Fix CE0066 entity access out of date errors

ako · claude · ako · commit 0b3d9c2c87e5 · 2026-03-16T22:49:29.000Z
Two root causes:

1. GRANT with READ */WRITE * wrote empty MemberAccesses array, relying on
   DefaultMemberAccessRights. Mendix requires explicit MemberAccess entries
   for every attribute/association — empty array triggers CE0066.

2. The exec command and -c flag iterated statements individually with
   Execute() instead of ExecuteProgram(), so finalizeProgramExecution()
   never ran. Stale MemberAccess entries after DROP ATTRIBUTE were never
   cleaned up by ReconcileMemberAccesses.

Verified all 9 CE0066 scenarios pass mx check with 0 errors.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/cmd/mxcli/cmd_exec.go b/cmd/mxcli/cmd_exec.go
@@ -58,14 +58,12 @@ Example:
 			os.Exit(1)
 		}
 
-		for _, stmt := range prog.Statements {
-			if err := exec.Execute(stmt); err != nil {
-				if errors.Is(err, executor.ErrExit) {
-					return
-				}
-				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-				os.Exit(1)
+		if err := exec.ExecuteProgram(prog); err != nil {
+			if errors.Is(err, executor.ErrExit) {
+				return
 			}
+			fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+			os.Exit(1)
 		}
 	},
 }
diff --git a/cmd/mxcli/main.go b/cmd/mxcli/main.go
@@ -102,14 +102,12 @@ Examples:
 				os.Exit(1)
 			}
 
-			for _, stmt := range prog.Statements {
-				if err := exec.Execute(stmt); err != nil {
-					if errors.Is(err, executor.ErrExit) {
-						return
-					}
-					fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-					os.Exit(1)
+			if err := exec.ExecuteProgram(prog); err != nil {
+				if errors.Is(err, executor.ErrExit) {
+					return
 				}
+				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+				os.Exit(1)
 			}
 		} else {
 			// Start interactive REPL
@@ -168,14 +166,12 @@ func executeMDL(projectPath, mdlCmd string) {
 		os.Exit(1)
 	}
 
-	for _, stmt := range prog.Statements {
-		if err := exec.Execute(stmt); err != nil {
-			if errors.Is(err, executor.ErrExit) {
-				return
-			}
-			fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-			os.Exit(1)
+	if err := exec.ExecuteProgram(prog); err != nil {
+		if errors.Is(err, executor.ErrExit) {
+			return
 		}
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
 	}
 }
 
diff --git a/mdl/executor/cmd_security_write.go b/mdl/executor/cmd_security_write.go
@@ -310,61 +310,62 @@ func (e *Executor) execGrantEntityAccess(s *ast.GrantEntityAccessStmt) error {
 		}
 	}
 
-	// Build explicit MemberAccesses when specific members are listed
+	// Build MemberAccess entries for all entity attributes and associations.
+	// Mendix requires explicit MemberAccess entries for every member — an empty
+	// MemberAccesses array triggers CE0066 "Entity access is out of date".
 	var memberAccesses []mpr.EntityMemberAccess
-	if readMembers != nil || writeMembers != nil {
-		// Build sets for quick lookup
-		writeMemberSet := make(map[string]bool)
-		for _, m := range writeMembers {
-			writeMemberSet[m] = true
-		}
-		readMemberSet := make(map[string]bool)
-		for _, m := range readMembers {
-			readMemberSet[m] = true
+
+	// Build sets for specific member overrides (when READ (Name, Email) syntax is used)
+	writeMemberSet := make(map[string]bool)
+	for _, m := range writeMembers {
+		writeMemberSet[m] = true
+	}
+	readMemberSet := make(map[string]bool)
+	for _, m := range readMembers {
+		readMemberSet[m] = true
+	}
+
+	// Create entries for all entity attributes
+	for _, attr := range entity.Attributes {
+		rights := defaultMemberAccess
+		if writeMemberSet[attr.Name] {
+			rights = "ReadWrite"
+		} else if readMemberSet[attr.Name] {
+			rights = "ReadOnly"
 		}
+		memberAccesses = append(memberAccesses, mpr.EntityMemberAccess{
+			AttributeRef: module.Name + "." + s.Entity.Name + "." + attr.Name,
+			AccessRights: rights,
+		})
+	}
 
