mcp-server-sqlite 1.0.0

//! Rule-based access control for the MCP SQLite server.
//!
//! This module implements the permission system that decides which SQL
//! operations the server may execute. Permissions are configured at startup
//! through the `--allow` and `--deny` CLI flags, each taking an *access control
//! selector* that identifies the operation — and optionally the exact resources
//! — the rule applies to.
//!
//! # Selector syntax
//!
//! Every SQLite authorization action (`Read`, `Insert`, `CreateTable`,
//! `DropIndex`, `Function`, etc.) has a corresponding selector type. A selector
//! is written as:
//!
//! - `Action` — matches **all** operations of that type (every field defaults
//!   to the wildcard `*`).
//! - `Action(value)` — pins the first field to a specific value; remaining
//!   fields stay as wildcards.
//! - `Action(value1.value2)` — pins both fields.
//! - `Action(*.value2)` — wildcard first field, pinned second field.
//!
//! For example, the `Read` selector has two fields (`table_name` and
//! `column_name`):
//!
//! | CLI flag                       | Meaning                        |
//! |--------------------------------|--------------------------------|
//! | `--allow Read`                 | allow all column reads         |
//! | `--deny  Read(Secrets)`        | deny reads on `Secrets`        |
//! | `--allow Read(Secrets.id)`     | allow reads on `Secrets.id`    |
//! | `--deny  Read(*.ssn)`          | deny reads on any `ssn` column |
//!
//! # Specificity
//!
//! Each selector has a *specificity* equal to the number of its fields that are
//! pinned to concrete values (i.e. not `*`). A bare `Read` has specificity 0,
//! `Read(Students)` has specificity 1, and `Read(Students.name)` has
//! specificity 2. More specific rules always outrank less specific ones.
//!
//! # Resolution algorithm
//!
//! When SQLite asks "is this operation allowed?", the [`AuthorizationResolver`]
//! evaluates rules as follows:
//!
//! 1. **Collect matching rules.** For each configured rule whose selector
//!    covers the requested operation (globs match anything, values must match
//!    exactly), note its specificity.
//!
//! 2. **Most specific wins.** Rules are evaluated from the highest specificity
//!    level to the lowest. The first level that contains at least one matching
//!    rule determines the outcome.
//!
//! 3. **Deny breaks ties.** If both allow *and* deny rules match at the same
//!    specificity level, the result is **deny** (fail-closed).
//!
//! 4. **Default fallback.** If no rule matches at any level, the per-action
//!    default is used. The default depends on how the resolver was constructed
//!    (e.g. [`AuthorizationResolver::new_allow_everything`] ).
//!
//! One sentence summary: **the most specific matching rule wins; ties go to
//! deny; no match defers to the default.**
//!
//! # Examples
//!
//! ## Read-only server with one table blocked
//!
//! ```text
//! --allow Read --deny Read(Secrets)
//! ```
//!
//! All column reads are allowed except anything touching the `Secrets` table.
//! `Read(Secrets)` has specificity 1 which beats the blanket `Read` at
//! specificity 0, so the deny wins for any column in `Secrets`.
//!
//! ## Read-only with a carve-out
//!
//! ```text
//! --allow Read --deny Read(Secrets) --allow Read(Secrets.id)
//! ```
//!
//! All reads are allowed. Reads on `Secrets` are denied — except for the `id`
//! column, which is explicitly re-allowed at specificity 2 (both fields
//! pinned), beating the specificity-1 deny.
//!
//! ## Conflicting rules at the same specificity
//!
//! ```text
//! --deny Read(Students) --allow Read(*.name)
//! ```
//!
//! A read on `Students.name` matches both rules. `Read(Students)` has
//! specificity 1 (table pinned, column glob) and `Read(*.name)` also has
//! specificity 1 (table glob, column pinned). Because both match at the same
//! level, **deny wins**. To allow `Students.name`, add a more specific rule:
//! `--allow Read(Students.name)` (specificity 2).
//!
//! ## Deny everything, allow specific functions
//!
//! ```text
//! --deny Function --allow Function(count) --allow Function(sum)
//! ```
//!
//! All SQL function calls are denied except `count` and `sum`, which win at
//! specificity 1 over the blanket deny at specificity 0.
//!
//! ## Lock down DDL while permitting reads and inserts
//!
//! ```text
//! --allow Read --allow Insert --allow Select --allow Transaction
//! ```
//!
//! With a deny-everything default, only the explicitly allowed actions proceed.
//! All DDL (`CreateTable`, `DropIndex`, etc.) remains denied because no allow
//! rule exists for those actions.
//!
//! # Code generation
//!
//! The `define_access_control_selector_types!` macro generates the selector
//! structs, the [`AccessControlSelector`] enum, the
//! [`AccessControlSelectorSet`], and the [`AuthorizationResolver`] from a set
//! of struct declarations. Each struct's field types are wrapped in
//! [`ValueOrGlob`] so that every field can independently be a concrete value or
//! a wildcard. The macro also generates `Display` / `FromStr` round-tripping,
//! builder methods, and the specificity-aware resolution logic described above.

use std::{error::Error, fmt::Display, str::FromStr};

/// Counts the number of identifier tokens passed to it at compile time.
///
/// This is used internally by `define_access_control_selector_types!` to
/// determine `FIELD_COUNT` for each generated selector struct, which in turn
/// drives field-count validation during parsing.
///
/// # Examples
///
/// ```ignore
/// count_idents!(a, b, c) // expands to 3
/// count_idents!()        // expands to 0
/// ```
macro_rules! count_idents {
    ($ident: ident, $($rest_idents: ident),* $(,)?) => {
        1 + count_idents!($($rest_idents),*)
    };
    ($ident: ident) => {
        1
    };
    () => {
        0
    };
}

/// Builds a `format!`-compatible template string with `{}` placeholders joined
/// by dots, matching the dot-separated field syntax used in selector strings.
///
/// For a selector struct with fields `table_name` and `column_name`, this
/// produces `"{}.{}"`, which is interpolated inside `format!` to render
/// something like `Students.name`.
///
/// # Examples
///
/// ```ignore
/// formatting_string_literal!(a, b)  // expands to "{}.{}"
/// formatting_string_literal!(a)     // expands to "{}"
/// formatting_string_literal!()      // expands to ""
/// ```
macro_rules! formatting_string_literal {
    ($ident: ident, $($rest_idents: ident),* $(,)?) => {
        concat!("{}.", formatting_string_literal!($($rest_idents),*))
    };
    ($ident: ident) => {
        "{}"
    };
    () => {
        ""
    };
}

/// Generates access control selector structs, an umbrella
/// [`AccessControlSelector`] enum, and all associated trait implementations
/// from a set of struct declarations.
///
/// Each struct declaration passed to this macro produces:
///
/// - A public struct whose field types are each wrapped in [`ValueOrGlob<T>`],
///   so every field can independently hold a concrete value or a wildcard glob.
/// - A variant on [`AccessControlSelector`] named `{Struct}` that wraps the
///   generated struct.
/// - `Display` formatting that round-trips with the CLI string syntax: bare
///   identifier when all fields are globs (e.g., `Read`), or identifier with
///   parenthesized dot-separated fields otherwise (e.g.,
///   `Read(Students.name)`).
/// - `FromStr` parsing that accepts the same syntax and validates field counts
///   and selector identifiers.
/// - `From<T> for String` and `TryFrom<String> for T` conversions.
/// - Builder methods: `new(...)`, `empty()`, and `with_{field}(...)` for
///   ergonomic construction.
/// - Inspection methods: `is_all_glob`, `is_all_value`, `is_any_glob`,
///   `is_any_value`.
///
/// Doc comments (`#[doc = "..."]`) and other attributes placed on the struct or
/// its fields in the macro invocation are forwarded to both the generated
/// struct and the corresponding enum variant via the `$(#[$struct_meta])*` and
/// `$(#[$field_meta])*` captures.
///
/// # Usage
///
/// ```ignore
/// define_access_control_selector_types! {
///     /// Controls read access at the table and column level.
///     pub struct Read {
///         /// The table targeted by this selector.
///         pub table_name: String,
///         /// The column targeted by this selector.
///         pub column_name: String,
///     }
/// }
/// ```
macro_rules! define_access_control_selector_types {
    (
        $(
            $(#[$struct_meta: meta])*
            $struct_vis: vis struct $struct_ident: ident {
                $(
                    $(#[$field_meta: meta])*
                    $field_vis: vis $field_ident: ident: $field_ty: ty
                ),* $(,)?
            }
        )*
    ) => {
        paste::paste! {
            /// Resolves incoming SQLite authorization requests against a set of
            /// configured allow/deny rules and per-action default permissions.
            ///
            /// The resolver holds an [`AccessControlSelectorSet`] containing
            /// all user-supplied rules, plus a default
            /// [`rusqlite::hooks::Authorization`] for each action type that is
            /// used when no rule matches. Call [`authorization`] with an
            /// [`AuthContext`] to obtain the final verdict.
            ///
            /// [`AuthContext`]: rusqlite::hooks::AuthContext
            ///
            /// [`authorization`]: AuthorizationResolver::authorization
            pub struct AuthorizationResolver {
                /// The set of allow/deny rules to evaluate.
                pub selector_set: AccessControlSelectorSet,
                $(
                    /// The fallback authorization returned when no rule in the
                    /// selector set matches this action type.
                    pub [< $struct_ident:snake _default_permissions >]: rusqlite::hooks::Authorization,
                )*
            }

            const _: () = {
                impl AuthorizationResolver {
                    /// Creates a resolver that permits every action by default.
                    /// Rules added to the selector set can then selectively
                    /// deny specific operations.
                    pub fn new_allow_everything() -> Self {
                        Self {
                            selector_set: Default::default(),
                            $(
                                [< $struct_ident:snake _default_permissions >]: rusqlite::hooks::Authorization::Allow,
                            )*
                        }
                    }

                    /// Creates a resolver that denies every action by default.
                    /// Rules added to the selector set can then selectively
                    /// allow specific operations.
                    pub fn new_deny_everything() -> Self {
                        Self {
                            selector_set: Default::default(),
                            $(
                                [< $struct_ident:snake _default_permissions >]: rusqlite::hooks::Authorization::Deny,
                            )*
                        }
                    }

                    pub fn with_selector(mut self, selector: impl Into<AccessControlSelector>, allow: bool) -> Self {
                        self.selector_set = self.selector_set.with_selector(selector, allow);
                        self
                    }

                    $(
                        #[doc = concat!(
                            "Sets the default authorization returned for [`",
                            stringify!($struct_ident),
                            "`] actions when no rule matches."
                        )]
                        pub const fn [< with_ $struct_ident:snake _default_permissions >](
                            mut self,
                            default_permissions: rusqlite::hooks::Authorization
                        ) -> Self {
                            self.[< $struct_ident:snake _default_permissions >] = default_permissions;
                            self
                        }
                    )*

                    /// Evaluates the configured rules against an incoming
                    /// SQLite authorization request. Dispatches to the
                    /// appropriate type-specific check on the selector set and
                    /// falls back to the per-action default when no rule
                    /// matches. Unrecognized actions are denied
                    /// unconditionally.
                    pub fn authorization(
                        &self,
                        ctx: rusqlite::hooks::AuthContext<'_>
                    ) -> rusqlite::hooks::Authorization {
                        match ctx.action {
                            $(
                                rusqlite::hooks::AuthAction::$struct_ident { $($field_ident,)* .. } => {
                                    self
                                        .selector_set
                                        .[< check_ $struct_ident: snake >]($(&$field_ident),*)
                                        .map(Into::into)
                                        .unwrap_or(self.[< $struct_ident:snake _default_permissions >])
                                }
                            )*,
                            _ => rusqlite::hooks::Authorization::Deny
                        }
                    }
                }
            };

