npm - @moduna/qcp - Versions diffs - 0.1.3-alpha.2 → 0.1.3-alpha.3 - Mend

@moduna/qcp 0.1.3-alpha.2 → 0.1.3-alpha.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/qcp.js CHANGED Viewed

@@ -2373,7 +2373,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@moduna/qcp",
-    version: "0.1.3-alpha.2",
+    version: "0.1.3-alpha.3",
     description: "AI-powered CLI for querying PostgreSQL in natural language",
     type: "module",
     bin: {
@@ -80117,6 +80117,11 @@ function validateSql(sql) {
     }
     return report;
   }
+  const readOnlyViolation = findNonReadOnlyStatement(stmt);
+  if (readOnlyViolation) {
+    report.errors.push(`Dangerous operation rejected: ${readOnlyViolation} is not permitted inside this query. ` + `qcp is read-only — only SELECT and WITH are allowed.`);
+    return report;
+  }
   report.allowedStatement = true;
   report.readOnly = true;
   let processedSql = trimmedSql.replace(/;\s*$/, "");
@@ -80156,6 +80161,439 @@ function extractLimitValue(stmt) {
     return null;
   }
 }
+function findNonReadOnlyStatement(stmt) {
+  if (stmt.type === "select" || stmt.type === "values")
+    return null;
+  if (stmt.type === "union" || stmt.type === "union all") {
+    return findNonReadOnlyStatement(stmt.left) ?? findNonReadOnlyStatement(stmt.right);
+  }
+  if (stmt.type === "with") {
+    for (const binding of stmt.bind) {
+      const bindingViolation = findNonReadOnlyBinding(binding.statement);
+      if (bindingViolation)
+        return bindingViolation;
+    }
+    return findNonReadOnlyBinding(stmt.in);
+  }
+  if (stmt.type === "with recursive")
+    return "WITH RECURSIVE";
+  return DANGEROUS_STATEMENT_TYPES[stmt.type] ?? stmt.type.toUpperCase();
+}
+function findNonReadOnlyBinding(binding) {
+  if (binding.type === "select" || binding.type === "union" || binding.type === "union all" || binding.type === "values" || binding.type === "with") {
+    return findNonReadOnlyStatement(binding);
+  }
+  return DANGEROUS_STATEMENT_TYPES[binding.type] ?? binding.type.toUpperCase();
+}
+function enforceTenantIsolation(sql, schema, context) {
+  const report = {
+    safe: false,
+    errors: [],
+    warnings: [],
+    processedSql: sql.trim(),
+    injectedPredicates: [],
+    scopedTables: []
+  };
+  const contextResult = securityRequestContextSchema.safeParse(context);
+  if (!contextResult.success) {
+    report.errors.push("Trusted tenant context is required.");
+    return report;
+  }
+  let statements;
+  try {
+    statements = import_pgsql_ast_parser.parse(sql.trim(), { locationTracking: false });
+  } catch {
+    report.errors.push("SQL parsing failed during tenant isolation.");
+    return report;
+  }
+  if (statements.length !== 1) {
+    report.errors.push("Tenant isolation requires exactly one SQL statement.");
+    return report;
+  }
+  const statement = statements[0];
+  const readOnlyViolation = findNonReadOnlyStatement(statement);
+  if (readOnlyViolation) {
+    report.errors.push(`Tenant isolation rejected non-read-only statement: ${readOnlyViolation}.`);
+    return report;
+  }
+  const state = {
+    schema,
+    context: contextResult.data,
+    tableIndex: buildTableIndex(schema),
+    errors: report.errors,
+    warnings: report.warnings,
+    injectedPredicates: report.injectedPredicates,
+    scopedTables: report.scopedTables
+  };
+  const scopedStatement = scopeStatement(statement, state, new Set);
+  if (!scopedStatement || state.errors.length > 0) {
+    return report;
+  }
+  report.processedSql = import_pgsql_ast_parser.toSql.statement(scopedStatement);
+  report.safe = true;
+  return report;
+}
+function buildTableIndex(schema) {
+  const index = new Map;
+  for (const table of schema.tables) {
+    const fullName = tableKey(table.schema, table.name);
+    index.set(fullName, [table]);
+    const byName = index.get(table.name.toLowerCase()) ?? [];
+    byName.push(table);
+    index.set(table.name.toLowerCase(), byName);
+  }
+  return index;
+}
+function scopeStatement(statement, state, cteNames) {
+  if (statement.type === "with") {
+    return scopeWithStatement(statement, state, cteNames);
+  }
+  if (statement.type === "select" || statement.type === "union" || statement.type === "union all" || statement.type === "values") {
+    return scopeSelectStatement(statement, state, cteNames);
+  }
+  state.errors.push(`Tenant isolation supports SELECT and WITH only, not ${statement.type}.`);
+  return null;
+}
+function scopeWithStatement(statement, state, parentCteNames) {
+  const cteNames = new Set(parentCteNames);
+  for (const binding of statement.bind) {
+    cteNames.add(binding.alias.name.toLowerCase());
+  }
+  const bindings = statement.bind.map((binding) => {
+    const scoped = scopeWithBinding(binding.statement, state, cteNames);
+    return scoped ? { ...binding, statement: scoped } : binding;
+  });
+  const scopedIn = scopeWithBinding(statement.in, state, cteNames);
+  if (!scopedIn)
+    return null;
+  return {
+    ...statement,
+    bind: bindings,
+    in: scopedIn
+  };
+}
+function scopeWithBinding(binding, state, cteNames) {
+  if (binding.type === "select" || binding.type === "union" || binding.type === "union all" || binding.type === "values" || binding.type === "with") {
+    return scopeSelectStatement(binding, state, cteNames);
+  }
+  state.errors.push(`Tenant isolation rejected non-read-only WITH binding: ${binding.type}.`);
+  return null;
+}
+function scopeSelectStatement(statement, state, cteNames) {
+  switch (statement.type) {
+    case "with":
+      return scopeWithStatement(statement, state, cteNames);
+    case "with recursive":
+      state.errors.push("WITH RECURSIVE is not supported by tenant isolation.");
+      return null;
+    case "union":
+    case "union all":
+      return scopeUnionStatement(statement, state, cteNames);
+    case "values":
+      return statement;
+    case "select":
+      return scopeSelectFromStatement(statement, state, cteNames);
+  }
+}
+function scopeUnionStatement(statement, state, cteNames) {
+  const left = scopeSelectStatement(statement.left, state, cteNames);
+  const right = scopeSelectStatement(statement.right, state, cteNames);
+  if (!left || !right)
+    return null;
+  return {
+    ...statement,
+    left,
+    right
+  };
+}
+function scopeSelectFromStatement(statement, state, cteNames) {
+  if (containsNestedSelect(statement)) {
+    state.errors.push("Nested subqueries are not supported by tenant isolation.");
+    return null;
+  }
+  const from = statement.from?.map((item) => scopeFrom(item, state, cteNames));
+  if (state.errors.length > 0)
+    return null;
+  const scopes = (from ?? []).flatMap((item) => collectTableScopes(item));
+  let where = statement.where;
+  for (const scope of scopes) {
+    const conflict = findConflictingScopePredicate(where, scope, state.context);
+    if (conflict) {
+      state.errors.push(conflict);
+      return null;
+    }
+    const predicates = buildScopePredicates(scope, state.context);
+    for (const predicate of predicates) {
+      where = andExpr(where, predicate.expr);
+      state.injectedPredicates.push(predicate.label);
+    }
+    state.scopedTables.push(scope.tableId);
+  }
+  return {
+    ...statement,
+    from,
+    where
+  };
+}
+function scopeFrom(from, state, cteNames) {
+  assertSafeJoin(from, state);
+  if (from.type === "call") {
+    state.errors.push("Table functions are not supported by tenant isolation.");
+    return from;
+  }
+  if (from.lateral) {
+    state.errors.push("LATERAL queries are not supported by tenant isolation.");
+    return from;
+  }
+  if (from.type === "statement") {
+    const scopedStatement = scopeSelectStatement(from.statement, state, cteNames);
+    return scopedStatement ? {
+      ...from,
+      statement: scopedStatement
+    } : from;
+  }
+  if (isCteReference(from, cteNames))
+    return from;
+  const scope = resolveTableScope(from, state);
+  return scope ? {
+    ...from,
+    __qcpScope: scope
+  } : from;
+}
+function collectTableScopes(from) {
+  const scope = from.__qcpScope;
+  return scope ? [scope] : [];
+}
+function assertSafeJoin(from, state) {
+  const joinType = from.join?.type;
+  if (!joinType)
+    return;
+  if (joinType === "INNER JOIN" || joinType === "CROSS JOIN")
+    return;
+  state.errors.push(`${joinType} is not supported by tenant isolation.`);
+}
+function isCteReference(from, cteNames) {
+  return !from.name.schema && cteNames.has(from.name.name.toLowerCase());
+}
+function resolveTableScope(from, state) {
+  const table = resolveSchemaTable(from.name, state);
+  if (!table)
+    return null;
+  const columns = new Set(table.columns.map((column) => column.name.toLowerCase()));
+  const tenantColumn = TENANT_COLUMNS.find((column) => columns.has(column));
+  const userColumn = USER_COLUMNS.find((column) => columns.has(column));
+  if (!tenantColumn && !userColumn) {
+    state.errors.push(`Table ${formatTableId(table)} has no supported tenant or user scope column.`);
+    return null;
+  }
+  return {
+    alias: from.name.alias ?? from.name.name,
+    tableId: formatTableId(table),
+    tenantColumn,
+    userColumn
+  };
+}
+function resolveSchemaTable(name, state) {
+  if (name.schema && SYSTEM_SCHEMAS.has(name.schema.toLowerCase())) {
+    return null;
+  }
+  const key = name.schema ? tableKey(name.schema, name.name) : name.name.toLowerCase();
+  const matches = state.tableIndex.get(key) ?? [];
+  if (matches.length === 1)
+    return matches[0];
