@cyanheads/mcp-ts-core 0.8.11 → 0.8.13

package/dist/services/canvas/core/DataCanvas.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"DataCanvas.d.ts","sourceRoot":"","sources":["../../../../src/services/canvas/core/DataCanvas.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAmBpE;;;;;;;;;;;GAWG;AACH,qBAAa,UAAU;IAEnB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBADR,QAAQ,EAAE,mBAAmB,EAC7B,QAAQ,EAAE,cAAc;IAK3C;;;;OAIG;IACG,OAAO,CACX,OAAO,EAAE,MAAM,GAAG,SAAS,EAC3B,OAAO,EAAE,cAAc,EACvB,QAAQ,CAAC,EAAE,cAAc,GACxB,OAAO,CAAC,cAAc,CAAC;IAoB1B;;;OAGG;IACG,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAKvE,kDAAkD;IAClD,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,MAAM;IAK/C,iDAAiD;IACjD,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAI/B,kFAAkF;IAC5E,QAAQ,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IAItD,wEAAwE;IACxE,WAAW,IAAI,mBAAmB;CAGnC"}
+{"version":3,"file":"DataCanvas.d.ts","sourceRoot":"","sources":["../../../../src/services/canvas/core/DataCanvas.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAepE;;;;;;;;;;;GAWG;AACH,qBAAa,UAAU;IAEnB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ;gBADR,QAAQ,EAAE,mBAAmB,EAC7B,QAAQ,EAAE,cAAc;IAK3C;;;;OAIG;IACG,OAAO,CACX,OAAO,EAAE,MAAM,GAAG,SAAS,EAC3B,OAAO,EAAE,cAAc,EACvB,QAAQ,CAAC,EAAE,cAAc,GACxB,OAAO,CAAC,cAAc,CAAC;IAoB1B;;;OAGG;IACG,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC;IAKvE,kDAAkD;IAClD,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,MAAM;IAK/C,iDAAiD;IACjD,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAI/B,kFAAkF;IAC5E,QAAQ,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IAItD,wEAAwE;IACxE,WAAW,IAAI,mBAAmB;CAGnC"}

package/dist/services/canvas/core/DataCanvas.js

@@ -1,18 +1,13 @@
 /**
  * @fileoverview User-facing DataCanvas service. Wraps the provider and registry
- * with debug logging and tenant-id resolution; the registry handles TTL,
- * caps, and provider-keying. Mirrors the StorageService surface pattern but
- * stays OTel-free in v1 (per issue #97 scope).
+ * with debug logging and tenant-id resolution; the registry handles TTL, caps,
+ * and provider-keying.
  * @module src/services/canvas/core/DataCanvas
  */
 import { JsonRpcErrorCode, McpError } from '../../../types-global/errors.js';
 import { logger } from '../../../utils/internal/logger.js';
 import { CanvasInstance } from './CanvasInstance.js';
-/**
- * Resolve the effective tenant ID from the context, throwing when absent.
- * Mirrors `requireTenantId` in StorageService — canvas operations are
- * tenant-scoped by construction.
- */
+/** Resolve the effective tenant ID; throw when absent. */
 function requireTenantId(context) {
     const tenantId = context.tenantId;
     if (tenantId === undefined || tenantId === null || tenantId === '') {

