@base44-preview/cli 0.0.50-pr.484.ff9acc3 → 0.0.51-pr.480.51cf06a

package/dist/cli/index.js

@@ -235098,8 +235098,8 @@ var TOKEN_REFRESH_BUFFER_MS = 60 * 1000;
 var refreshPromise = null;
 async function readAuth() {
   try {
-    const parsed = await readJsonFile(getAuthFilePath());
-    const result = AuthDataSchema.safeParse(parsed);
+    const authData = await readJsonFile(getAuthFilePath());
+    const result = AuthDataSchema.safeParse(authData);
     if (!result.success) {
       throw new SchemaValidationError("Invalid authentication data", result.error, getAuthFilePath());
     }
@@ -241591,9 +241591,13 @@ var BackendFunctionToolConfigSchema = exports_external.object({
   function_name: exports_external.string().min(1),
   description: exports_external.string().default("agent backend function")
 });
+var CodeModeToolConfigSchema = exports_external.object({
+  code_mode: exports_external.union([exports_external.boolean(), exports_external.record(exports_external.string(), exports_external.unknown())])
+});
 var ToolConfigSchema = exports_external.union([
   EntityToolConfigSchema,
-  BackendFunctionToolConfigSchema
+  BackendFunctionToolConfigSchema,
+  CodeModeToolConfigSchema
 ]);
 var AgentConfigSchema = exports_external.looseObject({
   name: exports_external.string().trim().min(1).max(100),
@@ -242133,6 +242137,16 @@ async function updateSSOConfig(authDir, provider, enable) {
   await writeAuthConfig(authDir, merged);
   return merged;
 }
+
+class MissingSSOFieldsError extends InvalidInputError {
+  missingKeys;
+  provider;
+  constructor(provider, missingKeys) {
+    super(`Missing required fields for ${provider}: ${missingKeys.join(", ")}`);
+    this.provider = provider;
+    this.missingKeys = missingKeys;
+  }
+}
 function buildSSOSecrets(provider, options) {
   const schema3 = SSO_PROVIDER_SCHEMAS[provider];
   const secrets = {};
@@ -242168,7 +242182,7 @@ function buildSSOSecrets(provider, options) {
     missing.push("sso_name" /* Name */);
   }
   if (missing.length > 0) {
-    throw new InvalidInputError(`Missing required fields for ${provider}: ${missing.join(", ")}`);
+    throw new MissingSSOFieldsError(provider, missing);
   }
   return Object.fromEntries(Object.entries(secrets).filter(([, v]) => v.length > 0));
 }
@@ -243538,7 +243552,7 @@ import { join as join9 } from "node:path";
 // package.json
 var package_default = {
   name: "base44",
-  version: "0.0.50",
+  version: "0.0.51",
   description: "Base44 CLI - Unified interface for managing Base44 applications",
   type: "module",
   bin: {
@@ -243593,6 +243607,7 @@ var package_default = {
     "@types/multer": "^2.0.0",
     "@types/node": "^22.10.5",
     "@vercel/detect-agent": "^1.1.0",
+    outdent: "^0.8.0",
     chalk: "^5.6.2",
     chokidar: "^5.0.0",
     commander: "^12.1.0",
@@ -251218,7 +251233,7 @@ function getSocialLoginCommand() {
 // src/cli/commands/auth/sso.ts
 import { dirname as dirname11, join as join16, resolve as resolve3 } from "node:path";
 var SSOConfigFileSchema = exports_external.object({
-  provider: exports_external.enum(["google", "microsoft", "github", "okta", "custom"]),
+  provider: exports_external.enum(Object.values(KNOWN_SSO_PROVIDERS)),
   clientId: exports_external.string(),
   clientSecret: exports_external.string(),
   scope: exports_external.string().optional(),
@@ -251236,10 +251251,7 @@ async function loadSSOConfigFile(filePath) {
   const raw2 = await readJsonFile(resolved);
   const result = SSOConfigFileSchema.safeParse(raw2);
   if (!result.success) {
-    const issues = result.error.issues.map((i2) => `  ${i2.path.join(".")}: ${i2.message}`).join(`
-`);
-    throw new InvalidInputError(`Invalid SSO config file ${filePath}:
-${issues}`);
+    throw new SchemaValidationError("Invalid SSO config file", result.error, filePath);
   }
   return result.data;
 }
@@ -251262,6 +251274,32 @@ function mergeFileWithFlags(fileConfig, options) {
   };
 }
 var providerNames = Object.keys(KNOWN_SSO_PROVIDERS);
+var SECRET_KEY_TO_FLAG = {
