npm - @objectstack/plugin-security - Versions diffs - 9.10.0 → 9.11.0 - Mend

@objectstack/plugin-security 9.10.0 → 9.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -89,6 +89,8 @@ declare class SecurityPlugin implements Plugin {
      */
     private metadata;
     private ql;
+    /** ADR-0055: cache the resolved master-detail relation per controlled_by_parent object. */
+    private cbpRelCache;
     private dbLoader?;
     private logger;
     constructor(options?: SecurityPluginOptions);
@@ -143,6 +145,45 @@ declare class SecurityPlugin implements Plugin {
      * applies (caller adds no filter).
      */
     private computeRlsFilter;
+    /**
+     * Resolve a controlled_by_parent object's master-detail relation (the FK field
+     * key + the master object name), or null. Prefers a required `master_detail`
+     * field; falls back to any `master_detail`, then a required `lookup`. Cached.
+     */
+    private resolveCbpRelation;
+    /**
+     * ADR-0055 — master-detail "controlled by parent" READ derivation.
+     *
+     * For an object whose `sharingModel` is `controlled_by_parent`, access is
+     * derived from the master: return a filter `masterFK IN (<master ids this user
+     * can read>)`. The id set is resolved by running the MASTER's own read RLS
+     * (reused via `computeRlsFilter`) under a system context — no middleware
+     * re-entry, so no recursion. An empty set yields `{ masterFK: { $in: [] } }`,
+     * which matches no rows (fail closed). A misconfigured object (no
+     * master_detail/lookup to derive from) denies all reads (defense-in-depth;
+     * spec validation should prevent authoring it). Returns null when the object is
+     * not controlled_by_parent.
+     *
+     * v1 scope (ADR-0055): single level — the master's OWN controlled_by_parent is
+     * not traversed transitively; master accessibility is the master's RLS filter
+     * (sharing-service grants on the master are not folded in).
+     */
+    private computeControlledByParentFilter;
+    /**
+     * ADR-0055 — master-detail "controlled by parent" WRITE enforcement.
+     *
+     * A by-id write (insert/update/delete) to a controlled_by_parent detail
+     * requires EDIT access to its master: the caller must hold CRUD `update` on the
+     * master object AND the master row must be visible under the master's write RLS.
+     * This is the write-side companion to the read derivation — the RLS read filter
+     * never applies to a by-id write (the #1994 class), so without this a member
+     * could mutate a detail under a master they cannot edit. Throws on denial;
+     * no-op when the object is not controlled_by_parent.
+     *
+     * v1 scope: single-id writes. Bulk writes flow through the AST and are already
+     * scoped by the controlled-by-parent READ filter (to readable masters).
+     */
+    private assertControlledByParentWrite;
     /**
      * Collect all RLS policies from permission sets applicable to the given object/operation.
      */
@@ -235,6 +276,14 @@ interface RLSUserContext {
      * and are merged in under their own keys (see {@link RLSCompiler.compileFilter}).
      */
     org_user_ids?: string[];
+    /**
+     * The caller's unique, auth-enforced email. RLS expressions reference it as
+     * `current_user.email` for human-readable, *seedable* owner scoping
+     * (`owner = current_user.email`). Email is exposed because it is UNIQUE; the
+     * user's display `name` is deliberately NOT exposed — names collide, and a
+     * collision on an ownership predicate is an access-control leak.
+     */
+    email?: string;
     [key: string]: unknown;
 }
 /**
@@ -260,6 +309,11 @@ declare const RLS_DENY_FILTER: Record<string, unknown>;
  * Converts `using` / `check` expressions into ObjectQL-compatible filter conditions.
  */
 declare class RLSCompiler {
+    /** Optional logger so a SILENTLY-dropped (uncompilable-shape) policy is observable (ADR-0056 D4). */
+    private logger?;
+    setLogger(logger: {
+        warn?: (message: string, meta?: Record<string, unknown>) => void;
+    } | undefined): void;
     /**
      * Compile RLS policies into a query filter for the given user context.
      * Multiple policies for the same object/operation are OR-combined (any match allows access).
