fix: stabilize MDL roundtrip and integration flows

Four independent stability fixes surfaced together while chasing a green
roundtrip suite. They touch different layers but are bundled here because
they all gate on the same test run — splitting would require duplicated
test fixtures across PRs.

sdk/mpr — FindOrCreate mapping roundtrip:

  Import/export mappings store "FindOrCreate" in BSON as a *pair* of
  fields: `ObjectHandling=Find` plus `ObjectHandlingBackup=Create`. The
  parser previously copied `ObjectHandling` verbatim (yielding just
  "Find"), and the export writer hardcoded `ObjectHandlingBackup=Create`
  regardless of the primary mode.

  - `parser_import_mapping.go` now recognises the `Find + Create` pair
    and promotes it to the synthetic `FindOrCreate` value the domain
    model uses elsewhere.
  - `writer_export_mapping.go` echoes the actual `ObjectHandling`
    instead of forcing "Create"; misuse produced CE6702 on describe +
    re-execute cycles.
  - `writer_import_mapping.go` inverts the split symmetrically: if the
    model says `FindOrCreate`, serialise as `Find` + `Create` so Studio
    Pro can load the mapping.

  Added parser/writer tests cover both halves and a matching fixture
  (`RestTest.PetRecord`) was added to `06-rest-client-examples.mdl`
  so the mapping has a real entity to bind to; this lets
  `roundtrip_doctype_test.go` drop CE6702 from the known-errors list.

mdl/executor — DROP + CREATE OR REPLACE preserves UnitID:

  When a script ran `DROP MICROFLOW X; CREATE OR MODIFY MICROFLOW X ...`
  in the same session, the executor deleted the Unit row and inserted
  a new one with a fresh UUID. Studio Pro treats the new UnitID as an
  unrelated document and rejects the file with ".mpr does not look like
  a Mendix Studio Pro project".

  - `executor.go` adds a `droppedMicroflows` cache on `executorCache`
    keyed by qualified name, plus `rememberDroppedMicroflow` /
    `consumeDroppedMicroflow` helpers.
  - `cmd_microflows_drop.go` records the UnitID, ContainerID, and
    AllowedModuleRoles before calling `DeleteMicroflow`.
  - `cmd_microflows_create.go` consumes the remembered entry when the
    qualified name matches, reusing the original UnitID (and
    ContainerID when no new folder is given) so the rewrite looks like
    an in-place update from the file's perspective.
  - Mock regression test
    `TestDropThenCreatePreservesMicroflowUnitID` asserts the reused
    UnitID and preserved access roles.

mdl/executor — default document access roles:

  Fresh `CREATE MICROFLOW` / `CREATE PAGE` on a module with no module
  roles tripped CE0148 ("document has no access for any role"). Rather
  than leaving every script author to define roles by hand, auto-
  provision a minimal `User` role on modules that currently have none,
  and stamp it onto new pages/microflows.

  - `cmd_security_defaults.go` (new) adds `defaultDocumentAccessRoles`,
    `remapDocumentAccessRoles` (cross-module MOVE), `documentRoleStrings`,
    `cloneRoleIDs`, and `pruneInvalidUserRoles`. The auto-created role
    carries a fixed description (`autoDocumentRoleDescription`) so
    `CREATE MODULE ROLE User` on the same module is treated as a no-op
    rather than CE0112 "already exists".
  - `cmd_microflows_create.go` and `cmd_pages_create_v3.go` stamp the
    default on new units and preserve existing roles across
    `OR REPLACE` / `OR MODIFY`.
  - `cmd_move.go` remaps access roles across cross-module moves using
    the target module's role names (falling back to the default role
    when the target has none).
  - `cmd_modules.go` and `cmd_security_write.go` call
    `pruneInvalidUserRoles` after DROP MODULE / DROP MODULE ROLE so
    orphaned user roles don't trip CE0157.
  - `cmd_microflows_builder.go` — `registerResultVariableType(nil)`
    now clears stale entity typing and marks the variable as declared
    with type `Unknown`, instead of leaving the variable un-tracked,
    so subsequent CHANGE/attribute access still resolves. Covered by
    `TestCallMicroflowUnknownResultTypeStillDeclaresVariable`.