package/dist/services/canvas/core/DataCanvas.js.map

@@ -1 +1 @@
-{"version":3,"file":"DataCanvas.js","sourceRoot":"","sources":["../../../../src/services/canvas/core/DataCanvas.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AAGpD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAIrD;;;;GAIG;AACH,SAAS,eAAe,CAAC,OAAuB;IAC9C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAClC,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,EAAE,EAAE,CAAC;QACnE,MAAM,IAAI,QAAQ,CAChB,gBAAgB,CAAC,aAAa,EAC9B,uFAAuF,EACvF,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,oBAAoB,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,CACvF,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,UAAU;IAEF;IACA;IAFnB,YACmB,QAA6B,EAC7B,QAAwB;QADxB,aAAQ,GAAR,QAAQ,CAAqB;QAC7B,aAAQ,GAAR,QAAQ,CAAgB;QAEzC,MAAM,CAAC,IAAI,CAAC,yCAAyC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,OAAO,CACX,OAA2B,EAC3B,OAAuB,EACvB,QAAyB;QAEzB,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE;YAC/B,GAAG,OAAO;YACV,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ;YACR,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC,CAAC;QACH,OAAO,IAAI,cAAc,CACvB,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,KAAK,EACZ,MAAM,CAAC,SAAS,EAChB,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,QAAQ,EACb,OAAO,CACR,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI,CAAC,QAAgB,EAAE,OAAuB;QAClD,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC/D,CAAC;IAED,kDAAkD;IAClD,cAAc,CAAC,OAAuB;QACpC,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,iDAAiD;IACjD,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IACrC,CAAC;IAED,kFAAkF;IAClF,KAAK,CAAC,QAAQ,CAAC,OAAuB;QACpC,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC;IAED,wEAAwE;IACxE,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF"}
+{"version":3,"file":"DataCanvas.js","sourceRoot":"","sources":["../../../../src/services/canvas/core/DataCanvas.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AAGpD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAIrD,0DAA0D;AAC1D,SAAS,eAAe,CAAC,OAAuB;IAC9C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAClC,IAAI,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,IAAI,IAAI,QAAQ,KAAK,EAAE,EAAE,CAAC;QACnE,MAAM,IAAI,QAAQ,CAChB,gBAAgB,CAAC,aAAa,EAC9B,uFAAuF,EACvF,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,oBAAoB,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,CACvF,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,UAAU;IAEF;IACA;IAFnB,YACmB,QAA6B,EAC7B,QAAwB;QADxB,aAAQ,GAAR,QAAQ,CAAqB;QAC7B,aAAQ,GAAR,QAAQ,CAAgB;QAEzC,MAAM,CAAC,IAAI,CAAC,yCAAyC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,OAAO,CACX,OAA2B,EAC3B,OAAuB,EACvB,QAAyB;QAEzB,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE;YAC/B,GAAG,OAAO;YACV,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,QAAQ;YACR,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC,CAAC;QACH,OAAO,IAAI,cAAc,CACvB,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,KAAK,EACZ,MAAM,CAAC,SAAS,EAChB,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,QAAQ,EACb,OAAO,CACR,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI,CAAC,QAAgB,EAAE,OAAuB;QAClD,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC/D,CAAC;IAED,kDAAkD;IAClD,cAAc,CAAC,OAAuB;QACpC,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED,iDAAiD;IACjD,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IACrC,CAAC;IAED,kFAAkF;IAClF,KAAK,CAAC,QAAQ,CAAC,OAAuB;QACpC,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC;IAED,wEAAwE;IACxE,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF"}

package/dist/services/canvas/core/IDataCanvasProvider.d.ts

@@ -1,13 +1,13 @@
 /**
  * @fileoverview Engine-level provider interface for the DataCanvas primitive.
- * Implementations own the physical resources backing each canvas (e.g. one
- * DuckDB instance per canvasId) and expose register/query/export/describe
- * operations keyed by canvasId. The lifecycle wrapper ({@link CanvasRegistry})
- * keys these calls by `(tenantId, canvasId)` and enforces TTL/caps.
+ * Implementations own physical resources per canvas (e.g. one DuckDB instance
+ * per canvasId) and expose register/query/export/describe keyed by canvasId.
+ * The lifecycle wrapper ({@link CanvasRegistry}) handles TTL, caps, and the
+ * tenant authorization check before any provider call.
  * @module src/services/canvas/core/IDataCanvasProvider
  */
 import type { RequestContext } from '../../../utils/internal/requestContext.js';
-import type { DescribeOptions, ExportOptions, ExportResult, ExportTarget, QueryOptions, QueryResult, RegisterRows, RegisterTableOptions, RegisterTableResult, TableInfo } from '../types.js';
+import type { DescribeOptions, ExportOptions, ExportResult, ExportTarget, ImportFromOptions, QueryOptions, QueryResult, RegisterRows, RegisterTableOptions, RegisterTableResult, RegisterViewOptions, RegisterViewResult, TableInfo } from '../types.js';
 /**
  * Engine-level contract. The lifecycle wrapper guarantees `canvasId` is
  * already validated and authorized for the caller's tenant before any of
@@ -24,12 +24,23 @@ export interface IDataCanvasProvider {
      * the canvas throw `NotFound`.
      */
     destroyCanvas(canvasId: string, context: RequestContext): Promise<void>;
-    /** Drop a single canvas table. Returns `true` when found and removed. */
+    /**
+     * Drop a single canvas table or view. Returns `true` when found and removed.
+     * The provider determines the kind from the catalog; callers don't need to
+     * distinguish.
+     */
     drop(canvasId: string, name: string, context: RequestContext): Promise<boolean>;
     /** Export a canvas table to a file or stream target. */
     export(canvasId: string, tableName: string, target: ExportTarget, context: RequestContext, options?: ExportOptions): Promise<ExportResult>;
     /** Liveness check on the underlying engine. */
     healthCheck(): Promise<boolean>;
+    /**
+     * Copy a table from another canvas (`sourceCanvasId`) into this one as
+     * `asName`. Both canvases must already be authorized for the caller —
+     * the lifecycle wrapper validates tenancy on both ids before this call.
+     * Idempotent: a pre-existing target table with the same name is replaced.
+     */
+    importFrom(targetCanvasId: string, sourceCanvasId: string, sourceTableName: string, asName: string, context: RequestContext, options?: ImportFromOptions): Promise<RegisterTableResult>;
     /**
      * Allocate engine resources for a new canvas. Idempotent — calling twice
      * with the same id is a no-op.
@@ -41,6 +52,13 @@ export interface IDataCanvasProvider {
     query(canvasId: string, sql: string, context: RequestContext, options?: QueryOptions): Promise<QueryResult>;
     /** Register a table on the canvas from in-memory or async iterator rows. */
     registerTable(canvasId: string, name: string, rows: RegisterRows, context: RequestContext, options?: RegisterTableOptions): Promise<RegisterTableResult>;
+    /**
+     * Register a SQL view on the canvas. The provider gates `selectSql` through
+     * the same read-only enforcement `query()` applies, then installs the view.
+     * Re-registering an existing view replaces it; conflicting with a base
+     * table of the same name throws `ValidationError`.
+     */
+    registerView(canvasId: string, name: string, selectSql: string, context: RequestContext, options?: RegisterViewOptions): Promise<RegisterViewResult>;
     /** Tear down all engine resources. Called from `ServerHandle.shutdown()`. */
     shutdown(): Promise<void>;
 }

package/dist/services/canvas/core/IDataCanvasProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"IDataCanvasProvider.d.ts","sourceRoot":"","sources":["../../../../src/services/canvas/core/IDataCanvasProvider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,KAAK,EACV,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,oBAAoB,EACpB,mBAAmB,EACnB,SAAS,EACV,MAAM,aAAa,CAAC;AAErB;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IAClC,kEAAkE;IAClE,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAElE,gDAAgD;IAChD,QAAQ,CACN,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;IAExB;;;OAGG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAExE,yEAAyE;IACzE,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhF,wDAAwD;IACxD,MAAM,CACJ,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,YAAY,EACpB,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,aAAa,GACtB,OAAO,CAAC,YAAY,CAAC,CAAC;IAEzB,+CAA+C;IAC/C,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhC;;;OAGG;IACH,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrE,uEAAuE;IACvE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,mFAAmF;IACnF,KAAK,CACH,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,YAAY,GACrB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB,4EAA4E;IAC5E,aAAa,CACX,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,YAAY,EAClB,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEhC,6EAA6E;IAC7E,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B"}
+{"version":3,"file":"IDataCanvasProvider.d.ts","sourceRoot":"","sources":["../../../../src/services/canvas/core/IDataCanvasProvider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,KAAK,EACV,eAAe,EACf,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,iBAAiB,EACjB,YAAY,EACZ,WAAW,EACX,YAAY,EACZ,oBAAoB,EACpB,mBAAmB,EACnB,mBAAmB,EACnB,kBAAkB,EAClB,SAAS,EACV,MAAM,aAAa,CAAC;AAErB;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IAClC,kEAAkE;IAClE,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAElE,gDAAgD;IAChD,QAAQ,CACN,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;IAExB;;;OAGG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAExE;;;;OAIG;IACH,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhF,wDAAwD;IACxD,MAAM,CACJ,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,YAAY,EACpB,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,aAAa,GACtB,OAAO,CAAC,YAAY,CAAC,CAAC;IAEzB,+CAA+C;IAC/C,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhC;;;;;OAKG;IACH,UAAU,CACR,cAAc,EAAE,MAAM,EACtB,cAAc,EAAE,MAAM,EACtB,eAAe,EAAE,MAAM,EACvB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEhC;;;OAGG;IACH,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrE,uEAAuE;IACvE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,mFAAmF;IACnF,KAAK,CACH,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,YAAY,GACrB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB,4EAA4E;IAC5E,aAAa,CACX,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,YAAY,EAClB,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEhC;;;;;OAKG;IACH,YAAY,CACV,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,cAAc,EACvB,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAE/B,6EAA6E;IAC7E,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B"}

package/dist/services/canvas/core/IDataCanvasProvider.js

@@ -1,9 +1,9 @@
 /**
  * @fileoverview Engine-level provider interface for the DataCanvas primitive.
- * Implementations own the physical resources backing each canvas (e.g. one
- * DuckDB instance per canvasId) and expose register/query/export/describe
- * operations keyed by canvasId. The lifecycle wrapper ({@link CanvasRegistry})
- * keys these calls by `(tenantId, canvasId)` and enforces TTL/caps.
+ * Implementations own physical resources per canvas (e.g. one DuckDB instance
+ * per canvasId) and expose register/query/export/describe keyed by canvasId.
+ * The lifecycle wrapper ({@link CanvasRegistry}) handles TTL, caps, and the
+ * tenant authorization check before any provider call.
  * @module src/services/canvas/core/IDataCanvasProvider
  */
 export {};

