandler");
+  }
+  client;
+  dialect;
+  constructor(client) {
+    super(), this.client = client;
+    this.dialect = (0, import_runtime6.getCrudDialect)(this.client.$schema, this.client.$options);
+  }
+  get kysely() {
+    return this.client.$qb;
+  }
+  async handle(node, proceed) {
+    if (!this.isCrudQueryNode(node)) {
+      throw new import_runtime6.RejectedByPolicyError(void 0, import_runtime6.RejectedByPolicyReason.OTHER, "non-CRUD queries are not allowed");
+    }
+    if (!this.isMutationQueryNode(node)) {
+      return proceed(this.transformNode(node));
+    }
+    const { mutationModel } = this.getMutationModel(node);
+    if (import_kysely3.InsertQueryNode.is(node)) {
+      const isManyToManyJoinTable = this.isManyToManyJoinTable(mutationModel);
+      let needCheckPreCreate = true;
+      if (!isManyToManyJoinTable) {
+        const constCondition = this.tryGetConstantPolicy(mutationModel, "create");
+        if (constCondition === true) {
+          needCheckPreCreate = false;
+        } else if (constCondition === false) {
+          throw new import_runtime6.RejectedByPolicyError(mutationModel);
+        }
+      }
+      if (needCheckPreCreate) {
+        await this.enforcePreCreatePolicy(node, mutationModel, isManyToManyJoinTable, proceed);
+      }
+    }
+    const hasPostUpdatePolicies = import_kysely3.UpdateQueryNode.is(node) && this.hasPostUpdatePolicies(mutationModel);
+    let beforeUpdateInfo;
+    if (hasPostUpdatePolicies) {
+      beforeUpdateInfo = await this.loadBeforeUpdateEntities(mutationModel, node.where, proceed);
+    }
+    const result = await proceed(this.transformNode(node));
+    if (hasPostUpdatePolicies && result.rows.length > 0) {
+      if (beforeUpdateInfo) {
+        (0, import_common_helpers3.invariant)(beforeUpdateInfo.rows.length === result.rows.length);
+        const idFields = import_runtime6.QueryUtils.requireIdFields(this.client.$schema, mutationModel);
+        for (const postRow of result.rows) {
+          const beforeRow = beforeUpdateInfo.rows.find((r) => idFields.every((f) => r[f] === postRow[f]));
+          if (!beforeRow) {
+            throw new import_runtime6.QueryError("Before-update and after-update rows do not match by id. If you have post-update policies on a model, updating id fields is not supported.");
+          }
+        }
+      }
+      const idConditions = this.buildIdConditions(mutationModel, result.rows);
+      const postUpdateFilter = this.buildPolicyFilter(mutationModel, void 0, "post-update");
+      const eb = (0, import_kysely3.expressionBuilder)();
+      const beforeUpdateTable = beforeUpdateInfo ? {
+        kind: "SelectQueryNode",
+        from: import_kysely3.FromNode.create([
+          import_kysely3.ParensNode.create(import_kysely3.ValuesNode.create(beforeUpdateInfo.rows.map((r) => import_kysely3.PrimitiveValueListNode.create(beforeUpdateInfo.fields.map((f) => r[f])))))
+        ]),
+        selections: beforeUpdateInfo.fields.map((name, index) => {
+          const def = import_runtime6.QueryUtils.requireField(this.client.$schema, mutationModel, name);
+          const castedColumnRef = import_kysely3.sql`CAST(${eb.ref(`column${index + 1}`)} as ${import_kysely3.sql.raw(this.dialect.getFieldSqlType(def))})`.as(name);
+          return import_kysely3.SelectionNode.create(castedColumnRef.toOperationNode());
+        })
+      } : void 0;
+      const postUpdateQuery = eb.selectFrom(mutationModel).select(() => [
+        eb(eb.fn("COUNT", [
+          eb.lit(1)
+        ]), "=", result.rows.length).as("$condition")
+      ]).where(() => new import_kysely3.ExpressionWrapper(conjunction(this.dialect, [
+        idConditions,
+        postUpdateFilter
+      ]))).$if(!!beforeUpdateInfo, (qb) => qb.leftJoin(() => new import_kysely3.ExpressionWrapper(beforeUpdateTable).as("$before"), (join) => {
+        const idFields = import_runtime6.QueryUtils.requireIdFields(this.client.$schema, mutationModel);
+        return idFields.reduce((acc, f) => acc.onRef(`${mutationModel}.${f}`, "=", `$before.${f}`), join);
+      }));
+      const postUpdateResult = await proceed(postUpdateQuery.toOperationNode());
