Set enforcedWhereClause

Author: matt-aitken

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/route.tsx

@@ -73,6 +73,7 @@ import { QueryHelpSidebar } from "./QueryHelpSidebar";
 import { QueryHistoryPopover } from "./QueryHistoryPopover";
 import type { AITimeFilter } from "./types";
 import { formatQueryStats } from "./utils";
+import { getLimit } from "~/services/platform.v3.server";
 
 /** Convert a Date or ISO string to ISO string format */
 function toISOString(value: Date | string): string {
@@ -289,6 +290,16 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
     triggeredAtFallback = { op: "gte", value: new Date(Date.now() - periodMs) };
   }
 
+  const maxQueryPeriod = await getLimit(project.organizationId, "queryPeriodDays", 5);
+
+  // Force tenant isolation and time period limits
+  const enforcedWhereClause = {
+    organization_id: { op: "eq", value: project.organizationId },
+    project_id: scope === "project" || scope === "environment" ? { op: "eq", value: project.id } : undefined,
+    environment_id: scope === "environment" ? { op: "eq", value: environment.id } : undefined,
+    triggered_at: { op: "gte", value: new Date(Date.now() - maxQueryPeriod * 24 * 60 * 60 * 1000) }
+  } satisfies Record<string, WhereClauseCondition | undefined>;
+
   try {
     const [error, result, queryId] = await executeQuery({
       name: "query-page",
@@ -301,6 +312,7 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
       projectId: project.id,
       environmentId: environment.id,
       explain,
+      enforcedWhereClause,
       whereClauseFallback: {
         triggered_at: triggeredAtFallback,
       },

apps/webapp/app/services/queryService.server.ts

@@ -56,17 +56,14 @@ function getDefaultClickhouseSettings(): ClickHouseSettings {
 
 export type ExecuteQueryOptions<TOut extends z.ZodSchema> = Omit<
   ExecuteTSQLOptions<TOut>,
-  "tableSchema" | "organizationId" | "projectId" | "environmentId" | "fieldMappings" | "enforcedWhereClause"
+  "tableSchema" | "fieldMappings"
 > & {
+  organizationId: string;
+  projectId?: string;
+  environmentId?: string;
   tableSchema: TableSchema[];
   /** The scope of the query - determines tenant isolation */
   scope: QueryScope;
-  /** Organization ID (required) */
-  organizationId: string;
-  /** Project ID (required for project/environment scope) */
-  projectId: string;
-  /** Environment ID (required for environment scope) */
-  environmentId: string;
   /** History options for saving query to billing/audit */
   history?: {
     /** Where the query originated from */
@@ -109,6 +106,7 @@ export async function executeQuery<TOut extends z.ZodSchema>(
     organizationId,
     projectId,
     environmentId,
+    enforcedWhereClause,
     history,
     customOrgConcurrencyLimit,
     whereClauseFallback,
@@ -136,18 +134,6 @@ export async function executeQuery<TOut extends z.ZodSchema>(
     }
 
   try {
-    // Build tenant IDs based on scope
-    const enforcedWhereClause: {
-      organization_id: WhereClauseCondition;
-      project_id?: WhereClauseCondition;
-      environment_id?: WhereClauseCondition;
-    } = {
-      organization_id: { op: "eq", value: organizationId },
-      project_id: scope === "project" || scope === "environment" ? { op: "eq", value: projectId } : undefined,
-      environment_id: scope === "environment" ? { op: "eq", value: environmentId } : undefined,
-      //todo add plan-based time limit
-    };
-
     // Build field mappings for project_ref → project_id and environment_id → slug translation
     const projects = await prisma.project.findMany({
       where: { organizationId },

internal-packages/clickhouse/src/client/tsql.ts

@@ -56,7 +56,7 @@ export interface ExecuteTSQLOptions<TOut extends z.ZodSchema> {
    * }
    * ```
    */
-  enforcedWhereClause: Record<string, WhereClauseCondition>;
+  enforcedWhereClause: Record<string, WhereClauseCondition | undefined>;
   /** Optional ClickHouse query settings */
   clickhouseSettings?: ClickHouseSettings;
   /** Optional TSQL query settings (maxRows, timezone, etc.) */

internal-packages/tsql/src/index.ts

@@ -467,7 +467,7 @@ export interface CompileTSQLOptions {
    * }
    * ```
    */
-  enforcedWhereClause: Record<string, WhereClauseCondition>;
+  enforcedWhereClause: Record<string, WhereClauseCondition | undefined>;
   /** Optional query settings */
   settings?: Partial<QuerySettings>;
   /**
@@ -547,14 +547,20 @@ export function compileTSQL(query: string, options: CompileTSQLOptions): PrintRe
   // 3. Create schema registry from table schemas
   const schemaRegistry = createSchemaRegistry(options.tableSchema);
 
-  // 4. Create printer context with enforced WHERE clause and field mappings
+
+  // 4. Strip undefined values from enforcedWhereClause
+  const enforcedWhereClause = Object.fromEntries(
+    Object.entries(options.enforcedWhereClause).filter(([_, value]) => value !== undefined)
+  ) as Record<string, WhereClauseCondition>;
+
+  // 5. Create printer context with enforced WHERE clause and field mappings
   const context = createPrinterContext({
     schema: schemaRegistry,
     settings: options.settings,
     fieldMappings: options.fieldMappings,
-    enforcedWhereClause: options.enforcedWhereClause,
+    enforcedWhereClause,
   });
 
-  // 5. Print the AST to ClickHouse SQL (enforced conditions applied at printer level)
+  // 6. Print the AST to ClickHouse SQL (enforced conditions applied at printer level)
   return printToClickHouse(ast, context);
 }