@514labs/moose-lib 0.6.457 → 0.6.458

package/dist/index.mjs

@@ -384,13 +384,17 @@ var init_runtime = __esm({
         const envUseSSL = this._parseBool(
           this._env("MOOSE_CLICKHOUSE_CONFIG__USE_SSL")
         );
+        const envRlsUser = this._env("MOOSE_CLICKHOUSE_CONFIG__RLS_USER");
+        const envRlsPassword = this._env("MOOSE_CLICKHOUSE_CONFIG__RLS_PASSWORD");
         return {
           host: envHost ?? projectConfig.clickhouse_config.host,
           port: envPort ?? projectConfig.clickhouse_config.host_port.toString(),
           username: envUser ?? projectConfig.clickhouse_config.user,
           password: envPassword ?? projectConfig.clickhouse_config.password,
           database: envDb ?? projectConfig.clickhouse_config.db_name,
-          useSSL: envUseSSL !== void 0 ? envUseSSL : projectConfig.clickhouse_config.use_ssl || false
+          useSSL: envUseSSL !== void 0 ? envUseSSL : projectConfig.clickhouse_config.use_ssl || false,
+          rlsUser: envRlsUser ?? projectConfig.clickhouse_config.rls_user ?? void 0,
+          rlsPassword: envRlsPassword ?? projectConfig.clickhouse_config.rls_password ?? void 0
         };
       }
       async getStandaloneClickhouseConfig(overrides) {
@@ -405,6 +409,8 @@ var init_runtime = __esm({
         const envUseSSL = this._parseBool(
           this._env("MOOSE_CLICKHOUSE_CONFIG__USE_SSL")
         );
+        const envRlsUser = this._env("MOOSE_CLICKHOUSE_CONFIG__RLS_USER");
+        const envRlsPassword = this._env("MOOSE_CLICKHOUSE_CONFIG__RLS_PASSWORD");
         let projectConfig;
         try {
           projectConfig = await readProjectConfig();
@@ -425,7 +431,9 @@ var init_runtime = __esm({
           username: overrides?.username ?? envUser ?? projectConfig?.clickhouse_config.user ?? defaults.username,
           password: overrides?.password ?? envPassword ?? projectConfig?.clickhouse_config.password ?? defaults.password,
           database: overrides?.database ?? envDb ?? projectConfig?.clickhouse_config.db_name ?? defaults.database,
-          useSSL: overrides?.useSSL ?? envUseSSL ?? projectConfig?.clickhouse_config.use_ssl ?? defaults.useSSL
+          useSSL: overrides?.useSSL ?? envUseSSL ?? projectConfig?.clickhouse_config.use_ssl ?? defaults.useSSL,
+          rlsUser: envRlsUser ?? projectConfig?.clickhouse_config.rls_user ?? void 0,
+          rlsPassword: envRlsPassword ?? projectConfig?.clickhouse_config.rls_password ?? void 0
         };
       }
       async getKafkaConfig() {
@@ -786,7 +794,8 @@ function createRegistryFrom(existing) {
     workflows: toTrackingMap(existing?.workflows),
     webApps: toTrackingMap(existing?.webApps),
     materializedViews: toTrackingMap(existing?.materializedViews),
-    views: toTrackingMap(existing?.views)
+    views: toTrackingMap(existing?.views),
+    selectRowPolicies: toTrackingMap(existing?.selectRowPolicies)
   };
 }
 var moose_internal = {
@@ -822,7 +831,11 @@ var moose_internal = {
     void 0,
     markRegistryMutated
   ),
-  views: new MutationTrackingMap(void 0, markRegistryMutated)
+  views: new MutationTrackingMap(void 0, markRegistryMutated),
+  selectRowPolicies: new MutationTrackingMap(
+    void 0,
+    markRegistryMutated
+  )
 };
 var defaultRetentionPeriod = 60 * 60 * 24 * 7;
 var initializeMooseInternalRegistry = () => {
@@ -853,6 +866,7 @@ var loadIndex = async () => {
   registry.webApps.clear();
