parse-stack-next 5.4.1 → 5.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 842a9a2d8d24afbb8e0444d995ea6c1d8707ec5fc2c9a40405d40f71b46495b8
-  data.tar.gz: 8e54c583a6bf251818144b2ae6e1589197b4b0153093e0dd36048798a696346a
+  metadata.gz: 8fed615f71ab3b45bd9f10e2947c50ebbcba075b15b0a8786f0a269d4e59ebd6
+  data.tar.gz: e9528b3f4bc811cef21494089f6e5eb5aaed43732ddf926a64ccc2a050d8742d
 SHA512:
-  metadata.gz: 264a5574513616b8cb9ebe662c9e1109746d688c191affe3faefd11f20b0911039f09e895e535874e8715ddf5f53b30e863f6cdc5fa54f4cafabe2f5044398db
-  data.tar.gz: d61b36d12ef78eb05b701ff1e45858c7dc2f911bd548d912db9e061fe9027fed86c3b2b2808f2a89cbeb5115c603fd279425ccec2d184f567b9ef00f8eb901af
+  metadata.gz: 0d1d0ee29e3787585f246e8b006f81aa514bc85732fe32c1c175f5734d60b8fadbf5f2d127f7d7fa6df38e49303e334ad2c31a10d85cb3b7e7f8eba1a1bf836d
+  data.tar.gz: 8c032babfcc42f16327a874d4cbf358ed7aade09157da7e29dd879578454b23cff7e7cbc3e860fec7891c8e43c12b1362778039550bf3371c63786d122fb9ae7

data/CHANGELOG.md

@@ -1,5 +1,494 @@
 ## parse-stack-next Changelog
 
+### 5.5.1
+
+#### Mongo-direct reads inside `Parse.with_session` are now scoped, not master
+
+- **FIXED**: A query that auto-routes to the mongo-direct path because of a
+  direct-only constraint (for example a geo `$near` / `$geoIntersects` query)
+  now honors the ambient session token set by `Parse.with_session(token)`.
+  Previously the mongo-direct auth resolver consulted only the query's own
+  `session_token=` / `scope_to_user` / `scope_to_role` and ignored the
+  fiber-local ambient session, so in server mode it fell through to a
+  master-key read with no ACL/CLP enforcement — returning rows the session was
+  not permitted to see, even though every REST query in the same
+  `with_session` block was correctly scoped. The resolver now mirrors
+  `Parse::Client#request` precedence: an explicit per-query token wins, then
+  the ambient session, then the master-key fallback; an explicit
+  `use_master_key: true` is a deliberate admin call and still skips the
+  ambient. Routing also accepts the ambient on non-master clients
+  (`Parse.client_mode` or a user-scoped client), so such a query runs scoped
+  rather than raising.
+
+#### Boolean property coercion no longer treats the string "false" as true
+
+- **FIXED**: A `:boolean` property assigned a string now coerces via
+  ActiveModel's boolean caster instead of raw Ruby truthiness. Previously the
+  coercion was `val ? true : false`, so the strings `"false"`, `"0"`, and
+  `"off"` — exactly what arrives on a Rails-form or query-string ingestion
+  path — all coerced to `true`, silently flipping a boolean the wrong way (for
+  example an `archived` flag or an application-defined access gate). String
+  forms now map correctly (`"false"`/`"0"`/`"off"` to `false`), a blank string
+  is treated as unset (`nil`), and native booleans from Parse wire JSON pass
+  through unchanged.
+
+#### Deprecation warning for setting ACL via mass-assignment
+
+- **DEPRECATED**: Setting `acl`/`ACL` through mass-assignment
+  (`Parse::Object#attributes=`) now emits a one-time security warning. Mass-
+  assigning an ACL from a caller-supplied hash — for example a controller doing
+  `record.attributes = params` without StrongParameters — lets an attacker
+  grant unintended access by sending an `ACL` key
+  (`{"ACL" => {"*" => {"write" => true}}}`). The behavior is unchanged this
+  release (the ACL is still applied), but the supported path is the explicit
+  `record.acl = ...` setter, and a future release may block ACL mass-assignment.