+  ["sso_name" /* Name */]: "--sso-name",
+  ["sso_client_id" /* ClientId */]: "--client-id",
+  ["sso_client_secret" /* ClientSecret */]: "--client-secret",
+  ["sso_scope" /* Scope */]: "--scope",
+  ["sso_discovery_url" /* DiscoveryUrl */]: "--discovery-url",
+  ["sso_tenant_id" /* TenantId */]: "--tenant-id",
+  ["sso_auth_endpoint" /* AuthEndpoint */]: "--auth-endpoint",
+  ["sso_token_endpoint" /* TokenEndpoint */]: "--token-endpoint",
+  ["sso_userinfo_endpoint" /* UserinfoEndpoint */]: "--userinfo-endpoint",
+  ["sso_okta_domain" /* OktaDomain */]: "--okta-domain",
+  ["sso_jwks_uri" /* JwksUri */]: "--jwks-uri"
+};
+function secretKeyToFlag(key) {
+  return SECRET_KEY_TO_FLAG[key];
+}
+function exampleCommand(provider) {
+  let cmd = `base44 auth sso enable --provider ${provider} --client-id <id> --client-secret <secret>`;
+  if (provider === KNOWN_SSO_PROVIDERS.microsoft)
+    cmd += " --tenant-id <id>";
+  if (provider === KNOWN_SSO_PROVIDERS.okta)
+    cmd += " --okta-domain <domain>";
+  if (provider === KNOWN_SSO_PROVIDERS.custom)
+    cmd += " --sso-name <name> --auth-endpoint <url> --token-endpoint <url> --userinfo-endpoint <url> --jwks-uri <url>";
+  return cmd;
+}
 function validateProvider(provider) {
   if (!provider) {
     throw new InvalidInputError("Missing --provider.", {
@@ -251273,12 +251311,12 @@ function validateProvider(provider) {
       ]
     });
   }
-  if (!(provider in KNOWN_SSO_PROVIDERS)) {
-    throw new InvalidInputError(`Unknown provider "${provider}". Valid providers: ${providerNames.join(", ")}`);
-  }
   return provider;
 }
 async function ssoEnableAction({ isNonInteractive, runTask: runTask2 }, options) {
+  if (options.file && options.envFile) {
+    throw new InvalidInputError("--file and --env-file cannot be used together. Provide the client secret either inside --file or via --env-file.");
+  }
   let merged = options;
   if (options.file) {
     const fileConfig = await loadSSOConfigFile(options.file);
@@ -251338,7 +251376,23 @@ async function ssoEnableAction({ isNonInteractive, runTask: runTask2 }, options)
     jwksUri: merged.jwksUri,
     ssoName: merged.ssoName
   };
-  const secrets = buildSSOSecrets(provider, secretOptions);
+  let secrets;
+  try {
+    secrets = buildSSOSecrets(provider, secretOptions);
+  } catch (error48) {
+    if (error48 instanceof MissingSSOFieldsError) {
+      const flagNames = error48.missingKeys.map(secretKeyToFlag);
+      throw new InvalidInputError(`Missing required fields for ${error48.provider}: ${flagNames.join(", ")}`, {
+        hints: [
+          {
+            message: `Example: ${exampleCommand(provider)}`,
+            command: exampleCommand(provider)
+          }
+        ]
+      });
+    }
+    throw error48;
+  }
   const { project: project2 } = await readProjectConfig();
   const configDir = dirname11(project2.configPath);
   const authDir = join16(configDir, project2.authDir);
@@ -251348,29 +251402,36 @@ async function ssoEnableAction({ isNonInteractive, runTask: runTask2 }, options)
     outroMessage: `SSO configured with ${provider} in local config. Run \`base44 auth push\` or \`base44 deploy\` to apply.`
   };
 }
-async function ssoDisableAction({
-  runTask: runTask2
-}) {
+function hasEnableOnlyOptions(options) {
+  return Boolean(options.provider || options.clientId || options.clientSecret || options.clientSecretStdin || options.envFile || options.file || options.scope || options.discoveryUrl || options.tenantId || options.oktaDomain || options.authEndpoint || options.tokenEndpoint || options.userinfoEndpoint || options.jwksUri || options.ssoName);
+}
+async function ssoDisableAction({ log, runTask: runTask2 }, options) {
+  if (hasEnableOnlyOptions(options)) {
+    throw new InvalidInputError("Configuration options cannot be used with disable. To disable SSO: base44 auth sso disable");
+  }
   const { project: project2 } = await readProjectConfig();
   const configDir = dirname11(project2.configPath);
   const authDir = join16(configDir, project2.authDir);
