@libredb/studio 0.9.7

package/src/lib/seed/credential-resolver.ts

@@ -0,0 +1,62 @@
+import { logger } from '@/lib/logger';
+import type { SeedConnection } from './types';
+
+const ENV_VAR_PATTERN = /^\$\{([A-Z_][A-Z0-9_]*)\}$/;
+const RESOLVABLE_FIELDS = ['password', 'connectionString', 'user', 'host', 'database'] as const;
+
+const warnedPlaintext = new Set<string>();
+
+export function resetPlaintextWarnings(): void {
+  warnedPlaintext.clear();
+}
+
+function resolveField(value: string | undefined, fieldName: string, connId: string): string | undefined {
+  if (value === undefined) return undefined;
+
+  const match = value.match(ENV_VAR_PATTERN);
+  if (!match) {
+    if (fieldName === 'password' && value.length > 0 && !warnedPlaintext.has(connId)) {
+      warnedPlaintext.add(connId);
+      logger.warn('Seed connection has plaintext password, use ${ENV_VAR} syntax', {
+        route: 'seed/credential-resolver',
+        connectionId: connId,
+      });
+    }
+    return value;
+  }
+
+  const envVar = match[1];
+  const envValue = process.env[envVar];
+  if (envValue === undefined) {
+    throw new Error(`Environment variable ${envVar} is not defined (required by seed connection "${connId}" field "${fieldName}")`);
+  }
+
+  return envValue;
+}
+
+export function resolveConnectionCredentials(conn: SeedConnection): SeedConnection {
+  const resolved = { ...conn };
+  for (const field of RESOLVABLE_FIELDS) {
+    const value = resolved[field];
+    if (typeof value === 'string') {
+      (resolved as Record<string, unknown>)[field] = resolveField(value, field, conn.id);
+    }
+  }
+  return resolved;
+}
+
+export function resolveAllCredentials(connections: SeedConnection[]): SeedConnection[] {
+  const results: SeedConnection[] = [];
+  for (const conn of connections) {
+    try {
+      results.push(resolveConnectionCredentials(conn));
+    } catch (err) {
+      logger.error('Seed connection skipped due to credential resolution failure', {
+        route: 'seed/credential-resolver',
+        connectionId: conn.id,
+        error: (err as Error).message,
+      });
+    }
+  }
+  return results;
+}

package/src/lib/seed/index.ts

@@ -0,0 +1,40 @@
+import { loadConfig } from './config-loader';
+import { resolveAllCredentials } from './credential-resolver';
+import { filterByRoles, mergeDefaults } from './connection-filter';
+import type { ManagedConnection } from './types';
+
+export type { ManagedConnection, SeedConfig, SeedConnection, SeedDefaults } from './types';
+export { SeedConfigSchema, SeedConnectionSchema, SeedDefaultsSchema } from './types';
+export { resetCache } from './config-loader';
+export { resetPlaintextWarnings } from './credential-resolver';
+
+async function loadAndResolve(): Promise<ManagedConnection[]> {
+  const config = await loadConfig();
+  if (!config) return [];
+  const withDefaults = config.connections.map((conn) => mergeDefaults(conn, config.defaults));
+  const resolved = resolveAllCredentials(withDefaults);
+  return filterByRoles(resolved, ['*', 'admin', 'user']);
+}
+
+export async function getManagedConnections(roles: string[]): Promise<ManagedConnection[]> {
+  const config = await loadConfig();
+  if (!config) return [];
+  const withDefaults = config.connections.map((conn) => mergeDefaults(conn, config.defaults));
+  const resolved = resolveAllCredentials(withDefaults);
+  return filterByRoles(resolved, roles);
+}
+
+export async function getSeedConnectionById(
+  seedId: string,
+  roles: string[],
+): Promise<ManagedConnection | null> {
+  const all = await getManagedConnections(roles);
+  return all.find((c) => c.seedId === seedId) ?? null;
+}
+
+export async function getSeedConnectionByIdUnfiltered(
+  seedId: string,
+): Promise<ManagedConnection | null> {
+  const all = await loadAndResolve();
+  return all.find((c) => c.seedId === seedId) ?? null;
+}

