import type { TableSnapshot } from '../pg/introspect';
import type { Finding } from '../types';

/**
 * A4 / A5: a role is granted INSERT/UPDATE/DELETE (A4, high) or SELECT
 * (A5, medium), but no applicable permissive policy supplies the clause that
 * verb needs. A4 means "writes silently fail at runtime". A5 means "queries
 * silently return 0 rows".
 *
 * NOTE(review): "silently" is not uniform across verbs. Under row-level
 * security's default deny, PostgreSQL rejects a non-conforming INSERT with an
 * error, while UPDATE/DELETE simply match no rows. Confirm the finding text
 * distinguishes the two.
 *
 * NOTE(review): the description presumes row-level security is enabled on the
 * table and that the role is subject to it (not the table owner, no
 * BYPASSRLS). Only the declaration is visible here, so confirm the
 * implementation handles those cases.
 *
 * @param table - Table snapshot to inspect (type from `../pg/introspect`).
 * @returns Findings raised for the table; presumably an empty array when
 *   there is no gap (verify against the implementation).
 */
export declare function checkCoverageGaps(table: TableSnapshot): Finding[];

/**
 * A6 (informational): UPDATE coverage exists for a role, but no applicable
 * permissive UPDATE policy has a `WITH CHECK` clause. This is
 * defense-in-depth: without WITH CHECK, updates can move rows out of the
 * visible scope (a "row smuggling" pattern). Low severity because it does not
 * cause runtime failures and in many designs is by construction safe (e.g. the
 * columns that define scope are not writable, or a trigger re-asserts scope).
 *
 * NOTE(review): PostgreSQL's CREATE POLICY documentation states that when an
 * UPDATE (or ALL) policy specifies only USING, that expression is also applied
 * as the WITH CHECK. Confirm what "no WITH CHECK" means for this check. If it
 * includes policies that merely omit the clause, the smuggling risk described
 * above would not apply to them; the risk would be an explicit, weaker check
 * such as `WITH CHECK (true)`.
 *
 * @param table - Table snapshot to inspect (type from `../pg/introspect`).
 * @returns Findings raised for the table; presumably an empty array when
 *   nothing is flagged (verify against the implementation).
 */
export declare function checkUpdateWithCheckCoverage(table: TableSnapshot): Finding[];