@arivie/db-postgres 0.1.2 → 2.0.0

package/dist/index.js

@@ -1,236 +1,10 @@
-import { createHash } from 'crypto';
-import postgres from 'postgres';
-import { ArivieBoundaryError } from '@arivie/core/types';
-export { ArivieBoundaryError } from '@arivie/core/types';
-
-// src/adapter.ts
-var ToolError = class extends Error {
-  constructor(kind, message) {
-    super(message ?? kind);
-    this.kind = kind;
-    this.name = "ToolError";
-  }
-  kind;
-  code = "ARIVIE_TOOL_ERROR";
-};
-
-// src/compile-metric.ts
-var FILTER_COL_PATTERN = /^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)?$/;
-var ENTITY_COL_REF = /\b([a-zA-Z_][a-zA-Z0-9_]*)\.([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
-function isFilterPrimitive(v) {
-  return typeof v === "string" || typeof v === "number" || typeof v === "boolean" || v === null;
-}
-function collectEntityRefs(text) {
-  const refs = /* @__PURE__ */ new Set();
-  for (const match of text.matchAll(ENTITY_COL_REF)) {
-    refs.add(match[1]);
-  }
-  return refs;
-}
-function detectJoinsNeeded(entity, dimensionSqls, filterKeys) {
-  const joinTargets = new Set((entity.joins ?? []).map((j) => j.to));
-  const refs = /* @__PURE__ */ new Set();
-  for (const sql of dimensionSqls) {
-    for (const ref of collectEntityRefs(sql)) {
-      if (joinTargets.has(ref) && ref !== entity.name) {
-        refs.add(ref);
-      }
-    }
-  }
-  for (const key of filterKeys) {
-    const dot = key.indexOf(".");
-    if (dot > 0) {
-      const refEntity = key.slice(0, dot);
-      if (joinTargets.has(refEntity) && refEntity !== entity.name) {
-        refs.add(refEntity);
-      }
-    }
-  }
-  return refs;
-}
-function buildJoinClauses(entity, joinsNeeded) {
-  const clauses = [];
-  for (const otherEntity of joinsNeeded) {
-    const matching = (entity.joins ?? []).filter((j) => j.to === otherEntity);
-    if (matching.length === 0) {
-      continue;
-    }
-    if (matching.length > 1) {
-      throw new ToolError(
-        "join-ambiguous",
-        `multiple join paths to '${otherEntity}'; specify entityHint to disambiguate`
-      );
-    }
-    const join = matching[0];
-    clauses.push(`LEFT JOIN ${join.to} ON ${join.on}`);
-  }
-  return clauses;
-}
-function compileMetricForPostgres(opts) {
-  const { entity, metric } = opts;
-  const measure = entity.measures?.find((m) => m.name === metric);
-  if (measure == null) {
-    throw new ToolError(
-      "metric-not-found",
-      `metric '${metric}' not found on entity '${entity.name}'`
-    );
-  }
-  const dimensionNames = opts.dimensions ?? [];
-  const selectExprs = [`(${measure.sql}) AS "${measure.name}"`];
-  const dimensionSqls = [];
-  for (const dimName of dimensionNames) {
-    const dim = entity.dimensions?.find((d) => d.name === dimName);
-    if (dim == null) {
-      throw new ToolError(
-        "dimension-not-found",
-        `dimension '${dimName}' not found on entity '${entity.name}'`
-      );
-    }
-    selectExprs.push(`(${dim.sql}) AS "${dim.name}"`);
-    dimensionSqls.push(dim.sql);
-  }
-  const filterKeys = Object.keys(opts.filters ?? {});
-  const joinsNeeded = detectJoinsNeeded(entity, dimensionSqls, filterKeys);
-  const joinClauses = buildJoinClauses(entity, joinsNeeded);
-  const whereClauses = [];
