@cyanheads/mcp-ts-core 0.8.11 → 0.8.12

package/dist/services/canvas/core/sqlGate.d.ts

@@ -1,50 +1,56 @@
 /**
  * @fileoverview Read-only SQL gate for the DataCanvas primitive. Engine-agnostic
- * pure validators that the provider invokes after pulling DuckDB-specific
- * metadata (statement extraction, prepared-statement type, EXPLAIN plan JSON).
+ * pure validators the provider invokes after pulling DuckDB-specific metadata.
  *
- * Three layers of enforcement, each authoritative on its own:
+ * Four layers of enforcement, each authoritative:
  *
- * 1. **Single-statement check.** The provider parses the input via DuckDB's
- *    `extractStatements` and passes the count here. Anything other than 1 is
- *    rejected — comment-hidden second statements, multi-statement smuggling,
- *    and Unicode tricks all collapse here because DuckDB's parser is the
- *    arbiter, not a regex.
- * 2. **Statement-type check.** The provider prepares the single statement and
- *    passes the resulting `statementType`. We require `SELECT`. Any DDL, DML,
- *    or utility (PRAGMA/ATTACH/COPY/INSTALL/LOAD/SET/EXECUTE) fails to type as
- *    SELECT and is rejected here.
- * 3. **Plan-walk allowlist.** The provider runs `EXPLAIN (FORMAT JSON)` and
- *    passes the plan JSON. We walk every node and reject if any operator
- *    name is outside the curated allowlist — defense-in-depth against future
- *    DuckDB additions that might smuggle work into a SELECT envelope.
+ * 1. **Function deny-list (text scan).** Pre-EXPLAIN regex against the SQL
+ *    (string literals stripped) for file/HTTP-reading table functions like
+ *    `read_json`, `read_parquet`. These can lower into generic SEQ_SCAN
+ *    operators that pass the operator allowlist; catching them by name closes
+ *    that bypass.
+ * 2. **Single-statement check.** Reject anything other than exactly one
+ *    statement parsed by DuckDB. Comment-hidden second statements, Unicode
+ *    tricks, and multi-statement smuggling collapse here.
+ * 3. **Statement-type check.** Require `SELECT`. DDL, DML, and utility
+ *    statements (PRAGMA/ATTACH/COPY/INSTALL/LOAD/SET/EXECUTE) fail to type as
+ *    SELECT.
+ * 4. **Plan-walk allowlist + denied-function rescan.** Walk the
+ *    `EXPLAIN (FORMAT JSON)` tree; reject any operator outside the allowlist
+ *    or any string field referencing a deny-listed function.
  *
- * Rejection paths throw `ValidationError` with a structured `data.reason`
- * suitable for surfacing to the agent.
+ * Rejection paths throw `ValidationError` with a structured `data.reason`.
  *
  * @module src/services/canvas/core/sqlGate
  */
 /**
- * DuckDB statement-type strings emitted by the Neo client. Only `SELECT` is
- * accepted by the canvas. Other values (`INSERT`, `UPDATE`, `DELETE`,
- * `CREATE`, `DROP`, `ALTER`, `COPY`, `PRAGMA`, `ATTACH`, `DETACH`, `LOAD`,
- * `INSTALL`, `SET`, `RESET`, `EXECUTE`, `EXPLAIN`, `TRANSACTION`, `VACUUM`,
- * `CHECKPOINT`, `CALL`, …) are rejected outright. This is a surface — not
- * an enum we own — so the gate matches on the literal string emitted.
+ * DuckDB statement-type string. Only `SELECT` is accepted; everything else
+ * (DDL, DML, utility) is rejected. Modeled as a string surface rather than an
+ * owned enum so the gate matches on whatever DuckDB emits.
  */
 export type DuckdbStatementType = string;
 /** Subset of statement types the gate permits. */
 export declare const ALLOWED_STATEMENT_TYPES: ReadonlySet<DuckdbStatementType>;
 /**
- * Curated allowlist of operator names that can appear in an EXPLAIN plan.
- * Sourced from DuckDB's logical/physical-plan node families (1.5.x). Not
- * every member is reachable from a SELECT — but every member is read-only.
- *
- * Pinned by `tests/canvas/sqlGate.fixtures.test.ts` against live DuckDB
- * EXPLAIN output so version bumps that add operators are caught in CI rather
- * than silently widening the gate.
- *
- * Operators **not** in this list cause rejection. Notable exclusions:
+ * Reason codes set on `validationError.data.reason` by gate assertions.
+ * Consumers can import the {@link SqlGateReason} union to translate gate
+ * denials into typed contract reasons without duplicating the strings.
+ */
+export declare const SQL_GATE_REASONS: {
+    readonly multiStatement: "multi_statement";
+    readonly nonSelectStatement: "non_select_statement";
+    readonly planOperatorNotAllowed: "plan_operator_not_allowed";
+    readonly deniedFunction: "denied_function";
+    readonly deniedFunctionInPlan: "denied_function_in_plan";
+    readonly identifierEmpty: "identifier_empty";
+    readonly identifierShape: "identifier_shape";
+    readonly identifierReserved: "identifier_reserved";
+};
+/** Union of all gate reason strings — see {@link SQL_GATE_REASONS}. */
+export type SqlGateReason = (typeof SQL_GATE_REASONS)[keyof typeof SQL_GATE_REASONS];
+/**
+ * Allowlist of read-only operator names that can appear in an EXPLAIN plan.
+ * Anything outside this set causes rejection. Notable exclusions:
  *
  * - `READ_CSV`, `READ_PARQUET`, `READ_JSON` — bypass canvas, read external files.
  * - `INSERT`, `UPDATE`, `DELETE`, `MERGE`, `CREATE_*`, `DROP_*`, `ALTER_*` — writes.
@@ -53,9 +59,21 @@ export declare const ALLOWED_STATEMENT_TYPES: ReadonlySet<DuckdbStatementType>;
  */
 export declare const ALLOWED_PLAN_OPERATORS: ReadonlySet<string>;
 /**
- * Public entry point — validates the trio of `(statementCount, statementType,
- * planJson)`. Throws on the first violation, leaving the provider to pass
- * results back to the caller untouched on success.