+      if (!postUpdateResult.rows[0]?.$condition) {
+        throw new import_runtime6.RejectedByPolicyError(mutationModel, import_runtime6.RejectedByPolicyReason.NO_ACCESS, "some or all updated rows failed to pass post-update policy check");
+      }
+    }
+    if (!node.returning || this.onlyReturningId(node)) {
+      return this.postProcessMutationResult(result, node);
+    } else {
+      const readBackResult = await this.processReadBack(node, result, proceed);
+      if (readBackResult.rows.length !== result.rows.length) {
+        throw new import_runtime6.RejectedByPolicyError(mutationModel, import_runtime6.RejectedByPolicyReason.CANNOT_READ_BACK, "result is not allowed to be read back");
+      }
+      return readBackResult;
+    }
+  }
+  // correction to kysely mutation result may be needed because we might have added
+  // returning clause to the query and caused changes to the result shape
+  postProcessMutationResult(result, node) {
+    if (node.returning) {
+      return result;
+    } else {
+      return {
+        ...result,
+        rows: [],
+        numAffectedRows: result.numAffectedRows ?? BigInt(result.rows.length)
+      };
+    }
+  }
+  hasPostUpdatePolicies(model) {
+    const policies = this.getModelPolicies(model, "post-update");
+    return policies.length > 0;
+  }
+  async loadBeforeUpdateEntities(model, where, proceed) {
+    const beforeUpdateAccessFields = this.getFieldsAccessForBeforeUpdatePolicies(model);
+    if (!beforeUpdateAccessFields || beforeUpdateAccessFields.length === 0) {
+      return void 0;
+    }
+    const policyFilter = this.buildPolicyFilter(model, model, "update");
+    const combinedFilter = where ? conjunction(this.dialect, [
+      where.where,
+      policyFilter
+    ]) : policyFilter;
+    const query = {
+      kind: "SelectQueryNode",
+      from: import_kysely3.FromNode.create([
+        import_kysely3.TableNode.create(model)
+      ]),
+      where: import_kysely3.WhereNode.create(combinedFilter),
+      selections: [
+        ...beforeUpdateAccessFields.map((f) => import_kysely3.SelectionNode.create(import_kysely3.ColumnNode.create(f)))
+      ]
+    };
+    const result = await proceed(query);
+    return {
+      fields: beforeUpdateAccessFields,
+      rows: result.rows
+    };
+  }
+  getFieldsAccessForBeforeUpdatePolicies(model) {
+    const policies = this.getModelPolicies(model, "post-update");
+    if (policies.length === 0) {
+      return void 0;
+    }
+    const fields = /* @__PURE__ */ new Set();
+    const fieldCollector = new class extends import_sdk2.ExpressionVisitor {
+      visitMember(e) {
+        if (isBeforeInvocation(e.receiver)) {
+          (0, import_common_helpers3.invariant)(e.members.length === 1, "before() can only be followed by a scalar field access");
+          fields.add(e.members[0]);
+        }
+        super.visitMember(e);
+      }
+    }();
+    for (const policy of policies) {
+      fieldCollector.visit(policy.condition);
+    }
+    if (fields.size === 0) {
+      return void 0;
+    }
+    import_runtime6.QueryUtils.requireIdFields(this.client.$schema, model).forEach((f) => fields.add(f));
+    return Array.from(fields).sort();
+  }
+  // #region overrides
+  transformSelectQuery(node) {
+    if (!node.from) {
+      return super.transformSelectQuery(node);
+    }
+    let whereNode = this.transformNode(node.where);
+    const policyFilter = this.createPolicyFilterForFrom(node.from);
+    if (policyFilter) {
+      whereNode = import_kysely3.WhereNode.create(whereNode?.where ? conjunction(this.dialect, [
+        whereNode.where,
+        policyFilter
+      ]) : policyFilter);
+    }
+    const baseResult = super.transformSelectQuery({
+      ...node,
+      where: void 0
+    });
+    return {
+      ...baseResult,
+      where: whereNode
+    };
+  }
+  transformJoin(node) {
+    const table = this.extractTableName(node.table);
+    if (!table) {
+      return super.transformJoin(node);
+    }
+    const filter = this.buildPolicyFilter(table.model, table.alias, "read");
+    const nestedSelect = {
+      kind: "SelectQueryNode",
