{"version":3,"file":"sqlite.cjs","names":[],"sources":["../../../../src/adapters/drizzle/schema/sqlite.ts"],"sourcesContent":["import { sql } from 'drizzle-orm'\nimport {\n  check,\n  foreignKey,\n  index,\n  integer,\n  primaryKey,\n  sqliteTable,\n  text,\n  unique,\n  uniqueIndex,\n} from 'drizzle-orm/sqlite-core'\nimport type { AccessControl } from '../../../core/types'\n\n/**\n * SQLite schema for the duck-iam IamDrizzle adapter.\n *\n * SQLite has no native JSON or array type, so every payload column is TEXT and\n * the adapter must run in `json: 'string'` mode (`new IamDrizzleAdapter({ ...,\n * json: 'string' })`). Columns are typed with `$type<string>()` to reflect the\n * stored JSON text. `algorithm` is constrained via a CHECK.\n *\n * SQLite treats NULL as distinct in unique indexes, so global rows (NULL scope)\n * are de-duplicated via a `COALESCE(scope, '')` expression unique index.\n *\n * No soft-delete columns; `created_by` / `updated_by` carry audit actors (left\n * NULL by the adapter). See the Postgres schema for fuller notes. Constraint\n * naming: `pk_` `fk_` `uq_` `idx_` `ch_`.\n */\n\n/** Allowed combining algorithms, kept in sync with {@link AccessControl.CombiningAlgorithm}. */\nexport const IAM_COMBINE_ALGORITHMS = [\n  'deny-overrides',\n  'allow-overrides',\n  'first-match',\n  'highest-priority',\n] as const satisfies readonly AccessControl.CombiningAlgorithm[]\n\n/** Per-row epoch-millisecond timestamp. */\nconst nowMs = sql`(unixepoch() * 1000)`\n\n/** Stored ABAC policies. JSON payloads are TEXT and parsed by the adapter. */\nexport const iamPolicies = sqliteTable(\n  'access_policies',\n  {\n    id: text('id').notNull(),\n    name: text('name').notNull(),\n    description: text('description'),\n    version: integer('version').notNull().default(1),\n    algorithm: text('algorithm').$type<AccessControl.CombiningAlgorithm>().notNull().default('deny-overrides'),\n    rules: text('rules').$type<string>().notNull(),\n    targets: text('targets').$type<string>(),\n    createdBy: text('created_by'),\n    updatedBy: text('updated_by'),\n    createdAt: integer('created_at', { mode: 'timestamp_ms' }).notNull().default(nowMs),\n    updatedAt: integer('updated_at', { mode: 'timestamp_ms' })\n      .notNull()\n      .default(nowMs)\n      .$onUpdate(() => new Date()),\n  },\n  (t) => [\n    primaryKey({ name: 'pk_access_policies', columns: [t.id] }),\n    unique('uq_access_policies_name').on(t.name),\n    check(\n      'ch_access_policies_algorithm_valid',\n      sql`${t.algorithm} IN ('deny-overrides','allow-overrides','first-match','highest-priority')`,\n    ),\n    check('ch_access_policies_name_not_blank', sql`length(trim(${t.name})) > 0`),\n    check('ch_access_policies_version_positive', sql`${t.version} >= 1`),\n  ],\n)\n\n/** Stored RBAC roles. `inherits` is JSON TEXT defaulting to `'[]'`. */\nexport const iamRoles = sqliteTable(\n  'access_roles',\n  {\n    id: text('id').notNull(),\n    name: text('name').notNull(),\n    description: text('description'),\n    permissions: text('permissions').