+  The constructor form `Klass.new(acl: ...)` is unaffected and does not warn.
+
+#### Redis cache values serialized as JSON instead of Marshal
+
+- **FIXED**: `Parse::Cache::Redis` now serializes cached HTTP responses as
+  JSON rather than Marshal. The Moneta-Redis store Marshals values by default,
+  so every cache hit ran `Marshal.load` on the bytes returned by Redis. Against
+  a shared, unauthenticated, or plaintext-`redis://` cache, an attacker able to
+  write the cache could plant a crafted Marshal payload that executed code on
+  deserialization. The wrapper now disables Moneta's value serializer
+  (`value_serializer: nil`) and JSON-encodes/decodes values itself; an
+  undecodable value (including any legacy Marshal entry) is treated as a cache
+  miss rather than deserialized. Cache keys are unchanged. No application code
+  changes are required; existing cached entries are transparently refetched and
+  re-stored in the new format on first access.
+- **FIXED**: The `cache: "redis://..."` shorthand on `Parse::Client.new` /
+  `Parse.setup` now builds a `Parse::Cache::Redis` store instead of a bare
+  `Moneta.new(:Redis, ...)`, so it gets the same JSON value serialization and
+  is not subject to the Marshal deserialization issue above.
+- **CHANGED**: The caching middleware stores response entries with string keys
+  so they round-trip losslessly through the JSON serialization. Reads accept
+  both string and legacy symbol keys.
+- **FIXED**: `Parse::Embeddings::Cache::MonetaStore` now JSON-encodes cached
+  embedding vectors instead of relying on the Moneta store's default Marshal
+  value serializer, closing the same `Marshal.load`-on-read deserialization
+  vector for the embedding cache (whose key is derived from often-user-supplied
+  text). It also emits a one-time warning when handed a Marshal-serializing
+  store and recommends `value_serializer: nil`.
+- **CHANGED**: Documentation for Redis-backed caches, the embedding cache, and
+  the synchronize-create lock store (`Parse.synchronize_create_store`) now
+  builds the Redis store via `Parse::Cache::Redis` or `value_serializer: nil`
+  so a raw `Moneta.new(:Redis, ...)` no longer leaves Marshal on the read path.
+
+#### Internal columns stripped from joined documents on mongo-direct reads
+
+- **FIXED**: `Parse::MongoDB.aggregate` now recursively strips Parse-internal
+  credential columns (`_hashed_password`, `_session_token`, `_auth_data_*`,
+  `_rperm`/`_wperm`, ...) from every result row **and every embedded
+  sub-document** for scoped (non-master) callers. Previously a scoped caller
+  could embed a foreign class (e.g. `_User` or `_Session`) into an arbitrary
+  alias via `$lookup` / `$graphLookup` / `$unionWith` and read back password
+  hashes, OAuth tokens, and session tokens: the per-class `protectedFields`
+  strip is keyed on the outer class, and the ACL sub-document walk only drops
+  ACL-failing sub-documents, so neither covered the aliased foreign document.
+  A new `Parse::PipelineSecurity.redact_internal_fields_deep!` runs as the final
+  redaction step. Structural columns (`_id`, `_p_*`, `_acl`, timestamps) are
+  preserved, so object and ACL reconstruction are unaffected; master-key reads
+  are unchanged.
+
+#### Hardened developer-facing mongo-direct aggregation terminals
+
+- **FIXED**: Credential columns (`_hashed_password`, `_session_token`,
+  `_auth_data_*`, `_email_verify_token`, `_perishable_token`, ...) used as a
+  `$match` field name are now refused **unconditionally** on the mongo-direct
+  path — even on a pipeline running with `allow_internal_fields: true` (the flag
+  that lets SDK-emitted `_rperm`/`_wperm` references through for
+  `readable_by_role` / `publicly_readable`). Previously the `*_direct` terminals
+  (`count_direct`, `results_direct`, `distinct_direct`, the direct group-by
+  helpers) passed `allow_internal_fields: true` unconditionally, so a query
+  whose `where` referenced a credential column compiled into a `$match` key that
+  bypassed the internal-field screen — a count/match oracle that could bisect a
+  bcrypt hash or session token. The ACL columns (`_rperm`/`_wperm`/`_tombstone`)
+  remain gated by `allow_internal_fields`, so `readable_by_role` still works.
