@expo/entity 0.54.0 → 0.55.0

package/build/src/index.d.ts

@@ -64,9 +64,13 @@ export * from './internal/SingleFieldHolder';
 export * from './metrics/EntityMetricsUtils';
 export * from './metrics/IEntityMetricsAdapter';
 export * from './metrics/NoOpEntityMetricsAdapter';
+export * from './rules/AllowIfAllSubRulesAllowPrivacyPolicyRule';
+export * from './rules/AllowIfAnySubRuleAllowsPrivacyPolicyRule';
+export * from './rules/AllowIfInParentCascadeDeletionPrivacyPolicyRule';
 export * from './rules/AlwaysAllowPrivacyPolicyRule';
 export * from './rules/AlwaysDenyPrivacyPolicyRule';
 export * from './rules/AlwaysSkipPrivacyPolicyRule';
+export * from './rules/EvaluateIfEntityFieldPredicatePrivacyPolicyRule';
 export * from './rules/PrivacyPolicyRule';
 export * from './utils/EntityCreationUtils';
 export * from './utils/EntityPrivacyUtils';

package/build/src/index.js

@@ -81,9 +81,13 @@ __exportStar(require("./internal/SingleFieldHolder"), exports);
 __exportStar(require("./metrics/EntityMetricsUtils"), exports);
 __exportStar(require("./metrics/IEntityMetricsAdapter"), exports);
 __exportStar(require("./metrics/NoOpEntityMetricsAdapter"), exports);
+__exportStar(require("./rules/AllowIfAllSubRulesAllowPrivacyPolicyRule"), exports);
+__exportStar(require("./rules/AllowIfAnySubRuleAllowsPrivacyPolicyRule"), exports);
+__exportStar(require("./rules/AllowIfInParentCascadeDeletionPrivacyPolicyRule"), exports);
 __exportStar(require("./rules/AlwaysAllowPrivacyPolicyRule"), exports);
 __exportStar(require("./rules/AlwaysDenyPrivacyPolicyRule"), exports);
 __exportStar(require("./rules/AlwaysSkipPrivacyPolicyRule"), exports);
+__exportStar(require("./rules/EvaluateIfEntityFieldPredicatePrivacyPolicyRule"), exports);
 __exportStar(require("./rules/PrivacyPolicyRule"), exports);
 __exportStar(require("./utils/EntityCreationUtils"), exports);
 __exportStar(require("./utils/EntityPrivacyUtils"), exports);

package/build/src/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA,iCAAiC;AACjC;;;GAGG;;;;;;;;;;;;;;;;AAEH,oFAAkE;AAClE,yEAAuD;AACvD,0EAAwD;AACxD,+DAA6C;AAC7C,iEAA+C;AAC/C,qEAAmD;AACnD,2DAAyC;AACzC,2DAAyC;AACzC,0DAAwC;AACxC,2DAAyC;AACzC,2CAAyB;AACzB,4DAA0C;AAC1C,oDAAkC;AAClC,4DAA0C;AAC1C,wDAAsC;AACtC,kDAAgC;AAChC,0DAAwC;AACxC,kDAAgC;AAChC,0DAAwC;AACxC,iDAA+B;AAC/B,iDAA+B;AAC/B,wDAAsC;AACtC,sDAAoC;AACpC,uDAAqC;AACrC,uEAAqD;AACrD,yEAAuD;AACvD,yDAAuC;AACvC,wDAAsC;AACtC,uDAAqC;AACrC,+DAA6C;AAC7C,+DAA6C;AAC7C,kDAAgC;AAChC,gDAA8B;AAC9B,8DAA4C;AAC5C,gEAA8C;AAC9C,wDAAsC;AACtC,gEAA8C;AAC9C,mEAAiD;AACjD,yDAAuC;AACvC,mDAAiC;AACjC,kDAAgC;AAChC,gEAA8C;AAC9C,wEAAsD;AACtD,oEAAkD;AAClD,qEAAmD;AACnD,mEAAiD;AACjD,sEAAoD;AACpD,uDAAqC;AACrC,wEAAsD;AACtD,oEAAkD;AAClD,+DAA6C;AAC7C,kEAAgD;AAChD,oEAAkD;AAClD,+DAA6C;AAC7C,4EAA0D;AAC1D,kEAAgD;AAChD,wEAAsD;AACtD,oEAAkD;AAClD,+DAA6C;AAC7C,+DAA6C;AAC7C,kEAAgD;AAChD,qEAAmD;AACnD,uEAAqD;AACrD,sEAAoD;AACpD,sEAAoD;AACpD,4DAA0C;AAC1C,8DAA4C;AAC5C,6DAA2C;AAC3C,mFAAiE;AACjE,2DAAyC;AACzC,yEAAuD;AACvD,2DAAyC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";AAAA,iCAAiC;AACjC;;;GAGG;;;;;;;;;;;;;;;;AAEH,oFAAkE;AAClE,yEAAuD;AACvD,0EAAwD;AACxD,+DAA6C;AAC7C,iEAA+C;AAC/C,qEAAmD;AACnD,2DAAyC;AACzC,2DAAyC;AACzC,0DAAwC;AACxC,2DAAyC;AACzC,2CAAyB;AACzB,4DAA0C;AAC1C,oDAAkC;AAClC,4DAA0C;AAC1C,wDAAsC;AACtC,kDAAgC;AAChC,0DAAwC;AACxC,kDAAgC;AAChC,0DAAwC;AACxC,iDAA+B;AAC/B,iDAA+B;AAC/B,wDAAsC;AACtC,sDAAoC;AACpC,uDAAqC;AACrC,uEAAqD;AACrD,yEAAuD;AACvD,yDAAuC;AACvC,wDAAsC;AACtC,uDAAqC;AACrC,+DAA6C;AAC7C,+DAA6C;AAC7C,kDAAgC;AAChC,gDAA8B;AAC9B,8DAA4C;AAC5C,gEAA8C;AAC9C,wDAAsC;AACtC,gEAA8C;AAC9C,mEAAiD;AACjD,yDAAuC;AACvC,mDAAiC;AACjC,kDAAgC;AAChC,gEAA8C;AAC9C,wEAAsD;AACtD,oEAAkD;AAClD,qEAAmD;AACnD,mEAAiD;AACjD,sEAAoD;AACpD,uDAAqC;AACrC,wEAAsD;AACtD,oEAAkD;AAClD,+DAA6C;AAC7C,kEAAgD;AAChD,oEAAkD;AAClD,+DAA6C;AAC7C,4EAA0D;AAC1D,kEAAgD;AAChD,wEAAsD;AACtD,oEAAkD;AAClD,+DAA6C;AAC7C,+DAA6C;AAC7C,kEAAgD;AAChD,qEAAmD;AACnD,mFAAiE;AACjE,mFAAiE;AACjE,0FAAwE;AACxE,uEAAqD;AACrD,sEAAoD;AACpD,sEAAoD;AACpD,0FAAwE;AACxE,4DAA0C;AAC1C,8DAA4C;AAC5C,6DAA2C;AAC3C,mFAAiE;AACjE,2DAAyC;AACzC,yEAAuD;AACvD,2DAAyC"}

