@prisma-next/sql-runtime 0.4.1 → 0.4.3

package/src/middleware/budgets.ts

@@ -1,11 +1,11 @@
-import type { ExecutionPlan } from '@prisma-next/contract/types';
-import { type RuntimeErrorEnvelope, runtimeError } from '@prisma-next/framework-components/runtime';
-import type {
-  AfterExecuteResult,
-  Middleware,
-  MiddlewareContext,
-} from '@prisma-next/runtime-executor';
+import {
+  type AfterExecuteResult,
+  type RuntimeErrorEnvelope,
+  runtimeError,
+} from '@prisma-next/framework-components/runtime';
 import { isQueryAst, type SelectAst } from '@prisma-next/sql-relational-core/ast';
+import type { SqlExecutionPlan } from '@prisma-next/sql-relational-core/plan';
+import type { SqlMiddleware, SqlMiddlewareContext } from './sql-middleware';
 
 export interface BudgetsOptions {
   readonly maxRows?: number;
@@ -25,18 +25,28 @@ function hasAggregateWithoutGroupBy(ast: SelectAst): boolean {
   return ast.projection.some((item) => item.expr.kind === 'aggregate');
 }
 
+function primaryTableFromAst(ast: SelectAst): string | undefined {
+  switch (ast.from.kind) {
+    case 'table-source':
+      return ast.from.name;
+    case 'derived-table-source':
+      return ast.from.alias;
+    default:
+      return undefined;
+  }
+}
+
 function estimateRowsFromAst(
   ast: SelectAst,
   tableRows: Record<string, number>,
   defaultTableRows: number,
-  refs: { tables?: readonly string[] } | undefined,
   hasAggregateWithoutGroup: boolean,
 ): number | null {
   if (hasAggregateWithoutGroup) {
     return 1;
   }
 
-  const table = refs?.tables?.[0];
+  const table = primaryTableFromAst(ast);
   if (!table) {
     return null;
   }
@@ -50,34 +60,10 @@ function estimateRowsFromAst(
   return tableEstimate;
 }
 
-function estimateRowsFromHeuristics(
-  plan: ExecutionPlan,
-  tableRows: Record<string, number>,
-  defaultTableRows: number,
-): number | null {
-  const table = plan.meta.refs?.tables?.[0];
-  if (!table) {
-    return null;
-  }
-
-  const tableEstimate = tableRows[table] ?? defaultTableRows;
-
-  const limit = plan.meta.annotations?.['limit'];
-  if (typeof limit === 'number') {
-    return Math.min(limit, tableEstimate);
-  }
-
-  return tableEstimate;
-}
-
-function hasDetectableLimitFromHeuristics(plan: ExecutionPlan): boolean {
-  return typeof plan.meta.annotations?.['limit'] === 'number';
-}
-
 function emitBudgetViolation(
   error: RuntimeErrorEnvelope,
   shouldBlock: boolean,
-  ctx: MiddlewareContext<unknown>,
+  ctx: SqlMiddlewareContext,
 ): void {
   if (shouldBlock) {
     throw error;
@@ -89,37 +75,28 @@ function emitBudgetViolation(
   });
 }
 
-export function budgets<TContract = unknown>(options?: BudgetsOptions): Middleware<TContract> {
+export function budgets(options?: BudgetsOptions): SqlMiddleware {
   const maxRows = options?.maxRows ?? 10_000;
   const defaultTableRows = options?.defaultTableRows ?? 10_000;
   const tableRows = options?.tableRows ?? {};
   const maxLatencyMs = options?.maxLatencyMs ?? 1_000;
   const rowSeverity = options?.severities?.rowCount ?? 'error';
 
-  const observedRowsByPlan = new WeakMap<ExecutionPlan, { count: number }>();
+  const observedRowsByPlan = new WeakMap<SqlExecutionPlan, { count: number }>();
 
   return Object.freeze({
     name: 'budgets',
     familyId: 'sql' as const,
 
-    async beforeExecute(plan: ExecutionPlan, ctx: MiddlewareContext<TContract>) {
+    async beforeExecute(plan: SqlExecutionPlan, ctx: SqlMiddlewareContext) {
       observedRowsByPlan.set(plan, { count: 0 });
 
-      if (isQueryAst(plan.ast)) {
-        if (plan.ast.kind === 'select') {
-          return evaluateSelectAst(plan, plan.ast, ctx);
-        }
-        return;
+      if (isQueryAst(plan.ast) && plan.ast.kind === 'select') {
+        return evaluateSelectAst(plan.ast, ctx);
       }
-
-      return evaluateWithHeuristics(plan, ctx);
     },
 
-    async onRow(
-      _row: Record<string, unknown>,
-      plan: ExecutionPlan,
-      _ctx: MiddlewareContext<TContract>,
-    ) {
+    async onRow(_row: Record<string, unknown>, plan: SqlExecutionPlan, _ctx: SqlMiddlewareContext) {
       const state = observedRowsByPlan.get(plan);
       if (!state) return;
       state.count += 1;
@@ -133,9 +110,9 @@ export function budgets<TContract = unknown>(options?: BudgetsOptions): Middlewa
     },
 
     async afterExecute(
-      _plan: ExecutionPlan,
+      _plan: SqlExecutionPlan,
       result: AfterExecuteResult,
-      ctx: MiddlewareContext<TContract>,
+      ctx: SqlMiddlewareContext,
     ) {
       const latencyMs = result.latencyMs;
       if (latencyMs > maxLatencyMs) {
@@ -146,25 +123,15 @@ export function budgets<TContract = unknown>(options?: BudgetsOptions): Middlewa
             maxLatencyMs,
           }),
           shouldBlock,
-          ctx as MiddlewareContext<unknown>,
+          ctx,
         );
       }
     },
   });
 
-  function evaluateSelectAst(
-    plan: ExecutionPlan,
-    ast: SelectAst,
-    ctx: MiddlewareContext<TContract>,
-  ) {
+  function evaluateSelectAst(ast: SelectAst, ctx: SqlMiddlewareContext) {
     const hasAggNoGroup = hasAggregateWithoutGroupBy(ast);
-    const estimated = estimateRowsFromAst(
-      ast,
-      tableRows,
-      defaultTableRows,
-      plan.meta.refs,
-      hasAggNoGroup,
-    );
+    const estimated = estimateRowsFromAst(ast, tableRows, defaultTableRows, hasAggNoGroup);
     const isUnbounded = ast.limit === undefined && !hasAggNoGroup;
     const shouldBlock = rowSeverity === 'error' || ctx.mode === 'strict';
 
@@ -177,7 +144,7 @@ export function budgets<TContract = unknown>(options?: BudgetsOptions): Middlewa
             maxRows,
           }),
           shouldBlock,
-          ctx as MiddlewareContext<unknown>,
+          ctx,
         );
         return;
       }
@@ -188,7 +155,7 @@ export function budgets<TContract = unknown>(options?: BudgetsOptions): Middlewa
           maxRows,
         }),
         shouldBlock,
-        ctx as MiddlewareContext<unknown>,
+        ctx,
       );
       return;
     }
@@ -201,56 +168,8 @@ export function budgets<TContract = unknown>(options?: BudgetsOptions): Middlewa
           maxRows,
         }),
         shouldBlock,
-        ctx as MiddlewareContext<unknown>,
+        ctx,
       );
     }
   }
-
-  async function evaluateWithHeuristics(plan: ExecutionPlan, ctx: MiddlewareContext<TContract>) {
-    const estimated = estimateRowsFromHeuristics(plan, tableRows, defaultTableRows);
-    const isUnbounded = !hasDetectableLimitFromHeuristics(plan);
-    const sqlUpper = plan.sql.trimStart().toUpperCase();
-    const isSelect = sqlUpper.startsWith('SELECT');
-    const shouldBlock = rowSeverity === 'error' || ctx.mode === 'strict';
-
-    if (isSelect && isUnbounded) {
-      if (estimated !== null && estimated >= maxRows) {
-        emitBudgetViolation(
-          runtimeError('BUDGET.ROWS_EXCEEDED', 'Unbounded SELECT query exceeds budget', {
-            source: 'heuristic',
-            estimatedRows: estimated,
-            maxRows,
-          }),
-          shouldBlock,
-          ctx as MiddlewareContext<unknown>,
-        );
-        return;
-      }
-
-      emitBudgetViolation(
-        runtimeError('BUDGET.ROWS_EXCEEDED', 'Unbounded SELECT query exceeds budget', {
-          source: 'heuristic',
-          maxRows,
-        }),
-        shouldBlock,
-        ctx as MiddlewareContext<unknown>,
-      );
-      return;
-    }
-
-    if (estimated !== null) {
-      if (estimated > maxRows) {
-        emitBudgetViolation(
-          runtimeError('BUDGET.ROWS_EXCEEDED', 'Estimated row count exceeds budget', {
-            source: 'heuristic',
-            estimatedRows: estimated,
-            maxRows,
-          }),
-          shouldBlock,
-          ctx as MiddlewareContext<unknown>,
-        );
-      }
-      return;
-    }
-  }
 }