-  await runTask2("Updating local auth config", async () => updateSSOConfig(authDir, null, false));
+  const updated = await runTask2("Updating local auth config", async () => updateSSOConfig(authDir, null, false));
   await runTask2("Removing SSO credentials", async () => deleteSSOSecrets());
+  if (!hasAnyLoginMethod(updated)) {
+    log.warn("Disabling SSO will leave no login methods enabled. Users will be locked out.");
+  }
   return {
     outroMessage: "SSO disabled in local config and credentials removed. Run `base44 auth push` or `base44 deploy` to apply."
   };
 }
 async function ssoAction(context, action, options) {
   if (action === "disable") {
-    return ssoDisableAction(context);
+    return ssoDisableAction(context, options);
   }
   return ssoEnableAction(context, options);
 }
 function getSSOCommand() {
-  return new Base44Command("sso").description("Configure SSO identity provider (google, microsoft, github, okta, custom)").addArgument(new Argument("<action>", "enable or disable SSO").choices([
+  return new Base44Command("sso").description("Configure SSO identity provider (google, microsoft, github, okta, custom). SSO and social login are mutually exclusive — enabling one disables the other in the local auth config.").addArgument(new Argument("<action>", "enable or disable SSO").choices([
     "enable",
     "disable"
-  ])).option("--provider <provider>", "SSO provider: google, microsoft, github, okta, custom").option("--client-id <id>", "OAuth client ID").option("--client-secret <secret>", "OAuth client secret").option("--client-secret-stdin", "Read client secret from stdin").option("--env-file <path>", "Read client secret from a .env file (key: sso_client_secret)").option("--file <path>", "JSON config file with all SSO settings").option("--scope <scope>", "OAuth scope (defaults per provider)").option("--discovery-url <url>", "OIDC discovery URL").option("--tenant-id <id>", "Microsoft tenant ID (required for microsoft)").option("--okta-domain <domain>", "Okta domain (required for okta)").option("--auth-endpoint <url>", "Authorization endpoint (required for custom)").option("--token-endpoint <url>", "Token endpoint (required for custom)").option("--userinfo-endpoint <url>", "Userinfo endpoint (required for custom)").option("--jwks-uri <url>", "JWKS URI (required for custom)").option("--sso-name <name>", "Provider display name (required for custom)").action(ssoAction);
+  ])).addOption(new Option("--provider <provider>", "SSO provider").choices(Object.values(KNOWN_SSO_PROVIDERS))).option("--client-id <id>", "OAuth client ID").option("--client-secret <secret>", "OAuth client secret").option("--client-secret-stdin", "Read client secret from stdin").option("--env-file <path>", "Read client secret from a .env file (key: sso_client_secret)").option("--file <path>", "JSON config file with all SSO settings").option("--scope <scope>", "OAuth scope (defaults per provider)").option("--discovery-url <url>", "OIDC discovery URL").option("--tenant-id <id>", "Microsoft tenant ID (required for microsoft)").option("--okta-domain <domain>", "Okta domain (required for okta)").option("--auth-endpoint <url>", "Authorization endpoint (required for custom)").option("--token-endpoint <url>", "Token endpoint (required for custom)").option("--userinfo-endpoint <url>", "Userinfo endpoint (required for custom)").option("--jwks-uri <url>", "JWKS URI (required for custom)").option("--sso-name <name>", "Provider display name (required for custom)").action(ssoAction);
 }
 
 // src/cli/commands/auth/index.ts
@@ -253632,15 +253693,21 @@ class FunctionManager {
     this.setupProcessHandlers(name2, process21);
     return this.waitForReady(name2, runningFunc);
   }
-  reload(functions) {
-    this.stopAll();
+  async reload(functions) {
+    await this.stopAll();
     this.functions = new Map(functions.map((f7) => [f7.name, f7]));
   }
-  stopAll() {
-    for (const [name2, { process: process21 }] of this.running) {
+  async stopAll() {
+    await Promise.all(Array.from(this.running, ([name2, { process: proc2 }]) => {
