npm - @kb-labs/adapters - Versions diffs - 0.5.0 - Mend

@kb-labs/adapters 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (276) hide show

package/.cursorrules +32 -0
package/.github/workflows/ci.yml +13 -0
package/.github/workflows/deploy.yml +28 -0
package/.github/workflows/docker-build.yml +25 -0
package/.github/workflows/drift-check.yml +10 -0
package/.github/workflows/profiles-validate.yml +16 -0
package/.github/workflows/release.yml +8 -0
package/.kb/devkit/agents/devkit-maintainer/context.globs +15 -0
package/.kb/devkit/agents/devkit-maintainer/permissions.yml +17 -0
package/.kb/devkit/agents/devkit-maintainer/prompt.md +28 -0
package/.kb/devkit/agents/devkit-maintainer/runbook.md +31 -0
package/.kb/devkit/agents/docs-crafter/prompt.md +24 -0
package/.kb/devkit/agents/docs-crafter/runbook.md +18 -0
package/.kb/devkit/agents/release-manager/context.globs +7 -0
package/.kb/devkit/agents/release-manager/prompt.md +27 -0
package/.kb/devkit/agents/release-manager/runbook.md +17 -0
package/.kb/devkit/agents/test-generator/context.globs +7 -0
package/.kb/devkit/agents/test-generator/prompt.md +27 -0
package/.kb/devkit/agents/test-generator/runbook.md +18 -0
package/CONTRIBUTING.md +90 -0
package/IMPLEMENTATION_COMPLETE.md +416 -0
package/LICENSE +186 -0
package/README-TEMPLATE.md +179 -0
package/README.md +306 -0
package/docs/DOCUMENTATION.md +74 -0
package/docs/adr/0000-template.md +49 -0
package/docs/adr/0001-architecture-and-repository-layout.md +33 -0
package/docs/adr/0002-plugins-and-extensibility.md +46 -0
package/docs/adr/0003-package-and-module-boundaries.md +37 -0
package/docs/adr/0004-versioning-and-release-policy.md +38 -0
package/docs/adr/0005-use-devkit-for-shared-tooling.md +48 -0
package/docs/adr/0006-adopt-devkit-sync.md +47 -0
package/docs/adr/0007-drift-kit-check.md +72 -0
package/docs/adr/0008-devkit-sync-wrapper-strategy.md +67 -0
package/docs/naming-convention.md +272 -0
package/eslint.config.js +27 -0
package/kb-labs.config.json +5 -0
package/package.json +84 -0
package/package.json.bin +25 -0
package/package.json.lib +30 -0
package/packages/adapters-analytics-duckdb/package.json +54 -0
package/packages/adapters-analytics-duckdb/scripts/migrate-from-jsonl.mjs +253 -0
package/packages/adapters-analytics-duckdb/src/index.ts +380 -0
package/packages/adapters-analytics-duckdb/src/manifest.ts +36 -0
package/packages/adapters-analytics-duckdb/src/schema.ts +161 -0
package/packages/adapters-analytics-duckdb/tsconfig.build.json +15 -0
package/packages/adapters-analytics-duckdb/tsconfig.json +9 -0
package/packages/adapters-analytics-duckdb/tsup.config.ts +9 -0
package/packages/adapters-analytics-file/README.md +32 -0
package/packages/adapters-analytics-file/eslint.config.js +27 -0
package/packages/adapters-analytics-file/package.json +50 -0
package/packages/adapters-analytics-file/src/__tests__/daily-stats.spec.ts +287 -0
package/packages/adapters-analytics-file/src/__tests__/scoped-analytics.test.ts +233 -0
package/packages/adapters-analytics-file/src/index.test.ts +214 -0
package/packages/adapters-analytics-file/src/index.ts +830 -0
package/packages/adapters-analytics-file/src/manifest.ts +45 -0
package/packages/adapters-analytics-file/tsconfig.build.json +15 -0
package/packages/adapters-analytics-file/tsconfig.json +9 -0
package/packages/adapters-analytics-file/tsup.config.ts +9 -0
package/packages/adapters-analytics-sqlite/package.json +55 -0
package/packages/adapters-analytics-sqlite/scripts/migrate-from-jsonl.mjs +194 -0
package/packages/adapters-analytics-sqlite/src/index.ts +460 -0
package/packages/adapters-analytics-sqlite/src/manifest.ts +41 -0
package/packages/adapters-analytics-sqlite/tsconfig.build.json +15 -0
package/packages/adapters-analytics-sqlite/tsconfig.json +9 -0
package/packages/adapters-analytics-sqlite/tsup.config.ts +9 -0
package/packages/adapters-environment-docker/README.md +28 -0
package/packages/adapters-environment-docker/eslint.config.js +5 -0
package/packages/adapters-environment-docker/package.json +49 -0