Test and script hardening:

  - `docker/check_test.go` and `docker/detect_test.go` set
    `PATH=t.TempDir()` instead of `PATH=""` for the cache-preference
    tests. Empty `PATH` confuses `exec.LookPath` on Linux (it falls
    back to the current directory) and made the test flaky depending
    on `os.Getwd()`. An empty temp directory is a clean "mx isn't on
    PATH" signal.
  - `scripts/run-mdl-tests.sh` now validates `$PROJECT_MPR`,
    `$MXCLI_BIN`, `$TEST_SPEC`, `$BOOTSTRAP_MDL` with `[[ -f ... ]]`
    guards. `${VAR:?...}` only fires on *unset* vars, so typo'd paths
    previously produced an empty sandbox and confusing downstream
    errors.

Author: hjotha

cmd/mxcli/docker/check_test.go

@@ -122,7 +122,9 @@ func TestCheck_SkipUpdateWidgetsFlag(t *testing.T) {
 func TestResolveMxForVersion_PrefersExactCachedVersion(t *testing.T) {
 	dir := t.TempDir()
 	setTestHomeDir(t, dir)
-	t.Setenv("PATH", "")
+	// Point PATH at an empty temp dir (rather than clearing it) so exec.LookPath
+	// still works for any other testing infrastructure but can't find mx.
+	t.Setenv("PATH", t.TempDir())
 
 	versions := []string{"9.24.40.80973", "11.6.3", "11.9.0"}
 	var expected string

cmd/mxcli/docker/detect_test.go

@@ -272,7 +272,9 @@ func TestResolveMxBuild_PrefersStudioProOverCache(t *testing.T) {
 func TestResolveMxBuild_PrefersExactCachedVersion(t *testing.T) {
 	dir := t.TempDir()
 	setTestHomeDir(t, dir)
-	t.Setenv("PATH", "")
+	// Point PATH at an empty temp dir (rather than clearing it) so exec.LookPath
+	// still works for any other testing infrastructure but can't find mxbuild.
+	t.Setenv("PATH", t.TempDir())
 
 	versions := []string{"9.24.40.80973", "11.6.3", "11.9.0"}
 	var expected string

mdl-examples/doctype-tests/06-rest-client-examples.mdl

@@ -1301,10 +1301,17 @@ create import mapping RestTest.IMM_Order
 --
 -- Uses FIND OR CREATE to upsert: find existing by KEY, create if not found.
 
+create persistent entity RestTest.PetRecord (
+  PetId: Integer,
+  Name: String,
+  Status: String
+);
+/
+
 create import mapping RestTest.IMM_UpsertPet
   with json structure RestTest.JSON_Pet
 {
-  find or create RestTest.PetResponse {
+  find or create RestTest.PetRecord {
     PetId = id key,
     Name = name,
     status = status

mdl/executor/bugfix_regression_test.go

@@ -509,3 +509,25 @@ func TestCallMicroflowResultType_ResolvesSubsequentChangeMember(t *testing.T) {
 		t.Fatalf("expected qualified attribute MfTest.Product.Price, got %q", got)
 	}
 }
+
+func TestCallMicroflowUnknownResultTypeStillDeclaresVariable(t *testing.T) {
+	fb := &flowBuilder{
+		varTypes:     map[string]string{"Result": "Old.ModuleEntity"},
+		declaredVars: map[string]string{},
+	}
+
+	fb.addCallMicroflowAction(&ast.CallMicroflowStmt{
+		OutputVariable: "Result",
+		MicroflowName:  ast.QualifiedName{Module: "Missing", Name: "Unknown"},
+	})
+
+	if _, ok := fb.varTypes["Result"]; ok {
+		t.Fatalf("expected stale entity typing to be cleared, got %q", fb.varTypes["Result"])
+	}
+	if got := fb.declaredVars["Result"]; got != "Unknown" {
+		t.Fatalf("expected Result to remain declared as Unknown, got %q", got)
+	}
+	if !fb.isVariableDeclared("Result") {
+		t.Fatal("expected Result to remain declared after unresolved call return type")
+	}
+}

mdl/executor/cmd_microflows_builder.go

@@ -79,8 +79,20 @@ func (fb *flowBuilder) isVariableDeclared(varName string) bool {
 
