@zenstackhq/runtime 3.0.0-beta.4 → 3.0.0-beta.5

package/dist/plugins/policy/index.js

@@ -2,46 +2,50 @@ var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 
 // src/plugins/policy/errors.ts
+var RejectedByPolicyReason = /* @__PURE__ */ function(RejectedByPolicyReason2) {
+  RejectedByPolicyReason2["NO_ACCESS"] = "no-access";
+  RejectedByPolicyReason2["CANNOT_READ_BACK"] = "cannot-read-back";
+  RejectedByPolicyReason2["OTHER"] = "other";
+  return RejectedByPolicyReason2;
+}({});
 var RejectedByPolicyError = class extends Error {
   static {
     __name(this, "RejectedByPolicyError");
   }
   model;
   reason;
-  constructor(model, reason) {
-    super(reason ?? `Operation rejected by policy${model ? ": " + model : ""}`), this.model = model, this.reason = reason;
+  constructor(model, reason = "no-access", message) {
+    super(message ?? `Operation rejected by policy${model ? ": " + model : ""}`), this.model = model, this.reason = reason;
   }
 };
 
-// src/plugins/policy/policy-handler.ts
-import { invariant as invariant6 } from "@zenstackhq/common-helpers";
-import { AliasNode as AliasNode3, BinaryOperationNode as BinaryOperationNode3, ColumnNode as ColumnNode2, DeleteQueryNode, FromNode as FromNode2, FunctionNode as FunctionNode3, IdentifierNode as IdentifierNode2, InsertQueryNode, OperationNodeTransformer, OperatorNode as OperatorNode3, ParensNode as ParensNode2, PrimitiveValueListNode, RawNode, ReturningNode, SelectionNode as SelectionNode2, SelectQueryNode as SelectQueryNode2, TableNode as TableNode3, UpdateQueryNode, ValueListNode as ValueListNode2, ValueNode as ValueNode3, ValuesNode, WhereNode as WhereNode2 } from "kysely";
-import { match as match8 } from "ts-pattern";
-
-// src/client/crud/dialects/index.ts
-import { match as match5 } from "ts-pattern";
+// src/plugins/policy/functions.ts
+import { invariant as invariant8 } from "@zenstackhq/common-helpers";
+import { ExpressionWrapper as ExpressionWrapper2, ValueNode as ValueNode4 } from "kysely";
 
-// src/client/crud/dialects/postgresql.ts
-import { invariant as invariant2 } from "@zenstackhq/common-helpers";
-import { sql as sql2 } from "kysely";
-import { match as match3 } from "ts-pattern";
-
-// src/client/constants.ts
-var DELEGATE_JOINED_FIELD_PREFIX = "$delegate$";
-var LOGICAL_COMBINATORS = [
-  "AND",
-  "OR",
-  "NOT"
-];
-var AGGREGATE_OPERATORS = [
-  "_count",
-  "_sum",
-  "_avg",
-  "_min",
-  "_max"
+// src/client/contract.ts
+var CRUD = [
+  "create",
+  "read",
+  "update",
+  "delete"
 ];
 
+// src/client/kysely-utils.ts
+import { AliasNode, ColumnNode, ReferenceNode, TableNode } from "kysely";
+function extractFieldName(node) {
+  if (ReferenceNode.is(node) && ColumnNode.is(node.column)) {
+    return node.column.column.name;
+  } else if (ColumnNode.is(node)) {
+    return node.column.name;
+  } else {
+    return void 0;
+  }
+}
+__name(extractFieldName, "extractFieldName");
+
 // src/client/query-utils.ts
+import { invariant } from "@zenstackhq/common-helpers";
 import { match } from "ts-pattern";
 
 // src/schema/expression.ts
@@ -188,11 +192,15 @@ function requireField(schema, modelOrType, field) {
   throw new QueryError(`Model or type "${modelOrType}" not found in schema`);
 }
 __name(requireField, "requireField");
-function getIdFields(schema, model) {
+function requireIdFields(schema, model) {
   const modelDef = requireModel(schema, model);
-  return modelDef?.idFields;
+  const result = modelDef?.idFields;
+  if (!result) {
+    throw new InternalError(`Model "${model}" does not have ID field(s)`);
+  }
+  return result;
 }
-__name(getIdFields, "getIdFields");
+__name(requireIdFields, "requireIdFields");
 function getRelationForeignKeyFieldPairs(schema, model, relationField) {
   const fieldDef = requireField(schema, model, relationField);
   if (!fieldDef?.relation) {
@@ -285,7 +293,7 @@ function buildFieldRef(schema, model, field, options, eb, modelAlias, inlineComp
       throw new QueryError(`Computed field "${field}" implementation not provided for model "${model}"`);
     }
     return computer(eb, {
-      currentModel: modelAlias
+      modelAlias
     });
   }
 }
@@ -312,7 +320,7 @@ function buildJoinPairs(schema, model, modelAlias, relationField, relationModelA
 }
 __name(buildJoinPairs, "buildJoinPairs");
 function makeDefaultOrderBy(schema, model) {
-  const idFields = getIdFields(schema, model);
+  const idFields = requireIdFields(schema, model);
   return idFields.map((f) => ({
     [f]: "asc"
   }));
@@ -351,11 +359,17 @@ function getManyToManyRelation(schema, model, field) {
         "A"
       ];
     }
+    const modelIdFields = requireIdFields(schema, model);
+    invariant(modelIdFields.length === 1, "Only single-field ID is supported for many-to-many relation");
+    const otherIdFields = requireIdFields(schema, fieldDef.type);
+    invariant(otherIdFields.length === 1, "Only single-field ID is supported for many-to-many relation");
     return {
       parentFkName: orderedFK[0],
+      parentPKName: modelIdFields[0],
       otherModel: fieldDef.type,
       otherField: fieldDef.relation.opposite,
       otherFkName: orderedFK[1],
+      otherPKName: otherIdFields[0],
       joinTable: fieldDef.relation.name ? `_${fieldDef.relation.name}` : `_${sortedModelNames[0]}To${sortedModelNames[1]}`
     };
   } else {
@@ -411,8 +425,37 @@ function aggregate(eb, expr2, op) {
 }
 __name(aggregate, "aggregate");
 
+// src/plugins/policy/policy-handler.ts
+import { invariant as invariant7 } from "@zenstackhq/common-helpers";
+import { AliasNode as AliasNode4, BinaryOperationNode as BinaryOperationNode3, ColumnNode as ColumnNode3, DeleteQueryNode, expressionBuilder as expressionBuilder3, ExpressionWrapper, FromNode as FromNode2, FunctionNode as FunctionNode3, IdentifierNode as IdentifierNode2, InsertQueryNode, OperationNodeTransformer, OperatorNode as OperatorNode3, ParensNode as ParensNode2, PrimitiveValueListNode, RawNode, ReturningNode, SelectionNode as SelectionNode2, SelectQueryNode as SelectQueryNode2, sql as sql4, TableNode as TableNode4, UpdateQueryNode, ValueListNode as ValueListNode2, ValueNode as ValueNode3, ValuesNode, WhereNode as WhereNode2 } from "kysely";
+import { match as match8 } from "ts-pattern";
+
+// src/client/crud/dialects/index.ts
+import { match as match5 } from "ts-pattern";
+
+// src/client/crud/dialects/postgresql.ts
+import { invariant as invariant3 } from "@zenstackhq/common-helpers";
+import Decimal from "decimal.js";
+import { sql as sql2 } from "kysely";
+import { match as match3 } from "ts-pattern";
+
+// src/client/constants.ts
+var DELEGATE_JOINED_FIELD_PREFIX = "$delegate$";
+var LOGICAL_COMBINATORS = [
+  "AND",
+  "OR",
+  "NOT"
+];
+var AGGREGATE_OPERATORS = [
+  "_count",
+  "_sum",
+  "_avg",
+  "_min",
+  "_max"
+];
+
 // src/client/crud/dialects/base-dialect.ts
-import { invariant, isPlainObject } from "@zenstackhq/common-helpers";
+import { invariant as invariant2, isPlainObject } from "@zenstackhq/common-helpers";
 import { expressionBuilder, sql } from "kysely";
 import { match as match2, P } from "ts-pattern";
 
@@ -444,6 +487,9 @@ var BaseCrudDialect = class {
   transformPrimitive(value, _type, _forArrayField) {
     return value;
   }
+  transformOutput(value, _type) {
+    return value;
+  }
   // #region common query builders
   buildSelectModel(eb, model, modelAlias) {
     const modelDef = requireModel(this.schema, model);
@@ -611,9 +657,11 @@ var BaseCrudDialect = class {
     const buildPkFkWhereRefs = /* @__PURE__ */ __name((eb2) => {
       const m2m = getManyToManyRelation(this.schema, model, field);
       if (m2m) {
-        const modelIdField = getIdFields(this.schema, model)[0];
-        const relationIdField = getIdFields(this.schema, relationModel)[0];
-        return eb2(sql.ref(`${relationFilterSelectAlias}.${relationIdField}`), "in", eb2.selectFrom(m2m.joinTable).select(`${m2m.joinTable}.${m2m.otherFkName}`).whereRef(sql.ref(`${m2m.joinTable}.${m2m.parentFkName}`), "=", sql.ref(`${modelAlias}.${modelIdField}`)));
+        const modelIdFields = requireIdFields(this.schema, model);
+        invariant2(modelIdFields.length === 1, "many-to-many relation must have exactly one id field");
+        const relationIdFields = requireIdFields(this.schema, relationModel);
+        invariant2(relationIdFields.length === 1, "many-to-many relation must have exactly one id field");
+        return eb2(sql.ref(`${relationFilterSelectAlias}.${relationIdFields[0]}`), "in", eb2.selectFrom(m2m.joinTable).select(`${m2m.joinTable}.${m2m.otherFkName}`).whereRef(sql.ref(`${m2m.joinTable}.${m2m.parentFkName}`), "=", sql.ref(`${modelAlias}.${modelIdFields[0]}`)));
       } else {
         const relationKeyPairs = getRelationForeignKeyFieldPairs(this.schema, model, field);
         let result2 = this.true(eb2);
@@ -723,14 +771,14 @@ var BaseCrudDialect = class {
       }
       const rhs = Array.isArray(value) ? value.map(getRhs) : getRhs(value);
       const condition = match2(op).with("equals", () => rhs === null ? eb(lhs, "is", null) : eb(lhs, "=", rhs)).with("in", () => {
