nadeem4
diff --git a/‎configs/policies.json‎
Lines changed: 59 additions & 0 deletions b/‎configs/policies.json‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎docs/architecture/security.md‎
Lines changed: 47 additions & 10 deletions b/‎docs/architecture/security.md‎
Lines changed: 47 additions & 10 deletions
diff --git a/‎docs/guides/configuration.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/guides/configuration.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/guides/deployment.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/guides/deployment.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/cli/README.md‎
Lines changed: 2 additions & 2 deletions b/‎packages/cli/README.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/cli/src/nl2sql_cli/commands/policy.py‎
Lines changed: 109 additions & 0 deletions b/‎packages/cli/src/nl2sql_cli/commands/policy.py‎
Lines changed: 109 additions & 0 deletions
diff --git a/‎packages/cli/src/nl2sql_cli/commands/run.py‎
Lines changed: 29 additions & 13 deletions b/‎packages/cli/src/nl2sql_cli/commands/run.py‎
Lines changed: 29 additions & 13 deletions
@@ -0,0 +1,59 @@
+{
+  "admin": {
+    "description": "System Administrator",
+    "role": "admin",
+    "allowed_datasources": [
+      "*"
+    ],
+    "allowed_tables": [
+      "*"
+    ]
+  },
+  "ops_manager": {
+    "description": "Operations Manager",
+    "role": "manager",
+    "allowed_datasources": [
+      "manufacturing_ops",
+      "manufacturing_ref"
+    ],
+    "allowed_tables": [
+      "manufacturing_ops.employees",
+      "manufacturing_ops.machines",
+      "manufacturing_ops.maintenance_logs",
+      "manufacturing_ops.spare_parts",
+      "manufacturing_ref.factories",
+      "manufacturing_ref.machine_types",
+      "manufacturing_ref.shifts"
+    ]
+  },
+  "sales_analyst": {
+    "description": "Sales & Supply Chain Analyst",
+    "role": "analyst",
+    "allowed_datasources": [
+      "manufacturing_history",
+      "manufacturing_supply"
+    ],
+    "allowed_tables": [
+      "manufacturing_history.customers",
+      "manufacturing_history.sales_orders",
+      "manufacturing_history.sales_order_items",
+      "manufacturing_history.production_runs",
+      "manufacturing_history.defects",
+      "manufacturing_supply.products",
+      "manufacturing_supply.inventory",
+      "manufacturing_supply.suppliers",
+      "manufacturing_supply.purchase_orders",
+      "manufacturing_supply.purchase_order_items"
+    ]
+  },
+  "guest": {
+    "description": "Guest User",
+    "role": "guest",
+    "allowed_datasources": [
+      "manufacturing_supply"
+    ],
+    "allowed_tables": [
+      "manufacturing_supply.products"
+    ]
+  }
+}
@@ -106,29 +106,66 @@ The system supports extensible providers via the `SecretProvider` protocol. You
 
 ### Strict Validation (V3)
 
-Datasource configurations are validated using Pydantic V3 models (`DatasourceProfile`). This ensures:
+Datasource configurations are validated strictly at load time. This ensures:
 
 * **Type Safety**: Malformed integers or booleans are rejected.
 * **Field Constraints**: Unknown fields are forbidden, preventing "config injection" or typos.
-* **Sanitization**: Passwords and sensitive fields are masked in logs (via `__repr__` overrides).
+* **Sanitization**: Passwords and sensitive fields are masked in logs.
+* **Adapter Specifics**: Each adapter (e.g., `PostgresAdapter`) defines and validates its own configuration schema requirements.
 
-### User Authorization Config
+### 6.1 Policy Definition (`configs/policies.json`)
 
-User roles and permissions are defined in `users.json` (pointed to by `USERS_CONFIG` setting).
+The application uses **Role-Based Access Control (RBAC)**. The `policies.json` file defines policies keyed by **Role ID** (e.g., `admin`, `analyst`).
 
