feat(core): enhance the error message for CLAC failure

[goldmedal]

Description

• feat(core): implement column-level access control for the model #1211 implements column-level access control (CLAC), but it will throw a column not found error when the access is invalid.
• This PR enhances the error message for the CLAC validation failure. Instaed of a column not found error, the user will get the permission denied error:

Permission Denied: No permission to access "customer"."c_name"

Summary by CodeRabbit

• New Features

  • Introduced detailed permission checks for column-level access, providing clear "Permission Denied" error messages when access is restricted.
  • Added a new error type for permission-related failures with user-friendly messages.
  • Implemented a mode-based system to differentiate between local runtime, SQL unparsing, and permission analysis during context creation and manifest analysis.

• Bug Fixes

  • Enhanced error handling to surface permission errors more transparently during SQL transformations.

• Tests

  • Added and updated tests to verify column-level access control and permission denial scenarios.

• Refactor

  • Unified context creation and analysis using a new mode-based system for improved flexibility and clarity.

• Documentation

  • Improved error messages for permission issues to help users understand access restrictions.

[coderabbitai]

Walkthrough

This change introduces a new Mode enum to control context creation and manifest analysis throughout the codebase, supporting differentiated behavior for local execution, SQL unparsing, and permission analysis. It adds column-level permission checks, a custom WrenError for permission denial, and updates error propagation and tests to surface permission-related errors clearly.

Changes

File(s)	Change Summary
wren-core/core/src/mdl/context.rs, wren-core/core/src/mdl/mod.rs, wren-core/core/src/mdl/utils.rs, wren-core/wren-example/examples/to-many-calculation.rs, wren-core/sqllogictest/src/test_context.rs	Introduced Mode enum to replace boolean flags in context creation and analysis; refactored logic to use mode-based rule selection; updated function/method signatures and usages accordingly.
wren-core/core/src/logical_plan/error.rs, wren-core/core/src/lib.rs, wren-core/core/src/logical_plan/mod.rs	Added new public WrenError enum for permission denied errors; re-exported it; introduced corresponding module.
wren-core/core/src/logical_plan/analyze/plan.rs	Added column-level permission checks in model plan node construction; returns WrenError::PermissionDenied on failure.
wren-core/core/src/mdl/mod.rs	Updated AnalyzedWrenMDL::analyze and WrenMDL::infer_and_register_remote_table to accept Mode; added permission analysis logic and error handling for permission denied cases.
wren-core-py/src/context.rs, wren-core/benchmarks/src/tpch/run.rs, wren-core/benchmarks/src/wren/run.rs, wren-core/wren-example/examples/plan-sql.rs, wren-core/wren-example/examples/view.rs	Updated calls to AnalyzedWrenMDL::analyze to supply the new Mode parameter.
wren-core-py/src/errors.rs	Enhanced error conversion from DataFusionError to CoreError to unwrap and propagate WrenError permission denied messages.
wren-core-py/tests/test_modeling_core.py	Added a test to verify that permission denied errors are raised and surfaced when access to a column is denied.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant PySessionContext
    participant AnalyzedWrenMDL
    participant Context
    participant ModelPlanNode

    User->>PySessionContext: Create new context (with manifest, properties)
    PySessionContext->>AnalyzedWrenMDL: analyze(manifest, properties, Mode)
    AnalyzedWrenMDL-->>PySessionContext: analyzed_mdl
    PySessionContext->>Context: create_ctx_with_mdl(analyzed_mdl, properties, Mode)
    Context->>ModelPlanNode: Build plan with permission checks (if Mode::PermissionAnalyze)
    ModelPlanNode-->>Context: Success or WrenError::PermissionDenied
    Context-->>PySessionContext: Context or error
    PySessionContext-->>User: Context or permission denied error

Loading

Possibly related PRs

• Canner/wren-engine#1211: Implements column-level access control, which is directly related to the new mode-based permission analysis and error handling introduced here.
• Canner/wren-engine#1161: Adds row-level access control and session property filtering, sharing code paths with the new permission analysis and session property handling.

