@sovr/sql-proxy 0.0.2 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/index.cjs +840 -0
  2. package/dist/index.d.ts +239 -0
  3. package/dist/index.js +803 -0
  4. package/package.json +13 -2
  5. package/index.js +0 -1
package/dist/index.cjs ADDED
@@ -0,0 +1,840 @@
1
+ "use strict";
2
+ var __create = Object.create;
3
+ var __defProp = Object.defineProperty;
4
+ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
5
+ var __getOwnPropNames = Object.getOwnPropertyNames;
6
+ var __getProtoOf = Object.getPrototypeOf;
7
+ var __hasOwnProp = Object.prototype.hasOwnProperty;
8
+ var __export = (target, all) => {
9
+ for (var name in all)
10
+ __defProp(target, name, { get: all[name], enumerable: true });
11
+ };
12
+ var __copyProps = (to, from, except, desc) => {
13
+ if (from && typeof from === "object" || typeof from === "function") {
14
+ for (let key of __getOwnPropNames(from))
15
+ if (!__hasOwnProp.call(to, key) && key !== except)
16
+ __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
17
+ }
18
+ return to;
19
+ };
20
+ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
21
+ // If the importer is in node compatibility mode or this is not an ESM
22
+ // file that has been converted to a CommonJS file using a Babel-
23
+ // compatible transform (i.e. "__esModule" has not been set), then set
24
+ // "default" to the CommonJS "module.exports" for node compatibility.
25
+ isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
26
+ mod
27
+ ));
28
+ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
29
+
30
+ // ../sovr/packages/@sovr/proxy-sql/src/index.ts
31
+ var index_exports = {};
32
+ __export(index_exports, {
33
+ SqlProxy: () => SqlProxy,
34
+ detectSqlInjection: () => detectSqlInjection,
35
+ parseSQL: () => parseSQL
36
+ });
37
+ module.exports = __toCommonJS(index_exports);
38
+ var net = __toESM(require("net"), 1);
39
+ var import_node_events = require("events");
40
+ var PROXY_SQL_VERSION = "2.0.0";
41
+ var VERSION_CHECK_URL = "https://api.sovr.inc/api/sovr/v1/version/check";
42
+ var DEFAULT_METERING_ENDPOINT = "https://sovr-ai-mkzgqqeh.manus.space/api/v1/metering/batch";
43
+ var IRREVERSIBLE_SQL_REGEX = /^(DELETE|DROP|TRUNCATE|ALTER|UPDATE|INSERT|CREATE|GRANT|REVOKE|COPY)$/i;
44
+ var SQL_INJECTION_PATTERNS = [
45
+ { name: "union_injection", pattern: /\bUNION\s+(ALL\s+)?SELECT\b/i, severity: "critical" },
46
+ { name: "tautology", pattern: /\bOR\s+['"]?\d+['"]?\s*=\s*['"]?\d+['"]?/i, severity: "high" },
47
+ { name: "tautology_string", pattern: /\bOR\s+['"][^'"]*['"]\s*=\s*['"][^'"]*['"]/i, severity: "high" },
48
+ { name: "comment_injection", pattern: /--\s*$|\/\*.*\*\//i, severity: "high" },
49
+ { name: "stacked_queries", pattern: /;\s*(DROP|DELETE|UPDATE|INSERT|ALTER|TRUNCATE|GRANT|REVOKE)\b/i, severity: "critical" },
50
+ { name: "sleep_injection", pattern: /\b(SLEEP|WAITFOR|BENCHMARK|PG_SLEEP)\s*\(/i, severity: "critical" },
51
+ { name: "information_schema", pattern: /\bINFORMATION_SCHEMA\b/i, severity: "high" },
52
+ { name: "hex_encoding", pattern: /0x[0-9a-fA-F]{8,}/i, severity: "high" },
53
+ { name: "char_encoding", pattern: /\bCHR\s*\(\s*\d+\s*\)/i, severity: "high" },
54
+ { name: "load_file", pattern: /\b(LOAD_FILE|INTO\s+OUTFILE|INTO\s+DUMPFILE)\b/i, severity: "critical" }
55
+ ];
56
+ function parseSQL(sql) {
57
+ const trimmed = sql.trim();
58
+ const normalized = trimmed.replace(/\s+/g, " ").toUpperCase();
59
+ const isMultiStatement = trimmed.split(";").filter((s) => s.trim().length > 0).length > 1;
60
+ const type = classifyStatement(normalized);
61
+ const tables = extractTables(normalized, type);
