#!/usr/bin/env bash # CI guard: reject tenant-scoped SQL query files missing tenant_id filters. # Usage: scripts/check_tenant_scope.sh set -euo pipefail QUERY_DIR="internal/tenant/repository/queries" EXIT_CODE=0 for f in "$QUERY_DIR"/*.sql; do # Skip files that don't need tenant_id (audit.sql has operator_id + tenant_id) basename=$(basename "$f") if [[ "$basename" == "audit.sql" ]]; then continue fi # Check each named query block for tenant_id while IFS= read -r line; do if [[ "$line" =~ ^--\ name: ]]; then query_name="${line#-- name: }" query_name="${query_name%% *}" fi done < "$f" # Simple check: file should contain tenant_id somewhere if ! grep -q 'tenant_id' "$f"; then echo "ERROR: $f is missing tenant_id filter" EXIT_CODE=1 fi done if [ "$EXIT_CODE" -eq 0 ]; then echo "All query files contain tenant_id filters." fi exit $EXIT_CODE