@514labs/moose-lib 0.6.457 → 0.6.458

package/dist/moose-runner.mjs

@@ -333,6 +333,14 @@ var init_view = __esm({
   }
 });
 
+// src/dmv2/sdk/selectRowPolicy.ts
+var init_selectRowPolicy = __esm({
+  "src/dmv2/sdk/selectRowPolicy.ts"() {
+    "use strict";
+    init_internal();
+  }
+});
+
 // src/dmv2/sdk/lifeCycle.ts
 var init_lifeCycle = __esm({
   "src/dmv2/sdk/lifeCycle.ts"() {
@@ -350,6 +358,9 @@ var init_webApp = __esm({
 });
 
 // src/dmv2/registry.ts
+function getSelectRowPolicies() {
+  return getMooseInternal().selectRowPolicies;
+}
 var init_registry = __esm({
   "src/dmv2/registry.ts"() {
     "use strict";
@@ -372,6 +383,7 @@ var init_dmv2 = __esm({
     init_materializedView();
     init_sqlResource();
     init_view();
+    init_selectRowPolicy();
     init_lifeCycle();
     init_webApp();
     init_registry();
@@ -544,6 +556,16 @@ function formatElapsedTime(ms) {
   const remainingSeconds = seconds % 60;
   return `${minutes} minutes and ${remainingSeconds.toFixed(2)} seconds`;
 }
+function buildRowPolicyOptionsFromClaims(config, claims) {
+  const clickhouse_settings = /* @__PURE__ */ Object.create(null);
+  for (const [settingName, claimName] of Object.entries(config)) {
+    const value = claims[claimName];
+    if (value !== void 0 && value !== null) {
+      clickhouse_settings[settingName] = String(value);
+    }
+  }
+  return { role: MOOSE_RLS_ROLE, clickhouse_settings };
+}
 async function getTemporalClient(temporalUrl, namespace, clientCert, clientKey, apiKey2) {
   try {
     console.info(
@@ -580,7 +602,7 @@ async function getTemporalClient(temporalUrl, namespace, clientCert, clientKey,
     return void 0;
   }
 }
-var MooseClient, QueryClient, WorkflowClient;
+var MooseClient, MOOSE_RLS_ROLE, MOOSE_RLS_USER, MOOSE_RLS_SETTING_PREFIX, QueryClient, WorkflowClient;
 var init_helpers = __esm({
   "src/consumption-apis/helpers.ts"() {
     "use strict";
@@ -594,12 +616,17 @@ var init_helpers = __esm({
         this.workflow = new WorkflowClient(temporalClient);
       }
     };
+    MOOSE_RLS_ROLE = "moose_rls_role";
+    MOOSE_RLS_USER = "moose_rls_user";
+    MOOSE_RLS_SETTING_PREFIX = "SQL_moose_rls_";
     QueryClient = class {
       client;
       query_id_prefix;
-      constructor(client, query_id_prefix) {
+      rowPolicyOptions;
+      constructor(client, query_id_prefix, rowPolicyOptions) {
         this.client = client;
         this.query_id_prefix = query_id_prefix;
+        this.rowPolicyOptions = rowPolicyOptions;
       }
       async execute(sql3) {
         const [query, query_params] = toQuery(sql3);
@@ -614,7 +641,11 @@ var init_helpers = __esm({
           // where response buffering would harm streaming performance and concurrency
           clickhouse_settings: {
             asterisk_include_materialized_columns: 1,
-            asterisk_include_alias_columns: 1
+            asterisk_include_alias_columns: 1,
+            ...this.rowPolicyOptions?.clickhouse_settings
+          },
+          ...this.rowPolicyOptions && {
+            role: this.rowPolicyOptions.role
           }
         });
         const elapsedMs = performance.now() - start;
@@ -859,13 +890,17 @@ var init_runtime = __esm({
         const envUseSSL = this._parseBool(
           this._env("MOOSE_CLICKHOUSE_CONFIG__USE_SSL")
         );
+        const envRlsUser = this._env("MOOSE_CLICKHOUSE_CONFIG__RLS_USER");
+        const envRlsPassword = this._env("MOOSE_CLICKHOUSE_CONFIG__RLS_PASSWORD");
         return {
