pipework 0.8.20 → 0.10.0

package/dist/async/jobs/table.js

@@ -0,0 +1,115 @@
+// The queue table as a pipe.define() definition, built from queue config.
+//
+// The table shape used to live in a hand-written schema.sql that no TS code
+// referenced, so `pipework generate` could not emit it and a regenerated
+// baseline silently dropped the queue migration. Expressing it as a
+// DefinedTable puts it on the same generate path as every other table:
+// createQueue() registers the definition here, and the migration generator
+// merges this registry through its internalDefinitions hook.
+import { define } from '../../data/domain/index.js';
+import { field } from '../../data/domain/field.js';
+import { schema } from '../../data/schema/namespace.js';
+import { index } from '../../data/db/idx/index.js';
+import { quoteIdentifier } from '../../data/db/identifiers.js';
+import { sql } from '../../data/db/sql.js';
+export const QUEUE_STATUSES = ['pending', 'claimed', 'running', 'completed', 'failed', 'cancelled', 'dead_letter'];
+/** Column names every queue table owns — exclusion columns must not collide with these. */
+export const QUEUE_BASE_COLUMNS = new Set([
+    'id', 'job_type', 'priority', 'status', 'payload', 'output', 'error_payload',
+    'created_lsn', 'queued_at', 'claimed_at', 'heartbeat_at', 'completed_at',
+    'worker_id', 'attempt_count', 'max_attempts', 'next_retry_at',
+]);
+function queueFields(exclusion) {
+    const fields = {
+        id: field.uuid().primaryKey().defaultRandom(),
+        jobType: field.text(),
+        priority: field.integer().default(0),
+        status: field.enum(QUEUE_STATUSES).default('pending'),
+        payload: field.jsonb(schema.check.json()),
+        output: field.jsonb(schema.check.json()).nullable(),
+        errorPayload: field.jsonb(schema.check.json()).nullable(),
+        createdLsn: field.pgLsn().default('currentWal'),
+        queuedAt: field.timestamp().default('now'),
+        claimedAt: field.timestamp().nullable(),
+        heartbeatAt: field.timestamp().nullable(),
+        completedAt: field.timestamp().nullable(),
+        workerId: field.text().nullable(),
+        attemptCount: field.integer().default(0),
+        maxAttempts: field.integer().default(1),
+        nextRetryAt: field.timestamp().nullable(),
+    };
+    if (exclusion?.tenantColumn !== undefined) {
+        fields[exclusion.tenantColumn] = field.uuid().tenant();
+    }
+    if (exclusion?.arrayColumn !== undefined) {
+        const column = exclusion.arrayElementType === 'text'
+            ? schema.col.text(exclusion.arrayColumn).array()
+            : schema.col.uuid(exclusion.arrayColumn).array();
+        fields[exclusion.arrayColumn] = field.custom(column, schema.check.array(schema.check.string())).nullable();
+    }
+    if (exclusion?.blocksAllColumn !== undefined) {
+        fields[exclusion.blocksAllColumn] = field.boolean().default(false);
+    }
+    return fields;
+}
+const queueTables = new Map();
+/**
+ * Builds (or reuses) the DefinedTable for a queue. Cached per table name so
+ * repeated createQueue() calls share one definition; the same name with a
+ * different shape is a config error, not a silent overwrite.
+ */
+export function queueDefinition(tableName, exclusion) {
+    const configKey = JSON.stringify(exclusion ?? null);
+    const existing = queueTables.get(tableName);
+    if (existing !== undefined) {
+        if (existing.configKey !== configKey) {
+            throw new Error(`[pipework] Queue table "${tableName}" is already defined with a different exclusion config.\n\n` +
+                `  Existing: ${existing.configKey}\n` +
+                `  New:      ${configKey}\n` +
+                '  One table, one shape — give the second queue its own table name.\n');
+        }
+        return existing.definition;
+    }
+    const definition = define(tableName, queueFields(exclusion), {
+        indexes: (t) => ({
+            claimable: index(`idx_${tableName}_claimable`)
+                .on(t['priority'].desc(), t['queuedAt'].asc())
+                .where(sql.raw(`status = 'pending'`)),
+            stale: index(`idx_${tableName}_stale`)
+                .on(t['heartbeatAt'])
+                .where(sql.raw(`status IN ('claimed', 'running')`)),
+            retryable: index(`idx_${tableName}_retryable`)
+                .on(t['nextRetryAt'])
+                .where(sql.raw(`status = 'pending' AND next_retry_at IS NOT NULL`)),
+            // The claim query's exclusion checks run under SERIALIZABLE; without a
+            // matching index the overlap NOT EXISTS scans the whole claimed/running
+            // set and takes coarse predicate locks, so claimers with disjoint arrays
+            // SSI-conflict and starve. Partial GIN keeps the locks at the key level;
+            // fastupdate must be off — a GIN pending list forces relation-level
+            // predicate locks, voiding the granularity.
+            ...(exclusion?.arrayColumn !== undefined ? {
+                exclusionArray: index(`idx_${tableName}_excl_arr`)
+                    .using('gin', t[exclusion.arrayColumn])
+                    .with({ fastupdate: 'off' })
+                    .where(sql.raw(`status IN ('claimed', 'running')`)),
+            } : {}),
+            // Same starvation mechanism for the blocks-all NOT EXISTS: without its
+            // own index that check scans every claimed/running row. This partial
+            // index contains only active blocks-all jobs (normally none), so
+            // ordinary claims neither read beyond it nor insert into it — only a
+            // genuine blocks-all claim conflicts, which is the intended semantics.
+            ...(exclusion?.blocksAllColumn !== undefined ? {
+                exclusionBlocks: index(`idx_${tableName}_excl_blocks`)
+                    .on(t[exclusion.tenantColumn ?? exclusion.blocksAllColumn])
+                    .where(sql.raw(`status IN ('claimed', 'running') AND ${quoteIdentifier(exclusion.blocksAllColumn, 'exclusion column')} = true`)),
+            } : {}),
+        }),
+    });
+    queueTables.set(tableName, { definition, configKey });
+    return definition;
+}
+/** Registered queue definitions — merged into `pipework generate` via internalDefinitions. */
+export function queueDefinitions() {
+    return new Map([...queueTables].map(([name, entry]) => [name, entry.definition]));
+}
+//# sourceMappingURL=table.js.map