-        invariant(Array.isArray(rhs), "right hand side must be an array");
+        invariant2(Array.isArray(rhs), "right hand side must be an array");
         if (rhs.length === 0) {
           return this.false(eb);
         } else {
           return eb(lhs, "in", rhs);
         }
       }).with("notIn", () => {
-        invariant(Array.isArray(rhs), "right hand side must be an array");
+        invariant2(Array.isArray(rhs), "right hand side must be an array");
         if (rhs.length === 0) {
           return this.true(eb);
         } else {
@@ -848,18 +896,18 @@ var BaseCrudDialect = class {
           "_min",
           "_max"
         ].includes(field)) {
-          invariant(value && typeof value === "object", `invalid orderBy value for field "${field}"`);
+          invariant2(value && typeof value === "object", `invalid orderBy value for field "${field}"`);
           for (const [k, v] of Object.entries(value)) {
-            invariant(v === "asc" || v === "desc", `invalid orderBy value for field "${field}"`);
+            invariant2(v === "asc" || v === "desc", `invalid orderBy value for field "${field}"`);
             result = result.orderBy((eb) => aggregate(eb, this.fieldRef(model, k, eb, modelAlias), field), sql.raw(this.negateSort(v, negated)));
           }
           continue;
         }
         switch (field) {
           case "_count": {
-            invariant(value && typeof value === "object", 'invalid orderBy value for field "_count"');
+            invariant2(value && typeof value === "object", 'invalid orderBy value for field "_count"');
             for (const [k, v] of Object.entries(value)) {
-              invariant(v === "asc" || v === "desc", `invalid orderBy value for field "${field}"`);
+              invariant2(v === "asc" || v === "desc", `invalid orderBy value for field "${field}"`);
               result = result.orderBy((eb) => eb.fn.count(this.fieldRef(model, k, eb, modelAlias)), sql.raw(this.negateSort(v, negated)));
             }
             continue;
@@ -882,7 +930,7 @@ var BaseCrudDialect = class {
               throw new QueryError(`invalid orderBy value for field "${field}"`);
             }
             if ("_count" in value) {
-              invariant(value._count === "asc" || value._count === "desc", 'invalid orderBy value for field "_count"');
+              invariant2(value._count === "asc" || value._count === "desc", 'invalid orderBy value for field "_count"');
               const sort = this.negateSort(value._count, negated);
               result = result.orderBy((eb) => {
                 const subQueryAlias = `${modelAlias}$orderBy$${field}$count`;
@@ -954,7 +1002,7 @@ var BaseCrudDialect = class {
     }
   }
   buildDelegateJoin(thisModel, thisModelAlias, otherModelAlias, query) {
-    const idFields = getIdFields(this.schema, thisModel);
+    const idFields = requireIdFields(this.schema, thisModel);
     query = query.leftJoin(otherModelAlias, (qb) => {
       for (const idField of idFields) {
         qb = qb.onRef(`${thisModelAlias}.${idField}`, "=", `${otherModelAlias}.${idField}`);
@@ -976,10 +1024,16 @@ var BaseCrudDialect = class {
     for (const [field, value] of Object.entries(selections.select)) {
       const fieldDef = requireField(this.schema, model, field);
       const fieldModel = fieldDef.type;
-      const joinPairs = buildJoinPairs(this.schema, model, parentAlias, field, fieldModel);
-      let fieldCountQuery = eb.selectFrom(fieldModel).select(eb.fn.countAll().as(`_count$${field}`));
-      for (const [left, right] of joinPairs) {
-        fieldCountQuery = fieldCountQuery.whereRef(left, "=", right);
+      let fieldCountQuery;
+      const m2m = getManyToManyRelation(this.schema, model, field);
+      if (m2m) {
+        fieldCountQuery = eb.selectFrom(fieldModel).innerJoin(m2m.joinTable, (join) => join.onRef(`${m2m.joinTable}.${m2m.otherFkName}`, "=", `${fieldModel}.${m2m.otherPKName}`).onRef(`${m2m.joinTable}.${m2m.parentFkName}`, "=", `${parentAlias}.${m2m.parentPKName}`)).select(eb.fn.countAll().as(`_count$${field}`));
+      } else {
+        fieldCountQuery = eb.selectFrom(fieldModel).select(eb.fn.countAll().as(`_count$${field}`));
+        const joinPairs = buildJoinPairs(this.schema, model, parentAlias, field, fieldModel);
+        for (const [left, right] of joinPairs) {
+          fieldCountQuery = fieldCountQuery.whereRef(left, "=", right);
+        }
       }
       if (value && typeof value === "object" && "where" in value && value.where && typeof value.where === "object") {
         const filter = this.buildFilter(eb, fieldModel, fieldModel, value.where);
@@ -1059,6 +1113,9 @@ var PostgresCrudDialect = class extends BaseCrudDialect {
   static {
     __name(this, "PostgresCrudDialect");
   }
+  constructor(schema, options) {
+    super(schema, options);
+  }
   get provider() {
     return "postgresql";
   }
@@ -1073,8 +1130,40 @@ var PostgresCrudDialect = class extends BaseCrudDialect {
         return value.map((v) => this.transformPrimitive(v, type, false));
       }
     } else {
-      return match3(type).with("DateTime", () => value instanceof Date ? value : typeof value === "string" ? new Date(value) : value).with("Decimal", () => value !== null ? value.toString() : value).otherwise(() => value);
+      return match3(type).with("DateTime", () => value instanceof Date ? value.toISOString() : typeof value === "string" ? new Date(value).toISOString() : value).with("Decimal", () => value !== null ? value.toString() : value).otherwise(() => value);
+    }
+  }
+  transformOutput(value, type) {
+    if (value === null || value === void 0) {
+      return value;
     }
+    return match3(type).with("DateTime", () => this.transformOutputDate(value)).with("Bytes", () => this.transformOutputBytes(value)).with("BigInt", () => this.transformOutputBigInt(value)).with("Decimal", () => this.transformDecimal(value)).otherwise(() => super.transformOutput(value, type));
+  }
+  transformOutputBigInt(value) {
+    if (typeof value === "bigint") {
+      return value;
+    }
+    invariant3(typeof value === "string" || typeof value === "number", `Expected string or number, got ${typeof value}`);
+    return BigInt(value);
+  }
+  transformDecimal(value) {
+    if (value instanceof Decimal) {
+      return value;
+    }
+    invariant3(typeof value === "string" || typeof value === "number" || value instanceof Decimal, `Expected string, number or Decimal, got ${typeof value}`);
+    return new Decimal(value);
+  }
+  transformOutputDate(value) {
+    if (typeof value === "string") {
+      return new Date(value);
+    } else if (value instanceof Date && this.options.fixPostgresTimezone !== false) {
+      return new Date(value.getTime() - value.getTimezoneOffset() * 60 * 1e3);
+    } else {
+      return value;
+    }
+  }
+  transformOutputBytes(value) {
+    return Buffer.isBuffer(value) ? Uint8Array.from(value) : value;
   }
   buildRelationSelection(query, model, relationField, parentAlias, payload) {
     const relationResultName = `${parentAlias}$${relationField}`;
@@ -1106,10 +1195,10 @@ var PostgresCrudDialect = class extends BaseCrudDialect {
   buildRelationJoinFilter(query, model, relationField, relationModel, relationModelAlias, parentAlias) {
     const m2m = getManyToManyRelation(this.schema, model, relationField);
     if (m2m) {
-      const parentIds = getIdFields(this.schema, model);
-      const relationIds = getIdFields(this.schema, relationModel);
-      invariant2(parentIds.length === 1, "many-to-many relation must have exactly one id field");
-      invariant2(relationIds.length === 1, "many-to-many relation must have exactly one id field");
+      const parentIds = requireIdFields(this.schema, model);
+      const relationIds = requireIdFields(this.schema, relationModel);
+      invariant3(parentIds.length === 1, "many-to-many relation must have exactly one id field");
+      invariant3(relationIds.length === 1, "many-to-many relation must have exactly one id field");
       query = query.where((eb) => eb(eb.ref(`${relationModelAlias}.${relationIds[0]}`), "in", eb.selectFrom(m2m.joinTable).select(`${m2m.joinTable}.${m2m.otherFkName}`).whereRef(`${parentAlias}.${parentIds[0]}`, "=", `${m2m.joinTable}.${m2m.parentFkName}`)));
     } else {
       const joinPairs = buildJoinPairs(this.schema, model, parentAlias, relationField, relationModelAlias);
@@ -1221,10 +1310,32 @@ var PostgresCrudDialect = class extends BaseCrudDialect {
   get supportInsertWithDefault() {
     return true;
   }
+  getFieldSqlType(fieldDef) {
+    if (fieldDef.relation) {
+      throw new QueryError("Cannot get SQL type of a relation field");
+    }
+    let result;
+    if (this.schema.enums?.[fieldDef.type]) {
+      result = "text";
+    } else {
+      result = match3(fieldDef.type).with("String", () => "text").with("Boolean", () => "boolean").with("Int", () => "integer").with("BigInt", () => "bigint").with("Float", () => "double precision").with("Decimal", () => "decimal").with("DateTime", () => "timestamp").with("Bytes", () => "bytea").with("Json", () => "jsonb").otherwise(() => "text");