           host: envHost ?? projectConfig.clickhouse_config.host,
           port: envPort ?? projectConfig.clickhouse_config.host_port.toString(),
           username: envUser ?? projectConfig.clickhouse_config.user,
           password: envPassword ?? projectConfig.clickhouse_config.password,
           database: envDb ?? projectConfig.clickhouse_config.db_name,
-          useSSL: envUseSSL !== void 0 ? envUseSSL : projectConfig.clickhouse_config.use_ssl || false
+          useSSL: envUseSSL !== void 0 ? envUseSSL : projectConfig.clickhouse_config.use_ssl || false,
+          rlsUser: envRlsUser ?? projectConfig.clickhouse_config.rls_user ?? void 0,
+          rlsPassword: envRlsPassword ?? projectConfig.clickhouse_config.rls_password ?? void 0
         };
       }
       async getStandaloneClickhouseConfig(overrides) {
@@ -880,6 +915,8 @@ var init_runtime = __esm({
         const envUseSSL = this._parseBool(
           this._env("MOOSE_CLICKHOUSE_CONFIG__USE_SSL")
         );
+        const envRlsUser = this._env("MOOSE_CLICKHOUSE_CONFIG__RLS_USER");
+        const envRlsPassword = this._env("MOOSE_CLICKHOUSE_CONFIG__RLS_PASSWORD");
         let projectConfig;
         try {
           projectConfig = await readProjectConfig();
@@ -900,7 +937,9 @@ var init_runtime = __esm({
           username: overrides?.username ?? envUser ?? projectConfig?.clickhouse_config.user ?? defaults.username,
           password: overrides?.password ?? envPassword ?? projectConfig?.clickhouse_config.password ?? defaults.password,
           database: overrides?.database ?? envDb ?? projectConfig?.clickhouse_config.db_name ?? defaults.database,
-          useSSL: overrides?.useSSL ?? envUseSSL ?? projectConfig?.clickhouse_config.use_ssl ?? defaults.useSSL
+          useSSL: overrides?.useSSL ?? envUseSSL ?? projectConfig?.clickhouse_config.use_ssl ?? defaults.useSSL,
+          rlsUser: envRlsUser ?? projectConfig?.clickhouse_config.rls_user ?? void 0,
+          rlsPassword: envRlsPassword ?? projectConfig?.clickhouse_config.rls_password ?? void 0
         };
       }
       async getKafkaConfig() {
@@ -940,54 +979,145 @@ var init_runtime = __esm({
 var standalone_exports = {};
 __export(standalone_exports, {
   getMooseClients: () => getMooseClients,
-  getMooseUtils: () => getMooseUtils
+  getMooseUtils: () => getMooseUtils,
+  runWithRequestContext: () => runWithRequestContext
 });
-async function getMooseUtils(req) {
-  if (req !== void 0) {
+import { AsyncLocalStorage } from "async_hooks";
+function runWithRequestContext(context, fn) {
+  return requestContextStorage.run(context, fn);
+}
+function isLegacyRequestArg(arg) {
+  if (arg === null || typeof arg !== "object") return false;
+  const obj = arg;
+  return "method" in obj || "url" in obj || "headers" in obj;
+}
+function getRowPoliciesConfigFromRegistry() {
+  const policies = getSelectRowPolicies();
+  if (policies.size === 0) return void 0;
+  const config = /* @__PURE__ */ Object.create(null);
+  for (const policy of policies.values()) {
+    config[`${MOOSE_RLS_SETTING_PREFIX}${policy.config.column}`] = policy.config.claim;
+  }
+  return config;
+}
+async function getMooseUtils(options) {
+  if (options !== void 0 && isLegacyRequestArg(options)) {
     console.warn(
-      "[DEPRECATED] getMooseUtils(req) no longer requires a request parameter. Use getMooseUtils() instead."
+      "[DEPRECATED] getMooseUtils(req) no longer requires a request parameter. Use getMooseUtils() instead, or getMooseUtils({ rlsContext }) for row policies."