-  const params = [];
-  for (const segName of opts.segments ?? []) {
-    const seg = entity.segments?.find((s) => s.name === segName);
-    if (seg == null) {
-      throw new ToolError(
-        "segment-not-found",
-        `segment '${segName}' not found on entity '${entity.name}'`
-      );
-    }
-    whereClauses.push(`(${seg.sql})`);
-  }
-  for (const [col, value] of Object.entries(opts.filters ?? {})) {
-    if (!FILTER_COL_PATTERN.test(col)) {
-      throw new ToolError(
-        "filter-invalid",
-        `filter column '${col}' must be a plain identifier`
-      );
-    }
-    if (!isFilterPrimitive(value)) {
-      throw new ToolError(
-        "filter-invalid",
-        `filter value for '${col}' must be string|number|boolean|null`
-      );
-    }
-    if (value === null) {
-      whereClauses.push(`${col} IS NULL`);
-    } else {
-      whereClauses.push(`${col} = $${params.length + 1}`);
-      params.push(value);
-    }
-  }
-  const fromTable = typeof entity.source === "string" ? entity.source : entity.name;
-  const parts = [`SELECT ${selectExprs.join(", ")}`, `FROM ${fromTable}`];
-  if (joinClauses.length > 0) {
-    parts.push(...joinClauses);
-  }
-  if (whereClauses.length > 0) {
-    parts.push(`WHERE ${whereClauses.join(" AND ")}`);
-  }
-  if (dimensionNames.length > 0) {
-    parts.push(
-      `GROUP BY ${dimensionNames.map((d) => `"${d}"`).join(", ")}`
-    );
-  }
-  const query = parts.join(" ");
-  return params.length > 0 ? { query, params } : { query };
-}
-
-// src/identifier.ts
-var IDENT_RE = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
-function escapeIdent(name) {
-  if (!IDENT_RE.test(name)) {
-    throw new ToolError("sql-invalid", `invalid identifier: ${name}`);
-  }
-  return `"${name}"`;
-}
-
-// src/execute.ts
-function isPostgresError(err) {
-  return typeof err === "object" && err !== null && "code" in err;
-}
-async function executeImpl(sql, opts) {
-  const startedAt = Date.now();
-  if (!Number.isFinite(opts.timeoutMs) || !Number.isInteger(opts.timeoutMs) || opts.timeoutMs <= 0) {
-    throw new ToolError(
-      "sql-invalid",
-      `timeoutMs must be a positive integer; got ${String(opts.timeoutMs)}`
-    );
-  }
-  if (!Number.isFinite(opts.rowLimit) || !Number.isInteger(opts.rowLimit) || opts.rowLimit <= 0) {
-    throw new ToolError(
-      "sql-invalid",
-      `rowLimit must be a positive integer; got ${String(opts.rowLimit)}`
-    );
-  }
-  if (opts.runAsRole == null || opts.runAsRole === "") {
-    throw new ToolError("sql-invalid", "runAsRole is required");
-  }
-  const runAsRole = opts.runAsRole;
-  try {
-    const rows = await sql.begin(async (tx) => {
-      await tx.unsafe(`SET LOCAL ROLE ${escapeIdent(runAsRole)}`);
-      await tx.unsafe(
-        `SET LOCAL statement_timeout = ${opts.timeoutMs}`
-      );
-      let queryParams;
-      if (opts.params != null) {
-        const copy = [...opts.params];
-        for (let i = 0; i < copy.length; i++) {
-          const v = copy[i];
-          if (v !== null && typeof v !== "string" && typeof v !== "number" && typeof v !== "boolean") {
-            throw new ToolError(
-              "sql-invalid",
-              `params[${i}] must be string|number|boolean|null; got ${typeof v}`
-            );
-          }