package/src/middleware/lints.ts

@@ -1,13 +1,13 @@
-import type { ExecutionPlan } from '@prisma-next/contract/types';
 import { runtimeError } from '@prisma-next/framework-components/runtime';
-import type { Middleware, MiddlewareContext } from '@prisma-next/runtime-executor';
-import { evaluateRawGuardrails } from '@prisma-next/runtime-executor';
 import {
   type AnyFromSource,
   type AnyQueryAst,
   isQueryAst,
 } from '@prisma-next/sql-relational-core/ast';
+import type { SqlExecutionPlan } from '@prisma-next/sql-relational-core/plan';
 import { ifDefined } from '@prisma-next/utils/defined';
+import { evaluateRawGuardrails } from '../guardrails/raw';
+import type { SqlMiddleware, SqlMiddlewareContext } from './sql-middleware';
 
 export interface LintsOptions {
   readonly severities?: {
@@ -138,14 +138,14 @@ function getConfiguredSeverity(code: string, options?: LintsOptions): 'warn' | '
  * Fallback: When ast is missing, `fallbackWhenAstMissing: 'raw'` uses heuristic
  * SQL parsing; `'skip'` skips all lints. Default is `'raw'`.
  */
-export function lints<TContract = unknown>(options?: LintsOptions): Middleware<TContract> {
+export function lints(options?: LintsOptions): SqlMiddleware {
   const fallback = options?.fallbackWhenAstMissing ?? 'raw';
 
   return Object.freeze({
     name: 'lints',
     familyId: 'sql' as const,
 
-    async beforeExecute(plan: ExecutionPlan, ctx: MiddlewareContext<TContract>) {
+    async beforeExecute(plan: SqlExecutionPlan, ctx: SqlMiddlewareContext) {
       if (isQueryAst(plan.ast)) {
         const findings = evaluateAstLints(plan.ast);
 

package/src/middleware/sql-middleware.ts

@@ -1,25 +1,55 @@
-import type { Contract, ExecutionPlan } from '@prisma-next/contract/types';
+import type { Contract, PlanMeta } from '@prisma-next/contract/types';
 import type {
   AfterExecuteResult,
   RuntimeMiddleware,
   RuntimeMiddlewareContext,
 } from '@prisma-next/framework-components/runtime';
 import type { SqlStorage } from '@prisma-next/sql-contract/types';
+import type { AnyQueryAst } from '@prisma-next/sql-relational-core/ast';
+import type { SqlExecutionPlan } from '@prisma-next/sql-relational-core/plan';
 
 export interface SqlMiddlewareContext extends RuntimeMiddlewareContext {
   readonly contract: Contract<SqlStorage>;
 }
 
