query_console 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8c73054ef91ed2d89682d757f0ec545db4f43273b32df46b9a1f57b8f72d92a2
-  data.tar.gz: 753f12bc25e012af3233b96d0c7326f7df307219aea79740f232d9e7dda41def
+  metadata.gz: 9ea5d214eb67f13c153578fce1f001109518b6935409774d9ae343de3ee87258
+  data.tar.gz: e7f2c6c7a528ababbef441b2d548cc635222701f5903cbdd1f06b9ecbefd3bc8
 SHA512:
-  metadata.gz: 0a0eff39813e9f070ef5df3b2965b0d6c39c4bb34c958efb2511bfec614c40fed59d76406b9b119b78a8f9e9e41914810aab439f2f9ea4555843f785ac787cdf
-  data.tar.gz: d3ef86f6fd078fa1844b38212acf27def791c8031886c9132f6b476b06db344687d37b1c97930cd514f487dd25b048263f04927c9f19c71e1e4c5013253f9840
+  metadata.gz: 5780f01ddfc86f3f998ea7f67b449ff312c3e4e305a6a5c454593a9aec6d691879837171d0567d2db8def6b70503d77203eecf708e4878947463b9f0443ba5eb
+  data.tar.gz: 99f44e0e10f2c06cb428936bfeaf8757bef817353d535ef1088761c6df7ea6a546905ce12c076207a5252103ce7df37a487ff56846a7e89d92c9e37e376de813

data/README.md

@@ -1,26 +1,76 @@
 # QueryConsole
 
-A Rails engine that provides a secure, mountable web interface for running read-only SQL queries against your application's database.
+[![Gem Version](https://badge.fury.io/rb/query_console.svg)](https://badge.fury.io/rb/query_console)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](MIT-LICENSE)
+[![Ruby](https://img.shields.io/badge/ruby-%3E%3D%203.1-ruby.svg)](https://www.ruby-lang.org)
+[![Rails](https://img.shields.io/badge/rails-%3E%3D%207.0-red.svg)](https://rubyonrails.org)
+
+A Rails engine that provides a secure, mountable web interface for running SQL queries against your application's database. Read-only by default with optional DML support.
+
+![Query Console Interface](docs/images/query-execution.png)
+*Modern, responsive SQL query interface with schema explorer, query management, and real-time execution*
+
+## Table of Contents
+
+- [Features](#features)
+- [Screenshots](#screenshots)
+- [Security Features](#security-features)
+- [Installation](#installation)
+- [Configuration](#configuration)
+- [Usage](#usage)
+- [Security Considerations](#security-considerations)
+- [Development](#development)
+- [Troubleshooting](#troubleshooting)
+- [Contributing](#contributing)
+- [Changelog](#changelog)
 
 ## Features
 
-### Core Features (v0.1.0)
-- 🔒 **Security First**: Read-only queries enforced at multiple levels
+### Security & Control
+- 🔒 **Security First**: Read-only by default with multi-layer enforcement
 - 🚦 **Environment Gating**: Disabled by default in production
 - 🔑 **Flexible Authorization**: Integrate with your existing auth system
-- 📊 **Modern UI**: Clean, responsive interface with query history
-- 📝 **Audit Logging**: All queries logged with actor information
 - ⚡ **Resource Protection**: Configurable row limits and query timeouts
-- 💾 **Client-Side History**: Query history stored in browser localStorage
-- ⚡ **Hotwire-Powered**: Uses Turbo Frames and Stimulus for smooth, SPA-like experience
-- 🎨 **Zero Build Step**: CDN-hosted Hotwire, no asset compilation needed
+- 📝 **Comprehensive Audit Logging**: All queries logged with actor information and metadata
+- 🔐 **Optional DML Support**: Enable INSERT/UPDATE/DELETE with confirmation dialogs
 
-### New in v0.2.0 🚀
+### Query Execution
 - 📊 **EXPLAIN Query Plans**: Analyze query execution plans for performance debugging
+- ✅ **Smart Validation**: SQL validation with keyword blocking and statement isolation
+- 🎯 **Accurate Results**: Proper row counts for both SELECT and DML operations
+- ⏱️ **Query Timeout**: Configurable timeout to prevent long-running queries
+
+### User Interface
+- 📊 **Modern UI**: Clean, responsive interface with real-time updates
 - 🗂️ **Schema Explorer**: Browse tables, columns, types with quick actions
-- 💾 **Saved Queries**: Save, organize, import/export your important queries (client-side)
-- 🎨 **Tabbed UI**: Switch between History and Schema views seamlessly
+- 💾 **Query Management**: Save, organize, import/export queries (client-side)
+- 📜 **Query History**: Client-side history stored in browser localStorage
+- 🎨 **Tabbed Navigation**: Switch between History, Schema, and Saved Queries seamlessly
 - 🔍 **Quick Actions**: Generate queries from schema, copy names, insert WHERE clauses
+- ⚡ **Hotwire-Powered**: Turbo Frames and Stimulus for smooth, SPA-like experience
+- 🎨 **Zero Build Step**: CDN-hosted dependencies, no asset compilation needed
+
+## Screenshots
+
+### Query Execution with Results
+![Query Execution](docs/images/query-execution.png)
+*Execute SQL queries with real-time results, execution time, and row counts displayed in a clean, scrollable table*
+
+### Schema Explorer
+![Schema Browser](docs/images/schema-explorer.png)
+*Browse database tables, columns with data types, nullable status, and quick-action buttons (Insert, WHERE, Copy Table Name)*
+
+### DML Operations with Safety Features
+![DML Results Banner](docs/images/dml-results.png)
+*DML operations show "Data Modified" banner, accurate "Rows Affected" count, and permanent change confirmation. A browser confirmation dialog appears before execution (not shown - browser native UI).*
+
+### Query History
+![Query History](docs/images/query-history.png)
+*Access recent queries with timestamps - click any query to load it into the editor instantly*
+
+### Saved Queries Management
+![Saved Queries](docs/images/saved-queries.png)
+*Save important queries with names and tags, then load, export, or import them with one click*
 
