@j-schreiber/sf-cli-security-audit 0.4.1 → 0.6.0

package/lib/libs/core/mdapi/namedMetadataType.js

@@ -0,0 +1,41 @@
+import { ComponentSet } from '@salesforce/source-deploy-retrieve';
+import MetadataRegistryEntry, { cleanRetrieveDir, retrieve, } from './metadataRegistryEntry.js';
+/**
+ * The entry is a typical named metadata that is organized in a dedicated source folder
+ * where all entities have the same format. The components are retrieved and organized
+ * by their developer name.
+ */
+export default class NamedMetadata extends MetadataRegistryEntry {
+    constructor(opts) {
+        super(opts);
+    }
+    /**
+     * Resolves component names, retrieves the metadata and returns
+     * as a strongly typed result.
+     *
+     * @param con
+     * @param componentNames
+     * @returns
+     */
+    async resolve(con, componentNames) {
+        const cmpSet = new ComponentSet(componentNames.map((cname) => ({ type: this.retrieveType, fullName: cname })));
+        const retrieveResult = await retrieve(cmpSet, con);
+        const resolvedFiles = this.parseSourceFiles(retrieveResult.components, componentNames);
+        cleanRetrieveDir(retrieveResult.getFileResponses());
+        return resolvedFiles;
+    }
+    parseSourceFiles(componentSet, retrievedNames) {
+        const cmps = componentSet.getSourceComponents().toArray();
+        const result = {};
+        cmps.forEach((sourceComponent) => {
+            if (sourceComponent.xml && retrievedNames.includes(sourceComponent.name)) {
+                // the available method parseXmlSync on source component does not
+                // resolve the "rootNodeProblem" from XML. Therefore, we implement
+                // our own method to parse and return the "inner xml".
+                result[sourceComponent.name] = this.parse(sourceComponent.xml);
+            }
+        });
+        return result;
+    }
+}
+//# sourceMappingURL=namedMetadataType.js.map

package/lib/libs/core/mdapi/namedMetadataType.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"namedMetadataType.js","sourceRoot":"","sources":["../../../../src/libs/core/mdapi/namedMetadataType.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AAClE,OAAO,qBAAqB,EAAE,EAC5B,gBAAgB,EAEhB,QAAQ,GACT,MAAM,4BAA4B,CAAC;AAEpC;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,aAA4C,SAAQ,qBAAgC;IACvG,YAAmB,IAA0C;QAC3D,KAAK,CAAC,IAAI,CAAC,CAAC;IACd,CAAC;IACD;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAAC,GAAe,EAAE,cAAwB;QAC5D,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/G,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACnD,MAAM,aAAa,GAAG,IAAI,CAAC,gBAAgB,CAAC,cAAc,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;QACvF,gBAAgB,CAAC,cAAc,CAAC,gBAAgB,EAAE,CAAC,CAAC;QACpD,OAAO,aAAa,CAAC;IACvB,CAAC;IAEO,gBAAgB,CAAC,YAA0B,EAAE,cAAwB;QAC3E,MAAM,IAAI,GAAG,YAAY,CAAC,mBAAmB,EAAE,CAAC,OAAO,EAAE,CAAC;QAC1D,MAAM,MAAM,GAA8B,EAAE,CAAC;QAC7C,IAAI,CAAC,OAAO,CAAC,CAAC,eAAe,EAAE,EAAE;YAC/B,IAAI,eAAe,CAAC,GAAG,IAAI,cAAc,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzE,iEAAiE;gBACjE,kEAAkE;gBAClE,sDAAsD;gBACtD,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;YACjE,CAAC;QACH,CAAC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/lib/libs/core/mdapi/singletonMetadataType.d.ts

