query_console 0.1.0

data/app/javascript/query_console/controllers/history_controller.js

@@ -0,0 +1,124 @@
+import { Controller } from "@hotwired/stimulus"
+
+// Manages query history stored in localStorage
+// Usage: <div data-controller="history">
+export default class extends Controller {
+  static targets = ["list", "item", "emptyMessage"]
+  static values = {
+    storageKey: { type: String, default: "query_console.history.v1" },
+    maxItems: { type: Number, default: 20 }
+  }
+
+  connect() {
+    this.loadHistory()
+  }
+
+  // Add query to history after successful execution
+  add(event) {
+    const sql = event.detail.sql
+    const timestamp = event.detail.timestamp || new Date().toISOString()
+    
+    const history = this.getHistory()
+    
+    // Add new item to beginning
+    history.unshift({
+      sql: sql.trim(),
+      timestamp: timestamp
+    })
+    
+    // Keep only max items
+    const trimmed = history.slice(0, this.maxItemsValue)
+    this.saveHistory(trimmed)
+    this.renderHistory(trimmed)
+  }
+
+  // Load query from history into editor
+  load(event) {
+    event.preventDefault()
+    const sql = event.currentTarget.dataset.sql
+    
+    // Dispatch custom event that editor controller will listen to
+    this.dispatch("load", { detail: { sql } })
+  }
+
+  // Clear all history
+  clear(event) {
+    event.preventDefault()
+    
+    if (confirm("Clear all query history?")) {
+      localStorage.removeItem(this.storageKeyValue)
+      this.renderHistory([])
+    }
+  }
+
+  // Private methods
+
+  loadHistory() {
+    const history = this.getHistory()
+    this.renderHistory(history)
+  }
+
+  getHistory() {
+    const stored = localStorage.getItem(this.storageKeyValue)
+    return stored ? JSON.parse(stored) : []
+  }
+
+  saveHistory(history) {
+    localStorage.setItem(this.storageKeyValue, JSON.stringify(history))
+  }
+
+  renderHistory(history) {
+    if (history.length === 0) {
+      this.listTarget.innerHTML = '<li class="empty-history">No query history yet</li>'
+      return
+    }
+
+    this.listTarget.innerHTML = history.map((item, index) => `
+      <li class="history-item">
+        <button 
+          type="button"
+          class="history-item-button" 
+          data-action="click->history#load"
+          data-sql="${this.escapeHtml(item.sql)}"
+          title="${this.escapeHtml(item.sql)}">
+          <div class="history-item-sql">${this.escapeHtml(this.truncate(item.sql, 100))}</div>
+          <div class="history-item-time">${this.formatTime(item.timestamp)}</div>
+        </button>
+      </li>
+    `).join('')
+  }
+
+  truncate(str, length) {
+    return str.length > length ? str.substring(0, length) + '...' : str
+  }
+
+  formatTime(timestamp) {
+    const date = new Date(timestamp)
+    const now = new Date()
+    const diff = now - date
+    
+    // Less than 1 minute
+    if (diff < 60000) return 'just now'
+    
+    // Less than 1 hour
+    if (diff < 3600000) {
+      const minutes = Math.floor(diff / 60000)
+      return `${minutes}m ago`
+    }
+    
+    // Less than 24 hours
+    if (diff < 86400000) {
+      const hours = Math.floor(diff / 3600000)
+      return `${hours}h ago`
+    }
+    
+    // More than 24 hours
+    return date.toLocaleDateString()
+  }
+
+  escapeHtml(text) {
+    const div = document.createElement('div')
+    div.textContent = text
+    return div.innerHTML
+  }
+}