+ * External-data table functions (files, HTTP, S3, lakehouse formats). These
+ * lower into generic scan operators that pass the operator allowlist, so the
+ * text-scan and plan-rescan defenses in this module catch them by name
+ * regardless of how DuckDB lowers them.
+ */
+export declare const DENIED_TABLE_FUNCTIONS: ReadonlySet<string>;
+/**
+ * Layer 1: pre-EXPLAIN function deny-list. Scans the SQL (string literals
+ * stripped) for calls to any function in {@link DENIED_TABLE_FUNCTIONS} so a
+ * malicious `read_json('/etc/passwd')` is rejected before reaching the planner.
+ */
+export declare function assertNoDeniedFunctions(sql: string): void;
+/**
+ * Layers 2-4. Throws on the first violation. Layer 1
+ * ({@link assertNoDeniedFunctions}) runs separately before `extractStatements`.
  */
 export declare function assertReadOnlyQuery(input: {
     /** Number of statements DuckDB extracted from the user-supplied SQL. */
@@ -66,42 +84,48 @@ export declare function assertReadOnlyQuery(input: {
     planJson: unknown;
 }): void;
 /**
- * Pre-EXPLAIN gate: validate statement count and type. Run before the EXPLAIN
- * call so non-SELECT statements (which DuckDB's EXPLAIN can't always wrap —
- * e.g. ATTACH/PRAGMA/COPY/INSTALL) fail with a structured ValidationError
- * here rather than a confusing parser error from EXPLAIN itself.
+ * Layers 2-3: validate statement count and type before EXPLAIN. Non-SELECT
+ * statements (ATTACH/PRAGMA/COPY/INSTALL/...) fail here with a structured
+ * ValidationError rather than a confusing parser error from EXPLAIN itself.
  */
 export declare function assertSelectOnly(input: {
     statementCount: number;
     statementType: DuckdbStatementType;
 }): void;
 /**
- * Post-EXPLAIN gate: walk the plan tree and reject any operator outside the
- * curated allowlist. Defense-in-depth against future DuckDB additions that
- * smuggle work into a SELECT envelope.
+ * Layer 4: walk the plan tree and reject any operator outside the allowlist
+ * or any deny-listed table function smuggled into a generic scan operator.
  */
 export declare function assertPlanReadOnly(planJson: unknown): void;
 /**
- * Walks the EXPLAIN plan and returns the set of operator names not in
- * `ALLOWED_PLAN_OPERATORS`. Exported for fixture-driven tests that want
- * to inspect the gate's view of a plan without throwing.
- *
- * Tolerant of structural variation — DuckDB emits operator identity under
- * either `name` (logical plan) or `operator_type` (physical/profile plan)
- * depending on the EXPLAIN flavor. We honor both. Children traversal
- * supports `children`, `child`, and `inputs` arrays.
+ * Returns operator names not in `ALLOWED_PLAN_OPERATORS`. Exported for
+ * fixture-driven tests that want to inspect the gate's view without throwing.
+ * Use {@link collectPlanViolations} to also surface deny-listed function
+ * references in scan-operator metadata.
  */
 export declare function collectDisallowedOperators(planJson: unknown): Set<string>;
 /**
- * Validate an identifier for use as a canvas-local table or column name.
- * Throws `ValidationError` on rejection.
+ * Combined plan-walk: disallowed operators and deny-listed table-function
+ * references in string-valued fields, returned separately so callers can word
+ * errors appropriately.
+ */
+export declare function collectPlanViolations(planJson: unknown): {
+    offending: Set<string>;
+    deniedFunctions: Set<string>;
+};
+/**
+ * Allowed shape for canvas table/column names. SQL identifier convention:
+ * letter/underscore start, letters/digits/underscores after, max 63 chars
+ * (PostgreSQL/DuckDB cap). Exported so consumers can reuse it in Zod schemas
+ * (`z.string().regex(CANVAS_IDENTIFIER_REGEX)`).
  */
+export declare const CANVAS_IDENTIFIER_REGEX: RegExp;
+/** Validate a canvas table or column name. Throws `ValidationError` on rejection. */
 export declare function assertValidIdentifier(value: string, kind: 'table' | 'column'): void;
 /**
- * Wrap an identifier in double quotes for safe inclusion in SQL. Internal
- * double quotes are doubled per the SQL standard. Callers should still
- * validate via {@link assertValidIdentifier} before quoting — this helper
- * only escapes; it does not validate shape.
+ * Double-quote-escape an identifier for SQL embedding. Validate via
+ * {@link assertValidIdentifier} first — this helper only escapes, it does not
+ * check shape.