@@ -0,0 +1,21 @@
+import { Connection } from '@salesforce/core';
+import MetadataRegistryEntry, { MetadataRegistryEntryOpts } from './metadataRegistryEntry.js';
+/**
+ * The entry is a type that only has one single instance on the org, such as
+ * a Setting. The component is typically retrieved by a more generic name and
+ * organized & cached by the explicit name.
+ */
+export default class SingletonMetadata<Type, Key extends keyof Type> extends MetadataRegistryEntry<Type, Key> {
+    retrieveName: string;
+    constructor(opts: MetadataRegistryEntryOpts<Type, Key>);
+    /**
+     * Resolves component names, retrieves the metadata and returns
+     * as a strongly typed result.
+     *
+     * @param con
+     * @param componentNames
+     * @returns
+     */
+    resolve(con: Connection): Promise<Type[Key]>;
+    private parseSourceFile;
+}

package/lib/libs/core/mdapi/singletonMetadataType.js

@@ -0,0 +1,37 @@
+import { ComponentSet } from '@salesforce/source-deploy-retrieve';
+import MetadataRegistryEntry, { cleanRetrieveDir, retrieve, } from './metadataRegistryEntry.js';
+/**
+ * The entry is a type that only has one single instance on the org, such as
+ * a Setting. The component is typically retrieved by a more generic name and
+ * organized & cached by the explicit name.
+ */
+export default class SingletonMetadata extends MetadataRegistryEntry {
+    retrieveName;
+    constructor(opts) {
+        super(opts);
+        this.retrieveName = opts.retrieveName ?? String(this.rootNodeName);
+    }
+    /**
+     * Resolves component names, retrieves the metadata and returns
+     * as a strongly typed result.
+     *
+     * @param con
+     * @param componentNames
+     * @returns
+     */
+    async resolve(con) {
+        const cmpSet = new ComponentSet([{ type: this.retrieveType, fullName: this.retrieveName }]);
+        const retrieveResult = await retrieve(cmpSet, con);
+        const resolvedCmp = this.parseSourceFile(retrieveResult.components);
+        cleanRetrieveDir(retrieveResult.getFileResponses());
+        return resolvedCmp;
+    }
+    parseSourceFile(componentSet) {
+        const cmps = componentSet.getSourceComponents({ type: this.retrieveType, fullName: this.retrieveName }).toArray();
+        if (cmps.length > 0 && cmps[0].xml) {
+            return this.parse(cmps[0].xml);
+        }
+        throw new Error('Failed to resolve settings for: ' + this.retrieveName);
+    }
+}
+//# sourceMappingURL=singletonMetadataType.js.map

package/lib/libs/core/mdapi/singletonMetadataType.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"singletonMetadataType.js","sourceRoot":"","sources":["../../../../src/libs/core/mdapi/singletonMetadataType.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AAClE,OAAO,qBAAqB,EAAE,EAC5B,gBAAgB,EAEhB,QAAQ,GACT,MAAM,4BAA4B,CAAC;AAEpC;;;;GAIG;AACH,MAAM,CAAC,OAAO,OAAO,iBAAgD,SAAQ,qBAAgC;IACpG,YAAY,CAAS;IAC5B,YAAmB,IAA0C;QAC3D,KAAK,CAAC,IAAI,CAAC,CAAC;QACZ,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrE,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,OAAO,CAAC,GAAe;QAClC,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;QAC5F,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACnD,MAAM,WAAW,GAAG,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QACpE,gBAAgB,CAAC,cAAc,CAAC,gBAAgB,EAAE,CAAC,CAAC;QACpD,OAAO,WAAW,CAAC;IACrB,CAAC;IAEO,eAAe,CAAC,YAA0B;QAChD,MAAM,IAAI,GAAG,YAAY,CAAC,mBAAmB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;QAClH,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACjC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,kCAAkC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1E,CAAC;CACF"}

package/lib/libs/core/utils.d.ts

@@ -1,3 +1,5 @@
 export declare function isEmpty(anything?: unknown): boolean;
 export declare function isNullish(anything: unknown): boolean;
+export declare function capitalize(anyString: string): string;
+export declare function uncapitalize(anyString: string): string;
 export type Optional<T, K extends keyof T> = Pick<Partial<T>, K> & Omit<T, K>;

package/lib/libs/core/utils.js

@@ -10,4 +10,10 @@ export function isEmpty(anything) {
 export function isNullish(anything) {
     return !(Boolean(anything) && anything !== null);
 }
+export function capitalize(anyString) {
+    return `${anyString[0].toUpperCase()}${anyString.slice(1)}`;
+}
+export function uncapitalize(anyString) {
+    return `${anyString[0].toLowerCase()}${anyString.slice(1)}`;
+}
 //# sourceMappingURL=utils.js.map