 ## Security Features
 
@@ -28,12 +78,13 @@ QueryConsole implements multiple layers of security:
 
 1. **Environment Gating**: Only enabled in configured environments (development by default)
 2. **Authorization Hook**: Requires explicit authorization configuration
-3. **SQL Validation**: Only SELECT and WITH (CTE) queries allowed
-4. **Keyword Blocking**: Blocks all write operations (UPDATE, DELETE, INSERT, DROP, etc.)
-5. **Statement Isolation**: Prevents multiple statement execution
-6. **Row Limiting**: Automatic result limiting to prevent resource exhaustion
-7. **Query Timeout**: Configurable timeout to prevent long-running queries
-8. **Audit Trail**: All queries logged with structured data
+3. **Read-Only by Default**: Only SELECT and WITH (CTE) queries allowed by default
+4. **Optional DML with Safeguards**: INSERT/UPDATE/DELETE available when explicitly enabled, with mandatory user confirmation dialogs
+5. **Keyword Blocking**: Always blocks DDL operations (DROP, ALTER, CREATE, TRUNCATE, etc.)
+6. **Statement Isolation**: Prevents multiple statement execution
+7. **Row Limiting**: Automatic result limiting to prevent resource exhaustion
+8. **Query Timeout**: Configurable timeout to prevent long-running queries
+9. **Comprehensive Audit Trail**: All queries logged with actor, query type, and execution metadata
 
 ## Installation
 
@@ -79,7 +130,7 @@ QueryConsole.configure do |config|
   # config.max_rows = 1000
   # config.timeout_ms = 5000
   
-  # v0.2.0+ Features
+  # Advanced Features
   # EXPLAIN feature (default: enabled)
   # config.enable_explain = true
   # config.enable_explain_analyze = false  # Disabled by default for safety
@@ -129,6 +180,93 @@ config.authorize = ->(_controller) { true }
 | `timeout_ms` | `3000` | Query timeout in milliseconds |
 | `forbidden_keywords` | See code | SQL keywords that are blocked |
 | `allowed_starts_with` | `["select", "with"]` | Allowed query starting keywords |
+| `enable_dml` | `false` | Enable DML queries (INSERT, UPDATE, DELETE) |
+| `enable_explain` | `true` | Enable EXPLAIN query plans |
+| `enable_explain_analyze` | `false` | Enable EXPLAIN ANALYZE (use with caution) |
+| `schema_explorer` | `true` | Enable schema browser |
+| `schema_cache_seconds` | `60` | Schema cache duration in seconds |
+
+### DML (Data Manipulation Language) Support
+
+By default, Query Console is **read-only**. To enable DML operations (INSERT, UPDATE, DELETE):
+
+```ruby
+QueryConsole.configure do |config|
+  config.enable_dml = true
+  
+  # Recommended: Restrict to specific environments
+  config.enabled_environments = ["development", "staging"]
+end
+```
+
+#### Important Security Notes
+
+- **DML is disabled by default** for safety
+- When enabled, INSERT, UPDATE, DELETE, and MERGE queries are permitted
+- All DML operations are logged with actor information and query type
+- No transaction support - queries auto-commit immediately
+- Consider additional application-level authorization for production use
+
+#### What's Still Blocked
+
+Even with DML enabled, these operations remain **forbidden**:
+- `DROP`, `ALTER`, `CREATE` (schema changes)
+- `TRUNCATE` (bulk deletion)
+- `GRANT`, `REVOKE` (permission changes)
+- `EXECUTE`, `EXEC` (stored procedures)
+- `TRANSACTION`, `COMMIT`, `ROLLBACK` (manual transaction control)
+- System procedures (`sp_`, `xp_`)
+
+#### UI Behavior with DML
+
+When DML is enabled and a DML query is detected:
+- **Before execution**: A confirmation dialog appears with a clear warning about permanent data modifications
+- User must explicitly confirm to proceed (can click "Cancel" to abort)
+- **After execution**: An informational banner shows: "ℹ️ Data Modified: This query has modified the database"
+- **Rows Affected** count is displayed (e.g., "3 row(s) affected") showing how many rows were inserted/updated/deleted
+- The security banner reflects DML status
+- All changes are permanent and logged
+
+#### Database Support
+
+DML operations work on all supported databases:
+- **SQLite**: INSERT, UPDATE, DELETE
+- **PostgreSQL**: INSERT, UPDATE, DELETE, MERGE (via INSERT ... ON CONFLICT)
+- **MySQL**: INSERT, UPDATE, DELETE, REPLACE
+
+#### Enhanced Audit Logging
+
+DML queries are logged with additional metadata:
+
+```ruby
+{
+  component: "query_console",
+  actor: "user@example.com",
+  sql: "UPDATE users SET active = true WHERE id = 123",
+  duration_ms: 12.5,
+  rows: 1,
+  status: "ok",
+  query_type: "UPDATE",     # NEW: Query type classification
+  is_dml: true              # NEW: DML flag
+}
+```
+
+#### Example DML Queries
+
+```sql
+-- Insert a new record
+INSERT INTO users (name, email) VALUES ('John Doe', 'john@example.com');
+
+-- Update existing records
+UPDATE users SET active = true WHERE id = 123;
+
+-- Delete specific records
+DELETE FROM sessions WHERE expires_at < NOW();
+
+-- PostgreSQL upsert
+INSERT INTO settings (key, value) VALUES ('theme', 'dark')
+ON CONFLICT (key) DO UPDATE SET value = 'dark';
+```
 
 ## Mounting
 
@@ -166,14 +304,17 @@ Then visit: `http://localhost:3000/query_console`
 - `WITH active_users AS (SELECT * FROM users WHERE active = true) SELECT * FROM active_users`
 - Queries with JOINs, ORDER BY, GROUP BY, etc.
 