package/build/src/rules/AllowIfAllSubRulesAllowPrivacyPolicyRule.d.ts

@@ -0,0 +1,10 @@
+import { EntityPrivacyPolicyEvaluationContext } from '../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../EntityQueryContext';
+import { ReadonlyEntity } from '../ReadonlyEntity';
+import { ViewerContext } from '../ViewerContext';
+import { PrivacyPolicyRule, RuleEvaluationResult } from './PrivacyPolicyRule';
+export declare class AllowIfAllSubRulesAllowPrivacyPolicyRule<TFields extends object, TIDField extends keyof NonNullable<Pick<TFields, TSelectedFields>>, TViewerContext extends ViewerContext, TEntity extends ReadonlyEntity<TFields, TIDField, TViewerContext, TSelectedFields>, TSelectedFields extends keyof TFields = keyof TFields> extends PrivacyPolicyRule<TFields, TIDField, TViewerContext, TEntity, TSelectedFields> {
+    private readonly subRules;
+    constructor(subRules: PrivacyPolicyRule<TFields, TIDField, TViewerContext, TEntity, TSelectedFields>[]);
+    evaluateAsync(viewerContext: TViewerContext, queryContext: EntityQueryContext, evaluationContext: EntityPrivacyPolicyEvaluationContext<TFields, TIDField, TViewerContext, TEntity, TSelectedFields>, entity: TEntity): Promise<RuleEvaluationResult>;
+}

package/build/src/rules/AllowIfAllSubRulesAllowPrivacyPolicyRule.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AllowIfAllSubRulesAllowPrivacyPolicyRule = void 0;
+const PrivacyPolicyRule_1 = require("./PrivacyPolicyRule");
+class AllowIfAllSubRulesAllowPrivacyPolicyRule extends PrivacyPolicyRule_1.PrivacyPolicyRule {
+    subRules;
+    constructor(subRules) {
+        super();
+        this.subRules = subRules;
+    }
+    async evaluateAsync(viewerContext, queryContext, evaluationContext, entity) {
+        const results = await Promise.all(this.subRules.map((subRule) => subRule.evaluateAsync(viewerContext, queryContext, evaluationContext, entity)));
+        return results.every((result) => result === PrivacyPolicyRule_1.RuleEvaluationResult.ALLOW)
+            ? PrivacyPolicyRule_1.RuleEvaluationResult.ALLOW
+            : PrivacyPolicyRule_1.RuleEvaluationResult.SKIP;
+    }
+}
+exports.AllowIfAllSubRulesAllowPrivacyPolicyRule = AllowIfAllSubRulesAllowPrivacyPolicyRule;
+//# sourceMappingURL=AllowIfAllSubRulesAllowPrivacyPolicyRule.js.map

package/build/src/rules/AllowIfAllSubRulesAllowPrivacyPolicyRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AllowIfAllSubRulesAllowPrivacyPolicyRule.js","sourceRoot":"","sources":["../../../src/rules/AllowIfAllSubRulesAllowPrivacyPolicyRule.ts"],"names":[],"mappings":";;;AAIA,2DAA8E;AAE9E,MAAa,wCAMX,SAAQ,qCAA8E;IAEnE;IADnB,YACmB,QAMd;QAEH,KAAK,EAAE,CAAC;QARS,aAAQ,GAAR,QAAQ,CAMtB;IAGL,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,aAA6B,EAC7B,YAAgC,EAChC,iBAMC,EACD,MAAe;QAEf,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAC5B,OAAO,CAAC,aAAa,CAAC,aAAa,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAC9E,CACF,CAAC;QACF,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,KAAK,wCAAoB,CAAC,KAAK,CAAC;YACrE,CAAC,CAAC,wCAAoB,CAAC,KAAK;YAC5B,CAAC,CAAC,wCAAoB,CAAC,IAAI,CAAC;IAChC,CAAC;CACF;AAxCD,4FAwCC"}

package/build/src/rules/AllowIfAnySubRuleAllowsPrivacyPolicyRule.d.ts

@@ -0,0 +1,10 @@
+import { EntityPrivacyPolicyEvaluationContext } from '../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../EntityQueryContext';
+import { ReadonlyEntity } from '../ReadonlyEntity';
+import { ViewerContext } from '../ViewerContext';
+import { PrivacyPolicyRule, RuleEvaluationResult } from './PrivacyPolicyRule';
+export declare class AllowIfAnySubRuleAllowsPrivacyPolicyRule<TFields extends object, TIDField extends keyof NonNullable<Pick<TFields, TSelectedFields>>, TViewerContext extends ViewerContext, TEntity extends ReadonlyEntity<TFields, TIDField, TViewerContext, TSelectedFields>, TSelectedFields extends keyof TFields = keyof TFields> extends PrivacyPolicyRule<TFields, TIDField, TViewerContext, TEntity, TSelectedFields> {
+    private readonly subRules;
+    constructor(subRules: PrivacyPolicyRule<TFields, TIDField, TViewerContext, TEntity, TSelectedFields>[]);
+    evaluateAsync(viewerContext: TViewerContext, queryContext: EntityQueryContext, evaluationContext: EntityPrivacyPolicyEvaluationContext<TFields, TIDField, TViewerContext, TEntity, TSelectedFields>, entity: TEntity): Promise<RuleEvaluationResult>;
+}

package/build/src/rules/AllowIfAnySubRuleAllowsPrivacyPolicyRule.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AllowIfAnySubRuleAllowsPrivacyPolicyRule = void 0;
+const PrivacyPolicyRule_1 = require("./PrivacyPolicyRule");
+class AllowIfAnySubRuleAllowsPrivacyPolicyRule extends PrivacyPolicyRule_1.PrivacyPolicyRule {
+    subRules;
+    constructor(subRules) {
+        super();
+        this.subRules = subRules;
+    }
+    async evaluateAsync(viewerContext, queryContext, evaluationContext, entity) {
+        const results = await Promise.all(this.subRules.map((subRule) => subRule.evaluateAsync(viewerContext, queryContext, evaluationContext, entity)));
+        return results.includes(PrivacyPolicyRule_1.RuleEvaluationResult.ALLOW)
+            ? PrivacyPolicyRule_1.RuleEvaluationResult.ALLOW
+            : PrivacyPolicyRule_1.RuleEvaluationResult.SKIP;
+    }
+}
+exports.AllowIfAnySubRuleAllowsPrivacyPolicyRule = AllowIfAnySubRuleAllowsPrivacyPolicyRule;
+//# sourceMappingURL=AllowIfAnySubRuleAllowsPrivacyPolicyRule.js.map

package/build/src/rules/AllowIfAnySubRuleAllowsPrivacyPolicyRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AllowIfAnySubRuleAllowsPrivacyPolicyRule.js","sourceRoot":"","sources":["../../../src/rules/AllowIfAnySubRuleAllowsPrivacyPolicyRule.ts"],"names":[],"mappings":";;;AAIA,2DAA8E;AAE9E,MAAa,wCAMX,SAAQ,qCAA8E;IAEnE;IADnB,YACmB,QAMd;QAEH,KAAK,EAAE,CAAC;QARS,aAAQ,GAAR,QAAQ,CAMtB;IAGL,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,aAA6B,EAC7B,YAAgC,EAChC,iBAMC,EACD,MAAe;QAEf,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAC5B,OAAO,CAAC,aAAa,CAAC,aAAa,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAC9E,CACF,CAAC;QACF,OAAO,OAAO,CAAC,QAAQ,CAAC,wCAAoB,CAAC,KAAK,CAAC;YACjD,CAAC,CAAC,wCAAoB,CAAC,KAAK;YAC5B,CAAC,CAAC,wCAAoB,CAAC,IAAI,CAAC;IAChC,CAAC;CACF;AAxCD,4FAwCC"}