   registry.materializedViews.clear();
   registry.views.clear();
+  registry.selectRowPolicies.clear();
   const outDir = getOutDir();
   const compiledDir = path4.isAbsolute(outDir) ? outDir : path4.join(process3.cwd(), outDir);
   Object.keys(__require.cache).forEach((key) => {
@@ -1253,10 +1267,7 @@ var OlapTable = class extends TypedBase {
     }
     tables.set(registryKey, this);
   }
-  /**
-   * Generates the versioned table name following Moose's naming convention
-   * Format: {tableName}_{version_with_dots_replaced_by_underscores}
-   */
+  /** @internal Returns the versioned ClickHouse table name (e.g., "events_1_0_0") */
   generateTableName() {
     if (this._cachedTableName) {
       return this._cachedTableName;
@@ -2965,6 +2976,47 @@ var View = class {
   }
 };
 
+// src/dmv2/sdk/selectRowPolicy.ts
+var SelectRowPolicy = class {
+  /** @internal */
+  kind = "SelectRowPolicy";
+  /** The name of the row policy */
+  name;
+  /** The policy configuration */
+  config;
+  constructor(name, config) {
+    if (!name.trim()) {
+      throw new Error("SelectRowPolicy name must not be empty");
+    }
+    if (!config.tables.length) {
+      throw new Error(`SelectRowPolicy '${name}': tables must not be empty`);
+    }
+    if (!config.column.trim()) {
+      throw new Error(`SelectRowPolicy '${name}': column must not be empty`);
+    }
+    if (!config.claim.trim()) {
+      throw new Error(`SelectRowPolicy '${name}': claim must not be empty`);
+    }
+    this.name = name;
+    this.config = Object.freeze({
+      ...config,
+      tables: Object.freeze([...config.tables])
+    });
+    const selectRowPolicies = getMooseInternal().selectRowPolicies;
+    if (!isClientOnlyMode() && selectRowPolicies.has(this.name)) {
+      throw new Error(`SelectRowPolicy with name ${this.name} already exists`);
+    }
+    selectRowPolicies.set(this.name, this);
+  }
+  /** Resolved table references for serialization */
+  get tableRefs() {
+    return this.config.tables.map((t) => ({
+      name: t.generateTableName(),
+      ...t.config.database ? { database: t.config.database } : {}
+    }));
+  }
+};
+
 // src/dmv2/sdk/lifeCycle.ts
 var LifeCycle = /* @__PURE__ */ ((LifeCycle2) => {
   LifeCycle2["FULLY_MANAGED"] = "FULLY_MANAGED";
@@ -3176,6 +3228,12 @@ function getViews() {
 function getView(name) {
   return getMooseInternal().views.get(name);
 }
+function getSelectRowPolicies() {
+  return getMooseInternal().selectRowPolicies;
+}
+function getSelectRowPolicy(name) {
+  return getMooseInternal().selectRowPolicies.get(name);
+}
 
 // src/index.ts
 init_commons();
@@ -3254,12 +3312,27 @@ var MooseClient = class {
     this.workflow = new WorkflowClient(temporalClient);
   }
 };
+var MOOSE_RLS_ROLE = "moose_rls_role";
+var MOOSE_RLS_USER = "moose_rls_user";
+var MOOSE_RLS_SETTING_PREFIX = "SQL_moose_rls_";
+function buildRowPolicyOptionsFromClaims(config, claims) {
+  const clickhouse_settings = /* @__PURE__ */ Object.create(null);
+  for (const [settingName, claimName] of Object.entries(config)) {
+    const value = claims[claimName];
+    if (value !== void 0 && value !== null) {
+      clickhouse_settings[settingName] = String(value);
+    }
+  }
+  return { role: MOOSE_RLS_ROLE, clickhouse_settings };
+}
 var QueryClient = class {
   client;
   query_id_prefix;
-  constructor(client, query_id_prefix) {
+  rowPolicyOptions;
+  constructor(client, query_id_prefix, rowPolicyOptions) {
