rflib-plugin 0.18.1 → 0.19.3

package/lib/shared/permissionAggregator.js

@@ -0,0 +1,143 @@
+const QUERY_LIMIT = 24_995;
+// Query for one extra row beyond the cap so we can tell when Salesforce had more to
+// give and our LIMIT clipped it. Without the sentinel, a result set whose true size is
+// > QUERY_LIMIT comes back with exactly QUERY_LIMIT rows and `done: true`, so the
+// truncation check would silently report `false`. The sentinel row is dropped before
+// returning; its presence flips `truncated` to true.
+const FETCH_LIMIT = QUERY_LIMIT + 1;
+const FLS_FIELDS = 'SELECT Parent.Label, Parent.Profile.Name, Parent.IsOwnedByProfile, Parent.PermissionSetGroupId, ' +
+    'SobjectType, Field, PermissionsEdit, PermissionsRead';
+const OBJ_FIELDS = 'SELECT Parent.Label, Parent.Profile.Name, Parent.IsOwnedByProfile, Parent.PermissionSetGroupId, ' +
+    'SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete, ' +
+    'PermissionsViewAllFields, PermissionsViewAllRecords, PermissionsModifyAllRecords';
+const APEX_FIELDS = 'SELECT Parent.Label, Parent.Profile.Name, Parent.IsOwnedByProfile, Parent.PermissionSetGroupId, ' +
+    'SetupEntityType, SetupEntityId';
+const FLS_TABLE = ' FROM FieldPermissions';
+const OBJ_TABLE = ' FROM ObjectPermissions';
+const APEX_TABLE = ' FROM SetupEntityAccess';
+const FLS_ORDER = ' ORDER BY Parent.Profile.Name, Parent.Label, SobjectType, Field';
+const OBJ_ORDER = ' ORDER BY Parent.Profile.Name, Parent.Label, SobjectType';
+const APEX_ORDER = ' ORDER BY Parent.Profile.Name, Parent.Label';
+const APEX_CONDITIONS = " AND (SetupEntityType = 'ApexClass' OR SetupEntityType = 'ApexPage')";
+const ID_PATTERN = /^(?:[a-zA-Z0-9]{15}|[a-zA-Z0-9]{18})$/;
+const SOBJECT_PATTERN = /^[A-Za-z][A-Za-z0-9_]*$/;
+function validateId(value, label) {
+    if (!ID_PATTERN.test(value)) {
+        throw new Error(`Invalid ${label} "${value}". Expected a 15 or 18 character Salesforce ID.`);
+    }
+}
+function escapeSingleQuotes(value) {
+    return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
+}
+async function queryAll(conn, soql) {
+    const first = await conn.query(soql);
+    let records = [...first.records];
+    let done = first.done;
+    let nextUrl = first.nextRecordsUrl;
+    while (!done && nextUrl && records.length < QUERY_LIMIT) {
+        // eslint-disable-next-line no-await-in-loop
+        const more = await conn.queryMore(nextUrl);
+        records = records.concat(more.records);
+        done = more.done;
+        nextUrl = more.nextRecordsUrl;
+    }
+    // Truncation: either we still had pages left but bailed out of the loop because we
+    // hit the cap, or the total accumulated rows already exceeded the cap and the
+    // slice() below is about to drop some. Either way the caller is losing data.
+    const truncated = !done || records.length > QUERY_LIMIT;
+    return { records: records.slice(0, QUERY_LIMIT), truncated };
+}
+async function getUserPermDetails(conn, userId) {
+    const userRows = await conn.query(`SELECT Id, ProfileId, Profile.Name FROM User WHERE Id = '${escapeSingleQuotes(userId)}' LIMIT 1`);
+    if (userRows.records.length === 0) {
+        throw new Error(`User with Id "${userId}" was not found.`);
+    }
+    const userRow = userRows.records[0];
+    const assignmentRows = (await queryAll(conn, 'SELECT PermissionSetId, PermissionSet.Name, PermissionSet.IsOwnedByProfile, ' +
+        'PermissionSetGroupId, PermissionSet.Label ' +
+        `FROM PermissionSetAssignment WHERE AssigneeId = '${escapeSingleQuotes(userId)}'`)).records;
+    const permissionSetIds = [];
+    const permissionSetGroupIds = [];
+    const permSetLabels = [];
+    for (const psa of assignmentRows) {
+        if (psa.PermissionSet?.IsOwnedByProfile)
+            continue;
+        if (psa.PermissionSetGroupId) {
+            permissionSetGroupIds.push(psa.PermissionSetGroupId);
+        }
+        else if (psa.PermissionSetId) {
+            permissionSetIds.push(psa.PermissionSetId);
+            if (psa.PermissionSet?.Label)
+                permSetLabels.push(psa.PermissionSet.Label);
+        }
+    }
+    return {
+        profileId: userRow.ProfileId,
+        profileName: userRow.Profile?.Name ?? '',
+        permissionSetNames: permSetLabels.join(', '),
+        permissionSetIds,
+        permissionSetGroupIds,
+    };
+}
+function buildIdList(ids) {
+    return "('" + ids.map(escapeSingleQuotes).join("','") + "')";
+}
+function buildUserCondition(details) {
+    // FieldPermissions / ObjectPermissions / SetupEntityAccess rows are always keyed by
+    // ParentId = PermissionSet. Permission Set Groups don't show up under ParentId — the
+    // group's effective grants live on an auto-generated PermissionSet whose
+    // Parent.PermissionSetGroupId points back at the group. Filter accordingly.