package/dist/async/jobs/table.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"table.js","sourceRoot":"","sources":["../../../src/async/jobs/table.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,EAAE;AACF,4EAA4E;AAC5E,yEAAyE;AACzE,oEAAoE;AACpE,uEAAuE;AACvE,2EAA2E;AAC3E,6DAA6D;AAE7D,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAA;AACnD,OAAO,EAAE,KAAK,EAAE,MAAM,4BAA4B,CAAA;AAElD,OAAO,EAAE,MAAM,EAAE,MAAM,gCAAgC,CAAA;AACvD,OAAO,EAAE,KAAK,EAAE,MAAM,4BAA4B,CAAA;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAA;AAC9D,OAAO,EAAE,GAAG,EAAE,MAAM,sBAAsB,CAAA;AAG1C,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,aAAa,CAAU,CAAA;AAE3H,2FAA2F;AAC3F,MAAM,CAAC,MAAM,kBAAkB,GAAwB,IAAI,GAAG,CAAC;IAC7D,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,eAAe;IAC5E,aAAa,EAAE,WAAW,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc;IACxE,WAAW,EAAE,eAAe,EAAE,cAAc,EAAE,eAAe;CAC9D,CAAC,CAAA;AAEF,SAAS,WAAW,CAAC,SAAwC;IAC3D,MAAM,MAAM,GAAoC;QAC9C,EAAE,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC,aAAa,EAAE;QAC7C,OAAO,EAAE,KAAK,CAAC,IAAI,EAAE;QACrB,QAAQ,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QACpC,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;QACrD,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE;QACnD,YAAY,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE;QACzD,UAAU,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC;QAC/C,QAAQ,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;QAC1C,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE;QACvC,WAAW,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE;QACzC,WAAW,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE;QACzC,QAAQ,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;QACjC,YAAY,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QACxC,WAAW,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QACvC,WAAW,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE;KAC1C,CAAA;IAED,IAAI,SAAS,EAAE,YAAY,KAAK,SAAS,EAAE,CAAC;QAC1C,MAAM,CAAC,SAAS,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,CAAA;IACxD,CAAC;IACD,IAAI,SAAS,EAAE,WAAW,KAAK,SAAS,EAAE,CAAC;QACzC,MAAM,MAAM,GAAG,SAAS,CAAC,gBAAgB,KAAK,MAAM;YAClD,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,KAAK,EAAE;YAChD,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,KAAK,EAAE,CAAA;QAClD,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAA;IAC5G,CAAC;IACD,IAAI,SAAS,EAAE,eAAe,KAAK,SAAS,EAAE,CAAC;QAC7C,MAAM,CAAC,SAAS,CAAC,eAAe,CAAC,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;IACpE,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAOD,MAAM,WAAW,GAAG,IAAI,GAAG,EAA2B,CAAA;AAEtD;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,SAAiB,EAAE,SAAwC;IACzF,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,IAAI,IAAI,CAAC,CAAA;IAEnD,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IAC3C,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,IAAI,QAAQ,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CACb,2BAA2B,SAAS,6DAA6D;gBACjG,eAAe,QAAQ,CAAC,SAAS,IAAI;gBACrC,eAAe,SAAS,IAAI;gBAC5B,sEAAsE,CACvE,CAAA;QACH,CAAC;QACD,OAAO,QAAQ,CAAC,UAAU,CAAA;IAC5B,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,SAAS,CAAC,EAAE;QAC3D,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACf,SAAS,EAAE,KAAK,CAAC,OAAO,SAAS,YAAY,CAAC;iBAC3C,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,CAAC;iBAC7C,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YACvC,KAAK,EAAE,KAAK,CAAC,OAAO,SAAS,QAAQ,CAAC;iBACnC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;iBACpB,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;YACrD,SAAS,EAAE,KAAK,CAAC,OAAO,SAAS,YAAY,CAAC;iBAC3C,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;iBACpB,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;YACrE,uEAAuE;YACvE,wEAAwE;YACxE,yEAAyE;YACzE,yEAAyE;YACzE,oEAAoE;YACpE,4CAA4C;YAC5C,GAAG,CAAC,SAAS,EAAE,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC;gBACzC,cAAc,EAAE,KAAK,CAAC,OAAO,SAAS,WAAW,CAAC;qBAC/C,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,SAAS,CAAC,WAAW,CAAE,CAAC;qBACvC,IAAI,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;qBAC3B,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;aACtD,CAAC,CAAC,CAAC,EAAE,CAAC;YACP,uEAAuE;YACvE,qEAAqE;YACrE,iEAAiE;YACjE,qEAAqE;YACrE,uEAAuE;YACvE,GAAG,CAAC,SAAS,EAAE,eAAe,KAAK,SAAS,CAAC,CAAC,CAAC;gBAC7C,eAAe,EAAE,KAAK,CAAC,OAAO,SAAS,cAAc,CAAC;qBACnD,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,YAAY,IAAI,SAAS,CAAC,eAAe,CAAE,CAAC;qBAC3D,KAAK,CAAC,GAAG,CAAC,GAAG,CACZ,wCAAwC,eAAe,CAAC,SAAS,CAAC,eAAe,EAAE,kBAAkB,CAAC,SAAS,CAChH,CAAC;aACL,CAAC,CAAC,CAAC,EAAE,CAAC;SACR,CAAC;KACH,CAAC,CAAA;IAEF,WAAW,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAA;IACrD,OAAO,UAAU,CAAA;AACnB,CAAC;AAED,8FAA8F;AAC9F,MAAM,UAAU,gBAAgB;IAC9B,OAAO,IAAI,GAAG,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;AACnF,CAAC"}

