npm - @objectstack/plugin-security - Versions diffs - 4.0.4 → 4.1.0 - Mend

@objectstack/plugin-security 4.0.4 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +97 -27
package/dist/index.d.mts +5407 -566
package/dist/index.d.ts +5407 -566
package/dist/index.js +923 -183
package/dist/index.js.map +1 -1
package/dist/index.mjs +921 -181
package/dist/index.mjs.map +1 -1
package/package.json +33 -6
package/.turbo/turbo-build.log +0 -22
package/CHANGELOG.md +0 -264
package/src/field-masker.ts +0 -75
package/src/index.ts +0 -16
package/src/objects/index.ts +0 -10
package/src/objects/sys-permission-set.object.ts +0 -94
package/src/objects/sys-role.object.ts +0 -93
package/src/permission-evaluator.ts +0 -112
package/src/rls-compiler.ts +0 -143
package/src/security-plugin.test.ts +0 -302
package/src/security-plugin.ts +0 -181
package/tsconfig.json +0 -18

package/src/rls-compiler.ts DELETED Viewed

@@ -1,143 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-import type { RowLevelSecurityPolicy } from '@objectstack/spec/security';
-import type { ExecutionContext } from '@objectstack/spec/kernel';
-/**
- * RLS User Context
- * Variables available for RLS expression evaluation.
- */
-interface RLSUserContext {
-  id?: string;
-  tenant_id?: string;
-  roles?: string[];
-  [key: string]: unknown;
-}
-/**
- * RLSCompiler
- *
- * Compiles Row-Level Security policy expressions into query filters.
- * Converts `using` / `check` expressions into ObjectQL-compatible filter conditions.
- */
-export class RLSCompiler {
-  /**
-   * Compile RLS policies into a query filter for the given user context.
-   * Multiple policies for the same object/operation are OR-combined (any match allows access).
-   */
-  compileFilter(
-    policies: RowLevelSecurityPolicy[],
-    executionContext?: ExecutionContext
-  ): Record<string, unknown> | null {
-    if (policies.length === 0) return null;
-    const userCtx: RLSUserContext = {
-      id: executionContext?.userId,
-      tenant_id: executionContext?.tenantId,
-      roles: executionContext?.roles,
-    };
-    const filters: Record<string, unknown>[] = [];
-    for (const policy of policies) {
-      if (!policy.using) continue;
-      const filter = this.compileExpression(policy.using, userCtx);
-      if (filter) {
-        filters.push(filter);
-      }
-    }
-    if (filters.length === 0) return null;
-    if (filters.length === 1) return filters[0];
-    // Multiple policies: OR-combine (any policy allows access)
-    return { $or: filters };
-  }
-  /**
-   * Compile a single RLS expression into a query filter.
-   *
-   * Supports simple expressions like:
-   * - "field_name = current_user.property"
-   * - "field_name IN (current_user.array_property)"
-   * - "field_name = 'literal_value'"
-   */
-  compileExpression(
-    expression: string,
-    userCtx: RLSUserContext
-  ): Record<string, unknown> | null {
-    if (!expression) return null;
-    // Handle simple equality: "field = current_user.property"
-    const eqMatch = expression.match(/^\s*(\w+)\s*=\s*current_user\.(\w+)\s*$/);
-    if (eqMatch) {
-      const [, field, prop] = eqMatch;
-      const value = userCtx[prop];
-      if (value === undefined) return null;
-      return { [field]: value };
-    }
-    // Handle literal equality: "field = 'value'"
-    const litMatch = expression.match(/^\s*(\w+)\s*=\s*'([^']*)'\s*$/);
-    if (litMatch) {
-      const [, field, value] = litMatch;
-      return { [field]: value };
-    }
-    // Handle IN: "field IN (current_user.array_property)"
-    const inMatch = expression.match(/^\s*(\w+)\s+IN\s+\(\s*current_user\.(\w+)\s*\)\s*$/i);
-    if (inMatch) {
-      const [, field, prop] = inMatch;
-      const value = userCtx[prop];
-      if (!Array.isArray(value)) return null;
-      return { [field]: { $in: value } };
-    }
-    // Unsupported expression: return null (no additional RLS filter applied).
-    // Note: callers should treat absence of RLS policies as "allow all" only when
-    // no policies are defined. If policies exist but cannot be compiled, the caller
-    // may want to deny access as a safety measure.