+    const clauses = [`Parent.ProfileId = '${escapeSingleQuotes(details.profileId)}'`];
+    if (details.permissionSetIds.length > 0) {
+        clauses.push(`ParentId IN ${buildIdList(details.permissionSetIds)}`);
+    }
+    if (details.permissionSetGroupIds.length > 0) {
+        clauses.push(`Parent.PermissionSetGroupId IN ${buildIdList(details.permissionSetGroupIds)}`);
+    }
+    return ` WHERE (${clauses.join(' OR ')})`;
+}
+function buildSObjectFilter(sobjectType) {
+    if (!sobjectType)
+        return '';
+    if (!SOBJECT_PATTERN.test(sobjectType)) {
+        throw new Error(`Invalid sobjectType "${sobjectType}". Use a standard SObject API name (e.g. Account, Order__c).`);
+    }
+    return ` AND SobjectType = '${escapeSingleQuotes(sobjectType)}'`;
+}
+export async function getUserPermissions(conn, args) {
+    if (!args.userId) {
+        throw new Error('userId is required');
+    }
+    validateId(args.userId, 'userId');
+    const validTypes = ['FLS', 'OLS', 'APEX', 'ALL'];
+    if (!validTypes.includes(args.permissionType)) {
+        throw new Error('permissionType must be one of: FLS, OLS, APEX, ALL');
+    }
+    const details = await getUserPermDetails(conn, args.userId);
+    const condition = buildUserCondition(details);
+    const result = {
+        userId: args.userId,
+        profileName: details.profileName,
+        permissionSetNames: details.permissionSetNames,
+        permissionType: args.permissionType,
+    };
+    if (args.permissionType === 'FLS' || args.permissionType === 'ALL') {
+        const objectFilter = buildSObjectFilter(args.sobjectType);
+        const { records, truncated } = await queryAll(conn, `${FLS_FIELDS}${FLS_TABLE}${condition}${objectFilter}${FLS_ORDER} LIMIT ${FETCH_LIMIT}`);
+        result.flsPermissions = records;
+        result.flsTruncated = truncated;
+    }
+    if (args.permissionType === 'OLS' || args.permissionType === 'ALL') {
+        const objectFilter = buildSObjectFilter(args.sobjectType);
+        const { records, truncated } = await queryAll(conn, `${OBJ_FIELDS}${OBJ_TABLE}${condition}${objectFilter}${OBJ_ORDER} LIMIT ${FETCH_LIMIT}`);
+        result.olsPermissions = records;
+        result.olsTruncated = truncated;
+    }
+    if (args.permissionType === 'APEX' || args.permissionType === 'ALL') {
+        const { records, truncated } = await queryAll(conn, `${APEX_FIELDS}${APEX_TABLE}${condition}${APEX_CONDITIONS}${APEX_ORDER} LIMIT ${FETCH_LIMIT}`);
+        result.apexPermissions = records;
+        result.apexTruncated = truncated;
+    }
+    return result;
+}
+//# sourceMappingURL=permissionAggregator.js.map

package/lib/shared/permissionAggregator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionAggregator.js","sourceRoot":"","sources":["../../src/shared/permissionAggregator.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,GAAG,MAAM,CAAC;AAC3B,oFAAoF;AACpF,uFAAuF;AACvF,kFAAkF;AAClF,qFAAqF;AACrF,qDAAqD;AACrD,MAAM,WAAW,GAAG,WAAW,GAAG,CAAC,CAAC;AAEpC,MAAM,UAAU,GACd,kGAAkG;IAClG,sDAAsD,CAAC;AACzD,MAAM,UAAU,GACd,kGAAkG;IAClG,uFAAuF;IACvF,kFAAkF,CAAC;AACrF,MAAM,WAAW,GACf,kGAAkG;IAClG,gCAAgC,CAAC;AAEnC,MAAM,SAAS,GAAG,wBAAwB,CAAC;AAC3C,MAAM,SAAS,GAAG,yBAAyB,CAAC;AAC5C,MAAM,UAAU,GAAG,yBAAyB,CAAC;AAE7C,MAAM,SAAS,GAAG,iEAAiE,CAAC;AACpF,MAAM,SAAS,GAAG,0DAA0D,CAAC;AAC7E,MAAM,UAAU,GAAG,6CAA6C,CAAC;AAEjE,MAAM,eAAe,GAAG,sEAAsE,CAAC;AAE/F,MAAM,UAAU,GAAG,uCAAuC,CAAC;AAC3D,MAAM,eAAe,GAAG,yBAAyB,CAAC;AAyBlD,SAAS,UAAU,CAAC,KAAa,EAAE,KAAa;IAC9C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,WAAW,KAAK,KAAK,KAAK,iDAAiD,CAAC,CAAC;IAC/F,