package/lib/libs/core/utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/libs/core/utils.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,OAAO,CAAC,QAAkB;IACxC,IAAI,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,OAAO,CAAC,QAAS,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,QAAiB;IACzC,OAAO,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,KAAK,IAAI,CAAC,CAAC;AACnD,CAAC"}
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/libs/core/utils.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,OAAO,CAAC,QAAkB;IACxC,IAAI,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,OAAO,CAAC,QAAS,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,QAAiB;IACzC,OAAO,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,KAAK,IAAI,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,SAAiB;IAC1C,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,SAAiB;IAC5C,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;AAC9D,CAAC"}

package/lib/libs/policies/profilePolicy.js

@@ -1,5 +1,5 @@
 import { Messages } from '@salesforce/core';
-import { isNullish } from '../core/utils.js';
+import MDAPI from '../core/mdapi/mdapiRetriever.js';
 import { RuleRegistries } from '../core/registries/types.js';
 import { ProfilesRiskPreset } from '../core/policy-types.js';
 import Policy, { getTotal } from './policy.js';
@@ -22,42 +22,35 @@ export default class ProfilePolicy extends Policy {
         });
         const successfullyResolved = {};
         const ignoredEntities = {};
-        const profileQueryResults = Array();
         const definitiveProfiles = this.config.profiles ?? {};
+        const classifiedProfiles = [];
         Object.entries(definitiveProfiles).forEach(([profileName, profileDef]) => {
-            if (profileDef.preset !== ProfilesRiskPreset.UNKNOWN) {
-                const qr = Promise.resolve(context.targetOrgConnection.tooling.query(`SELECT Name,Metadata FROM Profile WHERE Name = '${profileName}'`));
-                profileQueryResults.push(qr);
-            }
-            else {
+            if (profileDef.preset === ProfilesRiskPreset.UNKNOWN) {
                 ignoredEntities[profileName] = {
                     name: profileName,
                     message: messages.getMessage('preset-unknown', ['Profile']),
                 };
             }
-        });
-        const queryResults = await Promise.all(profileQueryResults);
-        queryResults.forEach((qr) => {
-            if (qr.records && qr.records.length > 0) {
-                const record = qr.records[0];
-                if (isNullish(record.Metadata)) {
-                    ignoredEntities[record.Name] = {
-                        name: record.Name,
-                        message: messages.getMessage('profile-invalid-no-metadata'),
-                    };
-                }
-                else {
-                    successfullyResolved[record.Name] = {
-                        name: record.Name,
-                        preset: definitiveProfiles[record.Name].preset,
-                        metadata: record.Metadata,
-                    };
-                }
+            else {
+                classifiedProfiles.push(profileName);
             }
         });
-        Object.keys(definitiveProfiles).forEach((profileName) => {
-            if (successfullyResolved[profileName] === undefined && ignoredEntities[profileName] === undefined) {
-                ignoredEntities[profileName] = { name: profileName, message: messages.getMessage('entity-not-found') };
+        const mdapi = new MDAPI(context.targetOrgConnection);
+        const resolvedProfiles = await mdapi.resolve('Profile', classifiedProfiles);
+        classifiedProfiles.forEach((profileName) => {
+            const resolvedProfile = resolvedProfiles[profileName];
+            if (!resolvedProfile) {
+                ignoredEntities[profileName] = {
+                    name: profileName,
+                    message: messages.getMessage('entity-not-found'),
+                };
+            }
+            else {
+                successfullyResolved[profileName] = {
+                    name: profileName,
+                    preset: definitiveProfiles[profileName].preset,
+                    metadata: resolvedProfile,
+                };
             }
         });
         const result = { resolvedEntities: successfullyResolved, ignoredEntities: Object.values(ignoredEntities) };

