Remove tenant details

matt-aitken · matt-aitken · commit 07e76bd6bacc · 2026-01-10T23:23:32.000Z
diff --git a/internal-packages/tsql/src/query/schema.test.ts b/internal-packages/tsql/src/query/schema.test.ts
@@ -590,11 +590,19 @@ describe("Error message sanitization", () => {
       const error =
         "Unable to query clickhouse: Code: 47. DB::Exception: Missing columns: 'friendly_id' while processing query";
       const sanitized = sanitizeErrorMessage(error, [runsSchema]);
+      // Should remove the "Unable to query clickhouse:" prefix
       expect(sanitized).toBe(
-        "Unable to query clickhouse: Code: 47. DB::Exception: Missing columns: 'run_id' while processing query"
+        "Code: 47. DB::Exception: Missing columns: 'run_id' while processing query"
       );
     });
 
+    it("should remove 'Unable to query clickhouse:' prefix", () => {
+      const error = "Unable to query clickhouse: Something went wrong";
+      const sanitized = sanitizeErrorMessage(error, [runsSchema]);
+      expect(sanitized).toBe("Something went wrong");
+      expect(sanitized).not.toContain("Unable to query clickhouse");
+    });
+
     it("should handle error with column in parentheses", () => {
       const error = "Function count(friendly_id) expects different arguments";
       const sanitized = sanitizeErrorMessage(error, [runsSchema]);
@@ -614,5 +622,160 @@ describe("Error message sanitization", () => {
       const sanitized = sanitizeErrorMessage(error, [runsSchema]);
       expect(sanitized).toBe("Error in runs.run_id");
     });
+
+    it("should remove tenant isolation filters from error messages", () => {
+      const error =
+        "Unknown identifier in scope SELECT run_id FROM runs WHERE ((organization_id = 'org123') AND (project_id = 'proj456') AND (environment_id = 'env789')) AND (status = 'Failed')";
+      const sanitized = sanitizeErrorMessage(error, [runsSchema]);
+      expect(sanitized).not.toContain("organization_id");
+      expect(sanitized).not.toContain("project_id");
+      expect(sanitized).not.toContain("environment_id");
+      expect(sanitized).toContain("status = 'Failed'");
+    });
+
+    it("should remove redundant column aliases like 'run_id AS run_id'", () => {
+      const error = "Error in SELECT run_id AS run_id, machine AS machine FROM runs";
+      const sanitized = sanitizeErrorMessage(error, [runsSchema]);
+      expect(sanitized).toBe("Error in SELECT run_id, machine FROM runs");
+    });
+
+    it("should remove redundant table aliases like 'runs AS runs'", () => {
+      const error = "Error in SELECT * FROM runs AS runs WHERE status = 'Failed'";
+      const sanitized = sanitizeErrorMessage(error, [runsSchema]);
+      expect(sanitized).toBe("Error in SELECT * FROM runs WHERE status = 'Failed'");
+    });
+
+    it("should handle real error with tenant filters and aliases", () => {
+      const error =
+        "Unable to query clickhouse: Unknown expression identifier `triggered_ata` in scope SELECT run_id AS run_id, machine AS machine FROM runs AS runs WHERE ((organization_id = 'cm5qtzpb800007cp7h6ebwt2i') AND (project_id = 'cme2p1yep00007calt8ugarkr') AND (environment_id = 'cme2p1ygj00027caln51kyiwl')) AND (status = 'Complted') ORDER BY triggered_ata DESC LIMIT 100.";
+      const sanitized = sanitizeErrorMessage(error, [runsSchema]);
+
+      // Should not contain internal prefix
+      expect(sanitized).not.toContain("Unable to query clickhouse");
+
+      // Should not contain internal IDs
+      expect(sanitized).not.toContain("cm5qtzpb800007cp7h6ebwt2i");
+      expect(sanitized).not.toContain("cme2p1yep00007calt8ugarkr");
+      expect(sanitized).not.toContain("cme2p1ygj00027caln51kyiwl");
+      expect(sanitized).not.toContain("organization_id");
+      expect(sanitized).not.toContain("project_id");
+      expect(sanitized).not.toContain("environment_id");
+
+      // Should not have redundant aliases
+      expect(sanitized).not.toContain("run_id AS run_id");
+      expect(sanitized).not.toContain("machine AS machine");
+      expect(sanitized).not.toContain("runs AS runs");
+
+      // Should still have the user's query parts
+      expect(sanitized).toContain("status = 'Complted'");
+      expect(sanitized).toContain("triggered_ata");
+      expect(sanitized).toContain("LIMIT 100");
+    });
+
+    it("should remove required filters like engine = 'V2'", () => {
+      // Schema with required filters
+      const schemaWithRequiredFilters: TableSchema = {
