over-zero 0.0.0

package/dist/cjs/createMutations.native.js

@@ -0,0 +1,50 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: !0 });
+}, __copyProps = (to, from, except, desc) => {
+  if (from && typeof from == "object" || typeof from == "function")
+    for (let key of __getOwnPropNames(from))
+      !__hasOwnProp.call(to, key) && key !== except && __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: !0 }), mod);
+var createMutations_exports = {};
+__export(createMutations_exports, {
+  mutations: () => mutations
+});
+module.exports = __toCommonJS(createMutations_exports);
+function mutations(table, permissions, mutations2) {
+  if (permissions) {
+    var tableName = table.schema.name, createCRUDMutation = function(action) {
+      return async function(ctx, obj) {
+        var runServerPermissionCheck = async function() {
+          ctx.didCanPermissionsRun || process.env.VITE_ENVIRONMENT === "ssr" && await ctx.can(permissions, action, obj);
+        };
+        action === "delete" && await runServerPermissionCheck();
+        var existing = mutations2 == null ? void 0 : mutations2[action];
+        existing ? await existing(ctx, obj) : await ctx.tx.mutate[tableName][action](obj), action !== "delete" && await runServerPermissionCheck();
+      };
+    }, crudMutations = {
+      insert: createCRUDMutation("insert"),
+      update: createCRUDMutation("update"),
+      delete: createCRUDMutation("delete"),
+      upsert: createCRUDMutation("upsert")
+    };
+    return {
+      ...mutations2,
+      // overwrite regular mutations but call them if they are defined by user
+      ...crudMutations
+    };
+  }
+  return table;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  mutations
+});
+//# sourceMappingURL=createMutations.js.map

package/dist/cjs/createMutations.native.js.map

@@ -0,0 +1,6 @@
+{
+  "version": 3,
+  "sources": ["../../src/createMutations.ts"],
+  "mappings": ";;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAeO,SAAS,UAAU,OAAO,aAAaA,YAAW;AACrD,MAAI,aAAa;AACb,QAAI,YAAY,MAAM,OAAO,MACzB,qBAAqB,SAAS,QAAQ;AACtC,aAAO,eAAe,KAAK,KAAK;AAG5B,YAAI,2BAA2B,iBAAiB;AAC5C,UAAI,IAAI,wBAKJ,QAAQ,IAAI,qBAAqB,SACjC,MAAM,IAAI,IAAI,aAAa,QAAQ,GAAG;AAAA,QAE9C;AACA,QAAI,WAAW,YACX,MAAM,yBAAyB;AAGnC,YAAI,WAAWA,cAAc,OAA+B,SAASA,WAAU,MAAM;AACrF,QAAI,WACA,MAAM,SAAS,KAAK,GAAG,IAEvB,MAAM,IAAI,GAAG,OAAO,SAAS,EAAE,MAAM,EAAE,GAAG,GAE1C,WAAW,YACX,MAAM,yBAAyB;AAAA,MAEvC;AAAA,IACJ,GACI,gBAAgB;AAAA,MAChB,QAAQ,mBAAmB,QAAQ;AAAA,MACnC,QAAQ,mBAAmB,QAAQ;AAAA,MACnC,QAAQ,mBAAmB,QAAQ;AAAA,MACnC,QAAQ,mBAAmB,QAAQ;AAAA,IACvC;AACA,WAAO;AAAA,MACH,GAAGA;AAAA;AAAA,MAEH,GAAG;AAAA,IACP;AAAA,EACJ;AAEA,SAAO;AACX;",
+  "names": ["mutations"]
+}