 // registerResultVariableType records the output type of an action so later
 // statements such as CHANGE, ADD TO, or attribute access can resolve members.
+// When dt is nil (e.g. backend lookup failed), any stale entity/list typing is
+// cleared but the variable remains declared as Unknown so downstream statements
+// don't report it as undeclared.
 func (fb *flowBuilder) registerResultVariableType(varName string, dt microflows.DataType) {
-	if varName == "" || dt == nil {
+	if varName == "" {
+		return
+	}
+	if dt == nil {
+		if fb.varTypes != nil {
+			delete(fb.varTypes, varName)
+		}
+		if fb.declaredVars != nil {
+			fb.declaredVars[varName] = "Unknown"
+		}
 		return
 	}
 

mdl/executor/cmd_microflows_create.go

@@ -115,6 +115,8 @@ func execCreateMicroflow(ctx *ExecContext, s *ast.CreateMicroflowStmt) error {
 	}
 	if preserveAllowedRoles {
 		mf.AllowedModuleRoles = existingAllowedRoles
+	} else {
+		mf.AllowedModuleRoles = defaultDocumentAccessRoles(ctx, module)
 	}
 
 	// Build entity resolver function for parameter/return types

mdl/executor/cmd_modules.go

@@ -276,6 +276,9 @@ func execDropModule(ctx *ExecContext, s *ast.DropModuleStmt) error {
 					fmt.Fprintf(ctx.Output, "Removed %s from %d user role(s)\n", qualifiedRole, n)
 				}
 			}
+			if err := pruneInvalidUserRoles(ctx, ps); err != nil {
+				return mdlerrors.NewBackend("cleanup invalid user roles", err)
+			}
 		}
 	}
 

mdl/executor/cmd_move.go

@@ -56,11 +56,11 @@ func execMove(ctx *ExecContext, s *ast.MoveStmt) error {
 	// Execute move based on document type
 	switch s.DocumentType {
 	case ast.DocumentTypePage:
-		if err := movePage(ctx, s.Name, targetContainerID); err != nil {
+		if err := movePage(ctx, s.Name, targetContainerID, targetModule, isCrossModuleMove); err != nil {
 			return err
 		}
 	case ast.DocumentTypeMicroflow:
-		if err := moveMicroflow(ctx, s.Name, targetContainerID); err != nil {
+		if err := moveMicroflow(ctx, s.Name, targetContainerID, targetModule, isCrossModuleMove); err != nil {
 			return err
 		}
 	case ast.DocumentTypeSnippet:
@@ -110,7 +110,7 @@ func updateQualifiedNameRefs(ctx *ExecContext, name ast.QualifiedName, newModule
 }
 
 // movePage moves a page to a new container.
-func movePage(ctx *ExecContext, name ast.QualifiedName, targetContainerID model.ID) error {
+func movePage(ctx *ExecContext, name ast.QualifiedName, targetContainerID model.ID, targetModule *model.Module, isCrossModuleMove bool) error {
 	// Find the page
 	pages, err := ctx.Backend.ListPages()
 	if err != nil {
@@ -131,6 +131,12 @@ func movePage(ctx *ExecContext, name ast.QualifiedName, targetContainerID model.
 			if err := ctx.Backend.MovePage(p); err != nil {
 				return mdlerrors.NewBackend("move page", err)
 			}
+			if isCrossModuleMove {
+				p.AllowedRoles = remapDocumentAccessRoles(ctx, targetModule, p.AllowedRoles)
+				if err := ctx.Backend.UpdateAllowedRoles(p.ID, documentRoleStrings(p.AllowedRoles)); err != nil {
+					return mdlerrors.NewBackend("remap page access", err)
+				}
+			}
 			fmt.Fprintf(ctx.Output, "Moved page %s to new location\n", name.String())
 			return nil
 		}
@@ -140,7 +146,7 @@ func movePage(ctx *ExecContext, name ast.QualifiedName, targetContainerID model.
 }
 
