strata-cli 0.1.11 → 0.1.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 371199d421786d4bc06748770b1155f59206d49f115eb0d2c664df2a0de139d8
-  data.tar.gz: eb1ecac2dc8e40864f5c8ad278353ed8b8924f99fc54a2dad5c356f63dacd06d
+  metadata.gz: 060e97cfbb307efe69eff087983dc1d28e3e4008bd13f5529a7560e5d7e00f06
+  data.tar.gz: 134dbf05ad0b5870433fcb3c9a90e50853ed0a9f97c3378a97d208b4f6866dae
 SHA512:
-  metadata.gz: 6f65de98ebf7994129da1cc2b6ae16a3591020e799ab61583afb1eea725f69b73fa6e35f3d8e69ebe0540bf8cdfe02f38a2f8d9f5c9e2ca606d0bf81536fa1d1
-  data.tar.gz: f6e89761a4ef0fd8586d8a82a4262594f22f95a14f814abc6b48ab2d62e20e840429ee0dbf215dc58f2c8a4d350eace329d7be6528f1a079b2fb17a223cf88c2
+  metadata.gz: bf09f28b188e03929870b14515efb76d86f9aab034d048a3e2e5c49751f722718cf6a4d37a8c7d7e2966bd080aac758956df51951758a73b98a885003cbd5bb4
+  data.tar.gz: ab72ddfa33b44cc8da63cb10c2920575030fa53a4216d8d75eb9e2a38f2eebdc3f36afd3264c6dc81c00b440c6df4eb029df86126e600d16455def0cf311efb5

data/lib/strata/cli/generators/policy.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require_relative "group"
+require_relative "../output"
+
+module Strata
+  module CLI
+    module Generators
+      # Appends a new policy entry to the project's security.yml.
+      # Receives a fully-resolved attrs hash from the Create subcommand.
+      class Policy < Group
+        argument :attrs, type: :hash
+
+        def append_policy_to_security_yml
+          security_file = "security.yml"
+
+          unless File.exist?(security_file)
+            raise Strata::CommandError,
+              "security.yml not found in the current directory. Run 'strata init' first."
+          end
+
+          content = File.read(security_file)
+          new_entry = format_policy_yaml(attrs)
+
+          updated = if content.match?(/^policies:\s*\[\]/)
+            # First policy — replace inline empty array with block sequence
+            content.sub(/^policies:\s*\[\]/, "policies:\n#{new_entry}")
+          else
+            # Subsequent policy — append after existing entries
+            content.rstrip + "\n#{new_entry}"
+          end
+
+          File.write(security_file, updated)
+          Output.print_status(:updated, security_file, type: :success, context: self)
+        end
+
+        private
+
+        def format_policy_yaml(a)
+          lines = []
+          lines << "  - name: #{a[:name]}"
+          lines << "    mode: #{a[:mode]}"
+          lines << "    mask_value: \"#{a[:mask_value]}\"" if a[:mode] == "mask_data"
+          lines << "    triggers:"
+
+          tags = Array(a[:field_tags])
+          lines << "      field_tags: [#{tags.join(", ")}]"
+
+          field_names = Array(a[:field_names]).reject(&:empty?)
+          unless field_names.empty?
+            lines << "      field_names:"
+            field_names.each { |n| lines << "        - #{n}" }
+          end
+
+          lines << "    context_dimension: #{a[:context_dimension]}"
+          lines << "    permission_resolution:"
+          lines << "      source: #{a[:permission_source]}"
+          lines << "      value_from: #{a[:value_from]}"
+          lines << "      tag_key: #{a[:tag_key]}" if a[:tag_key].to_s.strip.length > 0
+          lines << "    bypass:"
+          lines << "      system_admin: #{a[:bypass_system_admin]}"
+          lines << "      project_admin: #{a[:bypass_project_admin]}"
+          lines.join("\n") + "\n"
+        end
+      end
+    end
+  end
+end

data/lib/strata/cli/generators/project.rb

@@ -57,7 +57,7 @@ module Strata
         def create_project_structure
           return if cloned_from_git?
 
-          empty_directory uid
+          empty_directory uid unless existing_directory?
           empty_directory File.join(uid, "models")
           empty_directory File.join(uid, "tests")
         end
@@ -102,6 +102,12 @@ module Strata
           end
         end
 
+        def create_security_file
+          return if cloned_from_git?
+
+          copy_file "security.yml", "#{uid}/security.yml"
+        end
+
         def initialize_git
           return if cloned_from_git?
 