  */
 export declare function quoteIdentifier(value: string): string;
 //# sourceMappingURL=sqlGate.d.ts.map

package/dist/services/canvas/core/sqlGate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sqlGate.d.ts","sourceRoot":"","sources":["../../../../src/services/canvas/core/sqlGate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAIH;;;;;;;GAOG;AACH,MAAM,MAAM,mBAAmB,GAAG,MAAM,CAAC;AAEzC,kDAAkD;AAClD,eAAO,MAAM,uBAAuB,EAAE,WAAW,CAAC,mBAAmB,CAAuB,CAAC;AAE7F;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAwDrD,CAAC;AAEH;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE;IACzC,wEAAwE;IACxE,cAAc,EAAE,MAAM,CAAC;IACvB,iEAAiE;IACjE,aAAa,EAAE,mBAAmB,CAAC;IACnC,8CAA8C;IAC9C,QAAQ,EAAE,OAAO,CAAC;CACnB,GAAG,IAAI,CAGP;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE;IACtC,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,mBAAmB,CAAC;CACpC,GAAG,IAAI,CAaP;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,OAAO,GAAG,IAAI,CAW1D;AAED;;;;;;;;;GASG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,CAIzE;AAsFD;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,QAAQ,GAAG,IAAI,CAmBnF;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAErD"}
+{"version":3,"file":"sqlGate.d.ts","sourceRoot":"","sources":["../../../../src/services/canvas/core/sqlGate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAIH;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAAG,MAAM,CAAC;AAEzC,kDAAkD;AAClD,eAAO,MAAM,uBAAuB,EAAE,WAAW,CAAC,mBAAmB,CAAuB,CAAC;AAE7F;;;;GAIG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;CASnB,CAAC;AAEX,uEAAuE;AACvE,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,OAAO,gBAAgB,CAAC,CAAC;AAErF;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAwDrD,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAoCrD,CAAC;AA4CH;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAYzD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE;IACzC,wEAAwE;IACxE,cAAc,EAAE,MAAM,CAAC;IACvB,iEAAiE;IACjE,aAAa,EAAE,mBAAmB,CAAC;IACnC,8CAA8C;IAC9C,QAAQ,EAAE,OAAO,CAAC;CACnB,GAAG,IAAI,CAGP;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE;IACtC,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,mBAAmB,CAAC;CACpC,GAAG,IAAI,CAaP;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,OAAO,GAAG,IAAI,CAoB1D;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,CAEzE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,OAAO,GAAG;IACxD,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACvB,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CAC9B,CAKA;AAmDD;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,QAAkC,CAAC;AA6CvE,qFAAqF;AACrF,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,QAAQ,GAAG,IAAI,CAmBnF;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAErD"}

package/dist/services/canvas/core/sqlGate.js

@@ -1,26 +1,25 @@
 /**
  * @fileoverview Read-only SQL gate for the DataCanvas primitive. Engine-agnostic
- * pure validators that the provider invokes after pulling DuckDB-specific
- * metadata (statement extraction, prepared-statement type, EXPLAIN plan JSON).
+ * pure validators the provider invokes after pulling DuckDB-specific metadata.
  *
- * Three layers of enforcement, each authoritative on its own:
+ * Four layers of enforcement, each authoritative:
  *
- * 1. **Single-statement check.** The provider parses the input via DuckDB's
- *    `extractStatements` and passes the count here. Anything other than 1 is
- *    rejected — comment-hidden second statements, multi-statement smuggling,
- *    and Unicode tricks all collapse here because DuckDB's parser is the
- *    arbiter, not a regex.
- * 2. **Statement-type check.** The provider prepares the single statement and
- *    passes the resulting `statementType`. We require `SELECT`. Any DDL, DML,
- *    or utility (PRAGMA/ATTACH/COPY/INSTALL/LOAD/SET/EXECUTE) fails to type as
- *    SELECT and is rejected here.
- * 3. **Plan-walk allowlist.** The provider runs `EXPLAIN (FORMAT JSON)` and
- *    passes the plan JSON. We walk every node and reject if any operator
- *    name is outside the curated allowlist — defense-in-depth against future
- *    DuckDB additions that might smuggle work into a SELECT envelope.
+ * 1. **Function deny-list (text scan).** Pre-EXPLAIN regex against the SQL
+ *    (string literals stripped) for file/HTTP-reading table functions like
+ *    `read_json`, `read_parquet`. These can lower into generic SEQ_SCAN
+ *    operators that pass the operator allowlist; catching them by name closes
+ *    that bypass.
+ * 2. **Single-statement check.** Reject anything other than exactly one
+ *    statement parsed by DuckDB. Comment-hidden second statements, Unicode
+ *    tricks, and multi-statement smuggling collapse here.
+ * 3. **Statement-type check.** Require `SELECT`. DDL, DML, and utility
+ *    statements (PRAGMA/ATTACH/COPY/INSTALL/LOAD/SET/EXECUTE) fail to type as
+ *    SELECT.
+ * 4. **Plan-walk allowlist + denied-function rescan.** Walk the
+ *    `EXPLAIN (FORMAT JSON)` tree; reject any operator outside the allowlist
+ *    or any string field referencing a deny-listed function.
  *
- * Rejection paths throw `ValidationError` with a structured `data.reason`
- * suitable for surfacing to the agent.
+ * Rejection paths throw `ValidationError` with a structured `data.reason`.
  *
  * @module src/services/canvas/core/sqlGate
  */
@@ -28,15 +27,23 @@ import { validationError } from '../../../types-global/errors.js';
 /** Subset of statement types the gate permits. */
 export const ALLOWED_STATEMENT_TYPES = new Set(['SELECT']);
 /**
- * Curated allowlist of operator names that can appear in an EXPLAIN plan.
- * Sourced from DuckDB's logical/physical-plan node families (1.5.x). Not
- * every member is reachable from a SELECT — but every member is read-only.
- *
- * Pinned by `tests/canvas/sqlGate.fixtures.test.ts` against live DuckDB
- * EXPLAIN output so version bumps that add operators are caught in CI rather
- * than silently widening the gate.
- *
- * Operators **not** in this list cause rejection. Notable exclusions:
+ * Reason codes set on `validationError.data.reason` by gate assertions.
+ * Consumers can import the {@link SqlGateReason} union to translate gate
+ * denials into typed contract reasons without duplicating the strings.
+ */
+export const SQL_GATE_REASONS = {
+    multiStatement: 'multi_statement',
+    nonSelectStatement: 'non_select_statement',
+    planOperatorNotAllowed: 'plan_operator_not_allowed',
+    deniedFunction: 'denied_function',
+    deniedFunctionInPlan: 'denied_function_in_plan',
+    identifierEmpty: 'identifier_empty',
+    identifierShape: 'identifier_shape',
+    identifierReserved: 'identifier_reserved',
+};
+/**
+ * Allowlist of read-only operator names that can appear in an EXPLAIN plan.
+ * Anything outside this set causes rejection. Notable exclusions:
  *
  * - `READ_CSV`, `READ_PARQUET`, `READ_JSON` — bypass canvas, read external files.
  * - `INSERT`, `UPDATE`, `DELETE`, `MERGE`, `CREATE_*`, `DROP_*`, `ALTER_*` — writes.
@@ -44,7 +51,7 @@ export const ALLOWED_STATEMENT_TYPES = new Set(['SELECT']);
  * - `ATTACH`, `DETACH`, `LOAD`, `INSTALL`, `PRAGMA`, `SET`, `RESET` — utility.
  */
 export const ALLOWED_PLAN_OPERATORS = new Set([
-    // Scans (registered tables only — file scans like READ_CSV are excluded)
+    // Scans (registered tables only)
     'SEQ_SCAN',
     'COLUMN_DATA_SCAN',
     'CHUNK_SCAN',
@@ -101,66 +108,164 @@ export const ALLOWED_PLAN_OPERATORS = new Set([
     'PIVOT',
 ]);
 /**
- * Public entry point — validates the trio of `(statementCount, statementType,
- * planJson)`. Throws on the first violation, leaving the provider to pass
- * results back to the caller untouched on success.
+ * External-data table functions (files, HTTP, S3, lakehouse formats). These
+ * lower into generic scan operators that pass the operator allowlist, so the
+ * text-scan and plan-rescan defenses in this module catch them by name
+ * regardless of how DuckDB lowers them.
+ */
+export const DENIED_TABLE_FUNCTIONS = new Set([
+    // CSV
+    'read_csv',
+    'read_csv_auto',
+    'sniff_csv',
+    // JSON
+    'read_json',
+    'read_json_auto',
+    'read_json_objects',
+    'read_json_objects_auto',
+    'read_ndjson',
+    'read_ndjson_auto',
+    'read_ndjson_objects',
+    // Parquet
+    'read_parquet',
+    'parquet_scan',
+    'parquet_metadata',
+    'parquet_schema',
+    'parquet_file_metadata',
+    'parquet_kv_metadata',
+    // Text / blob / glob
+    'read_text',
+    'read_blob',
+    'glob',
+    // Iceberg / Delta
+    'iceberg_scan',
+    'iceberg_metadata',
+    'iceberg_snapshots',
+    'delta_scan',
+    // Postgres / MySQL / SQLite scanners (extension-loaded; defense-in-depth)
+    'postgres_scan',
+    'postgres_query',
+    'mysql_scan',
+    'mysql_query',
+    'sqlite_scan',
+    'sqlite_query',
+]);
+/**
+ * Call-shape regex (`name(`). Caller strips comments and string literals first
+ * so quoted text and comment-injected separators between a name and its `(`
+ * can't false-positive or bypass.
+ */
+const DENIED_FUNCTION_CALL_REGEX = new RegExp(String.raw `\b(${[...DENIED_TABLE_FUNCTIONS].join('|')})\s*\(`, 'gi');
+/**
+ * Bare-name regex for the plan-walk rescan only. DuckDB EXPLAIN metadata can
+ * spell out a function as `Function: read_json` without parens. Restricted to
+ * known function-name fields to avoid scanning user-projected string literals.
+ */
+const DENIED_FUNCTION_BARE_REGEX = new RegExp(String.raw `\b(${[...DENIED_TABLE_FUNCTIONS].join('|')})\b`, 'gi');
+/** Plan-node string fields where DuckDB stores lowered table-function names. */
+const FUNCTION_METADATA_KEYS = new Set([
+    'extra_info',
+    'function',
+    'function_name',
+    'table_function',
+    'source',
+]);
+/** Strip SQL block and line comments. */
+function stripSqlComments(sql) {
+    return sql.replace(/\/\*[\s\S]*?\*\//g, ' ').replace(/--[^\n]*/g, '');
+}
+/**
+ * Strip standard SQL string literals. Doesn't handle E-strings or DuckDB
+ * dollar-quoting; the plan-walk rescan catches anything that survives.
+ */
+function stripSqlStringLiterals(sql) {
+    return sql.replace(/'(?:[^']|'')*'/g, "''");
+}
+/**
+ * Layer 1: pre-EXPLAIN function deny-list. Scans the SQL (string literals
+ * stripped) for calls to any function in {@link DENIED_TABLE_FUNCTIONS} so a
+ * malicious `read_json('/etc/passwd')` is rejected before reaching the planner.
+ */
+export function assertNoDeniedFunctions(sql) {
+    if (typeof sql !== 'string' || sql.length === 0)
+        return;
+    const stripped = stripSqlStringLiterals(stripSqlComments(sql));
+    DENIED_FUNCTION_CALL_REGEX.lastIndex = 0;
+    const match = DENIED_FUNCTION_CALL_REGEX.exec(stripped);
+    if (match?.[1]) {
+        const fn = match[1].toLowerCase();
+        throw validationError(`Canvas query references disallowed table function: ${fn}. File-reading and external-data functions are not permitted.`, { reason: SQL_GATE_REASONS.deniedFunction, function: fn });
+    }
+}
+/**
+ * Layers 2-4. Throws on the first violation. Layer 1
+ * ({@link assertNoDeniedFunctions}) runs separately before `extractStatements`.
  */
 export function assertReadOnlyQuery(input) {
     assertSelectOnly(input);
     assertPlanReadOnly(input.planJson);
 }
 /**
- * Pre-EXPLAIN gate: validate statement count and type. Run before the EXPLAIN
- * call so non-SELECT statements (which DuckDB's EXPLAIN can't always wrap —
- * e.g. ATTACH/PRAGMA/COPY/INSTALL) fail with a structured ValidationError
- * here rather than a confusing parser error from EXPLAIN itself.
+ * Layers 2-3: validate statement count and type before EXPLAIN. Non-SELECT
+ * statements (ATTACH/PRAGMA/COPY/INSTALL/...) fail here with a structured
+ * ValidationError rather than a confusing parser error from EXPLAIN itself.
  */
 export function assertSelectOnly(input) {
     if (input.statementCount !== 1) {
         throw validationError('Canvas query must contain exactly one SQL statement.', {
-            reason: 'multi_statement',
+            reason: SQL_GATE_REASONS.multiStatement,
             statementCount: input.statementCount,
         });
     }
     if (!ALLOWED_STATEMENT_TYPES.has(input.statementType)) {
-        throw validationError(`Canvas query must be SELECT; got ${input.statementType}. Mutations must use registerTable, drop, or clear.`, { reason: 'non_select_statement', statementType: input.statementType });
+        throw validationError(`Canvas query must be SELECT; got ${input.statementType}. Mutations must use registerTable, drop, or clear.`, { reason: SQL_GATE_REASONS.nonSelectStatement, statementType: input.statementType });
     }
 }
 /**
- * Post-EXPLAIN gate: walk the plan tree and reject any operator outside the
- * curated allowlist. Defense-in-depth against future DuckDB additions that
- * smuggle work into a SELECT envelope.