            /// Holds all configured access control rules, grouped by selector
            /// type and indexed by specificity.
            ///
            /// Each selector type gets its own [`BTreeMap`] keyed by the
            /// selector's [`specificity`] value (number of concrete
            /// [`Value`](ValueOrGlob::Value) fields). This layout enables the
            /// policy resolver to iterate from most-specific to least-specific
            /// rules efficiently: the highest-specificity match wins, with deny
            /// breaking ties.
            ///
            /// [`BTreeMap`]: std::collections::BTreeMap
            /// [`specificity`]: #method.specificity
            #[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Default)]
            pub struct AccessControlSelectorSet {
                $(
                    $(#[$struct_meta])*
                    pub [<$struct_ident: snake _selectors>]: std::collections::BTreeMap<usize, Vec<Permission<$struct_ident>>>,
                )*
            }

            const _: () = {
                impl AccessControlSelectorSet {
                    /// Creates an empty [`AccessControlSelectorSet`] with no
                    /// rules.
                    pub fn new() -> Self {
                        Default::default()
                    }

                    /// Adds a rule by converting any selector type into an
                    /// [`AccessControlSelector`] and dispatching it to the
                    /// appropriate type-specific builder. `allow` controls
                    /// whether the rule permits or denies the matched
                    /// operation.
                    pub fn with_selector(
                        self,
                        selector: impl Into<AccessControlSelector>,
                        allow: bool
                    ) -> Self {
                        let selector = selector.into();
                        match selector {
                            $(
                                AccessControlSelector::$struct_ident(selector)
                                    => self.[<with_ $struct_ident: snake _selector>](
                                        selector,
                                        allow
                                    )
                            ),*
                        }
                    }

                    $(
                        #[doc = concat!(
                            "Adds a [`", stringify!($struct_ident),
                            "`] rule, inserting it into the ",
                            "bucket matching its specificity."
                        )]
                        pub fn [<with_ $struct_ident: snake _selector>](
                            mut self,
                            selector: $struct_ident,
                            allow: bool
                        ) -> Self {
                            self.[<$struct_ident: snake _selectors>]
                                .entry(selector.specificity())
                                .or_default()
                                .push(Permission {
                                    selector,
                                    allow
                                });
                            self
                        }

                        #[doc = concat!(
                            "Resolves the configured [`",
                            stringify!($struct_ident),
                            "`] rules against the given field values. ",
                            "Iterates from highest to lowest specificity; ",
                            "at each level, deny wins if both allow and deny ",
                            "match. Returns `None` when no rule matches."
                        )]
                        #[allow(clippy::ptr_arg)]
                        pub fn [< check_ $struct_ident: snake >](&self, $($field_ident: &(impl PartialEq<$field_ty> + ?Sized)),*) -> Option<Authorization> {
                            for permissions in self.[<$struct_ident: snake _selectors>].values().rev() {
                                let mut allow_encountered = false;
                                let mut deny_encountered = false;
                                let authorizations = permissions.iter().filter_map(|permission| permission.check($($field_ident),*));
                                for authorization in authorizations {
                                    match authorization {
                                        Authorization::Allow => {
                                            allow_encountered = true
                                        }
                                        Authorization::Deny => {
                                            deny_encountered = true
                                        }
                                    }
                                    if allow_encountered == true && deny_encountered == true {
                                        return Some(Authorization::Deny)
                                    }
                                }
                                match (allow_encountered, deny_encountered) {
                                    (false, false) => {
                                        continue
                                    },
                                    (true, false) => {
                                        return Some(Authorization::Allow)
                                    },
                                    (_, true) => {
                                        return Some(Authorization::Deny)
                                    },
                                }
                            }
                            None
                        }
                    )*
                }
            };

            /// Umbrella enum unifying all access control selector types into a
            /// single type for use with the CLI argument parser.
            ///
            /// Each variant wraps a specific selector struct generated by
            /// `define_access_control_selector_types!`. Parsing a selector
            /// string through this enum automatically dispatches to the correct
            /// variant based on the leading identifier.
            #[allow(clippy::enum_variant_names)]
            #[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash)]
            pub enum AccessControlSelector {
                $(
                    $(#[$struct_meta])*
                    $struct_ident($struct_ident)
                ),*
            }

            const _: () = {
                use core::fmt::{Display, Formatter, Result as FmtResult};

                use $crate::access_control::AccessControlSelectorParseError;
                use $crate::access_control::AccessControlSelectorParseError::*;

                impl AccessControlSelector {
                    $(
                        #[doc = concat!(
                            "Returns `true` if this is the [`",
                            stringify!($struct_ident),
                            "`] variant."
                        )]
                        pub const fn [<is_ $struct_ident: snake>](&self) -> bool {
                            matches!(self, Self::$struct_ident(..))
                        }

                        #[doc = concat!(
                            "Returns a reference to the inner [`",
                            stringify!($struct_ident),
                            "`] if this is that variant, ",
                            "or `None` otherwise."
                        )]
                        pub const fn [<as_ $struct_ident: snake>](&self) -> Option<&$struct_ident> {
                            if let Self::$struct_ident(value) = self {
                                Some(value)
                            } else {
                                None
                            }
                        }

                        #[doc = concat!(
                            "Consumes `self` and returns the ",
                            "inner [`",
                            stringify!($struct_ident),
                            "`] if this is that variant, ",
                            "or `None` otherwise."
                        )]
                        pub fn [<into_ $struct_ident: snake>](self) -> Option<$struct_ident> {
                            if let Self::$struct_ident(value) = self {
                                Some(value)
                            } else {
                                None
                            }
                        }
                    )*
                }

                /// Delegates to the wrapped selector variant's [`Display`]
                /// implementation, producing the CLI selector syntax.
                impl Display for AccessControlSelector {
                    fn fmt(&self, f: &mut Formatter<'_>) -> FmtResult {
                        match self {
                            $(
                                Self::$struct_ident(selector) => Display::fmt(selector, f),
                            )*
                        }
                    }
                }

                /// Converts an [`AccessControlSelector`] into its string
                /// representation via [`Display`].
                impl From<AccessControlSelector> for String {
                    fn from(v: AccessControlSelector) -> Self {
                        v.to_string()
                    }
                }

                /// Parses a selector string by extracting the leading
                /// identifier and dispatching to the corresponding variant's
                /// [`FromStr`] implementation.
                ///
                /// # Errors
                ///
                /// Returns
                /// [`AccessControlSelectorParseError::InvalidAccessControlSelectorIdentifier`]
                /// when the leading identifier does not match any known
                /// selector variant, and propagates any error from the
                /// variant-level parser.
                impl FromStr for AccessControlSelector {
                    type Err = AccessControlSelectorParseError;

                    fn from_str(s: &str) -> Result<Self, Self::Err> {
                        let selector = s
                            .split("(")
                            .next()
                            .ok_or_else(|| InvalidAccessControlSelectorIdentifier {
                                found: None,
                                expected: &[$(stringify!($struct_ident)),*],
                                access_control_selector_string: s.into(),
                            })?;

                        match selector {
                            $(
                                stringify!($struct_ident) => s.parse().map(Self::$struct_ident),
                            )*
                            other => Err(InvalidAccessControlSelectorIdentifier {
                                found: Some(other.into()),
                                expected: &[$(stringify!($struct_ident)),*],
                                access_control_selector_string: s.into(),
                            })
                        }
                    }
                }

                /// Parses an owned `String` into an [`AccessControlSelector`]
                /// by delegating to [`FromStr`].
                impl TryFrom<String> for AccessControlSelector {
                    type Error = AccessControlSelectorParseError;

                    fn try_from(v: String) -> Result<Self, Self::Error> {
                        v.parse()
                    }
                }

                $(
                    #[doc = concat!(
                        "Converts a [`",
                        stringify!($struct_ident),
                        "`] into its corresponding [`",
                        "AccessControlSelector`] variant."
                    )]
                    impl From<$struct_ident> for AccessControlSelector {
                        fn from(value: $struct_ident) -> Self {
                            Self::$struct_ident(value)
                        }
                    }
                )*
            };

            $(
                $(#[$struct_meta])*
                #[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash)]
                $struct_vis struct $struct_ident {
                    $(
                        $(#[$field_meta])*
                        $field_vis $field_ident: ValueOrGlob<$field_ty>
                    ),*
                }

                const _: () = {
                    use core::fmt::{Display, Formatter, Result as FmtResult};
                    use core::convert::*;
                    use core::str::*;

                    use $crate::access_control::{AccessControlSelectorParseError};
                    use $crate::access_control::AccessControlSelectorParseError::*;

                    impl $struct_ident {
                        #[doc = concat!(
                            "The number of fields declared on [`",
                            stringify!($struct_ident),
                            "`], used for field-count validation during parsing."
                        )]
                        const FIELD_COUNT: usize = count_idents!($($field_ident),*);

                        #[doc = concat!(
                            "Creates a new [`", stringify!($struct_ident),
                            "`] with the provided field values."
                        )]
                        #[doc = ""]
                        #[doc = concat!(
                            "Each argument accepts any type that implements ",
                            "`Into<ValueOrGlob<T>>`, so callers can pass a raw ",
                            "value, a [`ValueOrGlob`], or an `Option<T>`."
                        )]
                        pub fn new(
                            $(
                                $field_ident: impl Into<ValueOrGlob<$field_ty>>
                            ),*
                        ) -> Self {
                            Self {
                                $(
                                    $field_ident: $field_ident.into()
                                ),*
                            }
                        }

                        #[doc = concat!(
                            "Creates a [`", stringify!($struct_ident),
                            "`] where every field is a [`Glob`](ValueOrGlob::Glob), ",
                            "matching all possible values."
                        )]
                        pub fn empty() -> Self {
                            Self {
                                $(
                                    $field_ident: Default::default()
                                ),*
                            }
                        }

                        $(
                            #[doc = concat!(
                                "Sets [`", stringify!($struct_ident),
                                "::", stringify!($field_ident),
                                "`] and returns `self` for method chaining."
                            )]
                            #[doc = ""]
                            $(#[$field_meta])*
                            pub fn [< with_ $field_ident >](mut self, value: impl Into<ValueOrGlob<$field_ty>>) -> Self {
                                self.$field_ident = value.into();
                                self
                            }
                        )*

                        #[doc = concat!(
                            "Returns `true` if every field on this [`",
                            stringify!($struct_ident),
                            "`] is a [`Glob`](ValueOrGlob::Glob)."
                        )]
                        pub const fn is_all_glob(&self) -> bool {
                            if Self::FIELD_COUNT != 0 {
                                true $(&& ValueOrGlob::is_glob(&self.$field_ident))*
                            } else {
                                false
                            }
                        }

                        #[doc = concat!(
                            "Returns `true` if every field on this [`",
                            stringify!($struct_ident),
                            "`] is a [`Value`](ValueOrGlob::Value)."
                        )]
                        pub const fn is_all_value(&self) -> bool {
                            if Self::FIELD_COUNT != 0 {
                                true $(&& ValueOrGlob::is_value(&self.$field_ident))*
                            } else {
                                false
                            }
                        }

                        #[doc = concat!(
                            "Returns `true` if at least one field on this [`",
                            stringify!($struct_ident),
                            "`] is a [`Glob`](ValueOrGlob::Glob)."
                        )]
                        pub const fn is_any_glob(&self) -> bool {
                            if Self::FIELD_COUNT != 0 {
                                false $(|| ValueOrGlob::is_glob(&self.$field_ident))*
                            } else {
                                false
                            }
                        }

                        #[doc = concat!(
                            "Returns `true` if at least one field on this [`",
                            stringify!($struct_ident),
                            "`] is a [`Value`](ValueOrGlob::Value)."
                        )]
                        pub const fn is_any_value(&self) -> bool {
                            if Self::FIELD_COUNT != 0 {
                               false  $(|| ValueOrGlob::is_value(&self.$field_ident))*
                            } else {
                                false
                            }
                        }

                        #[doc = concat!(
                            "Returns the number of ",
                            "[`Value`](ValueOrGlob::Value) ",
                            "fields on this [`",
                            stringify!($struct_ident),
                            "`], used to rank competing ",
                            "policy rules during resolution. ",
                            "A higher specificity means the ",
                            "rule targets a narrower set of ",
                            "operations."
                        )]
                        #[allow(unused_mut)]
                        pub const fn specificity(&self) -> usize {
                            let mut specificity = 0;