-        }
-        queryParams = copy;
-      }
-      return await tx.unsafe(opts.query, queryParams);
-    });
-    const truncated = rows.length > opts.rowLimit;
-    const limited = rows.slice(0, opts.rowLimit);
-    return {
-      rows: limited,
-      rowCount: limited.length,
-      durationMs: Date.now() - startedAt,
-      truncated
-    };
-  } catch (err) {
-    if (isPostgresError(err)) {
-      if (err.code === "42501") {
-        throw new ToolError(
-          "sql-permission-denied",
-          "permission denied for SQL operation"
-        );
-      }
-      if (err.code === "57014") {
-        throw new ToolError("sql-timeout", "statement timeout");
-      }
-    }
-    throw err;
-  }
-}
-
-// src/introspect.ts
-var PII_RE = /email|phone|ssn|address|dob|password|secret|token|card/i;
-async function introspect(sql) {
-  const tables = await sql`
+import {createHash}from'crypto';import F from'postgres';import {ArivieBoundaryError}from'@arivie/core/types';export{ArivieBoundaryError}from'@arivie/core/types';var s=class extends Error{constructor(n,o){super(o??n);this.kind=n;this.name="ToolError";}kind;code="ARIVIE_TOOL_ERROR"};var L=/^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)?$/,$=/\b([a-zA-Z_][a-zA-Z0-9_]*)\.([a-zA-Z_][a-zA-Z0-9_]*)\b/g;function C(t){return typeof t=="string"||typeof t=="number"||typeof t=="boolean"||t===null}function I(t){let e=new Set;for(let n of t.matchAll($))e.add(n[1]);return e}function k(t,e,n){let o=new Set((t.joins??[]).map(r=>r.to)),i=new Set;for(let r of e)for(let c of I(r))o.has(c)&&c!==t.name&&i.add(c);for(let r of n){let c=r.indexOf(".");if(c>0){let l=r.slice(0,c);o.has(l)&&l!==t.name&&i.add(l);}}return i}function v(t,e){let n=[];for(let o of e){let i=(t.joins??[]).filter(c=>c.to===o);if(i.length===0)continue;if(i.length>1)throw new s("join-ambiguous",`multiple join paths to '${o}'; specify entityHint to disambiguate`);let r=i[0];n.push(`LEFT JOIN ${r.to} ON ${r.on}`);}return n}function b(t){let e=t.entity,{metric:n}=t,o=e.measures?.find(u=>u.name===n);if(o==null)throw new s("metric-not-found",`metric '${n}' not found on entity '${e.name}'`);let i=t.dimensions??[],r=[`(${o.sql}) AS "${o.name}"`],c=[];for(let u of i){let f=e.dimensions?.find(w=>w.name===u);if(f==null)throw new s("dimension-not-found",`dimension '${u}' not found on entity '${e.name}'`);r.push(`(${f.sql}) AS "${f.name}"`),c.push(f.sql);}let l=Object.keys(t.filters??{}),p=k(e,c,l),d=v(e,p),a=[],m=[];for(let u of t.segments??[]){let f=e.segments?.find(w=>w.name===u);if(f==null)throw new s("segment-not-found",`segment '${u}' not found on entity '${e.name}'`);a.push(`(${f.sql})`);}for(let[u,f]of Object.entries(t.filters??{})){if(!L.test(u))throw new s("filter-invalid",`filter column '${u}' must be a plain identifier`);if(!C(f))throw new s("filter-invalid",`filter value for '${u}' must be string|number|boolean|null`);f===null?a.push(`${u} IS NULL`):(a.push(`${u} = $${m.length+1}`),m.push(f));}let S=typeof e.source=="string"?e.source:e.name,g=[`SELECT ${r.join(", ")}`,`FROM ${S}`];d.length>0&&g.push(...d),a.length>0&&g.push(`WHERE ${a.join(" AND ")}`),i.length>0&&g.push(`GROUP BY ${i.map(u=>`"${u}"`).join(", ")}`);let h=g.join(" ");return m.length>0?