doc: v3 access policy and input validation

[ymc9]

Summary by CodeRabbit

• New Features

  • StackBlitz integration can open multiple files.
  • New public error for policy rejections (RejectedByPolicyError); validation error renamed to InputValidationError.

• Documentation

  • Major docs added/expanded: access control (overview, field-level, post-update, query behavior), input validation, expressions, functions, and policy plugin guides.
  • Docs switched to Docusaurus 3; deployment instructions removed and navigation metadata updated.

• Chores

  • Added additional documentation subprojects.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
zenstack-new-site	Ready	Preview	Comment	Oct 19, 2025 9:35pm

💡 Enable Vercel Agent with $100 free credit for automated AI reviews

[coderabbitai]

Walkthrough

Adds Git submodule entries and updates submodule pointers; introduces extensive v3 documentation for access control and input validation; small metadata/frontmatter edits across docs; updates StackBlitzGithub React component to accept multiple open files; renames some error names in docs (e.g., ValidationError → InputValidationError).

Changes

Cohort / File(s)	Summary
Git Configuration \.gitmodules``	Added submodule entries for code-repos/zenstackhq/v3-doc-orm-validation and code-repos/zenstackhq/v3-doc-orm-policy (existing v3-doc-orm-polymorphism retained).
Submodule Pointers code-repos/zenstackhq/... \code-repos/zenstackhq/v3-doc-orm-policy`, `code-repos/zenstackhq/v3-doc-orm-validation`, `code-repos/zenstackhq/v3-doc-quick-start``	Added/updated subproject commit references for the listed submodules (submodule commit bumps only).
Project Metadata \README.md``	Updated docs to reference Docusaurus 3 and removed previous deployment instructions from the Build section.
React Component \src/components/StackBlitzGithub.tsx``	openFile prop changed from string to `string
Access Control Docs versioned_docs/version-3.x/orm/access-control/* \versioned_docs/version-3.x/orm/access-control/index.md`, `.../write-policies.md`, `.../query.md`, `.../post-update.md`, `.../field-level.md``	Added comprehensive access control documentation pages: overview, write policies, querying behavior, post-update rules, and a field-level placeholder.
Validation Docs versioned_docs/version-3.x/orm/validation.md, versioned_docs/version-3.x/reference/zmodel/input-validation.md	Replaced placeholders with full input-validation documentation: field-level attributes, model-level @@validate, functions list, semantics, and examples.
Expression & Functions Reference versioned_docs/version-3.x/reference/zmodel/expression.md, \.../function.md``	Added expression language documentation and added admonitions/links in functions pointing to input-validation docs.
Policy Plugin Reference \versioned_docs/version-3.x/reference/plugins/policy.md``	New page documenting @zenstackhq/plugin-policy usage, @@allow/@@deny attributes, policy functions, and runtime plugin integration.
ORM Reference & Errors versioned_docs/version-3.x/orm/errors.md, \versioned_docs/version-3.x/orm/index.md`, `.../migration.md`, `.../typed-json.md``	Renamed docs' ValidationError → InputValidationError; documented new RejectedByPolicyError; frontmatter/metadata tweaks and minor formatting edits.
ZModel Reference Edits versioned_docs/version-3.x/reference/zmodel/*.md \attribute.md`, `data-field.md`, `import.md`, `plugin.md``	Adjusted relative links, sidebar_position metadata changes, and added small validation info blocks.
Minor Docs Edits \versioned_docs/version-3.x/modeling/relation.md`, `versioned_docs/version-3.x/orm/typed-json.md`, `blog/better-auth/index.mdx`, `docs/faq.md``	Small heading change ("Referential Action"), whitespace fixes, and typo corrections.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Caller as Calling Code
  participant Comp as StackBlitzGithub
  participant SB as StackBlitz

  Note over Caller,Comp #F0F8FF: Caller supplies openFile (string | string[])
  Caller->>Comp: render(openFile = "a.ts" | ["a.ts","b.ts"], plainCodeFiles?)
  alt openFile is string
    Comp->>Comp: openFiles = [openFile]
  else openFile is string[]
    Comp->>Comp: openFiles = openFile
  end
  Comp->>Comp: options.openFile = openFiles.join(',')
  alt plainCodeFiles undefined
    Comp->>Comp: plainCodeFiles = [...openFiles]
  end
  Comp->>SB: send options (openFile CSV) and plainCodeFiles
  Note right of SB #E8F5E9: StackBlitz receives comma-separated openFile list and files payload

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• docs: v3 docs structure #479 — Overlapping v3 docs changes and the same submodule additions; likely touches the same documentation/component files.
• doc: guide for custom auth #395 — Related to auth()/authentication documentation and may overlap access-control and policy docs.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The pull request title "doc: v3 access policy and input validation" accurately reflects the primary objectives of this changeset. The PR introduces substantial new documentation for two major v3 features: access control policies (including write-policies.md, post-update.md, query.md, field-level.md, and policy plugin reference) and input validation (including updated validation.md and new input-validation.md with comprehensive attribute and function documentation). The title is concise, uses appropriate prefixing ("doc:") to indicate documentation changes, and clearly specifies both the version (v3) and the two main documentation focuses. While the PR also includes some infrastructure changes (Git submodules, component updates, Docusaurus version bump), the bulk of the changeset is focused on documenting these two features, which the title captures appropriately.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch doc/v3-policy

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (4)

versioned_docs/version-3.x/reference/plugins/policy.md (1)

114-122: Improve sentence variety in list function descriptions.