+      from: import_kysely3.FromNode.create([
+        node.table
+      ]),
+      selections: [
+        import_kysely3.SelectionNode.createSelectAll()
+      ],
+      where: import_kysely3.WhereNode.create(filter)
+    };
+    return {
+      ...node,
+      table: import_kysely3.AliasNode.create(import_kysely3.ParensNode.create(nestedSelect), import_kysely3.IdentifierNode.create(table.alias ?? table.model))
+    };
+  }
+  transformInsertQuery(node) {
+    let onConflict = node.onConflict;
+    if (onConflict?.updates) {
+      const { mutationModel, alias } = this.getMutationModel(node);
+      const filter = this.buildPolicyFilter(mutationModel, alias, "update");
+      if (onConflict.updateWhere) {
+        onConflict = {
+          ...onConflict,
+          updateWhere: import_kysely3.WhereNode.create(conjunction(this.dialect, [
+            onConflict.updateWhere.where,
+            filter
+          ]))
+        };
+      } else {
+        onConflict = {
+          ...onConflict,
+          updateWhere: import_kysely3.WhereNode.create(filter)
+        };
+      }
+    }
+    const processedNode = onConflict ? {
+      ...node,
+      onConflict
+    } : node;
+    const result = super.transformInsertQuery(processedNode);
+    let returning = result.returning;
+    if (returning) {
+      const { mutationModel } = this.getMutationModel(node);
+      const idFields = import_runtime6.QueryUtils.requireIdFields(this.client.$schema, mutationModel);
+      returning = import_kysely3.ReturningNode.create(idFields.map((f) => import_kysely3.SelectionNode.create(import_kysely3.ColumnNode.create(f))));
+    }
+    return {
+      ...result,
+      returning
+    };
+  }
+  transformUpdateQuery(node) {
+    const result = super.transformUpdateQuery(node);
+    const { mutationModel, alias } = this.getMutationModel(node);
+    let filter = this.buildPolicyFilter(mutationModel, alias, "update");
+    if (node.from) {
+      const joinFilter = this.createPolicyFilterForFrom(node.from);
+      if (joinFilter) {
+        filter = conjunction(this.dialect, [
+          filter,
+          joinFilter
+        ]);
+      }
+    }
+    let returning = result.returning;
+    if (returning || this.hasPostUpdatePolicies(mutationModel)) {
+      const idFields = import_runtime6.QueryUtils.requireIdFields(this.client.$schema, mutationModel);
+      returning = import_kysely3.ReturningNode.create(idFields.map((f) => import_kysely3.SelectionNode.create(import_kysely3.ColumnNode.create(f))));
+    }
+    return {
+      ...result,
+      where: import_kysely3.WhereNode.create(result.where ? conjunction(this.dialect, [
+        result.where.where,
+        filter
+      ]) : filter),
+      returning
+    };
+  }
+  transformDeleteQuery(node) {
+    const result = super.transformDeleteQuery(node);
+    const { mutationModel, alias } = this.getMutationModel(node);
+    let filter = this.buildPolicyFilter(mutationModel, alias, "delete");
+    if (node.using) {
+      const joinFilter = this.createPolicyFilterForTables(node.using.tables);
+      if (joinFilter) {
+        filter = conjunction(this.dialect, [
+          filter,
+          joinFilter
+        ]);
+      }
+    }
+    return {
+      ...result,
+      where: import_kysely3.WhereNode.create(result.where ? conjunction(this.dialect, [
+        result.where.where,
+        filter
+      ]) : filter)
+    };
+  }
+  // #endregion
+  // #region helpers
+  onlyReturningId(node) {
+    if (!node.returning) {
+      return true;
+    }
+    const { mutationModel } = this.getMutationModel(node);
+    const idFields = import_runtime6.QueryUtils.requireIdFields(this.client.$schema, mutationModel);
+    if (node.returning.selections.some((s) => import_kysely3.SelectAllNode.is(s.selection))) {
+      const modelDef = import_runtime6.QueryUtils.requireModel(this.client.$schema, mutationModel);
+      if (Object.keys(modelDef.fields).some((f) => !idFields.includes(f))) {
+        return false;
+      } else {
+        return true;
+      }
+    }
+    const collector = new ColumnCollector();
+    const selectedColumns = collector.collect(node.returning);
