✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Greptile Summary

This PR closes a privilege-escalation vulnerability in the CASL permission-boundary checker: a child role using $NEQ (e.g. "everything except dev") was incorrectly being accepted as a subset of a parent using $EQ or $IN (e.g. "only qa"), allowing a child to request access to a much broader set of resources than its parent permitted.

Key changes:

• boundary.ts — adds a concise early-return guard: if the child operator is $NEQ and the parent is $EQ or $IN, the check immediately returns false. This is logically correct because no "all-except-X" set can be a subset of a finite allow-list.
• boundary.test.ts — adds three regression tests that would fail on the old code and pass with the fix, plus corrects a pre-existing mislabeled test case (the $NEQ falsy-case row was accidentally using $GLOB: "staging" in its conditions instead of $NEQ: "staging").
• One edge-case combination is tested implicitly but not explicitly: $NEQ child where the excluded value is inside the parent's $IN list (e.g. $NEQ: "dev" vs $IN: ["dev","staging"]). Adding a test for that variant would further strengthen coverage.

Confidence Score: 5/5

• Safe to merge — the fix is minimal, logically sound, and covered by tests.
• The change is a single targeted guard in a well-isolated helper function. It correctly rejects all $NEQ child conditions against $EQ/$IN parent conditions with no false positives for previously valid cases. Tests confirm both the new behaviour and pre-existing edge cases. No API contracts, database schemas, or external interfaces are altered.
• No files require special attention.

Important Files Changed

_{Last reviewed commit: "fix: correct operato..."}