- Added new API routes for fetching dataset samples by ID, including validation and error handling.
- Implemented `getDatasetSampleHandler` to manage dataset access and sample query execution.
- Introduced `executeSampleQuery` utility for executing read-only SQL queries with retry logic.
- Created new schemas for dataset sample request and response types.
- Updated existing dataset access control logic to ensure proper permissions are enforced.
- Added tests for the new dataset sample functionality to ensure reliability.
- Added permission checks to metric file download handler
- Added permission checks to export-metric-data trigger task
- Created comprehensive tests for access control integration
- Updated AssetType enums to include report_file
- Resolved export conflicts in server-shared package
- Fixed AI package imports for new getPermissionedDatasets API
- Combined asset type enums from both branches
- Merged all database query exports
- Integrated access-controls package into server-shared
- Resolved conflicts in AI package instructions
Updated dataset permission tests to expect the full DatasetAccessResult
object instead of just a boolean value in cache operations. This aligns
with the PR feedback to cache the complete access result including
accessPath and userRole.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Optimized N+1 query in get-permissioned-datasets.ts using inArray for batch lookup
- Removed unused bulkRemoveAssetPermissions import
- Fixed import organization in find-user-by-email.ts
- Updated CLAUDE.md to reflect tests are written and fixed API example
- Clarified TODO comment in lookup.ts to prevent potential infinite recursion
These are style and performance improvements that don't affect functionality.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Fixed permission hierarchy: full_access (5) now correctly ranks higher than viewer (3)
- Removed 'querier' role from admin permission check as it was too permissive
- Added organizationId parameter to dashboard access checks to prevent unauthorized access
- Fixed public dashboard expiry date check to verify dates are in the future
- Added cycle detection for collection permissions to prevent infinite recursion
- Fixed bulk remove permissions to correctly filter by identityIds array
- Updated date comparison to use ISO string format for PostgreSQL timestamp columns
These fixes address critical security and logic issues identified in the PR review.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Fixed AssetTypeSchema to include all active asset types (excluding deprecated 'metric' and 'dashboard')
- Added missing 'restricted_querier' role to UserOrganizationRole type
- Fixed dataset access caching to store full result object including accessPath and userRole
- Updated count query to use SQL COUNT for better performance
- Fixed IdentityType consistency across dataset permissions
- Removed unused 'ne' import from list-asset-permissions.ts
- Updated comments to correctly reference 6 access paths instead of 5
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This PR migrates the Rust and libraries to TypeScript in the new package.
## Changes
### New Access Controls Package
- Implemented complete asset permissions system with CRUD operations
- Added dataset permissions with all 5 access paths (admin, direct user, user→group, team→direct, team→group, org→default)
- Implemented cascading permissions (metrics inherit from dashboards/chats/collections)
- Added LRU caching to replace Redis (30-second TTL)
- Comprehensive test coverage (148 tests passing, 3 skipped pending createUser)
### Database Package Updates
- Fixed AssetType enum to include all 14 asset types
- Added missing database queries for permissions
- Fixed timestamp fields to use ISO strings
- Added getUserOrganizationsByUserId function
- Created organized query structure by table
### AI Package Updates
- Updated getPermissionedDatasets API calls to new format
- Changed property references from ymlFile to ymlContent
- Fixed all test mocks to match new API structure
### Trigger App Updates
- Updated to use new access controls API
- Fixed test mocks to match DatasetListResult structure
- Added proper type imports
### Server Shared Updates
- Added request/response types for access control endpoints
- Exported types for API consistency
## Testing
- All packages build successfully with turbo build:dry-run
- All tests pass with turbo test:unit
- Full type safety maintained throughout
## Migration Notes
- Drop-in replacement for Rust libraries
- Same permission model and roles
- Cache invalidation strategies implemented
- Soft delete pattern maintained
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Wells Bunker
Nate Kelley
dal
wellsbunk5