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACvC,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AAC3D,CAAC;AAID,KAAK,UAAU,QAAQ,CACrB,IAAgB,EAChB,IAAY;IAEZ,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAI,IAAI,CAAC,CAAC;IACxC,IAAI,OAAO,GAAQ,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;IACtC,IAAI,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC;IACtB,IAAI,OAAO,GAAG,KAAK,CAAC,cAAc,CAAC;IACnC,OAAO,CAAC,IAAI,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,WAAW,EAAE,CAAC;QACxD,4CAA4C;QAC5C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAAI,OAAO,CAAC,CAAC;QAC9C,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;QACjB,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC;IAChC,CAAC;IACD,mFAAmF;IACnF,8EAA8E;IAC9E,6EAA6E;IAC7E,MAAM,SAAS,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,MAAM,GAAG,WAAW,CAAC;IACxD,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,CAAC;AAC/D,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,IAAgB,EAAE,MAAc;IAChE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAC/B,4DAA4D,kBAAkB,CAAC,MAAM,CAAC,WAAW,CAClG,CAAC;IACF,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,iBAAiB,MAAM,kBAAkB,CAAC,CAAC;IAC7D,CAAC;IACD,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAEpC,MAAM,cAAc,GAAG,CACrB,MAAM,QAAQ,CACZ,IAAI,EACJ,8EAA8E;QAC5E,4CAA4C;QAC5C,oDAAoD,kBAAkB,CAAC,MAAM,CAAC,GAAG,CACpF,CACF,CAAC,OAAO,CAAC;IAEV,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,MAAM,qBAAqB,GAAa,EAAE,CAAC;IAC3C,MAAM,aAAa,GAAa,EAAE,CAAC;IAEnC,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;QACjC,IAAI,GAAG,CAAC,aAAa,EAAE,gBAAgB;YAAE,SAAS;QAClD,IAAI,GAAG,CAAC,oBAAoB,EAAE,CAAC;YAC7B,qBAAqB,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QACvD,CAAC;aAAM,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;YAC/B,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YAC3C,IAAI,GAAG,CAAC,aAAa,EAAE,KAAK;gBAAE,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAC5E,CAAC;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,WAAW,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE;QACxC,kBAAkB,EAAE,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC;QAC5C,gBAAgB;QAChB,qBAAqB;KACtB,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,GAAsB;IACzC,OAAO,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;AAC/D,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAwB;IAClD,oFAAoF;IACpF,qFAAqF;IACrF,yEAAyE;IACzE,4EAA4E;IAC5E,MAAM,OAAO,GAAa,CAAC,uBAAuB,kBAAkB,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC5F,IAAI,OAAO,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxC,OAAO,CAAC,IAAI,CAAC,eAAe,WAAW,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,OAAO,CAAC,qBAAqB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC,kCAAkC,WAAW,CAAC,OAAO,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,OAAO,WAAW,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC;AAC5C,CAAC;AAED,SAAS,kBAAkB,CAAC,WAA+B;IACzD,IAAI,CAAC,WAAW;QAAE,OAAO,EAAE,CAAC;IAC5B,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,wBAAwB,WAAW,8DAA8D,CAAC,CAAC;IACrH,CAAC;IACD,OAAO,uBAAuB,kBAAkB,CAAC,WAAW,CAAC,GAAG,CAAC;AACnE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,IAAgB,EAChB,IAA4B;IAE5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IACD,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAClC,MAAM,UAAU,GAAqB,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACnE,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5D,MAAM,SAAS,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAE9C,MAAM,MAAM,GAA4B;QACtC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;QAC9C,cAAc,EAAE,IAAI,CAAC,cAAc;KACpC,CAAC;IAEF,IAAI,IAAI,CAAC,cAAc,KAAK,KAAK,IAAI,IAAI,CAAC,cAAc,KAAK,KAAK,EAAE,CAAC;QACnE,MAAM,YAAY,GAAG,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,MAAM,QAAQ,CAC3C,IAAI,EACJ,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,GAAG,YAAY,GAAG,SAAS,UAAU,WAAW,EAAE,CACxF,CAAC;QACF,MAAM,CAAC,cAAc,GAAG,OAAO,CAAC;QAChC,MAAM,CAAC,YAAY,GAAG,SAAS,CAAC;IAClC,CAAC;IACD,IAAI,IAAI,CAAC,cAAc,KAAK,KAAK,IAAI,IAAI,CAAC,cAAc,KAAK,KAAK,EAAE,CAAC;QACnE,MAAM,YAAY,GAAG,kBAAkB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,MAAM,QAAQ,CAC3C,IAAI,EACJ,GAAG,UAAU,GAAG,SAAS,GAAG,SAAS,GAAG,YAAY,GAAG,SAAS,UAAU,WAAW,EAAE,CACxF,CAAC;QACF,MAAM,CAAC,cAAc,GAAG,OAAO,CAAC;QAChC,MAAM,CAAC,YAAY,GAAG,SAAS,CAAC;IAClC,CAAC;IACD,IAAI,IAAI,CAAC,cAAc,KAAK,MAAM,IAAI,IAAI,CAAC,cAAc,KAAK,KAAK,EAAE,CAAC;QACpE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,MAAM,QAAQ,CAC3C,IAAI,EACJ,GAAG,WAAW,GAAG,UAAU,GAAG,SAAS,GAAG,eAAe,GAAG,UAAU,UAAU,WAAW,EAAE,CAC9F,CAAC;QACF,MAAM,CAAC,eAAe,GAAG,OAAO,CAAC;QACjC,MAAM,CAAC,aAAa,GAAG,SAAS,CAAC;IACnC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import type { Connection } from '@salesforce/core';\n\nconst QUERY_LIMIT = 24_995;\n// Query for one extra row beyond the cap so we can tell when Salesforce had more to\n// give and our LIMIT clipped it. Without the sentinel, a result set whose true size is\n// > QUERY_LIMIT comes back with exactly QUERY_LIMIT rows and `done: true`, so the\n// truncation check would silently report `false`. The sentinel row is dropped before\n// returning; its presence flips `truncated` to true.\nconst FETCH_LIMIT = QUERY_LIMIT + 1;\n\nconst FLS_FIELDS =\n  'SELECT Parent.Label, Parent.Profile.Name, Parent.IsOwnedByProfile, Parent.PermissionSetGroupId, ' +\n  'SobjectType, Field, PermissionsEdit, PermissionsRead';\nconst OBJ_FIELDS =\n  'SELECT Parent.Label, Parent.Profile.Name, Parent.IsOwnedByProfile, Parent.PermissionSetGroupId, ' +\n  'SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete, ' +\n  'PermissionsViewAllFields, PermissionsViewAllRecords, PermissionsModifyAllRecords';\nconst APEX_FIELDS =\n  'SELECT Parent.Label, Parent.Profile.Name, Parent.IsOwnedByProfile, Parent.PermissionSetGroupId, ' +\n  'SetupEntityType, SetupEntityId';\n\nconst FLS_TABLE = ' FROM FieldPermissions';\nconst OBJ_TABLE = ' FROM ObjectPermissions';\nconst APEX_TABLE = ' FROM SetupEntityAccess';\n\nconst FLS_ORDER = ' ORDER BY Parent.Profile.Name, Parent.Label, SobjectType, Field';\nconst OBJ_ORDER = ' ORDER BY Parent.Profile.Name, Parent.Label, SobjectType';\nconst APEX_ORDER = ' ORDER BY Parent.Profile.Name, Parent.Label';\n\nconst APEX_CONDITIONS = \" AND (SetupEntityType = 'ApexClass' OR SetupEntityType = 'ApexPage')\";\n\nconst ID_PATTERN = /^(?:[a-zA-Z0-9]{15}|[a-zA-Z0-9]{18})$/;\nconst SOBJECT_PATTERN = /^[A-Za-z][A-Za-z0-9_]*$/;\n\nexport type PermissionType = 'FLS' | 'OLS' | 'APEX' | 'ALL';\n\nexport type GetUserPermissionsArgs = {\n  userId: string;\n  permissionType: PermissionType;\n  sobjectType?: string;\n};\n\ntype UserPermDetails = {\n  profileId: string;\n  profileName: string;\n  permissionSetNames: string;\n  permissionSetIds: string[];\n  permissionSetGroupIds: string[];\n};\n\ntype UserRow = { Id: string; ProfileId: string; Profile?: { Name?: string } } & Record<string, unknown>;\ntype PsaRow = {\n  PermissionSetId: string | null;\n  PermissionSetGroupId: string | null;\n  PermissionSet?: { Name?: string; Label?: string; IsOwnedByProfile?: boolean };\n} & Record<string, unknown>;\n\nfunction validateId(value: string, label: string): void {\n  if (!ID_PATTERN.test(value)) {\n    throw new Error(`Invalid ${label} \"${value}\". Expected a 15 or 18 character Salesforce ID.