@carbonorm/carbonnode 4.0.1 → 5.0.0

package/README.md

@@ -47,45 +47,104 @@ npm install @carbonorm/carbonnode
 
 ## Generate Models
 
-The command below will generate the models for the database. The models will be generated in the output directory. We do
-recommend you keep this folder separate from other work. It is also best to track the output directory in your version 
-control system. All arguments are optional. If you do not provide them the defaults will be used. The example arguments
-below are the defaults.
+The generator produces a single `C6.ts` file containing all tables, types, and REST bindings. Keep this file in version
+control and share it between server and client. All arguments are optional; the example below shows the defaults.
 
 ```bash
-npx generateRestBindings --user root --pass password --host 127.0.0.1 --port 3306 --dbname carbonPHP --prefix carbon_ --output /src/api/rest
+npx generateRestBindings --user root --pass password --host 127.0.0.1 --port 3306 --dbname carbonPHP --prefix carbon_ --output ./shared/rest/C6.ts
 ```
 
-You can view the [code generated](https://github.com/CarbonORM/CarbonORM.dev/blob/www/src/api/rest/Users.tsx) by 
-[this command](https://github.com/CarbonORM/CarbonNode/blob/main/scripts/generateRestBindings.ts) in 
-[this repository](git@github.com:CarbonORM/CarbonNode.git). We use [Handlebars templates](https://mustache.github.io/) 
-to generate the code.
+The generated file exports `C6`, `GLOBAL_REST_PARAMETERS`, `TABLES`, `ORM`, and per-table bindings (e.g. `Users`):
+
+```typescript
+import { C6, GLOBAL_REST_PARAMETERS, Users } from "./shared/rest/C6";
+```
+
+You can view the generator source in
+[CarbonNode](https://github.com/CarbonORM/CarbonNode/blob/main/scripts/generateRestBindings.ts). We use
+[Handlebars templates](https://mustache.github.io/) to generate the code.
+
+### Runtime Setup
+
+CarbonNode executes SQL directly when `GLOBAL_REST_PARAMETERS.mysqlPool` is provided. If no pool is set, it will use
+the HTTP executor (useful for frontends or non-Node runtimes).
+
+```typescript
+import mysql from "mysql2/promise";
+import { GLOBAL_REST_PARAMETERS } from "./shared/rest/C6";
+
+GLOBAL_REST_PARAMETERS.mysqlPool = mysql.createPool({
+    host: "127.0.0.1",
+    user: "root",
+    password: "password",
+    database: "carbonPHP",
+});
+
+// Optional HTTP path:
+// GLOBAL_REST_PARAMETERS.axios = axiosInstance;
+// GLOBAL_REST_PARAMETERS.restURL = "/rest/";
+
+// Optional websocket broadcast on writes:
+// GLOBAL_REST_PARAMETERS.websocketBroadcast = (payload) => wsServer.broadcast(JSON.stringify(payload));
+```
+
+### Request Flow
+
+```mermaid
+flowchart LR
+    Client["App code\nActor.Get(...)" ] --> RestRequest["restOrm + restRequest"]
+    RestRequest -->|"Node + mysqlPool"| SqlExec["SqlExecutor"] --> MySQL[("MySQL")]
+    RestRequest -->|"No pool"| HttpExec["HttpExecutor"] --> RestApi["/rest/:table"]
+    RestApi --> Express["ExpressHandler"] --> SqlExec
+```
+
+### SQL Allowlist
+
+To restrict which SQL statements can run in production, set `GLOBAL_REST_PARAMETERS.sqlAllowListPath` to a JSON file
+containing allowed SQL strings. When the path is set, `SqlExecutor` normalizes whitespace and validates each query against
+the allowlist. If the file is missing, an error is thrown; if the SQL is not listed, execution is blocked.
+
+```typescript
+GLOBAL_REST_PARAMETERS.sqlAllowListPath = "/path/to/sqlAllowList.json";
+```
+
+Allowlist format:
+
+```json
+[
+  "SELECT * FROM `actor` LIMIT 1"
+]
+```
+
+Generated tests in `src/__tests__/sakila-db/C6.test.ts` write response fixtures into `src/__tests__/sakila-db/sqlResponses/`
+and compile `src/__tests__/sakila-db/C6.sqlAllowList.json` after the suite finishes. Pass that file path to enable
+validation.
+
+When using the REST handler directly, forward the path as well:
+
+```typescript
+app.all("/rest/:table", ExpressHandler({ C6, mysqlPool, sqlAllowListPath }));
+```
 