{query:h,params:m}:{query:h}}var x=/^[a-zA-Z_][a-zA-Z0-9_]*$/;function E(t){if(!x.test(t))throw new s("sql-invalid",`invalid identifier: ${t}`);return `"${t}"`}function M(t){return typeof t=="object"&&t!==null&&"code"in t}async function R(t,e){let n=Date.now();if(!Number.isFinite(e.timeoutMs)||!Number.isInteger(e.timeoutMs)||e.timeoutMs<=0)throw new s("sql-invalid",`timeoutMs must be a positive integer; got ${String(e.timeoutMs)}`);if(!Number.isFinite(e.rowLimit)||!Number.isInteger(e.rowLimit)||e.rowLimit<=0)throw new s("sql-invalid",`rowLimit must be a positive integer; got ${String(e.rowLimit)}`);let o=typeof e.runAsRole=="string"&&e.runAsRole.length>0?e.runAsRole:void 0;try{let i=await t.begin(async l=>{o!==void 0&&await l.unsafe(`SET LOCAL ROLE ${E(o)}`),await l.unsafe(`SET LOCAL statement_timeout = ${e.timeoutMs}`);let p;if(e.params!=null){let d=[...e.params];for(let a=0;a<d.length;a++){let m=d[a];if(m!==null&&typeof m!="string"&&typeof m!="number"&&typeof m!="boolean")throw new s("sql-invalid",`params[${a}] must be string|number|boolean|null; got ${typeof m}`)}p=d;}return await l.unsafe(e.query,p)}),r=i.length>e.rowLimit,c=i.slice(0,e.rowLimit);return {rows:c,rowCount:c.length,durationMs:Date.now()-n,truncated:r}}catch(i){if(M(i)){if(i.code==="42501")throw new s("sql-permission-denied","permission denied for SQL operation");if(i.code==="57014")throw new s("sql-timeout","statement timeout")}throw i}}var D=/email|phone|ssn|address|dob|password|secret|token|card/i;async function T(t){let e=await t`
     SELECT table_name
     FROM information_schema.tables
     WHERE table_schema = 'public'
       AND table_type = 'BASE TABLE'
     ORDER BY table_name
-  `;
-  const result = [];
-  for (const { table_name } of tables) {
-    const columns = await sql`
+  `,n=[];for(let{table_name:o}of e){let i=await t`
       SELECT
         c.column_name,
         c.data_type,
@@ -244,10 +18,9 @@ async function introspect(sql) {
         ON pgd.objoid = st.relid
         AND pgd.objsubid = c.ordinal_position
       WHERE c.table_schema = 'public'
-        AND c.table_name = ${table_name}
+        AND c.table_name = ${o}
       ORDER BY c.ordinal_position
-    `;
-    const pkRows = await sql`
+    `,r=await t`
       SELECT kcu.column_name
       FROM information_schema.table_constraints tc
       JOIN information_schema.key_column_usage kcu
@@ -255,11 +28,10 @@ async function introspect(sql) {
         AND tc.table_schema = kcu.table_schema
         AND tc.table_name = kcu.table_name
       WHERE tc.table_schema = 'public'
-        AND tc.table_name = ${table_name}
+        AND tc.table_name = ${o}
         AND tc.constraint_type = 'PRIMARY KEY'
       ORDER BY kcu.ordinal_position
-    `;
-    const fkRows = await sql`
+    `,c=await t`
       SELECT
         kcu.column_name,
         ccu.table_name AS references_table,
@@ -273,328 +45,19 @@ async function introspect(sql) {
         ON ccu.constraint_name = tc.constraint_name
         AND ccu.table_schema = tc.table_schema
       WHERE tc.table_schema = 'public'
-        AND tc.table_name = ${table_name}
+        AND tc.table_name = ${o}
         AND tc.constraint_type = 'FOREIGN KEY'
       ORDER BY kcu.ordinal_position
-    `;
-    const countRows = await sql`
+    `,p=(await t`
       SELECT reltuples::bigint AS row_count
       FROM pg_class
