Added enforcedWhereClause, used for tenant columns and will be for time periods too

Author: matt-aitken

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/route.tsx

@@ -1,12 +1,13 @@
-import { ArrowDownTrayIcon, ArrowsPointingInIcon, ArrowsPointingOutIcon, ArrowTrendingUpIcon, ClipboardIcon, TableCellsIcon } from "@heroicons/react/20/solid";
+import { ArrowDownTrayIcon, ArrowsPointingOutIcon, ArrowTrendingUpIcon, ClipboardIcon, TableCellsIcon } from "@heroicons/react/20/solid";
+import type { OutputColumnMetadata } from "@internal/clickhouse";
+import { WhereClauseCondition } from "@internal/tsql";
 import { useFetcher } from "@remix-run/react";
-import type { action as titleAction } from "~/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query.ai-title";
-import type { OutputColumnMetadata, WhereClauseFallback } from "@internal/clickhouse";
 import {
   redirect,
   type ActionFunctionArgs,
   type LoaderFunctionArgs,
 } from "@remix-run/server-runtime";
+import parse from "parse-duration";
 import { forwardRef, useCallback, useEffect, useImperativeHandle, useRef, useState } from "react";
 import { flushSync } from "react-dom";
 import { typedjson, useTypedFetcher, useTypedLoaderData } from "remix-typedjson";
@@ -23,8 +24,6 @@ import { autoFormatSQL, TSQLEditor } from "~/components/code/TSQLEditor";
 import { TSQLResultsTable } from "~/components/code/TSQLResultsTable";
 import { EnvironmentLabel } from "~/components/environments/EnvironmentLabel";
 import { PageBody, PageContainer } from "~/components/layout/AppLayout";
-import { TimeFilter, timeFilters } from "~/components/runs/v3/SharedFilters";
-import { useSearchParams } from "~/hooks/useSearchParam";
 import { Button } from "~/components/primitives/Buttons";
 import { Callout } from "~/components/primitives/Callout";
 import { Card } from "~/components/primitives/charts/Card";
@@ -34,6 +33,7 @@ import {
   ClientTabsList,
   ClientTabsTrigger,
 } from "~/components/primitives/ClientTabs";
+import { Dialog, DialogContent, DialogHeader } from "~/components/primitives/Dialog";
 import { Header3 } from "~/components/primitives/Headers";
 import { NavBar, PageTitle } from "~/components/primitives/PageHeader";
 import { Paragraph } from "~/components/primitives/Paragraph";
@@ -51,28 +51,28 @@ import {
 import { Select, SelectItem } from "~/components/primitives/Select";
 import { Spinner } from "~/components/primitives/Spinner";
 import { Switch } from "~/components/primitives/Switch";
+import { SimpleTooltip } from "~/components/primitives/Tooltip";
+import { TimeFilter, timeFilters } from "~/components/runs/v3/SharedFilters";
 import { prisma } from "~/db.server";
 import { useEnvironment } from "~/hooks/useEnvironment";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
+import { useSearchParams } from "~/hooks/useSearchParam";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { QueryPresenter, type QueryHistoryItem } from "~/presenters/v3/QueryPresenter.server";
+import type { action as titleAction } from "~/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query.ai-title";
 import { executeQuery, type QueryScope } from "~/services/queryService.server";
+import { requireUser } from "~/services/session.server";
 import { downloadFile, rowsToCSV, rowsToJSON } from "~/utils/dataExport";
 import { EnvironmentParamSchema } from "~/utils/pathBuilder";
 import { FEATURE_FLAG, validateFeatureFlagValue } from "~/v3/featureFlags.server";
 import { querySchemas } from "~/v3/querySchemas";
+import { useCurrentPlan } from "../_app.orgs.$organizationSlug/route";
 import { QueryHelpSidebar } from "./QueryHelpSidebar";
 import { QueryHistoryPopover } from "./QueryHistoryPopover";
 import type { AITimeFilter } from "./types";
 import { formatQueryStats } from "./utils";
-import { requireUser } from "~/services/session.server";
-import parse from "parse-duration";
-import { SimpleTooltip } from "~/components/primitives/Tooltip";
-import { Dialog, DialogContent, DialogHeader, DialogPortal, DialogTrigger } from "~/components/primitives/Dialog";
-import { DialogOverlay } from "@radix-ui/react-dialog";
-import { useCurrentPlan } from "../_app.orgs.$organizationSlug/route";
 
 /** Convert a Date or ISO string to ISO string format */
 function toISOString(value: Date | string): string {
@@ -273,7 +273,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
     defaultPeriod: DEFAULT_PERIOD,
   });
 
