on-zero 0.1.19 → 0.1.21

package/readme.md

@@ -475,6 +475,41 @@ app.post('/api/zero/pull', async (req) => {
 })
 ```
 
+### server validation hooks
+
+add custom validation for all queries and mutations:
+
+```ts
+export const zeroServer = createZeroServer({
+  schema,
+  models,
+  database: process.env.DATABASE_URL,
+  queries: syncedQueries,
+  createServerActions: () => ({ ... }),
+
+  // validate all queries before execution (must be sync, throw to reject)
+  validateQuery({ authData, queryName, params }) {
+    if (queryName === 'adminOnlyQuery' && authData?.role !== 'admin') {
+      throw new Error('admin only')
+    }
+  },
+
+  // validate all mutations before execution (can be async)
+  async validateMutation({ authData, tableName, mutatorName, args }) {
+    if (tableName === 'user' && mutatorName === 'delete') {
+      await auditLog('user.delete', authData, args)
+    }
+  },
+
+  // admin role bypass for permissions (default: 'all')
+  // - 'all': admin bypasses both query and mutation permissions
+  // - 'queries': admin bypasses only query permissions
+  // - 'mutations': admin bypasses only mutation permissions
+  // - 'off': no admin bypass, normal permission checks apply
+  defaultAllowAdminRole: 'all',
+})
+```
+
 type augmentation:
 
 ```ts

package/src/createPermissions.ts

@@ -6,7 +6,7 @@ import { prettyFormatZeroQuery } from './helpers/prettyFormatZeroQuery'
 import { getZQL } from './state'
 import { getWhereTableName } from './where'
 
-import type { AuthData, Can, TableName, Transaction, Where } from './types'
+import type { AdminRoleMode, AuthData, Can, TableName, Transaction, Where } from './types'
 import type {
   Condition,
   ExpressionBuilder,
@@ -17,9 +17,11 @@ import type {
 export function createPermissions<Schema extends ZeroSchema>({
   environment,
   schema,
+  adminRoleMode = 'all',
 }: {
   environment: 'client' | 'server'
   schema: Schema
+  adminRoleMode?: AdminRoleMode
 }) {
   type PermissionReturn = Condition | boolean
 
@@ -36,6 +38,12 @@ export function createPermissions<Schema extends ZeroSchema>({
     objOrId: Record<string, any> | string,
     tableNameOverride?: TableName
   ) {
+    // check admin bypass for queries
+    const adminBypassQueries = adminRoleMode === 'all' || adminRoleMode === 'queries'
+    if (adminBypassQueries && authData?.role === 'admin') {
+      return eb.cmpLit(true, '=', true)
+    }
+
     const tableName = tableNameOverride || getWhereTableName(permissionWhere)
 
     if (!tableName) {
@@ -93,8 +101,9 @@ export function createPermissions<Schema extends ZeroSchema>({
     where: Where,
     obj: any // TODO until i can get a working PickPrimaryKeys<'message'>
   ): Promise<void> {
-    if (authData?.role === 'admin') {
-      // admin role can do any mutation
+    // check admin bypass for mutations
+    const adminBypassMutations = adminRoleMode === 'all' || adminRoleMode === 'mutations'
+    if (adminBypassMutations && authData?.role === 'admin') {
       return
     }
 

package/src/createZeroServer.ts

@@ -14,6 +14,7 @@ import { getZQL, setAuthData, setSchema } from './state'
 import { setRunner } from './zeroRunner'
 
 import type {
+  AdminRoleMode,
   AsyncAction,
   AuthData,
   GenericModels,
@@ -29,6 +30,22 @@ import type {
 } from '@rocicorp/zero'
 import type { TransactionProviderInput } from '@rocicorp/zero/pg'
 