package/dist/auth/tenant/index.d.ts

@@ -2,7 +2,7 @@ export type { TenantConfig, TenantContext } from './types.js';
 export { validateTenantId, validateSessionVarName, validateSessionVarValue } from './validate.js';
 export { propagateTenantLocals } from './propagate.js';
 export { extractTenant, type TenantExtractionResult } from './extract.js';
-export { tenantIsolationPolicy, enableTenantRls, verifyTenantContext } from './rls.js';
+export { tenantIsolationPolicy, enableTenantRls, verifyPrincipalContext } from './rls.js';
 export { scopeTable, getScopeConfig, isTenantScoped, type ScopeConfig } from './scope.js';
 export { createScopedDb, createTenantGuardDb } from './scoped-db.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/tenant/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/tenant/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AAC7D,OAAO,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAA;AACjG,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,aAAa,EAAE,KAAK,sBAAsB,EAAE,MAAM,cAAc,CAAA;AACzE,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAA;AACtF,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,cAAc,EAAE,KAAK,WAAW,EAAE,MAAM,YAAY,CAAA;AACzF,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/tenant/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AAC7D,OAAO,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAA;AACjG,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,aAAa,EAAE,KAAK,sBAAsB,EAAE,MAAM,cAAc,CAAA;AACzE,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAA;AACzF,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,cAAc,EAAE,KAAK,WAAW,EAAE,MAAM,YAAY,CAAA;AACzF,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/auth/tenant/index.js