       this.logger.log(`Stopping function: ${name2}`);
-      process21.kill();
-    }
+      const exited = new Promise((r5) => proc2.once("exit", () => r5()));
+      if (process.platform === "win32" && proc2.pid) {
+        spawn2("taskkill", ["/pid", String(proc2.pid), "/T", "/F"]);
+      } else {
+        proc2.kill();
+      }
+      return exited;
+    }));
     this.running.clear();
     this.starting.clear();
   }
@@ -254028,6 +254095,9 @@ class Database {
   getCollection(name2) {
     return this.collections.get(this.normalizeName(name2));
   }
+  getSchema(entityName) {
+    return this.schemas.get(this.normalizeName(entityName));
+  }
   getCollectionNames() {
     return Array.from(this.collections.keys()).filter((name2) => {
       return !name2.startsWith(PRIVATE_COLLECTION_PREFIX);
@@ -254255,6 +254325,120 @@ In order to complete registration use this verification code: ${otpCode}
 // src/cli/dev/dev-server/routes/entities/entities-router.ts
 var import_express4 = __toESM(require_express(), 1);
 
+// src/cli/dev/dev-server/db/rls.ts
+function getRLSFieldValue(key2, source3) {
+  const DATA_FIELD_PREFIX = "data.";
+  return source3[key2.startsWith(DATA_FIELD_PREFIX) ? key2.slice(DATA_FIELD_PREFIX.length) : key2];
+}
+function resolveTemplate(value, user) {
+  return value.replace(/\{\{user\.([\w.]+)\}\}/g, (_match, path18) => {
+    return String(getRLSFieldValue(path18, user) ?? "");
+  });
+}
+function evaluateOperator(recordValue, operator) {
+  for (const [op2, opValue] of Object.entries(operator)) {
+    switch (op2) {
+      case "$in":
+        if (!Array.isArray(opValue) || !opValue.includes(recordValue)) {
+          return false;
+        }
+        break;
+      case "$nin":
+        if (!Array.isArray(opValue) || opValue.includes(recordValue)) {
+          return false;
+        }
+        break;
+      case "$ne":
+        if (recordValue === opValue)
+          return false;
+        break;
+      case "$all":
+        if (!Array.isArray(recordValue) || !Array.isArray(opValue)) {
+          return false;
+        }
+        if (!opValue.every((v10) => recordValue.includes(v10))) {
+          return false;
+        }
+        break;
+      default:
+        return false;
+    }
+  }
+  return true;
+}
+function evaluateUserCondition(condition, user) {
+  for (const [key2, expected] of Object.entries(condition)) {
+    const userValue = getRLSFieldValue(key2, user);
+    if (typeof expected === "object" && expected !== null) {
+      if (!evaluateOperator(userValue, expected))
+        return false;
+    } else {
+      if (userValue !== expected)
+        return false;
+    }
+  }
+  return true;
+}
+function evaluateCondition(condition, record2, user) {
+  for (const [key2, value] of Object.entries(condition)) {
+    if (key2 === "user_condition") {
+      if (!evaluateUserCondition(value, user))
+        return false;
+      continue;
+    }
+    if (key2 === "$or") {
+      const conditions = value;
+      if (!conditions.some((c8) => evaluateCondition(c8, record2, user)))
+        return false;
+      continue;
+    }
+    if (key2 === "$and") {
+      const conditions = value;
+      if (!conditions.every((c8) => evaluateCondition(c8, record2, user)))
+        return false;
+      continue;
+    }
+    if (key2 === "$nor") {
+      const conditions = value;
+      if (conditions.some((c8) => evaluateCondition(c8, record2, user)))
+        return false;
+      continue;
+    }
+    const recordValue = getRLSFieldValue(key2, record2);
+    const resolvedValue = typeof value === "string" ? resolveTemplate(value, user) : value;
+    if (typeof resolvedValue === "object" && resolvedValue !== null) {
+      if (!evaluateOperator(recordValue, resolvedValue))
+        return false;
+    } else {
+      if (recordValue !== resolvedValue)
+        return false;
+    }
+  }
+  return true;
+}
+function checkRLS(rule, record2, user) {
+  if (rule === undefined)
+    return true;
+  if (typeof rule === "boolean")
