@getjack/jack 0.1.16 → 0.1.17

package/src/lib/services/sql-classifier.ts

@@ -0,0 +1,346 @@
+/**
+ * SQL Risk Classification
+ *
+ * Classifies SQL statements by risk level to enable security guardrails:
+ * - read: SELECT, EXPLAIN, PRAGMA (read-only) - safe to run
+ * - write: INSERT, UPDATE, DELETE (with WHERE) - requires --write flag
+ * - destructive: DROP, TRUNCATE, DELETE (no WHERE), ALTER - requires --write + confirmation
+ *
+ * Uses simple regex-based classification since D1 uses SQLite with a limited SQL surface.
+ */
+
+export type RiskLevel = "read" | "write" | "destructive";
+
+export interface ClassifiedStatement {
+	sql: string;
+	risk: RiskLevel;
+	operation: string; // SELECT, INSERT, DROP, etc.
+}
+
+/**
+ * Patterns for detecting SQL operations.
+ * Order matters for operations that might overlap.
+ */
+const SQL_PATTERNS = {
+	// Read operations (safe)
+	select: /^\s*SELECT\b/i,
+	explain: /^\s*EXPLAIN\b/i,
+	pragma_read: /^\s*PRAGMA\s+\w+\s*(?:;?\s*$|\()/i, // PRAGMA table_info(...) or PRAGMA journal_mode;
+	// CTE (WITH) - handled specially in classifyStatement based on actual operation
+
+	// Destructive operations (dangerous - require confirmation)
+	drop: /^\s*DROP\b/i,
+	truncate: /^\s*TRUNCATE\b/i,
+	alter: /^\s*ALTER\b/i,
+
+	// Write operations (require --write flag)
+	insert: /^\s*INSERT\b/i,
+	update: /^\s*UPDATE\b/i,
+	delete: /^\s*DELETE\b/i,
+	replace: /^\s*REPLACE\b/i,
+	create: /^\s*CREATE\b/i,
+	pragma_write: /^\s*PRAGMA\s+\w+\s*=\s*/i, // PRAGMA setting = value
+
+	// CTE pattern (just to detect WITH statements)
+	with_cte: /^\s*WITH\b/i,
+};
+
+/**
+ * Strip comments from SQL for classification purposes.
+ * Preserves the actual SQL content after comments.
+ */
+function stripComments(sql: string): string {
+	return sql
+		.replace(/--.*$/gm, "") // Single line comments
+		.replace(/\/\*[\s\S]*?\*\//g, "") // Multi-line comments
+		.trim();
+}
+
+/**
+ * Check if a DELETE statement has a WHERE clause.
+ * DELETE without WHERE is destructive (deletes all rows).
+ */
+function isDeleteWithoutWhere(sql: string): boolean {
+	// Remove comments and normalize whitespace
+	const cleaned = sql
+		.replace(/--.*$/gm, "") // Single line comments
+		.replace(/\/\*[\s\S]*?\*\//g, "") // Multi-line comments
+		.replace(/\s+/g, " ")
+		.trim();
+
+	// Check if it's a DELETE statement
+	if (!SQL_PATTERNS.delete.test(cleaned)) {
+		return false;
+	}
+
+	// Check for WHERE clause (case-insensitive)
+	// Match WHERE followed by anything (column name, space, etc.)
+	const hasWhere = /\bWHERE\b/i.test(cleaned);
+
+	return !hasWhere;
+}
+
+/**
+ * Extract the primary operation from a SQL statement.
+ * For CTEs (WITH clauses), finds the actual operation after the CTE definitions.
+ */
+function extractOperation(sql: string): string {
+	const cleaned = sql.trim().toUpperCase();
+
+	// Handle WITH clauses (CTEs)
+	// The actual operation comes after all the CTE definitions end
+	// Pattern: WITH name AS (...), name2 AS (...) <ACTUAL_OPERATION>
+	if (cleaned.startsWith("WITH")) {
+		// Find the main operation by looking for DML keyword after CTE definitions close
+		// CTE definitions are enclosed in parentheses, so find the operation after the
+		// last `)` that matches the CTE pattern
+		// Look for: ) followed by optional whitespace then SELECT/INSERT/UPDATE/DELETE