Three consecutive list items begin with "Checks", which triggers a style warning. While not a blocker, varying sentence structure improves readability.

Consider rewording one or more of these to vary the opening:

 - `hasSome()`
 
     ```zmodel
     function hasSome(field: Any[], search: Any[]): Boolean {
     }
     ```
 
-    Checks if the list field value has at least one element of the search list
+    Determines if the list field contains at least one element from the search list
 
 - `hasEvery()`
 
     ```zmodel
     function hasEvery(field: Any[], search: Any[]): Boolean {}
     ```
 
-    Checks if the list field value has all elements of the search list.
+    Verifies that the list field contains all elements from the search list.
 
 
 - `isEmpty()`
 
     ```zmodel
     function isEmpty(field: Any[]): Boolean {}
     ```
 
-    Checks if the list field value is empty.
+    Verifies whether the list field is empty.

versioned_docs/version-3.x/orm/access-control/01-write-policies.md (2)

206-207: Replace uncommon contraction and improve clarity.

Line 206 uses the contraction "There're" which is uncommon in formal documentation. Additionally, the phrasing "not accessible yet" on line 207 could be more direct.

-## Special Notes About `create`
-There're limitations with what relations can be accessed in `create` rules, because such rules are evaluated before the record is created, and at that time, relations are not accessible yet.
+## Special Notes About `create`
-There are limitations with what relations can be accessed in `create` rules, because such rules are evaluated before the record is created, and at that time, relations are inaccessible.

---

1-290: Consider standardizing markdown list indentation.

The file uses 4-space indentation for nested list items throughout, while Markdown convention (and markdownlint) typically expects 2-space indentation. While this may not cause rendering issues with Docusaurus, standardizing to 2-space indentation would improve consistency with markdown conventions and reduce linter warnings.

This is a low-priority style fix that could be addressed in a follow-up pass across the entire documentation set if consistency is desired.

versioned_docs/version-3.x/reference/zmodel/10-input-validation.md (1)

1-252: Consider standardizing markdown list indentation.

Similar to the policy documentation file, this reference uses 4-space indentation for nested list items throughout, while markdown conventions expect 2-space indentation. This is a low-priority consistency improvement that could be addressed across the documentation set if desired.

This formatting issue does not affect content clarity or rendering with Docusaurus but aligns with markdown best practices.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c57a1af and 6da8385.

📒 Files selected for processing (30)

• .gitmodules (1 hunks)
• README.md (1 hunks)
• code-repos/zenstackhq/v3-doc-orm-policy (1 hunks)
• code-repos/zenstackhq/v3-doc-orm-validation (1 hunks)
• code-repos/zenstackhq/v3-doc-quick-start (1 hunks)
• versioned_docs/version-3.x/orm/01-quick-start.md (0 hunks)
• versioned_docs/version-3.x/orm/02-cli.md (0 hunks)
• versioned_docs/version-3.x/orm/03-client.md (0 hunks)
• versioned_docs/version-3.x/orm/05-query-builder.md (0 hunks)
• versioned_docs/version-3.x/orm/09-validation.md (1 hunks)
• versioned_docs/version-3.x/orm/10-computed-fields.md (0 hunks)
• versioned_docs/version-3.x/orm/11-polymorphism.md (0 hunks)
• versioned_docs/version-3.x/orm/12-typed-json.md (0 hunks)
• versioned_docs/version-3.x/orm/14-logging.md (0 hunks)
• versioned_docs/version-3.x/orm/15-inferred-types.md (0 hunks)
• versioned_docs/version-3.x/orm/16-errors.md (1 hunks)
• versioned_docs/version-3.x/orm/17-migration.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/01-write-policies.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/02-query.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/03-post-update.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/04-field-level.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/index.md (1 hunks)
• versioned_docs/version-3.x/orm/index.md (0 hunks)
• versioned_docs/version-3.x/orm/validation.md (0 hunks)
• versioned_docs/version-3.x/reference/plugins/policy.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/06-attribute.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/07-function.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/08-expression.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/09-import.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/10-input-validation.md (1 hunks)

💤 Files with no reviewable changes (11)

• versioned_docs/version-3.x/orm/02-cli.md
• versioned_docs/version-3.x/orm/10-computed-fields.md
• versioned_docs/version-3.x/orm/03-client.md
• versioned_docs/version-3.x/orm/validation.md
• versioned_docs/version-3.x/orm/12-typed-json.md
• versioned_docs/version-3.x/orm/index.md
• versioned_docs/version-3.x/orm/05-query-builder.md
• versioned_docs/version-3.x/orm/01-quick-start.md
• versioned_docs/version-3.x/orm/14-logging.md
• versioned_docs/version-3.x/orm/15-inferred-types.md
• versioned_docs/version-3.x/orm/11-polymorphism.md

