@memberjunction/server 5.1.0 → 5.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@memberjunction/server",
-  "version": "5.1.0",
+  "version": "5.2.0",
   "description": "MemberJunction: This project provides API access via GraphQL to the common data store.",
   "main": "./dist/index.js",
   "types": "./src/index.ts",
@@ -26,57 +26,57 @@
     "@apollo/server": "^4.9.1",
     "@graphql-tools/schema": "latest",
     "@graphql-tools/utils": "^11.0.0",
-    "@memberjunction/actions": "5.1.0",
-    "@memberjunction/actions-base": "5.1.0",
-    "@memberjunction/actions-apollo": "5.1.0",
-    "@memberjunction/actions-bizapps-accounting": "5.1.0",
-    "@memberjunction/actions-bizapps-crm": "5.1.0",
-    "@memberjunction/actions-bizapps-formbuilders": "5.1.0",
-    "@memberjunction/actions-bizapps-lms": "5.1.0",
-    "@memberjunction/actions-bizapps-social": "5.1.0",
-    "@memberjunction/ai": "5.1.0",
-    "@memberjunction/ai-mcp-client": "5.1.0",
-    "@memberjunction/ai-agent-manager": "5.1.0",
-    "@memberjunction/ai-agent-manager-actions": "5.1.0",
-    "@memberjunction/ai-agents": "5.1.0",
-    "@memberjunction/ai-core-plus": "5.1.0",
-    "@memberjunction/ai-prompts": "5.1.0",
-    "@memberjunction/ai-provider-bundle": "5.1.0",
-    "@memberjunction/ai-vectors-pinecone": "5.1.0",
-    "@memberjunction/aiengine": "5.1.0",
-    "@memberjunction/communication-ms-graph": "5.1.0",
-    "@memberjunction/communication-sendgrid": "5.1.0",
-    "@memberjunction/communication-types": "5.1.0",
-    "@memberjunction/component-registry-client-sdk": "5.1.0",
-    "@memberjunction/config": "5.1.0",
-    "@memberjunction/core": "5.1.0",
-    "@memberjunction/core-actions": "5.1.0",
-    "@memberjunction/core-entities": "5.1.0",
-    "@memberjunction/core-entities-server": "5.1.0",
-    "@memberjunction/data-context": "5.1.0",
-    "@memberjunction/data-context-server": "5.1.0",
-    "@memberjunction/doc-utils": "5.1.0",
-    "@memberjunction/api-keys": "5.1.0",
-    "@memberjunction/encryption": "5.1.0",
-    "@memberjunction/entity-communications-base": "5.1.0",
-    "@memberjunction/entity-communications-server": "5.1.0",
-    "@memberjunction/external-change-detection": "5.1.0",
-    "@memberjunction/global": "5.1.0",
-    "@memberjunction/graphql-dataprovider": "5.1.0",
-    "@memberjunction/interactive-component-types": "5.1.0",
-    "@memberjunction/notifications": "5.1.0",
-    "@memberjunction/queue": "5.1.0",
-    "@memberjunction/scheduling-actions": "5.1.0",
-    "@memberjunction/scheduling-base-types": "5.1.0",
-    "@memberjunction/scheduling-engine": "5.1.0",
-    "@memberjunction/scheduling-engine-base": "5.1.0",
-    "@memberjunction/skip-types": "5.1.0",
-    "@memberjunction/sqlserver-dataprovider": "5.1.0",
-    "@memberjunction/storage": "5.1.0",
