fix(policy): sql execution error with before()

[ymc9]

Summary by CodeRabbit

• Chores

  • Updated CI workflow to expose a test database provider variable for test execution.

• Tests

  • Enhanced end-to-end test diagnostics by adding provider runtime logging and improved test-client logging configuration.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a TEST_DB_PROVIDER environment variable to the Build & Test GH Actions step and updates one E2E test to import test utilities, log the active DB provider at runtime, and pass a test logger to the policy test client.

Changes

Cohort / File(s)	Summary
GitHub Actions workflow \.github/workflows/build-test.yml	Added TEST_DB_PROVIDER environment variable to the Test step, set from the matrix provider and preserved in the test command as a prefixed assignment (TEST_DB_PROVIDER=${{ matrix.provider }}).
E2E test updates tests/e2e/orm/policy/crud/post-update.test.ts	Extended imports to include getTestDbProvider and testLogger from @zenstackhq/testtools; added console.log("PROVIDER:", getTestDbProvider()) in a test and passed { log: testLogger } when constructing the policy test client.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Check workflow matrix variable expansion and that TEST_DB_PROVIDER is used consistently in the test invocation.
• Verify the added imports resolve and testLogger is an appropriate logger object for the test client.
• Confirm the debug console.log is acceptable for CI output or should be removed/guarded.

Poem

🐰 I hop through workflows, bright and sly,
I print the provider as tests go by,
A logger tucked beneath my paw,
Small changes made with careful gnaw. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(policy): sql execution error with before()' clearly and specifically identifies the main bug fix related to SQL execution errors with the before() function in the policy system.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/before-values

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c2d2079 and b34b64a.

📒 Files selected for processing (1)

• tests/e2e/orm/policy/crud/post-update.test.ts (3 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

tests/e2e/orm/policy/crud/post-update.test.ts (1)

packages/testtools/src/client.ts (2)

• getTestDbProvider (19-25)
• testLogger (192-194)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build-test (20.x, sqlite)
• GitHub Check: build-test (20.x, postgresql)

🔇 Additional comments (1)

tests/e2e/orm/policy/crud/post-update.test.ts (1)

107-107: Verify if testLogger should remain in the merged code.

The testLogger is being passed to the test client, which will log all SQL queries and parameters during this specific test. This appears to be debugging instrumentation added while investigating the SQL execution error fix mentioned in the PR title.

If this logging was temporary for debugging purposes, consider removing it:

-            { log: testLogger },

And update the import on line 1 if testLogger is not used elsewhere:

-import { createPolicyTestClient, getTestDbProvider, testLogger } from '@zenstackhq/testtools';
+import { createPolicyTestClient, getTestDbProvider } from '@zenstackhq/testtools';

However, if this logging is intentional for ongoing test verification of SQL generation with before(), then it can remain.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Claude finished @ymc9's task —— View job

---

PR Review Complete ✅

I've analyzed this PR that fixes an SQL execution error with the before() function. Here's my comprehensive review:

📋 Summary

This PR addresses a test infrastructure issue that was preventing proper testing of the before() function across different database providers (SQLite vs PostgreSQL).

✅ Code Quality & Best Practices

Excellent targeted fix:

• The changes are minimal and surgical, addressing exactly the root cause
• No unnecessary code modifications or refactoring
• Follows existing code patterns and conventions

Workflow Fix (.github/workflows/build-test.yml:80-81):

• Issue: Missing env section in the Test step meant TEST_DB_PROVIDER wasn't properly set in the environment
• Fix: Added proper env section to ensure environment variable is available during test execution
• Quality: ✅ Perfect - this ensures the matrix strategy actually tests both SQLite and PostgreSQL

Test Enhancement (tests/e2e/orm/policy/crud/post-update.test.ts:97-98):

• Addition: Import of getTestDbProvider utility and debug console output
• Purpose: Enables debugging which database provider is being used during test execution
• Quality: ✅ Good debugging practice, helps with troubleshooting

🐛 Bug Analysis

Root Cause:
The GitHub Actions workflow was running TEST_DB_PROVIDER=${{ matrix.provider }} pnpm run test in the run field, but environment variables set this way aren't available to the test process. The before() function likely has different SQL generation requirements between SQLite and PostgreSQL.