-❌ **Blocked**:
-- `UPDATE users SET name = 'test'`
-- `DELETE FROM users`
-- `INSERT INTO users VALUES (...)`
-- `DROP TABLE users`
-- `SELECT * FROM users; DELETE FROM users` (multiple statements)
+❌ **Blocked** (by default):
+- `UPDATE users SET name = 'test'` (unless `enable_dml = true`)
+- `DELETE FROM users` (unless `enable_dml = true`)
+- `INSERT INTO users VALUES (...)` (unless `enable_dml = true`)
+- `DROP TABLE users` (always blocked)
+- `TRUNCATE TABLE users` (always blocked)
+- `SELECT * FROM users; DELETE FROM users` (multiple statements always blocked)
 - Any query containing forbidden keywords
 
+**Note**: With `config.enable_dml = true`, INSERT, UPDATE, DELETE, and MERGE queries become allowed.
+
 ## Example Queries
 
 ```sql
@@ -390,12 +531,28 @@ Created by [Johnson Gnanasekar](https://github.com/JohnsonGnanasekar)
 
 ## Changelog
 
-### 0.1.0 (Initial Release)
-
-- Basic query console with read-only enforcement
-- Environment gating and authorization hooks
-- SQL validation and row limiting
-- Query timeout protection
-- Client-side history with localStorage
-- Comprehensive test suite
-- Audit logging
+See [CHANGELOG.md](CHANGELOG.md) for detailed version history.
+
+### Recent Updates
+
+#### Latest (DML Support)
+- ✨ **Optional DML Support**: INSERT/UPDATE/DELETE with mandatory confirmation dialogs
+- 🎯 **Accurate Row Counts**: Proper affected rows tracking for DML operations
+- 🔒 **Enhanced Security**: Pre-execution confirmation with detailed warnings
+- 📝 **Enhanced Audit Logging**: Query type classification and DML flags
+- 🗃️ **Multi-Database Support**: SQLite, PostgreSQL, MySQL compatibility
+
+#### v0.2.0 (January 2026)
+- 📊 **EXPLAIN Plans**: Query execution plan analysis
+- 🗂️ **Schema Explorer**: Interactive table/column browser with quick actions
+- 💾 **Saved Queries**: Client-side query management with import/export
+- 🎨 **Modern UI**: Tabbed navigation and collapsible sections
+- 🔍 **Quick Actions**: Generate queries from schema explorer
+
+#### v0.1.0 (Initial Release)
+- 🔒 Read-only query console with security enforcement
+- 🚦 Environment gating and authorization hooks
+- ✅ SQL validation and row limiting
+- ⏱️ Query timeout protection
+- 📜 Client-side history with localStorage
+- ✅ Comprehensive test suite and audit logging

data/app/controllers/query_console/explain_controller.rb

@@ -9,11 +9,11 @@ module QueryConsole
         @result = ExplainRunner::ExplainResult.new(error: "Query cannot be empty")
         respond_to do |format|
           format.turbo_stream do
-            render turbo_stream: turbo_stream.replace(
-              "explain-results",
-              partial: "explain/results",
-              locals: { result: @result }
-            )
+        render turbo_stream: turbo_stream.replace(
+          "explain-results",
+          partial: "query_console/explain/results",
+          locals: { result: @result }
+        )
           end
           format.html { render "explain/_results", layout: false, locals: { result: @result } }
         end

data/app/controllers/query_console/queries_controller.rb

@@ -21,6 +21,7 @@ module QueryConsole
       # Execute the query
       runner = Runner.new(sql)
       @result = runner.execute
+      @is_dml = @result.dml?
 
       # Log the query execution
       AuditLogger.log_query(
@@ -35,7 +36,7 @@ module QueryConsole
           render turbo_stream: turbo_stream.replace(
             "query-results",
             partial: "results",
-            locals: { result: @result }
+            locals: { result: @result, is_dml: @is_dml }
           )
         end
         format.html { render :_results, layout: false }

data/app/javascript/query_console/controllers/editor_controller.js

@@ -1,77 +1,214 @@
 import { Controller } from "@hotwired/stimulus"
+import { EditorView, keymap } from "@codemirror/view"
+import { EditorState } from "@codemirror/state"
+import { sql } from "@codemirror/lang-sql"
+import { defaultKeymap } from "@codemirror/commands"
+import { autocompletion } from "@codemirror/autocomplete"
 
-// Manages the SQL editor textarea and query execution
+// Manages the SQL editor with CodeMirror and query execution
 // Usage: <div data-controller="editor">
 export default class extends Controller {
-  static targets = ["textarea", "runButton", "clearButton", "results"]
+  static targets = ["container"]
 
   connect() {
+    this.initializeCodeMirror()
+    
     // Listen for history load events
     this.element.addEventListener('history:load', (event) => {
       this.loadQuery(event.detail.sql)
     })
   }
 
-  // Load query into textarea (from history)
+  disconnect() {
+    if (this.view) {
+      this.view.destroy()
+    }
+  }
+
+  initializeCodeMirror() {
+    const sqlLanguage = sql()
+    
+    const startState = EditorState.create({
+      doc: "SELECT * FROM users LIMIT 10;",
+      extensions: [
+        sqlLanguage.extension,
+        autocompletion(),
+        keymap.of(defaultKeymap),
+        EditorView.lineWrapping,
+        EditorView.theme({
+          "&": {
+            fontSize: "14px",
+            border: "1px solid #ddd",
+            borderRadius: "4px"
+          },
+          ".cm-content": {
+            fontFamily: "'Monaco', 'Menlo', 'Courier New', monospace",
+            minHeight: "200px",
+            padding: "12px"
+          },
+          ".cm-scroller": {
+            overflow: "auto"
+          },
+          "&.cm-focused": {
+            outline: "none"
+          }
+        })
+      ]
+    })
+
+    this.view = new EditorView({
+      state: startState,
+      parent: this.containerTarget
+    })
+  }
+
+  // Get SQL content from CodeMirror