 ### Generated Tests
 
-Tests are generated for each table in the database. The tests are generated in the same directory as the models. 
-Our Jest tests are not designed to run immediately. You will need to edit the tests manually to change *xdescribe* with just
-*describe*. Once a test does not have xdescribe it will no longer be updated with new generation changes.
+The generator also writes `C6.test.ts` alongside `C6.ts`. Tests use Vitest and the generated bindings. Keep or delete the
+file depending on your workflow.
 
-Note - I prefer to keep tests nested in my IDE project viewer. See the documentation for 
-[IntelliJ](https://www.jetbrains.com/help/idea/file-nesting-dialog.html) or 
-[VSCode](https://code.visualstudio.com/updates/v1_67#_explorer-file-nesting).
+The generator also writes `C6.MySqlDump.json`, `C6.mysqldump.sql`, and `C6.mysql.cnf` into the same output directory for
+debugging and inspection.
 
 ### Templates
 
-Three templates are used to generate the models. The output will be multiple files; two files for each table in the 
-database consisting of your GET PUT POST and DELETE methods and a Jest test file, a C6.tsx file which contains all 
-table information and TypeScript types, and finally a websocket file which contains references to methods that are 
-generate. Here are the templates used to generate the code:
+Two templates are used to generate the output:
 
 1) [C6.ts.handlebars](https://github.com/CarbonORM/CarbonNode/blob/main/scripts/assets/handlebars/C6.ts.handlebars)
-2) [Table.ts.handlebars](https://github.com/CarbonORM/CarbonNode/blob/main/scripts/assets/handlebars/Table.ts.handlebars)
-3) [Websocket.ts.handlebars](https://github.com/CarbonORM/CarbonNode/blob/main/scripts/assets/handlebars/C6RestApi.ts.handlebars)
+2) [C6.test.ts.handlebars](https://github.com/CarbonORM/CarbonNode/blob/main/scripts/assets/handlebars/C6.test.ts.handlebars)
 
 #### Generation Example
 
 0) **npx generateRestBindings** is executed.
-1) **The MySQL dump tool** outputs a strcture for every table.
+1) **The MySQL dump tool** outputs a structure for every table.
 
 ```mysql
 CREATE TABLE actor (
@@ -98,6 +157,7 @@ CREATE TABLE actor (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 ```
 
+2) **The generator** parses the table structure and creates an internal representation.
 ```typescript
 export interface iActor {
     'actor_id'?: number;
@@ -191,52 +251,102 @@ export const Actor = {
 ```
 
 3) **Profit**
-- C6 will produce 1-1 constants.
-
-Allowing you to do:
+You import from the frontend or backend using the same syntax:
 
 ```typescript
-import { Actor, C6C } from "./api/rest/Actor";
+import { Actor, C6 } from "./shared/rest/C6";
 
 // GET
-const actors = await Actor.GET({
-    [C6C.SELECT]: [
+const actors = await Actor.Get({
+    [C6.SELECT]: [
         Actor.ACTOR_ID,
         Actor.FIRST_NAME,
         Actor.LAST_NAME,
     ],
-    [C6C.WHERE]: {
+    [C6.WHERE]: {
         [Actor.LAST_NAME]: { like: "%PITT%" },
     },
-    [C6C.LIMIT]: 10,
+    [C6.PAGINATION]: { [C6.LIMIT]: 10 },
 });
 
 // POST
-await Actor.POST({
-    [C6C.DATA]: {
-        [Actor.FIRST_NAME]: "Brad",
-        [Actor.LAST_NAME]: "Pitt",
-    },
+await Actor.Post({
+    [Actor.FIRST_NAME]: "Brad",
+    [Actor.LAST_NAME]: "Pitt",
 });
 