package/src/lib/seed/resolve-connection.ts

@@ -0,0 +1,57 @@
+import type { DatabaseConnection } from '@/lib/types';
+import { getSeedConnectionById, getSeedConnectionByIdUnfiltered } from './index';
+import { logger } from '@/lib/logger';
+
+export class SeedConnectionError extends Error {
+  constructor(message: string, public statusCode: number) {
+    super(message);
+    this.name = 'SeedConnectionError';
+  }
+}
+
+export async function resolveConnection(
+  body: { connection?: DatabaseConnection; connectionId?: string },
+  session: { role: string; username: string },
+): Promise<DatabaseConnection> {
+  const { connection, connectionId } = body;
+
+  if (connection && !connectionId) {
+    return connection;
+  }
+
+  if (connectionId) {
+    if (!connectionId.startsWith('seed:')) {
+      throw new SeedConnectionError('Invalid connection ID format', 400);
+    }
+
+    const seedId = connectionId.slice(5);
+    const seedConn = await getSeedConnectionById(seedId, [session.role]);
+
+    if (!seedConn) {
+      const exists = await getSeedConnectionByIdUnfiltered(seedId);
+      if (exists) {
+        logger.warn('Seed connection access denied', {
+          route: 'seed/resolve-connection',
+          connectionId: seedId,
+          user: session.username,
+          role: session.role,
+        });
+        throw new SeedConnectionError(
+          `Access denied: connection "${seedId}" not available for role "${session.role}"`,
+          403,
+        );
+      }
+      throw new SeedConnectionError(`Seed connection "${seedId}" not found`, 404);
+    }
+
+    logger.debug('Resolved seed connection', {
+      route: 'seed/resolve-connection',
+      connectionId: seedId,
+      user: session.username,
+    });
+
+    return seedConn;
+  }
+
+  throw new SeedConnectionError('Either connection or connectionId is required', 400);
+}

package/src/lib/seed/types.ts

@@ -0,0 +1,69 @@
+import { z } from 'zod';
+import type { DatabaseConnection } from '@/lib/types';
+
+// SSLMode matches src/lib/types.ts line 21 — NO 'prefer'
+const SSLModeSchema = z.enum(['disable', 'require', 'verify-ca', 'verify-full']);
+
+const SSLConfigSchema = z.object({
+  mode: SSLModeSchema.optional(),
+  rejectUnauthorized: z.boolean().optional(),
+  caCert: z.string().optional(),
+  clientCert: z.string().optional(),
+  clientKey: z.string().optional(),
+}).optional();
+
+const ConnectionEnvironmentSchema = z.enum([
+  'production', 'staging', 'development', 'local', 'other',
+]);
+
+// Allowed roles in current iteration (matches JWT role: 'admin' | 'user' + wildcard)
+const AllowedRoleSchema = z.enum(['*', 'admin', 'user']);
+
+const SeedDatabaseType = z.enum([
+  'postgres', 'mysql', 'sqlite', 'mongodb', 'redis', 'oracle', 'mssql',
+]);
+
+export const SeedDefaultsSchema = z.object({
+  managed: z.boolean().optional(),
+  environment: ConnectionEnvironmentSchema.optional(),
+  ssl: SSLConfigSchema,
+});
+
+export const SeedConnectionSchema = z.object({
+  id: z.string().min(1).max(64).regex(/^[a-z0-9-]+$/, 'ID must be lowercase alphanumeric with hyphens'),
+  name: z.string().min(1).max(128),
+  type: SeedDatabaseType,
+  host: z.string().optional(),
+  port: z.number().int().min(1).max(65535).optional(),
+  database: z.string().optional(),
+  user: z.string().optional(),
+  password: z.string().optional(),
+  connectionString: z.string().optional(),
+  environment: ConnectionEnvironmentSchema.optional(),
+  group: z.string().max(64).optional(),
+  color: z.string().regex(/^#[0-9A-Fa-f]{6}$/).optional(),
+  roles: z.array(AllowedRoleSchema).min(1, 'At least one role is required'),
+  managed: z.boolean().optional(),
+  ssl: SSLConfigSchema,
+  serviceName: z.string().optional(),
+  instanceName: z.string().optional(),
+});
+
+export const SeedConfigSchema = z.object({
+  version: z.literal('1'),
+  defaults: SeedDefaultsSchema.optional(),
+  connections: z.array(SeedConnectionSchema).min(1, 'At least one connection is required'),
+}).refine(
+  (cfg) => new Set(cfg.connections.map((c) => c.id)).size === cfg.connections.length,
+  { message: 'Connection IDs must be unique' },
+);
+
+export type SeedConnection = z.infer<typeof SeedConnectionSchema>;
+export type SeedDefaults = z.infer<typeof SeedDefaultsSchema>;
+export type SeedConfig = z.infer<typeof SeedConfigSchema>;
+
+export interface ManagedConnection extends DatabaseConnection {
+  managed: boolean;
+  roles: string[];
+  seedId: string;
+}