package/dist/services/canvas/core/canvasFactory.d.ts

@@ -1,12 +1,8 @@
 /**
- * @fileoverview Factory for the optional DataCanvas service. Mirrors the
- * pattern in `createStorageProvider` — switches on `config.canvas.providerType`,
- * fails closed in serverless environments for `duckdb`, and returns
- * `undefined` when canvas is disabled (`'none'`).
- *
- * The factory does NOT eager-load `@duckdb/node-api`; the provider lazy-loads
- * on first use via `lazyImport`. Servers that set `CANVAS_PROVIDER_TYPE=none`
- * (the default) pay zero install cost.
+ * @fileoverview Factory for the optional DataCanvas service. Switches on
+ * `config.canvas.providerType`, fails closed in serverless for `duckdb`, and
+ * returns `undefined` when canvas is disabled. The factory does not eager-load
+ * `@duckdb/node-api`; the provider lazy-loads on first use.
  *
  * @module src/services/canvas/core/canvasFactory
  */
@@ -14,13 +10,9 @@ import type { AppConfig } from '../../../config/index.js';
 import { DataCanvas } from './DataCanvas.js';
 /**
  * Construct the canvas service from configuration. Returns `undefined` when
- * canvas is disabled (`CANVAS_PROVIDER_TYPE=none`), keeping `core.canvas`
- * `undefined` on `CoreServices` for that case.
- *
- * In serverless environments, an explicit `CANVAS_PROVIDER_TYPE=duckdb`
- * fails closed with a clear ConfigurationError — DuckDB has no V8-isolate
- * build, so canvas is unavailable on Workers. (Refinement #1 in issue #97 is
- * about export-path sandboxing, separate from this Worker fail-closed.)
+ * canvas is disabled. Fails closed with `ConfigurationError` in serverless
+ * environments when `CANVAS_PROVIDER_TYPE=duckdb` — DuckDB has no V8-isolate
+ * build, so canvas is unavailable on Workers.
  */
 export declare function createCanvasService(config: AppConfig): DataCanvas | undefined;
 //# sourceMappingURL=canvasFactory.d.ts.map

package/dist/services/canvas/core/canvasFactory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"canvasFactory.d.ts","sourceRoot":"","sources":["../../../../src/services/canvas/core/canvasFactory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAOnD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAO7C;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,CAkC7E"}
+{"version":3,"file":"canvasFactory.d.ts","sourceRoot":"","sources":["../../../../src/services/canvas/core/canvasFactory.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAOnD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAO7C;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,CAiC7E"}

package/dist/services/canvas/core/canvasFactory.js

@@ -1,12 +1,8 @@
 /**
- * @fileoverview Factory for the optional DataCanvas service. Mirrors the
- * pattern in `createStorageProvider` — switches on `config.canvas.providerType`,
- * fails closed in serverless environments for `duckdb`, and returns
- * `undefined` when canvas is disabled (`'none'`).
- *
- * The factory does NOT eager-load `@duckdb/node-api`; the provider lazy-loads
- * on first use via `lazyImport`. Servers that set `CANVAS_PROVIDER_TYPE=none`
- * (the default) pay zero install cost.
+ * @fileoverview Factory for the optional DataCanvas service. Switches on
+ * `config.canvas.providerType`, fails closed in serverless for `duckdb`, and
+ * returns `undefined` when canvas is disabled. The factory does not eager-load
+ * `@duckdb/node-api`; the provider lazy-loads on first use.
  *
  * @module src/services/canvas/core/canvasFactory
  */
@@ -22,13 +18,9 @@ function isServerless() {
 }
 /**
  * Construct the canvas service from configuration. Returns `undefined` when
- * canvas is disabled (`CANVAS_PROVIDER_TYPE=none`), keeping `core.canvas`
- * `undefined` on `CoreServices` for that case.
- *
- * In serverless environments, an explicit `CANVAS_PROVIDER_TYPE=duckdb`
- * fails closed with a clear ConfigurationError — DuckDB has no V8-isolate
- * build, so canvas is unavailable on Workers. (Refinement #1 in issue #97 is
- * about export-path sandboxing, separate from this Worker fail-closed.)
+ * canvas is disabled. Fails closed with `ConfigurationError` in serverless
+ * environments when `CANVAS_PROVIDER_TYPE=duckdb` — DuckDB has no V8-isolate
+ * build, so canvas is unavailable on Workers.
  */
 export function createCanvasService(config) {
     const providerType = config.canvas.providerType;
@@ -56,7 +48,6 @@ export function createCanvasService(config) {
         });
         return new DataCanvas(provider, registry);
     }
-    // Exhaustive check for the providerType union.
     const exhaustive = providerType;
     throw configurationError(`Unhandled canvas provider type: ${String(exhaustive)}`, context);
 }

