Skip to content

Integrate QueryGateway into existing query paths #73

New issue
New issue
Open
Open
Integrate QueryGateway into existing query paths#73
@bordumb

Description

@bordumb
bordumb
opened on Jan 18, 2026

Overview

The principal-bound query execution infrastructure has been added (see linked PR), but integration with existing query paths is not complete. This issue tracks the remaining work to fully adopt the QueryGateway pattern.

Background

The goal is to ensure all SQL queries execute with user credentials (not service accounts), enforced by the database—not Dataing. See docs/plans/2026-01-18-principal-bound-query-execution-design.md for the full design.

Remaining Tasks

1. Temporal Activities Integration

  • Update execute_query.py activity to use QueryGateway.execute() instead of direct adapter calls
  • Add user_id to activity inputs that execute queries
  • Pass investigation_id through QueryContext for audit logging

2. API Routes Integration

  • Update POST /datasources/{id}/query in datasources.py to use QueryGateway
  • Ensure the route extracts user_id from ApiKeyContext and creates a QueryPrincipal

3. Agent Tools Integration

  • Update agent tools that execute SQL to receive principal from workflow context
  • Ensure tools pass QueryContext(source='agent') for audit attribution

4. Investigation Workflow Updates

  • Store user_id in Temporal workflow state
  • Thread user_id through child workflows to activities
  • Update InvestigationWorkflow to capture initiating user

5. Frontend Integration

  • Add credentials configuration UI under datasource settings
  • Show "credentials required" prompt when queries fail with CredentialsNotConfiguredError
  • Display last_used_at and connection status in datasource list

Files to Modify

  • dataing/src/dataing/temporal/activities/execute_query.py
  • dataing/src/dataing/temporal/workflows/investigation.py
  • dataing/src/dataing/entrypoints/api/routes/datasources.py
  • dataing/src/dataing/agents/ (tool definitions)
  • frontend/src/features/datasources/ (credentials UI)

Acceptance Criteria

  • All SQL queries go through QueryGateway.execute()
  • Every query has a QueryPrincipal with valid user_id
  • query_audit_log table captures all query executions
  • Users without configured credentials see helpful error messages
  • Existing tests pass, new integration tests added

Related

  • Design doc: docs/plans/2026-01-18-principal-bound-query-execution-design.md

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions