@j-schreiber/sf-cli-security-audit 0.4.0 → 0.4.1

package/lib/libs/core/mdapi/mdapiRetriever.d.ts

@@ -0,0 +1,110 @@
+import { PathLike } from 'node:fs';
+import { Connection } from '@salesforce/core';
+import { XMLParser } from 'fast-xml-parser';
+import { ConnectedAppSettings, PermissionSet } from '@jsforce/jsforce-node/lib/api/metadata.js';
+export default class MDAPI {
+    private connection;
+    private cache;
+    constructor(connection: Connection);
+    /**
+     * Resolves one of the pre-configured metadata types and returns
+     * a map of resolved names and entire XML content of source file body.
+     *
+     * @param typeName
+     * @param componentNames
+     * @returns
+     */
+    resolve<K extends keyof typeof NamedTypesRegistry>(typeName: keyof typeof NamedTypesRegistry, componentNames: string[]): Promise<NamedReturnTypes[K]>;
+    /**
+     * Resolves one of the pre-configured metadata types and returns
+     * the entire XML content of source file body.
+     *
+     * @param typeName
+     * @returns
+     */
+    resolveSingleton<K extends keyof typeof SingletonRegistry>(typeName: keyof typeof SingletonRegistry): Promise<SingletonReturnTypes[K]>;
+    private cacheResults;
+    private fetchCached;
+}
+type MetadataRegistryEntryOpts<Type, Key extends keyof Type> = {
+    /**
+     * Metadata API name of the type.
+     */
+    retrieveType: string;
+    /**
+     * Metadata API name entity.
+     */
+    retrieveName?: string;
+    /**
+     * Optional XML parser instance. Typically used to fix errors for
+     * properties that must be parsed as list.
+     */
+    parser?: XMLParser;
+    /**
+     * Name of the root node in XML file content
+     */
+    rootNodeName: Key;
+    /**
+     * Post processor function that sanitises the XML parse result
+     */
+    parsePostProcessor?: (parseResult: Type[Key]) => Type[Key];
+};
+declare abstract class MetadataRegistryEntry<Type, Key extends keyof Type> {
+    private opts;
+    parser: XMLParser;
+    retrieveType: string;
+    rootNodeName: Key;
+    constructor(opts: MetadataRegistryEntryOpts<Type, Key>);
+    parse(fullFilePath: PathLike): Type[Key];
+}
+/**
+ * The entry is a type that only has one single instance on the org, such as
+ * a Setting. The component is retrieved by its root node name
+ * (e.g. ConnectedAppSettings, AccountSettings, etc).
+ */
+declare class SingletonMetadata<Type, Key extends keyof Type> extends MetadataRegistryEntry<Type, Key> {
+    retrieveName: string;
+    constructor(opts: MetadataRegistryEntryOpts<Type, Key>);
+    /**
+     * Resolves component names, retrieves the metadata and returns
+     * as a strongly typed result.
+     *
+     * @param con
+     * @param componentNames
+     * @returns
+     */
+    resolve(con: Connection): Promise<Type[Key]>;
+    private parseSourceFile;
+}
+declare class NamedMetadata<Type, Key extends keyof Type> extends MetadataRegistryEntry<Type, Key> {
+    constructor(opts: MetadataRegistryEntryOpts<Type, Key>);
+    /**
+     * Resolves component names, retrieves the metadata and returns
+     * as a strongly typed result.
+     *
+     * @param con
+     * @param componentNames
+     * @returns
+     */
+    resolve(con: Connection, componentNames: string[]): Promise<Record<string, Type[Key]>>;
+    private parseSourceFiles;
+}
+export declare const NamedTypesRegistry: {
+    PermissionSet: NamedMetadata<PermissionSetXml, "PermissionSet">;
+};
+export declare const SingletonRegistry: {
+    ConnectedAppSettings: SingletonMetadata<ConnectedAppSettingsXml, "ConnectedAppSettings">;
+};
+type NamedReturnTypes = {
+    [K in keyof typeof NamedTypesRegistry]: Awaited<ReturnType<(typeof NamedTypesRegistry)[K]['resolve']>>;
+};
+type SingletonReturnTypes = {
+    [K in keyof typeof SingletonRegistry]: Awaited<ReturnType<(typeof SingletonRegistry)[K]['resolve']>>;
+};
+type PermissionSetXml = {
+    PermissionSet: PermissionSet;
+};
+type ConnectedAppSettingsXml = {
+    ConnectedAppSettings: ConnectedAppSettings;
+};
+export {};