package/dist/cjs/createPermissions.cjs

@@ -0,0 +1,128 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+    for (var name in all) __defProp(target, name, {
+      get: all[name],
+      enumerable: !0
+    });
+  },
+  __copyProps = (to, from, except, desc) => {
+    if (from && typeof from == "object" || typeof from == "function") for (let key of __getOwnPropNames(from)) !__hasOwnProp.call(to, key) && key !== except && __defProp(to, key, {
+      get: () => from[key],
+      enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+    });
+    return to;
+  };
+var __toCommonJS = mod => __copyProps(__defProp({}, "__esModule", {
+  value: !0
+}), mod);
+var createPermissions_exports = {};
+__export(createPermissions_exports, {
+  createPermissions: () => createPermissions
+});
+module.exports = __toCommonJS(createPermissions_exports);
+var import_helpers = require("@vxrn/helpers"),
+  import_prettyFormatZeroQuery = require("./helpers/prettyFormatZeroQuery.cjs");
+function createPermissions(schema, getContext) {
+  runEnvironmentSafetyCheck();
+  const permissionCache = (0, import_helpers.createLocalStorage)("permissions-cache", {
+    storageLimit: 24
+  });
+  function where(a, b) {
+    return b && WhereTableNameMap.set(b, a), b || a;
+  }
+  const WhereTableNameMap = /* @__PURE__ */new WeakMap();
+  function getWhereTableName(where2) {
+    return WhereTableNameMap.get(where2);
+  }
+  const fallbackActions = {
+    select: "read",
+    insert: "write",
+    update: "write",
+    upsert: "write",
+    delete: "write"
+  };
+  function buildPermissionQuery(authData, eb, permissionWhere, action, objOrId) {
+    const tableName = getWhereTableName(permissionWhere);
+    if (!tableName) throw new Error("Must use PermissionWhere for buildPermissionQuery");
+    const primaryKeys = schema.tables[tableName].primaryKey,
+      permissionQueryBuilder = permissionWhere(eb, authData),
+      fallbackAction = fallbackActions[action],
+      permissionCondition = permissionQueryBuilder[action] || (fallbackAction ? permissionQueryBuilder[fallbackAction] : void 0);
+    if (permissionCondition == null) throw new Error(`No permission defined for ${action} (or ${fallbackAction})`);
+    if (permissionCondition === !0) return eb.cmpLit(!0, "=", !0);
+    if (permissionCondition === !1) return eb.cmpLit(!0, "=", !1);
+    const primaryKeyWheres = [];
+    for (const key of primaryKeys) {
+      const value = typeof objOrId == "string" ? objOrId : objOrId[key];
+      primaryKeyWheres.push(eb.cmp(key, value));
+    }
+    return eb.and(permissionCondition, ...primaryKeyWheres);
+  }
+  async function can(where2, action, obj) {
+    const ctx = getContext(),
+      tableName = getWhereTableName(where2);
+    if (!tableName) throw new Error("Must use where('table') style where to pass to can()");
+    process.env.VITE_ENVIRONMENT === "ssr" && (await ensurePermission(ctx.tx, ctx.authData, tableName, where2, action, obj), ctx.didCanPermissionsRun = !0);
+  }
+  async function ensurePermission(tx, authData, tableName, where2, actionIn, obj) {
+    if (authData?.role === "admin") return;
+    const action = String(actionIn),
+      name = `${tableName}.${action}`,
+      queryBase = tx.query[tableName];
+    let query = null;
+    try {
+      query = queryBase.where(eb => buildPermissionQuery(authData, eb, where2, action, obj)).one(), (0, import_helpers.ensure)(await query);
+    } catch (err) {
+      const errorTitle = `${name} with auth id: ${authData?.id}`;
+      if (err instanceof import_helpers.EnsureError) {
+        let msg = `[permission] \u{1F6AB} Not Allowed: ${errorTitle}`;
+        throw process.env.NODE_ENV === "development" && query && (msg += `
+ ${(0, import_prettyFormatZeroQuery.prettyFormatZeroQuery)(query)}`), new Error(msg);
+      }
+      throw new Error(`Error running permission ${errorTitle}
+${err}`);
+    }
+  }
+  function usePermission(table, action, objOrId, enabled = typeof objOrId < "u", debug = !1) {
+    const keyBase = `${table}${action}`,
+      key = `${keyBase}${typeof objOrId == "string" ? objOrId : JSON.stringify(objOrId)}`,
+      cacheVal = permissionCache.get(key) ?? permissionCache.get(keyBase),
+      authData = useAuthData(),
+      permission = modelPermissions[table],
+      query = (() => {
+        let baseQuery = zero.query[table].one();
+        return enabled ? baseQuery.where(eb => buildPermissionQuery(authData, eb, permission, action, objOrId)) : baseQuery;
+      })(),
+      [data, status] = useQuery(query, {
+        enabled: !!(enabled && authData && objOrId)
+      });
+    debug && console.info("usePermission()", {
+      data,
+      status,
+      action,
+      authData,
+      permission
+    }, (0, import_prettyFormatZeroQuery.prettyFormatZeroQuery)(query));
+    const allowed = !!data;
+    return objOrId ? allowed : !1;
+  }
+  return {
+    where,
+    can,
+    usePermission
+  };
+}
+function runEnvironmentSafetyCheck() {
+  typeof document < "u" || typeof navigator < "u" && navigator.product === "ReactNative" || process.env.VITE_ENVIRONMENT !== "ssr" && console.error(`\u274C\u274C\u274C\u274C
+
+ERROR: VITE_ENVIRONMENT is not set to "ssr" on server, which means permissions checks won't run when they should
+This is makes Zero entirely insecure and needs to be fixed immediately.
+
+This is likely a One framework issue, unless the user Vite config is overwriting the value.
+One automatically sets this value.
+        
+        `);
+}