-// PUT
-await Actor.PUT({
-    [C6C.WHERE]: {
-        [Actor.ACTOR_ID]: 42,
-    },
-    [C6C.DATA]: {
-        [Actor.LAST_NAME]: "Updated",
-    },
+// PUT (singular)
+await Actor.Put({
+    [Actor.ACTOR_ID]: 42,
+    [Actor.LAST_NAME]: "Updated",
 });
 
-// DELETE
-await Actor.DELETE({
-    [C6C.WHERE]: {
-        [Actor.ACTOR_ID]: 42,
-    },
+// DELETE (singular)
+await Actor.Delete({
+    [Actor.ACTOR_ID]: 42,
 });
 ```
 
+Example response payloads (HTTP executor):
+
+GET
+
+```json
+{
+  "success": true,
+  "rest": [
+    { "actor_id": 1, "first_name": "PENELOPE", "last_name": "GUINESS" }
+  ],
+  "next": "Function"
+}
+```
+
+POST
+
+```json
+{
+  "success": true,
+  "created": 201,
+  "rest": { "actor_id": 201, "first_name": "Brad", "last_name": "Pitt" }
+}
+```
+
+PUT
+
+```json
+{
+  "success": true,
+  "updated": true,
+  "rest": { "actor_id": 42, "last_name": "Updated" }
+}
+```
+
+DELETE
+
+```json
+{
+  "success": true,
+  "deleted": true,
+  "rest": { "actor_id": 42 }
+}
+```
+
+SQL executor responses omit `success` and include `sql` for GETs plus `affected` for writes. Express responses from `ExpressHandler` add `success: true`.
+
+SQL executor example (GET):
+
+```json
+{
+  "rest": [
+    { "actor_id": 1, "first_name": "PENELOPE", "last_name": "GUINESS" }
+  ],
+  "sql": {
+    "sql": "SELECT * FROM `actor` LIMIT 10",
+    "values": []
+  }
+}
+```
+
 Our CarbonReact extends this solution for automatic state and pagination management.
 
 
@@ -258,4 +368,3 @@ This will configure Git to use the hooks in the `.githooks` directory. The hooks
 # Support and Issues
 
 Any issues found should be reported on [GitHub](https://github.com/CarbonORM/CarbonNode/issues).
-

package/dist/api/executors/SqlExecutor.d.ts

@@ -11,6 +11,11 @@ export declare class SqlExecutor<G extends OrmGenerics> extends Executor<G> {
         [key: string]: any;
     }): string;
     private formatValue;
+    private stripRequestMetadata;
+    private normalizeRequestPayload;
+    private extractRequestBody;
+    private extractPrimaryKeyValues;
+    private broadcastWebsocketIfConfigured;
     runQuery(): Promise<{
         rest: any;
         sql: {
@@ -26,4 +31,5 @@ export declare class SqlExecutor<G extends OrmGenerics> extends Executor<G> {
             values: any;
         };
     }>;
+    private validateSqlAllowList;
 }

package/dist/api/handlers/ExpressHandler.d.ts

@@ -1,7 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { Pool } from "mysql2/promise";
 import { iC6Object } from "../types/ormInterfaces";
-export declare function ExpressHandler({ C6, mysqlPool }: {
+export declare function ExpressHandler({ C6, mysqlPool, sqlAllowListPath, }: {
     C6: iC6Object;
     mysqlPool: Pool;
+    sqlAllowListPath?: string;
 }): (req: Request, res: Response, next: NextFunction) => Promise<void>;

package/dist/api/types/ormInterfaces.d.ts

@@ -135,6 +135,16 @@ export interface iGetC6RestResponse<ResponseDataType extends {
 export type DetermineResponseDataType<Method extends iRestMethods, RestTableInterface extends {
     [key: string]: any;
 }, ResponseDataOverrides = {}> = (Method extends 'POST' ? iPostC6RestResponse<RestTableInterface> : Method extends 'GET' ? iGetC6RestResponse<RestTableInterface, ResponseDataOverrides> : Method extends 'PUT' ? iPutC6RestResponse<RestTableInterface> : Method extends 'DELETE' ? iDeleteC6RestResponse<RestTableInterface> : never);
+export type iRestWebsocketPayload = {
+    REST: {
+        TABLE_NAME: string;
+        TABLE_PREFIX: string;
+        METHOD: iRestMethods;
+        REQUEST: Record<string, any>;
+        REQUEST_PRIMARY_KEY: Record<string, any> | null;
+    };
+};
+export type tWebsocketBroadcast = (payload: iRestWebsocketPayload) => void | Promise<void>;
 export interface iRest<RestShortTableName extends string = any, RestTableInterface extends Record<string, any> = any, PrimaryKey extends keyof RestTableInterface & string = keyof RestTableInterface & string> {
     C6: iC6Object;
     axios?: AxiosInstance;
@@ -146,7 +156,9 @@ export interface iRest<RestShortTableName extends string = any, RestTableInterfa