@@ -1,7 +1,7 @@
 export { validateTenantId, validateSessionVarName, validateSessionVarValue } from './validate.js';
 export { propagateTenantLocals } from './propagate.js';
 export { extractTenant } from './extract.js';
-export { tenantIsolationPolicy, enableTenantRls, verifyTenantContext } from './rls.js';
+export { tenantIsolationPolicy, enableTenantRls, verifyPrincipalContext } from './rls.js';
 export { scopeTable, getScopeConfig, isTenantScoped } from './scope.js';
 export { createScopedDb, createTenantGuardDb } from './scoped-db.js';
 //# sourceMappingURL=index.js.map

package/dist/auth/tenant/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/auth/tenant/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAA;AACjG,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,aAAa,EAA+B,MAAM,cAAc,CAAA;AACzE,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAA;AACtF,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,cAAc,EAAoB,MAAM,YAAY,CAAA;AACzF,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/auth/tenant/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAA;AACjG,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,aAAa,EAA+B,MAAM,cAAc,CAAA;AACzE,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAA;AACzF,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,cAAc,EAAoB,MAAM,YAAY,CAAA;AACzF,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/auth/tenant/namespace.d.ts

@@ -1,5 +1,5 @@
 import { validateTenantId } from './validate.js';
-import { enableTenantRls, tenantIsolationPolicy, verifyTenantContext } from './rls.js';
+import { enableTenantRls, tenantIsolationPolicy, verifyPrincipalContext } from './rls.js';
 import { propagateTenantLocals } from './propagate.js';
 import { extractTenant } from './extract.js';
 import { isTenantScoped } from './scope.js';
@@ -11,8 +11,8 @@ export declare const tenant: {
     rls: typeof enableTenantRls;
     /** Returns the SQL string for a tenant isolation RLS policy — use in migrations. */
     policy: typeof tenantIsolationPolicy;
-    /** Cross-checks ALS tenant against Postgres set_config('pipework.tenant_id') — defense-in-depth. */
-    verify: typeof verifyTenantContext;
+    /** Cross-checks the ALS principal (tenant, user, asOf) against the Postgres session GUCs — defense-in-depth. */
+    verify: typeof verifyPrincipalContext;
     /** Sets pipework.tenant_id on the Postgres connection via set_config(). */
     propagate: typeof propagateTenantLocals;
     /** Extracts tenant ID from auth context using the configured extraction strategy. */

package/dist/auth/tenant/namespace.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"namespace.d.ts","sourceRoot":"","sources":["../../../src/auth/tenant/namespace.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AAChD,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAA;AACtF,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,sGAAsG;AACtG,eAAO,MAAM,MAAM;IACjB,wEAAwE;;IAExE,kFAAkF;;IAElF,oFAAoF;;IAEpF,oGAAoG;;IAEpG,2EAA2E;;IAE3E,qFAAqF;;IAErF,+FAA+F;;CAEhG,CAAA"}
+{"version":3,"file":"namespace.d.ts","sourceRoot":"","sources":["../../../src/auth/tenant/namespace.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AAChD,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAA;AACzF,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,sGAAsG;AACtG,eAAO,MAAM,MAAM;IACjB,wEAAwE;;IAExE,kFAAkF;;IAElF,oFAAoF;;IAEpF,gHAAgH;;IAEhH,2EAA2E;;IAE3E,qFAAqF;;IAErF,+FAA+F;;CAEhG,CAAA"}

package/dist/auth/tenant/namespace.js

@@ -1,5 +1,5 @@
 import { validateTenantId } from './validate.js';
-import { enableTenantRls, tenantIsolationPolicy, verifyTenantContext } from './rls.js';
+import { enableTenantRls, tenantIsolationPolicy, verifyPrincipalContext } from './rls.js';
 import { propagateTenantLocals } from './propagate.js';
 import { extractTenant } from './extract.js';
 import { isTenantScoped } from './scope.js';
@@ -11,8 +11,8 @@ export const tenant = {
     rls: enableTenantRls,
     /** Returns the SQL string for a tenant isolation RLS policy — use in migrations. */
     policy: tenantIsolationPolicy,
-    /** Cross-checks ALS tenant against Postgres set_config('pipework.tenant_id') — defense-in-depth. */
-    verify: verifyTenantContext,
+    /** Cross-checks the ALS principal (tenant, user, asOf) against the Postgres session GUCs — defense-in-depth. */
+    verify: verifyPrincipalContext,
     /** Sets pipework.tenant_id on the Postgres connection via set_config(). */
     propagate: propagateTenantLocals,
     /** Extracts tenant ID from auth context using the configured extraction strategy. */