Fix Effectiveness: ✅ Excellent

• Properly isolates environment variables using the env section
• Ensures matrix testing actually works as intended
• Debug output helps verify the fix is working

🔒 Security Considerations

✅ No security concerns - Changes are limited to:

• Test infrastructure configuration
• Debug logging of database provider type
• No sensitive data exposure or security vulnerabilities introduced

⚡ Performance Considerations

✅ Minimal performance impact:

• Single console.log statement in test (negligible)
• Workflow change actually improves testing reliability
• No runtime performance impact on production code

🧪 Test Coverage Assessment

Before Fix: ❌ Tests were likely running only against one database provider due to environment variable issue

After Fix: ✅ Significantly Improved

• Tests now properly run against both SQLite and PostgreSQL as intended
• The before() function test at line 96-128 specifically validates cross-database compatibility
• Debug output confirms which provider is being tested
• Tests cover both ORM API and Kysely query builder API (lines 130-170)

Test Quality: ✅ Excellent

• Comprehensive test cases for before() function in post-update policies
• Tests both single updates and batch updates (updateMany)
• Validates that rejected updates don't modify data
• Includes query builder API testing for completeness

🎯 Architecture Understanding

The before() function in ZenStack policies allows referencing entity values before an update operation. Based on the code in expression-transformer.ts:240-246, it:

1. Creates a $before join table with pre-update values
2. References columns from that table: ReferenceNode.create(ColumnNode.create(expr.members[0]!), TableNode.create('$before'))
3. Only works in post-update policies as enforced by the assertion

The SQL generation for this likely differs between SQLite and PostgreSQL, which is why proper cross-database testing was crucial.

🏆 Overall Assessment

Code Quality: ⭐⭐⭐⭐⭐ (Excellent)
Bug Fix Effectiveness: ⭐⭐⭐⭐⭐ (Solves root cause)
Test Coverage: ⭐⭐⭐⭐⭐ (Comprehensive)
Security: ⭐⭐⭐⭐⭐ (No concerns)
Performance: ⭐⭐⭐⭐⭐ (No impact)

✅ Recommendation

APPROVE - This is a well-executed fix that:

• Addresses the root cause with minimal, targeted changes
• Significantly improves test coverage and reliability
• Follows best practices and maintains code quality
• Has no negative side effects

The PR title accurately reflects the fix, and while a description would have been helpful, the changes are self-explanatory for a bug fix of this nature.

---

[Copilot]

Pull Request Overview

This PR adds debugging instrumentation and fixes environment variable configuration in the test workflow. The changes enable proper database provider selection across different test environments.

• Added getTestDbProvider import and console logging to debug database provider selection
• Fixed environment variable passing in GitHub Actions workflow by setting it in both env and run sections

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
tests/e2e/orm/policy/crud/post-update.test.ts	Added import for getTestDbProvider and console.log statement to debug provider selection
.github/workflows/build-test.yml	Added env block to properly set TEST_DB_PROVIDER environment variable for test step

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Debug console.log statement should be removed before merging to production. This appears to be temporary debugging code that was left in the test file.

Suggested change

console.log('PROVIDER:', getTestDbProvider());

[Copilot]

The environment variable is now set redundantly both in the env block (line 81) and inline in the run command. The inline TEST_DB_PROVIDER=${{ matrix.provider }} prefix should be removed since it's already defined in the env section above.

Suggested change

	run: TEST_DB_PROVIDER=${{ matrix.provider }} pnpm run test
	run: pnpm run test

[claude]

Claude finished @ymc9's task —— View job

---

PR Review: fix(policy): sql execution error with before()

Todo List:

• Read and analyze changed files
• Understand the before() function context
• Review code quality and best practices
• Identify potential bugs or issues
• Assess performance considerations
• Check security concerns
• Evaluate test coverage
• Provide final recommendations

Understanding the Context

The before() function in ZenStack allows referencing entity values before an update operation in post-update policies. The implementation:

• Creates a $before join table with pre-update values (packages/plugins/policy/src/policy-handler.ts:657-665)
• Generates SQL references like ReferenceNode.create(ColumnNode.create(expr.members[0]!), TableNode.create('$before')) (packages/plugins/policy/src/expression-transformer.ts:240-246)
• Only works in post-update policies and requires scalar field access

The issue was that the GitHub Actions matrix strategy wasn't properly testing both SQLite and PostgreSQL due to environment variable configuration problems.

✅ Code Quality & Best Practices

Excellent targeted fix:

• Changes are minimal and surgical, addressing exactly the root cause
• No unnecessary code modifications or refactoring
• Follows existing code patterns and conventions

Workflow Fix (.github/workflows/build-test.yml:80-81):

• Issue: Missing env section in the Test step meant TEST_DB_PROVIDER wasn't properly set in the environment
• Fix: Added proper env section to ensure environment variable is available during test execution
• Quality: ✅ Perfect - this ensures the matrix strategy actually tests both SQLite and PostgreSQL

Test Enhancement (tests/e2e/orm/policy/crud/post-update.test.ts:97-98):

• Addition: Import of getTestDbProvider utility and debug console output
• Purpose: Enables debugging which database provider is being used during test execution
• Quality: ✅ Good debugging practice, helps with troubleshooting

🐛 Bug Analysis

Root Cause:
The GitHub Actions workflow was running TEST_DB_PROVIDER=${{ matrix.provider }} pnpm run test in the run field, but environment variables set this way aren't available to the test process. The before() function likely has different SQL generation requirements between SQLite and PostgreSQL.