@@ -364,7 +418,7 @@ declare const securityObjects: ((Omit<{
     abstract: boolean;
     datasource: string;
     fields: Record<string, {
-        type: "number" | "boolean" | "tags" | "select" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "email" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
+        type: "number" | "boolean" | "tags" | "select" | "email" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
         required: boolean;
         searchable: boolean;
         multiple: boolean;
@@ -985,7 +1039,7 @@ declare const securityObjects: ((Omit<{
         clone: boolean;
         apiMethods?: ("aggregate" | "update" | "delete" | "restore" | "purge" | "search" | "create" | "import" | "list" | "get" | "upsert" | "bulk" | "history" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -2709,7 +2763,7 @@ declare const securityObjects: ((Omit<{
     abstract: boolean;
     datasource: string;
     fields: Record<string, {
-        type: "number" | "boolean" | "tags" | "select" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "email" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
+        type: "number" | "boolean" | "tags" | "select" | "email" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
         required: boolean;
         searchable: boolean;
         multiple: boolean;
@@ -3330,7 +3384,7 @@ declare const securityObjects: ((Omit<{
         clone: boolean;
         apiMethods?: ("aggregate" | "update" | "delete" | "restore" | "purge" | "search" | "create" | "import" | "list" | "get" | "upsert" | "bulk" | "history" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -5483,7 +5537,7 @@ declare const securityObjects: ((Omit<{
     abstract: boolean;
     datasource: string;
     fields: Record<string, {
-        type: "number" | "boolean" | "tags" | "select" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "email" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
+        type: "number" | "boolean" | "tags" | "select" | "email" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
         required: boolean;
         searchable: boolean;
         multiple: boolean;
@@ -6104,7 +6158,7 @@ declare const securityObjects: ((Omit<{
         clone: boolean;
         apiMethods?: ("aggregate" | "update" | "delete" | "restore" | "purge" | "search" | "create" | "import" | "list" | "get" | "upsert" | "bulk" | "history" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -7349,7 +7403,7 @@ declare const securityObjects: ((Omit<{
     abstract: boolean;
     datasource: string;
     fields: Record<string, {
-        type: "number" | "boolean" | "tags" | "select" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "email" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
+        type: "number" | "boolean" | "tags" | "select" | "email" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
         required: boolean;
         searchable: boolean;
         multiple: boolean;
@@ -7970,7 +8024,7 @@ declare const securityObjects: ((Omit<{
         clone: boolean;
         apiMethods?: ("aggregate" | "update" | "delete" | "restore" | "purge" | "search" | "create" | "import" | "list" | "get" | "upsert" | "bulk" | "history" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -8901,6 +8955,7 @@ declare const securityObjects: ((Omit<{
 declare const securityDefaultPermissionSets: {
     name: string;
     isProfile: boolean;
+    isDefault: boolean;
     objects: Record<string, {
         allowCreate: boolean;
         allowRead: boolean;
@@ -9043,4 +9098,21 @@ declare function claimSeedOwnership(ql: any, adminUserId: string, options?: Clai
     count: number;
 }[]>;
-export { FieldMasker, PermissionDeniedError, PermissionEvaluator, RLSCompiler, RLS_DENY_FILTER, SECURITY_PLUGIN_ID, SECURITY_PLUGIN_VERSION, SecurityPlugin, backfillOrgAdminGrants, bootstrapPlatformAdmin, claimSeedOwnership, isPermissionDeniedError, reconcileOrgAdminGrant, securityDefaultPermissionSets, securityObjects, securityPluginManifestHeader };
+/**
+ * ADR-0056 D7 — resolve the app-declared default profile NAME from a stack's
+ * `permissions[]` array.
+ *
+ * A permission set marked `isProfile && isDefault` declares the app's default
+ * access posture for users with no explicit grants. The {@link SecurityPlugin}
+ * constructor scans its `defaultPermissionSets` option for that flag — but the
+ * CLI constructs `new SecurityPlugin()` with NO options, so an `isDefault`
+ * profile declared purely in app METADATA would never be honored. The CLI calls
+ * this helper to pull the name out of the stack and pass it as
+ * `fallbackPermissionSet`, wiring the declaration through to `pnpm dev`.
+ *
+ * Returns the first matching profile's `name`, or `undefined` when none is
+ * declared (callers then keep the built-in `member_default` fallback).
+ */
+declare function appDefaultProfileName(permissions: unknown): string | undefined;
+export { FieldMasker, PermissionDeniedError, PermissionEvaluator, RLSCompiler, RLS_DENY_FILTER, SECURITY_PLUGIN_ID, SECURITY_PLUGIN_VERSION, SecurityPlugin, appDefaultProfileName, backfillOrgAdminGrants, bootstrapPlatformAdmin, claimSeedOwnership, isPermissionDeniedError, reconcileOrgAdminGrant, securityDefaultPermissionSets, securityObjects, securityPluginManifestHeader };

package/dist/index.d.ts CHANGED Viewed

@@ -89,6 +89,8 @@ declare class SecurityPlugin implements Plugin {
      */
     private metadata;
     private ql;
+    /** ADR-0055: cache the resolved master-detail relation per controlled_by_parent object. */
+    private cbpRelCache;
     private dbLoader?;
     private logger;
     constructor(options?: SecurityPluginOptions);
@@ -143,6 +145,45 @@ declare class SecurityPlugin implements Plugin {
      * applies (caller adds no filter).
