Context
The permission-set Studio editor (PermissionAdvancedFacets — the Row-Level Security section) lets admins author RLS policies as hand-typed CEL USING (read filter) and CHECK (write filter) expressions. A rich set is edited entirely by hand — e.g. member_default has 17 policies, each with per-operation USING/CHECK editors.
Problem
The CEL editors today have no syntax validation, no field-name autocomplete, and no way to test a policy.
RLS is a security-critical surface: a typo in a USING/CHECK predicate silently produces the wrong row scope, and some evaluation paths fail open — so a mistake widens access with no visible error. This is the highest-risk, most error-prone authoring surface in the permission model, yet it has the least authoring support.
Proposed work
- Client-side CEL syntax lint — surface parse errors inline before save (reuse the framework CEL parser rather than maintaining a second grammar).
- Field-name autocomplete — while typing, offer the target object's fields plus the scope vars (
current_user, record, ctx, app, …) to prevent silent typos on unknown identifiers.
- Test-run affordance — "evaluate this policy against a sample record" so the author sees allow/deny before shipping.
- Optionally, flag where a policy fails open vs. fails closed so authors understand the blast radius of a malformed predicate.
Acceptance criteria
References
Surfaced during go-live UAT while verifying the Studio RLS editor (P3).
Context
The permission-set Studio editor (
PermissionAdvancedFacets— the Row-Level Security section) lets admins author RLS policies as hand-typed CELUSING(read filter) andCHECK(write filter) expressions. A rich set is edited entirely by hand — e.g.member_defaulthas 17 policies, each with per-operationUSING/CHECKeditors.Problem
The CEL editors today have no syntax validation, no field-name autocomplete, and no way to test a policy.
RLS is a security-critical surface: a typo in a
USING/CHECKpredicate silently produces the wrong row scope, and some evaluation paths fail open — so a mistake widens access with no visible error. This is the highest-risk, most error-prone authoring surface in the permission model, yet it has the least authoring support.Proposed work
current_user,record,ctx,app, …) to prevent silent typos on unknown identifiers.Acceptance criteria
USING/CHECKpredicate against a sample record and see the result.References
packages/app-shell/src/views/metadata-admin/PermissionAdvancedFacets.tsx(RLS section)ExpressionEvaluator(@object-ui/core); framework CEL parserSurfaced during go-live UAT while verifying the Studio RLS editor (P3).