-    return null;
-  }
-  /**
-   * Get applicable RLS policies for a given object and operation.
-   */
-  getApplicablePolicies(
-    objectName: string,
-    operation: string,
-    allPolicies: RowLevelSecurityPolicy[]
-  ): RowLevelSecurityPolicy[] {
-    // Map engine operation to RLS operation type
-    const rlsOp = this.mapOperationToRLS(operation);
-    return allPolicies.filter(policy => {
-      // Check object match
-      if (policy.object !== objectName && policy.object !== '*') return false;
-      // Check operation match
-      if (policy.operation === 'all') return true;
-      if (policy.operation === rlsOp) return true;
-      return false;
-    });
-  }
-  private mapOperationToRLS(operation: string): string {
-    switch (operation) {
-      case 'find':
-      case 'findOne':
-      case 'count':
-      case 'aggregate':
-        return 'select';
-      case 'insert':
-        return 'insert';
-      case 'update':
-        return 'update';
-      case 'delete':
-        return 'delete';
-      default:
-        return 'select';
-    }
-  }
-}

package/src/security-plugin.test.ts DELETED Viewed

@@ -1,302 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-import { describe, it, expect, vi } from 'vitest';
-import { SecurityPlugin } from './security-plugin.js';
-import { PermissionEvaluator } from './permission-evaluator.js';
-import { FieldMasker } from './field-masker.js';
-import { RLSCompiler } from './rls-compiler.js';
-import type { PermissionSet } from '@objectstack/spec/security';
-// ---------------------------------------------------------------------------
-// SecurityPlugin – basic metadata
-// ---------------------------------------------------------------------------
-describe('SecurityPlugin', () => {
-  it('should have correct metadata', () => {
-    const plugin = new SecurityPlugin();
-    expect(plugin.name).toBe('com.objectstack.security');
-    expect(plugin.type).toBe('standard');
-    expect(plugin.version).toBe('1.0.0');
-    expect(plugin.dependencies).toContain('com.objectstack.engine.objectql');
-  });
-  it('should register services during init', async () => {
-    const plugin = new SecurityPlugin();
-    const manifestService = { register: vi.fn() };
-    const ctx: any = {
-      logger: { info: vi.fn(), warn: vi.fn() },
-      registerService: vi.fn(),
-      getService: vi.fn().mockImplementation((name: string) => {
-        if (name === 'manifest') return manifestService;
-        return undefined;
-      }),
-    };
-    await plugin.init(ctx);
-    expect(ctx.registerService).toHaveBeenCalledWith('security.permissions', expect.any(PermissionEvaluator));
-    expect(ctx.registerService).toHaveBeenCalledWith('security.rls', expect.any(RLSCompiler));
-    expect(ctx.registerService).toHaveBeenCalledWith('security.fieldMasker', expect.any(FieldMasker));
-    expect(manifestService.register).toHaveBeenCalled();
-  });
-  it('should warn and return when objectql service is missing', async () => {
-    const plugin = new SecurityPlugin();
-    const manifestService = { register: vi.fn() };
-    const ctx: any = {
-      logger: { info: vi.fn(), warn: vi.fn() },
-      registerService: vi.fn(),
-      getService: vi.fn().mockImplementation((name: string) => {
-        if (name === 'manifest') return manifestService;
-        throw new Error('not found');
-      }),
-    };
-    await plugin.init(ctx);
-    await plugin.start(ctx);
-    expect(ctx.logger.warn).toHaveBeenCalled();
-  });
-  it('should warn when objectql does not support middleware', async () => {
-    const plugin = new SecurityPlugin();
-    const manifestService = { register: vi.fn() };
-    const ctx: any = {
-      logger: { info: vi.fn(), warn: vi.fn() },
-      registerService: vi.fn(),
-      getService: vi.fn().mockImplementation((name: string) => {
-        if (name === 'manifest') return manifestService;
-        return {}; // objectql without registerMiddleware
-      }),
-    };
-    await plugin.init(ctx);
-    await plugin.start(ctx);
-    expect(ctx.logger.warn).toHaveBeenCalled();
-  });
-  it('should register middleware when objectql supports it', async () => {