package/src/lib/sql/alias-extractor.ts

@@ -0,0 +1,267 @@
+/**
+ * SQL Alias Extractor
+ *
+ * Lightweight SQL alias extraction for Monaco Editor completion.
+ * Extracts table aliases from SQL queries without full parsing.
+ * Designed for performance on every keystroke.
+ *
+ * @example
+ * const result = extractAliases('SELECT * FROM customer AS c JOIN orders o ON c.id = o.customer_id');
+ * // result.aliases.get('c') => { alias: 'c', tableName: 'customer', source: 'from' }
+ * // result.aliases.get('o') => { alias: 'o', tableName: 'orders', source: 'join' }
+ */
+
+import type { TableAlias, AliasExtractionResult, AliasExtractorOptions } from './types';
+
+/**
+ * SQL keywords that should not be treated as aliases
+ */
+const SQL_KEYWORDS = new Set([
+  'on', 'where', 'and', 'or', 'not', 'in', 'is', 'null', 'like', 'between',
+  'set', 'values', 'select', 'from', 'join', 'using', 'as',
+  'left', 'right', 'inner', 'outer', 'cross', 'full', 'natural', 'lateral',
+  'group', 'order', 'by', 'having', 'limit', 'offset', 'fetch', 'first', 'next',
+  'union', 'except', 'intersect', 'all', 'distinct', 'with', 'recursive',
+  'case', 'when', 'then', 'else', 'end', 'cast', 'over', 'partition',
+  'asc', 'desc', 'nulls', 'rows', 'range', 'preceding', 'following', 'current',
+  'into', 'insert', 'update', 'delete', 'truncate', 'create', 'alter', 'drop',
+  'table', 'view', 'index', 'schema', 'database', 'function', 'trigger', 'procedure',
+  'primary', 'key', 'foreign', 'references', 'unique', 'check', 'default', 'constraint',
+  'true', 'false', 'exists', 'any', 'some'
+]);
+
+/**
+ * Check if identifier is a SQL keyword (to avoid false positives)
+ */
+function isSqlKeyword(identifier: string): boolean {
+  return SQL_KEYWORDS.has(identifier.toLowerCase());
+}
+
+/**
+ * Quick check for table keywords to enable early exit
+ */
+function hasTableKeywords(sql: string): boolean {
+  const upper = sql.toUpperCase();
+  return upper.includes('FROM') || upper.includes('JOIN') || upper.includes('WITH');
+}
+
+/**
+ * Remove SQL comments and string literals to prevent false matches
+ */
+function preprocessSql(sql: string): string {
+  return sql
+    // Remove multi-line comments /* ... */
+    .replace(/\/\*[\s\S]*?\*\//g, ' ')
+    // Remove single-line comments -- ...
+    .replace(/--[^\n]*/g, ' ')
+    // Replace string literals with placeholder to preserve structure
+    .replace(/'(?:[^'\\]|\\.)*'/g, "''")
+    .replace(/"(?:[^"\\]|\\.)*"/g, '""');
+}
+
+/**
+ * Extract aliases from WITH clause (CTEs)
+ * Pattern: WITH cte_name AS (...)
+ */
+function extractCTEAliases(
+  sql: string,
+  aliases: Map<string, TableAlias>,
+  caseInsensitive: boolean
+): void {
+  // First, check if there's a WITH clause
+  const withMatch = sql.match(/\bWITH\s+(?:RECURSIVE\s+)?/i);
+  if (!withMatch) return;
+
+  // Find the CTE definitions between WITH and the main query