-      WHERE relname = ${table_name}
-    `;
-    const rowCountRaw = countRows[0]?.row_count;
-    const row_count = rowCountRaw === null || rowCountRaw === void 0 ? 0 : Number(rowCountRaw);
-    result.push({
-      schema: "public",
-      name: table_name,
-      columns: columns.map((col) => {
-        const column = {
-          name: col.column_name,
-          type: col.data_type,
-          nullable: col.is_nullable === "YES"
-        };
-        if (col.comment) {
-          column.comment = col.comment;
-        }
-        if (PII_RE.test(col.column_name)) {
-          column.isPii = true;
-        }
-        return column;
-      }),
-      primary_key: pkRows.map((r) => r.column_name),
-      foreign_keys: fkRows.map((r) => ({
-        column: r.column_name,
-        references: {
-          table: r.references_table,
-          column: r.references_column
-        }
-      })),
-      row_count
-    });
-  }
-  return result;
-}
-
-// src/setup-role.ts
-var SETUP_ROLE_LOCK_KEY = 982374623;
-function isDuplicateRoleError(err) {
-  return err != null && typeof err === "object" && "code" in err && err.code === "42710";
-}
-async function setupRole(sql, role, options) {
-  const roleIdent = escapeIdent(role);
-  await sql.unsafe(`SELECT pg_advisory_lock(${SETUP_ROLE_LOCK_KEY})`);
-  try {
-    try {
-      await sql.unsafe(`CREATE ROLE ${roleIdent} LOGIN`);
-    } catch (err) {
-      if (!isDuplicateRoleError(err)) {
-        throw err;
-      }
-    }
-    await sql.unsafe(`
+      WHERE relname = ${o}
+    `)[0]?.row_count,d=p==null?0:Number(p);n.push({schema:"public",name:o,columns:i.map(a=>{let m={name:a.column_name,type:a.data_type,nullable:a.is_nullable==="YES"};return a.comment&&(m.comment=a.comment),D.test(a.column_name)&&(m.isPii=true),m}),primary_key:r.map(a=>a.column_name),foreign_keys:c.map(a=>({column:a.column_name,references:{table:a.references_table,column:a.references_column}})),row_count:d});}return n}var y=982374623;function P(t){return t!=null&&typeof t=="object"&&"code"in t&&t.code==="42710"}async function A(t,e,n){let o=E(e);await t.unsafe(`SELECT pg_advisory_lock(${y})`);try{try{await t.unsafe(`CREATE ROLE ${o} LOGIN`);}catch(r){if(!P(r))throw r}await t.unsafe(`
       CREATE TABLE IF NOT EXISTS arivie_owner_identity (
         key TEXT PRIMARY KEY,
         value TEXT NOT NULL
       );
-    `);
-    await sql.unsafe(`GRANT USAGE ON SCHEMA public TO ${roleIdent}`);
-    const allowedTables = options?.allowedTables;
-    if (allowedTables && allowedTables.length > 0) {
-      for (const table of allowedTables) {
-        await sql.unsafe(
-          `GRANT SELECT ON TABLE public.${escapeIdent(table)} TO ${roleIdent}`
-        );
-      }
-    } else {
-      await sql.unsafe(
-        `GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${roleIdent}`
-      );
-    }
-    await sql.unsafe(
-      `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ${roleIdent}`
-    );
-    await sql.unsafe(
-      `GRANT ${roleIdent} TO CURRENT_USER WITH SET TRUE`
-    );
-  } finally {
-    await sql.unsafe(`SELECT pg_advisory_unlock(${SETUP_ROLE_LOCK_KEY})`);
-  }
-}
-
-// src/verify.ts
-async function verifyOwnerIdentity(sql, expectedOwnerId) {
-  const rows = await sql`