package/packages/adapters-environment-docker/src/index.test.ts +138 -0
package/packages/adapters-environment-docker/src/index.ts +439 -0
package/packages/adapters-environment-docker/src/manifest.ts +65 -0
package/packages/adapters-environment-docker/tsconfig.build.json +15 -0
package/packages/adapters-environment-docker/tsconfig.json +16 -0
package/packages/adapters-environment-docker/tsup.config.ts +9 -0
package/packages/adapters-eventbus-cache/README.md +242 -0
package/packages/adapters-eventbus-cache/eslint.config.js +27 -0
package/packages/adapters-eventbus-cache/package.json +46 -0
package/packages/adapters-eventbus-cache/src/index.test.ts +235 -0
package/packages/adapters-eventbus-cache/src/index.ts +215 -0
package/packages/adapters-eventbus-cache/src/manifest.ts +50 -0
package/packages/adapters-eventbus-cache/src/types.ts +58 -0
package/packages/adapters-eventbus-cache/tsconfig.build.json +15 -0
package/packages/adapters-eventbus-cache/tsconfig.json +9 -0
package/packages/adapters-eventbus-cache/tsup.config.ts +9 -0
package/packages/adapters-fs/README.md +171 -0
package/packages/adapters-fs/allowed.txt +1 -0
package/packages/adapters-fs/conflict.txt +1 -0
package/packages/adapters-fs/dest.txt +1 -0
package/packages/adapters-fs/eslint.config.js +27 -0
package/packages/adapters-fs/exists.txt +1 -0
package/packages/adapters-fs/not-allowed.txt +1 -0
package/packages/adapters-fs/other.txt +1 -0
package/packages/adapters-fs/package.json +55 -0
package/packages/adapters-fs/public/file1.txt +1 -0
package/packages/adapters-fs/public/file2.txt +1 -0
package/packages/adapters-fs/secret.txt +1 -0
package/packages/adapters-fs/secrets/key.txt +1 -0
package/packages/adapters-fs/src/index.test.ts +243 -0
package/packages/adapters-fs/src/index.ts +258 -0
package/packages/adapters-fs/src/manifest.ts +35 -0
package/packages/adapters-fs/src/secure-storage.test.ts +380 -0
package/packages/adapters-fs/src/secure-storage.ts +268 -0
package/packages/adapters-fs/test.json +1 -0
package/packages/adapters-fs/test.txt +1 -0
package/packages/adapters-fs/test.xyz +1 -0
package/packages/adapters-fs/test1.txt +1 -0
package/packages/adapters-fs/test2.txt +1 -0
package/packages/adapters-fs/tsconfig.build.json +15 -0
package/packages/adapters-fs/tsconfig.json +9 -0
package/packages/adapters-fs/tsup.config.ts +8 -0
package/packages/adapters-fs/vitest.config.ts +19 -0
package/packages/adapters-log-ringbuffer/README.md +228 -0
package/packages/adapters-log-ringbuffer/eslint.config.js +27 -0
package/packages/adapters-log-ringbuffer/package.json +47 -0
package/packages/adapters-log-ringbuffer/src/__tests__/ring-buffer.test.ts +450 -0
package/packages/adapters-log-ringbuffer/src/index.ts +212 -0
package/packages/adapters-log-ringbuffer/src/manifest.ts +30 -0
package/packages/adapters-log-ringbuffer/tsconfig.build.json +15 -0
package/packages/adapters-log-ringbuffer/tsconfig.json +9 -0
package/packages/adapters-log-ringbuffer/tsup.config.ts +9 -0
package/packages/adapters-log-ringbuffer/vitest.config.ts +14 -0
package/packages/adapters-log-sqlite/README.md +396 -0
package/packages/adapters-log-sqlite/eslint.config.js +27 -0
package/packages/adapters-log-sqlite/package.json +49 -0
package/packages/adapters-log-sqlite/src/__tests__/log-persistence.test.ts +718 -0
package/packages/adapters-log-sqlite/src/index.ts +1068 -0
package/packages/adapters-log-sqlite/src/manifest.ts +36 -0
package/packages/adapters-log-sqlite/src/schema.sql +46 -0
package/packages/adapters-log-sqlite/tsconfig.build.json +15 -0
package/packages/adapters-log-sqlite/tsconfig.json +9 -0
package/packages/adapters-log-sqlite/tsup.config.ts +9 -0
package/packages/adapters-log-sqlite/vitest.config.ts +15 -0
package/packages/adapters-mongodb/README.md +147 -0
package/packages/adapters-mongodb/eslint.config.js +27 -0
package/packages/adapters-mongodb/package.json +53 -0
package/packages/adapters-mongodb/src/index.ts +428 -0
package/packages/adapters-mongodb/src/manifest.ts +45 -0