package/lib/libs/policies/profilePolicy.js.map

@@ -1 +1 @@
-{"version":3,"file":"profilePolicy.js","sourceRoot":"","sources":["../../../src/libs/policies/profilePolicy.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAgB,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE7D,OAAO,MAAM,EAAE,EAAE,QAAQ,EAAuB,MAAM,aAAa,CAAC;AAGpE,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAEjG,MAAM,CAAC,OAAO,OAAO,aAAc,SAAQ,MAAM;IAGtC;IACA;IAHD,aAAa,CAAS;IAC9B,YACS,MAAiC,EACjC,WAA2B,EAClC,QAAQ,GAAG,cAAc,CAAC,QAAQ;QAElC,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAJ9B,WAAM,GAAN,MAAM,CAA2B;QACjC,gBAAW,GAAX,WAAW,CAAgB;QAIlC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3F,CAAC;IAES,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,oBAAoB,GAAoC,EAAE,CAAC;QACjE,MAAM,eAAe,GAAuC,EAAE,CAAC;QAE/D,MAAM,mBAAmB,GAAG,KAAK,EAAoC,CAAC;QACtE,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;QACtD,MAAM,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,EAAE,UAAU,CAAC,EAAE,EAAE;YACvE,IAAI,UAAU,CAAC,MAAM,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;gBACrD,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CACxB,OAAO,CAAC,mBAAmB,CAAC,OAAO,CAAC,KAAK,CACvC,mDAAmD,WAAW,GAAG,CAClE,CACF,CAAC;gBACF,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC/B,CAAC;iBAAM,CAAC;gBACN,eAAe,CAAC,WAAW,CAAC,GAAG;oBAC7B,IAAI,EAAE,WAAW;oBACjB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC,SAAS,CAAC,CAAC;iBAC5D,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;QAC5D,YAAY,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE;YAC1B,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxC,MAAM,MAAM,GAAG,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;gBAC7B,IAAI,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC/B,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;wBAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,6BAA6B,CAAC;qBAC5D,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;wBAClC,IAAI,EAAE,MAAM,CAAC,IAAI;wBACjB,MAAM,EAAE,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM;wBAC9C,QAAQ,EAAE,MAAM,CAAC,QAAQ;qBAC1B,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,EAAE;YACtD,IAAI,oBAAoB,CAAC,WAAW,CAAC,KAAK,SAAS,IAAI,eAAe,CAAC,WAAW,CAAC,KAAK,SAAS,EAAE,CAAC;gBAClG,eAAe,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACzG,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;QAC3G,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC;SAC3B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}
+{"version":3,"file":"profilePolicy.js","sourceRoot":"","sources":["../../../src/libs/policies/profilePolicy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAG5C,OAAO,KAAK,MAAM,iCAAiC,CAAC;AACpD,OAAO,EAAgB,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE7D,OAAO,MAAM,EAAE,EAAE,QAAQ,EAAuB,MAAM,aAAa,CAAC;AAEpE,QAAQ,CAAC,kCAAkC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC,oCAAoC,EAAE,kBAAkB,CAAC,CAAC;AAEjG,MAAM,CAAC,OAAO,OAAO,aAAc,SAAQ,MAAM;IAGtC;IACA;IAHD,aAAa,CAAS;IAC9B,YACS,MAAiC,EACjC,WAA2B,EAClC,QAAQ,GAAG,cAAc,CAAC,QAAQ;QAElC,KAAK,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAJ9B,WAAM,GAAN,MAAM,CAA2B;QACjC,gBAAW,GAAX,WAAW,CAAgB;QAIlC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3F,CAAC;IAES,KAAK,CAAC,eAAe,CAAC,OAAqB;QACnD,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,CAAC;SACZ,CAAC,CAAC;QACH,MAAM,oBAAoB,GAAoC,EAAE,CAAC;QACjE,MAAM,eAAe,GAAuC,EAAE,CAAC;QAC/D,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;QACtD,MAAM,kBAAkB,GAAa,EAAE,CAAC;QACxC,MAAM,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,EAAE,UAAU,CAAC,EAAE,EAAE;YACvE,IAAI,UAAU,CAAC,MAAM,KAAK,kBAAkB,CAAC,OAAO,EAAE,CAAC;gBACrD,eAAe,CAAC,WAAW,CAAC,GAAG;oBAC7B,IAAI,EAAE,WAAW;oBACjB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC,SAAS,CAAC,CAAC;iBAC5D,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACvC,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACrD,MAAM,gBAAgB,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;QAC5E,kBAAkB,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,EAAE;YACzC,MAAM,eAAe,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;YACtD,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,eAAe,CAAC,WAAW,CAAC,GAAG;oBAC7B,IAAI,EAAE,WAAW;oBACjB,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,kBAAkB,CAAC;iBACjD,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,oBAAoB,CAAC,WAAW,CAAC,GAAG;oBAClC,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,kBAAkB,CAAC,WAAW,CAAC,CAAC,MAAM;oBAC9C,QAAQ,EAAE,eAAe;iBAC1B,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC;QAC3G,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;YACzB,KAAK,EAAE,IAAI,CAAC,aAAa;YACzB,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC;SAC3B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/lib/libs/quick-scan/types.d.ts

