@smallwebco/tinypivot-server 1.0.57

package/dist/index.js

@@ -0,0 +1,594 @@
+// src/validation.ts
+var FORBIDDEN_KEYWORDS = [
+  "INSERT",
+  "UPDATE",
+  "DELETE",
+  "DROP",
+  "ALTER",
+  "TRUNCATE",
+  "CREATE",
+  "GRANT",
+  "REVOKE",
+  "EXEC",
+  "EXECUTE",
+  "MERGE",
+  "UPSERT",
+  "REPLACE",
+  "CALL",
+  "SET",
+  "LOCK",
+  "UNLOCK"
+];
+var DANGEROUS_PATTERNS = [
+  /INTO\s+(?:OUTFILE|DUMPFILE)/i,
+  // File operations
+  /LOAD\s+DATA/i,
+  // File loading
+  /;\s*(?:INSERT|UPDATE|DELETE|DROP)/i
+  // Statement injection
+];
+function validateSQL(sql, allowedTables) {
+  const trimmedSQL = sql.trim();
+  const upperSQL = trimmedSQL.toUpperCase();
+  if (!upperSQL.startsWith("SELECT") && !upperSQL.startsWith("WITH")) {
+    return {
+      valid: false,
+      error: "Only SELECT queries (including CTEs with WITH) are allowed"
+    };
+  }
+  if (upperSQL.startsWith("WITH")) {
+    if (!upperSQL.includes("SELECT")) {
+      return {
+        valid: false,
+        error: "CTE queries must include a final SELECT statement"
+      };
+    }
+  }
+  for (const keyword of FORBIDDEN_KEYWORDS) {
+    const regex = new RegExp(`\\b${keyword}\\b`, "i");
+    if (regex.test(trimmedSQL)) {
+      return {
+        valid: false,
+        error: `Query contains forbidden keyword: ${keyword}`
+      };
+    }
+  }
+  for (const pattern of DANGEROUS_PATTERNS) {
+    if (pattern.test(trimmedSQL)) {
+      return {
+        valid: false,
+        error: "Query contains dangerous pattern"
+      };
+    }
+  }
+  const statements = trimmedSQL.split(";").filter((s) => s.trim().length > 0);
+  if (statements.length > 1) {
+    return {
+      valid: false,
+      error: "Multiple statements are not allowed"
+    };
+  }
+  if (/--/.test(trimmedSQL) || /\/\*/.test(trimmedSQL)) {
+    return {
+      valid: false,
+      error: "SQL comments are not allowed"
+    };
+  }
+  const extractedTables = extractTableNames(trimmedSQL);
+  const normalizedAllowed = allowedTables.map((t) => t.toLowerCase());
+  for (const table of extractedTables) {
+    if (!normalizedAllowed.includes(table.toLowerCase())) {
+      return {
+        valid: false,
+        error: `Table "${table}" is not in the allowed list`
+      };
+    }
+  }
+  return { valid: true };
+}
+function extractTableNames(sql) {
+  const tables = [];
+  const fromMatch = sql.match(/\bFROM\s+([a-z_]\w*(?:\s*,\s*[a-z_]\w*)*)/i);
+  if (fromMatch) {
+    const fromTables = fromMatch[1].split(",").map((t) => t.trim());
+    tables.push(...fromTables);
+  }
+  const joinRegex = /\b(?:LEFT|RIGHT|INNER|OUTER|CROSS|FULL)?\s*JOIN\s+([a-z_]\w*)/gi;
+  let match;
+  while ((match = joinRegex.exec(sql)) !== null) {
+    tables.push(match[1]);
+  }
+  return [...new Set(tables.map((t) => t.replace(/["`]/g, "")))];
+}
+function sanitizeTableName(name) {
+  return name.replace(/\W/g, "");
+}
+function ensureLimit(sql, maxRows) {
+  if (/\bLIMIT\s+\d+/i.test(sql)) {
+    const limitMatch = sql.match(/\bLIMIT\s+(\d+)/i);
+    if (limitMatch) {
+      const existingLimit = Number.parseInt(limitMatch[1], 10);
+      if (existingLimit > maxRows) {
+        return sql.replace(/\bLIMIT\s+\d+/i, `LIMIT ${maxRows}`);
+      }
+    }
+    return sql;
+  }
+  const trimmed = sql.replace(/;\s*$/, "").trim();
+  return `${trimmed} LIMIT ${maxRows}`;
+}
+
+// src/unified-handler.ts
+function detectProvider(apiKey) {
+  if (apiKey.startsWith("sk-ant-")) {
+    return "anthropic";
+  }
+  if (apiKey.startsWith("sk-or-")) {
+    return "openrouter";
+  }
+  return "openai";
+}
+function getProviderConfig(provider) {
+  switch (provider) {
+    case "anthropic":
+      return {
+        provider: "anthropic",
+        endpoint: "https://api.anthropic.com/v1/messages",
+        defaultModel: "claude-3-haiku-20240307",
+        buildHeaders: (apiKey) => ({