-    const plugin = new SecurityPlugin();
-    const registerMiddleware = vi.fn();
-    const manifestService = { register: vi.fn() };
-    const ctx: any = {
-      logger: { info: vi.fn(), warn: vi.fn() },
-      registerService: vi.fn(),
-      getService: vi.fn().mockImplementation((name: string) => {
-        if (name === 'manifest') return manifestService;
-        return { registerMiddleware };
-      }),
-    };
-    await plugin.init(ctx);
-    await plugin.start(ctx);
-    expect(registerMiddleware).toHaveBeenCalledWith(expect.any(Function));
-  });
-  it('should destroy without error', async () => {
-    const plugin = new SecurityPlugin();
-    await expect(plugin.destroy()).resolves.toBeUndefined();
-  });
-});
-// ---------------------------------------------------------------------------
-// PermissionEvaluator
-// ---------------------------------------------------------------------------
-describe('PermissionEvaluator', () => {
-  const makePermSet = (
-    name: string,
-    objects: PermissionSet['objects'] = {},
-    fields: PermissionSet['fields'] = {}
-  ): PermissionSet => ({ name, objects, fields });
-  it('should allow read when allowRead is true', () => {
-    const evaluator = new PermissionEvaluator();
-    const ps = makePermSet('admin', { contact: { allowRead: true, allowCreate: false, allowEdit: false, allowDelete: false } });
-    expect(evaluator.checkObjectPermission('find', 'contact', [ps])).toBe(true);
-    expect(evaluator.checkObjectPermission('findOne', 'contact', [ps])).toBe(true);
-    expect(evaluator.checkObjectPermission('count', 'contact', [ps])).toBe(true);
-  });
-  it('should deny when no permission set matches', () => {
-    const evaluator = new PermissionEvaluator();
-    const ps = makePermSet('readonly', { contact: { allowRead: false, allowCreate: false, allowEdit: false, allowDelete: false } });
-    expect(evaluator.checkObjectPermission('insert', 'contact', [ps])).toBe(false);
-  });
-  it('should allow unknown operations by default', () => {
-    const evaluator = new PermissionEvaluator();
-    expect(evaluator.checkObjectPermission('unknownOp', 'contact', [])).toBe(true);
-  });
-  it('should allow via viewAllRecords', () => {
-    const evaluator = new PermissionEvaluator();
-    const ps = makePermSet('viewer', { task: { allowRead: false, allowCreate: false, allowEdit: false, allowDelete: false, viewAllRecords: true } });
-    expect(evaluator.checkObjectPermission('find', 'task', [ps])).toBe(true);
-  });
-  it('should allow edit/delete via modifyAllRecords', () => {
-    const evaluator = new PermissionEvaluator();
-    const ps = makePermSet('manager', { task: { allowRead: false, allowCreate: false, allowEdit: false, allowDelete: false, modifyAllRecords: true } });
-    expect(evaluator.checkObjectPermission('update', 'task', [ps])).toBe(true);
-    expect(evaluator.checkObjectPermission('delete', 'task', [ps])).toBe(true);
-  });
-  it('should merge field permissions (most permissive)', () => {
-    const evaluator = new PermissionEvaluator();
-    const ps1 = makePermSet('ps1', {}, { 'contact.email': { readable: true, editable: false } });
-    const ps2 = makePermSet('ps2', {}, { 'contact.email': { readable: false, editable: true } });
-    const result = evaluator.getFieldPermissions('contact', [ps1, ps2]);
-    expect(result['email']).toEqual({ readable: true, editable: true });
-  });
-  it('should filter field permissions to the correct object', () => {
-    const evaluator = new PermissionEvaluator();
-    const ps = makePermSet('ps', {}, {
-      'contact.email': { readable: true, editable: false },
-      'task.title': { readable: true, editable: true },
-    });
-    const result = evaluator.getFieldPermissions('contact', [ps]);
-    expect(result['email']).toBeDefined();
-    expect(result['title']).toBeUndefined();
-  });
-  it('should resolve permission sets from metadata service by role name', () => {
-    const evaluator = new PermissionEvaluator();
-    const ps1 = { name: 'admin' };
-    const ps2 = { name: 'viewer' };
-    const metadata = { list: vi.fn().mockReturnValue([ps1, ps2]) };
-    const result = evaluator.resolvePermissionSets(['admin'], metadata);