+		const cteEndMatch = cleaned.match(/\)\s*(SELECT|INSERT|UPDATE|DELETE)\b/i);
+		if (cteEndMatch) {
+			return cteEndMatch[1].toUpperCase();
+		}
+
+		// Fallback: if no match, look for any of these operations
+		// (handles malformed or edge cases)
+		if (/\bDELETE\b/.test(cleaned)) return "DELETE";
+		if (/\bUPDATE\b/.test(cleaned)) return "UPDATE";
+		if (/\bINSERT\b/.test(cleaned)) return "INSERT";
+		if (/\bSELECT\b/.test(cleaned)) return "SELECT";
+
+		return "WITH";
+	}
+
+	// Extract first keyword
+	const match = cleaned.match(/^\s*(\w+)/);
+	return match?.[1] ?? "UNKNOWN";
+}
+
+/**
+ * Classify a single SQL statement by risk level.
+ */
+export function classifyStatement(sql: string): ClassifiedStatement {
+	const trimmed = sql.trim();
+	// Strip comments for classification but preserve original SQL
+	const cleaned = stripComments(trimmed);
+	const operation = extractOperation(cleaned);
+
+	// Handle CTE (WITH) statements based on their actual operation
+	// This must come early because CTEs don't start with the operation keyword
+	if (SQL_PATTERNS.with_cte.test(cleaned)) {
+		// Classify based on the actual operation extracted from the CTE
+		switch (operation) {
+			case "DELETE":
+				// Check if DELETE in CTE has WHERE clause
+				// For CTEs, we check if DELETE...WHERE exists anywhere after the CTE defs
+				if (!/\bDELETE\b[^;]*\bWHERE\b/i.test(cleaned)) {
+					return { sql: trimmed, risk: "destructive", operation: "DELETE" };
+				}
+				return { sql: trimmed, risk: "write", operation: "DELETE" };
+			case "INSERT":
+				return { sql: trimmed, risk: "write", operation: "INSERT" };
+			case "UPDATE":
+				return { sql: trimmed, risk: "write", operation: "UPDATE" };
+			case "SELECT":
+				return { sql: trimmed, risk: "read", operation: "SELECT" };
+			default:
+				// Unknown CTE operation - default to write for safety
+				return { sql: trimmed, risk: "write", operation };
+		}
+	}
+
+	// Check destructive operations first (highest risk)
+	if (SQL_PATTERNS.drop.test(cleaned)) {
+		return { sql: trimmed, risk: "destructive", operation: "DROP" };
+	}
+
+	if (SQL_PATTERNS.truncate.test(cleaned)) {
+		return { sql: trimmed, risk: "destructive", operation: "TRUNCATE" };
+	}
+
+	if (SQL_PATTERNS.alter.test(cleaned)) {
+		return { sql: trimmed, risk: "destructive", operation: "ALTER" };
+	}
+
+	// DELETE without WHERE is destructive
+	if (isDeleteWithoutWhere(cleaned)) {
+		return { sql: trimmed, risk: "destructive", operation: "DELETE" };
+	}
+
+	// Check write operations
+	if (SQL_PATTERNS.insert.test(cleaned)) {
+		return { sql: trimmed, risk: "write", operation: "INSERT" };
+	}
+
+	if (SQL_PATTERNS.update.test(cleaned)) {
+		return { sql: trimmed, risk: "write", operation: "UPDATE" };
+	}
+
+	if (SQL_PATTERNS.delete.test(cleaned)) {
+		// Has WHERE clause (checked above)
+		return { sql: trimmed, risk: "write", operation: "DELETE" };
+	}
+
+	if (SQL_PATTERNS.replace.test(cleaned)) {
+		return { sql: trimmed, risk: "write", operation: "REPLACE" };
+	}
+
+	if (SQL_PATTERNS.create.test(cleaned)) {
+		return { sql: trimmed, risk: "write", operation: "CREATE" };
+	}
+
+	if (SQL_PATTERNS.pragma_write.test(cleaned)) {
+		return { sql: trimmed, risk: "write", operation: "PRAGMA" };
+	}
+
+	// Check read operations
