Harden scoped FumaDB policy tests

Author: RhysSullivan

apps/local/src/server/executor.ts

@@ -5,7 +5,14 @@ import * as fs from "node:fs";
 import { homedir } from "node:os";
 import { basename, join } from "node:path";
 
-import { Scope, ScopeId, collectTables, createExecutor, type AnyPlugin } from "@executor-js/sdk";
+import {
+  Scope,
+  ScopeId,
+  collectTables,
+  createExecutor,
+  type AnyPlugin,
+  withQueryContext,
+} from "@executor-js/sdk";
 import { loadPluginsFromJsonc } from "@executor-js/config";
 
 import executorConfig from "../../executor.config";
@@ -189,7 +196,9 @@ const importLegacySqliteIfNeeded = async (options: {
     const result = await importSqliteDataToFuma({
       sqlitePath: storage.sqlitePath,
       markerPath: storage.importMarkerPath,
-      db: target.db,
+      target: withQueryContext(target.db, {
+        allowedScopeIds: new Set([scopeId]),
+      }),
       tables,
       scopeId,
     });

apps/local/src/server/sqlite-import.test.ts

@@ -81,10 +81,11 @@ describe("importSqliteDataToFuma", () => {
       path: join(workDir, "target.db"),
     });
 
+    const scopedDb = withQueryContext(sqlite.db, { allowedScopeIds: new Set(["scope_a"]) });
     const result = await importSqliteDataToFuma({
       sqlitePath,
       markerPath,
-      db: sqlite.db,
+      target: scopedDb,
       tables,
       scopeId: "scope_a",
     });
@@ -96,9 +97,7 @@ describe("importSqliteDataToFuma", () => {
     expect(existsSync(sqlitePath)).toBe(false);
     expect(result.backupPath && existsSync(result.backupPath)).toBe(true);
 
-    const db = withQueryContext(sqlite.db, { allowedScopeIds: new Set(["scope_a"]) });
-
-    const source = (await db.findFirst("source", {
+    const source = (await scopedDb.findFirst("source", {
       where: (b) => b("id", "=", "src_1"),
     })) as Record<string, unknown>;
     expect(source.scope_id).toBe("scope_a");
@@ -107,7 +106,7 @@ describe("importSqliteDataToFuma", () => {
     expect(source.can_edit).toBe(true);
     expect(source.created_at).toBeInstanceOf(Date);
 
-    const blob = (await db.findFirst("blob", {
+    const blob = (await scopedDb.findFirst("blob", {
       where: (b) => b("id", "=", JSON.stringify(["scope_a/plugin", "spec"])),
     })) as Record<string, unknown>;
     expect(blob.value).toBe("{}");

apps/local/src/server/sqlite-import.ts

@@ -6,13 +6,7 @@ import { dirname } from "node:path";
 
 /* oxlint-disable executor/no-json-parse, executor/no-switch-statement, executor/no-try-catch-or-throw -- boundary: one-shot legacy SQLite importer normalizes unknown rows and wraps native sqlite failures */
 
-import {
-  withQueryContext,
-  type AnyColumn,
-  type AnyTable,
-  type FumaDb,
-  type FumaTables,
-} from "@executor-js/sdk";
+import { type AnyColumn, type AnyTable, type FumaTables } from "@executor-js/sdk";
 
 type SqliteRow = Record<string, unknown>;
 
@@ -31,7 +25,7 @@ export class LocalSqliteImportError extends Data.TaggedError("LocalSqliteImportE
 export interface LocalSqliteImportOptions {
   readonly sqlitePath: string;
   readonly markerPath: string;
-  readonly db: FumaDb;
+  readonly target: ImportFumaDb;
   readonly tables: FumaTables;
   readonly scopeId: string;
 }
@@ -186,11 +180,8 @@ export const importSqliteDataToFuma = async (
     sqlite = new Database(options.sqlitePath, { readonly: true });
     const importedTables: string[] = [];
     let importedRows = 0;
-    const dbWithScopeContext = withQueryContext(options.db, {
-      allowedScopeIds: new Set([options.scopeId]),
-    });
 
-    await (dbWithScopeContext as ImportFumaDb).transaction(async (db) => {
+    await options.target.transaction(async (db) => {
       for (const [tableKey, table] of Object.entries(options.tables)) {
         const tableName = table.names.sql;
         if (!tableExists(sqlite!, tableName)) continue;

packages/core/api/src/scoped-targets.test.ts

@@ -15,7 +15,6 @@ import {
   definePlugin,
   makeTestConfig,
   type Executor,
-  withQueryContext,
 } from "@executor-js/sdk";
 import { memorySecretsPlugin } from "@executor-js/sdk/testing";
 
@@ -176,9 +175,7 @@ describe("core API explicit target scopes", () => {
       expect(response.status).toBe(200);
       const rows = toScopeRows(
         yield* Effect.promise(() =>
-          withQueryContext(config.db, {
-            allowedScopeIds: new Set([String(userScope), String(orgScope)]),
-          }).findMany("connection", {
+          config.db.findMany("connection", {
             where: (b) => b("id", "=", connectionId),
           }),
         ),
@@ -225,11 +222,7 @@ describe("core API explicit target scopes", () => {
       );
 
       expect(response.status).toBe(400);
-      const sessions = yield* Effect.promise(() =>
-        withQueryContext(config.db, {
-          allowedScopeIds: new Set([String(userScope), String(orgScope)]),
-        }).findMany("oauth2_session"),
-      );
+      const sessions = yield* Effect.promise(() => config.db.findMany("oauth2_session"));
       expect(sessions).toEqual([]);
     }),
   );

packages/core/sdk/src/executor.ts

@@ -19,6 +19,7 @@ import type { OAuthEndpointUrlPolicy } from "./oauth-helpers";
 import { generateKeyBetween } from "fractional-indexing";
 import {
   StorageError,
+  isStorageFailure,
   makeFumaClient,
   type FumaDb,
   type FumaRow,
@@ -400,13 +401,20 @@ export const collectTables = (plugins: readonly AnyPlugin[]): FumaTables => {
     }
   }
 
-  for (const tableDef of Object.values(merged)) {
-    assertExecutorScopePolicyTable(tableDef);
-  }
+  validateExecutorScopePolicyTables(merged);
 
   return merged;
 };
 
+const validateExecutorScopePolicyTables = (tables: FumaTables): void => {
+  for (const tableDef of Object.values(tables)) {
+    assertExecutorScopePolicyTable(tableDef);
+  }
+};
+
+const storageFailureFromUnknown = (message: string, cause: unknown): StorageFailure =>
+  isStorageFailure(cause) ? cause : new StorageError({ message, cause });
+
 const createDefaultMemoryDb = (tables: FumaTables): ExecutorDb => {
   const version = "1.0.0";
   const latestSchema = fumaSchema<string, FumaTables, RelationsMap<FumaTables>>({
@@ -790,14 +798,22 @@ export const createExecutor = <const TPlugins extends readonly AnyPlugin[] = rea
       return empty as TPlugins;
     };
     const { scopes, plugins = defaultPlugins() } = config;
+    const tables = yield* Effect.try({
+      try: () => collectTables(plugins),
+      catch: (cause) => storageFailureFromUnknown("Failed to collect executor tables", cause),
+    });
     const dbInput = yield* Effect.suspend(() => {
-      if (!config.db) return Effect.succeed(createDefaultMemoryDb(collectTables(plugins)));
+      if (!config.db) return Effect.succeed(createDefaultMemoryDb(tables));
       if (typeof config.db !== "function") return Effect.succeed(config.db);
-      const out = config.db({ tables: collectTables(plugins) });
+      const out = config.db({ tables });
       return Effect.isEffect(out) ? out : Effect.succeed(out);
     });
     const rootDbUntyped = "db" in dbInput ? dbInput.db : dbInput;
     const closeDb = "db" in dbInput ? dbInput.close : undefined;
+    yield* Effect.try({
+      try: () => validateExecutorScopePolicyTables(rootDbUntyped.internal.tables),
+      catch: (cause) => storageFailureFromUnknown("Failed to validate executor tables", cause),
+    });
 
     if (scopes.length === 0) {
       return yield* new StorageError({