package/dist/cjs/createPermissions.js

@@ -0,0 +1,121 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: !0 });
+}, __copyProps = (to, from, except, desc) => {
+  if (from && typeof from == "object" || typeof from == "function")
+    for (let key of __getOwnPropNames(from))
+      !__hasOwnProp.call(to, key) && key !== except && __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: !0 }), mod);
+var createPermissions_exports = {};
+__export(createPermissions_exports, {
+  createPermissions: () => createPermissions
+});
+module.exports = __toCommonJS(createPermissions_exports);
+var import_helpers = require("@vxrn/helpers"), import_prettyFormatZeroQuery = require("./helpers/prettyFormatZeroQuery");
+function createPermissions(schema, getContext) {
+  runEnvironmentSafetyCheck();
+  const permissionCache = (0, import_helpers.createLocalStorage)("permissions-cache", {
+    storageLimit: 24
+  });
+  function where(a, b) {
+    return b && WhereTableNameMap.set(b, a), b || a;
+  }
+  const WhereTableNameMap = /* @__PURE__ */ new WeakMap();
+  function getWhereTableName(where2) {
+    return WhereTableNameMap.get(where2);
+  }
+  const fallbackActions = {
+    select: "read",
+    insert: "write",
+    update: "write",
+    upsert: "write",
+    delete: "write"
+  };
+  function buildPermissionQuery(authData, eb, permissionWhere, action, objOrId) {
+    const tableName = getWhereTableName(permissionWhere);
+    if (!tableName)
+      throw new Error("Must use PermissionWhere for buildPermissionQuery");
+    const primaryKeys = schema.tables[tableName].primaryKey, permissionQueryBuilder = permissionWhere(eb, authData), fallbackAction = fallbackActions[action], permissionCondition = permissionQueryBuilder[action] || (fallbackAction ? permissionQueryBuilder[fallbackAction] : void 0);
+    if (permissionCondition == null)
+      throw new Error(`No permission defined for ${action} (or ${fallbackAction})`);
+    if (permissionCondition === !0)
+      return eb.cmpLit(!0, "=", !0);
+    if (permissionCondition === !1)
+      return eb.cmpLit(!0, "=", !1);
+    const primaryKeyWheres = [];
+    for (const key of primaryKeys) {
+      const value = typeof objOrId == "string" ? objOrId : objOrId[key];
+      primaryKeyWheres.push(eb.cmp(key, value));
+    }
+    return eb.and(permissionCondition, ...primaryKeyWheres);
+  }
+  async function can(where2, action, obj) {
+    const ctx = getContext(), tableName = getWhereTableName(where2);
+    if (!tableName)
+      throw new Error("Must use where('table') style where to pass to can()");
+    process.env.VITE_ENVIRONMENT === "ssr" && (await ensurePermission(
+      ctx.tx,
+      ctx.authData,
+      tableName,
+      where2,
+      action,
+      obj
+    ), ctx.didCanPermissionsRun = !0);
+  }
+  async function ensurePermission(tx, authData, tableName, where2, actionIn, obj) {
+    if (authData?.role === "admin")
+      return;
+    const action = String(actionIn), name = `${tableName}.${action}`, queryBase = tx.query[tableName];
+    let query = null;
+    try {
+      query = queryBase.where((eb) => buildPermissionQuery(authData, eb, where2, action, obj)).one(), (0, import_helpers.ensure)(await query);
+    } catch (err) {
+      const errorTitle = `${name} with auth id: ${authData?.id}`;
+      if (err instanceof import_helpers.EnsureError) {
+        let msg = `[permission] \u{1F6AB} Not Allowed: ${errorTitle}`;
+        throw process.env.NODE_ENV === "development" && query && (msg += `
+ ${(0, import_prettyFormatZeroQuery.prettyFormatZeroQuery)(query)}`), new Error(msg);
+      }
+      throw new Error(`Error running permission ${errorTitle}
+${err}`);
+    }
+  }
+  function usePermission(table, action, objOrId, enabled = typeof objOrId < "u", debug = !1) {
+    const keyBase = `${table}${action}`, key = `${keyBase}${typeof objOrId == "string" ? objOrId : JSON.stringify(objOrId)}`, cacheVal = permissionCache.get(key) ?? permissionCache.get(keyBase), authData = useAuthData(), permission = modelPermissions[table], query = (() => {
+      let baseQuery = zero.query[table].one();
+      return enabled ? baseQuery.where((eb) => buildPermissionQuery(authData, eb, permission, action, objOrId)) : baseQuery;
+    })(), [data, status] = useQuery(query, {
+      enabled: !!(enabled && authData && objOrId)
+    });
+    debug && console.info(
+      "usePermission()",
+      { data, status, action, authData, permission },
+      (0, import_prettyFormatZeroQuery.prettyFormatZeroQuery)(query)
+    );
+    const allowed = !!data;
+    return objOrId ? allowed : !1;
+  }
+  return {
+    where,
+    can,
+    usePermission
+  };
+}
+function runEnvironmentSafetyCheck() {
+  typeof document < "u" || typeof navigator < "u" && navigator.product === "ReactNative" || process.env.VITE_ENVIRONMENT !== "ssr" && console.error(`\u274C\u274C\u274C\u274C
+
+ERROR: VITE_ENVIRONMENT is not set to "ssr" on server, which means permissions checks won't run when they should
+This is makes Zero entirely insecure and needs to be fixed immediately.
+
+This is likely a One framework issue, unless the user Vite config is overwriting the value.
+One automatically sets this value.
+        
+        `);
+}
+//# sourceMappingURL=createPermissions.js.map