+    `),await t.unsafe(`GRANT USAGE ON SCHEMA public TO ${o}`);let i=n?.allowedTables;if(i&&i.length>0)for(let r of i)await t.unsafe(`GRANT SELECT ON TABLE public.${E(r)} TO ${o}`);else await t.unsafe(`GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${o}`);await t.unsafe(`ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ${o}`),await t.unsafe(`GRANT ${o} TO CURRENT_USER WITH SET TRUE`);}finally{await t.unsafe(`SELECT pg_advisory_unlock(${y})`);}}async function O(t,e){let n=await t`
     SELECT value FROM arivie_owner_identity WHERE key = 'owner_id'
-  `;
-  if (rows.length === 0) {
-    throw new ArivieBoundaryError(
-      {
-        reason: "identity-table-missing",
-        expected: expectedOwnerId
-      },
-      "arivie_owner_identity table missing or empty; run 'arivie setup' first"
-    );
-  }
-  const dbValue = rows[0]?.value;
-  if (dbValue !== expectedOwnerId) {
-    throw new ArivieBoundaryError(
-      {
-        reason: "identity-mismatch",
-        dbValue,
-        expected: expectedOwnerId
-      },
-      `owner identity mismatch: database has '${String(dbValue)}', expected '${expectedOwnerId}'`
-    );
-  }
-}
-
-// src/adapter.ts
-function derivePostgresAdapterId(url) {
-  try {
-    const parsed = new URL(url);
-    const host = parsed.hostname || "localhost";
-    const db = parsed.pathname.replace(/^\//, "") || "postgres";
-    return `postgres:${host}/${db}`;
-  } catch {
-    const hash = createHash("sha256").update(url).digest("hex").slice(0, 12);
-    return `postgres:${hash}`;
-  }
-}
-function postgresAdapter(opts) {
-  const sql = postgres(opts.url, {
-    max: opts.maxConnections ?? 10,
-    idle_timeout: (opts.idleTimeoutMs ?? 3e4) / 1e3,
-    onnotice: () => {
-    }
-  });
-  return {
-    kind: "postgres",
-    id: derivePostgresAdapterId(opts.url),
-    url: opts.url,
-    sql,
-    execute: (executeOpts) => executeImpl(sql, executeOpts),
-    introspect: () => introspect(sql),
-    verifyOwnerIdentity: (expectedOwnerId) => verifyOwnerIdentity(sql, expectedOwnerId),
-    setupRole: (role, options) => setupRole(sql, role, options),
-    compileMetric: compileMetricForPostgres,
-    close: async () => {
-      await sql.end();
-    }
-  };
-}
-
-// src/sql-guard.ts
-var FORBIDDEN_KEYWORDS = [
-  "INSERT",
-  "UPDATE",
-  "DELETE",
-  "MERGE",
-  "TRUNCATE",
-  "DROP",
-  "CREATE",
-  "ALTER",
-  "GRANT",
-  "REVOKE",
-  "REINDEX",
-  "VACUUM",
-  "CLUSTER",
-  "COPY",
-  "CALL",
-  "DO",
-  "LOCK",
-  "COMMENT",
-  "REFRESH",
-  "REASSIGN",
-  "EXECUTE",
-  "PREPARE",
-  "DEALLOCATE",
-  "DISCARD",
-  "LISTEN",
-  "NOTIFY",
-  "UNLISTEN",
-  "SET",
-  "RESET"
-];
-var SYSTEM_CATALOG_PATTERN = /\b(pg_catalog|information_schema)\b/i;
-var FORBIDDEN_PATTERN = new RegExp(
-  `\\b(${FORBIDDEN_KEYWORDS.join("|")})\\b`,
-  "i"
-);
-function stripLiteralsAndComments(sql) {
-  const out = [];
-  let i = 0;
-  const n = sql.length;
-  while (i < n) {
-    const c = sql[i];
-    if (c === void 0) {
-      break;
-    }
-    const next = i + 1 < n ? sql[i + 1] : "";
-    if (c === "-" && next === "-") {
-      while (i < n && sql[i] !== "\n") {
-        out.push(" ");
-        i += 1;
-      }
-      continue;
-    }
-    if (c === "/" && next === "*") {
-      out.push("  ");
-      i += 2;
-      while (i < n) {