data/app/services/query_console/audit_logger.rb

@@ -0,0 +1,50 @@
+module QueryConsole
+  class AuditLogger
+    def self.log_query(sql:, result:, actor: "unknown", controller: nil)
+      config = QueryConsole.configuration
+      
+      # Resolve actor from config if controller is provided
+      resolved_actor = if controller && config.current_actor.respond_to?(:call)
+        config.current_actor.call(controller)
+      else
+        actor
+      end
+
+      log_data = {
+        component: "query_console",
+        actor: resolved_actor,
+        sql: sql.to_s.strip,
+        duration_ms: result.execution_time_ms,
+        rows: result.row_count_shown,
+        status: result.success? ? "ok" : "error"
+      }
+
+      if result.failure?
+        log_data[:error] = result.error
+        log_data[:error_class] = determine_error_class(result.error)
+      end
+
+      if result.truncated?
+        log_data[:truncated] = true
+        log_data[:max_rows] = config.max_rows
+      end
+
+      Rails.logger.info(log_data.to_json)
+    end
+
+    def self.determine_error_class(error_message)
+      case error_message
+      when /timeout/i
+        "TimeoutError"
+      when /forbidden keyword/i
+        "SecurityError"
+      when /multiple statements/i
+        "SecurityError"
+      when /must start with/i
+        "ValidationError"
+      else
+        "QueryError"
+      end
+    end
+  end
+end

data/app/services/query_console/runner.rb

@@ -0,0 +1,89 @@
+require 'timeout'
+
+module QueryConsole
+  class Runner
+    class QueryResult
+      attr_reader :columns, :rows, :execution_time_ms, :row_count_shown, :truncated, :error
+
+      def initialize(columns: [], rows: [], execution_time_ms: 0, row_count_shown: 0, truncated: false, error: nil)
+        @columns = columns
+        @rows = rows
+        @execution_time_ms = execution_time_ms
+        @row_count_shown = row_count_shown
+        @truncated = truncated
+        @error = error
+      end
+
+      def success?
+        @error.nil?
+      end
+
+      def failure?
+        !success?
+      end
+
+      def truncated?
+        @truncated
+      end
+    end
+
+    def initialize(sql, config = QueryConsole.configuration)
+      @sql = sql
+      @config = config
+    end
+
+    def execute
+      start_time = Time.now
+
+      # Step 1: Validate SQL
+      validator = SqlValidator.new(@sql, @config)
+      validation_result = validator.validate
+
+      if validation_result.invalid?
+        return QueryResult.new(error: validation_result.error)
+      end
+
+      sanitized_sql = validation_result.sanitized_sql
+
+      # Step 2: Apply row limit
+      limiter = SqlLimiter.new(sanitized_sql, @config.max_rows, @config)
+      limit_result = limiter.apply_limit
+      final_sql = limit_result.sql
+      truncated = limit_result.truncated?
+
+      # Step 3: Execute query with timeout
+      begin
+        result = execute_with_timeout(final_sql)
+        execution_time = ((Time.now - start_time) * 1000).round(2)
+
+        QueryResult.new(
+          columns: result.columns,
+          rows: result.rows,
+          execution_time_ms: execution_time,
+          row_count_shown: result.rows.length,
+          truncated: truncated
+        )
+      rescue Timeout::Error
+        QueryResult.new(
+          error: "Query timeout: exceeded #{@config.timeout_ms}ms limit"
+        )
+      rescue StandardError => e
+        QueryResult.new(
+          error: "Query error: #{e.message}"
+        )
+      end
+    end
+
+    private
+
+    attr_reader :sql, :config
+
+    def execute_with_timeout(sql)
+      timeout_seconds = @config.timeout_ms / 1000.0
+      
+      Timeout.timeout(timeout_seconds) do
+        ActiveRecord::Base.connection.exec_query(sql)
+      end
+    end
+  end
+end