-**Example Configuration**:
+**Strict Namespacing Rule**: To prevent namespace collisions, `allowed_tables` MUST use the format `datasource_id.table_name`. Simple table names are not supported.
+
+#### Example
 
 ```json
 {
-  "guest": {
-    "role": "guest",
-    "allowed_datasources": ["public_data"],
-    "allowed_tables": ["products", "store_locations"]
+  "sales_analyst": {
+    "description": "Access to Sales DB only",
+    "role": "analyst",
+    "allowed_datasources": ["sales_db"],
+    "allowed_tables": [
+      // Exact Match
+      "sales_db.orders",
+      
+      // Datasource Wildcard
+      "sales_db.customers_*"
+    ]
   },
   "admin": {
+    "description": "Super Admin",
     "role": "admin",
-    "allowed_datasources": ["*"],
     "allowed_tables": ["*"]
   }
 }
 ```
+
+In CLI execution: `nl2sql run ... --role sales_analyst`.
+The application assumes the identity provider has already authenticated the user and assigned this role.
+
+### 6.2 Policy Schema & Validation
+
+Policies are treated as **Configuration Code**. To prevent misconfiguration (e.g., typos, invalid types), the system validates `policies.json` against a strict **Pydantic Schema** at startup.
+
+**Schema (`nl2sql.security.policies`)**:
+
+1. **Strict Typing**: Fields like `allowed_datasources` MUST be lists of strings.
+2. **Syntax Enforcement**: `allowed_tables` values are validated ensuring they match the `datasource_id.table_name` or wildcard format.
+3. **Fail Fast**: If the configuration is invalid, the application refuses to start, printing a clear error message describing the violation.
+
+### 6.3 Policy Management CLI
+
+You can validate your policy file without running a query using the CLI.
+
+```bash
+# Validate Syntax & Integrity
+nl2sql policy validate
+```
+
+This command performs two checks:
+
+1. **Schema Check**: Validates syntax against the Pydantic model.
+2. **Integrity Check**: Verifies that referenced `datasources` and `tables` actually exist in `datasources.yaml`. Users often typo table names; this catches those errors before runtime.
@@ -172,7 +172,7 @@ You can configure the application using the following environment variables (def
 | `DATASOURCE_CONFIG` | `configs/datasources.yaml` | Path to the datasource configuration file. |
 | `SECRETS_CONFIG` | `configs/secrets.yaml` | Path to the secrets configuration file. |
 | `LLM_CONFIG` | `configs/llm.yaml` | Path to the LLM model configuration file. |
-| `USERS_CONFIG` | `users.json` | Path to the user permissions file. |
+| `POLICIES_CONFIG` | `configs/policies.json` | Path to the RBAC policies file. |
 | `VECTOR_STORE` | `./chroma_db` | Path (directory) to persist the vector store. |
 | `EMBEDDING_MODEL` | `text-embedding-3-small` | OpenAI embedding model name. |
 | `BENCHMARK_CONFIG` | `configs/benchmark_suite.yaml` | Path to accurate testing suite configuration. |
 
@@ -34,7 +34,7 @@ services:
 
 ## Production Checklist
 
-1. [ ] **Security**: Ensure `users.json` is mapped to your identity provider (e.g. OAuth) to dynamically enforce `allowed_tables`.
+1. [ ] **Security**: Ensure `configs/policies.json` is mapped to your identity provider (e.g. OAuth) to dynamically enforce `allowed_tables`.
 2. [ ] **Read-Only**: Configure the database users in `datasources.yaml` to have READ-ONLY permissions at the database level.
     > The PhysicalValidator provides a safety net, but deep defense requires DB-level grants.
 3. [ ] **Monitoring**: Enable the `PipelineMonitorCallback` to log all traces to your observability stack (e.g. LangSmith).
@@ -60,7 +60,7 @@ nl2sql chat
 Execute a query and see the result (JSON or Text streaming).
 
 ```bash
-nl2sql run "Show me the top 5 customers by revenue"
+nl2sql run "Show me the top 5 customers by revenue" --role sales_analyst
 ```
 
 ## Architecture
@@ -79,7 +79,7 @@ The CLI relies on the standard NL2SQL configuration files:
 
 - `datasources.yaml`: Connection profiles.
 - `llm_config.yaml`: LLM provider settings.
-- `users.json`: User context and permissions.
+- `configs/policies.json`: RBAC policies and permissions.
 
