PgBeam Docs
policies

policies dry-eval

Dry-eval a SQL statement against a policy

Evaluate a single SQL statement against a policy and print the decision the proxy would make: allow, block, mask, or row-filter. Supply exactly one of --policy (an existing saved policy ID) or --draft (a JSON file describing an unsaved draft policy). The evaluation reuses the data plane's own policy engine, so a what-if verdict matches real enforcement. Stateful checks a single-statement preview cannot model (per-region budgets, approvals, write routing) are reported as informational notes.

Usage

pgbeam policies dry-eval [flags]

Options

OptionDescriptionRequiredDefault
--sql <value>The single SQL statement to evaluateYes-
--policy <value>ID of an existing saved policy to evaluate againstNo-
--draft <value>Path to a JSON file with a draft policy body to evaluate againstNo-

Global options

All global options (--token, --profile, --project, --org, --json, --no-color, --debug) are also available on this command.

Examples

# Evaluate against a saved policy
pgbeam policies dry-eval --policy pol_xxx --sql "SELECT email FROM users"

# Evaluate against a draft policy from a file
pgbeam policies dry-eval --draft ./policy.json --sql "DELETE FROM users"

# Get the full verdict as JSON
pgbeam policies dry-eval --policy pol_xxx --sql "SELECT 1" --json

Output

Prints the verdict (allow/block/mask/row-filter), the rule, reason, any masked columns, injected row-filter predicate, and informational notes. With --json, returns the full result object.

On this page