{"version":3,"file":"mysql.cjs","names":[],"sources":["../../../../src/adapters/drizzle/schema/mysql.ts"],"sourcesContent":["import { sql } from 'drizzle-orm'\nimport {\n  check,\n  datetime,\n  foreignKey,\n  index,\n  int,\n  json,\n  mysqlEnum,\n  mysqlTable,\n  primaryKey,\n  unique,\n  uniqueIndex,\n  varchar,\n} from 'drizzle-orm/mysql-core'\nimport type { AccessControl, IamPrimitives } from '../../../core/types'\n\n/**\n * MySQL schema for the duck-iam IamDrizzle adapter.\n *\n * With the adapter's default `json: 'native'` mode, payload columns hold real\n * `json`; columns are typed with `$type<>()` for read-path safety. CHECK\n * constraints are enforced on MySQL 8.0.16+ and parsed-but-ignored below that.\n *\n * MySQL has no partial indexes and treats NULL as distinct in unique keys, so\n * global rows (NULL scope) are de-duplicated via a `COALESCE(scope, '')`\n * functional unique index - keeping uniqueness without changing the adapter's\n * `scope == null` = global semantics.\n *\n * No soft-delete columns; `created_by` / `updated_by` carry audit actors (left\n * NULL by the adapter - set via triggers or admin writes). See the Postgres\n * schema for fuller notes. Constraint naming: `pk_` `fk_` `uq_` `idx_` `ch_`.\n */\n\n/** Allowed combining algorithms, kept in sync with {@link AccessControl.CombiningAlgorithm}. */\nconst IAM_COMBINE_ALGORITHMS = [\n  'deny-overrides',\n  'allow-overrides',\n  'first-match',\n  'highest-priority',\n] as const satisfies readonly AccessControl.CombiningAlgorithm[]\n\n/** Per-row current timestamp with millisecond precision. */\nconst nowMs = sql`CURRENT_TIMESTAMP(3)`\n\n/** Stored ABAC policies. */\nexport const iamPolicies = mysqlTable(\n  'access_policies',\n  {\n    id: varchar('id', { length: 191 }).notNull(),\n    name: varchar('name', { length: 191 }).notNull(),\n    description: varchar('description', { length: 1024 }),\n    version: int('version').notNull().default(1),\n    algorithm: mysqlEnum('algorithm', IAM_COMBINE_ALGORITHMS).notNull().default('deny-overrides'),\n    rules: json('rules').$type<AccessControl.IRule[]>().notNull(),\n    targets: json('targets').$type<NonNullable<AccessControl.IPolicy['targets']>>(),\n    createdBy: varchar('created_by', { length: 191 }),\n    updatedBy: varchar('updated_by', { length: 191 }),\n    createdAt: datetime('created_at', { fsp: 3 }).notNull().default(nowMs),\n    updatedAt: datetime('updated_at', { fsp: 3 })\n      .notNull()\n      .default(nowMs)\n      .$onUpdate(() => new Date()),\n  },\n  (t) => [\n    primaryKey({ name: 'pk_access_policies', columns: [t.id] }),\n    unique('uq_access_policies_name').on(t.name),\n    check('ch_access_policies_name_not_blank', sql`length(trim(${t.name})) > 0`),\n    check('ch_access_policies_version_positive', sql`${t.version} >= 1`),\n  ],\n)\n\n/** Stored RBAC roles. `inherits` is a JSON array of parent role IDs. */\nexport const iamRoles = mysqlTable(\n  'access_roles',\n  {\n    id: varchar('id', { length: 191 }).notNull(),\n    name: varchar('name', { length: 191 }).notNull(),\n    description: varchar('description', { length: 1024 }),\n    permissions: json('permissions').$type<AccessControl.IPermission[]>().notNull(),\n    inherits: json('inherits').$type<string[]>().notNull(),\n    scope: varchar('scope', { length: 191 }),\n    metadata: json('metadata').$type<IamPrimitives.Attributes>(),\n    createdBy: varchar('created_by', { length: 191 }),\n    updatedBy: varchar('updated_by', { length: 191 }),\n    createdAt: datetime('created_at', { fsp: 3 }).notNull().default(nowMs),\n    updatedAt: datetime('updated_at', { fsp: 3 })\n      .notNull()\n      .default(nowMs)\n      .$onUpdate(() => new Date()),\n  },\n  (t) => [\n    primaryKey({ name: 'pk_access_roles', columns: [t.id] }),\n    // COALESCE collapses NULL scopes so global roles are unique by name too.\n    uniqueIndex('uq_access_roles_name_scope').on(t.name, sql`(coalesce(${t.scope}, ''))`),\n    index('idx_access_roles_scope').on(t.scope),\n    check('ch_access_roles_name_not_blank', sql`length(trim(${t.name})) > 0`),\n  ],\n)\n\n/** Subject-to-role assignments. NULL scope is a global (unscoped) grant. */\nexport const iamAssignments = mysqlTable(\n  'access_assignments',\n  {\n    id: varchar('id', { length: 191 }).$defaultFn(() => crypto.randomUUID()),\n    subjectId: varchar('subject_id', { length: 191 }).notNull(),\n    roleId: varchar('role_id', { length: 191 }).notNull(),\n    scope: varchar('scope', { length: 191 }),\n    createdBy: varchar('created_by', { length: 191 }),\n    createdAt: datetime('created_at', { fsp: 3 }).notNull().default(nowMs),\n  },\n  (t) => [\n    primaryKey({ name: 'pk_access_assignments', columns: [t.id] }),\n    foreignKey({\n      name: 'fk_access_assignments_role',\n      columns: [t.roleId],\n      foreignColumns: [iamRoles.id],\n    }).onDelete('cascade'),\n    // COALESCE collapses NULL scopes so duplicate global grants conflict.\n    uniqueIndex('uq_access_assignments_subject_role_scope').on(t.subjectId, t.roleId, sql`(coalesce(${t.scope}, ''))`),\n    index('idx_access_assignments_subject').on(t.subjectId),\n    index('idx_access_assignments_role').on(t.roleId),\n    check('ch_access_assignments_subject_not_blank', sql`length(trim(${t.subjectId})) > 0`),\n  ],\n)\n\n/** Per-subject attribute bags, one row per subject. */\nexport const iamSubjectAttrs = mysqlTable(\n  'access_subject_attrs',\n  {\n    subjectId: varchar('subject_id', { length: 191 }).notNull(),\n    data: json('data').$type<IamPrimitives.Attributes>().notNull(),\n    updatedBy: varchar('updated_by', { length: 191 }),\n    createdAt: datetime('created_at', { fsp: 3 }).notNull().default(nowMs),\n    updatedAt: datetime('updated_at', { fsp: 3 })\n      .notNull()\n      .default(nowMs)\n      .