                            $(
                                if self.$field_ident.is_value() {
                                    specificity += 1
                                }
                            )*

                            specificity
                        }

                        #[doc = concat!(
                            "Returns `true` if this selector ",
                            "covers the given field values. ",
                            "A [`Glob`](ValueOrGlob::Glob) ",
                            "field matches any value; a ",
                            "[`Value`](ValueOrGlob::Value) ",
                            "field matches only when equal."
                        )]
                        #[allow(clippy::ptr_arg)]
                        pub fn matches(&self, $($field_ident: &(impl PartialEq<$field_ty> + ?Sized)),*) -> bool {
                            true $(&& (self.$field_ident.is_glob() || self.$field_ident.as_value().is_some_and(|field_value| PartialEq::<$field_ty>::eq($field_ident, field_value))))*
                        }
                    }

                    #[allow(clippy::ptr_arg)]
                    impl Permission<$struct_ident> {
                        #[doc = concat!(
                            "If the inner [`",
                            stringify!($struct_ident),
                            "`] selector matches the given ",
                            "fields, returns the ",
                            "[`Authorization`] implied by ",
                            "this permission's `allow` flag. ",
                            "Returns `None` on no match."
                        )]
                        pub fn check(&self, $($field_ident: &(impl PartialEq<$field_ty> + ?Sized)),*) -> Option<Authorization> {
                            self.selector.matches($($field_ident),*).then(|| match self.allow {
                                true => Authorization::Allow,
                                false => Authorization::Deny,
                            })
                        }
                    }

                    #[doc = concat!(
                        "Defaults to [`", stringify!($struct_ident),
                        "::empty`], producing a selector where every field ",
                        "is a glob."
                    )]
                    impl Default for $struct_ident {
                        fn default() -> Self {
                            Self::empty()
                        }
                    }

                    #[doc = concat!(
                        "Formats this [`", stringify!($struct_ident),
                        "`] using the CLI selector syntax. When all fields ",
                        "are globs, renders the bare identifier `",
                        stringify!($struct_ident),
                        "`; otherwise renders the identifier with ",
                        "parenthesized dot-separated fields."
                    )]
                    impl Display for $struct_ident {
                        fn fmt(&self, f: &mut Formatter<'_>) -> FmtResult {
                            if Self::FIELD_COUNT == 0 || self.is_all_glob() {
                                core::write!(f, stringify!($struct_ident))
                            } else {
                                core::write!(
                                    f,
                                    concat!(
                                        stringify!($struct_ident),
                                        "(",
                                        formatting_string_literal!($($field_ident),*),
                                        ")"
                                    ),
                                    $(self.$field_ident),*
                                )
                            }
                        }
                    }

                    #[doc = concat!(
                        "Converts a [`", stringify!($struct_ident),
                        "`] into its string representation via [`Display`]."
                    )]
                    impl From<$struct_ident> for String {
                        fn from(value: $struct_ident) -> Self {
                            value.to_string()
                        }
                    }

                    #[doc = concat!(
                        "Parses a selector string into a [`",
                        stringify!($struct_ident),
                        "`]. Accepts the syntax `",
                        stringify!($struct_ident),
                        "` or `", stringify!($struct_ident),
                        "(field1.field2)`."
                    )]
                    #[allow(unused_mut, unused_variables)]
                    impl FromStr for $struct_ident {
                        type Err = AccessControlSelectorParseError;

                        fn from_str(s: &str) -> Result<Self, Self::Err> {
                            let parsed_access_control_selector = ParsedAccessControlSelector::<'_, {Self::FIELD_COUNT}>::new(s)?;

                            if parsed_access_control_selector.access_control_selector_ident != stringify!($struct_ident) {
                                return Err(IncorrectAccessControlSelectorIdentifier {
                                    expected: stringify!($struct_ident).into(),
                                    found: parsed_access_control_selector.access_control_selector_ident.into(),
                                    access_control_selector_string: s.into()
                                })
                            }

                            let mut access_control_selector = Self::default();
                            let mut fields = parsed_access_control_selector.fields.into_iter().flatten().map(str::trim);
                            $(
                                let field = fields.next();
                                if let Some(field) = field {
                                    let field_value = ValueOrGlob::<$field_ty>::from_str(field).map_err(|err| FailedToParseFieldValue {
                                        field_ident: stringify!($field_ident).into(),
                                        field_value: field.into(),
                                        error: Box::new(err) as _
                                    })?;
                                    access_control_selector = access_control_selector.[< with_ $field_ident >](field_value)
                                }
                            )*

                            Ok(access_control_selector)
                        }
                    }

                    #[doc = concat!(
                        "Parses an owned `String` into a [`",
                        stringify!($struct_ident),
                        "`] by delegating to [`FromStr`]."
                    )]
                    impl TryFrom<String> for $struct_ident {
                        type Error = AccessControlSelectorParseError;

                        fn try_from(v: String) -> Result<Self, Self::Error> {
                            v.parse()
                        }
                    }
                };
            )*
        }
    };
}

define_access_control_selector_types! {
    /// Selector for `CREATE INDEX` statements, scoped to a table and index
    /// name.
    ///
    /// # String syntax examples
    ///
    /// - `CreateIndex` -- any index on any table.
    /// - `CreateIndex(Students)` -- any index on `Students`.
    /// - `CreateIndex(Students.idx_email)` -- one specific index.
    pub struct CreateIndex {
        /// The table the index is created on, or `*` for any.
        pub table_name: String,
        /// The name of the index being created, or `*` for any.
        pub index_name: String,
    }

    /// Selector for `CREATE TABLE` statements.
    ///
    /// # String syntax examples
    ///
    /// - `CreateTable` -- any table.
    /// - `CreateTable(Students)` -- only `Students`.
    pub struct CreateTable {
        /// The name of the table being created, or `*` for any.
        pub table_name: String,
    }

    /// Selector for `CREATE TEMP INDEX` statements, scoped to a table and index
    /// name.
    ///
    /// # String syntax examples
    ///
    /// - `CreateTempIndex` -- any temporary index on any table.
    /// - `CreateTempIndex(Sessions)` -- temp indexes on `Sessions`.
    pub struct CreateTempIndex {
        /// The table the temp index is created on, or `*` for any.
        pub table_name: String,
        /// The name of the temp index being created, or `*` for any.
        pub index_name: String,
    }

    /// Selector for `CREATE TEMP TABLE` statements.
    ///
    /// # String syntax examples
    ///
    /// - `CreateTempTable` -- any temporary table.
    /// - `CreateTempTable(scratch)` -- only `scratch`.
    pub struct CreateTempTable {
        /// The name of the temp table being created, or `*` for any.
        pub table_name: String,
    }

    /// Selector for `CREATE TEMP TRIGGER` statements, scoped to a table and
    /// trigger name.
    ///
    /// # String syntax examples
    ///
    /// - `CreateTempTrigger` -- any temp trigger on any table.
    /// - `CreateTempTrigger(Orders.trg_audit)` -- one specific trigger.
    pub struct CreateTempTrigger {
        /// The table the temp trigger fires on, or `*` for any.
        pub table_name: String,
        /// The name of the temp trigger, or `*` for any.
        pub trigger_name: String,
    }

    /// Selector for `CREATE TEMP VIEW` statements.
    ///
    /// # String syntax examples
    ///
    /// - `CreateTempView` -- any temporary view.
    /// - `CreateTempView(recent_orders)` -- only `recent_orders`.
    pub struct CreateTempView {
        /// The name of the temp view being created, or `*` for any.
        pub view_name: String,
    }

    /// Selector for `CREATE TRIGGER` statements, scoped to a table and trigger
    /// name.
    ///
    /// # String syntax examples
    ///
    /// - `CreateTrigger` -- any trigger on any table.
    /// - `CreateTrigger(Orders.trg_audit)` -- one specific trigger.
    pub struct CreateTrigger {
        /// The table the trigger fires on, or `*` for any.
        pub table_name: String,
        /// The name of the trigger being created, or `*` for any.
        pub trigger_name: String,
    }

    /// Selector for `CREATE VIEW` statements.
    ///
    /// # String syntax examples
    ///
    /// - `CreateView` -- any view.
    /// - `CreateView(active_users)` -- only `active_users`.
    pub struct CreateView {
        /// The name of the view being created, or `*` for any.
        pub view_name: String,
    }

    /// Selector for `DELETE` statements, scoped to a table.
    ///
    /// # String syntax examples
    ///
    /// - `Delete` -- delete from any table.
    /// - `Delete(Sessions)` -- only from `Sessions`.
    pub struct Delete {
        /// The table being deleted from, or `*` for any.
        pub table_name: String,
    }

    /// Selector for `DROP INDEX` statements, scoped to a table and index name.
    ///
    /// # String syntax examples
    ///
    /// - `DropIndex` -- any index on any table.
    /// - `DropIndex(Students.idx_email)` -- one specific index.
    pub struct DropIndex {
        /// The table the index belongs to, or `*` for any.
        pub table_name: String,
        /// The name of the index being dropped, or `*` for any.
        pub index_name: String,
    }

    /// Selector for `DROP TABLE` statements.
    ///
    /// # String syntax examples
    ///
    /// - `DropTable` -- any table.
    /// - `DropTable(Students)` -- only `Students`.
    pub struct DropTable {
        /// The name of the table being dropped, or `*` for any.
        pub table_name: String,
    }

    /// Selector for `DROP TEMP INDEX` statements, scoped to a table and index
    /// name.
    ///
    /// # String syntax examples
    ///
    /// - `DropTempIndex` -- any temporary index.
    /// - `DropTempIndex(Sessions.idx_ts)` -- one specific index.
    pub struct DropTempIndex {
        /// The table the temp index belongs to, or `*` for any.
        pub table_name: String,
        /// The name of the temp index being dropped, or `*` for any.
        pub index_name: String,
    }

    /// Selector for `DROP TEMP TABLE` statements.
    ///
    /// # String syntax examples
    ///
    /// - `DropTempTable` -- any temporary table.
    /// - `DropTempTable(scratch)` -- only `scratch`.
    pub struct DropTempTable {
        /// The name of the temp table being dropped, or `*` for any.
        pub table_name: String,
    }

    /// Selector for `DROP TEMP TRIGGER` statements, scoped to a table and
    /// trigger name.
    ///
    /// # String syntax examples
    ///
    /// - `DropTempTrigger` -- any temp trigger.
    /// - `DropTempTrigger(Orders.trg_audit)` -- one specific trigger.
    pub struct DropTempTrigger {
        /// The table the temp trigger fires on, or `*` for any.
        pub table_name: String,
        /// The name of the temp trigger being dropped, or `*`.
        pub trigger_name: String,
    }

    /// Selector for `DROP TEMP VIEW` statements.
    ///
    /// # String syntax examples
    ///
    /// - `DropTempView` -- any temporary view.
    /// - `DropTempView(recent_orders)` -- only `recent_orders`.
    pub struct DropTempView {
        /// The name of the temp view being dropped, or `*` for any.
        pub view_name: String,
    }

    /// Selector for `DROP TRIGGER` statements, scoped to a table and trigger
    /// name.
    ///
    /// # String syntax examples
    ///
    /// - `DropTrigger` -- any trigger on any table.
    /// - `DropTrigger(Orders.trg_audit)` -- one specific trigger.
    pub struct DropTrigger {
        /// The table the trigger fires on, or `*` for any.
        pub table_name: String,
        /// The name of the trigger being dropped, or `*` for any.
        pub trigger_name: String,
    }

    /// Selector for `DROP VIEW` statements.
    ///
    /// # String syntax examples
    ///
    /// - `DropView` -- any view.
    /// - `DropView(active_users)` -- only `active_users`.
    pub struct DropView {
        /// The name of the view being dropped, or `*` for any.
        pub view_name: String,
    }

    /// Selector for `INSERT` statements, scoped to a table.
    ///
    /// # String syntax examples
    ///
    /// - `Insert` -- insert into any table.
    /// - `Insert(Students)` -- only into `Students`.
    pub struct Insert {
        /// The table being inserted into, or `*` for any.
        pub table_name: String,
    }