🧰 Additional context used

🪛 LanguageTool

versioned_docs/version-3.x/orm/access-control/index.md

[grammar] ~13-~13: Ensure spelling is correct
Context: ... CRUD which piece of data". Having them colocated with the data model reduces redundancy,...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

versioned_docs/version-3.x/reference/zmodel/10-input-validation.md

[style] ~56-~56: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a string field to contain a given subst...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~64-~64: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a string field to be a valid email addr...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~72-~72: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a string field to be a valid URL. ...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~80-~80: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...essage: String?) ``` Requires a string field to be a valid ISO 8601 d...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~88-~88: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a string field to match a given regular...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~138-~138: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a number field to be greater than a giv...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~146-~146: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a number field to be greater than or eq...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~188-~188: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...h: String): Boolean {} ``` Checks if a string field contains a given subs...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~196-~196: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...l(field: String): Boolean {} ``` Checks if a string field is a valid email addr...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~204-~204: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...l(field: String): Boolean {} ``` Checks if a string field is a valid URL. - `i...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~212-~212: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...e(field: String): Boolean {} ``` Checks if a string field is a valid ISO 8601 d...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~220-~220: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...pattern: String): Boolean {} ``` Checks if a string field matches a given regul...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~228-~228: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...[], search: Any): Boolean {} ``` Checks if a list field contains a given elemen...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~236-~236: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ..., search: Any[]): Boolean {} ``` Checks if a list field contains at least one e...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~244-~244: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ..., search: Any[]): Boolean {} ``` Checks if a list field contains all elements f...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~252-~252: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...ty(field: Any[]): Boolean {} ``` Checks if a list field is empty.

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

versioned_docs/version-3.x/orm/access-control/03-post-update.md

[grammar] ~3-~3: Ensure spelling is correct
Context: ...o the "pre" state, meaning that if your polices refer to the model's fields, the fields...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

versioned_docs/version-3.x/reference/plugins/policy.md

[style] ~122-~122: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...(field: Any[]): Boolean {} ``` Checks if the list field value is empty. ## R...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

versioned_docs/version-3.x/orm/access-control/01-write-policies.md

[style] ~71-~71: ‘new records’ might be wordy. Consider a shorter alternative.
Context: ... create The permission to create new records. The rules are evaluated before the...

(EN_WORDINESS_PREMIUM_NEW_RECORDS)

---

[style] ~206-~206: The contraction ‘There’re’ is uncommon in written English.
Context: ...sals. ## Special Notes About create There're limitations with what relations can be ...

(THERE_RE_CONTRACTION_UNCOMMON)

---

[style] ~207-~207: Consider using “inaccessible” to avoid wordiness.
Context: ...reated, and at that time, relations are not accessible yet. As a result, create rules can o...

(NOT_ABLE_PREMIUM)

🪛 markdownlint-cli2 (0.18.1)

versioned_docs/version-3.x/reference/zmodel/10-input-validation.md

25-25: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

34-34: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

42-42: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

50-50: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

58-58: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

66-66: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

74-74: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

82-82: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

90-90: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

98-98: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

106-106: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

116-116: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

124-124: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

132-132: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

140-140: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

versioned_docs/version-3.x/reference/plugins/policy.md

30-30: Unordered list indentation
Expected: 2; Actual: 5

(MD007, ul-indent)

---

31-31: Unordered list indentation
Expected: 2; Actual: 5

(MD007, ul-indent)

---

40-40: Unordered list indentation
Expected: 2; Actual: 5

(MD007, ul-indent)

---

41-41: Unordered list indentation
Expected: 2; Actual: 5

(MD007, ul-indent)

versioned_docs/version-3.x/orm/access-control/01-write-policies.md

5-5: Link text should be descriptive

(MD059, descriptive-link-text)

🔇 Additional comments (14)

code-repos/zenstackhq/v3-doc-quick-start (1)

1-1: Submodule pointer update looks correct.

The commit hash is properly formatted and the update aligns with the PR objectives for v3 documentation refresh. This is a standard submodule pointer update as part of the documentation changes for access policy and input validation.

README.md (1)

3-3: Update Docusaurus version reference.

This is a straightforward version bump from Docusaurus 2 to Docusaurus 3. Ensure that the documentation build process and local development workflow are compatible with Docusaurus 3 and that any related configuration files (e.g., docusaurus.config.js) have been updated accordingly.

code-repos/zenstackhq/v3-doc-orm-policy (1)

1-1: Submodule configuration verified and commit is accessible.

All verification checks pass:

• .gitmodules entry is correctly configured with proper path and URL
• Commit 898e2dee4119947f9a6b720658f798c292642af6 is reachable in the upstream repository
• Submodule is properly initialized

No issues found.

versioned_docs/version-3.x/orm/17-migration.md (1)

1-3: Front-matter metadata reorganization is appropriate.

The transition from sidebar_position to description metadata aligns with the broader documentation restructuring mentioned in the PR summary. Verify that sidebar positioning is now managed through a central configuration (e.g., sidebars.js or similar) rather than per-file.

versioned_docs/version-3.x/reference/plugins/policy.md (1)

128-134: Verify runtime plugin integration example reflects current ZenStackClient API.

The example shows instantiation of ZenStackClient and use of PolicyPlugin. Confirm this matches the current API and that the parameter signature for new ZenStackClient(...) is appropriate.

versioned_docs/version-3.x/reference/zmodel/09-import.md (1)

1-3: Sidebar position update is correctly sequenced.

The sidebar position increment from 8 to 9 is appropriate given the insertion of a new 08-expression.md file. The documentation navigation structure remains consistent.

versioned_docs/version-3.x/orm/access-control/04-field-level.md (1)

1-3: Placeholder for future field-level policies documentation is appropriately structured.

