Skip to content

feat(app-shell): CEL authoring safety for RLS policies — lint, field autocomplete, test-run #2413

Description

@os-zhuang

Context

The permission-set Studio editor (PermissionAdvancedFacets — the Row-Level Security section) lets admins author RLS policies as hand-typed CEL USING (read filter) and CHECK (write filter) expressions. A rich set is edited entirely by hand — e.g. member_default has 17 policies, each with per-operation USING/CHECK editors.

Problem

The CEL editors today have no syntax validation, no field-name autocomplete, and no way to test a policy.

RLS is a security-critical surface: a typo in a USING/CHECK predicate silently produces the wrong row scope, and some evaluation paths fail open — so a mistake widens access with no visible error. This is the highest-risk, most error-prone authoring surface in the permission model, yet it has the least authoring support.

Proposed work

  1. Client-side CEL syntax lint — surface parse errors inline before save (reuse the framework CEL parser rather than maintaining a second grammar).
  2. Field-name autocomplete — while typing, offer the target object's fields plus the scope vars (current_user, record, ctx, app, …) to prevent silent typos on unknown identifiers.
  3. Test-run affordance — "evaluate this policy against a sample record" so the author sees allow/deny before shipping.
  4. Optionally, flag where a policy fails open vs. fails closed so authors understand the blast radius of a malformed predicate.

Acceptance criteria

  • Malformed CEL is flagged inline and (optionally) blocks save.
  • Autocomplete suggests valid field/scope identifiers for the policy's object.
  • An author can dry-run a USING/CHECK predicate against a sample record and see the result.

References

Surfaced during go-live UAT while verifying the Studio RLS editor (P3).

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions