merge dev to main (v3.6.3)

package.json

@@ -2,7 +2,7 @@
     "name": "zenstack-v3",
     "displayName": "ZenStack",
     "description": "ZenStack",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/auth-adapters/better-auth/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/better-auth",
     "displayName": "ZenStack Better Auth Adapter",
     "description": "ZenStack Better Auth Adapter. This adapter is modified from better-auth's Prisma adapter.",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",
@@ -39,6 +39,16 @@
                 "default": "./dist/index.cjs"
             }
         },
+        "./schema-generator": {
+            "import": {
+                "types": "./dist/schema-generator.d.mts",
+                "default": "./dist/schema-generator.mjs"
+            },
+            "require": {
+                "types": "./dist/schema-generator.d.cts",
+                "default": "./dist/schema-generator.cjs"
+            }
+        },
         "./package.json": {
             "import": "./package.json",
             "require": "./package.json"

packages/auth-adapters/better-auth/src/adapter.ts

@@ -8,7 +8,6 @@ import {
     type AdapterFactoryCustomizeAdapterCreator,
     type AdapterFactoryOptions,
 } from 'better-auth/adapters';
-import { generateSchema } from './schema-generator';
 
 /**
  * Options for the ZenStack adapter factory.
@@ -209,6 +208,7 @@ export const zenstackAdapter = <Schema extends SchemaDef>(db: ClientContract<Sch
                 options: config,
 
                 createSchema: async ({ file, tables }) => {
+                    const generateSchema = (await import('./schema-generator')).generateSchema;
                     return generateSchema(file, tables, config, options);
                 },
             };

packages/auth-adapters/better-auth/tsdown.config.ts

@@ -1,3 +1,3 @@
 import { createConfig } from '@zenstackhq/tsdown-config';
 
-export default createConfig({ entry: { index: 'src/index.ts' } });
+export default createConfig({ entry: { index: 'src/index.ts', 'schema-generator': 'src/schema-generator.ts' } });

packages/cli/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/cli",
     "displayName": "ZenStack CLI",
     "description": "FullStack database toolkit with built-in access control and automatic API generation.",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/clients/client-helpers/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/client-helpers",
     "displayName": "ZenStack Client Helpers",
     "description": "Helpers for implementing clients that consume ZenStack's CRUD service",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/clients/tanstack-query/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/tanstack-query",
     "displayName": "ZenStack TanStack Query Integration",
     "description": "TanStack Query Client for consuming ZenStack v3's CRUD service",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/common-helpers/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/common-helpers",
     "displayName": "ZenStack Common Helpers",
     "description": "ZenStack Common Helpers",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/config/eslint-config/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@zenstackhq/eslint-config",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "private": true,
     "license": "MIT"

packages/config/tsdown-config/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@zenstackhq/tsdown-config",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "private": true,
     "type": "module",
     "license": "MIT",

packages/config/typescript-config/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@zenstackhq/typescript-config",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "private": true,
     "license": "MIT"
 }

packages/config/vitest-config/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@zenstackhq/vitest-config",
     "type": "module",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "private": true,
     "license": "MIT",
     "exports": {

packages/create-zenstack/package.json

@@ -2,7 +2,7 @@
     "name": "create-zenstack",
     "displayName": "Create ZenStack",
     "description": "Create a new ZenStack project",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/ide/vscode/package.json

@@ -1,7 +1,7 @@
 {
     "name": "zenstack-v3",
     "publisher": "zenstack",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "displayName": "ZenStack V3 Language Tools",
     "description": "VSCode extension for ZenStack (v3) ZModel language",
     "private": true,

packages/language/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/language",
     "displayName": "ZenStack Language Tooling",
     "description": "ZenStack ZModel language specification",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/orm/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/orm",
     "displayName": "ZenStack ORM",
     "description": "ZenStack ORM",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/plugins/policy/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/plugin-policy",
     "displayName": "ZenStack Access Policy Plugin",
     "description": "ZenStack plugin that enforces access control policies defined in the schema",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/plugins/policy/src/policy-handler.ts

@@ -205,24 +205,33 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
         // filter combining model-level update policy and update where
         const updateFilter = conjunction(this.dialect, [modelLevelFilter, node.where?.where ?? trueNode(this.dialect)]);
 
