fix: SECURITY_CONTEXT renders empty strings on filter with enabled Tesseract (#10576)

* fix: SECURITY_CONTEXT is not working correctly with enabled Tesseract

* IN filter fix, toString and cloud shortcuts

* Linter

* Smoke tests

* Test fixes

* Test fixes

* Test fixes

* Test fixes

* Shorthand precedence

* Fix tests

* More tests and more precise access policy match

Author: paveltiunov

packages/cubejs-schema-compiler/src/compiler/CubeSymbols.ts

@@ -1480,35 +1480,79 @@ export class CubeSymbols implements TranspilerSymbolResolver, CompilerInterface
   }
 
   public static contextSymbolsProxyFrom(symbols: object, allocateParam: (param: unknown) => unknown): object {
-    return new Proxy(symbols, {
-      get: (target, name) => {
-        const propValue = target[name];
-        const methods = (paramValue) => ({
-          filter: (column) => {
-            if (paramValue) {
-              const value = Array.isArray(paramValue) ?
-                paramValue.map(allocateParam) :
-                allocateParam(paramValue);
-              if (typeof column === 'function') {
-                return column(value);
-              } else {
-                return `${column} = ${value}`;
-              }
+    const methods = (paramValue) => ({
+      filter: (column) => {
+        if (paramValue) {
+          if (Array.isArray(paramValue)) {
+            const values = paramValue.map(allocateParam);
+            if (typeof column === 'function') {
+              return column(values);
             } else {
-              return '1 = 1';
+              return `${column} IN (${values.join(', ')})`;
             }
-          },
-          requiredFilter: (column) => {
-            if (!paramValue) {
-              throw new UserError(`Filter for ${column} is required`);
+          } else {
+            const value = allocateParam(paramValue);
+            if (typeof column === 'function') {
+              return column(value);
+            } else {
+              return `${column} = ${value}`;
             }
-            return methods(paramValue).filter(column);
-          },
-          unsafeValue: () => paramValue
-        });
-        return methods(target)[name] ||
-          typeof propValue === 'object' && propValue !== null && CubeSymbols.contextSymbolsProxyFrom(propValue, allocateParam) ||
-          methods(propValue);
+          }
+        } else {
+          return '1 = 1';
+        }
+      },
+      requiredFilter: (column) => {
+        if (!paramValue) {
+          throw new UserError(`Filter for ${column} is required`);
+        }
+        return methods(paramValue).filter(column);
+      },
+      unsafeValue: () => paramValue,
+      toString: () => {
+        if (paramValue !== undefined && paramValue !== null) {
+          return Array.isArray(paramValue)
+            ? paramValue.map(allocateParam).join(',')
+            : String(allocateParam(paramValue));
+        }
+        return '';
+      },
+      [Symbol.toPrimitive]: () => {
+        if (paramValue !== undefined && paramValue !== null) {
+          return Array.isArray(paramValue)
+            ? paramValue.map(allocateParam).join(',')
+            : String(allocateParam(paramValue));
+        }
+        return '';
+      }
+    });
+
+    // Chainable proxy for undefined/null values: supports both method calls
+    // (filter, unsafeValue, etc.) and further property chaining for deeply
+    // nested paths like SECURITY_CONTEXT.cubeCloud.tenantId.filter(...)
+    // when the security context is empty during compilation/dep resolution.
+    const undefinedChainableHandler: ProxyHandler<any> = {
+      get: (target, name) => {
+        if (name in target || typeof name === 'symbol') return target[name];
+        return new Proxy(methods(undefined), undefinedChainableHandler);
+      }
+    };
+
+    return new Proxy(symbols, {
+      get: (target, name) => {
+        const propValue = target[name];
+        const methodOnTarget = methods(target)[name];
+        if (methodOnTarget) return methodOnTarget;
+
+        if (typeof propValue === 'object' && propValue !== null) {
+          return CubeSymbols.contextSymbolsProxyFrom(propValue, allocateParam);
+        }
+
+        if (propValue !== undefined && propValue !== null) {
+          return methods(propValue);
+        }
+
+        return new Proxy(methods(undefined), undefinedChainableHandler);
       }
     });
   }

packages/cubejs-schema-compiler/src/compiler/transpilers/CubePropContextTranspiler.ts

@@ -214,17 +214,22 @@ export class CubePropContextTranspiler implements TranspilerInterface {
 
   protected static collectKnownIdentifiersAndTransform(resolveSymbol: SymbolResolver, path: NodePath): string[] {
     const identifiers: string[] = [];
+    const isAccessPolicy = this.isAccessPolicyPath(path);
 
     if (path.node.type === 'Identifier') {
-      CubePropContextTranspiler.matchAndTransformIdentifier(path, resolveSymbol, identifiers);
+      CubePropContextTranspiler.transformCubeCloudShorthandIdentifier(path as NodePath<t.Identifier>, identifiers, isAccessPolicy, resolveSymbol);
+      if (path.node.type === 'Identifier') {
+        CubePropContextTranspiler.matchAndTransformIdentifier(path, resolveSymbol, identifiers);
+      }
     }
 
     path.traverse({
       Identifier: (p) => {
+        CubePropContextTranspiler.transformCubeCloudShorthandIdentifier(p, identifiers, isAccessPolicy, resolveSymbol);
         CubePropContextTranspiler.matchAndTransformIdentifier(p, resolveSymbol, identifiers);
       },
       MemberExpression: (p) => {
-        CubePropContextTranspiler.transformUserAttributesMemberExpression(p);
+        CubePropContextTranspiler.transformCubeCloudShorthandMemberExpression(p, isAccessPolicy, resolveSymbol);
       }
     });
 
