feat!: Remove deprecated context_to_roles configuration option

[ovr]

BREAKING CHANGE: The context_to_roles (contextToRoles) configuration option has been removed. It was deprecated in v1.6.4. Use context_to_groups (contextToGroups) instead.

[claude]

Claude finished @ovr's task in 2m 30s —— View job

---

Claude Code Review

Verdict: LGTM — clean, well-scoped removal. 0 high, 1 medium, 2 low.

Details

Tasks

• Read PR context
• Review diff (server-core, native, testing fixtures, docs)
• Post review

Scope check

The removal is complete and consistent across all surfaces:

• TypeScript types (ContextToRolesFn, CreateOptions.contextToRoles, CompilerApiOptions.contextToRoles)
• Joi schema (optionsValidate.ts)
• Server wiring (server.ts)
• CompilerApi.getRolesFromContext removed; userRoles now an empty set
• Python bindings (Configuration, cube_config.rs, __init__.py)
• JS bindings (PyConfiguration in js/index.ts)
• Python tests + fixtures + benchmarks
• Both docs sites (docs-mintlify and legacy docs)
• DEPRECATION.md flipped from Deprecated → Removed

A grep for contextToRoles|context_to_roles|getRolesFromContext outside CHANGELOGs returns nothing — good.

Findings

Medium — Silent no-op for any role: access policy left in user models (packages/cubejs-server-core/src/core/CompilerApi.ts:422-423)

userRoles is now hardcoded to new Set<string>(), so userHasRole(userRoles, policy.role) returns true only when policy.role === '*' (via the role === '*' short-circuit in userHasRole at line 384). Any existing accessPolicy entry using a specific role name (e.g. role: 'admin') will silently never match after upgrade — the policy is effectively dropped without any error or log.

Given this is a breaking change called out in DEPRECATION.md, this is defensible, but a one-time warning when the cube evaluator encounters policy.role with a non-'*' value would make the migration much less surprising. Consider logging via this.logger at policy evaluation or schema compile time.

Fix this →

Low — Dead role-matching machinery could be simplified (packages/cubejs-server-core/src/core/CompilerApi.ts:383-384, 452-453, 460)

With userRoles permanently empty, userHasRole is reduced to role === '*'. The policy.role branch in getApplicablePolicies is only ever true when policy.role === '*', which is semantically identical to the existing "no role/group" fallback at line 460. Leaving the branch in costs little, but a follow-up could collapse userHasRole + the two call sites and the userRoles variable entirely. Not blocking — fine to defer.

Low — DEPRECATION.md is missing a trailing newline (DEPRECATION.md:445)

No newline at end of file shown in the diff. Trivial.

Things done well

• Test fixtures (birdbox-fixtures/rbac/cube.js etc.) were carefully migrated so previously role-bearing users (admin, manager, masking_full_access, conditional_mask_role, policy2_role) are now placed into matching groups, preserving test semantics.
• Comments in smoke-rbac.test.ts were updated to say "group" instead of "role" — easy to miss but done correctly.
• Conventional commit prefix feat!: correctly signals breaking change.
• PR targets feat/release-v1.7.0, matching the DEPRECATION.md "Removed in Release: v1.7.0" entry.

· `feat/remove-context-to-roles`

[claude]

Claude finished @ovr's task in 1m 10s —— View job

---

Claude Code Review (updated for commit 1448a52)

Verdict: LGTM — clean removal. 0 high, 1 medium, 2 low. New commit is a pure test-fixture rename and looks correct.

Details

Tasks

• Read PR context
• Review base removal commit (aa324d6)
• Review follow-up rename commit (1448a52)
• Post review

What changed since the last review

Commit 1448a52 is a cosmetic rename of stale *_role-suffixed group identifiers in the RBAC test fixtures and smoke tests:

• some_role → some_group (rbac + rbac-python products.yaml)
• policy2_role → policy2_group (policy_overlap_test.yaml, cube.js, smoke-rbac.test.ts)
• conditional_mask_role / _role_extra → conditional_mask_group / _group_extra (conditional_masking_test.yaml, cube.js, smoke-rbac.test.ts)

Identifiers are renamed consistently on both producer (cube.js groups: [...]) and consumer (access_policy: - group:) sides, plus the corresponding doc-comments in smoke-rbac.test.ts. Grep for policy2_role|conditional_mask_role|some_role returns nothing in the working tree. Test semantics preserved.