+  getSql() {
+    return this.view.state.doc.toString()
+  }
+
+  // Set SQL content in CodeMirror
+  setSql(text) {
+    this.view.dispatch({
+      changes: {
+        from: 0,
+        to: this.view.state.doc.length,
+        insert: text
+      }
+    })
+    this.view.focus()
+  }
+
+  // Insert text at cursor position
+  insertAtCursor(text) {
+    const selection = this.view.state.selection.main
+    this.view.dispatch({
+      changes: {
+        from: selection.from,
+        to: selection.to,
+        insert: text
+      },
+      selection: {
+        anchor: selection.from + text.length
+      }
+    })
+    this.view.focus()
+  }
+
+  // Load query into editor (from history)
   loadQuery(sql) {
-    this.textareaTarget.value = sql
-    this.textareaTarget.focus()
+    this.setSql(sql)
     
     // Scroll to editor
     this.element.scrollIntoView({ behavior: 'smooth', block: 'start' })
   }
 
-  // Clear textarea
-  clear(event) {
-    event.preventDefault()
-    this.textareaTarget.value = ''
-    this.textareaTarget.focus()
+  // Clear editor
+  clearEditor() {
+    this.setSql('')
+    
+    // Clear query results
+    const queryFrame = document.querySelector('turbo-frame#query-results')
+    if (queryFrame) {
+      queryFrame.innerHTML = '<div style="color: #6c757d; text-align: center; padding: 40px; margin-top: 20px;"><p>Enter a query above and click "Run Query" to see results here.</p></div>'
+    }
+    
+    // Clear explain results
+    const explainFrame = document.querySelector('turbo-frame#explain-results')
+    if (explainFrame) {
+      explainFrame.innerHTML = ''
+    }
+  }
+
+  // Check if query is a DML operation
+  isDmlQuery(sql) {
+    const trimmed = sql.trim().toLowerCase()
+    return /^(insert|update|delete|merge)\b/.test(trimmed)
   }
 
-  // Handle form submission
-  submit(event) {
-    const sql = this.textareaTarget.value.trim()
-    
+  // Run query
+  runQuery() {
+    const sql = this.getSql().trim()
     if (!sql) {
-      event.preventDefault()
       alert('Please enter a SQL query')
       return
     }
-
-    // Show loading state
-    this.runButtonTarget.disabled = true
-    this.runButtonTarget.textContent = 'Running...'
     
-    // After Turbo completes the request, we'll handle success/error
-  }
-
-  // Called after successful query execution (via Turbo)
-  querySuccess(event) {
-    // Re-enable button
-    this.runButtonTarget.disabled = false
-    this.runButtonTarget.textContent = 'Run Query'
+    // Check if it's a DML query and confirm with user
+    if (this.isDmlQuery(sql)) {
+      const confirmed = confirm(
+        '⚠️ DATA MODIFICATION WARNING\n\n' +
+        'This query will INSERT, UPDATE, or DELETE data.\n\n' +
+        '• All changes are PERMANENT and cannot be undone\n' +
+        '• All operations are logged\n\n' +
+        'Do you want to proceed?'
+      )
+      
+      if (!confirmed) {
+        return // User cancelled
+      }
+    }
     
-    // Dispatch event to add to history
-    const sql = this.textareaTarget.value.trim()
-    this.dispatch('executed', { 
-      detail: { 
-        sql: sql,
-        timestamp: new Date().toISOString()
-      },
-      target: document.querySelector('[data-controller="history"]')
-    })
+    // Clear explain results when running query
+    const explainFrame = document.querySelector('turbo-frame#explain-results')
+    if (explainFrame) {
+      explainFrame.innerHTML = ''
+    }
+    
+    // Store for history
+    window._lastExecutedSQL = sql
+    
+    // Get CSRF token
+    const csrfToken = document.querySelector('meta[name=csrf-token]')?.content
+    
+    // Create form with Turbo Frame target
+    const form = document.createElement('form')
+    form.method = 'POST'
+    form.action = this.element.dataset.runPath
+    form.setAttribute('data-turbo-frame', 'query-results')
+    form.innerHTML = `
+      <input type="hidden" name="sql" value="${this.escapeHtml(sql)}">
+      <input type="hidden" name="authenticity_token" value="${csrfToken}">
+    `
+    document.body.appendChild(form)
+    form.requestSubmit()
+    document.body.removeChild(form)
   }
 
-  // Called after failed query execution
-  queryError(event) {
-    this.runButtonTarget.disabled = false
-    this.runButtonTarget.textContent = 'Run Query'
+  // Explain query
+  explainQuery() {
+    const sql = this.getSql().trim()
+    if (!sql) {
+      alert('Please enter a SQL query')
+      return
+    }
+    
+    // Clear query results when running explain
+    const queryFrame = document.querySelector('turbo-frame#query-results')
+    if (queryFrame) {
+      queryFrame.innerHTML = ''
+    }
+    
+    // Get CSRF token
+    const csrfToken = document.querySelector('meta[name=csrf-token]')?.content
+    
+    // Create form with Turbo Frame target
+    const form = document.createElement('form')
+    form.method = 'POST'
+    form.action = this.element.dataset.explainPath
+    form.setAttribute('data-turbo-frame', 'explain-results')
+    form.innerHTML = `
+      <input type="hidden" name="sql" value="${this.escapeHtml(sql)}">
+      <input type="hidden" name="authenticity_token" value="${csrfToken}">
+    `
+    document.body.appendChild(form)
+    form.requestSubmit()
+    document.body.removeChild(form)
   }
 
-  // Handle Turbo Frame errors
-  turboFrameError(event) {
-    console.error('Turbo Frame error:', event.detail)
-    this.runButtonTarget.disabled = false
-    this.runButtonTarget.textContent = 'Run Query'
+  escapeHtml(text) {
+    const div = document.createElement('div')
+    div.textContent = text
+    return div.innerHTML
   }
 }