package/build/src/rules/AllowIfInParentCascadeDeletionPrivacyPolicyRule.d.ts

@@ -0,0 +1,66 @@
+import { IEntityClass } from '../Entity';
+import { EntityPrivacyPolicy, EntityPrivacyPolicyEvaluationContext } from '../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../EntityQueryContext';
+import { ReadonlyEntity } from '../ReadonlyEntity';
+import { ViewerContext } from '../ViewerContext';
+import { PrivacyPolicyRule, RuleEvaluationResult } from './PrivacyPolicyRule';
+/**
+ * Directive for specifying the parent relationship in AllowIfInParentCascadeDeletionPrivacyPolicyRule.
+ */
+export interface AllowIfInParentCascadeDeletionDirective<TViewerContext extends ViewerContext, TFields, TParentFields extends object, TParentIDField extends keyof NonNullable<Pick<TParentFields, TParentSelectedFields>>, TParentEntity extends ReadonlyEntity<TParentFields, TParentIDField, TViewerContext, TParentSelectedFields>, TParentPrivacyPolicy extends EntityPrivacyPolicy<TParentFields, TParentIDField, TViewerContext, TParentEntity, TParentSelectedFields>, TSelectedFields extends keyof TFields = keyof TFields, TParentSelectedFields extends keyof TParentFields = keyof TParentFields> {
+    /**
+     * Class of parent entity that should trigger a cascade set null update to a field within
+     * the entity being authorized.
+     */
+    parentEntityClass: IEntityClass<TParentFields, TParentIDField, TViewerContext, TParentEntity, TParentPrivacyPolicy, TParentSelectedFields>;
+    /**
+     * Field of the current entity with references the deleting instace of parentEntityClass.
+     */
+    fieldIdentifyingParentEntity: keyof Pick<TFields, TSelectedFields>;
+    /**
+     * Field in parentEntityClass referenced by the value of fieldIdentifyingParentEntity.
+     * If not provided, ID is assumed.
+     */
+    parentEntityLookupByField?: keyof Pick<TParentFields, TParentSelectedFields>;
+}
+/**
+ * A generic privacy policy rule that allows when an entity is being authorized
+ * as part of a cascading delete from a parent entity. Handles two cases:
+ * - When the field has not yet been null'ed out due to a cascading set null. This is often
+ *   required for read rules to authorize the initial re-read of the entity being update set null'ed.
+ * - When the field has been null'ed out due to a cascading set null. This is often required
+ *   the update rules for the field nullification.
+ *
+ * These two cases could theoretically be handled by two separate (stricter) rules, but are combined
+ * to simplify configuration since practically there are few cases where having them be combined would
+ * preset an issue.
+ *
+ * @example
+ * Billing info owned by an account, but records who created the billing info in creating_user_id. User is a member of that account.
+ * User can delete themselves, and the billing info's creating_user_id field is cascade set null'ed when the user is deleted.
+ *
+ * ```ts
+ *  class BillingInfoEntityPrivacyPolicy extends EntityPrivacyPolicy<...> {
+ *    protected override readonly readRules = [
+ *      ...,
+ *      new AllowIfInParentCascadeDeletionPrivacyPolicyRule<...>({
+ *        fieldIdentifyingParentEntity: 'creating_user_id',
+ *        parentEntityClass: UserEntity,
+ *      }),
+ *    ];
+ *
+ *    protected override readonly updateRules = [
+ *      ...,
+ *      new AllowIfInParentCascadeDeletionPrivacyPolicyRule<...>({
+ *        fieldIdentifyingParentEntity: 'creating_user_id',
+ *        parentEntityClass: UserEntity,
+ *      }),
+ *    ];
+ *  }
+ * ```
+ */
+export declare class AllowIfInParentCascadeDeletionPrivacyPolicyRule<TFields extends object, TIDField extends keyof NonNullable<Pick<TFields, TSelectedFields>>, TViewerContext extends ViewerContext, TEntity extends ReadonlyEntity<TFields, TIDField, TViewerContext, TSelectedFields>, TFields2 extends object, TIDField2 extends keyof NonNullable<Pick<TFields2, TSelectedFields2>>, TEntity2 extends ReadonlyEntity<TFields2, TIDField2, TViewerContext, TSelectedFields2>, TPrivacyPolicy2 extends EntityPrivacyPolicy<TFields2, TIDField2, TViewerContext, TEntity2, TSelectedFields2>, TSelectedFields extends keyof TFields = keyof TFields, TSelectedFields2 extends keyof TFields2 = keyof TFields2> extends PrivacyPolicyRule<TFields, TIDField, TViewerContext, TEntity, TSelectedFields> {
+    private readonly directive;
+    constructor(directive: AllowIfInParentCascadeDeletionDirective<TViewerContext, TFields, TFields2, TIDField2, TEntity2, TPrivacyPolicy2, TSelectedFields, TSelectedFields2>);
+    evaluateAsync(_viewerContext: TViewerContext, _queryContext: EntityQueryContext, evaluationContext: EntityPrivacyPolicyEvaluationContext<TFields, TIDField, TViewerContext, TEntity, TSelectedFields>, entity: TEntity): Promise<RuleEvaluationResult>;
+}

package/build/src/rules/AllowIfInParentCascadeDeletionPrivacyPolicyRule.js

@@ -0,0 +1,75 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AllowIfInParentCascadeDeletionPrivacyPolicyRule = void 0;
+const PrivacyPolicyRule_1 = require("./PrivacyPolicyRule");
+/**
+ * A generic privacy policy rule that allows when an entity is being authorized
+ * as part of a cascading delete from a parent entity. Handles two cases:
+ * - When the field has not yet been null'ed out due to a cascading set null. This is often
+ *   required for read rules to authorize the initial re-read of the entity being update set null'ed.
+ * - When the field has been null'ed out due to a cascading set null. This is often required
+ *   the update rules for the field nullification.
+ *
+ * These two cases could theoretically be handled by two separate (stricter) rules, but are combined
+ * to simplify configuration since practically there are few cases where having them be combined would
+ * preset an issue.
+ *
+ * @example
+ * Billing info owned by an account, but records who created the billing info in creating_user_id. User is a member of that account.
+ * User can delete themselves, and the billing info's creating_user_id field is cascade set null'ed when the user is deleted.
+ *
+ * ```ts
+ *  class BillingInfoEntityPrivacyPolicy extends EntityPrivacyPolicy<...> {
+ *    protected override readonly readRules = [
+ *      ...,
+ *      new AllowIfInParentCascadeDeletionPrivacyPolicyRule<...>({
+ *        fieldIdentifyingParentEntity: 'creating_user_id',
+ *        parentEntityClass: UserEntity,
+ *      }),
+ *    ];
+ *
+ *    protected override readonly updateRules = [
+ *      ...,
+ *      new AllowIfInParentCascadeDeletionPrivacyPolicyRule<...>({
+ *        fieldIdentifyingParentEntity: 'creating_user_id',
+ *        parentEntityClass: UserEntity,
+ *      }),
+ *    ];
+ *  }
+ * ```
+ */
+class AllowIfInParentCascadeDeletionPrivacyPolicyRule extends PrivacyPolicyRule_1.PrivacyPolicyRule {
+    directive;
+    constructor(directive) {
+        super();
+        this.directive = directive;
+    }
+    async evaluateAsync(_viewerContext, _queryContext, evaluationContext, entity) {
+        const parentEntityClass = this.directive.parentEntityClass;
+        const deleteCause = evaluationContext.cascadingDeleteCause;
+        if (!deleteCause || !(deleteCause.entity instanceof parentEntityClass)) {
+            return PrivacyPolicyRule_1.RuleEvaluationResult.SKIP;
+        }
+        const entityBeingDeleted = deleteCause.entity;
+        // allow if parent foreign key field matches specified field in the entity being authorized
+        const valueInThisEntityReferencingParent = entity.getField(this.directive.fieldIdentifyingParentEntity);
+        const valueInParent = this.directive.parentEntityLookupByField
+            ? entityBeingDeleted.getField(this.directive.parentEntityLookupByField)
+            : entityBeingDeleted.getID();
+        if (valueInThisEntityReferencingParent &&
+            valueInThisEntityReferencingParent === valueInParent) {
+            return PrivacyPolicyRule_1.RuleEvaluationResult.ALLOW;
+        }
+        // allow if parent foreign key field matches specified field in the entity being authorized, and the
+        // field in the entity being authorized has been null'ed out  due to cascading set null
+        const valueInPreviousValueOfThisEntityReferencingParent = evaluationContext.previousValue?.getField(this.directive.fieldIdentifyingParentEntity);
+        if (valueInPreviousValueOfThisEntityReferencingParent &&
+            valueInPreviousValueOfThisEntityReferencingParent === valueInParent &&
+            valueInThisEntityReferencingParent === null) {
+            return PrivacyPolicyRule_1.RuleEvaluationResult.ALLOW;
+        }
+        return PrivacyPolicyRule_1.RuleEvaluationResult.SKIP;
+    }
+}
+exports.AllowIfInParentCascadeDeletionPrivacyPolicyRule = AllowIfInParentCascadeDeletionPrivacyPolicyRule;
+//# sourceMappingURL=AllowIfInParentCascadeDeletionPrivacyPolicyRule.js.map