+    return rule;
+  if (!user)
+    return false;
+  return evaluateCondition(rule, record2, user);
+}
+function applyFLS(record2, schema10, user, operation) {
+  if (Array.isArray(record2)) {
+    return record2.map((r5) => applyFLS(r5, schema10, user, operation));
+  }
+  const result = {};
+  for (const [key2, value] of Object.entries(record2)) {
+    const rule = schema10.properties[key2]?.rls?.[operation];
+    if (!rule || checkRLS(rule, record2, user)) {
+      result[key2] = value;
+    }
+  }
+  return result;
+}
+
 // src/cli/dev/dev-server/db/entity-queries.ts
 function parseSort(sort) {
   if (!sort) {
@@ -254312,30 +254496,54 @@ var queryEntity = async (collection, reqQuery) => {
   return cursor3;
 };
 
+// src/cli/dev/dev-server/routes/entities/current-user.ts
+var import_jsonwebtoken2 = __toESM(require_jsonwebtoken(), 1);
+function getSubject(payload) {
+  if (!payload || typeof payload === "string") {
+    return;
+  }
+  return payload.sub;
+}
+async function resolveCurrentUser(db2, req) {
+  const auth2 = req.headers.authorization;
+  if (!auth2?.startsWith("Bearer ")) {
+    return { ok: false, reason: "missing" };
+  }
+  try {
+    const decoded = import_jsonwebtoken2.default.decode(auth2.replace("Bearer ", ""), {
+      complete: true
+    });
+    const subject = getSubject(decoded?.payload);
+    if (!subject) {
+      return { ok: false, reason: "invalid" };
+    }
+    const currentUser = await db2.getCollection(USER_COLLECTION)?.findOneAsync({ email: subject });
+    if (!currentUser) {
+      return { ok: false, reason: "not_found" };
+    }
+    return { ok: true, user: currentUser };
+  } catch {
+    return { ok: false, reason: "invalid" };
+  }
+}
+
 // src/cli/dev/dev-server/routes/entities/entities-user-router.ts
 var import_express3 = __toESM(require_express(), 1);
-var import_jsonwebtoken2 = __toESM(require_jsonwebtoken(), 1);
 function createUserRouter(db2, logger2) {
   const router = import_express3.Router({ mergeParams: true });
   const parseBody = import_express3.json();
   function withAuth(handler) {
     return async (req, res) => {
-      const auth2 = req.headers.authorization;
-      if (!auth2 || !auth2.startsWith("Bearer ")) {
+      const currentUserResult = await resolveCurrentUser(db2, req);
+      if (!currentUserResult.ok && (currentUserResult.reason === "missing" || currentUserResult.reason === "invalid")) {
         res.status(401).json({ error: "Unauthorized" });
         return;
       }
-      try {
-        const { payload } = import_jsonwebtoken2.default.decode(auth2.replace("Bearer ", ""), { complete: true }) ?? {};
-        const result = await db2.getCollection(USER_COLLECTION)?.findOneAsync({ email: payload?.sub });
-        if (!result) {
-          res.status(404).json({ error: "Unable to read data for the current user" });
-          return;
-        }
-        await handler(req, res, result);
-      } catch {
-        res.status(401).json({ error: "Unauthorized" });
+      if (!currentUserResult.ok) {
+        res.status(404).json({ error: "Unable to read data for the current user" });
+        return;
       }
+      await handler(req, res, currentUserResult.user);
     };
   }
   router.get("/:id", withAuth(async (req, res, currentUser) => {
@@ -254435,12 +254643,20 @@ async function createEntityRoutes(db2, logger2, broadcast) {
   const parseBody = import_express4.json();
   function withCollection(handler) {
     return async (req, res) => {
-      const collection = db2.getCollection(req.params.entityName);
+      const { entityName } = req.params;
+      const collection = db2.getCollection(entityName);
       if (!collection) {
-        res.status(404).json({ error: `Entity "${req.params.entityName}" not found` });
+        res.status(404).json({ error: `Entity "${entityName}" not found` });
+        return;
+      }
+      const schema10 = db2.getSchema(entityName);
+      if (!schema10) {
+        res.status(404).json({ error: `Schema for "${entityName}" not found` });
