import { n as IamPrimitives, t as AccessControl } from "../../../access-control-CxeWQI64.js";
//#region src/adapters/drizzle/schema/pg.d.ts
/**
 * PostgreSQL schema for the duck-iam IamDrizzle adapter.
 *
 * Run `drizzle-kit generate` against this file to emit migrations.
 *
 * ### JSON storage
 * With the adapter's default `json: 'native'` mode, `rules`, `targets`,
 * `permissions`, `inherits`, `metadata`, and `data` hold real `jsonb` - so the
 * GIN indexes below work and payloads stay queryable. Columns are typed with
 * `$type<>()` for end-to-end safety. (Run the adapter in `json: 'string'` mode
 * only for text-column backends like SQLite.)
 *
 * `$type<>()` is a compile-time annotation only: it narrows the TypeScript
 * type of the column and does not validate what is actually stored. Rows
 * written outside the adapter are therefore not shape-checked by this schema.
 * NOTE(review): whether the adapter validates these payloads when it reads
 * them back is not visible in this declaration - confirm.
 *
 * ### Soft delete
 * No `deletedAt` columns: the adapter's `listRoles`/`listPolicies` do not
 * filter on deletion, so a soft-deleted role would keep granting access. Use
 * hard deletes (`deleteRole`/`deletePolicy`) to revoke.
 *
 * ### Audit
 * `created_by` / `updated_by` capture the actor behind a change. The adapter
 * has no actor context, so it leaves them NULL; set them from triggers or
 * direct admin writes. Until something populates them, these columns record
 * no actor for changes made through the adapter.
 *
 * ### Constraint naming
 * pk_ primary key, fk_ foreign key, uq_ unique, idx_ index, ch_ check.
 * All declared in the table's (t) => [...] block.
 *
 * This emitted declaration carries column types only: every column below
 * reports `isPrimaryKey: false`, and no index or constraint appears in the
 * types. Keys, uniqueness, checks and the GIN indexes have to be reviewed in
 * the schema source or in the generated migration, not here.
 */
/**
 * Postgres enum mirroring {@link AccessControl.CombiningAlgorithm}. The
 * `satisfies` clause turns any drift between this list and the engine union
 * into a compile error. (That clause is not visible in this emitted
 * declaration; only the resulting four enum values are.)
 */
declare const combineAlgorithm: import("drizzle-orm/pg-core").PgEnum<["deny-overrides", "allow-overrides", "first-match", "highest-priority"]>;
/**
 * Stored ABAC policies. `rules` and `targets` carry the policy payload as
 * `jsonb`; `algorithm` is constrained to the engine's combining algorithms.
 *
 * Table name: `access_policies`.
 */
declare const iamPolicies: import("drizzle-orm/pg-core").PgTableWithColumns<{
  name: "access_policies";
  schema: undefined;
  columns: {
    id: import("drizzle-orm/pg-core").PgColumn<{ name: "id"; tableName: "access_policies"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: true; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    name: import("drizzle-orm/pg-core").PgColumn<{ name: "name"; tableName: "access_policies"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: true; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    description: import("drizzle-orm/pg-core").PgColumn<{ name: "description"; tableName: "access_policies"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    version: import("drizzle-orm/pg-core").PgColumn<{ name: "version"; tableName: "access_policies"; dataType: "number"; columnType: "PgInteger"; data: number; driverParam: string | number; notNull: true; hasDefault: true; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    // NOT NULL with a column default (hasDefault: true). The default value is
    // not visible in this declaration.
    // NOTE(review): confirm in the schema source that the default is the
    // combining algorithm you intend for policies that do not set one.
    algorithm: import("drizzle-orm/pg-core").PgColumn<{ name: "algorithm"; tableName: "access_policies"; dataType: "string"; columnType: "PgEnumColumn"; data: "deny-overrides" | "allow-overrides" | "first-match" | "highest-priority"; driverParam: string; notNull: true; hasDefault: true; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: ["deny-overrides", "allow-overrides", "first-match", "highest-priority"]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    // jsonb typed as IRule[] through $type; the shape is a TypeScript-level
    // claim, not something the column enforces.
    rules: import("drizzle-orm/pg-core").PgColumn<{ name: "rules"; tableName: "access_policies"; dataType: "json"; columnType: "PgJsonb"; data: AccessControl.IRule[]; driverParam: unknown; notNull: true; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, { $type: AccessControl.IRule[]; }>;
    // Nullable, and each of actions/resources/roles is optional.