package/build/src/rules/AllowIfInParentCascadeDeletionPrivacyPolicyRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AllowIfInParentCascadeDeletionPrivacyPolicyRule.js","sourceRoot":"","sources":["../../../src/rules/AllowIfInParentCascadeDeletionPrivacyPolicyRule.ts"],"names":[],"mappings":";;;AAKA,2DAA8E;AAmD9E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,MAAa,+CAiBX,SAAQ,qCAA8E;IAEnE;IADnB,YACmB,SAShB;QAED,KAAK,EAAE,CAAC;QAXS,cAAS,GAAT,SAAS,CASzB;IAGH,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,cAA8B,EAC9B,aAAiC,EACjC,iBAMC,EACD,MAAe;QAEf,MAAM,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAC;QAE3D,MAAM,WAAW,GAAG,iBAAiB,CAAC,oBAAoB,CAAC;QAC3D,IAAI,CAAC,WAAW,IAAI,CAAC,CAAC,WAAW,CAAC,MAAM,YAAY,iBAAiB,CAAC,EAAE,CAAC;YACvE,OAAO,wCAAoB,CAAC,IAAI,CAAC;QACnC,CAAC;QAED,MAAM,kBAAkB,GAAG,WAAW,CAAC,MAAM,CAAC;QAE9C,2FAA2F;QAC3F,MAAM,kCAAkC,GAAG,MAAM,CAAC,QAAQ,CACxD,IAAI,CAAC,SAAS,CAAC,4BAA4B,CAC5C,CAAC;QACF,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,yBAAyB;YAC5D,CAAC,CAAC,kBAAkB,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,yBAAyB,CAAC;YACvE,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;QAE/B,IACE,kCAAkC;YAClC,kCAAkC,KAAK,aAAa,EACpD,CAAC;YACD,OAAO,wCAAoB,CAAC,KAAK,CAAC;QACpC,CAAC;QAED,oGAAoG;QACpG,uFAAuF;QACvF,MAAM,iDAAiD,GACrD,iBAAiB,CAAC,aAAa,EAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;QAEzF,IACE,iDAAiD;YACjD,iDAAiD,KAAK,aAAa;YACnE,kCAAkC,KAAK,IAAI,EAC3C,CAAC;YACD,OAAO,wCAAoB,CAAC,KAAK,CAAC;QACpC,CAAC;QAED,OAAO,wCAAoB,CAAC,IAAI,CAAC;IACnC,CAAC;CACF;AApFD,0GAoFC"}

package/build/src/rules/EvaluateIfEntityFieldPredicatePrivacyPolicyRule.d.ts

@@ -0,0 +1,12 @@
+import { EntityPrivacyPolicyEvaluationContext } from '../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../EntityQueryContext';
+import { ReadonlyEntity } from '../ReadonlyEntity';
+import { ViewerContext } from '../ViewerContext';
+import { PrivacyPolicyRule, RuleEvaluationResult } from './PrivacyPolicyRule';
+export declare class EvaluateIfEntityFieldPredicatePrivacyPolicyRule<TFields extends object, TIDField extends keyof NonNullable<Pick<TFields, TSelectedFields>>, TViewerContext extends ViewerContext, TEntity extends ReadonlyEntity<TFields, TIDField, TViewerContext, TSelectedFields>, N extends TSelectedFields, TSelectedFields extends keyof TFields = keyof TFields> extends PrivacyPolicyRule<TFields, TIDField, TViewerContext, TEntity, TSelectedFields> {
+    private readonly fieldName;
+    private readonly shouldEvaluatePredicate;
+    private readonly rule;
+    constructor(fieldName: N, shouldEvaluatePredicate: (fieldValue: TFields[N]) => boolean, rule: PrivacyPolicyRule<TFields, TIDField, TViewerContext, TEntity, TSelectedFields>);
+    evaluateAsync(viewerContext: TViewerContext, queryContext: EntityQueryContext, evaluationContext: EntityPrivacyPolicyEvaluationContext<TFields, TIDField, TViewerContext, TEntity, TSelectedFields>, entity: TEntity): Promise<RuleEvaluationResult>;
+}

package/build/src/rules/EvaluateIfEntityFieldPredicatePrivacyPolicyRule.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EvaluateIfEntityFieldPredicatePrivacyPolicyRule = void 0;
+const PrivacyPolicyRule_1 = require("./PrivacyPolicyRule");
+class EvaluateIfEntityFieldPredicatePrivacyPolicyRule extends PrivacyPolicyRule_1.PrivacyPolicyRule {
+    fieldName;
+    shouldEvaluatePredicate;
+    rule;
+    constructor(fieldName, shouldEvaluatePredicate, rule) {
+        super();
+        this.fieldName = fieldName;
+        this.shouldEvaluatePredicate = shouldEvaluatePredicate;
+        this.rule = rule;
+    }
+    async evaluateAsync(viewerContext, queryContext, evaluationContext, entity) {
+        const fieldValue = entity.getField(this.fieldName);
+        return this.shouldEvaluatePredicate(fieldValue)
+            ? await this.rule.evaluateAsync(viewerContext, queryContext, evaluationContext, entity)
+            : PrivacyPolicyRule_1.RuleEvaluationResult.SKIP;
+    }
+}
+exports.EvaluateIfEntityFieldPredicatePrivacyPolicyRule = EvaluateIfEntityFieldPredicatePrivacyPolicyRule;
+//# sourceMappingURL=EvaluateIfEntityFieldPredicatePrivacyPolicyRule.js.map

