chore: add note to createVolumeAPI usage

atilafassina · atilafassina · commit edabf4bf9472 · 2026-04-02T21:27:11.000+02:00
diff --git a/docs/docs/api/appkit/Variable.policy.md b/docs/docs/api/appkit/Variable.policy.md
@@ -8,7 +8,6 @@ const policy: {
   denyAll: FilePolicy;
   not: FilePolicy;
   publicRead: FilePolicy;
-  publicReadAndList: FilePolicy;
 };
 ```
 
@@ -105,15 +104,3 @@ Allow all read actions (list, read, download, raw, exists, metadata, preview).
 #### Returns
 
 `FilePolicy`
-
-### publicReadAndList()
-
-```ts
-readonly publicReadAndList(): FilePolicy;
-```
-
-Alias for `publicRead()` — included for discoverability.
-
-#### Returns
-
-`FilePolicy`
diff --git a/packages/appkit/src/plugins/files/plugin.ts b/packages/appkit/src/plugins/files/plugin.ts
@@ -245,7 +245,16 @@ export class FilesPlugin extends Plugin {
 
   /**
    * Creates a VolumeAPI for a specific volume key.
-   * All operations execute as the service principal.
+   * All operations execute as the service principal without policy checks.
+   *
+   * Not used internally — `_createPolicyWrappedAPI` handles all current
+   * call sites. Kept as a `protected` extension point so subclasses can
+   * override `exports()` or build custom APIs with raw connector access,
+   * e.g. background jobs or migrations that should bypass user-facing policies.
+   *
+   * @security This method skips all policy enforcement. Do not expose its
+   * return value to HTTP routes or end-user-facing code paths — use
+   * `_createPolicyWrappedAPI` for anything that serves user requests.
    */
   protected createVolumeAPI(volumeKey: string): VolumeAPI {
     const connector = this.volumeConnectors[volumeKey];