-        if (sql[i] === "*" && i + 1 < n && sql[i + 1] === "/") {
-          out.push("  ");
-          i += 2;
-          break;
-        }
-        out.push(" ");
-        i += 1;
-      }
-      continue;
-    }
-    if (c === "'") {
-      out.push("'");
-      i += 1;
-      while (i < n) {
-        if (sql[i] === "'") {
-          if (i + 1 < n && sql[i + 1] === "'") {
-            out.push("  ");
-            i += 2;
-            continue;
-          }
-          out.push("'");
-          i += 1;
-          break;
-        }
-        out.push(" ");
-        i += 1;
-      }
-      continue;
-    }
-    if (c === '"') {
-      out.push('"');
-      i += 1;
-      while (i < n) {
-        if (sql[i] === '"') {
-          if (i + 1 < n && sql[i + 1] === '"') {
-            out.push("  ");
-            i += 2;
-            continue;
-          }
-          out.push('"');
-          i += 1;
-          break;
-        }
-        out.push(" ");
-        i += 1;
-      }
-      continue;
-    }
-    if (c === "$") {
-      const tagMatch = /^\$([A-Za-z_][A-Za-z_0-9]*)?\$/.exec(sql.slice(i));
-      if (tagMatch != null) {
-        const tag = tagMatch[0];
-        out.push(" ".repeat(tag.length));
-        i += tag.length;
-        const end = sql.indexOf(tag, i);
-        if (end === -1) {
-          while (i < n) {
-            out.push(" ");
-            i += 1;
-          }
-          continue;
-        }
-        while (i < end) {
-          out.push(" ");
-          i += 1;
-        }
-        out.push(" ".repeat(tag.length));
-        i += tag.length;
-        continue;
-      }
-    }
-    out.push(c);
-    i += 1;
-  }
-  return out.join("");
-}
-function firstKeyword(sql) {
-  const stripped = stripLiteralsAndComments(sql);
-  const m = /\s*\(*\s*([A-Za-z_][A-Za-z_0-9]*)/.exec(stripped);
-  return m?.[1] ? m[1].toUpperCase() : null;
-}
-function validateExecuteSql(sql) {
-  const trimmed = sql.trim();
-  if (trimmed.length === 0) {
-    throw new ToolError("sql-invalid", "empty query");
-  }
-  const stripped = stripLiteralsAndComments(trimmed);
-  if (stripped.includes(";")) {
-    const lastSemi = stripped.lastIndexOf(";");
-    const tail = stripped.slice(lastSemi + 1).trim();
-    if (tail.length > 0) {
-      throw new ToolError(
-        "sql-invalid",
-        "multi-statement queries are not allowed"
-      );
-    }
-  }
-  const head = firstKeyword(trimmed);
-  if (head !== "SELECT" && head !== "WITH") {
-    throw new ToolError(
-      "sql-invalid",
-      "only SELECT and WITH statements are allowed"
-    );
-  }
-  if (SYSTEM_CATALOG_PATTERN.test(stripped)) {
-    throw new ToolError("sql-blocked", "system catalog access is blocked");
-  }
-  const forbidden = FORBIDDEN_PATTERN.exec(stripped);
-  if (forbidden != null) {
-    throw new ToolError(
-      "sql-blocked",
-      `forbidden keyword '${forbidden[1]?.toUpperCase()}' in query`
-    );
-  }
-}
-
-export { ToolError, compileMetricForPostgres, postgresAdapter, validateExecuteSql };