package/build/src/rules/EvaluateIfEntityFieldPredicatePrivacyPolicyRule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"EvaluateIfEntityFieldPredicatePrivacyPolicyRule.js","sourceRoot":"","sources":["../../../src/rules/EvaluateIfEntityFieldPredicatePrivacyPolicyRule.ts"],"names":[],"mappings":";;;AAIA,2DAA8E;AAE9E,MAAa,+CAOX,SAAQ,qCAA8E;IAEnE;IACA;IACA;IAHnB,YACmB,SAAY,EACZ,uBAA4D,EAC5D,IAMhB;QAED,KAAK,EAAE,CAAC;QAVS,cAAS,GAAT,SAAS,CAAG;QACZ,4BAAuB,GAAvB,uBAAuB,CAAqC;QAC5D,SAAI,GAAJ,IAAI,CAMpB;IAGH,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,aAA6B,EAC7B,YAAgC,EAChC,iBAMC,EACD,MAAe;QAEf,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACnD,OAAO,IAAI,CAAC,uBAAuB,CAAC,UAAU,CAAC;YAC7C,CAAC,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,aAAa,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,CAAC;YACvF,CAAC,CAAC,wCAAoB,CAAC,IAAI,CAAC;IAChC,CAAC;CACF;AAvCD,0GAuCC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@expo/entity",
-  "version": "0.54.0",
+  "version": "0.55.0",
   "description": "A privacy-first data model",
   "files": [
     "build",
@@ -36,10 +36,10 @@
     "@types/invariant": "2.2.37",
     "@types/lodash": "4.17.23",
     "@types/node": "24.10.9",
-    "lodash": "4.17.21",
+    "lodash": "4.17.23",
     "ts-mockito": "2.6.1",
     "typescript": "5.9.3",
     "uuid": "13.0.0"
   },
-  "gitHead": "283c02eedbd4f5721afad96f31ada85bf92afb41"
+  "gitHead": "de7548680dbffb722fb6f5c92106392319782fef"
 }

package/src/index.ts

@@ -66,9 +66,13 @@ export * from './internal/SingleFieldHolder';
 export * from './metrics/EntityMetricsUtils';
 export * from './metrics/IEntityMetricsAdapter';
 export * from './metrics/NoOpEntityMetricsAdapter';
+export * from './rules/AllowIfAllSubRulesAllowPrivacyPolicyRule';
+export * from './rules/AllowIfAnySubRuleAllowsPrivacyPolicyRule';
+export * from './rules/AllowIfInParentCascadeDeletionPrivacyPolicyRule';
 export * from './rules/AlwaysAllowPrivacyPolicyRule';
 export * from './rules/AlwaysDenyPrivacyPolicyRule';
 export * from './rules/AlwaysSkipPrivacyPolicyRule';
+export * from './rules/EvaluateIfEntityFieldPredicatePrivacyPolicyRule';
 export * from './rules/PrivacyPolicyRule';
 export * from './utils/EntityCreationUtils';
 export * from './utils/EntityPrivacyUtils';

package/src/rules/AllowIfAllSubRulesAllowPrivacyPolicyRule.ts

@@ -0,0 +1,47 @@
+import { EntityPrivacyPolicyEvaluationContext } from '../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../EntityQueryContext';
+import { ReadonlyEntity } from '../ReadonlyEntity';
+import { ViewerContext } from '../ViewerContext';
+import { PrivacyPolicyRule, RuleEvaluationResult } from './PrivacyPolicyRule';
+
+export class AllowIfAllSubRulesAllowPrivacyPolicyRule<
+  TFields extends object,
+  TIDField extends keyof NonNullable<Pick<TFields, TSelectedFields>>,
+  TViewerContext extends ViewerContext,
+  TEntity extends ReadonlyEntity<TFields, TIDField, TViewerContext, TSelectedFields>,
+  TSelectedFields extends keyof TFields = keyof TFields,
+> extends PrivacyPolicyRule<TFields, TIDField, TViewerContext, TEntity, TSelectedFields> {
+  constructor(
+    private readonly subRules: PrivacyPolicyRule<
+      TFields,
+      TIDField,
+      TViewerContext,
+      TEntity,
+      TSelectedFields
+    >[],
+  ) {
+    super();
+  }
+
+  async evaluateAsync(
+    viewerContext: TViewerContext,
+    queryContext: EntityQueryContext,
+    evaluationContext: EntityPrivacyPolicyEvaluationContext<
+      TFields,
+      TIDField,
+      TViewerContext,
+      TEntity,
+      TSelectedFields
+    >,
+    entity: TEntity,
+  ): Promise<RuleEvaluationResult> {
+    const results = await Promise.all(
+      this.subRules.map((subRule) =>
+        subRule.evaluateAsync(viewerContext, queryContext, evaluationContext, entity),
+      ),
+    );
+    return results.every((result) => result === RuleEvaluationResult.ALLOW)
+      ? RuleEvaluationResult.ALLOW
+      : RuleEvaluationResult.SKIP;
+  }
+}

package/src/rules/AllowIfAnySubRuleAllowsPrivacyPolicyRule.ts

@@ -0,0 +1,47 @@
+import { EntityPrivacyPolicyEvaluationContext } from '../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../EntityQueryContext';
+import { ReadonlyEntity } from '../ReadonlyEntity';
+import { ViewerContext } from '../ViewerContext';
+import { PrivacyPolicyRule, RuleEvaluationResult } from './PrivacyPolicyRule';
+
+export class AllowIfAnySubRuleAllowsPrivacyPolicyRule<
+  TFields extends object,
+  TIDField extends keyof NonNullable<Pick<TFields, TSelectedFields>>,
+  TViewerContext extends ViewerContext,
+  TEntity extends ReadonlyEntity<TFields, TIDField, TViewerContext, TSelectedFields>,
+  TSelectedFields extends keyof TFields = keyof TFields,
+> extends PrivacyPolicyRule<TFields, TIDField, TViewerContext, TEntity, TSelectedFields> {
+  constructor(
+    private readonly subRules: PrivacyPolicyRule<
+      TFields,
+      TIDField,
+      TViewerContext,
+      TEntity,
+      TSelectedFields
+    >[],
+  ) {
+    super();
+  }
+
+  async evaluateAsync(
+    viewerContext: TViewerContext,
+    queryContext: EntityQueryContext,
+    evaluationContext: EntityPrivacyPolicyEvaluationContext<
+      TFields,
+      TIDField,
+      TViewerContext,
+      TEntity,
+      TSelectedFields
+    >,
+    entity: TEntity,
+  ): Promise<RuleEvaluationResult> {
+    const results = await Promise.all(
+      this.subRules.map((subRule) =>
+        subRule.evaluateAsync(viewerContext, queryContext, evaluationContext, entity),
+      ),
+    );
+    return results.includes(RuleEvaluationResult.ALLOW)
+      ? RuleEvaluationResult.ALLOW
+      : RuleEvaluationResult.SKIP;
+  }
+}