package/lib/libs/core/mdapi/mdapiRetriever.js

@@ -0,0 +1,193 @@
+import { readFileSync } from 'node:fs';
+import { ComponentSet } from '@salesforce/source-deploy-retrieve';
+import { XMLParser } from 'fast-xml-parser';
+export default class MDAPI {
+    connection;
+    cache;
+    constructor(connection) {
+        this.connection = connection;
+        this.cache = new MetadataCache();
+    }
+    /**
+     * Resolves one of the pre-configured metadata types and returns
+     * a map of resolved names and entire XML content of source file body.
+     *
+     * @param typeName
+     * @param componentNames
+     * @returns
+     */
+    async resolve(typeName, componentNames) {
+        const retriever = NamedTypesRegistry[typeName];
+        const { toRetrieve, cached } = this.fetchCached(componentNames);
+        if (toRetrieve.length > 0) {
+            const retrieveResults = await retriever.resolve(this.connection, toRetrieve);
+            this.cacheResults(retrieveResults);
+            return {
+                ...cached,
+                ...retrieveResults,
+            };
+        }
+        return cached;
+    }
+    /**
+     * Resolves one of the pre-configured metadata types and returns
+     * the entire XML content of source file body.
+     *
+     * @param typeName
+     * @returns
+     */
+    async resolveSingleton(typeName) {
+        const retriever = SingletonRegistry[typeName];
+        const { toRetrieve, cached } = this.fetchCached([typeName]);
+        if (toRetrieve.length > 0) {
+            const retrieveResults = await retriever.resolve(this.connection);
+            this.cache.set(typeName, retrieveResults);
+            return retrieveResults;
+        }
+        return cached[typeName];
+    }
+    cacheResults(results) {
+        Object.entries(results).forEach(([cname, mdata]) => {
+            this.cache.set(cname, mdata);
+        });
+    }
+    fetchCached(componentNames) {
+        const toRetrieve = [];
+        const cached = {};
+        for (const cname of componentNames) {
+            if (this.cache.isCached(cname)) {
+                cached[cname] = this.cache.fetch(cname);
+            }
+            else {
+                toRetrieve.push(cname);
+            }
+        }
+        return { toRetrieve, cached };
+    }
+}
+class MetadataCache {
+    components = {};
+    isCached(cmpName) {
+        return this.components[cmpName] !== undefined && this.components[cmpName] !== null;
+    }
+    fetch(cmpName) {
+        if (!this.isCached(cmpName)) {
+            throw new Error('Component not cached. Check first before fetching: ' + cmpName);
+        }
+        return this.components[cmpName];
+    }
+    set(cmpName, content) {
+        this.components[cmpName] = content;
+    }
+}
+class MetadataRegistryEntry {
+    opts;
+    parser;
+    retrieveType;
+    rootNodeName;
+    constructor(opts) {
+        this.opts = opts;
+        this.retrieveType = this.opts.retrieveType;
+        this.parser = this.opts.parser ?? new XMLParser();
+        this.rootNodeName = this.opts.rootNodeName;
+    }
+    parse(fullFilePath) {
+        const fileContent = readFileSync(fullFilePath, 'utf-8');
+        const parsedContent = this.parser.parse(fileContent);
+        if (this.opts.parsePostProcessor) {
+            return this.opts.parsePostProcessor(parsedContent[this.rootNodeName]);
+        }
+        return parsedContent[this.rootNodeName];
+    }
+}
+/**
+ * The entry is a type that only has one single instance on the org, such as
+ * a Setting. The component is retrieved by its root node name
+ * (e.g. ConnectedAppSettings, AccountSettings, etc).
+ */
+class SingletonMetadata extends MetadataRegistryEntry {
+    retrieveName;
+    constructor(opts) {
+        super(opts);
+        this.retrieveName = opts.retrieveName ?? String(this.rootNodeName);
+    }
+    /**
+     * Resolves component names, retrieves the metadata and returns
+     * as a strongly typed result.
+     *
+     * @param con
+     * @param componentNames
+     * @returns
+     */
+    async resolve(con) {
+        const cmpSet = new ComponentSet([{ type: this.retrieveType, fullName: this.retrieveName }]);
+        const retrieveResult = await retrieve(cmpSet, con);
+        return this.parseSourceFile(retrieveResult.components);
+    }
+    parseSourceFile(componentSet) {
+        const cmps = componentSet.getSourceComponents({ type: this.retrieveType, fullName: this.retrieveName }).toArray();
+        if (cmps.length > 0 && cmps[0].xml) {
+            return this.parse(cmps[0].xml);
+        }
+        throw new Error('Failed to resolve settings for: ' + this.retrieveName);
+    }
+}
+class NamedMetadata extends MetadataRegistryEntry {
+    constructor(opts) {
+        super(opts);
+    }
+    /**
+     * Resolves component names, retrieves the metadata and returns
+     * as a strongly typed result.
+     *
+     * @param con
+     * @param componentNames
+     * @returns
+     */
+    async resolve(con, componentNames) {
+        const cmpSet = new ComponentSet(componentNames.map((cname) => ({ type: this.retrieveType, fullName: cname })));
+        const retrieveResult = await retrieve(cmpSet, con);
+        return this.parseSourceFiles(retrieveResult.components, componentNames);
+    }
+    parseSourceFiles(componentSet, retrievedNames) {
+        const cmps = componentSet.getSourceComponents().toArray();
+        const result = {};
+        cmps.forEach((sourceComponent) => {
+            if (sourceComponent.xml && retrievedNames.includes(sourceComponent.name)) {
+                result[sourceComponent.name] = this.parse(sourceComponent.xml);
+            }
+        });
+        return result;
+    }
+}
+async function retrieve(compSet, con) {
+    const retrieveRequest = await compSet.retrieve({
+        usernameOrConnection: con,
+        output: '.jsc/retrieves',
+    });
+    const retrieveResult = await retrieveRequest.pollStatus();
+    return retrieveResult;
+}
+export const NamedTypesRegistry = {
+    PermissionSet: new NamedMetadata({
+        retrieveType: 'PermissionSet',
+        rootNodeName: 'PermissionSet',
+        parser: new XMLParser({
+            isArray: (jpath) => ['userPermissions', 'fieldPermissions', 'customPermissions', 'classAccesses'].includes(jpath),
+        }),
+        parsePostProcessor: (parseResult) => ({
+            ...parseResult,
+            userPermissions: parseResult.userPermissions ?? [],
+            customPermissions: parseResult.customPermissions ?? [],
+            classAccesses: parseResult.classAccesses ?? [],
+        }),
+    }),
+};
+export const SingletonRegistry = {
+    ConnectedAppSettings: new SingletonMetadata({
+        rootNodeName: 'ConnectedAppSettings',
+        retrieveName: 'ConnectedApp',
+        retrieveType: 'Settings',
+    }),
+};
+//# sourceMappingURL=mdapiRetriever.js.map