@@ -0,0 +1,17 @@
+import { Connection } from '@salesforce/core';
+export type QuickScanResult = {
+    permissions: QuickScanPermissionResult;
+    scannedProfiles: string[];
+    scannedPermissionSets: string[];
+};
+export type QuickScanPermissionResult = {
+    [permissionName: string]: PermissionScanResult;
+};
+export type PermissionScanResult = {
+    profiles: string[];
+    permissionSets: string[];
+};
+export type QuickScanOptions = {
+    targetOrg: Connection;
+    permissions: string[];
+};

package/lib/libs/quick-scan/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/lib/libs/quick-scan/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/libs/quick-scan/types.ts"],"names":[],"mappings":""}

package/lib/libs/quick-scan/userPermissionScanner.d.ts

@@ -0,0 +1,22 @@
+import { EventEmitter } from 'node:events';
+import { QuickScanOptions, QuickScanResult } from './types.js';
+export type ScanStatusEvent = {
+    profiles: EntityScanStatus;
+    permissionSets: EntityScanStatus;
+    users: EntityScanStatus;
+    status: 'Pending' | 'In Progress' | 'Completed';
+};
+export type EntityScanStatus = {
+    total?: number;
+    resolved?: number;
+    status?: string;
+};
+export default class UserPermissionScanner extends EventEmitter {
+    private status;
+    constructor();
+    quickScan(opts: QuickScanOptions): Promise<QuickScanResult>;
+    private resolveEntities;
+    private resolveProfiles;
+    private resolvePermissionSets;
+    private emitProgress;
+}

package/lib/libs/quick-scan/userPermissionScanner.js

@@ -0,0 +1,75 @@
+import { EventEmitter } from 'node:events';
+import MDAPI from '../core/mdapi/mdapiRetriever.js';
+import { PERMISSION_SETS_QUERY, PROFILES_QUERY } from '../core/constants.js';
+export default class UserPermissionScanner extends EventEmitter {
+    status = {
+        profiles: {},
+        permissionSets: {},
+        users: {},
+        status: 'Pending',
+    };
+    constructor() {
+        super();
+    }
+    async quickScan(opts) {
+        this.emitProgress({ status: 'Pending' });
+        const scannedEntities = await this.resolveEntities(opts.targetOrg);
+        const scanResult = {
+            permissions: {},
+            scannedProfiles: Object.keys(scannedEntities.profiles),
+            scannedPermissionSets: Object.keys(scannedEntities.permissionSets),
+        };
+        opts.permissions.forEach((permName) => {
+            const profiles = findGrantingEntities(permName, scannedEntities.profiles);
+            const permissionSets = findGrantingEntities(permName, scannedEntities.permissionSets);
+            scanResult.permissions[permName] = { permissionSets, profiles };
+        });
+        this.emitProgress({ status: 'Completed' });
+        return scanResult;
+    }
+    async resolveEntities(targetOrg) {
+        const promises = [];
+        this.emitProgress({ status: 'In Progress' });
+        promises.push(this.resolveProfiles(targetOrg));
+        promises.push(this.resolvePermissionSets(targetOrg));
+        const resolvedEntities = await Promise.all(promises);
+        return {
+            profiles: resolvedEntities[0],
+            permissionSets: resolvedEntities[1],
+        };
+    }
+    async resolveProfiles(targetOrg) {
+        const profiles = await targetOrg.query(PROFILES_QUERY);
+        this.emitProgress({ profiles: { total: profiles.records.length, resolved: 0 } });
+        const mdapi = MDAPI.create(targetOrg);
+        const resolved = await mdapi.resolve('Profile', profiles.records.map((permsetRecord) => permsetRecord.Profile.Name));
+        this.emitProgress({ profiles: { resolved: Object.keys(resolved).length } });
+        return resolved;
+    }
+    async resolvePermissionSets(targetOrg) {
+        const permSets = await targetOrg.query(PERMISSION_SETS_QUERY);
+        this.emitProgress({ permissionSets: { total: permSets.records.length, resolved: 0 } });
+        const mdapi = MDAPI.create(targetOrg);
+        const resolved = await mdapi.resolve('PermissionSet', permSets.records.map((permsetRecord) => permsetRecord.Name));
+        this.emitProgress({ permissionSets: { resolved: Object.keys(resolved).length } });
+        return resolved;
+    }
+    emitProgress(update) {
+        this.status.profiles = { ...this.status.profiles, ...update.profiles };
+        this.status.permissionSets = { ...this.status.permissionSets, ...update.permissionSets };
+        this.status.users = { ...this.status.users, ...update.users };
+        this.status.status = update.status ?? this.status.status;
+        this.emit('progress', structuredClone(this.status));
+    }
+}
+function findGrantingEntities(permName, resolvedEntities) {
+    const entities = new Set();
+    Object.entries(resolvedEntities).forEach(([entityName, metadata]) => {
+        const userPerms = metadata.userPermissions.map((userPerm) => userPerm.name);
+        if (userPerms.includes(permName)) {
+            entities.add(entityName);
+        }
+    });
+    return Array.from(entities);
+}
+//# sourceMappingURL=userPermissionScanner.js.map