package/src/rules/AllowIfInParentCascadeDeletionPrivacyPolicyRule.ts

@@ -0,0 +1,177 @@
+import { IEntityClass } from '../Entity';
+import { EntityPrivacyPolicy, EntityPrivacyPolicyEvaluationContext } from '../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../EntityQueryContext';
+import { ReadonlyEntity } from '../ReadonlyEntity';
+import { ViewerContext } from '../ViewerContext';
+import { PrivacyPolicyRule, RuleEvaluationResult } from './PrivacyPolicyRule';
+
+/**
+ * Directive for specifying the parent relationship in AllowIfInParentCascadeDeletionPrivacyPolicyRule.
+ */
+export interface AllowIfInParentCascadeDeletionDirective<
+  TViewerContext extends ViewerContext,
+  TFields,
+  TParentFields extends object,
+  TParentIDField extends keyof NonNullable<Pick<TParentFields, TParentSelectedFields>>,
+  TParentEntity extends ReadonlyEntity<
+    TParentFields,
+    TParentIDField,
+    TViewerContext,
+    TParentSelectedFields
+  >,
+  TParentPrivacyPolicy extends EntityPrivacyPolicy<
+    TParentFields,
+    TParentIDField,
+    TViewerContext,
+    TParentEntity,
+    TParentSelectedFields
+  >,
+  TSelectedFields extends keyof TFields = keyof TFields,
+  TParentSelectedFields extends keyof TParentFields = keyof TParentFields,
+> {
+  /**
+   * Class of parent entity that should trigger a cascade set null update to a field within
+   * the entity being authorized.
+   */
+  parentEntityClass: IEntityClass<
+    TParentFields,
+    TParentIDField,
+    TViewerContext,
+    TParentEntity,
+    TParentPrivacyPolicy,
+    TParentSelectedFields
+  >;
+
+  /**
+   * Field of the current entity with references the deleting instace of parentEntityClass.
+   */
+  fieldIdentifyingParentEntity: keyof Pick<TFields, TSelectedFields>;
+
+  /**
+   * Field in parentEntityClass referenced by the value of fieldIdentifyingParentEntity.
+   * If not provided, ID is assumed.
+   */
+  parentEntityLookupByField?: keyof Pick<TParentFields, TParentSelectedFields>;
+}
+
+/**
+ * A generic privacy policy rule that allows when an entity is being authorized
+ * as part of a cascading delete from a parent entity. Handles two cases:
+ * - When the field has not yet been null'ed out due to a cascading set null. This is often
+ *   required for read rules to authorize the initial re-read of the entity being update set null'ed.
+ * - When the field has been null'ed out due to a cascading set null. This is often required
+ *   the update rules for the field nullification.
+ *
+ * These two cases could theoretically be handled by two separate (stricter) rules, but are combined
+ * to simplify configuration since practically there are few cases where having them be combined would
+ * preset an issue.
+ *
+ * @example
+ * Billing info owned by an account, but records who created the billing info in creating_user_id. User is a member of that account.
+ * User can delete themselves, and the billing info's creating_user_id field is cascade set null'ed when the user is deleted.
+ *
+ * ```ts
+ *  class BillingInfoEntityPrivacyPolicy extends EntityPrivacyPolicy<...> {
+ *    protected override readonly readRules = [
+ *      ...,
+ *      new AllowIfInParentCascadeDeletionPrivacyPolicyRule<...>({
+ *        fieldIdentifyingParentEntity: 'creating_user_id',
+ *        parentEntityClass: UserEntity,
+ *      }),
+ *    ];
+ *
+ *    protected override readonly updateRules = [
+ *      ...,
+ *      new AllowIfInParentCascadeDeletionPrivacyPolicyRule<...>({
+ *        fieldIdentifyingParentEntity: 'creating_user_id',
+ *        parentEntityClass: UserEntity,
+ *      }),
+ *    ];
+ *  }
+ * ```
+ */
+export class AllowIfInParentCascadeDeletionPrivacyPolicyRule<
+  TFields extends object,
+  TIDField extends keyof NonNullable<Pick<TFields, TSelectedFields>>,
+  TViewerContext extends ViewerContext,
+  TEntity extends ReadonlyEntity<TFields, TIDField, TViewerContext, TSelectedFields>,
+  TFields2 extends object,
+  TIDField2 extends keyof NonNullable<Pick<TFields2, TSelectedFields2>>,
+  TEntity2 extends ReadonlyEntity<TFields2, TIDField2, TViewerContext, TSelectedFields2>,
+  TPrivacyPolicy2 extends EntityPrivacyPolicy<
+    TFields2,
+    TIDField2,
+    TViewerContext,
+    TEntity2,
+    TSelectedFields2
+  >,
+  TSelectedFields extends keyof TFields = keyof TFields,
+  TSelectedFields2 extends keyof TFields2 = keyof TFields2,
+> extends PrivacyPolicyRule<TFields, TIDField, TViewerContext, TEntity, TSelectedFields> {
+  constructor(
+    private readonly directive: AllowIfInParentCascadeDeletionDirective<
+      TViewerContext,
+      TFields,
+      TFields2,
+      TIDField2,
+      TEntity2,
+      TPrivacyPolicy2,
+      TSelectedFields,
+      TSelectedFields2
+    >,
+  ) {
+    super();
+  }
+
+  async evaluateAsync(
+    _viewerContext: TViewerContext,
+    _queryContext: EntityQueryContext,
+    evaluationContext: EntityPrivacyPolicyEvaluationContext<
+      TFields,
+      TIDField,
+      TViewerContext,
+      TEntity,
+      TSelectedFields
+    >,
+    entity: TEntity,
+  ): Promise<RuleEvaluationResult> {
+    const parentEntityClass = this.directive.parentEntityClass;
+
+    const deleteCause = evaluationContext.cascadingDeleteCause;
+    if (!deleteCause || !(deleteCause.entity instanceof parentEntityClass)) {
+      return RuleEvaluationResult.SKIP;
+    }
+
+    const entityBeingDeleted = deleteCause.entity;
+
+    // allow if parent foreign key field matches specified field in the entity being authorized
+    const valueInThisEntityReferencingParent = entity.getField(
+      this.directive.fieldIdentifyingParentEntity,
+    );
+    const valueInParent = this.directive.parentEntityLookupByField
+      ? entityBeingDeleted.getField(this.directive.parentEntityLookupByField)
+      : entityBeingDeleted.getID();
+
+    if (
+      valueInThisEntityReferencingParent &&
+      valueInThisEntityReferencingParent === valueInParent
+    ) {
+      return RuleEvaluationResult.ALLOW;
+    }
+
+    // allow if parent foreign key field matches specified field in the entity being authorized, and the
+    // field in the entity being authorized has been null'ed out  due to cascading set null
+    const valueInPreviousValueOfThisEntityReferencingParent =
+      evaluationContext.previousValue?.getField(this.directive.fieldIdentifyingParentEntity);
+
+    if (
+      valueInPreviousValueOfThisEntityReferencingParent &&
+      valueInPreviousValueOfThisEntityReferencingParent === valueInParent &&
+      valueInThisEntityReferencingParent === null
+    ) {
+      return RuleEvaluationResult.ALLOW;
+    }
+
+    return RuleEvaluationResult.SKIP;
+  }
+}

package/src/rules/EvaluateIfEntityFieldPredicatePrivacyPolicyRule.ts

@@ -0,0 +1,46 @@
+import { EntityPrivacyPolicyEvaluationContext } from '../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../EntityQueryContext';
+import { ReadonlyEntity } from '../ReadonlyEntity';
+import { ViewerContext } from '../ViewerContext';
+import { PrivacyPolicyRule, RuleEvaluationResult } from './PrivacyPolicyRule';
+
+export class EvaluateIfEntityFieldPredicatePrivacyPolicyRule<
+  TFields extends object,
+  TIDField extends keyof NonNullable<Pick<TFields, TSelectedFields>>,
+  TViewerContext extends ViewerContext,
+  TEntity extends ReadonlyEntity<TFields, TIDField, TViewerContext, TSelectedFields>,
+  N extends TSelectedFields,
+  TSelectedFields extends keyof TFields = keyof TFields,
+> extends PrivacyPolicyRule<TFields, TIDField, TViewerContext, TEntity, TSelectedFields> {
+  constructor(
+    private readonly fieldName: N,
+    private readonly shouldEvaluatePredicate: (fieldValue: TFields[N]) => boolean,
+    private readonly rule: PrivacyPolicyRule<
+      TFields,
+      TIDField,
+      TViewerContext,
+      TEntity,
+      TSelectedFields
+    >,
+  ) {
+    super();
+  }
+
+  async evaluateAsync(
+    viewerContext: TViewerContext,
+    queryContext: EntityQueryContext,
+    evaluationContext: EntityPrivacyPolicyEvaluationContext<
+      TFields,
+      TIDField,
+      TViewerContext,
+      TEntity,
+      TSelectedFields
+    >,
+    entity: TEntity,
+  ): Promise<RuleEvaluationResult> {
+    const fieldValue = entity.getField(this.fieldName);
+    return this.shouldEvaluatePredicate(fieldValue)
+      ? await this.rule.evaluateAsync(viewerContext, queryContext, evaluationContext, entity)
+      : RuleEvaluationResult.SKIP;
+  }
+}