    /// Selector for `PRAGMA` statements, scoped to a pragma name
    ///
    /// # String syntax examples
    ///
    /// - `Pragma` -- any pragma.
    /// - `Pragma(journal_mode)` -- only `journal_mode`.
    pub struct Pragma {
        /// The pragma name, or `*` for any.
        pub pragma_name: String,
    }

    /// Selector for column-level read operations, scoped to a table and column.
    ///
    /// When both fields are globs, this matches all read operations across the
    /// entire database. Specifying a `table_name` narrows the scope to a single
    /// table, and additionally specifying a `column_name` narrows it to one
    /// column.
    ///
    /// # String syntax examples
    ///
    /// - `Read` -- all tables, all columns.
    /// - `Read(Students)` -- the `Students` table, all columns.
    /// - `Read(Students.name)` -- only the `name` column of `Students`.
    /// - `Read(*.name)` -- the `name` column across every table.
    pub struct Read {
        /// The target table name, or `*` to match any table.
        pub table_name: String,
        /// The target column name, or `*` to match any column.
        pub column_name: String,
    }

    /// Selector for bare `SELECT` operations (the statement-level authorization
    /// check, not column-level reads).
    pub struct Select {}

    /// Selector for transaction control operations (`BEGIN`, `COMMIT`,
    /// `ROLLBACK`).
    ///
    /// # String syntax examples
    ///
    /// - `Transaction` -- any transaction operation.
    /// - `Transaction(BEGIN)` -- only `BEGIN` statements.
    pub struct Transaction {
        /// The transaction operation name, or `*` for any.
        pub operation: TransactionOperation,
    }

    /// Selector for `UPDATE` statements, scoped to a table and column.
    ///
    /// # String syntax examples
    ///
    /// - `Update` -- any column on any table.
    /// - `Update(Students)` -- any column on `Students`.
    /// - `Update(Students.email)` -- only the `email` column.
    pub struct Update {
        /// The table being updated, or `*` for any.
        pub table_name: String,
        /// The column being updated, or `*` for any.
        pub column_name: String,
    }

    /// Selector for `ATTACH DATABASE` statements, scoped to a filename.
    ///
    /// # String syntax examples
    ///
    /// - `Attach` -- any attachment.
    /// - `Attach(other.db)` -- only `other.db`.
    pub struct Attach {
        /// The filename being attached, or `*` for any.
        pub filename: String,
    }

    /// Selector for `DETACH DATABASE` statements, scoped to a database name.
    ///
    /// # String syntax examples
    ///
    /// - `Detach` -- any detachment.
    /// - `Detach(aux)` -- only the `aux` database.
    pub struct Detach {
        /// The database name being detached, or `*` for any.
        pub database_name: String,
    }

    /// Selector for `ALTER TABLE` statements, scoped to a database and table.
    ///
    /// # String syntax examples
    ///
    /// - `AlterTable` -- any alter on any table.
    /// - `AlterTable(main.Students)` -- `Students` in `main`.
    pub struct AlterTable {
        /// The database the table belongs to, or `*` for any.
        pub database_name: String,
        /// The table being altered, or `*` for any.
        pub table_name: String,
    }

    /// Selector for `REINDEX` statements, scoped to an index name.
    ///
    /// # String syntax examples
    ///
    /// - `Reindex` -- any index.
    /// - `Reindex(idx_email)` -- only `idx_email`.
    pub struct Reindex {
        /// The name of the index being reindexed, or `*` for any.
        pub index_name: String,
    }

    /// Selector for `ANALYZE` statements, scoped to a table.
    ///
    /// # String syntax examples
    ///
    /// - `Analyze` -- any table.
    /// - `Analyze(Students)` -- only `Students`.
    pub struct Analyze {
        /// The table being analyzed, or `*` for any.
        pub table_name: String,
    }

    /// Selector for `CREATE VIRTUAL TABLE` statements, scoped to a table and
    /// module name.
    ///
    /// # String syntax examples
    ///
    /// - `CreateVtable` -- any virtual table.
    /// - `CreateVtable(docs.fts5)` -- `docs` using `fts5`.
    pub struct CreateVtable {
        /// The name of the virtual table, or `*` for any.
        pub table_name: String,
        /// The module backing the virtual table, or `*` for any.
        pub module_name: String,
    }

    /// Selector for `DROP VIRTUAL TABLE` statements, scoped to a table and
    /// module name.
    ///
    /// # String syntax examples
    ///
    /// - `DropVtable` -- any virtual table.
    /// - `DropVtable(docs.fts5)` -- `docs` backed by `fts5`.
    pub struct DropVtable {
        /// The name of the virtual table, or `*` for any.
        pub table_name: String,
        /// The module backing the virtual table, or `*` for any.
        pub module_name: String,
    }

    /// Selector for SQL function invocations within a query.
    ///
    /// # String syntax examples
    ///
    /// - `Function` -- any function.
    /// - `Function(load_extension)` -- only `load_extension`.
    pub struct Function {
        /// The name of the function being called, or `*` for any.
        pub function_name: String,
    }

    /// Selector for `SAVEPOINT`, `RELEASE`, and `ROLLBACK TO` operations on
    /// named savepoints.
    ///
    /// # String syntax examples
    ///
    /// - `Savepoint` -- any savepoint operation.
    /// - `Savepoint(RELEASE)` -- only `RELEASE` operations.
    /// - `Savepoint(RELEASE.sp1)` -- `RELEASE` on savepoint `sp1`.
    pub struct Savepoint {
        /// The savepoint operation, or `*` for any.
        pub operation: TransactionOperation,
        /// The savepoint name, or `*` for any.
        pub savepoint_name: String,
    }

    /// Selector for recursive query authorization checks.
    pub struct Recursive {}
}

/// A wildcard marker that matches any value in a selector field.
///
/// `Glob` is the unit type behind [`ValueOrGlob::Glob`]. It displays as `*` and
/// is produced whenever a selector field is omitted or explicitly set to `*` in
/// the CLI string syntax.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Default)]
pub struct Glob;

/// Renders the glob as the wildcard character `*`.
impl Display for Glob {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "*")
    }
}

/// Either a concrete value of type `T` or a wildcard [`Glob`].
///
/// Every field on a generated selector struct is wrapped in this enum so that
/// it can independently be pinned to a specific value or left as a glob to
/// match anything. This is the core abstraction that allows selectors to
/// express patterns like `Read(Students.*)` (specific table, any column) or
/// `Read(*.name)` (any table, specific column).
///
/// The `Default` implementation returns `Glob`, matching the convention that an
/// unspecified field matches everything.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub enum ValueOrGlob<T> {
    /// A concrete, pinned value that this selector field must match exactly.
    Value(T),
    /// A wildcard that matches any value for this selector field.
    Glob(Glob),
}

/// Defaults to [`ValueOrGlob::Glob`] so that omitted fields match everything.
impl<T> Default for ValueOrGlob<T> {
    fn default() -> Self {
        Self::new_glob()
    }
}

impl<T> ValueOrGlob<T> {
    /// Creates a [`ValueOrGlob::Value`] by converting the argument into `T`.
    ///
    /// Accepts anything that implements `Into<T>` so callers can pass owned
    /// values, string slices (when `T = String`), and other convertible types
    /// without explicit conversion at the call site.
    pub fn new_value(value: impl Into<T>) -> Self {
        Self::Value(value.into())
    }

    /// Creates a [`ValueOrGlob::Glob`], representing a wildcard that matches
    /// any value.
    pub const fn new_glob() -> Self {
        Self::Glob(Glob)
    }

    /// Returns `true` if this is a concrete [`Value`](ValueOrGlob::Value).
    pub const fn is_value(&self) -> bool {
        matches!(self, Self::Value(..))
    }

    /// Returns `true` if this is a wildcard [`Glob`](ValueOrGlob::Glob).
    pub const fn is_glob(&self) -> bool {
        matches!(self, Self::Glob(..))
    }

    /// Returns a reference to the inner value if this is a
    /// [`Value`](ValueOrGlob::Value), or `None` if it is a glob.
    pub const fn as_value(&self) -> Option<&T> {
        match self {
            ValueOrGlob::Value(value) => Some(value),
            ValueOrGlob::Glob(_) => None,
        }
    }

    /// Returns a reference to the inner [`Glob`] if this is a
    /// [`Glob`](ValueOrGlob::Glob) variant, or `None` if it is a value.
    pub const fn as_glob(&self) -> Option<&Glob> {
        match self {
            ValueOrGlob::Value(_) => None,
            ValueOrGlob::Glob(glob) => Some(glob),
        }
    }

    /// Consumes `self` and returns the inner `T` if this is a
    /// [`Value`](ValueOrGlob::Value), or `None` if it is a glob.
    pub fn into_value(self) -> Option<T> {
        match self {
            ValueOrGlob::Value(value) => Some(value),
            ValueOrGlob::Glob(_) => None,
        }
    }

    /// Consumes `self` and returns the inner [`Glob`] if this is a
    /// [`Glob`](ValueOrGlob::Glob) variant, or `None` if it is a value.
    pub fn into_glob(self) -> Option<Glob> {
        match self {
            ValueOrGlob::Value(_) => None,
            ValueOrGlob::Glob(glob) => Some(glob),
        }
    }
}

/// Delegates to the inner value's `Display` for [`Value`](ValueOrGlob::Value),
/// or renders `*` for [`Glob`](ValueOrGlob::Glob).
impl<T> Display for ValueOrGlob<T>
where
    T: Display,
{
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            ValueOrGlob::Value(value) => Display::fmt(value, f),
            ValueOrGlob::Glob(glob) => Display::fmt(glob, f),
        }
    }
}

/// Converts a [`ValueOrGlob`] to its string representation, enabling `.into()`
/// at call sites that expect a `String`.
impl<T> From<ValueOrGlob<T>> for String
where
    T: Display,
{
    fn from(value: ValueOrGlob<T>) -> Self {
        value.to_string()
    }
}

/// Parses `"*"` as a [`Glob`](ValueOrGlob::Glob) and anything else by
/// delegating to `T::from_str`, yielding a [`Value`](ValueOrGlob::Value) on
/// success.
impl<T> FromStr for ValueOrGlob<T>
where
    T: FromStr,
{
    type Err = T::Err;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        if s == "*" {
            Ok(Self::Glob(Glob))
        } else {
            T::from_str(s).map(Self::Value)
        }
    }
}

/// Parses an owned `String` into a [`ValueOrGlob`] by delegating to
/// [`FromStr`], enabling `value.try_into()` at call sites.
impl<T> TryFrom<String> for ValueOrGlob<T>
where
    T: FromStr,
{
    type Error = T::Err;

    fn try_from(value: String) -> Result<Self, Self::Error> {
        value.parse()
    }
}

/// Converts an `Option<T>` into a [`ValueOrGlob`]: `Some(v)` becomes
/// [`Value(v)`](ValueOrGlob::Value) and `None` becomes
/// [`Glob`](ValueOrGlob::Glob), mirroring the semantics of "present means
/// pinned, absent means match-all."
impl<T> From<Option<T>> for ValueOrGlob<T> {
    fn from(value: Option<T>) -> Self {
        match value {
            Some(value) => Self::Value(value),
            None => Self::Glob(Glob),
        }
    }
}

/// Intermediate representation produced by splitting a raw selector string into
/// its identifier and optional dot-separated field values.
///
/// This is an internal parsing helper consumed by the `FromStr` implementations
/// generated by `define_access_control_selector_types!`. The const generic
/// `FIELD_COUNT` is set to the number of fields declared on the target struct,
/// and is used to validate that the input does not contain more fields than the
/// struct expects.
struct ParsedAccessControlSelector<'a, const FIELD_COUNT: usize> {
    /// The selector identifier portion of the input string (e.g., `"Read"`).
    pub access_control_selector_ident: &'a str,
    /// The dot-separated field values inside the parentheses, if any were
    /// present. `None` when the input was a bare identifier like `"Read"`.
    pub fields: Option<std::str::Split<'a, char>>,
}

impl<'a, const FIELD_COUNT: usize>
    ParsedAccessControlSelector<'a, FIELD_COUNT>
{
    /// Parses a raw selector string into its identifier and optional fields.
    ///
    /// The input `string` is expected to follow the syntax `Identifier` or
    /// `Identifier(field1.field2)`. The method validates balanced parentheses
    /// and enforces that the number of dot-separated fields does not exceed
    /// `FIELD_COUNT`.
    ///
    /// # Errors
    ///
    /// Returns an [`AccessControlSelectorParseError`] when the identifier is
    /// missing, the closing parenthesis is absent, or there are more fields
    /// than the target struct declares.
    pub fn new(
        string: &'a str,
    ) -> Result<Self, AccessControlSelectorParseError> {
        use AccessControlSelectorParseError::*;

        let mut brace_split = string.splitn(2, '(');