+ * Layer 4: walk the plan tree and reject any operator outside the allowlist
+ * or any deny-listed table function smuggled into a generic scan operator.
  */
 export function assertPlanReadOnly(planJson) {
-    const offending = collectDisallowedOperators(planJson);
+    const { offending, deniedFunctions } = collectPlanViolations(planJson);
+    if (deniedFunctions.size > 0) {
+        throw validationError(`Canvas query references disallowed table function in plan: ${[...deniedFunctions].sort().join(', ')}.`, {
+            reason: SQL_GATE_REASONS.deniedFunctionInPlan,
+            functions: [...deniedFunctions].sort(),
+        });
+    }
     if (offending.size > 0) {
         throw validationError(`Canvas query contains disallowed operators: ${[...offending].sort().join(', ')}.`, {
-            reason: 'plan_operator_not_allowed',
+            reason: SQL_GATE_REASONS.planOperatorNotAllowed,
             operators: [...offending].sort(),
         });
     }
 }
 /**
- * Walks the EXPLAIN plan and returns the set of operator names not in
- * `ALLOWED_PLAN_OPERATORS`. Exported for fixture-driven tests that want
- * to inspect the gate's view of a plan without throwing.
- *
- * Tolerant of structural variation — DuckDB emits operator identity under
- * either `name` (logical plan) or `operator_type` (physical/profile plan)
- * depending on the EXPLAIN flavor. We honor both. Children traversal
- * supports `children`, `child`, and `inputs` arrays.
+ * Returns operator names not in `ALLOWED_PLAN_OPERATORS`. Exported for
+ * fixture-driven tests that want to inspect the gate's view without throwing.
+ * Use {@link collectPlanViolations} to also surface deny-listed function
+ * references in scan-operator metadata.
  */
 export function collectDisallowedOperators(planJson) {
+    return collectPlanViolations(planJson).offending;
+}
+/**
+ * Combined plan-walk: disallowed operators and deny-listed table-function
+ * references in string-valued fields, returned separately so callers can word
+ * errors appropriately.
+ */
+export function collectPlanViolations(planJson) {
     const offending = new Set();
-    walk(planJson, offending);
-    return offending;
+    const deniedFunctions = new Set();
+    walk(planJson, offending, deniedFunctions);
+    return { offending, deniedFunctions };
 }
-function walk(node, offending) {
+function walk(node, offending, deniedFunctions) {
     if (node === null || typeof node !== 'object')
         return;
     if (Array.isArray(node)) {
         for (const child of node)
-            walk(child, offending);
+            walk(child, offending, deniedFunctions);
         return;
     }
     const obj = node;
@@ -168,19 +273,38 @@ function walk(node, offending) {
     if (operator !== undefined && !ALLOWED_PLAN_OPERATORS.has(operator)) {
         offending.add(operator);
     }
-    // Traverse known child slots; ignore string/number leaves.
+    // read_json/read_parquet lower into generic scan operators whose source
+    // function appears in plan metadata, not the operator name. Use the bare
+    // regex on known function-name fields, the call-shape regex elsewhere.
+    for (const [key, value] of Object.entries(obj)) {
+        if (typeof value !== 'string')
+            continue;
+        const regex = FUNCTION_METADATA_KEYS.has(key)
+            ? DENIED_FUNCTION_BARE_REGEX
+            : DENIED_FUNCTION_CALL_REGEX;
+        collectDeniedFunctionMatches(value, regex, deniedFunctions);
+    }
     for (const key of ['children', 'child', 'inputs', 'plan', 'root']) {
         if (key in obj)
-            walk(obj[key], offending);
+            walk(obj[key], offending, deniedFunctions);
+    }
+}
+function collectDeniedFunctionMatches(value, regex, sink) {
+    regex.lastIndex = 0;
+    let match = regex.exec(value);
+    while (match !== null) {
+        if (match[1])
+            sink.add(match[1].toLowerCase());
+        match = regex.exec(value);
     }
 }
 function readOperatorName(obj) {
-    const candidates = ['name', 'operator_type', 'operator', 'type'];
-    for (const key of candidates) {
+    // DuckDB emits operator identity under different keys depending on the
+    // EXPLAIN flavor (logical/physical/profile).
+    for (const key of ['name', 'operator_type', 'operator', 'type']) {
         const value = obj[key];
-        if (typeof value === 'string' && value !== '') {
+        if (typeof value === 'string' && value !== '')
             return value.toUpperCase();
-        }
     }
     return;
 }
@@ -188,16 +312,15 @@ function readOperatorName(obj) {
 // Identifier validation and quoting
 // ---------------------------------------------------------------------------
 /**
- * Allowed shape for canvas-local table and column names. Matches the
- * conservative SQL identifier convention: starts with letter/underscore,
- * followed by letters/digits/underscores, max 63 chars (PostgreSQL/DuckDB cap).
+ * Allowed shape for canvas table/column names. SQL identifier convention:
+ * letter/underscore start, letters/digits/underscores after, max 63 chars
+ * (PostgreSQL/DuckDB cap). Exported so consumers can reuse it in Zod schemas
+ * (`z.string().regex(CANVAS_IDENTIFIER_REGEX)`).
  */
-const IDENTIFIER_REGEX = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
+export const CANVAS_IDENTIFIER_REGEX = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
 /**
- * DuckDB reserved words that must not be used as bare identifiers. Not
- * exhaustive — this is a courtesy guard so misnamed tables fail at register
- * time rather than confusing-error time. The `IDENTIFIER_REGEX` is the
- * authoritative shape gate.
+ * Courtesy guard against bare reserved words. Not exhaustive — the shape gate
+ * is authoritative; this just produces a friendlier error at register time.
  */
 const RESERVED_IDENTIFIERS = new Set([
     'select',
@@ -237,29 +360,25 @@ const RESERVED_IDENTIFIERS = new Set([
     'with',
     'recursive',
 ]);
-/**
- * Validate an identifier for use as a canvas-local table or column name.