$onUpdate(() => new Date()),\n  },\n  (t) => [\n    primaryKey({ name: 'pk_access_subject_attrs', columns: [t.subjectId] }),\n    check('ch_access_subject_attrs_subject_not_blank', sql`length(trim(${t.subjectId})) > 0`),\n  ],\n)\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAmCA,MAAM,yBAAyB;CAC7B;CACA;CACA;CACA;AACF;;AAGA,MAAM,QAAQ,eAAG;;AAGjB,MAAa,qDACX,mBACA;CACE,wCAAY,MAAM,EAAE,QAAQ,IAAI,CAAC,CAAC,CAAC,QAAQ;CAC3C,0CAAc,QAAQ,EAAE,QAAQ,IAAI,CAAC,CAAC,CAAC,QAAQ;CAC/C,iDAAqB,eAAe,EAAE,QAAQ,KAAK,CAAC;CACpD,yCAAa,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC;CAC3C,iDAAqB,aAAa,sBAAsB,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,gBAAgB;CAC5F,wCAAY,OAAO,CAAC,CAAC,MAA6B,CAAC,CAAC,QAAQ;CAC5D,0CAAc,SAAS,CAAC,CAAC,MAAqD;CAC9E,+CAAmB,cAAc,EAAE,QAAQ,IAAI,CAAC;CAChD,+CAAmB,cAAc,EAAE,QAAQ,IAAI,CAAC;CAChD,gDAAoB,cAAc,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,KAAK;CACrE,gDAAoB,cAAc,EAAE,KAAK,EAAE,CAAC,CAAC,CAC1C,QAAQ,CAAC,CACT,QAAQ,KAAK,CAAC,CACd,gCAAgB,IAAI,KAAK,CAAC;AAC/B,IACC,MAAM;wCACM;EAAE,MAAM;EAAsB,SAAS,CAAC,EAAE,EAAE;CAAE,CAAC;oCACnD,yBAAyB,CAAC,CAAC,GAAG,EAAE,IAAI;mCACrC,qCAAqC,eAAG,eAAe,EAAE,KAAK,OAAO;mCACrE,uCAAuC,eAAG,GAAG,EAAE,QAAQ,MAAM;AACrE,CACF;;AAGA,MAAa,kDACX,gBACA;CACE,wCAAY,MAAM,EAAE,QAAQ,IAAI,CAAC,CAAC,CAAC,QAAQ;CAC3C,0CAAc,QAAQ,EAAE,QAAQ,IAAI,CAAC,CAAC,CAAC,QAAQ;CAC/C,iDAAqB,eAAe,EAAE,QAAQ,KAAK,CAAC;CACpD,8CAAkB,aAAa,CAAC,CAAC,MAAmC,CAAC,CAAC,QAAQ;CAC9E,2CAAe,UAAU,CAAC,CAAC,MAAgB,CAAC,CAAC,QAAQ;CACrD,2CAAe,SAAS,EAAE,QAAQ,IAAI,CAAC;CACvC,2CAAe,UAAU,CAAC,CAAC,MAAgC;CAC3D,+CAAmB,cAAc,EAAE,QAAQ,IAAI,CAAC;CAChD,+CAAmB,cAAc,EAAE,QAAQ,IAAI,CAAC;CAChD,gDAAoB,cAAc,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,KAAK;CACrE,gDAAoB,cAAc,EAAE,KAAK,EAAE,CAAC,CAAC,CAC1C,QAAQ,CAAC,CACT,QAAQ,KAAK,CAAC,CACd,gCAAgB,IAAI,KAAK,CAAC;AAC/B,IACC,MAAM;wCACM;EAAE,MAAM;EAAmB,SAAS,CAAC,EAAE,EAAE;CAAE,CAAC;yCAE3C,4BAA4B,CAAC,CAAC,GAAG,EAAE,MAAM,eAAG,aAAa,EAAE,MAAM,OAAO;mCAC9E,wBAAwB,CAAC,CAAC,GAAG,EAAE,KAAK;mCACpC,kCAAkC,eAAG,eAAe,EAAE,KAAK,OAAO;AAC1E,CACF;;AAGA,MAAa,wDACX,sBACA;CACE,wCAAY,MAAM,EAAE,QAAQ,IAAI,CAAC,CAAC,CAAC,iBAAiB,OAAO,WAAW,CAAC;CACvE,+CAAmB,cAAc,EAAE,QAAQ,IAAI,CAAC,CAAC,CAAC,QAAQ;CAC1D,4CAAgB,WAAW,EAAE,QAAQ,IAAI,CAAC,CAAC,CAAC,QAAQ;CACpD,2CAAe,SAAS,EAAE,QAAQ,IAAI,CAAC;CACvC,+CAAmB,cAAc,EAAE,QAAQ,IAAI,CAAC;CAChD,gDAAoB,cAAc,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,KAAK;AACvE,IACC,MAAM;wCACM;EAAE,MAAM;EAAyB,SAAS,CAAC,EAAE,EAAE;CAAE,CAAC;wCAClD;EACT,MAAM;EACN,SAAS,CAAC,EAAE,MAAM;EAClB,gBAAgB,CAAC,SAAS,EAAE;CAC9B,CAAC,CAAC,CAAC,SAAS,SAAS;yCAET,0CAA0C,CAAC,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,eAAG,aAAa,EAAE,MAAM,OAAO;mCAC3G,gCAAgC,CAAC,CAAC,GAAG,EAAE,SAAS;mCAChD,6BAA6B,CAAC,CAAC,GAAG,EAAE,MAAM;mCAC1C,2CAA2C,eAAG,eAAe,EAAE,UAAU,OAAO;AACxF,CACF;;AAGA,MAAa,yDACX,wBACA;CACE,+CAAmB,cAAc,EAAE,QAAQ,IAAI,CAAC,CAAC,CAAC,QAAQ;CAC1D,uCAAW,MAAM,CAAC,CAAC,MAAgC,CAAC,CAAC,QAAQ;CAC7D,+CAAmB,cAAc,EAAE,QAAQ,IAAI,CAAC;CAChD,gDAAoB,cAAc,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,KAAK;CACrE,gDAAoB,cAAc,EAAE,KAAK,EAAE,CAAC,CAAC,CAC1C,QAAQ,CAAC,CACT,QAAQ,KAAK,CAAC,CACd,gCAAgB,IAAI,KAAK,CAAC;AAC/B,IACC,MAAM,wCACM;CAAE,MAAM;CAA2B,SAAS,CAAC,EAAE,SAAS;AAAE,CAAC,qCAChE,6CAA6C,eAAG,eAAe,EAAE,UAAU,OAAO,CAC1F,CACF"}