+- **FIXED**: `Parse::Query#aggregate` and `#aggregate_from_query` now treat a
+  scoped query (`session_token` / `scope_to_user` / `scope_to_role`) as
+  authoritative over an explicit `mongo_direct: false`. Previously passing
+  `mongo_direct: false` on a scoped aggregation skipped the fail-closed guard
+  and routed to Parse Server's master-key-only REST `/aggregate` endpoint,
+  running the aggregation unscoped (no ACL, CLP, or `protectedFields`). A scoped
+  aggregation now promotes to mongo-direct, or fails closed with
+  `Parse::Query::MongoDirectRequired` when direct Mongo is unavailable; unscoped
+  callers can still opt out to REST with `mongo_direct: false`.
+
+#### Additional hardening
+
+- **FIXED**: Request/response body logging now redacts credentials. At `:debug`
+  level the logging middleware emitted login/signup request bodies (cleartext
+  `password`) and auth response bodies (`sessionToken`, `authData`, MFA
+  secrets); the body path now runs through the same `BodyBuilder.redact`
+  scrubber the header path already used, before truncation.
+- **FIXED**: The `_User` REST endpoints (`fetch_user` / `update_user` /
+  `delete_user`) now validate the `objectId` against
+  `Parse::API::PathSegment.object_id!` before interpolating it into the path,
+  matching the object endpoints. A crafted objectId (e.g. from a compromised
+  server response) can no longer traverse to a different endpoint on a
+  subsequent request.
+- **CHANGED**: `$sessionToken` / `$session_token` (the camelCase forms of the
+  session-token column) are now in `DENIED_FIELD_REFS`, so they cannot be
+  laundered through a `$`-field reference in a pipeline.
+- **IMPROVED**: The internal-collection floor (`_SCHEMA` / `_Hooks` /
+  `_GlobalConfig` / `_Audit` / ...) is now enforced unconditionally on every
+  `$lookup` / `$graphLookup` / `$unionWith` join target in
+  `Parse::ACLScope`, not only when lookup-rewriting runs. This closes a
+  defense-in-depth gap where an internal class whose CLP lookup returned no
+  policy could otherwise have been joinable on the direct path.
+- **IMPROVED**: When the MCP agent server is started on an unauthenticated
+  loopback bind with no Origin/custom-header gate configured, it now defaults
+  to a loopback-only Origin policy. A browser DNS-rebinding attack against
+  `127.0.0.1` carries a non-loopback `Origin` and is refused; native clients
+  (which send no `Origin`) and local browser UIs are unaffected. A one-time
+  warning points operators at `MCP_API_KEY` / `allowed_origins:` /
+  `require_custom_header:` for routable deployments.
+
+### 5.5.0
+
+#### Multimodal bytes-fetch path with magic-byte MIME verification
+
+- **NEW**: `Parse::Embeddings::ImageFetch` — the SDK-side image download
+  layer for image embeddings. Downloads through the existing
+  `Parse::File.safe_open_url` SSRF primitive (CIDR blocks, port allowlist,
+  DNS-rebinding re-check, size caps, timeouts — no parallel fetch mechanism),
+  determines the MIME type **exclusively by magic-byte sniffing** of the
+  leading bytes (JPEG / PNG / GIF / WebP), cross-checks the URL extension
+  against the sniffed type, and enforces a configurable
+  `Parse::Embeddings.allowed_image_types` allowlist. The HTTP `Content-Type`
+  header is never consulted, closing the file MIME-laundering gap: a `.jpg`
+  URL serving HTML (or PNG bytes behind a JPEG extension) is refused outright.
+- **NEW**: `embed_image ..., source: :bytes` declaration mode. Where the
+  default `source: :url` forwards a validated URL for the provider to fetch
+  itself (and therefore requires the `trust_provider_url_fetch` sentinel),
+  `:bytes` mode has the SDK download, verify, and metadata-strip the image,
+  then forward it to the provider as a base64 data URI. No third-party URL
+  egress occurs, so the sentinel is not required — but the file's host must
+  still be in `Parse::Embeddings.allowed_image_hosts` (deny-all when empty).