package/lib/libs/core/mdapi/mdapiRetriever.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mdapiRetriever.js","sourceRoot":"","sources":["../../../../src/libs/core/mdapi/mdapiRetriever.ts"],"names":[],"mappings":"AAAA,OAAO,EAAY,YAAY,EAAE,MAAM,SAAS,CAAC;AAEjD,OAAO,EAAE,YAAY,EAAkB,MAAM,oCAAoC,CAAC;AAClF,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAG5C,MAAM,CAAC,OAAO,OAAO,KAAK;IAGG;IAFnB,KAAK,CAAgB;IAE7B,YAA2B,UAAsB;QAAtB,eAAU,GAAV,UAAU,CAAY;QAC/C,IAAI,CAAC,KAAK,GAAG,IAAI,aAAa,EAAE,CAAC;IACnC,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAClB,QAAyC,EACzC,cAAwB;QAExB,MAAM,SAAS,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC;QAChE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;YAC7E,IAAI,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YACnC,OAAO;gBACL,GAAG,MAAM;gBACT,GAAG,eAAe;aACI,CAAC;QAC3B,CAAC;QACD,OAAO,MAA6B,CAAC;IACvC,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,gBAAgB,CAC3B,QAAwC;QAExC,MAAM,SAAS,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5D,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YACjE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;YAC1C,OAAO,eAA0C,CAAC;QACpD,CAAC;QACD,OAAO,MAAM,CAAC,QAAQ,CAA4B,CAAC;IACrD,CAAC;IAEO,YAAY,CAAC,OAAiC;QACpD,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,EAAE;YACjD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,WAAW,CAAC,cAAwB;QAC1C,MAAM,UAAU,GAAG,EAAE,CAAC;QACtB,MAAM,MAAM,GAA6B,EAAE,CAAC;QAC5C,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC/B,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAC1C,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QACD,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;IAChC,CAAC;CACF;AAED,MAAM,aAAa;IACT,UAAU,GAA6B,EAAE,CAAC;IAE3C,QAAQ,CAAC,OAAe;QAC7B,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC;IACrF,CAAC;IAEM,KAAK,CAAC,OAAe;QAC1B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,qDAAqD,GAAG,OAAO,CAAC,CAAC;QACnF,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC;IAEM,GAAG,CAAC,OAAe,EAAE,OAAiB;QAC3C,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IACrC,CAAC;CACF;AA0BD,MAAe,qBAAqB;IAKP;IAJpB,MAAM,CAAY;IAClB,YAAY,CAAS;IACrB,YAAY,CAAM;IAEzB,YAA2B,IAA0C;QAA1C,SAAI,GAAJ,IAAI,CAAsC;QACnE,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC;QAC3C,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAClD,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC;IAC7C,CAAC;IAEM,KAAK,CAAC,YAAsB;QACjC,MAAM,WAAW,GAAG,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACxD,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAS,CAAC;QAC7D,IAAI,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;QACxE,CAAC;QACD,OAAO,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1C,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,iBAAgD,SAAQ,qBAAgC;IACrF,YAAY,CAAS;IAC5B,YAAmB,IAA0C;QAC3D,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrE,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAAC,GAAe;QAClC,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;QAC5F,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACnD,OAAO,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACzD,CAAC;IAEO,eAAe,CAAC,YAA0B;QAChD,MAAM,IAAI,GAAG,YAAY,CAAC,mBAAmB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;QAClH,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACjC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,kCAAkC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1E,CAAC;CACF;AAED,MAAM,aAA4C,SAAQ,qBAAgC;IACxF,YAAmB,IAA0C;QAC3D,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IACD;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAAC,GAAe,EAAE,cAAwB;QAC5D,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/G,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACnD,OAAO,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IAC1E,CAAC;IAEO,gBAAgB,CAAC,YAA0B,EAAE,cAAwB;QAC3E,MAAM,IAAI,GAAG,YAAY,CAAC,mBAAmB,EAAE,CAAC,OAAO,EAAE,CAAC;QAC1D,MAAM,MAAM,GAA8B,EAAE,CAAC;QAC7C,IAAI,CAAC,OAAO,CAAC,CAAC,eAAe,EAAE,EAAE;YAC/B,IAAI,eAAe,CAAC,GAAG,IAAI,cAAc,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzE,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;YACjE,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,KAAK,UAAU,QAAQ,CAAC,OAAqB,EAAE,GAAe;IAC5D,MAAM,eAAe,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC;QAC7C,oBAAoB,EAAE,GAAG;QACzB,MAAM,EAAE,gBAAgB;KACzB,CAAC,CAAC;IACH,MAAM,cAAc,GAAG,MAAM,eAAe,CAAC,UAAU,EAAE,CAAC;IAC1D,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,aAAa,EAAE,IAAI,aAAa,CAAoC;QAClE,YAAY,EAAE,eAAe;QAC7B,YAAY,EAAE,eAAe;QAC7B,MAAM,EAAE,IAAI,SAAS,CAAC;YACpB,OAAO,EAAE,CAAC,KAAK,EAAW,EAAE,CAC1B,CAAC,iBAAiB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,eAAe,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;SAChG,CAAC;QACF,kBAAkB,EAAE,CAAC,WAAW,EAAiB,EAAE,CAAC,CAAC;YACnD,GAAG,WAAW;YACd,eAAe,EAAE,WAAW,CAAC,eAAe,IAAI,EAAE;YAClD,iBAAiB,EAAE,WAAW,CAAC,iBAAiB,IAAI,EAAE;YACtD,aAAa,EAAE,WAAW,CAAC,aAAa,IAAI,EAAE;SAC/C,CAAC;KACH,CAAC;CACH,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,oBAAoB,EAAE,IAAI,iBAAiB,CAAkD;QAC3F,YAAY,EAAE,sBAAsB;QACpC,YAAY,EAAE,cAAc;QAC5B,YAAY,EAAE,UAAU;KACzB,CAAC;CACH,CAAC"}

