Enforcement
When federiq query or federiq serve sees a SQL statement against a
table with active policies, it parses the SQL with sqlparser-rs,
applies each policy as an AST transformation, and emits the rewritten
SQL for DuckDB to execute.
Row filters
-- User input
SELECT id FROM events WHERE user_id = 42;
-- After policy `row_filter: "status = 'active'"`
SELECT id FROM events WHERE user_id = 42 AND status = 'active';
Column masking
-- User input
SELECT name, email FROM users;
-- After policy `mask_columns: { email: "'***@***.com'" }`
SELECT name, '***@***.com' AS email FROM users;
The masking expression must be a valid SQL expression. The rewriter substitutes it for the column reference in the projection and aliases it back to the original column name, so callers see the same result schema (same column names, same positions) with masked values in place of the real ones.
SELECT * limitation
Star projection cannot be masked without expanding `*` into the table's column list, which the rewriter does not yet do. Rather than let a masked column through, FederIQ fails closed and returns an error:
SELECT * cannot be enforced against policy 'mask_pii'
(masks columns on 'users'); list columns explicitly
List the columns explicitly, or upgrade when the schema-aware rewriter ships (tracked on the roadmap).
Region pinning
If the region of the current execution context does not match the region a policy pins the table to, the rewrite fails and the query is not executed:
policy 'pin_to_us_east' requires region='us-east-1'
but current context has eu-west-1
Static checking
To preview which policies a statement would violate, without executing it:
federiq policy check "SELECT email, ssn FROM users"
Disabling enforcement
Policies apply automatically whenever the catalog declares any for the table. To opt out for a single call:
federiq query --enforce-policy=false "SELECT ..."
Use sparingly. The flag skips every policy on the table, so it is meant for development and debugging and should never be reachable from input you do not control.
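The rewrite steps described on this page (row filters, column masks, the SELECT * refusal, region pinning, static checking and the per-call bypass) as one runnable model. This is an added example, not code from FederIQ's source. FederIQ parses with sqlparser-rs; to run without dependencies this model replaces the parser with a small regex front end that accepts single-table SELECT ... FROM ... [WHERE ...], and the names Policy, Select, enforce(), check() and POLICIES (a constructed catalog) are hypothetical. It goes slightly beyond the page in two places a practitioner would want covered: a caller's OR predicate is parenthesised before the row filter is ANDed on, and a compound projection item such as lower(email) that references a masked column is refused rather than passed through.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

class PolicyError(Exception):
    """The policy cannot be enforced on this statement, so it must not run."""

@dataclass
class Policy:
    name: str
    table: str
    row_filter: Optional[str] = None                  # e.g. "status = 'active'"
    mask_columns: dict = field(default_factory=dict)  # column name -> SQL expression
    region: Optional[str] = None                      # e.g. "us-east-1"

@dataclass
class Select:
    projection: list    # raw items: "email", "email AS e", "lower(email)", "*"
    table: str
    where: Optional[str]

# Stand-in for the sqlparser-rs front end: single-table SELECT ... FROM ... [WHERE ...].
_SELECT = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)"
                     r"(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$", re.IGNORECASE | re.DOTALL)
_SIMPLE_COL = re.compile(r"^(?P<col>\w+)(?:\s+AS\s+(?P<alias>\w+))?$", re.IGNORECASE)

def parse(sql: str) -> Select:
    m = _SELECT.match(sql)
    if not m:
        raise ValueError("model only handles single-table SELECT ... FROM ... [WHERE ...]")
    return Select([c.strip() for c in m["cols"].split(",")], m["table"], m["where"])

def emit(sel: Select) -> str:
    where = f" WHERE {sel.where}" if sel.where else ""
    return f"SELECT {', '.join(sel.projection)} FROM {sel.table}{where};"

def _mask_projection(sel: Select, policy: Policy) -> list:
    masks = {k.lower(): v for k, v in policy.mask_columns.items()}
    if "*" in sel.projection:
        # Without the schema the rewriter cannot know what `*` expands to: fail closed.
        raise PolicyError(f"SELECT * cannot be enforced against policy '{policy.name}' "
                          f"(masks columns on '{policy.table}'); list columns explicitly")
    out = []
    for item in sel.projection:
        m = _SIMPLE_COL.match(item)
        if m and m["col"].lower() in masks:
            # Swap in the mask expression, aliased back to the caller's name (schema unchanged).
            out.append(f"{masks[m['col'].lower()]} AS {m['alias'] or m['col']}")
        elif m:
            out.append(item)
        else:
            # lower(email) would slip past a name match and leak the raw value: refuse it.
            for col in masks:
                if re.search(rf"\b{re.escape(col)}\b", item, re.IGNORECASE):
                    raise PolicyError(f"policy '{policy.name}' masks '{col}' on '{policy.table}' "
                                      f"but '{item}' uses it inside an expression; select the column directly")
            out.append(item)
    return out

def _filter_rows(sel: Select, policy: Policy) -> str:
    if sel.where is None:
        return policy.row_filter
    # The policy predicate must bind tighter than any OR the caller wrote, or
    # `a = 1 OR b = 2 AND status = 'active'` would return unfiltered a = 1 rows.
    existing = f"({sel.where})" if re.search(r"\bOR\b", sel.where, re.IGNORECASE) else sel.where
    return f"{existing} AND {policy.row_filter}"

def apply_policy(sel: Select, policy: Policy, region: str) -> Select:
    if policy.region and policy.region != region:
        raise PolicyError(f"policy '{policy.name}' requires region='{policy.region}' "
                          f"but current context has {region}")
    projection = _mask_projection(sel, policy) if policy.mask_columns else list(sel.projection)
    where = _filter_rows(sel, policy) if policy.row_filter else sel.where
    return Select(projection, sel.table, where)

def enforce(sql: str, policies: list, region: str, enforce_policy: bool = True) -> str:
    """Rewrite `sql` under every policy declared for its table (the query path)."""
    sel = parse(sql)
    if enforce_policy:  # --enforce-policy=false skips the rewrite entirely
        for policy in policies:
            if policy.table.lower() == sel.table.lower():
                sel = apply_policy(sel, policy, region)
    return emit(sel)

def check(sql: str, policies: list, region: str) -> list:
    """Static preview of the violations enforce() would raise, without executing."""
    try:
        enforce(sql, policies, region)
    except PolicyError as exc:
        return [str(exc)]
    return []

# Constructed catalog for this example, not a real FederIQ catalog.
POLICIES = [
    Policy("active_only", "events", row_filter="status = 'active'"),
    Policy("mask_pii", "users", mask_columns={"email": "'***@***.com'"}),
    Policy("pin_to_us_east", "users", region="us-east-1"),
]
```

Calling enforce("SELECT id FROM events WHERE user_id = 42 OR user_id = 7", POLICIES, "us-east-1") yields the parenthesised predicate, and check("SELECT name FROM users", POLICIES, "eu-west-1") returns the region error as a list instead of raising, which is the shape federiq policy check reports. Passing enforce_policy=False is the --enforce-policy=false path: the statement comes back untouched, which is why that switch must stay out of reach of untrusted callers.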