+          "Content-Type": "application/json",
+          "x-api-key": apiKey,
+          "anthropic-version": "2023-06-01"
+        }),
+        extractContent: (data) => {
+          const d = data;
+          return d.content?.[0]?.text || "";
+        }
+      };
+    case "openrouter":
+      return {
+        provider: "openrouter",
+        endpoint: "https://openrouter.ai/api/v1/chat/completions",
+        defaultModel: "anthropic/claude-3-haiku",
+        buildHeaders: (apiKey) => ({
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${apiKey}`,
+          "HTTP-Referer": "https://tiny-pivot.com",
+          "X-Title": "TinyPivot AI Data Analyst"
+        }),
+        extractContent: (data) => {
+          const d = data;
+          return d.choices?.[0]?.message?.content || "";
+        }
+      };
+    case "openai":
+    default:
+      return {
+        provider: "openai",
+        endpoint: "https://api.openai.com/v1/chat/completions",
+        defaultModel: "gpt-4o-mini",
+        buildHeaders: (apiKey) => ({
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${apiKey}`
+        }),
+        extractContent: (data) => {
+          const d = data;
+          return d.choices?.[0]?.message?.content || "";
+        }
+      };
+  }
+}
+function normalizeModelForOpenRouter(model) {
+  if (model.includes("/")) {
+    return model;
+  }
+  if (model.startsWith("claude")) {
+    return `anthropic/${model}`;
+  }
+  if (model.startsWith("gpt-") || model.startsWith("o1") || model.startsWith("o3")) {
+    return `openai/${model}`;
+  }
+  if (model.startsWith("gemini")) {
+    return `google/${model}`;
+  }
+  if (model.startsWith("llama") || model.startsWith("codellama")) {
+    return `meta-llama/${model}`;
+  }
+  if (model.startsWith("mistral") || model.startsWith("mixtral") || model.startsWith("codestral")) {
+    return `mistralai/${model}`;
+  }
+  if (model.startsWith("deepseek")) {
+    return `deepseek/${model}`;
+  }
+  if (model.startsWith("qwen")) {
+    return `qwen/${model}`;
+  }
+  return model;
+}
+var PG_TYPE_MAP = {
+  "character varying": "string",
+  "varchar": "string",
+  "character": "string",
+  "char": "string",
+  "text": "string",
+  "uuid": "string",
+  "name": "string",
+  "citext": "string",
+  "integer": "number",
+  "int": "number",
+  "int2": "number",
+  "int4": "number",
+  "int8": "number",
+  "smallint": "number",
+  "bigint": "number",
+  "decimal": "number",
+  "numeric": "number",
+  "real": "number",
+  "double precision": "number",
+  "float4": "number",
+  "float8": "number",
+  "money": "number",
+  "serial": "number",
+  "bigserial": "number",
+  "boolean": "boolean",
+  "bool": "boolean",
+  "date": "date",
+  "timestamp": "date",
+  "timestamp without time zone": "date",
+  "timestamp with time zone": "date",
+  "timestamptz": "date",
+  "time": "date",
+  "time without time zone": "date",
+  "time with time zone": "date",
+  "timetz": "date",
+  "interval": "date"
+};
+function matchesPattern(tableName, pattern) {
+  if (typeof pattern === "string") {
+    return tableName.toLowerCase() === pattern.toLowerCase();
+  }
+  return pattern.test(tableName);
+}
+function filterTables(tables, options) {
+  let filtered = tables;
+  if (options.include && options.include.length > 0) {
+    filtered = filtered.filter(
+      (table) => options.include.some((pattern) => matchesPattern(table, pattern))
+    );
+  }
+  if (options.exclude && options.exclude.length > 0) {
+    filtered = filtered.filter(
+      (table) => !options.exclude.some((pattern) => matchesPattern(table, pattern))
+    );
+  }
+  return filtered;
+}
+function createTinyPivotHandler(options = {}) {
+  const {
+    connectionString = process.env.DATABASE_URL,
+    apiKey = process.env.AI_API_KEY,
+    tables: tableOptions = {},
+    maxRows,
+    timeout,
+    maxTokens = 2048,
+    onError
+  } = options;
+  const modelOverride = options.model || process.env.AI_MODEL;
+  const schemas = tableOptions.schemas || ["public"];
+  const descriptions = tableOptions.descriptions || {};
+  return async (req) => {
+    try {
+      const body = await req.json();
+      const { action } = body;
+      if (!action) {
+        return createErrorResponse("Missing action parameter", 400);
+      }
+      switch (action) {
+        case "list-tables":
+          return handleListTables(connectionString, schemas, tableOptions, descriptions, onError);
+        case "get-schema":
+          return handleGetSchema(body.tables || [], connectionString, schemas, tableOptions, onError);
+        case "query":
+          return handleQuery(
+            body.sql,
+            body.table,
+            connectionString,
+            schemas,
+            tableOptions,
+            maxRows,
+            timeout,
+            onError
+          );
+        case "chat":
+          return handleChat(body.messages || [], apiKey, modelOverride, maxTokens, onError);
+        default:
+          return createErrorResponse(`Unknown action: ${action}`, 400);
+      }
+    } catch (error) {
+      const err = error instanceof Error ? error : new Error(String(error));
+      onError?.(err);
+      return createErrorResponse(err.message, 500);
+    }
+  };
+}
+async function handleListTables(connectionString, schemas, tableOptions, descriptions, onError) {
+  let Pool;
+  try {
+    const pg = await import("pg");
+    Pool = pg.Pool;
+  } catch {
+    return createErrorResponse(
+      "PostgreSQL driver (pg) is not installed. Install it with: pnpm add pg",
+      500
+    );
+  }
+  if (!connectionString) {
+    return createErrorResponse(
+      "Database connection not configured. Set DATABASE_URL environment variable.",
+      500
+    );
+  }
+  const pool = new Pool({ connectionString });
+  try {
+    const schemaPlaceholders = schemas.map((_, i) => `$${i + 1}`).join(", ");
+    const result = await pool.query(
+      `
+      SELECT table_name, table_schema
+      FROM information_schema.tables
+      WHERE table_schema IN (${schemaPlaceholders})
+        AND table_type = 'BASE TABLE'
+      ORDER BY table_schema, table_name
+      `,
+      schemas
+    );
+    let tableNames = result.rows.map((row) => row.table_name);
+    tableNames = filterTables(tableNames, tableOptions);
+    const response = {
+      tables: tableNames.map((name) => ({
+        name,
+        description: descriptions[name]
+      }))
+    };
+    return new Response(JSON.stringify(response), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    const err = error instanceof Error ? error : new Error(String(error));
+    onError?.(err);
+    return createErrorResponse(`Failed to list tables: ${err.message}`, 500);
+  } finally {
+    await pool.end();
+  }
+}
+async function handleGetSchema(tables, connectionString, schemas, tableOptions, onError) {
+  if (!tables || !Array.isArray(tables) || tables.length === 0) {
+    return createErrorResponse("Missing or invalid tables array", 400);
+  }
+  let Pool;
+  try {
+    const pg = await import("pg");
+    Pool = pg.Pool;
+  } catch {
+    return createErrorResponse(
+      "PostgreSQL driver (pg) is not installed. Install it with: pnpm add pg",
+      500
+    );
+  }
+  if (!connectionString) {
+    return createErrorResponse(
+      "Database connection not configured. Set DATABASE_URL environment variable.",
+      500
+    );
+  }
+  const pool = new Pool({ connectionString });
+  try {
+    const schemaPlaceholders = schemas.map((_, i) => `$${i + 1}`).join(", ");
+    const tablesResult = await pool.query(
+      `
+      SELECT table_name
+      FROM information_schema.tables
+      WHERE table_schema IN (${schemaPlaceholders})