package/packages/adapters-mongodb/src/secure-document.ts +231 -0
package/packages/adapters-mongodb/tsconfig.build.json +15 -0
package/packages/adapters-mongodb/tsconfig.json +9 -0
package/packages/adapters-mongodb/tsup.config.ts +8 -0
package/packages/adapters-openai/README.md +151 -0
package/packages/adapters-openai/embeddings.ts +37 -0
package/packages/adapters-openai/eslint.config.js +26 -0
package/packages/adapters-openai/index.ts +22 -0
package/packages/adapters-openai/package.json +57 -0
package/packages/adapters-openai/src/embeddings-manifest.ts +45 -0
package/packages/adapters-openai/src/embeddings.ts +104 -0
package/packages/adapters-openai/src/index.ts +13 -0
package/packages/adapters-openai/src/llm.ts +304 -0
package/packages/adapters-openai/src/manifest.ts +47 -0
package/packages/adapters-openai/tsconfig.build.json +15 -0
package/packages/adapters-openai/tsconfig.json +9 -0
package/packages/adapters-openai/tsup.config.ts +8 -0
package/packages/adapters-pino/README.md +152 -0
package/packages/adapters-pino/eslint.config.js +27 -0
package/packages/adapters-pino/package.json +49 -0
package/packages/adapters-pino/src/index.test.ts +44 -0
package/packages/adapters-pino/src/index.ts +322 -0
package/packages/adapters-pino/src/log-ring-buffer.ts +142 -0
package/packages/adapters-pino/src/manifest.ts +49 -0
package/packages/adapters-pino/tsconfig.build.json +15 -0
package/packages/adapters-pino/tsconfig.json +9 -0
package/packages/adapters-pino/tsup.config.ts +9 -0
package/packages/adapters-pino-http/README.md +141 -0
package/packages/adapters-pino-http/eslint.config.js +27 -0
package/packages/adapters-pino-http/package.json +46 -0
package/packages/adapters-pino-http/src/index.ts +229 -0
package/packages/adapters-pino-http/tsconfig.build.json +15 -0
package/packages/adapters-pino-http/tsconfig.json +9 -0
package/packages/adapters-pino-http/tsup.config.ts +9 -0
package/packages/adapters-qdrant/README.md +166 -0
package/packages/adapters-qdrant/eslint.config.js +27 -0
package/packages/adapters-qdrant/package.json +49 -0
package/packages/adapters-qdrant/src/index.ts +490 -0
package/packages/adapters-qdrant/src/manifest.ts +54 -0
package/packages/adapters-qdrant/src/retry.ts +204 -0
package/packages/adapters-qdrant/tsconfig.build.json +15 -0
package/packages/adapters-qdrant/tsconfig.json +9 -0
package/packages/adapters-qdrant/tsup.config.ts +9 -0
package/packages/adapters-redis/README.md +159 -0
package/packages/adapters-redis/eslint.config.js +27 -0
package/packages/adapters-redis/package.json +49 -0
package/packages/adapters-redis/src/index.ts +164 -0
package/packages/adapters-redis/src/manifest.ts +49 -0
package/packages/adapters-redis/tsconfig.build.json +15 -0
package/packages/adapters-redis/tsconfig.json +9 -0
package/packages/adapters-redis/tsup.config.ts +9 -0
package/packages/adapters-snapshot-localfs/README.md +10 -0
package/packages/adapters-snapshot-localfs/eslint.config.js +2 -0
package/packages/adapters-snapshot-localfs/package.json +46 -0
package/packages/adapters-snapshot-localfs/src/index.test.ts +40 -0
package/packages/adapters-snapshot-localfs/src/index.ts +292 -0
package/packages/adapters-snapshot-localfs/src/manifest.ts +32 -0
package/packages/adapters-snapshot-localfs/tsconfig.build.json +15 -0
package/packages/adapters-snapshot-localfs/tsconfig.json +16 -0
package/packages/adapters-snapshot-localfs/tsup.config.ts +11 -0
package/packages/adapters-sqlite/README.md +163 -0
package/packages/adapters-sqlite/eslint.config.js +27 -0
package/packages/adapters-sqlite/package.json +54 -0
package/packages/adapters-sqlite/src/index.test.ts +245 -0
package/packages/adapters-sqlite/src/index.ts +382 -0
package/packages/adapters-sqlite/src/manifest.ts +47 -0
package/packages/adapters-sqlite/src/secure-sql.test.ts +290 -0
package/packages/adapters-sqlite/src/secure-sql.ts +281 -0
package/packages/adapters-sqlite/tsconfig.build.json +15 -0
package/packages/adapters-sqlite/tsconfig.json +9 -0
package/packages/adapters-sqlite/tsup.config.ts +8 -0