+    return selectedColumns.every((c) => idFields.includes(c));
+  }
+  async enforcePreCreatePolicy(node, mutationModel, isManyToManyJoinTable, proceed) {
+    const fields = node.columns?.map((c) => c.column.name) ?? [];
+    const valueRows = node.values ? this.unwrapCreateValueRows(node.values, mutationModel, fields, isManyToManyJoinTable) : [
+      []
+    ];
+    for (const values of valueRows) {
+      if (isManyToManyJoinTable) {
+        await this.enforcePreCreatePolicyForManyToManyJoinTable(mutationModel, fields, values.map((v) => v.node), proceed);
+      } else {
+        await this.enforcePreCreatePolicyForOne(mutationModel, fields, values.map((v) => v.node), proceed);
+      }
+    }
+  }
+  async enforcePreCreatePolicyForManyToManyJoinTable(tableName, fields, values, proceed) {
+    const m2m = this.resolveManyToManyJoinTable(tableName);
+    (0, import_common_helpers3.invariant)(m2m);
+    (0, import_common_helpers3.invariant)(fields.includes("A") && fields.includes("B"), "many-to-many join table must have A and B fk fields");
+    const aIndex = fields.indexOf("A");
+    const aNode = values[aIndex];
+    const bIndex = fields.indexOf("B");
+    const bNode = values[bIndex];
+    (0, import_common_helpers3.invariant)(import_kysely3.ValueNode.is(aNode) && import_kysely3.ValueNode.is(bNode), "A and B values must be ValueNode");
+    const aValue = aNode.value;
+    const bValue = bNode.value;
+    (0, import_common_helpers3.invariant)(aValue !== null && aValue !== void 0, "A value cannot be null or undefined");
+    (0, import_common_helpers3.invariant)(bValue !== null && bValue !== void 0, "B value cannot be null or undefined");
+    const eb = (0, import_kysely3.expressionBuilder)();
+    const filterA = this.buildPolicyFilter(m2m.firstModel, void 0, "update");
+    const queryA = eb.selectFrom(m2m.firstModel).where(eb(eb.ref(`${m2m.firstModel}.${m2m.firstIdField}`), "=", aValue)).select(() => new import_kysely3.ExpressionWrapper(filterA).as("$t"));
+    const filterB = this.buildPolicyFilter(m2m.secondModel, void 0, "update");
+    const queryB = eb.selectFrom(m2m.secondModel).where(eb(eb.ref(`${m2m.secondModel}.${m2m.secondIdField}`), "=", bValue)).select(() => new import_kysely3.ExpressionWrapper(filterB).as("$t"));
+    const queryNode = {
+      kind: "SelectQueryNode",
+      selections: [
+        import_kysely3.SelectionNode.create(import_kysely3.AliasNode.create(queryA.toOperationNode(), import_kysely3.IdentifierNode.create("$conditionA"))),
+        import_kysely3.SelectionNode.create(import_kysely3.AliasNode.create(queryB.toOperationNode(), import_kysely3.IdentifierNode.create("$conditionB")))
+      ]
+    };
+    const result = await proceed(queryNode);
+    if (!result.rows[0]?.$conditionA) {
+      throw new import_runtime6.RejectedByPolicyError(m2m.firstModel, import_runtime6.RejectedByPolicyReason.CANNOT_READ_BACK, `many-to-many relation participant model "${m2m.firstModel}" not updatable`);
+    }
+    if (!result.rows[0]?.$conditionB) {
+      throw new import_runtime6.RejectedByPolicyError(m2m.secondModel, import_runtime6.RejectedByPolicyReason.NO_ACCESS, `many-to-many relation participant model "${m2m.secondModel}" not updatable`);
+    }
+  }
+  async enforcePreCreatePolicyForOne(model, fields, values, proceed) {
+    const allFields = Object.entries(import_runtime6.QueryUtils.requireModel(this.client.$schema, model).fields).filter(([, def]) => !def.relation);
+    const allValues = [];
+    for (const [name, _def] of allFields) {
+      const index = fields.indexOf(name);
+      if (index >= 0) {
+        allValues.push(values[index]);
+      } else {
+        allValues.push(import_kysely3.ValueNode.createImmediate(null));
+      }
+    }
+    const eb = (0, import_kysely3.expressionBuilder)();
+    const constTable = {
+      kind: "SelectQueryNode",
+      from: import_kysely3.FromNode.create([
+        import_kysely3.AliasNode.create(import_kysely3.ParensNode.create(import_kysely3.ValuesNode.create([
+          import_kysely3.ValueListNode.create(allValues)
+        ])), import_kysely3.IdentifierNode.create("$t"))