+
+  ```ruby
+  class Post < Parse::Object
+    property :cover_image, :file
+    property :cover_embedding, :vector, dimensions: 1024, provider: :voyage
+    embed_image :cover_image, into: :cover_embedding, source: :bytes
+  end
+  ```
+- **NEW**: EXIF/XMP metadata stripping, **default ON** for the bytes path.
+  User-uploaded photos commonly carry GPS coordinates and device serial
+  numbers; forwarding them to an embedding provider is a PII egress. JPEG
+  APP1 segments (Exif and XMP), PNG `eXIf` chunks, and WebP `EXIF`/`XMP `
+  RIFF chunks (with the VP8X flag bits cleared) are removed before the bytes
+  leave the process. Opt out per declaration with `exif_strip: false` when
+  orientation metadata must be preserved.
+- **NEW**: `Voyage#embed_image` and `Cohere#embed_image` accept
+  `Parse::Embeddings::ImageFetch::FetchedImage` sources alongside URL
+  Strings (forms may be mixed in one batch). Fetched bytes ride Voyage's
+  `image_base64` content row and Cohere's `image_url` data-URI form.
+- **NEW**: `Parse::Embeddings.allowed_image_types=` — MIME allowlist for the
+  bytes path (default JPEG/PNG/GIF/WebP; SVG deliberately excluded as
+  script-capable active content).
+- **ENHANCED**: `Parse::Embeddings.validate_image_url!` accepts
+  `mode: :fetch` for SDK-side downloads — same host allowlist,
+  obfuscated-IP screen, port and CIDR checks as the default `:forward`
+  mode, minus the provider-egress sentinel that doesn't apply when no URL
+  is forwarded.
+
+#### Embedding-model migration tooling
+
+- **NEW**: `Class.reembed!(field:, batch_size:, limit:, where:, only_stale:,
+  save_opts:)` — bulk re-embed for provider/model migrations. Unlike
+  `embed_pending!` (which only fills null vectors), `reembed!` walks every
+  row with objectId-cursor pagination, clears the digest sibling so the
+  save-path recompute cannot elide the provider call, and saves. With
+  `only_stale: true` the walk skips rows whose recorded provenance already
+  matches the current provider, model, and dimensions — making a partially
+  failed migration resumable.
+- **NEW**: `embed` / `embed_image` auto-declare an `<into>_meta` `:object`
+  sibling property recording `{ provider, model, dimensions, modality,
+  embedded_at }` on every recompute (cleared when the source clears).
+  This is the provenance record `reembed!(only_stale: true)` reads, and it
+  tells operational tooling which model produced any stored vector.
+  Override the name with `meta_field:`.
+
+#### Bulk embedding and query-embed caching
+
+- **NEW**: `Parse::Embeddings::BatchEmbedder` — batch-level orchestration
+  for bulk embedding jobs. Wraps any registered provider with batch slicing
+  (defaulting to the provider's own batch-size hint), requests-per-minute
+  pacing between calls, and batch-level exponential backoff with jitter on
+  rate-limit / transient errors (previously backoff lived only inside each
+  provider's single HTTP call). A batch that exhausts its attempts raises
+  `BatchEmbedder::BatchFailed` carrying `batch_index` and `completed_count`
+  so a resumable job knows where to pick up. Supports `retry_on:` exception
+  overrides and an `on_progress:` callback.
+- **NEW**: `Parse::Embeddings::Cache` — process-local embedding cache keyed
+  by `(provider, model, dimensions, input_type, SHA-256(input))`, disabled by
+  default. Dimensions participate in the key so two registrations of the
+  same Matryoshka-capable model at different output widths never serve each
+  other's vectors.
+  `Parse::Embeddings::Cache.enable!(max_entries:, ttl:)` activates an LRU +
+  TTL store (or pass `store:` for a custom backend); repeated identical
+  query embeds through `find_similar(text:)`, `hybrid_search(text:)`, and
+  `Parse::Retrieval.retrieve` then skip the provider round-trip. Cache hits
+  emit the standard `parse.embeddings.embed` notification with
+  `cached: true`, so existing spend subscribers see hits and misses on one
+  stream. The input text is hashed before keying — plaintext queries never
+  land in a shared store.
