@getjack/jack 0.1.16 → 0.1.19

package/src/lib/services/sql-classifier.ts

@@ -0,0 +1,346 @@
+/**
+ * SQL Risk Classification
+ *
+ * Classifies SQL statements by risk level to enable security guardrails:
+ * - read: SELECT, EXPLAIN, PRAGMA (read-only) - safe to run
+ * - write: INSERT, UPDATE, DELETE (with WHERE) - requires --write flag
+ * - destructive: DROP, TRUNCATE, DELETE (no WHERE), ALTER - requires --write + confirmation
+ *
+ * Uses simple regex-based classification since D1 uses SQLite with a limited SQL surface.
+ */
+
+export type RiskLevel = "read" | "write" | "destructive";
+
+export interface ClassifiedStatement {
+	sql: string;
+	risk: RiskLevel;
+	operation: string; // SELECT, INSERT, DROP, etc.
+}
+
+/**
+ * Patterns for detecting SQL operations.
+ * Order matters for operations that might overlap.
+ */
+const SQL_PATTERNS = {
+	// Read operations (safe)
+	select: /^\s*SELECT\b/i,
+	explain: /^\s*EXPLAIN\b/i,
+	pragma_read: /^\s*PRAGMA\s+\w+\s*(?:;?\s*$|\()/i, // PRAGMA table_info(...) or PRAGMA journal_mode;
+	// CTE (WITH) - handled specially in classifyStatement based on actual operation
+
+	// Destructive operations (dangerous - require confirmation)
+	drop: /^\s*DROP\b/i,
+	truncate: /^\s*TRUNCATE\b/i,
+	alter: /^\s*ALTER\b/i,
+
+	// Write operations (require --write flag)
+	insert: /^\s*INSERT\b/i,
+	update: /^\s*UPDATE\b/i,
+	delete: /^\s*DELETE\b/i,
+	replace: /^\s*REPLACE\b/i,
+	create: /^\s*CREATE\b/i,
+	pragma_write: /^\s*PRAGMA\s+\w+\s*=\s*/i, // PRAGMA setting = value
+
+	// CTE pattern (just to detect WITH statements)
+	with_cte: /^\s*WITH\b/i,
+};
+
+/**
+ * Strip comments from SQL for classification purposes.
+ * Preserves the actual SQL content after comments.
+ */
+function stripComments(sql: string): string {
+	return sql
+		.replace(/--.*$/gm, "") // Single line comments
+		.replace(/\/\*[\s\S]*?\*\//g, "") // Multi-line comments
+		.trim();
+}
+
+/**
+ * Check if a DELETE statement has a WHERE clause.
+ * DELETE without WHERE is destructive (deletes all rows).
+ */
+function isDeleteWithoutWhere(sql: string): boolean {
+	// Remove comments and normalize whitespace
+	const cleaned = sql
+		.replace(/--.*$/gm, "") // Single line comments
+		.replace(/\/\*[\s\S]*?\*\//g, "") // Multi-line comments
+		.replace(/\s+/g, " ")
+		.trim();
+
+	// Check if it's a DELETE statement
+	if (!SQL_PATTERNS.delete.test(cleaned)) {
+		return false;
+	}
+
+	// Check for WHERE clause (case-insensitive)
+	// Match WHERE followed by anything (column name, space, etc.)
+	const hasWhere = /\bWHERE\b/i.test(cleaned);
+
+	return !hasWhere;
+}
+
+/**
+ * Extract the primary operation from a SQL statement.
+ * For CTEs (WITH clauses), finds the actual operation after the CTE definitions.
+ */
+function extractOperation(sql: string): string {
+	const cleaned = sql.trim().toUpperCase();
+
+	// Handle WITH clauses (CTEs)
+	// The actual operation comes after all the CTE definitions end
+	// Pattern: WITH name AS (...), name2 AS (...) <ACTUAL_OPERATION>
+	if (cleaned.startsWith("WITH")) {
+		// Find the main operation by looking for DML keyword after CTE definitions close
+		// CTE definitions are enclosed in parentheses, so find the operation after the
+		// last `)` that matches the CTE pattern
+		// Look for: ) followed by optional whitespace then SELECT/INSERT/UPDATE/DELETE
+		const cteEndMatch = cleaned.match(/\)\s*(SELECT|INSERT|UPDATE|DELETE)\b/i);
+		if (cteEndMatch) {
+			return cteEndMatch[1].toUpperCase();
+		}
+
+		// Fallback: if no match, look for any of these operations
+		// (handles malformed or edge cases)
+		if (/\bDELETE\b/.test(cleaned)) return "DELETE";
+		if (/\bUPDATE\b/.test(cleaned)) return "UPDATE";
+		if (/\bINSERT\b/.test(cleaned)) return "INSERT";
+		if (/\bSELECT\b/.test(cleaned)) return "SELECT";
+
+		return "WITH";
+	}
+
+	// Extract first keyword
+	const match = cleaned.match(/^\s*(\w+)/);
+	return match?.[1] ?? "UNKNOWN";
+}
+
+/**
+ * Classify a single SQL statement by risk level.
+ */
+export function classifyStatement(sql: string): ClassifiedStatement {
+	const trimmed = sql.trim();
+	// Strip comments for classification but preserve original SQL
+	const cleaned = stripComments(trimmed);
+	const operation = extractOperation(cleaned);
+
+	// Handle CTE (WITH) statements based on their actual operation
+	// This must come early because CTEs don't start with the operation keyword
+	if (SQL_PATTERNS.with_cte.test(cleaned)) {
+		// Classify based on the actual operation extracted from the CTE
+		switch (operation) {
+			case "DELETE":
+				// Check if DELETE in CTE has WHERE clause
+				// For CTEs, we check if DELETE...WHERE exists anywhere after the CTE defs
+				if (!/\bDELETE\b[^;]*\bWHERE\b/i.test(cleaned)) {
+					return { sql: trimmed, risk: "destructive", operation: "DELETE" };
+				}
+				return { sql: trimmed, risk: "write", operation: "DELETE" };
+			case "INSERT":
+				return { sql: trimmed, risk: "write", operation: "INSERT" };