     );
+    options = void 0;
   }
   const runtimeContext = globalThis._mooseRuntimeContext;
   if (runtimeContext) {
-    return {
-      client: runtimeContext.client,
-      sql,
-      jwt: runtimeContext.jwt
-    };
+    return resolveRuntimeUtils(runtimeContext, options);
   }
-  if (standaloneUtils) {
-    return standaloneUtils;
+  await ensureStandaloneInit();
+  if (options?.rlsContext) {
+    return createStandaloneRlsUtils(options.rlsContext);
   }
-  if (initPromise) {
-    return initPromise;
-  }
-  initPromise = (async () => {
-    await Promise.resolve().then(() => (init_runtime(), runtime_exports));
-    const configRegistry = globalThis._mooseConfigRegistry;
-    if (!configRegistry) {
+  return standaloneUtils;
+}
+function resolveRuntimeUtils(runtimeContext, options) {
+  const reqCtx = requestContextStorage.getStore();
+  const jwt = reqCtx?.jwt ?? runtimeContext.jwt;
+  let rowPolicyOpts;
+  if (options?.rlsContext) {
+    if (!runtimeContext.rowPoliciesConfig) {
       throw new Error(
-        "Moose not initialized. Ensure you're running within a Moose app or have proper configuration set up."
+        "rlsContext was provided but no row policies are configured. Define at least one SelectRowPolicy before using rlsContext."
       );
     }
-    const clickhouseConfig = await configRegistry.getStandaloneClickhouseConfig();
-    const clickhouseClient = getClickhouseClient(
-      toClientConfig(clickhouseConfig)
+    rowPolicyOpts = buildRowPolicyOptionsFromClaims(
+      runtimeContext.rowPoliciesConfig,
+      options.rlsContext
     );
-    const queryClient = new QueryClient(clickhouseClient, "standalone");
-    const mooseClient = new MooseClient(queryClient);
-    standaloneUtils = {
-      client: mooseClient,
+  } else {
+    rowPolicyOpts = reqCtx?.rowPolicyOpts;
+  }
+  if (rowPolicyOpts) {
+    const rlsClient = runtimeContext.rlsClickhouseClient ?? runtimeContext.clickhouseClient;
+    const scopedQueryClient = new QueryClient(
+      rlsClient,
+      "rls-scoped",
+      rowPolicyOpts
+    );
+    return {
+      client: new MooseClient(scopedQueryClient, runtimeContext.temporalClient),
       sql,
-      jwt: void 0
+      jwt
     };
-    return standaloneUtils;
-  })();
-  try {
-    return await initPromise;
-  } finally {
-    initPromise = null;
   }
+  return {
+    client: runtimeContext.client,
+    sql,
+    jwt
+  };
+}
+async function ensureStandaloneInit() {
+  if (standaloneUtils) return;
+  if (!initPromise) {
+    initPromise = (async () => {
+      await Promise.resolve().then(() => (init_runtime(), runtime_exports));
+      const configRegistry = globalThis._mooseConfigRegistry;
+      if (!configRegistry) {
+        throw new Error(
+          "Moose not initialized. Ensure you're running within a Moose app or have proper configuration set up."
+        );
+      }
+      const clickhouseConfig = await configRegistry.getStandaloneClickhouseConfig();
+      standaloneClickhouseConfig = clickhouseConfig;
+      const clickhouseClient = getClickhouseClient(
+        toClientConfig(clickhouseConfig)
+      );
+      const queryClient = new QueryClient(clickhouseClient, "standalone");
+      const mooseClient = new MooseClient(queryClient);
+      standaloneUtils = {
+        client: mooseClient,
+        sql,
+        jwt: void 0
+      };
+      return standaloneUtils;
+    })();
+    try {
+      await initPromise;
+    } finally {
+      initPromise = null;
+    }
+  } else {
+    await initPromise;
+  }
+}
+function createStandaloneRlsUtils(rlsContext) {
+  const rowPoliciesConfig = getRowPoliciesConfigFromRegistry();
+  if (!rowPoliciesConfig) {
+    throw new Error(
+      "rlsContext was provided but no SelectRowPolicy primitives are registered. Define at least one SelectRowPolicy before using rlsContext."