+    }
+    if (fieldDef.array) {
+      result += "[]";
+    }
+    return result;
+  }
+  getStringCasingBehavior() {
+    return {
+      supportsILike: true,
+      likeCaseSensitive: true
+    };
+  }
 };
 
 // src/client/crud/dialects/sqlite.ts
-import { invariant as invariant3 } from "@zenstackhq/common-helpers";
+import { invariant as invariant4 } from "@zenstackhq/common-helpers";
+import Decimal2 from "decimal.js";
 import { sql as sql3 } from "kysely";
 import { match as match4 } from "ts-pattern";
 var SqliteCrudDialect = class extends BaseCrudDialect {
@@ -1244,9 +1355,57 @@ var SqliteCrudDialect = class extends BaseCrudDialect {
       if (this.schema.typeDefs && type in this.schema.typeDefs) {
         return JSON.stringify(value);
       } else {
-        return match4(type).with("Boolean", () => value ? 1 : 0).with("DateTime", () => value instanceof Date ? value.toISOString() : value).with("Decimal", () => value.toString()).with("Bytes", () => Buffer.from(value)).with("Json", () => JSON.stringify(value)).otherwise(() => value);
+        return match4(type).with("Boolean", () => value ? 1 : 0).with("DateTime", () => value instanceof Date ? value.toISOString() : typeof value === "string" ? new Date(value).toISOString() : value).with("Decimal", () => value.toString()).with("Bytes", () => Buffer.from(value)).with("Json", () => JSON.stringify(value)).otherwise(() => value);
+      }
+    }
+  }
+  transformOutput(value, type) {
+    if (value === null || value === void 0) {
+      return value;
+    } else if (this.schema.typeDefs && type in this.schema.typeDefs) {
+      return this.transformOutputJson(value);
+    } else {
+      return match4(type).with("Boolean", () => this.transformOutputBoolean(value)).with("DateTime", () => this.transformOutputDate(value)).with("Bytes", () => this.transformOutputBytes(value)).with("Decimal", () => this.transformOutputDecimal(value)).with("BigInt", () => this.transformOutputBigInt(value)).with("Json", () => this.transformOutputJson(value)).otherwise(() => super.transformOutput(value, type));
+    }
+  }
+  transformOutputDecimal(value) {
+    if (value instanceof Decimal2) {
+      return value;
+    }
+    invariant4(typeof value === "string" || typeof value === "number" || value instanceof Decimal2, `Expected string, number or Decimal, got ${typeof value}`);
+    return new Decimal2(value);
+  }
+  transformOutputBigInt(value) {
+    if (typeof value === "bigint") {
+      return value;
+    }
+    invariant4(typeof value === "string" || typeof value === "number", `Expected string or number, got ${typeof value}`);
+    return BigInt(value);
+  }
+  transformOutputBoolean(value) {
+    return !!value;
+  }
+  transformOutputDate(value) {
+    if (typeof value === "number") {
+      return new Date(value);
+    } else if (typeof value === "string") {
+      return new Date(value);
+    } else {
+      return value;
+    }
+  }
+  transformOutputBytes(value) {
+    return Buffer.isBuffer(value) ? Uint8Array.from(value) : value;
+  }
+  transformOutputJson(value) {
+    if (typeof value === "string") {
+      try {
+        return JSON.parse(value);
+      } catch (e) {
+        throw new QueryError("Invalid JSON returned", e);
       }
     }
+    return value;
   }
   buildRelationSelection(query, model, relationField, parentAlias, payload) {
     return query.select((eb) => this.buildRelationJSON(model, eb, relationField, parentAlias, payload).as(relationField));
@@ -1329,10 +1488,10 @@ var SqliteCrudDialect = class extends BaseCrudDialect {
     const relationModel = fieldDef.type;
     const m2m = getManyToManyRelation(this.schema, model, relationField);
     if (m2m) {
-      const parentIds = getIdFields(this.schema, model);
-      const relationIds = getIdFields(this.schema, relationModel);
-      invariant3(parentIds.length === 1, "many-to-many relation must have exactly one id field");
-      invariant3(relationIds.length === 1, "many-to-many relation must have exactly one id field");
+      const parentIds = requireIdFields(this.schema, model);
+      const relationIds = requireIdFields(this.schema, relationModel);
+      invariant4(parentIds.length === 1, "many-to-many relation must have exactly one id field");
+      invariant4(relationIds.length === 1, "many-to-many relation must have exactly one id field");
       selectModelQuery = selectModelQuery.where((eb) => eb(eb.ref(`${relationModelAlias}.${relationIds[0]}`), "in", eb.selectFrom(m2m.joinTable).select(`${m2m.joinTable}.${m2m.otherFkName}`).whereRef(`${parentAlias}.${parentIds[0]}`, "=", `${m2m.joinTable}.${m2m.parentFkName}`)));
     } else {
       const { keyPairs, ownedByModel } = getRelationForeignKeyFieldPairs(this.schema, model, relationField);
@@ -1384,6 +1543,24 @@ var SqliteCrudDialect = class extends BaseCrudDialect {
   get supportInsertWithDefault() {
     return false;
   }
+  getFieldSqlType(fieldDef) {
+    if (fieldDef.relation) {
+      throw new QueryError("Cannot get SQL type of a relation field");
+    }
+    if (fieldDef.array) {
+      throw new QueryError("SQLite does not support scalar list type");
+    }
+    if (this.schema.enums?.[fieldDef.type]) {
+      return "text";
+    }
+    return match4(fieldDef.type).with("String", () => "text").with("Boolean", () => "integer").with("Int", () => "integer").with("BigInt", () => "integer").with("Float", () => "real").with("Decimal", () => "decimal").with("DateTime", () => "numeric").with("Bytes", () => "blob").with("Json", () => "jsonb").otherwise(() => "text");
+  }
+  getStringCasingBehavior() {
+    return {
+      supportsILike: false,
+      likeCaseSensitive: false
+    };
+  }
 };
 
 // src/client/crud/dialects/index.ts
@@ -1711,12 +1888,12 @@ var ColumnCollector = class extends DefaultOperationNodeVisitor {
 };
 
 // src/plugins/policy/expression-transformer.ts
-import { invariant as invariant5 } from "@zenstackhq/common-helpers";
-import { AliasNode as AliasNode2, BinaryOperationNode as BinaryOperationNode2, ColumnNode, expressionBuilder as expressionBuilder2, FromNode, FunctionNode as FunctionNode2, IdentifierNode, OperatorNode as OperatorNode2, ReferenceNode as ReferenceNode2, SelectionNode, SelectQueryNode, TableNode as TableNode2, ValueListNode, ValueNode as ValueNode2, WhereNode } from "kysely";
+import { invariant as invariant6 } from "@zenstackhq/common-helpers";
+import { AliasNode as AliasNode3, BinaryOperationNode as BinaryOperationNode2, ColumnNode as ColumnNode2, expressionBuilder as expressionBuilder2, FromNode, FunctionNode as FunctionNode2, IdentifierNode, OperatorNode as OperatorNode2, ReferenceNode as ReferenceNode3, SelectionNode, SelectQueryNode, TableNode as TableNode3, ValueListNode, ValueNode as ValueNode2, WhereNode } from "kysely";
 import { match as match7 } from "ts-pattern";
 
 // src/plugins/policy/expression-evaluator.ts
-import { invariant as invariant4 } from "@zenstackhq/common-helpers";
+import { invariant as invariant5 } from "@zenstackhq/common-helpers";
 import { match as match6 } from "ts-pattern";
 var ExpressionEvaluator = class {
   static {
@@ -1760,18 +1937,18 @@ var ExpressionEvaluator = class {
     const right = this.evaluate(expr2.right, context);
     return match6(expr2.op).with("==", () => left === right).with("!=", () => left !== right).with(">", () => left > right).with(">=", () => left >= right).with("<", () => left < right).with("<=", () => left <= right).with("&&", () => left && right).with("||", () => left || right).with("in", () => {
       const _right = right ?? [];
-      invariant4(Array.isArray(_right), 'expected array for "in" operator');
+      invariant5(Array.isArray(_right), 'expected array for "in" operator');
       return _right.includes(left);
     }).exhaustive();
   }
   evaluateCollectionPredicate(expr2, context) {
     const op = expr2.op;
-    invariant4(op === "?" || op === "!" || op === "^", 'expected "?" or "!" or "^" operator');
+    invariant5(op === "?" || op === "!" || op === "^", 'expected "?" or "!" or "^" operator');
     const left = this.evaluate(expr2.left, context);
     if (!left) {
       return false;
     }
-    invariant4(Array.isArray(left), "expected array");
+    invariant5(Array.isArray(left), "expected array");
     return match6(op).with("?", () => left.some((item) => this.evaluate(expr2.right, {
       ...context,
       thisValue: item
@@ -1786,7 +1963,7 @@ var ExpressionEvaluator = class {
 };
 
 // src/plugins/policy/utils.ts
-import { AliasNode, AndNode, BinaryOperationNode, FunctionNode, OperatorNode, OrNode, ParensNode, ReferenceNode, TableNode, UnaryOperationNode, ValueNode } from "kysely";
+import { AliasNode as AliasNode2, AndNode, BinaryOperationNode, FunctionNode, OperatorNode, OrNode, ParensNode, ReferenceNode as ReferenceNode2, TableNode as TableNode2, UnaryOperationNode, ValueNode } from "kysely";
 function trueNode(dialect) {