 // moveMicroflow moves a microflow to a new container.
-func moveMicroflow(ctx *ExecContext, name ast.QualifiedName, targetContainerID model.ID) error {
+func moveMicroflow(ctx *ExecContext, name ast.QualifiedName, targetContainerID model.ID, targetModule *model.Module, isCrossModuleMove bool) error {
 	// Find the microflow
 	mfs, err := ctx.Backend.ListMicroflows()
 	if err != nil {
@@ -161,6 +167,12 @@ func moveMicroflow(ctx *ExecContext, name ast.QualifiedName, targetContainerID m
 			if err := ctx.Backend.MoveMicroflow(mf); err != nil {
 				return mdlerrors.NewBackend("move microflow", err)
 			}
+			if isCrossModuleMove {
+				mf.AllowedModuleRoles = remapDocumentAccessRoles(ctx, targetModule, mf.AllowedModuleRoles)
+				if err := ctx.Backend.UpdateAllowedRoles(mf.ID, documentRoleStrings(mf.AllowedModuleRoles)); err != nil {
+					return mdlerrors.NewBackend("remap microflow access", err)
+				}
+			}
 			fmt.Fprintf(ctx.Output, "Moved microflow %s to new location\n", name.String())
 			return nil
 		}

mdl/executor/cmd_pages_create_v3.go

@@ -40,13 +40,19 @@ func execCreatePageV3(ctx *ExecContext, s *ast.CreatePageStmtV3) error {
 	// Check if page already exists - collect ALL duplicates
 	existingPages, _ := ctx.Backend.ListPages()
 	var pagesToDelete []model.ID
+	var existingAllowedRoles []model.ID
+	preserveAllowedRoles := false
 	for _, p := range existingPages {
 		modID := getModuleID(ctx, p.ContainerID)
 		modName := getModuleName(ctx, modID)
 		if modName == s.Name.Module && p.Name == s.Name.Name {
 			if !s.IsReplace && !s.IsModify && len(pagesToDelete) == 0 {
 				return mdlerrors.NewAlreadyExists("page", s.Name.String())
 			}
+			if len(pagesToDelete) == 0 {
+				existingAllowedRoles = cloneRoleIDs(p.AllowedRoles)
+				preserveAllowedRoles = true
+			}
 			pagesToDelete = append(pagesToDelete, p.ID)
 		}
 	}
@@ -69,6 +75,11 @@ func execCreatePageV3(ctx *ExecContext, s *ast.CreatePageStmtV3) error {
 	if err != nil {
 		return mdlerrors.NewBackend("build page", err)
 	}
+	if preserveAllowedRoles {
+		page.AllowedRoles = existingAllowedRoles
+	} else if len(page.AllowedRoles) == 0 {
+		page.AllowedRoles = defaultDocumentAccessRoles(ctx, module)
+	}
 