`);\n  }\n}\n\nfunction escapeSingleQuotes(value: string): string {\n  return value.replace(/\\\\/g, '\\\\\\\\').replace(/'/g, \"\\\\'\");\n}\n\ntype QueryAllResult<T> = { records: T[]; truncated: boolean };\n\nasync function queryAll<T extends Record<string, unknown>>(\n  conn: Connection,\n  soql: string,\n): Promise<QueryAllResult<T>> {\n  const first = await conn.query<T>(soql);\n  let records: T[] = [...first.records];\n  let done = first.done;\n  let nextUrl = first.nextRecordsUrl;\n  while (!done && nextUrl && records.length < QUERY_LIMIT) {\n    // eslint-disable-next-line no-await-in-loop\n    const more = await conn.queryMore<T>(nextUrl);\n    records = records.concat(more.records);\n    done = more.done;\n    nextUrl = more.nextRecordsUrl;\n  }\n  // Truncation: either we still had pages left but bailed out of the loop because we\n  // hit the cap, or the total accumulated rows already exceeded the cap and the\n  // slice() below is about to drop some. Either way the caller is losing data.\n  const truncated = !done || records.length > QUERY_LIMIT;\n  return { records: records.slice(0, QUERY_LIMIT), truncated };\n}\n\nasync function getUserPermDetails(conn: Connection, userId: string): Promise<UserPermDetails> {\n  const userRows = await conn.query<UserRow>(\n    `SELECT Id, ProfileId, Profile.Name FROM User WHERE Id = '${escapeSingleQuotes(userId)}' LIMIT 1`,\n  );\n  if (userRows.records.length === 0) {\n    throw new Error(`User with Id \"${userId}\" was not found.`);\n  }\n  const userRow = userRows.records[0];\n\n  const assignmentRows = (\n    await queryAll<PsaRow>(\n      conn,\n      'SELECT PermissionSetId, PermissionSet.Name, PermissionSet.IsOwnedByProfile, ' +\n        'PermissionSetGroupId, PermissionSet.Label ' +\n        `FROM PermissionSetAssignment WHERE AssigneeId = '${escapeSingleQuotes(userId)}'`,\n    )\n  ).records;\n\n  const permissionSetIds: string[] = [];\n  const permissionSetGroupIds: string[] = [];\n  const permSetLabels: string[] = [];\n\n  for (const psa of assignmentRows) {\n    if (psa.PermissionSet?.IsOwnedByProfile) continue;\n    if (psa.PermissionSetGroupId) {\n      permissionSetGroupIds.push(psa.PermissionSetGroupId);\n    } else if (psa.PermissionSetId) {\n      permissionSetIds.push(psa.PermissionSetId);\n      if (psa.PermissionSet?.Label) permSetLabels.push(psa.PermissionSet.Label);\n    }\n  }\n\n  return {\n    profileId: userRow.ProfileId,\n    profileName: userRow.Profile?.Name ?? '',\n    permissionSetNames: permSetLabels.join(', '),\n    permissionSetIds,\n    permissionSetGroupIds,\n  };\n}\n\nfunction buildIdList(ids: readonly string[]): string {\n  return \"('\" + ids.map(escapeSingleQuotes).join(\"','\") + \"')\";\n}\n\nfunction buildUserCondition(details: UserPermDetails): string {\n  // FieldPermissions / ObjectPermissions / SetupEntityAccess rows are always keyed by\n  // ParentId = PermissionSet. Permission Set Groups don't show up under ParentId — the\n  // group's effective grants live on an auto-generated PermissionSet whose\n  // Parent.PermissionSetGroupId points back at the group. Filter accordingly.\n  const clauses: string[] = [`Parent.ProfileId = '${escapeSingleQuotes(details.profileId)}'`];\n  if (details.permissionSetIds.length > 0) {\n    clauses.push(`ParentId IN ${buildIdList(details.permissionSetIds)}`);\n  }\n  if (details.permissionSetGroupIds.length > 0) {\n    clauses.push(`Parent.PermissionSetGroupId IN ${buildIdList(details.permissionSetGroupIds)}`);\n  }\n  return ` WHERE (${clauses.join(' OR ')})`;\n}\n\nfunction buildSObjectFilter(sobjectType: string | undefined): string {\n  if (!sobjectType) return '';\n  if (!SOBJECT_PATTERN.test(sobjectType)) {\n    throw new Error(`Invalid sobjectType \"${sobjectType}\". Use a standard SObject API name (e.g. Account, Order__c).