The construction emoji (🚧) and "Coming soon." messaging clearly signal this section is pending implementation, which is a standard pattern for documentation scaffolding.

versioned_docs/version-3.x/reference/zmodel/06-attribute.md (1)

267-269: Cross-reference to input validation documentation is well-placed.

The info admonition effectively directs users to the dedicated input validation page. Ensure that versioned_docs/version-3.x/reference/zmodel/10-input-validation.md exists and is properly indexed before release.

versioned_docs/version-3.x/reference/zmodel/07-function.md (1)

85-87: Cross-reference to input validation functions documentation is consistent with pattern used in attributes.

The placement and formatting match the parallel update to 06-attribute.md. Verify that versioned_docs/version-3.x/reference/zmodel/10-input-validation.md is properly linked and indexed.

.gitmodules (1)

19-24: Both submodule repositories are accessible and properly configured.

Verification confirms:

• ✓ https://github.com/zenstackhq/v3-doc-orm-validation.git is accessible
• ✓ https://github.com/zenstackhq/v3-doc-orm-policy.git is accessible
• ✓ .gitmodules entries follow the established naming and URL patterns
• ✓ No syntax errors in the configuration

The changes are ready to merge.

code-repos/zenstackhq/v3-doc-orm-validation (1)

1-1: Submodule pointer change approved.

The submodule is correctly configured in .gitmodules with a valid commit reference that exists in the target repository.

versioned_docs/version-3.x/orm/access-control/index.md (1)

5-20: LGTM!

The new overview content is clear and well-articulated, effectively explaining ZenStack's access control philosophy and its advantages over traditional approaches like PostgreSQL RLS. The removal of the emoji and the "Coming soon" placeholder is appropriate for a completed feature.

versioned_docs/version-3.x/orm/16-errors.md (1)

9-25: LGTM!

The error class documentation is well-organized and clearly explains when each error is thrown. The addition of RejectedByPolicyError is important for users understanding access control enforcement. The renaming from ValidationError to InputValidationError provides better semantic clarity.

versioned_docs/version-3.x/orm/access-control/02-query.md (1)

1-107: LGTM!

The documentation is comprehensive and well-organized, with clear code examples showing the runtime integration pattern. The explanations of ORM vs query-builder behavior and the limitations are important for users. The mental model of "rows not satisfying policies don't exist" is well-articulated and helps set proper expectations.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (5)

versioned_docs/version-3.x/orm/09-validation.md (2)

20-20: Fix broken internal documentation link.

The link points to ../reference/zmodel/input-validation.md, but based on the past review comments, the actual file in this PR is ../reference/zmodel/10-input-validation.md (with a numbered prefix).

Apply this diff:

-However, oftentimes you want to express more fine-grained validation rules, such as field length, string format, or numeric range, etc. ZModel provides a set of built-in field-level validation attributes, like `@length`, `@email`, etc., for this purpose. See [Input Validation](../reference/zmodel/input-validation.md) for more details.
+However, oftentimes you want to express more fine-grained validation rules, such as field length, string format, or numeric range, etc. ZModel provides a set of built-in field-level validation attributes, like `@length`, `@email`, etc., for this purpose. See [Input Validation](../reference/zmodel/10-input-validation.md) for more details.

---

22-22: Fix broken internal documentation link.

Same issue as line 20—the link needs to point to the numbered file path.

Apply this diff:

-To support more complex rules, a powerful `@@validate` model-level attribute is provided to allow expression rules using multiple fields and logical operators. Inside the `@@validate` attribute, functions like `length()`, `isEmail()`, etc. are available for building up expressions. See [Input Validation](../reference/zmodel/input-validation.md) for the complete list of available functions.
+To support more complex rules, a powerful `@@validate` model-level attribute is provided to allow expression rules using multiple fields and logical operators. Inside the `@@validate` attribute, functions like `length()`, `isEmail()`, etc. are available for building up expressions. See [Input Validation](../reference/zmodel/10-input-validation.md) for the complete list of available functions.

versioned_docs/version-3.x/reference/plugins/policy.md (2)

30-31: Fix markdown list indentation.

The parameter list items are over-indented and violate markdown linting standards (MD007). Lists should use 2-space indentation.

Apply this diff:

     Defines an access policy that allows a set of operations when the given condition is true.
-     - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
-     - `condition`: a boolean expression that controls if the operation should be allowed.
+   - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
+   - `condition`: a boolean expression that controls if the operation should be allowed.

---

40-41: Fix markdown list indentation for @@deny attribute.

Same indentation issue as the @@allow section.

Apply this diff:

     Defines an access policy that denies a set of operations when the given condition is true.
-     - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
-     - `condition`: a boolean expression that controls if the operation should be denied.
+   - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
+   - `condition`: a boolean expression that controls if the operation should be denied.

versioned_docs/version-3.x/orm/access-control/03-post-update.md (1)

13-13: Fix typo: "polices" → "policies".

Apply this diff:

-Among the CRUD operations, "update" is a special one because it has a "pre" state and "post" state. The "update" policies we've seen in the previous parts refer to the "pre" state, meaning that if your polices refer to the model's fields, the fields are evaluated to their values before the update happens.
+Among the CRUD operations, "update" is a special one because it has a "pre" state and "post" state. The "update" policies we've seen in the previous parts refer to the "pre" state, meaning that if your policies refer to the model's fields, the fields are evaluated to their values before the update happens.