62
+ const hasWhereClause = checkWhereClause(normalized, type);
63
+ return {
64
+ type,
65
+ tables,
66
+ hasWhereClause,
67
+ isMultiStatement,
68
+ raw: trimmed
69
+ };
70
+ }
71
+ function classifyStatement(sql) {
72
+ const first = sql.split(/\s/)[0];
73
+ switch (first) {
74
+ case "SELECT":
75
+ return "SELECT";
76
+ case "INSERT":
77
+ return "INSERT";
78
+ case "UPDATE":
79
+ return "UPDATE";
80
+ case "DELETE":
81
+ return "DELETE";
82
+ case "DROP":
83
+ return "DROP";
84
+ case "ALTER":
85
+ return "ALTER";
86
+ case "TRUNCATE":
87
+ return "TRUNCATE";
88
+ case "CREATE":
89
+ return "CREATE";
90
+ case "GRANT":
91
+ return "GRANT";
92
+ case "REVOKE":
93
+ return "REVOKE";
94
+ case "BEGIN":
95
+ case "START":
96
+ return "BEGIN";
97
+ case "COMMIT":
98
+ return "COMMIT";
99
+ case "ROLLBACK":
100
+ return "ROLLBACK";
101
+ case "SET":
102
+ return "SET";
103
+ case "SHOW":
104
+ return "SHOW";
105
+ case "EXPLAIN":
106
+ return "EXPLAIN";
107
+ case "COPY":
108
+ return "COPY";
109
+ default:
110
+ return "OTHER";
111
+ }
112
+ }
113
+ function extractTables(sql, type) {
114
+ const tables = [];
115
+ try {
116
+ switch (type) {
117
+ case "SELECT": {
118
+ const fromMatch = sql.match(/\bFROM\s+([A-Z0-9_."]+(?:\s*,\s*[A-Z0-9_."]+)*)/);
119
+ if (fromMatch) {
120
+ tables.push(
121
+ ...fromMatch[1].split(",").map((t) => t.trim().replace(/"/g, "").split(/\s/)[0])
122
+ );
123
+ }
124
+ const joinMatches = sql.matchAll(/\bJOIN\s+([A-Z0-9_."]+)/g);
125
+ for (const m of joinMatches) {
126
+ tables.push(m[1].replace(/"/g, ""));
127
+ }
128
+ break;
129
+ }
130
+ case "INSERT": {
131
+ const intoMatch = sql.match(/\bINTO\s+([A-Z0-9_."]+)/);
132
+ if (intoMatch) tables.push(intoMatch[1].replace(/"/g, ""));
133
+ break;
134
+ }
135
+ case "UPDATE": {
136
+ const updateMatch = sql.match(/\bUPDATE\s+([A-Z0-9_."]+)/);
137
+ if (updateMatch) tables.push(updateMatch[1].replace(/"/g, ""));
138
+ break;
139
+ }
140
+ case "DELETE": {
141
+ const deleteFromMatch = sql.match(/\bFROM\s+([A-Z0-9_."]+)/);
142
+ if (deleteFromMatch) tables.push(deleteFromMatch[1].replace(/"/g, ""));
143
+ break;
144
+ }
145
+ case "DROP": {
146
+ const dropMatch = sql.match(/\bDROP\s+(?:TABLE|INDEX|VIEW|SCHEMA|DATABASE)\s+(?:IF\s+EXISTS\s+)?([A-Z0-9_."]+)/);
147
+ if (dropMatch) tables.push(dropMatch[1].replace(/"/g, ""));
148
+ break;
149
+ }
150
+ case "ALTER": {
151
+ const alterMatch = sql.match(/\bALTER\s+TABLE\s+([A-Z0-9_."]+)/);
152
+ if (alterMatch) tables.push(alterMatch[1].replace(/"/g, ""));
153
+ break;
154
+ }
155
+ case "TRUNCATE": {
156
+ const truncMatch = sql.match(/\bTRUNCATE\s+(?:TABLE\s+)?([A-Z0-9_."]+)/);
157
+ if (truncMatch) tables.push(truncMatch[1].replace(/"/g, ""));
158
+ break;
159
+ }
160
+ case "CREATE": {
161
+ const createMatch = sql.match(/\bCREATE\s+(?:TABLE|INDEX|VIEW|SCHEMA|DATABASE)\s+(?:IF\s+NOT\s+EXISTS\s+)?([A-Z0-9_."]+)/);
162
+ if (createMatch) tables.push(createMatch[1].replace(/"/g, ""));
163
+ break;
164
+ }
165
+ case "COPY": {
166
+ const copyMatch = sql.match(/\bCOPY\s+([A-Z0-9_."]+)/);
167
+ if (copyMatch) tables.push(copyMatch[1].replace(/"/g, ""));
168
+ break;
169
+ }
170
+ }
171
+ } catch {
172
+ }
173
+ return tables.map((t) => t.toLowerCase()).filter(Boolean);
174
+ }
175
+ function checkWhereClause(sql, type) {
176
+ if (type === "SELECT" || type === "UPDATE" || type === "DELETE") {
177
+ return /\bWHERE\b/.test(sql);
178
+ }
179
+ return true;
180
+ }
181
+ function detectSqlInjection(sql) {
182
+ const matched = [];
183
+ let maxSeverity = "none";
184
+ for (const { name, pattern, severity } of SQL_INJECTION_PATTERNS) {