package/dist/services/canvas/core/canvasFactory.js.map

@@ -1 +1 @@
-{"version":3,"file":"canvasFactory.js","sourceRoot":"","sources":["../../../../src/services/canvas/core/canvasFactory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAE3E,OAAO,EAAE,cAAc,EAAE,MAAM,uCAAuC,CAAC;AACvE,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAE7C,kFAAkF;AAClF,SAAS,YAAY;IACnB,OAAO,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,MAAM,CAAC;AAChF,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAiB;IACnD,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;IAChD,IAAI,YAAY,KAAK,MAAM;QAAE,OAAO;IAEpC,MAAM,OAAO,GAAG,qBAAqB,CAAC,oBAAoB,CAAC;QACzD,SAAS,EAAE,qBAAqB;KACjC,CAAC,CAAC;IAEH,IAAI,YAAY,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,YAAY,EAAE,EAAE,CAAC;YACnB,MAAM,kBAAkB,CACtB,oHAAoH,EACpH,OAAO,CACR,CAAC;QACJ,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,iCAAiC,EAAE,OAAO,CAAC,CAAC;QACxD,MAAM,QAAQ,GAAG,IAAI,cAAc,CAAC;YAClC,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,oBAAoB;YACjD,cAAc,EAAE,MAAM,CAAC,MAAM,CAAC,cAAc;YAC5C,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe;YAC9C,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe;SAC/C,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,cAAc,CAAC,QAAQ,EAAE;YAC5C,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,KAAK;YAC1B,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa;YAC1C,oBAAoB,EAAE,MAAM,CAAC,MAAM,CAAC,oBAAoB;YACxD,iBAAiB,EAAE,MAAM,CAAC,MAAM,CAAC,iBAAiB;SACnD,CAAC,CAAC;QACH,OAAO,IAAI,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,+CAA+C;IAC/C,MAAM,UAAU,GAAU,YAAY,CAAC;IACvC,MAAM,kBAAkB,CAAC,mCAAmC,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;AAC7F,CAAC"}
+{"version":3,"file":"canvasFactory.js","sourceRoot":"","sources":["../../../../src/services/canvas/core/canvasFactory.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAE,MAAM,4BAA4B,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,oCAAoC,CAAC;AAE3E,OAAO,EAAE,cAAc,EAAE,MAAM,uCAAuC,CAAC;AACvE,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAE7C,kFAAkF;AAClF,SAAS,YAAY;IACnB,OAAO,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,MAAM,CAAC;AAChF,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAiB;IACnD,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC;IAChD,IAAI,YAAY,KAAK,MAAM;QAAE,OAAO;IAEpC,MAAM,OAAO,GAAG,qBAAqB,CAAC,oBAAoB,CAAC;QACzD,SAAS,EAAE,qBAAqB;KACjC,CAAC,CAAC;IAEH,IAAI,YAAY,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,YAAY,EAAE,EAAE,CAAC;YACnB,MAAM,kBAAkB,CACtB,oHAAoH,EACpH,OAAO,CACR,CAAC;QACJ,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,iCAAiC,EAAE,OAAO,CAAC,CAAC;QACxD,MAAM,QAAQ,GAAG,IAAI,cAAc,CAAC;YAClC,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,oBAAoB;YACjD,cAAc,EAAE,MAAM,CAAC,MAAM,CAAC,cAAc;YAC5C,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe;YAC9C,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,eAAe;SAC/C,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,cAAc,CAAC,QAAQ,EAAE;YAC5C,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,KAAK;YAC1B,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa;YAC1C,oBAAoB,EAAE,MAAM,CAAC,MAAM,CAAC,oBAAoB;YACxD,iBAAiB,EAAE,MAAM,CAAC,MAAM,CAAC,iBAAiB;SACnD,CAAC,CAAC;QACH,OAAO,IAAI,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,UAAU,GAAU,YAAY,CAAC;IACvC,MAAM,kBAAkB,CAAC,mCAAmC,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;AAC7F,CAAC"}

