merge dev to main (v3.8.2)

[ymc9]

Summary by CodeRabbit

• Bug Fixes

  • Improved handling of authorization and policy expressions involving related fields, nested this references, and in checks.
  • Added coverage for complex access-control scenarios to reduce regressions.

• Chores

  • Bumped the release version to 3.8.2 across the project, including packages, samples, and test tooling.

[coderabbitai]

📝 Walkthrough

Walkthrough

All packages are bumped from version 3.8.1 to 3.8.2. The policy plugin's ExpressionTransformer receives targeted fixes for this-rooted member chain compilation, in-operator handling with SelectQueryNode RHS, relation-field normalization, and collection predicate LHS evaluation. Three new e2e tests cover the fixed scenarios.

Changes

Policy Expression Transformer Fixes

Layer / File(s)	Summary
ExpressionTransformer core fixes packages/plugins/policy/src/expression-transformer.ts	Adds isThisRootedMember helper; refactors getFieldDefFromFieldRef with walkRelationChain; adds SelectQueryNode path for in-operator using buildArrayContains; removes null-only restriction on relation-field comparisons; guards collection predicate LHS from treating this-rooted members as value-tree data; clears contextValue for relation-join path; roots this.<...> multi-segment chains using context.thisType/context.thisAlias.
New e2e auth-access tests tests/e2e/orm/policy/auth-access.test.ts	Adds three tests: this.relation.field in collection predicates, this.relation.arrayField with in operator, and this-rooted collection predicates inside auth bindings.

Version Bump 3.8.1 → 3.8.2

Layer / File(s)	Summary
Version bump across all packages package.json, packages/*/package.json, samples/*/package.json, tests/*/package.json	Updates version field from 3.8.1 to 3.8.2 across all package manifests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 A hop from .1 to .2 we go,
this.relation.field now gleams with flow,
in with subqueries finds its way,
Collection predicates brightened today,
The warren ships a tidier patch —
Version bumped, all tests attach! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the PR as a merge from dev to main and mentions the v3.8.2 release bump.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/plugins/policy/src/expression-transformer.ts (1)

340-348: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Don’t silently compare only the first id for composite relations.

idFields[0] makes direct relation comparisons ignore the remaining key columns for models with composite ids, which can over-authorize policy checks. Either expand relation equality across all id fields or reject composite-id relation comparisons here.

Minimal guard to avoid unsafe partial comparisons

 const idFields = QueryUtils.requireIdFields(this.schema, leftRelDef.type);
+invariant(
+    idFields.length === 1,
+    `direct relation comparison for composite id model "${leftRelDef.type}" must compare all id fields`,
+);
 normalizedLeft = this.makeOrAppendMember(normalizedLeft, idFields[0]!);

 const idFields = QueryUtils.requireIdFields(this.schema, rightRelDef.type);
+invariant(
+    idFields.length === 1,
+    `direct relation comparison for composite id model "${rightRelDef.type}" must compare all id fields`,
+);
 normalizedRight = this.makeOrAppendMember(normalizedRight, idFields[0]!);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/plugins/policy/src/expression-transformer.ts` around lines 340 -
348, The relation comparison logic in expression-transformer’s expression
normalization is only using the first identifier field via
QueryUtils.requireIdFields and makeOrAppendMember, which silently drops the बाकी
composite key columns. Update the handling in this comparison path to either
expand expr.left/expr.right normalization across all id fields for relation
equality or explicitly reject composite-id relation comparisons here so policy
checks cannot use partial keys.

🧹 Nitpick comments (1)

tests/e2e/orm/policy/auth-access.test.ts (1)

605-678: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add a denied assertion for the hierarchy policy.

This regression test only proves the happy path. Add an unrelated assignment/scope case that must not resolve the doc, so an over-broad relation comparison or always-true policy can’t pass.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/e2e/orm/policy/auth-access.test.ts` around lines 605 - 678, The
auth-access regression test for the Doc hierarchy policy only covers the allowed
path, so it can miss an overly broad predicate. In the existing test block
around createPolicyTestClient and reader.doc.findUnique, add a separate negative
case using a different user/assignment/scope combination that should not match
the authScope ancestry check, and assert the doc lookup does not resolve. Keep
the new assertion alongside the current happy-path setup so the @@allow on Doc
and the auth().assignments predicate are both exercised for denial as well.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/plugins/policy/src/expression-transformer.ts`:
- Around line 340-348: The relation comparison logic in expression-transformer’s
expression normalization is only using the first identifier field via
QueryUtils.requireIdFields and makeOrAppendMember, which silently drops the बाकी
composite key columns. Update the handling in this comparison path to either
expand expr.left/expr.right normalization across all id fields for relation
equality or explicitly reject composite-id relation comparisons here so policy
checks cannot use partial keys.

---

Nitpick comments:
In `@tests/e2e/orm/policy/auth-access.test.ts`:
- Around line 605-678: The auth-access regression test for the Doc hierarchy
policy only covers the allowed path, so it can miss an overly broad predicate.
In the existing test block around createPolicyTestClient and
reader.doc.findUnique, add a separate negative case using a different
user/assignment/scope combination that should not match the authScope ancestry
check, and assert the doc lookup does not resolve. Keep the new assertion
alongside the current happy-path setup so the @@allow on Doc and the
auth().assignments predicate are both exercised for denial as well.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b4a68a88-9c62-4afb-914d-842fefbf21cd

📥 Commits

Reviewing files that changed from the base of the PR and between b8a1dc2 and 05c985a.

📒 Files selected for processing (30)

• package.json
• packages/auth-adapters/better-auth/package.json
• packages/cli/package.json
• packages/clients/client-helpers/package.json
• packages/clients/fetch-client/package.json
• packages/clients/tanstack-query/package.json
• packages/common-helpers/package.json
• packages/config/eslint-config/package.json
• packages/config/tsdown-config/package.json
• packages/config/typescript-config/package.json
• packages/config/vitest-config/package.json
• packages/create-zenstack/package.json
• packages/ide/vscode/package.json
• packages/language/package.json
• packages/orm/package.json
• packages/plugins/policy/package.json
• packages/plugins/policy/src/expression-transformer.ts
• packages/plugins/soft-delete/package.json
• packages/schema/package.json
• packages/sdk/package.json
• packages/server/package.json
• packages/testtools/package.json
• packages/zod/package.json
• samples/orm/package.json
• samples/taskforge/package.json
• tests/e2e/orm/policy/auth-access.test.ts
• tests/e2e/package.json
• tests/regression/package.json
• tests/runtimes/bun/package.json
• tests/runtimes/edge-runtime/package.json