+
+#### Vector index drift detection
+
+- **NEW**: first-query verification of deployed Atlas vectorSearch indexes.
+  When `find_similar` / `hybrid_search` auto-discovers an index, the SDK now
+  compares the index's `numDimensions` and `similarity` against the
+  `:vector` property declaration, and — when the class registers an
+  `agent_tenant_scope` — confirms the scope field is declared as a
+  `type: "filter"` path (without it, every tenant-scoped
+  `$vectorSearch.filter` fails Atlas-side). Findings are computed once per
+  (class, field, index) per process and governed by
+  `Parse::VectorSearch.index_drift_policy`: `:warn` (default) emits a
+  `[Parse::VectorSearch:DRIFT]` warning on the first check; `:raise` raises
+  `Parse::Core::VectorSearchable::IndexDriftError` on **every** query
+  against the drifted index, so strict deployments never serve degraded
+  results after the first failure; `:ignore` skips verification. An
+  explicit `index:` kwarg is verified best-effort when the catalog's
+  covering index carries the same name (lookup failures never fail the
+  query).
+
+#### Hybrid search hardening
+
+- **FIXED**: on the opt-in native `$rankFusion` path, a scoped (non-master)
+  caller's `_hybrid_score` is now recomputed from the post-ACL visible
+  ordering instead of surfacing the raw fused score. The raw score is
+  materialized before the ACL `$match`, so it encoded a surviving row's
+  rank among rows the caller cannot read — a cross-tenant/cross-ACL
+  inference channel for callers probing with crafted queries. The
+  recomputed score is monotone with the true fused order but is a function
+  of visible rows only. Master-key results and the default client-side RRF
+  path (which ranks from already-filtered rows) are unchanged.
+- **FIXED**: the `$rankFusion` support probe no longer classifies MongoDB
+  authorization errors as "stage unsupported". The probe's
+  unrecognized-stage matching included the broad phrase "is not allowed",
+  which also appears in auth failures ("not allowed to execute command
+  aggregate") and could cache the wrong verdict for the probe TTL. Matching
+  is narrowed to unambiguous unknown-stage phrases; any other failure is
+  treated as supported and the real query surfaces the real error, with
+  the client-side path as the standing fallback.
+
+#### Retrieval spend-cap and filter hardening
+
+- **NEW**: `Parse::Embeddings::SpendCap.configure(..., warn_at: 0.8)` —
+  soft-cap alerting. When a charge pushes a tenant's in-window usage across
+  the given fraction of its hard limit, a
+  `parse.embeddings.spend_cap_warning` ActiveSupport::Notifications event
+  is emitted (`tenant_id`, `used`, `limit`, `window`, `warn_at`,
+  `threshold`), once per crossing and re-arming as the window rolls off —
+  an operator alerting hook that fires BEFORE the hard refuse trips.
+  Disabled unless configured. Note the cap deliberately charges before the
+  query-embed cache lookup, so cache hits bill at full price: it bounds
+  query volume (an abuse control), not just provider spend.
+- **NEW**: `Parse::Embeddings::Cache::MonetaStore` — persistent-L2 adapter
+  for the embedding cache. Wraps any Moneta-compatible store (`[]`/`[]=`,
+  optional `store(key, value, expires:)`) behind the cache's `get`/`set`
+  duck, with key namespacing and TTL forwarding, so
+  `Cache.enable!(store: MonetaStore.new(moneta, ttl: 30 * 24 * 3600))`
+  shares query-embed entries across processes and restarts. Fail-open: a
+  backend error degrades to a cache miss / dropped write, never a failed
+  embed. Cache keys are input hashes — plaintext queries never land in the
+  shared store.
+- **NEW**: embedding spend-cap coverage on every query-embed path. The
+  per-tenant `Parse::Embeddings::SpendCap` was previously charged only at
+  the `semantic_search` agent-tool boundary; direct `find_similar(text:)`,
+  `hybrid_search(text:)`, and `Parse::Retrieval.retrieve` callers bypassed
+  it. The shared query-embed path now charges via
+  `SpendCap.charge_query!` — tenant identity resolves to the ambient
+  `Parse.with_cache_tenant` scope when set, else the shared default bucket.
