npm - drizzle-cube - Versions diffs - 0.4.34 → 0.4.36 - Mend

drizzle-cube 0.4.34 → 0.4.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/dist/server/index.d.ts CHANGED Viewed

@@ -1367,6 +1367,7 @@ export declare interface DrizzleDatabase {
     };
     with: (...args: any[]) => any;
     schema?: unknown;
+    transaction?: <T>(fn: (tx: any) => Promise<T>, ...args: any[]) => Promise<T>;
 }
 /**
@@ -1519,6 +1520,13 @@ export declare class DrizzleSqlBuilder {
     buildLogicalFilter(filter: Filter, cubes: Map<string, Cube>, context: QueryContext): SQL | null;
 }
+/**
+ * Transaction-scoped database instance passed to RLS setup.
+ * Structurally identical to DrizzleDatabase — the alias communicates
+ * that the value lives inside a transaction, not the root connection.
+ */
+export declare type DrizzleTransaction = DrizzleDatabase;
 export declare class DuckDBExecutor extends BaseDatabaseExecutor {
     execute<T = any[]>(query: SQL | any, numericFields?: string[]): Promise<T>;
     /**
@@ -3850,7 +3858,19 @@ export declare class QueryExecutor {
     private cacheConfig?;
     private logicalPlanBuilder;
     private planOptimiser;
-    constructor(dbExecutor: DatabaseExecutor, cacheConfig?: CacheConfig);
+    private rlsSetup?;
+    constructor(dbExecutor: DatabaseExecutor, cacheConfig?: CacheConfig, rlsSetup?: RLSSetupFn);
+    /**
+     * Execute a function within a RLS-configured transaction context.
+     * If no rlsSetup function is configured, the function is called directly.
+     * Otherwise, opens a transaction, calls rlsSetup to configure RLS, then
+     * runs fn with this.dbExecutor replaced by a transaction-scoped executor.
+     *
+     * Concurrency-safe: the dbExecutor is per-request (created fresh by
+     * SemanticLayerCompiler.createQueryExecutor), so reassigning this.dbExecutor
+     * only affects this request.
+     */
+    private withRLSContext;
     /**
      * Unified query execution method that handles both single and multi-cube queries
      * @param options.skipCache - Skip cache lookup (but still cache the fresh result)
@@ -4370,6 +4390,16 @@ export declare interface RetentionTimeDimensionMapping {
     dimension: string;
 }
+/**
+ * Row-Level Security setup function.
+ * Called inside a transaction before query execution to configure
+ * database-level RLS (e.g., setting JWT claims and switching roles in Postgres).
+ *
+ * @param tx - The transaction-scoped Drizzle database instance
+ * @param securityContext - The security context extracted from the request
+ */
+export declare type RLSSetupFn = (tx: DrizzleTransaction, securityContext: SecurityContext) => Promise<void>;
 /**
  * A link (edge) in the Sankey diagram
  * Represents a transition between two nodes
@@ -4414,9 +4444,12 @@ export declare interface SecurityContext {
 export declare class SemanticLayerCompiler {
     private cubes;
-    private dbExecutor?;
     private metadataCache?;
     private cacheConfig?;
+    private rlsSetup?;
+    private db?;
+    private schema?;
+    private engineType?;
     constructor(options?: {
         drizzle?: DatabaseExecutor['db'];
         schema?: any;
@@ -4424,9 +4457,16 @@ export declare class SemanticLayerCompiler {
         engineType?: 'postgres' | 'mysql' | 'sqlite' | 'singlestore' | 'duckdb' | 'databend' | 'snowflake';
         /** Cache configuration for query result caching */
         cache?: CacheConfig;
+        /**
+         * Row-Level Security setup function.
+         * When provided, every query execution opens a transaction, calls this function
+         * to configure RLS (e.g., set JWT claims and switch roles), then runs the query.
+         * Dry-run/SQL generation is NOT wrapped in a transaction.
+         */
+        rlsSetup?: RLSSetupFn;
     });
     /**
-     * Set or update the database executor
+     * Set or update the database connection
      */
     setDatabaseExecutor(executor: DatabaseExecutor): void;
     /**
@@ -4442,11 +4482,13 @@ export declare class SemanticLayerCompiler {
      */
     hasExecutor(): boolean;
     /**
-     * Get configured executor or throw.
+     * Create a fresh DatabaseExecutor from stored ingredients, or throw.
      */
-    private requireExecutor;
+    private createDbExecutor;
     /**
      * Create a query executor with optional cache integration.
+     * Each call creates a fresh DatabaseExecutor so concurrent requests
+     * never share mutable state.
      */
     private createQueryExecutor;
     /**