+    );
+  }
+  if (!standaloneRlsClient && standaloneClickhouseConfig) {
+    standaloneRlsClient = getClickhouseClient(
+      toClientConfig({
+        ...standaloneClickhouseConfig,
+        username: standaloneClickhouseConfig.rlsUser ?? MOOSE_RLS_USER,
+        password: standaloneClickhouseConfig.rlsPassword ?? standaloneClickhouseConfig.password
+      })
+    );
+  }
+  const rowPolicyOpts = buildRowPolicyOptionsFromClaims(
+    rowPoliciesConfig,
+    rlsContext
+  );
+  const rlsClient = standaloneRlsClient ?? standaloneUtils.client.query.client;
+  const scopedQueryClient = new QueryClient(
+    rlsClient,
+    "rls-scoped",
+    rowPolicyOpts
+  );
+  return {
+    client: new MooseClient(scopedQueryClient),
+    sql,
+    jwt: void 0
+  };
 }
 async function getMooseClients(config) {
   console.warn(
@@ -1012,15 +1142,19 @@ async function getMooseClients(config) {
   const utils = await getMooseUtils();
   return { client: utils.client };
 }
-var standaloneUtils, initPromise, toClientConfig;
+var requestContextStorage, standaloneUtils, initPromise, standaloneRlsClient, standaloneClickhouseConfig, toClientConfig;
 var init_standalone = __esm({
   "src/consumption-apis/standalone.ts"() {
     "use strict";
     init_helpers();
     init_commons();
     init_sqlHelpers();
+    init_registry();
+    requestContextStorage = new AsyncLocalStorage();
     standaloneUtils = null;
     initPromise = null;
+    standaloneRlsClient = null;
+    standaloneClickhouseConfig = null;
     toClientConfig = (config) => ({
       ...config,
       useSSL: config.useSSL ? "true" : "false"
@@ -2917,7 +3051,8 @@ function createRegistryFrom(existing) {
     workflows: toTrackingMap(existing?.workflows),
     webApps: toTrackingMap(existing?.webApps),
     materializedViews: toTrackingMap(existing?.materializedViews),
-    views: toTrackingMap(existing?.views)
+    views: toTrackingMap(existing?.views),
+    selectRowPolicies: toTrackingMap(existing?.selectRowPolicies)
   };
 }
 function getCachedLineage(registry) {
@@ -3271,7 +3406,11 @@ var init_internal = __esm({
         void 0,
         markRegistryMutated
       ),
-      views: new MutationTrackingMap(void 0, markRegistryMutated)
+      views: new MutationTrackingMap(void 0, markRegistryMutated),
+      selectRowPolicies: new MutationTrackingMap(
+        void 0,
+        markRegistryMutated
+      )
     };
     defaultRetentionPeriod = 60 * 60 * 24 * 7;
     toInfraMap = (registry) => {
@@ -3284,6 +3423,7 @@ var init_internal = __esm({
       const webApps = {};
       const materializedViews = {};
       const views = {};
+      const selectRowPolicies = {};
       const lineage = getCachedLineage(registry);
       registry.tables.forEach((table) => {
         const id = table.config.version ? `${table.name}_${table.config.version}` : table.name;
@@ -3531,6 +3671,14 @@ var init_internal = __esm({
           metadata: view.metadata
         };
       });
+      registry.selectRowPolicies.forEach((policy) => {
+        selectRowPolicies[policy.name] = {
+          name: policy.name,
+          tables: policy.tableRefs,
+          column: policy.config.column,
+          claim: policy.config.claim
+        };
+      });
       return {
         topics,
         tables,
@@ -3541,6 +3689,7 @@ var init_internal = __esm({
         webApps,
         materializedViews,
         views,
+        selectRowPolicies,
         unloadedFiles: []
         // Will be populated by dumpMooseInternal
       };
@@ -3584,6 +3733,7 @@ var init_internal = __esm({
       registry.webApps.clear();
       registry.materializedViews.clear();
       registry.views.clear();
+      registry.selectRowPolicies.clear();
       const outDir = getOutDir();
       const compiledDir = path5.isAbsolute(outDir) ? outDir : path5.join(process3.cwd(), outDir);
       Object.keys(__require.cache).forEach((key) => {
@@ -3923,9 +4073,9 @@ init_compiler_config();
 
 // src/utils/structured-logging.ts
 import * as util from "util";
-import { AsyncLocalStorage } from "async_hooks";