+  // CTEs are: name AS (...), name2 AS (...)
+  // We need to carefully match the CTE name before AS (
+  const ctePattern = /\b(\w+)\s+AS\s*\(/gi;
+
+  let match;
+  while ((match = ctePattern.exec(sql)) !== null) {
+    const cteName = match[1];
+
+    // Skip if it's a SQL keyword
+    if (isSqlKeyword(cteName)) continue;
+
+    const key = caseInsensitive ? cteName.toLowerCase() : cteName;
+
+    // Don't overwrite existing aliases (CTEs should be defined before use)
+    if (!aliases.has(key)) {
+      aliases.set(key, {
+        alias: cteName,
+        tableName: cteName, // CTE name is both alias and "table"
+        source: 'cte'
+      });
+    }
+  }
+}
+
+/**
+ * Extract aliases from FROM clause
+ * Patterns:
+ *   FROM table AS alias
+ *   FROM table alias
+ *   FROM schema.table AS alias
+ *   FROM schema.table alias
+ */
+function extractFromAliases(
+  sql: string,
+  aliases: Map<string, TableAlias>,
+  caseInsensitive: boolean
+): void {
+  // Pattern explanation:
+  // \bFROM\s+ - FROM keyword followed by whitespace
+  // (?:(\w+)\.)? - Optional schema prefix (captured group 1)
+  // (\w+) - Table name (required, captured group 2)
+  // \s+ - Required whitespace
+  // (?:AS\s+)? - Optional AS keyword
+  // (\w+) - Alias (required, captured group 3)
+  // (?=\s|,|$) - Followed by whitespace, comma, or end (lookahead to ensure complete match)
+  const fromPattern = /\bFROM\s+(?:(\w+)\.)?(\w+)\s+(?:AS\s+)?(\w+)(?=\s|,|$)/gi;
+
+  let match;
+  while ((match = fromPattern.exec(sql)) !== null) {
+    const [, schema, tableName, alias] = match;
+
+    // Skip if alias is a SQL keyword
+    if (isSqlKeyword(alias)) continue;
+
+    // Skip if alias equals table name (not actually an alias)
+    if (alias.toLowerCase() === tableName.toLowerCase()) continue;
+
+    const key = caseInsensitive ? alias.toLowerCase() : alias;
+
+    // Don't overwrite existing aliases
+    if (!aliases.has(key)) {
+      aliases.set(key, {
+        alias,
+        tableName,
+        schema,
+        source: 'from'
+      });
+    }
+  }
+}
+
+/**
+ * Extract aliases from JOIN clauses
+ * Patterns:
+ *   JOIN table AS alias
+ *   LEFT JOIN table alias
+ *   INNER JOIN schema.table AS alias
+ */
+function extractJoinAliases(
+  sql: string,
+  aliases: Map<string, TableAlias>,
+  caseInsensitive: boolean
+): void {
+  // Pattern for all JOIN types
+  // Optional join type prefix: LEFT, RIGHT, INNER, OUTER, CROSS, FULL, NATURAL
+  const joinPattern = /\b(?:LEFT|RIGHT|INNER|OUTER|CROSS|FULL|NATURAL)?\s*JOIN\s+(?:(\w+)\.)?(\w+)\s+(?:AS\s+)?(\w+)(?=\s|$)/gi;
+
+  let match;
+  while ((match = joinPattern.exec(sql)) !== null) {
+    const [, schema, tableName, alias] = match;
+
+    // Skip if alias is a SQL keyword
+    if (isSqlKeyword(alias)) continue;
+
+    // Skip if alias equals table name (not actually an alias)
+    if (alias.toLowerCase() === tableName.toLowerCase()) continue;