`);\n  }\n  return ` AND SobjectType = '${escapeSingleQuotes(sobjectType)}'`;\n}\n\nexport async function getUserPermissions(\n  conn: Connection,\n  args: GetUserPermissionsArgs,\n): Promise<Record<string, unknown>> {\n  if (!args.userId) {\n    throw new Error('userId is required');\n  }\n  validateId(args.userId, 'userId');\n  const validTypes: PermissionType[] = ['FLS', 'OLS', 'APEX', 'ALL'];\n  if (!validTypes.includes(args.permissionType)) {\n    throw new Error('permissionType must be one of: FLS, OLS, APEX, ALL');\n  }\n\n  const details = await getUserPermDetails(conn, args.userId);\n  const condition = buildUserCondition(details);\n\n  const result: Record<string, unknown> = {\n    userId: args.userId,\n    profileName: details.profileName,\n    permissionSetNames: details.permissionSetNames,\n    permissionType: args.permissionType,\n  };\n\n  if (args.permissionType === 'FLS' || args.permissionType === 'ALL') {\n    const objectFilter = buildSObjectFilter(args.sobjectType);\n    const { records, truncated } = await queryAll(\n      conn,\n      `${FLS_FIELDS}${FLS_TABLE}${condition}${objectFilter}${FLS_ORDER} LIMIT ${FETCH_LIMIT}`,\n    );\n    result.flsPermissions = records;\n    result.flsTruncated = truncated;\n  }\n  if (args.permissionType === 'OLS' || args.permissionType === 'ALL') {\n    const objectFilter = buildSObjectFilter(args.sobjectType);\n    const { records, truncated } = await queryAll(\n      conn,\n      `${OBJ_FIELDS}${OBJ_TABLE}${condition}${objectFilter}${OBJ_ORDER} LIMIT ${FETCH_LIMIT}`,\n    );\n    result.olsPermissions = records;\n    result.olsTruncated = truncated;\n  }\n  if (args.permissionType === 'APEX' || args.permissionType === 'ALL') {\n    const { records, truncated } = await queryAll(\n      conn,\n      `${APEX_FIELDS}${APEX_TABLE}${condition}${APEX_CONDITIONS}${APEX_ORDER} LIMIT ${FETCH_LIMIT}`,\n    );\n    result.apexPermissions = records;\n    result.apexTruncated = truncated;\n  }\n\n  return result;\n}\n"]}

package/messages/rflib.debug.applicationevents.get.md

@@ -0,0 +1,74 @@
+# summary
+
+Query RFLIB Application Events from a Salesforce org.
+
+# description
+
+Retrieves rflib_Application_Event__c records from the target org via the Salesforce REST API.
+Application Events are business-level events used to track feature adoption, user actions, and domain-specific milestones.
+Results are ordered by Occurred_On__c descending (most recent first).
+
+Requires the RFLIB base package to be installed in the target org and the running user to be assigned the rflib_Ops_Center_Access permission set (or have equivalent read access to rflib_Application_Event__c).
+For installation instructions, visit: https://github.com/j-fischer/rflib
+
+# flags.target-org.summary
+
+Username or alias of the target org.
+
+# flags.target-org.description
+
+The username or alias of the Salesforce org containing the RFLIB base package.
+
+# flags.event-name.summary
+
+Filter by event name. Use % as a wildcard.
+
+# flags.event-name.description
+
+Filter Application Events by their Event_Name__c field. Use the % character as a wildcard for partial matches, for example "order-%".
+
+# flags.start-date.summary
+
+Filter events on or after this ISO 8601 date.