package/lib/libs/core/policy-types.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Presets can be assigned to profiles and permission sets.
+ * A preset allows permissions up to a fixed risk level.
+ */
+export declare enum ProfilesRiskPreset {
+    /** Allows up to "Critical" permissions */
+    DEVELOPER = "Developer",
+    /** Allows up to "High" permissions */
+    ADMIN = "Admin",
+    /** Allows up to "Medium" permissions */
+    POWER_USER = "Power User",
+    /** Allows only "Low" permissions */
+    STANDARD_USER = "Standard User",
+    /** Disables the profile for audit */
+    UNKNOWN = "Unknown"
+}
+export declare function resolvePresetOrdinalValue(value: string): number;
+export declare function permissionAllowedInPreset(permClassification: string, preset: string): boolean;

package/lib/libs/core/policy-types.js

@@ -0,0 +1,28 @@
+import { PermissionRiskLevel, resolveRiskLevelOrdinalValue } from './classification-types.js';
+/**
+ * Presets can be assigned to profiles and permission sets.
+ * A preset allows permissions up to a fixed risk level.
+ */
+export var ProfilesRiskPreset;
+(function (ProfilesRiskPreset) {
+    /** Allows up to "Critical" permissions */
+    ProfilesRiskPreset["DEVELOPER"] = "Developer";
+    /** Allows up to "High" permissions */
+    ProfilesRiskPreset["ADMIN"] = "Admin";
+    /** Allows up to "Medium" permissions */
+    ProfilesRiskPreset["POWER_USER"] = "Power User";
+    /** Allows only "Low" permissions */
+    ProfilesRiskPreset["STANDARD_USER"] = "Standard User";
+    /** Disables the profile for audit */
+    ProfilesRiskPreset["UNKNOWN"] = "Unknown";
+})(ProfilesRiskPreset || (ProfilesRiskPreset = {}));
+export function resolvePresetOrdinalValue(value) {
+    return Object.keys(ProfilesRiskPreset).indexOf(value.toUpperCase().replace(' ', '_'));
+}
+export function permissionAllowedInPreset(permClassification, preset) {
+    // this works, as long as we are mindful when adding new risk levels and presets
+    const invertedPermValue = Object.keys(PermissionRiskLevel).length - resolveRiskLevelOrdinalValue(permClassification);
+    const invertedPresetValue = Object.keys(ProfilesRiskPreset).length - resolvePresetOrdinalValue(preset);
+    return invertedPresetValue >= invertedPermValue;
+}
+//# sourceMappingURL=policy-types.js.map