package/dist/cjs/createPermissions.js.map

@@ -0,0 +1,6 @@
+{
+  "version": 3,
+  "sources": ["../../src/createPermissions.ts"],
+  "mappings": ";;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAQA,qBAAwD,0BAGxD,+BAAsC;AAE/B,SAAS,kBACd,QACA,YACA;AACA,4BAA0B;AAO1B,QAAM,sBAAkB,mCAAoC,qBAAqB;AAAA,IAC/E,cAAc;AAAA,EAChB,CAAC;AAoBD,WAAS,MACP,GACA,GACS;AACT,WAAI,KACF,kBAAkB,IAAI,GAAG,CAAU,GAE7B,KAAK;AAAA,EACf;AAIA,QAAM,oBAAoB,oBAAI,QAA0B;AAExD,WAAS,kBAAkBA,QAAc;AACvC,WAAO,kBAAkB,IAAIA,MAAK;AAAA,EACpC;AAqBA,QAAM,kBAA0C;AAAA,IAC9C,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,QAAQ;AAAA,EACV;AAEA,WAAS,qBAIP,UACA,IACA,iBACA,QAEA,SACA;AACA,UAAM,YAAY,kBAAkB,eAAe;AAEnD,QAAI,CAAC;AACH,YAAM,IAAI,MAAM,mDAAmD;AAIrE,UAAM,cADc,OAAO,OAAO,SAAS,EACX,YAC1B,yBAAyB,gBAAgB,IAAI,QAAQ,GACrD,iBAAiB,gBAAgB,MAAM,GAEvC,sBACJ,uBAAuB,MAAM,MAC5B,iBAAiB,uBAAuB,cAAc,IAAI;AAE7D,QAAI,uBAAuB;AACzB,YAAM,IAAI,MAAM,6BAA6B,MAAM,QAAQ,cAAc,GAAG;AAG9E,QAAI,wBAAwB;AAC1B,aAAO,GAAG,OAAO,IAAM,KAAK,EAAI;AAGlC,QAAI,wBAAwB;AAC1B,aAAO,GAAG,OAAO,IAAM,KAAK,EAAK;AAGnC,UAAM,mBAAgC,CAAC;AAEvC,eAAW,OAAO,aAAa;AAC7B,YAAM,QAAQ,OAAO,WAAY,WAAW,UAAU,QAAQ,GAAG;AACjE,uBAAiB,KAAK,GAAG,IAAI,KAAY,KAAK,CAAC;AAAA,IACjD;AAEA,WAAO,GAAG,IAAI,qBAAqB,GAAG,gBAAgB;AAAA,EACxD;AAEA,iBAAe,IAGbA,QAAe,QAAgB,KAAU;AACzC,UAAM,MAAM,WAAW,GACjB,YAAY,kBAAkBA,MAAK;AACzC,QAAI,CAAC;AACH,YAAM,IAAI,MAAM,sDAAsD;AAIxE,IAAI,QAAQ,IAAI,qBAAqB,UACnC,MAAM;AAAA,MACJ,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ;AAAA,MACAA;AAAA,MACA;AAAA,MACA;AAAA,IACF,GACA,IAAI,uBAAuB;AAAA,EAE/B;AAIA,iBAAe,iBAIb,IACA,UACA,WACAA,QACA,UACA,KACe;AACf,QAAI,UAAU,SAAS;AAErB;AAGF,UAAM,SAAS,OAAO,QAAQ,GACxB,OAAO,GAAG,SAAS,IAAI,MAAM,IAC7B,YAAY,GAAG,MAAM,SAAS;AACpC,QAAI,QAAqC;AAEzC,QAAI;AACF,cAAQ,UACL,MAAM,CAAC,OACC,qBAAqB,UAAU,IAAIA,QAAO,QAAQ,GAAG,CAC7D,EACA,IAAI,OAEP,uBAAO,MAAM,KAAK;AAAA,IACpB,SAAS,KAAK;AACZ,YAAM,aAAa,GAAG,IAAI,kBAAkB,UAAU,EAAE;AAExD,UAAI,eAAe,4BAAa;AAC9B,YAAI,MAAM,uCAAgC,UAAU;AACpD,cAAI,QAAQ,IAAI,aAAa,iBAAiB,UAC5C,OAAO;AAAA,OAAM,oDAAsB,KAAK,CAAC,KAErC,IAAI,MAAM,GAAG;AAAA,MACrB;AAEA,YAAM,IAAI,MAAM,4BAA4B,UAAU;AAAA,EAAK,GAAG,EAAE;AAAA,IAClE;AAAA,EACF;AAEA,WAAS,cAIP,OACA,QACA,SACA,UAAU,OAAO,UAAY,KAC7B,QAAQ,IACQ;AAEhB,UAAM,UAAU,GAAG,KAAK,GAAG,MAAM,IAC3B,MAAM,GAAG,OAAO,GAAG,OAAO,WAAY,WAAW,UAAU,KAAK,UAAU,OAAO,CAAC,IAClF,WAAW,gBAAgB,IAAI,GAAG,KAAK,gBAAgB,IAAI,OAAO,GAClE,WAAW,YAAY,GACvB,aAAa,iBAAiB,KAAK,GAEnC,SAAS,MAAM;AACnB,UAAI,YAAY,KAAK,MAAM,KAAK,EAAE,IAAI;AAEtC,aAAK,UAIE,UAAU,MAAM,CAAC,OACf,qBAAqB,UAAU,IAAI,YAAY,QAAQ,OAAc,CAC7E,IALQ;AAAA,IAMX,GAAG,GAEG,CAAC,MAAM,MAAM,IAAI,SAAS,OAAO;AAAA,MACrC,SAAS,GAAQ,WAAW,YAAY;AAAA,IAC1C,CAAC;AAED,IAAI,SACF,QAAQ;AAAA,MACN;AAAA,MACA,EAAE,MAAM,QAAQ,QAAQ,UAAU,WAAW;AAAA,UAC7C,oDAAsB,KAAK;AAAA,IAC7B;AAKF,UAAM,UAAU,EAFD;AAIf,WAAK,UAIE,UAHE;AAAA,EAIX;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAIA,SAAS,4BAA4B;AACnC,EAAI,OAAO,WAAa,OAEb,OAAO,YAAc,OAAe,UAAU,YAAY,iBAI/D,QAAQ,IAAI,qBAAqB,SACnC,QAAQ,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAQX;AAGT;",
+  "names": ["where"]
+}

