@smallwebco/tinypivot-server 1.0.57

package/dist/index.cjs

@@ -0,0 +1,635 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  createTinyPivotHandler: () => createTinyPivotHandler,
+  ensureLimit: () => ensureLimit,
+  extractTableNames: () => extractTableNames,
+  sanitizeTableName: () => sanitizeTableName,
+  validateSQL: () => validateSQL
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/validation.ts
+var FORBIDDEN_KEYWORDS = [
+  "INSERT",
+  "UPDATE",
+  "DELETE",
+  "DROP",
+  "ALTER",
+  "TRUNCATE",
+  "CREATE",
+  "GRANT",
+  "REVOKE",
+  "EXEC",
+  "EXECUTE",
+  "MERGE",
+  "UPSERT",
+  "REPLACE",
+  "CALL",
+  "SET",
+  "LOCK",
+  "UNLOCK"
+];
+var DANGEROUS_PATTERNS = [
+  /INTO\s+(?:OUTFILE|DUMPFILE)/i,
+  // File operations
+  /LOAD\s+DATA/i,
+  // File loading
+  /;\s*(?:INSERT|UPDATE|DELETE|DROP)/i
+  // Statement injection
+];
+function validateSQL(sql, allowedTables) {
+  const trimmedSQL = sql.trim();
+  const upperSQL = trimmedSQL.toUpperCase();
+  if (!upperSQL.startsWith("SELECT") && !upperSQL.startsWith("WITH")) {
+    return {
+      valid: false,
+      error: "Only SELECT queries (including CTEs with WITH) are allowed"
+    };
+  }
+  if (upperSQL.startsWith("WITH")) {
+    if (!upperSQL.includes("SELECT")) {
+      return {
+        valid: false,
+        error: "CTE queries must include a final SELECT statement"
+      };
+    }
+  }
+  for (const keyword of FORBIDDEN_KEYWORDS) {
+    const regex = new RegExp(`\\b${keyword}\\b`, "i");
+    if (regex.test(trimmedSQL)) {
+      return {
+        valid: false,
+        error: `Query contains forbidden keyword: ${keyword}`
+      };
+    }
+  }
+  for (const pattern of DANGEROUS_PATTERNS) {
+    if (pattern.test(trimmedSQL)) {
+      return {
+        valid: false,
+        error: "Query contains dangerous pattern"
+      };
+    }
+  }
+  const statements = trimmedSQL.split(";").filter((s) => s.trim().length > 0);
+  if (statements.length > 1) {
+    return {
+      valid: false,
+      error: "Multiple statements are not allowed"
+    };
+  }
+  if (/--/.test(trimmedSQL) || /\/\*/.test(trimmedSQL)) {
+    return {
+      valid: false,
+      error: "SQL comments are not allowed"
+    };
+  }
+  const extractedTables = extractTableNames(trimmedSQL);
+  const normalizedAllowed = allowedTables.map((t) => t.toLowerCase());
+  for (const table of extractedTables) {
+    if (!normalizedAllowed.includes(table.toLowerCase())) {
+      return {
+        valid: false,
+        error: `Table "${table}" is not in the allowed list`
+      };
+    }
+  }
+  return { valid: true };
+}
+function extractTableNames(sql) {
+  const tables = [];
+  const fromMatch = sql.match(/\bFROM\s+([a-z_]\w*(?:\s*,\s*[a-z_]\w*)*)/i);
+  if (fromMatch) {
+    const fromTables = fromMatch[1].split(",").map((t) => t.trim());
+    tables.push(...fromTables);
+  }
+  const joinRegex = /\b(?:LEFT|RIGHT|INNER|OUTER|CROSS|FULL)?\s*JOIN\s+([a-z_]\w*)/gi;
+  let match;
+  while ((match = joinRegex.exec(sql)) !== null) {
+    tables.push(match[1]);
+  }
+  return [...new Set(tables.map((t) => t.replace(/["`]/g, "")))];
+}
+function sanitizeTableName(name) {
+  return name.replace(/\W/g, "");
+}
+function ensureLimit(sql, maxRows) {
+  if (/\bLIMIT\s+\d+/i.test(sql)) {
+    const limitMatch = sql.match(/\bLIMIT\s+(\d+)/i);
+    if (limitMatch) {
+      const existingLimit = Number.parseInt(limitMatch[1], 10);
+      if (existingLimit > maxRows) {
+        return sql.replace(/\bLIMIT\s+\d+/i, `LIMIT ${maxRows}`);
+      }
+    }
+    return sql;
+  }
+  const trimmed = sql.replace(/;\s*$/, "").trim();
+  return `${trimmed} LIMIT ${maxRows}`;
+}
+
+// src/unified-handler.ts