     requestMethod: iRestMethods;
     clearCache?: () => void;
     skipPrimaryCheck?: boolean;
+    websocketBroadcast?: tWebsocketBroadcast;
     verbose?: boolean;
+    sqlAllowListPath?: string;
 }
 export interface iConstraint {
     TABLE: string;

package/dist/api/utils/sqlAllowList.d.ts

@@ -0,0 +1,2 @@
+export declare const normalizeSql: (sql: string) => string;
+export declare const loadSqlAllowList: (allowListPath: string) => Promise<Set<string>>;

package/dist/index.cjs.js

@@ -2963,6 +2963,63 @@ function normalizeSingularRequest(requestMethod, request, restModel, removedPrim
     return tslib.__assign(tslib.__assign({}, normalized), { dataInsertMultipleRows: dataInsertMultipleRows, cacheResults: cacheResults, fetchDependencies: fetchDependencies, debug: debug, success: success, error: error });
 }
 
+var allowListCache = new Map();
+var normalizeSql = function (sql) {
+    return sql.replace(/\s+/g, " ").trim();
+};
+var parseAllowList = function (raw, sourcePath) {
+    var parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (error) {
+        throw new Error("SQL allowlist at ".concat(sourcePath, " is not valid JSON."));
+    }
+    if (!Array.isArray(parsed)) {
+        throw new Error("SQL allowlist at ".concat(sourcePath, " must be a JSON array of strings."));
+    }
+    var sqlEntries = parsed
+        .filter(function (entry) { return typeof entry === "string"; })
+        .map(normalizeSql)
+        .filter(function (entry) { return entry.length > 0; });
+    if (sqlEntries.length !== parsed.length) {
+        throw new Error("SQL allowlist at ".concat(sourcePath, " must contain only string entries."));
+    }
+    return sqlEntries;
+};
+var loadSqlAllowList = function (allowListPath) { return tslib.__awaiter(void 0, void 0, void 0, function () {
+    var readFile, raw, sqlEntries, allowList;
+    return tslib.__generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                if (allowListCache.has(allowListPath)) {
+                    return [2 /*return*/, allowListCache.get(allowListPath)];
+                }
+                if (!isNode()) {
+                    throw new Error("SQL allowlist validation requires a Node runtime.");
+                }
+                return [4 /*yield*/, import('node:fs/promises')];
+            case 1:
+                readFile = (_a.sent()).readFile;
+                _a.label = 2;
+            case 2:
+                _a.trys.push([2, 4, , 5]);
+                return [4 /*yield*/, readFile(allowListPath, "utf-8")];
+            case 3:
+                raw = _a.sent();
+                return [3 /*break*/, 5];
+            case 4:
+                _a.sent();
+                throw new Error("SQL allowlist file not found at ".concat(allowListPath, "."));
+            case 5:
+                sqlEntries = parseAllowList(raw, allowListPath);
+                allowList = new Set(sqlEntries);
+                allowListCache.set(allowListPath, allowList);
+                return [2 /*return*/, allowList];
+        }
+    });
+}); };
+
 var SqlExecutor = /** @class */ (function (_super) {
     tslib.__extends(SqlExecutor, _super);
     function SqlExecutor() {
@@ -2995,10 +3052,10 @@ var SqlExecutor = /** @class */ (function (_super) {
                         switch (_a) {
                             case 'GET': return [3 /*break*/, 1];
                             case 'POST': return [3 /*break*/, 3];
-                            case 'PUT': return [3 /*break*/, 5];
-                            case 'DELETE': return [3 /*break*/, 7];
+                            case 'PUT': return [3 /*break*/, 6];
+                            case 'DELETE': return [3 /*break*/, 9];
                         }
-                        return [3 /*break*/, 9];
+                        return [3 /*break*/, 12];
                     case 1: return [4 /*yield*/, this.runQuery()];
                     case 2:
                         rest = _b.sent();
@@ -3006,16 +3063,25 @@ var SqlExecutor = /** @class */ (function (_super) {
