@tailor-platform/sdk 1.56.0 → 1.56.1

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @tailor-platform/sdk
 
+## 1.56.1
+
+### Patch Changes
+
+- [#1347](https://github.com/tailor-platform/sdk/pull/1347) [`6888110`](https://github.com/tailor-platform/sdk/commit/6888110fa61f9f3fd991e0fb44e86fd37f9536f3) Thanks [@dqn](https://github.com/dqn)! - Fix resolver field builders (`t.*`) leaking metadata between fields. `description()`, `typeName()`, and `validate()` now return a new field instead of mutating the original, so a field instance reused across places (for example shared between a resolver's `input` and `output`, or a record passed to `t.object`) no longer leaks its metadata into the other usages. This matches the existing `db.*` behavior.
+
+- [#1346](https://github.com/tailor-platform/sdk/pull/1346) [`0254e3c`](https://github.com/tailor-platform/sdk/commit/0254e3caff0d1eeb7407d8932385bf5bdbaf4356) Thanks [@dqn](https://github.com/dqn)! - Warn when a permission rule is written in object form without an explicit `permit`. Object-format rules (e.g. `read: [{ conditions: [...] }]`) default to `deny`, unlike the array shorthand which defaults to `allow`, so omitting `permit` can silently lock out access you meant to grant. The CLI now flags these rules during generate/deploy so you can set `permit: true` (allow) or `permit: false` (deny) explicitly. Runtime behavior is unchanged. This covers TailorDB record permissions, TailorDB GraphQL permissions, and IdP permissions.
+
 ## 1.56.0
 
 ### Minor Changes

package/dist/application-CC3oaSay.mjs

@@ -0,0 +1,4 @@
+
+import { n as generatePluginFilesIfNeeded, r as loadApplication, t as defineApplication } from "./application-DuT_ae02.mjs";
+
+export { defineApplication };

package/dist/{application-YHZIkjdy.mjs → application-DuT_ae02.mjs}

@@ -2560,6 +2560,29 @@ function normalizeActionPermission(permission) {
 		permit: conditionArrayPermit ? "allow" : "deny"
 	};
 }
+/**
+* Find object-format permission rules that omit `permit`.
+*
+* Object-format rules default to `deny` when `permit` is omitted, whereas the
+* array shorthand defaults to `allow`. Omitting `permit` on an object rule is
+* therefore an easy way to accidentally deny access you meant to grant, so the
+* CLI warns about these locations to nudge authors toward setting `permit`
+* explicitly.
+* @param rawPermissions - Raw permissions definition
+* @returns Dotted locations of offending rules, e.g. `record.read[0]`, `gql[1]`
+*/
+function findOmittedPermitRules(rawPermissions) {
+	const locations = [];
+	const record = rawPermissions.record;
+	if (record) for (const action of Object.keys(record)) record[action]?.forEach((rule, index) => {
+		if (isObjectFormat(rule) && rule.permit === void 0) locations.push(`record.${String(action)}[${index}]`);
+	});
+	const gql = rawPermissions.gql;
+	if (gql) gql.forEach((policy, index) => {
+		if (policy.permit === void 0) locations.push(`gql[${index}]`);
+	});
+	return locations;
+}
 
 //#endregion
 //#region src/parser/service/tailordb/relation.ts
@@ -3431,6 +3454,12 @@ function createTailorDBService(params) {
 		for (const fileTypes of Object.values(rawTypes)) for (const [typeName, type] of Object.entries(fileTypes)) allTypes[typeName] = type;
 		types = parseTypes(allTypes, namespace, typeSourceInfo);
 	};
+	const warnOmittedPermit = () => {
+		for (const fileTypes of Object.values(rawTypes)) for (const [typeName, type] of Object.entries(fileTypes)) {
+			const locations = findOmittedPermitRules(type.metadata.permissions ?? {});
+			if (locations.length > 0) logger.warn(`TailorDB type "${typeName}" has permission rule(s) ${locations.join(", ")} in object form without an explicit "permit"; they default to "deny". Set permit: true (allow) or permit: false (deny) to silence this warning.`);
+		}
+	};
 	/**
 	* Process plugins for a type and add generated types to rawTypes
 	* @param rawType - The raw TailorDB type being processed
@@ -3523,6 +3552,7 @@ function createTailorDBService(params) {
 				if (pluginManager) for (const typeFile of typeFiles) await loadTypeFile(typeFile, tsconfig);
 				else await Promise.all(typeFiles.map((typeFile) => loadTypeFile(typeFile, tsconfig)));
 				doParseTypes();
+				warnOmittedPermit();
 				return types;
 			})();
 			return loadPromise;
@@ -5806,4 +5836,4 @@ async function loadApplication(params) {
 
 //#endregion
 export { saveUserTokens as A, deleteUserTokens as C, loadWorkspaceId as D, loadConfigPath as E, readPlatformConfig as O, loadConfig as S, loadAccessToken as T, createLogLevelTreeshakeOptions as _, WorkflowJobSchema as a, getDistDir as b, createExecutorService as c, buildExecutorArgsExpr as d, buildResolverOperationHookExpr as f, composeFunctionTreeshakeOptions as g, loadFilesWithIgnores as h, resolveInlineSourcemap as i, writePlatformConfig as j, resolveTokens as k, ExecutorSchema as l, stringifyFunction as m, generatePluginFilesIfNeeded as n, ResolverSchema as o, TailorDBTypeSchema as p, loadApplication as r, HTTP_METHODS as s, defineApplication as t, INVOKER_EXPR as u, resolveBundleLogLevel as v, fetchLatestToken as w, hashFile as x, createBundleCache as y };
-//# sourceMappingURL=application-YHZIkjdy.mjs.map
+//# sourceMappingURL=application-DuT_ae02.mjs.map