@@ -238,39 +243,83 @@ export class CubePropContextTranspiler implements TranspilerInterface {
       ) &&
       resolveSymbol(path.node.name)
     ) {
-      // Special handling for userAttributes - replace in parameter list with securityContext
-      const fullPath = this.fullPath(path);
-      if ((path.node.name === 'userAttributes' || path.node.name === 'user_attributes') && (fullPath.startsWith('accessPolicy') || fullPath.startsWith('access_policy'))) {
-        identifiers.push('securityContext');
-      } else {
-        identifiers.push(path.node.name);
+      identifiers.push(path.node.name);
+    }
+  }
+
+  private static readonly CUBE_CLOUD_SHORTHAND_IDENTIFIERS = ['userAttributes', 'user_attributes', 'groups'];
+
+  private static isAccessPolicyPath(path: NodePath): boolean {
+    // @ts-ignore
+    const target = (!path?.node?.key && path?.parentPath && t.isObjectProperty(path.parentPath.node))
+      ? path.parentPath
+      : path;
+    const fp = this.fullPath(target);
+    return fp.startsWith('accessPolicy') || fp.startsWith('access_policy');
+  }
+
+  private static securityContextIdentifier(isAccessPolicy: boolean): t.Identifier {
+    return t.identifier(isAccessPolicy ? 'securityContext' : 'SECURITY_CONTEXT');
+  }
+
+  private static isShadowedByFunctionParam(name: string, path: NodePath): boolean {
+    let current: NodePath | null = path.parentPath;
+    while (current) {
+      const { node } = current;
+      if (
+        (t.isArrowFunctionExpression(node) || t.isFunctionExpression(node)) &&
+        node.params.some(p => t.isIdentifier(p) && p.name === name)
+      ) {
+        return true;
       }
+      current = current.parentPath;
     }
+    return false;
   }
 
-  protected static transformUserAttributesMemberExpression(path: NodePath<t.MemberExpression>) {
-    // Check if this is userAttributes.someProperty (object should be identifier named 'userAttributes')
-    const fullPath = this.fullPath(path);
+  protected static transformCubeCloudShorthandIdentifier(path: NodePath<t.Identifier>, identifiers: string[], isAccessPolicy: boolean, resolveSymbol: SymbolResolver) {
+    if (!this.CUBE_CLOUD_SHORTHAND_IDENTIFIERS.includes(path.node.name)) {
+      return;
+    }
+    if (resolveSymbol(path.node.name)) {
+      return;
+    }
     if (
-      (t.isIdentifier(path.node.object, { name: 'userAttributes' }) || t.isIdentifier(path.node.object, { name: 'user_attributes' })) &&
-      (fullPath.startsWith('accessPolicy') || fullPath.startsWith('access_policy'))
+      path.parent &&
+      (path.parent.type === 'MemberExpression' || path.parent.type === 'OptionalMemberExpression') &&
+      path.key === 'property'
     ) {
-      // Replace userAttributes with securityContext.cubeCloud.userAttributes
-      const securityContext = t.identifier('securityContext');
-      const cubeCloud = t.memberExpression(securityContext, t.identifier('cubeCloud'));
-      const userAttributes = t.memberExpression(cubeCloud, t.identifier('userAttributes'));
-      const newMemberExpression = t.memberExpression(userAttributes, path.node.property, path.node.computed);
+      return;
+    }
+    if (this.isShadowedByFunctionParam(path.node.name, path)) {
+      return;
+    }
+    const contextId = this.securityContextIdentifier(isAccessPolicy);
+    const cubeCloud = t.memberExpression(contextId, t.identifier('cubeCloud'));
+    const prop = path.node.name === 'user_attributes' ? 'userAttributes' : path.node.name;
+    const newExpr = t.memberExpression(cubeCloud, t.identifier(prop));
+    path.replaceWith(newExpr);
+    identifiers.push(contextId.name);
+  }
 
+  protected static transformCubeCloudShorthandMemberExpression(path: NodePath<t.MemberExpression>, isAccessPolicy: boolean, resolveSymbol: SymbolResolver) {
+    if (
+      t.isIdentifier(path.node.object) &&
+      this.CUBE_CLOUD_SHORTHAND_IDENTIFIERS.includes(path.node.object.name) &&
+      !resolveSymbol(path.node.object.name) &&
+      !this.isShadowedByFunctionParam(path.node.object.name, path)
+    ) {
+      const contextId = this.securityContextIdentifier(isAccessPolicy);
+      const cubeCloud = t.memberExpression(contextId, t.identifier('cubeCloud'));
+      const prop = path.node.object.name === 'user_attributes' ? 'userAttributes' : path.node.object.name;
+      const shorthand = t.memberExpression(cubeCloud, t.identifier(prop));
+      const newMemberExpression = t.memberExpression(shorthand, path.node.property, path.node.computed);
       path.replaceWith(newMemberExpression);
     } else if (
-      t.isMemberExpression(path.node.object) &&
+      (t.isMemberExpression(path.node.object) || t.isOptionalMemberExpression(path.node.object)) &&
       t.isIdentifier(path.node.object.property, { name: 'user_attributes' }) &&
-      !path.node.object.computed &&
-      (fullPath.startsWith('accessPolicy') || fullPath.startsWith('access_policy'))
+      !path.node.object.computed
     ) {
-      // Also handle case where user_attributes appears within a MemberExpression chain like
-      // securityContext.cubeCloud.user_attributes
-      // We need to convert user_attributes to userAttributes in such chains
       const newObject = t.memberExpression(
         path.node.object.object,
         t.identifier('userAttributes'),