data/app/services/query_console/sql_limiter.rb

@@ -0,0 +1,48 @@
+module QueryConsole
+  class SqlLimiter
+    class LimitResult
+      attr_reader :sql, :truncated
+
+      def initialize(sql:, truncated:)
+        @sql = sql
+        @truncated = truncated
+      end
+
+      def truncated?
+        @truncated
+      end
+    end
+
+    def initialize(sql, max_rows, config = QueryConsole.configuration)
+      @sql = sql
+      @max_rows = max_rows
+      @config = config
+    end
+
+    def apply_limit
+      # Check if query already has a LIMIT clause
+      if sql_has_limit?
+        LimitResult.new(sql: @sql, truncated: false)
+      else
+        wrapped_sql = wrap_with_limit(@sql, @max_rows)
+        LimitResult.new(sql: wrapped_sql, truncated: true)
+      end
+    end
+
+    private
+
+    attr_reader :sql, :max_rows, :config
+
+    def sql_has_limit?
+      # Check for LIMIT clause (case-insensitive)
+      # Match: "LIMIT", " LIMIT ", etc.
+      @sql.match?(/\bLIMIT\b/i)
+    end
+
+    def wrap_with_limit(sql, limit)
+      # Wrap the query in a subquery with LIMIT
+      # This preserves most SQL semantics including ORDER BY, etc.
+      "SELECT * FROM (#{sql}) qc_subquery LIMIT #{limit}"
+    end
+  end
+end

data/app/services/query_console/sql_validator.rb

@@ -0,0 +1,72 @@
+module QueryConsole
+  class SqlValidator
+    class ValidationResult
+      attr_reader :valid, :error, :sanitized_sql
+
+      def initialize(valid:, sanitized_sql: nil, error: nil)
+        @valid = valid
+        @sanitized_sql = sanitized_sql
+        @error = error
+      end
+
+      def valid?
+        @valid
+      end
+
+      def invalid?
+        !@valid
+      end
+    end
+
+    def initialize(sql, config = QueryConsole.configuration)
+      @sql = sql
+      @config = config
+    end
+
+    def validate
+      return ValidationResult.new(valid: false, error: "Query cannot be empty") if sql.nil? || sql.strip.empty?
+
+      sanitized = sql.strip
+      
+      # Remove a single trailing semicolon if present
+      sanitized = sanitized.sub(/;\s*\z/, '')
+
+      # Check for multiple statements (any remaining semicolons)
+      if sanitized.include?(';')
+        return ValidationResult.new(
+          valid: false,
+          error: "Multiple statements are not allowed. Only single SELECT or WITH queries are permitted."
+        )
+      end
+
+      # Check if query starts with allowed keywords
+      normalized_start = sanitized.downcase
+      unless @config.allowed_starts_with.any? { |keyword| normalized_start.start_with?(keyword) }
+        return ValidationResult.new(
+          valid: false,
+          error: "Query must start with one of: #{@config.allowed_starts_with.join(', ').upcase}"
+        )
+      end
+
+      # Check for forbidden keywords
+      normalized_query = sanitized.downcase
+      forbidden = @config.forbidden_keywords.find do |keyword|
+        # Match whole words to avoid false positives (e.g., "updates" table name)
+        normalized_query.match?(/\b#{Regexp.escape(keyword.downcase)}\b/)
+      end
+
+      if forbidden
+        return ValidationResult.new(
+          valid: false,
+          error: "Forbidden keyword detected: #{forbidden.upcase}. Only read-only SELECT queries are allowed."
+        )
+      end
+
+      ValidationResult.new(valid: true, sanitized_sql: sanitized)
+    end
+
+    private
+
+    attr_reader :sql, :config
+  end
+end