+  The agent tool wraps its retrieval in the new `SpendCap.with_precharged`
+  block so a query it already charged with per-tenant identity is not
+  double-billed (and admin-exempt queries are not billed to the shared
+  bucket). As before, the cap is a no-op until configured.
+- **NEW**: pointer-value translation for caller-supplied retrieval filters.
+  `Parse::Retrieval.retrieve` (and through it the `semantic_search` agent
+  tool) now rewrites Parse pointer values — `Parse::Pointer` /
+  `Parse::Object` instances and wire-form `{"__type": "Pointer"}` hashes,
+  including inside `$in` / `$eq` / `$ne` operator hashes — into their
+  MongoDB storage form, so `{ owner: some_user }` becomes
+  `{ "_p_owner" => "_User$abc123" }` and actually matches rows. Previously
+  a pointer-valued filter silently matched nothing. Translation runs after
+  the underscore-key gate and filter-field allowlist (callers still cannot
+  name `_p_*` columns directly) and before the tenant-scope fold. The
+  standalone helper is `Parse::Retrieval.translate_pointer_filter_values`.
+- **IMPROVED**: `Parse::Schema::SearchIndexMigrator` auto-includes the
+  model's registered `agent_tenant_scope` field as a `type: "filter"` path
+  when planning or applying `vectorSearch` index declarations. Newly created
+  indexes support tenant-scoped pre-filtering out of the box; existing
+  indexes missing the path surface as `drifted:` in the plan instead of
+  failing at query time.
+
+#### Opt-in Unicode regex matching for text constraints
+
+- **NEW**: `starts_with`, `contains`, `ends_with`, and `like`/`regex` now accept
+  an opt-in `{ value:, unicode: true }` form that appends the `u` (Unicode) flag
+  to the compiled `$options`, enabling correct multibyte case-insensitive
+  matching for accented and non-Latin text (for example `café` matching
+  `CAFÉ`, or CJK characters).
+
+  ```ruby
+  Post.where(:title.starts_with => { value: "café", unicode: true })
+  # => "title": { "$regex": "^café", "$options": "iu" }
+
+  Post.where(:title.like => { value: /café/i, unicode: true })
+  # => "title": { "$regex": "café", "$options": "iu" }
+  ```
+
+  The flag is strictly opt-in: the bare-value forms
+  (`:title.starts_with => "café"`) compile exactly as before with `$options: "i"`,
+  so existing queries are unchanged. The `u` flag is honored by Parse Server
+  8.3.0+ over the REST query interface and by MongoDB 6.1+ on the mongo-direct
+  query path; older Parse Servers reject it, which is why it is never emitted
+  unless requested.
+
+#### ACL permission query hardening
+
+- **FIXED**: `readable_by`, `writable_by`, `readable_by_role`,
+  `writable_by_role`, `publicly_readable`, and `publicly_writable` no longer
+  raise a pipeline-security error when they auto-route through the direct
+  MongoDB path. These constraints compile to an aggregation `$match` on the
+  internal `_rperm` / `_wperm` permission columns, and the internal-fields
+  denylist that protects user-supplied pipelines from referencing
+  server-internal columns was also rejecting these SDK-generated references.
+  The aggregation runner now forwards the `allow_internal_fields` sanction for
+  pipelines built entirely from SDK constraint translation — matching the
+  parity already held by the `results_direct` / `count_direct` /
+  `distinct_direct` helpers — so public-read detection (`publicly_readable`,
+  `readable_by("*")`) and role/user permission filtering work again. The
+  sanction is scoped to SDK-built ACL pipelines only; caller-supplied
+  aggregation pipelines remain subject to the full denylist, so they still
+  cannot reference password hashes, session tokens, or other internal columns.
+- **FIXED**: `Query#count` now routes ACL permission filters
+  (`publicly_readable.count`, `readable_by(...).count`, and friends) through
+  the direct MongoDB path, mirroring `Query#results`. Previously `count` only
+  switched to the direct path for subquery `$lookup` stages, so an ACL count
+  was sent to Parse Server's REST aggregate endpoint, which cannot express a
+  `$match` on `_rperm` / `_wperm`.