+	if (SQL_PATTERNS.select.test(cleaned)) {
+		return { sql: trimmed, risk: "read", operation: "SELECT" };
+	}
+
+	if (SQL_PATTERNS.explain.test(cleaned)) {
+		return { sql: trimmed, risk: "read", operation: "EXPLAIN" };
+	}
+
+	if (SQL_PATTERNS.pragma_read.test(cleaned)) {
+		return { sql: trimmed, risk: "read", operation: "PRAGMA" };
+	}
+
+	// Unknown operations default to write for safety
+	return { sql: trimmed, risk: "write", operation };
+}
+
+/**
+ * Split SQL into individual statements.
+ * Handles semicolons inside strings and comments.
+ */
+export function splitStatements(sql: string): string[] {
+	const statements: string[] = [];
+	let current = "";
+	let inString: string | null = null;
+	let inComment = false;
+	let inMultilineComment = false;
+
+	for (let i = 0; i < sql.length; i++) {
+		const char = sql[i];
+		const nextChar = sql[i + 1];
+
+		// Handle multiline comments
+		if (!inString && !inComment && char === "/" && nextChar === "*") {
+			inMultilineComment = true;
+			current += char;
+			continue;
+		}
+
+		if (inMultilineComment && char === "*" && nextChar === "/") {
+			current += "*/";
+			i++; // Skip the /
+			inMultilineComment = false;
+			continue;
+		}
+
+		if (inMultilineComment) {
+			current += char;
+			continue;
+		}
+
+		// Handle single-line comments
+		if (!inString && char === "-" && nextChar === "-") {
+			inComment = true;
+			current += char;
+			continue;
+		}
+
+		if (inComment && char === "\n") {
+			inComment = false;
+			current += char;
+			continue;
+		}
+
+		if (inComment) {
+			current += char;
+			continue;
+		}
+
+		// Handle strings
+		if (!inString && (char === "'" || char === '"')) {
+			inString = char;
+			current += char;
+			continue;
+		}
+
+		if (inString === char) {
+			// Check for escaped quote
+			if (nextChar === char) {
+				current += char + char;
+				i++; // Skip the escaped quote
+				continue;
+			}
+			inString = null;
+			current += char;
+			continue;
+		}
+
+		if (inString) {
+			current += char;
+			continue;
+		}
+
+		// Handle statement terminator
+		if (char === ";") {
+			const trimmed = current.trim();
+			if (trimmed) {
+				statements.push(trimmed);
+			}
+			current = "";
+			continue;
+		}
+
+		current += char;
+	}
+
+	// Add final statement if present
+	const trimmed = current.trim();
+	if (trimmed) {
+		statements.push(trimmed);
+	}
+
+	return statements;
+}
+
+/**
+ * Classify multiple SQL statements and return the highest risk level.
+ */
+export function classifyStatements(sql: string): {
+	statements: ClassifiedStatement[];
+	highestRisk: RiskLevel;
+} {
+	const statements = splitStatements(sql).map(classifyStatement);
+
+	// Find highest risk level
+	let highestRisk: RiskLevel = "read";
+	for (const stmt of statements) {
+		if (stmt.risk === "destructive") {
+			highestRisk = "destructive";
+			break;
+		}
+		if (stmt.risk === "write" && highestRisk === "read") {
+			highestRisk = "write";
+		}
+	}
+
+	return { statements, highestRisk };
+}
+
+/**
+ * Get a human-readable description of the risk level.
+ */
+export function getRiskDescription(risk: RiskLevel): string {
+	switch (risk) {
+		case "read":
+			return "Read-only query";
+		case "write":
+			return "Write operation (modifies data)";
+		case "destructive":
+			return "Destructive operation (may cause data loss)";
+	}
+}