+export type ValidateQueryArgs = {
+  authData: AuthData | null
+  queryName: string
+  params: unknown
+}
+
+export type ValidateMutationArgs = {
+  authData: AuthData | null
+  mutatorName: string
+  tableName: string
+  args: unknown
+}
+
+export type ValidateQueryFn = (args: ValidateQueryArgs) => void
+export type ValidateMutationFn = (args: ValidateMutationArgs) => void | Promise<void>
+
 export function createZeroServer<
   Schema extends ZeroSchema,
   Models extends GenericModels,
@@ -39,6 +56,9 @@ export function createZeroServer<
   schema,
   models,
   queries,
+  validateQuery,
+  validateMutation,
+  defaultAllowAdminRole = 'all',
 }: {
   /**
    * The DB connection string, same as ZERO_UPSTREAM_DB
@@ -48,6 +68,23 @@ export function createZeroServer<
   models: Models
   createServerActions: () => ServerActions
   queries?: AnyQueryRegistry
+  /**
+   * Hook to validate queries before execution. Throw to reject.
+   * Must be synchronous.
+   */
+  validateQuery?: ValidateQueryFn
+  /**
+   * Hook to validate mutations before execution. Throw to reject.
+   */
+  validateMutation?: ValidateMutationFn
+  /**
+   * Admin role bypass for permissions:
+   * - 'all': admin bypasses both query and mutation permissions (default)
+   * - 'queries': admin bypasses only query permissions
+   * - 'mutations': admin bypasses only mutation permissions
+   * - 'off': admin has no special bypass
+   */
+  defaultAllowAdminRole?: AdminRoleMode
 }) {
   setSchema(schema)
 
@@ -67,6 +104,7 @@ export function createZeroServer<
   const permissions = createPermissions<Schema>({
     environment: 'server',
     schema,
+    adminRoleMode: defaultAllowAdminRole,
   })
 
   const processor = new PushProcessor(zeroDb)
@@ -90,6 +128,7 @@ export function createZeroServer<
       environment: 'server',
       models,
       authData,
+      validateMutation,
     })
 
     // @ts-expect-error type is ok but config in monorepo
@@ -150,6 +189,11 @@ export function createZeroServer<
             .one()
         }
 
+        // run validation hook if provided (must be sync - throw to reject)
+        if (validateQuery) {
+          validateQuery({ authData, queryName: name, params: args })
+        }
+
         const query = (mustGetQuery as any)(queries, name)
         return query.fn({ args, ctx: authData })
       },
@@ -180,6 +224,7 @@ export function createZeroServer<
       },
       createServerActions,
       can: permissions.can,
+      validateMutation,
     })
 
     await transaction(async (tx) => {

package/src/helpers/createMutators.ts

@@ -13,6 +13,15 @@ import type {
   Transaction,
 } from '../types'
 
+export type ValidateMutationFn = (args: {
+  authData: AuthData | null
+  mutatorName: string
+  tableName: string
+  args: unknown
+}) => void | Promise<void>
+
+export type { ValidateMutationFn as CreateMutatorsValidateFn }
+
 export function createMutators<Models extends GenericModels>({
   environment,
   authData,
@@ -20,6 +29,7 @@ export function createMutators<Models extends GenericModels>({
   asyncTasks = [],
   can,
   models,
+  validateMutation,
 }: {
   environment: 'server' | 'client'
   authData: AuthData | null
@@ -27,6 +37,7 @@ export function createMutators<Models extends GenericModels>({
   models: Models
   asyncTasks?: Array<() => Promise<void>>
   createServerActions?: () => Record<string, any>
+  validateMutation?: ValidateMutationFn
 }): GetZeroMutators<Models> {
   const serverActions = createServerActions?.()
 
@@ -68,27 +79,31 @@ export function createMutators<Models extends GenericModels>({
       return fn
     }
 
+    const debug = process.env.DEBUG
+
     return async (...args: Args): Promise<void> => {
       const startTime = performance.now()
 
       try {
-        if (isServer) {
+        if (debug && isServer) {
           console.info(`[mutator] ${name} start`)
         }
         const result = await fn(...args)
         const duration = (performance.now() - startTime).toFixed(2)
-        if (isBrowser) {
-          console.groupCollapsed(`[mutator] ${name} completed in ${duration}ms`)
-          console.info('→', args[1])
-          console.info('←', result)
-          console.trace()
-          console.groupEnd()
-        } else {
-          // TODO in prod just track
-          console.info(`[mutator] ${name} completed in ${duration}ms`)
+        if (debug) {
+          if (isBrowser) {
+            console.groupCollapsed(`[mutator] ${name} completed in ${duration}ms`)
+            console.info('→', args[1])
+            console.info('←', result)
+            console.trace()
+            console.groupEnd()
+          } else {
+            console.info(`[mutator] ${name} completed in ${duration}ms`)
+          }
         }
         return result
       } catch (error) {
+        // always log errors
         const duration = (performance.now() - startTime).toFixed(2)
         console.groupCollapsed(`[mutator] ${name} failed after ${duration}ms`)
         console.error('error:', error)
@@ -118,6 +133,27 @@ export function createMutators<Models extends GenericModels>({
     }
   }
 
+  function withValidation<Args extends any[]>(
+    tableName: string,
+    mutatorName: string,
+    fn: (...args: Args) => Promise<void>
+  ) {
+    if (!validateMutation) {
+      return fn
+    }
+
+    return async (...args: Args): Promise<void> => {
+      // args[0] is tx, args[1] is the mutation args
+      await validateMutation({
+        authData: isBrowser ? getAuthData() : authData,
+        tableName,
+        mutatorName,
+        args: args[1],
+      })
+      return fn(...args)
+    }
+  }
+
   function decorateMutators<T extends Record<string, Record<string, any>>>(modules: T) {
     const result: any = {}
 
@@ -128,7 +164,10 @@ export function createMutators<Models extends GenericModels>({
           const fullName = `${moduleName}.${name}`
           result[moduleName][name] = withDevelopmentLogging(
             fullName,
-            withTimeoutGuard(fullName, withContext(exportValue))
+            withTimeoutGuard(
+              fullName,
+              withValidation(moduleName, name, withContext(exportValue))
+            )
           )
         }
       }

package/src/types.ts

@@ -134,3 +134,12 @@ export type TablePrimaryKeys<TS extends GenericTable> = TupleToUnion<
 >
 
 export type ZeroEvent = { type: 'error'; message: string }
+
+/**
+ * Admin role bypass for permissions:
+ * - 'all': admin bypasses both query and mutation permissions (default)
+ * - 'queries': admin bypasses only query permissions
+ * - 'mutations': admin bypasses only mutation permissions
+ * - 'off': admin has no special bypass
+ */
+export type AdminRoleMode = 'all' | 'queries' | 'mutations' | 'off'

package/types/createPermissions.d.ts

@@ -1,8 +1,9 @@
-import type { AuthData, Can, TableName, Where } from './types';
+import type { AdminRoleMode, AuthData, Can, TableName, Where } from './types';
 import type { Condition, ExpressionBuilder, Schema as ZeroSchema } from '@rocicorp/zero';
-export declare function createPermissions<Schema extends ZeroSchema>({ environment, schema, }: {
+export declare function createPermissions<Schema extends ZeroSchema>({ environment, schema, adminRoleMode, }: {
     environment: 'client' | 'server';
     schema: Schema;
+    adminRoleMode?: AdminRoleMode;
 }): {
     can: Can;
     buildPermissionQuery: <PermissionWhere extends Where<string, boolean | Condition>>(authData: AuthData | null, eb: ExpressionBuilder<any, any>, permissionWhere: PermissionWhere, objOrId: Record<string, any> | string, tableNameOverride?: TableName) => Condition;

package/types/createPermissions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"createPermissions.d.ts","sourceRoot":"","sources":["../src/createPermissions.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAe,KAAK,EAAE,MAAM,SAAS,CAAA;AAC3E,OAAO,KAAK,EACV,SAAS,EACT,iBAAiB,EAEjB,MAAM,IAAI,UAAU,EACrB,MAAM,gBAAgB,CAAA;AAEvB,wBAAgB,iBAAiB,CAAC,MAAM,SAAS,UAAU,EAAE,EAC3D,WAAW,EACX,MAAM,GACP,EAAE;IACD,WAAW,EAAE,QAAQ,GAAG,QAAQ,CAAA;IAChC,MAAM,EAAE,MAAM,CAAA;CACf;;2BAQ+B,eAAe,uDACjC,QAAQ,GAAG,IAAI,MACrB,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,mBACd,eAAe,WAEvB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,MAAM,sBACjB,SAAS;EA+FhC"}
+{"version":3,"file":"createPermissions.d.ts","sourceRoot":"","sources":["../src/createPermissions.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAe,KAAK,EAAE,MAAM,SAAS,CAAA;AAC1F,OAAO,KAAK,EACV,SAAS,EACT,iBAAiB,EAEjB,MAAM,IAAI,UAAU,EACrB,MAAM,gBAAgB,CAAA;AAEvB,wBAAgB,iBAAiB,CAAC,MAAM,SAAS,UAAU,EAAE,EAC3D,WAAW,EACX,MAAM,EACN,aAAqB,GACtB,EAAE;IACD,WAAW,EAAE,QAAQ,GAAG,QAAQ,CAAA;IAChC,MAAM,EAAE,MAAM,CAAA;IACd,aAAa,CAAC,EAAE,aAAa,CAAA;CAC9B;;2BAQ+B,eAAe,uDACjC,QAAQ,GAAG,IAAI,MACrB,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,mBACd,eAAe,WAEvB,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,MAAM,sBACjB,SAAS;EAsGhC"}

package/types/createZeroServer.d.ts

@@ -1,6 +1,19 @@
-import type { AsyncAction, AuthData, GenericModels, GetZeroMutators, QueryBuilder, Transaction } from './types';
+import type { AdminRoleMode, AsyncAction, AuthData, GenericModels, GetZeroMutators, QueryBuilder, Transaction } from './types';
 import type { AnyQueryRegistry, HumanReadable, Query, Schema as ZeroSchema } from '@rocicorp/zero';
-export declare function createZeroServer<Schema extends ZeroSchema, Models extends GenericModels, ServerActions extends Record<string, unknown>>({ createServerActions, database, schema, models, queries, }: {
+export type ValidateQueryArgs = {
+    authData: AuthData | null;
+    queryName: string;
+    params: unknown;
+};
+export type ValidateMutationArgs = {
+    authData: AuthData | null;
+    mutatorName: string;
+    tableName: string;
+    args: unknown;
+};
+export type ValidateQueryFn = (args: ValidateQueryArgs) => void;
+export type ValidateMutationFn = (args: ValidateMutationArgs) => void | Promise<void>;
+export declare function createZeroServer<Schema extends ZeroSchema, Models extends GenericModels, ServerActions extends Record<string, unknown>>({ createServerActions, database, schema, models, queries, validateQuery, validateMutation, defaultAllowAdminRole, }: {
     /**
      * The DB connection string, same as ZERO_UPSTREAM_DB
      */
@@ -9,6 +22,23 @@ export declare function createZeroServer<Schema extends ZeroSchema, Models exten
     models: Models;
     createServerActions: () => ServerActions;
     queries?: AnyQueryRegistry;
+    /**
+     * Hook to validate queries before execution. Throw to reject.
+     * Must be synchronous.
+     */
+    validateQuery?: ValidateQueryFn;
+    /**
+     * Hook to validate mutations before execution. Throw to reject.
+     */
+    validateMutation?: ValidateMutationFn;
+    /**
+     * Admin role bypass for permissions:
+     * - 'all': admin bypasses both query and mutation permissions (default)
+     * - 'queries': admin bypasses only query permissions
+     * - 'mutations': admin bypasses only mutation permissions
+     * - 'off': admin has no special bypass
+     */
+    defaultAllowAdminRole?: AdminRoleMode;
 }): {
     handleMutationRequest: ({ authData, request, skipAsyncTasks, }: {
         authData: AuthData | null;