-        // build a query to count rows that will be rejected by field-level policies
-        // `SELECT COALESCE(SUM((not <fieldsFilter>) as integer), 0) AS $filteredCount WHERE <updateFilter> AND <rowFilter>`
-        const preUpdateCheckQuery = this.eb
+        // check if any rows violate field-level policies: satisfying update filter but not field-level filter:
+        // `SELECT 1 FROM <table> WHERE <updateFilter> AND NOT <fieldLevelFilter>`
+        const violatingRowsQuery = this.eb
             .selectFrom(mutationModel)
-            .select((eb) =>
-                eb.fn
-                    .coalesce(
-                        eb.fn.sum(
-                            this.dialect.castInt(new ExpressionWrapper(logicalNot(this.dialect, fieldLevelFilter))),
-                        ),
-                        eb.lit(0),
-                    )
-                    .as('$filteredCount'),
-            )
-            .where(() => new ExpressionWrapper(updateFilter));
+            .select(this.eb.lit(1).as('_'))
+            .where(
+                () =>
+                    new ExpressionWrapper(
+                        conjunction(this.dialect, [updateFilter, logicalNot(this.dialect, fieldLevelFilter)]),
+                    ),
+            );
 
-        const preUpdateResult = await proceed(preUpdateCheckQuery.toOperationNode());
-        if (preUpdateResult.rows[0].$filteredCount > 0) {
+        const preUpdateResult = await proceed(
+            // `SELECT EXISTS(violatingRowsQuery) AS $condition`
+            {
+                kind: 'SelectQueryNode',
+                selections: [
+                    SelectionNode.create(
+                        AliasNode.create(
+                            this.eb.exists(violatingRowsQuery).toOperationNode(),
+                            IdentifierNode.create('$condition'),
+                        ),
+                    ),
+                ],
+            } satisfies SelectQueryNode,
+        );
+        if (preUpdateResult.rows[0].$condition) {
             throw createRejectedByPolicyError(
                 mutationModel,
                 RejectedByPolicyReason.NO_ACCESS,
@@ -918,12 +927,28 @@ export class PolicyHandler<Schema extends SchemaDef> extends OperationNodeTransf
 
         const filter = this.buildPolicyFilter(model, undefined, 'create');
 
-        const preCreateCheck = this.eb
+        // check if the provided values satisfy the create policy
+
+        // `SELECT 1 FROM (VALUES (...)) AS t(column1, column2, ...) WHERE <filter>`
+        const preCreateInner = this.eb
             .selectFrom(valuesTable.as(model))
-            .select(this.eb(this.eb.fn.count(this.eb.lit(1)), '>', 0).as('$condition'))
+            .select(this.eb.lit(1).as('_'))
             .where(() => new ExpressionWrapper(filter));
 
-        const result = await proceed(preCreateCheck.toOperationNode());
+        const result = await proceed(
+            // `SELECT EXISTS(preCreateInner) AS $condition`
+            {
+                kind: 'SelectQueryNode',
+                selections: [
+                    SelectionNode.create(
+                        AliasNode.create(
+                            this.eb.exists(preCreateInner).toOperationNode(),
+                            IdentifierNode.create('$condition'),
+                        ),
+                    ),
+                ],
+            } satisfies SelectQueryNode,
+        );
         if (!result.rows[0]?.$condition) {
             throw createRejectedByPolicyError(model, RejectedByPolicyReason.NO_ACCESS);
         }

packages/schema/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/schema",
     "displayName": "ZenStack Schema Object Model",
     "description": "TypeScript representation of ZModel schema",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/sdk/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/sdk",
     "displayName": "ZenStack SDK",
     "description": "Utilities for building ZenStack plugins",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/server/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/server",
     "displayName": "ZenStack Automatic CRUD Server",
     "description": "ZenStack automatic CRUD API handlers and server adapters for popular frameworks",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/testtools/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/testtools",
     "displayName": "ZenStack Test Tools",
     "description": "ZenStack Test Tools",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

packages/zod/package.json

@@ -2,7 +2,7 @@
     "name": "@zenstackhq/zod",
     "displayName": "ZenStack Zod Integration",
     "description": "Automatically deriving Zod schemas from ZModel schemas",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "type": "module",
     "author": {
         "name": "ZenStack Team",

samples/orm/package.json

@@ -1,6 +1,6 @@
 {
     "name": "sample-orm",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "description": "",
     "main": "index.js",
     "private": true,

tests/e2e/package.json

@@ -1,6 +1,6 @@
 {
     "name": "e2e",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "private": true,
     "type": "module",
     "scripts": {

tests/regression/package.json

@@ -1,6 +1,6 @@
 {
     "name": "regression",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "private": true,
     "type": "module",
     "scripts": {

tests/runtimes/bun/package.json

@@ -1,6 +1,6 @@
 {
     "name": "bun-e2e",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "private": true,
     "type": "module",
     "scripts": {

tests/runtimes/edge-runtime/package.json

@@ -1,6 +1,6 @@
 {
     "name": "edge-runtime-e2e",
-    "version": "3.6.2",
+    "version": "3.6.3",
     "private": true,
     "type": "module",
     "scripts": {