-		// Create entries for all entity attributes
-		for _, attr := range entity.Attributes {
+	// Create entries for associations owned by this entity
+	for _, assoc := range dm.Associations {
+		if assoc.ParentID == entity.ID {
 			rights := defaultMemberAccess
-			if writeMemberSet[attr.Name] {
+			if writeMemberSet[assoc.Name] {
 				rights = "ReadWrite"
-			} else if readMemberSet[attr.Name] {
+			} else if readMemberSet[assoc.Name] {
 				rights = "ReadOnly"
 			}
 			memberAccesses = append(memberAccesses, mpr.EntityMemberAccess{
-				AttributeRef: module.Name + "." + s.Entity.Name + "." + attr.Name,
-				AccessRights: rights,
+				AssociationRef: module.Name + "." + assoc.Name,
+				AccessRights:   rights,
 			})
 		}
-
-		// Create entries for associations owned by this entity
-		for _, assoc := range dm.Associations {
-			if assoc.ParentID == entity.ID {
-				rights := defaultMemberAccess
-				if writeMemberSet[assoc.Name] {
-					rights = "ReadWrite"
-				} else if readMemberSet[assoc.Name] {
-					rights = "ReadOnly"
-				}
-				memberAccesses = append(memberAccesses, mpr.EntityMemberAccess{
-					AssociationRef: module.Name + "." + assoc.Name,
-					AccessRights:   rights,
-				})
-			}
-		}
-		for _, ca := range dm.CrossAssociations {
-			if ca.ParentID == entity.ID {
-				rights := defaultMemberAccess
-				if writeMemberSet[ca.Name] {
-					rights = "ReadWrite"
-				} else if readMemberSet[ca.Name] {
-					rights = "ReadOnly"
-				}
-				memberAccesses = append(memberAccesses, mpr.EntityMemberAccess{
-					AssociationRef: module.Name + "." + ca.Name,
-					AccessRights:   rights,
-				})
+	}
+	for _, ca := range dm.CrossAssociations {
+		if ca.ParentID == entity.ID {
+			rights := defaultMemberAccess
+			if writeMemberSet[ca.Name] {
+				rights = "ReadWrite"
+			} else if readMemberSet[ca.Name] {
+				rights = "ReadOnly"
 			}
+			memberAccesses = append(memberAccesses, mpr.EntityMemberAccess{
+				AssociationRef: module.Name + "." + ca.Name,
+				AccessRights:   rights,
+			})
 		}
 	}
 
diff --git a/mdl/executor/roundtrip_mxcheck_test.go b/mdl/executor/roundtrip_mxcheck_test.go
@@ -297,6 +297,158 @@ END;`
 	}
 }
 