+import { AsyncLocalStorage as AsyncLocalStorage2 } from "async_hooks";
 function setupStructuredConsole(getContextField, contextFieldName) {
-  const contextStorage = new AsyncLocalStorage();
+  const contextStorage = new AsyncLocalStorage2();
   const originalConsole = {
     log: console.log,
     info: console.info,
@@ -4065,7 +4215,61 @@ var apiContextStorage = setupStructuredConsole(
   (ctx) => ctx.apiName,
   "api_name"
 );
-var apiHandler = async (publicKey, clickhouseClient, temporalClient, enforceAuth, jwtConfig) => {
+async function authenticateRequest(req, res, publicKey, jwtConfig, enforceAuth, rowPoliciesConfig) {
+  const requireAuth = enforceAuth || !!rowPoliciesConfig;
+  let jwtPayload;
+  if (publicKey && jwtConfig) {
+    const jwt = req.headers.authorization?.split(" ")[1];
+    if (jwt) {
+      try {
+        const { payload } = await jose.jwtVerify(jwt, publicKey, {
+          issuer: jwtConfig.issuer,
+          audience: jwtConfig.audience
+        });
+        jwtPayload = payload;
+      } catch (_error) {
+        console.log("JWT verification failed");
+        if (requireAuth) {
+          res.writeHead(401, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Unauthorized" }));
+          return null;
+        }
+      }
+    } else if (requireAuth) {
+      res.writeHead(401, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Unauthorized" }));
+      return null;
+    }
+  } else if (requireAuth) {
+    if (rowPoliciesConfig) {
+      res.writeHead(403, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          error: "Forbidden",
+          message: "Row policies require JWT authentication. Configure jwt.secret in moose.config.toml."
+        })
+      );
+    } else {
+      res.writeHead(401, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          error: "Unauthorized",
+          message: "Authentication is enforced but no JWT configuration is available."
+        })
+      );
+    }
+    return null;
+  }
+  let rowPolicyOpts;
+  if (rowPoliciesConfig && jwtPayload) {
+    rowPolicyOpts = buildRowPolicyOptionsFromClaims(
+      rowPoliciesConfig,
+      jwtPayload
+    );
+  }
+  return { jwtPayload, rowPolicyOpts };
+}
+var apiHandler = async (publicKey, clickhouseClient, temporalClient, enforceAuth, jwtConfig, rowPoliciesConfig, rlsClickhouseClient) => {
   const sourceDir = getSourceDir();
   const outDir = getOutDir();
   const outRoot = path6.isAbsolute(outDir) ? outDir : path6.join(process.cwd(), outDir);
@@ -4077,37 +4281,19 @@ var apiHandler = async (publicKey, clickhouseClient, temporalClient, enforceAuth
     try {
       const url = new URL(req.url || "", "http://localhost");
       const fileName = url.pathname;
-      let jwtPayload;
-      if (publicKey && jwtConfig) {
-        const jwt = req.headers.authorization?.split(" ")[1];
-        if (jwt) {
-          try {
-            const { payload } = await jose.jwtVerify(jwt, publicKey, {
-              issuer: jwtConfig.issuer,
-              audience: jwtConfig.audience
-            });
-            jwtPayload = payload;
-          } catch (error) {
-            console.log("JWT verification failed");
-            if (enforceAuth) {
-              res.writeHead(401, { "Content-Type": "application/json" });
-              res.end(JSON.stringify({ error: "Unauthorized" }));
-              httpLogger(req, res, start);
-              return;
-            }
-          }
-        } else if (enforceAuth) {
-          res.writeHead(401, { "Content-Type": "application/json" });
-          res.end(JSON.stringify({ error: "Unauthorized" }));
-          httpLogger(req, res, start);
-          return;
-        }
-      } else if (enforceAuth) {
-        res.writeHead(401, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ error: "Unauthorized" }));
+      const authResult = await authenticateRequest(
+        req,
+        res,
+        publicKey,
+        jwtConfig,
+        enforceAuth,
+        rowPoliciesConfig
+      );
+      if (!authResult) {