package/dist/services/canvas/core/sqlGate.d.ts

@@ -1,61 +1,85 @@
 /**
  * @fileoverview Read-only SQL gate for the DataCanvas primitive. Engine-agnostic
- * pure validators that the provider invokes after pulling DuckDB-specific
- * metadata (statement extraction, prepared-statement type, EXPLAIN plan JSON).
+ * pure validators the provider invokes after pulling DuckDB-specific metadata.
  *
- * Three layers of enforcement, each authoritative on its own:
+ * Four layers of enforcement, each authoritative:
  *
- * 1. **Single-statement check.** The provider parses the input via DuckDB's
- *    `extractStatements` and passes the count here. Anything other than 1 is
- *    rejected — comment-hidden second statements, multi-statement smuggling,
- *    and Unicode tricks all collapse here because DuckDB's parser is the
- *    arbiter, not a regex.
- * 2. **Statement-type check.** The provider prepares the single statement and
- *    passes the resulting `statementType`. We require `SELECT`. Any DDL, DML,
- *    or utility (PRAGMA/ATTACH/COPY/INSTALL/LOAD/SET/EXECUTE) fails to type as
- *    SELECT and is rejected here.
- * 3. **Plan-walk allowlist.** The provider runs `EXPLAIN (FORMAT JSON)` and
- *    passes the plan JSON. We walk every node and reject if any operator
- *    name is outside the curated allowlist — defense-in-depth against future
- *    DuckDB additions that might smuggle work into a SELECT envelope.
+ * 1. **Function deny-list (text scan).** Pre-EXPLAIN regex against the SQL
+ *    (string literals stripped) for file/HTTP-reading table functions like
+ *    `read_json`, `read_parquet`. These can lower into generic SEQ_SCAN
+ *    operators that pass the operator allowlist; catching them by name closes
+ *    that bypass.
+ * 2. **Single-statement check.** Reject anything other than exactly one
+ *    statement parsed by DuckDB. Comment-hidden second statements, Unicode
+ *    tricks, and multi-statement smuggling collapse here.
+ * 3. **Statement-type check.** Require `SELECT`. DDL, DML, and utility
+ *    statements (PRAGMA/ATTACH/COPY/INSTALL/LOAD/SET/EXECUTE) fail to type as
+ *    SELECT.
+ * 4. **Plan-walk allowlist + denied-function rescan.** Walk the
+ *    `EXPLAIN (FORMAT JSON)` tree; reject any operator outside the allowlist
+ *    or any string field referencing a deny-listed function.
  *
- * Rejection paths throw `ValidationError` with a structured `data.reason`
- * suitable for surfacing to the agent.
+ * Rejection paths throw `ValidationError` with a structured `data.reason`.
  *
  * @module src/services/canvas/core/sqlGate
  */
 /**
- * DuckDB statement-type strings emitted by the Neo client. Only `SELECT` is
- * accepted by the canvas. Other values (`INSERT`, `UPDATE`, `DELETE`,
- * `CREATE`, `DROP`, `ALTER`, `COPY`, `PRAGMA`, `ATTACH`, `DETACH`, `LOAD`,
- * `INSTALL`, `SET`, `RESET`, `EXECUTE`, `EXPLAIN`, `TRANSACTION`, `VACUUM`,
- * `CHECKPOINT`, `CALL`, …) are rejected outright. This is a surface — not
- * an enum we own — so the gate matches on the literal string emitted.
+ * DuckDB statement-type string. Only `SELECT` is accepted; everything else
+ * (DDL, DML, utility) is rejected. Modeled as a string surface rather than an
+ * owned enum so the gate matches on whatever DuckDB emits.
  */
 export type DuckdbStatementType = string;
 /** Subset of statement types the gate permits. */
 export declare const ALLOWED_STATEMENT_TYPES: ReadonlySet<DuckdbStatementType>;
 /**
- * Curated allowlist of operator names that can appear in an EXPLAIN plan.
- * Sourced from DuckDB's logical/physical-plan node families (1.5.x). Not
- * every member is reachable from a SELECT — but every member is read-only.
- *
- * Pinned by `tests/canvas/sqlGate.fixtures.test.ts` against live DuckDB
- * EXPLAIN output so version bumps that add operators are caught in CI rather
- * than silently widening the gate.
- *
- * Operators **not** in this list cause rejection. Notable exclusions:
+ * Reason codes set on `validationError.data.reason` by gate assertions.
+ * Consumers can import the {@link SqlGateReason} union to translate gate
+ * denials into typed contract reasons without duplicating the strings.
+ */
+export declare const SQL_GATE_REASONS: {
+    readonly multiStatement: "multi_statement";
+    readonly nonSelectStatement: "non_select_statement";
+    readonly planOperatorNotAllowed: "plan_operator_not_allowed";
+    readonly deniedFunction: "denied_function";
+    readonly deniedFunctionInPlan: "denied_function_in_plan";
+    readonly identifierEmpty: "identifier_empty";
+    readonly identifierShape: "identifier_shape";
+    readonly identifierReserved: "identifier_reserved";
+};
+/** Union of all gate reason strings — see {@link SQL_GATE_REASONS}. */
+export type SqlGateReason = (typeof SQL_GATE_REASONS)[keyof typeof SQL_GATE_REASONS];
+/**
+ * Allowlist of read-only operator names that can appear in an EXPLAIN plan.
+ * Anything outside this set causes rejection. Notable exclusions:
  *
  * - `READ_CSV`, `READ_PARQUET`, `READ_JSON` — bypass canvas, read external files.
- * - `INSERT`, `UPDATE`, `DELETE`, `MERGE`, `CREATE_*`, `DROP_*`, `ALTER_*` — writes.
- * - `COPY_TO_FILE`, `BATCH_COPY_TO_FILE` — exports a SELECT to a file.
- * - `ATTACH`, `DETACH`, `LOAD`, `INSTALL`, `PRAGMA`, `SET`, `RESET` — utility.
+ * - `INSERT`, `UPDATE`, `DELETE`, `MERGE_INTO`, `CREATE_*`, `DROP`, `ALTER` — writes.