185
+ if (pattern.test(sql)) {
186
+ matched.push(name);
187
+ if (severity === "critical" || severity === "high" && maxSeverity === "none") {
188
+ maxSeverity = severity;
189
+ }
190
+ }
191
+ }
192
+ return {
193
+ detected: matched.length > 0,
194
+ patterns: matched,
195
+ severity: maxSeverity
196
+ };
197
+ }
198
+ var PG_MSG = {
199
+ QUERY: "Q".charCodeAt(0),
200
+ PARSE: "P".charCodeAt(0),
201
+ BIND: "B".charCodeAt(0),
202
+ EXECUTE: "E".charCodeAt(0),
203
+ TERMINATE: "X".charCodeAt(0),
204
+ ERROR_RESPONSE: "E".charCodeAt(0),
205
+ READY_FOR_QUERY: "Z".charCodeAt(0),
206
+ ROW_DESCRIPTION: "T".charCodeAt(0),
207
+ DATA_ROW: "D".charCodeAt(0),
208
+ COMMAND_COMPLETE: "C".charCodeAt(0),
209
+ AUTHENTICATION: "R".charCodeAt(0),
210
+ PARAMETER_STATUS: "S".charCodeAt(0),
211
+ BACKEND_KEY_DATA: "K".charCodeAt(0),
212
+ NOTICE_RESPONSE: "N".charCodeAt(0)
213
+ };
214
+ function buildPgErrorResponse(severity, code, message) {
215
+ const fields = [];
216
+ fields.push(Buffer.from("S"));
217
+ fields.push(Buffer.from(severity + "\0"));
218
+ fields.push(Buffer.from("V"));
219
+ fields.push(Buffer.from(severity + "\0"));
220
+ fields.push(Buffer.from("C"));
221
+ fields.push(Buffer.from(code + "\0"));
222
+ fields.push(Buffer.from("M"));
223
+ fields.push(Buffer.from(message + "\0"));
224
+ fields.push(Buffer.from("\0"));
225
+ const body = Buffer.concat(fields);
226
+ const header = Buffer.alloc(5);
227
+ header[0] = PG_MSG.ERROR_RESPONSE;
228
+ header.writeInt32BE(body.length + 4, 1);
229
+ return Buffer.concat([header, body]);
230
+ }
231
+ function buildPgReadyForQuery(status = "I") {
232
+ const buf = Buffer.alloc(6);
233
+ buf[0] = PG_MSG.READY_FOR_QUERY;
234
+ buf.writeInt32BE(5, 1);
235
+ buf[5] = status.charCodeAt(0);
236
+ return buf;
237
+ }
238
+ function extractQueryFromPgMessage(data) {
239
+ if (data.length < 5) return null;
240
+ if (data[0] !== PG_MSG.QUERY) return null;
241
+ const len = data.readInt32BE(1);
242
+ const sql = data.subarray(5, 1 + len - 1).toString("utf8");
243
+ return sql;
244
+ }
245
+ function extractQueryFromPgParse(data) {
246
+ if (data.length < 5) return null;
247
+ if (data[0] !== PG_MSG.PARSE) return null;
248
+ let offset = 5;
249
+ while (offset < data.length && data[offset] !== 0) offset++;
250
+ offset++;
251
+ const start = offset;
252
+ while (offset < data.length && data[offset] !== 0) offset++;
253
+ const sql = data.subarray(start, offset).toString("utf8");
254
+ return sql;
255
+ }
256
+ var SqlProxy = class extends import_node_events.EventEmitter {
257
+ engine;
258
+ apiKey;
259
+ listenPort;
260
+ listenHost;
261
+ targetHost;
262
+ targetPort;
263
+ actorId;
264
+ verbose;
265
+ onBlocked;
266
+ onEvaluated;
267
+ server = null;
268
+ // v2.0: Table ACL
269
+ tableWhitelist;
270
+ tableBlacklist;
271
+ sqlInjectionDetection;
272
+ // v2.0: Billing Reporter
273
+ billingEnabled;
274
+ billingEndpoint;
275
+ billingBuffer = [];
276
+ billingFlushTimer = null;
277
+ BILLING_FLUSH_INTERVAL;
278
+ BILLING_BUFFER_MAX;
279
+ stats;
280
+ constructor(config) {
281
+ super();
282
+ const apiKey = config.apiKey || process.env.SOVR_API_KEY || "";
283
+ if (!apiKey) {
284
+ throw new Error(
285
+ "\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n\u2551 SOVR API KEY REQUIRED \u2551\n\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563\n\u2551 @sovr/proxy-sql requires a valid API key to operate. \u2551\n\u2551 \u2551\n\u2551 Without a valid API key: \u2551\n\u2551 \u2022 No billing events can be reported \u2551\n\u2551 \u2022 No quota can be verified \u2551\n\u2551 \u2022 No metering data is recorded \u2551\n\u2551 \u2022 Proxy will NOT start \u2551\n\u2551 \u2551\n\u2551 Get your key: \u2551\n\u2551 1. Register at: https://sovr.inc/register \u2551\n\u2551 2. Dashboard: https://sovr.inc/dashboard/api-keys \u2551\n\u2551 3. Pass apiKey in config or set SOVR_API_KEY env var \u2551\n\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D\n"
286
+ );
287
+ }
288
+ this.apiKey = apiKey;
289
+ this._checkVersion(apiKey);
290
+ this.engine = config.engine;
291
+ this.listenPort = config.listenPort;
292
+ this.listenHost = config.listenHost ?? "127.0.0.1";
293
+ this.targetHost = config.targetHost;
294
+ this.targetPort = config.targetPort;
295
+ this.actorId = config.actorId ?? "sql-proxy";
296
+ this.verbose = config.verbose ?? false;
297
+ this.onBlocked = config.onBlocked;
298
+ this.onEvaluated = config.onEvaluated;
299
+ this.tableWhitelist = config.tableWhitelist ? new Set(config.tableWhitelist.map((t) => t.toLowerCase())) : null;
300
+ this.tableBlacklist = new Set(
301
+ (config.tableBlacklist ?? []).map((t) => t.toLowerCase())
302
+ );
303
+ this.sqlInjectionDetection = config.sqlInjectionDetection !== false;
304
+ const billing = config.billing ?? {};
305
+ this.billingEnabled = billing.enabled !== false;
306
+ this.billingEndpoint = billing.meteringEndpoint ?? DEFAULT_METERING_ENDPOINT;
307
+ this.BILLING_FLUSH_INTERVAL = billing.flushIntervalMs ?? 1e4;
308
+ this.BILLING_BUFFER_MAX = billing.bufferMax ?? 500;
309
+ this.stats = {
310
+ totalQueries: 0,
311
+ allowedQueries: 0,
312
+ blockedQueries: 0,
313
+ escalatedQueries: 0,
314
+ activeConnections: 0,
315
+ startedAt: 0,
316
+ injectionBlocks: 0,
317
+ tableAclBlocks: 0,
318
+ billingEventsReported: 0,
319
+ billingEventsDropped: 0,
320
+ billingBufferSize: 0,
321
+ billingByType: {
322
+ "gate.check": 0,
323
+ "gate.block": 0,
324
+ "irreversible.allowed": 0,
325
+ "trust_bundle.issued": 0,
326
+ "trust_bundle.exported": 0,
327
+ "replay.requested": 0,
328
+ "auditor.session": 0
329
+ }
330
+ };
331
+ }
332
+ // ============================================================================
333
+ // Lifecycle
334
+ // ============================================================================
335
+ /**
336
+ * Start the SQL proxy server + billing reporter.
337
+ */
338
+ async start() {
339
+ return new Promise((resolve, reject) => {
340
+ this.server = net.createServer((clientSocket) => {
341
+ this.handleConnection(clientSocket);
342
+ });
343
+ this.server.on("error", (err) => {
344
+ this.emit("error", err);
345
+ reject(err);
346
+ });
347
+ this.server.listen(this.listenPort, this.listenHost, () => {
348
+ this.stats.startedAt = Date.now();
349
+ if (this.billingEnabled) {
350
+ this.initBillingReporter();
351
+ }
352
+ if (this.verbose) {
353
+ process.stderr.write(
354
+ `[sovr-sql-proxy] v${PROXY_SQL_VERSION} listening on ${this.listenHost}:${this.listenPort} \u2192 ${this.targetHost}:${this.targetPort}
355
+ [sovr-sql-proxy] API Key: ${this.apiKey.slice(0, 8)}...${this.apiKey.slice(-4)}
356
+ [sovr-sql-proxy] Billing: ${this.billingEnabled ? "ENABLED" : "DISABLED"}
357
+ [sovr-sql-proxy] SQL Injection Detection: ${this.sqlInjectionDetection ? "ENABLED" : "DISABLED"}
358
+ [sovr-sql-proxy] Table Whitelist: ${this.tableWhitelist ? `${this.tableWhitelist.size} tables` : "OFF"}
359
+ [sovr-sql-proxy] Table Blacklist: ${this.tableBlacklist.size} tables
360
+ `
361
+ );
362
+ }
363
+ this.emit("listening");
364
+ resolve();
365
+ });
366
+ });
367
+ }
368
+ /**
369
+ * Stop the SQL proxy server + flush remaining billing events.
370
+ */
371
+ async stop() {
372
+ if (this.billingFlushTimer) {
373
+ clearInterval(this.billingFlushTimer);
374
+ this.billingFlushTimer = null;
375
+ }
376
+ await this.flushBillingBuffer().catch(() => {
377
+ });
378
+ return new Promise((resolve) => {
379
+ if (this.server) {
380
+ this.server.close(() => resolve());
381
+ } else {
382
+ resolve();
383
+ }
384
+ });
385
+ }
386
+ /**
387
+ * Get proxy statistics (including billing stats).
388
+ */
389
+ getStats() {
390
+ return {
391
+ ...this.stats,
392
+ billingBufferSize: this.billingBuffer.length
393
+ };
394
+ }
395
+ // ============================================================================
396
+ // v2.0: Billing Reporter
397
+ // 7 event types: gate.check, gate.block, irreversible.allowed,
398
+ // trust_bundle.issued, trust_bundle.exported, replay.requested, auditor.session
399
+ // ============================================================================
400
+ initBillingReporter() {
401
+ this.billingFlushTimer = setInterval(() => {
402
+ this.flushBillingBuffer().catch(() => {
403
+ });
404
+ }, this.BILLING_FLUSH_INTERVAL);
405
+ if (this.verbose) {
406
+ this.log(`Billing reporter initialized: flush every ${this.BILLING_FLUSH_INTERVAL}ms, buffer max ${this.BILLING_BUFFER_MAX}`);
407
+ }
408
+ }
409
+ /**
410
+ * Record a billing event into the buffer.
411
+ * Fire-and-forget — never blocks the main request flow.
412
+ */
413
+ recordBillingEvent(event_type, action, resource, verdict, metadata) {
414
+ if (!this.billingEnabled) return;
415
+ this.billingBuffer.push({
416
+ event_type,
417
+ action,
418
+ resource,
419
+ verdict,
420
+ api_key: this.apiKey,
421
+ timestamp: Date.now(),
422
+ metadata
423
+ });
424
+ this.stats.billingByType[event_type] = (this.stats.billingByType[event_type] || 0) + 1;
425
+ if (this.billingBuffer.length >= this.BILLING_BUFFER_MAX) {
426
+ this.flushBillingBuffer().catch(() => {
427
+ });
428
+ }
429
+ }
430
+ /**
431
+ * Flush billing buffer to the metering endpoint.
432
+ * Batch POST — fire-and-forget with re-queue on failure.
433
+ */
434
+ async flushBillingBuffer() {
435
+ if (this.billingBuffer.length === 0) return;
436
+ const batch = this.billingBuffer.splice(0, this.BILLING_BUFFER_MAX);
437
+ try {
438
+ const response = await globalThis.fetch(this.billingEndpoint, {
439
+ method: "POST",
440
+ headers: {
441
+ "Content-Type": "application/json",
442
+ "Authorization": `Bearer ${this.apiKey}`,
443
+ "X-SOVR-Source": "proxy-sql",
444
+ "X-SOVR-Version": PROXY_SQL_VERSION
445
+ },
446
+ body: JSON.stringify({ events: batch }),
447
+ signal: AbortSignal.timeout(5e3)
448
+ });
449
+ if (response.ok) {
450
+ this.stats.billingEventsReported += batch.length;
451
+ if (this.verbose) {
452
+ this.log(`Billing: flushed ${batch.length} events (total reported: ${this.stats.billingEventsReported})`);
453
+ }
454
+ } else {
455
+ throw new Error(`HTTP ${response.status}`);
456
+ }
457
+ } catch {
458
+ if (this.billingBuffer.length < this.BILLING_BUFFER_MAX * 2) {
459
+ this.billingBuffer.unshift(...batch);
460
+ } else {
461
+ this.stats.billingEventsDropped += batch.length;
462
+ }
463
+ }
464
+ }
465
+ /**
466
+ * Classify a gate-check result into the appropriate billing event type.
467
+ * Key pricing principle: "放行的不可逆动作" is the highest-price tax base.
468
+ */
469
+ classifyBillingEvent(statementType, verdict) {
470
+ if (verdict === "deny" || verdict === "block") {
471
+ return "gate.block";
472
+ }
473
+ if ((verdict === "allow" || verdict === "approve") && IRREVERSIBLE_SQL_REGEX.test(statementType)) {
474
+ return "irreversible.allowed";
475
+ }
476
+ return "gate.check";
477
+ }
478
+ /**
479
+ * Record billing event from a policy engine evaluation result.
480
+ * Automatically classifies the event type based on statement type + verdict.
481
+ */
482
+ recordGateCheckBilling(statementType, tables, decision, extraMetadata) {
483
+ const eventType = this.classifyBillingEvent(statementType, decision.verdict);
484
+ this.recordBillingEvent(eventType, statementType, tables.join(",") || "*", decision.verdict, {
485
+ risk_score: decision.risk_score,
486
+ risk_level: decision.risk_level,
487
+ decision_id: decision.decision_id,
488
+ matched_rules: decision.matched_rules?.length ?? 0,
489
+ tables,
490
+ ...extraMetadata
491
+ });
492
+ }
493
+ // ============================================================================
494
+ // v2.0: Table ACL (Whitelist / Blacklist)
495
+ // ============================================================================
496
+ /**
497
+ * Check if the queried tables pass the ACL check.
498
+ * Returns null if allowed, or a reason string if blocked.
499
+ */
500
+ checkTableAcl(tables) {
501
+ if (tables.length === 0) return null;
502
+ for (const table of tables) {
503
+ if (this.tableBlacklist.has(table)) {
504
+ return `Table '${table}' is in the blacklist`;
505
+ }
506
+ }
507
+ if (this.tableWhitelist) {
508
+ for (const table of tables) {
509
+ if (!this.tableWhitelist.has(table)) {
510
+ return `Table '${table}' is not in the whitelist`;
511
+ }
512
+ }
513
+ }
514
+ return null;
515
+ }
516
+ // ============================================================================
517
+ // Connection Handler
518
+ // ============================================================================
519
+ handleConnection(clientSocket) {
520
+ this.stats.activeConnections++;
521
+ const backendSocket = net.createConnection({
522
+ host: this.targetHost,
523
+ port: this.targetPort
524
+ });
525
+ let startupComplete = false;
526
+ let clientBuffer = Buffer.alloc(0);
527
+ clientSocket.on("data", (data) => {
528
+ if (!startupComplete) {
529
+ backendSocket.write(data);
530
+ return;
531
+ }
532
+ clientBuffer = Buffer.concat([clientBuffer, data]);
533
+ this.processClientData(clientBuffer, clientSocket, backendSocket);
534
+ clientBuffer = Buffer.alloc(0);
535
+ });
536
+ backendSocket.on("data", (data) => {
537
+ if (!startupComplete) {
538
+ for (let i = 0; i < data.length - 5; i++) {
539
+ if (data[i] === PG_MSG.READY_FOR_QUERY) {
540
+ const len = data.readInt32BE(i + 1);
541
+ if (len === 5) {
542
+ startupComplete = true;
543
+ if (this.verbose) {
544
+ process.stderr.write("[sovr-sql-proxy] Authentication complete, intercepting queries\n");
545
+ }
546
+ break;
547
+ }
548
+ }
549
+ }
550
+ }
551
+ clientSocket.write(data);
552
+ });
553
+ const cleanup = () => {
554
+ this.stats.activeConnections--;
555
+ clientSocket.destroy();
556
+ backendSocket.destroy();
557
+ };
558
+ clientSocket.on("end", cleanup);
559
+ clientSocket.on("error", cleanup);
560
+ backendSocket.on("end", cleanup);
561
+ backendSocket.on("error", cleanup);
562
+ }
563
+ // ============================================================================
564
+ // Query Interception
565
+ // ============================================================================
566
+ processClientData(data, clientSocket, backendSocket) {
567
+ if (data.length < 5) {
568
+ backendSocket.write(data);
569
+ return;
570
+ }
571
+ const msgType = data[0];
572
+ if (msgType !== PG_MSG.QUERY && msgType !== PG_MSG.PARSE) {
573
+ backendSocket.write(data);
574
+ return;
575
+ }
576
+ let sql = null;
577
+ if (msgType === PG_MSG.QUERY) {
578
+ sql = extractQueryFromPgMessage(data);
579
+ } else if (msgType === PG_MSG.PARSE) {
580
+ sql = extractQueryFromPgParse(data);
581
+ }
582
+ if (!sql || sql.trim().length === 0) {
583
+ backendSocket.write(data);
584
+ return;
585
+ }
586
+ const parsed = parseSQL(sql);
587
+ let injectionResult;
588
+ if (this.sqlInjectionDetection) {
589
+ injectionResult = detectSqlInjection(sql);
590
+ if (injectionResult.detected) {
591
+ this.stats.totalQueries++;
592
+ this.stats.blockedQueries++;
593
+ this.stats.injectionBlocks++;
594
+ const blockDecision = {
595
+ decision_id: `dec_injection_${Date.now().toString(36)}`,
596
+ verdict: "deny",
597
+ allowed: false,
598
+ risk_score: 100,
599
+ risk_level: "critical",
600
+ requires_approval: false,
601
+ reason: `SQL injection detected: ${injectionResult.patterns.join(", ")} (severity: ${injectionResult.severity})`,
602
+ matched_rules: [],
603
+ channel: "sql",
604
+ trace_id: `trace_sqli_${Date.now().toString(36)}`,
605
+ timestamp: Date.now()
606
+ };
607
+ const info2 = {
608
+ sql: sql.substring(0, 500),
609
+ statementType: parsed.type,
610
+ tables: parsed.tables,
611
+ decision: blockDecision,
612
+ timestamp: Date.now(),
613
+ injectionResult
614
+ };
615
+ this.recordGateCheckBilling(parsed.type, parsed.tables, blockDecision, {
616
+ block_reason: "sql_injection",
617
+ injection_patterns: injectionResult.patterns
618
+ });
619
+ const errorMsg = buildPgErrorResponse(
620
+ "ERROR",
621
+ "42501",
622
+ `SOVR: SQL injection detected \u2014 ${injectionResult.patterns.join(", ")} [${blockDecision.decision_id}]`
623
+ );
624
+ const readyMsg = buildPgReadyForQuery("I");
625
+ clientSocket.write(Buffer.concat([errorMsg, readyMsg]));
626
+ if (this.verbose) {
627
+ process.stderr.write(
628
+ `[sovr-sql-proxy] \x1B[31mINJECTION BLOCKED\x1B[0m: ${injectionResult.patterns.join(", ")} in ${parsed.type}
629
+ `
630
+ );
631
+ }
632
+ if (this.onBlocked) {
633
+ try {
634
+ this.onBlocked(info2);
635
+ } catch {
636
+ }
637
+ }
638
+ this.emit("injection_blocked", info2);
639
+ return;
640
+ }
641
+ }
642
+ const aclBlock = this.checkTableAcl(parsed.tables);
643
+ if (aclBlock) {
644
+ this.stats.totalQueries++;
645
+ this.stats.blockedQueries++;
646
+ this.stats.tableAclBlocks++;
647
+ const blockDecision = {
648
+ decision_id: `dec_acl_${Date.now().toString(36)}`,
649
+ verdict: "deny",
650
+ allowed: false,
651
+ risk_score: 90,
652
+ risk_level: "high",
653
+ requires_approval: false,
654
+ reason: `Table ACL violation: ${aclBlock}`,
655
+ matched_rules: [],
656
+ channel: "sql",
657
+ trace_id: `trace_acl_${Date.now().toString(36)}`,
658
+ timestamp: Date.now()
659
+ };
660
+ const info2 = {
661
+ sql: sql.substring(0, 500),
662
+ statementType: parsed.type,
663
+ tables: parsed.tables,
664
+ decision: blockDecision,
665
+ timestamp: Date.now()
666
+ };
667
+ this.recordGateCheckBilling(parsed.type, parsed.tables, blockDecision, {
668
+ block_reason: "table_acl",
669
+ acl_detail: aclBlock
670
+ });
671
+ const errorMsg = buildPgErrorResponse(
672
+ "ERROR",
673
+ "42501",
674
+ `SOVR: ${aclBlock} [${blockDecision.decision_id}]`
675
+ );
676
+ const readyMsg = buildPgReadyForQuery("I");
677
+ clientSocket.write(Buffer.concat([errorMsg, readyMsg]));
678
+ if (this.verbose) {
679
+ process.stderr.write(
680
+ `[sovr-sql-proxy] \x1B[33mACL BLOCKED\x1B[0m: ${aclBlock} \u2014 ${parsed.type} on ${parsed.tables.join(", ")}
681
+ `
682
+ );
683
+ }
684
+ if (this.onBlocked) {
685
+ try {
686
+ this.onBlocked(info2);
687
+ } catch {
688
+ }
689
+ }
690
+ this.emit("acl_blocked", info2);
691
+ return;
692
+ }
693
+ const decision = this.evaluateStatement(parsed);
694
+ this.stats.totalQueries++;
695
+ const info = {
696
+ sql: sql.substring(0, 500),
697
+ statementType: parsed.type,
698
+ tables: parsed.tables,
699
+ decision,
700
+ timestamp: Date.now(),
701
+ injectionResult
702
+ };
703
+ if (this.onEvaluated) {
704
+ try {
705
+ this.onEvaluated(info);
706
+ } catch {
707
+ }
708
+ }
709
+ this.recordGateCheckBilling(parsed.type, parsed.tables, decision);
710
+ if (decision.verdict === "deny") {
711
+ this.stats.blockedQueries++;
712
+ const errorMsg = buildPgErrorResponse(
713
+ "ERROR",
714
+ "42501",
715
+ `SOVR Policy Violation: ${decision.reason} [decision_id: ${decision.decision_id}]`
716
+ );
717
+ const readyMsg = buildPgReadyForQuery("I");