🧹 Nitpick comments (2)

versioned_docs/version-3.x/orm/access-control/01-write-policies.md (1)

55-60: Consider using fenced code blocks for consistency.

The numbered list at lines 57-59 is followed by indented content that markdown linters flag as an indented code block. While this renders correctly, using fenced code blocks (with triple backticks) is more explicit and consistent with the rest of the documentation.

If you'd like to address the linting warning, you can ensure the list items are properly formatted without triggering code block detection.

versioned_docs/version-3.x/orm/access-control/02-query.md (1)

56-63: Consider using fenced code blocks for consistency.

Similar to other documentation files, the indented list content is flagged by markdown linters. While functional, using fenced code blocks is more explicit and consistent with modern markdown best practices.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6da8385 and 193582b.

📒 Files selected for processing (9)

• code-repos/zenstackhq/v3-doc-orm-policy (1 hunks)
• src/components/StackBlitzGithub.tsx (2 hunks)
• versioned_docs/version-3.x/orm/09-validation.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/01-write-policies.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/02-query.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/03-post-update.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/index.md (1 hunks)
• versioned_docs/version-3.x/reference/plugins/policy.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/08-expression.md (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• versioned_docs/version-3.x/reference/zmodel/08-expression.md
• code-repos/zenstackhq/v3-doc-orm-policy

🧰 Additional context used

🪛 LanguageTool

versioned_docs/version-3.x/orm/access-control/03-post-update.md

[grammar] ~13-~13: Ensure spelling is correct
Context: ...o the "pre" state, meaning that if your polices refer to the model's fields, the fields...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

versioned_docs/version-3.x/orm/access-control/01-write-policies.md

[style] ~71-~71: ‘new records’ might be wordy. Consider a shorter alternative.
Context: ... create The permission to create new records. The rules are evaluated before the...

(EN_WORDINESS_PREMIUM_NEW_RECORDS)

---

[style] ~209-~209: Consider using “inaccessible” to avoid wordiness.
Context: ...is created. At that time, relations are not accessible yet. As a result, create rules can o...

(NOT_ABLE_PREMIUM)

---

[grammar] ~211-~211: Ensure spelling is correct
Context: ...model where the rule is defined. During create, if the foreign key fields are set, the...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

versioned_docs/version-3.x/orm/access-control/index.md

[grammar] ~13-~13: Ensure spelling is correct
Context: ... CRUD which piece of data". Having them colocated with the data model reduces redundancy,...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

versioned_docs/version-3.x/reference/plugins/policy.md

[style] ~122-~122: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...(field: Any[]): Boolean {} ``` Checks if the list field value is empty. - `c...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

🪛 markdownlint-cli2 (0.18.1)

versioned_docs/version-3.x/orm/access-control/01-write-policies.md

58-58: Code block style
Expected: fenced; Actual: indented

(MD046, code-block-style)

versioned_docs/version-3.x/orm/access-control/02-query.md

58-58: Code block style
Expected: fenced; Actual: indented

(MD046, code-block-style)

🔇 Additional comments (3)

versioned_docs/version-3.x/orm/access-control/index.md (1)

5-20: LGTM! Well-structured overview of access control.

The content clearly explains ZenStack's access control approach, its rationale for co-locating policies with data models, and the performance comparison with PostgreSQL RLS. The writing is concise and informative.

Note: The static analysis hint about "colocated" is a false positive—this is correct technical terminology for placing related code together.

src/components/StackBlitzGithub.tsx (2)

7-7: LGTM! Backward-compatible enhancement for multiple files.

The type change from string to string | string[] allows opening multiple files in StackBlitz while maintaining backward compatibility with existing single-file usage.

---

18-27: Well-implemented multi-file support.

The logic correctly handles:

• Array input directly
• Comma-separated string fallback
• Proper spreading for plainCodeFiles initialization
• Correct joining for StackBlitz SDK options

The implementation is clean and maintains backward compatibility.

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (3)

versioned_docs/version-3.x/reference/plugins/policy.md (2)

40-41: Fix markdown list indentation for @@deny attribute parameters (MD007).

Parameter list items are over-indented. Reduce from 6 spaces to 2 spaces to align with markdown lint standards.

 Defines an access policy that denies a set of operations when the given condition is true.
-      - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
-      - `condition`: a boolean expression that controls if the operation should be denied.
+    - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
+    - `condition`: a boolean expression that controls if the operation should be denied.

---

30-31: Fix markdown list indentation for @@allow attribute parameters (MD007).

Parameter list items are over-indented. Reduce from 6 spaces to 2 spaces to align with markdown lint standards.

 Defines an access policy that allows a set of operations when the given condition is true.
-      - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
-      - `condition`: a boolean expression that controls if the operation should be allowed.
+    - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
+    - `condition`: a boolean expression that controls if the operation should be allowed.

versioned_docs/version-3.x/reference/zmodel/input-validation.md (1)

7-7: Fix broken internal documentation link (previously flagged).

Line 7 still references an incorrect path. Update the link target to point to the correct validation documentation file.

-This document describes the attributes and functions available for input validation in ZModel. See [Input Validation](../../orm/validation.md) for more details on how to use them.
+This document describes the attributes and functions available for input validation in ZModel. See [Input Validation](../../orm/09-validation.md) for more details on how to use them.

Please verify that ../../orm/09-validation.md is the correct target path in this PR's documentation structure.