+        AND table_type = 'BASE TABLE'
+      `,
+      schemas
+    );
+    let allowedTables = tablesResult.rows.map((row) => row.table_name);
+    allowedTables = filterTables(allowedTables, tableOptions);
+    const filteredTables = tables.filter(
+      (t) => allowedTables.map((a) => a.toLowerCase()).includes(t.toLowerCase())
+    );
+    if (filteredTables.length === 0) {
+      return createErrorResponse("None of the requested tables are allowed", 403);
+    }
+    const tableSchemas = [];
+    for (const table of filteredTables) {
+      const columnsResult = await pool.query(
+        `
+        SELECT 
+          column_name,
+          data_type,
+          is_nullable
+        FROM information_schema.columns 
+        WHERE table_name = $1
+          AND table_schema = ANY($2::text[])
+        ORDER BY ordinal_position
+        `,
+        [table, schemas]
+      );
+      if (columnsResult.rows.length > 0) {
+        const columns = columnsResult.rows.map((row) => ({
+          name: row.column_name,
+          type: PG_TYPE_MAP[row.data_type.toLowerCase()] || "unknown",
+          nullable: row.is_nullable === "YES"
+        }));
+        tableSchemas.push({ table, columns });
+      }
+    }
+    const response = { schemas: tableSchemas };
+    return new Response(JSON.stringify(response), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    const err = error instanceof Error ? error : new Error(String(error));
+    onError?.(err);
+    return createErrorResponse(`Failed to get schema: ${err.message}`, 500);
+  } finally {
+    await pool.end();
+  }
+}
+async function handleQuery(sql, table, connectionString, schemas, tableOptions, maxRows, timeout, onError) {
+  if (!sql || typeof sql !== "string") {
+    return createErrorResponse("Missing or invalid SQL query", 400);
+  }
+  if (!table || typeof table !== "string") {
+    return createErrorResponse("Missing or invalid table name", 400);
+  }
+  let Pool;
+  try {
+    const pg = await import("pg");
+    Pool = pg.Pool;
+  } catch {
+    return createErrorResponse(
+      "PostgreSQL driver (pg) is not installed. Install it with: pnpm add pg",
+      500
+    );
+  }
+  if (!connectionString) {
+    return createErrorResponse(
+      "Database connection not configured. Set DATABASE_URL environment variable.",
+      500
+    );
+  }
+  const poolConfig = { connectionString };
+  if (timeout !== void 0) {
+    poolConfig.statement_timeout = timeout;
+  }
+  const pool = new Pool(poolConfig);
+  try {
+    const schemaPlaceholders = schemas.map((_, i) => `$${i + 1}`).join(", ");
+    const tablesResult = await pool.query(
+      `
+      SELECT table_name
+      FROM information_schema.tables
+      WHERE table_schema IN (${schemaPlaceholders})
+        AND table_type = 'BASE TABLE'
+      `,
+      schemas
+    );
+    let allowedTables = tablesResult.rows.map((row) => row.table_name);
+    allowedTables = filterTables(allowedTables, tableOptions);
+    if (!allowedTables.map((t) => t.toLowerCase()).includes(table.toLowerCase())) {
+      return createErrorResponse(`Table "${table}" is not allowed`, 403);
+    }
+    const validation = validateSQL(sql, allowedTables);
+    if (!validation.valid) {
+      return createErrorResponse(validation.error || "Invalid SQL", 400);
+    }
+    const finalSQL = maxRows !== void 0 ? ensureLimit(sql, maxRows) : sql;
+    const startTime = Date.now();
+    const result = await pool.query(finalSQL);
+    const duration = Date.now() - startTime;
+    const truncated = maxRows !== void 0 && result.rows.length >= maxRows;
+    const response = {
+      success: true,
+      data: result.rows,
+      rowCount: result.rows.length,
+      truncated,
+      duration
+    };
+    return new Response(JSON.stringify(response), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    const err = error instanceof Error ? error : new Error(String(error));