- * Throws `ValidationError` on rejection.
- */
+/** Validate a canvas table or column name. Throws `ValidationError` on rejection. */
 export function assertValidIdentifier(value, kind) {
     if (typeof value !== 'string' || value.length === 0) {
         throw validationError(`Canvas ${kind} name must be a non-empty string.`, {
-            reason: 'identifier_empty',
+            reason: SQL_GATE_REASONS.identifierEmpty,
             kind,
         });
     }
-    if (!IDENTIFIER_REGEX.test(value)) {
-        throw validationError(`Canvas ${kind} name "${value}" is invalid. Use letters, digits, and underscores; must start with a letter or underscore; max 63 chars.`, { reason: 'identifier_shape', kind, value });
+    if (!CANVAS_IDENTIFIER_REGEX.test(value)) {
+        throw validationError(`Canvas ${kind} name "${value}" is invalid. Use letters, digits, and underscores; must start with a letter or underscore; max 63 chars.`, { reason: SQL_GATE_REASONS.identifierShape, kind, value });
     }
     if (RESERVED_IDENTIFIERS.has(value.toLowerCase())) {
-        throw validationError(`Canvas ${kind} name "${value}" is a reserved SQL keyword. Choose another name.`, { reason: 'identifier_reserved', kind, value });
+        throw validationError(`Canvas ${kind} name "${value}" is a reserved SQL keyword. Choose another name.`, { reason: SQL_GATE_REASONS.identifierReserved, kind, value });
     }
 }
 /**
- * Wrap an identifier in double quotes for safe inclusion in SQL. Internal
- * double quotes are doubled per the SQL standard. Callers should still
- * validate via {@link assertValidIdentifier} before quoting — this helper
- * only escapes; it does not validate shape.
+ * Double-quote-escape an identifier for SQL embedding. Validate via
+ * {@link assertValidIdentifier} first — this helper only escapes, it does not
+ * check shape.
  */
 export function quoteIdentifier(value) {
     return `"${value.replace(/"/g, '""')}"`;

package/dist/services/canvas/core/sqlGate.js.map

@@ -1 +1 @@
-{"version":3,"file":"sqlGate.js","sourceRoot":"","sources":["../../../../src/services/canvas/core/sqlGate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAY3D,kDAAkD;AAClD,MAAM,CAAC,MAAM,uBAAuB,GAAqC,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;AAE7F;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAwB,IAAI,GAAG,CAAC;IACjE,yEAAyE;IACzE,UAAU;IACV,kBAAkB;IAClB,YAAY;IACZ,iBAAiB;IACjB,YAAY;IACZ,cAAc;IACd,sBAAsB;IACtB,sBAAsB;IACtB,YAAY;IACZ,QAAQ;IACR,QAAQ;IACR,WAAW;IACX,kBAAkB;IAClB,mBAAmB;IACnB,SAAS;IACT,sBAAsB;IACtB,eAAe;IACf,iBAAiB;IACjB,WAAW;IACX,YAAY;IACZ,aAAa;IACb,eAAe;IACf,uBAAuB;IACvB,qBAAqB;IACrB,kBAAkB;IAClB,uBAAuB;IACvB,qBAAqB;IACrB,eAAe;IACf,UAAU;IACV,OAAO;IACP,mBAAmB;IACnB,UAAU;IACV,OAAO;IACP,OAAO;IACP,eAAe;IACf,iBAAiB;IACjB,SAAS;IACT,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,OAAO;IACP,KAAK;IACL,SAAS;IACT,eAAe;IACf,kBAAkB;IAClB,WAAW;IACX,kBAAkB;IAClB,QAAQ;IACR,kBAAkB;IAClB,iBAAiB;IACjB,kBAAkB;IAClB,SAAS;IACT,wCAAwC;IACxC,OAAO;CACR,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAOnC;IACC,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACxB,kBAAkB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAGhC;IACC,IAAI,KAAK,CAAC,cAAc,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,eAAe,CAAC,sDAAsD,EAAE;YAC5E,MAAM,EAAE,iBAAiB;YACzB,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC,CAAC;IACL,CAAC;IACD,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QACtD,MAAM,eAAe,CACnB,oCAAoC,KAAK,CAAC,aAAa,qDAAqD,EAC5G,EAAE,MAAM,EAAE,sBAAsB,EAAE,aAAa,EAAE,KAAK,CAAC,aAAa,EAAE,CACvE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAiB;IAClD,MAAM,SAAS,GAAG,0BAA0B,CAAC,QAAQ,CAAC,CAAC;IACvD,IAAI,SAAS,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,eAAe,CACnB,+CAA+C,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAClF;YACE,MAAM,EAAE,2BAA2B;YACnC,SAAS,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE;SACjC,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,0BAA0B,CAAC,QAAiB;IAC1D,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC1B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,IAAI,CAAC,IAAa,EAAE,SAAsB;IACjD,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO;IACtD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,KAAK,MAAM,KAAK,IAAI,IAAI;YAAE,IAAI,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;QACjD,OAAO;IACT,CAAC;IACD,MAAM,GAAG,GAAG,IAA+B,CAAC;IAC5C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,QAAQ,KAAK,SAAS,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpE,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IACD,2DAA2D;IAC3D,KAAK,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC;QAClE,IAAI,GAAG,IAAI,GAAG;YAAE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,SAAS,CAAC,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,GAA4B;IACpD,MAAM,UAAU,GAAG,CAAC,MAAM,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;IACjE,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