+      ]),
+      selections: allFields.map(([name, def], index) => {
+        const castedColumnRef = import_kysely3.sql`CAST(${eb.ref(`column${index + 1}`)} as ${import_kysely3.sql.raw(this.dialect.getFieldSqlType(def))})`.as(name);
+        return import_kysely3.SelectionNode.create(castedColumnRef.toOperationNode());
+      })
+    };
+    const filter = this.buildPolicyFilter(model, void 0, "create");
+    const preCreateCheck = {
+      kind: "SelectQueryNode",
+      from: import_kysely3.FromNode.create([
+        import_kysely3.AliasNode.create(constTable, import_kysely3.IdentifierNode.create(model))
+      ]),
+      selections: [
+        import_kysely3.SelectionNode.create(import_kysely3.AliasNode.create(import_kysely3.BinaryOperationNode.create(import_kysely3.FunctionNode.create("COUNT", [
+          import_kysely3.ValueNode.createImmediate(1)
+        ]), import_kysely3.OperatorNode.create(">"), import_kysely3.ValueNode.createImmediate(0)), import_kysely3.IdentifierNode.create("$condition")))
+      ],
+      where: import_kysely3.WhereNode.create(filter)
+    };
+    const result = await proceed(preCreateCheck);
+    if (!result.rows[0]?.$condition) {
+      throw new import_runtime6.RejectedByPolicyError(model);
+    }
+  }
+  unwrapCreateValueRows(node, model, fields, isManyToManyJoinTable) {
+    if (import_kysely3.ValuesNode.is(node)) {
+      return node.values.map((v) => this.unwrapCreateValueRow(v.values, model, fields, isManyToManyJoinTable));
+    } else if (import_kysely3.PrimitiveValueListNode.is(node)) {
+      return [
+        this.unwrapCreateValueRow(node.values, model, fields, isManyToManyJoinTable)
+      ];
+    } else {
+      throw new import_runtime6.InternalError(`Unexpected node kind: ${node.kind} for unwrapping create values`);
+    }
+  }
+  unwrapCreateValueRow(data, model, fields, isImplicitManyToManyJoinTable) {
+    (0, import_common_helpers3.invariant)(data.length === fields.length, "data length must match fields length");
+    const result = [];
+    for (let i = 0; i < data.length; i++) {
+      const item = data[i];
+      if (typeof item === "object" && item && "kind" in item) {
+        const fieldDef = import_runtime6.QueryUtils.requireField(this.client.$schema, model, fields[i]);
+        (0, import_common_helpers3.invariant)(item.kind === "ValueNode", "expecting a ValueNode");
+        result.push({
+          node: import_kysely3.ValueNode.create(this.dialect.transformPrimitive(item.value, fieldDef.type, !!fieldDef.array)),
+          raw: item.value
+        });
+      } else {
+        let value = item;
+        if (!isImplicitManyToManyJoinTable) {
+          const fieldDef = import_runtime6.QueryUtils.requireField(this.client.$schema, model, fields[i]);
+          value = this.dialect.transformPrimitive(item, fieldDef.type, !!fieldDef.array);
+        }
+        if (Array.isArray(value)) {
+          result.push({
+            node: import_kysely3.RawNode.createWithSql(this.dialect.buildArrayLiteralSQL(value)),
+            raw: value
+          });
+        } else {
+          result.push({
+            node: import_kysely3.ValueNode.create(value),
+            raw: value
+          });
+        }
+      }
+    }
+    return result;
+  }
+  tryGetConstantPolicy(model, operation) {
+    const policies = this.getModelPolicies(model, operation);
+    if (!policies.some((p) => p.kind === "allow")) {
+      return false;
+    } else if (
+      // unconditional deny
+      policies.some((p) => p.kind === "deny" && this.isTrueExpr(p.condition))
+    ) {
+      return false;
+    } else if (
+      // unconditional allow
+      !policies.some((p) => p.kind === "deny") && policies.some((p) => p.kind === "allow" && this.isTrueExpr(p.condition))
+    ) {
+      return true;
+    } else {
+      return void 0;
+    }
+  }
+  isTrueExpr(expr2) {
+    return import_schema4.ExpressionUtils.isLiteral(expr2) && expr2.value === true;
+  }
+  async processReadBack(node, result, proceed) {
+    if (result.rows.length === 0) {
+      return result;
+    }
+    if (!this.isMutationQueryNode(node) || !node.returning) {
