Flatten user attributes in decision context and add expression editor

BREAKING: Decision function context changes from `ctx.session.user.attributes.KEY`
to `ctx.session.user.KEY`. Existing decision functions referencing the old path
must be updated.

- Flatten custom attributes as first-class fields on `ctx.session.user` object,
  with built-in fields (id, username, tenant, roles) always winning on collision
- Add ExpressionEditor component with CodeMirror, {user.*} template autocomplete,
  and server-side expression validation via new POST /policies/validate-expression
- Derive reserved attribute keys from ORM columns via LazyLock instead of hardcoded list
- Replace plain text inputs with ExpressionEditor in PolicyForm for filter/mask expressions
- Update DecisionFunctionModal autocomplete to match flattened context
- Mark Conditional Policies as resolved in roadmap (covered by CASE WHEN + decision fns)
- Add comprehensive ABAC expression patterns and conditional policy examples to docs

Author: jumpbetweenrows

README.md

@@ -449,6 +449,7 @@ All policy endpoints require admin (`is_admin = true`).
 | GET | `/policies/{id}` | Get policy + assignment count |
 | PUT | `/policies/{id}` | Update policy (requires `version` for optimistic concurrency → 409 on conflict) |
 | DELETE | `/policies/{id}` | Delete policy (cascades) |
+| POST | `/policies/validate-expression` | Validate a filter/mask expression `{ expression, is_mask }` → `{ valid, error? }` |
 | GET | `/policies/export` | Export all policies as YAML |
 | POST | `/policies/import` | Import YAML (`?dry_run=true` to preview) |
 | GET | `/datasources/{id}/policies` | List policy assignments for datasource |

admin-ui/src/api/policies.ts

@@ -65,3 +65,14 @@ export async function removeAssignment(
 ): Promise<void> {
   await client.delete(`/datasources/${datasourceId}/policies/${assignmentId}`)
 }
+
+export async function validateExpression(
+  expression: string,
+  isMask: boolean,
+): Promise<{ valid: boolean; error?: string }> {
+  const { data } = await client.post<{ valid: boolean; error?: string }>(
+    '/policies/validate-expression',
+    { expression, is_mask: isMask },
+  )
+  return data
+}

admin-ui/src/components/DecisionFunctionModal.tsx

@@ -51,7 +51,7 @@ function buildCtxCompletions(evaluateContext: EvaluateContext, configStr: string
     { label: 'ctx.session.user.username', type: 'variable' as const },
     { label: 'ctx.session.user.tenant', type: 'variable' as const },
     { label: 'ctx.session.user.roles', type: 'variable' as const, detail: 'string[]' },
-    { label: 'ctx.session.user.attributes', type: 'variable' as const, detail: 'object' },
+    { label: 'ctx.session.time.now', type: 'variable' as const, detail: 'ISO 8601 timestamp' },
     { label: 'ctx.session.time.hour', type: 'variable' as const, detail: '0-23' },
     { label: 'ctx.session.time.day_of_week', type: 'variable' as const, detail: 'Monday-Sunday' },
     { label: 'ctx.session.datasource.name', type: 'variable' as const },
@@ -62,7 +62,7 @@ function buildCtxCompletions(evaluateContext: EvaluateContext, configStr: string
   for (const def of attrDefs) {
     const detail = def.value_type === 'list' ? 'string[]' : def.value_type
     items.push({
-      label: `ctx.session.user.attributes.${def.key}`,
+      label: `ctx.session.user.${def.key}`,
       type: 'variable' as const,
       detail,
     })