data/app/services/query_console/audit_logger.rb

@@ -15,7 +15,9 @@ module QueryConsole
         actor: resolved_actor,
         sql: sql.to_s.strip,
         duration_ms: result.execution_time_ms,
-        status: result.success? ? "ok" : "error"
+        status: result.success? ? "ok" : "error",
+        query_type: determine_query_type(sql),
+        is_dml: is_dml_query?(sql)
       }
 
       # Add row count if available (for QueryResult)
@@ -36,6 +38,22 @@ module QueryConsole
       Rails.logger.info(log_data.to_json)
     end
 
+    def self.is_dml_query?(sql)
+      sql.to_s.strip.downcase.match?(/\A(insert|update|delete|merge)\b/)
+    end
+
+    def self.determine_query_type(sql)
+      case sql.to_s.strip.downcase
+      when /\Aselect\b/ then "SELECT"
+      when /\Awith\b/ then "WITH"
+      when /\Ainsert\b/ then "INSERT"
+      when /\Aupdate\b/ then "UPDATE"
+      when /\Adelete\b/ then "DELETE"
+      when /\Amerge\b/ then "MERGE"
+      else "UNKNOWN"
+      end
+    end
+
     def self.determine_error_class(error_message)
       case error_message
       when /timeout/i
@@ -46,6 +64,10 @@ module QueryConsole
         "SecurityError"
       when /must start with/i
         "ValidationError"
+      when /cannot delete/i, /cannot update/i, /cannot insert/i
+        "DMLError"
+      when /foreign key constraint/i, /constraint.*violated/i
+        "ConstraintError"
       else
         "QueryError"
       end

data/app/services/query_console/runner.rb

@@ -3,15 +3,17 @@ require 'timeout'
 module QueryConsole
   class Runner
     class QueryResult
-      attr_reader :columns, :rows, :execution_time_ms, :row_count_shown, :truncated, :error
+      attr_reader :columns, :rows, :execution_time_ms, :row_count_shown, :truncated, :error, :is_dml, :rows_affected
 
-      def initialize(columns: [], rows: [], execution_time_ms: 0, row_count_shown: 0, truncated: false, error: nil)
+      def initialize(columns: [], rows: [], execution_time_ms: 0, row_count_shown: 0, truncated: false, error: nil, is_dml: false, rows_affected: nil)
         @columns = columns
         @rows = rows
         @execution_time_ms = execution_time_ms
         @row_count_shown = row_count_shown
         @truncated = truncated
         @error = error
+        @is_dml = is_dml
+        @rows_affected = rows_affected
       end
 
       def success?
@@ -25,6 +27,10 @@ module QueryConsole
       def truncated?
         @truncated
       end
+
+      def dml?
+        @is_dml
+      end
     end
 
     def initialize(sql, config = QueryConsole.configuration)
@@ -44,6 +50,7 @@ module QueryConsole
       end
 
       sanitized_sql = validation_result.sanitized_sql
+      is_dml = validation_result.dml?
 
       # Step 2: Apply row limit
       limiter = SqlLimiter.new(sanitized_sql, @config.max_rows, @config)
@@ -56,12 +63,20 @@ module QueryConsole
         result = execute_with_timeout(final_sql)
         execution_time = ((Time.now - start_time) * 1000).round(2)
 
+        # For DML queries, capture the number of affected rows
+        rows_affected = nil
+        if is_dml
+          rows_affected = get_affected_rows_count(result)
+        end
+
         QueryResult.new(
           columns: result.columns,
           rows: result.rows,
           execution_time_ms: execution_time,
           row_count_shown: result.rows.length,
-          truncated: truncated
+          truncated: truncated,
+          is_dml: is_dml,
+          rows_affected: rows_affected
         )
       rescue Timeout::Error
         QueryResult.new(
@@ -85,5 +100,43 @@ module QueryConsole
         ActiveRecord::Base.connection.exec_query(sql)
       end
     end
+
+    # Get the number of rows affected by a DML query
+    # This is database-specific, so we try different approaches
+    def get_affected_rows_count(result)
+      conn = ActiveRecord::Base.connection
+      
+      # For SQLite, use the raw connection's changes method
+      if conn.adapter_name.downcase.include?('sqlite')
+        return conn.raw_connection.changes
+      end
+      
+      # For PostgreSQL, MySQL, and others, check if result has rows_affected
+      # Note: exec_query doesn't always provide this, but we can try
+      if result.respond_to?(:rows_affected)
+        return result.rows_affected
+      end
+      
+      # Fallback: try to get it from the connection's last result
+      begin
+        if conn.respond_to?(:raw_connection)
+          raw_conn = conn.raw_connection
+          
+          # PostgreSQL
+          if raw_conn.respond_to?(:cmd_tuples)
+            return raw_conn.cmd_tuples
+          end
+          
+          # MySQL
+          if raw_conn.respond_to?(:affected_rows)
+            return raw_conn.affected_rows
+          end
+        end
+      rescue
+        # If we can't determine affected rows, return nil
+      end
+      
+      nil
+    end
   end
 end

data/app/services/query_console/sql_limiter.rb

@@ -20,6 +20,11 @@ module QueryConsole
     end
 
     def apply_limit
+      # Skip limiting for DML queries (INSERT, UPDATE, DELETE, MERGE)
+      if is_dml_query?
+        return LimitResult.new(sql: @sql, truncated: false)
+      end
+      
       # Check if query already has a LIMIT clause
       if sql_has_limit?
         LimitResult.new(sql: @sql, truncated: false)
@@ -33,6 +38,11 @@ module QueryConsole
 
     attr_reader :sql, :max_rows, :config
 
+    def is_dml_query?
+      # Check if query is a DML operation (INSERT, UPDATE, DELETE, MERGE)
+      @sql.strip.downcase.match?(/\A(insert|update|delete|merge)\b/)
+    end
+
     def sql_has_limit?
       # Check for LIMIT clause (case-insensitive)