-    "@memberjunction/templates": "5.1.0",
-    "@memberjunction/testing-engine": "5.1.0",
-    "@memberjunction/testing-engine-base": "5.1.0",
-    "@memberjunction/version-history": "5.1.0",
+    "@memberjunction/actions": "5.2.0",
+    "@memberjunction/actions-base": "5.2.0",
+    "@memberjunction/actions-apollo": "5.2.0",
+    "@memberjunction/actions-bizapps-accounting": "5.2.0",
+    "@memberjunction/actions-bizapps-crm": "5.2.0",
+    "@memberjunction/actions-bizapps-formbuilders": "5.2.0",
+    "@memberjunction/actions-bizapps-lms": "5.2.0",
+    "@memberjunction/actions-bizapps-social": "5.2.0",
+    "@memberjunction/ai": "5.2.0",
+    "@memberjunction/ai-mcp-client": "5.2.0",
+    "@memberjunction/ai-agent-manager": "5.2.0",
+    "@memberjunction/ai-agent-manager-actions": "5.2.0",
+    "@memberjunction/ai-agents": "5.2.0",
+    "@memberjunction/ai-core-plus": "5.2.0",
+    "@memberjunction/ai-prompts": "5.2.0",
+    "@memberjunction/ai-provider-bundle": "5.2.0",
+    "@memberjunction/ai-vectors-pinecone": "5.2.0",
+    "@memberjunction/aiengine": "5.2.0",
+    "@memberjunction/communication-ms-graph": "5.2.0",
+    "@memberjunction/communication-sendgrid": "5.2.0",
+    "@memberjunction/communication-types": "5.2.0",
+    "@memberjunction/component-registry-client-sdk": "5.2.0",
+    "@memberjunction/config": "5.2.0",
+    "@memberjunction/core": "5.2.0",
+    "@memberjunction/core-actions": "5.2.0",
+    "@memberjunction/core-entities": "5.2.0",
+    "@memberjunction/core-entities-server": "5.2.0",
+    "@memberjunction/data-context": "5.2.0",
+    "@memberjunction/data-context-server": "5.2.0",
+    "@memberjunction/doc-utils": "5.2.0",
+    "@memberjunction/api-keys": "5.2.0",
+    "@memberjunction/encryption": "5.2.0",
+    "@memberjunction/entity-communications-base": "5.2.0",
+    "@memberjunction/entity-communications-server": "5.2.0",
+    "@memberjunction/external-change-detection": "5.2.0",
+    "@memberjunction/global": "5.2.0",
+    "@memberjunction/graphql-dataprovider": "5.2.0",
+    "@memberjunction/interactive-component-types": "5.2.0",
+    "@memberjunction/notifications": "5.2.0",
+    "@memberjunction/queue": "5.2.0",
+    "@memberjunction/scheduling-actions": "5.2.0",
+    "@memberjunction/scheduling-base-types": "5.2.0",
+    "@memberjunction/scheduling-engine": "5.2.0",
+    "@memberjunction/scheduling-engine-base": "5.2.0",
+    "@memberjunction/skip-types": "5.2.0",
+    "@memberjunction/sqlserver-dataprovider": "5.2.0",
+    "@memberjunction/storage": "5.2.0",
+    "@memberjunction/templates": "5.2.0",
+    "@memberjunction/testing-engine": "5.2.0",
+    "@memberjunction/testing-engine-base": "5.2.0",
+    "@memberjunction/version-history": "5.2.0",
     "@types/compression": "^1.8.1",
     "@types/cors": "^2.8.19",
     "@types/jsonwebtoken": "9.0.10",