+			case "UPDATE":
+				return { sql: trimmed, risk: "write", operation: "UPDATE" };
+			case "SELECT":
+				return { sql: trimmed, risk: "read", operation: "SELECT" };
+			default:
+				// Unknown CTE operation - default to write for safety
+				return { sql: trimmed, risk: "write", operation };
+		}
+	}
+
+	// Check destructive operations first (highest risk)
+	if (SQL_PATTERNS.drop.test(cleaned)) {
+		return { sql: trimmed, risk: "destructive", operation: "DROP" };
+	}
+
+	if (SQL_PATTERNS.truncate.test(cleaned)) {
+		return { sql: trimmed, risk: "destructive", operation: "TRUNCATE" };
+	}
+
+	if (SQL_PATTERNS.alter.test(cleaned)) {
+		return { sql: trimmed, risk: "destructive", operation: "ALTER" };
+	}
+
+	// DELETE without WHERE is destructive
+	if (isDeleteWithoutWhere(cleaned)) {
+		return { sql: trimmed, risk: "destructive", operation: "DELETE" };
+	}
+
+	// Check write operations
+	if (SQL_PATTERNS.insert.test(cleaned)) {
+		return { sql: trimmed, risk: "write", operation: "INSERT" };
+	}
+
+	if (SQL_PATTERNS.update.test(cleaned)) {
+		return { sql: trimmed, risk: "write", operation: "UPDATE" };
+	}
+
+	if (SQL_PATTERNS.delete.test(cleaned)) {
+		// Has WHERE clause (checked above)
+		return { sql: trimmed, risk: "write", operation: "DELETE" };
+	}
+
+	if (SQL_PATTERNS.replace.test(cleaned)) {
+		return { sql: trimmed, risk: "write", operation: "REPLACE" };
+	}
+
+	if (SQL_PATTERNS.create.test(cleaned)) {
+		return { sql: trimmed, risk: "write", operation: "CREATE" };
+	}
+
+	if (SQL_PATTERNS.pragma_write.test(cleaned)) {
+		return { sql: trimmed, risk: "write", operation: "PRAGMA" };
+	}
+
+	// Check read operations
+	if (SQL_PATTERNS.select.test(cleaned)) {
+		return { sql: trimmed, risk: "read", operation: "SELECT" };
+	}
+
+	if (SQL_PATTERNS.explain.test(cleaned)) {
+		return { sql: trimmed, risk: "read", operation: "EXPLAIN" };
+	}
+
+	if (SQL_PATTERNS.pragma_read.test(cleaned)) {
+		return { sql: trimmed, risk: "read", operation: "PRAGMA" };
+	}
+
+	// Unknown operations default to write for safety
+	return { sql: trimmed, risk: "write", operation };
+}
+
+/**
+ * Split SQL into individual statements.
+ * Handles semicolons inside strings and comments.
+ */
+export function splitStatements(sql: string): string[] {
+	const statements: string[] = [];
+	let current = "";
+	let inString: string | null = null;
+	let inComment = false;
+	let inMultilineComment = false;
+
+	for (let i = 0; i < sql.length; i++) {
+		const char = sql[i];
+		const nextChar = sql[i + 1];
+
+		// Handle multiline comments
+		if (!inString && !inComment && char === "/" && nextChar === "*") {
+			inMultilineComment = true;
+			current += char;
+			continue;
+		}
+
+		if (inMultilineComment && char === "*" && nextChar === "/") {
+			current += "*/";
+			i++; // Skip the /
+			inMultilineComment = false;
+			continue;
+		}
+
+		if (inMultilineComment) {
+			current += char;
+			continue;
+		}
+
+		// Handle single-line comments
+		if (!inString && char === "-" && nextChar === "-") {
+			inComment = true;
+			current += char;
+			continue;
+		}
+
+		if (inComment && char === "\n") {
+			inComment = false;
+			current += char;
+			continue;
+		}
+
+		if (inComment) {
+			current += char;
+			continue;
+		}
+
+		// Handle strings
+		if (!inString && (char === "'" || char === '"')) {
+			inString = char;
+			current += char;
+			continue;
+		}
+
+		if (inString === char) {
+			// Check for escaped quote
+			if (nextChar === char) {
+				current += char + char;
+				i++; // Skip the escaped quote
+				continue;
+			}
+			inString = null;
+			current += char;
+			continue;
+		}
+
+		if (inString) {
+			current += char;
+			continue;
+		}
+
+		// Handle statement terminator
+		if (char === ";") {
+			const trimmed = current.trim();
+			if (trimmed) {
+				statements.push(trimmed);
+			}
+			current = "";
+			continue;
+		}
+
+		current += char;
+	}
+
+	// Add final statement if present
+	const trimmed = current.trim();
+	if (trimmed) {
+		statements.push(trimmed);
+	}
+
+	return statements;
+}
+
+/**
+ * Classify multiple SQL statements and return the highest risk level.
+ */
+export function classifyStatements(sql: string): {
+	statements: ClassifiedStatement[];
+	highestRisk: RiskLevel;
+} {
+	const statements = splitStatements(sql).map(classifyStatement);
+
+	// Find highest risk level
+	let highestRisk: RiskLevel = "read";
+	for (const stmt of statements) {
+		if (stmt.risk === "destructive") {
+			highestRisk = "destructive";
+			break;
+		}
+		if (stmt.risk === "write" && highestRisk === "read") {
+			highestRisk = "write";
+		}
+	}
+
+	return { statements, highestRisk };
+}
+
+/**
+ * Get a human-readable description of the risk level.
+ */
+export function getRiskDescription(risk: RiskLevel): string {
+	switch (risk) {
+		case "read":
+			return "Read-only query";
+		case "write":
+			return "Write operation (modifies data)";
+		case "destructive":
+			return "Destructive operation (may cause data loss)";
+	}
+}