+
+# flags.start-date.description
+
+Only return events where Occurred_On__c is on or after this date. Must be in ISO 8601 format, e.g. 2024-01-01T00:00:00Z.
+
+# flags.end-date.summary
+
+Filter events on or before this ISO 8601 date.
+
+# flags.end-date.description
+
+Only return events where Occurred_On__c is on or before this date. Must be in ISO 8601 format, e.g. 2024-12-31T23:59:59Z.
+
+# flags.related-record-id.summary
+
+Filter by Related_Record_ID__c (exact match).
+
+# flags.related-record-id.description
+
+Only return events associated with this specific record ID.
+
+# flags.record-limit.summary
+
+Maximum number of records to return (default 200, max 2000).
+
+# flags.record-limit.description
+
+Controls how many Application Event records are returned. Defaults to 200. Maximum allowed value is 2000.
+
+# examples
+
+- Get all application events from the default org:
+
+  $ sf rflib debug applicationevents get --target-org myOrg
+
+- Get events filtered by name and date range:
+
+  $ sf rflib debug applicationevents get --target-org myOrg --event-name "order-%" --start-date 2024-01-01T00:00:00Z
+
+- Get events related to a specific record with a custom limit:
+
+  $ sf rflib debug applicationevents get --target-org myOrg --related-record-id 0017000000XXXXXX --record-limit 50

package/messages/rflib.debug.logarchives.get.md

@@ -0,0 +1,45 @@
+# summary
+
+Query RFLIB log archives from a Salesforce org.
+
+# description
+
+Retrieves rflib_Logs_Archive__b records from the target org's big object store via the Salesforce REST API.
+Each log record contains log level, context, request ID, and full log messages in the format: [timestamp]|[LEVEL]|[TRACE_ID]|[CONTEXT]|[MESSAGE].
+
+Requires the RFLIB base package to be installed in the target org and the running user to be assigned the rflib_Ops_Center_Access permission set (or have equivalent read access to rflib_Logs_Archive__b).
+For installation instructions, visit: https://github.com/j-fischer/rflib
+
+# flags.target-org.summary
+
+Username or alias of the target org.
+
+# flags.target-org.description
+
+The username or alias of the Salesforce org containing the RFLIB base package.
+
+# flags.start-date.summary
+
+Start of the date range in ISO 8601 format. Defaults to 24 hours ago.
+
+# flags.start-date.description
+
+Only return log archives created on or after this date. Must be in ISO 8601 format, e.g. 2024-01-01T00:00:00Z. Defaults to 24 hours ago if omitted.
+
+# flags.end-date.summary
+
+End of the date range in ISO 8601 format. Defaults to now.
+
+# flags.end-date.description
+
+Only return log archives created on or before this date. Must be in ISO 8601 format, e.g. 2024-12-31T23:59:59Z. Defaults to the current time if omitted.
+
+# examples
+
+- Get log archives from the last 24 hours:
+
+  $ sf rflib debug logarchives get --target-org myOrg
+
+- Get log archives for a specific date range:
+
+  $ sf rflib debug logarchives get --target-org myOrg --start-date 2024-01-01T00:00:00Z --end-date 2024-01-02T00:00:00Z

package/messages/rflib.debug.loggersettings.get.md

@@ -0,0 +1,27 @@
+# summary
+
+Read all RFLIB Logger Settings from a Salesforce org.
+
+# description
+
+Retrieves all rflib_Logger_Settings__c hierarchy custom setting records from the target org via the Salesforce REST API.
+Returns settings across org-wide defaults, profile overrides, and user overrides, along with embedded best-practice recommendations.
+
+Use "sf rflib debug loggersettings update" to apply changes.
+
+Requires the RFLIB base package to be installed in the target org and the running user to be assigned the rflib_Ops_Center_Access permission set (or have equivalent read access to rflib_Logger_Settings__c).
+For installation instructions, visit: https://github.com/j-fischer/rflib
+
+# flags.target-org.summary
+
+Username or alias of the target org.
+
+# flags.target-org.description
+
+The username or alias of the Salesforce org containing the RFLIB base package.
+
+# examples
+
+- Read all logger settings from the target org:
+
+  $ sf rflib debug loggersettings get --target-org myOrg

package/messages/rflib.debug.loggersettings.update.md

@@ -0,0 +1,63 @@
+# summary
+
+Create or update an RFLIB Logger Setting in a Salesforce org.
+
+# description
+
+Creates or updates a single field on an rflib_Logger_Settings__c record in the target org via the Salesforce REST API.