   return ValueNode.createImmediate(dialect.transformPrimitive(true, "Boolean", false));
 }
@@ -1872,11 +2049,11 @@ function getTableName(node) {
   if (!node) {
     return node;
   }
-  if (TableNode.is(node)) {
+  if (TableNode2.is(node)) {
     return node.table.identifier.name;
-  } else if (AliasNode.is(node)) {
+  } else if (AliasNode2.is(node)) {
     return getTableName(node.node);
-  } else if (ReferenceNode.is(node) && node.table) {
+  } else if (ReferenceNode2.is(node) && node.table) {
     return getTableName(node.table);
   }
   return void 0;
@@ -1909,16 +2086,21 @@ var ExpressionTransformer = class {
   static {
     __name(this, "ExpressionTransformer");
   }
-  schema;
-  clientOptions;
-  auth;
+  client;
   dialect;
-  constructor(schema, clientOptions, auth) {
-    this.schema = schema;
-    this.clientOptions = clientOptions;
-    this.auth = auth;
+  constructor(client) {
+    this.client = client;
     this.dialect = getCrudDialect(this.schema, this.clientOptions);
   }
+  get schema() {
+    return this.client.$schema;
+  }
+  get clientOptions() {
+    return this.client.$options;
+  }
+  get auth() {
+    return this.client.$auth;
+  }
   get authType() {
     if (!this.schema.authType) {
       throw new InternalError('Schema does not have an "authType" specified');
@@ -1988,8 +2170,9 @@ var ExpressionTransformer = class {
     if (op === "?" || op === "!" || op === "^") {
       return this.transformCollectionPredicate(expr2, context);
     }
-    const left = this.transform(expr2.left, context);
-    const right = this.transform(expr2.right, context);
+    const { normalizedLeft, normalizedRight } = this.normalizeBinaryOperationOperands(expr2, context);
+    const left = this.transform(normalizedLeft, context);
+    const right = this.transform(normalizedRight, context);
     if (op === "in") {
       if (this.isNullNode(left)) {
         return this.transformValue(false, "Boolean");
@@ -2004,29 +2187,65 @@ var ExpressionTransformer = class {
       }
     }
     if (this.isNullNode(right)) {
-      return expr2.op === "==" ? BinaryOperationNode2.create(left, OperatorNode2.create("is"), right) : BinaryOperationNode2.create(left, OperatorNode2.create("is not"), right);
+      return this.transformNullCheck(left, expr2.op);
     } else if (this.isNullNode(left)) {
-      return expr2.op === "==" ? BinaryOperationNode2.create(right, OperatorNode2.create("is"), ValueNode2.createImmediate(null)) : BinaryOperationNode2.create(right, OperatorNode2.create("is not"), ValueNode2.createImmediate(null));
+      return this.transformNullCheck(right, expr2.op);
+    } else {
+      return BinaryOperationNode2.create(left, this.transformOperator(op), right);
     }
-    return BinaryOperationNode2.create(left, this.transformOperator(op), right);
+  }
+  transformNullCheck(expr2, operator) {
+    invariant6(operator === "==" || operator === "!=", 'operator must be "==" or "!=" for null comparison');
+    if (ValueNode2.is(expr2)) {
+      if (expr2.value === null) {
+        return operator === "==" ? trueNode(this.dialect) : falseNode(this.dialect);
+      } else {
+        return operator === "==" ? falseNode(this.dialect) : trueNode(this.dialect);
+      }
+    } else {
+      return operator === "==" ? BinaryOperationNode2.create(expr2, OperatorNode2.create("is"), ValueNode2.createImmediate(null)) : BinaryOperationNode2.create(expr2, OperatorNode2.create("is not"), ValueNode2.createImmediate(null));
+    }
+  }
+  normalizeBinaryOperationOperands(expr2, context) {
+    let normalizedLeft = expr2.left;
+    if (this.isRelationField(expr2.left, context.model)) {
+      invariant6(ExpressionUtils.isNull(expr2.right), "only null comparison is supported for relation field");
+      const leftRelDef = this.getFieldDefFromFieldRef(expr2.left, context.model);
+      invariant6(leftRelDef, "failed to get relation field definition");
+      const idFields = requireIdFields(this.schema, leftRelDef.type);
+      normalizedLeft = this.makeOrAppendMember(normalizedLeft, idFields[0]);
+    }
+    let normalizedRight = expr2.right;
+    if (this.isRelationField(expr2.right, context.model)) {
+      invariant6(ExpressionUtils.isNull(expr2.left), "only null comparison is supported for relation field");
+      const rightRelDef = this.getFieldDefFromFieldRef(expr2.right, context.model);
+      invariant6(rightRelDef, "failed to get relation field definition");
+      const idFields = requireIdFields(this.schema, rightRelDef.type);
+      normalizedRight = this.makeOrAppendMember(normalizedRight, idFields[0]);
+    }
+    return {
+      normalizedLeft,
+      normalizedRight
+    };
   }
   transformCollectionPredicate(expr2, context) {
-    invariant5(expr2.op === "?" || expr2.op === "!" || expr2.op === "^", 'expected "?" or "!" or "^" operator');
+    invariant6(expr2.op === "?" || expr2.op === "!" || expr2.op === "^", 'expected "?" or "!" or "^" operator');
     if (this.isAuthCall(expr2.left) || this.isAuthMember(expr2.left)) {
       const value = new ExpressionEvaluator().evaluate(expr2, {
         auth: this.auth
       });
       return this.transformValue(value, "Boolean");
     }
-    invariant5(ExpressionUtils.isField(expr2.left) || ExpressionUtils.isMember(expr2.left), "left operand must be field or member access");
+    invariant6(ExpressionUtils.isField(expr2.left) || ExpressionUtils.isMember(expr2.left), "left operand must be field or member access");
     let newContextModel;
-    if (ExpressionUtils.isField(expr2.left)) {
-      const fieldDef = requireField(this.schema, context.model, expr2.left.field);
+    const fieldDef = this.getFieldDefFromFieldRef(expr2.left, context.model);
+    if (fieldDef) {
+      invariant6(fieldDef.relation, `field is not a relation: ${JSON.stringify(expr2.left)}`);
       newContextModel = fieldDef.type;
     } else {
-      invariant5(ExpressionUtils.isField(expr2.left.receiver));
-      const fieldDef = requireField(this.schema, context.model, expr2.left.receiver.field);
-      newContextModel = fieldDef.type;
+      invariant6(ExpressionUtils.isMember(expr2.left) && ExpressionUtils.isField(expr2.left.receiver), "left operand must be member access with field receiver");
+      const fieldDef2 = requireField(this.schema, context.model, expr2.left.receiver.field);
+      newContextModel = fieldDef2.type;
       for (const member of expr2.left.members) {
         const memberDef = requireField(this.schema, newContextModel, member);
         newContextModel = memberDef.type;
@@ -2046,7 +2265,7 @@ var ExpressionTransformer = class {
     const predicateResult = match7(expr2.op).with("?", () => BinaryOperationNode2.create(count, OperatorNode2.create(">"), ValueNode2.createImmediate(0))).with("!", () => BinaryOperationNode2.create(count, OperatorNode2.create("="), ValueNode2.createImmediate(0))).with("^", () => BinaryOperationNode2.create(count, OperatorNode2.create("="), ValueNode2.createImmediate(0))).exhaustive();
     return this.transform(expr2.left, {
       ...context,
-      memberSelect: SelectionNode.create(AliasNode2.create(predicateResult, IdentifierNode.create("$t"))),
+      memberSelect: SelectionNode.create(AliasNode3.create(predicateResult, IdentifierNode.create("$t"))),
       memberFilter: predicateFilter
     });
   }
@@ -2071,12 +2290,10 @@ var ExpressionTransformer = class {
         throw new QueryError(`Unsupported use of \`auth()\` in policy of model "${context.model}", comparing with \`auth()\` is only possible when auth type is a model`);
       }
       const idFields = Object.values(authModel.fields).filter((f) => f.id).map((f) => f.name);
-      invariant5(idFields.length > 0, "auth type model must have at least one id field");
+      invariant6(idFields.length > 0, "auth type model must have at least one id field");
       const conditions = idFields.map((fieldName) => ExpressionUtils.binary(ExpressionUtils.member(authExpr, [
         fieldName
-      ]), "==", ExpressionUtils.member(other, [
-        fieldName
-      ])));
+      ]), "==", this.makeOrAppendMember(other, fieldName)));
       let result = this.buildAnd(conditions);
       if (expr2.op === "!=") {
         result = this.buildLogicalNot(result);
@@ -2084,11 +2301,29 @@ var ExpressionTransformer = class {
       return this.transform(result, context);
     }
   }
+  makeOrAppendMember(other, fieldName) {
+    if (ExpressionUtils.isMember(other)) {
+      return ExpressionUtils.member(other.receiver, [
+        ...other.members,
+        fieldName
+      ]);
+    } else {
+      return ExpressionUtils.member(other, [
+        fieldName
+      ]);
+    }
+  }
   transformValue(value, type) {
-    return ValueNode2.create(this.dialect.transformPrimitive(value, type, false) ?? null);
+    if (value === true) {
+      return trueNode(this.dialect);
+    } else if (value === false) {
+      return falseNode(this.dialect);
+    } else {
+      return ValueNode2.create(this.dialect.transformPrimitive(value, type, false) ?? null);
+    }
   }
   _unary(expr2, context) {
-    invariant5(expr2.op === "!", 'only "!" operator is supported');
+    invariant6(expr2.op === "!", 'only "!" operator is supported');
     return logicalNot(this.dialect, this.transform(expr2.operand, context));
   }
   transformOperator(op) {
@@ -2100,17 +2335,31 @@ var ExpressionTransformer = class {
     return result.toOperationNode();
   }
   transformCall(expr2, context) {
-    const func = this.clientOptions.functions?.[expr2.function];
+    const func = this.getFunctionImpl(expr2.function);
     if (!func) {
       throw new QueryError(`Function not implemented: ${expr2.function}`);
     }
     const eb = expressionBuilder2();
     return func(eb, (expr2.args ?? []).map((arg) => this.transformCallArg(eb, arg, context)), {
+      client: this.client,
       dialect: this.dialect,
       model: context.model,
+      modelAlias: context.alias ?? context.model,
       operation: context.operation
     });
   }
+  getFunctionImpl(functionName) {
+    let func = this.clientOptions.functions?.[functionName];
+    if (!func) {
+      for (const plugin of this.clientOptions.plugins ?? []) {
+        if (plugin.functions?.[functionName]) {
+          func = plugin.functions[functionName];
+          break;
+        }
+      }
+    }
+    return func;
+  }
   transformCallArg(eb, arg, context) {
     if (ExpressionUtils.isLiteral(arg)) {
       return eb.val(arg.value);
@@ -2131,23 +2380,22 @@ var ExpressionTransformer = class {
     if (this.isAuthCall(expr2.receiver)) {
       return this.valueMemberAccess(this.auth, expr2, this.authType);
     }
-    invariant5(ExpressionUtils.isField(expr2.receiver) || ExpressionUtils.isThis(expr2.receiver), 'expect receiver to be field expression or "this"');
+    invariant6(ExpressionUtils.isField(expr2.receiver) || ExpressionUtils.isThis(expr2.receiver), 'expect receiver to be field expression or "this"');
     let members = expr2.members;
     let receiver;
     const { memberFilter, memberSelect, ...restContext } = context;
     if (ExpressionUtils.isThis(expr2.receiver)) {
       if (expr2.members.length === 1) {
-        const fieldDef = requireField(this.schema, context.model, expr2.members[0]);
-        invariant5(!fieldDef.relation, "this.relation access should have been transformed into relation access");
-        return this.createColumnRef(expr2.members[0], restContext);
+        return this._field(ExpressionUtils.field(expr2.members[0]), context);
+      } else {
+        const firstMemberFieldDef = requireField(this.schema, context.model, expr2.members[0]);
+        receiver = this.transformRelationAccess(expr2.members[0], firstMemberFieldDef.type, restContext);
+        members = expr2.members.slice(1);
       }
-      const firstMemberFieldDef = requireField(this.schema, context.model, expr2.members[0]);
-      receiver = this.transformRelationAccess(expr2.members[0], firstMemberFieldDef.type, restContext);
-      members = expr2.members.slice(1);
     } else {
       receiver = this.transform(expr2.receiver, restContext);
     }
-    invariant5(SelectQueryNode.is(receiver), "expected receiver to be select query");
+    invariant6(SelectQueryNode.is(receiver), "expected receiver to be select query");
     let startType;
     if (ExpressionUtils.isField(expr2.receiver)) {
       const receiverField = requireField(this.schema, context.model, expr2.receiver.field);
@@ -2176,11 +2424,11 @@ var ExpressionTransformer = class {
           alias: void 0
         });
         if (currNode) {
-          invariant5(SelectQueryNode.is(currNode), "expected select query node");
+          invariant6(SelectQueryNode.is(currNode), "expected select query node");
           currNode = {
             ...relation,
             selections: [
-              SelectionNode.create(AliasNode2.create(currNode, IdentifierNode.create(members[i + 1])))
+              SelectionNode.create(AliasNode3.create(currNode, IdentifierNode.create(members[i + 1])))
             ]
           };
         } else {
@@ -2193,15 +2441,15 @@ var ExpressionTransformer = class {
           };
         }
       } else {
-        invariant5(i === members.length - 1, "plain field access must be the last segment");
-        invariant5(!currNode, "plain field access must be the last segment");
-        currNode = ColumnNode.create(member);
+        invariant6(i === members.length - 1, "plain field access must be the last segment");
+        invariant6(!currNode, "plain field access must be the last segment");
+        currNode = ColumnNode2.create(member);
       }
     }
     return {
       ...receiver,
       selections: [
-        SelectionNode.create(AliasNode2.create(currNode, IdentifierNode.create("$t")))
+        SelectionNode.create(AliasNode3.create(currNode, IdentifierNode.create("$t")))
       ]
     };
   }
@@ -2218,24 +2466,33 @@ var ExpressionTransformer = class {
     return this.transformValue(fieldValue, fieldDef.type);
   }
   transformRelationAccess(field, relationModel, context) {
+    const m2m = getManyToManyRelation(this.schema, context.model, field);
+    if (m2m) {
+      return this.transformManyToManyRelationAccess(m2m, context);
+    }
     const fromModel = context.model;
     const { keyPairs, ownedByModel } = getRelationForeignKeyFieldPairs(this.schema, fromModel, field);
     let condition;
     if (ownedByModel) {
-      condition = conjunction(this.dialect, keyPairs.map(({ fk, pk }) => BinaryOperationNode2.create(ReferenceNode2.create(ColumnNode.create(fk), TableNode2.create(context.alias ?? fromModel)), OperatorNode2.create("="), ReferenceNode2.create(ColumnNode.create(pk), TableNode2.create(relationModel)))));
+      condition = conjunction(this.dialect, keyPairs.map(({ fk, pk }) => BinaryOperationNode2.create(ReferenceNode3.create(ColumnNode2.create(fk), TableNode3.create(context.alias ?? fromModel)), OperatorNode2.create("="), ReferenceNode3.create(ColumnNode2.create(pk), TableNode3.create(relationModel)))));
     } else {
-      condition = conjunction(this.dialect, keyPairs.map(({ fk, pk }) => BinaryOperationNode2.create(ReferenceNode2.create(ColumnNode.create(pk), TableNode2.create(context.alias ?? fromModel)), OperatorNode2.create("="), ReferenceNode2.create(ColumnNode.create(fk), TableNode2.create(relationModel)))));
+      condition = conjunction(this.dialect, keyPairs.map(({ fk, pk }) => BinaryOperationNode2.create(ReferenceNode3.create(ColumnNode2.create(pk), TableNode3.create(context.alias ?? fromModel)), OperatorNode2.create("="), ReferenceNode3.create(ColumnNode2.create(fk), TableNode3.create(relationModel)))));
     }
     return {
       kind: "SelectQueryNode",
       from: FromNode.create([
-        TableNode2.create(relationModel)
+        TableNode3.create(relationModel)
       ]),
       where: WhereNode.create(condition)
     };
   }
+  transformManyToManyRelationAccess(m2m, context) {
+    const eb = expressionBuilder2();
+    const relationQuery = eb.selectFrom(m2m.otherModel).innerJoin(m2m.joinTable, (join) => join.onRef(`${m2m.otherModel}.${m2m.otherPKName}`, "=", `${m2m.joinTable}.${m2m.otherFkName}`).onRef(`${m2m.joinTable}.${m2m.parentFkName}`, "=", `${context.alias ?? context.model}.${m2m.parentPKName}`));
+    return relationQuery.toOperationNode();
+  }
   createColumnRef(column, context) {
-    return ReferenceNode2.create(ColumnNode.create(column), TableNode2.create(context.alias ?? context.model));
+    return ReferenceNode3.create(ColumnNode2.create(column), TableNode3.create(context.alias ?? context.model));
   }
   isAuthCall(value) {
     return ExpressionUtils.isCall(value) && value.function === "auth";
@@ -2258,6 +2515,19 @@ var ExpressionTransformer = class {
       return conditions.reduce((acc, condition) => ExpressionUtils.binary(acc, "&&", condition));
     }
   }
+  isRelationField(expr2, model) {
+    const fieldDef = this.getFieldDefFromFieldRef(expr2, model);
+    return !!fieldDef?.relation;
+  }
+  getFieldDefFromFieldRef(expr2, model) {
+    if (ExpressionUtils.isField(expr2)) {
+      return requireField(this.schema, model, expr2.field);
+    } else if (ExpressionUtils.isMember(expr2) && expr2.members.length === 1 && ExpressionUtils.isThis(expr2.receiver)) {
+      return requireField(this.schema, model, expr2.members[0]);
+    } else {
+      return void 0;
+    }
+  }
 };
 _ts_decorate([
   expr("literal"),
@@ -2344,86 +2614,249 @@ var PolicyHandler = class extends OperationNodeTransformer {
   }
   async handle(node, proceed) {
     if (!this.isCrudQueryNode(node)) {
-      throw new RejectedByPolicyError(void 0, "non-CRUD queries are not allowed");
+      throw new RejectedByPolicyError(void 0, RejectedByPolicyReason.OTHER, "non-CRUD queries are not allowed");
     }
     if (!this.isMutationQueryNode(node)) {
       return proceed(this.transformNode(node));
     }
-    let mutationRequiresTransaction = false;
-    const mutationModel = this.getMutationModel(node);
+    const { mutationModel } = this.getMutationModel(node);
     if (InsertQueryNode.is(node)) {
-      const constCondition = this.tryGetConstantPolicy(mutationModel, "create");