-    expect(result).toEqual([ps1]);
-  });
-  it('should return empty array when metadata has no permission sets', () => {
-    const evaluator = new PermissionEvaluator();
-    const metadata = { list: vi.fn().mockReturnValue([]) };
-    expect(evaluator.resolvePermissionSets(['admin'], metadata)).toEqual([]);
-  });
-});
-// ---------------------------------------------------------------------------
-// FieldMasker
-// ---------------------------------------------------------------------------
-describe('FieldMasker', () => {
-  it('should return results unchanged when no field permissions', () => {
-    const masker = new FieldMasker();
-    const records = [{ id: '1', name: 'Alice', email: 'alice@example.com' }];
-    expect(masker.maskResults(records, {}, 'contact')).toEqual(records);
-  });
-  it('should remove non-readable fields from records', () => {
-    const masker = new FieldMasker();
-    const records = [{ id: '1', name: 'Alice', email: 'alice@example.com' }];
-    const perms = { email: { readable: false, editable: false } };
-    const result = masker.maskResults(records, perms, 'contact') as any[];
-    expect(result[0].email).toBeUndefined();
-    expect(result[0].name).toBe('Alice');
-  });
-  it('should handle single record (non-array)', () => {
-    const masker = new FieldMasker();
-    const record = { id: '1', ssn: '123-45-6789', name: 'Bob' };
-    const perms = { ssn: { readable: false, editable: false } };
-    const result = masker.maskResults(record, perms, 'person') as any;
-    expect(result.ssn).toBeUndefined();
-    expect(result.name).toBe('Bob');
-  });
-  it('should preserve readable fields', () => {
-    const masker = new FieldMasker();
-    const record = { id: '1', name: 'Carol', secret: 'x' };
-    const perms = {
-      name: { readable: true, editable: true },
-      secret: { readable: false, editable: false },
-    };
-    const result = masker.maskResults(record, perms, 'user') as any;
-    expect(result.name).toBe('Carol');
-    expect(result.secret).toBeUndefined();
-  });
-  it('should return non-editable fields', () => {
-    const masker = new FieldMasker();
-    const perms = {
-      email: { readable: true, editable: false },
-      name: { readable: true, editable: true },
-    };
-    const nonEditable = masker.getNonEditableFields(perms);
-    expect(nonEditable).toContain('email');
-    expect(nonEditable).not.toContain('name');
-  });
-  it('should strip non-editable fields from write data', () => {
-    const masker = new FieldMasker();
-    const data = { name: 'Dave', email: 'dave@example.com', createdAt: '2024' };
-    const perms = {
-      email: { readable: true, editable: false },
-      createdAt: { readable: true, editable: false },
-      name: { readable: true, editable: true },
-    };
-    const result = masker.stripNonEditableFields(data, perms);
-    expect(result.name).toBe('Dave');
-    expect(result.email).toBeUndefined();
-    expect(result.createdAt).toBeUndefined();
-  });
-});
-// ---------------------------------------------------------------------------
-// RLSCompiler
-// ---------------------------------------------------------------------------
-describe('RLSCompiler', () => {
-  it('should return null for empty policies', () => {
-    const compiler = new RLSCompiler();
-    expect(compiler.compileFilter([])).toBeNull();
-  });
-  it('should compile equality expression with current_user property', () => {
-    const compiler = new RLSCompiler();
-    const policy: any = { object: 'task', operation: 'select', using: 'owner_id = current_user.id' };
-    const ctx: any = { userId: 'user-42', tenantId: 'tenant-1', roles: [] };
-    const filter = compiler.compileFilter([policy], ctx);
-    expect(filter).toEqual({ owner_id: 'user-42' });
-  });
-  it('should compile literal equality expression', () => {
-    const compiler = new RLSCompiler();
-    const policy: any = { object: 'doc', operation: 'select', using: "status = 'published'" };
-    const filter = compiler.compileFilter([policy]);
-    expect(filter).toEqual({ status: 'published' });
-  });
-  it('should compile IN expression with array property', () => {