         return;
       }
-      await handler(req, res, collection);
+      const currentUserResult = await resolveCurrentUser(db2, req);
+      const currentUser = currentUserResult.ok ? currentUserResult.user : undefined;
+      await handler(req, res, collection, schema10, currentUser);
     };
   }
   function emit(appId, entityName, type, data) {
@@ -254458,9 +254674,31 @@ async function createEntityRoutes(db2, logger2, broadcast) {
     }
     broadcast(appId, entityName, createData(data));
   }
+  function prepareCreateRecord(entityName, body, schema10, currentUser, now) {
+    const { _id, ...recordBody } = body;
+    const ownerFields = {
+      created_by: currentUser?.email,
+      created_by_id: currentUser?.id
+    };
+    if (!checkRLS(schema10.rls?.create, {
+      ...recordBody,
+      ...ownerFields
+    }, currentUser)) {
+      return;
+    }
+    const filteredBody = applyFLS(db2.prepareRecord(entityName, recordBody), schema10, currentUser, "write");
+    db2.validate(entityName, filteredBody);
+    return {
+      ...filteredBody,
+      id: nanoid3(),
+      ...ownerFields,
+      created_date: now,
+      updated_date: now
+    };
+  }
   const userRouter = createUserRouter(db2, logger2);
   router.use("/User", userRouter);
-  router.get("/:entityName/:id", withCollection(async (req, res, collection) => {
+  router.get("/:entityName/:id", withCollection(async (req, res, collection, schema10, currentUser) => {
     const { entityName, id: id2 } = req.params;
     try {
       const doc2 = await collection.findOneAsync({ id: id2 });
@@ -254468,16 +254706,28 @@ async function createEntityRoutes(db2, logger2, broadcast) {
         res.status(404).json({ error: `Record with id "${id2}" not found` });
         return;
       }
-      res.json(stripInternalFields(doc2));
+      if (!checkRLS(schema10.rls?.read, doc2, currentUser)) {
+        res.status(404).json({
+          message: `Entity ${entityName} with ID ${id2} not found`
+        });
+        return;
+      }
+      const result = applyFLS(stripInternalFields(doc2), schema10, currentUser, "read");
+      res.json(result);
     } catch (error48) {
       logger2.error(`Error in GET /${entityName}/${id2}:`, error48);
       res.status(500).json({ error: "Internal server error" });
     }
   }));
-  router.get("/:entityName", withCollection(async (req, res, collection) => {
+  router.get("/:entityName", withCollection(async (req, res, collection, schema10, currentUser) => {
     const { entityName } = req.params;
     try {
-      res.json(stripInternalFields(await queryEntity(collection, req.query)));
+      let results = stripInternalFields(await queryEntity(collection, req.query));
+      if (schema10.rls?.read && schema10.rls.read !== true) {
+        results = results.filter((doc2) => checkRLS(schema10.rls.read, doc2, currentUser));
+      }
+      results = results.map((doc2) => applyFLS(doc2, schema10, currentUser, "read"));
+      res.json(results);
     } catch (error48) {
       if (error48 instanceof InvalidInputError) {
         res.status(400).json({ error: error48.message });
@@ -254487,20 +254737,16 @@ async function createEntityRoutes(db2, logger2, broadcast) {
       }
     }
   }));
-  router.post("/:entityName", parseBody, withCollection(async (req, res, collection) => {
+  router.post("/:entityName", parseBody, withCollection(async (req, res, collection, schema10, currentUser) => {
     const { appId, entityName } = req.params;
     try {
       const now = new Date().toISOString();
-      const { _id, ...body } = req.body;
-      const filteredBody = db2.prepareRecord(entityName, body);
-      db2.validate(entityName, filteredBody);
-      const record2 = {
-        ...filteredBody,
-        id: nanoid3(),
-        created_date: now,
-        updated_date: now
-      };
-      const inserted = stripInternalFields(await collection.insertAsync(record2));
+      const record2 = prepareCreateRecord(entityName, req.body, schema10, currentUser, now);
+      if (!record2) {
