fix(ci): allow workspace-scoped desktop queries
This commit is contained in:
@@ -15,6 +15,12 @@ EXEMPT=(
|
||||
"kol_usage.sql"
|
||||
)
|
||||
|
||||
WORKSPACE_SCOPED=(
|
||||
"desktop_account.sql"
|
||||
"desktop_client.sql"
|
||||
"desktop_task.sql"
|
||||
)
|
||||
|
||||
is_exempt() {
|
||||
local name="$1"
|
||||
for e in "${EXEMPT[@]}"; do
|
||||
@@ -25,16 +31,35 @@ is_exempt() {
|
||||
return 1
|
||||
}
|
||||
|
||||
is_workspace_scoped() {
|
||||
local name="$1"
|
||||
for e in "${WORKSPACE_SCOPED[@]}"; do
|
||||
if [[ "$name" == "$e" ]]; then
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
return 1
|
||||
}
|
||||
|
||||
for f in "$QUERY_DIR"/*.sql; do
|
||||
basename=$(basename "$f")
|
||||
if is_exempt "$basename"; then
|
||||
continue
|
||||
fi
|
||||
|
||||
# Must contain at least one tenant_id = sqlc.arg(...) or sqlc.narg(...) filter.
|
||||
if ! grep -Eq 'tenant_id[[:space:]]*=[[:space:]]*sqlc\.(n?arg)\(' "$f"; then
|
||||
echo "ERROR: $f must filter on tenant_id = sqlc.(n?arg)(...)"
|
||||
EXIT_CODE=1
|
||||
if is_workspace_scoped "$basename"; then
|
||||
# Desktop queries are scoped by workspace plus client/account identity.
|
||||
# Keep this list explicit so new query files still need tenant_id checks.
|
||||
if ! grep -Eq 'workspace_id[[:space:]]*=[[:space:]]*sqlc\.(n?arg)\(workspace_id\)' "$f"; then
|
||||
echo "ERROR: $f is workspace-scoped but missing workspace_id = sqlc.(n?arg)(workspace_id)"
|
||||
EXIT_CODE=1
|
||||
fi
|
||||
else
|
||||
# Must contain at least one tenant_id = sqlc.arg(...) or sqlc.narg(...) filter.
|
||||
if ! grep -Eq 'tenant_id[[:space:]]*=[[:space:]]*sqlc\.(n?arg)\(' "$f"; then
|
||||
echo "ERROR: $f must filter on tenant_id = sqlc.(n?arg)(...)"
|
||||
EXIT_CODE=1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Reject cosmetic "tenant_id IS NOT NULL" that bypasses actor scoping.
|
||||
@@ -45,7 +70,7 @@ for f in "$QUERY_DIR"/*.sql; do
|
||||
done
|
||||
|
||||
if [ "$EXIT_CODE" -eq 0 ]; then
|
||||
echo "All non-exempt query files contain tenant_id = sqlc.arg filters."
|
||||
echo "All non-exempt query files contain tenant_id or approved workspace_id scope filters."
|
||||
fi
|
||||
|
||||
exit $EXIT_CODE
|
||||
|
||||
Reference in New Issue
Block a user