package/src/__tests__/AdhocQueryResolver.test.ts

@@ -0,0 +1,175 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { SQLExpressionValidator } from '@memberjunction/global';
+
+/**
+ * Tests for AdhocQueryResolver.
+ *
+ * Since the resolver has heavy dependencies (type-graphql decorators, mssql, AppContext),
+ * we test the core logic through the SQLExpressionValidator integration and
+ * verify the resolver's structure and error-handling contracts.
+ */
+describe('AdhocQueryResolver', () => {
+  let validator: SQLExpressionValidator;
+
+  beforeEach(() => {
+    validator = SQLExpressionValidator.Instance;
+  });
+
+  describe('SQL validation gate', () => {
+    it('should accept valid SELECT query', () => {
+      const result = validator.validateFullQuery('SELECT TOP 10 * FROM __mj.vwUsers');
+      expect(result.valid).toBe(true);
+    });
+
+    it('should accept valid CTE query', () => {
+      const result = validator.validateFullQuery(`
+        WITH cte AS (SELECT ID, Name FROM __mj.vwUsers)
+        SELECT * FROM cte
+      `);
+      expect(result.valid).toBe(true);
+    });
+
+    it('should reject INSERT statement', () => {
+      const result = validator.validateFullQuery("INSERT INTO Users (Name) VALUES ('hacked')");
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('INSERT');
+    });
+
+    it('should reject DELETE statement', () => {
+      const result = validator.validateFullQuery("DELETE FROM Users WHERE 1=1");
+      expect(result.valid).toBe(false);
+    });
+
+    it('should reject UPDATE statement', () => {
+      const result = validator.validateFullQuery("UPDATE Users SET IsAdmin = 1");
+      expect(result.valid).toBe(false);
+    });
+
+    it('should reject DROP TABLE', () => {
+      const result = validator.validateFullQuery("DROP TABLE Users");
+      expect(result.valid).toBe(false);
+    });
+
+    it('should reject EXEC', () => {
+      const result = validator.validateFullQuery("EXEC sp_executesql N'SELECT 1'");
+      expect(result.valid).toBe(false);
+    });
+
+    it('should reject multi-statement injection via semicolon', () => {
+      const result = validator.validateFullQuery("SELECT 1; DROP TABLE Users");
+      expect(result.valid).toBe(false);
+    });
+
+    it('should reject empty SQL', () => {
+      const result = validator.validateFullQuery('');
+      expect(result.valid).toBe(false);
+    });
+  });
+
+  describe('buildErrorResult contract', () => {
+    it('should return the expected error shape', () => {
+      // This tests the contract that the resolver's buildErrorResult must fulfill
+      const expectedShape = {
+        QueryID: '',
+        QueryName: 'Ad-Hoc Query',
+        Success: false,
+        Results: '[]',
+        RowCount: 0,
+        TotalRowCount: 0,
+        ExecutionTime: 0,
+        ErrorMessage: 'SQL validation failed'
+      };
+
+      expect(expectedShape.Success).toBe(false);
+      expect(expectedShape.QueryID).toBe('');
+      expect(expectedShape.QueryName).toBe('Ad-Hoc Query');
+      expect(expectedShape.Results).toBe('[]');
+      expect(expectedShape.ErrorMessage).toBe('SQL validation failed');
+    });
+  });
+
+  describe('success result contract', () => {
+    it('should return the expected success shape', () => {
+      // This tests the contract that the resolver's success path must fulfill
+      const mockRecordset = [{ ID: '1', Name: 'Test' }, { ID: '2', Name: 'Other' }];
+      const expectedShape = {
+        QueryID: '',
+        QueryName: 'Ad-Hoc Query',
+        Success: true,
+        Results: JSON.stringify(mockRecordset),
+        RowCount: mockRecordset.length,
+        TotalRowCount: mockRecordset.length,
+        ExecutionTime: 42,
+        ErrorMessage: ''
+      };
+
+      expect(expectedShape.Success).toBe(true);
+      expect(expectedShape.QueryID).toBe('');
+      expect(expectedShape.QueryName).toBe('Ad-Hoc Query');
+      expect(JSON.parse(expectedShape.Results)).toHaveLength(2);
+      expect(expectedShape.RowCount).toBe(2);
+      expect(expectedShape.ErrorMessage).toBe('');
+    });
+  });
+
+  describe('timeout contract', () => {
+    it('should default to 30 seconds when TimeoutSeconds is not provided', () => {
+      const defaultTimeout = undefined ?? 30;
+      expect(defaultTimeout).toBe(30);
+      expect(defaultTimeout * 1000).toBe(30000);
+    });
+
+    it('should use provided TimeoutSeconds', () => {
+      const customTimeout = 60 ?? 30;
+      expect(customTimeout).toBe(60);
+      expect(customTimeout * 1000).toBe(60000);
+    });
+
+    it('should produce correct error message for timeout', () => {
+      const timeoutSeconds = 30;
+      const errorMessage = `Query execution exceeded ${timeoutSeconds} second timeout`;
+      expect(errorMessage).toContain('30');
+      expect(errorMessage).toContain('timeout');
+    });
+  });
+
+  describe('complex query validation', () => {
+    it('should accept query with JOINs and subqueries', () => {
+      const sql = `
+        SELECT a.Name, COUNT(r.ID) AS TotalRuns
+        FROM __mj.vwAIAgents a
+        INNER JOIN __mj.vwAIAgentRuns r ON r.AgentID = a.ID
+        WHERE EXISTS (SELECT 1 FROM __mj.vwUsers u WHERE u.ID = a.CreatedByUserID)
+        GROUP BY a.Name
+        ORDER BY TotalRuns DESC
+      `;
+      const result = validator.validateFullQuery(sql);
+      expect(result.valid).toBe(true);
+    });
+
+    it('should accept query with UNION', () => {
+      const sql = `
+        SELECT Name, 'Agent' AS Type FROM __mj.vwAIAgents
+        UNION ALL
+        SELECT Name, 'Model' AS Type FROM __mj.vwAIModels
+      `;
+      const result = validator.validateFullQuery(sql);
+      expect(result.valid).toBe(true);
+    });
+
+    it('should accept query with comments (agent-generated)', () => {
+      const sql = `
+        -- ============================================================
+        -- Agent Performance Report
+        -- ============================================================
+        SELECT TOP 100 a.Name, COUNT(*) AS RunCount
+        FROM __mj.vwAIAgents a
+        INNER JOIN __mj.vwAIAgentRuns r ON r.AgentID = a.ID
+        GROUP BY a.Name
+        ORDER BY RunCount DESC
+      `;
+      const result = validator.validateFullQuery(sql);
+      expect(result.valid).toBe(true);
+    });
+  });
+});

