build(deps): migrate @casl/ability v6 → v7

[PierreBrisorgueil]

Summary

Migrates @casl/ability ^6.8.1 → ^7.0.0. Supersedes dependabot #3693 (which is red — the bare bump breaks authorization).

Root cause

v7 renames PureAbility → Ability and drops the default conditions matcher; the historical MongoDB-matching Ability class no longer exists. The policy builder did new AbilityBuilder(Ability), so condition rules like can('manage', 'Organization', { _id }) stopped matching → authorization silently denied → endpoints returned 403/422.

What changed

• lib/middlewares/policy.js — build via createMongoAbility instead of Ability (restores MongoQuery condition matching).
• JSDoc type refs Ability → MongoAbility (policy.js, lib/helpers/abilities.js).
• package.json — @casl/ability ^7.0.0.
• MIGRATIONS.md — downstream-complete upgrade notes.

Module policy files are unchanged (they use can/cannot closures, never the Ability class). Serialized rule format is unchanged (createMongoAbility keeps the MongoQuery shape) → Node→client packing stays compatible.

Test plan

• npm run test:unit — 1498 passed
• npm run test:integration — passed
• npm run test:e2e — 9 passed (incl. the org permission test that returned 422 on build(deps): bump @casl/ability from 6.8.1 to 7.0.0 #3693, now 200)
• npm run lint — clean

Summary by CodeRabbit

• Chores

  • Updated @casl/ability dependency to v7.0.0 with enhanced MongoDB-style ability handling.

• Documentation

  • Added migration guide documenting the upgrade process and associated behavioral changes.

[coderabbitai]

Warning

Rate limit exceeded

@PierreBrisorgueil has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 39 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 98682132-4b80-4213-8460-a854d8fe4e29

📥 Commits

Reviewing files that changed from the base of the PR and between ce245e6 and d54fc64.

📒 Files selected for processing (2)

• MIGRATIONS.md
• lib/middlewares/tests/policy.unit.tests.js

Walkthrough

This PR upgrades the @casl/ability dependency from v6 to v7 and updates the codebase to align with v7's breaking changes. The policy middleware now uses createMongoAbility for ability instantiation, and all JSDoc type annotations are updated to reference MongoAbility instead of the generic Ability.

Changes

@casl/ability v7 Migration

Layer / File(s)	Summary
Dependency and middleware update package.json, lib/middlewares/policy.js	Dependency bumped to v7.0.0; defineAbilityFor now uses createMongoAbility to instantiate the ability builder and returns MongoAbility type.
Type annotation alignment lib/helpers/abilities.js	JSDoc parameter type for serializeAbilities updated from Ability to MongoAbility to match the v7 contract.
Migration documentation MIGRATIONS.md	Dated migration entry (2026-05-22) documents the version bump, middleware behavior changes, type reference updates, and verification steps.

---

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: migrating @casl/ability from v6 to v7, which is the primary objective of the PR.
Description check	✅ Passed	The description covers the summary, root cause, what changed, and test plan with comprehensive details. However, the Scope section (modules impacted, cross-module impact, risk level) and Guardrails section (validation checklist, secrets check) are missing from the provided description.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/casl-v7-migration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR migrates the project from @casl/ability v6 to v7 while restoring MongoDB-style condition matching required by the app’s CASL policies (to avoid condition rules silently failing and denying authorization).

Changes:

• Bump @casl/ability to ^7.0.0 (and lockfile transitive @ucast/* updates).
• Update the policy middleware to build abilities using createMongoAbility (MongoQuery matcher) instead of the v7 Ability export (formerly PureAbility).
• Update JSDoc type references and document downstream upgrade steps in MIGRATIONS.md.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
package.json	Bumps @casl/ability to ^7.0.0.
package-lock.json	Locks @casl/ability@7.0.0 and updated @ucast/* transitive dependencies.
MIGRATIONS.md	Adds downstream-facing migration notes and rationale for the CASL v7 change.
lib/middlewares/policy.js	Switches ability construction to createMongoAbility to restore MongoQuery condition matching.
lib/helpers/abilities.js	Updates JSDoc to reflect MongoAbility usage for serialized rules.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.70%. Comparing base (1b9f7a6) to head (d54fc64).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #3696   +/-   ##
=======================================
  Coverage   89.70%   89.70%           
=======================================
  Files         142      142           
  Lines        4780     4780           
  Branches     1498     1498           
=======================================
  Hits         4288     4288           
  Misses        385      385           
  Partials      107      107           

Flag	Coverage Δ
integration	59.49% <100.00%> (ø)
unit	66.15% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1b9f7a6...d54fc64. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@MIGRATIONS.md`:
- Around line 14-21: The fenced JavaScript example block around the
AbilityBuilder/Ability -> AbilityBuilder/createMongoAbility snippet lacks
surrounding blank lines and triggers MD031; fix by adding an empty line before
the opening ```js and an empty line after the closing ``` so the code block is
isolated, ensuring the examples showing AbilityBuilder, Ability, and
createMongoAbility are properly delimited and markdownlint stops flagging the
block.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1f1ad6d3-fa25-44c1-b96d-4ef18e3b29c2

📥 Commits

Reviewing files that changed from the base of the PR and between 1b9f7a6 and ce245e6.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (4)

• MIGRATIONS.md
• lib/helpers/abilities.js
• lib/middlewares/policy.js
• package.json