+    onError?.(err);
+    return createErrorResponse(sanitizeErrorMessage(err.message), 500);
+  } finally {
+    await pool.end();
+  }
+}
+async function handleChat(messages, apiKey, modelOverride, maxTokens, onError) {
+  if (!messages || !Array.isArray(messages) || messages.length === 0) {
+    return createErrorResponse("Missing or invalid messages array", 400);
+  }
+  if (!apiKey) {
+    return createErrorResponse(
+      "AI API key not configured. Set AI_API_KEY environment variable.",
+      500
+    );
+  }
+  const provider = detectProvider(apiKey);
+  const config = getProviderConfig(provider);
+  let model = modelOverride || config.defaultModel;
+  if (provider === "openrouter") {
+    model = normalizeModelForOpenRouter(model);
+  }
+  try {
+    let requestBody;
+    if (provider === "anthropic") {
+      requestBody = {
+        model,
+        max_tokens: maxTokens,
+        messages: messages.map((m) => ({
+          role: m.role === "system" ? "user" : m.role,
+          content: m.content
+        }))
+      };
+    } else {
+      requestBody = {
+        model,
+        max_tokens: maxTokens,
+        messages
+      };
+    }
+    const response = await fetch(config.endpoint, {
+      method: "POST",
+      headers: config.buildHeaders(apiKey),
+      body: JSON.stringify(requestBody)
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`AI provider error (${response.status}): ${errorText}`);
+    }
+    const data = await response.json();
+    const content = config.extractContent(data);
+    const aiResponse = { content };
+    return new Response(JSON.stringify(aiResponse), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
+  } catch (error) {
+    const err = error instanceof Error ? error : new Error(String(error));
+    onError?.(err);
+    const response = { content: "", error: err.message };
+    return new Response(JSON.stringify(response), {
+      status: 500,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+}
+function sanitizeErrorMessage(message) {
+  let sanitized = message.replace(/postgresql?:\/\/\S+/gi, "[DATABASE_URL]");
+  sanitized = sanitized.replace(/\/[^\s:]+\.(js|ts|mjs|cjs)/g, "[FILE]");
+  sanitized = sanitized.replace(/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g, "[IP]");
+  if (sanitized.length > 200) {
+    sanitized = `${sanitized.slice(0, 200)}...`;
+  }
+  return sanitized;
+}
+function createErrorResponse(error, status) {
+  return new Response(JSON.stringify({ error }), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+export {
+  createTinyPivotHandler,
+  ensureLimit,
+  extractTableNames,
+  sanitizeTableName,
+  validateSQL
+};

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "@smallwebco/tinypivot-server",
+  "type": "module",
+  "version": "1.0.57",
+  "description": "Optional backend handlers for TinyPivot AI Data Analyst",
+  "license": "MIT",
+  "homepage": "https://tiny-pivot.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/smallwebco/tinypivot.git",
+    "directory": "packages/server"
+  },
+  "keywords": [
+    "tinypivot",
+    "ai",
+    "data-analyst",
+    "postgresql",
+    "sql"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "main": "dist/index.js",
+  "module": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "peerDependencies": {
+    "pg": "^8.0.0"
+  },
+  "peerDependenciesMeta": {
+    "pg": {
+      "optional": true
+    }
+  },
+  "dependencies": {
+    "@smallwebco/tinypivot-core": "1.0.57"
+  },
+  "devDependencies": {
+    "@types/pg": "^8.11.6",
+    "tsup": "^8.0.1",
+    "typescript": "~5.6.2"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm,cjs --dts --clean",
+    "dev": "tsup src/index.ts --format esm,cjs --dts --watch",
+    "type-check": "tsc --noEmit"
+  }
+}