package/src/lib/storage/file-filter.ts

@@ -43,8 +43,12 @@ export const DEFAULT_EXCLUDES: string[] = [
 	".git/**",
 	".env",
 	".env.*",
+	"*.env",
+	".envrc",
 	".dev.vars",
 	".secrets.json",
+	"secrets.yaml",
+	"secrets.yml",
 	"*.log",
 	".DS_Store",
 	"dist/**",

package/src/lib/telemetry.ts

@@ -33,6 +33,9 @@ export const Events = {
 	AUTO_DETECT_SUCCESS: "auto_detect_success",
 	AUTO_DETECT_FAILED: "auto_detect_failed",
 	AUTO_DETECT_REJECTED: "auto_detect_rejected",
+	// Service events
+	SERVICE_CREATED: "service_created",
+	SQL_EXECUTED: "sql_executed",
 } as const;
 
 type EventName = (typeof Events)[keyof typeof Events];

package/src/lib/version-check.ts

@@ -7,6 +7,7 @@ import { join } from "node:path";
 import { $ } from "bun";
 import pkg from "../../package.json";
 import { CONFIG_DIR } from "./config.ts";
+import { debug } from "./debug.ts";
 
 const VERSION_CACHE_PATH = join(CONFIG_DIR, "version-cache.json");
 const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
@@ -123,8 +124,17 @@ export async function performUpdate(): Promise<{
 }> {
 	try {
 		// Run bun add -g to update
+		debug(`Executing: bun add -g ${PACKAGE_NAME}@latest`);
 		const result = await $`bun add -g ${PACKAGE_NAME}@latest`.nothrow().quiet();
 
+		debug(`Exit code: ${result.exitCode}`);
+		if (result.stdout.toString()) {
+			debug(`stdout: ${result.stdout.toString()}`);
+		}
+		if (result.stderr.toString()) {
+			debug(`stderr: ${result.stderr.toString()}`);
+		}
+
 		if (result.exitCode !== 0) {
 			return {
 				success: false,
@@ -133,12 +143,15 @@ export async function performUpdate(): Promise<{
 		}
 
 		// Verify the new version
+		debug("Verifying installed version...");
 		const newVersionResult = await $`bun pm ls -g`.nothrow().quiet();
 		const output = newVersionResult.stdout.toString();
+		debug(`bun pm ls -g output: ${output.slice(0, 500)}`);
 
 		// Try to extract version from output
 		const versionMatch = output.match(/@getjack\/jack@(\d+\.\d+\.\d+)/);
 		const newVersion = versionMatch?.[1];
+		debug(`Extracted version: ${newVersion ?? "not found"}`);
 
 		// Clear version cache so next check gets fresh data
 		try {
@@ -152,6 +165,7 @@ export async function performUpdate(): Promise<{
 			version: newVersion,
 		};
 	} catch (err) {
+		debug(`Update error: ${err instanceof Error ? err.message : String(err)}`);
 		return {
 			success: false,
 			error: err instanceof Error ? err.message : "Unknown error",