package/lib/libs/quick-scan/userPermissionScanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"userPermissionScanner.js","sourceRoot":"","sources":["../../../src/libs/quick-scan/userPermissionScanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,KAAK,MAAM,iCAAiC,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAsB7E,MAAM,CAAC,OAAO,OAAO,qBAAsB,SAAQ,YAAY;IACrD,MAAM,GAAoB;QAChC,QAAQ,EAAE,EAAE;QACZ,cAAc,EAAE,EAAE;QAClB,KAAK,EAAE,EAAE;QACT,MAAM,EAAE,SAAS;KAClB,CAAC;IAEF;QACE,KAAK,EAAE,CAAC;IACV,CAAC;IAEM,KAAK,CAAC,SAAS,CAAC,IAAsB;QAC3C,IAAI,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;QACzC,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACnE,MAAM,UAAU,GAAoB;YAClC,WAAW,EAAE,EAAE;YACf,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC;YACtD,qBAAqB,EAAE,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC;SACnE,CAAC;QACF,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;YACpC,MAAM,QAAQ,GAAG,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,QAAQ,CAAC,CAAC;YAC1E,MAAM,cAAc,GAAG,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,cAAc,CAAC,CAAC;YACtF,UAAU,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,EAAE,cAAc,EAAE,QAAQ,EAAE,CAAC;QAClE,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;QAC3C,OAAO,UAAU,CAAC;IACpB,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,SAAqB;QACjD,MAAM,QAAQ,GAA4B,EAAE,CAAC;QAC7C,IAAI,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC;QAC/C,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC,CAAC;QACrD,MAAM,gBAAgB,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACrD,OAAO;YACL,QAAQ,EAAE,gBAAgB,CAAC,CAAC,CAA4B;YACxD,cAAc,EAAE,gBAAgB,CAAC,CAAC,CAA0C;SAC7E,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,SAAqB;QACjD,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,KAAK,CAAgB,cAAc,CAAC,CAAC;QACtE,IAAI,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QACjF,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACtC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAClC,SAAS,EACT,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,CACpE,CAAC;QACF,IAAI,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC5E,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,qBAAqB,CAAC,SAAqB;QACvD,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,KAAK,CAAgB,qBAAqB,CAAC,CAAC;QAC7E,IAAI,CAAC,YAAY,CAAC,EAAE,cAAc,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QACvF,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACtC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAClC,eAAe,EACf,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAC5D,CAAC;QACF,IAAI,CAAC,YAAY,CAAC,EAAE,cAAc,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAClF,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,YAAY,CAAC,MAAgC;QACnD,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;QACvE,IAAI,CAAC,MAAM,CAAC,cAAc,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,GAAG,MAAM,CAAC,cAAc,EAAE,CAAC;QACzF,IAAI,CAAC,MAAM,CAAC,KAAK,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;QAC9D,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;QACzD,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IACtD,CAAC;CACF;AAED,SAAS,oBAAoB,CAC3B,QAAgB,EAChB,gBAAiE;IAEjE,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE;QAClE,MAAM,SAAS,GAAG,QAAQ,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC5E,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAC9B,CAAC"}

package/messages/org.audit.init.md

@@ -14,12 +14,24 @@ Target org to export permissions, profiles, users, etc.
 
