REST /api/v1/rls-policies 7 endpoints
GET /api/v1/rls-policies

List all RLS policy definitions

Public

Response Example

{
  "data": [
    {
      "policy_id": "pol-001",
      "table_name": "activities",
      "policy_name": "unit_scoped_activities",
      "expression": "unit_id = ANY(current_setting('app.accessible_unit_ids')::uuid[])",
      "applied_at": "2025-11-01T00:00:00Z"
    }
  ],
  "pagination": {
    "page": 1,
    "limit": 20,
    "total": 3
  }
}
GET /api/v1/rls-policies/{policyId}

Get a specific RLS policy definition

Public

Response Example

{
  "policy_id": "pol-001",
  "table_name": "activities",
  "policy_name": "unit_scoped_activities",
  "expression": "unit_id = ANY(current_setting('app.accessible_unit_ids')::uuid[])",
  "applied_at": "2025-11-01T00:00:00Z",
  "last_tested_at": "2026-03-20T10:00:00Z"
}
POST /api/v1/rls-policies

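Apply RLS policies to a database table. Each `policy_definitions` entry supplies a SQL predicate in `expression`, so a caller of this endpoint is defining the table's row-level access rules. The access label below reads "Public"; if that means no authentication is required, confirm that this is intended for a policy-writing endpoint.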

Public

Request Example

{
  "table_name": "activities",
  "policy_definitions": [
    {
      "policy_name": "unit_scoped_activities",
      "command": "SELECT",
      "expression": "unit_id = ANY(current_setting('app.accessible_unit_ids')::uuid[])"
    }
  ]
}

Response Example

{
  "policy_id": "pol-007",
  "table_name": "activities",
  "policy_name": "unit_scoped_activities",
  "applied": true,
  "applied_at": "2026-03-26T10:45:00Z"
}
PUT /api/v1/rls-policies/{policyId}

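Update an existing RLS policy expression. The supplied `expression` replaces the policy's SQL predicate, so a broader predicate widens row visibility for every query the policy governs.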

Public

Request Example

{
  "expression": "unit_id = ANY(current_setting('app.accessible_unit_ids')::uuid[]) AND deleted_at IS NULL"
}

Response Example

{
  "policy_id": "pol-001",
  "table_name": "activities",
  "policy_name": "unit_scoped_activities",
  "expression": "unit_id = ANY(current_setting('app.accessible_unit_ids')::uuid[]) AND deleted_at IS NULL",
  "updated_at": "2026-03-26T11:30:00Z"
}
DELETE /api/v1/rls-policies/{policyId}

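Remove an RLS policy from a table. The page does not say whether row-level security stays enabled on the table afterwards. Assuming PostgreSQL (as the `::uuid[]` cast syntax suggests), a table with RLS enabled and no remaining policies denies all rows to non-owner roles, while a table with RLS disabled exposes all rows.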

Public

Response Example

{
  "deleted": true,
  "policy_id": "pol-001"
}
POST /api/v1/rls-policies/test

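Test whether a user can access a resource under current RLS policies. The response states, for any supplied `user_id` and `resource_id`, whether access is granted and which policy matched, so the endpoint discloses authorization state for arbitrary users and would usually be restricted to administrative callers.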

Public

Request Example

{
  "user_id": "usr-77",
  "resource_id": "act-9901",
  "table_name": "activities"
}

Response Example

{
  "user_id": "usr-77",
  "resource_id": "act-9901",
  "table_name": "activities",
  "access_granted": true,
  "matched_policy": "unit_scoped_activities",
  "tested_at": "2026-03-26T12:00:00Z"
}
POST /api/v1/rls-policies/migrations

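Generate a SQL migration file for given policy definitions. In the response example, `table_name`, `policy_name` and `expression` appear verbatim inside the generated `CREATE POLICY` statement, and the page describes no validation or identifier quoting, so the output should be reviewed before it is run. In PostgreSQL, `ENABLE ROW LEVEL SECURITY` does not bind the table owner unless `FORCE ROW LEVEL SECURITY` is also set.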

Public

Request Example

{
  "policy_definitions": [
    {
      "table_name": "reports",
      "policy_name": "unit_scoped_reports",
      "command": "ALL",
      "expression": "unit_id = ANY(current_setting('app.accessible_unit_ids')::uuid[])"
    }
  ]
}

Response Example

{
  "migration_id": "mig-20260326-001",
  "sql": "CREATE POLICY unit_scoped_reports ON reports FOR ALL USING (unit_id = ANY(current_setting('app.accessible_unit_ids')::uuid[]));\nALTER TABLE reports ENABLE ROW LEVEL SECURITY;",
  "generated_at": "2026-03-26T12:05:00Z"
}

Additional Metadata

{
  "contract_summary": {
    "total_contracts": 410,
    "total_endpoints": 2416,
    "api_styles_used": [
      "rest"
    ]
  },
  "generated_at": "2026-03-26T06:55:53.316Z"
}