+- **FIXED**: the scalar aggregation terminals — `Query#sum`, `#average`,
+  `#min`, `#max`, `#distinct`, and `#count_distinct` — now honor ACL
+  permission filters and scoped queries. They funnel through `Query#aggregate`,
+  which previously only switched to the direct MongoDB path for subquery
+  `$lookup` stages. An ACL filter (`readable_by(...).sum(:plays)`) was sent to
+  Parse Server's REST aggregate endpoint, which cannot express a `$match` on
+  `_rperm` / `_wperm`. More seriously, a **scoped** terminal
+  (`scope_to_user(u).sum(:plays)`, `scope_to_role`, or a `session_token`)
+  reached the same REST endpoint, which is master-key-only and enforces
+  neither ACL nor CLP — so the aggregate ran unscoped as the master key,
+  computing the result over rows the caller cannot read. `Query#aggregate` now
+  routes to mongo-direct whenever the query is scoped or the pipeline
+  references the ACL columns, and **fails closed** (raises
+  `Parse::Query::MongoDirectRequired`) for a scoped terminal when mongo-direct
+  is unavailable, rather than silently bypassing enforcement. The same
+  contract covers the inline-pipeline terminals: a scoped `Query#count` or
+  `Query#results` whose constraints compile to an aggregation pipeline
+  (e.g. `:field.size`) promotes to mongo-direct and fails closed identically
+  instead of falling back to REST `/aggregate`.
+- **FIXED**: `not_publicly_readable` / `not_publicly_writable` (and the
+  `:ACL.not_readable_by` / `:ACL.not_writable_by` constraints) no longer return
+  the rows they are meant to exclude. They compiled to `{ _rperm: { $nin:
+  [...] } }`, and MongoDB's `$nin` matches documents where the field is
+  **absent** — and a missing `_rperm` is treated by Parse Server as public.
+  A security audit using `not_publicly_writable` to find safe objects silently
+  excluded write-exposed (public-by-absence) objects. The constraints now carry
+  an `$exists: true` guard. "Not readable by X" additionally expands the
+  principal's roles and excludes publicly-readable rows (a public row is
+  readable by everyone, so it cannot be "not readable by X").
+- **FIXED**: `readable_by([])` / `writable_by([])` and the `:none` / `nil`
+  forms no longer raise `ArgumentError`; they now compile to the documented
+  "no permissions" match (an explicit empty `_rperm` / `_wperm`). Symbol
+  principals (`:public`, `:everyone`, `:world`) are accepted and map to the
+  public wildcard, matching the String forms.
+- **FIXED**: `PrivateAclConstraint` (`:ACL.private_acl` / `master_key_only`)
+  no longer classifies public-by-absence rows as private. A truly master-key-
+  only object has an explicit empty `_rperm` **and** `_wperm`; a missing
+  column is public, the opposite of private, so the missing-field branch was
+  removed. `private_acl => false` is now the exact complement.
+- **FIXED**: role expansion for `readable_by` / `writable_by` /
+  `readable_by_role` / `writable_by_role` now always includes the role's own
+  name in the permission set. The upward-inheritance walk yields nothing for
+  an unpersisted role (objectId still nil), which previously dropped the role
+  entirely and raised "no valid permissions"; the role's own `role:<name>`
+  entry is now appended idempotently, so persisted roles compile unchanged.
+- **CHANGED**: a mistyped ACL permission no longer vanishes silently. An
+  unrecognized element in a `readable_by` / `writable_by` array (or an
+  unsupported Symbol) now raises `ArgumentError` instead of being dropped from
+  the permission set, which would silently weaken the intended filter.
+- **NEW**: `strict:` option on `readable_by` / `writable_by` /
+  `readable_by_role` / `writable_by_role` (and the `:ACL.readable_by_exact` /
+  `writable_by_exact` / `*_by_role_exact` operators) for an **exact** match —
+  only rows whose `_rperm` / `_wperm` literally contains one of the resolved
+  permissions, with no implicit public `"*"` and no missing-field rows. The
+  default remains inclusive (access-simulation) semantics; `strict: true` is
+  the right choice for ownership and security audits.