         httpLogger(req, res, start);
         return;
       }
+      const { jwtPayload, rowPolicyOpts } = authResult;
       const pathName = createPath(actualApisDir, fileName);
       const paramsObject = Array.from(url.searchParams.entries()).reduce(
         (obj, [key, value]) => {
@@ -4177,7 +4363,12 @@ var apiHandler = async (publicKey, clickhouseClient, temporalClient, enforceAuth
           console.log(`[API] | Executing API: ${matchedApiName}`);
         });
       }
-      const queryClient = new QueryClient(clickhouseClient, fileName);
+      const queryClickhouseClient = rowPolicyOpts && rlsClickhouseClient ? rlsClickhouseClient : clickhouseClient;
+      const queryClient = new QueryClient(
+        queryClickhouseClient,
+        fileName,
+        rowPolicyOpts
+      );
       const apiName = matchedApiName;
       const result = await apiContextStorage.run({ apiName }, async () => {
         return await userFuncModule(paramsObject, {
@@ -4233,13 +4424,15 @@ var apiHandler = async (publicKey, clickhouseClient, temporalClient, enforceAuth
     }
   };
 };
-var createMainRouter = async (publicKey, clickhouseClient, temporalClient, enforceAuth, jwtConfig) => {
+var createMainRouter = async (publicKey, clickhouseClient, temporalClient, enforceAuth, jwtConfig, rowPoliciesConfig, rlsClickhouseClient) => {
   const apiRequestHandler = await apiHandler(
     publicKey,
     clickhouseClient,
     temporalClient,
     enforceAuth,
-    jwtConfig
+    jwtConfig,
+    rowPoliciesConfig,
+    rlsClickhouseClient
   );
   const webApps = await getWebApps2();
   const sortedWebApps = Array.from(webApps.values()).sort((a, b) => {
@@ -4261,30 +4454,22 @@ var createMainRouter = async (publicKey, clickhouseClient, temporalClient, enfor
       );
       return;
     }
-    let jwtPayload;
-    if (publicKey && jwtConfig) {
-      const jwt = req.headers.authorization?.split(" ")[1];
-      if (jwt) {
-        try {
-          const { payload } = await jose.jwtVerify(jwt, publicKey, {
-            issuer: jwtConfig.issuer,
-            audience: jwtConfig.audience
-          });
-          jwtPayload = payload;
-        } catch (error) {
-          console.log("JWT verification failed for WebApp route");
-        }
-      }
-    }
+    const authResult = await authenticateRequest(
+      req,
+      res,
+      publicKey,
+      jwtConfig,
+      enforceAuth,
+      rowPoliciesConfig
+    );
+    if (!authResult) return;
+    const { jwtPayload, rowPolicyOpts } = authResult;
     for (const webApp of sortedWebApps) {
       const mountPath = webApp.config.mountPath || "/";
       const normalizedMount = mountPath.endsWith("/") && mountPath !== "/" ? mountPath.slice(0, -1) : mountPath;
       const matches = pathname === normalizedMount || pathname.startsWith(normalizedMount + "/");
       if (matches) {
-        if (webApp.config.injectMooseUtils !== false) {
-          const { getMooseUtils: getMooseUtils2 } = await Promise.resolve().then(() => (init_standalone(), standalone_exports));
-          req.moose = await getMooseUtils2();
-        }
+        const { getMooseUtils: getMooseUtils2, runWithRequestContext: runWithRequestContext2 } = await Promise.resolve().then(() => (init_standalone(), standalone_exports));
         let proxiedUrl = req.url;
         if (normalizedMount !== "/") {
           const pathWithoutMount = pathname.substring(normalizedMount.length) || "/";
@@ -4298,7 +4483,15 @@ var createMainRouter = async (publicKey, clickhouseClient, temporalClient, enfor
               url: proxiedUrl
             }
           );
-          await webApp.handler(modifiedReq, res);
+          await runWithRequestContext2(
+            { rowPolicyOpts, jwt: jwtPayload },
+            async () => {
+              if (webApp.config.injectMooseUtils !== false) {
+                modifiedReq.moose = await getMooseUtils2();
+              }
+              await webApp.handler(modifiedReq, res);
+            }
+          );
           return;
         } catch (error) {