-  let triggeredAtFallback: WhereClauseFallback;
+  let triggeredAtFallback: WhereClauseCondition;
   if (timeFilter.from && timeFilter.to) {
     // Both from and to specified - use BETWEEN
     triggeredAtFallback = { op: "between", low: timeFilter.from, high: timeFilter.to };

apps/webapp/app/services/queryService.server.ts

@@ -7,7 +7,7 @@ import {
   type TSQLQueryResult,
 } from "@internal/clickhouse";
 import type { CustomerQuerySource } from "@trigger.dev/database";
-import type { TableSchema } from "@internal/tsql";
+import type { TableSchema, WhereClauseCondition } from "@internal/tsql";
 import { type z } from "zod";
 import { prisma } from "~/db.server";
 import { env } from "~/env.server";
@@ -56,7 +56,7 @@ function getDefaultClickhouseSettings(): ClickHouseSettings {
 
 export type ExecuteQueryOptions<TOut extends z.ZodSchema> = Omit<
   ExecuteTSQLOptions<TOut>,
-  "tableSchema" | "organizationId" | "projectId" | "environmentId" | "fieldMappings"
+  "tableSchema" | "organizationId" | "projectId" | "environmentId" | "fieldMappings" | "enforcedWhereClause"
 > & {
   tableSchema: TableSchema[];
   /** The scope of the query - determines tenant isolation */
@@ -137,22 +137,17 @@ export async function executeQuery<TOut extends z.ZodSchema>(
 
   try {
     // Build tenant IDs based on scope
-    const tenantOptions: {
-      organizationId: string;
-      projectId?: string;
-      environmentId?: string;
+    const enforcedWhereClause: {
+      organization_id: WhereClauseCondition;
+      project_id?: WhereClauseCondition;
+      environment_id?: WhereClauseCondition;
     } = {
-      organizationId,
+      organization_id: { op: "eq", value: organizationId },
+      project_id: scope === "project" || scope === "environment" ? { op: "eq", value: projectId } : undefined,
+      environment_id: scope === "environment" ? { op: "eq", value: environmentId } : undefined,
+      //todo add plan-based time limit
     };
 
-    if (scope === "project" || scope === "environment") {
-      tenantOptions.projectId = projectId;
-    }
-
-    if (scope === "environment") {
-      tenantOptions.environmentId = environmentId;
-    }
-
     // Build field mappings for project_ref → project_id and environment_id → slug translation
     const projects = await prisma.project.findMany({
       where: { organizationId },
@@ -171,7 +166,7 @@ export async function executeQuery<TOut extends z.ZodSchema>(
 
     const result = await executeTSQL(clickhouseClient.reader, {
       ...baseOptions,
-      ...tenantOptions,
+      enforcedWhereClause,
       fieldMappings,
       whereClauseFallback,
       clickhouseSettings: {

internal-packages/clickhouse/src/client/tsql.ts

@@ -2,7 +2,7 @@
  * TSQL Query Execution for ClickHouse
  *
  * This module provides a safe interface for executing TSQL queries against ClickHouse
- * with automatic tenant isolation and SQL injection protection.
+ * with enforced WHERE clause conditions (tenant isolation + plan limits) and SQL injection protection.
  */
 
 import type { ClickHouseSettings } from "@clickhouse/client";
@@ -14,7 +14,7 @@ import {
   type TableSchema,
   type QuerySettings,
   type FieldMappings,
-  type WhereClauseFallback,
+  type WhereClauseCondition
 } from "@internal/tsql";
 import type { ClickhouseReader, QueryStats } from "./types.js";
 import { QueryError } from "./errors.js";
@@ -25,7 +25,7 @@ const logger = new Logger("tsql", "info");
 
 export type { QueryStats };
 
-export type { TableSchema, QuerySettings, FieldMappings, WhereClauseFallback };
+export type { TableSchema, QuerySettings, FieldMappings, WhereClauseCondition };
 
