Examples: Block Missing “Critical Filter” (Table/Column Heuristic)

Goal: block PRs that may have removed or weakened a “critical filter” like row_status = 'A'.

Important limitation: Lexega’s diff matching currently operates on structured signals (tables, columns, change types). It does not match the exact predicate text row_status = 'A' inside WHERE.

So the end-to-end workflow is a heuristic:

  1. Detect WhereRemoved / WhereConditionChanged
  2. Scope to a specific table
  3. Scope to a specific column name (e.g., row_status)
  4. Emit a custom policy signal
  5. Block that custom rule in prod (with exceptions)

Files to commit

.lexega/
  custom_rules.yaml
  policy.yaml
  exceptions.yaml        # optional

1) Custom rules: emit a signal on dangerous WHERE changes

# yaml-language-server: $schema=/schemas/v1/custom_rules.schema.json
metadata:
  name: Critical Filters
  version: 1.0.0

rules:
  - id: CRITICAL-FILTER-001
    name: Potential critical filter change on row_status
    risk_level: High
    message: "Potential critical-filter change affecting {affected_object}. Verify row_status filtering remains correct."
    diff_triggers:
      - change_type: WhereRemoved
        match:
          tables:
            any_of: ["ANALYTICS.ORDERS"]
          columns:
            any_of: ["*row_status*"]
      - change_type: WhereConditionChanged
        match:
          tables:
            any_of: ["ANALYTICS.ORDERS"]
          columns:
            any_of: ["*row_status*"]

2) Policy: block that custom rule in prod

# yaml-language-server: $schema=/schemas/v1/policy.schema.json
schema_version: 1
policy_id: team-policy
policy_version: 1.0.0

default_action: allow

policies:
  - rule_id: CRITICAL-FILTER-001
    description: Block critical-filter changes in prod unless exception
    envs: [prod]
    action: block
    requires_exception: true

3) Run review (PR range) and gate CI

lexega-sql review main..HEAD models/ -r \
  --custom-rules .lexega/custom_rules.yaml \
  --policy .lexega/policy.yaml \
  --env prod \
  --decision-out decision.json \
  --format markdown > review.md

ALLOWED=$(jq -r '.outcome.allowed' decision.json)
test "$ALLOWED" = "true"

4) Exception (optional)

If the filter change is intentional and reviewed, grant an exception:

# yaml-language-server: $schema=/schemas/v1/exceptions.schema.json
schema_version: 1

exceptions:
  - exception_id: EX-2025-CRITFILTER-001
    policy_id: team-policy
    rule_id: CRITICAL-FILTER-001
    approved_by: data-governance@company.com
    approved_at: "2025-12-31T00:00:00Z"
    reason: "Reviewed critical-filter change; safe"
    ticket: DATA-5678
    scope:
      scoped:
        path_prefixes:
          - "models/"
        expires_at: "2026-03-01T00:00:00Z"

Run with exceptions:

lexega-sql review main..HEAD models/ -r \
  --custom-rules .lexega/custom_rules.yaml \
  --policy .lexega/policy.yaml \
  --exceptions .lexega/exceptions.yaml \
  --env prod \
  --decision-out decision.json

Key Concepts

Separation of concerns:

  • Custom rules define WHAT to detect (detection logic)
  • Policies define WHAT TO DO when a rule fires (enforcement)
  • Exceptions grant one-off permissions for specific rules

This separation keeps policies simple and detection testable.

Need Help?

Can't find what you're looking for? Check out our GitHub or reach out to support.

GitHub IssuesEmail Support