package/src/entitySubclasses/{entityPermissions.server.ts → MJEntityPermissionEntityServer.server.ts}

@@ -12,7 +12,7 @@ import { ___codeGenAPIPort, ___codeGenAPISubmissionDelay, ___codeGenAPIURL } fro
  * happens in the server. That's why it is not in the core-entities-server package.
  */
 @RegisterClass(BaseEntity, 'MJ: Entity Permissions')
-export class EntityPermissionsEntity_Server extends MJEntityPermissionEntity {
+export class MJEntityPermissionEntityServer extends MJEntityPermissionEntity {
   protected static _entityIDQueue: string[] = [];
   protected static _lastModifiedTime: Date | null = null;
   protected static _submissionTimer: NodeJS.Timeout | null = null;
@@ -89,7 +89,7 @@ export class EntityPermissionsEntity_Server extends MJEntityPermissionEntity {
 
   override Save(options?: EntitySaveOptions): Promise<boolean> {
     // simply queue up the entity ID
-    if (this.Dirty || options?.IgnoreDirtyState) EntityPermissionsEntity_Server.AddToQueue(this.EntityID);
+    if (this.Dirty || options?.IgnoreDirtyState) MJEntityPermissionEntityServer.AddToQueue(this.EntityID);
 
     return super.Save(options);
   }
@@ -98,7 +98,7 @@ export class EntityPermissionsEntity_Server extends MJEntityPermissionEntity {
     const success = await super.Delete(options);
 
     // simply queue up the entity ID if the delete worked
-    if (success) EntityPermissionsEntity_Server.AddToQueue(this.EntityID);
+    if (success) MJEntityPermissionEntityServer.AddToQueue(this.EntityID);
 
     return success;
   }

package/src/generic/ResolverBase.ts

@@ -17,7 +17,7 @@ import {
   RunViewResult,
   UserInfo,
 } from '@memberjunction/core';
-import { MJAuditLogEntity, MJErrorLogEntity, UserViewEntityExtended } from '@memberjunction/core-entities';
+import { MJAuditLogEntity, MJErrorLogEntity, MJUserViewEntityExtended } from '@memberjunction/core-entities';
 import { SQLServerDataProvider, UserCache } from '@memberjunction/sqlserver-dataprovider';
 import { PubSubEngine, AuthorizationError } from 'type-graphql';
 import { GraphQLError } from 'graphql';
@@ -274,7 +274,7 @@ export class ResolverBase {
       }
 