      */
     private computeRlsFilter;
+    /**
+     * Resolve a controlled_by_parent object's master-detail relation (the FK field
+     * key + the master object name), or null. Prefers a required `master_detail`
+     * field; falls back to any `master_detail`, then a required `lookup`. Cached.
+     */
+    private resolveCbpRelation;
+    /**
+     * ADR-0055 — master-detail "controlled by parent" READ derivation.
+     *
+     * For an object whose `sharingModel` is `controlled_by_parent`, access is
+     * derived from the master: return a filter `masterFK IN (<master ids this user
+     * can read>)`. The id set is resolved by running the MASTER's own read RLS
+     * (reused via `computeRlsFilter`) under a system context — no middleware
+     * re-entry, so no recursion. An empty set yields `{ masterFK: { $in: [] } }`,
+     * which matches no rows (fail closed). A misconfigured object (no
+     * master_detail/lookup to derive from) denies all reads (defense-in-depth;
+     * spec validation should prevent authoring it). Returns null when the object is
+     * not controlled_by_parent.
+     *
+     * v1 scope (ADR-0055): single level — the master's OWN controlled_by_parent is
+     * not traversed transitively; master accessibility is the master's RLS filter
+     * (sharing-service grants on the master are not folded in).
+     */
+    private computeControlledByParentFilter;
+    /**
+     * ADR-0055 — master-detail "controlled by parent" WRITE enforcement.
+     *
+     * A by-id write (insert/update/delete) to a controlled_by_parent detail
+     * requires EDIT access to its master: the caller must hold CRUD `update` on the
+     * master object AND the master row must be visible under the master's write RLS.
+     * This is the write-side companion to the read derivation — the RLS read filter
+     * never applies to a by-id write (the #1994 class), so without this a member
+     * could mutate a detail under a master they cannot edit. Throws on denial;
+     * no-op when the object is not controlled_by_parent.
+     *
+     * v1 scope: single-id writes. Bulk writes flow through the AST and are already
+     * scoped by the controlled-by-parent READ filter (to readable masters).
+     */
+    private assertControlledByParentWrite;
     /**
      * Collect all RLS policies from permission sets applicable to the given object/operation.
      */
@@ -235,6 +276,14 @@ interface RLSUserContext {
      * and are merged in under their own keys (see {@link RLSCompiler.compileFilter}).
      */
     org_user_ids?: string[];
+    /**
+     * The caller's unique, auth-enforced email. RLS expressions reference it as
+     * `current_user.email` for human-readable, *seedable* owner scoping
+     * (`owner = current_user.email`). Email is exposed because it is UNIQUE; the
+     * user's display `name` is deliberately NOT exposed — names collide, and a
+     * collision on an ownership predicate is an access-control leak.
+     */
+    email?: string;
     [key: string]: unknown;
 }
 /**
@@ -260,6 +309,11 @@ declare const RLS_DENY_FILTER: Record<string, unknown>;
  * Converts `using` / `check` expressions into ObjectQL-compatible filter conditions.
  */
 declare class RLSCompiler {
+    /** Optional logger so a SILENTLY-dropped (uncompilable-shape) policy is observable (ADR-0056 D4). */
+    private logger?;
+    setLogger(logger: {
+        warn?: (message: string, meta?: Record<string, unknown>) => void;
+    } | undefined): void;
     /**
      * Compile RLS policies into a query filter for the given user context.
      * Multiple policies for the same object/operation are OR-combined (any match allows access).