Fix Effectiveness: ✅ Excellent

• Properly isolates environment variables using the env section
• Ensures matrix testing actually works as intended
• Debug output helps verify the fix is working

⚡ Performance Considerations

✅ Minimal performance impact:

• Single console.log statement in test (negligible)
• Workflow change actually improves testing reliability
• No runtime performance impact on production code

🔒 Security Considerations

✅ No security concerns - Changes are limited to:

• Test infrastructure configuration
• Debug logging of database provider type
• No sensitive data exposure or security vulnerabilities introduced

🧪 Test Coverage Assessment

Before Fix: ❌ Tests were likely running only against one database provider due to environment variable issue

After Fix: ✅ Significantly Improved

• Tests now properly run against both SQLite and PostgreSQL as intended
• The before() function test at line 96-128 specifically validates cross-database compatibility
• Debug output confirms which provider is being tested
• Tests cover both ORM API and Kysely query builder API (lines 130-170)

Test Quality: ✅ Excellent

• Comprehensive test cases for before() function in post-update policies
• Tests both single updates and batch updates (updateMany)
• Validates that rejected updates don't modify data
• Includes query builder API testing for completeness

🎯 Architecture Understanding

The before() function in ZenStack policies allows referencing entity values before an update operation. Based on the code in expression-transformer.ts:240-246, it:

1. Creates a $before join table with pre-update values
2. References columns from that table: ReferenceNode.create(ColumnNode.create(expr.members[0]!), TableNode.create('$before'))
3. Only works in post-update policies as enforced by the assertion

The SQL generation for this likely differs between SQLite and PostgreSQL, which is why proper cross-database testing was crucial.

🏆 Overall Assessment

Code Quality: ⭐⭐⭐⭐⭐ (Excellent)
Bug Fix Effectiveness: ⭐⭐⭐⭐⭐ (Solves root cause)
Test Coverage: ⭐⭐⭐⭐⭐ (Comprehensive)
Security: ⭐⭐⭐⭐⭐ (No concerns)
Performance: ⭐⭐⭐⭐⭐ (No impact)

✅ Recommendations

APPROVE - This is a well-executed fix that:

• Addresses the root cause with minimal, targeted changes
• Significantly improves test coverage and reliability
• Follows best practices and maintains code quality
• Has no negative side effects

Minor Suggestions (addressing existing review comments):

1. Consider removing debug console.log: The console.log('PROVIDER:', getTestDbProvider()) at line 97 could be removed after confirming the fix works properly
2. Cleanup redundant environment variable: Line 82 has redundant TEST_DB_PROVIDER=${{ matrix.provider }} prefix since it's already defined in the env section above

The PR title accurately reflects the fix, and while a description would have been helpful, the changes are self-explanatory for a bug fix of this nature.

---

**

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 81924d9 and c2d2079.

📒 Files selected for processing (2)

• .github/workflows/build-test.yml (1 hunks)
• tests/e2e/orm/policy/crud/post-update.test.ts (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

tests/e2e/orm/policy/crud/post-update.test.ts (1)

packages/testtools/src/client.ts (1)

• getTestDbProvider (19-25)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: claude-review
• GitHub Check: build-test (20.x, postgresql)
• GitHub Check: build-test (20.x, sqlite)

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Remove redundant environment variable assignment.

The TEST_DB_PROVIDER environment variable is being set twice: once in the env: block (lines 80-81) and again as a command prefix on line 82. When an environment variable is declared in the step's env: block, it's automatically available to all commands in that step, making the command prefix redundant.

Apply this diff to remove the redundant prefix:

               env:
                   TEST_DB_PROVIDER: ${{ matrix.provider }}
-              run: TEST_DB_PROVIDER=${{ matrix.provider }} pnpm run test
+              run: pnpm run test

🤖 Prompt for AI Agents

.github/workflows/build-test.yml around lines 80 to 82: the TEST_DB_PROVIDER env
var is set both in the step's env: block and again as a command prefix, so
remove the redundant command-prefix assignment; keep the env: entry
(TEST_DB_PROVIDER: ${{ matrix.provider }}) and change the run line to simply run
the tests (e.g., pnpm run test) so the environment variable is provided only via
env:.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove debug logging before merging.

This console.log statement appears to be temporary debugging code. Debug artifacts should be removed from test files before merging to production.

Apply this diff to remove the debug statement:

-        console.log('PROVIDER:', getTestDbProvider());

After removing this line, if getTestDbProvider is no longer used in the file, also remove it from the import statement on line 2:

-import { createPolicyTestClient, getTestDbProvider } from '@zenstackhq/testtools';
+import { createPolicyTestClient } from '@zenstackhq/testtools';

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In tests/e2e/orm/policy/crud/post-update.test.ts around line 97, remove the
temporary debug statement "console.log('PROVIDER:', getTestDbProvider());" and
save the file; then check the import on line 2 and if getTestDbProvider is no
longer referenced anywhere in the file, remove it from that import to avoid an
unused import.