Release v0.17.0

Author: jumpbetweenrows

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.17.0] - 2026-04-23
+
 ### Added
 
 - **[Admin UI] Design standard and shared layout primitives** — new `admin-ui/DESIGN.md` defines four page templates (T1 sidebar detail, T2 single form, T3 list, T4 audit) plus the header / save / destructive / modal rules they share. Eight new primitives land under `src/components/` and `src/components/layout/`: `PageHeader`, `SecondaryNav` + `useSectionParam`, `SectionPane`, `DangerZone` + `DangerRow`, `ModalShell` (with focus trap, Esc, click-outside), `StatusDot` + `StatusChip`, `ConfirmDeleteModal`, and `ConfirmDialog`. Each ships with unit tests. `admin-ui/CLAUDE.md` gained a "Design standard" pointer so future sessions pick up the rules before building a new page.

Cargo.lock

@@ -1,7 +1,7 @@
 {
   "name": "admin-ui",
   "private": true,
-  "version": "0.16.2",
+  "version": "0.17.0",
   "type": "module",
   "scripts": {
     "dev": "vite",

admin-ui/package.json

@@ -14,4 +14,4 @@ export const OG_IMAGE_URL = `${WWW_URL}/og-image.png`
 // Current released proxy version. Bumped by /release alongside Cargo.toml
 // and admin-ui/package.json. Substituted into markdown via the {{VERSION}}
 // token — see the markdown.config hook in .vitepress/config.ts.
-export const VERSION = '0.16.2'
+export const VERSION = '0.17.0'

docs-site/docs/.vitepress/constants.ts

@@ -55,7 +55,7 @@ Go to **Attribute Definitions → Create** in the admin UI:
 - **Default value:** (leave empty — users without a tenant should match nothing)
 - **Description:** "Which customer tenant this user belongs to"
 
-![Attribute definition form for the tenant attribute](/screenshots/attributes-def-form-v0.15.png)
+![Attribute definition form for the tenant attribute](/screenshots/attributes-def-form-v0.17.png)
 
 ### 2. Assign the attribute to a user
 
@@ -69,7 +69,7 @@ Edit a user (e.g., `alice`) and set her attributes:
 
 Attribute assignment uses **full-replace semantics** — the entire attributes object is overwritten on each update. To add a new attribute, include all existing ones in the payload.
 
-![Assigning attribute values to a user in the admin UI](/screenshots/attributes-assignment-v0.15.png)
+![Assigning attribute values to a user in the admin UI](/screenshots/attributes-assignment-v0.17.png)
 
 ### 3. Use the attribute in a policy expression
 
@@ -188,4 +188,4 @@ If a policy references `{user.foo}` but no attribute definition named `foo` exis
 - [Users & Roles](/guides/users-roles) — how users and roles are managed
 - [Row Filters](/guides/policies/row-filters) — the most common consumer of user attributes
 
-<!-- screenshots: [attributes-def-form-v0.15.png, attributes-assignment-v0.15.png] -->
+<!-- screenshots: [attributes-def-form-v0.17.png, attributes-assignment-v0.17.png] -->

docs-site/docs/guides/attributes.md

@@ -100,7 +100,7 @@ A row is written for every mutation to the admin-plane state: users, roles, poli
    - **No WHERE clause:** the template variable may have resolved to NULL. Check Alice's `tenant` attribute value.
    - **Wrong value:** check which user attribute value Alice has set.
 
-![Query audit detail view showing rewritten SQL and applied policies](/screenshots/audit-debugging-query-detail-v0.15.png)
+![Query audit detail view showing rewritten SQL and applied policies](/screenshots/audit-debugging-query-detail-v0.17.png)
 
 ### Scenario 2: zero rows returned
 
@@ -147,7 +147,7 @@ A row is written for every mutation to the admin-plane state: users, roles, poli
    - **Action** — `create`, `update`, `delete`, `assign`, `unassign`, etc.
    - **Changes** — JSON diff of what changed (before/after for updates, full snapshot for create/delete)
 
-![Admin audit entry showing actor, action, and change diff](/screenshots/audit-debugging-admin-detail-v0.15.png)
+![Admin audit entry showing actor, action, and change diff](/screenshots/audit-debugging-admin-detail-v0.17.png)
 
 ## Patterns and recipes
 
@@ -204,4 +204,4 @@ BetweenRows is read-only. If a client sends `DELETE FROM orders`, the proxy reje
 - [Policies overview](/guides/policies/) — understanding what fires and why
 - [Troubleshooting](/operations/troubleshooting) — connection and policy diagnostic trees
 