Suggested labels

ibis

Suggested reviewers

• douenergy

Poem

In the meadow of modes, a rabbit hops with glee,
Permission checks on columns, as clear as can be!
Now errors speak truly, no secrets to hide—
“Permission Denied!” rings out, with carrots supplied.
With enum in paw and a hop in my code,
I celebrate access control on this winding road! 🥕

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1334e98 and c8ebf19.

📒 Files selected for processing (1)

• wren-core/core/src/mdl/mod.rs (51 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: goldmedal
PR: Canner/wren-engine#1250
File: wren-core/core/src/mdl/mod.rs:391-417
Timestamp: 2025-07-11T02:36:24.299Z
Learning: In Wren Engine's column-level access control (CLAC) implementation, the `permission_analyze` function is used to provide better error messages when SQL planning fails. If permission_analyze succeeds (Ok), the original planning error is returned. If permission_analyze fails (Err), the permission error is returned instead, providing more specific error messages about access control violations.

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: wren-core/core/src/logical_plan/analyze/access_control.rs:0-0
Timestamp: 2025-04-30T01:15:15.009Z
Learning: In the row-level access control implementation, separate error checks are maintained for different failure modes (missing property vs null vs empty) to provide more precise and actionable error messages, even if it means slightly more verbose code with multiple Option checks.

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: ibis-server/app/routers/v3/connector.py:78-83
Timestamp: 2025-05-05T02:27:29.829Z
Learning: The row-level access control implementation in Wren Engine filters headers with the prefix `X_WREN_VARIABLE_PREFIX` in `EmbeddedEngineRewriter.get_session_properties` and validates session property expressions in `access_control.rs` to ensure they only contain literal values, preventing SQL injection.

wren-core/core/src/mdl/mod.rs (4)

undefined

<retrieved_learning>
Learnt from: goldmedal
PR: #1250
File: wren-core/core/src/mdl/mod.rs:391-417
Timestamp: 2025-07-11T02:36:24.299Z
Learning: In Wren Engine's column-level access control (CLAC) implementation, the permission_analyze function is used to provide better error messages when SQL planning fails. If permission_analyze succeeds (Ok), the original planning error is returned. If permission_analyze fails (Err), the permission error is returned instead, providing more specific error messages about access control violations.
</retrieved_learning>

<retrieved_learning>
Learnt from: goldmedal
PR: #1161
File: ibis-server/app/routers/v3/connector.py:78-83
Timestamp: 2025-05-05T02:27:29.829Z
Learning: The row-level access control implementation in Wren Engine filters headers with the prefix X_WREN_VARIABLE_PREFIX in EmbeddedEngineRewriter.get_session_properties and validates session property expressions in access_control.rs to ensure they only contain literal values, preventing SQL injection.
</retrieved_learning>

<retrieved_learning>
Learnt from: goldmedal
PR: #1161
File: wren-core/core/src/logical_plan/analyze/access_control.rs:0-0
Timestamp: 2025-04-30T01:15:15.009Z
Learning: In the row-level access control implementation, separate error checks are maintained for different failure modes (missing property vs null vs empty) to provide more precise and actionable error messages, even if it means slightly more verbose code with multiple Option checks.
</retrieved_learning>

<retrieved_learning>
Learnt from: goldmedal
PR: #1161
File: wren-core/core/src/logical_plan/analyze/access_control.rs:0-0
Timestamp: 2025-04-30T01:18:21.776Z
Learning: In the collect_condition function of the row-level access control implementation, compound identifiers are intentionally ignored rather than causing failures when processing expressions. This is by design as confirmed by the team.
</retrieved_learning>

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: check Cargo.toml formatting
• GitHub Check: cargo test (amd64)
• GitHub Check: clippy
• GitHub Check: test
• GitHub Check: cargo test (macos-aarch64)
• GitHub Check: cargo test (macos)
• GitHub Check: ci
• GitHub Check: cargo test (win64)

🔇 Additional comments (8)

wren-core/core/src/mdl/mod.rs (8)

2-2: LGTM: Import statements correctly added

The new imports for WrenError and Mode are appropriately added to support the CLAC error message enhancement feature.