package/types/createZeroServer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"createZeroServer.d.ts","sourceRoot":"","sources":["../src/createZeroServer.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EACV,WAAW,EACX,QAAQ,EACR,aAAa,EACb,eAAe,EACf,YAAY,EACZ,WAAW,EACZ,MAAM,SAAS,CAAA;AAChB,OAAO,KAAK,EACV,gBAAgB,EAChB,aAAa,EACb,KAAK,EACL,MAAM,IAAI,UAAU,EACrB,MAAM,gBAAgB,CAAA;AAGvB,wBAAgB,gBAAgB,CAC9B,MAAM,SAAS,UAAU,EACzB,MAAM,SAAS,aAAa,EAC5B,aAAa,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7C,EACA,mBAAmB,EACnB,QAAQ,EACR,MAAM,EACN,MAAM,EACN,OAAO,GACR,EAAE;IACD;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,CAAA;IACd,mBAAmB,EAAE,MAAM,aAAa,CAAA;IACxC,OAAO,CAAC,EAAE,gBAAgB,CAAA;CAC3B;oEA2BI;QACD,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;QACzB,OAAO,EAAE,OAAO,CAAA;QAChB,cAAc,CAAC,EAAE,OAAO,CAAA;KACzB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iDAsCE;QACD,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;QACzB,OAAO,EAAE,OAAO,CAAA;KACjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAsEC,EAAE,SAAS,CAAC,EAAE,EAAE,WAAW,KAAK,OAAO,CAAC,GAAG,CAAC,EAC5C,OAAO,SAAS,EAAE,SAAS,CAAC,EAAE,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,SACrE,EAAE,KAAG,OAAO,CAAC,OAAO,CAAC;kBA7BvB,CAAC,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE,eAAe,CAAC,MAAM,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,aAC/D,IAAI,CAAC,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC;YA2ChD,CAAC,MACV,CAAC,CAAC,EAAE,YAAY,KAAK,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC,KAC7C,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;EAiC7B"}
+{"version":3,"file":"createZeroServer.d.ts","sourceRoot":"","sources":["../src/createZeroServer.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EACV,aAAa,EACb,WAAW,EACX,QAAQ,EACR,aAAa,EACb,eAAe,EACf,YAAY,EACZ,WAAW,EACZ,MAAM,SAAS,CAAA;AAChB,OAAO,KAAK,EACV,gBAAgB,EAChB,aAAa,EACb,KAAK,EACL,MAAM,IAAI,UAAU,EACrB,MAAM,gBAAgB,CAAA;AAGvB,MAAM,MAAM,iBAAiB,GAAG;IAC9B,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,OAAO,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,WAAW,EAAE,MAAM,CAAA;IACnB,SAAS,EAAE,MAAM,CAAA;IACjB,IAAI,EAAE,OAAO,CAAA;CACd,CAAA;AAED,MAAM,MAAM,eAAe,GAAG,CAAC,IAAI,EAAE,iBAAiB,KAAK,IAAI,CAAA;AAC/D,MAAM,MAAM,kBAAkB,GAAG,CAAC,IAAI,EAAE,oBAAoB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;AAErF,wBAAgB,gBAAgB,CAC9B,MAAM,SAAS,UAAU,EACzB,MAAM,SAAS,aAAa,EAC5B,aAAa,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7C,EACA,mBAAmB,EACnB,QAAQ,EACR,MAAM,EACN,MAAM,EACN,OAAO,EACP,aAAa,EACb,gBAAgB,EAChB,qBAA6B,GAC9B,EAAE;IACD;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,CAAA;IACd,mBAAmB,EAAE,MAAM,aAAa,CAAA;IACxC,OAAO,CAAC,EAAE,gBAAgB,CAAA;IAC1B;;;OAGG;IACH,aAAa,CAAC,EAAE,eAAe,CAAA;IAC/B;;OAEG;IACH,gBAAgB,CAAC,EAAE,kBAAkB,CAAA;IACrC;;;;;;OAMG;IACH,qBAAqB,CAAC,EAAE,aAAa,CAAA;CACtC;oEA4BI;QACD,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;QACzB,OAAO,EAAE,OAAO,CAAA;QAChB,cAAc,CAAC,EAAE,OAAO,CAAA;KACzB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iDAuCE;QACD,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;QACzB,OAAO,EAAE,OAAO,CAAA;KACjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA4EC,EAAE,SAAS,CAAC,EAAE,EAAE,WAAW,KAAK,OAAO,CAAC,GAAG,CAAC,EAC5C,OAAO,SAAS,EAAE,SAAS,CAAC,EAAE,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,SACrE,EAAE,KAAG,OAAO,CAAC,OAAO,CAAC;kBA9BvB,CAAC,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE,eAAe,CAAC,MAAM,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,aAC/D,IAAI,CAAC,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC;YA4ChD,CAAC,MACV,CAAC,CAAC,EAAE,YAAY,KAAK,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC,KAC7C,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;EAiC7B"}

package/types/helpers/createMutators.d.ts

@@ -1,10 +1,18 @@
 import type { AuthData, Can, GenericModels, GetZeroMutators } from '../types';
-export declare function createMutators<Models extends GenericModels>({ environment, authData, createServerActions, asyncTasks, can, models, }: {
+export type ValidateMutationFn = (args: {
+    authData: AuthData | null;
+    mutatorName: string;
+    tableName: string;
+    args: unknown;
+}) => void | Promise<void>;
+export type { ValidateMutationFn as CreateMutatorsValidateFn };
+export declare function createMutators<Models extends GenericModels>({ environment, authData, createServerActions, asyncTasks, can, models, validateMutation, }: {
     environment: 'server' | 'client';
     authData: AuthData | null;
     can: Can;
     models: Models;
     asyncTasks?: Array<() => Promise<void>>;
     createServerActions?: () => Record<string, any>;
+    validateMutation?: ValidateMutationFn;
 }): GetZeroMutators<Models>;
 //# sourceMappingURL=createMutators.d.ts.map