+ * - `COPY_TO_FILE`, `BATCH_COPY_TO_FILE`, `COPY_DATABASE` — write a SELECT to a file/db.
+ * - `ATTACH`, `DETACH`, `LOAD`, `PRAGMA`, `SET`, `SET_VARIABLE`, `RESET`, `TRANSACTION`,
+ *   `EXECUTE`, `PREPARE`, `VACUUM`, `EXPORT`, `EXPLAIN_ANALYZE`, `CREATE_SECRET` — utility/system.
+ * - `INOUT_FUNCTION` — table-valued function lowering (read_json/read_parquet/...);
+ *   gated by the function deny-list rather than the operator allowlist.
+ *
+ * Source pinned against `PhysicalOperatorToString` in DuckDB v1.5.2:
+ * https://github.com/duckdb/duckdb/blob/v1.5.2/src/common/enums/physical_operator_type.cpp
  */
 export declare const ALLOWED_PLAN_OPERATORS: ReadonlySet<string>;
 /**
- * Public entry point — validates the trio of `(statementCount, statementType,
- * planJson)`. Throws on the first violation, leaving the provider to pass
- * results back to the caller untouched on success.
+ * External-data table functions (files, HTTP, S3, lakehouse formats). These
+ * lower into generic scan operators that pass the operator allowlist, so the
+ * text-scan and plan-rescan defenses in this module catch them by name
+ * regardless of how DuckDB lowers them.
+ */
+export declare const DENIED_TABLE_FUNCTIONS: ReadonlySet<string>;
+/**
+ * Layer 1: pre-EXPLAIN function deny-list. Scans the SQL (string literals
+ * stripped) for calls to any function in {@link DENIED_TABLE_FUNCTIONS} so a
+ * malicious `read_json('/etc/passwd')` is rejected before reaching the planner.
+ */
+export declare function assertNoDeniedFunctions(sql: string): void;
+/**
+ * Layers 2-4. Throws on the first violation. Layer 1
+ * ({@link assertNoDeniedFunctions}) runs separately before `extractStatements`.
  */
 export declare function assertReadOnlyQuery(input: {
     /** Number of statements DuckDB extracted from the user-supplied SQL. */
@@ -66,42 +90,48 @@ export declare function assertReadOnlyQuery(input: {
     planJson: unknown;
 }): void;
 /**
- * Pre-EXPLAIN gate: validate statement count and type. Run before the EXPLAIN
- * call so non-SELECT statements (which DuckDB's EXPLAIN can't always wrap —
- * e.g. ATTACH/PRAGMA/COPY/INSTALL) fail with a structured ValidationError
- * here rather than a confusing parser error from EXPLAIN itself.
+ * Layers 2-3: validate statement count and type before EXPLAIN. Non-SELECT
+ * statements (ATTACH/PRAGMA/COPY/INSTALL/...) fail here with a structured
+ * ValidationError rather than a confusing parser error from EXPLAIN itself.
  */
 export declare function assertSelectOnly(input: {
     statementCount: number;
     statementType: DuckdbStatementType;
 }): void;
 /**
- * Post-EXPLAIN gate: walk the plan tree and reject any operator outside the
- * curated allowlist. Defense-in-depth against future DuckDB additions that
- * smuggle work into a SELECT envelope.
+ * Layer 4: walk the plan tree and reject any operator outside the allowlist
+ * or any deny-listed table function smuggled into a generic scan operator.
  */
 export declare function assertPlanReadOnly(planJson: unknown): void;
 /**
- * Walks the EXPLAIN plan and returns the set of operator names not in
- * `ALLOWED_PLAN_OPERATORS`. Exported for fixture-driven tests that want
- * to inspect the gate's view of a plan without throwing.
- *
- * Tolerant of structural variation — DuckDB emits operator identity under
- * either `name` (logical plan) or `operator_type` (physical/profile plan)
- * depending on the EXPLAIN flavor. We honor both. Children traversal
- * supports `children`, `child`, and `inputs` arrays.
+ * Returns operator names not in `ALLOWED_PLAN_OPERATORS`. Exported for
+ * fixture-driven tests that want to inspect the gate's view without throwing.
+ * Use {@link collectPlanViolations} to also surface deny-listed function
+ * references in scan-operator metadata.
  */
 export declare function collectDisallowedOperators(planJson: unknown): Set<string>;
 /**
- * Validate an identifier for use as a canvas-local table or column name.
- * Throws `ValidationError` on rejection.
+ * Combined plan-walk: disallowed operators and deny-listed table-function
+ * references in string-valued fields, returned separately so callers can word
+ * errors appropriately.
+ */
+export declare function collectPlanViolations(planJson: unknown): {
+    offending: Set<string>;
+    deniedFunctions: Set<string>;
+};
+/**
+ * Allowed shape for canvas table/column names. SQL identifier convention:
+ * letter/underscore start, letters/digits/underscores after, max 63 chars
+ * (PostgreSQL/DuckDB cap). Exported so consumers can reuse it in Zod schemas
+ * (`z.string().regex(CANVAS_IDENTIFIER_REGEX)`).
  */
+export declare const CANVAS_IDENTIFIER_REGEX: RegExp;
+/** Validate a canvas table or column name. Throws `ValidationError` on rejection. */
 export declare function assertValidIdentifier(value: string, kind: 'table' | 'column'): void;
 /**
- * Wrap an identifier in double quotes for safe inclusion in SQL. Internal
- * double quotes are doubled per the SQL standard. Callers should still
- * validate via {@link assertValidIdentifier} before quoting — this helper
- * only escapes; it does not validate shape.
+ * Double-quote-escape an identifier for SQL embedding. Validate via
+ * {@link assertValidIdentifier} first — this helper only escapes, it does not
+ * check shape.
  */
 export declare function quoteIdentifier(value: string): string;
 //# sourceMappingURL=sqlGate.d.ts.map