Also applies to: 5-5

---

74-81: LGTM: Method signature correctly updated

The analyze method signature is properly updated to accept a Mode parameter, which is consistently passed through to the infer_and_register_remote_table method.

---

189-193: LGTM: Method signature correctly updated

The infer_and_register_remote_table method signature is properly updated to accept the Mode parameter for controlling column validation behavior.

---

204-211: LGTM: Column access control logic is well-implemented

The mode-based column filtering logic correctly handles two scenarios:

• In permission analysis mode: includes all columns to enable detection of permission issues
• In normal mode: respects CLAC validation rules

This dual behavior is essential for the permission analysis feature to work correctly.

---

391-417: LGTM: Error handling logic is correct

The error handling logic properly implements the CLAC enhancement by:

• Attempting normal SQL planning first
• On failure, calling permission_analyze to check for permission issues
• Returning the original error if permission analysis succeeds (no permission issues found)
• Returning the permission error if permission analysis fails (permission issues detected)

This provides more specific error messages when access control violations occur.

---

439-489: LGTM: Permission analysis function is well-structured

The permission_analyze function correctly:

• Creates a new analyzed MDL in PermissionAnalyze mode
• Registers remote functions consistently
• Creates the appropriate context
• Attempts to optimize the logical plan
• Properly extracts and returns WrenError from nested DataFusionError structures

The error extraction logic on lines 479-485 correctly handles the nested error structure to surface permission denied errors.

---

576-580: LGTM: Test updates are consistent

The test method calls are consistently updated to pass the appropriate Mode parameter (Mode::Unparse for most cases). The updates maintain the existing test logic while accommodating the new API.

Also applies to: 601-605, 648-652

---

2554-2618: LGTM: Test demonstrates the permission denied error enhancement

This test effectively demonstrates the new permission denied error functionality:

• Creates a model with column-level access control
• Shows successful access when permission is granted
• Shows the enhanced error message when permission is denied: "Permission Denied: No permission to access "customer"."c_name""

This validates that the CLAC enhancement is working as intended.

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d58efb2 and f542c57.

📒 Files selected for processing (16)

• wren-core-py/src/context.rs (2 hunks)
• wren-core-py/src/errors.rs (2 hunks)
• wren-core-py/tests/test_modeling_core.py (1 hunks)
• wren-core/benchmarks/src/tpch/run.rs (2 hunks)
• wren-core/benchmarks/src/wren/run.rs (2 hunks)
• wren-core/core/src/lib.rs (1 hunks)
• wren-core/core/src/logical_plan/analyze/plan.rs (2 hunks)
• wren-core/core/src/logical_plan/error.rs (1 hunks)
• wren-core/core/src/logical_plan/mod.rs (1 hunks)
• wren-core/core/src/mdl/context.rs (5 hunks)
• wren-core/core/src/mdl/mod.rs (51 hunks)
• wren-core/core/src/mdl/utils.rs (5 hunks)
• wren-core/sqllogictest/src/test_context.rs (3 hunks)
• wren-core/wren-example/examples/plan-sql.rs (2 hunks)
• wren-core/wren-example/examples/to-many-calculation.rs (2 hunks)
• wren-core/wren-example/examples/view.rs (2 hunks)

🧰 Additional context used

🧠 Learnings (6)

📓 Common learnings

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: wren-core/core/src/logical_plan/analyze/access_control.rs:0-0
Timestamp: 2025-04-30T01:15:15.009Z
Learning: In the row-level access control implementation, separate error checks are maintained for different failure modes (missing property vs null vs empty) to provide more precise and actionable error messages, even if it means slightly more verbose code with multiple Option checks.