+function detectProvider(apiKey) {
+  if (apiKey.startsWith("sk-ant-")) {
+    return "anthropic";
+  }
+  if (apiKey.startsWith("sk-or-")) {
+    return "openrouter";
+  }
+  return "openai";
+}
+function getProviderConfig(provider) {
+  switch (provider) {
+    case "anthropic":
+      return {
+        provider: "anthropic",
+        endpoint: "https://api.anthropic.com/v1/messages",
+        defaultModel: "claude-3-haiku-20240307",
+        buildHeaders: (apiKey) => ({
+          "Content-Type": "application/json",
+          "x-api-key": apiKey,
+          "anthropic-version": "2023-06-01"
+        }),
+        extractContent: (data) => {
+          const d = data;
+          return d.content?.[0]?.text || "";
+        }
+      };
+    case "openrouter":
+      return {
+        provider: "openrouter",
+        endpoint: "https://openrouter.ai/api/v1/chat/completions",
+        defaultModel: "anthropic/claude-3-haiku",
+        buildHeaders: (apiKey) => ({
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${apiKey}`,
+          "HTTP-Referer": "https://tiny-pivot.com",
+          "X-Title": "TinyPivot AI Data Analyst"
+        }),
+        extractContent: (data) => {
+          const d = data;
+          return d.choices?.[0]?.message?.content || "";
+        }
+      };
+    case "openai":
+    default:
+      return {
+        provider: "openai",
+        endpoint: "https://api.openai.com/v1/chat/completions",
+        defaultModel: "gpt-4o-mini",
+        buildHeaders: (apiKey) => ({
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${apiKey}`
+        }),
+        extractContent: (data) => {
+          const d = data;
+          return d.choices?.[0]?.message?.content || "";
+        }
+      };
+  }
+}
+function normalizeModelForOpenRouter(model) {
+  if (model.includes("/")) {
+    return model;
+  }
+  if (model.startsWith("claude")) {
+    return `anthropic/${model}`;
+  }
+  if (model.startsWith("gpt-") || model.startsWith("o1") || model.startsWith("o3")) {
+    return `openai/${model}`;
+  }
+  if (model.startsWith("gemini")) {
+    return `google/${model}`;
+  }
+  if (model.startsWith("llama") || model.startsWith("codellama")) {
+    return `meta-llama/${model}`;
+  }
+  if (model.startsWith("mistral") || model.startsWith("mixtral") || model.startsWith("codestral")) {
+    return `mistralai/${model}`;
+  }
+  if (model.startsWith("deepseek")) {
+    return `deepseek/${model}`;
+  }
+  if (model.startsWith("qwen")) {
+    return `qwen/${model}`;
+  }
+  return model;
+}
+var PG_TYPE_MAP = {
+  "character varying": "string",
+  "varchar": "string",
+  "character": "string",
+  "char": "string",
+  "text": "string",
+  "uuid": "string",
+  "name": "string",
+  "citext": "string",
+  "integer": "number",
+  "int": "number",
+  "int2": "number",
+  "int4": "number",
+  "int8": "number",
+  "smallint": "number",
+  "bigint": "number",
+  "decimal": "number",
+  "numeric": "number",
+  "real": "number",
+  "double precision": "number",
+  "float4": "number",
+  "float8": "number",
+  "money": "number",
+  "serial": "number",
+  "bigserial": "number",
+  "boolean": "boolean",
+  "bool": "boolean",
+  "date": "date",
+  "timestamp": "date",
+  "timestamp without time zone": "date",
+  "timestamp with time zone": "date",
+  "timestamptz": "date",
+  "time": "date",
+  "time without time zone": "date",
+  "time with time zone": "date",
+  "timetz": "date",
+  "interval": "date"
+};
+function matchesPattern(tableName, pattern) {
+  if (typeof pattern === "string") {
+    return tableName.toLowerCase() === pattern.toLowerCase();
+  }
+  return pattern.test(tableName);
+}
+function filterTables(tables, options) {