@@ -364,7 +418,7 @@ declare const securityObjects: ((Omit<{
     abstract: boolean;
     datasource: string;
     fields: Record<string, {
-        type: "number" | "boolean" | "tags" | "select" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "email" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
+        type: "number" | "boolean" | "tags" | "select" | "email" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
         required: boolean;
         searchable: boolean;
         multiple: boolean;
@@ -985,7 +1039,7 @@ declare const securityObjects: ((Omit<{
         clone: boolean;
         apiMethods?: ("aggregate" | "update" | "delete" | "restore" | "purge" | "search" | "create" | "import" | "list" | "get" | "upsert" | "bulk" | "history" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -2709,7 +2763,7 @@ declare const securityObjects: ((Omit<{
     abstract: boolean;
     datasource: string;
     fields: Record<string, {
-        type: "number" | "boolean" | "tags" | "select" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "email" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
+        type: "number" | "boolean" | "tags" | "select" | "email" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
         required: boolean;
         searchable: boolean;
         multiple: boolean;
@@ -3330,7 +3384,7 @@ declare const securityObjects: ((Omit<{
         clone: boolean;
         apiMethods?: ("aggregate" | "update" | "delete" | "restore" | "purge" | "search" | "create" | "import" | "list" | "get" | "upsert" | "bulk" | "history" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -5483,7 +5537,7 @@ declare const securityObjects: ((Omit<{
     abstract: boolean;
     datasource: string;
     fields: Record<string, {
-        type: "number" | "boolean" | "tags" | "select" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "email" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
+        type: "number" | "boolean" | "tags" | "select" | "email" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
         required: boolean;
         searchable: boolean;
         multiple: boolean;
@@ -6104,7 +6158,7 @@ declare const securityObjects: ((Omit<{
         clone: boolean;
         apiMethods?: ("aggregate" | "update" | "delete" | "restore" | "purge" | "search" | "create" | "import" | "list" | "get" | "upsert" | "bulk" | "history" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -7349,7 +7403,7 @@ declare const securityObjects: ((Omit<{
     abstract: boolean;
     datasource: string;
     fields: Record<string, {
-        type: "number" | "boolean" | "tags" | "select" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "email" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
+        type: "number" | "boolean" | "tags" | "select" | "email" | "date" | "record" | "file" | "code" | "datetime" | "signature" | "progress" | "url" | "lookup" | "master_detail" | "currency" | "percent" | "password" | "secret" | "time" | "text" | "textarea" | "phone" | "markdown" | "html" | "richtext" | "toggle" | "multiselect" | "radio" | "checkboxes" | "tree" | "image" | "avatar" | "video" | "audio" | "formula" | "summary" | "autonumber" | "composite" | "repeater" | "location" | "address" | "json" | "color" | "rating" | "slider" | "qrcode" | "vector";
         required: boolean;
         searchable: boolean;
         multiple: boolean;
@@ -7970,7 +8024,7 @@ declare const securityObjects: ((Omit<{
         clone: boolean;
         apiMethods?: ("aggregate" | "update" | "delete" | "restore" | "purge" | "search" | "create" | "import" | "list" | "get" | "upsert" | "bulk" | "history" | "export")[] | undefined;
     } | undefined;
-    sharingModel?: "full" | "read" | "private" | "read_write" | undefined;
+    sharingModel?: "full" | "read" | "private" | "public_read" | "public_read_write" | "controlled_by_parent" | "read_write" | undefined;
     publicSharing?: {
         enabled: boolean;
         allowedAudiences?: ("email" | "public" | "link_only" | "signed_in")[] | undefined;
@@ -8901,6 +8955,7 @@ declare const securityObjects: ((Omit<{
 declare const securityDefaultPermissionSets: {
     name: string;
     isProfile: boolean;
+    isDefault: boolean;
     objects: Record<string, {
         allowCreate: boolean;
         allowRead: boolean;
@@ -9043,4 +9098,21 @@ declare function claimSeedOwnership(ql: any, adminUserId: string, options?: Clai
     count: number;
 }[]>;
-export { FieldMasker, PermissionDeniedError, PermissionEvaluator, RLSCompiler, RLS_DENY_FILTER, SECURITY_PLUGIN_ID, SECURITY_PLUGIN_VERSION, SecurityPlugin, backfillOrgAdminGrants, bootstrapPlatformAdmin, claimSeedOwnership, isPermissionDeniedError, reconcileOrgAdminGrant, securityDefaultPermissionSets, securityObjects, securityPluginManifestHeader };
+/**
+ * ADR-0056 D7 — resolve the app-declared default profile NAME from a stack's
+ * `permissions[]` array.
+ *
+ * A permission set marked `isProfile && isDefault` declares the app's default
+ * access posture for users with no explicit grants. The {@link SecurityPlugin}
+ * constructor scans its `defaultPermissionSets` option for that flag — but the
+ * CLI constructs `new SecurityPlugin()` with NO options, so an `isDefault`
+ * profile declared purely in app METADATA would never be honored. The CLI calls
+ * this helper to pull the name out of the stack and pass it as
+ * `fallbackPermissionSet`, wiring the declaration through to `pnpm dev`.
+ *
+ * Returns the first matching profile's `name`, or `undefined` when none is
+ * declared (callers then keep the built-in `member_default` fallback).
+ */
+declare function appDefaultProfileName(permissions: unknown): string | undefined;
+export { FieldMasker, PermissionDeniedError, PermissionEvaluator, RLSCompiler, RLS_DENY_FILTER, SECURITY_PLUGIN_ID, SECURITY_PLUGIN_VERSION, SecurityPlugin, appDefaultProfileName, backfillOrgAdminGrants, bootstrapPlatformAdmin, claimSeedOwnership, isPermissionDeniedError, reconcileOrgAdminGrant, securityDefaultPermissionSets, securityObjects, securityPluginManifestHeader };