                     case 3: return [4 /*yield*/, this.runQuery()];
                     case 4:
                         result = _b.sent();
+                        return [4 /*yield*/, this.broadcastWebsocketIfConfigured()];
+                    case 5:
+                        _b.sent();
                         return [2 /*return*/, result];
-                    case 5: return [4 /*yield*/, this.runQuery()];
-                    case 6:
+                    case 6: return [4 /*yield*/, this.runQuery()];
+                    case 7:
                         result = _b.sent();
-                        return [2 /*return*/, result];
-                    case 7: return [4 /*yield*/, this.runQuery()];
+                        return [4 /*yield*/, this.broadcastWebsocketIfConfigured()];
                     case 8:
+                        _b.sent();
+                        return [2 /*return*/, result];
+                    case 9: return [4 /*yield*/, this.runQuery()];
+                    case 10:
                         result = _b.sent();
+                        return [4 /*yield*/, this.broadcastWebsocketIfConfigured()];
+                    case 11:
+                        _b.sent();
                         return [2 /*return*/, result];
-                    case 9: throw new Error("Unsupported request method: ".concat(method));
+                    case 12: throw new Error("Unsupported request method: ".concat(method));
                 }
             });
         });
@@ -3076,6 +3142,149 @@ var SqlExecutor = /** @class */ (function (_super) {
             return "'".concat(val.toISOString().slice(0, 19).replace('T', ' '), "'");
         return "'".concat(JSON.stringify(val), "'");
     };
+    SqlExecutor.prototype.stripRequestMetadata = function (source) {
+        var ignoredKeys = new Set([
+            C6Constants.SELECT,
+            C6Constants.UPDATE,
+            C6Constants.DELETE,
+            C6Constants.WHERE,
+            C6Constants.JOIN,
+            C6Constants.PAGINATION,
+            C6Constants.INSERT,
+            C6Constants.REPLACE,
+            "dataInsertMultipleRows",
+            "cacheResults",
+            "fetchDependencies",
+            "debug",
+            "success",
+            "error",
+        ]);
+        var filtered = {};
+        for (var _i = 0, _a = Object.entries(source); _i < _a.length; _i++) {
+            var _b = _a[_i], key = _b[0], value = _b[1];
+            if (!ignoredKeys.has(key)) {
+                filtered[key] = value;
+            }
+        }
+        return filtered;
+    };
+    SqlExecutor.prototype.normalizeRequestPayload = function (source) {
+        var _a;
+        var columns = this.config.restModel.COLUMNS;
+        var validColumns = new Set(Object.values(columns));
+        var normalized = {};
+        for (var _i = 0, _b = Object.entries(source); _i < _b.length; _i++) {
+            var _c = _b[_i], key = _c[0], value = _c[1];
+            var shortKey = (_a = columns[key]) !== null && _a !== void 0 ? _a : (key.includes(".") ? key.split(".").pop() : key);
+            if (validColumns.has(shortKey)) {
+                normalized[shortKey] = value;
+            }
+        }
+        return normalized;
+    };
+    SqlExecutor.prototype.extractRequestBody = function () {
+        var _a, _b;
+        var request = this.request;
+        if (this.config.requestMethod === C6Constants.POST) {
+            if (Array.isArray(request.dataInsertMultipleRows) && request.dataInsertMultipleRows.length > 0) {
+                return request.dataInsertMultipleRows[0];
+            }
+            if (C6Constants.INSERT in request) {
+                return (_a = request[C6Constants.INSERT]) !== null && _a !== void 0 ? _a : {};
+            }
+            if (C6Constants.REPLACE in request) {
+                return (_b = request[C6Constants.REPLACE]) !== null && _b !== void 0 ? _b : {};
+            }
+            return this.stripRequestMetadata(request);
+        }
+        if (this.config.requestMethod === C6Constants.PUT) {