+Validates field values and warns about best-practice violations.
+
+To update an existing record, provide --record-id. To create a new record, provide --setup-owner-id with an org ID (00D...), profile ID (00E...), or user ID.
+
+Requires the RFLIB base package to be installed in the target org and the running user to be assigned the rflib_Ops_Center_Access permission set (or have equivalent update access to rflib_Logger_Settings__c).
+For installation instructions, visit: https://github.com/j-fischer/rflib
+
+# flags.target-org.summary
+
+Username or alias of the target org.
+
+# flags.target-org.description
+
+The username or alias of the Salesforce org containing the RFLIB base package.
+
+# flags.field-name.summary
+
+API name of the rflib_Logger_Settings__c field to update.
+
+# flags.field-name.description
+
+The API name of the field to create or update, e.g. Log_Event_Reporting_Level__c. For log level fields, valid values are: TRACE, DEBUG, INFO, WARN, ERROR, FATAL, NONE.
+
+# flags.field-value.summary
+
+New value for the specified field.
+
+# flags.field-value.description
+
+The new value to set on the specified field. For log level fields, valid values are: TRACE, DEBUG, INFO, WARN, ERROR, FATAL, NONE.
+
+# flags.record-id.summary
+
+ID of an existing rflib_Logger_Settings__c record to update.
+
+# flags.record-id.description
+
+The Salesforce record ID of an existing rflib_Logger_Settings__c record to update. Omit this flag to create a new record (requires --setup-owner-id).
+
+# flags.setup-owner-id.summary
+
+Setup owner ID for creating a new Logger Setting record.
+
+# flags.setup-owner-id.description
+
+Required when creating a new Logger Setting record. Accepts an org ID (00D...), profile ID (00E...), or user ID. Read existing record IDs using "sf rflib debug loggersettings get".
+
+# examples
+
+- Update the Log_Event_Reporting_Level__c field on an existing record:
+
+  $ sf rflib debug loggersettings update --target-org myOrg --record-id a0A000000001234 --field-name Log_Event_Reporting_Level__c --field-value WARN
+
+- Create a new org-wide Logger Setting:
+
+  $ sf rflib debug loggersettings update --target-org myOrg --setup-owner-id 00D000000000001 --field-name Log_Event_Reporting_Level__c --field-value WARN

package/messages/rflib.debug.userpermissions.get.md

@@ -0,0 +1,63 @@
+# summary
+
+Check Salesforce permissions for a user in the target org.
+
+# description
+
+Retrieves FLS (Field-Level Security), OLS (Object-Level Security), and Apex class/page permissions for a specific user
+via the Salesforce REST API. Permissions are aggregated across the user's profile, permission sets, and permission set groups.
+
+Use --sobject-type to narrow FLS or OLS results to a specific SObject.
+
+Requires the RFLIB base package to be installed in the target org and the running user to be assigned the rflib_Ops_Center_Access permission set (or have equivalent read access to the relevant permission objects).
+For installation instructions, visit: https://github.com/j-fischer/rflib
+
+# flags.target-org.summary
+
+Username or alias of the target org.
+
+# flags.target-org.description
+
+The username or alias of the Salesforce org containing the RFLIB base package.
+
+# flags.user-id.summary
+
+Salesforce User ID (15 or 18 character) to check permissions for.
+
+# flags.user-id.description
+
+The Salesforce User ID (15 or 18 characters) of the user whose permissions should be retrieved.
+
+# flags.permission-type.summary
+
+Type of permissions to retrieve: FLS, OLS, APEX, or ALL.
+
+# flags.permission-type.description
+
+Controls which permission types are returned:
+  - FLS: Field-Level Security only
+  - OLS: Object-Level Security only
+  - APEX: Apex class and page access only
+  - ALL: All three permission types
+
+# flags.sobject-type.summary
+
+Optional SObject API name to filter FLS or OLS results.
+
+# flags.sobject-type.description
+
+Filters Field-Level Security or Object-Level Security results to a specific SObject type, e.g. Account, Contact, Opportunity.
+
+# examples
+
+- Check all permissions for a user:
+
+  $ sf rflib debug userpermissions get --target-org myOrg --user-id 0057000000XXXXXX --permission-type ALL
+
+- Check FLS for a specific object:
+
+  $ sf rflib debug userpermissions get --target-org myOrg --user-id 0057000000XXXXXX --permission-type FLS --sobject-type Account
+
+- Check Apex access:
+
+  $ sf rflib debug userpermissions get --target-org myOrg --user-id 0057000000XXXXXX --permission-type APEX