package/src/lib/storage/file-filter.ts

@@ -43,8 +43,12 @@ export const DEFAULT_EXCLUDES: string[] = [
 	".git/**",
 	".env",
 	".env.*",
+	"*.env",
+	".envrc",
 	".dev.vars",
 	".secrets.json",
+	"secrets.yaml",
+	"secrets.yml",
 	"*.log",
 	".DS_Store",
 	"dist/**",

package/src/lib/telemetry.ts

@@ -33,6 +33,9 @@ export const Events = {
 	AUTO_DETECT_SUCCESS: "auto_detect_success",
 	AUTO_DETECT_FAILED: "auto_detect_failed",
 	AUTO_DETECT_REJECTED: "auto_detect_rejected",
+	// Service events
+	SERVICE_CREATED: "service_created",
+	SQL_EXECUTED: "sql_executed",
 } as const;
 
 type EventName = (typeof Events)[keyof typeof Events];

package/src/lib/wrangler-config.test.ts

@@ -0,0 +1,322 @@
+/**
+ * Unit tests for wrangler-config.ts
+ *
+ * Tests adding D1 bindings to wrangler.jsonc while preserving comments.
+ */
+
+import { afterEach, beforeEach, describe, expect, it } from "bun:test";
+import { existsSync, mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { addD1Binding, getExistingD1Bindings, type D1BindingConfig } from "./wrangler-config.ts";
+
+// ============================================================================
+// Test Helpers
+// ============================================================================
+
+let testDir: string;
+
+function createTestConfig(content: string): string {
+	const configPath = join(testDir, "wrangler.jsonc");
+	writeFileSync(configPath, content);
+	return configPath;
+}
+
+async function readTestConfig(configPath: string): Promise<string> {
+	return await Bun.file(configPath).text();
+}
+
+// ============================================================================
+// Tests
+// ============================================================================
+
+describe("wrangler-config", () => {
+	beforeEach(() => {
+		testDir = join(tmpdir(), `wrangler-config-test-${Date.now()}`);
+		mkdirSync(testDir, { recursive: true });
+	});
+
+	afterEach(() => {
+		if (existsSync(testDir)) {
+			rmSync(testDir, { recursive: true });
+		}
+	});
+
+	describe("getExistingD1Bindings", () => {
+		it("returns empty array when no d1_databases", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	"main": "src/index.ts"
+}`);
+
+			const bindings = await getExistingD1Bindings(configPath);
+
+			expect(bindings).toHaveLength(0);
+		});
+
+		it("returns existing D1 bindings", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	"d1_databases": [
+		{
+			"binding": "DB",
+			"database_name": "my-db",
+			"database_id": "abc-123"
+		}
+	]
+}`);
+
+			const bindings = await getExistingD1Bindings(configPath);
+
+			expect(bindings).toHaveLength(1);
+			expect(bindings[0]).toEqual({
+				binding: "DB",
+				database_name: "my-db",
+				database_id: "abc-123",
+			});
+		});
+
+		it("returns multiple D1 bindings", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	"d1_databases": [
+		{
+			"binding": "DB",
+			"database_name": "main-db",
+			"database_id": "abc-123"
+		},
+		{
+			"binding": "ANALYTICS_DB",
+			"database_name": "analytics-db",
+			"database_id": "def-456"
+		}
+	]
+}`);
+
+			const bindings = await getExistingD1Bindings(configPath);
+
+			expect(bindings).toHaveLength(2);
+			expect(bindings[0]?.binding).toBe("DB");
+			expect(bindings[1]?.binding).toBe("ANALYTICS_DB");
+		});
+
+		it("filters out incomplete bindings", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	"d1_databases": [
+		{
+			"binding": "DB",
+			"database_name": "my-db"
+		}
+	]
+}`);
+
+			const bindings = await getExistingD1Bindings(configPath);
+
+			expect(bindings).toHaveLength(0);
+		});
+
+		it("throws error when config file does not exist", async () => {
+			const configPath = join(testDir, "nonexistent.jsonc");
+
+			expect(getExistingD1Bindings(configPath)).rejects.toThrow("wrangler.jsonc not found");
+		});
+
+		it("handles JSONC with comments", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	// Database configuration
+	"d1_databases": [
+		{
+			"binding": "DB",
+			"database_name": "my-db", // main database
+			"database_id": "abc-123"
+		}
+	]
+}`);
+
+			const bindings = await getExistingD1Bindings(configPath);
+
+			expect(bindings).toHaveLength(1);
+			expect(bindings[0]?.binding).toBe("DB");
+		});
+	});
+
+	describe("addD1Binding", () => {
+		const testBinding: D1BindingConfig = {
+			binding: "DB",
+			database_name: "test-db",
+			database_id: "abc-123-def-456",
+		};
+
+		it("throws error when config file does not exist", async () => {
+			const configPath = join(testDir, "nonexistent.jsonc");
+
+			expect(addD1Binding(configPath, testBinding)).rejects.toThrow("wrangler.jsonc not found");
+		});
+
+		it("adds d1_databases section when it does not exist", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	"main": "src/index.ts"