       # Match: "LIMIT", " LIMIT ", etc.

data/app/services/query_console/sql_validator.rb

@@ -1,12 +1,13 @@
 module QueryConsole
   class SqlValidator
     class ValidationResult
-      attr_reader :valid, :error, :sanitized_sql
+      attr_reader :valid, :error, :sanitized_sql, :is_dml
 
-      def initialize(valid:, sanitized_sql: nil, error: nil)
+      def initialize(valid:, sanitized_sql: nil, error: nil, is_dml: false)
         @valid = valid
         @sanitized_sql = sanitized_sql
         @error = error
+        @is_dml = is_dml
       end
 
       def valid?
@@ -16,6 +17,10 @@ module QueryConsole
       def invalid?
         !@valid
       end
+
+      def dml?
+        @is_dml
+      end
     end
 
     def initialize(sql, config = QueryConsole.configuration)
@@ -41,16 +46,35 @@ module QueryConsole
 
       # Check if query starts with allowed keywords
       normalized_start = sanitized.downcase
-      unless @config.allowed_starts_with.any? { |keyword| normalized_start.start_with?(keyword) }
+      
+      # Define DML-specific keywords that are conditionally allowed
+      dml_keywords = %w[insert update delete merge]
+      
+      # Expand allowed_starts_with if DML is enabled
+      effective_allowed = if @config.enable_dml
+        @config.allowed_starts_with + dml_keywords
+      else
+        @config.allowed_starts_with
+      end
+      
+      unless effective_allowed.any? { |keyword| normalized_start.start_with?(keyword) }
         return ValidationResult.new(
           valid: false,
-          error: "Query must start with one of: #{@config.allowed_starts_with.join(', ').upcase}"
+          error: "Query must start with one of: #{effective_allowed.join(', ').upcase}"
         )
       end
 
       # Check for forbidden keywords
       normalized_query = sanitized.downcase
-      forbidden = @config.forbidden_keywords.find do |keyword|
+      
+      # Filter forbidden keywords based on DML enablement
+      effective_forbidden = if @config.enable_dml
+        @config.forbidden_keywords.reject { |kw| dml_keywords.include?(kw) || kw == 'replace' || kw == 'into' }
+      else
+        @config.forbidden_keywords
+      end
+      
+      forbidden = effective_forbidden.find do |keyword|
         # Match whole words to avoid false positives (e.g., "updates" table name)
         normalized_query.match?(/\b#{Regexp.escape(keyword.downcase)}\b/)
       end
@@ -62,7 +86,10 @@ module QueryConsole
         )
       end
 
-      ValidationResult.new(valid: true, sanitized_sql: sanitized)
+      # Detect if this is a DML query
+      is_dml_query = sanitized.downcase.match?(/\A(insert|update|delete|merge)\b/)
+
+      ValidationResult.new(valid: true, sanitized_sql: sanitized, is_dml: is_dml_query)
     end
 
     private

data/app/views/query_console/queries/_results.html.erb

@@ -116,10 +116,33 @@
       color: #999;
       font-style: italic;
     }
+
+    .dml-warning {
+      background-color: #fff3cd;
+      border-left: 4px solid #ffc107;
+      padding: 12px 16px;
+      margin-bottom: 16px;
+      border-radius: 4px;
+    }
+
+    .dml-warning-icon {
+      color: #ff6b6b;
+      font-weight: bold;
+      margin-right: 8px;
+    }
   </style>
 
   <div class="results-container">
     <% result_to_render = local_assigns[:result] || @result %>
+    <% is_dml_result = local_assigns[:is_dml] || @is_dml %>
+    
+    <% if is_dml_result %>
+      <div class="dml-warning">
+        <span class="dml-warning-icon">ℹ️</span>
+        <strong>Data Modified:</strong> 
+        This query has modified the database. All changes are logged.
+      </div>
+    <% end %>
     
     <% if result_to_render.error %>
       <div class="error-message">
@@ -136,8 +159,13 @@
           <span class="metadata-value"><%= result_to_render.execution_time_ms %>ms</span>
         </div>
         <div class="metadata-item">
-          <span class="metadata-label">Rows:</span>
-          <span class="metadata-value"><%= result_to_render.row_count_shown %></span>
+          <% if is_dml_result && result_to_render.rows_affected %>
+            <span class="metadata-label">Rows Affected:</span>
+            <span class="metadata-value"><%= result_to_render.rows_affected %></span>
+          <% else %>
+            <span class="metadata-label">Rows:</span>
+            <span class="metadata-value"><%= result_to_render.row_count_shown %></span>
+          <% end %>
         </div>
         <% if result_to_render.truncated %>
           <div class="metadata-item">
@@ -148,7 +176,11 @@
 
       <% if result_to_render.rows.empty? %>
         <div class="empty-results">
-          No rows returned
+          <% if is_dml_result && result_to_render.rows_affected %>
+            <%= result_to_render.rows_affected %> row(s) affected
+          <% else %>
+            No rows returned
+          <% end %>
         </div>
       <% else %>
         <div class="table-wrapper">

data/app/views/query_console/queries/new.html.erb

@@ -124,23 +124,66 @@
       background: #545b62;
     }
 
-    /* SQL Editor Textarea */
-    .sql-editor {
+    /* DML Warning Styles */
+    .btn-dml {
+      background-color: #ff6b6b;
+      color: white;
+      border: none;
+      padding: 8px 16px;
+      border-radius: 4px;
+      cursor: pointer;
+      font-size: 14px;
+      font-weight: 500;
+    }
+
+    .btn-dml:hover {
+      background-color: #ff5252;
+    }
+
+    .dml-warning {
+      background-color: #fff3cd;
+      border-left: 4px solid #ffc107;
+      padding: 12px 16px;
+      margin-bottom: 16px;
+      margin-top: 16px;
+      border-radius: 4px;
+    }
+
+    .dml-warning-icon {
+      color: #ff6b6b;