package/dist/auth/tenant/namespace.js.map

@@ -1 +1 @@
-{"version":3,"file":"namespace.js","sourceRoot":"","sources":["../../../src/auth/tenant/namespace.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AAChD,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAA;AACtF,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,sGAAsG;AACtG,MAAM,CAAC,MAAM,MAAM,GAAG;IACpB,wEAAwE;IACxE,QAAQ,EAAE,gBAAgB;IAC1B,kFAAkF;IAClF,GAAG,EAAE,eAAe;IACpB,oFAAoF;IACpF,MAAM,EAAE,qBAAqB;IAC7B,oGAAoG;IACpG,MAAM,EAAE,mBAAmB;IAC3B,2EAA2E;IAC3E,SAAS,EAAE,qBAAqB;IAChC,qFAAqF;IACrF,OAAO,EAAE,aAAa;IACtB,+FAA+F;IAC/F,cAAc;CACf,CAAA"}
+{"version":3,"file":"namespace.js","sourceRoot":"","sources":["../../../src/auth/tenant/namespace.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AAChD,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAA;AACzF,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,sGAAsG;AACtG,MAAM,CAAC,MAAM,MAAM,GAAG;IACpB,wEAAwE;IACxE,QAAQ,EAAE,gBAAgB;IAC1B,kFAAkF;IAClF,GAAG,EAAE,eAAe;IACpB,oFAAoF;IACpF,MAAM,EAAE,qBAAqB;IAC7B,gHAAgH;IAChH,MAAM,EAAE,sBAAsB;IAC9B,2EAA2E;IAC3E,SAAS,EAAE,qBAAqB;IAChC,qFAAqF;IACrF,OAAO,EAAE,aAAa;IACtB,+FAA+F;IAC/F,cAAc;CACf,CAAA"}

package/dist/auth/tenant/rls.d.ts

@@ -1,5 +1,26 @@
 import type { DB } from '../../data/db/index.js';
-export declare function tenantIsolationPolicy(table: string, column?: string, sessionVar?: string): string;
-export declare function enableTenantRls(db: DB, table: string, column?: string): Promise<void>;
-export declare function verifyTenantContext(db: DB, expectedTenant: string | null): Promise<void>;
+/**
+ * SQL types a tenant discriminator column may be. The union members are
+ * literal Postgres type names, so they double as the cast target — a tenant
+ * policy compares the column against the session GUC cast to this type. A
+ * field whose kind is not one of these cannot be a tenant key; the generate
+ * layer rejects it before reaching here (see rls-generate.ts).
+ */
+export type TenantKeyType = 'uuid' | 'text' | 'integer' | 'bigint';
+export declare function tenantIsolationPolicy(table: string, column?: string, keyType?: TenantKeyType, sessionVar?: string, force?: boolean): string;
+export declare function enableTenantRls(db: DB, table: string, column?: string, keyType?: TenantKeyType, force?: boolean): Promise<void>;
+/** The principal axes carried on the request/job context and propagated as GUCs. */
+export interface ExpectedPrincipal {
+    readonly tenant: string | null;
+    readonly user: string | null;
+    readonly asOf: string | null;
+}
+/**
+ * Cross-checks the application's principal (tenant, user, asOf) against the GUCs
+ * actually set on the Postgres session — defense-in-depth against an
+ * AsyncLocalStorage context swap propagating one principal's identity onto
+ * another's transaction. All three axes are checked together so a mismatch on
+ * any one aborts before a query can read the wrong rows.
+ */
+export declare function verifyPrincipalContext(db: DB, expected: ExpectedPrincipal): Promise<void>;
 //# sourceMappingURL=rls.d.ts.map

package/dist/auth/tenant/rls.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rls.d.ts","sourceRoot":"","sources":["../../../src/auth/tenant/rls.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,wBAAwB,CAAA;AAIhD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,GAAE,MAAoB,EAAE,UAAU,GAAE,MAA6B,GAAG,MAAM,CAYpI;AAED,wBAAsB,eAAe,CACnC,EAAE,EAAE,EAAE,EACN,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,MAAoB,GAC3B,OAAO,CAAC,IAAI,CAAC,CAaf;AAED,wBAAsB,mBAAmB,CACvC,EAAE,EAAE,EAAE,EACN,cAAc,EAAE,MAAM,GAAG,IAAI,GAC5B,OAAO,CAAC,IAAI,CAAC,CAcf"}
+{"version":3,"file":"rls.d.ts","sourceRoot":"","sources":["../../../src/auth/tenant/rls.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,wBAAwB,CAAA;AAIhD;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,MAAM,GAAG,SAAS,GAAG,QAAQ,CAAA;AAqBlE,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,MAAoB,EAC5B,OAAO,GAAE,aAAsB,EAC/B,UAAU,GAAE,MAA6B,EACzC,KAAK,GAAE,OAAc,GACpB,MAAM,CAUR;AAED,wBAAsB,eAAe,CACnC,EAAE,EAAE,EAAE,EACN,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,MAAoB,EAC5B,OAAO,GAAE,aAAsB,EAC/B,KAAK,GAAE,OAAc,GACpB,OAAO,CAAC,IAAI,CAAC,CASf;AAED,oFAAoF;AACpF,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;CAC7B;AAED;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAC1C,EAAE,EAAE,EAAE,EACN,QAAQ,EAAE,iBAAiB,GAC1B,OAAO,CAAC,IAAI,CAAC,CAoBf"}