-    const compiler = new RLSCompiler();
-    const policy: any = { object: 'project', operation: 'select', using: 'id IN (current_user.roles)' };
-    const ctx: any = { userId: 'u1', tenantId: 't1', roles: ['role-a', 'role-b'] };
-    const filter = compiler.compileFilter([policy], ctx);
-    expect(filter).toEqual({ id: { $in: ['role-a', 'role-b'] } });
-  });
-  it('should OR-combine multiple policies', () => {
-    const compiler = new RLSCompiler();
-    const p1: any = { object: 'task', operation: 'select', using: 'owner_id = current_user.id' };
-    const p2: any = { object: 'task', operation: 'select', using: "status = 'public'" };
-    const ctx: any = { userId: 'u99', tenantId: 't1', roles: [] };
-    const filter = compiler.compileFilter([p1, p2], ctx);
-    expect(filter).toEqual({ $or: [{ owner_id: 'u99' }, { status: 'public' }] });
-  });
-  it('should return null for unsupported expression', () => {
-    const compiler = new RLSCompiler();
-    const policy: any = { object: 'x', operation: 'select', using: 'complex expression WITH unsupported syntax' };
-    const filter = compiler.compileFilter([policy]);
-    expect(filter).toBeNull();
-  });
-  it('should get applicable policies for object and operation', () => {
-    const compiler = new RLSCompiler();
-    const policies: any[] = [
-      { object: 'task', operation: 'select', using: 'owner_id = current_user.id' },
-      { object: 'task', operation: 'insert', using: "status = 'open'" },
-      { object: 'contact', operation: 'all', using: 'tenant_id = current_user.tenant_id' },
-      { object: '*', operation: 'all', using: "active = 'true'" },
-    ];
-    const taskSelect = compiler.getApplicablePolicies('task', 'find', policies);
-    expect(taskSelect).toHaveLength(2); // task select + * all
-    const taskInsert = compiler.getApplicablePolicies('task', 'insert', policies);
-    expect(taskInsert).toHaveLength(2); // task insert + * all
-    const contactFind = compiler.getApplicablePolicies('contact', 'find', policies);
-    expect(contactFind).toHaveLength(2); // contact all + * all
-  });
-});

package/src/security-plugin.ts DELETED Viewed

@@ -1,181 +0,0 @@
-// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
-import { Plugin, PluginContext } from '@objectstack/core';
-import type { PermissionSet, RowLevelSecurityPolicy } from '@objectstack/spec/security';
-import { PermissionEvaluator } from './permission-evaluator.js';
-import { RLSCompiler } from './rls-compiler.js';
-import { FieldMasker } from './field-masker.js';
-import { SysRole, SysPermissionSet } from './objects/index.js';
-/**
- * SecurityPlugin
- *
- * Provides RBAC, Row-Level Security, and Field-Level Security runtime.
- * Registers as an engine middleware on the ObjectQL engine.
- *
- * This plugin is fully optional — without it, the system operates
- * without permission checks (same as current behavior).
- *
- * Dependencies:
- * - objectql service (ObjectQL engine with middleware support)
- * - metadata service (MetadataFacade for reading permission sets and RLS policies)
- */
-export class SecurityPlugin implements Plugin {
-  name = 'com.objectstack.security';
-  type = 'standard';
-  version = '1.0.0';
-  dependencies = ['com.objectstack.engine.objectql'];
-  private permissionEvaluator = new PermissionEvaluator();
-  private rlsCompiler = new RLSCompiler();
-  private fieldMasker = new FieldMasker();
-  async init(ctx: PluginContext): Promise<void> {
-    ctx.logger.info('Initializing Security Plugin...');
-    // Register security services
-    ctx.registerService('security.permissions', this.permissionEvaluator);
-    ctx.registerService('security.rls', this.rlsCompiler);
-    ctx.registerService('security.fieldMasker', this.fieldMasker);
-    // Register security system objects via the manifest service.
-    ctx.getService<{ register(m: any): void }>('manifest').register({
-      id: 'com.objectstack.security',
-      name: 'Security',
-      version: '1.0.0',
-      type: 'plugin',
-      namespace: 'sys',
-      objects: [SysRole, SysPermissionSet],
-    });
-    // Contribute navigation items to the Setup App (if SetupPlugin is loaded).