package/lib/libs/core/policy-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-types.js","sourceRoot":"","sources":["../../../src/libs/core/policy-types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,4BAA4B,EAAE,MAAM,2BAA2B,CAAC;AAE9F;;;GAGG;AACH,MAAM,CAAN,IAAY,kBAWX;AAXD,WAAY,kBAAkB;IAC5B,0CAA0C;IAC1C,6CAAuB,CAAA;IACvB,sCAAsC;IACtC,qCAAe,CAAA;IACf,wCAAwC;IACxC,+CAAyB,CAAA;IACzB,oCAAoC;IACpC,qDAA+B,CAAA;IAC/B,qCAAqC;IACrC,yCAAmB,CAAA;AACrB,CAAC,EAXW,kBAAkB,KAAlB,kBAAkB,QAW7B;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAa;IACrD,OAAO,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;AACxF,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,kBAA0B,EAAE,MAAc;IAClF,gFAAgF;IAChF,MAAM,iBAAiB,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,GAAG,4BAA4B,CAAC,kBAAkB,CAAC,CAAC;IACrH,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,MAAM,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAC;IACvG,OAAO,mBAAmB,IAAI,iBAAiB,CAAC;AAClD,CAAC"}

package/lib/libs/core/registries/connectedApps.d.ts

@@ -0,0 +1,13 @@
+import RuleRegistry from './ruleRegistry.js';
+export type ResolvedConnectedApp = {
+    name: string;
+    origin: 'Installed' | 'OauthToken' | 'Owned';
+    onlyAdminApprovedUsersAllowed: boolean;
+    overrideByApiSecurityAccess: boolean;
+    useCount: number;
+    users: string[];
+};
+export default class ConnectedAppsRuleRegistry extends RuleRegistry {
+    constructor();
+}
+export declare const ConnectedAppsRegistry: ConnectedAppsRuleRegistry;

package/lib/libs/{config → core}/registries/connectedApps.js

@@ -1,5 +1,5 @@
-import AllUsedAppsUnderManagement from '../../policies/rules/allUsedAppsUnderManagement.js';
-import NoUserCanSelfAuthorize from '../../policies/rules/noUserCanSelfAuthorize.js';
+import AllUsedAppsUnderManagement from './rules/allUsedAppsUnderManagement.js';
+import NoUserCanSelfAuthorize from './rules/noUserCanSelfAuthorize.js';
 import RuleRegistry from './ruleRegistry.js';
 export default class ConnectedAppsRuleRegistry extends RuleRegistry {
     constructor() {

package/lib/libs/core/registries/connectedApps.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connectedApps.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/connectedApps.ts"],"names":[],"mappings":"AAAA,OAAO,0BAA0B,MAAM,uCAAuC,CAAC;AAC/E,OAAO,sBAAsB,MAAM,mCAAmC,CAAC;AACvE,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAU7C,MAAM,CAAC,OAAO,OAAO,yBAA0B,SAAQ,YAAY;IACjE;QACE,KAAK,CAAC;YACJ,0BAA0B;YAC1B,sBAAsB;SACvB,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,yBAAyB,EAAE,CAAC"}

package/lib/libs/{config → core}/registries/permissionSets.d.ts

@@ -1,4 +1,10 @@
+import { PermissionSet } from '@jsforce/jsforce-node/lib/api/metadata.js';
 import RuleRegistry from './ruleRegistry.js';
+export type ResolvedPermissionSet = {
+    name: string;
+    preset: string;
+    metadata: PermissionSet;
+};
 export default class PermSetsRuleRegistry extends RuleRegistry {
     constructor();
 }

package/lib/libs/{config → core}/registries/permissionSets.js

@@ -1,4 +1,4 @@
-import EnforceUserPermsClassificationOnPermSets from '../../policies/rules/enforceUserPermsClassificationOnPermSets.js';
+import EnforceUserPermsClassificationOnPermSets from './rules/enforceUserPermsClassificationOnPermSets.js';
 import RuleRegistry from './ruleRegistry.js';
 export default class PermSetsRuleRegistry extends RuleRegistry {
     constructor() {

package/lib/libs/core/registries/permissionSets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionSets.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/permissionSets.ts"],"names":[],"mappings":"AACA,OAAO,wCAAwC,MAAM,qDAAqD,CAAC;AAC3G,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAO7C,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,YAAY;IAC5D;QACE,KAAK,CAAC;YACJ,oCAAoC,EAAE,wCAAwC;SAC/E,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,oBAAoB,EAAE,CAAC"}

package/lib/libs/{config → core}/registries/profiles.d.ts

@@ -1,4 +1,10 @@
+import { Profile as ProfileMetadata } from '@jsforce/jsforce-node/lib/api/metadata.js';
 import RuleRegistry from './ruleRegistry.js';
+export type ResolvedProfile = {
+    name: string;
+    preset: string;
+    metadata: ProfileMetadata;
+};
 export default class ProfilesRuleRegistry extends RuleRegistry {
     constructor();
 }

package/lib/libs/{config → core}/registries/profiles.js

@@ -1,5 +1,5 @@
-import EnforceCustomPermsClassificationOnProfiles from '../../policies/rules/enforceCustomPermsClassificationOnProfiles.js';
-import EnforceUserPermsClassificationOnProfiles from '../../policies/rules/enforceUserPermsClassificationOnProfiles.js';
+import EnforceCustomPermsClassificationOnProfiles from './rules/enforceCustomPermsClassificationOnProfiles.js';
+import EnforceUserPermsClassificationOnProfiles from './rules/enforceUserPermsClassificationOnProfiles.js';
 import RuleRegistry from './ruleRegistry.js';
 export default class ProfilesRuleRegistry extends RuleRegistry {
     constructor() {