$type<string>().notNull(),\n    inherits: text('inherits').$type<string>().notNull().default('[]'),\n    scope: text('scope'),\n    metadata: text('metadata').$type<string>(),\n    createdBy: text('created_by'),\n    updatedBy: text('updated_by'),\n    createdAt: integer('created_at', { mode: 'timestamp_ms' }).notNull().default(nowMs),\n    updatedAt: integer('updated_at', { mode: 'timestamp_ms' })\n      .notNull()\n      .default(nowMs)\n      .$onUpdate(() => new Date()),\n  },\n  (t) => [\n    primaryKey({ name: 'pk_access_roles', columns: [t.id] }),\n    // COALESCE collapses NULL scopes so global roles are unique by name too.\n    uniqueIndex('uq_access_roles_name_scope').on(t.name, sql`coalesce(${t.scope}, '')`),\n    // Scoped roles only.\n    index('idx_access_roles_scope').on(t.scope).where(sql`${t.scope} IS NOT NULL`),\n    check('ch_access_roles_name_not_blank', sql`length(trim(${t.name})) > 0`),\n  ],\n)\n\n/** Subject-to-role assignments. NULL scope is a global (unscoped) grant. */\nexport const iamAssignments = sqliteTable(\n  'access_assignments',\n  {\n    id: text('id').$defaultFn(() => crypto.randomUUID()),\n    subjectId: text('subject_id').notNull(),\n    roleId: text('role_id').notNull(),\n    scope: text('scope'),\n    createdBy: text('created_by'),\n    createdAt: integer('created_at', { mode: 'timestamp_ms' }).notNull().default(nowMs),\n  },\n  (t) => [\n    primaryKey({ name: 'pk_access_assignments', columns: [t.id] }),\n    foreignKey({\n      name: 'fk_access_assignments_role',\n      columns: [t.roleId],\n      foreignColumns: [iamRoles.id],\n    }).onDelete('cascade'),\n    // COALESCE collapses NULL scopes so duplicate global grants conflict.\n    uniqueIndex('uq_access_assignments_subject_role_scope').on(t.subjectId, t.roleId, sql`coalesce(${t.scope}, '')`),\n    index('idx_access_assignments_subject').on(t.subjectId),\n    index('idx_access_assignments_role').on(t.roleId),\n    // Scoped assignments only.\n    index('idx_access_assignments_subject_scope').on(t.subjectId, t.scope).where(sql`${t.scope} IS NOT NULL`),\n    check('ch_access_assignments_subject_not_blank', sql`length(trim(${t.subjectId})) > 0`),\n  ],\n)\n\n/** Per-subject attribute bags, one row per subject. JSON TEXT under `data`. */\nexport const iamSubjectAttrs = sqliteTable(\n  'access_subject_attrs',\n  {\n    subjectId: text('subject_id').notNull(),\n    data: text('data').$type<string>().notNull(),\n    updatedBy: text('updated_by'),\n    createdAt: integer('created_at', { mode: 'timestamp_ms' }).notNull().default(nowMs),\n    updatedAt: integer('updated_at', { mode: 'timestamp_ms' })\n      .notNull()\n      .default(nowMs)\n      .