package/packages/adapters-sqlite/vitest.config.ts +19 -0
package/packages/adapters-transport/README.md +170 -0
package/packages/adapters-transport/eslint.config.js +27 -0
package/packages/adapters-transport/package.json +49 -0
package/packages/adapters-transport/src/__tests__/unix-socket-server.test.ts +550 -0
package/packages/adapters-transport/src/index.ts +101 -0
package/packages/adapters-transport/src/ipc-transport.ts +228 -0
package/packages/adapters-transport/src/transport.ts +224 -0
package/packages/adapters-transport/src/types.ts +92 -0
package/packages/adapters-transport/src/unix-socket-server.ts +193 -0
package/packages/adapters-transport/src/unix-socket-transport.ts +280 -0
package/packages/adapters-transport/tsconfig.build.json +15 -0
package/packages/adapters-transport/tsconfig.json +9 -0
package/packages/adapters-transport/tsup.config.ts +9 -0
package/packages/adapters-vibeproxy/README.md +159 -0
package/packages/adapters-vibeproxy/eslint.config.js +27 -0
package/packages/adapters-vibeproxy/package.json +51 -0
package/packages/adapters-vibeproxy/src/index.ts +13 -0
package/packages/adapters-vibeproxy/src/llm.ts +437 -0
package/packages/adapters-vibeproxy/src/manifest.ts +51 -0
package/packages/adapters-vibeproxy/tsconfig.build.json +15 -0
package/packages/adapters-vibeproxy/tsconfig.json +9 -0
package/packages/adapters-vibeproxy/tsup.config.ts +8 -0
package/packages/adapters-workspace-agent/package.json +46 -0
package/packages/adapters-workspace-agent/src/__tests__/adapter.test.ts +212 -0
package/packages/adapters-workspace-agent/src/index.ts +220 -0
package/packages/adapters-workspace-agent/src/manifest.ts +36 -0
package/packages/adapters-workspace-agent/tsconfig.build.json +15 -0
package/packages/adapters-workspace-agent/tsconfig.json +16 -0
package/packages/adapters-workspace-agent/tsup.config.ts +11 -0
package/packages/adapters-workspace-localfs/README.md +9 -0
package/packages/adapters-workspace-localfs/eslint.config.js +2 -0
package/packages/adapters-workspace-localfs/package.json +46 -0
package/packages/adapters-workspace-localfs/src/index.test.ts +27 -0
package/packages/adapters-workspace-localfs/src/index.ts +172 -0
package/packages/adapters-workspace-localfs/src/manifest.ts +32 -0
package/packages/adapters-workspace-localfs/tsconfig.build.json +15 -0
package/packages/adapters-workspace-localfs/tsconfig.json +16 -0
package/packages/adapters-workspace-localfs/tsup.config.ts +11 -0
package/packages/adapters-workspace-worktree/README.md +9 -0
package/packages/adapters-workspace-worktree/eslint.config.js +2 -0
package/packages/adapters-workspace-worktree/package.json +46 -0
package/packages/adapters-workspace-worktree/src/index.test.ts +38 -0
package/packages/adapters-workspace-worktree/src/index.ts +245 -0
package/packages/adapters-workspace-worktree/src/manifest.ts +38 -0
package/packages/adapters-workspace-worktree/tsconfig.build.json +15 -0
package/packages/adapters-workspace-worktree/tsconfig.json +16 -0
package/packages/adapters-workspace-worktree/tsup.config.ts +11 -0
package/pnpm-workspace.yaml +2800 -0
package/prettierrc.json +1 -0
package/scripts/devkit-sync.mjs +37 -0
package/scripts/hooks/post-push +9 -0
package/scripts/hooks/pre-commit +9 -0
package/scripts/hooks/pre-push +9 -0
package/test-integration.ts +242 -0
package/test.txt +1 -0
package/tsconfig.base.json +6 -0
package/tsconfig.build.json +15 -0
package/tsconfig.json +9 -0
package/tsconfig.paths.json +26 -0
package/tsconfig.tools.json +17 -0
package/tsup.config.bin.ts +34 -0
package/tsup.config.cli.ts +41 -0
package/tsup.config.dual.ts +46 -0
package/tsup.config.ts +36 -0
package/tsup.external.json +103 -0
package/vitest.config.ts +2 -0

package/packages/adapters-sqlite/src/manifest.ts ADDED Viewed

@@ -0,0 +1,47 @@
+/**
+ * @module @kb-labs/adapters-sqlite/manifest
+ * Adapter manifest for SQLite database.
+ */
+import type { AdapterManifest } from "@kb-labs/core-platform";
+/**
+ * Adapter manifest for SQLite database.