        // Get the identifier of the access_control_selector. If it doesn't exist then error
        // out.
        let access_control_selector_ident = brace_split
            .next()
            .ok_or_else(|| NoAccessControlSelectorIdentifierFound {
                expected: stringify!($struct_ident).into(),
                access_control_selector_string: string.to_string(),
            })?
            .trim();

        // Check if there's a remaining portion to the string. If there isn't,
        // then it means that this was a access_control_selector identifier without anything
        // else which is accepted.
        if let Some(remaining_string) = brace_split.next() {
            // Split once at the closing brace, if we fail to do that then this
            // is a malformed access_control_selector.
            let Some((inner_fields, _)) = remaining_string.split_once(')')
            else {
                return Err(NoClosingBraceFound {
                    access_control_selector_string: string.to_string(),
                });
            };

            // Count the number of dot separators in the remaining string. This
            // number can be at most `FIELD_COUNT - 1`. For access_control_selectors with no
            // fields the subtraction fails which would return a correct invalid
            // number of fields error.
            let number_of_fields =
                inner_fields.chars().filter(|c| matches!(c, '.')).count() + 1;
            if number_of_fields > FIELD_COUNT {
                return Err(InvalidNumberOfFields {
                    found: number_of_fields,
                    maximum_expected: FIELD_COUNT,
                    access_control_selector_string: string.to_string(),
                });
            }

            // Split the inner fields (without the closing paren) by dots and return.
            let fields = inner_fields.split('.');

            Ok(Self {
                access_control_selector_ident,
                fields: Some(fields),
            })
        } else {
            Ok(Self {
                access_control_selector_ident,
                fields: None,
            })
        }
    }
}

/// Pairs a selector with a permission disposition (allow or deny).
///
/// Stored inside [`AccessControlSelectorSet`] and evaluated by the policy
/// resolver. When a [`Permission`] 's selector matches an incoming operation,
/// its `allow` flag determines whether the operation is permitted or forbidden.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub struct Permission<T> {
    /// The selector that defines which operations this rule applies to.
    pub selector: T,
    /// `true` to permit the matched operation, `false` to deny it.
    pub allow: bool,
}

/// The outcome of a policy check against the configured rule set.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub enum Authorization {
    /// The operation is permitted.
    Allow,
    /// The operation is forbidden.
    Deny,
}

/// Maps this crate's [`Authorization`] to rusqlite's equivalent so that policy
/// verdicts can be returned directly from the authorization hook.
impl From<Authorization> for rusqlite::hooks::Authorization {
    fn from(value: Authorization) -> Self {
        match value {
            Authorization::Allow => Self::Allow,
            Authorization::Deny => Self::Deny,
        }
    }
}

/// The type of transaction or savepoint operation being authorized.
///
/// Mirrors [`rusqlite::hooks::TransactionOperation`] but is owned by this crate
/// so it can derive [`Display`] and [`FromStr`] via `strum`, enabling
/// round-trip parsing in selector strings like `Transaction(BEGIN)`.
#[derive(
    Clone,
    Copy,
    Debug,
    Eq,
    PartialEq,
    PartialOrd,
    Ord,
    Hash,
    strum::Display,
    strum::EnumString,
)]
#[strum(serialize_all = "SCREAMING_SNAKE_CASE")]
pub enum TransactionOperation {
    /// An unrecognized or unknown operation type.
    Unknown,
    /// A `BEGIN` transaction statement.
    Begin,
    /// A `RELEASE` savepoint statement.
    Release,
    /// A `ROLLBACK` statement.
    Rollback,
}

/// Converts this crate's [`TransactionOperation`] into rusqlite's equivalent
/// for use in authorization hook responses.
impl From<TransactionOperation> for rusqlite::hooks::TransactionOperation {
    fn from(value: TransactionOperation) -> Self {
        match value {
            TransactionOperation::Unknown => Self::Unknown,
            TransactionOperation::Begin => Self::Begin,
            TransactionOperation::Release => Self::Release,
            TransactionOperation::Rollback => Self::Rollback,
        }
    }
}

/// Allows comparing this crate's [`TransactionOperation`] against rusqlite's
/// variant by converting to the rusqlite type first.
impl PartialEq<rusqlite::hooks::TransactionOperation> for TransactionOperation {
    fn eq(&self, other: &rusqlite::hooks::TransactionOperation) -> bool {
        &rusqlite::hooks::TransactionOperation::from(*self) == other
    }
}

/// Allows comparing rusqlite's `TransactionOperation` against this crate's
/// [`TransactionOperation`] by converting to the rusqlite type first.
impl PartialEq<TransactionOperation> for rusqlite::hooks::TransactionOperation {
    fn eq(&self, other: &TransactionOperation) -> bool {
        &rusqlite::hooks::TransactionOperation::from(*other) == self
    }
}

/// Enumerates the ways parsing an access control selector string can fail.
///
/// Each variant captures the original input string together with contextual
/// information about what went wrong, so that error messages can be actionable
/// and specific.
#[derive(Debug, thiserror::Error)]
pub enum AccessControlSelectorParseError {
    /// The input string could not be split into an identifier portion at all.
    ///
    /// This typically means the string was empty or otherwise malformed in a
    /// way that prevented even the first token from being extracted.
    #[error(
        "no access control selector identifier found in \"{access_control_selector_string}\", \
         expected \"{expected}\""
    )]
    NoAccessControlSelectorIdentifierFound {
        /// The identifier that was expected (set by the specific struct's
        /// `FromStr`).
        expected: String,
        /// The raw input string that failed to parse.
        access_control_selector_string: String,
    },
    /// The identifier was successfully extracted but does not match the target
    /// struct's name.
    ///
    /// Returned when parsing into a specific selector type (e.g.,
    /// `"Write".parse::<Read>()`) where the identifier does not agree with the
    /// struct being parsed into.
    #[error(
        "incorrect access control selector identifier in \"{access_control_selector_string}\": \
         expected \"{expected}\", found \"{found}\""
    )]
    IncorrectAccessControlSelectorIdentifier {
        /// The identifier that was expected.
        expected: String,
        /// The identifier that was actually found in the input.
        found: String,
        /// The raw input string that failed to parse.
        access_control_selector_string: String,
    },
    /// The identifier does not match any known selector variant in the
    /// [`AccessControlSelector`] enum.
    ///
    /// Returned when parsing through the umbrella enum and the leading token is
    /// not recognized.
    #[error(
        "invalid access control selector identifier in \"{access_control_selector_string}\": \
         found {found:?}, expected one of {expected:?}"
    )]
    InvalidAccessControlSelectorIdentifier {
        /// The identifier that was found, or `None` if extraction failed.
        found: Option<String>,
        /// The set of valid selector identifiers.
        expected: &'static [&'static str],
        /// The raw input string that failed to parse.
        access_control_selector_string: String,
    },
    /// A `(` was found but the matching `)` was missing.
    #[error(
        "no closing parenthesis found in \"{access_control_selector_string}\""
    )]
    NoClosingBraceFound {
        /// The raw input string that failed to parse.
        access_control_selector_string: String,
    },
    /// The number of dot-separated fields inside the parentheses exceeds the
    /// maximum that the target struct declares.
    #[error(
        "invalid number of fields in \"{access_control_selector_string}\": \
         found {found}, maximum expected {maximum_expected}"
    )]
    InvalidNumberOfFields {
        /// The number of fields found in the input.
        found: usize,
        /// The maximum number of fields the target struct accepts.
        maximum_expected: usize,
        /// The raw input string that failed to parse.
        access_control_selector_string: String,
    },
    /// An individual field value inside the parentheses could not be parsed
    /// into its target type.
    #[error(
        "failed to parse field \"{field_ident}\" with value \"{field_value}\": {error}"
    )]
    FailedToParseFieldValue {
        /// The name of the struct field that failed to parse.
        field_ident: String,
        /// The raw string value that could not be converted.
        field_value: String,
        /// The underlying parse error.
        error: Box<dyn Error + Send + Sync>,
    },
}

/// Predefined permission presets for common access control configurations.
///
/// Each variant maps to an [`AuthorizationResolver`] constructor that sets
/// sensible defaults for a particular use case. Variants are ordered from most
/// restrictive to least restrictive. The preset is selected via the `--preset`
/// CLI flag and determines the baseline permissions before any `--allow` /
/// `--deny` overrides are applied.
#[derive(
    Clone,
    Copy,
    Debug,
    Default,
    PartialEq,
    Eq,
    PartialOrd,
    Ord,
    Hash,
    strum::Display,
    strum::EnumString,
    clap::ValueEnum,
)]
#[strum(serialize_all = "kebab-case")]
pub enum Preset {
    /// Denies all operations. Useful as a starting point when every permitted
    /// action must be explicitly allowed via `--allow` flags.
    DenyEverything,
    /// Allows reads, selects, transactions, SQL functions, recursive CTEs, and
    /// pragmas. Denies all data modification and DDL.
    #[default]
    ReadOnly,
    /// Extends read-only with insert, update, delete, savepoints, analyze,
    /// reindex, and temporary object operations. Permanent DDL, attach, and
    /// detach remain denied.
    ReadWrite,
    /// Extends read-write with permanent DDL (create/drop tables, indexes,
    /// triggers, views, and alter table). Attach, detach, and virtual table
    /// operations remain denied.
    FullDdl,
    /// Allows all operations with no restrictions. Intended for development and
    /// testing only.
    AllowEverything,
}

/// Converts a [`Preset`] into the corresponding [`AuthorizationResolver`] by
/// calling the matching constructor.
impl From<Preset> for AuthorizationResolver {
    fn from(preset: Preset) -> Self {
        match preset {
            Preset::DenyEverything => Self::new_deny_everything(),
            Preset::ReadOnly => Self::new_read_only(),
            Preset::ReadWrite => Self::new_read_write(),
            Preset::FullDdl => Self::new_full_ddl(),
            Preset::AllowEverything => Self::new_allow_everything(),
        }
    }
}

impl AuthorizationResolver {
    /// Creates a read-only resolver.
    ///
    /// Allows reads, selects, transactions, SQL functions, recursive CTEs, and
    /// pragmas. Denies all data modification (insert, update, delete) and all
    /// DDL (create, drop, alter, attach, detach). Users can layer additional
    /// `--allow` / `--deny` rules on top to fine-tune access.
    pub fn new_read_only() -> Self {
        use rusqlite::hooks::Authorization::Allow;

        Self::new_deny_everything()
            .with_read_default_permissions(Allow)
            .with_select_default_permissions(Allow)
            .with_transaction_default_permissions(Allow)
            .with_function_default_permissions(Allow)
            .with_recursive_default_permissions(Allow)
            .with_pragma_default_permissions(Allow)
    }

    /// Creates a read-write resolver that forbids schema changes.
    ///
    /// Extends [`new_read_only`](Self::new_read_only) with insert, update,
    /// delete, savepoints, analyze, reindex, and temporary object
    /// creation/deletion. Permanent DDL (create/drop table, index, trigger,
    /// view, virtual table), attach, and detach remain denied.
    pub fn new_read_write() -> Self {
        use rusqlite::hooks::Authorization::Allow;