package/types/helpers/createMutators.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"createMutators.d.ts","sourceRoot":"","sources":["../../src/helpers/createMutators.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EACV,QAAQ,EACR,GAAG,EACH,aAAa,EACb,eAAe,EAGhB,MAAM,UAAU,CAAA;AAEjB,wBAAgB,cAAc,CAAC,MAAM,SAAS,aAAa,EAAE,EAC3D,WAAW,EACX,QAAQ,EACR,mBAAmB,EACnB,UAAe,EACf,GAAG,EACH,MAAM,GACP,EAAE;IACD,WAAW,EAAE,QAAQ,GAAG,QAAQ,CAAA;IAChC,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,GAAG,EAAE,GAAG,CAAA;IACR,MAAM,EAAE,MAAM,CAAA;IACd,UAAU,CAAC,EAAE,KAAK,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;IACvC,mBAAmB,CAAC,EAAE,MAAM,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;CAChD,GAAG,eAAe,CAAC,MAAM,CAAC,CA+G1B"}
+{"version":3,"file":"createMutators.d.ts","sourceRoot":"","sources":["../../src/helpers/createMutators.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EACV,QAAQ,EACR,GAAG,EACH,aAAa,EACb,eAAe,EAGhB,MAAM,UAAU,CAAA;AAEjB,MAAM,MAAM,kBAAkB,GAAG,CAAC,IAAI,EAAE;IACtC,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,WAAW,EAAE,MAAM,CAAA;IACnB,SAAS,EAAE,MAAM,CAAA;IACjB,IAAI,EAAE,OAAO,CAAA;CACd,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;AAE1B,YAAY,EAAE,kBAAkB,IAAI,wBAAwB,EAAE,CAAA;AAE9D,wBAAgB,cAAc,CAAC,MAAM,SAAS,aAAa,EAAE,EAC3D,WAAW,EACX,QAAQ,EACR,mBAAmB,EACnB,UAAe,EACf,GAAG,EACH,MAAM,EACN,gBAAgB,GACjB,EAAE;IACD,WAAW,EAAE,QAAQ,GAAG,QAAQ,CAAA;IAChC,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,GAAG,EAAE,GAAG,CAAA;IACR,MAAM,EAAE,MAAM,CAAA;IACd,UAAU,CAAC,EAAE,KAAK,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;IACvC,mBAAmB,CAAC,EAAE,MAAM,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAC/C,gBAAgB,CAAC,EAAE,kBAAkB,CAAA;CACtC,GAAG,eAAe,CAAC,MAAM,CAAC,CA2I1B"}

package/types/types.d.ts

@@ -74,5 +74,13 @@ export type ZeroEvent = {
     type: 'error';
     message: string;
 };
+/**
+ * Admin role bypass for permissions:
+ * - 'all': admin bypasses both query and mutation permissions (default)
+ * - 'queries': admin bypasses only query permissions
+ * - 'mutations': admin bypasses only mutation permissions
+ * - 'off': admin has no special bypass
+ */
+export type AdminRoleMode = 'all' | 'queries' | 'mutations' | 'off';
 export {};
 //# sourceMappingURL=types.d.ts.map