Findings (carried forward from previous review — all still apply to current HEAD)

Medium — Silent no-op for any role: access policy left in user models (packages/cubejs-server-core/src/core/CompilerApi.ts:422-423)

userRoles is now hardcoded to new Set<string>(), so userHasRole(userRoles, policy.role) returns true only when policy.role === '*'. Any existing accessPolicy entry using a specific role name (e.g. role: 'admin') will silently never match after upgrade — the policy is effectively dropped without any error or log. Consider a one-time this.logger warning when a non-'*' policy.role is encountered, to make the upgrade less surprising.

Fix this →

Low — Dead role-matching machinery could be simplified (packages/cubejs-server-core/src/core/CompilerApi.ts)

With userRoles permanently empty, userHasRole reduces to role === '*', which is semantically identical to the existing "no role/group" fallback. A follow-up could collapse userHasRole, its call sites, and the userRoles variable entirely. Not blocking.

Low — DEPRECATION.md is missing a trailing newline (DEPRECATION.md:445)

Trivial.

Things done well

• Both commits together leave no *_role-suffixed identifiers behind in the test fixtures — the rename closes a small dangling-naming wart from the first commit.
• Producer/consumer sides of every group identifier renamed atomically — no risk of a half-renamed test silently passing because nothing matches.
• Doc comments in smoke-rbac.test.ts (lines 302-305, 320, 555-560, 587, 654-657) updated alongside identifiers — easy to forget, done correctly.
• Conventional commit prefixes (feat!:, test(testing):) accurate.

· `feat/remove-context-to-roles`

[claude]

Claude finished @ovr's task in 37s —— View job

---

Claude Code Review (re-checked after push)

Verdict: LGTM — no new changes since the prior review. Findings carry forward unchanged.

Details

Tasks

• Diff current HEAD against origin/feat/release-v1.7.0
• Compare to prior review state
• Re-affirm findings

What changed since the last review

Nothing substantive. The PR still contains the same two commits (now fe5a6ee removal + f47a4c1 rbac fixture rename) — git SHAs shifted due to a rebase onto feat/release-v1.7.0, but the tree contents match what was already reviewed. No new files, no new diff lines.

Findings (carried forward, all still apply)

Medium — Silent no-op for any role: access policy left in user models (packages/cubejs-server-core/src/core/CompilerApi.ts)

userRoles is hardcoded to new Set<string>(), so userHasRole(userRoles, policy.role) is true only when policy.role === '*'. Any accessPolicy entry using a specific role name will silently never match after upgrade. Consider a one-time this.logger warning when a non-'*' policy.role is encountered.

Fix this →

Low — Dead role-matching machinery could be simplified (packages/cubejs-server-core/src/core/CompilerApi.ts)

With userRoles permanently empty, userHasRole reduces to role === '*', semantically identical to the existing "no role/group" fallback. A follow-up could collapse userHasRole, its call sites, and the userRoles variable entirely. Not blocking.

Low — DEPRECATION.md trailing newline (DEPRECATION.md:445)

Trivial.

· `feat/remove-context-to-roles`

[codecov]

Codecov Report

❌ Patch coverage is 25.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.10%. Comparing base (e2d8258) to head (740032d).

Files with missing lines	Patch %	Lines
...ackages/cubejs-server-core/src/core/CompilerApi.ts	0.00%	3 Missing ⚠️

Additional details and impacted files

@@                 Coverage Diff                  @@
##           feat/release-v1.7.0   #11055   +/-   ##
====================================================
  Coverage                79.09%   79.10%           
====================================================
  Files                      470      470           
  Lines                    95766    95752   -14     
  Branches                  3500     3493    -7     
====================================================
- Hits                     75747    75745    -2     
+ Misses                   19504    19492   -12     
  Partials                   515      515           

Flag	Coverage Δ
cube-backend	58.73% <25.00%> (+0.03%)	⬆️
cubesql	83.54% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Claude finished @ovr's task in 1m 16s —— View job

---

Claude Code Review (updated for commit d8cf3f2)

Verdict: LGTM — new commit cleanly addresses the prior medium + low findings. 0 high, 0 medium, 1 low remaining.