$onUpdate(() => new Date()),\n  },\n  (t) => [\n    primaryKey({ name: 'pk_access_subject_attrs', columns: [t.subjectId] }),\n    check('ch_access_subject_attrs_subject_not_blank', sql`length(trim(${t.subjectId})) > 0`),\n  ],\n)\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AA+BA,MAAa,yBAAyB;CACpC;CACA;CACA;CACA;AACF;;AAGA,MAAM,QAAQ,eAAG;;AAGjB,MAAa,uDACX,mBACA;CACE,sCAAS,IAAI,CAAC,CAAC,QAAQ;CACvB,wCAAW,MAAM,CAAC,CAAC,QAAQ;CAC3B,+CAAkB,aAAa;CAC/B,8CAAiB,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC;CAC/C,6CAAgB,WAAW,CAAC,CAAC,MAAwC,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,gBAAgB;CACzG,yCAAY,OAAO,CAAC,CAAC,MAAc,CAAC,CAAC,QAAQ;CAC7C,2CAAc,SAAS,CAAC,CAAC,MAAc;CACvC,6CAAgB,YAAY;CAC5B,6CAAgB,YAAY;CAC5B,gDAAmB,cAAc,EAAE,MAAM,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,KAAK;CAClF,gDAAmB,cAAc,EAAE,MAAM,eAAe,CAAC,CAAC,CACvD,QAAQ,CAAC,CACT,QAAQ,KAAK,CAAC,CACd,gCAAgB,IAAI,KAAK,CAAC;AAC/B,IACC,MAAM;yCACM;EAAE,MAAM;EAAsB,SAAS,CAAC,EAAE,EAAE;CAAE,CAAC;qCACnD,yBAAyB,CAAC,CAAC,GAAG,EAAE,IAAI;oCAEzC,sCACA,eAAG,GAAG,EAAE,UAAU,0EACpB;oCACM,qCAAqC,eAAG,eAAe,EAAE,KAAK,OAAO;oCACrE,uCAAuC,eAAG,GAAG,EAAE,QAAQ,MAAM;AACrE,CACF;;AAGA,MAAa,oDACX,gBACA;CACE,sCAAS,IAAI,CAAC,CAAC,QAAQ;CACvB,wCAAW,MAAM,CAAC,CAAC,QAAQ;CAC3B,+CAAkB,aAAa;CAC/B,+CAAkB,aAAa,CAAC,CAAC,MAAc,CAAC,CAAC,QAAQ;CACzD,4CAAe,UAAU,CAAC,CAAC,MAAc,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,IAAI;CACjE,yCAAY,OAAO;CACnB,4CAAe,UAAU,CAAC,CAAC,MAAc;CACzC,6CAAgB,YAAY;CAC5B,6CAAgB,YAAY;CAC5B,gDAAmB,cAAc,EAAE,MAAM,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,KAAK;CAClF,gDAAmB,cAAc,EAAE,MAAM,eAAe,CAAC,CAAC,CACvD,QAAQ,CAAC,CACT,QAAQ,KAAK,CAAC,CACd,gCAAgB,IAAI,KAAK,CAAC;AAC/B,IACC,MAAM;yCACM;EAAE,MAAM;EAAmB,SAAS,CAAC,EAAE,EAAE;CAAE,CAAC;0CAE3C,4BAA4B,CAAC,CAAC,GAAG,EAAE,MAAM,eAAG,YAAY,EAAE,MAAM,MAAM;oCAE5E,wBAAwB,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,MAAM,eAAG,GAAG,EAAE,MAAM,aAAa;oCACvE,kCAAkC,eAAG,eAAe,EAAE,KAAK,OAAO;AAC1E,CACF;;AAGA,MAAa,0DACX,sBACA;CACE,sCAAS,IAAI,CAAC,CAAC,iBAAiB,OAAO,WAAW,CAAC;CACnD,6CAAgB,YAAY,CAAC,CAAC,QAAQ;CACtC,0CAAa,SAAS,CAAC,CAAC,QAAQ;CAChC,yCAAY,OAAO;CACnB,6CAAgB,YAAY;CAC5B,gDAAmB,cAAc,EAAE,MAAM,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,KAAK;AACpF,IACC,MAAM;yCACM;EAAE,MAAM;EAAyB,SAAS,CAAC,EAAE,EAAE;CAAE,CAAC;yCAClD;EACT,MAAM;EACN,SAAS,CAAC,EAAE,MAAM;EAClB,gBAAgB,CAAC,SAAS,EAAE;CAC9B,CAAC,CAAC,CAAC,SAAS,SAAS;0CAET,0CAA0C,CAAC,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,eAAG,YAAY,EAAE,MAAM,MAAM;oCACzG,gCAAgC,CAAC,CAAC,GAAG,EAAE,SAAS;oCAChD,6BAA6B,CAAC,CAAC,GAAG,EAAE,MAAM;oCAE1C,sCAAsC,CAAC,CAAC,GAAG,EAAE,WAAW,EAAE,KAAK,CAAC,CAAC,MAAM,eAAG,GAAG,EAAE,MAAM,aAAa;oCAClG,2CAA2C,eAAG,eAAe,EAAE,UAAU,OAAO;AACxF,CACF;;AAGA,MAAa,2DACX,wBACA;CACE,6CAAgB,YAAY,CAAC,CAAC,QAAQ;CACtC,wCAAW,MAAM,CAAC,CAAC,MAAc,CAAC,CAAC,QAAQ;CAC3C,6CAAgB,YAAY;CAC5B,gDAAmB,cAAc,EAAE,MAAM,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,QAAQ,KAAK;CAClF,gDAAmB,cAAc,EAAE,MAAM,eAAe,CAAC,CAAC,CACvD,QAAQ,CAAC,CACT,QAAQ,KAAK,CAAC,CACd,gCAAgB,IAAI,KAAK,CAAC;AAC/B,IACC,MAAM,yCACM;CAAE,MAAM;CAA2B,SAAS,CAAC,EAAE,SAAS;AAAE,CAAC,sCAChE,6CAA6C,eAAG,eAAe,EAAE,UAAU,OAAO,CAC1F,CACF"}