Add FumaDB table policy interceptors#821

Merged
RhysSullivan merged 4 commits into codex/fumadb-cutover from codex/fumadb-policy-interceptors
May 14, 2026

@RhysSullivan
Owner

Stacked on #817.

Summary

  • add typed FumaDB table policy hooks for read/create/update/delete requests
  • enforce executor scope policy by constraining FumaDB query conditions instead of prefetching rows
  • add realistic scope-policy coverage for buggy plugin reads, counts, updates, and deletes

Verification

  • bun run format:check
  • bun run lint
  • bun run typecheck
  • bun run --cwd packages/core/sdk test -- src/scope-policy.test.ts src/credential-bindings.test.ts
  • bun run --cwd apps/local test -- src/server/sqlite-import.test.ts
  • bun run --cwd packages/plugins/openapi test -- src/sdk/plugin.test.ts
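
The constraint approach from the summary, as an added TypeScript example that is not the PR's code. `Row`, `Table`, `memoryTable` and `demo` are hypothetical, and `withQueryContext` here is a toy reimplementation that borrows only the name and the `allowedScopeIds` option seen in the review snippets, not FumaDB's API.

```typescript
type Row = { id: string; scope_id: string; name: string };
type Where = (row: Row) => boolean; // a query condition, modelled as a predicate
interface Table {
  findMany(where?: Where): Row[];
  count(where?: Where): number;
  updateMany(where: Where, set: Partial<Row>): number;
  deleteMany(where: Where): number;
  create(row: Row): Row;
}
// Constructed in-memory table standing in for the raw, unscoped database handle.
function memoryTable(rows: Row[]): Table {
  const all: Where = () => true;
  return {
    findMany: (where = all) => rows.filter(where),
    count: (where = all) => rows.filter(where).length,
    updateMany: (where, set) => {
      const hit = rows.filter(where);
      hit.forEach((r) => Object.assign(r, set));
      return hit.length;
    },
    deleteMany: (where) => {
      const kept = rows.filter((r) => !where(r));
      return rows.splice(0, rows.length, ...kept).length - kept.length;
    },
    create: (row) => (rows.push(row), row),
  };
}
// Toy policy wrapper (assumption, not FumaDB's API): AND scope into every condition.
function withQueryContext(table: Table, ctx: { allowedScopeIds: Set<string> }): Table {
  const inScope: Where = (r) => ctx.allowedScopeIds.has(r.scope_id);
  const and = (where?: Where): Where => (r) => inScope(r) && (where ? where(r) : true);
  const deny = (what: string): never => { throw new Error("scope policy: " + what); };
  return {
    findMany: (where) => table.findMany(and(where)),
    count: (where) => table.count(and(where)),
    updateMany: (where, set) =>
      set.scope_id !== undefined && !ctx.allowedScopeIds.has(set.scope_id)
        ? deny("update would move a row out of scope") : table.updateMany(and(where), set),
    deleteMany: (where) => table.deleteMany(and(where)),
    create: (row) => (inScope(row) ? table.create(row) : deny("create outside scope")),
  };
}
// Constructed rows; the caller is "buggy" in that it passes no scope filter at all.
function demo() {
  const raw = memoryTable([
    { id: "1", scope_id: "scope_a", name: "a" }, { id: "2", scope_id: "scope_b", name: "b" }]);
  const db = withQueryContext(raw, { allowedScopeIds: new Set(["scope_a"]) });
  return { db, raw, seen: db.count(), updated: db.updateMany(() => true, { name: "x" }),
    deleted: db.deleteMany(() => true) };
}
```

Because the scope constraint travels with the condition, counts and bulk writes stay inside the allowed scopes even when the caller supplies no filter, which a prefetch-then-check design has to re-implement per operation.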

expect(result.backupPath && existsSync(result.backupPath)).toBe(true);

const source = (await sqlite.db.findFirst("source", {
const db = withQueryContext(sqlite.db, { allowedScopeIds: new Set(["scope_a"]) });
Owner Author

are we giving raw db access that bypasses the filtering we have

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented May 14, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ✅ Deployment successful! | executor-cloud | 1f5b254 | May 14 2026, 11:44 PM |

Comment thread apps/local/src/server/sqlite-import.ts Outdated
sqlite = new Database(options.sqlitePath, { readonly: true });
const importedTables: string[] = [];
let importedRows = 0;
const dbWithScopeContext = withQueryContext(options.db, {
Owner Author

options.db probs shouldn't exist

const rows = toScopeRows(
yield* Effect.promise(() =>
config.db.findMany("connection", {
withQueryContext(config.db, {
Owner Author

why isn't .db already scoped

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented May 14, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ Deployment successful! | executor-marketing | 1f5b254 | Commit Preview URL, Branch Preview URL | May 14 2026, 11:44 PM |

@RhysSullivan RhysSullivan merged commit 1f5b254 into codex/fumadb-cutover May 14, 2026
7 of 9 checks passed