+// --- CE0066 "Entity access is out of date" scenario tests ---
+//
+// These tests enumerate mutation orderings that might trigger CE0066 when
+// entity structure changes after access rules have been written.
+//
+// Scenarios to test:
+//   S1: CREATE ENTITY (with attrs) → GRANT                      (baseline)
+//   S2: CREATE ENTITY → GRANT → ALTER ADD ATTRIBUTE             (attribute added after security)
+//   S3: CREATE ENTITY → GRANT → CREATE ASSOCIATION              (association added after security)
+//   S4: CREATE ENTITY → GRANT → ALTER DROP ATTRIBUTE            (attribute removed after security)
+//   S5: CREATE ENTITY → ALTER ADD ATTRIBUTE → GRANT             (security after mutation — should always work)
+//   S6: CREATE ENTITY → GRANT(READ *) → ALTER → GRANT(READ *)  (re-grant after mutation)
+//   S7: CREATE ENTITY + GRANT in single script                  (typical user script pattern)
+//   S8: CREATE ENTITY → GRANT multiple roles → ALTER            (multiple rules + mutation)
+//   S9: CREATE ENTITY → GRANT → ALTER + CREATE ASSOC (combined) (both attrs and assocs change)
+
+// ce0066Scenario describes a single CE0066 test case.
+type ce0066Scenario struct {
+	name  string   // subtest name
+	steps []string // MDL statements to execute in order
+}
+
+func TestMxCheck_CE0066_Scenarios(t *testing.T) {
+	if !mxCheckAvailable() {
+		t.Skip("mx command not available")
+	}
+
+	mod := testModule
+	scenarios := []ce0066Scenario{
+		{
+			name: "S1_CreateEntity_Grant",
+			steps: []string{
+				`CREATE MODULE ROLE ` + mod + `.S1Admin;`,
+				`CREATE OR MODIFY PERSISTENT ENTITY ` + mod + `.S1Entity (Name: String(100), Email: String(200));`,
+				`GRANT ` + mod + `.S1Admin ON ` + mod + `.S1Entity (CREATE, DELETE, READ *, WRITE *);`,
+			},
+		},
+		{
+			name: "S2_Grant_ThenAddAttribute",
+			steps: []string{
+				`CREATE MODULE ROLE ` + mod + `.S2Admin;`,
+				`CREATE OR MODIFY PERSISTENT ENTITY ` + mod + `.S2Entity (Name: String(100));`,
+				`GRANT ` + mod + `.S2Admin ON ` + mod + `.S2Entity (CREATE, DELETE, READ *, WRITE *);`,
+				`ALTER ENTITY ` + mod + `.S2Entity ADD ATTRIBUTE Email String(200);`,
+				`ALTER ENTITY ` + mod + `.S2Entity ADD ATTRIBUTE Active Boolean DEFAULT false;`,
+			},
+		},
+		{
+			name: "S3_Grant_ThenAddAssociation",
+			steps: []string{
+				`CREATE MODULE ROLE ` + mod + `.S3Admin;`,
+				`CREATE OR MODIFY PERSISTENT ENTITY ` + mod + `.S3Parent (Name: String(100));`,
+				`CREATE OR MODIFY PERSISTENT ENTITY ` + mod + `.S3Child (Label: String(100));`,
+				`GRANT ` + mod + `.S3Admin ON ` + mod + `.S3Parent (CREATE, DELETE, READ *, WRITE *);`,
+				`CREATE ASSOCIATION ` + mod + `.S3Child_S3Parent (` + mod + `.S3Child -> ` + mod + `.S3Parent);`,
+			},
+		},
+		{
+			name: "S4_Grant_ThenDropAttribute",
+			steps: []string{
+				`CREATE MODULE ROLE ` + mod + `.S4Admin;`,
+				`CREATE OR MODIFY PERSISTENT ENTITY ` + mod + `.S4Entity (Name: String(100), Temp: String(50));`,
+				`GRANT ` + mod + `.S4Admin ON ` + mod + `.S4Entity (CREATE, DELETE, READ *, WRITE *);`,
+				`ALTER ENTITY ` + mod + `.S4Entity DROP ATTRIBUTE Temp;`,
+			},
+		},
+		{
+			name: "S5_AddAttribute_ThenGrant",
+			steps: []string{
+				`CREATE MODULE ROLE ` + mod + `.S5Admin;`,
+				`CREATE OR MODIFY PERSISTENT ENTITY ` + mod + `.S5Entity (Name: String(100));`,
+				`ALTER ENTITY ` + mod + `.S5Entity ADD ATTRIBUTE Email String(200);`,
+				`GRANT ` + mod + `.S5Admin ON ` + mod + `.S5Entity (CREATE, DELETE, READ *, WRITE *);`,
+			},
+		},
+		{
+			name: "S6_Grant_Alter_Regrant",
+			steps: []string{
+				`CREATE MODULE ROLE ` + mod + `.S6Admin;`,
+				`CREATE OR MODIFY PERSISTENT ENTITY ` + mod + `.S6Entity (Name: String(100));`,
+				`GRANT ` + mod + `.S6Admin ON ` + mod + `.S6Entity (READ *);`,
+				`ALTER ENTITY ` + mod + `.S6Entity ADD ATTRIBUTE Code String(50);`,
+				`GRANT ` + mod + `.S6Admin ON ` + mod + `.S6Entity (CREATE, DELETE, READ *, WRITE *);`,
+			},
+		},
+		{
+			name: "S7_SingleScript_CreateAndGrant",
+			steps: []string{
+				`CREATE MODULE ROLE ` + mod + `.S7Admin;`,
+				`CREATE OR MODIFY PERSISTENT ENTITY ` + mod + `.S7Entity (
+					Code: String(50) NOT NULL,
+					Description: String(500),
+					Count: Integer DEFAULT 0
+				);` + "\n" +
+					`GRANT ` + mod + `.S7Admin ON ` + mod + `.S7Entity (CREATE, DELETE, READ *, WRITE *);`,
+			},
+		},
+		{
+			name: "S8_MultipleRoles_ThenAlter",
+			steps: []string{
+				`CREATE MODULE ROLE ` + mod + `.S8Admin;`,
+				`CREATE MODULE ROLE ` + mod + `.S8Viewer;`,
+				`CREATE OR MODIFY PERSISTENT ENTITY ` + mod + `.S8Entity (Name: String(100));`,
+				`GRANT ` + mod + `.S8Admin ON ` + mod + `.S8Entity (CREATE, DELETE, READ *, WRITE *);`,
+				`GRANT ` + mod + `.S8Viewer ON ` + mod + `.S8Entity (READ *);`,
+				`ALTER ENTITY ` + mod + `.S8Entity ADD ATTRIBUTE Status String(50);`,
+			},
+		},
+		{
+			name: "S9_Grant_ThenAlterAndAssoc",
+			steps: []string{
+				`CREATE MODULE ROLE ` + mod + `.S9Admin;`,
+				`CREATE OR MODIFY PERSISTENT ENTITY ` + mod + `.S9Main (Name: String(100));`,
+				`CREATE OR MODIFY PERSISTENT ENTITY ` + mod + `.S9Related (Value: Integer);`,
+				`GRANT ` + mod + `.S9Admin ON ` + mod + `.S9Main (CREATE, DELETE, READ *, WRITE *);`,
+				`ALTER ENTITY ` + mod + `.S9Main ADD ATTRIBUTE Extra String(200);`,
+				`CREATE ASSOCIATION ` + mod + `.S9Related_S9Main (` + mod + `.S9Related -> ` + mod + `.S9Main);`,
+			},
+		},
+	}
+
+	for _, sc := range scenarios {
+		t.Run(sc.name, func(t *testing.T) {
+			env := setupTestEnv(t)
+			defer env.teardown()
+
+			for i, step := range sc.steps {
+				if err := env.executeMDL(step); err != nil {
+					if !strings.Contains(err.Error(), "already exists") {
+						t.Fatalf("Step %d failed: %v\nMDL: %s", i+1, err, step)
+					}
+				}
+			}
+
+			env.executor.Execute(&ast.DisconnectStmt{})
+
+			output, err := runMxCheck(t, env.projectPath)
+			if err != nil {
+				if strings.Contains(output, "CE0066") || strings.Contains(output, "out of date") {
+					t.Errorf("CE0066 entity access out of date:\n%s", output)
+				} else if strings.Contains(output, "error") || strings.Contains(output, "Error") {
+					t.Errorf("mx check found errors:\n%s", output)
+				} else {
+					t.Logf("mx check output (non-zero exit but no errors):\n%s", output)
+				}
+			} else {
+				t.Logf("mx check passed")
+			}
+		})
+	}
+}
+
 // TestMxCheck_MicroflowWithCallParams tests microflow with CALL unified param syntax.
 func TestMxCheck_MicroflowWithCallParams(t *testing.T) {
 	if !mxCheckAvailable() {