     this.client = client;
     this.query_id_prefix = query_id_prefix;
+    this.rowPolicyOptions = rowPolicyOptions;
   }
   async execute(sql3) {
     const [query, query_params] = toQuery(sql3);
@@ -3274,7 +3347,11 @@ var QueryClient = class {
       // where response buffering would harm streaming performance and concurrency
       clickhouse_settings: {
         asterisk_include_materialized_columns: 1,
-        asterisk_include_alias_columns: 1
+        asterisk_include_alias_columns: 1,
+        ...this.rowPolicyOptions?.clickhouse_settings
+      },
+      ...this.rowPolicyOptions && {
+        role: this.rowPolicyOptions.role
       }
     });
     const elapsedMs = performance.now() - start;
@@ -3727,58 +3804,148 @@ var MooseCache = class _MooseCache {
 
 // src/consumption-apis/standalone.ts
 init_commons();
+import { AsyncLocalStorage } from "async_hooks";
+var requestContextStorage = new AsyncLocalStorage();
+function isLegacyRequestArg(arg) {
+  if (arg === null || typeof arg !== "object") return false;
+  const obj = arg;
+  return "method" in obj || "url" in obj || "headers" in obj;
+}
+function getRowPoliciesConfigFromRegistry() {
+  const policies = getSelectRowPolicies();
+  if (policies.size === 0) return void 0;
+  const config = /* @__PURE__ */ Object.create(null);
+  for (const policy of policies.values()) {
+    config[`${MOOSE_RLS_SETTING_PREFIX}${policy.config.column}`] = policy.config.claim;
+  }
+  return config;
+}
 var standaloneUtils = null;
 var initPromise2 = null;
+var standaloneRlsClient = null;
+var standaloneClickhouseConfig = null;
 var toClientConfig = (config) => ({
   ...config,
   useSSL: config.useSSL ? "true" : "false"
 });
-async function getMooseUtils(req) {
-  if (req !== void 0) {
+async function getMooseUtils(options) {
+  if (options !== void 0 && isLegacyRequestArg(options)) {
     console.warn(
-      "[DEPRECATED] getMooseUtils(req) no longer requires a request parameter. Use getMooseUtils() instead."
+      "[DEPRECATED] getMooseUtils(req) no longer requires a request parameter. Use getMooseUtils() instead, or getMooseUtils({ rlsContext }) for row policies."
     );
+    options = void 0;
   }
   const runtimeContext = globalThis._mooseRuntimeContext;
   if (runtimeContext) {
-    return {
-      client: runtimeContext.client,
-      sql,
-      jwt: runtimeContext.jwt
-    };
+    return resolveRuntimeUtils(runtimeContext, options);
   }
-  if (standaloneUtils) {
-    return standaloneUtils;
+  await ensureStandaloneInit();
+  if (options?.rlsContext) {
+    return createStandaloneRlsUtils(options.rlsContext);
   }
-  if (initPromise2) {
-    return initPromise2;
-  }
-  initPromise2 = (async () => {
-    await Promise.resolve().then(() => (init_runtime(), runtime_exports));
-    const configRegistry = globalThis._mooseConfigRegistry;
-    if (!configRegistry) {
+  return standaloneUtils;
+}
+function resolveRuntimeUtils(runtimeContext, options) {
+  const reqCtx = requestContextStorage.getStore();
+  const jwt = reqCtx?.jwt ?? runtimeContext.jwt;
+  let rowPolicyOpts;
+  if (options?.rlsContext) {
+    if (!runtimeContext.rowPoliciesConfig) {
       throw new Error(
-        "Moose not initialized. Ensure you're running within a Moose app or have proper configuration set up."
+        "rlsContext was provided but no row policies are configured. Define at least one SelectRowPolicy before using rlsContext."