;YAC9C,OAAO,KAAK,CAAC,WAAW,EAAE,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,OAAO;AACT,CAAC;AAED,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,gBAAgB,GAAG,+BAA+B,CAAC;AAEzD;;;;;GAKG;AACH,MAAM,oBAAoB,GAAwB,IAAI,GAAG,CAAC;IACxD,QAAQ;IACR,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;IACP,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,OAAO;IACP,WAAW;IACX,QAAQ;IACR,KAAK;IACL,UAAU;IACV,IAAI;IACJ,KAAK;IACL,IAAI;IACJ,KAAK;IACL,MAAM;IACN,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,KAAK;IACL,MAAM;IACN,OAAO;IACP,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,IAAI;IACJ,OAAO;IACP,MAAM;IACN,WAAW;CACZ,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAa,EAAE,IAAwB;IAC3E,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,eAAe,CAAC,UAAU,IAAI,mCAAmC,EAAE;YACvE,MAAM,EAAE,kBAAkB;YAC1B,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IACD,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAClC,MAAM,eAAe,CACnB,UAAU,IAAI,UAAU,KAAK,2GAA2G,EACxI,EAAE,MAAM,EAAE,kBAAkB,EAAE,IAAI,EAAE,KAAK,EAAE,CAC5C,CAAC;IACJ,CAAC;IACD,IAAI,oBAAoB,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAClD,MAAM,eAAe,CACnB,UAAU,IAAI,UAAU,KAAK,mDAAmD,EAChF,EAAE,MAAM,EAAE,qBAAqB,EAAE,IAAI,EAAE,KAAK,EAAE,CAC/C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC;AAC1C,CAAC"}
+{"version":3,"file":"sqlGate.js","sourceRoot":"","sources":["../../../../src/services/canvas/core/sqlGate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAS3D,kDAAkD;AAClD,MAAM,CAAC,MAAM,uBAAuB,GAAqC,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;AAE7F;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,cAAc,EAAE,iBAAiB;IACjC,kBAAkB,EAAE,sBAAsB;IAC1C,sBAAsB,EAAE,2BAA2B;IACnD,cAAc,EAAE,iBAAiB;IACjC,oBAAoB,EAAE,yBAAyB;IAC/C,eAAe,EAAE,kBAAkB;IACnC,eAAe,EAAE,kBAAkB;IACnC,kBAAkB,EAAE,qBAAqB;CACjC,CAAC;AAKX;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAwB,IAAI,GAAG,CAAC;IACjE,iCAAiC;IACjC,UAAU;IACV,kBAAkB;IAClB,YAAY;IACZ,iBAAiB;IACjB,YAAY;IACZ,cAAc;IACd,sBAAsB;IACtB,sBAAsB;IACtB,YAAY;IACZ,QAAQ;IACR,QAAQ;IACR,WAAW;IACX,kBAAkB;IAClB,mBAAmB;IACnB,SAAS;IACT,sBAAsB;IACtB,eAAe;IACf,iBAAiB;IACjB,WAAW;IACX,YAAY;IACZ,aAAa;IACb,eAAe;IACf,uBAAuB;IACvB,qBAAqB;IACrB,kBAAkB;IAClB,uBAAuB;IACvB,qBAAqB;IACrB,eAAe;IACf,UAAU;IACV,OAAO;IACP,mBAAmB;IACnB,UAAU;IACV,OAAO;IACP,OAAO;IACP,eAAe;IACf,iBAAiB;IACjB,SAAS;IACT,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,OAAO;IACP,KAAK;IACL,SAAS;IACT,eAAe;IACf,kBAAkB;IAClB,WAAW;IACX,kBAAkB;IAClB,QAAQ;IACR,kBAAkB;IAClB,iBAAiB;IACjB,kBAAkB;IAClB,SAAS;IACT,wCAAwC;IACxC,OAAO;CACR,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAwB,IAAI,GAAG,CAAC;IACjE,MAAM;IACN,UAAU;IACV,eAAe;IACf,WAAW;IACX,OAAO;IACP,WAAW;IACX,gBAAgB;IAChB,mBAAmB;IACnB,wBAAwB;IACxB,aAAa;IACb,kBAAkB;IAClB,qBAAqB;IACrB,UAAU;IACV,cAAc;IACd,cAAc;IACd,kBAAkB;IAClB,gBAAgB;IAChB,uBAAuB;IACvB,qBAAqB;IACrB,qBAAqB;IACrB,WAAW;IACX,WAAW;IACX,MAAM;IACN,kBAAkB;IAClB,cAAc;IACd,kBAAkB;IAClB,mBAAmB;IACnB,YAAY;IACZ,0EAA0E;IAC1E,eAAe;IACf,gBAAgB;IAChB,YAAY;IACZ,aAAa;IACb,aAAa;IACb,cAAc;CACf,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,0BAA0B,GAAG,IAAI,MAAM,CAC3C,MAAM,CAAC,GAAG,CAAA,MAAM,CAAC,GAAG,sBAAsB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAC7D,IAAI,CACL,CAAC;AAEF;;;;GAIG;AACH,MAAM,0BAA0B,GAAG,IAAI,MAAM,CAC3C,MAAM,CAAC,GAAG,CAAA,MAAM,CAAC,GAAG,sBAAsB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,EAC1D,IAAI,CACL,CAAC;AAEF,gFAAgF;AAChF,MAAM,sBAAsB,GAAwB,IAAI,GAAG,CAAC;IAC1D,YAAY;IACZ,UAAU;IACV,eAAe;IACf,gBAAgB;IAChB,QAAQ;CACT,CAAC,CAAC;AAEH,yCAAyC;AACzC,SAAS,gBAAgB,CAAC,GAAW;IACnC,OAAO,GAAG,CAAC,OAAO,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;AACxE,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,GAAW;IACzC,OAAO,GAAG,CAAC,OAAO,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAW;IACjD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IACxD,MAAM,QAAQ,GAAG,sBAAsB,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/D,0BAA0B,CAAC,SAAS,GAAG,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxD,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACf,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QAClC,MAAM,eAAe,CACnB,sDAAsD,EAAE,+DAA+D,EACvH,EAAE,MAAM,EAAE,gBAAgB,CAAC,cAAc,EAAE,QAAQ,EAAE,EAAE,EAAE,CAC1D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAOnC;IACC,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACxB,kBAAkB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAGhC;IACC,IAAI,KAAK,CAAC,cAAc,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,eAAe,CAAC,sDAAsD,EAAE;YAC5E,MAAM,EAAE,gBAAgB,CAAC,cAAc;YACvC,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC,CAAC;IACL,CAAC;IACD,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;QACtD,MAAM,eAAe,CACnB,oCAAoC,KAAK,CAAC,aAAa,qDAAqD,EAC5G,EAAE,MAAM,EAAE,gBAAgB,CAAC,kBAAkB,EAAE,aAAa,EAAE,KAAK,CAAC,aAAa,EAAE,CACpF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAiB;IAClD,MAAM,EAAE,SAAS,EAAE,eAAe,EAAE,