+ */
+export const manifest: AdapterManifest = {
+  manifestVersion: "1.0.0",
+  id: "sqlite-database",
+  name: "SQLite Database",
+  version: "1.0.0",
+  description: "Lightweight embedded SQL database using better-sqlite3",
+  author: "KB Labs Team",
+  license: "KBPL-1.1",
+  type: "core",
+  implements: "ISQLDatabase",
+  contexts: ["workspace"],
+  capabilities: {
+    transactions: true,
+    search: true,
+    custom: {
+      prepared: true,
+      fts: true,
+      json: true,
+    },
+  },
+  configSchema: {
+    filename: {
+      type: "string",
+      description: "Database file path (use :memory: for in-memory database)",
+    },
+    readonly: {
+      type: "boolean",
+      default: false,
+      description: "Open database in readonly mode",
+    },
+    timeout: {
+      type: "number",
+      default: 5000,
+      description: "Busy timeout in milliseconds",
+    },
+  },
+};

package/packages/adapters-sqlite/src/secure-sql.test.ts ADDED Viewed

@@ -0,0 +1,290 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { mkdtemp, rm } from "node:fs/promises";
+import { createAdapter } from "./index.js";
+import { createSecureSQL, SQLPermissionError } from "./secure-sql.js";
+describe("SecureSQLAdapter", () => {
+  let tmpDir: string;
+  let dbPath: string;
+  beforeEach(async () => {
+    tmpDir = await mkdtemp(join(tmpdir(), "kb-test-secure-sql-"));
+    dbPath = join(tmpDir, "test.db");
+  });
+  afterEach(async () => {
+    await rm(tmpDir, { recursive: true, force: true });
+  });
+  describe("Permission Checks", () => {
+    it("should allow read when permission granted", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query(
+        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)",
+        [],
+      );
+      await base.query("INSERT INTO users (name) VALUES (?)", ["Alice"]);
+      const secure = createSecureSQL(base, { read: true });
+      const result = await secure.query<{ name: string }>(
+        "SELECT * FROM users",
+        [],
+      );
+      expect(result.rows).toHaveLength(1);
+      await base.close();
+    });
+    it("should deny read when permission not granted", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query(
+        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)",
+        [],
+      );
+      const secure = createSecureSQL(base, { read: false });
+      await expect(secure.query("SELECT * FROM users", [])).rejects.toThrow(
+        SQLPermissionError,
+      );
+      await base.close();
+    });
+    it("should allow write when permission granted", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query(
+        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)",
+        [],
+      );
+      const secure = createSecureSQL(base, { write: true });
+      await secure.query("INSERT INTO users (name) VALUES (?)", ["Alice"]);
+      const result = await base.query<{ name: string }>(
+        "SELECT * FROM users",
+        [],
+      );
+      expect(result.rows).toHaveLength(1);
+      await base.close();
+    });
+    it("should deny write when permission not granted", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query(
+        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)",
+        [],
+      );
+      const secure = createSecureSQL(base, { write: false });
+      await expect(
+        secure.query("INSERT INTO users (name) VALUES (?)", ["Alice"]),
+      ).rejects.toThrow(SQLPermissionError);
+      await base.close();
+    });
+    it("should allow delete when permission granted", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query(
+        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)",
+        [],
+      );
+      await base.query("INSERT INTO users (name) VALUES (?)", ["Alice"]);
+      const secure = createSecureSQL(base, { write: true });
+      await secure.query("DELETE FROM users WHERE name = ?", ["Alice"]);
+      const result = await base.query<{ name: string }>(
+        "SELECT * FROM users",
+        [],
+      );
+      expect(result.rows).toHaveLength(0);
+      await base.close();
+    });
+    it("should deny delete when permission not granted", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query(
+        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)",
+        [],
+      );
+      const secure = createSecureSQL(base, { write: false });
+      await expect(secure.query("DELETE FROM users", [])).rejects.toThrow(
+        SQLPermissionError,
+      );
+      await base.close();
+    });
+  });
+  describe("Table Allowlist", () => {
+    it("should allow access to allowlisted tables", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query("CREATE TABLE users (id INTEGER PRIMARY KEY)", []);
+      await base.query("CREATE TABLE posts (id INTEGER PRIMARY KEY)", []);
+      const secure = createSecureSQL(base, {
+        allowlist: ["users"],
+        read: true,
+      });
+      const result = await secure.query("SELECT * FROM users", []);
+      expect(result.rows).toBeDefined();
+      await base.close();
+    });
