Implement policy permission system with migrations, admin UI, and query auditing

Author: jumpbetweenrows

.claude/CLAUDE.md

@@ -27,3 +27,29 @@ git config core.hooksPath .githooks
 
 ## CI/CD
 Push to `main` → GitHub Actions runs Rust tests + admin-ui tests → builds Docker image → deploys to Fly.io.
+
+## Migrations (`migration/`)
+
+### Rules (violations here cause hard-to-fix production incidents)
+
+**One DDL statement per file.**
+Never combine `CREATE TABLE` + `CREATE INDEX`, multiple `ALTER TABLE`s, etc. in a single migration. SeaORM does NOT wrap SQLite migrations in a transaction — if a multi-step migration fails mid-way, the already-executed DDL commits immediately and cannot be rolled back. The migration is then not recorded in `seaql_migrations`, so on the next run it retries from the top and fails again on the already-applied step. A single-statement migration is either fully applied or not applied at all.
+
+**Always use `.if_not_exists()`.**
+Every `Table::create()` must have `.if_not_exists()`. Every `Index::create()` must have `.if_not_exists()`. This makes migrations safe to retry if a previous run applied the DDL but crashed before recording in `seaql_migrations`.
+
+**Always name indexes.**
+SQLite requires a name for every `CREATE INDEX`. A nameless `Index::create()` generates `CREATE INDEX ON ...` which is a syntax error in SQLite. Always call `.name("idx_<table>_<column>")` before `.table(...)`.
+
+**Never rename or delete a migration file that has been applied.**
+SeaORM records the file name (without extension) as the migration version in `seaql_migrations`. Renaming or deleting a file whose version is already recorded causes a fatal startup error: "Migration file of version '...' is missing". If you need to change what a migration does, add a new migration — never touch old ones.
+
+**Never touch the SQLite DB directly.**
+Never run `rm *.db`, `DROP TABLE`, `DELETE FROM`, `DROP COLUMN`, or modify `seaql_migrations` yourself. If the DB needs manual intervention (e.g. a partial migration left stale state), ask the user to do it. Describe exactly what SQL to run and why.
+
+### Checklist before writing a new migration
+1. One DDL operation only
+2. `Table::create()` → `.if_not_exists()`
+3. `Index::create()` → `.if_not_exists()` + `.name("idx_...")`
+4. `ALTER TABLE ADD COLUMN` — no idempotency guard exists in SeaORM; document that users must not interrupt this migration
+5. Register the new file in `migration/src/lib.rs` in the correct order

.claude/commands/release.md

@@ -1,6 +1,6 @@
-# Release
-
-Prepare and tag a new release for this project. Both apps (proxy and admin-ui) share a single version.
+---
+description: Prepare and tag a new release for this project. Both apps (proxy and admin-ui) share a single version.
+---
 
 ## Steps
 
@@ -13,6 +13,7 @@ Prepare and tag a new release for this project. Both apps (proxy and admin-ui) s
 ### 2. Draft changelog entries
 
 Analyse the commits from step 1 and draft changelog entries grouped by:
+
 - **Added** — new features
 - **Changed** — changes to existing behaviour
 - **Fixed** — bug fixes
@@ -43,7 +44,9 @@ Once the user confirms the version and changelog entries:
 ### 5. Finish
 
 Tell the user the release is ready and show the exact command to push:
+
 ```
 git push && git push origin vX.Y.Z
 ```
+
 Remind them that pushing the tag triggers CI to build and publish a Docker image tagged `vX.Y.Z`.

CHANGELOG.md

@@ -7,6 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- **Policy system** — configurable row filtering, column masking, and column access control via named policies assigned to datasources and users
+  - `policy`, `policy_version`, `policy_obligation`, `policy_assignment`, `query_audit_log` database tables (migration 007)
+  - `PolicyHook` replaces hardcoded `RLSHook`; supports `row_filter`, `column_mask`, and `column_access` obligation types
+  - Template variables (`{user.tenant}`, `{user.username}`, `{user.id}`) with parse-then-substitute injection safety
+  - Wildcard matching (`schema: "*"`, `table: "*"`) in obligation definitions
+  - `access_mode` field on datasources: `"open"` (default) or `"policy_required"` (no policy = empty results)
+  - Optimistic concurrency on policy updates via `version` field (409 Conflict on mismatch)
+  - Immutable `policy_version` snapshots on every policy mutation for audit traceability
+  - Deny policies short-circuit with error before plan execution
+  - 60-second per-session policy cache with `invalidate_datasource` / `invalidate_user` hooks
+- **Policy CRUD API** — `GET/POST /policies`, `GET/PUT/DELETE /policies/{id}` (admin-only)
+- **Policy assignment API** — `GET/POST /datasources/{id}/policies`, `DELETE /datasources/{id}/policies/{assignment_id}`
+- **YAML import/export** — `GET /policies/export`, `POST /policies/import` (with `?dry_run=true`)
+- **Query audit log** — async logging of every proxied query; `GET /audit/queries` with pagination and filtering by user, datasource, date range
+- **Admin UI — Policies** — list, create, and edit policies with an obligation builder (row_filter, column_mask, column_access); inline enable/disable toggle
+- **Admin UI — Policy Assignments** — `PolicyAssignmentPanel` on datasource edit page; assign/remove policies with optional user scope and priority
+- **Admin UI — Query Audit** — paginated log with expandable rows showing original query, rewritten query, and applied policy snapshots
+- **Demo e-commerce schema** — `scripts/demo_ecommerce/` with schema, seed script, and example `policies.yaml` covering all P0 stories
+- **Docs** — `docs/permission-system.md` (user guide) and `docs/permission-security-tests.md` (security test plan)
+
 ## [0.3.0] - 2026-03-04
 
 ### Added