package/dist/auth/tenant/rls.js

@@ -1,35 +1,75 @@
 import { sql } from '../../data/db/sql.js';
 import { quoteIdentifier } from '../../data/db/identifiers.js';
 import { validateSessionVarName } from './validate.js';
-export function tenantIsolationPolicy(table, column = 'tenant_id', sessionVar = 'pipework.tenant_id') {
+function tenantPolicyName(table) {
+    return `pipework_tenant_isolation_${table.replace(/[^a-zA-Z0-9_]/g, '_')}`;
+}
+/**
+ * The USING predicate of a tenant isolation policy.
+ *
+ * The cast (`::uuid` etc.) is required: current_setting returns text, and
+ * Postgres will not implicitly compare `uuid = text`. NULLIF(...,'') means an
+ * unset or explicitly-empty session GUC yields NULL — a deny-by-default match —
+ * instead of throwing on `''::uuid`. (current_setting(var, true) is itself NULL
+ * when the GUC was never set; the NULLIF only guards the empty-string case that
+ * set_config can produce.)
+ */
+function tenantUsingClause(column, keyType, sessionVar) {
+    const c = quoteIdentifier(column, 'column');
+    return `${c} = NULLIF(current_setting('${sessionVar}', true), '')::${keyType}`;
+}
+export function tenantIsolationPolicy(table, column = 'tenant_id', keyType = 'uuid', sessionVar = 'pipework.tenant_id', force = true) {
     validateSessionVarName(sessionVar);
     const t = quoteIdentifier(table, 'table');
-    const c = quoteIdentifier(column, 'column');
-    const policyName = `pipework_tenant_isolation_${table.replace(/[^a-zA-Z0-9_]/g, '_')}`;
     return [
         `ALTER TABLE ${t} ENABLE ROW LEVEL SECURITY`,
-        `ALTER TABLE ${t} FORCE ROW LEVEL SECURITY`,
-        `CREATE POLICY ${quoteIdentifier(policyName, 'policy')} ON ${t} USING (${c} = current_setting('${sessionVar}', true))`,
+        ...(force ? [`ALTER TABLE ${t} FORCE ROW LEVEL SECURITY`] : []),
+        `CREATE POLICY ${quoteIdentifier(tenantPolicyName(table), 'policy')} ON ${t} USING (${tenantUsingClause(column, keyType, sessionVar)})`,
     ].join(';\n');
 }
-export async function enableTenantRls(db, table, column = 'tenant_id') {
+export async function enableTenantRls(db, table, column = 'tenant_id', keyType = 'uuid', force = true) {
     const t = quoteIdentifier(table, 'table');
-    const c = quoteIdentifier(column, 'column');
-    const policyName = quoteIdentifier(`pipework_tenant_isolation_${table.replace(/[^a-zA-Z0-9_]/g, '_')}`, 'policy');
+    const policyName = quoteIdentifier(tenantPolicyName(table), 'policy');
     await db.execute(sql.raw(`ALTER TABLE ${t} ENABLE ROW LEVEL SECURITY`));
-    await db.execute(sql.raw(`ALTER TABLE ${t} FORCE ROW LEVEL SECURITY`));
-    await db.execute(sql.raw(`CREATE POLICY ${policyName} ON ${t} USING (${c} = current_setting('pipework.tenant_id', true))`));
+    if (force)
+        await db.execute(sql.raw(`ALTER TABLE ${t} FORCE ROW LEVEL SECURITY`));
+    await db.execute(sql.raw(`CREATE POLICY ${policyName} ON ${t} USING (${tenantUsingClause(column, keyType, 'pipework.tenant_id')})`));
 }
-export async function verifyTenantContext(db, expectedTenant) {
-    const result = await db.execute(sql `SELECT current_setting('pipework.tenant_id', true) AS tenant_id`);
-    const raw = result[0]?.tenant_id ?? null;
-    const pgTenant = raw === '' ? null : raw;
-    if (pgTenant !== expectedTenant) {
-        throw new Error(`[pipework] Tenant context mismatch between application and database.\n\n` +
-            `  Application context tenant: ${expectedTenant ?? '(null)'}\n` +
-            `  PostgreSQL session tenant:  ${pgTenant ?? '(null)'}\n\n` +
+/**
+ * Cross-checks the application's principal (tenant, user, asOf) against the GUCs
+ * actually set on the Postgres session — defense-in-depth against an
+ * AsyncLocalStorage context swap propagating one principal's identity onto
+ * another's transaction. All three axes are checked together so a mismatch on
+ * any one aborts before a query can read the wrong rows.
+ */
+export async function verifyPrincipalContext(db, expected) {
+    const result = await db.execute(sql `SELECT
+    current_setting('pipework.tenant_id', true) AS tenant_id,
+    current_setting('pipework.user_id', true) AS user_id,
+    current_setting('pipework.asof', true) AS asof`);
+    const row = result[0];
+    const mismatches = [];
+    if (normalizeGuc(row?.tenant_id) !== expected.tenant)
+        mismatches.push(formatAxis('tenant', expected.tenant, normalizeGuc(row?.tenant_id)));
+    if (normalizeGuc(row?.user_id) !== expected.user)
+        mismatches.push(formatAxis('user', expected.user, normalizeGuc(row?.user_id)));
+    if (normalizeGuc(row?.asof) !== expected.asOf)
+        mismatches.push(formatAxis('asOf', expected.asOf, normalizeGuc(row?.asof)));
+    if (mismatches.length > 0) {
+        throw new Error(`[pipework] Principal context mismatch between application and database.\n\n` +
+            mismatches.join('\n') + `\n\n` +
             `  This indicates an AsyncLocalStorage context integrity failure.\n` +
-            `  The request has been aborted to prevent cross-tenant data access.\n`);
+            `  The request has been aborted to prevent cross-tenant or cross-user data access.\n`);
     }
 }
+// current_setting(var, true) is NULL when the GUC was never set; set_config can
+// also leave an empty string. Both collapse to null so they compare equal to an
+// absent application-side axis.
+function normalizeGuc(raw) {
+    const v = raw ?? null;
+    return v === '' ? null : v;
+}
+function formatAxis(axis, app, pg) {
+    return `  ${axis}: application context = ${app ?? '(null)'}, PostgreSQL session = ${pg ?? '(null)'}`;
+}
 //# sourceMappingURL=rls.js.map