 Directory where the audit config is initialised. If not set, the root directory will be used.
 
+# flags.preset.summary
+
+Select a preset to initialise permission classifications (risk levels).
+
+# flags.preset.description
+
+The selected preset is applied before any other default mechanisms (such as template configs). This means, values from a selected template override the preset. Consult the documentation to learn more about the rationale behind the default risk levels. The risk levels interact with the configured preset on profiles and permission sets and essentially control, if a permission is allowed in a certain profile / permission set.
+
 # examples
 
 - Initialise audit policies at the root directory
 
   <%= config.bin %> <%= command.id %> -o MyTargetOrg
 
+- Initialise audit config at custom directory with preset
+
+  <%= config.bin %> <%= command.id %> -o MyTargetOrg -d my_dir -p loose
+
 # success.perm-classification-summary
 
 Initialised %s permissions at %s.

package/messages/org.audit.run.md

@@ -35,3 +35,15 @@ At least one policy is not compliant. Review details below.
 # info.report-file-location
 
 Full report was written to: %s.
+
+# NoAuditConfigFound
+
+The target directory %s is empty or no valid audit config was found. A valid audit config must contain at least one policy.
+
+# UserPermClassificationRequiredForProfiles
+
+The "Profiles" policy requires at least userPermissions to be initialised, but none were found at the target directory.
+
+# UserPermClassificationRequiredForPermSets
+
+The "Permission Sets" policy requires at least userPermissions to be initialised, but none were found at the target directory.

package/messages/org.scan.user-perms.md

@@ -0,0 +1,31 @@
+# summary
+
+Performs a quick scan to check permission sets and profiles for user permissions.
+
+# description
+
+The quick scan does not need an audit config and does not create reports. The target org is scanned "in memory" and simply outputs information, where the searched user permissions
+
+# flags.name.summary
+
+One or more permissions to be scanned.
+
+# flags.name.description
+
+You can specify any valid user permission on your org, such as "AuthorApex", "CustomizeApplication" or "ViewSetup". If you are unsure what permissions are available on your org, initialise a new audit config and check the created userPermissions.yml.
+
+# flags.target-org.summary
+
+The target org to scan.
+
+# examples
+
+- <%= config.bin %> <%= command.id %>
+
+# success.profiles-count
+
+Scanned %s profiles.
+
+# success.permissionsets-count
+
+Scanned %s permission sets.

package/messages/policyclassifications.md

@@ -2,9 +2,25 @@
 
 Allows to modify all parts of the app, including security settings.
 
-# Packaging
+# ModifyMetadata
 
-Allows to create, manage and install packages.
+Allows to modify all parts of the app, including security settings.
+
+# Packaging2
+
+General permissions for 2nd generation packages.
+
+# InstallPackaging
+
+Install unlocked and managed packages.
+
+# Packaging2PromoteVersion
+
+Promote 2nd generation packages for distribution and install on production orgs.
+
+# Packaging2Delete
+
+Delete versions of 2nd generation packages.
 
 # ViewSetup
 
@@ -14,6 +30,10 @@ Allows to browse setup and view sensitive configurations.
 
 Bypass all sharing, making all sharing architecture obsolete.
 
+# ModifyAllData
+
+Bypass all sharing and layout permissions.
+
 # AuthorApex
 
 Apex can perform harmful actions, and deployed Apex runs in system mode.
@@ -33,3 +53,19 @@ Set up and reset the connected MFA for a user.
 # CanApproveUninstalledApps
 
 Allows to authorize new connected apps and therefore new integrations.
+
+# UseAnyApiClient
+
+Bypass all security settings and use deprecated login types.
+
+# ViewClientSecret
+
+Access and export secrets from connected apps.
+
+# ExportReport
+
+Reports allow to export classified or sensitive data.
+
+# ManageRemoteAccess
+
+Manage, create, edit, and delete connected applications.