package/dist/server/index.js CHANGED Viewed

@@ -6565,7 +6565,7 @@ var Yt = class {
 //#endregion
 //#region src/server/executor.ts
 function Xt(e, t) {
-	if (process.env.DC_DEBUG) try {
+	if (!(typeof process > "u" || !process.env?.DC_DEBUG)) try {
 		let { sql: n, params: r } = t.toSQL();
 		console.log(`\n[DC_DEBUG] ${e}`), console.log(n), r.length > 0 && console.log("params:", r), console.log();
 	} catch {}
@@ -6581,11 +6581,23 @@ var Zt = class {
 	cacheConfig;
 	logicalPlanBuilder;
 	planOptimiser;
-	constructor(e, t) {
+	rlsSetup;
+	constructor(e, t, n) {
 		if (this.dbExecutor = e, this.databaseAdapter = e.databaseAdapter, !this.databaseAdapter) throw Error("DatabaseExecutor must have a databaseAdapter property");
 		this.queryBuilder = new _t(this.databaseAdapter);
-		let n = new yt(), r = new bt(this.queryBuilder);
-		this.drizzlePlanBuilder = new Yt(this.queryBuilder, r, this.databaseAdapter), this.comparisonQueryBuilder = new kt(this.databaseAdapter), this.funnelQueryBuilder = new At(this.databaseAdapter), this.flowQueryBuilder = new jt(this.databaseAdapter), this.retentionQueryBuilder = new It(this.databaseAdapter), this.logicalPlanBuilder = new Lt(n), this.planOptimiser = new Rt(), this.cacheConfig = t;
+		let r = new yt(), i = new bt(this.queryBuilder);
+		this.drizzlePlanBuilder = new Yt(this.queryBuilder, i, this.databaseAdapter), this.comparisonQueryBuilder = new kt(this.databaseAdapter), this.funnelQueryBuilder = new At(this.databaseAdapter), this.flowQueryBuilder = new jt(this.databaseAdapter), this.retentionQueryBuilder = new It(this.databaseAdapter), this.logicalPlanBuilder = new Lt(r), this.planOptimiser = new Rt(), this.cacheConfig = t, this.rlsSetup = n;
+	}
+	async withRLSContext(e, t) {
+		if (!this.rlsSetup) return t();
+		let n = this.dbExecutor.db;
+		if (!n.transaction) throw Error("rlsSetup requires a database driver that supports transactions (db.transaction)");
+		let r = this.rlsSetup;
+		return n.transaction(async (n) => {
+			await r(n, e);
+			let i = Object.create(this.dbExecutor);
+			return i.db = n, this.dbExecutor = i, t();
+		});
 	}
 	async execute(e, t, n, r) {
 		try {
@@ -6625,7 +6637,7 @@ var Zt = class {
 			} catch (e) {
 				this.cacheConfig.onError?.(e, "get");
 			}
-			return await this.executeQueryByModeWithCache(i, e, t, n, a);
+			return await this.withRLSContext(n, () => this.executeQueryByModeWithCache(i, e, t, n, a));
 		} catch (e) {
 			if (e instanceof Error) {
 				let t = e;
@@ -6825,8 +6837,8 @@ var Zt = class {
 		for (let e of i) if (!a.has(e.name)) {
 			a.add(e.name);
 			try {
-				if (e.public) continue;
-				e.sql(t).where || console.warn(`[drizzle-cube] WARNING: Cube '${e.name}' has no security filtering. If this cube contains public data, add 'public: true' to suppress this warning. Otherwise, ensure sql() returns: { from: table, where: eq(table.orgId, ctx.securityContext.orgId) }`);
+				if (e.public || this.rlsSetup) continue;
+				e.sql(t).where || console.warn(`[drizzle-cube] WARNING: Cube '${e.name}' has no security filtering. If this cube contains public data, add 'public: true' to suppress this warning. Otherwise, ensure sql() returns: { from: table, where: eq(table.orgId, ctx.securityContext.orgId) }. For databases that support Row Level Security (e.g. PostgreSQL), you can configure rlsSetup to run session-level commands (SET LOCAL, SET ROLE) instead.`);