Original file line number	Diff line number	Diff line change
`@@ -58,14 +58,12 @@ Example:`
`58`	`58`	`os.Exit(1)`
`59`	`59`	`}`
`60`	`60`
`61`		`- for _, stmt := range prog.Statements {`
`62`		`- if err := exec.Execute(stmt); err != nil {`
`63`		`- if errors.Is(err, executor.ErrExit) {`
`64`		`- return`
`65`		`- }`
`66`		`- fmt.Fprintf(os.Stderr, "Error: %v\n", err)`
`67`		`- os.Exit(1)`
	`61`	`+ if err := exec.ExecuteProgram(prog); err != nil {`
	`62`	`+ if errors.Is(err, executor.ErrExit) {`
	`63`	`+ return`
`68`	`64`	`}`
	`65`	`+ fmt.Fprintf(os.Stderr, "Error: %v\n", err)`
	`66`	`+ os.Exit(1)`
`69`	`67`	`}`
`70`	`68`	`},`
`71`	`69`	`}`
Original file line number	Diff line number	Diff line change
`@@ -102,14 +102,12 @@ Examples:`
`102`	`102`	`os.Exit(1)`
`103`	`103`	`}`
`104`	`104`
`105`		`- for _, stmt := range prog.Statements {`
`106`		`- if err := exec.Execute(stmt); err != nil {`
`107`		`- if errors.Is(err, executor.ErrExit) {`
`108`		`- return`
`109`		`- }`
`110`		`- fmt.Fprintf(os.Stderr, "Error: %v\n", err)`
`111`		`- os.Exit(1)`
	`105`	`+ if err := exec.ExecuteProgram(prog); err != nil {`
	`106`	`+ if errors.Is(err, executor.ErrExit) {`
	`107`	`+ return`
`112`	`108`	`}`
	`109`	`+ fmt.Fprintf(os.Stderr, "Error: %v\n", err)`
	`110`	`+ os.Exit(1)`
`113`	`111`	`}`
`114`	`112`	`} else {`
`115`	`113`	`// Start interactive REPL`
`@@ -168,14 +166,12 @@ func executeMDL(projectPath, mdlCmd string) {`
`168`	`166`	`os.Exit(1)`
`169`	`167`	`}`
`170`	`168`
`171`		`- for _, stmt := range prog.Statements {`
`172`		`- if err := exec.Execute(stmt); err != nil {`
`173`		`- if errors.Is(err, executor.ErrExit) {`
`174`		`- return`
`175`		`- }`
`176`		`- fmt.Fprintf(os.Stderr, "Error: %v\n", err)`
`177`		`- os.Exit(1)`
	`169`	`+ if err := exec.ExecuteProgram(prog); err != nil {`
	`170`	`+ if errors.Is(err, executor.ErrExit) {`
	`171`	`+ return`
`178`	`172`	`}`
	`173`	`+ fmt.Fprintf(os.Stderr, "Error: %v\n", err)`
	`174`	`+ os.Exit(1)`
`179`	`175`	`}`
`180`	`176`	`}`
`181`	`177`