package/dist/cjs/createPermissions.native.js

@@ -0,0 +1,135 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: !0 });
+}, __copyProps = (to, from, except, desc) => {
+  if (from && typeof from == "object" || typeof from == "function")
+    for (let key of __getOwnPropNames(from))
+      !__hasOwnProp.call(to, key) && key !== except && __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: !0 }), mod);
+var createPermissions_exports = {};
+__export(createPermissions_exports, {
+  createPermissions: () => createPermissions
+});
+module.exports = __toCommonJS(createPermissions_exports);
+var import_helpers = require("@vxrn/helpers"), import_prettyFormatZeroQuery = require("./helpers/prettyFormatZeroQuery");
+function createPermissions(schema, getContext) {
+  runEnvironmentSafetyCheck();
+  var permissionCache = (0, import_helpers.createLocalStorage)("permissions-cache", {
+    storageLimit: 24
+  });
+  function where(a, b) {
+    return b && WhereTableNameMap.set(b, a), b || a;
+  }
+  var WhereTableNameMap = /* @__PURE__ */ new WeakMap();
+  function getWhereTableName(where2) {
+    return WhereTableNameMap.get(where2);
+  }
+  var fallbackActions = {
+    select: "read",
+    insert: "write",
+    update: "write",
+    upsert: "write",
+    delete: "write"
+  };
+  function buildPermissionQuery(authData, eb, permissionWhere, action, objOrId) {
+    var tableName = getWhereTableName(permissionWhere);
+    if (!tableName)
+      throw new Error("Must use PermissionWhere for buildPermissionQuery");
+    var tableSchema = schema.tables[tableName], primaryKeys = tableSchema.primaryKey, permissionQueryBuilder = permissionWhere(eb, authData), fallbackAction = fallbackActions[action], permissionCondition = permissionQueryBuilder[action] || (fallbackAction ? permissionQueryBuilder[fallbackAction] : void 0);
+    if (permissionCondition == null)
+      throw new Error(`No permission defined for ${action} (or ${fallbackAction})`);
+    if (permissionCondition === !0)
+      return eb.cmpLit(!0, "=", !0);
+    if (permissionCondition === !1)
+      return eb.cmpLit(!0, "=", !1);
+    var primaryKeyWheres = [], _iteratorNormalCompletion = !0, _didIteratorError = !1, _iteratorError = void 0;
+    try {
+      for (var _iterator = primaryKeys[Symbol.iterator](), _step; !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = !0) {
+        var key = _step.value, value = typeof objOrId == "string" ? objOrId : objOrId[key];
+        primaryKeyWheres.push(eb.cmp(key, value));
+      }
+    } catch (err) {
+      _didIteratorError = !0, _iteratorError = err;
+    } finally {
+      try {
+        !_iteratorNormalCompletion && _iterator.return != null && _iterator.return();
+      } finally {
+        if (_didIteratorError)
+          throw _iteratorError;
+      }
+    }
+    return eb.and(permissionCondition, ...primaryKeyWheres);
+  }
+  async function can(where2, action, obj) {
+    var ctx = getContext(), tableName = getWhereTableName(where2);
+    if (!tableName)
+      throw new Error("Must use where('table') style where to pass to can()");
+    process.env.VITE_ENVIRONMENT === "ssr" && (await ensurePermission(ctx.tx, ctx.authData, tableName, where2, action, obj), ctx.didCanPermissionsRun = !0);
+  }
+  async function ensurePermission(tx, authData, tableName, where2, actionIn, obj) {
+    if ((authData == null ? void 0 : authData.role) !== "admin") {
+      var action = String(actionIn), name = `${tableName}.${action}`, queryBase = tx.query[tableName], query = null;
+      try {
+        query = queryBase.where(function(eb) {
+          return buildPermissionQuery(authData, eb, where2, action, obj);
+        }).one(), (0, import_helpers.ensure)(await query);
+      } catch (err) {
+        var errorTitle = `${name} with auth id: ${authData == null ? void 0 : authData.id}`;
+        if (err instanceof import_helpers.EnsureError) {
+          var msg = `[permission] \u{1F6AB} Not Allowed: ${errorTitle}`;
+          throw process.env.NODE_ENV === "development" && query && (msg += `
+ ${(0, import_prettyFormatZeroQuery.prettyFormatZeroQuery)(query)}`), new Error(msg);
+        }
+        throw new Error(`Error running permission ${errorTitle}
+${err}`);
+      }
+    }
+  }
+  function usePermission(table, action, objOrId) {
+    var enabled = arguments.length > 3 && arguments[3] !== void 0 ? arguments[3] : typeof objOrId < "u", debug = arguments.length > 4 && arguments[4] !== void 0 ? arguments[4] : !1, keyBase = `${table}${action}`, key = `${keyBase}${typeof objOrId == "string" ? objOrId : JSON.stringify(objOrId)}`, _permissionCache_get, cacheVal = (_permissionCache_get = permissionCache.get(key)) !== null && _permissionCache_get !== void 0 ? _permissionCache_get : permissionCache.get(keyBase), authData = useAuthData(), permission = modelPermissions[table], query = (function() {
+      var baseQuery = zero.query[table].one();
+      return enabled ? baseQuery.where(function(eb) {
+        return buildPermissionQuery(authData, eb, permission, action, objOrId);
+      }) : baseQuery;
+    })(), [data, status] = useQuery(query, {
+      enabled: !!(enabled && authData && objOrId)
+    });
+    debug && console.info("usePermission()", {
+      data,
+      status,
+      action,
+      authData,
+      permission
+    }, (0, import_prettyFormatZeroQuery.prettyFormatZeroQuery)(query));
+    var result = data, allowed = !!result;
+    return objOrId ? allowed : !1;
+  }
+  return {
+    where,
+    can,
+    usePermission
+  };
+}
+function runEnvironmentSafetyCheck() {
+  typeof document < "u" || typeof navigator < "u" && navigator.product === "ReactNative" || process.env.VITE_ENVIRONMENT !== "ssr" && console.error(`\u274C\u274C\u274C\u274C
+
+ERROR: VITE_ENVIRONMENT is not set to "ssr" on server, which means permissions checks won't run when they should
+This is makes Zero entirely insecure and needs to be fixed immediately.
+
+This is likely a One framework issue, unless the user Vite config is overwriting the value.
+One automatically sets this value.
+        
+        `);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createPermissions
+});
+//# sourceMappingURL=createPermissions.js.map