@@ -113,7 +119,8 @@ module Strata
 
         def setup_datasource
           return if cloned_from_git?
-          return if options.key?(:datasource) # Already specified via CLI option
+          return if options.key?(:datasource)
+          return if existing_directory?
 
           print_status(:setup, "Let's configure your first datasource", type: :info)
           print_info("\n")
@@ -140,6 +147,10 @@ module Strata
           @cloned_from_git ||= false
         end
 
+        def existing_directory?
+          File.directory?(name.to_s)
+        end
+
         def fetch_project_info
           conn = Faraday.new(url: options[:source]) do |f|
             f.request :authorization, "Bearer", options[:api_key]
@@ -180,6 +191,8 @@ module Strata
         def uid
           @uid ||= if options.key?(:source) && @project_info
             @project_info["uid"] || options[:source].split("/").last
+          elsif existing_directory?
+            name.to_s
           else
             Utils.url_safe_str(name)
           end

data/lib/strata/cli/generators/templates/AGENTS.md

@@ -28,11 +28,13 @@ Read this file end-to-end before creating or editing `models/**/*.yml`. Do not m
 
 These are non-negotiable. Violations break deploy, query planning, or production reports.
 
-1. **Every field `name` is unique project-wide** — one name = one dimension or measure entity across all `tbl.*.yml` files. Strata has no `table.field` namespaces; bracket references like `[Total Revenue]` resolve by name alone.
+1. **Every field `name` is unique project-wide per dimension or measure** — one name = one dimension or measure entity across all `tbl.*.yml` files. Strata has no `table.field` namespaces; bracket references like `[Total Revenue]` resolve by name alone.
 2. **`many_to_many` join cardinality is not supported.** Use a junction/bridge table with two relationships (`one_to_many` + `many_to_one`) instead.
 3. **Measures on unrelated detail facts must have distinct names** — e.g. `Store Gross Sales`, `Catalog Gross Sales`, not one `Gross Sales` on three channel facts. See [Naming conventions](#naming-conventions).
-4. **Dimensions may share names** when the business role is the same; Strata picks among tables at query time. **Measures do not combine that way** — duplicate measure names attach more SQL to the same measure entity (double-count risk).
+4. **Dimensions may share names** when the business role is the same; Strata picks among tables at query time. **Measures do not combine that way** — duplicate measure names implies varying levels of aggregation of the same basic fact. The correct table and measure combination will be determined by context (i.e. what dimensions are present in the same query.)
 5. **Cross-fact totals use compound measures or blending** — not the same measure name on multiple facts. See [Combined metrics across facts](#combined-metrics-across-facts).
+6. Security policies can be implemented in the security.yml file.  Use the guidelines documented therin.
+7. Strata supports role playing or aliasing of dimension tables.  For example, user wants date_dim table to also be used when query "Order Return Date". In that case, we simply point to the same physical_name "date_dim" but set the table name to "Order Return Date". If the user asks to alias an dimension table from an existing model we can simply copy the existing model, change the table name, and prefix all the dimensions in it with the appropriate prefix representing the role.
 
 ## Unsupported or impossible requirements
 

data/lib/strata/cli/generators/templates/security.yml

@@ -0,0 +1,77 @@
+# Semantic Security Policies
+#
+# This file defines row-level security policies enforced at query planning time.
+# Policies are branch-scoped and deployed alongside your semantic model.
+#
+# Two enforcement modes:
+#
+#   mask_data   — Sensitive column values are replaced with a mask string.
+#                 Rows remain in the result set; users can see that restricted
+#                 data exists but cannot read it.
+#
+#   filter_data — Rows for context values the user cannot access are removed
+#                 entirely. Restricted data is invisible to the user.
+#
+# How it works:
+#   1. A policy is triggered when a query projects a field tagged with one of
+#      the trigger tags (e.g. "pii").
+#   2. The context_dimension defines the security boundary (e.g. "Call Center ID").
+#      It must be reachable in every universe that contains a triggered field,
+#      otherwise the query is rejected with a hard error.
+#   3. Permission resolution determines which context dimension values the current
+#      user is allowed to see, derived from their group memberships or user record.
+#
+# Tagging fields: add a tags key to any dimension in your table YAML files:
+#
+#   fields:
+#     - type: dimension
+#       name: Agent Name
+#       tags: [pii]
+#       data_type: string
+#       expression:
+#         sql: agent_name
+
+policies: []
+
+# ── Example: mask PII dimensions scoped by call center ──────────────────────
+#
+# - name: PII Call Center Masking
+#   mode: mask_data              # mask_data | filter_data
+#   mask_value: "#######"        # Value shown to users without access (mask_data only)
+#
+#   triggers:
+#     field_tags: [pii]          # Triggers on any field tagged "pii"
+#     # field_names:             # Optional: trigger on specific fields by display name
+#     #   - Agent Name           # Resolved to UIDs at deploy time
+#
+#   # Dimension that scopes visibility. Resolved by name at deploy time.
+#   # Must be reachable in the universe for any query that includes a triggered field.
+#   context_dimension: Call Center ID
+#
+#   permission_resolution:
+#     source: groups             # groups | user
+#     value_from: tag            # groups: name | tag   /   user: email | tag
+#     tag_key: call_center_id   # Required when value_from is "tag".
+#                                # Extracts the value from group tags formatted as "call_center_id:TMNT"
+#
+#   bypass:
+#     system_admin: true         # System admins bypass this policy entirely
+#     project_admin: false
+#
+# ── Example: filter rows so each user sees only their own employee record ────
+#
+# - name: Employee Self-Service
+#   mode: filter_data
+#
+#   triggers:
+#     field_tags: [employee_pii]
+#
+#   context_dimension: Employee Email
+#
+#   permission_resolution:
+#     source: user               # Resolve from the current user's own attributes
+#     value_from: email          # Allowed value = the authenticated user's email address
+#
+#   bypass:
+#     system_admin: true
+#     project_admin: false