admin-ui/src/components/ExpressionEditor.test.tsx

@@ -0,0 +1,152 @@
+import { describe, it, expect, vi } from 'vitest'
+import { screen, fireEvent, waitFor } from '@testing-library/react'
+import { ExpressionEditor } from './ExpressionEditor'
+import { renderWithProviders } from '../test/test-utils'
+
+// Mock CodeMirror as a simple textarea (same pattern as PolicyForm tests)
+vi.mock('@uiw/react-codemirror', () => ({
+  default: ({
+    value,
+    onChange,
+    placeholder,
+  }: {
+    value: string
+    onChange?: (v: string) => void
+    placeholder?: string
+  }) => (
+    <textarea
+      data-testid="codemirror"
+      value={value}
+      onChange={(e) => onChange?.(e.target.value)}
+      placeholder={placeholder}
+    />
+  ),
+}))
+
+describe('ExpressionEditor', () => {
+  it('renders with placeholder', () => {
+    renderWithProviders(
+      <ExpressionEditor
+        value=""
+        onChange={() => {}}
+        placeholder="organization_id = {user.tenant}"
+        templateItems={[]}
+      />,
+    )
+    expect(screen.getByPlaceholderText('organization_id = {user.tenant}')).toBeTruthy()
+  })
+
+  it('renders with initial value', () => {
+    renderWithProviders(
+      <ExpressionEditor
+        value="tenant = {user.tenant}"
+        onChange={() => {}}
+        templateItems={[]}
+      />,
+    )
+    expect(screen.getByDisplayValue('tenant = {user.tenant}')).toBeTruthy()
+  })
+
+  it('calls onChange when value changes', () => {
+    const onChange = vi.fn()
+    renderWithProviders(
+      <ExpressionEditor value="" onChange={onChange} templateItems={[]} />,
+    )
+    fireEvent.change(screen.getByTestId('codemirror'), {
+      target: { value: 'region = {user.region}' },
+    })
+    expect(onChange).toHaveBeenCalledWith('region = {user.region}')
+  })
+
+  it('shows Check button when onValidate is provided', () => {
+    renderWithProviders(
+      <ExpressionEditor
+        value="test"
+        onChange={() => {}}
+        templateItems={[]}
+        onValidate={vi.fn().mockResolvedValue({ valid: true })}
+      />,
+    )
+    expect(screen.getByTitle('Validate expression syntax')).toBeTruthy()
+  })
+
+  it('does not show Check button when onValidate is not provided', () => {
+    renderWithProviders(
+      <ExpressionEditor value="test" onChange={() => {}} templateItems={[]} />,
+    )
+    expect(screen.queryByTitle('Validate expression syntax')).toBeNull()
+  })
+
+  it('shows green check on valid expression', async () => {
+    const onValidate = vi.fn().mockResolvedValue({ valid: true })
+    renderWithProviders(
+      <ExpressionEditor
+        value="region = {user.region}"
+        onChange={() => {}}
+        templateItems={[]}
+        onValidate={onValidate}
+      />,
+    )
+    fireEvent.click(screen.getByTitle('Validate expression syntax'))
+    await waitFor(() => {
+      expect(onValidate).toHaveBeenCalledWith('region = {user.region}')
+      expect(screen.getByText('✓')).toBeTruthy()
+    })
+  })
+
+  it('shows red X and error on invalid expression', async () => {
+    const onValidate = vi
+      .fn()
+      .mockResolvedValue({ valid: false, error: 'Unsupported syntax: EXTRACT' })
+    renderWithProviders(
+      <ExpressionEditor
+        value="EXTRACT(HOUR FROM col)"
+        onChange={() => {}}
+        templateItems={[]}
+        onValidate={onValidate}
+      />,
+    )
+    fireEvent.click(screen.getByTitle('Validate expression syntax'))
+    await waitFor(() => {
+      expect(screen.getByText('✗')).toBeTruthy()
+      expect(screen.getByText('Unsupported syntax: EXTRACT')).toBeTruthy()
+    })
+  })
+
+  it('resets validation state when expression changes', async () => {
+    const onValidate = vi
+      .fn()
+      .mockResolvedValue({ valid: false, error: 'bad' })
+    const onChange = vi.fn()
+    renderWithProviders(
+      <ExpressionEditor
+        value="bad expr"
+        onChange={onChange}
+        templateItems={[]}
+        onValidate={onValidate}
+      />,
+    )
+    // Validate first
+    fireEvent.click(screen.getByTitle('Validate expression syntax'))
+    await waitFor(() => expect(screen.getByText('bad')).toBeTruthy())
+
+    // Change expression — validation error should clear
+    fireEvent.change(screen.getByTestId('codemirror'), {
+      target: { value: 'new expr' },
+    })
+    expect(screen.queryByText('bad')).toBeNull()
+  })
+
+  it('disables Check button when expression is empty', () => {
+    renderWithProviders(
+      <ExpressionEditor
+        value=""
+        onChange={() => {}}
+        templateItems={[]}
+        onValidate={vi.fn()}
+      />,
+    )
+    const btn = screen.getByTitle('Validate expression syntax')
+    expect(btn).toHaveProperty('disabled', true)
+  })
+})