 			} catch {}
 		}
 	}
@@ -6881,7 +6893,7 @@ var Zt = class {
 	}
 	async explainQuery(e, t, n, r) {
 		let i = await this.dryRunSQL(e, t, n);
-		return this.dbExecutor.explainQuery(i.sql, i.params || [], r);
+		return this.withRLSContext(n, () => this.dbExecutor.explainQuery(i.sql, i.params || [], r));
 	}
 	async dryRunSQL(e, t, n) {
 		let r = this.resolveQueryMode(t);
@@ -11191,33 +11203,36 @@ async function hc(e, t, n) {
 //#region src/server/compiler.ts
 var gc = class e {
 	cubes = /* @__PURE__ */ new Map();
-	dbExecutor;
 	metadataCache;
 	cacheConfig;
+	rlsSetup;
+	db;
+	schema;
+	engineType;
 	constructor(e) {
-		e?.databaseExecutor ? this.dbExecutor = e.databaseExecutor : e?.drizzle && (this.dbExecutor = Ue(e.drizzle, e.schema, e.engineType)), this.cacheConfig = e?.cache;
+		e?.databaseExecutor ? (this.db = e.databaseExecutor.db, this.schema = e.databaseExecutor.schema, this.engineType = e.databaseExecutor.getEngineType()) : e?.drizzle && (this.db = e.drizzle, this.schema = e.schema, this.engineType = e.engineType), this.cacheConfig = e?.cache, this.rlsSetup = e?.rlsSetup;
 	}
 	setDatabaseExecutor(e) {
-		this.dbExecutor = e;
+		this.db = e.db, this.schema = e.schema, this.engineType = e.getEngineType();
 	}
 	getEngineType() {
-		return this.dbExecutor?.getEngineType();
+		return this.engineType;
 	}
 	setDrizzle(e, t, n) {
-		this.dbExecutor = Ue(e, t, n);
+		this.db = e, this.schema = t, this.engineType = n;
 	}
 	hasExecutor() {
-		return !!this.dbExecutor;
+		return !!this.db;
 	}
-	requireExecutor() {
-		if (!this.dbExecutor) throw Error("Database executor not configured");
-		return this.dbExecutor;
+	createDbExecutor() {
+		if (!this.db) throw Error("Database executor not configured");
+		return Ue(this.db, this.schema, this.engineType);
 	}
 	createQueryExecutor(e = !1) {
-		return new Zt(this.requireExecutor(), e ? this.cacheConfig : void 0);
+		return new Zt(this.createDbExecutor(), e ? this.cacheConfig : void 0, this.rlsSetup);
 	}
 	formatSqlResult(e) {
-		let t = this.requireExecutor().getEngineType();
+		let t = this.getEngineType() ?? "postgres";
 		return {
 			sql: pc(e.sql, t),
 			params: e.params

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "drizzle-cube",
-  "version": "0.4.34",
+  "version": "0.4.36",
   "description": "Drizzle ORM-first semantic layer with Cube.js compatibility. Type-safe analytics and dashboards with SQL injection protection.",
   "main": "./dist/server/index.js",
   "types": "./dist/server/index.d.ts",
@@ -266,7 +266,7 @@
     "@leonardovida-md/drizzle-neo-duckdb": "^1.2.2"
   },
   "devDependencies": {
-    "@anthropic-ai/sdk": "^0.79.0",
+    "@anthropic-ai/sdk": "^0.80.0",
     "@eslint/eslintrc": "^3.3.1",
     "@eslint/js": "^10.0.0",
     "@fastify/cors": "^11.1.0",
@@ -317,7 +317,7 @@
     "globals": "^17.0.0",
     "hono": "^4.0.0",
     "html2canvas": "^1.4.1",
-    "jsdom": "^28.0.0",
+    "jsdom": "^29.0.0",
     "modern-screenshot": "^4.6.7",
     "msw": "^2.12.7",
     "mysql2": "^3.14.3",