+  `;if(n.length===0)throw new ArivieBoundaryError({reason:"identity-table-missing",expected:e},"arivie_owner_identity table missing or empty; run 'arivie setup' first");let o=n[0]?.value;if(o!==e)throw new ArivieBoundaryError({reason:"identity-mismatch",dbValue:o,expected:e},`owner identity mismatch: database has '${String(o)}', expected '${e}'`)}function U(t){try{let e=new URL(t),n=e.hostname||"localhost",o=e.pathname.replace(/^\//,"")||"postgres";return `postgres:${n}/${o}`}catch{return `postgres:${createHash("sha256").update(t).digest("hex").slice(0,12)}`}}function Y(t){let e=F(t.url,{max:t.maxConnections??10,idle_timeout:(t.idleTimeoutMs??3e4)/1e3,onnotice:()=>{}});return {kind:"postgres",id:U(t.url),url:t.url,sql:e,execute:n=>R(e,n),introspect:()=>T(e),verifyOwnerIdentity:n=>O(e,n),setupRole:(n,o)=>A(e,n,o),compileMetric:b,close:async()=>{await e.end();}}}var B=["INSERT","UPDATE","DELETE","MERGE","TRUNCATE","DROP","CREATE","ALTER","GRANT","REVOKE","REINDEX","VACUUM","CLUSTER","COPY","CALL","DO","LOCK","COMMENT","REFRESH","REASSIGN","EXECUTE","PREPARE","DEALLOCATE","DISCARD","LISTEN","NOTIFY","UNLISTEN","SET","RESET"],H=/\b(pg_catalog|information_schema)\b/i,z=new RegExp(`\\b(${B.join("|")})\\b`,"i");function N(t){let e=[],n=0,o=t.length;for(;n<o;){let i=t[n];if(i===void 0)break;let r=n+1<o?t[n+1]:"";if(i==="-"&&r==="-"){for(;n<o&&t[n]!==`
+`;)e.push(" "),n+=1;continue}if(i==="/"&&r==="*"){for(e.push("  "),n+=2;n<o;){if(t[n]==="*"&&n+1<o&&t[n+1]==="/"){e.push("  "),n+=2;break}e.push(" "),n+=1;}continue}if(i==="'"){for(e.push("'"),n+=1;n<o;){if(t[n]==="'"){if(n+1<o&&t[n+1]==="'"){e.push("  "),n+=2;continue}e.push("'"),n+=1;break}e.push(" "),n+=1;}continue}if(i==='"'){for(e.push('"'),n+=1;n<o;){if(t[n]==='"'){if(n+1<o&&t[n+1]==='"'){e.push("  "),n+=2;continue}e.push('"'),n+=1;break}e.push(" "),n+=1;}continue}if(i==="$"){let c=/^\$([A-Za-z_][A-Za-z_0-9]*)?\$/.exec(t.slice(n));if(c!=null){let l=c[0];e.push(" ".repeat(l.length)),n+=l.length;let p=t.indexOf(l,n);if(p===-1){for(;n<o;)e.push(" "),n+=1;continue}for(;n<p;)e.push(" "),n+=1;e.push(" ".repeat(l.length)),n+=l.length;continue}}e.push(i),n+=1;}return e.join("")}function G(t){let e=N(t),n=/\s*\(*\s*([A-Za-z_][A-Za-z_0-9]*)/.exec(e);return n?.[1]?n[1].toUpperCase():null}function Z(t){let e=t.trim();if(e.length===0)throw new s("sql-invalid","empty query");let n=N(e);if(n.includes(";")){let r=n.lastIndexOf(";");if(n.slice(r+1).trim().length>0)throw new s("sql-invalid","multi-statement queries are not allowed")}let o=G(e);if(o!=="SELECT"&&o!=="WITH")throw new s("sql-invalid","only SELECT and WITH statements are allowed");if(H.test(n))throw new s("sql-blocked","system catalog access is blocked");let i=z.exec(n);if(i!=null)throw new s("sql-blocked",`forbidden keyword '${i[1]?.toUpperCase()}' in query`)}export{s as ToolError,b as compileMetricForPostgres,Y as postgresAdapter,Z as validateExecuteSql};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arivie/db-postgres",
-  "version": "0.1.2",
+  "version": "2.0.0",
   "description": "Arivie Postgres adapter — role-scoped execute, introspect, owner-identity verification.",
   "type": "module",
   "license": "Apache-2.0",
@@ -19,7 +19,7 @@
     "CHANGELOG.md"
   ],
   "dependencies": {
-    "@arivie/core": "1.1.0"
+    "@arivie/core": "2.0.0"
   },
   "peerDependencies": {
     "postgres": "^3.4.9"
@@ -32,7 +32,7 @@
     "tsup": "^8.5.1",
     "typescript": "^6.0.0",
     "vitest": "^4.1.0",
-    "@arivie/semantic": "0.1.0"
+    "@arivie/semantic": "2.0.0"
   },
   "publishConfig": {
     "access": "public",