+        res.status(403).json({ error: "Permission denied" });
+        return;
+      }
+      const inserted = applyFLS(stripInternalFields(await collection.insertAsync(record2)), schema10, currentUser, "read");
       emit(appId, entityName, "create", inserted);
       res.status(201).json(inserted);
     } catch (error48) {
@@ -254512,7 +254758,7 @@ async function createEntityRoutes(db2, logger2, broadcast) {
       res.status(500).json({ error: "Internal server error" });
     }
   }));
-  router.post("/:entityName/bulk", parseBody, withCollection(async (req, res, collection) => {
+  router.post("/:entityName/bulk", parseBody, withCollection(async (req, res, collection, schema10, currentUser) => {
     const { appId, entityName } = req.params;
     if (!Array.isArray(req.body)) {
       res.status(400).json({ error: "Request body must be an array" });
@@ -254521,17 +254767,15 @@ async function createEntityRoutes(db2, logger2, broadcast) {
     try {
       const now = new Date().toISOString();
       const records = [];
-      for (const record2 of req.body) {
-        const filteredRecord = db2.prepareRecord(entityName, record2);
-        db2.validate(entityName, filteredRecord);
-        records.push({
-          ...filteredRecord,
-          id: nanoid3(),
-          created_date: now,
-          updated_date: now
-        });
+      for (const body of req.body) {
+        const record2 = prepareCreateRecord(entityName, body, schema10, currentUser, now);
+        if (!record2) {
+          res.status(403).json({ error: "Permission denied" });
+          return;
+        }
+        records.push(record2);
       }
-      const inserted = stripInternalFields(await collection.insertAsync(records));
+      const inserted = applyFLS(stripInternalFields(await collection.insertAsync(records)), schema10, currentUser, "read");
       emit(appId, entityName, "create", inserted);
       res.status(201).json(inserted);
     } catch (error48) {
@@ -254543,11 +254787,24 @@ async function createEntityRoutes(db2, logger2, broadcast) {
       res.status(500).json({ error: "Internal server error" });
     }
   }));
-  router.put("/:entityName/:id", parseBody, withCollection(async (req, res, collection) => {
+  router.put("/:entityName/:id", parseBody, withCollection(async (req, res, collection, schema10, currentUser) => {
     const { appId, entityName, id: id2 } = req.params;
     const { id: _id, created_date: _created_date, ...body } = req.body;
     try {
-      const filteredBody = db2.prepareRecord(entityName, body, true);
+      if (schema10.rls?.update !== undefined) {
+        const existing = await collection.findOneAsync({ id: id2 });
+        if (!existing) {
+          res.status(404).json({ error: `Record with id "${id2}" not found` });
+          return;
+        }
+        if (!checkRLS(schema10.rls.update, existing, currentUser)) {
+          res.status(404).json({
+            message: `Entity ${entityName} with ID ${id2} not found`
+          });
+          return;
+        }
+      }
+      const filteredBody = applyFLS(db2.prepareRecord(entityName, body, true), schema10, currentUser, "write");
       db2.validate(entityName, filteredBody, true);
       const updateData = {
         ...filteredBody,
@@ -254558,7 +254815,7 @@ async function createEntityRoutes(db2, logger2, broadcast) {
         res.status(404).json({ error: `Record with id "${id2}" not found` });
         return;
       }
-      const updated = stripInternalFields(result.affectedDocuments);
+      const updated = applyFLS(stripInternalFields(result.affectedDocuments), schema10, currentUser, "read");
       emit(appId, entityName, "update", updated);
       res.json(updated);
     } catch (error48) {
@@ -254570,30 +254827,48 @@ async function createEntityRoutes(db2, logger2, broadcast) {
       res.status(500).json({ error: "Internal server error" });
     }
   }));
-  router.delete("/:entityName/:id", withCollection(async (req, res, collection) => {