       const rv = provider as any as IRunViewProvider;
-      const result = await rv.RunView<UserViewEntityExtended>({
+      const result = await rv.RunView<MJUserViewEntityExtended>({
         EntityName: 'MJ: User Views',
         ExtraFilter: "Name='" + viewInput.ViewName + "'",
       }, userPayload.userRecord);
@@ -319,7 +319,7 @@ export class ResolverBase {
       }
 
       const contextUser = this.GetUserFromPayload(userPayload);
-      const viewInfo = await provider.GetEntityObject<UserViewEntityExtended>('MJ: User Views', contextUser);
+      const viewInfo = await provider.GetEntityObject<MJUserViewEntityExtended>('MJ: User Views', contextUser);
       await viewInfo.Load(viewInput.ViewID);
       return this.RunViewGenericInternal(
         provider,
@@ -358,12 +358,12 @@ export class ResolverBase {
       const entity = md.Entities.find((e) => e.Name === viewInput.EntityName);
       if (!entity) throw new Error(`Entity ${viewInput.EntityName} not found in metadata`);
 
-      const viewInfo: UserViewEntityExtended = {
+      const viewInfo: MJUserViewEntityExtended = {
         ID: '',
         Entity: viewInput.EntityName,
         EntityID: entity.ID,
         EntityBaseView: entity.BaseView as string,
-      } as UserViewEntityExtended; // only providing a few bits of data here, but it's enough to get the view to run
+      } as MJUserViewEntityExtended; // only providing a few bits of data here, but it's enough to get the view to run
 
       return this.RunViewGenericInternal(
         provider,
@@ -401,12 +401,12 @@ export class ResolverBase {
     let params: RunViewGenericParams[] = [];
     for (const viewInput of viewInputs) {
       try {
-        let viewInfo: UserViewEntityExtended | null = null;
+        let viewInfo: MJUserViewEntityExtended | null = null;
 
         if (viewInput.ViewName) {
           viewInfo = this.safeFirstArrayElement(await this.findBy(provider, 'MJ: User Views', { Name: viewInput.ViewName }, userPayload.userRecord));
         } else if (viewInput.ViewID) {
-          viewInfo = await provider.GetEntityObject<UserViewEntityExtended>('MJ: User Views', contextUser);
+          viewInfo = await provider.GetEntityObject<MJUserViewEntityExtended>('MJ: User Views', contextUser);
           await viewInfo.Load(viewInput.ViewID);
         } else if (viewInput.EntityName) {
           const entity = md.Entities.find((e) => e.Name === viewInput.EntityName);
@@ -420,7 +420,7 @@ export class ResolverBase {
             Entity: viewInput.EntityName,
             EntityID: entity.ID,
             EntityBaseView: entity.BaseView,
-          } as UserViewEntityExtended;
+          } as MJUserViewEntityExtended;
         } else {
           throw new Error('Unable to determine input type');
         }
@@ -603,7 +603,7 @@ export class ResolverBase {
    */
   protected async RunViewGenericInternal(
     provider: DatabaseProviderBase,
-    viewInfo: UserViewEntityExtended,
+    viewInfo: MJUserViewEntityExtended,
     extraFilter: string,
     orderBy: string,
     userSearchString: string,

package/src/generic/RunViewResolver.ts

@@ -4,7 +4,7 @@ import { ResolverBase } from './ResolverBase.js';
 import { LogError, LogStatus, EntityInfo, RunViewWithCacheCheckResult, RunViewsWithCacheCheckResponse, RunViewWithCacheCheckParams, AggregateResult } from '@memberjunction/core';
 import { RequireSystemUser } from '../directives/RequireSystemUser.js';
 import { GetReadOnlyProvider } from '../util.js';
-import { UserViewEntityExtended } from '@memberjunction/core-entities';
+import { MJUserViewEntityExtended } from '@memberjunction/core-entities';
 import { KeyValuePairOutputType } from './KeyInputOutputTypes.js';
 import { SQLServerDataProvider } from '@memberjunction/sqlserver-dataprovider';
 
