fix: validate partial bodies at definition time #3115

Draft
ivanauth wants to merge 3 commits into authzed:main from ivanauth:fix/issue-2982-validate-partials-on-definition

ivanauth (Contributor) commented May 13, 2026

Fixes #2982.

ivanauth requested a review from a team as a code owner May 13, 2026 21:02
github-actions bot added the labels area/schema (Affects the Schema Language) and area/tooling (Affects the dev or user toolchain (e.g. tests, ci, build tools)) May 13, 2026

codecov bot commented May 13, 2026

Codecov Report

❌ Patch coverage is 17.42424% with 109 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| pkg/development/partials.go | 3.04% | 96 Missing ⚠️ |
| pkg/schemadsl/compiler/translator.go | 43.75% | 9 Missing ⚠️ |
| pkg/development/devcontext.go | 20.00% | 4 Missing ⚠️ |

ivanauth marked this pull request as draft May 13, 2026 21:48
ivanauth force-pushed the fix/issue-2982-validate-partials-on-definition branch from d3a795c to 792c896 June 5, 2026 23:17

ivanauth and others added 3 commits June 29, 2026 15:05

Errors in a partial body (e.g. an allowedDirectRelation pointing at an
undefined object type or caveat) used to surface only when the partial
was inlined into a real definition. That deferred and misattributed the
problem: an LSP user editing the partial's file would see no error, and
once a consumer was added the diagnostic would appear in the consumer
rather than in the partial.

A pre-pass in pkg/development now walks each partial's relations and
validates the lookups it can resolve in isolation. To attribute errors
correctly across `...other_partial` splat composition, the compiler
records each *core.Relation's origin partial in a new
PartialRelationOrigins map on CompiledSchema; the validator iterates
relations by origin so each is checked exactly once against the partial
that actually declared it. Relations already inlined into an object
definition are skipped, so consumed partials don't double-report.

Partials are not runtime types, so a partial name (including the
partial's own name) is rejected as the subject type of an
allowedDirectRelation. Computed-userset / TTU checks that depend on
consumer-supplied relations remain deferred to consumer validation.

Closes authzed#2982.

- Assert Path, Line, and Column on the developer error so a regression
  to "error emitted but attributed to the wrong file" would fail loudly.
- Document the intentional scope of validateCompiledPartials by pinning
  that computed-userset and arrow references in partial permission
  bodies are not flagged at definition time (they depend on
  consumer-supplied relations and are caught at inlining).

ivanauth force-pushed the fix/issue-2982-validate-partials-on-definition branch from afb74b3 to 7146e28 June 29, 2026 19:13
ivanauth closed this Jun 29, 2026
ivanauth reopened this Jun 29, 2026
github-actions bot locked and limited conversation to collaborators Jun 29, 2026
ivanauth closed this Jun 29, 2026
ivanauth reopened this Jun 29, 2026
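
The definition-time check described in the first commit message, sketched as an added example (not code from this pull request or from the project): `Relation`, `Schema`, `Kinds`, `Origins` and `ValidatePartials` are hypothetical names, and the schema in `sample` is constructed. It covers only the direct subject-type lookups; computed-userset and arrow checks are left out, as the commit message says they stay with the consumer.

```go
package main

import (
	"fmt"
	"sort"
)

// Relation and Schema are toy stand-ins for compiled schema types (hypothetical names).
type Relation struct {
	Name     string
	Subjects []string // allowed direct subject types
	Inlined  bool     // already inlined into an object definition
}

type Schema struct {
	Kinds   map[string]string    // type name -> "definition" or "partial"
	Origins map[*Relation]string // relation -> declaring partial, the role of PartialRelationOrigins
}

// ValidatePartials checks each relation once, against the partial that declared it.
func ValidatePartials(s Schema) (errs []string) {
	for rel, origin := range s.Origins {
		if rel.Inlined {
			continue // reported through the consuming definition instead
		}
		for _, t := range rel.Subjects {
			switch s.Kinds[t] {
			case "partial":
				errs = append(errs, fmt.Sprintf("%s#%s: partial %q is not a runtime type", origin, rel.Name, t))
			case "":
				errs = append(errs, fmt.Sprintf("%s#%s: object type %q not found", origin, rel.Name, t))
			}
		}
	}
	sort.Strings(errs) // map iteration order is random; keep output stable
	return errs
}

// sample is constructed input: partial "shared" splats "...base", yet viewer has one origin.
func sample() Schema {
	viewer := &Relation{"viewer", []string{"user", "usr"}, false}
	owner := &Relation{"owner", []string{"shared"}, false}
	editor := &Relation{"editor", []string{"grp"}, true}
	return Schema{
		Kinds:   map[string]string{"user": "definition", "base": "partial", "shared": "partial"},
		Origins: map[*Relation]string{viewer: "base", owner: "shared", editor: "base"},
	}
}
func main() { fmt.Println(ValidatePartials(sample())) }
```

Because the map is keyed by relation pointer, a relation reachable from several partials through splats still yields one diagnostic, attributed to the partial that wrote it.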

Development

Successfully merging this pull request may close these issues.

Validation of partials occurs only after you use the partial somewhere