-<!-- screenshots: [audit-debugging-query-detail-v0.15.png, audit-debugging-admin-detail-v0.15.png, audit-debugging-filter-panel-v0.15.png] -->
+<!-- screenshots: [audit-debugging-query-detail-v0.17.png, audit-debugging-admin-detail-v0.17.png] -->

docs-site/docs/guides/audit-debugging.md

@@ -48,15 +48,15 @@ These steps use the [demo schema](/reference/demo-schema) as an example. Substit
    | Password | `postgres` |
    | SSL mode | `disable` (local dev only) |
 
-   ![Data source connection form with demo PostgreSQL details](/screenshots/data-sources-connection-form-v0.15.png)
+   ![Data source connection form with demo PostgreSQL details](/screenshots/data-sources-connection-form-v0.17.png)
 
 3. **Click Test Connection.** A green indicator confirms the proxy can reach the upstream. If it fails, check:
    - Host/port reachable from the BetweenRows container (not just your laptop)
    - Username/password correct for the upstream database
    - SSL mode matches the upstream's `pg_hba.conf` settings
    - Firewall/security group allows the connection
 
-   ![Successful connection test indicator on the data source form](/screenshots/data-sources-test-success-v0.15.png)
+   ![Successful connection test indicator on the data source form](/screenshots/data-sources-test-success-v0.17.png)
 
 4. **Save** the data source.
 
@@ -67,8 +67,8 @@ These steps use the [demo schema](/reference/demo-schema) as an example. Substit
    - **Columns** — for each selected table, select which columns to expose. Deselect columns here as a first-pass data-minimization step.
    - **Save** — persist the selections as the baseline catalog.
 
-   ![Catalog discovery wizard showing schema selection step](/screenshots/data-sources-discover-schemas-v0.15.png)
-   ![Catalog discovery wizard showing column selection step](/screenshots/data-sources-discover-columns-v0.15.png)
+   ![Catalog discovery wizard showing schema selection step](/screenshots/data-sources-discover-schemas-v0.17.png)
+   ![Catalog discovery wizard showing column selection step](/screenshots/data-sources-discover-columns-v0.17.png)
 
 6. **Grant user access.** On the data source page, add users or roles in the **User Access** section. Admin status does **not** grant data access — every user starts with zero data plane access.
 
@@ -160,4 +160,4 @@ Think of the catalog as "what can potentially exist" and policies as "what each
 - [Policies overview](/guides/policies/) — which policy types to layer on top of the data source
 - [Rename Safety](/operations/rename-safety) — what breaks when you rename
 
-<!-- screenshots: [data-sources-connection-form-v0.15.png, data-sources-test-success-v0.15.png, data-sources-discover-schemas-v0.15.png, data-sources-discover-columns-v0.15.png] -->
+<!-- screenshots: [data-sources-connection-form-v0.17.png, data-sources-test-success-v0.17.png, data-sources-discover-schemas-v0.17.png, data-sources-discover-columns-v0.17.png] -->

docs-site/docs/guides/data-sources.md

@@ -153,11 +153,11 @@ Goal: a `table_deny` policy on `salary_data` that only fires outside business ho
    }
    ```
 
-   ![Decision function editor with business hours JavaScript source](/screenshots/decision-functions-editor-v0.15.png)
+   ![Decision function editor with business hours JavaScript source](/screenshots/decision-functions-editor-v0.17.png)
 
 2. **Test the function** using the built-in test runner (`POST /decision-functions/test`). Provide a mock context with different hours/days and verify the `fire` result matches expectations.
 
-   ![Decision function test runner with mock session context](/screenshots/decision-functions-test-runner-v0.15.png)
+   ![Decision function test runner with mock session context](/screenshots/decision-functions-test-runner-v0.17.png)
 
 3. **Create the policy** — a `table_deny` on `salary_data` — and attach the decision function via `decision_function_id`.
 
@@ -235,7 +235,7 @@ The response tells you:
 
 Test with different mock contexts to cover your edge cases: different users, different times, different roles, missing attributes. The test runner compiles and executes the JS in the same WASM sandbox used in production — it's not a simulation.
 