+      return result;
+    }
+    const { mutationModel } = this.getMutationModel(node);
+    const idConditions = this.buildIdConditions(mutationModel, result.rows);
+    const policyFilter = this.buildPolicyFilter(mutationModel, void 0, "read");
+    const select = {
+      kind: "SelectQueryNode",
+      from: import_kysely3.FromNode.create([
+        import_kysely3.TableNode.create(mutationModel)
+      ]),
+      where: import_kysely3.WhereNode.create(conjunction(this.dialect, [
+        idConditions,
+        policyFilter
+      ])),
+      selections: node.returning.selections
+    };
+    const selectResult = await proceed(select);
+    return selectResult;
+  }
+  buildIdConditions(table, rows) {
+    const idFields = import_runtime6.QueryUtils.requireIdFields(this.client.$schema, table);
+    return disjunction(this.dialect, rows.map((row) => conjunction(this.dialect, idFields.map((field) => import_kysely3.BinaryOperationNode.create(import_kysely3.ReferenceNode.create(import_kysely3.ColumnNode.create(field), import_kysely3.TableNode.create(table)), import_kysely3.OperatorNode.create("="), import_kysely3.ValueNode.create(row[field]))))));
+  }
+  getMutationModel(node) {
+    const r = (0, import_ts_pattern3.match)(node).when(import_kysely3.InsertQueryNode.is, (node2) => ({
+      mutationModel: getTableName(node2.into),
+      alias: void 0
+    })).when(import_kysely3.UpdateQueryNode.is, (node2) => {
+      if (!node2.table) {
+        throw new import_runtime6.QueryError("Update query must have a table");
+      }
+      const r2 = this.extractTableName(node2.table);
+      return r2 ? {
+        mutationModel: r2.model,
+        alias: r2.alias
+      } : void 0;
+    }).when(import_kysely3.DeleteQueryNode.is, (node2) => {
+      if (node2.from.froms.length !== 1) {
+        throw new import_runtime6.QueryError("Only one from table is supported for delete");
+      }
+      const r2 = this.extractTableName(node2.from.froms[0]);
+      return r2 ? {
+        mutationModel: r2.model,
+        alias: r2.alias
+      } : void 0;
+    }).exhaustive();
+    if (!r) {
+      throw new import_runtime6.InternalError(`Unable to get table name for query node: ${node}`);
+    }
+    return r;
+  }
+  isCrudQueryNode(node) {
+    return import_kysely3.SelectQueryNode.is(node) || import_kysely3.InsertQueryNode.is(node) || import_kysely3.UpdateQueryNode.is(node) || import_kysely3.DeleteQueryNode.is(node);
+  }
+  isMutationQueryNode(node) {
+    return import_kysely3.InsertQueryNode.is(node) || import_kysely3.UpdateQueryNode.is(node) || import_kysely3.DeleteQueryNode.is(node);
+  }
+  buildPolicyFilter(model, alias, operation) {
+    const m2mFilter = this.getModelPolicyFilterForManyToManyJoinTable(model, alias, operation);
+    if (m2mFilter) {
+      return m2mFilter;
+    }
+    const policies = this.getModelPolicies(model, operation);
+    const allows = policies.filter((policy) => policy.kind === "allow").map((policy) => this.compilePolicyCondition(model, alias, operation, policy));
+    const denies = policies.filter((policy) => policy.kind === "deny").map((policy) => this.compilePolicyCondition(model, alias, operation, policy));
+    let combinedPolicy;
+    if (allows.length === 0) {
+      if (operation === "post-update") {
+        combinedPolicy = trueNode(this.dialect);
+      } else {
+        combinedPolicy = falseNode(this.dialect);
+      }
+    } else {
+      combinedPolicy = disjunction(this.dialect, allows);
+    }
+    if (denies.length !== 0) {
+      const combinedDenies = conjunction(this.dialect, denies.map((d) => buildIsFalse(d, this.dialect)));
+      combinedPolicy = conjunction(this.dialect, [
+        combinedPolicy,
+        combinedDenies
+      ]);
+    }
+    return combinedPolicy;
+  }
+  extractTableName(node) {
+    if (import_kysely3.TableNode.is(node)) {
+      return {
+        model: node.table.identifier.name
+      };
+    }
+    if (import_kysely3.AliasNode.is(node)) {
+      const inner = this.extractTableName(node.node);
+      if (!inner) {
+        return void 0;
+      }
+      return {
+        model: inner.model,