package/oclif.manifest.json

@@ -5,7 +5,8 @@
       "args": {},
       "description": "Exports permissions (standard and custom), permission sets, profiles, users, etc from the target org. All classifications are initialised with sane defaults that you can customize later.",
       "examples": [
-        "Initialise audit policies at the root directory\n<%= config.bin %> <%= command.id %> -o MyTargetOrg"
+        "Initialise audit policies at the root directory\n<%= config.bin %> <%= command.id %> -o MyTargetOrg",
+        "Initialise audit config at custom directory with preset\n<%= config.bin %> <%= command.id %> -o MyTargetOrg -d my_dir -p loose"
       ],
       "flags": {
         "json": {
@@ -43,6 +44,21 @@
           "multiple": false,
           "type": "option"
         },
+        "preset": {
+          "char": "p",
+          "description": "The selected preset is applied before any other default mechanisms (such as template configs). This means, values from a selected template override the preset. Consult the documentation to learn more about the rationale behind the default risk levels. The risk levels interact with the configured preset on profiles and permission sets and essentially control, if a permission is allowed in a certain profile / permission set.",
+          "name": "preset",
+          "summary": "Select a preset to initialise permission classifications (risk levels).",
+          "default": "strict",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "options": [
+            "strict",
+            "loose",
+            "none"
+          ],
+          "type": "option"
+        },
         "api-version": {
           "description": "Override the api version used for api requests made by this command",
           "name": "api-version",
@@ -155,7 +171,85 @@
         "run:org:audit",
         "run:audit:org"
       ]
+    },
+    "org:scan:user-perms": {
+      "aliases": [],
+      "args": {},
+      "description": "The quick scan does not need an audit config and does not create reports. The target org is scanned \"in memory\" and simply outputs information, where the searched user permissions",
+      "examples": [
+        "<%= config.bin %> <%= command.id %>"
+      ],
+      "flags": {
+        "json": {
+          "description": "Format output as json.",
+          "helpGroup": "GLOBAL",
+          "name": "json",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "flags-dir": {
+          "helpGroup": "GLOBAL",
+          "name": "flags-dir",
+          "summary": "Import flag values from a directory.",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "name": {
+          "char": "n",
+          "description": "You can specify any valid user permission on your org, such as \"AuthorApex\", \"CustomizeApplication\" or \"ViewSetup\". If you are unsure what permissions are available on your org, initialise a new audit config and check the created userPermissions.yml.",
+          "name": "name",
+          "required": true,
+          "summary": "One or more permissions to be scanned.",
+          "hasDynamicHelp": false,
+          "multiple": true,
+          "type": "option"
+        },
+        "target-org": {
+          "char": "o",
+          "name": "target-org",
+          "noCacheDefault": true,
+          "required": true,
+          "summary": "The target org to scan.",
+          "hasDynamicHelp": true,
+          "multiple": false,
+          "type": "option"
+        },
+        "api-version": {
+          "description": "Override the api version used for api requests made by this command",
+          "name": "api-version",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
+      "hasDynamicHelp": true,
+      "hiddenAliases": [],
+      "id": "org:scan:user-perms",
+      "pluginAlias": "@j-schreiber/sf-cli-security-audit",
+      "pluginName": "@j-schreiber/sf-cli-security-audit",
+      "pluginType": "core",
+      "strict": true,
+      "summary": "Performs a quick scan to check permission sets and profiles for user permissions.",
+      "enableJsonFlag": true,
+      "isESM": true,
+      "relativePath": [
+        "lib",
+        "commands",
+        "org",
+        "scan",
+        "user-perms.js"
+      ],
+      "aliasPermutations": [],
+      "permutations": [
+        "org:scan:user-perms",
+        "scan:org:user-perms",
+        "scan:user-perms:org",
+        "org:user-perms:scan",
+        "user-perms:org:scan",
+        "user-perms:scan:org"
+      ]
     }
   },
-  "version": "0.4.1"
+  "version": "0.6.0"
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@j-schreiber/sf-cli-security-audit",
   "description": "Salesforce CLI plugin to automate highly configurable security audits",
-  "version": "0.4.1",
+  "version": "0.6.0",
   "repository": {
     "type": "https",
     "url": "https://github.com/j-schreiber/js-sf-cli-security-audit"

package/lib/libs/conf-init/defaultPolicyClassification.d.ts

@@ -1,2 +0,0 @@
-import { PermissionsClassification } from '../core/file-mgmt/schema.js';
-export declare const DEFAULT_CLASSIFICATIONS: Record<string, PermissionsClassification>;