admin-ui/src/components/ExpressionEditor.tsx

@@ -0,0 +1,154 @@
+import { useState, useCallback, useMemo } from 'react'
+import CodeMirror from '@uiw/react-codemirror'
+import { autocompletion, type CompletionContext, type CompletionResult } from '@codemirror/autocomplete'
+import { EditorView } from '@codemirror/view'
+
+export interface TemplateItem {
+  key: string
+  valueType: string
+}
+
+interface ExpressionEditorProps {
+  value: string
+  onChange: (value: string) => void
+  placeholder?: string
+  templateItems: TemplateItem[]
+  onValidate?: (expression: string) => Promise<{ valid: boolean; error?: string }>
+}
+
+const BUILTIN_VARS = [
+  { label: '{user.tenant}', detail: 'string', apply: '{user.tenant}' },
+  { label: '{user.username}', detail: 'string', apply: '{user.username}' },
+  { label: '{user.id}', detail: 'string', apply: '{user.id}' },
+]
+
+function templateCompletionSource(items: TemplateItem[]) {
+  return (context: CompletionContext): CompletionResult | null => {
+    // Match {user. followed by optional word chars and optional closing brace
+    const match = context.matchBefore(/\{user\.[\w]*\}?/)
+    if (!match) return null
+
+    const custom = items.map((a) => ({
+      label: `{user.${a.key}}`,
+      detail: a.valueType === 'list' ? 'list (use with IN)' : a.valueType,
+      apply: `{user.${a.key}}`,
+    }))
+
+    return {
+      from: match.from,
+      options: [...BUILTIN_VARS, ...custom],
+      filter: true,
+    }
+  }
+}
+
+const compactTheme = EditorView.theme({
+  '&': { fontSize: '14px' },
+  '.cm-editor': { maxHeight: '120px', overflow: 'auto' },
+  '.cm-content': { padding: '6px 10px', fontFamily: 'ui-monospace, monospace' },
+  '.cm-line': { lineHeight: '1.5' },
+  '.cm-placeholder': { color: '#9ca3af' },
+  '.cm-focused': { outline: 'none' },
+})
+
+export function ExpressionEditor({
+  value,
+  onChange,
+  placeholder,
+  templateItems,
+  onValidate,
+}: ExpressionEditorProps) {
+  const [validationState, setValidationState] = useState<
+    'idle' | 'loading' | 'valid' | 'invalid'
+  >('idle')
+  const [validationError, setValidationError] = useState<string>('')
+
+  const handleChange = useCallback(
+    (val: string) => {
+      onChange(val)
+      // Reset validation state when expression changes
+      if (validationState !== 'idle') {
+        setValidationState('idle')
+        setValidationError('')
+      }
+    },
+    [onChange, validationState],
+  )
+
+  const handleValidate = useCallback(async () => {
+    if (!onValidate || !value.trim()) return
+    setValidationState('loading')
+    try {
+      const result = await onValidate(value)
+      if (result.valid) {
+        setValidationState('valid')
+        setValidationError('')
+      } else {
+        setValidationState('invalid')
+        setValidationError(result.error ?? 'Invalid expression')
+      }
+    } catch {
+      setValidationState('invalid')
+      setValidationError('Validation request failed')
+    }
+  }, [onValidate, value])
+
+  const extensions = useMemo(
+    () => [
+      autocompletion({ override: [templateCompletionSource(templateItems)] }),
+      compactTheme,
+    ],
+    [templateItems],
+  )
+
+  return (
+    <div>
+      <div className="flex items-center gap-2">
+        <div
+          className={`flex-1 border rounded-lg overflow-hidden ${
+            validationState === 'invalid'
+              ? 'border-red-400'
+              : validationState === 'valid'
+                ? 'border-green-400'
+                : 'border-gray-300 focus-within:ring-2 focus-within:ring-blue-500 focus-within:border-blue-500'
+          }`}
+        >
+          <CodeMirror
+            value={value}
+            onChange={handleChange}
+            placeholder={placeholder}
+            basicSetup={{
+              lineNumbers: false,
+              foldGutter: false,
+              highlightActiveLine: false,
+              autocompletion: false,
+            }}
+            extensions={extensions}
+          />
+        </div>
+        {onValidate && (
+          <button
+            type="button"
+            onClick={handleValidate}
+            disabled={validationState === 'loading' || !value.trim()}
+            className="shrink-0 px-2 py-1.5 text-xs font-medium rounded-md border border-gray-300 bg-white text-gray-600 hover:bg-gray-50 disabled:opacity-40 disabled:cursor-not-allowed"
+            title="Validate expression syntax"
+          >
+            {validationState === 'loading' ? (
+              <span className="inline-block w-4 h-4 border-2 border-gray-300 border-t-gray-600 rounded-full animate-spin" />
+            ) : validationState === 'valid' ? (
+              <span className="text-green-600">&#10003;</span>
+            ) : validationState === 'invalid' ? (
+              <span className="text-red-600">&#10007;</span>
+            ) : (
+              'Check'
+            )}
+          </button>
+        )}
+      </div>
+      {validationState === 'invalid' && validationError && (
+        <p className="text-xs text-red-500 mt-1">{validationError}</p>
+      )}
+    </div>
+  )
+}

admin-ui/src/components/PolicyForm.test.tsx

@@ -27,6 +27,10 @@ vi.mock('../api/attributeDefinitions', () => ({
   listAttributeDefinitions: vi.fn().mockResolvedValue({ data: [], total: 0, page: 1, page_size: 200 }),
 }))
 
+vi.mock('../api/policies', () => ({
+  validateExpression: vi.fn().mockResolvedValue({ valid: true }),
+}))
+
 vi.mock('../api/decisionFunctions', () => ({
   listDecisionFunctions: (...args: unknown[]) => mockListDecisionFunctions(...args),
   getDecisionFunction: (...args: unknown[]) => mockGetDecisionFunction(...args),
@@ -568,7 +572,9 @@ describe('PolicyForm — decision function validation', () => {
     // Modal should be open — fill code and save
     await waitFor(() => expect(screen.getByText('Create Function')).toBeTruthy())
     const editors = screen.getAllByTestId('codemirror')
-    fireEvent.change(editors[0], { target: { value: 'function evaluate(ctx) { return { fire: true }; }' } })
+    // editors[0] is the filter expression editor; modal JS editor follows it
+    const jsEditor = editors.length > 1 ? editors[1] : editors[0]
+    fireEvent.change(jsEditor, { target: { value: 'function evaluate(ctx) { return { fire: true }; }' } })
     await userEvent.click(screen.getByText('Create Function'))
 
     // Wait for modal to close and function to be attached