-![Decision function test runner result showing fire value and logs](/screenshots/decision-functions-test-runner-v0.15.png)
+![Decision function test runner result showing fire value and logs](/screenshots/decision-functions-test-runner-v0.17.png)
 
 ### Logging with `log_level`
 
@@ -385,4 +385,4 @@ If a user has 5 policies and 3 have query-context decision functions, each query
 - [Policies overview](/guides/policies/) — which policy type to attach a decision function to
 - [Template Expressions](/reference/template-expressions) — the simpler alternative for attribute-based logic
 
-<!-- screenshots: [decision-functions-editor-v0.15.png, decision-functions-test-runner-v0.15.png] -->
+<!-- screenshots: [decision-functions-editor-v0.17.png, decision-functions-test-runner-v0.17.png] -->

docs-site/docs/guides/decision-functions.md

@@ -36,7 +36,7 @@ Go to **Policies → Create**:
 - **Targets:** schema `public`, table `customers`, column `ssn`
 - **Mask expression:** `'***-**-' || RIGHT(ssn, 4)`
 
-![Column mask policy editor showing SSN masking expression](/screenshots/column-masks-editor-v0.15.png)
+![Column mask policy editor showing SSN masking expression](/screenshots/column-masks-editor-v0.17.png)
 
 ### 2. Assign and verify
 
@@ -146,4 +146,4 @@ If a `column_deny` removes a column, a mask on the same column is irrelevant —
 - [Column Allow & Deny](./column-allow-deny) — for removing columns entirely
 - [Template Expressions](/reference/template-expressions) — expression syntax and `{user.KEY}` variables
 
-<!-- screenshots: [column-masks-editor-v0.15.png, column-masks-result-v0.15.png] -->
+<!-- screenshots: [column-masks-editor-v0.17.png, column-masks-result-v0.15.png] -->

docs-site/docs/guides/policies/column-masks.md

@@ -43,13 +43,13 @@ Go to **Policies → Create**:
 - **Targets:** schemas `*`, tables `*` (applies to all tables with an `org` column)
 - **Filter expression:** `org = {user.tenant}`
 
-![Row filter policy editor with tenant isolation expression](/screenshots/row-filters-policy-editor-v0.15.png)
+![Row filter policy editor with tenant isolation expression](/screenshots/row-filters-policy-editor-v0.17.png)
 
 ### 3. Assign the policy
 
 On the data source page, assign `tenant-isolation` with **scope: All users**.
 
-![Assigning a row filter policy to a data source with all-users scope](/screenshots/row-filters-assignment-v0.15.png)
+![Assigning a row filter policy to a data source with all-users scope](/screenshots/row-filters-assignment-v0.17.png)
 
 ### 4. Verify
 
@@ -73,7 +73,7 @@ Open **Query Audit** in the admin UI. Alice's query shows:
 - **Rewritten:** `SELECT DISTINCT org FROM orders WHERE org = 'acme'`
 - **Policies applied:** `tenant-isolation (v1)`
 
-![Query audit entry showing the injected WHERE clause from tenant isolation](/screenshots/row-filters-audit-v0.15.png)
+![Query audit entry showing the injected WHERE clause from tenant isolation](/screenshots/row-filters-audit-v0.17.png)
 
 ## Patterns and recipes
 
@@ -117,6 +117,64 @@ org = {user.tenant} AND status != 'deleted'
 
 A single expression can combine attribute-based and static conditions.
 