+    it("should deny access to non-allowlisted tables", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query("CREATE TABLE users (id INTEGER PRIMARY KEY)", []);
+      await base.query("CREATE TABLE restricted (id INTEGER PRIMARY KEY)", []);
+      const secure = createSecureSQL(base, {
+        allowlist: ["users"],
+        read: true,
+      });
+      await expect(
+        secure.query("SELECT * FROM restricted", []),
+      ).rejects.toThrow(SQLPermissionError);
+      await base.close();
+    });
+    it("should handle joins with allowlisted tables", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query("CREATE TABLE users (id INTEGER PRIMARY KEY)", []);
+      await base.query(
+        "CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER)",
+        [],
+      );
+      const secure = createSecureSQL(base, {
+        allowlist: ["users", "posts"],
+        read: true,
+      });
+      const result = await secure.query(
+        "SELECT * FROM users JOIN posts ON users.id = posts.user_id",
+        [],
+      );
+      expect(result.rows).toBeDefined();
+      await base.close();
+    });
+  });
+  describe("Table Denylist", () => {
+    it("should deny access to denylisted tables", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query("CREATE TABLE admin_users (id INTEGER PRIMARY KEY)", []);
+      const secure = createSecureSQL(base, {
+        denylist: ["admin_users"],
+        read: true,
+      });
+      await expect(
+        secure.query("SELECT * FROM admin_users", []),
+      ).rejects.toThrow(SQLPermissionError);
+      await base.close();
+    });
+    it("should denylist take precedence over allowlist", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query("CREATE TABLE conflict (id INTEGER PRIMARY KEY)", []);
+      const secure = createSecureSQL(base, {
+        allowlist: ["conflict"],
+        denylist: ["conflict"],
+        read: true,
+      });
+      await expect(secure.query("SELECT * FROM conflict", [])).rejects.toThrow(
+        SQLPermissionError,
+      );
+      await base.close();
+    });
+  });
+  describe("Schema Modification Prevention", () => {
+    it("should deny CREATE TABLE when schema=false", async () => {
+      const base = createAdapter({ filename: dbPath });
+      const secure = createSecureSQL(base, { schema: false });
+      await expect(
+        secure.query("CREATE TABLE bad (id INTEGER)", []),
+      ).rejects.toThrow(SQLPermissionError);
+      await base.close();
+    });
+    it("should deny ALTER TABLE when schema=false", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query("CREATE TABLE users (id INTEGER PRIMARY KEY)", []);
+      const secure = createSecureSQL(base, { schema: false });
+      await expect(
+        secure.query("ALTER TABLE users ADD COLUMN name TEXT", []),
+      ).rejects.toThrow(SQLPermissionError);
+      await base.close();
+    });
+    it("should deny DROP TABLE when schema=false", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query("CREATE TABLE users (id INTEGER PRIMARY KEY)", []);
+      const secure = createSecureSQL(base, { schema: false });
+      await expect(secure.query("DROP TABLE users", [])).rejects.toThrow(
+        SQLPermissionError,
+      );
+      await base.close();
+    });
+    it("should allow schema modifications when schema=true", async () => {
+      const base = createAdapter({ filename: dbPath });
+      const secure = createSecureSQL(base, { schema: true });
+      await secure.query("CREATE TABLE users (id INTEGER PRIMARY KEY)", []);
+      const result = await base.query(
+        "SELECT name FROM sqlite_master WHERE type='table' AND name='users'",
+        [],
+      );
+      expect(result.rows).toHaveLength(1);
+      await base.close();
+    });
+  });
+  describe("Transactions with Permissions", () => {
+    it("should enforce permissions in transactions", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query(
+        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)",
+        [],
+      );
+      const secure = createSecureSQL(base, { write: false, read: true });
+      const tx = await secure.transaction();
+      await expect(
+        tx.query("INSERT INTO users (name) VALUES (?)", ["Alice"]),
+      ).rejects.toThrow(SQLPermissionError);
+      await tx.rollback();
+      await base.close();
+    });
+    it("should allow valid operations in transactions", async () => {
+      const base = createAdapter({ filename: dbPath });
+      await base.query(
+        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)",
+        [],
+      );
+      const secure = createSecureSQL(base, { write: true });
+      const tx = await secure.transaction();
+      await tx.query("INSERT INTO users (name) VALUES (?)", ["Alice"]);
+      await tx.commit();
+      const result = await base.query<{ name: string }>(
+        "SELECT * FROM users",
+        [],
+      );
+      expect(result.rows).toHaveLength(1);
+      await base.close();
+    });
+  });
+});

package/packages/adapters-sqlite/src/secure-sql.ts ADDED Viewed

@@ -0,0 +1,281 @@
+/**
+ * @module @kb-labs/adapters-sqlite/secure-sql
+ * SecureSQLAdapter - ISQLDatabase wrapper with permission validation.