🧹 Nitpick comments (4)

versioned_docs/version-3.x/orm/access-control/query.md (1)

62-66: Consider refactoring indented list to use explicit nested bullet points (MD046).

The current indentation of list items under "### ORM Queries" is flagged by markdown linters as a code block. While the formatting is readable, using explicit nested bullet points would improve linting compliance and clarity.

 ### ORM Queries
 
 For the most part, the ORM query behavior is very intuitive:
 
-    - Read operations like `findMany`, `findUnique`, `count`, etc., only return/involve rows that meet the "read" policies.
+- Read operations like `findMany`, `findUnique`, `count`, etc., only return/involve rows that meet the "read" policies.
 
-    - Mutation operations that affect multiple rows, like `updateMany` and `deleteMany`, only impact rows that meet the "update" or "delete" policies respectively.
+- Mutation operations that affect multiple rows, like `updateMany` and `deleteMany`, only impact rows that meet the "update" or "delete" policies respectively.
 
-    - Mutation operations that affect a single, unique row, like `update` and `delete`, will throw an `NotFoundError` if the target row doesn't meet the "update" or "delete" policies respectively.
+- Mutation operations that affect a single, unique row, like `update` and `delete`, will throw an `NotFoundError` if the target row doesn't meet the "update" or "delete" policies respectively.

versioned_docs/version-3.x/reference/zmodel/input-validation.md (1)

23-252: Standardize markdown list indentation.

Markdown linting reports inconsistent indentation in unordered lists throughout the document (lines 25, 34, 42, 50, 58, 66, 74, 82, 90, 98, 106, 116, 124, 132, 140). The linter expects 2-space indentation for nested list items, but the document uses 4-space indentation. Adjust list indentation to follow markdown conventions.

versioned_docs/version-3.x/orm/access-control/write-policies.md (2)

75-75: Minor wording refinement (optional).

Line 75 uses "create new records"; consider the more concise "create records" for brevity.

---

213-213: Minor wording refinement (optional).

Line 213 could be phrased more concisely: "relations are not yet accessible" or "relations are inaccessible" to reduce wordiness.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 193582b and e3a8a89.

📒 Files selected for processing (17)

• versioned_docs/version-3.x/modeling/relation.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/field-level.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/post-update.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/query.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/write-policies.md (1 hunks)
• versioned_docs/version-3.x/orm/errors.md (1 hunks)
• versioned_docs/version-3.x/orm/migration.md (1 hunks)
• versioned_docs/version-3.x/orm/typed-json.md (0 hunks)
• versioned_docs/version-3.x/orm/validation.md (1 hunks)
• versioned_docs/version-3.x/reference/plugins/policy.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/attribute.md (2 hunks)
• versioned_docs/version-3.x/reference/zmodel/data-field.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/expression.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/function.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/import.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/input-validation.md (1 hunks)
• versioned_docs/version-3.x/reference/zmodel/plugin.md (1 hunks)

💤 Files with no reviewable changes (1)

• versioned_docs/version-3.x/orm/typed-json.md

✅ Files skipped from review due to trivial changes (4)

• versioned_docs/version-3.x/orm/migration.md
• versioned_docs/version-3.x/reference/zmodel/attribute.md
• versioned_docs/version-3.x/orm/access-control/field-level.md
• versioned_docs/version-3.x/reference/zmodel/plugin.md

🚧 Files skipped from review as they are similar to previous changes (1)

• versioned_docs/version-3.x/orm/validation.md

🧰 Additional context used

🪛 LanguageTool

versioned_docs/version-3.x/reference/zmodel/data-field.md

[style] ~31-~31: To form a complete sentence, be sure to include a subject or ‘there’.
Context: ... FIELD_TYPE Type of the field. Can be a scalar type, a reference to anothe...

(MISSING_IT_THERE)

versioned_docs/version-3.x/orm/access-control/write-policies.md

[style] ~75-~75: ‘new records’ might be wordy. Consider a shorter alternative.
Context: ... create The permission to create new records. The rules are evaluated before the...

(EN_WORDINESS_PREMIUM_NEW_RECORDS)

---

[style] ~213-~213: Consider using “inaccessible” to avoid wordiness.
Context: ...is created. At that time, relations are not accessible yet. As a result, create rules can o...

(NOT_ABLE_PREMIUM)

---

[grammar] ~215-~215: Ensure spelling is correct
Context: ...model where the rule is defined. During create, if the foreign key fields are set, the...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

versioned_docs/version-3.x/orm/access-control/post-update.md

[grammar] ~17-~17: Ensure spelling is correct
Context: ...o the "pre" state, meaning that if your polices refer to the model's fields, the fields...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

versioned_docs/version-3.x/reference/plugins/policy.md

[style] ~122-~122: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...(field: Any[]): Boolean {} ``` Checks if the list field value is empty. - `c...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

versioned_docs/version-3.x/reference/zmodel/input-validation.md

[style] ~56-~56: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a string field to contain a given subst...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~64-~64: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a string field to be a valid email addr...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~72-~72: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a string field to be a valid URL. ...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~80-~80: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...essage: String?) ``` Requires a string field to be a valid ISO 8601 d...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~88-~88: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a string field to match a given regular...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~138-~138: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a number field to be greater than a giv...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~146-~146: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ... message: String?) ``` Requires a number field to be greater than or eq...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~188-~188: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...h: String): Boolean {} ``` Checks if a string field contains a given subs...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~196-~196: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...l(field: String): Boolean {} ``` Checks if a string field is a valid email addr...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~204-~204: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...l(field: String): Boolean {} ``` Checks if a string field is a valid URL. - `i...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~212-~212: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...e(field: String): Boolean {} ``` Checks if a string field is a valid ISO 8601 d...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~220-~220: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...pattern: String): Boolean {} ``` Checks if a string field matches a given regul...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~228-~228: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...[], search: Any): Boolean {} ``` Checks if a list field contains a given elemen...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~236-~236: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ..., search: Any[]): Boolean {} ``` Checks if a list field contains at least one e...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~244-~244: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ..., search: Any[]): Boolean {} ``` Checks if a list field contains all elements f...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