+        alias: import_kysely3.IdentifierNode.is(node.alias) ? node.alias.name : void 0
+      };
+    } else {
+      return void 0;
+    }
+  }
+  createPolicyFilterForFrom(node) {
+    if (!node) {
+      return void 0;
+    }
+    return this.createPolicyFilterForTables(node.froms);
+  }
+  createPolicyFilterForTables(tables) {
+    return tables.reduce((acc, table) => {
+      const extractResult = this.extractTableName(table);
+      if (extractResult) {
+        const { model, alias } = extractResult;
+        const filter = this.buildPolicyFilter(model, alias, "read");
+        return acc ? conjunction(this.dialect, [
+          acc,
+          filter
+        ]) : filter;
+      }
+      return acc;
+    }, void 0);
+  }
+  compilePolicyCondition(model, alias, operation, policy) {
+    return new ExpressionTransformer(this.client).transform(policy.condition, {
+      model,
+      alias,
+      operation
+    });
+  }
+  getModelPolicies(model, operation) {
+    const modelDef = import_runtime6.QueryUtils.requireModel(this.client.$schema, model);
+    const result = [];
+    const extractOperations = /* @__PURE__ */ __name((expr2) => {
+      (0, import_common_helpers3.invariant)(import_schema4.ExpressionUtils.isLiteral(expr2), "expecting a literal");
+      (0, import_common_helpers3.invariant)(typeof expr2.value === "string", "expecting a string literal");
+      return expr2.value.split(",").filter((v) => !!v).map((v) => v.trim());
+    }, "extractOperations");
+    if (modelDef.attributes) {
+      result.push(...modelDef.attributes.filter((attr) => attr.name === "@@allow" || attr.name === "@@deny").map((attr) => ({
+        kind: attr.name === "@@allow" ? "allow" : "deny",
+        operations: extractOperations(attr.args[0].value),
+        condition: attr.args[1].value
+      })).filter((policy) => operation !== "post-update" && policy.operations.includes("all") || policy.operations.includes(operation)));
+    }
+    return result;
+  }
+  resolveManyToManyJoinTable(tableName) {
+    for (const model of Object.values(this.client.$schema.models)) {
+      for (const field of Object.values(model.fields)) {
+        const m2m = import_runtime6.QueryUtils.getManyToManyRelation(this.client.$schema, model.name, field.name);
+        if (m2m?.joinTable === tableName) {
+          const sortedRecord = [
+            {
+              model: model.name,
+              field: field.name
+            },
+            {
+              model: m2m.otherModel,
+              field: m2m.otherField
+            }
+          ].sort(this.manyToManySorter);
+          const firstIdFields = import_runtime6.QueryUtils.requireIdFields(this.client.$schema, sortedRecord[0].model);
+          const secondIdFields = import_runtime6.QueryUtils.requireIdFields(this.client.$schema, sortedRecord[1].model);
+          (0, import_common_helpers3.invariant)(firstIdFields.length === 1 && secondIdFields.length === 1, "only single-field id is supported for implicit many-to-many join table");
+          return {
+            firstModel: sortedRecord[0].model,
+            firstField: sortedRecord[0].field,
+            firstIdField: firstIdFields[0],
+            secondModel: sortedRecord[1].model,
+            secondField: sortedRecord[1].field,
+            secondIdField: secondIdFields[0]
+          };
+        }
+      }
+    }
+    return void 0;
+  }
+  manyToManySorter(a, b) {
+    return a.model !== b.model ? a.model.localeCompare(b.model) : a.field.localeCompare(b.field);
+  }
+  isManyToManyJoinTable(tableName) {
+    return !!this.resolveManyToManyJoinTable(tableName);
+  }
+  getModelPolicyFilterForManyToManyJoinTable(tableName, alias, operation) {
+    const m2m = this.resolveManyToManyJoinTable(tableName);
+    if (!m2m) {
+      return void 0;
+    }
+    const checkForOperation = operation === "read" ? "read" : "update";
+    const eb = (0, import_kysely3.expressionBuilder)();
+    const joinTable = alias ?? tableName;
+    const aQuery = eb.selectFrom(m2m.firstModel).whereRef(`${m2m.firstModel}.${m2m.firstIdField}`, "=", `${joinTable}.A`).select(() => new import_kysely3.ExpressionWrapper(this.buildPolicyFilter(m2m.firstModel, void 0, checkForOperation)).as("$conditionA"));
