// It's more restrictive, preventing interference from unexpected callpaths.
$policies['upgrade.main'] = [
'hook_civicrm_config' => 'run',
+ // cleanupPermissions() in some UF's can be destructive. Running prematurely could be actively harmful.
+ 'hook_civicrm_permission' => 'fail',
'/^hook_civicrm_(pre|post)$/' => 'drop',
'/^hook_civicrm_/' => $strict ? 'warn-drop' : 'drop',
'/^civi\./' => 'run',