    // NOTE(review): how the engine treats a NULL or empty target is not
    // visible here - confirm whether it means "applies to everything".
    targets: import("drizzle-orm/pg-core").PgColumn<{ name: "targets"; tableName: "access_policies"; dataType: "json"; columnType: "PgJsonb"; data: { readonly actions?: readonly string[] | undefined; readonly resources?: readonly string[] | undefined; readonly roles?: readonly string[] | undefined; }; driverParam: unknown; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, { $type: { readonly actions?: readonly string[] | undefined; readonly resources?: readonly string[] | undefined; readonly roles?: readonly string[] | undefined; }; }>;
    // Audit columns: nullable text with no default, so they stay NULL unless
    // something outside the adapter writes them.
    createdBy: import("drizzle-orm/pg-core").PgColumn<{ name: "created_by"; tableName: "access_policies"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    updatedBy: import("drizzle-orm/pg-core").PgColumn<{ name: "updated_by"; tableName: "access_policies"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    createdAt: import("drizzle-orm/pg-core").PgColumn<{ name: "created_at"; tableName: "access_policies"; dataType: "date"; columnType: "PgTimestamp"; data: Date; driverParam: string; notNull: true; hasDefault: true; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    updatedAt: import("drizzle-orm/pg-core").PgColumn<{ name: "updated_at"; tableName: "access_policies"; dataType: "date"; columnType: "PgTimestamp"; data: Date; driverParam: string; notNull: true; hasDefault: true; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
  };
  dialect: "pg";
}>;
/**
 * Stored RBAC roles. `permissions` and `metadata` are `jsonb`; `inherits` is a
 * `jsonb` array of parent role IDs.
 *
 * Table name: `access_roles`.
 */
declare const iamRoles: import("drizzle-orm/pg-core").PgTableWithColumns<{
  name: "access_roles";
  schema: undefined;
  columns: {
    id: import("drizzle-orm/pg-core").PgColumn<{ name: "id"; tableName: "access_roles"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: true; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    name: import("drizzle-orm/pg-core").PgColumn<{ name: "name"; tableName: "access_roles"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: true; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    description: import("drizzle-orm/pg-core").PgColumn<{ name: "description"; tableName: "access_roles"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    // jsonb typed as IPermission[] through $type (compile-time only).
    permissions: import("drizzle-orm/pg-core").PgColumn<{ name: "permissions"; tableName: "access_roles"; dataType: "json"; columnType: "PgJsonb"; data: AccessControl.IPermission[]; driverParam: unknown; notNull: true; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, { $type: AccessControl.IPermission[]; }>;
    // Parent role IDs kept as plain strings inside jsonb, so nothing in this
    // column type ties an element to access_roles.id.
    // NOTE(review): confirm how the engine handles unknown or cyclic parents.
    inherits: import("drizzle-orm/pg-core").PgColumn<{ name: "inherits"; tableName: "access_roles"; dataType: "json"; columnType: "PgJsonb"; data: string[]; driverParam: unknown; notNull: true; hasDefault: true; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, { $type: string[]; }>;
    scope: import("drizzle-orm/pg-core").PgColumn<{ name: "scope"; tableName: "access_roles"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    metadata: import("drizzle-orm/pg-core").PgColumn<{ name: "metadata"; tableName: "access_roles"; dataType: "json"; columnType: "PgJsonb"; data: IamPrimitives.Attributes; driverParam: unknown; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, { $type: IamPrimitives.Attributes; }>;
    // Audit columns: nullable text with no default, so they stay NULL unless
    // something outside the adapter writes them.
    createdBy: import("drizzle-orm/pg-core").PgColumn<{ name: "created_by"; tableName: "access_roles"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    updatedBy: import("drizzle-orm/pg-core").PgColumn<{ name: "updated_by"; tableName: "access_roles"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    createdAt: import("drizzle-orm/pg-core").PgColumn<{ name: "created_at"; tableName: "access_roles"; dataType: "date"; columnType: "PgTimestamp"; data: Date; driverParam: string; notNull: true; hasDefault: true; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    updatedAt: import("drizzle-orm/pg-core").PgColumn<{ name: "updated_at"; tableName: "access_roles"; dataType: "date"; columnType: "PgTimestamp"; data: Date; driverParam: string; notNull: true; hasDefault: true; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
  };
  dialect: "pg";
}>;
/**
 * Subject-to-role assignments. A `NULL` scope is a global (unscoped)
 * assignment; a non-null scope binds the role to that tenant/scope. Unique on
 * `(subject_id, role_id, scope)` with NULL scopes collapsed, so `assignRole`'s
 * `onConflictDoNothing` is idempotent for global grants too.