           console.error(`Error in WebApp ${webApp.name}:`, error);
@@ -4349,14 +4542,33 @@ var runApis = async (config) => {
       const clickhouseClient = getClickhouseClient(
         toClientConfig2(config.clickhouseConfig)
       );
+      let rlsClickhouseClient;
+      if (config.rowPoliciesConfig) {
+        rlsClickhouseClient = getClickhouseClient(
+          toClientConfig2({
+            ...config.clickhouseConfig,
+            username: config.clickhouseConfig.rlsUser ?? MOOSE_RLS_USER,
+            password: config.clickhouseConfig.rlsPassword ?? config.clickhouseConfig.password
+          })
+        );
+      }
       let publicKey;
       if (config.jwtConfig?.secret) {
         console.log("Importing JWT public key...");
         publicKey = await jose.importSPKI(config.jwtConfig.secret, "RS256");
       }
+      if (config.rowPoliciesConfig && !publicKey) {
+        console.error(
+          "WARNING: Row policies are configured but no JWT public key is set. All consumption API requests will be rejected with 403. Configure jwt.secret in moose.config.toml to enable authentication."
+        );
+      }
       const runtimeQueryClient = new QueryClient(clickhouseClient, "runtime");
       globalThis._mooseRuntimeContext = {
-        client: new MooseClient(runtimeQueryClient, temporalClient)
+        client: new MooseClient(runtimeQueryClient, temporalClient),
+        clickhouseClient,
+        rlsClickhouseClient,
+        temporalClient,
+        rowPoliciesConfig: config.rowPoliciesConfig
       };
       const server = http.createServer(
         await createMainRouter(
@@ -4364,7 +4576,9 @@ var runApis = async (config) => {
           clickhouseClient,
           temporalClient,
           config.enforceAuth,
-          config.jwtConfig
+          config.jwtConfig,
+          config.rowPoliciesConfig,
+          rlsClickhouseClient
         )
       );
       const port = config.proxyPort !== void 0 ? config.proxyPort : 4001;
@@ -5383,7 +5597,10 @@ program.command("consumption-apis").description("Run consumption APIs").argument
   "--worker-count <count>",
   "Number of worker processes for the consumption API cluster",
   parseInt
-).action(
+).option(
+  "--row-policies <json>",
+  "JSON map of ClickHouse setting names to JWT claim names for row policy enforcement"
+).option("--rls-user <user>", "ClickHouse username for RLS queries").option("--rls-password <password>", "ClickHouse password for RLS queries").action(
   (clickhouseDb, clickhouseHost, clickhousePort, clickhouseUsername, clickhousePassword, options) => {
     runApis({
       clickhouseConfig: {
@@ -5392,7 +5609,9 @@ program.command("consumption-apis").description("Run consumption APIs").argument
         port: clickhousePort,
         username: clickhouseUsername,
         password: clickhousePassword,
-        useSSL: options.clickhouseUseSsl
+        useSSL: options.clickhouseUseSsl,
+        rlsUser: options.rlsUser,
+        rlsPassword: options.rlsPassword
       },
       jwtConfig: {
         secret: options.jwtSecret,
@@ -5408,7 +5627,27 @@ program.command("consumption-apis").description("Run consumption APIs").argument
       } : void 0,
       enforceAuth: options.enforceAuth,
       proxyPort: options.proxyPort,
-      workerCount: options.workerCount
+      workerCount: options.workerCount,
+      rowPoliciesConfig: options.rowPolicies ? (() => {
+        let parsed;
+        try {
+          parsed = JSON.parse(options.rowPolicies);
+        } catch (e) {
+          console.error(
+            `Failed to parse --row-policies JSON: ${e.message}`
+          );
+          process.exit(1);
+        }
+        if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed) || !Object.values(parsed).every(
+          (v) => typeof v === "string"
+        )) {
+          console.error(
+            `Invalid --row-policies JSON: expected a flat object with string values`
+          );
+          process.exit(1);
+        }
+        return parsed;
+      })() : void 0
     });
   }
 );