package/lib/libs/core/registries/profiles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"profiles.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/profiles.ts"],"names":[],"mappings":"AACA,OAAO,0CAA0C,MAAM,uDAAuD,CAAC;AAC/G,OAAO,wCAAwC,MAAM,qDAAqD,CAAC;AAC3G,OAAO,YAAY,MAAM,mBAAmB,CAAC;AAQ7C,MAAM,CAAC,OAAO,OAAO,oBAAqB,SAAQ,YAAY;IAC5D;QACE,KAAK,CAAC;YACJ,sCAAsC,EAAE,0CAA0C;YAClF,oCAAoC,EAAE,wCAAwC;SAC/E,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,oBAAoB,EAAE,CAAC"}

package/lib/libs/{config → core}/registries/ruleRegistry.d.ts

@@ -1,7 +1,17 @@
-import { AuditRunConfig, RuleMap } from '../audit-run/schema.js';
-import { RowLevelPolicyRule } from '../../policies/interfaces/policyRuleInterfaces.js';
-import { RegistryRuleResolveResult } from './types.js';
+import { EntityResolveError, PolicyRuleSkipResult } from '../result-types.js';
+import { AuditRunConfig, RuleMap } from '../../core/file-mgmt/schema.js';
+import { RowLevelPolicyRule } from './types.js';
 type Constructor<T, Args extends any[] = any[]> = new (...args: Args) => T;
+/**
+ * Result contains the actually available and enabled rules
+ * from the raw config file. Rules that are not present in the
+ * policie's registry are errors, disabled rules are skipped.
+ */
+export type RegistryRuleResolveResult = {
+    enabledRules: Array<RowLevelPolicyRule<unknown>>;
+    skippedRules: PolicyRuleSkipResult[];
+    resolveErrors: EntityResolveError[];
+};
 /**
  * The rule registry holds all available rules for a given policy at run time.
  * It is designed to be extendible so we can easily register new rules and it will

package/lib/libs/core/registries/ruleRegistry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ruleRegistry.js","sourceRoot":"","sources":["../../../../src/libs/core/registries/ruleRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAK5C,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAgBjG;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,YAAY;IACL;IAA1B,YAA0B,KAA+D;QAA/D,UAAK,GAAL,KAAK,CAA0D;IAAG,CAAC;IAE7F;;;;OAIG;IACI,eAAe;QACpB,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;;OAOG;IACI,YAAY,CAAC,QAAiB,EAAE,YAA4B;QACjE,MAAM,YAAY,GAAG,IAAI,KAAK,EAA+B,CAAC;QAC9D,MAAM,YAAY,GAAG,IAAI,KAAK,EAAwB,CAAC;QACvD,MAAM,aAAa,GAAG,IAAI,KAAK,EAAsB,CAAC;QACtD,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE;YAC1D,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/C,YAAY,CAAC,IAAI,CACf,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,YAAY,EAAE,eAAe,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CACrG,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;gBAC/B,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC;YACzG,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC;YAC5G,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;IACvD,CAAC;CACF"}

package/lib/libs/{policies → core/registries}/rules/allUsedAppsUnderManagement.d.ts

@@ -1,5 +1,5 @@
-import { ResolvedConnectedApp } from '../connectedAppPolicy.js';
-import { PartialPolicyRuleResult, RuleAuditContext } from '../interfaces/policyRuleInterfaces.js';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedConnectedApp } from '../connectedApps.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class AllUsedAppsUnderManagement extends PolicyRule<ResolvedConnectedApp> {
     constructor(opts: RuleOptions);

package/lib/libs/core/registries/rules/allUsedAppsUnderManagement.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"allUsedAppsUnderManagement.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/allUsedAppsUnderManagement.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,qBAAqB,CAAC,CAAC;AAEpG,MAAM,CAAC,OAAO,OAAO,0BAA2B,SAAQ,UAAgC;IACtF,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA+C;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACnD,IAAI,GAAG,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;gBAChC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;oBACrB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;oBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,wCAAwC,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;iBACzG,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/{policies → core/registries}/rules/enforceCustomPermsClassificationOnProfiles.d.ts

@@ -1,5 +1,5 @@
-import { PartialPolicyRuleResult, RuleAuditContext } from '../interfaces/policyRuleInterfaces.js';
-import { ResolvedProfile } from '../profilePolicy.js';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedProfile } from '../profiles.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforceCustomPermsClassificationOnProfiles extends PolicyRule<ResolvedProfile> {
     constructor(opts: RuleOptions);

package/lib/libs/{policies → core/registries}/rules/enforceCustomPermsClassificationOnProfiles.js