+            if (request[C6Constants.UPDATE] && typeof request[C6Constants.UPDATE] === "object") {
+                return request[C6Constants.UPDATE];
+            }
+            return this.stripRequestMetadata(request);
+        }
+        return {};
+    };
+    SqlExecutor.prototype.extractPrimaryKeyValues = function () {
+        var _a, _b, _c;
+        var request = this.request;
+        var where = request === null || request === void 0 ? void 0 : request[C6Constants.WHERE];
+        var sources = [request, (where && typeof where === "object" && !Array.isArray(where)) ? where : undefined];
+        var columns = this.config.restModel.COLUMNS;
+        var primaryShorts = (_a = this.config.restModel.PRIMARY_SHORT) !== null && _a !== void 0 ? _a : [];
+        var primaryFulls = (_b = this.config.restModel.PRIMARY) !== null && _b !== void 0 ? _b : [];
+        var pkValues = {};
+        var _loop_1 = function (pkShort) {
+            var value = undefined;
+            for (var _d = 0, sources_1 = sources; _d < sources_1.length; _d++) {
+                var source = sources_1[_d];
+                if (source && pkShort in source) {
+                    value = source[pkShort];
+                    break;
+                }
+            }
+            if (value === undefined) {
+                var fullKey = (_c = primaryFulls.find(function (key) { return key.endsWith("." + pkShort); })) !== null && _c !== void 0 ? _c : Object.keys(columns).find(function (key) { return columns[key] === pkShort; });
+                if (fullKey) {
+                    for (var _e = 0, sources_2 = sources; _e < sources_2.length; _e++) {
+                        var source = sources_2[_e];
+                        if (source && fullKey in source) {
+                            value = source[fullKey];
+                            break;
+                        }
+                    }
+                }
+            }
+            if (value !== undefined) {
+                pkValues[pkShort] = value;
+            }
+        };
+        for (var _i = 0, primaryShorts_1 = primaryShorts; _i < primaryShorts_1.length; _i++) {
+            var pkShort = primaryShorts_1[_i];
+            _loop_1(pkShort);
+        }
+        if (primaryShorts.length > 0 && Object.keys(pkValues).length < primaryShorts.length) {
+            return null;
+        }
+        return Object.keys(pkValues).length > 0 ? pkValues : null;
+    };
+    SqlExecutor.prototype.broadcastWebsocketIfConfigured = function () {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var broadcast, payload, error_1;
+            var _a, _b;
+            return tslib.__generator(this, function (_c) {
+                switch (_c.label) {
+                    case 0:
+                        broadcast = this.config.websocketBroadcast;
+                        if (!broadcast || this.config.requestMethod === C6Constants.GET)
+                            return [2 /*return*/];
+                        payload = {
+                            REST: {
+                                TABLE_NAME: this.config.restModel.TABLE_NAME,
+                                TABLE_PREFIX: (_b = (_a = this.config.C6) === null || _a === void 0 ? void 0 : _a.PREFIX) !== null && _b !== void 0 ? _b : "",
+                                METHOD: this.config.requestMethod,
+                                REQUEST: this.normalizeRequestPayload(this.extractRequestBody()),
+                                REQUEST_PRIMARY_KEY: this.extractPrimaryKeyValues(),
+                            },
+                        };
+                        _c.label = 1;
+                    case 1:
+                        _c.trys.push([1, 3, , 4]);
+                        return [4 /*yield*/, broadcast(payload)];
+                    case 2:
+                        _c.sent();
+                        return [3 /*break*/, 4];
+                    case 3:
+                        error_1 = _c.sent();
+                        if (this.config.verbose) {
+                            console.error("[SQL EXECUTOR] websocketBroadcast failed", error_1);