+}`);
+
+			await addD1Binding(configPath, testBinding);
+
+			const content = await readTestConfig(configPath);
+			expect(content).toContain('"d1_databases"');
+			expect(content).toContain('"binding": "DB"');
+			expect(content).toContain('"database_name": "test-db"');
+			expect(content).toContain('"database_id": "abc-123-def-456"');
+		});
+
+		it("appends to existing d1_databases array", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	"d1_databases": [
+		{
+			"binding": "MAIN_DB",
+			"database_name": "main-db",
+			"database_id": "existing-id"
+		}
+	]
+}`);
+
+			await addD1Binding(configPath, {
+				binding: "SECONDARY_DB",
+				database_name: "secondary-db",
+				database_id: "new-id",
+			});
+
+			const content = await readTestConfig(configPath);
+			expect(content).toContain('"binding": "MAIN_DB"');
+			expect(content).toContain('"binding": "SECONDARY_DB"');
+		});
+
+		it("preserves comments when adding d1_databases section", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	// This is the main entry point
+	"main": "src/index.ts"
+}`);
+
+			await addD1Binding(configPath, testBinding);
+
+			const content = await readTestConfig(configPath);
+			expect(content).toContain("// This is the main entry point");
+			expect(content).toContain('"d1_databases"');
+		});
+
+		it("preserves comments when appending to existing array", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	// Database configuration
+	"d1_databases": [
+		{
+			"binding": "MAIN_DB",
+			"database_name": "main-db", // Primary database
+			"database_id": "existing-id"
+		}
+	]
+}`);
+
+			await addD1Binding(configPath, {
+				binding: "SECONDARY_DB",
+				database_name: "secondary-db",
+				database_id: "new-id",
+			});
+
+			const content = await readTestConfig(configPath);
+			expect(content).toContain("// Database configuration");
+			expect(content).toContain("// Primary database");
+			expect(content).toContain('"binding": "SECONDARY_DB"');
+		});
+
+		it("handles empty d1_databases array", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	"d1_databases": []
+}`);
+
+			await addD1Binding(configPath, testBinding);
+
+			const content = await readTestConfig(configPath);
+			expect(content).toContain('"binding": "DB"');
+		});
+
+		it("handles real-world miniapp template format", async () => {
+			const configPath = createTestConfig(`{
+	"name": "jack-template",
+	"main": "src/worker.ts",
+	"compatibility_date": "2024-12-01",
+	"assets": {
+		"binding": "ASSETS",
+		"directory": "dist/client",
+		"not_found_handling": "single-page-application",
+		// Required for dynamic routes (/share, /api/og) to work alongside static assets
+		// Without this, Cloudflare serves static files directly, bypassing the worker
+		"run_worker_first": true
+	},
+	"d1_databases": [
+		{
+			"binding": "DB",
+			"database_name": "jack-template-db"
+		}
+	],
+	"ai": {
+		"binding": "AI"
+	},
+	"vars": {
+		// Set this after first deploy - required for share embeds
+		// Get your URL from: jack projects or wrangler deployments list
+		// Example: "APP_URL": "https://my-app.username.workers.dev"
+		"APP_URL": ""
+	}
+}`);
+
+			await addD1Binding(configPath, {
+				binding: "ANALYTICS_DB",
+				database_name: "analytics-db",
+				database_id: "analytics-uuid",
+			});
+
+			const content = await readTestConfig(configPath);
+			// Verify original comments preserved
+			expect(content).toContain("// Required for dynamic routes");
+			expect(content).toContain("// Set this after first deploy");
+			// Verify new binding added
+			expect(content).toContain('"binding": "ANALYTICS_DB"');
+			expect(content).toContain('"database_name": "analytics-db"');
+		});
+
+		it("produces valid JSON output", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	"main": "src/index.ts"
+}`);
+
+			await addD1Binding(configPath, testBinding);
+
+			const content = await readTestConfig(configPath);
+			// Strip comments and parse
+			const { parseJsonc } = await import("./jsonc.ts");
+			const parsed = parseJsonc<{ d1_databases: D1BindingConfig[] }>(content);
+			expect(parsed.d1_databases).toBeDefined();
+			expect(parsed.d1_databases[0]?.binding).toBe("DB");
+		});
+
+		it("handles config with trailing comma", async () => {
+			const configPath = createTestConfig(`{
+	"name": "test-app",
+	"main": "src/index.ts",
+}`);
+
+			await addD1Binding(configPath, testBinding);
+
+			const content = await readTestConfig(configPath);
+			const { parseJsonc } = await import("./jsonc.ts");
+			const parsed = parseJsonc<{ d1_databases: D1BindingConfig[] }>(content);
+			expect(parsed.d1_databases).toBeDefined();
+		});
+	});
+});