package/dist/auth/tenant/rls.js.map

@@ -1 +1 @@
-{"version":3,"file":"rls.js","sourceRoot":"","sources":["../../../src/auth/tenant/rls.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,sBAAsB,CAAA;AAE1C,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAA;AAC9D,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAA;AAEtD,MAAM,UAAU,qBAAqB,CAAC,KAAa,EAAE,SAAiB,WAAW,EAAE,aAAqB,oBAAoB;IAC1H,sBAAsB,CAAC,UAAU,CAAC,CAAA;IAElC,MAAM,CAAC,GAAG,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IACzC,MAAM,CAAC,GAAG,eAAe,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;IAC3C,MAAM,UAAU,GAAG,6BAA6B,KAAK,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,EAAE,CAAA;IAEtF,OAAO;QACL,eAAe,CAAC,4BAA4B;QAC5C,eAAe,CAAC,2BAA2B;QAC3C,iBAAiB,eAAe,CAAC,UAAU,EAAE,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,uBAAuB,UAAU,WAAW;KACvH,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,EAAM,EACN,KAAa,EACb,SAAiB,WAAW;IAE5B,MAAM,CAAC,GAAG,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IACzC,MAAM,CAAC,GAAG,eAAe,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;IAC3C,MAAM,UAAU,GAAG,eAAe,CAChC,6BAA6B,KAAK,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,EAAE,EACnE,QAAQ,CACT,CAAA;IAED,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,4BAA4B,CAAC,CAAC,CAAA;IACvE,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,2BAA2B,CAAC,CAAC,CAAA;IACtE,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CACtB,iBAAiB,UAAU,OAAO,CAAC,WAAW,CAAC,iDAAiD,CACjG,CAAC,CAAA;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,EAAM,EACN,cAA6B;IAE7B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAA,iEAAiE,CAAC,CAAA;IACrG,MAAM,GAAG,GAAI,MAAyD,CAAC,CAAC,CAAC,EAAE,SAAS,IAAI,IAAI,CAAA;IAC5F,MAAM,QAAQ,GAAG,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAA;IAExC,IAAI,QAAQ,KAAK,cAAc,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,0EAA0E;YAC1E,iCAAiC,cAAc,IAAI,QAAQ,IAAI;YAC/D,iCAAiC,QAAQ,IAAI,QAAQ,MAAM;YAC3D,oEAAoE;YACpE,uEAAuE,CACxE,CAAA;IACH,CAAC;AACH,CAAC"}
+{"version":3,"file":"rls.js","sourceRoot":"","sources":["../../../src/auth/tenant/rls.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,sBAAsB,CAAA;AAE1C,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAA;AAC9D,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAA;AAWtD,SAAS,gBAAgB,CAAC,KAAa;IACrC,OAAO,6BAA6B,KAAK,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,EAAE,CAAA;AAC5E,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,iBAAiB,CAAC,MAAc,EAAE,OAAsB,EAAE,UAAkB;IACnF,MAAM,CAAC,GAAG,eAAe,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;IAC3C,OAAO,GAAG,CAAC,8BAA8B,UAAU,kBAAkB,OAAO,EAAE,CAAA;AAChF,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,KAAa,EACb,SAAiB,WAAW,EAC5B,UAAyB,MAAM,EAC/B,aAAqB,oBAAoB,EACzC,QAAiB,IAAI;IAErB,sBAAsB,CAAC,UAAU,CAAC,CAAA;IAElC,MAAM,CAAC,GAAG,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IAEzC,OAAO;QACL,eAAe,CAAC,4BAA4B;QAC5C,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,iBAAiB,eAAe,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,OAAO,CAAC,WAAW,iBAAiB,CAAC,MAAM,EAAE,OAAO,EAAE,UAAU,CAAC,GAAG;KACxI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,EAAM,EACN,KAAa,EACb,SAAiB,WAAW,EAC5B,UAAyB,MAAM,EAC/B,QAAiB,IAAI;IAErB,MAAM,CAAC,GAAG,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