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: ibis-server/app/routers/v3/connector.py:78-83
Timestamp: 2025-05-05T02:27:29.829Z
Learning: The row-level access control implementation in Wren Engine filters headers with the prefix `X_WREN_VARIABLE_PREFIX` in `EmbeddedEngineRewriter.get_session_properties` and validates session property expressions in `access_control.rs` to ensure they only contain literal values, preventing SQL injection.

wren-core/core/src/logical_plan/analyze/plan.rs (2)

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: ibis-server/app/routers/v3/connector.py:78-83
Timestamp: 2025-05-05T02:27:29.829Z
Learning: The row-level access control implementation in Wren Engine filters headers with the prefix `X_WREN_VARIABLE_PREFIX` in `EmbeddedEngineRewriter.get_session_properties` and validates session property expressions in `access_control.rs` to ensure they only contain literal values, preventing SQL injection.

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: wren-core/core/src/logical_plan/analyze/access_control.rs:0-0
Timestamp: 2025-04-30T01:15:15.009Z
Learning: In the row-level access control implementation, separate error checks are maintained for different failure modes (missing property vs null vs empty) to provide more precise and actionable error messages, even if it means slightly more verbose code with multiple Option checks.

wren-core-py/tests/test_modeling_core.py (1)

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: ibis-server/app/routers/v3/connector.py:78-83
Timestamp: 2025-05-05T02:27:29.829Z
Learning: The row-level access control implementation in Wren Engine filters headers with the prefix `X_WREN_VARIABLE_PREFIX` in `EmbeddedEngineRewriter.get_session_properties` and validates session property expressions in `access_control.rs` to ensure they only contain literal values, preventing SQL injection.

wren-core/core/src/logical_plan/error.rs (2)

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: wren-core/core/src/logical_plan/analyze/access_control.rs:0-0
Timestamp: 2025-04-30T01:15:15.009Z
Learning: In the row-level access control implementation, separate error checks are maintained for different failure modes (missing property vs null vs empty) to provide more precise and actionable error messages, even if it means slightly more verbose code with multiple Option checks.

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: ibis-server/app/routers/v3/connector.py:78-83
Timestamp: 2025-05-05T02:27:29.829Z
Learning: The row-level access control implementation in Wren Engine filters headers with the prefix `X_WREN_VARIABLE_PREFIX` in `EmbeddedEngineRewriter.get_session_properties` and validates session property expressions in `access_control.rs` to ensure they only contain literal values, preventing SQL injection.

wren-core/core/src/mdl/context.rs (1)

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: ibis-server/app/routers/v3/connector.py:78-83
Timestamp: 2025-05-05T02:27:29.829Z
Learning: The row-level access control implementation in Wren Engine filters headers with the prefix `X_WREN_VARIABLE_PREFIX` in `EmbeddedEngineRewriter.get_session_properties` and validates session property expressions in `access_control.rs` to ensure they only contain literal values, preventing SQL injection.

wren-core/core/src/mdl/mod.rs (2)

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: ibis-server/app/routers/v3/connector.py:78-83
Timestamp: 2025-05-05T02:27:29.829Z
Learning: The row-level access control implementation in Wren Engine filters headers with the prefix `X_WREN_VARIABLE_PREFIX` in `EmbeddedEngineRewriter.get_session_properties` and validates session property expressions in `access_control.rs` to ensure they only contain literal values, preventing SQL injection.

Learnt from: goldmedal
PR: Canner/wren-engine#1161
File: wren-core/core/src/logical_plan/analyze/access_control.rs:0-0
Timestamp: 2025-04-30T01:15:15.009Z
Learning: In the row-level access control implementation, separate error checks are maintained for different failure modes (missing property vs null vs empty) to provide more precise and actionable error messages, even if it means slightly more verbose code with multiple Option checks.