package/dist/cjs/createPermissions.native.js.map

@@ -0,0 +1,6 @@
+{
+  "version": 3,
+  "sources": ["../../src/createPermissions.ts"],
+  "mappings": ";;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAAwD,0BACxD,+BAAsC;AAC/B,SAAS,kBAAkB,QAAQ,YAAY;AAClD,4BAA0B;AAK1B,MAAI,sBAAkB,mCAAmB,qBAAqB;AAAA,IAC1D,cAAc;AAAA,EAClB,CAAC;AAID,WAAS,MAAM,GAAG,GAAG;AACjB,WAAI,KACA,kBAAkB,IAAI,GAAG,CAAC,GAEvB,KAAK;AAAA,EAChB;AAEA,MAAI,oBAAoB,oBAAI,QAAQ;AACpC,WAAS,kBAAkBA,QAAO;AAC9B,WAAO,kBAAkB,IAAIA,MAAK;AAAA,EACtC;AAEA,MAAI,kBAAkB;AAAA,IAClB,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,QAAQ;AAAA,EACZ;AACA,WAAS,qBAAqB,UAAU,IAAI,iBAAiB,QAC7D,SAAS;AACL,QAAI,YAAY,kBAAkB,eAAe;AACjD,QAAI,CAAC;AACD,YAAM,IAAI,MAAM,mDAAmD;AAEvE,QAAI,cAAc,OAAO,OAAO,SAAS,GACrC,cAAc,YAAY,YAC1B,yBAAyB,gBAAgB,IAAI,QAAQ,GACrD,iBAAiB,gBAAgB,MAAM,GACvC,sBAAsB,uBAAuB,MAAM,MAAM,iBAAiB,uBAAuB,cAAc,IAAI;AACvH,QAAI,uBAAuB;AACvB,YAAM,IAAI,MAAM,6BAA6B,MAAM,QAAQ,cAAc,GAAG;AAEhF,QAAI,wBAAwB;AACxB,aAAO,GAAG,OAAO,IAAM,KAAK,EAAI;AAEpC,QAAI,wBAAwB;AACxB,aAAO,GAAG,OAAO,IAAM,KAAK,EAAK;AAErC,QAAI,mBAAmB,CAAC,GACpB,4BAA4B,IAAM,oBAAoB,IAAO,iBAAiB;AAClF,QAAI;AACA,eAAQ,YAAY,YAAY,OAAO,QAAQ,EAAE,GAAG,OAAO,EAAE,6BAA6B,QAAQ,UAAU,KAAK,GAAG,OAAO,4BAA4B,IAAK;AACxJ,YAAI,MAAM,MAAM,OACZ,QAAQ,OAAO,WAAY,WAAW,UAAU,QAAQ,GAAG;AAC/D,yBAAiB,KAAK,GAAG,IAAI,KAAK,KAAK,CAAC;AAAA,MAC5C;AAAA,IACJ,SAAS,KAAK;AACV,0BAAoB,IACpB,iBAAiB;AAAA,IACrB,UAAE;AACE,UAAI;AACA,QAAI,CAAC,6BAA6B,UAAU,UAAU,QAClD,UAAU,OAAO;AAAA,MAEzB,UAAE;AACE,YAAI;AACA,gBAAM;AAAA,MAEd;AAAA,IACJ;AACA,WAAO,GAAG,IAAI,qBAAqB,GAAG,gBAAgB;AAAA,EAC1D;AACA,iBAAe,IAAIA,QAAO,QAAQ,KAAK;AACnC,QAAI,MAAM,WAAW,GACjB,YAAY,kBAAkBA,MAAK;AACvC,QAAI,CAAC;AACD,YAAM,IAAI,MAAM,sDAAsD;AAG1E,IAAI,QAAQ,IAAI,qBAAqB,UACjC,MAAM,iBAAiB,IAAI,IAAI,IAAI,UAAU,WAAWA,QAAO,QAAQ,GAAG,GAC1E,IAAI,uBAAuB;AAAA,EAEnC;AACA,iBAAe,iBAAiB,IAAI,UAAU,WAAWA,QAAO,UAAU,KAC1E;AACI,SAAK,YAAa,OAA8B,SAAS,SAAS,UAAU,SAI5E;AAAA,UAAI,SAAS,OAAO,QAAQ,GACxB,OAAO,GAAG,SAAS,IAAI,MAAM,IAC7B,YAAY,GAAG,MAAM,SAAS,GAC9B,QAAQ;AACZ,UAAI;AACA,gBAAQ,UAAU,MAAM,SAAS,IAAI;AACjC,iBAAO,qBAAqB,UAAU,IAAIA,QAAO,QAAQ,GAAG;AAAA,QAChE,CAAC,EAAE,IAAI,OACP,uBAAO,MAAM,KAAK;AAAA,MACtB,SAAS,KAAK;AACV,YAAI,aAAa,GAAG,IAAI,kBAAkB,YAAa,OAA8B,SAAS,SAAS,EAAE;AACzG,YAAI,eAAe,4BAAa;AAC5B,cAAI,MAAM,uCAAgC,UAAU;AACpD,gBAAI,QAAQ,IAAI,aAAa,iBAAiB,UAC1C,OAAO;AAAA,OAAM,oDAAsB,KAAK,CAAC,KAEvC,IAAI,MAAM,GAAG;AAAA,QACvB;AACA,cAAM,IAAI,MAAM,4BAA4B,UAAU;AAAA,EAAK,GAAG,EAAE;AAAA,MACpE;AAAA;AAAA,EACJ;AACA,WAAS,cAAc,OAAO,QAAQ,SAAS;AAC3C,QAAI,UAAU,UAAU,SAAS,KAAK,UAAU,CAAC,MAAM,SAAS,UAAU,CAAC,IAAI,OAAO,UAAY,KAAa,QAAQ,UAAU,SAAS,KAAK,UAAU,CAAC,MAAM,SAAS,UAAU,CAAC,IAAI,IAEpL,UAAU,GAAG,KAAK,GAAG,MAAM,IAC3B,MAAM,GAAG,OAAO,GAAG,OAAO,WAAY,WAAW,UAAU,KAAK,UAAU,OAAO,CAAC,IAClF,sBACA,YAAY,uBAAuB,gBAAgB,IAAI,GAAG,OAAO,QAAQ,yBAAyB,SAAS,uBAAuB,gBAAgB,IAAI,OAAO,GAC7J,WAAW,YAAY,GACvB,aAAa,iBAAiB,KAAK,GACnC,SAAQ,WAAW;AACnB,UAAI,YAAY,KAAK,MAAM,KAAK,EAAE,IAAI;AACtC,aAAK,UAGE,UAAU,MAAM,SAAS,IAAI;AAChC,eAAO,qBAAqB,UAAU,IAAI,YAAY,QAAQ,OAAO;AAAA,MACzE,CAAC,IAJU;AAAA,IAKf,GAAE,GACE,CAAC,MAAM,MAAM,IAAI,SAAS,OAAO;AAAA,MACjC,SAAS,GAAQ,WAAW,YAAY;AAAA,IAC5C,CAAC;AACD,IAAI,SACA,QAAQ,KAAK,mBAAmB;AAAA,MAC5B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACJ,OAAG,oDAAsB,KAAK,CAAC;AAEnC,QAAI,SAAS,MACT,UAAU,EAAQ;AACtB,WAAK,UAGE,UAFI;AAAA,EAGf;AACA,SAAO;AAAA,IACH;AAAA,IACA;AAAA,IACA;AAAA,EACJ;AACJ;AAGA,SAAS,4BAA4B;AACjC,EAAI,OAAO,WAAa,OACpB,OAAO,YAAc,OAAe,UAAU,YAAY,iBAGtD,QAAQ,IAAI,qBAAqB,SACjC,QAAQ,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,SAQjB;AAGT;",
+  "names": ["where"]
+}