+  let filtered = tables;
+  if (options.include && options.include.length > 0) {
+    filtered = filtered.filter(
+      (table) => options.include.some((pattern) => matchesPattern(table, pattern))
+    );
+  }
+  if (options.exclude && options.exclude.length > 0) {
+    filtered = filtered.filter(
+      (table) => !options.exclude.some((pattern) => matchesPattern(table, pattern))
+    );
+  }
+  return filtered;
+}
+function createTinyPivotHandler(options = {}) {
+  const {
+    connectionString = process.env.DATABASE_URL,
+    apiKey = process.env.AI_API_KEY,
+    tables: tableOptions = {},
+    maxRows,
+    timeout,
+    maxTokens = 2048,
+    onError
+  } = options;
+  const modelOverride = options.model || process.env.AI_MODEL;
+  const schemas = tableOptions.schemas || ["public"];
+  const descriptions = tableOptions.descriptions || {};
+  return async (req) => {
+    try {
+      const body = await req.json();
+      const { action } = body;
+      if (!action) {
+        return createErrorResponse("Missing action parameter", 400);
+      }
+      switch (action) {
+        case "list-tables":
+          return handleListTables(connectionString, schemas, tableOptions, descriptions, onError);
+        case "get-schema":
+          return handleGetSchema(body.tables || [], connectionString, schemas, tableOptions, onError);
+        case "query":
+          return handleQuery(
+            body.sql,
+            body.table,
+            connectionString,
+            schemas,
+            tableOptions,
+            maxRows,
+            timeout,
+            onError
+          );
+        case "chat":
+          return handleChat(body.messages || [], apiKey, modelOverride, maxTokens, onError);
+        default:
+          return createErrorResponse(`Unknown action: ${action}`, 400);
+      }
+    } catch (error) {
+      const err = error instanceof Error ? error : new Error(String(error));
+      onError?.(err);
+      return createErrorResponse(err.message, 500);
+    }
+  };
+}
+async function handleListTables(connectionString, schemas, tableOptions, descriptions, onError) {
+  let Pool;
+  try {
+    const pg = await import("pg");
+    Pool = pg.Pool;
+  } catch {
+    return createErrorResponse(
+      "PostgreSQL driver (pg) is not installed. Install it with: pnpm add pg",
+      500
+    );
+  }
+  if (!connectionString) {
+    return createErrorResponse(
+      "Database connection not configured. Set DATABASE_URL environment variable.",
+      500
+    );
+  }
+  const pool = new Pool({ connectionString });
+  try {
+    const schemaPlaceholders = schemas.map((_, i) => `$${i + 1}`).join(", ");
+    const result = await pool.query(
+      `
+      SELECT table_name, table_schema
+      FROM information_schema.tables
+      WHERE table_schema IN (${schemaPlaceholders})
+        AND table_type = 'BASE TABLE'
+      ORDER BY table_schema, table_name
+      `,
+      schemas
+    );
+    let tableNames = result.rows.map((row) => row.table_name);
+    tableNames = filterTables(tableNames, tableOptions);
+    const response = {
+      tables: tableNames.map((name) => ({
+        name,
+        description: descriptions[name]
+      }))
+    };
+    return new Response(JSON.stringify(response), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    const err = error instanceof Error ? error : new Error(String(error));
+    onError?.(err);
+    return createErrorResponse(`Failed to list tables: ${err.message}`, 500);
+  } finally {
+    await pool.end();
+  }
+}
+async function handleGetSchema(tables, connectionString, schemas, tableOptions, onError) {
+  if (!tables || !Array.isArray(tables) || tables.length === 0) {