+                        }
+                        return [3 /*break*/, 4];
+                    case 4: return [2 /*return*/];
+                }
+            });
+        });
+    };
     SqlExecutor.prototype.runQuery = function () {
         return tslib.__awaiter(this, void 0, void 0, function () {
             var TABLE_NAME, method, builder, QueryResult, formatted, toUnnamed, _a, sql, values;
@@ -3107,6 +3316,9 @@ var SqlExecutor = /** @class */ (function (_super) {
                         this.config.verbose && console.log("[SQL EXECUTOR] \uD83E\uDDE0 Formatted ".concat(method.toUpperCase(), " SQL:"), formatted);
                         toUnnamed = namedPlaceholders();
                         _a = toUnnamed(QueryResult.sql, QueryResult.params), sql = _a[0], values = _a[1];
+                        return [4 /*yield*/, this.validateSqlAllowList(sql)];
+                    case 1:
+                        _b.sent();
                         return [4 /*yield*/, this.withConnection(function (conn) { return tslib.__awaiter(_this, void 0, void 0, function () {
                                 var result;
                                 return tslib.__generator(this, function (_a) {
@@ -3131,7 +3343,29 @@ var SqlExecutor = /** @class */ (function (_super) {
                                     }
                                 });
                             }); })];
-                    case 1: return [2 /*return*/, _b.sent()];
+                    case 2: return [2 /*return*/, _b.sent()];
+                }
+            });
+        });
+    };
+    SqlExecutor.prototype.validateSqlAllowList = function (sql) {
+        return tslib.__awaiter(this, void 0, void 0, function () {
+            var allowListPath, allowList, normalized;
+            return tslib.__generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        allowListPath = this.config.sqlAllowListPath;
+                        if (!allowListPath) {
+                            return [2 /*return*/];
+                        }
+                        return [4 /*yield*/, loadSqlAllowList(allowListPath)];
+                    case 1:
+                        allowList = _a.sent();
+                        normalized = normalizeSql(sql);
+                        if (!allowList.has(normalized)) {
+                            throw new Error("SQL statement is not permitted by allowlist (".concat(allowListPath, ")."));
+                        }
+                        return [2 /*return*/];
                 }
             });
         });
@@ -3148,7 +3382,7 @@ var SqlExecutor$1 = /*#__PURE__*/Object.freeze({
 // note sure how it would help anyone actually...
 function ExpressHandler(_a) {
     var _this = this;
-    var C6 = _a.C6, mysqlPool = _a.mysqlPool;
+    var C6 = _a.C6, mysqlPool = _a.mysqlPool, sqlAllowListPath = _a.sqlAllowListPath;
     return function (req, res, next) { return tslib.__awaiter(_this, void 0, void 0, function () {
         var incomingMethod, table, primary, methodOverrideRaw, methodOverride, treatAsGet, method, payload, restModel, primaryKeys_1, primaryShortKeys_1, columnMap_1, resolveShortKey_1, hasPrimaryKeyValues, primaryKeyName, response, err_1;
         var _a, _b, _c, _d, _e, _f, _g;
@@ -3234,6 +3468,7 @@ function ExpressHandler(_a) {
                     return [4 /*yield*/, restRequest({
                             C6: C6,
                             mysqlPool: mysqlPool,
+                            sqlAllowListPath: sqlAllowListPath,
                             requestMethod: method,
                             restModel: C6.TABLES[table]
                         })(payload)];
@@ -3396,7 +3631,9 @@ exports.isLocal = isLocal;
 exports.isNode = isNode;
 exports.isTest = isTest;
 exports.isVerbose = isVerbose;
+exports.loadSqlAllowList = loadSqlAllowList;
 exports.normalizeSingularRequest = normalizeSingularRequest;
+exports.normalizeSql = normalizeSql;
 exports.onError = onError;
 exports.onSuccess = onSuccess;
 exports.removeInvalidKeys = removeInvalidKeys;