package/dist/cjs/createServer.cjs

@@ -0,0 +1,92 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf,
+  __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+    for (var name in all) __defProp(target, name, {
+      get: all[name],
+      enumerable: !0
+    });
+  },
+  __copyProps = (to, from, except, desc) => {
+    if (from && typeof from == "object" || typeof from == "function") for (let key of __getOwnPropNames(from)) !__hasOwnProp.call(to, key) && key !== except && __defProp(to, key, {
+      get: () => from[key],
+      enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+    });
+    return to;
+  };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
+    value: mod,
+    enumerable: !0
+  }) : target, mod)),
+  __toCommonJS = mod => __copyProps(__defProp({}, "__esModule", {
+    value: !0
+  }), mod);
+var createServer_exports = {};
+__export(createServer_exports, {
+  createServer: () => createServer
+});
+module.exports = __toCommonJS(createServer_exports);
+var import_pg = require("@rocicorp/zero/pg"),
+  import_server = require("@rocicorp/zero/server"),
+  import_postgres = __toESM(require("postgres")),
+  import_context = require("src/context"),
+  import_createMutators = require("~/data/helpers/createMutators"),
+  import_schema = require("~/data/schema"),
+  import_createServerActions = require("~/data/server/createServerActions"),
+  import_helpers = require("@vxrn/helpers");
+function createServer({
+  actions
+}) {
+  const dbString = (0, import_helpers.assertString)(process.env.ZERO_UPSTREAM_DB),
+    zeroServerDatabase = new import_server.ZQLDatabase(new import_pg.PostgresJSConnection((0, import_postgres.default)(dbString)), import_schema.schema),
+    serverMutate = async (run, authData) => {
+      const asyncTasks = [],
+        mutators = (0, import_createMutators.createMutators)({
+          environment: "server",
+          asyncTasks,
+          authData: {
+            id: "",
+            email: "admin@start.chat",
+            role: "admin",
+            ...authData
+          },
+          createServerActions: import_createServerActions.createServerActions
+        });
+      await serverTransaction(async tx => {
+        await run(tx, mutators);
+      }), await Promise.all(asyncTasks.map(t => t()));
+    },
+    serverQuery = serverTransaction,
+    dummyTransactionInput = {
+      clientGroupID: "unused",
+      clientID: "unused",
+      mutationID: 42,
+      upstreamSchema: "unused"
+    };
+  async function serverTransaction(query) {
+    try {
+      if ((0, import_context.isInZeroMutation)()) {
+        const {
+          tx
+        } = (0, import_context.context)();
+        return await query(tx);
+      }
+      return await zeroServerDatabase.transaction(query, dummyTransactionInput);
+    } catch (err) {
+      throw console.error(`Error running serverTransaction(): ${err}`), err;
+    }
+  }
+  return {
+    serverTransaction,
+    serverMutate,
+    serverQuery
+  };
+}