 *
 * Postgres treats NULLs as distinct in a plain unique index, so the
 * "collapsed" behaviour depends on how the index is declared. That index is
 * not part of this declaration - verify it in the generated migration.
 *
 * Table name: `access_assignments`.
 */
declare const iamAssignments: import("drizzle-orm/pg-core").PgTableWithColumns<{
  name: "access_assignments";
  schema: undefined;
  columns: {
    // Typed as nullable (notNull: false) with a runtime-generated default.
    // NOTE(review): whether a pk_ constraint makes this NOT NULL in the
    // database cannot be seen from this declaration - confirm.
    id: import("drizzle-orm/pg-core").PgColumn<{ name: "id"; tableName: "access_assignments"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: false; hasDefault: true; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: true; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    subjectId: import("drizzle-orm/pg-core").PgColumn<{ name: "subject_id"; tableName: "access_assignments"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: true; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    // NOTE(review): plain text here; whether an fk_ constraint ties it to
    // access_roles.id is not visible in this declaration - confirm, since a
    // hard-deleted role should not leave assignments behind.
    roleId: import("drizzle-orm/pg-core").PgColumn<{ name: "role_id"; tableName: "access_assignments"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: true; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    // Nullable with no default: a row inserted without a scope gets NULL,
    // which is the global grant. Omitting the scope therefore widens the
    // assignment rather than narrowing it.
    scope: import("drizzle-orm/pg-core").PgColumn<{ name: "scope"; tableName: "access_assignments"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    // Audit column: nullable, no default. This table has no updated_by /
    // updated_at pair.
    createdBy: import("drizzle-orm/pg-core").PgColumn<{ name: "created_by"; tableName: "access_assignments"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    createdAt: import("drizzle-orm/pg-core").PgColumn<{ name: "created_at"; tableName: "access_assignments"; dataType: "date"; columnType: "PgTimestamp"; data: Date; driverParam: string; notNull: true; hasDefault: true; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
  };
  dialect: "pg";
}>;
/**
 * Per-subject attribute bags, one row per subject. `data` holds the
 * attribute map (`jsonb`) consumed by the ABAC condition engine.
 *
 * Because these attributes feed policy conditions, write access to this table
 * can change authorization outcomes and should be restricted accordingly.
 *
 * Table name: `access_subject_attrs`.
 */
declare const iamSubjectAttrs: import("drizzle-orm/pg-core").PgTableWithColumns<{
  name: "access_subject_attrs";
  schema: undefined;
  columns: {
    subjectId: import("drizzle-orm/pg-core").PgColumn<{ name: "subject_id"; tableName: "access_subject_attrs"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: true; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    // jsonb typed as Attributes through $type (compile-time only); NOT NULL
    // with no default, so every row must supply an attribute map.
    data: import("drizzle-orm/pg-core").PgColumn<{ name: "data"; tableName: "access_subject_attrs"; dataType: "json"; columnType: "PgJsonb"; data: IamPrimitives.Attributes; driverParam: unknown; notNull: true; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, { $type: IamPrimitives.Attributes; }>;
    // Audit column: nullable, no default. This table has no created_by.
    updatedBy: import("drizzle-orm/pg-core").PgColumn<{ name: "updated_by"; tableName: "access_subject_attrs"; dataType: "string"; columnType: "PgText"; data: string; driverParam: string; notNull: false; hasDefault: false; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: [string, ...string[]]; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    createdAt: import("drizzle-orm/pg-core").PgColumn<{ name: "created_at"; tableName: "access_subject_attrs"; dataType: "date"; columnType: "PgTimestamp"; data: Date; driverParam: string; notNull: true; hasDefault: true; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
    updatedAt: import("drizzle-orm/pg-core").PgColumn<{ name: "updated_at"; tableName: "access_subject_attrs"; dataType: "date"; columnType: "PgTimestamp"; data: Date; driverParam: string; notNull: true; hasDefault: true; isPrimaryKey: false; isAutoincrement: false; hasRuntimeDefault: false; enumValues: undefined; baseColumn: never; identity: undefined; generated: undefined; }, {}, {}>;
  };
  dialect: "pg";
}>;
//#endregion
export { combineAlgorithm, iamAssignments, iamPolicies, iamRoles, iamSubjectAttrs };
//# sourceMappingURL=pg.d.ts.map