+    return createErrorResponse("Missing or invalid tables array", 400);
+  }
+  let Pool;
+  try {
+    const pg = await import("pg");
+    Pool = pg.Pool;
+  } catch {
+    return createErrorResponse(
+      "PostgreSQL driver (pg) is not installed. Install it with: pnpm add pg",
+      500
+    );
+  }
+  if (!connectionString) {
+    return createErrorResponse(
+      "Database connection not configured. Set DATABASE_URL environment variable.",
+      500
+    );
+  }
+  const pool = new Pool({ connectionString });
+  try {
+    const schemaPlaceholders = schemas.map((_, i) => `$${i + 1}`).join(", ");
+    const tablesResult = await pool.query(
+      `
+      SELECT table_name
+      FROM information_schema.tables
+      WHERE table_schema IN (${schemaPlaceholders})
+        AND table_type = 'BASE TABLE'
+      `,
+      schemas
+    );
+    let allowedTables = tablesResult.rows.map((row) => row.table_name);
+    allowedTables = filterTables(allowedTables, tableOptions);
+    const filteredTables = tables.filter(
+      (t) => allowedTables.map((a) => a.toLowerCase()).includes(t.toLowerCase())
+    );
+    if (filteredTables.length === 0) {
+      return createErrorResponse("None of the requested tables are allowed", 403);
+    }
+    const tableSchemas = [];
+    for (const table of filteredTables) {
+      const columnsResult = await pool.query(
+        `
+        SELECT 
+          column_name,
+          data_type,
+          is_nullable
+        FROM information_schema.columns 
+        WHERE table_name = $1
+          AND table_schema = ANY($2::text[])
+        ORDER BY ordinal_position
+        `,
+        [table, schemas]
+      );
+      if (columnsResult.rows.length > 0) {
+        const columns = columnsResult.rows.map((row) => ({
+          name: row.column_name,
+          type: PG_TYPE_MAP[row.data_type.toLowerCase()] || "unknown",
+          nullable: row.is_nullable === "YES"
+        }));
+        tableSchemas.push({ table, columns });
+      }
+    }
+    const response = { schemas: tableSchemas };
+    return new Response(JSON.stringify(response), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    const err = error instanceof Error ? error : new Error(String(error));
+    onError?.(err);
+    return createErrorResponse(`Failed to get schema: ${err.message}`, 500);
+  } finally {
+    await pool.end();
+  }
+}
+async function handleQuery(sql, table, connectionString, schemas, tableOptions, maxRows, timeout, onError) {
+  if (!sql || typeof sql !== "string") {
+    return createErrorResponse("Missing or invalid SQL query", 400);
+  }
+  if (!table || typeof table !== "string") {
+    return createErrorResponse("Missing or invalid table name", 400);
+  }
+  let Pool;
+  try {
+    const pg = await import("pg");
+    Pool = pg.Pool;
+  } catch {
+    return createErrorResponse(
+      "PostgreSQL driver (pg) is not installed. Install it with: pnpm add pg",
+      500
+    );
+  }
+  if (!connectionString) {
+    return createErrorResponse(
+      "Database connection not configured. Set DATABASE_URL environment variable.",
+      500
+    );
+  }
+  const poolConfig = { connectionString };
+  if (timeout !== void 0) {
+    poolConfig.statement_timeout = timeout;
+  }
+  const pool = new Pool(poolConfig);
+  try {
+    const schemaPlaceholders = schemas.map((_, i) => `$${i + 1}`).join(", ");
+    const tablesResult = await pool.query(
+      `
+      SELECT table_name
+      FROM information_schema.tables
+      WHERE table_schema IN (${schemaPlaceholders})
+        AND table_type = 'BASE TABLE'
+      `,
+      schemas
+    );