-export interface SqlMiddleware extends RuntimeMiddleware {
-  readonly familyId: 'sql';
-  beforeExecute?(plan: ExecutionPlan, ctx: SqlMiddlewareContext): Promise<void>;
+/**
+ * Pre-lowering query view passed to `beforeCompile`. Carries the typed SQL
+ * AST and plan metadata; `sql`/`params` are produced later by the adapter.
+ */
+export interface DraftPlan {
+  readonly ast: AnyQueryAst;
+  readonly meta: PlanMeta;
+}
+
+export interface SqlMiddleware extends RuntimeMiddleware<SqlExecutionPlan> {
+  readonly familyId?: 'sql';
+  /**
+   * Rewrite the query AST before it is lowered to SQL. Middlewares run in
+   * registration order; each sees the predecessor's output, so rewrites
+   * compose (e.g. soft-delete + tenant isolation).
+   *
+   * Return `undefined` (or a draft whose `ast` reference equals the input's)
+   * to pass through. Return a draft with a new `ast` reference to replace it;
+   * the runtime emits a `middleware.rewrite` debug log event and continues
+   * with the new draft. `adapter.lower()` runs once after the chain.
+   *
+   * Use `AstRewriter` / `SelectAst.withWhere` / `AndExpr.of` etc. to build
+   * the rewritten AST. Predicates and literals go through parameterized
+   * constructors by default — no SQL-injection surface is added. **Warning:**
+   * constructing `LiteralExpr.of(userInput)` from untrusted input bypasses
+   * that guarantee; use `ParamRef.of(userInput, ...)` instead.
+   *
+   * See `docs/architecture docs/subsystems/4. Runtime & Middleware Framework.md`.
+   */
+  beforeCompile?(draft: DraftPlan, ctx: SqlMiddlewareContext): Promise<DraftPlan | undefined>;
+  beforeExecute?(plan: SqlExecutionPlan, ctx: SqlMiddlewareContext): Promise<void>;
   onRow?(
     row: Record<string, unknown>,
-    plan: ExecutionPlan,
+    plan: SqlExecutionPlan,
     ctx: SqlMiddlewareContext,
   ): Promise<void>;
   afterExecute?(
-    plan: ExecutionPlan,
+    plan: SqlExecutionPlan,
     result: AfterExecuteResult,
     ctx: SqlMiddlewareContext,
   ): Promise<void>;

package/src/runtime-spi.ts

@@ -0,0 +1,44 @@
+import type { ContractMarkerRecord } from '@prisma-next/contract/types';
+import type { ExecutionPlan } from '@prisma-next/framework-components/runtime';
+import type { MarkerStatement } from '@prisma-next/sql-relational-core/ast';
+
+/**
+ * Reader of the SQL contract marker. SQL runtimes verify the database's
+ * `prisma_contract.marker` row against the runtime's contract by issuing
+ * this statement before executing user queries (when `verify` is enabled).
+ * Each adapter is responsible for any target-specific row decoding before
+ * delegating to the shared row schema.
+ */
+export interface MarkerReader {
+  readMarkerStatement(): MarkerStatement;
+  parseMarkerRow(row: unknown): ContractMarkerRecord;
+}
+
+/**
+ * SQL family adapter SPI consumed by `SqlRuntime`. Encapsulates the
+ * runtime contract, marker reader, and plan validation logic so the
+ * runtime can be unit-tested without a concrete SQL adapter profile.
+ *
+ * Implemented by `SqlFamilyAdapter` for production and by mock classes
+ * in tests.
+ */
+export interface RuntimeFamilyAdapter<TContract = unknown> {
+  readonly contract: TContract;
+  readonly markerReader: MarkerReader;
+  validatePlan(plan: ExecutionPlan, contract: TContract): void;
+}
+
+export interface RuntimeVerifyOptions {
+  readonly mode: 'onFirstUse' | 'startup' | 'always';
+  readonly requireMarker: boolean;
+}
+
+export type TelemetryOutcome = 'success' | 'runtime-error';
+
+export interface RuntimeTelemetryEvent {
+  readonly lane: string;
+  readonly target: string;
+  readonly fingerprint: string;
+  readonly outcome: TelemetryOutcome;
+  readonly durationMs?: number;
+}