 /**
  * Options for executing a TSQL query
@@ -37,14 +37,26 @@ export interface ExecuteTSQLOptions<TOut extends z.ZodSchema> {
   query: string;
   /** The Zod schema for validating output rows */
   schema: TOut;
-  /** The organization ID for tenant isolation (required) */
-  organizationId: string;
-  /** The project ID for tenant isolation (optional - omit to query across all projects) */
-  projectId?: string;
-  /** The environment ID for tenant isolation (optional - omit to query across all environments) */
-  environmentId?: string;
   /** Schema registry defining allowed tables and columns */
   tableSchema: TableSchema[];
+  /**
+   * REQUIRED: Conditions always applied at the table level.
+   * Must include tenant columns (e.g., organization_id) for multi-tenant tables.
+   * Applied to every table reference including subqueries, CTEs, and JOINs.
+   *
+   * @example
+   * ```typescript
+   * {
+   *   // Tenant isolation
+   *   organization_id: { op: "eq", value: "org_123" },
+   *   project_id: { op: "eq", value: "proj_456" },
+   *   environment_id: { op: "eq", value: "env_789" },
+   *   // Plan-based time limit
+   *   triggered_at: { op: "gte", value: new Date(Date.now() - 7 * 24 * 60 * 60 * 1000) }
+   * }
+   * ```
+   */
+  enforcedWhereClause: Record<string, WhereClauseCondition>;
   /** Optional ClickHouse query settings */
   clickhouseSettings?: ClickHouseSettings;
   /** Optional TSQL query settings (maxRows, timezone, etc.) */
@@ -78,6 +90,7 @@ export interface ExecuteTSQLOptions<TOut extends z.ZodSchema> {
   /**
    * Fallback WHERE conditions to apply when the user hasn't filtered on a column.
    * Key is the column name, value is the fallback condition.
+   * These are applied at the AST level (top-level query only).
    *
    * @example
    * ```typescript
@@ -87,7 +100,7 @@ export interface ExecuteTSQLOptions<TOut extends z.ZodSchema> {
    * }
    * ```
    */
-  whereClauseFallback?: Record<string, WhereClauseFallback>;
+  whereClauseFallback?: Record<string, WhereClauseCondition>;
 }
 
 /**
@@ -123,7 +136,7 @@ export type TSQLQueryResult<T> = [QueryError, null] | [null, TSQLQuerySuccess<T>
  * Execute a TSQL query against ClickHouse
  *
  * This function:
- * 1. Compiles the TSQL query to ClickHouse SQL (parse, validate, inject tenant guards)
+ * 1. Compiles the TSQL query to ClickHouse SQL (parse, validate, inject enforced WHERE clauses)
  * 2. Executes the query and returns validated results
  *
  * @example
@@ -132,10 +145,12 @@ export type TSQLQueryResult<T> = [QueryError, null] | [null, TSQLQuerySuccess<T>
  *   name: "get_task_runs",
  *   query: "SELECT id, status FROM task_runs WHERE status = 'completed' ORDER BY created_at DESC LIMIT 100",
  *   schema: z.object({ id: z.string(), status: z.string() }),
- *   organizationId: "org_123",
- *   projectId: "proj_456",
- *   environmentId: "env_789",
  *   tableSchema: [taskRunsSchema],
+ *   enforcedWhereClause: {
+ *     organization_id: { op: "eq", value: "org_123" },
+ *     project_id: { op: "eq", value: "proj_456" },
+ *     environment_id: { op: "eq", value: "env_789" },
+ *   },
  * });
  * ```
  */
@@ -152,10 +167,8 @@ export async function executeTSQL<TOut extends z.ZodSchema>(
   try {
     // 1. Compile the TSQL query to ClickHouse SQL
     const { sql, params, columns, hiddenColumns } = compileTSQL(options.query, {
-      organizationId: options.organizationId,
-      projectId: options.projectId,
-      environmentId: options.environmentId,
       tableSchema: options.tableSchema,
+      enforcedWhereClause: options.enforcedWhereClause,
       settings: options.querySettings,
       fieldMappings: options.fieldMappings,
       whereClauseFallback: options.whereClauseFallback,
@@ -284,9 +297,11 @@ export async function executeTSQL<TOut extends z.ZodSchema>(
  *   name: "get_task_runs",
  *   query: "SELECT * FROM task_runs LIMIT 10",
  *   schema: taskRunRowSchema,
- *   organizationId: "org_123",
- *   projectId: "proj_456",
- *   environmentId: "env_789",
+ *   enforcedWhereClause: {
+ *     organization_id: { op: "eq", value: "org_123" },
+ *     project_id: { op: "eq", value: "proj_456" },
+ *     environment_id: { op: "eq", value: "env_789" },
+ *   },
  * });
  * ```
  */

internal-packages/clickhouse/src/index.ts

@@ -56,7 +56,7 @@ export {
   type TSQLQuerySuccess,
   type QueryStats,
   type FieldMappings,
-  type WhereClauseFallback,
+  type WhereClauseCondition,
 } from "./client/tsql.js";
 export type { OutputColumnMetadata } from "@internal/tsql";