+  router.delete("/:entityName/:id", withCollection(async (req, res, collection, schema10, currentUser) => {
     const { appId, entityName, id: id2 } = req.params;
     try {
       const doc2 = await collection.findOneAsync({ id: id2 });
-      const numRemoved = await collection.removeAsync({ id: id2 }, { multi: false });
-      if (numRemoved === 0) {
+      if (!doc2) {
         res.status(404).json({ error: `Record with id "${id2}" not found` });
         return;
       }
-      if (doc2) {
-        emit(appId, entityName, "delete", stripInternalFields(doc2));
+      if (!checkRLS(schema10.rls?.delete, doc2, currentUser)) {
+        res.status(404).json({
+          message: `Entity ${entityName} with ID ${id2} not found`
+        });
+        return;
       }
+      await collection.removeAsync({ id: id2 }, { multi: false });
+      emit(appId, entityName, "delete", stripInternalFields(doc2));
       res.json({ success: true });
     } catch (error48) {
       logger2.error(`Error in DELETE /${entityName}/${id2}:`, error48);
       res.status(500).json({ error: "Internal server error" });
     }
   }));
-  router.delete("/:entityName", parseBody, withCollection(async (req, res, collection) => {
+  router.delete("/:entityName", parseBody, withCollection(async (req, res, collection, schema10, currentUser) => {
     const { entityName } = req.params;
     try {
       const query = req.body || {};
-      const numRemoved = await collection.removeAsync(query, { multi: true });
-      res.json({ success: true, deleted: numRemoved });
+      const rlsDelete = schema10?.rls?.delete;
+      if (rlsDelete !== undefined && rlsDelete !== true) {
+        if (rlsDelete === false) {
+          res.status(403).json({ error: "Permission denied" });
+          return;
+        }
+        const docs = await collection.findAsync(query);
+        const allowedIds = docs.filter((doc2) => checkRLS(rlsDelete, doc2, currentUser)).map((doc2) => doc2.id);
+        const numRemoved = await collection.removeAsync({ id: { $in: allowedIds } }, { multi: true });
+        res.json({ success: true, deleted: numRemoved });
+      } else {
+        const numRemoved = await collection.removeAsync(query, {
+          multi: true
+        });
+        res.json({ success: true, deleted: numRemoved });
+      }
     } catch (error48) {
       logger2.error(`Error in DELETE /${entityName}:`, error48);
       res.status(500).json({ error: "Internal server error" });
@@ -256393,7 +256668,9 @@ var DEFAULT_PORT = 4400;
 var BASE44_APP_URL = "https://base44.app";
 async function createDevServer(options8) {
   const { port: userPort } = options8;
-  const port = userPort ?? await getPorts({ port: DEFAULT_PORT });
+  const port = userPort ?? await getPorts({
+    port: process.env.IS_TEST === "true" ? undefined : DEFAULT_PORT
+  });
   const baseUrl = `http://localhost:${port}`;
   const { functions, entities, project: project2 } = await options8.loadResources();
   const app = import_express6.default();
@@ -256486,7 +256763,7 @@ async function createDevServer(options8) {
       const { functions: functions2, entities: entities2 } = await options8.loadResources();
       if (name2 === "functions") {
         const previousFunctionCount = functionManager.getFunctionNames().length;
-        functionManager.reload(functions2);
+        await functionManager.reload(functions2);
         const names = functionManager.getFunctionNames();
         if (names.length > 0) {
           devLogger.log(`Reloaded functions: ${names.sort().join(", ")}`);
@@ -256511,10 +256788,10 @@ async function createDevServer(options8) {
     }
   });
   await base44ConfigWatcher.start();
-  const shutdown = () => {
+  const shutdown = async () => {
     base44ConfigWatcher.close();
     io6.close();
-    functionManager.stopAll();
+    await functionManager.stopAll();
     server.close();
   };
   process.on("SIGINT", shutdown);
@@ -261005,4 +261282,4 @@ export {
   CLIExitError
 };
 
-//# debugId=3D7486B2A6408CC364756E2164756E21
+//# debugId=827C7659385FB39764756E2164756E21