@@ -652,7 +652,7 @@ export class RunViewResolver extends ResolverBase {
       if (rawData === null) 
         return null;
 
-      const viewInfo = super.safeFirstArrayElement<UserViewEntityExtended>(await super.findBy<UserViewEntityExtended>(provider, "MJ: User Views", { Name: input.ViewName }, userPayload.userRecord));
+      const viewInfo = super.safeFirstArrayElement<MJUserViewEntityExtended>(await super.findBy<MJUserViewEntityExtended>(provider, "MJ: User Views", { Name: input.ViewName }, userPayload.userRecord));
       const entity = provider.Entities.find((e) => e.ID === viewInfo.EntityID);
       const returnData = this.processRawData(rawData.Results, viewInfo.EntityID, entity);
       return {
@@ -683,7 +683,7 @@ export class RunViewResolver extends ResolverBase {
       if (rawData === null) 
         return null;
 
-      const viewInfo = super.safeFirstArrayElement<UserViewEntityExtended>(await super.findBy<UserViewEntityExtended>(provider, "MJ: User Views", { ID: input.ViewID }, userPayload.userRecord));
+      const viewInfo = super.safeFirstArrayElement<MJUserViewEntityExtended>(await super.findBy<MJUserViewEntityExtended>(provider, "MJ: User Views", { ID: input.ViewID }, userPayload.userRecord));
       const entity = provider.Entities.find((e) => e.ID === viewInfo.EntityID);
       const returnData = this.processRawData(rawData.Results, viewInfo.EntityID, entity);
       return {
@@ -837,7 +837,7 @@ export class RunViewResolver extends ResolverBase {
         };
       }
 
-      const viewInfo = super.safeFirstArrayElement<UserViewEntityExtended>(await super.findBy<UserViewEntityExtended>(provider, "MJ: User Views", { ID: input.ViewID }, userPayload.userRecord));
+      const viewInfo = super.safeFirstArrayElement<MJUserViewEntityExtended>(await super.findBy<MJUserViewEntityExtended>(provider, "MJ: User Views", { ID: input.ViewID }, userPayload.userRecord));
       const entity = provider.Entities.find((e) => e.ID === viewInfo.EntityID);
       const returnData = this.processRawData(rawData.Results, viewInfo.EntityID, entity);
       return {

package/src/index.ts

@@ -44,7 +44,7 @@ export * from 'type-graphql';
 export { NewUserBase } from './auth/newUsers.js';
 export { configInfo, DEFAULT_SERVER_CONFIG } from './config.js';
 export * from './directives/index.js';
-export * from './entitySubclasses/entityPermissions.server.js';
+export * from './entitySubclasses/MJEntityPermissionEntityServer.server.js';
 export * from './types.js';
 export {
     TokenExpiredError,