-      if (constCondition === false) {
-        throw new RejectedByPolicyError(mutationModel);
-      } else if (constCondition === void 0) {
-        mutationRequiresTransaction = true;
+      const isManyToManyJoinTable = this.isManyToManyJoinTable(mutationModel);
+      let needCheckPreCreate = true;
+      if (!isManyToManyJoinTable) {
+        const constCondition = this.tryGetConstantPolicy(mutationModel, "create");
+        if (constCondition === true) {
+          needCheckPreCreate = false;
+        } else if (constCondition === false) {
+          throw new RejectedByPolicyError(mutationModel);
+        }
+      }
+      if (needCheckPreCreate) {
+        await this.enforcePreCreatePolicy(node, mutationModel, isManyToManyJoinTable, proceed);
       }
     }
-    if (!mutationRequiresTransaction && !node.returning) {
-      return proceed(this.transformNode(node));
-    }
-    if (InsertQueryNode.is(node)) {
-      await this.enforcePreCreatePolicy(node, proceed);
-    }
-    const transformedNode = this.transformNode(node);
-    const result = await proceed(transformedNode);
-    if (!this.onlyReturningId(node)) {
+    const result = await proceed(this.transformNode(node));
+    if (!node.returning || this.onlyReturningId(node)) {
+      return result;
+    } else {
       const readBackResult = await this.processReadBack(node, result, proceed);
       if (readBackResult.rows.length !== result.rows.length) {
-        throw new RejectedByPolicyError(mutationModel, "result is not allowed to be read back");
+        throw new RejectedByPolicyError(mutationModel, RejectedByPolicyReason.CANNOT_READ_BACK, "result is not allowed to be read back");
       }
       return readBackResult;
-    } else {
+    }
+  }
+  // #region overrides
+  transformSelectQuery(node) {
+    let whereNode = this.transformNode(node.where);
+    const policyFilter = this.createPolicyFilterForFrom(node.from);
+    if (policyFilter) {
+      whereNode = WhereNode2.create(whereNode?.where ? conjunction(this.dialect, [
+        whereNode.where,
+        policyFilter
+      ]) : policyFilter);
+    }
+    const baseResult = super.transformSelectQuery({
+      ...node,
+      where: void 0
+    });
+    return {
+      ...baseResult,
+      where: whereNode
+    };
+  }
+  transformJoin(node) {
+    const table = this.extractTableName(node.table);
+    if (!table) {
+      return super.transformJoin(node);
+    }
+    const filter = this.buildPolicyFilter(table.model, table.alias, "read");
+    const nestedSelect = {
+      kind: "SelectQueryNode",
+      from: FromNode2.create([
+        node.table
+      ]),
+      selections: [
+        SelectionNode2.createSelectAll()
+      ],
+      where: WhereNode2.create(filter)
+    };
+    return {
+      ...node,
+      table: AliasNode4.create(ParensNode2.create(nestedSelect), IdentifierNode2.create(table.alias ?? table.model))
+    };
+  }
+  transformInsertQuery(node) {
+    let onConflict = node.onConflict;
+    if (onConflict?.updates) {
+      const { mutationModel, alias } = this.getMutationModel(node);
+      const filter = this.buildPolicyFilter(mutationModel, alias, "update");
+      if (onConflict.updateWhere) {
+        onConflict = {
+          ...onConflict,
+          updateWhere: WhereNode2.create(conjunction(this.dialect, [
+            onConflict.updateWhere.where,
+            filter
+          ]))
+        };
+      } else {
+        onConflict = {
+          ...onConflict,
+          updateWhere: WhereNode2.create(filter)
+        };
+      }
+    }
+    const processedNode = onConflict ? {
+      ...node,
+      onConflict
+    } : node;
+    const result = super.transformInsertQuery(processedNode);
+    if (!node.returning) {
+      return result;
+    }
+    if (this.onlyReturningId(node)) {
       return result;
+    } else {
+      const { mutationModel } = this.getMutationModel(node);
+      const idFields = requireIdFields(this.client.$schema, mutationModel);
+      return {
+        ...result,
+        returning: ReturningNode.create(idFields.map((field) => SelectionNode2.create(ColumnNode3.create(field))))
+      };
+    }
+  }
+  transformUpdateQuery(node) {
+    const result = super.transformUpdateQuery(node);
+    const { mutationModel, alias } = this.getMutationModel(node);
+    let filter = this.buildPolicyFilter(mutationModel, alias, "update");
+    if (node.from) {
+      const joinFilter = this.createPolicyFilterForFrom(node.from);
+      if (joinFilter) {
+        filter = conjunction(this.dialect, [
+          filter,
+          joinFilter
+        ]);
+      }
+    }
+    return {
+      ...result,
+      where: WhereNode2.create(result.where ? conjunction(this.dialect, [
+        result.where.where,
+        filter
+      ]) : filter)
+    };
+  }
+  transformDeleteQuery(node) {
+    const result = super.transformDeleteQuery(node);
+    const { mutationModel, alias } = this.getMutationModel(node);
+    let filter = this.buildPolicyFilter(mutationModel, alias, "delete");
+    if (node.using) {
+      const joinFilter = this.createPolicyFilterForTables(node.using.tables);
+      if (joinFilter) {
+        filter = conjunction(this.dialect, [
+          filter,
+          joinFilter
+        ]);
+      }
     }
+    return {
+      ...result,
+      where: WhereNode2.create(result.where ? conjunction(this.dialect, [
+        result.where.where,
+        filter
+      ]) : filter)
+    };
   }
+  // #endregion
+  // #region helpers
   onlyReturningId(node) {
     if (!node.returning) {
       return true;
     }
-    const idFields = getIdFields(this.client.$schema, this.getMutationModel(node));
+    const { mutationModel } = this.getMutationModel(node);
+    const idFields = requireIdFields(this.client.$schema, mutationModel);
     const collector = new ColumnCollector();
     const selectedColumns = collector.collect(node.returning);
     return selectedColumns.every((c) => idFields.includes(c));
   }
-  async enforcePreCreatePolicy(node, proceed) {
-    const model = this.getMutationModel(node);
+  async enforcePreCreatePolicy(node, mutationModel, isManyToManyJoinTable, proceed) {
     const fields = node.columns?.map((c) => c.column.name) ?? [];
-    const valueRows = node.values ? this.unwrapCreateValueRows(node.values, model, fields) : [
+    const valueRows = node.values ? this.unwrapCreateValueRows(node.values, mutationModel, fields, isManyToManyJoinTable) : [
       []
     ];
     for (const values of valueRows) {
-      await this.enforcePreCreatePolicyForOne(model, fields, values.map((v) => v.node), proceed);
+      if (isManyToManyJoinTable) {
+        await this.enforcePreCreatePolicyForManyToManyJoinTable(mutationModel, fields, values.map((v) => v.node), proceed);
+      } else {
+        await this.enforcePreCreatePolicyForOne(mutationModel, fields, values.map((v) => v.node), proceed);
+      }
+    }
+  }
+  async enforcePreCreatePolicyForManyToManyJoinTable(tableName, fields, values, proceed) {
+    const m2m = this.resolveManyToManyJoinTable(tableName);
+    invariant7(m2m);
+    invariant7(fields.includes("A") && fields.includes("B"), "many-to-many join table must have A and B fk fields");
+    const aIndex = fields.indexOf("A");
+    const aNode = values[aIndex];
+    const bIndex = fields.indexOf("B");
+    const bNode = values[bIndex];
+    invariant7(ValueNode3.is(aNode) && ValueNode3.is(bNode), "A and B values must be ValueNode");
+    const aValue = aNode.value;
+    const bValue = bNode.value;
+    invariant7(aValue !== null && aValue !== void 0, "A value cannot be null or undefined");
+    invariant7(bValue !== null && bValue !== void 0, "B value cannot be null or undefined");
+    const eb = expressionBuilder3();
+    const filterA = this.buildPolicyFilter(m2m.firstModel, void 0, "update");
+    const queryA = eb.selectFrom(m2m.firstModel).where(eb(eb.ref(`${m2m.firstModel}.${m2m.firstIdField}`), "=", aValue)).select(() => new ExpressionWrapper(filterA).as("$t"));
+    const filterB = this.buildPolicyFilter(m2m.secondModel, void 0, "update");
+    const queryB = eb.selectFrom(m2m.secondModel).where(eb(eb.ref(`${m2m.secondModel}.${m2m.secondIdField}`), "=", bValue)).select(() => new ExpressionWrapper(filterB).as("$t"));
+    const queryNode = {
+      kind: "SelectQueryNode",
+      selections: [
+        SelectionNode2.create(AliasNode4.create(queryA.toOperationNode(), IdentifierNode2.create("$conditionA"))),
+        SelectionNode2.create(AliasNode4.create(queryB.toOperationNode(), IdentifierNode2.create("$conditionB")))
+      ]
+    };
+    const result = await proceed(queryNode);
+    if (!result.rows[0]?.$conditionA) {
+      throw new RejectedByPolicyError(m2m.firstModel, RejectedByPolicyReason.CANNOT_READ_BACK, `many-to-many relation participant model "${m2m.firstModel}" not updatable`);
+    }
+    if (!result.rows[0]?.$conditionB) {
+      throw new RejectedByPolicyError(m2m.secondModel, RejectedByPolicyReason.NO_ACCESS, `many-to-many relation participant model "${m2m.secondModel}" not updatable`);