+    let allowedTables = tablesResult.rows.map((row) => row.table_name);
+    allowedTables = filterTables(allowedTables, tableOptions);
+    if (!allowedTables.map((t) => t.toLowerCase()).includes(table.toLowerCase())) {
+      return createErrorResponse(`Table "${table}" is not allowed`, 403);
+    }
+    const validation = validateSQL(sql, allowedTables);
+    if (!validation.valid) {
+      return createErrorResponse(validation.error || "Invalid SQL", 400);
+    }
+    const finalSQL = maxRows !== void 0 ? ensureLimit(sql, maxRows) : sql;
+    const startTime = Date.now();
+    const result = await pool.query(finalSQL);
+    const duration = Date.now() - startTime;
+    const truncated = maxRows !== void 0 && result.rows.length >= maxRows;
+    const response = {
+      success: true,
+      data: result.rows,
+      rowCount: result.rows.length,
+      truncated,
+      duration
+    };
+    return new Response(JSON.stringify(response), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    const err = error instanceof Error ? error : new Error(String(error));
+    onError?.(err);
+    return createErrorResponse(sanitizeErrorMessage(err.message), 500);
+  } finally {
+    await pool.end();
+  }
+}
+async function handleChat(messages, apiKey, modelOverride, maxTokens, onError) {
+  if (!messages || !Array.isArray(messages) || messages.length === 0) {
+    return createErrorResponse("Missing or invalid messages array", 400);
+  }
+  if (!apiKey) {
+    return createErrorResponse(
+      "AI API key not configured. Set AI_API_KEY environment variable.",
+      500
+    );
+  }
+  const provider = detectProvider(apiKey);
+  const config = getProviderConfig(provider);
+  let model = modelOverride || config.defaultModel;
+  if (provider === "openrouter") {
+    model = normalizeModelForOpenRouter(model);
+  }
+  try {
+    let requestBody;
+    if (provider === "anthropic") {
+      requestBody = {
+        model,
+        max_tokens: maxTokens,
+        messages: messages.map((m) => ({
+          role: m.role === "system" ? "user" : m.role,
+          content: m.content
+        }))
+      };
+    } else {
+      requestBody = {
+        model,
+        max_tokens: maxTokens,
+        messages
+      };
+    }
+    const response = await fetch(config.endpoint, {
+      method: "POST",
+      headers: config.buildHeaders(apiKey),
+      body: JSON.stringify(requestBody)
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`AI provider error (${response.status}): ${errorText}`);
+    }
+    const data = await response.json();
+    const content = config.extractContent(data);
+    const aiResponse = { content };
+    return new Response(JSON.stringify(aiResponse), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    const err = error instanceof Error ? error : new Error(String(error));
+    onError?.(err);
+    const response = { content: "", error: err.message };
+    return new Response(JSON.stringify(response), {
+      status: 500,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+}
+function sanitizeErrorMessage(message) {
+  let sanitized = message.replace(/postgresql?:\/\/\S+/gi, "[DATABASE_URL]");
+  sanitized = sanitized.replace(/\/[^\s:]+\.(js|ts|mjs|cjs)/g, "[FILE]");
+  sanitized = sanitized.replace(/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g, "[IP]");
+  if (sanitized.length > 200) {
+    sanitized = `${sanitized.slice(0, 200)}...`;
+  }
+  return sanitized;
+}
+function createErrorResponse(error, status) {
+  return new Response(JSON.stringify({ error }), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createTinyPivotHandler,
+  ensureLimit,
+  extractTableNames,
+  sanitizeTableName,
+  validateSQL
+});