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IACvE,IAAI,eAAe,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,eAAe,CACnB,8DAA8D,CAAC,GAAG,eAAe,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EACvG;YACE,MAAM,EAAE,gBAAgB,CAAC,oBAAoB;YAC7C,SAAS,EAAE,CAAC,GAAG,eAAe,CAAC,CAAC,IAAI,EAAE;SACvC,CACF,CAAC;IACJ,CAAC;IACD,IAAI,SAAS,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,eAAe,CACnB,+CAA+C,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAClF;YACE,MAAM,EAAE,gBAAgB,CAAC,sBAAsB;YAC/C,SAAS,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE;SACjC,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,0BAA0B,CAAC,QAAiB;IAC1D,OAAO,qBAAqB,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC;AACnD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAiB;IAIrD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;IAC1C,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAC3C,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,IAAI,CAAC,IAAa,EAAE,SAAsB,EAAE,eAA4B;IAC/E,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO;IACtD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,KAAK,MAAM,KAAK,IAAI,IAAI;YAAE,IAAI,CAAC,KAAK,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;QAClE,OAAO;IACT,CAAC;IACD,MAAM,GAAG,GAAG,IAA+B,CAAC;IAC5C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,QAAQ,KAAK,SAAS,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpE,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IACD,wEAAwE;IACxE,yEAAyE;IACzE,uEAAuE;IACvE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,SAAS;QACxC,MAAM,KAAK,GAAG,sBAAsB,CAAC,GAAG,CAAC,GAAG,CAAC;YAC3C,CAAC,CAAC,0BAA0B;YAC5B,CAAC,CAAC,0BAA0B,CAAC;QAC/B,4BAA4B,CAAC,KAAK,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;IAC9D,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC;QAClE,IAAI,GAAG,IAAI,GAAG;YAAE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAa,EAAE,KAAa,EAAE,IAAiB;IACnF,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;IACpB,IAAI,KAAK,GAA2B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACtD,OAAO,KAAK,KAAK,IAAI,EAAE,CAAC;QACtB,IAAI,KAAK,CAAC,CAAC,CAAC;YAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;QAC/C,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,GAA4B;IACpD,uEAAuE;IACvE,6CAA6C;IAC7C,KAAK,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,CAAC;QAChE,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,EAAE;YAAE,OAAO,KAAK,CAAC,WAAW,EAAE,CAAC;IAC5E,CAAC;IACD,OAAO;AACT,CAAC;AAED,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,+BAA+B,CAAC;AAEvE;;;GAGG;AACH,MAAM,oBAAoB,GAAwB,IAAI,GAAG,CAAC;IACxD,QAAQ;IACR,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;IACP,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,OAAO;IACP,WAAW;IACX,QAAQ;IACR,KAAK;IACL,UAAU;IACV,IAAI;IACJ,KAAK;IACL,IAAI;IACJ,KAAK;IACL,MAAM;IACN,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,KAAK;IACL,MAAM;IACN,OAAO;IACP,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,IAAI;IACJ,OAAO;IACP,MAAM;IACN,WAAW;CACZ,CAAC,CAAC;AAEH,qFAAqF;AACrF,MAAM,UAAU,qBAAqB,CAAC,KAAa,EAAE,IAAwB;IAC3E,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,eAAe,CAAC,UAAU,IAAI,mCAAmC,EAAE;YACvE,MAAM,EAAE,gBAAgB,CAAC,eAAe;YACxC,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IACD,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACzC,MAAM,eAAe,CACnB,UAAU,IAAI,UAAU,KAAK,2GAA2G,EACxI,EAAE,MAAM,EAAE,gBAAgB,CAAC,eAAe,EAAE,IAAI,EAAE,KAAK,EAAE,CAC1D,CAAC;IACJ,CAAC;IACD,IAAI,oBAAoB,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAClD,MAAM,eAAe,CACnB,UAAU,IAAI,UAAU,KAAK,mDAAmD,EAChF,EAAE,MAAM,EAAE,gBAAgB,CAAC,kBAAkB,EAAE,IAAI,EAAE,KAAK,EAAE,CAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC;AAC1C,CAAC"}

package/dist/services/canvas/index.d.ts

@@ -15,7 +15,7 @@ export { type AcquireResult, CanvasRegistry, type CanvasRegistryOptions, DEFAULT
 export { createCanvasService } from './core/canvasFactory.js';
 export { DataCanvas } from './core/DataCanvas.js';
 export type { IDataCanvasProvider } from './core/IDataCanvasProvider.js';
-export { ALLOWED_PLAN_OPERATORS, ALLOWED_STATEMENT_TYPES, assertReadOnlyQuery, assertValidIdentifier, collectDisallowedOperators, type DuckdbStatementType, quoteIdentifier, } from './core/sqlGate.js';
+export { ALLOWED_PLAN_OPERATORS, ALLOWED_STATEMENT_TYPES, assertNoDeniedFunctions, assertReadOnlyQuery, assertValidIdentifier, CANVAS_IDENTIFIER_REGEX, collectDisallowedOperators, collectPlanViolations, DENIED_TABLE_FUNCTIONS, type DuckdbStatementType, quoteIdentifier, SQL_GATE_REASONS, type SqlGateReason, } from './core/sqlGate.js';
 export { DuckdbProvider, type DuckdbProviderOptions, } from './providers/duckdb/DuckdbProvider.js';
 export type { AcquireOptions, ColumnSchema, ColumnType, DescribeOptions, ExportFormat, ExportOptions, ExportResult, ExportTarget, QueryOptions, QueryResult, RegisterRows, RegisterTableOptions, RegisterTableResult, TableInfo, } from './types.js';
 //# sourceMappingURL=index.d.ts.map