+## Filtering by a column on a parent table
+
+In a normalized schema, a scope column like `org`, `tenant_id`, or `workspace_id` rarely lives on every tenant-scoped table. A `customers` table has `org`, but `support_tickets` only has `customer_id` and reaches `org` through the join. A single broad `row_filter` like `org = {user.tenant}` cannot apply to both tables unless the proxy knows how to follow the foreign key. **Column anchors** tell it how.
+
+A column anchor has two shapes:
+
+- **FK walk** — the column lives on a parent table reachable via a foreign key. The proxy injects an `INNER JOIN` against the parent and rewrites the plan to `Project([target.*], Filter(expr, InnerJoin(target, parent)))`. The top projection re-emits the target's scan columns, so downstream plan nodes (including column masks) are unaffected. `INNER JOIN` semantics drop child rows whose FK is NULL, which matches the intent of tenant isolation.
+- **Same-table alias** — the column lives on the target table itself but under a different name (e.g., `customers.tenant_id` vs `accounts.org_id` for the same concept). The proxy rewrites the filter expression in place with no join.
+
+Exactly one shape per anchor. Exactly one anchor per `(table, column)` — enforced by a partial unique index, so resolution is deterministic by construction.
+
+### Register a foreign key as a relationship
+
+For the FK-walk shape, first register the join path. Go to **Data Sources → edit → Relationships**:
+
+- Click **Show FK suggestions** to see live candidates introspected from the upstream database. Only single-column FKs whose parent column is a primary key or single-column unique appear (the "at-most-one-parent-per-child" precondition) — clicking **Add** promotes a suggestion into a `table_relationship`.
+- Or click **Add manually** when the upstream FK is missing or you want a different join path.
+
+For the same-table alias shape, no relationship is needed.
+
+### Designate a column anchor
+
+On the same datasource page, go to the **Column anchors** section and click **Add anchor**:
+
+- **Child table** — the table the row filter targets (e.g., `support_tickets`).
+- **Resolved column** — the name used inside the filter expression (e.g., `org`).
+- **Resolve via** — pick **Relationship (FK walk)** to choose a registered relationship, or **Same-table alias** to enter the real column name on the target (e.g., `org_id`).
+
+For a multi-hop walk (e.g., `support_tickets → orders → customers` where `org` lives on `customers`), register one anchor per hop. The resolver walks the chain up to three hops deep.
+
+### Check coverage before shipping
+
+The policy edit page shows an **Anchor coverage** section for every `row_filter` policy. It dry-runs the same resolution the proxy will use at query time and reports one verdict per `(assigned table × column referenced in the filter)`:
+
+- **Resolves on target** — the column is literally present on the target.
+- **Resolves via relationship** — the FK walk reaches a parent that carries the column. The anchor chain is shown.
+- **Resolves via alias** — the filter column will be rewritten to the alias on this target.
+- **No anchor configured** — silent-deny. The user sees zero rows on this table until you add an anchor. Links to the datasource page where you can fix it.
+- **Alias target column missing** — the alias points at a column that does not exist on the discovered catalog. Silent-deny.
+
+A green banner means every pair resolves cleanly. A red panel lists the broken pairs. For non-`row_filter` policies the section is hidden.
+
+### Fail-secure resolution
+
+Every resolution failure produces `Filter(false)` — zero rows, no query error — plus a structured `tracing::warn!(reason="column_resolution_unresolved", ...)` for ops visibility. The five failure modes are:
+
+1. **No anchor** on the target or an intermediate hop.
+2. **Walk too deep** — more than three hops.
+3. **Cycle** in the relationship graph.
+4. **Qualified parent reference** in the filter expression (`WHERE customers.org = ...`). v1 only supports unqualified column references.
+5. **Referenced column not on the target and not resolvable via any anchor** — also catches alias anchors whose target column does not exist.
+
+Deny-wins on resolution failure means a mis-configured anchor leaks nothing, but it also means an authoring mistake is invisible until you check the coverage panel or run a query. Use the coverage panel before assigning the policy.
+
+### Trust model
+
+The anchor designation is the load-bearing trust assumption. A mis-designated anchor — an FK walk pointing at the wrong parent, or an alias pointing at an unrelated local column — can return a different tenant's rows than intended. The proxy cannot infer intent from the schema alone. Mitigations: the FK suggestions dropdown shows every live candidate (so admins see alternatives before choosing), the partial unique index removes nondeterministic path selection, and every relationship and anchor mutation flows through the admin audit log. See [Threat Model → vector 73](/concepts/threat-model) for the full write-up.
+
 ## Composition
 
 ### Multiple row filters → AND
@@ -153,7 +211,7 @@ If a `table_deny` hides a table, row filters on that table are irrelevant — th
 
 - **Filter not applied** — check: policy `is_enabled`, assigned to the user's data source, target schemas/tables match the queried table, user has data source access.
 - **Zero rows when expecting data** — check: user has the required attribute set, attribute value matches the data, no conflicting row filter AND-combining to empty. Inspect the **rewritten query** in the audit log.
-- **Filter applied to wrong tables** — check target patterns. `schemas: ["*"], tables: ["*"]` matches everything; a table without the referenced column (e.g., no `org` column) will error at query time.
+- **Filter applied to wrong tables** — check target patterns. `schemas: ["*"], tables: ["*"]` matches everything. If a matched table does not carry the referenced column (e.g., no `org` column) and no column anchor is configured, the policy fails safe: the user sees zero rows and the proxy logs a `column_resolution_unresolved` warning. See [Filtering by a column on a parent table](#filtering-by-a-column-on-a-parent-table) for how to route the filter through a foreign key or rename.
 
 → Full diagnostics: [Audit & Debugging](/guides/audit-debugging) · [Troubleshooting](/operations/troubleshooting)
 
@@ -164,4 +222,4 @@ If a `table_deny` hides a table, row filters on that table are irrelevant — th
 - [Template Expressions](/reference/template-expressions) — full expression syntax and NULL semantics
 - [User Attributes](/guides/attributes) — how to define and assign the attributes that drive filters
 
-<!-- screenshots: [row-filters-policy-editor-v0.15.png, row-filters-assignment-v0.15.png, row-filters-audit-v0.15.png] -->
+<!-- screenshots: [row-filters-policy-editor-v0.17.png, row-filters-assignment-v0.17.png, row-filters-audit-v0.17.png] -->