        Self::new_read_only()
            .with_insert_default_permissions(Allow)
            .with_update_default_permissions(Allow)
            .with_delete_default_permissions(Allow)
            .with_savepoint_default_permissions(Allow)
            .with_analyze_default_permissions(Allow)
            .with_reindex_default_permissions(Allow)
            .with_create_temp_table_default_permissions(Allow)
            .with_create_temp_index_default_permissions(Allow)
            .with_create_temp_view_default_permissions(Allow)
            .with_create_temp_trigger_default_permissions(Allow)
            .with_drop_temp_table_default_permissions(Allow)
            .with_drop_temp_index_default_permissions(Allow)
            .with_drop_temp_view_default_permissions(Allow)
            .with_drop_temp_trigger_default_permissions(Allow)
    }

    /// Creates a resolver that allows all data and DDL operations but denies
    /// operations that reach outside the database file.
    ///
    /// Extends [`new_read_write`](Self::new_read_write) with permanent DDL
    /// (create/drop tables, indexes, triggers, views, and alter table). Attach,
    /// detach, and virtual table operations remain denied because they can
    /// access the filesystem or load arbitrary code.
    pub fn new_full_ddl() -> Self {
        use rusqlite::hooks::Authorization::Allow;

        Self::new_read_write()
            .with_create_table_default_permissions(Allow)
            .with_drop_table_default_permissions(Allow)
            .with_alter_table_default_permissions(Allow)
            .with_create_index_default_permissions(Allow)
            .with_drop_index_default_permissions(Allow)
            .with_create_trigger_default_permissions(Allow)
            .with_drop_trigger_default_permissions(Allow)
            .with_create_view_default_permissions(Allow)
            .with_drop_view_default_permissions(Allow)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn glob_display_shows_asterisk() {
        // Arrange
        let glob = Glob;

        // Act
        let displayed = glob.to_string();

        // Assert
        assert_eq!(displayed, "*");
    }

    #[test]
    fn value_or_glob_new_value_creates_value_variant() {
        // Arrange
        let input = "hello";

        // Act
        let vog = ValueOrGlob::<String>::new_value(input);

        // Assert
        assert_eq!(vog, ValueOrGlob::Value("hello".to_string()));
    }

    #[test]
    fn value_or_glob_new_glob_creates_glob_variant() {
        // Arrange
        // (no setup needed)

        // Act
        let vog = ValueOrGlob::<String>::new_glob();

        // Assert
        assert_eq!(vog, ValueOrGlob::Glob(Glob));
    }

    #[test]
    fn value_or_glob_default_returns_glob() {
        // Arrange
        // (no setup needed)

        // Act
        let vog = ValueOrGlob::<String>::default();

        // Assert
        assert_eq!(vog, ValueOrGlob::Glob(Glob));
    }

    #[test]
    fn value_or_glob_is_value_returns_true_for_value() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_value("test");

        // Act
        let result = vog.is_value();

        // Assert
        assert!(result);
    }

    #[test]
    fn value_or_glob_is_value_returns_false_for_glob() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_glob();

        // Act
        let result = vog.is_value();

        // Assert
        assert!(!result);
    }

    #[test]
    fn value_or_glob_is_glob_returns_true_for_glob() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_glob();

        // Act
        let result = vog.is_glob();

        // Assert
        assert!(result);
    }

    #[test]
    fn value_or_glob_is_glob_returns_false_for_value() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_value("test");

        // Act
        let result = vog.is_glob();

        // Assert
        assert!(!result);
    }

    #[test]
    fn value_or_glob_as_value_returns_some_for_value() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_value("hello");

        // Act
        let result = vog.as_value();

        // Assert
        assert_eq!(result, Some(&"hello".to_string()));
    }

    #[test]
    fn value_or_glob_as_value_returns_none_for_glob() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_glob();

        // Act
        let result = vog.as_value();

        // Assert
        assert_eq!(result, None);
    }

    #[test]
    fn value_or_glob_as_glob_returns_some_for_glob() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_glob();

        // Act
        let result = vog.as_glob();

        // Assert
        assert_eq!(result, Some(&Glob));
    }

    #[test]
    fn value_or_glob_as_glob_returns_none_for_value() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_value("test");

        // Act
        let result = vog.as_glob();

        // Assert
        assert_eq!(result, None);
    }

    #[test]
    fn value_or_glob_into_value_returns_some_for_value() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_value("hello");

        // Act
        let result = vog.into_value();

        // Assert
        assert_eq!(result, Some("hello".to_string()));
    }

    #[test]
    fn value_or_glob_into_value_returns_none_for_glob() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_glob();

        // Act
        let result = vog.into_value();

        // Assert
        assert_eq!(result, None);
    }

    #[test]
    fn value_or_glob_into_glob_returns_some_for_glob() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_glob();

        // Act
        let result = vog.into_glob();

        // Assert
        assert_eq!(result, Some(Glob));
    }

    #[test]
    fn value_or_glob_into_glob_returns_none_for_value() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_value("test");

        // Act
        let result = vog.into_glob();

        // Assert
        assert_eq!(result, None);
    }

    #[test]
    fn value_or_glob_display_shows_inner_value_for_value() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_value("Students");

        // Act
        let displayed = vog.to_string();

        // Assert
        assert_eq!(displayed, "Students");
    }

    #[test]
    fn value_or_glob_display_shows_asterisk_for_glob() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_glob();

        // Act
        let displayed = vog.to_string();

        // Assert
        assert_eq!(displayed, "*");
    }

    #[test]
    fn value_or_glob_from_str_with_asterisk_returns_glob() {
        // Arrange
        let input = "*";

        // Act
        let result = input.parse::<ValueOrGlob<String>>().unwrap();

        // Assert
        assert_eq!(result, ValueOrGlob::Glob(Glob));
    }

    #[test]
    fn value_or_glob_from_str_with_text_returns_value() {
        // Arrange
        let input = "Students";

        // Act
        let result = input.parse::<ValueOrGlob<String>>().unwrap();

        // Assert
        assert_eq!(result, ValueOrGlob::Value("Students".to_string()));
    }

    #[test]
    fn value_or_glob_from_some_option_gives_value() {
        // Arrange
        let opt = Some("name".to_string());

        // Act
        let vog = ValueOrGlob::<String>::from(opt);

        // Assert
        assert_eq!(vog, ValueOrGlob::Value("name".to_string()));
    }

    #[test]
    fn value_or_glob_from_none_option_gives_glob() {
        // Arrange
        let opt = Option::<String>::None;

        // Act
        let vog = ValueOrGlob::<String>::from(opt);

        // Assert
        assert_eq!(vog, ValueOrGlob::Glob(Glob));
    }

    #[test]
    fn value_or_glob_into_string_for_value() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_value("hello");

        // Act
        let s = String::from(vog);

        // Assert
        assert_eq!(s, "hello");
    }

    #[test]
    fn value_or_glob_into_string_for_glob() {
        // Arrange
        let vog = ValueOrGlob::<String>::new_glob();

        // Act
        let s = String::from(vog);

        // Assert
        assert_eq!(s, "*");
    }

    #[test]
    fn read_new_creates_with_given_values() {
        // Arrange
        let table = ValueOrGlob::<String>::new_value("Students");
        let column = ValueOrGlob::<String>::new_value("name");

        // Act
        let read = Read::new(table, column);

        // Assert
        assert_eq!(read.table_name, ValueOrGlob::Value("Students".to_string()));
        assert_eq!(read.column_name, ValueOrGlob::Value("name".to_string()));
    }

    #[test]
    fn read_empty_creates_with_all_globs() {
        // Arrange
        // (no setup needed)

        // Act
        let read = Read::empty();

        // Assert
        assert_eq!(read.table_name, ValueOrGlob::Glob(Glob));
        assert_eq!(read.column_name, ValueOrGlob::Glob(Glob));
    }

    #[test]
    fn read_with_table_name_sets_table_name() {
        // Arrange
        let read = Read::empty();

        // Act
        let read =
            read.with_table_name(ValueOrGlob::<String>::new_value("Grades"));

        // Assert
        assert_eq!(read.table_name, ValueOrGlob::Value("Grades".to_string()));
        assert_eq!(read.column_name, ValueOrGlob::Glob(Glob));
    }

    #[test]
    fn read_with_column_name_sets_column_name() {
        // Arrange
        let read = Read::empty();

        // Act
        let read =
            read.with_column_name(ValueOrGlob::<String>::new_value("score"));

        // Assert
        assert_eq!(read.table_name, ValueOrGlob::Glob(Glob));
        assert_eq!(read.column_name, ValueOrGlob::Value("score".to_string()));
    }

    #[test]
    fn read_is_all_glob_true_when_both_glob() {
        // Arrange
        let read = Read::empty();

        // Act
        let result = read.is_all_glob();

        // Assert
        assert!(result);
    }

    #[test]
    fn read_is_all_glob_false_when_table_is_value() {
        // Arrange
        let read = Read::empty()
            .with_table_name(ValueOrGlob::<String>::new_value("Students"));

        // Act
        let result = read.is_all_glob();

        // Assert
        assert!(!result);
    }

    #[test]
    fn read_is_all_glob_false_when_column_is_value() {
        // Arrange
        let read = Read::empty()
            .with_column_name(ValueOrGlob::<String>::new_value("name"));

        // Act
        let result = read.is_all_glob();

        // Assert
        assert!(!result);
    }

    #[test]
    fn read_is_all_value_true_when_both_value() {
        // Arrange
        let read = Read::new(
            ValueOrGlob::<String>::new_value("Students"),
            ValueOrGlob::<String>::new_value("name"),
        );

        // Act
        let result = read.is_all_value();

        // Assert
        assert!(result);
    }

    #[test]
    fn read_is_all_value_false_when_one_is_glob() {
        // Arrange
        let read = Read::empty()
            .with_table_name(ValueOrGlob::<String>::new_value("Students"));

        // Act
        let result = read.is_all_value();

        // Assert
        assert!(!result);
    }

    #[test]
    fn read_is_any_glob_true_when_one_is_glob() {
        // Arrange
        let read = Read::empty()
            .with_table_name(ValueOrGlob::<String>::new_value("Students"));

        // Act
        let result = read.is_any_glob();

        // Assert
        assert!(result);
    }

    #[test]
    fn read_is_any_glob_false_when_both_value() {
        // Arrange
        let read = Read::new(
            ValueOrGlob::<String>::new_value("Students"),
            ValueOrGlob::<String>::new_value("name"),
        );

        // Act
        let result = read.is_any_glob();

        // Assert
        assert!(!result);
    }

    #[test]
    fn read_is_any_value_true_when_one_is_value() {
        // Arrange
        let read = Read::empty()
            .with_column_name(ValueOrGlob::<String>::new_value("name"));

        // Act
        let result = read.is_any_value();

        // Assert
        assert!(result);
    }

    #[test]
    fn read_is_any_value_false_when_both_glob() {
        // Arrange
        let read = Read::empty();

        // Act
        let result = read.is_any_value();

        // Assert
        assert!(!result);
    }

    #[test]
    fn read_display_all_glob_shows_read_without_parens() {
        // Arrange
        let read = Read::empty();

        // Act
        let displayed = read.to_string();

        // Assert
        assert_eq!(displayed, "Read");
    }

    #[test]
    fn read_display_specific_shows_read_with_table_and_column() {
        // Arrange
        let read = Read::new(
            ValueOrGlob::<String>::new_value("Students"),
            ValueOrGlob::<String>::new_value("name"),
        );

        // Act
        let displayed = read.to_string();

        // Assert
        assert_eq!(displayed, "Read(Students.name)");
    }

    #[test]
    fn read_display_glob_table_value_column() {
        // Arrange
        let read = Read::empty()
            .with_column_name(ValueOrGlob::<String>::new_value("name"));

        // Act
        let displayed = read.to_string();

        // Assert
        assert_eq!(displayed, "Read(*.name)");
    }

    #[test]
    fn read_display_value_table_glob_column() {
        // Arrange
        let read = Read::empty()
            .with_table_name(ValueOrGlob::<String>::new_value("Students"));

        // Act
        let displayed = read.to_string();

        // Assert
        assert_eq!(displayed, "Read(Students.*)");
    }

    #[test]
    fn read_from_str_bare_read_parses_to_all_glob() {
        // Arrange
        let input = "Read";