 Run `nl2sql doctor` to see where it expects these files to be.
 
 
@@ -0,0 +1,109 @@
+import typer
+import pathlib
+import sys
+from typing_extensions import Annotated
+from rich.console import Console
+from rich.table import Table
+
+from nl2sql.common.settings import settings
+from nl2sql.security.policies import PolicyConfig
+from nl2sql.datasources.config import load_configs
+from nl2sql.datasources import DatasourceRegistry
+from pydantic import ValidationError
+from nl2sql.secrets import secret_manager, load_secret_configs
+
+app = typer.Typer(help="Manage RBAC policies and security.")
+console = Console()
+
+@app.command("validate")
+def validate(
+    config: Annotated[pathlib.Path, typer.Option("--config", help="Path to datasource config")] = pathlib.Path(settings.datasource_config_path),
+    policies: Annotated[pathlib.Path, typer.Option("--policies", help="Path to policies.json")] = pathlib.Path(settings.policies_config_path),
+    secrets: Annotated[pathlib.Path, typer.Option("--secrets", help="Path to secrets config")] = pathlib.Path(settings.secrets_config_path),
+):
+    """
+    Validate policy syntax and integrity against defined datasources.
+    """
+    console.print(f"[bold blue]Validating Policies from:[/bold blue] {policies}")
+    
+    # 1. Load Policies (Schema Check)
+    try:
+        if not policies.exists():
+            console.print(f"[bold red]Error:[/bold red] Policy file not found at {policies}")
+            sys.exit(1)
+            
+        with open(policies, "r") as f:
+            raw_json = f.read()
+            
+        policy_cfg = PolicyConfig.model_validate_json(raw_json)
+        console.print("[green]✓ Schema Syntax Valid[/green]")
+        
+    except ValidationError as ve:
+        console.print(f"[bold red]Schema Validation Failed:[/bold red]\n{ve}")
+        sys.exit(1)
+    except Exception as e:
+        console.print(f"[bold red]Error loading policies:[/bold red] {e}")
+        sys.exit(1)
+
+    # 2. Load Datasources (Integrity Check)
+    console.print(f"[bold blue]Checking Integrity against Datasources:[/bold blue] {config}")
+    try:
+        # Secrets are needed to load datasources properly
+        if secrets.exists():
+            secret_configs = load_secret_configs(secrets)
+            secret_manager.configure(secret_configs)
+        
+        ds_configs = load_configs(config)
+        registry = DatasourceRegistry(ds_configs)
+        
+        available_ds = set(registry.list_ids())
+        console.print(f"[dim]Available Datasources: {available_ds}[/dim]")
+        
+        has_errors = False
+        
+        table = Table(title="Policy Integrity Report")
+        table.add_column("Role", style="cyan")
+        table.add_column("Target", style="magenta")
+        table.add_column("Status", style="green")
+        table.add_column("Details", style="white")
+
+        for role_id, role_def in policy_cfg.root.items():
+            # Check Datasources
+            for ds in role_def.allowed_datasources:
+                if ds == "*":
+                    table.add_row(role_id, "Datasource: *", "[green]OK[/green]", "Global Access")
+                    continue
+                    
+                if ds not in available_ds:
+                    table.add_row(role_id, f"Datasource: {ds}", "[red]MISSING[/red]", "Datasource not defined in config")
+                    has_errors = True
+                else:
+                    table.add_row(role_id, f"Datasource: {ds}", "[green]OK[/green]", "Verified")
+
+            # Check Tables (Heuristic only - we can't verify tables without checking DB connection, which is slow/expensive. 
+            # But we CAN verify the component 'datasource' part of 'datasource.table')
+            for rule in role_def.allowed_tables:
+                if rule == "*":
+                     table.add_row(role_id, "Table: *", "[green]OK[/green]", "Global Access")
+                     continue
+                
+                parts = rule.split(".")
+                if len(parts) >= 2:
+                    ds_part = parts[0]
+                    if ds_part not in available_ds and ds_part != "*":
+                         table.add_row(role_id, f"Table Rule: {rule}", "[red]INVALID DS[/red]", f"Datasource '{ds_part}' unknown")
+                         has_errors = True
+                    else:
+                        table.add_row(role_id, f"Table Rule: {rule}", "[green]OK[/green]", "DS Verified")
+        
+        console.print(table)
+        
+        if has_errors:
+            console.print("\n[bold red]Integrity Check Failed: Policies reference missing resources.[/bold red]")
+            sys.exit(1)
+        else:
+            console.print("\n[bold green]✓ Policy Integrity Verified[/bold green]")
+
+    except Exception as e:
+        console.print(f"[bold red]Integrity Check Failed:[/bold red] {e}")
+        sys.exit(1)
@@ -61,29 +61,45 @@ def _run_simple_mode(
 
