npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

zenstack-electric

v1.0.2

Published

Compile ZenStack access policies into Electric SQL shape filters

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

andresberriosandresberrios

Keywords

zenstackelectricelectric-sqlaccess-controlpolicyshape-filter

Readme

zenstack-electric

npm version npm downloads bundle JSDocs License

A ZenStack plugin that compiles @@allow / @@deny access policies into Electric SQL shape filters at build time.

  • Zero runtime compilation — policies are compiled to SQL WHERE templates during zen generate
  • Auth-aware — parameterized filters resolve auth() references at runtime
  • PostgreSQL only — matches Electric SQL's database requirement
  • Supports @@allow and @@deny — with correct deny-takes-precedence semantics
  • Relation traversal — policies referencing related models compile to IN (SELECT ...) subqueries

Install

npm install zenstack-electric

Setup

Add the plugin to your schema.zmodel:

plugin electric {
  provider = 'zenstack-electric'
  output   = 'src/generated/electric-filters.ts' // optional, defaults to zen output dir
}

Then run:

npx zen generate

This produces an electric-filters.ts file with a getShapeFilter function and pre-compiled filter definitions for every model.

Usage

The generated file exports getShapeFilter(model, auth?) which returns a ShapeFilter (or null if no filtering is needed):

import { ShapeStream } from '@electric-sql/client'
import { getShapeFilter } from './generated/electric-filters'

// Get the filter for the current user
const filter = getShapeFilter('Post', { id: currentUserId })

// Use it with Electric's shape API
const stream = new ShapeStream({
  url: 'http://localhost:3000/v1/shape',
  params: {
    table: '"Post"',
    where: filter?.where,
    // Convert params object to ordered array
    params: filter
      ? Object.keys(filter.params)
          .sort((a, b) => Number(a) - Number(b))
          .map(k => filter.params[k])
      : undefined,
  },
})

Return values

| Scenario | getShapeFilter returns | |---|---| | @@allow('read', true) with no deny rules | null (no filtering needed) | | Policy with conditions | { where: '"status" = $1', params: { '1': 'ACTIVE' } } | | Auth-dependent policy | { where: '"ownerId" = $1', params: { '1': '<resolved auth value>' } } | | No read-applicable allow rules | { where: 'false', params: {} } (deny all) | | Unknown model name | Throws Error('Unknown model: ...') |

How policies compile

model Post {
  id        Int     @id
  published Boolean
  status    String
  ownerId   String
  deleted   Boolean

  @@allow('read', published == true && status == 'ACTIVE')
  @@deny('read', deleted == true)
}

Compiles to:

WHERE NOT ("deleted" = true) AND (("published" = true) AND ("status" = $1))
-- params: [{ kind: 'static', value: 'ACTIVE' }]

Supported policy patterns

| ZModel pattern | Compiled SQL | |---|---| | field == 'value' | "field" = $1 | | field == null | "field" IS NULL | | field != null | "field" IS NOT NULL | | field > 0 | "field" > $1 | | field == auth().id | "field" = $1 (auth param) | | !(condition) | NOT (...) | | cond1 && cond2 | (...) AND (...) | | cond1 \|\| cond2 | (...) OR (...) | | relation.field == value | "fk" IN (SELECT "pk" FROM "Relation" WHERE ...) | | collection?[condition] | EXISTS (SELECT 1 FROM ... WHERE ...) | | Multiple @@allow rules | Combined with OR | | Multiple @@deny rules | Combined with OR, then wrapped in NOT (...) | | @@allow + @@deny | NOT (denies) AND (allows) |

Operation filtering

Only rules with operation 'read' or 'all' are compiled, since Electric shapes are read-only. A @@allow('create', true) rule is ignored.

@@allow('create', true)       // ignored — not applicable to reads
@@allow('read', condition)    // compiled
@@allow('all', condition)     // compiled
@@allow('create,read', cond)  // compiled — includes 'read'

API

The package exports these for advanced use cases:

import type {
  ParamDef, // { kind: 'static', value: string } | { kind: 'auth', path: string[] }
  ShapeFilter, // { where: string, params: Record<string, string> }
  ShapeFilterDef, // { where: string, params: ParamDef[] }
} from 'zenstack-electric'

import {
  compileAllFilters, // SchemaDef → Record<string, ShapeFilterDef | null>
  compileModelFilter, // single model → ShapeFilterDef | null
  resolveShapeFilter, // ShapeFilterDef + auth → ShapeFilter (runtime)
} from 'zenstack-electric'

Limitations

  • PostgreSQL only — Electric SQL only supports PostgreSQL
  • Composite foreign keys are not supported (throws a descriptive error)
  • Read policies only — Electric shapes are read-only, so only read/all operations are compiled
  • auth() values are stringified — all param values are converted to strings via String(value ?? '')

License

MIT License © Andrés Berrios