package/types/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,SAAS,EACT,iBAAiB,EACjB,GAAG,EACH,WAAW,EACX,uBAAuB,EACvB,MAAM,IAAI,UAAU,EACpB,WAAW,IAAI,eAAe,EAC/B,MAAM,gBAAgB,CAAA;AACvB,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAErE;;;;;;;;;;;;;;;;;;GAkBG;AAEH,MAAM,WAAW,MAAM;CAAG;AAE1B,UAAU,aAAa;IACrB,MAAM,EAAE,UAAU,CAAA;IAClB,QAAQ,EAAE,EAAE,CAAA;IACZ,aAAa,EAAE,IAAI,CAAA;CACpB;AAED,UAAU,WAAY,SAAQ,IAAI,CAAC,aAAa,EAAE,MAAM,MAAM,CAAC,EAAE,MAAM;CAAG;AAE1E,MAAM,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAA;AAE1C,MAAM,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,SAAS,MAAM,GACzD,MAAM,MAAM,CAAC,QAAQ,CAAC,GACtB,MAAM,CAAA;AAEV,MAAM,MAAM,WAAW,GAAG,eAAe,CAAC,MAAM,CAAC,CAAA;AAEjD,MAAM,MAAM,QAAQ,GAClB,WAAW,CAAC,UAAU,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnD,WAAW,CAAC,UAAU,CAAC,GACvB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;AAE7B,MAAM,MAAM,aAAa,GACvB,WAAW,CAAC,eAAe,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACxD,WAAW,CAAC,eAAe,CAAC,GAC5B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;AAE7B,MAAM,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;AAE9C;;GAEG;AAGH,MAAM,MAAM,cAAc,GAAG;IAC3B,EAAE,EAAE,WAAW,CAAA;IACf,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,WAAW,EAAE,QAAQ,GAAG,QAAQ,CAAA;IAChC,MAAM,CAAC,EAAE;QACP,OAAO,EAAE,aAAa,CAAA;QACtB,UAAU,EAAE,KAAK,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;KACvC,CAAA;IACD,GAAG,EAAE,GAAG,CAAA;CACT,CAAA;AAGD,MAAM,MAAM,eAAe,CAAC,MAAM,SAAS,aAAa,IAAI;KACzD,GAAG,IAAI,MAAM,MAAM,GAAG,iBAAiB,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC;CACxE,CAAA;AAED,KAAK,gBAAgB,CAAC,MAAM,SAAS,aAAa,IAAI;KACnD,GAAG,IAAI,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;CAC7C,CAAA;AAED,MAAM,MAAM,aAAa,GAAG;IAC1B,CAAC,GAAG,EAAE,MAAM,GAAG;QACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,CAAC,EAAE,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC,CAAA;QACxE,WAAW,CAAC,EAAE,KAAK,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,CAAA;KAC9C,CAAA;CACF,CAAA;AAED,MAAM,MAAM,iBAAiB,CAAC,CAAC,IAAI;KAChC,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,IAAI,EAAE,MAAM,IAAI,KAAK,MAAM,MAAM,GACnF,CAAC,EAAE,EAAE,WAAW,EAAE,GAAG,IAAI,EAAE,IAAI,KAAK,MAAM,SAAS,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,GAClF,KAAK;CACV,CAAA;AAED,MAAM,MAAM,KAAK,CACf,KAAK,SAAS,SAAS,GAAG,SAAS,EACnC,UAAU,SAAS,SAAS,GAAG,OAAO,GAAG,SAAS,GAAG,OAAO,IAC1D,CACF,iBAAiB,EAAE,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,EACnD,IAAI,CAAC,EAAE,QAAQ,GAAG,IAAI,KACnB,UAAU,CAAA;AAEf,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,SAAS,KAAK,EACrC,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAClC,OAAO,CAAC,IAAI,CAAC,CAAA;AAElB,MAAM,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;AAE7C,KAAK,YAAY,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAA;AAEhD,KAAK,cAAc,CAAC,EAAE,SAAS,YAAY,IACzC,EAAE,SAAS,uBAAuB,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;AAGzD,MAAM,MAAM,cAAc,CAAC,EAAE,SAAS,YAAY,IAAI,cAAc,CAClE,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,CACxB,CAAA;AAGD,MAAM,MAAM,cAAc,CAAC,EAAE,SAAS,YAAY,IAAI,IAAI,CACxD,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,EACvB,gBAAgB,CAAC,EAAE,CAAC,CACrB,GACC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,CAAA;AAE7B,MAAM,MAAM,gBAAgB,CAAC,EAAE,SAAS,YAAY,IAAI,YAAY,CAClE,cAAc,CAAC,EAAE,CAAC,CAAC,YAAY,CAAC,CACjC,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAA"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