[codex] Add manifest-derived permissions and Postgres RLS #1108

Merged: willgriffin merged 5 commits into main from codex/permissions-catalog-rls on Apr 9, 2026

@willgriffin
Contributor

What changed

This adds manifest-derived permission cataloging to smrt-users, lets applications define extra permissions in config or at runtime, and wires those permissions into request-scoped Postgres RLS enforcement.

It also updates the SvelteKit integration and generated server helper path so request-scoped database access is used consistently during authenticated requests.

Why

We wanted permissions to be inferred from the SMRT manifest instead of maintained manually, while still leaving room for app-specific permissions and database-native RBAC enforcement in Postgres.

This gets the first version of that flow in place end-to-end:

  • derive permissions from exposed CRUD and custom methods
  • sync them into the Permission table
  • merge tenant, role, group, and member overrides into effective permissions
  • expose request-scoped permission/session/database context
  • generate and apply Postgres RLS policies for required tenant-scoped tables

Impact

  • smrt-users now exports permission catalog services, runtime registration hooks, request-scoped session permission helpers, and Postgres policy helpers
  • createSessionHandler() supports enterTenantContext and postgresRls
  • generated/template SvelteKit helpers prefer the request-scoped DB when present
  • package docs now include examples for discovery, sync, custom config permissions, runtime registration, and Postgres RLS usage

Validation

Ran locally:

  • pnpm typecheck
  • pnpm lint
  • pnpm build
  • DATABASE_URL=postgresql://postgres:postgres@localhost:5432/test_db pnpm test
  • pnpm format-check
  • pnpm validate-build

Additional spot checks completed during implementation included the live Postgres RLS tests in smrt-users and the full smrt-core suite.

@willgriffin willgriffin marked this pull request as ready for review April 9, 2026 08:00
Copilot AI review requested due to automatic review settings April 9, 2026 08:00

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3f5834f7a2

Contributor

Copilot AI left a comment

Pull request overview

Adds manifest-derived permission discovery/sync to smrt-users and wires permissions into request-scoped context to support Postgres RLS enforcement, including updates to SvelteKit integration and generated helpers to prefer request-scoped DB access.

Changes:

  • Introduces PermissionCatalogService (+ runtime registration + sync) and exports it from smrt-users.
  • Adds Postgres RLS policy SQL generation/application helpers and request-scoped transaction/session variable setup.
  • Updates SvelteKit handler + generated/template SvelteKit helpers to use request-scoped DB when available; adds docs and test coverage.

Reviewed changes

Copilot reviewed 20 out of 21 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| pnpm-lock.yaml | Adds lock entries for new dependencies used by smrt-users. |
| packages/users/src/sveltekit/index.ts | Wraps requests in session/permission context; optionally enters tenancy context and Postgres RLS transaction. |
| packages/users/src/services/SessionService.ts | Exposes underlying DB instance via getDatabase(). |
| packages/users/src/services/SessionPermissionContext.ts | New AsyncLocalStorage-backed request context + optional Postgres RLS transaction/session vars. |
| packages/users/src/services/PostgresPermissionPolicies.ts | New Postgres helper function + RLS policy generation and apply helpers. |
| packages/users/src/services/PermissionResolver.ts | Merges inherited tenant permissions into resolved permissions. |
| packages/users/src/services/PermissionCatalogService.ts | New manifest/config/runtime permission cataloging + sync to Permission table. |
| packages/users/src/services/index.ts | Re-exports new services/helpers. |
| packages/users/src/index.ts | Public exports + package docs examples for catalog sync and Postgres RLS helpers. |
| packages/users/src/tests/session.test.ts | Adds coverage for tenant inherited permissions in session context. |
| packages/users/src/tests/session-permission-context.test.ts | Adds coverage for request-scoped DB + Postgres session variable setup in handler. |
| packages/users/src/tests/session-handler.integration.test.ts | Integration test for tenancy context + request-scoped DB usage in SvelteKit handler. |
| packages/users/src/tests/permission-resolver.test.ts | Adds coverage for tenant inherited permissions merging vs membership denies. |
| packages/users/src/tests/permission-postgres-rls.test.ts | Adds live Postgres RLS enforcement tests + custom binding coverage. |
| packages/users/src/tests/permission-catalog.test.ts | Adds tests for manifest-derived permissions, merging, sync behavior, and SQL generation. |
| packages/users/README.md | Documents catalog discovery/sync, runtime registration, Postgres RLS, and request-scoped DB usage. |
| packages/users/package.json | Adds deps and a test:postgres script. |
| packages/template-sveltekit/template/src/lib/server/smrt.ts | Template helper now prefers request-scoped DB when no explicit override exists. |
| packages/core/src/vite-plugin/sveltekit-generator.ts | Generator emits helper that prefers request-scoped DB unless overridden. |
| packages/core/src/vite-plugin/sveltekit-generator.test.ts | Updates generator tests to assert request-scoped DB support is emitted. |
| packages/core/src/vite-plugin/sveltekit-generator.runtime.test.ts | Adds runtime test validating request-scoped DB preference behavior. |
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

@willgriffin willgriffin merged commit e433f98 into main Apr 9, 2026
12 checks passed
@willgriffin willgriffin deleted the codex/permissions-catalog-rls branch April 9, 2026 23:09
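
The Postgres RLS flow named in the PR description and in the Copilot overview (policy generation for tenant-scoped tables, plus request-scoped session variable setup), shown as an added TypeScript example that is not code from smrt-users. The helper names, the `app.tenant_id` setting and the `tenant_id` column are assumptions made for illustration.

```typescript
// Added example; every name here is hypothetical, not the smrt-users API.

/** Quote a Postgres identifier: double embedded quotes, wrap in quotes. */
function quoteIdent(name: string): string {
  if (name.length === 0 || /\0/.test(name)) throw new Error("invalid identifier");
  return '"' + name.replace(/"/g, '""') + '"';
}

interface TenantTable { schema: string; table: string; tenantColumn: string; }

/** Statements that enable tenant isolation on one tenant-scoped table. */
function tenantPolicySql(t: TenantTable, setting = "app.tenant_id"): string[] {
  // The setting name is inlined as a literal, so restrict it to a safe shape.
  if (!/^[a-z_]+\.[a-z_]+$/.test(setting)) throw new Error("invalid setting name");
  const rel = `${quoteIdent(t.schema)}.${quoteIdent(t.table)}`;
  const policy = quoteIdent(`${t.table}_tenant_isolation`);
  // current_setting(name, true) returns NULL when the setting is unset, so the
  // comparison is never true and an unscoped connection matches no rows.
  const predicate =
    `${quoteIdent(t.tenantColumn)}::text = current_setting('${setting}', true)`;
  return [
    `ALTER TABLE ${rel} ENABLE ROW LEVEL SECURITY`,
    // FORCE makes the policy apply to the table owner as well.
    `ALTER TABLE ${rel} FORCE ROW LEVEL SECURITY`,
    `DROP POLICY IF EXISTS ${policy} ON ${rel}`,
    // USING filters reads; WITH CHECK rejects writes into another tenant.
    `CREATE POLICY ${policy} ON ${rel} USING (${predicate}) WITH CHECK (${predicate})`,
  ];
}

interface Statement { text: string; values: string[]; }

/** Statements that open one request's transaction and bind its tenant. */
function requestScopeStatements(tenantId: string, setting = "app.tenant_id"): Statement[] {
  return [
    { text: "BEGIN", values: [] },
    // Third argument true = transaction-local: the value is discarded at
    // COMMIT/ROLLBACK, so a pooled connection cannot carry one request's
    // tenant into the next. The tenant id travels as a bound parameter.
    { text: "SELECT set_config($1, $2, true)", values: [setting, tenantId] },
  ];
}
```

Superusers and roles with BYPASSRLS skip these policies regardless of FORCE, so the application's database role should have neither.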