     }
   }
   async enforcePreCreatePolicyForOne(model, fields, values, proceed) {
-    const allFields = Object.keys(requireModel(this.client.$schema, model).fields);
+    const allFields = Object.entries(requireModel(this.client.$schema, model).fields).filter(([, def]) => !def.relation);
     const allValues = [];
-    for (const fieldName of allFields) {
-      const index = fields.indexOf(fieldName);
+    for (const [name, _def] of allFields) {
+      const index = fields.indexOf(name);
       if (index >= 0) {
         allValues.push(values[index]);
       } else {
         allValues.push(ValueNode3.createImmediate(null));
       }
     }
+    const eb = expressionBuilder3();
     const constTable = {
       kind: "SelectQueryNode",
       from: FromNode2.create([
-        AliasNode3.create(ParensNode2.create(ValuesNode.create([
+        AliasNode4.create(ParensNode2.create(ValuesNode.create([
           ValueListNode2.create(allValues)
         ])), IdentifierNode2.create("$t"))
       ]),
-      selections: allFields.map((field, index) => SelectionNode2.create(AliasNode3.create(ColumnNode2.create(`column${index + 1}`), IdentifierNode2.create(field))))
+      selections: allFields.map(([name, def], index) => {
+        const castedColumnRef = sql4`CAST(${eb.ref(`column${index + 1}`)} as ${sql4.raw(this.dialect.getFieldSqlType(def))})`.as(name);
+        return SelectionNode2.create(castedColumnRef.toOperationNode());
+      })
     };
     const filter = this.buildPolicyFilter(model, void 0, "create");
     const preCreateCheck = {
       kind: "SelectQueryNode",
       from: FromNode2.create([
-        AliasNode3.create(constTable, IdentifierNode2.create(model))
+        AliasNode4.create(constTable, IdentifierNode2.create(model))
       ]),
       selections: [
-        SelectionNode2.create(AliasNode3.create(BinaryOperationNode3.create(FunctionNode3.create("COUNT", [
+        SelectionNode2.create(AliasNode4.create(BinaryOperationNode3.create(FunctionNode3.create("COUNT", [
           ValueNode3.createImmediate(1)
         ]), OperatorNode3.create(">"), ValueNode3.createImmediate(0)), IdentifierNode2.create("$condition")))
       ],
@@ -2434,31 +2867,35 @@ var PolicyHandler = class extends OperationNodeTransformer {
       throw new RejectedByPolicyError(model);
     }
   }
-  unwrapCreateValueRows(node, model, fields) {
+  unwrapCreateValueRows(node, model, fields, isManyToManyJoinTable) {
     if (ValuesNode.is(node)) {
-      return node.values.map((v) => this.unwrapCreateValueRow(v.values, model, fields));
+      return node.values.map((v) => this.unwrapCreateValueRow(v.values, model, fields, isManyToManyJoinTable));
     } else if (PrimitiveValueListNode.is(node)) {
       return [
-        this.unwrapCreateValueRow(node.values, model, fields)
+        this.unwrapCreateValueRow(node.values, model, fields, isManyToManyJoinTable)
       ];
     } else {
       throw new InternalError(`Unexpected node kind: ${node.kind} for unwrapping create values`);
     }
   }
-  unwrapCreateValueRow(data, model, fields) {
-    invariant6(data.length === fields.length, "data length must match fields length");
+  unwrapCreateValueRow(data, model, fields, isImplicitManyToManyJoinTable) {
+    invariant7(data.length === fields.length, "data length must match fields length");
     const result = [];
     for (let i = 0; i < data.length; i++) {
       const item = data[i];
-      const fieldDef = requireField(this.client.$schema, model, fields[i]);
       if (typeof item === "object" && item && "kind" in item) {
-        invariant6(item.kind === "ValueNode", "expecting a ValueNode");
+        const fieldDef = requireField(this.client.$schema, model, fields[i]);
+        invariant7(item.kind === "ValueNode", "expecting a ValueNode");
         result.push({
           node: ValueNode3.create(this.dialect.transformPrimitive(item.value, fieldDef.type, !!fieldDef.array)),
           raw: item.value
         });
       } else {
-        const value = this.dialect.transformPrimitive(item, fieldDef.type, !!fieldDef.array);
+        let value = item;
+        if (!isImplicitManyToManyJoinTable) {
+          const fieldDef = requireField(this.client.$schema, model, fields[i]);
+          value = this.dialect.transformPrimitive(item, fieldDef.type, !!fieldDef.array);
+        }
         if (Array.isArray(value)) {
           result.push({
             node: RawNode.createWithSql(this.dialect.buildArrayLiteralSQL(value)),
@@ -2502,16 +2939,13 @@ var PolicyHandler = class extends OperationNodeTransformer {
     if (!this.isMutationQueryNode(node) || !node.returning) {
       return result;
     }
-    const table = this.getMutationModel(node);
-    if (!table) {
-      throw new InternalError(`Unable to get table name for query node: ${node}`);
-    }
-    const idConditions = this.buildIdConditions(table, result.rows);
-    const policyFilter = this.buildPolicyFilter(table, void 0, "read");
+    const { mutationModel } = this.getMutationModel(node);
+    const idConditions = this.buildIdConditions(mutationModel, result.rows);
+    const policyFilter = this.buildPolicyFilter(mutationModel, void 0, "read");
     const select = {
       kind: "SelectQueryNode",
       from: FromNode2.create([
-        TableNode3.create(table)
+        TableNode4.create(mutationModel)
       ]),
       where: WhereNode2.create(conjunction(this.dialect, [
         idConditions,
@@ -2523,15 +2957,31 @@ var PolicyHandler = class extends OperationNodeTransformer {
     return selectResult;
   }
   buildIdConditions(table, rows) {
-    const idFields = getIdFields(this.client.$schema, table);
-    return disjunction(this.dialect, rows.map((row) => conjunction(this.dialect, idFields.map((field) => BinaryOperationNode3.create(ColumnNode2.create(field), OperatorNode3.create("="), ValueNode3.create(row[field]))))));
+    const idFields = requireIdFields(this.client.$schema, table);
+    return disjunction(this.dialect, rows.map((row) => conjunction(this.dialect, idFields.map((field) => BinaryOperationNode3.create(ColumnNode3.create(field), OperatorNode3.create("="), ValueNode3.create(row[field]))))));
   }
   getMutationModel(node) {
-    const r = match8(node).when(InsertQueryNode.is, (node2) => getTableName(node2.into)).when(UpdateQueryNode.is, (node2) => getTableName(node2.table)).when(DeleteQueryNode.is, (node2) => {
+    const r = match8(node).when(InsertQueryNode.is, (node2) => ({
+      mutationModel: getTableName(node2.into),
+      alias: void 0
+    })).when(UpdateQueryNode.is, (node2) => {
+      if (!node2.table) {
+        throw new QueryError("Update query must have a table");
+      }
+      const r2 = this.extractTableName(node2.table);
+      return r2 ? {
+        mutationModel: r2.model,
+        alias: r2.alias
+      } : void 0;
+    }).when(DeleteQueryNode.is, (node2) => {
       if (node2.from.froms.length !== 1) {
-        throw new InternalError("Only one from table is supported for delete");
+        throw new QueryError("Only one from table is supported for delete");
       }
-      return getTableName(node2.from.froms[0]);
+      const r2 = this.extractTableName(node2.from.froms[0]);
+      return r2 ? {
+        mutationModel: r2.model,
+        alias: r2.alias
+      } : void 0;
     }).exhaustive();
     if (!r) {
       throw new InternalError(`Unable to get table name for query node: ${node}`);
@@ -2545,12 +2995,16 @@ var PolicyHandler = class extends OperationNodeTransformer {
     return InsertQueryNode.is(node) || UpdateQueryNode.is(node) || DeleteQueryNode.is(node);
   }
   buildPolicyFilter(model, alias, operation) {
+    const m2mFilter = this.getModelPolicyFilterForManyToManyJoinTable(model, alias, operation);
+    if (m2mFilter) {
+      return m2mFilter;
+    }
     const policies = this.getModelPolicies(model, operation);
     if (policies.length === 0) {
       return falseNode(this.dialect);
     }
-    const allows = policies.filter((policy) => policy.kind === "allow").map((policy) => this.transformPolicyCondition(model, alias, operation, policy));
-    const denies = policies.filter((policy) => policy.kind === "deny").map((policy) => this.transformPolicyCondition(model, alias, operation, policy));
+    const allows = policies.filter((policy) => policy.kind === "allow").map((policy) => this.compilePolicyCondition(model, alias, operation, policy));
+    const denies = policies.filter((policy) => policy.kind === "deny").map((policy) => this.compilePolicyCondition(model, alias, operation, policy));
     let combinedPolicy;
     if (allows.length === 0) {
       combinedPolicy = falseNode(this.dialect);
@@ -2566,100 +3020,59 @@ var PolicyHandler = class extends OperationNodeTransformer {
     }
     return combinedPolicy;
   }
-  transformSelectQuery(node) {
-    let whereNode = node.where;
-    node.from?.froms.forEach((from) => {
-      const extractResult = this.extractTableName(from);
-      if (extractResult) {
-        const { model, alias } = extractResult;