-    try {
-      const setupNav = ctx.getService<{ contribute(c: any): void }>('setupNav');
-      if (setupNav) {
-        setupNav.contribute({
-          areaId: 'area_administration',
-          items: [
-            { id: 'nav_roles', type: 'object', label: 'Roles', objectName: 'role', icon: 'shield-check', order: 60 },
-            { id: 'nav_permission_sets', type: 'object', label: 'Permission Sets', objectName: 'permission_set', icon: 'lock', order: 70 },
-          ],
-        });
-        ctx.logger.info('Security navigation items contributed to Setup App');
-      }
-    } catch {
-      // SetupPlugin not loaded — skip silently
-    }
-    ctx.logger.info('Security Plugin initialized');
-  }
-  async start(ctx: PluginContext): Promise<void> {
-    ctx.logger.info('Starting Security Plugin...');
-    // Get required services
-    let ql: any;
-    let metadata: any;
-    try {
-      ql = ctx.getService('objectql');
-      metadata = ctx.getService('metadata');
-    } catch (e) {
-      ctx.logger.warn('ObjectQL or metadata service not available, security middleware not registered');
-      return;
-    }
-    if (!ql || typeof ql.registerMiddleware !== 'function') {
-      ctx.logger.warn('ObjectQL engine does not support middleware, security middleware not registered');
-      return;
-    }
-    // Register security middleware
-    ql.registerMiddleware(async (opCtx: any, next: () => Promise<void>) => {
-      // System operations bypass security
-      if (opCtx.context?.isSystem) {
-        return next();
-      }
-      const roles = opCtx.context?.roles ?? [];
-      // Skip security checks if no roles (anonymous/unauthenticated)
-      // The auth middleware should handle authentication separately
-      if (roles.length === 0 && !opCtx.context?.userId) {
-        return next();
-      }
-      // 1. Resolve permission sets for the user's roles
-      let permissionSets: PermissionSet[] = [];
-      try {
-        permissionSets = this.permissionEvaluator.resolvePermissionSets(roles, metadata);
-      } catch (e) {
-        // If metadata service is misconfigured, log and continue without permission checks
-        // rather than blocking all operations
-        return next();
-      }
-      // 2. CRUD permission check
-      if (permissionSets.length > 0) {
-        const allowed = this.permissionEvaluator.checkObjectPermission(
-          opCtx.operation,
-          opCtx.object,
-          permissionSets
-        );
-        if (!allowed) {
-          throw new Error(
-            `[Security] Access denied: operation '${opCtx.operation}' on object '${opCtx.object}' ` +
-            `is not permitted for roles [${roles.join(', ')}]`
-          );
-        }
-      }
-      // 3. RLS filter injection
-      const allRlsPolicies = this.collectRLSPolicies(permissionSets, opCtx.object, opCtx.operation);
-      if (allRlsPolicies.length > 0 && opCtx.ast) {
-        const rlsFilter = this.rlsCompiler.compileFilter(allRlsPolicies, opCtx.context);
-        if (rlsFilter) {
-          if (opCtx.ast.where) {
-            opCtx.ast.where = { $and: [opCtx.ast.where, rlsFilter] };
-          } else {
-            opCtx.ast.where = rlsFilter;
-          }
-        }
-      }
-      await next();
-      // 4. Field-level security: mask restricted fields in read results
-      if (opCtx.result && ['find', 'findOne'].includes(opCtx.operation)) {
-        const fieldPerms = this.permissionEvaluator.getFieldPermissions(opCtx.object, permissionSets);
-        if (Object.keys(fieldPerms).length > 0) {
-          opCtx.result = this.fieldMasker.maskResults(opCtx.result, fieldPerms, opCtx.object);
-        }
-      }
-    });
-    ctx.logger.info('Security middleware registered on ObjectQL engine');
-  }
-  async destroy(): Promise<void> {
-    // No cleanup needed
-  }
-  /**
-   * Collect all RLS policies from permission sets applicable to the given object/operation.
-   */
-  private collectRLSPolicies(
-    permissionSets: PermissionSet[],
-    objectName: string,
-    operation: string
-  ): RowLevelSecurityPolicy[] {
-    const allPolicies: RowLevelSecurityPolicy[] = [];
-    for (const ps of permissionSets) {
-      if (ps.rowLevelSecurity) {
-        allPolicies.push(...ps.rowLevelSecurity);
-      }
-    }
-    return this.rlsCompiler.getApplicablePolicies(objectName, operation, allPolicies);
-  }
-}

package/tsconfig.json DELETED Viewed

@@ -1,18 +0,0 @@
-{
-  "extends": "../../../tsconfig.json",
-  "compilerOptions": {
-    "outDir": "./dist",
-    "rootDir": "./src",
-    "types": [
-      "node"
-    ]
-  },
-  "include": [
-    "src/**/*"
-  ],
-  "exclude": [
-    "dist",
-    "node_modules",
-    "**/*.test.ts"
-  ]
-}