+      font-weight: bold;
+      margin-right: 8px;
+    }
+
+    /* SQL Editor (CodeMirror) */
+    .sql-editor-container {
       width: 100%;
       min-height: 200px;
-      padding: 12px;
-      border: 1px solid #ddd;
       border-radius: 4px;
+      overflow: hidden;
+    }
+
+    .sql-editor-container:focus-within {
+      box-shadow: 0 0 0 3px rgba(0, 123, 255, 0.1);
+    }
+
+    .cm-editor {
+      height: 100%;
+    }
+
+    .cm-scroller {
+      min-height: 200px;
       font-family: 'Monaco', 'Menlo', 'Courier New', monospace;
       font-size: 14px;
       line-height: 1.5;
-      resize: vertical;
     }
 
-    .sql-editor:focus {
-      outline: none;
-      border-color: #007bff;
-      box-shadow: 0 0 0 3px rgba(0, 123, 255, 0.1);
+    .cm-content {
+      padding: 12px;
+    }
+
+    .cm-focused {
+      outline: none !important;
     }
 
 
@@ -351,7 +394,9 @@
     {
       "imports": {
         "@hotwired/turbo-rails": "https://cdn.jsdelivr.net/npm/@hotwired/turbo@8.0.4/dist/turbo.es2017-esm.min.js",
-        "@hotwired/stimulus": "https://cdn.jsdelivr.net/npm/@hotwired/stimulus@3.2.2/dist/stimulus.min.js"
+        "@hotwired/stimulus": "https://cdn.jsdelivr.net/npm/@hotwired/stimulus@3.2.2/dist/stimulus.min.js",
+        "codemirror": "https://esm.sh/codemirror@6.0.1",
+        "@codemirror/lang-sql": "https://esm.sh/@codemirror/lang-sql@6.6.0"
       }
     }
   </script>
@@ -359,6 +404,8 @@
   <script type="module">
     import * as Turbo from "@hotwired/turbo-rails"
     import { Application, Controller } from "@hotwired/stimulus"
+    import { EditorView, basicSetup } from "codemirror"
+    import { sql } from "@codemirror/lang-sql"
 
     const application = Application.start()
 
@@ -415,34 +462,86 @@
     }
     application.register("tabs", TabsController)
 
-    // Editor Controller (Simple Textarea)
+    // Editor Controller (CodeMirror)
     class EditorController extends Controller {
-      static targets = ["textarea"]
+      static targets = ["container"]
+      
+      connect() {
+        this.initializeCodeMirror()
+      }
+      
+      disconnect() {
+        if (this.view) {
+          this.view.destroy()
+        }
+      }
+      
+      initializeCodeMirror() {
+        try {
+          this.view = new EditorView({
+            doc: "SELECT * FROM users LIMIT 10;",
+            extensions: [
+              basicSetup,
+              sql(),
+              EditorView.lineWrapping,
+              EditorView.theme({
+                "&": {
+                  fontSize: "14px"
+                },
+                ".cm-content": {
+                  fontFamily: "'Monaco', 'Menlo', 'Courier New', monospace",
+                  minHeight: "200px",
+                  padding: "12px"
+                },
+                ".cm-scroller": {
+                  overflow: "auto"
+                },
+                "&.cm-focused": {
+                  outline: "none"
+                }
+              })
+            ],
+            parent: this.containerTarget
+          })
+        } catch (error) {
+          console.error('CodeMirror initialization error:', error)
+          // Fallback to simple textarea
+          this.containerTarget.innerHTML = '<textarea class="sql-editor" style="width:100%; min-height:200px; font-family:monospace; padding:12px;">SELECT * FROM users LIMIT 10;</textarea>'
+        }
+      }
       
       getSql() {
-        return this.textareaTarget.value
+        return this.view.state.doc.toString()
       }
       
       setSql(text) {
-        this.textareaTarget.value = text
-        this.textareaTarget.focus()
+        this.view.dispatch({
+          changes: {
+            from: 0,
+            to: this.view.state.doc.length,
+            insert: text
+          }
+        })
+        this.view.focus()
       }
       
       insertAtCursor(text) {
-        const textarea = this.textareaTarget
-        const start = textarea.selectionStart
-        const end = textarea.selectionEnd
-        const before = textarea.value.substring(0, start)
-        const after = textarea.value.substring(end)
-        
-        textarea.value = before + text + after
-        textarea.selectionStart = textarea.selectionEnd = start + text.length
-        textarea.focus()
+        const selection = this.view.state.selection.main
+        this.view.dispatch({
+          changes: {
+            from: selection.from,
+            to: selection.to,
+            insert: text
+          },
+          selection: {
+            anchor: selection.from + text.length
+          }
+        })
+        this.view.focus()
       }
       
       clearEditor() {
-        this.textareaTarget.value = ''
-        this.textareaTarget.focus()
+        this.setSql('')
         
         // Clear query results
         const queryFrame = document.querySelector('turbo-frame#query-results')
@@ -457,13 +556,33 @@
         }
       }
       
+      isDmlQuery(sql) {
+        const trimmed = sql.trim().toLowerCase()
+        return /^(insert|update|delete|merge)\b/.test(trimmed)
+      }
+      
       runQuery() {
-        const sql = this.getSql()
-        if (!sql.trim()) {
+        const sql = this.getSql().trim()
+        if (!sql) {
           alert('Please enter a SQL query')
           return
         }
         
+        // Check if it's a DML query and confirm with user
+        if (this.isDmlQuery(sql)) {
+          const confirmed = confirm(
+            '⚠️ DATA MODIFICATION WARNING\n\n' +
+            'This query will INSERT, UPDATE, or DELETE data.\n\n' +
+            '• All changes are PERMANENT and cannot be undone\n' +