     start_time = time.perf_counter()
 
-    # Load User Context
-    user_context = {}
+    # Load Role Context (RBAC)
+    policy_context = {}
     try:
         import pathlib
-        users_path = pathlib.Path(settings.users_config_path)            
-        if users_path.exists():
-            with open(users_path, "r") as f:
-                users_db = json.load(f)
-                user_context = users_db.get(config.user)
+        from nl2sql.security.policies import PolicyConfig
+        from pydantic import ValidationError
+        
+        policies_path = pathlib.Path(settings.policies_config_path)            
+        if policies_path.exists():
+            with open(policies_path, "r") as f:
+                raw_json = f.read()
+                
+            try:
+                # 1. Strict Schema Validation
+                policy_cfg = PolicyConfig.model_validate_json(raw_json)
 
-                if not user_context:
-                    presenter.print_error(f"Critical: User '{config.user}' not found in '{users_path.resolve()}'. Cannot execute without context.")
+                # 2. Look up by Role ID
+                role_policy = policy_cfg.get_role(config.role)
+                
+                if not role_policy:
+                    presenter.print_error(f"Critical: Role '{config.role}' not defined in '{policies_path.resolve()}'. Available roles: {list(policy_cfg.root.keys())}")
                     sys.exit(1)
+                    
+                # 3. Convert to Dict for Pipeline
+                policy_context = role_policy.model_dump()
+                
+            except ValidationError as ve:
+                presenter.print_error(f"Policy Configuration Error in '{policies_path}':\n{ve}")
+                sys.exit(1)
         else:
-            presenter.print_error(f"Critical: User config file not found at '{users_path}'. Cannot load context.")
+            presenter.print_error(f"Critical: Policy config file not found at '{policies_path}'. Cannot load context.")
             sys.exit(1)
 
     except Exception as e:
-        presenter.print_error(f"Failed to load user context: {e}")
+        presenter.print_error(f"Failed to load policy context: {e}")
         sys.exit(1)
 
     try:
-        print(f"User Context: {user_context}")
+        print(f"Policy Context: {policy_context}")
         final_state = run_with_graph(
             registry=datasource_registry,
             llm_registry=llm_registry,
@@ -93,7 +109,7 @@ def _run_simple_mode(
             vector_store=vector_store,
             vector_store_path=config.vector_store_path,
             callbacks=[monitor],
-            user_context=user_context
+            user_context=policy_context
         )
     except Exception as e:
         import traceback