@@ -1,5 +1,6 @@
 import { Messages } from '@salesforce/core';
-import { permissionAllowedInPreset, PolicyRiskLevel } from '../types.js';
+import { PermissionRiskLevel } from '../../classification-types.js';
+import { permissionAllowedInPreset } from '../../policy-types.js';
 import PolicyRule from './policyRule.js';
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
 export default class EnforceCustomPermsClassificationOnProfiles extends PolicyRule {
@@ -15,7 +16,7 @@ export default class EnforceCustomPermsClassificationOnProfiles extends PolicyRu
                 const identifier = [profile.name, perm.name];
                 const classifiedPerm = this.resolveCustomPermission(perm.name);
                 if (classifiedPerm) {
-                    if (classifiedPerm.classification === PolicyRiskLevel.BLOCKED) {
+                    if (classifiedPerm.classification === PermissionRiskLevel.BLOCKED) {
                         result.violations.push({
                             identifier,
                             message: messages.getMessage('violations.permission-is-blocked'),
@@ -30,7 +31,7 @@ export default class EnforceCustomPermsClassificationOnProfiles extends PolicyRu
                             ]),
                         });
                     }
-                    else if (classifiedPerm.classification === PolicyRiskLevel.UNKNOWN) {
+                    else if (classifiedPerm.classification === PermissionRiskLevel.UNKNOWN) {
                         result.warnings.push({
                             identifier,
                             message: messages.getMessage('warnings.permission-unknown'),

package/lib/libs/core/registries/rules/enforceCustomPermsClassificationOnProfiles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforceCustomPermsClassificationOnProfiles.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/enforceCustomPermsClassificationOnProfiles.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAC1D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,0CAA2C,SAAQ,UAA2B;IACjG,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA0C;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAClD,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,iBAAiB,IAAI,EAAE,CAAC;YAC7D,WAAW,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;gBAC3B,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC7C,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC/D,IAAI,cAAc,EAAE,CAAC;oBACnB,IAAI,cAAc,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;wBAClE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;yBACjE,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,CAAC,yBAAyB,CAAC,cAAc,CAAC,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;wBACrF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;gCACxE,cAAc,CAAC,cAAc;gCAC7B,OAAO,CAAC,MAAM;6BACf,CAAC;yBACH,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,cAAc,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;wBACzE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;4BACnB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;yBAC5D,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,+CAA+C,CAAC;qBAC9E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/{policies → core/registries}/rules/enforceUserPermsClassificationOnPermSets.d.ts

@@ -1,5 +1,5 @@
-import { PartialPolicyRuleResult, RuleAuditContext } from '../interfaces/policyRuleInterfaces.js';
-import { ResolvedPermissionSet } from '../permissionSetPolicy.js';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedPermissionSet } from '../permissionSets.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforceUserPermsClassificationOnPermSets extends PolicyRule<ResolvedPermissionSet> {
     constructor(opts: RuleOptions);

package/lib/libs/{policies → core/registries}/rules/enforceUserPermsClassificationOnPermSets.js

@@ -1,5 +1,6 @@
 import { Messages } from '@salesforce/core';
-import { permissionAllowedInPreset, PolicyRiskLevel } from '../types.js';
+import { PermissionRiskLevel } from '../../classification-types.js';
+import { permissionAllowedInPreset } from '../../policy-types.js';
 import PolicyRule from './policyRule.js';
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
 export default class EnforceUserPermsClassificationOnPermSets extends PolicyRule {
@@ -15,7 +16,7 @@ export default class EnforceUserPermsClassificationOnPermSets extends PolicyRule
                 const identifier = [permset.name, userPerm.name];
                 const classifiedUserPerm = this.resolveUserPermission(userPerm.name);
                 if (classifiedUserPerm) {
-                    if (classifiedUserPerm.classification === PolicyRiskLevel.BLOCKED) {
+                    if (classifiedUserPerm.classification === PermissionRiskLevel.BLOCKED) {
                         result.violations.push({
                             identifier,
                             message: messages.getMessage('violations.permission-is-blocked'),
@@ -30,7 +31,7 @@ export default class EnforceUserPermsClassificationOnPermSets extends PolicyRule
                             ]),
                         });
                     }
-                    else if (classifiedUserPerm.classification === PolicyRiskLevel.UNKNOWN) {
+                    else if (classifiedUserPerm.classification === PermissionRiskLevel.UNKNOWN) {
                         result.warnings.push({
                             identifier,
                             message: messages.getMessage('warnings.permission-unknown'),

package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnPermSets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforceUserPermsClassificationOnPermSets.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/enforceUserPermsClassificationOnPermSets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,wCAAyC,SAAQ,UAAiC;IACrG,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAAgD;QACzD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAClD,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,eAAe,IAAI,EAAE,CAAC;YACzD,SAAS,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;gBAC7B,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;gBACjD,MAAM,kBAAkB,GAAG,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBACrE,IAAI,kBAAkB,EAAE,CAAC;oBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;wBACtE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;yBACjE,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,CAAC,yBAAyB,CAAC,kBAAkB,CAAC,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;wBACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;4BACrB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;gCACxE,kBAAkB,CAAC,cAAc;gCACjC,OAAO,CAAC,MAAM;6BACf,CAAC;yBACH,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;wBAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;4BACnB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;yBAC5D,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU;wBACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,sDAAsD,CAAC;qBACrF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/{policies → core/registries}/rules/enforceUserPermsClassificationOnProfiles.d.ts