---

[style] ~252-~252: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...ty(field: Any[]): Boolean {} ``` Checks if a list field is empty.

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

🪛 markdownlint-cli2 (0.18.1)

versioned_docs/version-3.x/orm/access-control/query.md

62-62: Code block style
Expected: fenced; Actual: indented

(MD046, code-block-style)

versioned_docs/version-3.x/reference/zmodel/input-validation.md

25-25: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

34-34: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

42-42: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

50-50: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

58-58: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

66-66: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

74-74: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

82-82: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

90-90: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

98-98: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

106-106: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

116-116: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

124-124: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

132-132: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

---

140-140: Unordered list indentation
Expected: 2; Actual: 4

(MD007, ul-indent)

🔇 Additional comments (11)

versioned_docs/version-3.x/modeling/relation.md (1)

224-224: Section header rename properly coordinated with anchor updates across documentation.

The change from "Referential Actions" to "Referential Action" is complete and well-coordinated. Cross-references in versioned_docs/version-3.x/reference/zmodel/attribute.md correctly use the new anchor #referential-action, and no broken internal references remain.

versioned_docs/version-3.x/reference/zmodel/import.md (1)

2-2: Sidebar position update is consistent with documentation reorganization.

Routine metadata change aligning with broader v3 reference layout updates.

versioned_docs/version-3.x/reference/zmodel/data-field.md (1)

31-31: Link references improved for better maintainability.

Switching from in-page anchors to explicit file paths (./model.md and ./type.md) strengthens cross-references and reduces fragility during documentation reorganization.

versioned_docs/version-3.x/reference/zmodel/function.md (1)

85-87: Clear cross-reference to input validation documentation.

The admonition properly guides users to the dedicated input validation page, supporting the documentation's modular organization.

versioned_docs/version-3.x/reference/plugins/policy.md (1)

1-152: Comprehensive policy plugin documentation is well-structured.

The new documentation provides clear explanations of attributes, functions, and runtime usage. The parallel structure of function descriptions (lines 70, 79, 88 with "Checks if...") follows an established pattern for technical documentation and is acceptable.

versioned_docs/version-3.x/orm/access-control/post-update.md (2)

45-45: Verify StackBlitzGithub component supports multiple files in openFile parameter.

The component is being called with openFile as an array of two files. Ensure the updated component implementation correctly handles this parameter format.

---

1-46: Post-update rules documentation is clear and well-structured.

The documentation effectively explains the v3 breaking change, the semantics of post-update rules, and provides practical examples with the before() function and RejectedByPolicyError reference.

versioned_docs/version-3.x/orm/errors.md (1)

10-26: Error documentation updates are accurate and complete.

The changes correctly document the rename from ValidationError to InputValidationError and add documentation for the new RejectedByPolicyError. References to related documentation are properly formatted and contextually appropriate.

versioned_docs/version-3.x/reference/zmodel/expression.md (1)

1-79: Expression documentation is comprehensive and well-organized.

The new documentation thoroughly covers all expression types with clear examples and proper cross-references to functions and input validation. This successfully addresses the previous placeholder gap.

versioned_docs/version-3.x/orm/access-control/query.md (1)

1-112: Access control query documentation is thorough and well-presented.

The documentation effectively explains runtime plugin setup, authentication binding, query behavior differences (ORM vs query-builder), and important limitations. The mental model of "rows not satisfying policies don't exist" is clearly communicated, and the RejectedByPolicyError vs NotFoundError distinction is well-motivated.

versioned_docs/version-3.x/orm/access-control/write-policies.md (1)

1-109: Well-structured policy documentation with solid examples.

The documentation effectively explains the policy plugin setup, rule evaluation order, operation types, and fundamental concepts. The progression from simple rules to relation traversal to advanced patterns like check() delegation is clear and pedagogically sound.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (3)

versioned_docs/version-3.x/orm/access-control/post-update.md (1)

17-17: ** Typo already corrected.**

The past review flagged the misspelling "polices" → "policies" on this line. The current version correctly uses "policies" throughout (twice on this line), so the issue has been resolved.

versioned_docs/version-3.x/reference/plugins/policy.md (2)

30-31: ** Fix markdown list indentation for @@Allow and @@deny parameter documentation.**

These indentation issues were flagged in the prior review. The parameter lists for both @@allow (lines 30-31) and @@deny (lines 40-41) remain over-indented and violate MD007 linting standards.

Apply this diff to fix both sections:

 - `@@allow`

     ```zmodel
     attribute @@allow(_ operation: String, _ condition: Boolean)
     ```

     Defines an access policy that allows a set of operations when the given condition is true.
-      - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
-      - `condition`: a boolean expression that controls if the operation should be allowed.
+   - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
+   - `condition`: a boolean expression that controls if the operation should be allowed.
  