+        name: "runs",
+        clickhouseName: "trigger_dev.task_runs_v2",
+        description: "Task runs table",
+        tenantColumns: {
+          organizationId: "organization_id",
+          projectId: "project_id",
+          environmentId: "environment_id",
+        },
+        requiredFilters: [{ column: "engine", value: "V2" }],
+        columns: {
+          run_id: {
+            name: "run_id",
+            ...column("String"),
+          },
+        },
+      };
+
+      const error =
+        "Error in SELECT run_id FROM runs WHERE ((organization_id = 'org1') AND (engine = 'V2')) AND (status = 'Failed')";
+      const sanitized = sanitizeErrorMessage(error, [schemaWithRequiredFilters]);
+
+      expect(sanitized).not.toContain("engine = 'V2'");
+      expect(sanitized).not.toContain("organization_id");
+      expect(sanitized).toContain("status = 'Failed'");
+    });
+
+    it("should handle project and environment field mappings in tenant columns", () => {
+      // The schema uses 'project' and 'environment' as column names with field mappings
+      const schemaWithFieldMappedTenants: TableSchema = {
+        name: "runs",
+        clickhouseName: "trigger_dev.task_runs_v2",
+        description: "Task runs table",
+        tenantColumns: {
+          organizationId: "organization_id",
+          projectId: "project",
+          environmentId: "environment",
+        },
+        columns: {
+          run_id: {
+            name: "run_id",
+            ...column("String"),
+          },
+        },
+      };
+
+      const error =
+        "Error WHERE ((organization_id = 'org1') AND (project = 'proj1') AND (environment = 'env1')) AND (status = 'ok')";
+      const sanitized = sanitizeErrorMessage(error, [schemaWithFieldMappedTenants]);
+
+      expect(sanitized).not.toContain("organization_id = 'org1'");
+      expect(sanitized).not.toContain("project = 'proj1'");
+      expect(sanitized).not.toContain("environment = 'env1'");
+      expect(sanitized).toContain("status = 'ok'");
+    });
+
+    it("should handle queries with only automatic WHERE filters (no user WHERE clause)", () => {
+      // When user writes: SELECT * FROM runs LIMIT 10
+      // The compiled query becomes: SELECT * FROM runs WHERE (org_id = '...') AND (proj_id = '...') AND (env_id = '...')
+      const error =
+        "Unable to query clickhouse: Some error in SELECT run_id FROM runs WHERE ((organization_id = 'org1') AND (project_id = 'proj1') AND (environment_id = 'env1')) LIMIT 10";
+      const sanitized = sanitizeErrorMessage(error, [runsSchema]);
+
+      expect(sanitized).not.toContain("Unable to query clickhouse");
+      expect(sanitized).not.toContain("organization_id");
+      expect(sanitized).not.toContain("project_id");
+      expect(sanitized).not.toContain("environment_id");
+      expect(sanitized).not.toContain("WHERE");
+      expect(sanitized).toContain("SELECT run_id FROM runs");
+      expect(sanitized).toContain("LIMIT 10");
+    });
+
+    it("should handle queries with only automatic filters including engine filter", () => {
+      const schemaWithEngine: TableSchema = {
+        name: "runs",
+        clickhouseName: "trigger_dev.task_runs_v2",
+        description: "Task runs table",
+        tenantColumns: {
+          organizationId: "organization_id",
+          projectId: "project_id",
+          environmentId: "environment_id",
+        },
+        requiredFilters: [{ column: "engine", value: "V2" }],
+        columns: {
+          run_id: {
+            name: "run_id",
+            ...column("String"),
+          },
+        },
+      };
+
+      const error =
+        "Error in SELECT * FROM runs WHERE ((organization_id = 'org1') AND (project_id = 'proj1') AND (environment_id = 'env1') AND (engine = 'V2')) ORDER BY run_id";
+      const sanitized = sanitizeErrorMessage(error, [schemaWithEngine]);
+
+      expect(sanitized).not.toContain("organization_id");
+      expect(sanitized).not.toContain("project_id");
+      expect(sanitized).not.toContain("environment_id");
+      expect(sanitized).not.toContain("engine");
+      expect(sanitized).not.toContain("WHERE");
+      expect(sanitized).toContain("SELECT * FROM runs");
+      expect(sanitized).toContain("ORDER BY run_id");
+    });
   });
 });
diff --git a/internal-packages/tsql/src/query/schema.ts b/internal-packages/tsql/src/query/schema.ts
@@ -689,12 +689,15 @@ export function getAllTableNames(schema: SchemaRegistry): string[] {
 
