refactor: make data validation a separate enhancement kind

packages/runtime/src/enhancements/create-enhancement.ts

@@ -14,12 +14,12 @@ import type { PolicyDef, ZodSchemas } from './types';
 /**
  * Kinds of enhancements to `PrismaClient`
  */
-export type EnhancementKind = 'password' | 'omit' | 'policy' | 'delegate';
+export type EnhancementKind = 'password' | 'omit' | 'policy' | 'validation' | 'delegate';
 
 /**
  * All enhancement kinds
  */
-const ALL_ENHANCEMENTS = ['password', 'omit', 'policy', 'delegate'];
+const ALL_ENHANCEMENTS: EnhancementKind[] = ['password', 'omit', 'policy', 'validation', 'delegate'];
 
 /**
  * Transaction isolation levels: https://www.prisma.io/docs/orm/prisma-client/queries/transactions#transaction-isolation-level
@@ -148,10 +148,10 @@ export function createEnhancement<DbClient extends object>(
         }
     }
 
-    // policy proxy
-    if (kinds.includes('policy')) {
+    // 'policy' and 'validation' enhancements are both enabled by `withPolicy`
+    if (kinds.includes('policy') || kinds.includes('validation')) {
         result = withPolicy(result, options, context);
-        if (hasDefaultAuth) {
+        if (kinds.includes('policy') && hasDefaultAuth) {
             // @default(auth()) proxy
             result = withDefaultAuth(result, options, context);
         }

packages/runtime/src/enhancements/policy/policy-utils.ts

@@ -230,14 +230,33 @@ export class PolicyUtil extends QueryUtils {
 
     //# Auth guard
 
+    private readonly FULLY_OPEN_AUTH_GUARD = {
+        create: true,
+        read: true,
+        update: true,
+        delete: true,
+        postUpdate: true,
+        create_input: true,
+        update_input: true,
+    };
+
+    private getModelAuthGuard(model: string): PolicyDef['guard']['string'] {
+        if (this.options.kinds && !this.options.kinds.includes('policy')) {
+            // policy enhancement not enabled, return an fully open guard
+            return this.FULLY_OPEN_AUTH_GUARD;
+        } else {
+            return this.policy.guard[lowerCaseFirst(model)];
+        }
+    }
+
     /**
      * Gets pregenerated authorization guard object for a given model and operation.
      *
      * @returns true if operation is unconditionally allowed, false if unconditionally denied,
      * otherwise returns a guard object
      */
     getAuthGuard(db: CrudContract, model: string, operation: PolicyOperationKind, preValue?: any) {
-        const guard = this.policy.guard[lowerCaseFirst(model)];
+        const guard = this.getModelAuthGuard(model);
         if (!guard) {
             throw this.unknownError(`unable to load policy guard for ${model}`);
         }
@@ -318,7 +337,7 @@ export class PolicyUtil extends QueryUtils {
      * Checks if the given model has a policy guard for the given operation.
      */
     hasAuthGuard(model: string, operation: PolicyOperationKind) {
-        const guard = this.policy.guard[lowerCaseFirst(model)];
+        const guard = this.getModelAuthGuard(model);
         if (!guard) {
             return false;
         }
@@ -347,7 +366,7 @@ export class PolicyUtil extends QueryUtils {
      * @returns boolean if static analysis is enough to determine the result, undefined if not
      */
     checkInputGuard(model: string, args: any, operation: 'create'): boolean | undefined {
-        const guard = this.policy.guard[lowerCaseFirst(model)];
+        const guard = this.getModelAuthGuard(model);
         if (!guard) {
             return undefined;
         }
@@ -1020,23 +1039,23 @@ export class PolicyUtil extends QueryUtils {
      * Gets field selection for fetching pre-update entity values for the given model.
      */
     getPreValueSelect(model: string): object | undefined {
-        const guard = this.policy.guard[lowerCaseFirst(model)];
+        const guard = this.getModelAuthGuard(model);
         if (!guard) {
             throw this.unknownError(`unable to load policy guard for ${model}`);
         }
         return guard[PRE_UPDATE_VALUE_SELECTOR];
     }
 
     private getReadFieldSelect(model: string): object | undefined {
-        const guard = this.policy.guard[lowerCaseFirst(model)];
+        const guard = this.getModelAuthGuard(model);
         if (!guard) {
             throw this.unknownError(`unable to load policy guard for ${model}`);
         }
         return guard[FIELD_LEVEL_READ_CHECKER_SELECTOR];
     }
 
     private checkReadField(model: string, field: string, entity: any) {
-        const guard = this.policy.guard[lowerCaseFirst(model)];
+        const guard = this.getModelAuthGuard(model);
         if (!guard) {
             throw this.unknownError(`unable to load policy guard for ${model}`);
         }
@@ -1053,7 +1072,7 @@ export class PolicyUtil extends QueryUtils {
     }
 
     private hasFieldLevelPolicy(model: string) {
-        const guard = this.policy.guard[lowerCaseFirst(model)];
+        const guard = this.getModelAuthGuard(model);
         if (!guard) {
             throw this.unknownError(`unable to load policy guard for ${model}`);
         }
@@ -1228,7 +1247,7 @@ export class PolicyUtil extends QueryUtils {
     }
 
     private requireGuard(model: string) {
-        const guard = this.policy.guard[lowerCaseFirst(model)];
+        const guard = this.getModelAuthGuard(model);
         if (!guard) {
             throw this.unknownError(`unable to load policy guard for ${model}`);
         }

packages/runtime/src/enhancements/query-utils.ts

@@ -13,7 +13,7 @@ import { InternalEnhancementOptions } from './create-enhancement';
 import { prismaClientUnknownRequestError, prismaClientValidationError } from './utils';
 
 export class QueryUtils {
-    constructor(private readonly prisma: DbClientContract, private readonly options: InternalEnhancementOptions) {}
+    constructor(private readonly prisma: DbClientContract, protected readonly options: InternalEnhancementOptions) {}
 
     getIdFields(model: string) {
         return getIdFields(this.options.modelMeta, model, true);