+ *
+ * Design Philosophy: Validation-only security (like fs-shim)
+ * - Validates table access against allowlists/denylists
+ * - Does NOT rewrite SQL queries
+ * - Fails fast with clear errors
+ * - Transparent pass-through when permitted
+ *
+ * Security Model:
+ * - Extracts table names from SQL using regex (basic, not perfect)
+ * - Checks table names against permissions
+ * - Does NOT parse SQL fully (use a SQL parser library for production)
+ *
+ * @example
+ * ```typescript
+ * import { createAdapter } from '@kb-labs/adapters-sqlite';
+ * import { SecureSQLAdapter } from '@kb-labs/adapters-sqlite/secure-sql';
+ *
+ * const base = createAdapter({ filename: 'app.db' });
+ * const secure = new SecureSQLAdapter(base, {
+ *   allowlist: ['users', 'posts', 'comments'],
+ *   denylist: ['admin_users', 'secrets'],
+ * });
+ *
+ * await secure.query('SELECT * FROM users WHERE id = ?', [123]); // ✅ Allowed
+ * await secure.query('SELECT * FROM admin_users LIMIT 1', []); // ❌ Denied
+ * ```
+ */
+import type {
+  ISQLDatabase,
+  SQLQueryResult,
+  SQLTransaction,
+} from "@kb-labs/core-platform/adapters";
+/**
+ * Permission configuration for SQL database access.
+ */
+export interface SQLPermissions {
+  /**
+   * Allowed table names (e.g., ['users', 'posts']).
+   * If empty or undefined, all tables are allowed (unless denied).
+   */
+  allowlist?: string[];
+  /**
+   * Denied table names (e.g., ['admin_users', 'secrets']).
+   * Takes precedence over allowlist.
+   */
+  denylist?: string[];
+  /**
+   * Allow read operations (SELECT, PRAGMA) (default: true)
+   */
+  read?: boolean;
+  /**
+   * Allow write operations (INSERT, UPDATE, DELETE) (default: true)
+   */
+  write?: boolean;
+  /**
+   * Allow schema modifications (CREATE, ALTER, DROP) (default: false - safer default)
+   */
+  schema?: boolean;
+}
+/**
+ * Error thrown when SQL access is denied.
+ */
+export class SQLPermissionError extends Error {
+  constructor(
+    public readonly operation: string,
+    public readonly tables: string[],
+    public readonly reason: string,
+  ) {
+    super(
+      `SQL access denied: ${operation} on tables [${tables.join(", ")}] - ${reason}`,
+    );
+    this.name = "SQLPermissionError";
+  }
+}
+/**
+ * SecureSQLAdapter - validates permissions before delegating to base database.
+ *
+ * Design:
+ * - Validation-only (no SQL rewriting)
+ * - Fails fast with clear errors
+ * - Transparent pass-through when permitted
+ * - Basic table extraction via regex (not a full SQL parser)
+ *
+ * Limitations:
+ * - Table extraction is regex-based (may miss complex queries)
+ * - Does not handle subqueries, CTEs, or dynamic SQL
+ * - For production, consider using a proper SQL parser library
+ */
+export class SecureSQLAdapter implements ISQLDatabase {
+  constructor(
+    private readonly baseDb: ISQLDatabase,
+    private readonly permissions: SQLPermissions,
+  ) {}
+  /**
+   * Extract table names from SQL query.
+   * Uses basic regex - not perfect, but good enough for validation.
+   */
+  private extractTableNames(sql: string): string[] {
+    const tables = new Set<string>();
+    // Normalize SQL: uppercase, remove extra spaces
+    const normalized = sql.toUpperCase().replace(/\s+/g, " ").trim();
+    // Pattern: FROM/JOIN/INTO/UPDATE <table_name>
+    const patterns = [
+      /FROM\s+([a-zA-Z_][a-zA-Z0-9_]*)/g,
+      /JOIN\s+([a-zA-Z_][a-zA-Z0-9_]*)/g,
+      /INTO\s+([a-zA-Z_][a-zA-Z0-9_]*)/g,
+      /UPDATE\s+([a-zA-Z_][a-zA-Z0-9_]*)/g,
+      /TABLE\s+(?:IF\s+(?:NOT\s+)?EXISTS\s+)?([a-zA-Z_][a-zA-Z0-9_]*)/g, // CREATE/DROP TABLE
+    ];
+    for (const pattern of patterns) {
+      let match: RegExpExecArray | null;
+      while ((match = pattern.exec(normalized)) !== null) {
+        if (match[1]) {
+          tables.add(match[1].toLowerCase());
+        }
+      }
+    }
+    return Array.from(tables);
+  }
+  /**
+   * Detect SQL operation type.
+   */
+  private detectOperation(sql: string): "read" | "write" | "schema" {
+    const normalized = sql.trim().toUpperCase();
+    // Schema operations
+    if (
+      normalized.startsWith("CREATE ") ||
+      normalized.startsWith("ALTER ") ||
+      normalized.startsWith("DROP ")
+    ) {
+      return "schema";
+    }
+    // Write operations
+    if (
+      normalized.startsWith("INSERT ") ||
+      normalized.startsWith("UPDATE ") ||
+      normalized.startsWith("DELETE ")
+    ) {
+      return "write";
+    }
+    // Read operations (SELECT, PRAGMA, etc.)