 	// Replace or create the page in the MPR
 	if len(pagesToDelete) > 0 {

mdl/executor/cmd_security_defaults.go

@@ -0,0 +1,142 @@
+// SPDX-License-Identifier: Apache-2.0
+
+package executor
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/mendixlabs/mxcli/model"
+	"github.com/mendixlabs/mxcli/sdk/security"
+)
+
+const (
+	autoDocumentRoleName        = "User"
+	autoDocumentRoleDescription = "Auto-created default role for mxcli document access"
+)
+
+// defaultDocumentAccessRoles returns a conservative fallback role set for newly
+// created pages/microflows when the target module has no module roles at all.
+//
+// Mendix accepts document access only when it references a role from the same
+// module; using an existing role from another module causes CE0148 on freshly
+// created documents. To keep mx-check green, auto-create a local `User` module
+// role only for modules that currently have zero roles. Modules that already
+// manage their own roles keep the existing "no access by default" behavior.
+func defaultDocumentAccessRoles(ctx *ExecContext, module *model.Module) []model.ID {
+	if module == nil {
+		return nil
+	}
+
+	ms, err := ctx.Backend.GetModuleSecurity(module.ID)
+	if err != nil || ms == nil {
+		return nil
+	}
+	if moduleUsesAutoDocumentRole(ms) {
+		return []model.ID{model.ID(module.Name + "." + autoDocumentRoleName)}
+	}
+	if len(ms.ModuleRoles) > 0 {
+		return nil
+	}
+
+	if err := ctx.Backend.AddModuleRole(ms.ID, autoDocumentRoleName, autoDocumentRoleDescription); err != nil {
+		return nil
+	}
+	return []model.ID{model.ID(module.Name + "." + autoDocumentRoleName)}
+}
+
+func moduleUsesAutoDocumentRole(ms *security.ModuleSecurity) bool {
+	if ms == nil {
+		return false
+	}
+	return len(ms.ModuleRoles) == 1 &&
+		ms.ModuleRoles[0].Name == autoDocumentRoleName &&
+		ms.ModuleRoles[0].Description == autoDocumentRoleDescription
+}
+
+func remapDocumentAccessRoles(ctx *ExecContext, targetModule *model.Module, currentRoles []model.ID) []model.ID {
+	if targetModule == nil {
+		return nil
+	}
+
+	ms, err := ctx.Backend.GetModuleSecurity(targetModule.ID)
+	if err != nil || ms == nil {
+		return nil
+	}
+	if len(ms.ModuleRoles) == 0 || moduleUsesAutoDocumentRole(ms) {
+		return defaultDocumentAccessRoles(ctx, targetModule)
+	}
+
+	targetRoleNames := make(map[string]bool, len(ms.ModuleRoles))
+	for _, role := range ms.ModuleRoles {
+		targetRoleNames[role.Name] = true
+	}
+
+	var remapped []model.ID
+	seen := make(map[string]bool)
+	for _, qualifiedRole := range currentRoles {
+		roleName := string(qualifiedRole)
+		if idx := strings.LastIndex(roleName, "."); idx >= 0 {
+			roleName = roleName[idx+1:]
+		}
+		if !targetRoleNames[roleName] {
+			continue
+		}
+		targetQualifiedRole := targetModule.Name + "." + roleName
+		if seen[targetQualifiedRole] {
+			continue
+		}
+		seen[targetQualifiedRole] = true
+		remapped = append(remapped, model.ID(targetQualifiedRole))
+	}
+
+	return remapped
+}
+
+func documentRoleStrings(roles []model.ID) []string {
+	values := make([]string, 0, len(roles))
+	for _, role := range roles {
+		values = append(values, string(role))
+	}
+	return values
+}
+
+func cloneRoleIDs(roles []model.ID) []model.ID {
+	if len(roles) == 0 {
+		return nil
+	}
+	cloned := make([]model.ID, len(roles))
+	copy(cloned, roles)
+	return cloned
+}
+
+// pruneInvalidUserRoles removes user roles that no longer have any non-System
+// module role assignments. Mendix rejects those roles with CE0157.
+func pruneInvalidUserRoles(ctx *ExecContext, ps *security.ProjectSecurity) error {
+	if latest, err := ctx.Backend.GetProjectSecurity(); err == nil {
+		ps = latest
+	} else if ps == nil {
+		return err
+	}
+
+	for _, userRole := range ps.UserRoles {
+		hasNonSystemRole := false
+		for _, moduleRole := range userRole.ModuleRoles {
+			if !strings.HasPrefix(moduleRole, "System.") {
+				hasNonSystemRole = true
+				break
+			}
+		}
+		if hasNonSystemRole {
+			continue
+		}
+		if err := ctx.Backend.RemoveUserRole(ps.ID, userRole.Name); err != nil {
+			return err
+		}
+		if !ctx.Quiet {
+			fmt.Fprintf(ctx.Output, "Dropped invalid user role: %s\n", userRole.Name)
+		}
+	}
+
+	return nil
+}