data/app/views/query_console/queries/_results.html.erb

@@ -0,0 +1,191 @@
+<%= turbo_frame_tag "query-results" do %>
+  <style>
+    .results-container {
+      margin-top: 20px;
+    }
+
+    .error-message {
+      background: #f8d7da;
+      color: #721c24;
+      padding: 15px;
+      border-radius: 4px;
+      border: 1px solid #f5c6cb;
+      margin-bottom: 15px;
+    }
+
+    .success-message {
+      background: #d4edda;
+      color: #155724;
+      padding: 15px;
+      border-radius: 4px;
+      border: 1px solid #c3e6cb;
+      margin-bottom: 15px;
+    }
+
+    .metadata {
+      background: #e7f3ff;
+      padding: 12px;
+      border-radius: 4px;
+      margin-bottom: 15px;
+      font-size: 14px;
+      display: flex;
+      gap: 20px;
+      flex-wrap: wrap;
+    }
+
+    .metadata-item {
+      display: flex;
+      align-items: center;
+      gap: 5px;
+    }
+
+    .metadata-label {
+      font-weight: 600;
+      color: #495057;
+    }
+
+    .metadata-value {
+      color: #007bff;
+    }
+
+    .warning-badge {
+      background: #fff3cd;
+      color: #856404;
+      padding: 4px 8px;
+      border-radius: 3px;
+      font-size: 12px;
+      font-weight: 600;
+    }
+
+    .table-wrapper {
+      overflow: auto;
+      border: 1px solid #dee2e6;
+      border-radius: 4px;
+      max-height: 500px;
+      position: relative;
+    }
+
+    .results-table {
+      width: 100%;
+      border-collapse: collapse;
+      font-size: 14px;
+      background: white;
+    }
+
+    .results-table thead {
+      background: #f8f9fa;
+      position: sticky;
+      top: 0;
+      z-index: 10;
+    }
+
+    .results-table th {
+      padding: 12px;
+      text-align: left;
+      font-weight: 600;
+      color: #495057;
+      border-bottom: 2px solid #dee2e6;
+      white-space: nowrap;
+    }
+
+    .results-table td {
+      padding: 10px 12px;
+      border-bottom: 1px solid #dee2e6;
+      color: #212529;
+    }
+
+    .results-table tbody tr:hover {
+      background: #f8f9fa;
+    }
+
+    .results-table tbody tr:last-child td {
+      border-bottom: none;
+    }
+
+    .empty-results {
+      text-align: center;
+      padding: 40px;
+      color: #6c757d;
+    }
+
+    .null-value {
+      color: #999;
+      font-style: italic;
+    }
+  </style>
+
+  <div class="results-container">
+    <% result_to_render = local_assigns[:result] || @result %>
+    
+    <% if result_to_render.error %>
+      <div class="error-message">
+        <strong>Error:</strong> <%= result_to_render.error %>
+      </div>
+    <% else %>
+      <div class="success-message">
+        ✓ Query executed successfully
+      </div>
+
+      <div class="metadata">
+        <div class="metadata-item">
+          <span class="metadata-label">Execution Time:</span>
+          <span class="metadata-value"><%= result_to_render.execution_time_ms %>ms</span>
+        </div>
+        <div class="metadata-item">
+          <span class="metadata-label">Rows:</span>
+          <span class="metadata-value"><%= result_to_render.row_count_shown %></span>
+        </div>
+        <% if result_to_render.truncated %>
+          <div class="metadata-item">
+            <span class="warning-badge">⚠ Results limited to <%= QueryConsole.configuration.max_rows %> rows</span>
+          </div>
+        <% end %>
+      </div>
+
+      <% if result_to_render.rows.empty? %>
+        <div class="empty-results">
+          No rows returned
+        </div>
+      <% else %>
+        <div class="table-wrapper">
+          <table class="results-table">
+            <thead>
+              <tr>
+                <% result_to_render.columns.each do |column| %>
+                  <th><%= column %></th>
+                <% end %>
+              </tr>
+            </thead>
+            <tbody>
+              <% result_to_render.rows.each do |row| %>
+                <tr>
+                  <% row.each do |value| %>
+                    <td>
+                      <% if value.nil? %>
+                        <span class="null-value">NULL</span>
+                      <% else %>
+                        <%= value %>
+                      <% end %>
+                    </td>
+                  <% end %>
+                </tr>
+              <% end %>
+            </tbody>
+          </table>
+        </div>
+      <% end %>
+    <% end %>
+  </div>
+
+  <script type="module">
+    // After results are rendered, dispatch event to add to history
+    const sql = new URLSearchParams(window.location.search).get('sql')
+    if (sql) {
+      const event = new CustomEvent('editor:executed', {
+        detail: { sql: sql, timestamp: new Date().toISOString() },
+        bubbles: true
+      })
+      document.dispatchEvent(event)
+    }
+  </script>
+<% end %>