package/src/rules/__tests__/AllowIfAllSubRulesAllowPrivacyPolicyRule-test.ts

@@ -0,0 +1,64 @@
+import { anything, instance, mock } from 'ts-mockito';
+
+import { EntityPrivacyPolicyEvaluationContext } from '../../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../../EntityQueryContext';
+import { ViewerContext } from '../../ViewerContext';
+import { describePrivacyPolicyRule } from '../../utils/__testfixtures__/PrivacyPolicyRuleTestUtils';
+import { AllowIfAllSubRulesAllowPrivacyPolicyRule } from '../AllowIfAllSubRulesAllowPrivacyPolicyRule';
+import { AlwaysAllowPrivacyPolicyRule } from '../AlwaysAllowPrivacyPolicyRule';
+import { AlwaysDenyPrivacyPolicyRule } from '../AlwaysDenyPrivacyPolicyRule';
+import { AlwaysSkipPrivacyPolicyRule } from '../AlwaysSkipPrivacyPolicyRule';
+
+describePrivacyPolicyRule(
+  new AllowIfAllSubRulesAllowPrivacyPolicyRule([
+    new AlwaysAllowPrivacyPolicyRule(),
+    new AlwaysSkipPrivacyPolicyRule(),
+  ]),
+  {
+    skipCases: [
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext:
+          instance(mock<EntityPrivacyPolicyEvaluationContext<any, any, any, any, any>>()),
+        entity: anything(),
+      },
+    ],
+  },
+);
+
+describePrivacyPolicyRule(
+  new AllowIfAllSubRulesAllowPrivacyPolicyRule([
+    new AlwaysAllowPrivacyPolicyRule(),
+    new AlwaysDenyPrivacyPolicyRule(),
+  ]),
+  {
+    skipCases: [
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext:
+          instance(mock<EntityPrivacyPolicyEvaluationContext<any, any, any, any, any>>()),
+        entity: anything(),
+      },
+    ],
+  },
+);
+
+describePrivacyPolicyRule(
+  new AllowIfAllSubRulesAllowPrivacyPolicyRule([
+    new AlwaysAllowPrivacyPolicyRule(),
+    new AlwaysAllowPrivacyPolicyRule(),
+  ]),
+  {
+    allowCases: [
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext:
+          instance(mock<EntityPrivacyPolicyEvaluationContext<any, any, any, any, any>>()),
+        entity: anything(),
+      },
+    ],
+  },
+);

package/src/rules/__tests__/AllowIfAnySubRuleAllowsPrivacyPolicyRule-test.ts

@@ -0,0 +1,64 @@
+import { anything, instance, mock } from 'ts-mockito';
+
+import { EntityPrivacyPolicyEvaluationContext } from '../../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../../EntityQueryContext';
+import { ViewerContext } from '../../ViewerContext';
+import { describePrivacyPolicyRule } from '../../utils/__testfixtures__/PrivacyPolicyRuleTestUtils';
+import { AllowIfAnySubRuleAllowsPrivacyPolicyRule } from '../AllowIfAnySubRuleAllowsPrivacyPolicyRule';
+import { AlwaysAllowPrivacyPolicyRule } from '../AlwaysAllowPrivacyPolicyRule';
+import { AlwaysDenyPrivacyPolicyRule } from '../AlwaysDenyPrivacyPolicyRule';
+import { AlwaysSkipPrivacyPolicyRule } from '../AlwaysSkipPrivacyPolicyRule';
+
+describePrivacyPolicyRule(
+  new AllowIfAnySubRuleAllowsPrivacyPolicyRule([
+    new AlwaysAllowPrivacyPolicyRule(),
+    new AlwaysSkipPrivacyPolicyRule(),
+  ]),
+  {
+    allowCases: [
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext:
+          instance(mock<EntityPrivacyPolicyEvaluationContext<any, any, any, any, any>>()),
+        entity: anything(),
+      },
+    ],
+  },
+);
+
+describePrivacyPolicyRule(
+  new AllowIfAnySubRuleAllowsPrivacyPolicyRule([
+    new AlwaysAllowPrivacyPolicyRule(),
+    new AlwaysDenyPrivacyPolicyRule(),
+  ]),
+  {
+    allowCases: [
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext:
+          instance(mock<EntityPrivacyPolicyEvaluationContext<any, any, any, any, any>>()),
+        entity: anything(),
+      },
+    ],
+  },
+);
+
+describePrivacyPolicyRule(
+  new AllowIfAnySubRuleAllowsPrivacyPolicyRule([
+    new AlwaysSkipPrivacyPolicyRule(),
+    new AlwaysSkipPrivacyPolicyRule(),
+  ]),
+  {
+    skipCases: [
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext:
+          instance(mock<EntityPrivacyPolicyEvaluationContext<any, any, any, any, any>>()),
+        entity: anything(),
+      },
+    ],
+  },
+);

package/src/rules/__tests__/AllowIfInParentCascadeDeletionPrivacyPolicyRule-test.ts