data/lib/strata/cli/helpers/prompts.rb

@@ -28,6 +28,21 @@ module Strata
       MSG_MODELS_LIST_HEADER = "\n  Semantic Models:\n"
       MSG_MODELS_COUNT = "\n  Total: %d model(s)\n"
 
+      # Policy Command Prompts
+      MSG_POLICY_NAME = "  Policy name:"
+      MSG_POLICY_MODE = "  Enforcement mode:"
+      MSG_POLICY_MASK_VALUE = "  Mask value (shown for restricted data):"
+      MSG_POLICY_FIELD_TAGS = "  Field tags that trigger this policy (comma-separated, e.g. pii,hipaa):"
+      MSG_POLICY_FIELD_NAMES = "  Specific field names (comma-separated, optional — leave blank to skip):"
+      MSG_POLICY_CONTEXT_DIM = "  Context dimension name:"
+      MSG_POLICY_PERM_SOURCE = "  Permission source:"
+      MSG_POLICY_VALUE_FROM = "  Resolve allowed values from:"
+      MSG_POLICY_TAG_KEY = "  Tag key (e.g. call_center_id):"
+      MSG_POLICY_BYPASS_ADMIN = "  Bypass for system admins?"
+      MSG_POLICY_BYPASS_PROJECT = "  Bypass for project admins?"
+      MSG_POLICY_CREATED = "\n✔ Policy '%s' added to security.yml"
+      MSG_POLICY_HINT = "\n💡 Run 'strata deploy' to activate this policy"
+
       # Migration hook options
       MIGRATION_HOOK_OPTIONS = {
         "pre (before deployment)" => "pre",

data/lib/strata/cli/sub_commands/audit.rb

@@ -30,7 +30,7 @@ module Strata
         ALLOWED_FIELD_KEYS = %w[
           type name description hidden grains data_type display_type format
           secure disable_listing value_list_size snapshot exclusion_type
-          exclusions inclusions extended_blend_group synonyms expression
+          exclusions inclusions extended_blend_group synonyms expression tags
         ].freeze
         ALLOWED_EXPRESSION_KEYS = %w[sql array lookup primary_key].freeze
         EXPRESSION_BOOLEAN_KEYS = %w[array lookup primary_key].freeze

data/lib/strata/cli/sub_commands/create.rb

@@ -51,6 +51,21 @@ module Strata
           end
         end
 
+        desc "policy [NAME]", "Scaffold a new security policy in security.yml"
+        method_option :interactive, aliases: "-i", type: :boolean, default: false,
+          desc: "Walk through all options interactively"
+        method_option :mode, type: :string, desc: "Enforcement mode: mask_data or filter_data"
+        method_option :tags, type: :array, desc: "Field tags that trigger this policy"
+        method_option :context, type: :string, desc: "Context dimension name"
+
+        def policy(name = nil)
+          attrs = policy_interactive_mode? ? collect_policy_interactive(name) : collect_policy_fast(name)
+          require_relative "../generators/policy"
+          Generators::Policy.new([attrs]).invoke_all
+          say MSG_POLICY_CREATED % attrs[:name], :green
+          say MSG_POLICY_HINT, :yellow
+        end
+
         desc "relation RELATION_PATH", "Create a relation (join) definition file"
         long_desc_from_file("create/relation")
 
