Skip to content

feat: add CheckScopedForeignKey node type to registry#1278

Merged
pyramation merged 2 commits into
mainfrom
feat/check-scoped-foreign-key
Jun 7, 2026
Merged

feat: add CheckScopedForeignKey node type to registry#1278
pyramation merged 2 commits into
mainfrom
feat/check-scoped-foreign-key

Conversation

@pyramation
Copy link
Copy Markdown
Contributor

@pyramation pyramation commented Jun 7, 2026

Summary

Adds CheckScopedForeignKey to the node type registry — a BEFORE INSERT trigger validator that prevents cross-scope FK linking.

Problem: On junction tables (e.g. view_table with view_id + table_id), a user with access to multiple databases can INSERT a row linking records from different databases. RLS only checks "can you access this row" — it doesn't validate that all FKs point to the same scope.

Solution: New Check* category node type with parameter_schema:

{
  scope_field: 'database_id',  // optional — also validates NEW.scope_field matches
  references: [
    { field: 'view_id', ref_table: 'view', ref_scope_field: 'database_id' },
    { field: 'table_id', ref_table: 'table', ref_scope_field: 'database_id' }
  ]
}

The generator (in constructive-db) creates a BEFORE INSERT trigger that SELECTs each target's scope value and raises if any mismatch. Works for junction tables (2+ refs) and child tables (1 ref validated against the row's own scope field).

Companion PR: constructive-io/constructive-db (generator + table_module dispatch).

Link to Devin session: https://app.devin.ai/sessions/12842f98263d4815b6713291efc825ad
Requested by: @pyramation

pyramation added 2 commits June 7, 2026 01:54
@pyramation
feat: add DataDenormalized node type to registry
24a7572 
Registers denormalized field triggers as a proper node type. Creates
INSERT/UPDATE triggers that copy field values from a referenced parent
table into the current table whenever the FK changes. Used to
denormalize frequently-read columns (e.g. database_id on junction
tables) so RLS and queries can filter locally without joining.
@pyramation
feat: add CheckScopedForeignKey node type to registry
4aab4db 
BEFORE INSERT trigger validator that ensures all FK references resolve
to the same scope value (e.g. database_id). Prevents cross-scope linking
where a user with access to multiple scopes could create invalid
cross-scope references.

Works on junction tables (2+ FKs) and child tables (1 FK validated
against the row's own scope field).
@devin-ai-integration
Copy link
Copy Markdown
Contributor

devin-ai-integration Bot commented Jun 7, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@pyramation pyramation merged commit fb2f40e into main Jun 7, 2026
35 checks passed
@pyramation pyramation deleted the feat/check-scoped-foreign-key branch June 7, 2026 04:20
@pyramation pyramation mentioned this pull request Jun 7, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@pyramation pyramation

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pyramation