@@ -0,0 +1,258 @@
+import { instance, mock, when } from 'ts-mockito';
+
+import { EntityCompanionDefinition } from '../../EntityCompanionProvider';
+import { EntityPrivacyPolicy } from '../../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../../EntityQueryContext';
+import { ReadonlyEntity } from '../../ReadonlyEntity';
+import { ViewerContext } from '../../ViewerContext';
+import { describePrivacyPolicyRule } from '../../utils/__testfixtures__/PrivacyPolicyRuleTestUtils';
+import { AllowIfInParentCascadeDeletionPrivacyPolicyRule } from '../AllowIfInParentCascadeDeletionPrivacyPolicyRule';
+
+// Define test field types
+type ParentFields = {
+  id: string;
+  name: string;
+};
+
+type ChildFields = {
+  id: string;
+  parent_id: string | null;
+  parent_name: string | null;
+};
+
+// Create a mock privacy policy for the parent entity
+class TestParentPrivacyPolicy extends EntityPrivacyPolicy<
+  ParentFields,
+  'id',
+  ViewerContext,
+  TestParentEntity
+> {
+  protected override readonly readRules = [];
+  protected override readonly createRules = [];
+  protected override readonly updateRules = [];
+  protected override readonly deleteRules = [];
+}
+
+// Create a mock parent entity class with required static method
+class TestParentEntity extends ReadonlyEntity<ParentFields, 'id', ViewerContext> {
+  static defineCompanionDefinition(): EntityCompanionDefinition<
+    ParentFields,
+    'id',
+    ViewerContext,
+    TestParentEntity,
+    TestParentPrivacyPolicy
+  > {
+    throw new Error('Not implemented for test');
+  }
+}
+
+// Create a mock child entity class
+class TestChildEntity extends ReadonlyEntity<ChildFields, 'id', ViewerContext> {}
+
+// Mock parent entities
+const parentEntityMock = mock(TestParentEntity);
+when(parentEntityMock.getID()).thenReturn('5');
+const parentEntity = instance(parentEntityMock);
+Object.setPrototypeOf(parentEntity, TestParentEntity.prototype);
+
+const otherParentEntityMock = mock(TestParentEntity);
+when(otherParentEntityMock.getID()).thenReturn('6');
+const otherParentEntity = instance(otherParentEntityMock);
+Object.setPrototypeOf(otherParentEntity, TestParentEntity.prototype);
+
+// Mock a non-parent entity (different class)
+class UnrelatedOtherEntity extends ReadonlyEntity<{ id: string }, 'id', ViewerContext> {}
+const unrelatedOtherEntityMock = mock(UnrelatedOtherEntity);
+Object.setPrototypeOf(unrelatedOtherEntityMock, UnrelatedOtherEntity.prototype);
+
+// Mock child entities
+const childEntityMock = mock(TestChildEntity);
+when(childEntityMock.getField('parent_id')).thenReturn('5');
+
+const childEntityMockWithNullifiedField = mock(TestChildEntity);
+when(childEntityMockWithNullifiedField.getField('parent_id')).thenReturn(null);
+
+const childEntityDifferentParentMock = mock(TestChildEntity);
+when(childEntityDifferentParentMock.getField('parent_id')).thenReturn('6');
+
+describePrivacyPolicyRule(
+  new AllowIfInParentCascadeDeletionPrivacyPolicyRule<
+    ChildFields,
+    'id',
+    ViewerContext,
+    TestChildEntity,
+    ParentFields,
+    'id',
+    TestParentEntity,
+    TestParentPrivacyPolicy
+  >({
+    fieldIdentifyingParentEntity: 'parent_id',
+    parentEntityClass: TestParentEntity,
+  }),
+  {
+    allowCases: [
+      // parent id matches parent being deleted, field not yet nullified
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext: {
+          previousValue: instance(childEntityMock),
+          cascadingDeleteCause: {
+            entity: parentEntity,
+            cascadingDeleteCause: null,
+          },
+        },
+        entity: instance(childEntityMock),
+      },
+      // parent id matches parent being deleted, field null in current version but filled in previous version
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext: {
+          previousValue: instance(childEntityMock),
+          cascadingDeleteCause: {
+            entity: parentEntity,
+            cascadingDeleteCause: null,
+          },
+        },
+        entity: instance(childEntityMockWithNullifiedField),
+      },
+    ],
+    skipCases: [
+      // no cascading delete
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext: {
+          previousValue: null,
+          cascadingDeleteCause: null,
+        },
+        entity: instance(childEntityMock),
+      },
+      // cascading delete not from parent entity class
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext: {
+          previousValue: null,
+          cascadingDeleteCause: {
+            entity: instance(unrelatedOtherEntityMock),
+            cascadingDeleteCause: null,
+          },
+        },
+        entity: instance(childEntityMock),
+      },
+      // cascading delete from different parent, field not nullified
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext: {
+          previousValue: null,
+          cascadingDeleteCause: {
+            entity: otherParentEntity,
+            cascadingDeleteCause: null,
+          },
+        },
+        entity: instance(childEntityMock),
+      },
+      // entity belongs to different parent
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext: {
+          previousValue: null,
+          cascadingDeleteCause: {
+            entity: parentEntity,
+            cascadingDeleteCause: null,
+          },
+        },
+        entity: instance(childEntityDifferentParentMock),
+      },
+      // parent id field undefined (null) and no previous value
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext: {
+          previousValue: null,
+          cascadingDeleteCause: {
+            entity: parentEntity,
+            cascadingDeleteCause: null,
+          },
+        },
+        entity: instance(childEntityMockWithNullifiedField),
+      },
+      // parent id now null but previous value different parent
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext: {
+          previousValue: instance(childEntityDifferentParentMock),
+          cascadingDeleteCause: {
+            entity: parentEntity,
+            cascadingDeleteCause: null,
+          },
+        },
+        entity: instance(childEntityMockWithNullifiedField),
+      },
+    ],
+  },
+);
+
+// Test with custom lookup field (parentEntityLookupByField)
+const parentEntityWithNameMock = mock(TestParentEntity);
+when(parentEntityWithNameMock.getField('name')).thenReturn('test-name');
+const parentEntityWithName = instance(parentEntityWithNameMock);
+Object.setPrototypeOf(parentEntityWithName, TestParentEntity.prototype);
+
+const childEntityWithNameRefMock = mock(TestChildEntity);
+when(childEntityWithNameRefMock.getField('parent_name')).thenReturn('test-name');
+
+const childEntityWithNameRefMockWithNullifiedField = mock(TestChildEntity);
+when(childEntityWithNameRefMockWithNullifiedField.getField('parent_name')).thenReturn(null);
+
+describePrivacyPolicyRule(
+  new AllowIfInParentCascadeDeletionPrivacyPolicyRule<
+    ChildFields,
+    'id',
+    ViewerContext,
+    TestChildEntity,
+    ParentFields,
+    'id',
+    TestParentEntity,
+    TestParentPrivacyPolicy
+  >({
+    fieldIdentifyingParentEntity: 'parent_name',
+    parentEntityClass: TestParentEntity,
+    parentEntityLookupByField: 'name',
+  }),
+  {
+    allowCases: [
+      // parent name matches parent being deleted, field not yet nullified
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext: {
+          previousValue: instance(childEntityWithNameRefMock),
+          cascadingDeleteCause: {
+            entity: parentEntityWithName,
+            cascadingDeleteCause: null,
+          },
+        },
+        entity: instance(childEntityWithNameRefMock),
+      },
+      // parent name matches parent being deleted, field null in current version but filled in previous version
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext: {
+          previousValue: instance(childEntityWithNameRefMock),
+          cascadingDeleteCause: {
+            entity: parentEntityWithName,
+            cascadingDeleteCause: null,
+          },
+        },
+        entity: instance(childEntityWithNameRefMockWithNullifiedField),
+      },
+    ],
+  },
+);

package/src/rules/__tests__/EvaluateIfEntityFieldPredicatePrivacyPolicyRule-test.ts

@@ -0,0 +1,47 @@
+import { mock, instance, when } from 'ts-mockito';
+
+import { EntityPrivacyPolicyEvaluationContext } from '../../EntityPrivacyPolicy';
+import { EntityQueryContext } from '../../EntityQueryContext';
+import { ViewerContext } from '../../ViewerContext';
+import { describePrivacyPolicyRule } from '../../utils/__testfixtures__/PrivacyPolicyRuleTestUtils';
+import { TestEntity, TestFields } from '../../utils/__testfixtures__/TestEntity';
+import { AlwaysAllowPrivacyPolicyRule } from '../AlwaysAllowPrivacyPolicyRule';
+import { EvaluateIfEntityFieldPredicatePrivacyPolicyRule } from '../EvaluateIfEntityFieldPredicatePrivacyPolicyRule';
+
+const entityBlahMock = mock(TestEntity);
+when(entityBlahMock.getField('testIndexedField')).thenReturn('1');
+const entityBlah = instance(entityBlahMock);
+
+const entityFooMock = mock(TestEntity);
+when(entityFooMock.getField('testIndexedField')).thenReturn('2');
+const entityFoo = instance(entityFooMock);
+
+describePrivacyPolicyRule<TestFields, 'customIdField', ViewerContext, TestEntity>(
+  new EvaluateIfEntityFieldPredicatePrivacyPolicyRule<
+    TestFields,
+    'customIdField',
+    ViewerContext,
+    TestEntity,
+    'testIndexedField'
+  >('testIndexedField', (val) => val === '1', new AlwaysAllowPrivacyPolicyRule()),
+  {
+    allowCases: [
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext:
+          instance(mock<EntityPrivacyPolicyEvaluationContext<any, any, any, any, any>>()),
+        entity: entityBlah,
+      },
+    ],
+    skipCases: [
+      {
+        viewerContext: instance(mock(ViewerContext)),
+        queryContext: instance(mock(EntityQueryContext)),
+        evaluationContext:
+          instance(mock<EntityPrivacyPolicyEvaluationContext<any, any, any, any, any>>()),
+        entity: entityFoo,
+      },
+    ],
+  },
+);