package/src/resolvers/AdhocQueryResolver.ts

@@ -0,0 +1,126 @@
+import { Arg, Ctx, Query, Resolver, Field, Int, InputType } from 'type-graphql';
+import { LogError } from '@memberjunction/core';
+import { SQLExpressionValidator } from '@memberjunction/global';
+import { AppContext } from '../types.js';
+import { GetReadOnlyDataSource } from '../util.js';
+import { ResolverBase } from '../generic/ResolverBase.js';
+import { RunQueryResultType } from './QueryResolver.js';
+import sql from 'mssql';
+
+/**
+ * Input type for executing ad-hoc SQL queries directly.
+ * The SQL is validated server-side to ensure it's a safe SELECT/WITH statement.
+ */
+@InputType()
+class AdhocQueryInput {
+    @Field(() => String, { description: 'SQL query to execute. Must be a SELECT or WITH (CTE) statement.' })
+    SQL: string;
+
+    @Field(() => Int, { nullable: true, description: 'Query timeout in seconds. Defaults to 30.' })
+    TimeoutSeconds?: number;
+}
+
+/**
+ * Resolver for executing ad-hoc (unsaved) SQL queries.
+ *
+ * Security:
+ * - SQL validated via SQLExpressionValidator (full_query context) — blocks mutations, dangerous operations
+ * - Executes on read-only connection pool only (no fallback to read-write)
+ * - Configurable timeout (default 30s)
+ * - Requires authenticated user (standard GraphQL auth, no @RequireSystemUser)
+ *
+ * Auto-discovered by MJServer's dynamic resolver import.
+ */
+@Resolver()
+export class AdhocQueryResolver extends ResolverBase {
+    @Query(() => RunQueryResultType)
+    async ExecuteAdhocQuery(
+        @Arg('input', () => AdhocQueryInput) input: AdhocQueryInput,
+        @Ctx() context: AppContext
+    ): Promise<RunQueryResultType> {
+        const startTime = Date.now();
+
+        try {
+            // 1. Security: validate SQL using SQLExpressionValidator
+            const validator = SQLExpressionValidator.Instance;
+            const validation = validator.validateFullQuery(input.SQL);
+            if (!validation.valid) {
+                return this.buildErrorResult(validation.error || 'SQL validation failed');
+            }
+
+            // 2. Get READ-ONLY data source (no fallback to read-write)
+            let readOnlyDS: sql.ConnectionPool;
+            try {
+                readOnlyDS = GetReadOnlyDataSource(context.dataSources, { allowFallbackToReadWrite: false });
+            } catch {
+                return this.buildErrorResult('No read-only data source available for ad-hoc query execution');
+            }
+
+            // 3. Execute with timeout
+            const timeoutMs = (input.TimeoutSeconds ?? 30) * 1000;
+            const request = new sql.Request(readOnlyDS);
+
+            const result = await Promise.race([
+                request.query(input.SQL),
+                new Promise<never>((_, reject) =>
+                    setTimeout(() => reject(new Error('Query timeout exceeded')), timeoutMs)
+                )
+            ]);
+            const executionTimeMs = Date.now() - startTime;
+
+            // 4. Return as RunQueryResultType
+            return {
+                QueryID: '',
+                QueryName: 'Ad-Hoc Query',
+                Success: true,
+                Results: JSON.stringify(result.recordset ?? []),
+                RowCount: result.recordset?.length ?? 0,
+                TotalRowCount: result.recordset?.length ?? 0,
+                ExecutionTime: executionTimeMs,
+                ErrorMessage: ''
+            };
+        } catch (err: unknown) {
+            const executionTimeMs = Date.now() - startTime;
+            const errorMessage = err instanceof Error ? err.message : String(err);
+
+            // Handle timeout
+            if (errorMessage.includes('timeout') || errorMessage.includes('Timeout')) {
+                return {
+                    QueryID: '',
+                    QueryName: 'Ad-Hoc Query',
+                    Success: false,
+                    Results: '[]',
+                    RowCount: 0,
+                    TotalRowCount: 0,
+                    ExecutionTime: executionTimeMs,
+                    ErrorMessage: `Query execution exceeded ${input.TimeoutSeconds ?? 30} second timeout`
+                };
+            }
+
+            LogError(`Ad-hoc query execution failed: ${errorMessage}`);
+            return {
+                QueryID: '',
+                QueryName: 'Ad-Hoc Query',
+                Success: false,
+                Results: '[]',
+                RowCount: 0,
+                TotalRowCount: 0,
+                ExecutionTime: executionTimeMs,
+                ErrorMessage: `Query execution failed: ${errorMessage}`
+            };
+        }
+    }
+
+    private buildErrorResult(errorMessage: string): RunQueryResultType {
+        return {
+            QueryID: '',
+            QueryName: 'Ad-Hoc Query',
+            Success: false,
+            Results: '[]',
+            RowCount: 0,
+            TotalRowCount: 0,
+            ExecutionTime: 0,
+            ErrorMessage: errorMessage
+        };
+    }
+}

package/src/resolvers/CreateQueryResolver.ts

@@ -6,7 +6,7 @@ import { MJQueryCategoryEntity, MJQueryPermissionEntity } from '@memberjunction/
 import { MJQueryResolver } from '../generated/generated.js';
 import { GetReadOnlyProvider, GetReadWriteProvider } from '../util.js';
 import { DeleteOptionsInput } from '../generic/DeleteOptionsInput.js';
-import { QueryEntityExtended } from '@memberjunction/core-entities-server';
+import { MJQueryEntityServer } from '@memberjunction/core-entities-server';
 
 /**
  * Query status enumeration for GraphQL
@@ -425,8 +425,8 @@ export class MJQueryResolverExtended extends MJQueryResolver {
                 };
             }
 
-            // Use QueryEntityExtended which handles AI processing
-            const record = await provider.GetEntityObject<QueryEntityExtended>("MJ: Queries", context.userPayload.userRecord);
+            // Use MJQueryEntityServer which handles AI processing
+            const record = await provider.GetEntityObject<MJQueryEntityServer>("MJ: Queries", context.userPayload.userRecord);
             
             // Set the fields from input, handling CategoryPath resolution
             const fieldsToSet = {
@@ -638,9 +638,9 @@ export class MJQueryResolverExtended extends MJQueryResolver {
         @PubSub() pubSub: PubSubEngine
     ): Promise<UpdateQueryResultType> {
         try {
-            // Load the existing query using QueryEntityExtended
+            // Load the existing query using MJQueryEntityServer
             const provider = GetReadWriteProvider(context.providers);
-            const queryEntity = await provider.GetEntityObject<QueryEntityExtended>('MJ: Queries', context.userPayload.userRecord);
+            const queryEntity = await provider.GetEntityObject<MJQueryEntityServer>('MJ: Queries', context.userPayload.userRecord);
             if (!queryEntity || !await queryEntity.Load(input.ID)) {
                 return {
                     Success: false,

package/src/resolvers/RunAIAgentResolver.ts

@@ -3,7 +3,7 @@ import { AppContext, UserPayload } from '../types.js';
 import { DatabaseProviderBase, LogError, LogStatus, Metadata, RunView, UserInfo } from '@memberjunction/core';
 import { MJConversationDetailEntity, MJConversationDetailAttachmentEntity } from '@memberjunction/core-entities';
 import { AgentRunner } from '@memberjunction/ai-agents';
-import { AIAgentEntityExtended, AIAgentRunEntityExtended, ExecuteAgentResult, ConversationUtility, AttachmentData } from '@memberjunction/ai-core-plus';
+import { MJAIAgentEntityExtended, MJAIAgentRunEntityExtended, ExecuteAgentResult, ConversationUtility, AttachmentData } from '@memberjunction/ai-core-plus';
 import { AIEngine } from '@memberjunction/aiengine';
 import { ChatMessage } from '@memberjunction/ai';
 import { ResolverBase } from '../generic/ResolverBase.js';
@@ -207,12 +207,12 @@ export class RunAIAgentResolver extends ResolverBase {
     /**
      * Validate the agent entity
      */
-    private async validateAgent(agentId: string, currentUser: any): Promise<AIAgentEntityExtended> {
+    private async validateAgent(agentId: string, currentUser: any): Promise<MJAIAgentEntityExtended> {
         // Use AIEngine to get cached agent data
         await AIEngine.Instance.Config(false, currentUser);
         
         // Find agent in cached collection
-        const agentEntity = AIEngine.Instance.Agents.find((a: AIAgentEntityExtended) => a.ID === agentId);
+        const agentEntity = AIEngine.Instance.Agents.find((a: MJAIAgentEntityExtended) => a.ID === agentId);
         
         if (!agentEntity) {
             throw new Error(`AI Agent with ID ${agentId} not found`);
@@ -630,7 +630,7 @@ export class RunAIAgentResolver extends ResolverBase {
      * Notification includes navigation link back to the conversation
      */
     private async createCompletionNotification(
-        agentRun: AIAgentRunEntityExtended,
+        agentRun: MJAIAgentRunEntityExtended,
         artifactInfo: { artifactId: string; versionId: string; versionNumber: number },
         conversationDetailId: string,
         contextUser: UserInfo,