        // Act
        let read = input.parse::<Read>().unwrap();

        // Assert
        assert_eq!(read.table_name, ValueOrGlob::Glob(Glob));
        assert_eq!(read.column_name, ValueOrGlob::Glob(Glob));
    }

    #[test]
    fn read_from_str_specific_table_and_column_parses_correctly() {
        // Arrange
        let input = "Read(Students.name)";

        // Act
        let read = input.parse::<Read>().unwrap();

        // Assert
        assert_eq!(read.table_name, ValueOrGlob::Value("Students".to_string()));
        assert_eq!(read.column_name, ValueOrGlob::Value("name".to_string()));
    }

    #[test]
    fn read_from_str_glob_table_value_column_parses_correctly() {
        // Arrange
        let input = "Read(*.name)";

        // Act
        let read = input.parse::<Read>().unwrap();

        // Assert
        assert_eq!(read.table_name, ValueOrGlob::Glob(Glob));
        assert_eq!(read.column_name, ValueOrGlob::Value("name".to_string()));
    }

    #[test]
    fn read_from_str_value_table_glob_column_parses_correctly() {
        // Arrange
        let input = "Read(Students.*)";

        // Act
        let read = input.parse::<Read>().unwrap();

        // Assert
        assert_eq!(read.table_name, ValueOrGlob::Value("Students".to_string()));
        assert_eq!(read.column_name, ValueOrGlob::Glob(Glob));
    }

    #[test]
    fn read_from_str_round_trip_produces_same_result() {
        // Arrange
        let input = "Read(Students.name)";

        // Act
        let read = input.parse::<Read>().unwrap();
        let displayed = read.to_string();
        let reparsed = displayed.parse::<Read>().unwrap();

        // Assert
        assert_eq!(
            reparsed.table_name,
            ValueOrGlob::Value("Students".to_string())
        );
        assert_eq!(
            reparsed.column_name,
            ValueOrGlob::Value("name".to_string())
        );
    }

    #[test]
    fn read_from_str_round_trip_bare_read_produces_same_result() {
        // Arrange
        let input = "Read";

        // Act
        let read = input.parse::<Read>().unwrap();
        let displayed = read.to_string();
        let reparsed = displayed.parse::<Read>().unwrap();

        // Assert
        assert_eq!(reparsed.table_name, ValueOrGlob::Glob(Glob));
        assert_eq!(reparsed.column_name, ValueOrGlob::Glob(Glob));
        assert_eq!(displayed, "Read");
    }

    #[test]
    fn read_into_string_works() {
        // Arrange
        let read = Read::new(
            ValueOrGlob::<String>::new_value("Students"),
            ValueOrGlob::<String>::new_value("name"),
        );

        // Act
        let s = String::from(read);

        // Assert
        assert_eq!(s, "Read(Students.name)");
    }

    #[test]
    fn read_try_from_string_works() {
        // Arrange
        let input = "Read(Students.name)".to_string();

        // Act
        let read = Read::try_from(input).unwrap();

        // Assert
        assert_eq!(read.table_name, ValueOrGlob::Value("Students".to_string()));
        assert_eq!(read.column_name, ValueOrGlob::Value("name".to_string()));
    }

    #[test]
    fn access_control_selector_from_str_bare_read_parses_to_read_selector() {
        // Arrange
        let input = "Read";

        // Act
        let selector = input.parse::<AccessControlSelector>().unwrap();

        // Assert
        match selector {
            AccessControlSelector::Read(read) => {
                assert_eq!(read.table_name, ValueOrGlob::Glob(Glob));
                assert_eq!(read.column_name, ValueOrGlob::Glob(Glob));
            }
            other => panic!("expected ReadSelector, got {other}"),
        }
    }

    #[test]
    fn access_control_selector_from_str_specific_parses_correctly() {
        // Arrange
        let input = "Read(Students.name)";

        // Act
        let selector = input.parse::<AccessControlSelector>().unwrap();

        // Assert
        match selector {
            AccessControlSelector::Read(read) => {
                assert_eq!(
                    read.table_name,
                    ValueOrGlob::Value("Students".to_string())
                );
                assert_eq!(
                    read.column_name,
                    ValueOrGlob::Value("name".to_string())
                );
            }
            other => panic!("expected ReadSelector, got {other}"),
        }
    }

    #[test]
    fn access_control_selector_display_round_trip_works() {
        // Arrange
        let input = "Read(Students.name)";

        // Act
        let selector = input.parse::<AccessControlSelector>().unwrap();
        let displayed = selector.to_string();
        let reparsed = displayed.parse::<AccessControlSelector>().unwrap();

        // Assert
        match reparsed {
            AccessControlSelector::Read(read) => {
                assert_eq!(
                    read.table_name,
                    ValueOrGlob::Value("Students".to_string())
                );
                assert_eq!(
                    read.column_name,
                    ValueOrGlob::Value("name".to_string())
                );
            }
            other => panic!("expected ReadSelector, got {other}"),
        }
    }

    #[test]
    fn access_control_selector_try_from_string_works() {
        // Arrange
        let input = "Read(Students.name)".to_string();

        // Act
        let selector = AccessControlSelector::try_from(input).unwrap();

        // Assert
        match selector {
            AccessControlSelector::Read(read) => {
                assert_eq!(
                    read.table_name,
                    ValueOrGlob::Value("Students".to_string())
                );
                assert_eq!(
                    read.column_name,
                    ValueOrGlob::Value("name".to_string())
                );
            }
            other => panic!("expected ReadSelector, got {other}"),
        }
    }

    #[test]
    fn parsing_with_missing_closing_paren_returns_error() {
        // Arrange
        let input = "Read(Students.name";

        // Act
        let result = input.parse::<Read>();

        // Assert
        assert!(matches!(
            result,
            Err(AccessControlSelectorParseError::NoClosingBraceFound { .. })
        ));
    }

    #[test]
    fn parsing_with_too_many_fields_returns_error() {
        // Arrange
        let input = "Read(Students.name.extra)";

        // Act
        let result = input.parse::<Read>();

        // Assert
        assert!(matches!(
            result,
            Err(AccessControlSelectorParseError::InvalidNumberOfFields { .. })
        ));
    }

    #[test]
    fn parsing_with_wrong_identifier_returns_error_for_struct() {
        // Arrange
        let input = "Write(Students.name)";

        // Act
        let result = input.parse::<Read>();

        // Assert
        assert!(matches!(
            result,
            Err(
                AccessControlSelectorParseError::IncorrectAccessControlSelectorIdentifier {
                    ..
                }
            )
        ));
    }

    #[test]
    fn parsing_with_wrong_identifier_returns_error_for_enum() {
        // Arrange
        let input = "Write(Students.name)";

        // Act
        let result = input.parse::<AccessControlSelector>();

        // Assert
        assert!(matches!(
            result,
            Err(
                AccessControlSelectorParseError::InvalidAccessControlSelectorIdentifier {
                    ..
                }
            )
        ));
    }

    #[test]
    fn parsing_empty_string_returns_error_for_enum() {
        // Arrange
        let input = "";

        // Act
        let result = input.parse::<AccessControlSelector>();

        // Assert
        assert!(result.is_err());
    }

    #[test]
    fn parsing_empty_string_returns_error_for_struct() {
        // Arrange
        let input = "";

        // Act
        let result = input.parse::<Read>();

        // Assert
        assert!(matches!(
            result,
            Err(
                AccessControlSelectorParseError::IncorrectAccessControlSelectorIdentifier {
                    ..
                }
            )
        ));
    }

    #[test]
    fn empty_selector_set_returns_none_for_read() {
        // Arrange
        let set = AccessControlSelectorSet::new();

        // Act
        let result = set.check_read("Students", "name");

        // Assert
        assert_eq!(result, None);
    }

    #[test]
    fn single_allow_rule_matches_and_returns_allow() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), true);

        // Act
        let result = set.check_read("Students", "name");

        // Assert
        assert_eq!(result, Some(Authorization::Allow));
    }

    #[test]
    fn single_deny_rule_matches_and_returns_deny() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), false);

        // Act
        let result = set.check_read("Students", "name");

        // Assert
        assert_eq!(result, Some(Authorization::Deny));
    }

    #[test]
    fn single_allow_rule_that_does_not_match_returns_none() {
        // Arrange
        let set = AccessControlSelectorSet::new().with_read_selector(
            Read::new(
                ValueOrGlob::new_value("Secrets"),
                ValueOrGlob::new_glob(),
            ),
            true,
        );

        // Act
        let result = set.check_read("Students", "name");

        // Assert
        assert_eq!(result, None);
    }

    #[test]
    fn single_deny_rule_that_does_not_match_returns_none() {
        // Arrange
        let set = AccessControlSelectorSet::new().with_read_selector(
            Read::new(
                ValueOrGlob::new_value("Secrets"),
                ValueOrGlob::new_glob(),
            ),
            false,
        );

        // Act
        let result = set.check_read("Students", "name");

        // Assert
        assert_eq!(result, None);
    }

    #[test]
    fn higher_specificity_allow_beats_lower_specificity_deny() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), false)
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("Students"),
                    ValueOrGlob::new_glob(),
                ),
                true,
            );

        // Act
        let result = set.check_read("Students", "name");

        // Assert
        assert_eq!(result, Some(Authorization::Allow));
    }

    #[test]
    fn higher_specificity_deny_beats_lower_specificity_allow() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), true)
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("Secrets"),
                    ValueOrGlob::new_glob(),
                ),
                false,
            );

        // Act
        let result = set.check_read("Secrets", "ssn");

        // Assert
        assert_eq!(result, Some(Authorization::Deny));
    }

    #[test]
    fn specificity_2_beats_specificity_1_beats_specificity_0() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), true)
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("Secrets"),
                    ValueOrGlob::new_glob(),
                ),
                false,
            )
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("Secrets"),
                    ValueOrGlob::new_value("id"),
                ),
                true,
            );

        // Act
        let allow_all = set.check_read("Public", "data");
        let deny_table = set.check_read("Secrets", "ssn");
        let allow_carveout = set.check_read("Secrets", "id");

        // Assert
        assert_eq!(allow_all, Some(Authorization::Allow));
        assert_eq!(deny_table, Some(Authorization::Deny));
        assert_eq!(allow_carveout, Some(Authorization::Allow));
    }

    #[test]
    fn same_specificity_allow_and_deny_resolves_to_deny() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("Students"),
                    ValueOrGlob::new_glob(),
                ),
                true,
            )
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_glob(),
                    ValueOrGlob::new_value("name"),
                ),
                false,
            );

        // Act
        let result = set.check_read("Students", "name");

        // Assert
        assert_eq!(result, Some(Authorization::Deny));
    }

    #[test]
    fn same_specificity_multiple_allows_no_deny_returns_allow() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(
                Read::new(ValueOrGlob::new_value("A"), ValueOrGlob::new_glob()),
                true,
            )
            .with_read_selector(
                Read::new(ValueOrGlob::new_glob(), ValueOrGlob::new_value("x")),
                true,
            );

        // Act
        let result = set.check_read("A", "x");

        // Assert
        assert_eq!(result, Some(Authorization::Allow));
    }

    #[test]
    fn same_specificity_multiple_denys_no_allow_returns_deny() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(
                Read::new(ValueOrGlob::new_value("A"), ValueOrGlob::new_glob()),
                false,
            )
            .with_read_selector(
                Read::new(ValueOrGlob::new_glob(), ValueOrGlob::new_value("x")),
                false,
            );

        // Act
        let result = set.check_read("A", "x");

        // Assert
        assert_eq!(result, Some(Authorization::Deny));
    }

    #[test]
    fn non_matching_rules_are_skipped_to_lower_specificity() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), true)
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("Other"),
                    ValueOrGlob::new_glob(),
                ),
                false,
            );

        // Act
        let result = set.check_read("Students", "name");

        // Assert
        assert_eq!(result, Some(Authorization::Allow));
    }

    #[test]
    fn rules_with_specificity_gap_still_resolve_correctly() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), false)
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("Students"),
                    ValueOrGlob::new_value("name"),
                ),
                true,
            );