+
+    const key = caseInsensitive ? alias.toLowerCase() : alias;
+
+    // Don't overwrite existing aliases
+    if (!aliases.has(key)) {
+      aliases.set(key, {
+        alias,
+        tableName,
+        schema,
+        source: 'join'
+      });
+    }
+  }
+}
+
+/**
+ * Main entry point: Extract all table aliases from a SQL query
+ *
+ * @param sql - The SQL query string to parse
+ * @param options - Extraction options
+ * @returns AliasExtractionResult containing the alias map
+ *
+ * @example
+ * const { aliases } = extractAliases('SELECT * FROM customer c WHERE c.id = 1');
+ * aliases.get('c'); // { alias: 'c', tableName: 'customer', source: 'from' }
+ */
+export function extractAliases(
+  sql: string,
+  options: AliasExtractorOptions = {}
+): AliasExtractionResult {
+  const { includeCTEs = true, caseInsensitive = true } = options;
+
+  const aliases = new Map<string, TableAlias>();
+
+  // Early exit: no table references
+  if (!hasTableKeywords(sql)) {
+    return { aliases, hasTableReferences: false };
+  }
+
+  // Step 1: Preprocess - remove comments and strings
+  const cleanedSql = preprocessSql(sql);
+
+  // Step 2: Extract CTEs first (they can be referenced in FROM/JOIN)
+  if (includeCTEs) {
+    extractCTEAliases(cleanedSql, aliases, caseInsensitive);
+  }
+
+  // Step 3: Extract FROM clause aliases
+  extractFromAliases(cleanedSql, aliases, caseInsensitive);
+
+  // Step 4: Extract JOIN clause aliases
+  extractJoinAliases(cleanedSql, aliases, caseInsensitive);
+
+  return { aliases, hasTableReferences: aliases.size > 0 };
+}
+
+/**
+ * Resolve an alias to its table name
+ *
+ * Returns the table name if alias exists in the map,
+ * otherwise returns the input unchanged (for backward compatibility
+ * with direct table.column completion)
+ *
+ * @param aliasOrTable - The identifier to resolve
+ * @param aliases - The alias map from extractAliases()
+ * @returns The resolved table name or the input if not found
+ *
+ * @example
+ * const { aliases } = extractAliases('SELECT * FROM customer c');
+ * resolveAlias('c', aliases);       // 'customer'
+ * resolveAlias('customer', aliases); // 'customer' (passthrough)
+ * resolveAlias('unknown', aliases);  // 'unknown' (passthrough)
+ */
+export function resolveAlias(
+  aliasOrTable: string,
+  aliases: Map<string, TableAlias>
+): string {
+  const key = aliasOrTable.toLowerCase();
+  const tableAlias = aliases.get(key);
+  return tableAlias?.tableName ?? aliasOrTable;
+}
+
+/**
+ * Get the schema for an alias if it was specified
+ *
+ * @param aliasOrTable - The identifier to look up
+ * @param aliases - The alias map from extractAliases()
+ * @returns The schema name or undefined
+ */
+export function getAliasSchema(
+  aliasOrTable: string,
+  aliases: Map<string, TableAlias>
+): string | undefined {
+  const key = aliasOrTable.toLowerCase();
+  return aliases.get(key)?.schema;
+}