,SAAS,EACT,iBAAiB,EACjB,GAAG,EACH,WAAW,EACX,uBAAuB,EACvB,MAAM,IAAI,UAAU,EACpB,WAAW,IAAI,eAAe,EAC/B,MAAM,gBAAgB,CAAA;AACvB,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAA;AAErE;;;;;;;;;;;;;;;;;;GAkBG;AAEH,MAAM,WAAW,MAAM;CAAG;AAE1B,UAAU,aAAa;IACrB,MAAM,EAAE,UAAU,CAAA;IAClB,QAAQ,EAAE,EAAE,CAAA;IACZ,aAAa,EAAE,IAAI,CAAA;CACpB;AAED,UAAU,WAAY,SAAQ,IAAI,CAAC,aAAa,EAAE,MAAM,MAAM,CAAC,EAAE,MAAM;CAAG;AAE1E,MAAM,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAA;AAE1C,MAAM,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,SAAS,MAAM,GACzD,MAAM,MAAM,CAAC,QAAQ,CAAC,GACtB,MAAM,CAAA;AAEV,MAAM,MAAM,WAAW,GAAG,eAAe,CAAC,MAAM,CAAC,CAAA;AAEjD,MAAM,MAAM,QAAQ,GAClB,WAAW,CAAC,UAAU,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnD,WAAW,CAAC,UAAU,CAAC,GACvB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;AAE7B,MAAM,MAAM,aAAa,GACvB,WAAW,CAAC,eAAe,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACxD,WAAW,CAAC,eAAe,CAAC,GAC5B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;AAE7B,MAAM,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;AAE9C;;GAEG;AAGH,MAAM,MAAM,cAAc,GAAG;IAC3B,EAAE,EAAE,WAAW,CAAA;IACf,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,WAAW,EAAE,QAAQ,GAAG,QAAQ,CAAA;IAChC,MAAM,CAAC,EAAE;QACP,OAAO,EAAE,aAAa,CAAA;QACtB,UAAU,EAAE,KAAK,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,CAAA;KACvC,CAAA;IACD,GAAG,EAAE,GAAG,CAAA;CACT,CAAA;AAGD,MAAM,MAAM,eAAe,CAAC,MAAM,SAAS,aAAa,IAAI;KACzD,GAAG,IAAI,MAAM,MAAM,GAAG,iBAAiB,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC;CACxE,CAAA;AAED,KAAK,gBAAgB,CAAC,MAAM,SAAS,aAAa,IAAI;KACnD,GAAG,IAAI,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;CAC7C,CAAA;AAED,MAAM,MAAM,aAAa,GAAG;IAC1B,CAAC,GAAG,EAAE,MAAM,GAAG;QACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,CAAC,EAAE,GAAG,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC,CAAA;QACxE,WAAW,CAAC,EAAE,KAAK,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,CAAA;KAC9C,CAAA;CACF,CAAA;AAED,MAAM,MAAM,iBAAiB,CAAC,CAAC,IAAI;KAChC,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,IAAI,EAAE,MAAM,IAAI,KAAK,MAAM,MAAM,GACnF,CAAC,EAAE,EAAE,WAAW,EAAE,GAAG,IAAI,EAAE,IAAI,KAAK,MAAM,SAAS,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,GAClF,KAAK;CACV,CAAA;AAED,MAAM,MAAM,KAAK,CACf,KAAK,SAAS,SAAS,GAAG,SAAS,EACnC,UAAU,SAAS,SAAS,GAAG,OAAO,GAAG,SAAS,GAAG,OAAO,IAC1D,CACF,iBAAiB,EAAE,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,EACnD,IAAI,CAAC,EAAE,QAAQ,GAAG,IAAI,KACnB,UAAU,CAAA;AAEf,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,SAAS,KAAK,EACrC,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAClC,OAAO,CAAC,IAAI,CAAC,CAAA;AAElB,MAAM,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;AAE7C,KAAK,YAAY,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAA;AAEhD,KAAK,cAAc,CAAC,EAAE,SAAS,YAAY,IACzC,EAAE,SAAS,uBAAuB,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;AAGzD,MAAM,MAAM,cAAc,CAAC,EAAE,SAAS,YAAY,IAAI,cAAc,CAClE,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,CACxB,CAAA;AAGD,MAAM,MAAM,cAAc,CAAC,EAAE,SAAS,YAAY,IAAI,IAAI,CACxD,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,EACvB,gBAAgB,CAAC,EAAE,CAAC,CACrB,GACC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,CAAA;AAE7B,MAAM,MAAM,gBAAgB,CAAC,EAAE,SAAS,YAAY,IAAI,YAAY,CAClE,cAAc,CAAC,EAAE,CAAC,CAAC,YAAY,CAAC,CACjC,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAA;AAE1D;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GAAG,KAAK,GAAG,SAAS,GAAG,WAAW,GAAG,KAAK,CAAA"}