718
+ clientSocket.write(Buffer.concat([errorMsg, readyMsg]));
719
+ if (this.verbose) {
720
+ process.stderr.write(
721
+ `[sovr-sql-proxy] \x1B[31mBLOCKED\x1B[0m: ${parsed.type} on ${parsed.tables.join(", ")} \u2014 ${decision.reason}
722
+ `
723
+ );
724
+ }
725
+ if (this.onBlocked) {
726
+ try {
727
+ this.onBlocked(info);
728
+ } catch {
729
+ }
730
+ }
731
+ this.emit("blocked", info);
732
+ } else if (decision.verdict === "escalate") {
733
+ this.stats.escalatedQueries++;
734
+ const errorMsg = buildPgErrorResponse(
735
+ "ERROR",
736
+ "42501",
737
+ `SOVR: Action requires approval \u2014 ${decision.reason} [decision_id: ${decision.decision_id}]`
738
+ );
739
+ const readyMsg = buildPgReadyForQuery("I");
740
+ clientSocket.write(Buffer.concat([errorMsg, readyMsg]));
741
+ if (this.verbose) {
742
+ process.stderr.write(
743
+ `[sovr-sql-proxy] \x1B[33mESCALATED\x1B[0m: ${parsed.type} on ${parsed.tables.join(", ")} \u2014 ${decision.reason}
744
+ `
745
+ );
746
+ }
747
+ this.emit("escalated", info);
748
+ } else {
749
+ this.stats.allowedQueries++;
750
+ backendSocket.write(data);
751
+ if (this.verbose) {
752
+ process.stderr.write(
753
+ `[sovr-sql-proxy] \x1B[32mALLOWED\x1B[0m: ${parsed.type} on ${parsed.tables.join(", ")} (risk: ${decision.risk_score})
754
+ `
755
+ );
756
+ }
757
+ }
758
+ }
759
+ // ============================================================================
760
+ // Policy Evaluation
761
+ // ============================================================================
762
+ evaluateStatement(parsed) {
763
+ const safeTypes = [
764
+ "SELECT",
765
+ "BEGIN",
766
+ "COMMIT",
767
+ "ROLLBACK",
768
+ "SET",
769
+ "SHOW",
770
+ "EXPLAIN"
771
+ ];
772
+ if (safeTypes.includes(parsed.type) && !parsed.isMultiStatement) {
773
+ if (parsed.type !== "SELECT") {
774
+ return {
775
+ decision_id: `dec_passthrough_${Date.now().toString(36)}`,
776
+ verdict: "allow",
777
+ allowed: true,
778
+ risk_score: 0,
779
+ risk_level: "none",
780
+ requires_approval: false,
781
+ reason: `Safe statement type: ${parsed.type}`,
782
+ matched_rules: [],
783
+ channel: "sql",
784
+ trace_id: `trace_sql_${Date.now().toString(36)}`,
785
+ timestamp: Date.now()
786
+ };
787
+ }
788
+ }
789
+ const context = {
790
+ statement_type: parsed.type,
791
+ tables: parsed.tables,
792
+ has_where_clause: parsed.hasWhereClause,
793
+ raw_sql: parsed.raw.substring(0, 1e3),
794
+ is_multi_statement: parsed.isMultiStatement
795
+ };
796
+ return this.engine.evaluate({
797
+ channel: "sql",
798
+ action: parsed.type,
799
+ resource: parsed.tables.join(",") || "*",
800
+ context,
801
+ actor_id: this.actorId
802
+ });
803
+ }
804
+ // ============================================================================
805
+ // Utilities
806
+ // ============================================================================
807
+ log(msg) {
808
+ process.stderr.write(`[sovr-sql-proxy] ${msg}
809
+ `);
810
+ }
811
+ /** v2.0: Async version check */
812
+ async _checkVersion(apiKey) {
813
+ try {
814
+ const res = await fetch(VERSION_CHECK_URL, {
815
+ method: "POST",
816
+ headers: { "Content-Type": "application/json", "X-SOVR-API-Key": apiKey },
817
+ body: JSON.stringify({ package: "@sovr/proxy-sql", version: PROXY_SQL_VERSION }),
818
+ signal: AbortSignal.timeout(5e3)
819
+ });
820
+ if (res.ok) {
821
+ const data = await res.json();
822
+ if (data.deprecated || data.forceUpgrade) {
823
+ console.error(
824
+ `[SOVR] @sovr/proxy-sql@${PROXY_SQL_VERSION} is deprecated.
825
+ Required: @sovr/proxy-sql@${data.minVersion || "latest"}
826
+ Run: npm install @sovr/proxy-sql@latest`
827
+ );
828
+ process.exit(1);
829
+ }
830
+ }
831
+ } catch {
832
+ }
833
+ }
834
+ };
835
+ // Annotate the CommonJS export names for ESM import in node:
836
+ 0 && (module.exports = {
837
+ SqlProxy,
838
+ detectSqlInjection,
839
+ parseSQL
840
+ });