@@ -1,5 +1,5 @@
-import { PartialPolicyRuleResult, RuleAuditContext } from '../interfaces/policyRuleInterfaces.js';
-import { ResolvedProfile } from '../profilePolicy.js';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedProfile } from '../profiles.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule<ResolvedProfile> {
     constructor(opts: RuleOptions);

package/lib/libs/{policies → core/registries}/rules/enforceUserPermsClassificationOnProfiles.js

@@ -1,6 +1,7 @@
 import { Messages } from '@salesforce/core';
 import { isNullish } from '../../utils.js';
-import { permissionAllowedInPreset, PolicyRiskLevel } from '../types.js';
+import { PermissionRiskLevel } from '../../classification-types.js';
+import { permissionAllowedInPreset } from '../../policy-types.js';
 import PolicyRule from './policyRule.js';
 const messages = Messages.loadMessages('@j-schreiber/sf-cli-security-audit', 'rules.enforceClassificationPresets');
 export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule {
@@ -16,7 +17,7 @@ export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule
                     const identifier = [profile.name, userPerm.name];
                     const classifiedUserPerm = this.resolveUserPermission(userPerm.name);
                     if (classifiedUserPerm) {
-                        if (classifiedUserPerm.classification === PolicyRiskLevel.BLOCKED) {
+                        if (classifiedUserPerm.classification === PermissionRiskLevel.BLOCKED) {
                             result.violations.push({
                                 identifier,
                                 message: messages.getMessage('violations.permission-is-blocked'),
@@ -31,7 +32,7 @@ export default class EnforceUserPermsClassificationOnProfiles extends PolicyRule
                                 ]),
                             });
                         }
-                        else if (classifiedUserPerm.classification === PolicyRiskLevel.UNKNOWN) {
+                        else if (classifiedUserPerm.classification === PermissionRiskLevel.UNKNOWN) {
                             result.warnings.push({
                                 identifier,
                                 message: messages.getMessage('warnings.permission-unknown'),

package/lib/libs/core/registries/rules/enforceUserPermsClassificationOnProfiles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enforceUserPermsClassificationOnProfiles.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/enforceUserPermsClassificationOnProfiles.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE5C,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,oCAAoC,CAAC,CAAC;AAEnH,MAAM,CAAC,OAAO,OAAO,wCAAyC,SAAQ,UAA2B;IAC/F,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA0C;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAClD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;gBACjD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;oBACpD,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;oBACjD,MAAM,kBAAkB,GAAG,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;oBACrE,IAAI,kBAAkB,EAAE,CAAC;wBACvB,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;4BACtE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gCACrB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kCAAkC,CAAC;6BACjE,CAAC,CAAC;wBACL,CAAC;6BAAM,IAAI,CAAC,yBAAyB,CAAC,kBAAkB,CAAC,cAAc,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;4BACzF,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;gCACrB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,2CAA2C,EAAE;oCACxE,kBAAkB,CAAC,cAAc;oCACjC,OAAO,CAAC,MAAM;iCACf,CAAC;6BACH,CAAC,CAAC;wBACL,CAAC;6BAAM,IAAI,kBAAkB,CAAC,cAAc,KAAK,mBAAmB,CAAC,OAAO,EAAE,CAAC;4BAC7E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;gCACnB,UAAU;gCACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;6BAC5D,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;4BACnB,UAAU;4BACV,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,+CAA+C,CAAC;yBAC9E,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}

package/lib/libs/{policies → core/registries}/rules/noUserCanSelfAuthorize.d.ts

@@ -1,5 +1,5 @@
-import { PartialPolicyRuleResult, RuleAuditContext } from '../interfaces/policyRuleInterfaces.js';
-import { ResolvedConnectedApp } from '../connectedAppPolicy.js';
+import { PartialPolicyRuleResult, RuleAuditContext } from '../types.js';
+import { ResolvedConnectedApp } from '../connectedApps.js';
 import PolicyRule, { RuleOptions } from './policyRule.js';
 export default class NoUserCanSelfAuthorize extends PolicyRule<ResolvedConnectedApp> {
     constructor(opts: RuleOptions);

package/lib/libs/core/registries/rules/noUserCanSelfAuthorize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"noUserCanSelfAuthorize.js","sourceRoot":"","sources":["../../../../../src/libs/core/registries/rules/noUserCanSelfAuthorize.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,UAA2B,MAAM,iBAAiB,CAAC;AAE1D,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,qBAAqB,CAAC,CAAC;AAEpG,MAAM,CAAC,OAAO,OAAO,sBAAuB,SAAQ,UAAgC;IAClF,YAAmB,IAAiB;QAClC,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IAEM,GAAG,CAAC,OAA+C;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,qBAAqB,GAAG,OAAO,CAAC,gBAAgB,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YACnD,IAAI,CAAC,GAAG,CAAC,6BAA6B,EAAE,CAAC;gBACvC,IAAI,GAAG,CAAC,2BAA2B,EAAE,CAAC;oBACpC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACnB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;wBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,yDAAyD,CAAC;qBACxF,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;wBACrB,UAAU,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;wBACtB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,qCAAqC,CAAC;qBACpE,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF"}