+            '• All operations are logged\n\n' +
+            'Do you want to proceed?'
+          )
+          
+          if (!confirmed) {
+            return // User cancelled
+          }
+        }
+        
         // Clear explain results when running query
         const explainFrame = document.querySelector('turbo-frame#explain-results')
         if (explainFrame) {
@@ -479,7 +598,7 @@
         form.action = '<%= query_console.run_path %>'
         form.setAttribute('data-turbo-frame', 'query-results')
         form.innerHTML = `
-          <input type="hidden" name="sql" value="${sql.replace(/"/g, '&quot;')}">
+          <input type="hidden" name="sql" value="${this.escapeHtml(sql)}">
           <input type="hidden" name="authenticity_token" value="${document.querySelector('meta[name=csrf-token]').content}">
         `
         document.body.appendChild(form)
@@ -488,8 +607,8 @@
       }
       
       explainQuery() {
-        const sql = this.getSql()
-        if (!sql.trim()) {
+        const sql = this.getSql().trim()
+        if (!sql) {
           alert('Please enter a SQL query')
           return
         }
@@ -506,13 +625,19 @@
         form.action = '<%= query_console.explain_path %>'
         form.setAttribute('data-turbo-frame', 'explain-results')
         form.innerHTML = `
-          <input type="hidden" name="sql" value="${sql.replace(/"/g, '&quot;')}">
+          <input type="hidden" name="sql" value="${this.escapeHtml(sql)}">
           <input type="hidden" name="authenticity_token" value="${document.querySelector('meta[name=csrf-token]').content}">
         `
         document.body.appendChild(form)
         form.requestSubmit()
         document.body.removeChild(form)
       }
+      
+      escapeHtml(text) {
+        const div = document.createElement('div')
+        div.textContent = text
+        return div.innerHTML
+      }
     }
     application.register("editor", EditorController)
 
@@ -834,9 +959,16 @@
   <div class="container">
     <!-- Banner -->
     <div class="banner" data-controller="collapsible" data-collapsible-key-value="banner">
-      <h2>🔍 Read-Only SQL Query Console <small>v0.2.0</small></h2>
+      <h2>🔍 <% if QueryConsole.configuration.enable_dml %>SQL Query Console<% else %>Read-Only SQL Query Console<% end %> <small>v0.2.0</small></h2>
       <div class="banner-content">
-        <p><strong>Security:</strong> Read-only SELECT & WITH queries only. All queries are logged.</p>
+        <p>
+          <strong>Security:</strong> 
+          <% if QueryConsole.configuration.enable_dml %>
+            DML queries (INSERT, UPDATE, DELETE) are enabled. All queries are logged. Use with caution.
+          <% else %>
+            Read-only SELECT & WITH queries only. All queries are logged.
+          <% end %>
+        </p>
         <p><strong>New in v0.2.0:</strong> EXPLAIN query plans, Interactive Schema Explorer with quick insert buttons, Saved Queries with tags, import/export, and localStorage-based Query History!</p>
       </div>
       <button class="section-toggle" data-action="click->collapsible#toggle" type="button">▼</button>
@@ -856,17 +988,8 @@
         </div>
 
         <div class="editor-content" data-collapsible-target="content">
-        <!-- SQL Editor -->
-        <textarea
-          data-editor-target="textarea"
-          class="sql-editor"
-          placeholder="Enter your SELECT or WITH query here...
-
-Examples:
-  SELECT * FROM users LIMIT 10;
-  SELECT id, name, email FROM users WHERE active = true;
-  
-Use the Schema Explorer to discover tables and columns!">SELECT * FROM users LIMIT 10;</textarea>
+        <!-- SQL Editor (CodeMirror) -->
+        <div data-editor-target="container" class="sql-editor-container"></div>
 
         <!-- Results Area -->
         <%= turbo_frame_tag "query-results" do %>

data/lib/query_console/configuration.rb

@@ -9,6 +9,7 @@ module QueryConsole
                   :allowed_starts_with,
                   :enable_explain,
                   :enable_explain_analyze,
+                  :enable_dml,
                   :schema_explorer,
                   :schema_cache_seconds,
                   :schema_table_denylist,
@@ -32,6 +33,7 @@ module QueryConsole
       # v0.2.0 additions
       @enable_explain = true
       @enable_explain_analyze = false # ANALYZE can be expensive, disabled by default
+      @enable_dml = false # DML queries disabled by default for safety
       @schema_explorer = true
       @schema_cache_seconds = 60
       @schema_table_denylist = ["schema_migrations", "ar_internal_metadata"]

data/lib/query_console/version.rb

@@ -1,3 +1,3 @@
 module QueryConsole
-  VERSION = "0.2.0"
+  VERSION = "0.2.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: query_console
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Johnson Gnanasekar
@@ -93,8 +93,10 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-description: A Rails engine that provides a web-based SQL query console with read-only
-  enforcement, authorization hooks, and audit logging.
+description: 'A Rails engine providing a web-based SQL query console with security-first
+  design: read-only by default, optional DML (INSERT/UPDATE/DELETE) with confirmation
+  dialogs, flexible authorization, comprehensive audit logging, and query execution
+  plans.'
 email:
 - johnson@example.com
 executables: []
@@ -154,5 +156,6 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 3.6.7
 specification_version: 4
-summary: Mountable Rails engine for secure read-only SQL queries
+summary: Secure, mountable Rails SQL console with read-only enforcement and optional
+  DML support
 test_files: []