 /**
  * Sanitize a ClickHouse error message by replacing internal ClickHouse names
- * with their user-facing TSQL equivalents.
+ * with their user-facing TSQL equivalents and removing internal implementation details.
  *
  * This function handles:
  * - Fully qualified table names (e.g., `trigger_dev.task_runs_v2` → `runs`)
  * - Column names with table prefix (e.g., `trigger_dev.task_runs_v2.friendly_id` → `runs.run_id`)
  * - Standalone column names (e.g., `friendly_id` → `run_id`)
+ * - Removes tenant isolation filters (organization_id, project_id, environment_id)
+ * - Removes required filters (e.g., engine = 'V2')
+ * - Removes redundant aliases (e.g., `run_id AS run_id` → `run_id`)
  *
  * @param message - The error message from ClickHouse
  * @param schemas - The table schemas defining name mappings
@@ -714,10 +717,30 @@ export function sanitizeErrorMessage(message: string, schemas: TableSchema[]): s
   const tableNameMap = new Map<string, string>(); // clickhouseName -> tsqlName
   const columnNameMap = new Map<string, { tsqlName: string; tableTsqlName: string }>(); // clickhouseName -> { tsqlName, tableTsqlName }
 
+  // Collect tenant column names and required filter columns to strip from errors
+  const columnsToStrip: string[] = [];
+  const tableAliasPatterns: RegExp[] = [];
+
   for (const table of schemas) {
     // Map table names
     tableNameMap.set(table.clickhouseName, table.name);
 
+    // Collect tenant column names to strip
+    const tenantCols = table.tenantColumns;
+    columnsToStrip.push(tenantCols.organizationId, tenantCols.projectId, tenantCols.environmentId);
+
+    // Collect required filter columns to strip
+    if (table.requiredFilters) {
+      for (const filter of table.requiredFilters) {
+        columnsToStrip.push(filter.column);
+      }
+    }
+
+    // Build pattern to remove table aliases like "FROM runs AS runs"
+    tableAliasPatterns.push(
+      new RegExp(`\\b${escapeRegex(table.name)}\\s+AS\\s+${escapeRegex(table.name)}\\b`, "gi")
+    );
+
     // Map column names
     for (const col of Object.values(table.columns)) {
       const clickhouseColName = col.clickhouseName ?? col.name;
@@ -733,7 +756,51 @@ export function sanitizeErrorMessage(message: string, schemas: TableSchema[]): s
 
   let result = message;
 