package/dist/cjs/createServer.js

@@ -0,0 +1,71 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf, __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: !0 });
+}, __copyProps = (to, from, except, desc) => {
+  if (from && typeof from == "object" || typeof from == "function")
+    for (let key of __getOwnPropNames(from))
+      !__hasOwnProp.call(to, key) && key !== except && __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: !0 }) : target,
+  mod
+)), __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: !0 }), mod);
+var createServer_exports = {};
+__export(createServer_exports, {
+  createServer: () => createServer
+});
+module.exports = __toCommonJS(createServer_exports);
+var import_pg = require("@rocicorp/zero/pg"), import_server = require("@rocicorp/zero/server"), import_postgres = __toESM(require("postgres")), import_context = require("src/context"), import_createMutators = require("~/data/helpers/createMutators"), import_schema = require("~/data/schema"), import_createServerActions = require("~/data/server/createServerActions"), import_helpers = require("@vxrn/helpers");
+function createServer({ actions }) {
+  const dbString = (0, import_helpers.assertString)(process.env.ZERO_UPSTREAM_DB), zeroServerDatabase = new import_server.ZQLDatabase(
+    new import_pg.PostgresJSConnection((0, import_postgres.default)(dbString)),
+    import_schema.schema
+  ), serverMutate = async (run, authData) => {
+    const asyncTasks = [], mutators = (0, import_createMutators.createMutators)({
+      environment: "server",
+      asyncTasks,
+      authData: {
+        id: "",
+        email: "admin@start.chat",
+        role: "admin",
+        ...authData
+      },
+      createServerActions: import_createServerActions.createServerActions
+    });
+    await serverTransaction(async (tx) => {
+      await run(tx, mutators);
+    }), await Promise.all(asyncTasks.map((t) => t()));
+  }, serverQuery = serverTransaction, dummyTransactionInput = {
+    clientGroupID: "unused",
+    clientID: "unused",
+    mutationID: 42,
+    upstreamSchema: "unused"
+  };
+  async function serverTransaction(query) {
+    try {
+      if ((0, import_context.isInZeroMutation)()) {
+        const { tx } = (0, import_context.context)();
+        return await query(tx);
+      }
+      return await zeroServerDatabase.transaction(query, dummyTransactionInput);
+    } catch (err) {
+      throw console.error(`Error running serverTransaction(): ${err}`), err;
+    }
+  }
+  return {
+    serverTransaction,
+    serverMutate,
+    serverQuery
+  };
+}
+//# sourceMappingURL=createServer.js.map

package/dist/cjs/createServer.js.map

@@ -0,0 +1,6 @@
+{
+  "version": 3,
+  "sources": ["../../src/createServer.ts"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,gBAAqC,8BACrC,gBAA4B,kCAC5B,kBAAqB,8BACrB,iBAA0C,wBAE1C,wBAA8C,0CAC9C,gBAAuB,0BACvB,6BAAoC,8CAEpC,iBAA6B;AAEtB,SAAS,aAAa,EAAE,QAAQ,GAAqB;AAC1D,QAAM,eAAW,6BAAa,QAAQ,IAAI,gBAAgB,GAEpD,qBAAqB,IAAI;AAAA,IAC7B,IAAI,mCAAqB,gBAAAA,SAAS,QAAQ,CAAC;AAAA,IAC3C;AAAA,EACF,GAEM,eAAe,OACnB,KACA,aACG;AACH,UAAM,aAAyC,CAAC,GAE1C,eAAW,sCAAe;AAAA,MAC9B,aAAa;AAAA,MACb;AAAA,MACA,UAAU;AAAA,QACR,IAAI;AAAA,QACJ,OAAO;AAAA,QACP,MAAM;AAAA,QACN,GAAG;AAAA,MACL;AAAA,MACA;AAAA,IACF,CAAC;AAED,UAAM,kBAAkB,OAAO,OAAO;AACpC,YAAM,IAAI,IAAI,QAAQ;AAAA,IACxB,CAAC,GAED,MAAM,QAAQ,IAAI,WAAW,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;AAAA,EAC9C,GAIM,cAAc,mBAGd,wBAAkD;AAAA,IACtD,eAAe;AAAA,IACf,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,gBAAgB;AAAA,EAClB;AAEA,iBAAe,kBAGb,OAA6B;AAC7B,QAAI;AACF,cAAI,iCAAiB,GAAG;AACtB,cAAM,EAAE,GAAG,QAAI,wBAAQ;AACvB,eAAO,MAAM,MAAM,EAAE;AAAA,MACvB;AACA,aAAQ,MAAM,mBAAmB,YAAY,OAAO,qBAAqB;AAAA,IAC3E,SAAS,KAAK;AACZ,oBAAQ,MAAM,sCAAsC,GAAG,EAAE,GACnD;AAAA,IACR;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;",
+  "names": ["postgres"]
+}