package/src/lib/sql/index.ts

@@ -0,0 +1,8 @@
+/**
+ * SQL Utilities Module
+ *
+ * Provides SQL parsing and analysis utilities for Monaco Editor integration.
+ */
+
+export { extractAliases, resolveAlias, getAliasSchema } from './alias-extractor';
+export type { TableAlias, AliasExtractionResult, AliasExtractorOptions } from './types';

package/src/lib/sql/statement-splitter.ts

@@ -0,0 +1,167 @@
+/**
+ * SQL Statement Splitter
+ * Splits a multi-statement SQL string into individual statements,
+ * correctly handling string literals, comments, and dollar-quoted strings (PostgreSQL).
+ */
+
+export interface SplitStatement {
+  sql: string;
+  /** 0-based line number where this statement starts in the original text */
+  startLine: number;
+}
+
+export function splitStatements(input: string): SplitStatement[] {
+  const statements: SplitStatement[] = [];
+  let current = '';
+  let i = 0;
+  let statementStartLine = 0;
+  let currentLine = 0;
+
+  while (i < input.length) {
+    const ch = input[i];
+    const next = input[i + 1];
+
+    // Track line numbers
+    if (ch === '\n') {
+      currentLine++;
+    }
+
+    // Single-line comment: -- ...
+    if (ch === '-' && next === '-') {
+      const lineEnd = input.indexOf('\n', i);
+      if (lineEnd === -1) {
+        current += input.slice(i);
+        i = input.length;
+      } else {
+        current += input.slice(i, lineEnd + 1);
+        currentLine++; // the \n
+        i = lineEnd + 1;
+      }
+      continue;
+    }
+
+    // Multi-line comment: /* ... */
+    if (ch === '/' && next === '*') {
+      const commentEnd = input.indexOf('*/', i + 2);
+      if (commentEnd === -1) {
+        current += input.slice(i);
+        i = input.length;
+      } else {
+        const commentBlock = input.slice(i, commentEnd + 2);
+        // Count newlines in comment
+        for (const c of commentBlock) {
+          if (c === '\n') currentLine++;
+        }
+        current += commentBlock;
+        i = commentEnd + 2;
+      }
+      continue;
+    }
+
+    // Single-quoted string: '...' with '' escape
+    if (ch === "'") {
+      let j = i + 1;
+      current += "'";
+      while (j < input.length) {
+        if (input[j] === '\n') currentLine++;
+        if (input[j] === "'" && input[j + 1] === "'") {
+          current += "''";
+          j += 2;
+        } else if (input[j] === "'") {
+          current += "'";
+          j++;
+          break;
+        } else {
+          current += input[j];
+          j++;
+        }
+      }
+      i = j;
+      continue;
+    }
+
+    // Double-quoted identifier: "..."
+    if (ch === '"') {
+      let j = i + 1;
+      current += '"';
+      while (j < input.length) {
+        if (input[j] === '\n') currentLine++;
+        if (input[j] === '"' && input[j + 1] === '"') {
+          current += '""';
+          j += 2;
+        } else if (input[j] === '"') {
+          current += '"';
+          j++;
+          break;
+        } else {
+          current += input[j];
+          j++;
+        }
+      }
+      i = j;
+      continue;
+    }
+
+    // PostgreSQL dollar-quoted string: $tag$...$tag$
+    if (ch === '$') {
+      const dollarMatch = input.slice(i).match(/^\$([A-Za-z_]*)\$/);
+      if (dollarMatch) {
+        const tag = dollarMatch[0]; // e.g. $$ or $func$
+        const endIdx = input.indexOf(tag, i + tag.length);
+        if (endIdx === -1) {
+          // No closing tag — consume rest
+          const rest = input.slice(i);
+          for (const c of rest) {
+            if (c === '\n') currentLine++;
+          }
+          current += rest;
+          i = input.length;
+        } else {
+          const block = input.slice(i, endIdx + tag.length);
+          for (const c of block) {
+            if (c === '\n') currentLine++;
+          }
+          current += block;
+          i = endIdx + tag.length;
+        }
+        continue;
+      }
+    }
+
+    // Semicolon — statement boundary
+    if (ch === ';') {
+      const trimmed = current.trim();
+      if (trimmed.length > 0) {
+        statements.push({ sql: trimmed, startLine: statementStartLine });
+      }
+      current = '';
+      i++;
+      // Skip whitespace to find next statement start
+      while (i < input.length && /\s/.test(input[i])) {
+        if (input[i] === '\n') currentLine++;
+        i++;
+      }
+      statementStartLine = currentLine;
+      continue;
+    }
+
+    // Regular character
+    current += ch;
+    i++;
+  }
+
+  // Remaining content
+  const trimmed = current.trim();
+  if (trimmed.length > 0) {
+    statements.push({ sql: trimmed, startLine: statementStartLine });
+  }
+
+  return statements;
+}
+
+/**
+ * Check if input contains multiple statements
+ */
+export function isMultiStatement(input: string): boolean {
+  return splitStatements(input).length > 1;
+}