 - `@@deny`
   
     ```zmodel
     attribute @@deny(_ operation: String, _ condition: Boolean)
     ```

     Defines an access policy that denies a set of operations when the given condition is true.
-      - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
-      - `condition`: a boolean expression that controls if the operation should be denied.
+   - `operation`: comma-separated list of "create", "read", "update", "post-update", "delete". Use "all" to denote all operations.
+   - `condition`: a boolean expression that controls if the operation should be denied.

Also applies to: 40-41

---

132-132: ** Fix indentation for currentModel() and currentOperation() casing parameters.**

These parameter descriptions for both functions are over-indented (8 spaces), causing MD046 code block style linting failures. Reduce to 2-space indentation and remove extra blank lines to render as list items.

Apply this diff:

     Returns the name of the model for which the policy rule is defined. If the rule is inherited to a sub model, this function returns the name of the sub model.
-        
-      - `casing`: parameter to control the casing of the returned value. Valid values are "original", "upper", "lower", "capitalize", "uncapitalize". Defaults to "original".

+   - `casing`: parameter to control the casing of the returned value. Valid values are "original", "upper", "lower", "capitalize", "uncapitalize". Defaults to "original".
 
 - `currentOperation()`

     ```zmodel
     function currentOperation(casing: String?): String {}
     ```

     Returns the operation for which the policy rule is defined for. Note that a rule with "all" operation is expanded to "create", "read", "update", and "delete" rules, and the function returns corresponding value for each expanded version.
-        
-      - `casing`: parameter to control the casing of the returned value. Valid values are "original", "upper", "lower", "capitalize", "uncapitalize". Defaults to "original".
+   - `casing`: parameter to control the casing of the returned value. Valid values are "original", "upper", "lower", "capitalize", "uncapitalize". Defaults to "original".

Also applies to: 142-142

🧹 Nitpick comments (1)

versioned_docs/version-3.x/reference/plugins/policy.md (1)

70-70: Reduce repetition of opening phrase "Checks if" in function descriptions.

Multiple successive function descriptions (lines 70, 79, 88, 96, 105, 113, 122) begin with "Checks if the...", which violates style guidelines for varied sentence structure. Rephrase some descriptions to improve readability.

Examples of alternative phrasings:

• Line 113: "Verifies that the list field contains all elements from the search list."
• Line 122: "Returns true if the list field is empty."

Also applies to: 79-79, 88-88, 96-96, 105-105, 113-113, 122-122

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fa1b02a and 97ecf01.

📒 Files selected for processing (4)

• blog/better-auth/index.mdx (1 hunks)
• docs/faq.md (1 hunks)
• versioned_docs/version-3.x/orm/access-control/post-update.md (1 hunks)
• versioned_docs/version-3.x/reference/plugins/policy.md (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• docs/faq.md

🧰 Additional context used

🪛 LanguageTool

versioned_docs/version-3.x/reference/plugins/policy.md

[style] ~122-~122: Three successive sentences begin with the same word. Consider rewording the sentence or use a thesaurus to find a synonym.
Context: ...(field: Any[]): Boolean {} ``` Checks if the list field value is empty. - `c...

(ENGLISH_WORD_REPEAT_BEGINNING_RULE)

🪛 markdownlint-cli2 (0.18.1)

versioned_docs/version-3.x/reference/plugins/policy.md

132-132: Code block style
Expected: fenced; Actual: indented

(MD046, code-block-style)

---

142-142: Code block style
Expected: fenced; Actual: indented

(MD046, code-block-style)

🔇 Additional comments (5)

blog/better-auth/index.mdx (1)

437-437: Typo fix looks good.

The correction from "polices" to "policies" is appropriate and aligns with the documentation quality standards. The blog post provides comprehensive guidance on integrating Better-Auth with ZenStack for access control, and the content complements the v3 policy documentation updates well.

versioned_docs/version-3.x/reference/plugins/policy.md (1)

1-143: Content and technical accuracy verified.

The documentation correctly describes the @zenstackhq/plugin-policy plugin, including:

• Plugin enablement syntax and ZModel declarations
• All attribute and function signatures with accurate parameter types and return values
• Clear explanations of function behavior and use cases
• Appropriate runtime plugin integration example

versioned_docs/version-3.x/orm/access-control/post-update.md (3)

25-39: Excellent ZModel example with clear post-update policy patterns.

The code example effectively demonstrates:

• Proper use of @@deny with "post-update" operation specifier
• Using field conditions on post-update values (e.g., published == true)
• Using before() function to reference pre-update state when needed

This clearly illustrates the key differences between "update" and "post-update" policy rules.

---

1-46: Content accuracy and clarity verified.

The documentation effectively explains:

• The distinction between pre-update ("update") and post-update rules with concrete examples
• Default behavior (post-update allowed by default unless rules exist)
• The before() function for accessing pre-update values
• Error handling via RejectedByPolicyError
• A practical working example with StackBlitz integration

The breaking change from v2 is properly acknowledged and explained.

---

45-46: No issues found—component properly supports array format for openFile.

The StackBlitzGithub component signature correctly defines openFile?: string | string[]; and the implementation handles arrays via Array.isArray(openFile) check, confirming the usage in post-update.md is valid and fully supported.