🧬 Code Graph Analysis (2)

wren-core-py/tests/test_modeling_core.py (3)

ibis-server/tests/routers/v3/connector/local_file/test_query.py (1)

• manifest_str (72-73)

wren-core-py/src/context.rs (1)

• transform_sql (192-208)

wren-core/core/src/mdl/mod.rs (1)

• transform_sql (359-373)

wren-core/core/src/mdl/utils.rs (3)

wren-core/core/src/mdl/mod.rs (5)

• mdl (195-224)
• new (126-181)
• new (529-531)
• analyze (74-84)
• default (62-70)

wren-core-py/src/context.rs (2)

• new (79-188)
• default (61-68)

wren-core/core/src/mdl/context.rs (1)

• new (335-357)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: cargo test (macos)
• GitHub Check: cargo test (macos-aarch64)
• GitHub Check: test
• GitHub Check: cargo test (win64)
• GitHub Check: cargo check
• GitHub Check: ci

🔇 Additional comments (37)

wren-core/wren-example/examples/view.rs (2)

9-9: LGTM: Correct import addition.

The import of Mode enum is appropriately placed with other wren_core imports.

---

19-19: LGTM: Appropriate mode selection for SQL unparsing.

Using Mode::Unparse is correct for this example since it demonstrates SQL transformation functionality rather than permission analysis.

wren-core/wren-example/examples/plan-sql.rs (2)

7-7: LGTM: Consistent import addition.

The import is correctly placed and consistent with other example files.

---

17-17: LGTM: Appropriate mode selection.

Using Mode::Unparse is correct for this SQL planning example.

wren-core/core/src/logical_plan/mod.rs (1)

2-2: LGTM: Proper module organization.

Adding the error module is appropriate for centralizing permission-related error handling within the logical plan module.

wren-core/core/src/lib.rs (1)

9-9: LGTM: Appropriate public re-export.

Re-exporting WrenError at the crate level enables external usage of the permission-related error type and follows standard Rust practices.

wren-core/benchmarks/src/wren/run.rs (2)

12-12: LGTM: Consistent import addition.

The import is correctly placed and follows the same pattern as other files updated in this PR.

---

67-67: LGTM: Appropriate mode for benchmarking.

Using Mode::Unparse is correct for this benchmark scenario focused on SQL transformation performance.

wren-core/benchmarks/src/tpch/run.rs (2)

11-11: LGTM: Mode enum import added correctly.

The import follows the consistent pattern established across the codebase for the Mode enum refactoring.

---

54-58: LGTM: Mode::Unparse usage is appropriate for benchmarking.

The explicit Mode::Unparse parameter is correctly used in the benchmark context where SQL unparsing is the primary operation being measured.

wren-core/wren-example/examples/to-many-calculation.rs (2)

10-10: LGTM: Mode enum import added correctly.

The import is consistent with the Mode enum refactoring across the codebase.

---

79-85: LGTM: Mode::LocalRuntime usage is appropriate for local execution.

The explicit Mode::LocalRuntime parameter correctly replaces the boolean flag for local execution contexts in this example.

wren-core/sqllogictest/src/test_context.rs (3)

31-31: LGTM: Mode enum import added correctly.

The import is consistent with the Mode enum refactoring pattern used throughout the codebase.

---

308-308: LGTM: Mode::LocalRuntime usage is appropriate for test contexts.

The explicit Mode::LocalRuntime parameter correctly replaces the boolean flag for the ecommerce test context.

---

544-544: LGTM: Mode::LocalRuntime usage is appropriate for test contexts.

The explicit Mode::LocalRuntime parameter correctly replaces the boolean flag for the TPC-H test context.

wren-core-py/tests/test_modeling_core.py (1)

368-376: LGTM: Permission denial test case validates the improved CLAC error messaging.

This test case correctly validates the PR's main objective by ensuring that accessing a restricted column (c_name) raises a specific permission denied error message instead of a generic "column not found" error. The expected error message format matches the improved CLAC error handling described in the PR objectives.

wren-core/core/src/mdl/utils.rs (5)

270-270: LGTM: Mode enum import added correctly.

The import is consistent with the Mode enum refactoring pattern used throughout the codebase.

---

282-286: LGTM: Mode::Unparse usage is appropriate for expression analysis tests.

The explicit Mode::Unparse parameter is correctly used in the test context where expression analysis and unparsing operations are being tested.