+    const bQuery = eb.selectFrom(m2m.secondModel).whereRef(`${m2m.secondModel}.${m2m.secondIdField}`, "=", `${joinTable}.B`).select(() => new import_kysely3.ExpressionWrapper(this.buildPolicyFilter(m2m.secondModel, void 0, checkForOperation)).as("$conditionB"));
+    return eb.and([
+      aQuery,
+      bQuery
+    ]).toOperationNode();
+  }
+};
+// src/functions.ts
+var check = /* @__PURE__ */ __name((eb, args, { client, model, modelAlias, operation }) => {
+  (0, import_common_helpers4.invariant)(args.length === 1 || args.length === 2, '"check" function requires 1 or 2 arguments');
+  const arg1Node = args[0].toOperationNode();
+  const arg2Node = args.length === 2 ? args[1].toOperationNode() : void 0;
+  if (arg2Node) {
+    (0, import_common_helpers4.invariant)(import_kysely4.ValueNode.is(arg2Node) && typeof arg2Node.value === "string", '"operation" parameter must be a string literal when provided');
+    (0, import_common_helpers4.invariant)(import_runtime8.CRUD.includes(arg2Node.value), '"operation" parameter must be one of "create", "read", "update", "delete"');
+  }
+  const fieldName = import_runtime8.QueryUtils.extractFieldName(arg1Node);
+  (0, import_common_helpers4.invariant)(fieldName, 'Failed to extract field name from the first argument of "check" function');
+  const fieldDef = import_runtime8.QueryUtils.requireField(client.$schema, model, fieldName);
+  (0, import_common_helpers4.invariant)(fieldDef.relation, `Field "${fieldName}" is not a relation field in model "${model}"`);
+  (0, import_common_helpers4.invariant)(!fieldDef.array, `Field "${fieldName}" is a to-many relation, which is not supported by "check"`);
+  const relationModel = fieldDef.type;
+  const joinConditions = [];
+  const fkInfo = import_runtime8.QueryUtils.getRelationForeignKeyFieldPairs(client.$schema, model, fieldName);
+  const idFields = import_runtime8.QueryUtils.requireIdFields(client.$schema, model);
+  const buildBaseSelect = /* @__PURE__ */ __name((baseModel, field) => {
+    return eb.selectFrom(baseModel).select(field).where(eb.and(idFields.map((idField) => eb(eb.ref(`${fieldDef.originModel}.${idField}`), "=", eb.ref(`${modelAlias}.${idField}`)))));
+  }, "buildBaseSelect");
+  if (fkInfo.ownedByModel) {
+    joinConditions.push(...fkInfo.keyPairs.map(({ fk, pk }) => {
+      let fkRef;
+      if (fieldDef.originModel && fieldDef.originModel !== model) {
+        fkRef = buildBaseSelect(fieldDef.originModel, fk);
+      } else {
+        fkRef = eb.ref(`${modelAlias}.${fk}`);
+      }
+      return eb(fkRef, "=", eb.ref(`${relationModel}.${pk}`));
+    }));
+  } else {
+    joinConditions.push(...fkInfo.keyPairs.map(({ fk, pk }) => {
+      let pkRef;
+      if (fieldDef.originModel && fieldDef.originModel !== model) {
+        pkRef = buildBaseSelect(fieldDef.originModel, pk);
+      } else {
+        pkRef = eb.ref(`${modelAlias}.${pk}`);
+      }
+      return eb(pkRef, "=", eb.ref(`${relationModel}.${fk}`));
+    }));
+  }
+  const joinCondition = joinConditions.length === 1 ? joinConditions[0] : eb.and(joinConditions);
+  const policyHandler = new PolicyHandler(client);
+  const op = arg2Node ? arg2Node.value : operation;
+  const policyCondition = policyHandler.buildPolicyFilter(relationModel, void 0, op);
+  const result = eb.selectFrom(relationModel).where(joinCondition).select(new import_kysely4.ExpressionWrapper(policyCondition).as("$condition"));
+  return result;
+}, "check");
+// src/plugin.ts
+var PolicyPlugin = class {
+  static {
+    __name(this, "PolicyPlugin");
+  }
+  get id() {
+    return "policy";
+  }
+  get name() {
+    return "Access Policy";
+  }
+  get description() {
+    return "Enforces access policies defined in the schema.";
+  }
+  get functions() {
+    return {
+      check
+    };
+  }
+  onKyselyQuery({ query, client, proceed }) {
+    const handler = new PolicyHandler(client);
+    return handler.handle(query, proceed);
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  PolicyPlugin
+});
+//# sourceMappingURL=index.cjs.map