-  // Replace fully qualified column references first (table.column)
+  // Step 0: Remove internal prefixes that leak implementation details
+  result = result.replace(/^Unable to query clickhouse:\s*/i, "");
+
+  // Step 1: Remove tenant isolation and required filter conditions
+  // We need to handle multiple patterns:
+  // - (column = 'value') AND ...
+  // - ... AND (column = 'value')
+  // - (column = 'value') at end of expression
+  for (const colName of columnsToStrip) {
+    const escaped = escapeRegex(colName);
+    // Match: (column = 'value') AND  (with optional surrounding parens)
+    result = result.replace(new RegExp(`\\(${escaped}\\s*=\\s*'[^']*'\\)\\s*AND\\s*`, "gi"), "");
+    // Match: AND (column = 'value') (handles middle/end conditions)
+    result = result.replace(new RegExp(`\\s*AND\\s*\\(${escaped}\\s*=\\s*'[^']*'\\)`, "gi"), "");
+    // Match standalone: (column = 'value') with no AND (for when it's the only/last condition)
+    result = result.replace(new RegExp(`\\(${escaped}\\s*=\\s*'[^']*'\\)`, "gi"), "");
+  }
+
+  // Step 2: Clean up any leftover empty WHERE conditions or double parentheses
+  // Clean up empty nested parens: "(())" or "( () )" -> ""
+  result = result.replace(/\(\s*\(\s*\)\s*\)/g, "");
+  // Clean up empty parens: "()" -> ""
+  result = result.replace(/\(\s*\)/g, "");
+  // Clean up "WHERE  AND" -> "WHERE"
+  result = result.replace(/\bWHERE\s+AND\b/gi, "WHERE");
+  // Clean up double ANDs: "AND AND" -> "AND"
+  result = result.replace(/\bAND\s+AND\b/gi, "AND");
+  // Clean up "WHERE ((" with user condition "))" -> "WHERE (condition)"
+  // First normalize: "(( (condition) ))" patterns
+  result = result.replace(/\(\(\s*\(/g, "(");
+  result = result.replace(/\)\s*\)\)/g, ")");
+  // Clean double parens around single condition
+  result = result.replace(/\(\(([^()]+)\)\)/g, "($1)");
+  // Remove "WHERE ()" if the whole WHERE is now empty
+  result = result.replace(/\bWHERE\s*\(\s*\)\s*/gi, "");
+  // Clean up trailing " )" before ORDER/LIMIT/etc
+  result = result.replace(/\s+\)\s*(ORDER|LIMIT|GROUP|HAVING)/gi, " $1");
+  // Remove empty WHERE clause: "WHERE  ORDER" or "WHERE  LIMIT" -> just "ORDER" or "LIMIT"
+  result = result.replace(/\bWHERE\s+(ORDER|LIMIT|GROUP|HAVING)\b/gi, "$1");
+  // Remove empty WHERE at end of string: "WHERE " at end -> ""
+  result = result.replace(/\bWHERE\s*$/gi, "");
+  // Clean up multiple spaces
+  result = result.replace(/\s{2,}/g, " ");
+
+  // Step 3: Replace fully qualified column references first (table.column)
   // This handles patterns like: trigger_dev.task_runs_v2.friendly_id
   for (const table of schemas) {
     for (const col of Object.values(table.columns)) {
@@ -748,7 +815,7 @@ export function sanitizeErrorMessage(message: string, schemas: TableSchema[]): s
     }
   }
 
-  // Replace standalone table names (after column references to avoid partial matches)
+  // Step 4: Replace standalone table names (after column references to avoid partial matches)
   // Sort by length descending to replace longer names first
   const sortedTableNames = [...tableNameMap.entries()].sort((a, b) => b[0].length - a[0].length);
   for (const [clickhouseName, tsqlName] of sortedTableNames) {
@@ -757,31 +824,40 @@ export function sanitizeErrorMessage(message: string, schemas: TableSchema[]): s
     }
   }
 
-  // Replace standalone column names (for unqualified references)
+  // Step 5: Replace standalone column names (for unqualified references)
   // Sort by length descending to replace longer names first
   const sortedColumnNames = [...columnNameMap.entries()].sort((a, b) => b[0].length - a[0].length);
   for (const [clickhouseName, { tsqlName }] of sortedColumnNames) {
     result = replaceAllOccurrences(result, clickhouseName, tsqlName);
   }
 
+  // Step 6: Remove redundant column aliases like "run_id AS run_id"
+  result = result.replace(/\b(\w+)\s+AS\s+\1\b/gi, "$1");
+
+  // Step 7: Remove table aliases like "runs AS runs"
+  for (const pattern of tableAliasPatterns) {
+    result = result.replace(pattern, (match) => match.split(/\s+AS\s+/i)[0]);
+  }
+
   return result;
 }
 
+/**
+ * Escape special regex characters in a string
+ */
+function escapeRegex(str: string): string {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
 /**
  * Replace all occurrences of a string, respecting word boundaries where sensible.
  * Uses word-boundary matching to avoid replacing substrings within larger identifiers.
  */
 function replaceAllOccurrences(text: string, search: string, replacement: string): string {
-  // Escape special regex characters in the search string
-  const escaped = search.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-
   // Use word boundary matching - identifiers are typically surrounded by
   // non-identifier characters (spaces, quotes, parentheses, operators, etc.)
   // We use a pattern that matches the identifier when it's not part of a larger identifier
-  const pattern = new RegExp(
-    `(?<![a-zA-Z0-9_])${escaped}(?![a-zA-Z0-9_])`,
-    "g"
-  );
+  const pattern = new RegExp(`(?<![a-zA-Z0-9_])${escapeRegex(search)}(?![a-zA-Z0-9_])`, "g");
 
   return text.replace(pattern, replacement);
 }