@@ -122,6 +137,94 @@ module Strata
 
         private
 
+        # ── Policy helpers ────────────────────────────────────────────────────
+
+        def policy_interactive_mode?
+          options[:interactive] ||
+            (options[:mode].nil? && options[:tags].nil? && options[:context].nil?)
+        end
+
+        def collect_policy_fast(name)
+          {
+            name: name || "New Policy",
+            mode: options[:mode] || "mask_data",
+            mask_value: "#######",
+            field_tags: Array(options[:tags]),
+            field_names: [],
+            context_dimension: options[:context] || "<context_dimension>",
+            permission_source: "groups",
+            value_from: "tag",
+            tag_key: "<tag_key>",
+            bypass_system_admin: true,
+            bypass_project_admin: false
+          }
+        end
+
+        def collect_policy_interactive(name)
+          say "\n  Policy\n", :bold
+          policy_name = name || prompt.ask(MSG_POLICY_NAME) { |q| q.required true }
+
+          mode = prompt.select(MSG_POLICY_MODE, [
+            {name: "mask_data  — replace restricted values with a mask", value: "mask_data"},
+            {name: "filter_data — remove restricted rows entirely", value: "filter_data"}
+          ])
+
+          mask_value = if mode == "mask_data"
+            prompt.ask(MSG_POLICY_MASK_VALUE, default: "#######")
+          end
+
+          say "\n  Triggers\n", :bold
+          tags_raw = prompt.ask(MSG_POLICY_FIELD_TAGS, default: "")
+          field_tags = tags_raw.to_s.split(",").map(&:strip).reject(&:empty?)
+
+          names_raw = prompt.ask(MSG_POLICY_FIELD_NAMES, default: "")
+          field_names = names_raw.to_s.split(",").map(&:strip).reject(&:empty?)
+
+          say "\n  Context\n", :bold
+          context_dimension = prompt.ask(MSG_POLICY_CONTEXT_DIM) { |q| q.required true }
+
+          say "\n  Permission Resolution\n", :bold
+          permission_source = prompt.select(MSG_POLICY_PERM_SOURCE, [
+            {name: "groups — derive from the user's group memberships", value: "groups"},
+            {name: "user   — derive from the user's own attributes", value: "user"}
+          ])
+
+          value_from_choices = if permission_source == "groups"
+            [
+              {name: "tag  — extract value from a group tag (e.g. call_center_id:TMNT)", value: "tag"},
+              {name: "name — use the group's display name as the allowed value", value: "name"}
+            ]
+          else
+            [
+              {name: "email — the user's email address", value: "email"},
+              {name: "tag   — extract value from a user tag", value: "tag"}
+            ]
+          end
+          value_from = prompt.select(MSG_POLICY_VALUE_FROM, value_from_choices)
+
+          tag_key = if value_from == "tag"
+            prompt.ask(MSG_POLICY_TAG_KEY) { |q| q.required true }
+          end
+
+          say "\n  Bypass\n", :bold
+          bypass_system_admin = prompt.yes?(MSG_POLICY_BYPASS_ADMIN, default: true)
+          bypass_project_admin = prompt.yes?(MSG_POLICY_BYPASS_PROJECT, default: false)
+
+          {
+            name: policy_name,
+            mode: mode,
+            mask_value: mask_value,
+            field_tags: field_tags,
+            field_names: field_names,
+            context_dimension: context_dimension,
+            permission_source: permission_source,
+            value_from: value_from,
+            tag_key: tag_key,
+            bypass_system_admin: bypass_system_admin,
+            bypass_project_admin: bypass_project_admin
+          }
+        end
+
         def handle_table_creation_with_path(table_path)
           # Parse the path to extract schema, physical name, and model path
           parsed = parse_table_path(table_path)

data/lib/strata/cli/version.rb

@@ -2,6 +2,6 @@
 
 module Strata
   module CLI
-    VERSION = "0.1.11"
+    VERSION = "0.1.12"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: strata-cli
 version: !ruby/object:Gem::Version
-  version: 0.1.11
+  version: 0.1.12
 platform: ruby
 authors:
 - Ajo Abraham
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.2
+        version: 0.4.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.2
+        version: 0.4.4
 - !ruby/object:Gem::Dependency
   name: aws-sdk-athena
   requirement: !ruby/object:Gem::Requirement
@@ -268,6 +268,7 @@ files:
 - lib/strata/cli/generators/datasource.rb
 - lib/strata/cli/generators/group.rb
 - lib/strata/cli/generators/migration.rb
+- lib/strata/cli/generators/policy.rb
 - lib/strata/cli/generators/project.rb
 - lib/strata/cli/generators/relation.rb
 - lib/strata/cli/generators/table.rb
@@ -286,6 +287,7 @@ files:
 - lib/strata/cli/generators/templates/migration.swap.yml
 - lib/strata/cli/generators/templates/project.yml
 - lib/strata/cli/generators/templates/rel.domain.yml
+- lib/strata/cli/generators/templates/security.yml
 - lib/strata/cli/generators/templates/strata.yml
 - lib/strata/cli/generators/templates/table.table_name.yml
 - lib/strata/cli/generators/templates/test.yml