+- **NEW**: `Query#not_readable_by` / `#not_writable_by` chained methods, the
+  fluent counterparts to the existing `:ACL.not_readable_by` symbol operators.
+- **BREAKING**: the British-spelled `:ACL.writeable_by` operator now resolves
+  to the same public-inclusive, role-expanding implementation as
+  `:ACL.writable_by`. Previously the one-letter spelling difference selected a
+  separate, strict, non-role-expanding constraint, so `writeable_by` and
+  `writable_by` silently produced different result sets. Code that relied on
+  the old strict behavior of `writeable_by` should pass `strict: true` (or use
+  the `:writable_by_exact` operator).
+
+#### Webhook after_save callback hardening
+
+- **FIXED**: the model's chained `after_save` / `after_create` callbacks now
+  fire exactly once per `afterSave` delivery, even when an app registers both a
+  class-specific handler (`webhook :after_save, MyClass`) and a catch-all
+  handler (`webhook :after_save, "*"`). The webhook endpoint dispatches every
+  trigger to both the class route and the `"*"` route, and the callback chain
+  previously ran inside each route — so an app with both handlers fired its
+  model `after_save` twice (e.g. two emails per save). The chain now runs once,
+  after both routes are dispatched. The existing behavior is otherwise
+  preserved: an `afterSave` for a class with no registered handler never fires
+  model callbacks, and trusted Ruby-initiated saves still skip the webhook-side
+  callbacks so the local `run_callbacks :save` is the single fire.
+- **FIXED**: a chained `after_save` or `after_create` callback that raises
+  during an `afterSave` webhook no longer crashes the webhook endpoint or
+  suppresses the other phase's side effects. Because `afterSave` fires after the
+  object is already persisted and Parse Server discards the response body, the
+  `after_create` and `after_save` phases now run independently and any
+  `StandardError` they raise is logged and swallowed (mirroring Parse Server's
+  own afterSave semantics). A raising `after_create :send_welcome_email` no
+  longer silently skips an unrelated `after_save :reindex`, and an uncaught
+  callback error can no longer return a 500 to Parse Server.
+- **FIXED**: `Parse::Webhooks::Payload#ruby_initiated?` now memoizes a `false`
+  result stably instead of re-deriving it on every call. The prior `||=`
+  memoization recomputed whenever the cached value was `false`, so a stamped
+  `false` could be re-derived inconsistently; the detection result is now cached
+  exactly once.
+
+#### `verify_password` client-side rate-limit parity
+
+- **CHANGED**: `verify_password` now participates in the same client-side login
+  rate-limit as `login`. It calls the rate-limit guard before issuing the
+  request and records the result afterward, keyed on the bare username so
+  failures share a bucket with `login` — an attacker cannot sidestep a `login`
+  lockout by pivoting to the `verify_password` credential oracle. Because the
+  bucket is shared, a run of failed step-up / re-authentication calls counts
+  toward (and can trigger) the primary login lockout for that username. As with
+  `login`, this is a convenience guard, not a security boundary — server-side
+  rate limiting remains the real control.
+
+#### Cloud function results are server-authoritative
+
+- **IMPROVED**: Documented that decoded cloud function results are treated as
+  server-authoritative. A cloud function that returns a Parse object decodes
+  through the same trusted path as every query and `fetch` result, so
+  server-set fields on the returned object (including `sessionToken` on a
+  returned user) are preserved rather than stripped — consistent with how the
+  rest of the SDK hydrates server responses. If a cloud function is expected to
+  echo back third-party-influenced data that you want to sanitize yourself,
+  call it with `raw: true` (`Parse.call_function(name, body, raw: true)`) to
+  receive the undecoded response before any object is built.
+
 ### 5.4.1
 
 #### Webhook after_save callback fix

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    parse-stack-next (5.4.1)
+    parse-stack-next (5.5.1)
       activemodel (>= 6.1, < 9)
       activesupport (>= 6.1, < 9)
       connection_pool (>= 2.2, < 4)