package/dist/services/canvas/core/sqlGate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sqlGate.d.ts","sourceRoot":"","sources":["../../../../src/services/canvas/core/sqlGate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAIH;;;;;;;GAOG;AACH,MAAM,MAAM,mBAAmB,GAAG,MAAM,CAAC;AAEzC,kDAAkD;AAClD,eAAO,MAAM,uBAAuB,EAAE,WAAW,CAAC,mBAAmB,CAAuB,CAAC;AAE7F;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAwDrD,CAAC;AAEH;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE;IACzC,wEAAwE;IACxE,cAAc,EAAE,MAAM,CAAC;IACvB,iEAAiE;IACjE,aAAa,EAAE,mBAAmB,CAAC;IACnC,8CAA8C;IAC9C,QAAQ,EAAE,OAAO,CAAC;CACnB,GAAG,IAAI,CAGP;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE;IACtC,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,mBAAmB,CAAC;CACpC,GAAG,IAAI,CAaP;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,OAAO,GAAG,IAAI,CAW1D;AAED;;;;;;;;;GASG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,CAIzE;AAsFD;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,QAAQ,GAAG,IAAI,CAmBnF;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAErD"}
+{"version":3,"file":"sqlGate.d.ts","sourceRoot":"","sources":["../../../../src/services/canvas/core/sqlGate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAIH;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAAG,MAAM,CAAC;AAEzC,kDAAkD;AAClD,eAAO,MAAM,uBAAuB,EAAE,WAAW,CAAC,mBAAmB,CAAuB,CAAC;AAE7F;;;;GAIG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;CASnB,CAAC;AAEX,uEAAuE;AACvE,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,OAAO,gBAAgB,CAAC,CAAC;AAErF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAuErD,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CA2CrD,CAAC;AA4CH;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAYzD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE;IACzC,wEAAwE;IACxE,cAAc,EAAE,MAAM,CAAC;IACvB,iEAAiE;IACjE,aAAa,EAAE,mBAAmB,CAAC;IACnC,8CAA8C;IAC9C,QAAQ,EAAE,OAAO,CAAC;CACnB,GAAG,IAAI,CAGP;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE;IACtC,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,mBAAmB,CAAC;CACpC,GAAG,IAAI,CAaP;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,OAAO,GAAG,IAAI,CAoB1D;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,CAEzE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,OAAO,GAAG;IACxD,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IACvB,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CAC9B,CAKA;AAmDD;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,QAAkC,CAAC;AA6CvE,qFAAqF;AACrF,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,QAAQ,GAAG,IAAI,CAmBnF;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAErD"}