Details

What changed since the last review

New commit d8cf3f2 feat(schema-compiler)!: Remove deprecated role access policy property goes further than the original removal and rips out the role property from accessPolicy entirely — exactly the cleanup the previous review suggested.

Concretely:

• AccessPolicyDefinition.role? removed from CubeSymbols.ts:127
• RolePolicySchema → GroupPolicySchema in CubeValidator.ts:1130-1144, with the role-related .nand() constraints dropped and .or('group', 'groups') enforcing the new shape
• CompilerApi.userHasRole deleted; roleMeetsConditions → policyMeetsConditions
• The userRoles = new Set<string>() no-op is gone; the role/group conflict check is gone (Joi rejects role: now); fallback for policies with neither group is now userHasGroup(userGroups, '*') — semantically identical to the prior userHasRole(_, '*') short-circuit, but no longer routed through dead role plumbing
• Snapshot, fixtures (orders_big, orders_ext, orders_incorrect_acl, orders_nonexist_acl), and tests (cube-validator.test.ts, links.test.ts, transpilers.test.ts, yaml-schema.test.ts, utils.ts) updated to use group: consistently
• Both docs pages dropped the role: line from the data-access-policies example

A grep for policy.role|role:|userHasRole|RolePolicySchema|getRolesFromContext over the working tree returns only CHANGELOG noise — the surface is fully gone.

Findings

The previous medium ("silent no-op for role: policies") and low ("dead role-matching machinery") are both resolved by this commit. Authors using role: will now get a Joi validation error at schema-compile time instead of silent breakage — which is the right migration UX for a breaking release.

Low — DEPRECATION.md is missing a trailing newline (DEPRECATION.md:445)

Still present. Trivial.

Things done well

• Joi schema is the right enforcement point: role: now fails fast with a clear validator error instead of silently never matching at runtime.
• policyMeetsConditions rename is a small but correct readability improvement now that "role" no longer applies.
• Doc comment on applyRowLevelSecurity updated from "same role" → "same group" and "different roles" → "different groups" — easy to miss, done right.
• Fixture rewrites (orders_incorrect_acl.yml, orders_nonexist_acl.yml) preserve the original intent — testing invalid/nonexistent identifiers — just keyed off group now.
• The schema-compiler removal is split into its own commit with a feat(schema-compiler)!: prefix, keeping the breaking-change story per-package.

· `feat/remove-context-to-roles`

[claude]

Claude finished @ovr's task in 46s —— View job

---

Claude Code Review (re-checked after push)

Verdict: LGTM — no substantive changes since the prior review. 0 high, 0 medium, 1 low.

Details

What changed since the last review

Nothing substantive. HEAD is 740032d (same tree as the previously reviewed d8cf3f2 — SHAs shifted from a rebase onto feat/release-v1.7.0). The PR still contains three commits: the context_to_roles removal, the RBAC fixture rename, and the schema-compiler role access-policy removal.

Findings (carried forward)

The previous medium ("silent no-op for role: policies") and low ("dead role-matching machinery") were both addressed by the schema-compiler removal commit — Joi now rejects role: at compile time and the dead plumbing is gone.

Low — DEPRECATION.md is missing a trailing newline (DEPRECATION.md:445)

Still present. Trivial.

Things done well

• Joi schema is the right enforcement point: role: now fails fast with a clear validator error instead of silently never matching at runtime.
• policyMeetsConditions rename is a small but correct readability improvement now that "role" no longer applies.
• Doc comments in applyRowLevelSecurity updated from "same role" → "same group" — easy to miss, done right.
• Fixture rewrites preserve original test intent — just keyed off group now.
• Per-package breaking-change commits (feat!: + feat(schema-compiler)!:) tell the migration story cleanly.

· feat/remove-context-to-roles ·