+  if (matches.length > 1) {
+    state.errors.push(`Table ${name.name} is ambiguous across schemas; qualify it explicitly.`);
+    return null;
+  }
+  state.errors.push(`Unknown table rejected by tenant isolation: ${name.name}.`);
+  return null;
+}
+function buildScopePredicates(scope, context) {
+  const predicates = [];
+  if (scope.tenantColumn) {
+    predicates.push({
+      expr: equalityExpr(scope.alias, scope.tenantColumn, context.tenantId),
+      label: `${scope.tableId}.${scope.tenantColumn} = [tenantId]`
+    });
+  }
+  if (scope.userColumn) {
+    predicates.push({
+      expr: equalityExpr(scope.alias, scope.userColumn, context.userId),
+      label: `${scope.tableId}.${scope.userColumn} = [userId]`
+    });
+  }
+  return predicates;
+}
+function equalityExpr(table, column, value2) {
+  return {
+    type: "binary",
+    op: "=",
+    left: {
+      type: "ref",
+      table: { name: table },
+      name: column
+    },
+    right: {
+      type: "string",
+      value: value2
+    }
+  };
+}
+function andExpr(left, right) {
+  if (!left)
+    return right;
+  return {
+    type: "binary",
+    op: "AND",
+    left,
+    right
+  };
+}
+function findConflictingScopePredicate(expr, scope, context) {
+  if (!expr)
+    return null;
+  if (expr.type === "binary") {
+    const directConflict = scopePredicateConflict(expr, scope, context);
+    if (directConflict)
+      return directConflict;
+    return findConflictingScopePredicate(expr.left, scope, context) ?? findConflictingScopePredicate(expr.right, scope, context);
+  }
+  if (expr.type === "unary") {
+    return findConflictingScopePredicate(expr.operand, scope, context);
+  }
+  if (expr.type === "ternary") {
+    return findConflictingScopePredicate(expr.value, scope, context) ?? findConflictingScopePredicate(expr.lo, scope, context) ?? findConflictingScopePredicate(expr.hi, scope, context);
+  }
+  if (expr.type === "case") {
+    for (const when of expr.whens) {
+      const conflict = findConflictingScopePredicate(when.when, scope, context) ?? findConflictingScopePredicate(when.value, scope, context);
+      if (conflict)
+        return conflict;
+    }
+    return findConflictingScopePredicate(expr.else, scope, context);
+  }
+  if (expr.type === "list" || expr.type === "array") {
+    for (const item of expr.expressions) {
+      const conflict = findConflictingScopePredicate(item, scope, context);
+      if (conflict)
+        return conflict;
+    }
+  }
+  if (expr.type === "cast") {
+    return findConflictingScopePredicate(expr.operand, scope, context);
+  }
+  return null;
+}
+function scopePredicateConflict(expr, scope, context) {
+  if (expr.op !== "=")
+    return null;
+  const conflict = refLiteralConflict(expr.left, expr.right, scope, context) ?? refLiteralConflict(expr.right, expr.left, scope, context);
+  return conflict ? `Query attempted to override trusted ${conflict} scope.` : null;
+}
+function refLiteralConflict(ref, literal2, scope, context) {
+  if (ref.type !== "ref")
+    return null;
+  const tableName = ref.table?.name.toLowerCase();
+  if (tableName && tableName !== scope.alias.toLowerCase())
+    return null;
+  const literalValue = literalToString(literal2);
+  if (literalValue === null)
+    return null;
+  if (scope.tenantColumn && ref.name.toLowerCase() === scope.tenantColumn && literalValue !== context.tenantId) {
+    return "tenant";
+  }
+  if (scope.userColumn && ref.name.toLowerCase() === scope.userColumn && literalValue !== context.userId) {
+    return "user";
+  }
+  return null;
+}
+function literalToString(expr) {
+  if (expr.type === "string")
+    return expr.value;
+  if (expr.type === "integer" || expr.type === "numeric") {
+    return String(expr.value);
+  }
+  if (expr.type === "cast")
+    return literalToString(expr.operand);
+  return null;
+}
+function containsNestedSelect(statement) {
+  const expressions = [
+    ...statement.columns?.map((column) => column.expr) ?? [],
+    statement.where,
+    statement.having,
+    ...statement.groupBy ?? [],
+    ...statement.orderBy?.map((orderBy) => orderBy.by) ?? []
+  ].filter((expr) => !!expr);
+  return expressions.some(exprContainsSelect);
+}
+function exprContainsSelect(expr) {
+  if (expr.type === "select" || expr.type === "with" || expr.type === "union" || expr.type === "union all" || expr.type === "values" || expr.type === "array select") {
+    return true;
+  }
+  if (expr.type === "binary") {
+    return exprContainsSelect(expr.left) || exprContainsSelect(expr.right);
+  }
+  if (expr.type === "unary")
+    return exprContainsSelect(expr.operand);
+  if (expr.type === "ternary") {
+    return exprContainsSelect(expr.value) || exprContainsSelect(expr.lo) || exprContainsSelect(expr.hi);
+  }
+  if (expr.type === "cast")
+    return exprContainsSelect(expr.operand);
+  if (expr.type === "case") {
+    return expr.whens.some((when) => exprContainsSelect(when.when) || exprContainsSelect(when.value)) || (expr.else ? exprContainsSelect(expr.else) : false);
+  }
+  if (expr.type === "call")
+    return expr.args.some(exprContainsSelect);
+  if (expr.type === "list" || expr.type === "array") {
+    return expr.expressions.some(exprContainsSelect);
+  }
+  if (expr.type === "member")
+    return exprContainsSelect(expr.operand);
+  if (expr.type === "arrayIndex") {
+    return exprContainsSelect(expr.array) || exprContainsSelect(expr.index);
+  }
+  if (expr.type === "overlay") {
+    return exprContainsSelect(expr.value) || exprContainsSelect(expr.placing) || exprContainsSelect(expr.from) || (expr.for ? exprContainsSelect(expr.for) : false);
+  }
+  if (expr.type === "substring") {
+    return exprContainsSelect(expr.value) || (expr.from ? exprContainsSelect(expr.from) : false) || (expr.for ? exprContainsSelect(expr.for) : false);
+  }
+  return false;
+}
+function tableKey(schema, name) {
+  return `${schema.toLowerCase()}.${name.toLowerCase()}`;
+}
+function formatTableId(table) {
+  return table.schema === "public" ? table.name : `${table.schema}.${table.name}`;
+}
+function sanitizeSensitiveData(value2) {
+  return sanitizeUnknown(value2);
+}
+function sanitizeUnknown(value2) {
+  if (typeof value2 === "string")
+    return sanitizeString(value2);
+  if (Array.isArray(value2))
+    return value2.map((item) => sanitizeUnknown(item));
+  if (isPlainRecord(value2)) {
+    const sanitized = {};
+    for (const [key, item] of Object.entries(value2)) {
+      sanitized[key] = sanitizeUnknown(item);
+    }
+    return sanitized;
+  }
+  return value2;
+}
+function sanitizeString(value2) {
+  return SENSITIVE_STRING_PATTERNS.reduce((current, [pattern, replacement]) => current.replace(pattern, replacement), value2);
+}
+function isPlainRecord(value2) {
+  return typeof value2 === "object" && value2 !== null && (Object.getPrototypeOf(value2) === Object.prototype || Object.getPrototypeOf(value2) === null);
+}
+function sanitizeDatabaseError(_error) {
+  return "Database query failed. The request was not completed.";
+}
 function detectSensitiveTables(sql, patterns) {
   const lower = sql.toLowerCase();
   const found = patterns.filter((p) => lower.includes(p.toLowerCase()));
@@ -80178,8 +80616,12 @@ function getApprovalReasons(sql, _report, sensitivePatterns, estimatedRows) {
   }
   return reasons;
 }
-var import_pgsql_ast_parser, ALLOWED_STATEMENT_TYPES, DANGEROUS_STATEMENT_TYPES, MAX_LIMIT = 100, EXPLAIN_REGEX;
+function requiresSensitiveApproval(sql, report, sensitivePatterns) {
+  return getApprovalReasons(sql, report, sensitivePatterns).some((reason) => reason.type === "sensitive_table");
+}
+var import_pgsql_ast_parser, ALLOWED_STATEMENT_TYPES, DANGEROUS_STATEMENT_TYPES, MAX_LIMIT = 100, TENANT_COLUMNS, USER_COLUMNS, SYSTEM_SCHEMAS, securityRequestContextSchema, EXPLAIN_REGEX, SENSITIVE_STRING_PATTERNS;
 var init_safety = __esm(() => {
+  init_zod();
   import_pgsql_ast_parser = __toESM(require_pgsql_ast_parser(), 1);
   ALLOWED_STATEMENT_TYPES = new Set(["select", "with"]);
   DANGEROUS_STATEMENT_TYPES = {
@@ -80205,7 +80647,38 @@ var init_safety = __esm(() => {
     copy: "COPY",
     do: "DO (procedural block)"
   };
+  TENANT_COLUMNS = [
+    "organization_id",
+    "tenant_id",
+    "org_id",
+    "workspace_id",
+    "account_id"
+  ];
+  USER_COLUMNS = ["user_id", "owner_id"];
+  SYSTEM_SCHEMAS = new Set(["information_schema", "pg_catalog"]);
+  securityRequestContextSchema = exports_external.object({
+    tenantId: exports_external.string().min(1),
+    userId: exports_external.string().min(1)
+  });
   EXPLAIN_REGEX = /^\s*EXPLAIN\s*(\([^)]*\))?\s*/i;
+  SENSITIVE_STRING_PATTERNS = [
+    [/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi, "[REDACTED_EMAIL]"],
+    [
+      /\b(?:\+?1[\s.-]?)?(?:\(?\d{3}\)?[\s.-]?)\d{3}[\s.-]?\d{4}\b/g,
+      "[REDACTED_PHONE]"
+    ],
+    [/\b\d{3}-\d{2}-\d{4}\b/g, "[REDACTED_SSN]"],
+    [
+      /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
+      "[REDACTED_TOKEN]"
+    ],
+    [/\bBearer\s+[A-Za-z0-9._~+/=-]{16,}\b/gi, "Bearer [REDACTED_TOKEN]"],
+    [
+      /\b(api[_-]?key|token|secret|password)(["'\s:=]+)([A-Za-z0-9._~+/=-]{8,})\b/gi,
+      "$1$2[REDACTED_SECRET]"
+    ],
+    [/\b[A-Za-z0-9_-]{32,}\b/g, "[REDACTED_SECRET]"]
+  ];
 });
 // node_modules/@mastra/core/dist/chunk-TBHKQLPL.js
@@ -285476,6 +285949,7 @@ import { existsSync as existsSync7, readFileSync as readFileSync6 } from "node:f
 function createPrismaTools(options2) {
   const queryExecutor = options2.queryExecutor ?? executeQuery;
   const explainExecutor = options2.explainExecutor ?? explainQuery;
+  const sensitiveTablePatterns = [...options2.sensitiveTablePatterns ?? []];
   return {
     qcp_validate_sql: createTool({
       id: "qcp_validate_sql",
@@ -285498,21 +285972,37 @@ function createPrismaTools(options2) {
     qcp_execute_read_sql: createTool({
       id: "qcp_execute_read_sql",
       description: "Execute a SQL query only after qcp AST validation succeeds. Rejected SQL is returned as a structured safety error.",
+      strict: true,
       inputSchema: exports_external.object({
         sql: exports_external.string().min(1)
       }),
+      requestContextSchema: securityRequestContextSchema,
       outputSchema: exports_external.discriminatedUnion("ok", [
         exports_external.object({
           ok: exports_external.literal(true),
           safety: safetyReportSchema,
-          result: queryResultSchema
+          isolation: tenantIsolationReportSchema,
+          result: queryResultSchema,
+          approvalReasons: exports_external.array(approvalReasonSchema)
         }),
         exports_external.object({
           ok: exports_external.literal(false),
           safety: safetyReportSchema,
-          error: exports_external.string()
+          isolation: tenantIsolationReportSchema.optional(),
+          error: exports_external.string(),
+          approvalReasons: exports_external.array(approvalReasonSchema)
         })
       ]),
+      requireApproval: async ({ sql }, context2) => shouldRequirePrismaToolApproval({
+        sql,
+        databaseUrl: options2.databaseUrl,
+        schema: options2.schema,
+        sensitiveTablePatterns,
+        explainExecutor,
+        requestContext: context2?.requestContext
+      }),
+      toModelOutput: sanitizedToolModelOutput,
+      transform: secureToolTransform(),
       mcp: {
         annotations: {
           title: "Execute Read SQL",
@@ -285522,38 +286012,48 @@ function createPrismaTools(options2) {
           openWorldHint: false
         }
       },
-      execute: async ({ sql }) => {
-        const safety = validateSql(sql);
-        if (!safety.safe) {
-          return {
-            ok: false,
-            safety,
-            error: safety.errors[0] ?? "SQL rejected by qcp safety policy."
-          };
-        }
-        const result = await queryExecutor(options2.databaseUrl, safety.processedSql);
-        return { ok: true, safety, result };
-      }
+      execute: async ({ sql }, context2) => executeSecurePrismaReadQuery({
+        databaseUrl: options2.databaseUrl,
+        schema: options2.schema,
+        queryExecutor,
+        sensitiveTablePatterns
+      }, sql, context2)
     }),
     qcp_explain_read_sql: createTool({
       id: "qcp_explain_read_sql",
       description: "Run EXPLAIN for a SQL query only after qcp AST validation succeeds.",
+      strict: true,
       inputSchema: exports_external.object({
         sql: exports_external.string().min(1)
       }),
+      requestContextSchema: securityRequestContextSchema,
       outputSchema: exports_external.discriminatedUnion("ok", [
         exports_external.object({
           ok: exports_external.literal(true),
           safety: safetyReportSchema,
+          isolation: tenantIsolationReportSchema,
           plan: exports_external.string(),
-          estimatedRows: exports_external.number()
+          estimatedRows: exports_external.number(),
+          approvalReasons: exports_external.array(approvalReasonSchema)
         }),
         exports_external.object({
           ok: exports_external.literal(false),
           safety: safetyReportSchema,
-          error: exports_external.string()
+          isolation: tenantIsolationReportSchema.optional(),
+          error: exports_external.string(),
+          approvalReasons: exports_external.array(approvalReasonSchema)
         })
       ]),
+      requireApproval: async ({ sql }, context2) => shouldRequirePrismaToolApproval({
+        sql,
+        databaseUrl: options2.databaseUrl,
+        schema: options2.schema,
+        sensitiveTablePatterns,
+        explainExecutor,
+        requestContext: context2?.requestContext
+      }),
+      toModelOutput: sanitizedToolModelOutput,
+      transform: secureToolTransform(),
       mcp: {
         annotations: {
           title: "Explain Read SQL",
@@ -285563,23 +286063,12 @@ function createPrismaTools(options2) {
           openWorldHint: false
         }
       },
-      execute: async ({ sql }) => {
-        const safety = validateSql(sql);
-        if (!safety.safe) {
-          return {
-            ok: false,
-            safety,
-            error: safety.errors[0] ?? "SQL rejected by qcp safety policy."
-          };
-        }
-        const explain = await explainExecutor(options2.databaseUrl, safety.processedSql);
-        return {
-          ok: true,
-          safety,
-          plan: explain.plan,
-          estimatedRows: explain.estimatedRows
-        };
-      }
+      execute: async ({ sql }, context2) => executeSecurePrismaExplainQuery({
+        databaseUrl: options2.databaseUrl,
+        schema: options2.schema,
+        explainExecutor,
+        sensitiveTablePatterns
+      }, sql, context2)
     }),
     qcp_read_prisma_context: createTool({
       id: "qcp_read_prisma_context",
@@ -285608,6 +286097,169 @@ function createPrismaTools(options2) {
     })
   };
 }
+async function executeSecurePrismaReadQuery(options2, sql, context2) {
+  const base2 = prepareSecurePrismaQuery(sql, options2.schema, options2.sensitiveTablePatterns ?? [], context2);
+  if (!base2.ok)
+    return base2;
+  const queryExecutor = options2.queryExecutor ?? executeQuery;
+  try {
+    const result = await queryExecutor(options2.databaseUrl, base2.isolation.processedSql);
+    return {
+      ok: true,
+      safety: base2.safety,
+      isolation: base2.isolation,
+      result: sanitizeSensitiveData(result),
+      approvalReasons: base2.approvalReasons
+    };
+  } catch (err) {
+    return {
+      ok: false,
+      safety: base2.safety,
+      isolation: base2.isolation,
+      error: sanitizeDatabaseError(err),
+      approvalReasons: base2.approvalReasons
+    };
+  }
+}
+async function executeSecurePrismaExplainQuery(options2, sql, context2) {
+  const base2 = prepareSecurePrismaQuery(sql, options2.schema, options2.sensitiveTablePatterns ?? [], context2);
+  if (!base2.ok)
+    return base2;
+  const explainExecutor = options2.explainExecutor ?? explainQuery;
+  try {
+    const explain = await explainExecutor(options2.databaseUrl, base2.isolation.processedSql);
+    const approvalReasons = getApprovalReasons(base2.isolation.processedSql, base2.safety, [...options2.sensitiveTablePatterns ?? []], explain.estimatedRows);
+    return {
+      ok: true,
+      safety: base2.safety,
+      isolation: base2.isolation,
+      plan: sanitizeSensitiveData(explain.plan),
+      estimatedRows: explain.estimatedRows,
+      approvalReasons
+    };
+  } catch (err) {
+    return {
+      ok: false,
+      safety: base2.safety,
+      isolation: base2.isolation,
+      error: sanitizeDatabaseError(err),
+      approvalReasons: base2.approvalReasons
+    };
+  }
+}
+function prepareSecurePrismaQuery(sql, schema, sensitiveTablePatterns, context2) {
+  const safety = validateSql(sql);
+  if (!safety.safe) {
+    return {
+      ok: false,
+      safety,
+      error: safety.errors[0] ?? "SQL rejected by qcp safety policy.",
+      approvalReasons: []
+    };
+  }
+  const securityContext = extractSecurityRequestContext(context2);
+  if (!securityContext) {
+    return {
+      ok: false,
+      safety,
+      error: "Trusted tenant context is required.",
+      approvalReasons: []
+    };
+  }
+  const isolation = enforceTenantIsolation(safety.processedSql, schema, securityContext);
+  if (!isolation.safe) {
+    return {
+      ok: false,
+      safety,
+      isolation,
+      error: isolation.errors[0] ?? "Query rejected by qcp tenant isolation policy.",
+      approvalReasons: []
+    };
+  }
+  return {
+    ok: true,
+    safety,
+    isolation,
+    approvalReasons: getApprovalReasons(isolation.processedSql, safety, [...sensitiveTablePatterns])
+  };
+}
+async function shouldRequirePrismaToolApproval(options2) {
+  const safety = validateSql(options2.sql);
+  if (!safety.safe)
+    return false;
+  const securityContext = extractSecurityRequestContext({
+    requestContext: options2.requestContext
+  });
+  if (!securityContext)
+    return false;
+  const isolation = enforceTenantIsolation(safety.processedSql, options2.schema, securityContext);
+  if (!isolation.safe)
+    return false;
+  if (requiresSensitiveApproval(isolation.processedSql, safety, [...options2.sensitiveTablePatterns])) {
+    return true;
+  }
+  try {
+    const explain = await options2.explainExecutor(options2.databaseUrl, isolation.processedSql);
+    const reasons = getApprovalReasons(isolation.processedSql, safety, [...options2.sensitiveTablePatterns], explain.estimatedRows);
+    return reasons.some((reason) => reason.type === "high_cost");
+  } catch {
+    return true;
+  }
+}
+function extractSecurityRequestContext(context2) {
+  const requestContext = getRecordValue(context2, "requestContext") ?? context2;
+  const candidates = [];
+  if (isRequestContextLike(requestContext)) {
+    candidates.push({
+      tenantId: requestContext.get("tenantId"),
+      userId: requestContext.get("userId")
+    });
+  }
+  const all = getRecordValue(requestContext, "all");
+  if (all)
+    candidates.push(all);
+  candidates.push(requestContext);
+  for (const candidate of candidates) {
+    const result = securityRequestContextSchema.safeParse(candidate);
+    if (result.success)
+      return result.data;
+  }
+  return null;
+}
+function isRequestContextLike(value2) {
+  return typeof value2 === "object" && value2 !== null && typeof value2.get === "function";
+}
+function getRecordValue(value2, key) {
+  if (typeof value2 !== "object" || value2 === null)
+    return;
+  return value2[key];
+}
+function sanitizedToolModelOutput(output) {
+  return {
+    type: "json",
+    value: sanitizeSensitiveData(output)
+  };
+}
+function secureToolTransform() {
+  return {
+    display: {
+      input: redactedToolInput,
+      output: ({ output }) => sanitizeSensitiveData(output),
+      error: sanitizedToolError
+    },
+    transcript: {
+      input: redactedToolInput,
+      output: ({ output }) => sanitizeSensitiveData(output),
+      error: sanitizedToolError
+    }
+  };
+}
+function redactedToolInput(_payload) {
+  return { sql: "[REDACTED_SQL]" };
+}
+function sanitizedToolError() {
+  return { message: sanitizeDatabaseError(undefined) };
+}
 async function loadPrismaMcpToolsets(databaseUrl, clientFactory = createPrismaMcpClient) {
   let client = null;
   try {
@@ -285660,6 +286312,7 @@ async function generateSqlWithPrismaAgent(options2) {
     databaseUrl: options2.databaseUrl,
     schema: options2.schema,
     prismaSchemaPath: options2.prismaSchemaPath,
+    sensitiveTablePatterns: options2.config.sensitiveTablePatterns,
     instructions: [
       "Use qcp_read_prisma_context and qcp_validate_sql to improve SQL quality.",
       "Do not call qcp_execute_read_sql while generating SQL for qcp CLI output.",
@@ -285769,7 +286422,7 @@ function stringProcessEnv() {
   }
   return env4;
 }
-var safetyReportSchema, queryResultSchema, prismaContextSchema, PrismaAgent;
+var safetyReportSchema, tenantIsolationReportSchema, approvalReasonSchema, queryResultSchema, prismaContextSchema, PrismaAgent;
 var init_prisma_agent = __esm(() => {
   init_tools();
   init_dist32();
@@ -285789,6 +286442,18 @@ var init_prisma_agent = __esm(() => {
     processedSql: exports_external.string(),
     statementType: exports_external.string()
   });
+  tenantIsolationReportSchema = exports_external.object({
+    safe: exports_external.boolean(),
+    errors: exports_external.array(exports_external.string()),
+    warnings: exports_external.array(exports_external.string()),
+    processedSql: exports_external.string(),
+    injectedPredicates: exports_external.array(exports_external.string()),
+    scopedTables: exports_external.array(exports_external.string())
+  });
+  approvalReasonSchema = exports_external.object({
+    type: exports_external.enum(["sensitive_table", "large_scan", "no_limit", "high_cost"]),
+    detail: exports_external.string()
+  });
   queryResultSchema = exports_external.object({
     rows: exports_external.array(exports_external.record(exports_external.string(), exports_external.unknown())),
     rowCount: exports_external.number(),
@@ -285814,6 +286479,7 @@ var init_prisma_agent = __esm(() => {
             databaseUrl: config2.databaseUrl,
             schema: config2.schema,
             prismaSchemaPath: config2.prismaSchemaPath,
+            sensitiveTablePatterns: config2.sensitiveTablePatterns,
             queryExecutor: config2.queryExecutor,
             explainExecutor: config2.explainExecutor
           }) : {}
@@ -285875,8 +286541,12 @@ async function handlePrismaQuestion(input) {
   let estimatedRows;
   const safeMode = options2.safeMode ?? input.config.safeMode;
   if (safeMode || options2.debug) {
-    try {
-      const explain = await explainQuery(input.databaseUrl, safetyReport.processedSql);
+    const explain = await executeSecurePrismaExplainQuery({
+      databaseUrl: input.databaseUrl,
+      schema: input.schema,
+      sensitiveTablePatterns: input.config.sensitiveTablePatterns
+    }, safetyReport.processedSql);
+    if (explain.ok) {
       estimatedRows = explain.estimatedRows;
       if (options2.debug) {
         console.log(source_default.dim(`
@@ -285884,7 +286554,9 @@ async function handlePrismaQuestion(input) {
         console.log(source_default.dim(explain.plan.slice(0, 1200)));
         console.log();
       }
-    } catch {}
+    } else if (options2.debug) {
+      console.log(source_default.dim(`EXPLAIN unavailable: ${explain.error}`));
+    }
   }
   if (safeMode && !options2.noConfirm) {
     const approvalReasons = getApprovalReasons(safetyReport.processedSql, safetyReport, input.config.sensitiveTablePatterns, estimatedRows);
@@ -285908,13 +286580,13 @@ async function handlePrismaQuestion(input) {
   const queryResult = await executePrismaQuery(input, safetyReport.processedSql);
   if (!queryResult)
     return false;
-  printResults(queryResult);
-  const summaryResult = await summarizePrismaResults(input, sqlResult, queryResult);
+  printResults(queryResult.result);
+  const summaryResult = await summarizePrismaResults(input, sqlResult, queryResult.result, queryResult.isolation.processedSql);
   if (summaryResult)
     printSummary(summaryResult.summary);
   if (sqlResult.explanation)
     printExplanation(sqlResult.explanation);
-  const totalMs = sqlResult.latencyMs + queryResult.executionTimeMs + (summaryResult?.latencyMs ?? 0);
+  const totalMs = sqlResult.latencyMs + queryResult.result.executionTimeMs + (summaryResult?.latencyMs ?? 0);
   trackQuery({
     provider: input.config.provider,
     model: input.config.model,
@@ -285926,7 +286598,7 @@ async function handlePrismaQuestion(input) {
       tokensOut: (sqlResult.tokensOut ?? 0) + (summaryResult?.tokensOut ?? 0),
       totalLatencyMs: totalMs,
       sqlGenerationMs: sqlResult.latencyMs,
-      executionMs: queryResult.executionTimeMs,
+      executionMs: queryResult.result.executionTimeMs,
       summaryMs: summaryResult?.latencyMs ?? 0,
       provider: input.config.provider,
       model: input.config.model
@@ -285936,7 +286608,7 @@ async function handlePrismaQuestion(input) {
   log3("info", "Prisma query completed", {
     provider: input.config.provider,
     model: input.config.model,
-    rows: queryResult.rowCount,
+    rows: queryResult.result.rowCount,
     latencyMs: totalMs
   });
   return true;
@@ -285963,22 +286635,24 @@ async function generateSql(input) {
 }
 async function executePrismaQuery(input, sql) {
   const spinner = ora(input.commandName === "chat" ? "Executing..." : "Executing query...").start();
-  try {
-    const queryResult = await executeQuery(input.databaseUrl, sql);
-    spinner.succeed(input.commandName === "chat" ? `${queryResult.rowCount} row(s) · ${queryResult.executionTimeMs}ms` : `Query executed · ${queryResult.rowCount} row(s) · ${queryResult.executionTimeMs}ms`);
-    return queryResult;
-  } catch (err) {
+  const queryResult = await executeSecurePrismaReadQuery({
+    databaseUrl: input.databaseUrl,
+    schema: input.schema,
+    sensitiveTablePatterns: input.config.sensitiveTablePatterns
+  }, sql);
+  if (!queryResult.ok) {
     spinner.fail(input.commandName === "chat" ? "Execution failed" : "Query execution failed");
-    const message = err instanceof Error ? err.message : String(err);
-    printError(message);
+    printError(queryResult.error);
     trackError(input.commandName, "prisma_query_execution_failed");
     return;
   }
+  spinner.succeed(input.commandName === "chat" ? `${queryResult.result.rowCount} row(s) · ${queryResult.result.executionTimeMs}ms` : `Query executed · ${queryResult.result.rowCount} row(s) · ${queryResult.result.executionTimeMs}ms`);
+  return queryResult;
 }
-async function summarizePrismaResults(input, sqlResult, queryResult) {
+async function summarizePrismaResults(input, sqlResult, queryResult, executedSql) {
   const spinner = ora(input.commandName === "chat" ? "Summarizing..." : "Generating summary...").start();
   try {
-    const summaryResult = await input.provider.generateSummary(input.question, sqlResult.sql, queryResult, (chunk) => {
+    const summaryResult = await input.provider.generateSummary(input.question, executedSql, queryResult, (chunk) => {
       if (input.options?.debug)
         process.stderr.write(source_default.dim(chunk));
     });
@@ -285998,7 +286672,6 @@ var init_prisma_query = __esm(() => {
   init_dist18();
   init_ora();
   init_prisma_agent();
-  init_db();
   init_logger2();
   init_output();
   init_safety();