---

314-318: LGTM: Mode::Unparse usage is appropriate for expression analysis tests.

Consistent with the other test functions, Mode::Unparse is correctly used for expression analysis testing.

---

367-371: LGTM: Mode::Unparse usage is appropriate for expression analysis tests.

The Mode::Unparse parameter is correctly applied for model expression testing.

---

391-395: LGTM: Mode::Unparse usage is appropriate for expression analysis tests.

The final test function correctly uses Mode::Unparse for remote expression testing, maintaining consistency with the other test functions.

wren-core/core/src/logical_plan/error.rs (1)

1-16: LGTM! Clean and focused error type implementation.

The WrenError enum provides a dedicated error type for permission-related failures. The implementation follows Rust conventions with proper trait implementations and a clear user-friendly error message format.

wren-core/core/src/logical_plan/analyze/plan.rs (2)

22-25: LGTM! Proper imports added for permission checking.

The imports for validate_clac_rule and WrenError are correctly added to support the new permission checking functionality.

---

151-162: LGTM! Well-implemented permission checking logic.

The permission validation logic is correctly implemented:

• Only performs checks in PermissionAnalyze mode as documented
• Returns a clear WrenError::PermissionDenied with model and column information
• Comments explain the mode-specific behavior differences
• Error message format is consistent with PR objectives

wren-core-py/src/context.rs (2)

161-167: LGTM! Correctly updated to use Mode enum.

The AnalyzedWrenMDL::analyze call has been properly updated to use the new Mode::Unparse enum instead of a boolean flag, which aligns with the broader refactoring effort.

---

177-177: LGTM! Consistent Mode enum usage.

The create_ctx_with_mdl call correctly uses Mode::Unparse, maintaining consistency with the session context initialization pattern.

wren-core-py/src/errors.rs (2)

7-8: LGTM! Proper imports added for enhanced error handling.

The imports for DataFusionError and WrenError are correctly added to support the enhanced error conversion functionality.

---

54-65: LGTM! Enhanced error conversion for better user experience.

The improved From<DataFusionError> implementation correctly handles the nested error structure:

• Safely extracts WrenError from DataFusionError::Context -> External chain
• Uses downcast_ref for safe type checking
• Preserves original error message as fallback
• Surfaces permission-specific messages to improve user experience

This aligns perfectly with the PR objective of providing clearer permission-related error messages.

wren-core/core/src/mdl/mod.rs (5)

1-5: LGTM!

The new imports for WrenError and Mode are properly organized and necessary for the enhanced error handling functionality.

---

74-84: LGTM!

The function signature update to accept Mode parameter is well-integrated and properly propagated to infer_and_register_remote_table.

---

189-229: LGTM!

The column validation logic correctly bypasses access control checks when in PermissionAnalyze mode, allowing the system to differentiate between permission errors and missing column errors.

---

439-490: LGTM!

The permission_analyze function correctly implements a two-pass approach to detect permission errors. The logic properly distinguishes between general errors and permission-specific errors, providing clearer error messages to users.

---

546-580: LGTM!

The test updates correctly use the new Mode parameter, and the new test case properly validates that permission denied errors are surfaced with user-friendly messages.

Also applies to: 2591-2619

wren-core/core/src/mdl/context.rs (4)

49-106: LGTM!

The refactoring from boolean parameter to Mode enum improves code clarity and extensibility. The mode-based rule selection is well-structured.

---

108-161: LGTM!

The Mode enum is well-designed with clear documentation and appropriate helper methods. The encapsulation of mode-specific rule selection improves maintainability.

---

278-298: LGTM!

The analyze_rule_for_permission function correctly includes only the essential analyzer rules needed for permission checking, avoiding unnecessary transformations.

---

335-357: LGTM!

The WrenDataSource constructor correctly implements mode-aware column filtering, bypassing access control checks in PermissionAnalyze mode to enable proper permission error detection.

[douenergy]

Error will be handled in AnalyzedWrenMDL.analyze()