        // Act
        let carveout = set.check_read("Students", "name");
        let blocked = set.check_read("Students", "ssn");

        // Assert
        assert_eq!(carveout, Some(Authorization::Allow));
        assert_eq!(blocked, Some(Authorization::Deny));
    }

    #[test]
    fn glob_table_pinned_column_matches_any_table() {
        // Arrange
        let set = AccessControlSelectorSet::new().with_read_selector(
            Read::new(ValueOrGlob::new_glob(), ValueOrGlob::new_value("ssn")),
            false,
        );

        // Act
        let result_a = set.check_read("Students", "ssn");
        let result_b = set.check_read("Employees", "ssn");
        let result_c = set.check_read("Students", "name");

        // Assert
        assert_eq!(result_a, Some(Authorization::Deny));
        assert_eq!(result_b, Some(Authorization::Deny));
        assert_eq!(result_c, None);
    }

    #[test]
    fn pinned_table_glob_column_matches_any_column() {
        // Arrange
        let set = AccessControlSelectorSet::new().with_read_selector(
            Read::new(
                ValueOrGlob::new_value("Secrets"),
                ValueOrGlob::new_glob(),
            ),
            false,
        );

        // Act
        let result_a = set.check_read("Secrets", "ssn");
        let result_b = set.check_read("Secrets", "id");
        let result_c = set.check_read("Public", "data");

        // Assert
        assert_eq!(result_a, Some(Authorization::Deny));
        assert_eq!(result_b, Some(Authorization::Deny));
        assert_eq!(result_c, None);
    }

    #[test]
    fn fully_pinned_selector_matches_only_exact_pair() {
        // Arrange
        let set = AccessControlSelectorSet::new().with_read_selector(
            Read::new(
                ValueOrGlob::new_value("Students"),
                ValueOrGlob::new_value("name"),
            ),
            false,
        );

        // Act
        let exact = set.check_read("Students", "name");
        let wrong_col = set.check_read("Students", "id");
        let wrong_table = set.check_read("Other", "name");

        // Assert
        assert_eq!(exact, Some(Authorization::Deny));
        assert_eq!(wrong_col, None);
        assert_eq!(wrong_table, None);
    }

    #[test]
    fn read_rules_do_not_affect_delete_checks() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), false);

        // Act
        let read_result = set.check_read("Students", "name");
        let delete_result = set.check_delete("Students");

        // Assert
        assert_eq!(read_result, Some(Authorization::Deny));
        assert_eq!(delete_result, None);
    }

    #[test]
    fn delete_single_field_selector_works() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_delete_selector(Delete::empty(), true)
            .with_delete_selector(
                Delete::new(ValueOrGlob::new_value("AuditLog")),
                false,
            );

        // Act
        let allowed = set.check_delete("Students");
        let denied = set.check_delete("AuditLog");

        // Assert
        assert_eq!(allowed, Some(Authorization::Allow));
        assert_eq!(denied, Some(Authorization::Deny));
    }

    #[test]
    fn select_zero_field_selector_allow_works() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_select_selector(Select {}, true);

        // Act
        let result = set.check_select();

        // Assert
        assert_eq!(result, Some(Authorization::Allow));
    }

    #[test]
    fn select_zero_field_allow_and_deny_resolves_to_deny() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_select_selector(Select {}, true)
            .with_select_selector(Select {}, false);

        // Act
        let result = set.check_select();

        // Assert
        assert_eq!(result, Some(Authorization::Deny));
    }

    #[test]
    fn with_selector_dispatches_to_correct_type() {
        // Arrange
        let read = AccessControlSelector::from(Read::empty());
        let set = AccessControlSelectorSet::new().with_selector(read, false);

        // Act
        let result = set.check_read("anything", "anything");

        // Assert
        assert_eq!(result, Some(Authorization::Deny));
    }

    #[test]
    fn resolver_allow_everything_defaults_to_allow() {
        // Arrange
        let resolver = AuthorizationResolver::new_allow_everything();

        // Act
        let result = resolver.selector_set.check_read("X", "Y");

        // Assert
        assert_eq!(result, None);
        assert_eq!(
            resolver.read_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
    }

    #[test]
    fn resolver_deny_everything_defaults_to_deny() {
        // Arrange
        let resolver = AuthorizationResolver::new_deny_everything();

        // Act
        let result = resolver.selector_set.check_read("X", "Y");

        // Assert
        assert_eq!(result, None);
        assert_eq!(
            resolver.read_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
    }

    #[test]
    fn resolver_per_action_default_override_works() {
        // Arrange
        let resolver = AuthorizationResolver::new_allow_everything()
            .with_read_default_permissions(
                rusqlite::hooks::Authorization::Deny,
            );

        // Act / Assert
        assert_eq!(
            resolver.read_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            resolver.insert_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
    }

    #[test]
    fn doc_example_read_only_with_table_blocked() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_selector("Read".parse::<Read>().unwrap(), true)
            .with_selector("Read(Secrets)".parse::<Read>().unwrap(), false);

        // Act
        let public_read = set.check_read("Public", "data");
        let secrets_read = set.check_read("Secrets", "ssn");

        // Assert
        assert_eq!(public_read, Some(Authorization::Allow));
        assert_eq!(secrets_read, Some(Authorization::Deny));
    }

    #[test]
    fn doc_example_read_only_with_carveout() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_selector("Read".parse::<Read>().unwrap(), true)
            .with_selector("Read(Secrets)".parse::<Read>().unwrap(), false)
            .with_selector("Read(Secrets.id)".parse::<Read>().unwrap(), true);

        // Act
        let public = set.check_read("Public", "data");
        let secrets_ssn = set.check_read("Secrets", "ssn");
        let secrets_id = set.check_read("Secrets", "id");

        // Assert
        assert_eq!(public, Some(Authorization::Allow));
        assert_eq!(secrets_ssn, Some(Authorization::Deny));
        assert_eq!(secrets_id, Some(Authorization::Allow));
    }

    #[test]
    fn doc_example_conflicting_same_specificity() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_selector("Read(Students)".parse::<Read>().unwrap(), false)
            .with_selector("Read(*.name)".parse::<Read>().unwrap(), true);

        // Act
        let result = set.check_read("Students", "name");

        // Assert
        assert_eq!(result, Some(Authorization::Deny));
    }

    #[test]
    fn doc_example_deny_functions_allow_specific() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_selector("Function".parse::<Function>().unwrap(), false)
            .with_selector("Function(count)".parse::<Function>().unwrap(), true)
            .with_selector("Function(sum)".parse::<Function>().unwrap(), true);

        // Act
        let count = set.check_function("count");
        let sum = set.check_function("sum");
        let evil = set.check_function("load_extension");

        // Assert
        assert_eq!(count, Some(Authorization::Allow));
        assert_eq!(sum, Some(Authorization::Allow));
        assert_eq!(evil, Some(Authorization::Deny));
    }

    #[test]
    fn multiple_non_matching_rules_returns_none() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("A"),
                    ValueOrGlob::new_value("x"),
                ),
                true,
            )
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("B"),
                    ValueOrGlob::new_value("y"),
                ),
                false,
            );

        // Act
        let result = set.check_read("C", "z");

        // Assert
        assert_eq!(result, None);
    }

    #[test]
    fn deny_at_higher_specificity_is_not_overridden_by_lower_allow() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), true)
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("Secrets"),
                    ValueOrGlob::new_value("ssn"),
                ),
                false,
            );

        // Act
        let result = set.check_read("Secrets", "ssn");

        // Assert
        assert_eq!(result, Some(Authorization::Deny));
    }

    #[test]
    fn only_matching_rules_at_a_level_contribute_to_verdict() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(
                Read::new(ValueOrGlob::new_value("A"), ValueOrGlob::new_glob()),
                false,
            )
            .with_read_selector(
                Read::new(ValueOrGlob::new_value("B"), ValueOrGlob::new_glob()),
                true,
            );

        // Act
        let result_a = set.check_read("A", "x");
        let result_b = set.check_read("B", "x");

        // Assert
        assert_eq!(result_a, Some(Authorization::Deny));
        assert_eq!(result_b, Some(Authorization::Allow));
    }

    #[test]
    fn insertion_order_does_not_affect_specificity_ranking() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("T"),
                    ValueOrGlob::new_value("c"),
                ),
                true,
            )
            .with_read_selector(Read::empty(), false);

        // Act
        let result = set.check_read("T", "c");

        // Assert
        assert_eq!(result, Some(Authorization::Allow));
    }

    #[test]
    fn three_specificity_levels_middle_deny_overridden_by_top() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), true)
            .with_read_selector(
                Read::new(ValueOrGlob::new_value("T"), ValueOrGlob::new_glob()),
                false,
            )
            .with_read_selector(
                Read::new(
                    ValueOrGlob::new_value("T"),
                    ValueOrGlob::new_value("ok"),
                ),
                true,
            );

        // Act
        let other_table = set.check_read("X", "y");
        let denied_col = set.check_read("T", "secret");
        let carveout = set.check_read("T", "ok");

        // Assert
        assert_eq!(other_table, Some(Authorization::Allow));
        assert_eq!(denied_col, Some(Authorization::Deny));
        assert_eq!(carveout, Some(Authorization::Allow));
    }

    #[test]
    fn duplicate_allow_rules_still_return_allow() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), true)
            .with_read_selector(Read::empty(), true);

        // Act
        let result = set.check_read("T", "c");

        // Assert
        assert_eq!(result, Some(Authorization::Allow));
    }

    #[test]
    fn duplicate_deny_rules_still_return_deny() {
        // Arrange
        let set = AccessControlSelectorSet::new()
            .with_read_selector(Read::empty(), false)
            .with_read_selector(Read::empty(), false);

        // Act
        let result = set.check_read("T", "c");

        // Assert
        assert_eq!(result, Some(Authorization::Deny));
    }

    #[test]
    fn read_only_allows_reads_and_selects() {
        // Arrange
        let r = AuthorizationResolver::new_read_only();

        // Act / Assert
        assert_eq!(
            r.read_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.select_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.transaction_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.function_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.recursive_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.pragma_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
    }

    #[test]
    fn read_only_denies_writes_and_ddl() {
        // Arrange
        let r = AuthorizationResolver::new_read_only();

        // Act / Assert
        assert_eq!(
            r.insert_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.update_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.delete_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.create_table_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.drop_table_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.attach_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
    }

    #[test]
    fn read_write_allows_data_modification() {
        // Arrange
        let r = AuthorizationResolver::new_read_write();

        // Act / Assert
        assert_eq!(
            r.insert_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.update_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.delete_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.savepoint_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.analyze_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
    }

    #[test]
    fn read_write_allows_temp_objects_but_denies_permanent_ddl() {
        // Arrange
        let r = AuthorizationResolver::new_read_write();

        // Act / Assert
        assert_eq!(
            r.create_temp_table_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.drop_temp_table_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.create_table_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.drop_table_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.alter_table_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.attach_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
    }

    #[test]
    fn full_ddl_allows_permanent_schema_changes() {
        // Arrange
        let r = AuthorizationResolver::new_full_ddl();

        // Act / Assert
        assert_eq!(
            r.create_table_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.drop_table_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.alter_table_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.create_index_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.create_view_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.create_trigger_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
    }

    #[test]
    fn full_ddl_still_denies_attach_detach_and_vtables() {
        // Arrange
        let r = AuthorizationResolver::new_full_ddl();

        // Act / Assert
        assert_eq!(
            r.attach_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.detach_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.create_vtable_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.drop_vtable_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
    }

    #[test]
    fn presets_are_composable_with_per_action_overrides() {
        // Arrange
        let r = AuthorizationResolver::new_read_only()
            .with_insert_default_permissions(
                rusqlite::hooks::Authorization::Allow,
            );

        // Act / Assert
        assert_eq!(
            r.insert_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
        assert_eq!(
            r.update_default_permissions,
            rusqlite::hooks::Authorization::Deny,
        );
        assert_eq!(
            r.read_default_permissions,
            rusqlite::hooks::Authorization::Allow,
        );
    }
}