-        const filter = this.buildPolicyFilter(model, alias, "read");
-        whereNode = WhereNode2.create(whereNode?.where ? conjunction(this.dialect, [
-          whereNode.where,
-          filter
-        ]) : filter);
-      }
-    });
-    const baseResult = super.transformSelectQuery({
-      ...node,
-      where: void 0
-    });
-    return {
-      ...baseResult,
-      where: whereNode
-    };
-  }
-  transformInsertQuery(node) {
-    const result = super.transformInsertQuery(node);
-    if (!node.returning) {
-      return result;
-    }
-    if (this.onlyReturningId(node)) {
-      return result;
-    } else {
-      const idFields = getIdFields(this.client.$schema, this.getMutationModel(node));
+  extractTableName(node) {
+    if (TableNode4.is(node)) {
       return {
-        ...result,
-        returning: ReturningNode.create(idFields.map((field) => SelectionNode2.create(ColumnNode2.create(field))))
+        model: node.table.identifier.name
       };
     }
-  }
-  transformUpdateQuery(node) {
-    const result = super.transformUpdateQuery(node);
-    const mutationModel = this.getMutationModel(node);
-    const filter = this.buildPolicyFilter(mutationModel, void 0, "update");
-    return {
-      ...result,
-      where: WhereNode2.create(result.where ? conjunction(this.dialect, [
-        result.where.where,
-        filter
-      ]) : filter)
-    };
-  }
-  transformDeleteQuery(node) {
-    const result = super.transformDeleteQuery(node);
-    const mutationModel = this.getMutationModel(node);
-    const filter = this.buildPolicyFilter(mutationModel, void 0, "delete");
-    return {
-      ...result,
-      where: WhereNode2.create(result.where ? conjunction(this.dialect, [
-        result.where.where,
-        filter
-      ]) : filter)
-    };
-  }
-  extractTableName(from) {
-    if (TableNode3.is(from)) {
-      return {
-        model: from.table.identifier.name
-      };
-    }
-    if (AliasNode3.is(from)) {
-      const inner = this.extractTableName(from.node);
+    if (AliasNode4.is(node)) {
+      const inner = this.extractTableName(node.node);
       if (!inner) {
         return void 0;
       }
       return {
         model: inner.model,
-        alias: IdentifierNode2.is(from.alias) ? from.alias.name : void 0
+        alias: IdentifierNode2.is(node.alias) ? node.alias.name : void 0
       };
     } else {
       return void 0;
     }
   }
-  transformPolicyCondition(model, alias, operation, policy) {
-    return new ExpressionTransformer(this.client.$schema, this.client.$options, this.client.$auth).transform(policy.condition, {
+  createPolicyFilterForFrom(node) {
+    if (!node) {
+      return void 0;
+    }
+    return this.createPolicyFilterForTables(node.froms);
+  }
+  createPolicyFilterForTables(tables) {
+    return tables.reduce((acc, table) => {
+      const extractResult = this.extractTableName(table);
+      if (extractResult) {
+        const { model, alias } = extractResult;
+        const filter = this.buildPolicyFilter(model, alias, "read");
+        return acc ? conjunction(this.dialect, [
+          acc,
+          filter
+        ]) : filter;
+      }
+      return acc;
+    }, void 0);
+  }
+  compilePolicyCondition(model, alias, operation, policy) {
+    return new ExpressionTransformer(this.client).transform(policy.condition, {
       model,
       alias,
       operation,
       auth: this.client.$auth
     });
   }
-  getModelPolicies(modelName, operation) {
-    const modelDef = requireModel(this.client.$schema, modelName);
+  getModelPolicies(model, operation) {
+    const modelDef = requireModel(this.client.$schema, model);
     const result = [];
     const extractOperations = /* @__PURE__ */ __name((expr2) => {
-      invariant6(ExpressionUtils.isLiteral(expr2), "expecting a literal");
-      invariant6(typeof expr2.value === "string", "expecting a string literal");
+      invariant7(ExpressionUtils.isLiteral(expr2), "expecting a literal");
+      invariant7(typeof expr2.value === "string", "expecting a string literal");
       return expr2.value.split(",").filter((v) => !!v).map((v) => v.trim());
     }, "extractOperations");
     if (modelDef.attributes) {
@@ -2671,8 +3084,84 @@ var PolicyHandler = class extends OperationNodeTransformer {
     }
     return result;
   }
+  resolveManyToManyJoinTable(tableName) {
+    for (const model of Object.values(this.client.$schema.models)) {
+      for (const field of Object.values(model.fields)) {
+        const m2m = getManyToManyRelation(this.client.$schema, model.name, field.name);
+        if (m2m?.joinTable === tableName) {
+          const sortedRecord = [
+            {
+              model: model.name,
+              field: field.name
+            },
+            {
+              model: m2m.otherModel,
+              field: m2m.otherField
+            }
+          ].sort(this.manyToManySorter);
+          const firstIdFields = requireIdFields(this.client.$schema, sortedRecord[0].model);
+          const secondIdFields = requireIdFields(this.client.$schema, sortedRecord[1].model);
+          invariant7(firstIdFields.length === 1 && secondIdFields.length === 1, "only single-field id is supported for implicit many-to-many join table");
+          return {
+            firstModel: sortedRecord[0].model,
+            firstField: sortedRecord[0].field,
+            firstIdField: firstIdFields[0],
+            secondModel: sortedRecord[1].model,
+            secondField: sortedRecord[1].field,
+            secondIdField: secondIdFields[0]
+          };
+        }
+      }
+    }
+    return void 0;
+  }
+  manyToManySorter(a, b) {
+    return a.model !== b.model ? a.model.localeCompare(b.model) : a.field.localeCompare(b.field);
+  }
+  isManyToManyJoinTable(tableName) {
+    return !!this.resolveManyToManyJoinTable(tableName);
+  }
+  getModelPolicyFilterForManyToManyJoinTable(tableName, alias, operation) {
+    const m2m = this.resolveManyToManyJoinTable(tableName);
+    if (!m2m) {
+      return void 0;
+    }
+    const checkForOperation = operation === "read" ? "read" : "update";
+    const eb = expressionBuilder3();
+    const joinTable = alias ?? tableName;
+    const aQuery = eb.selectFrom(m2m.firstModel).whereRef(`${m2m.firstModel}.${m2m.firstIdField}`, "=", `${joinTable}.A`).select(() => new ExpressionWrapper(this.buildPolicyFilter(m2m.firstModel, void 0, checkForOperation)).as("$conditionA"));
+    const bQuery = eb.selectFrom(m2m.secondModel).whereRef(`${m2m.secondModel}.${m2m.secondIdField}`, "=", `${joinTable}.B`).select(() => new ExpressionWrapper(this.buildPolicyFilter(m2m.secondModel, void 0, checkForOperation)).as("$conditionB"));
+    return eb.and([
+      aQuery,
+      bQuery
+    ]).toOperationNode();
+  }
 };
 
+// src/plugins/policy/functions.ts
+var check = /* @__PURE__ */ __name((eb, args, { client, model, modelAlias, operation }) => {
+  invariant8(args.length === 1 || args.length === 2, '"check" function requires 1 or 2 arguments');
+  const arg1Node = args[0].toOperationNode();
+  const arg2Node = args.length === 2 ? args[1].toOperationNode() : void 0;
+  if (arg2Node) {
+    invariant8(ValueNode4.is(arg2Node) && typeof arg2Node.value === "string", '"operation" parameter must be a string literal when provided');
+    invariant8(CRUD.includes(arg2Node.value), '"operation" parameter must be one of "create", "read", "update", "delete"');
+  }
+  const fieldName = extractFieldName(arg1Node);
+  invariant8(fieldName, 'Failed to extract field name from the first argument of "check" function');
+  const fieldDef = requireField(client.$schema, model, fieldName);
+  invariant8(fieldDef.relation, `Field "${fieldName}" is not a relation field in model "${model}"`);
+  invariant8(!fieldDef.array, `Field "${fieldName}" is a to-many relation, which is not supported by "check"`);
+  const relationModel = fieldDef.type;
+  const op = arg2Node ? arg2Node.value : operation;
+  const policyHandler = new PolicyHandler(client);
+  const joinPairs = buildJoinPairs(client.$schema, model, modelAlias, fieldName, relationModel);
+  const joinCondition = joinPairs.length === 1 ? eb(eb.ref(joinPairs[0][0]), "=", eb.ref(joinPairs[0][1])) : eb.and(joinPairs.map(([left, right]) => eb(eb.ref(left), "=", eb.ref(right))));
+  const policyCondition = policyHandler.buildPolicyFilter(relationModel, void 0, op);
+  const result = eb.selectFrom(relationModel).where(joinCondition).select(new ExpressionWrapper2(policyCondition).as("$condition"));
+  return result;
+}, "check");
+
 // src/plugins/policy/plugin.ts
 var PolicyPlugin = class {
   static {
@@ -2687,6 +3176,11 @@ var PolicyPlugin = class {
   get description() {
     return "Enforces access policies defined in the schema.";
   }
+  get functions() {
+    return {
+      check
+    };
+  }
   onKyselyQuery({
     query,
     client,
@@ -2703,6 +3197,7 @@ var PolicyPlugin = class {
 };
 export {
   PolicyPlugin,
-  RejectedByPolicyError
+  RejectedByPolicyError,
+  RejectedByPolicyReason
 };
 //# sourceMappingURL=index.js.map