+    return "read";
+  }
+  /**
+   * Check if SQL query is allowed by permissions.
+   */
+  private checkPermissions(sql: string): void {
+    const operation = this.detectOperation(sql);
+    // Check operation-level permissions
+    const operationAllowed = this.permissions[operation] !== false;
+    if (!operationAllowed) {
+      throw new SQLPermissionError(
+        operation,
+        [],
+        `${operation} operations are disabled`,
+      );
+    }
+    // Extract table names
+    const tables = this.extractTableNames(sql);
+    // Check denylist first (takes precedence)
+    if (this.permissions.denylist) {
+      for (const table of tables) {
+        if (this.permissions.denylist.includes(table)) {
+          throw new SQLPermissionError(
+            operation,
+            tables,
+            `table '${table}' is in denylist`,
+          );
+        }
+      }
+    }
+    // Check allowlist (if defined)
+    if (this.permissions.allowlist && this.permissions.allowlist.length > 0) {
+      for (const table of tables) {
+        if (!this.permissions.allowlist.includes(table)) {
+          throw new SQLPermissionError(
+            operation,
+            tables,
+            `table '${table}' not in allowlist: [${this.permissions.allowlist.join(", ")}]`,
+          );
+        }
+      }
+    }
+  }
+  /**
+   * Execute a SQL query with permission checks.
+   */
+  async query<T = unknown>(
+    sql: string,
+    params?: unknown[],
+  ): Promise<SQLQueryResult<T>> {
+    this.checkPermissions(sql);
+    return this.baseDb.query<T>(sql, params);
+  }
+  /**
+   * Begin a transaction with permission checks.
+   * Each query inside the transaction is also validated.
+   */
+  async transaction(): Promise<SQLTransaction> {
+    const baseTrx = await this.baseDb.transaction();
+    // Wrap transaction object to intercept queries
+    return {
+      query: async <T = unknown>(
+        sql: string,
+        params?: unknown[],
+      ): Promise<SQLQueryResult<T>> => {
+        this.checkPermissions(sql);
+        return baseTrx.query<T>(sql, params);
+      },
+      commit: async (): Promise<void> => {
+        await baseTrx.commit();
+      },
+      rollback: async (): Promise<void> => {
+        await baseTrx.rollback();
+      },
+    };
+  }
+  /**
+   * Close the database connection.
+   */
+  async close(): Promise<void> {
+    await this.baseDb.close();
+  }
+}
+/**
+ * Create secure SQL adapter with permission validation.
+ *
+ * @param baseDb - Base SQL adapter (SQLite, PostgreSQL, etc.)
+ * @param permissions - Permission configuration
+ * @returns Wrapped SQL adapter with permission checks
+ *
+ * @example
+ * ```typescript
+ * const secure = createSecureSQL(base, {
+ *   allowlist: ['users', 'posts'],
+ *   denylist: ['admin_users'],
+ *   schema: false, // Prevent schema modifications
+ * });
+ * ```
+ */
+export function createSecureSQL(
+  baseDb: ISQLDatabase,
+  permissions: SQLPermissions,
+): SecureSQLAdapter {
+  return new SecureSQLAdapter(baseDb, permissions);
+}
+// Default export for direct import
+export default createSecureSQL;

package/packages/adapters-sqlite/tsconfig.build.json ADDED Viewed

@@ -0,0 +1,15 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "dist",
+    "baseUrl": ".",
+    "paths": {}
+  },
+  "include": [
+    "src/**/*"
+  ],
+  "exclude": [
+    "dist",
+    "node_modules"
+  ]
+}

package/packages/adapters-sqlite/tsconfig.json ADDED Viewed

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "extends": "@kb-labs/devkit/tsconfig/node.json",
+  "compilerOptions": {
+    "rootDir": "src",
+    "outDir": "dist"
+  },
+  "include": ["src"]
+}

package/packages/adapters-sqlite/tsup.config.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { defineConfig } from 'tsup';
+import nodePreset from '@kb-labs/devkit/tsup/node';
+export default defineConfig({
+  ...nodePreset,
+  tsconfig: 'tsconfig.build.json',
+  dts: true,
+});

package/packages/adapters-sqlite/vitest.config.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import { defineConfig } from 'vitest/config';
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'node',
+    include: ['src/**/*.{test,spec}.{ts,tsx}'],
+    coverage: {
+      provider: 'v8',
+      reporter: ['text', 'json', 'html'],
+      exclude: [
+        'node_modules/',
+        'dist/',
+        '**/*.d.ts',
+        '**/*.config.*',
+      ],
+    },
+  },
+});