IACzC,MAAM,UAAU,GAAG,eAAe,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,CAAA;IAErE,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,4BAA4B,CAAC,CAAC,CAAA;IACvE,IAAI,KAAK;QAAE,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,2BAA2B,CAAC,CAAC,CAAA;IACjF,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CACtB,iBAAiB,UAAU,OAAO,CAAC,WAAW,iBAAiB,CAAC,MAAM,EAAE,OAAO,EAAE,oBAAoB,CAAC,GAAG,CAC1G,CAAC,CAAA;AACJ,CAAC;AASD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,EAAM,EACN,QAA2B;IAE3B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAA;;;mDAGc,CAAC,CAAA;IAClD,MAAM,GAAG,GAAI,MAAsG,CAAC,CAAC,CAAC,CAAA;IAEtH,MAAM,UAAU,GAAa,EAAE,CAAA;IAC/B,IAAI,YAAY,CAAC,GAAG,EAAE,SAAS,CAAC,KAAK,QAAQ,CAAC,MAAM;QAAE,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC,CAAA;IAC1I,IAAI,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,QAAQ,CAAC,IAAI;QAAE,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAA;IAChI,IAAI,YAAY,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,QAAQ,CAAC,IAAI;QAAE,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAA;IAE1H,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,6EAA6E;YAC7E,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,MAAM;YAC9B,oEAAoE;YACpE,qFAAqF,CACtF,CAAA;IACH,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,gFAAgF;AAChF,gCAAgC;AAChC,SAAS,YAAY,CAAC,GAA8B;IAClD,MAAM,CAAC,GAAG,GAAG,IAAI,IAAI,CAAA;IACrB,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAA;AAC5B,CAAC;AAED,SAAS,UAAU,CAAC,IAAY,EAAE,GAAkB,EAAE,EAAiB;IACrE,OAAO,KAAK,IAAI,2BAA2B,GAAG,IAAI,QAAQ,0BAA0B,EAAE,IAAI,QAAQ,EAAE,CAAA;AACtG,CAAC"}

package/dist/cli/commands/db.d.ts

@@ -7,4 +7,12 @@ export interface DbOptions {
     readonly adminUrl?: string | undefined;
 }
 export declare function db(opts: DbOptions): Promise<void>;
+/**
+ * The DML grants for the non-owner runtime role, applied at provision time on a
+ * connection authenticated as the owner. The two ALTER DEFAULT PRIVILEGES lines
+ * are the drift guard: every future table the owner creates via migrations is
+ * granted to the runtime role automatically, so an RLS-enabled table can never
+ * be left ungranted — which would blank the rows the app is entitled to.
+ */
+export declare function buildRuntimeGrants(schema: string, ownerRole: string, runtimeRole: string): string[];
 //# sourceMappingURL=db.d.ts.map

package/dist/cli/commands/db.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/db.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,CAAA;IACvC,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,SAAS,CAAA;IACnC,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,GAAG,SAAS,CAAA;IACtC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CACvC;AAED,wBAAsB,EAAE,CAAC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBvD"}
+{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/db.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,CAAA;IACvC,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,GAAG,SAAS,CAAA;IACnC,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,GAAG,SAAS,CAAA;IACtC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CACvC;AAED,wBAAsB,EAAE,CAAC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBvD;AAyND;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,EAAE,CAWnG"}