From 665806dfe8ce06621f028adc81d126fd9489291b Mon Sep 17 00:00:00 2001 From: Owen Date: Wed, 10 Jun 2026 10:03:16 -0700 Subject: [PATCH] Add some documentation; pull the override values --- server/routers/resource/getResource.ts | 38 ++++++++++++++++++++--- server/routers/resource/updateResource.ts | 38 ++++++++++++++++++++--- 2 files changed, 66 insertions(+), 10 deletions(-) diff --git a/server/routers/resource/getResource.ts b/server/routers/resource/getResource.ts index 62b7d51e8..708351db1 100644 --- a/server/routers/resource/getResource.ts +++ b/server/routers/resource/getResource.ts @@ -1,4 +1,4 @@ -import { db, resources } from "@server/db"; +import { db, resourcePolicies, resources } from "@server/db"; import response from "@server/lib/response"; import stoi from "@server/lib/stoi"; import logger from "@server/logger"; @@ -41,6 +41,15 @@ async function query(resourceId?: number, niceId?: string, orgId?: string) { } } +async function queryInlinePolicy(resourcePolicyId: number) { + const [res] = await db + .select() + .from(resourcePolicies) + .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId)) + .limit(1); + return res; +} + export type GetResourceResponse = Omit< NonNullable>>, "headers" 
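Review bot: The new `queryInlinePolicy` helper selects a policy row by `resourcePolicyId` alone and returns `undefined` when nothing matches, and neither fact is written down. The lookup applies no org filter of its own, so it is only as well scoped as the id handed to it and should only receive an id read from a resource row the handler has already resolved and authorised. A comment above the function would make that contract visible, for example `// Caller must pass an id taken from an already-authorised resource row; no org filter is applied here and undefined is returned when no row matches`. An explicit return type that includes `undefined` would also let the compiler enforce the missing-row case at call sites.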
@@ -132,12 +141,31 @@ export async function getResource( ); } + const isInlinePolicy = + resource.resourcePolicyId === null && + resource.defaultResourcePolicyId !== null; + + let returnData = resource; + if (isInlinePolicy) { + // get the policy + const policy = await queryInlinePolicy( + resource.defaultResourcePolicyId! + ); + returnData = { + ...returnData, + sso: policy?.sso || null, + emailWhitelistEnabled: policy?.emailWhitelistEnabled || null, + applyRules: policy?.applyRules || null, + skipToIdpId: policy?.idpId || null + }; + } + return response(res, { data: { - ...resource, - headers: resource.headers - ? JSON.parse(resource.headers) - : resource.headers + ...returnData, + headers: returnData.headers + ? JSON.parse(returnData.headers) + : returnData.headers }, success: true, error: false, diff --git a/server/routers/resource/updateResource.ts b/server/routers/resource/updateResource.ts index b4f67907b..6ffe3d171 100644 --- a/server/routers/resource/updateResource.ts +++ b/server/routers/resource/updateResource.ts 
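Review bot: In the `returnData` object built under `if (isInlinePolicy)`, `policy?.sso || null` and the same pattern on `emailWhitelistEnabled` and `applyRules` turn a stored `false` into `null`, so a client cannot tell a setting that is explicitly disabled on the inline policy from one that has no value. These are access-control settings and should be reported faithfully: `sso: policy?.sso ?? null`, and likewise for the other three fields. Separately, when `queryInlinePolicy` finds no row, the resource's own values are silently replaced by `null`; logging that case through the already imported `logger`, or returning the resource unchanged, would make a dangling `defaultResourcePolicyId` visible. `getResource` begins and ends outside this hunk, so how `resource` was loaded is not visible here.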
@@ -66,16 +66,38 @@ const updateHttpResourceBodySchema = z
 .optional(),
 subdomain: z.string().nullable().optional(),
 ssl: z.boolean().optional(),
-sso: z.boolean().optional(),
+sso: z
+ .boolean()
+ .optional()
+ .describe(
+ "When no shared resource policy is assigned (resourcePolicyId is null), updates the resource's inline policy. When a shared policy is assigned, this value overrides the shared policy for this resource."
+ ),
 blockAccess: z.boolean().optional(),
- emailWhitelistEnabled: z.boolean().optional(),
- applyRules: z.boolean().optional(),
+ emailWhitelistEnabled: z
+ .boolean()
+ .optional()
+ .describe(
+ "When no shared resource policy is assigned (resourcePolicyId is null), updates the resource's inline policy. When a shared policy is assigned, this value overrides the shared policy for this resource."
+ ),
+ applyRules: z
+ .boolean()
+ .optional()
+ .describe(
+ "When no shared resource policy is assigned (resourcePolicyId is null), updates the resource's inline policy. When a shared policy is assigned, this value overrides the shared policy for this resource."
+ ),
 domainId: z.string().optional(),
 enabled: z.boolean().optional(),
 stickySession: z.boolean().optional(),
 tlsServerName: z.string().nullable().optional(),
 setHostHeader: z.string().nullable().optional(),
- skipToIdpId: z.int().positive().nullable().optional(),
+ skipToIdpId: z
+ .int()
+ .positive()
+ .nullable()
+ .optional()
+ .describe(
+ "When no shared resource policy is assigned (resourcePolicyId is null), updates the resource's inline policy. When a shared policy is assigned, this value overrides the shared policy for this resource."
+ ),
 headers: z
 .array(z.strictObject({ name: z.string(), value: z.string() }))
 .nullable()
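Review bot: The description added to `sso`, `emailWhitelistEnabled`, `applyRules` and `skipToIdpId` does not say how a per-resource override is removed once a shared policy is assigned. For `skipToIdpId`, which is `.nullable()`, it also leaves open whether `null` clears the override or means that no IdP should be skipped to. These fields decide how the resource is authenticated, so the text should state both cases explicitly for API consumers. The same sentence is also pasted four times; hoisting it into one constant, e.g. `const policyFieldDescription = "…";` used as `.describe(policyFieldDescription)`, keeps the copies from drifting apart. The schema object starts before and continues after this hunk.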
@@ -91,7 +113,13 @@ const updateHttpResourceBodySchema = z
 pamMode: z.enum(["passthrough", "push"]).optional(),
 authDaemonMode: z.enum(["site", "remote", "native"]).optional(),
 authDaemonPort: z.int().min(1).max(65535).nullable().optional(),
-resourcePolicyId: z.number().nullable().optional()
+resourcePolicyId: z
+ .number()
+ .nullable()
+ .optional()
+ .describe(
+ "ID of the resource policy to apply to this resource. Set to null to remove the resource policy and fall back to the inline policy settings."
+ )
 })
 .refine((data) => Object.keys(data).length > 0, {
 error: "At least one field must be provided for update"
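Review bot: `resourcePolicyId` is still validated with `z.number()`, which accepts fractional and negative values, while the other id field in this schema, `skipToIdpId`, uses `z.int().positive()`. Since the line is being rewritten anyway, it can be tightened to `resourcePolicyId: z.int().positive().nullable().optional()` with the new `.describe(...)` kept. The handler that consumes this field is outside the hunk, so it is worth confirming that it checks the referenced policy belongs to the resource's organisation before assigning it.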