       );
     }
-    const clickhouseConfig = await configRegistry.getStandaloneClickhouseConfig();
-    const clickhouseClient = getClickhouseClient(
-      toClientConfig(clickhouseConfig)
+    rowPolicyOpts = buildRowPolicyOptionsFromClaims(
+      runtimeContext.rowPoliciesConfig,
+      options.rlsContext
     );
-    const queryClient = new QueryClient(clickhouseClient, "standalone");
-    const mooseClient = new MooseClient(queryClient);
-    standaloneUtils = {
-      client: mooseClient,
+  } else {
+    rowPolicyOpts = reqCtx?.rowPolicyOpts;
+  }
+  if (rowPolicyOpts) {
+    const rlsClient = runtimeContext.rlsClickhouseClient ?? runtimeContext.clickhouseClient;
+    const scopedQueryClient = new QueryClient(
+      rlsClient,
+      "rls-scoped",
+      rowPolicyOpts
+    );
+    return {
+      client: new MooseClient(scopedQueryClient, runtimeContext.temporalClient),
       sql,
-      jwt: void 0
+      jwt
     };
-    return standaloneUtils;
-  })();
-  try {
-    return await initPromise2;
-  } finally {
-    initPromise2 = null;
   }
+  return {
+    client: runtimeContext.client,
+    sql,
+    jwt
+  };
+}
+async function ensureStandaloneInit() {
+  if (standaloneUtils) return;
+  if (!initPromise2) {
+    initPromise2 = (async () => {
+      await Promise.resolve().then(() => (init_runtime(), runtime_exports));
+      const configRegistry = globalThis._mooseConfigRegistry;
+      if (!configRegistry) {
+        throw new Error(
+          "Moose not initialized. Ensure you're running within a Moose app or have proper configuration set up."
+        );
+      }
+      const clickhouseConfig = await configRegistry.getStandaloneClickhouseConfig();
+      standaloneClickhouseConfig = clickhouseConfig;
+      const clickhouseClient = getClickhouseClient(
+        toClientConfig(clickhouseConfig)
+      );
+      const queryClient = new QueryClient(clickhouseClient, "standalone");
+      const mooseClient = new MooseClient(queryClient);
+      standaloneUtils = {
+        client: mooseClient,
+        sql,
+        jwt: void 0
+      };
+      return standaloneUtils;
+    })();
+    try {
+      await initPromise2;
+    } finally {
+      initPromise2 = null;
+    }
+  } else {
+    await initPromise2;
+  }
+}
+function createStandaloneRlsUtils(rlsContext) {
+  const rowPoliciesConfig = getRowPoliciesConfigFromRegistry();
+  if (!rowPoliciesConfig) {
+    throw new Error(
+      "rlsContext was provided but no SelectRowPolicy primitives are registered. Define at least one SelectRowPolicy before using rlsContext."
+    );
+  }
+  if (!standaloneRlsClient && standaloneClickhouseConfig) {
+    standaloneRlsClient = getClickhouseClient(
+      toClientConfig({
+        ...standaloneClickhouseConfig,
+        username: standaloneClickhouseConfig.rlsUser ?? MOOSE_RLS_USER,
+        password: standaloneClickhouseConfig.rlsPassword ?? standaloneClickhouseConfig.password
+      })
+    );
+  }
+  const rowPolicyOpts = buildRowPolicyOptionsFromClaims(
+    rowPoliciesConfig,
+    rlsContext
+  );
+  const rlsClient = standaloneRlsClient ?? standaloneUtils.client.query.client;
+  const scopedQueryClient = new QueryClient(
+    rlsClient,
+    "rls-scoped",
+    rowPolicyOpts
+  );
+  return {
+    client: new MooseClient(scopedQueryClient),
+    sql,
+    jwt: void 0
+  };
 }
 async function getMooseClients(config) {
   console.warn(
@@ -4820,6 +4987,9 @@ export {
   MAX_RETRIES,
   MAX_RETRIES_PRODUCER,
   MAX_RETRY_TIME_MS,
+  MOOSE_RLS_ROLE,
+  MOOSE_RLS_SETTING_PREFIX,
+  MOOSE_RLS_USER,
   MOOSE_RUNTIME_ENV_PREFIX,
   MaterializedView,
   MooseCache,
@@ -4828,6 +4998,7 @@ export {
   QueryClient,
   RETRY_FACTOR_PRODUCER,
   RETRY_INITIAL_TIME_MS,
+  SelectRowPolicy,
   Sql,
   SqlResource,
   Stream,
@@ -4843,6 +5014,7 @@ export {
   avg,
   between,
   buildQuery,
+  buildRowPolicyOptionsFromClaims,
   cliLog,
   columnsFromTable,
   compilerLog,
@@ -4873,6 +5045,8 @@ export {
   getMooseClients,
   getMooseUtils,
   getMooseUtilsFromRequest,
+  getSelectRowPolicies,
+  getSelectRowPolicy,
   getSqlResource,
   getSqlResources,
   getStream,