npm - @useatlas/create - Versions diffs - 0.0.1 → 0.0.3 - Mend

@useatlas/create 0.0.1 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (298) hide show

package/templates/docker/src/lib/tools/__tests__/soql-validation.test.ts DELETED Viewed

@@ -1,303 +0,0 @@
-import { describe, it, expect } from "bun:test";
-import { validateSOQL, appendSOQLLimit } from "../soql-validation";
-const ALLOWED = new Set(["Account", "Contact", "Opportunity", "Lead"]);
-describe("validateSOQL", () => {
-  describe("Layer 0: Empty check", () => {
-    it("rejects empty string", () => {
-      const result = validateSOQL("", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Empty");
-    });
-    it("rejects whitespace-only", () => {
-      const result = validateSOQL("   \n\t  ", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Empty");
-    });
-  });
-  describe("Layer 1: Mutation guard", () => {
-    for (const keyword of ["INSERT", "UPDATE", "DELETE", "UPSERT", "MERGE", "UNDELETE"]) {
-      it(`rejects ${keyword}`, () => {
-        const result = validateSOQL(`${keyword} INTO Account`, ALLOWED);
-        expect(result.valid).toBe(false);
-        expect(result.error).toContain("Forbidden");
-      });
-      it(`rejects ${keyword.toLowerCase()}`, () => {
-        const result = validateSOQL(`${keyword.toLowerCase()} into account`, ALLOWED);
-        expect(result.valid).toBe(false);
-        expect(result.error).toContain("Forbidden");
-      });
-    }
-  });
-  describe("Layer 2: SELECT-only", () => {
-    it("accepts SELECT query", () => {
-      const result = validateSOQL("SELECT Id FROM Account", ALLOWED);
-      expect(result.valid).toBe(true);
-    });
-    it("rejects non-SELECT query", () => {
-      const result = validateSOQL("DESCRIBE Account", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Only SELECT");
-    });
-    it("rejects semicolons", () => {
-      const result = validateSOQL("SELECT Id FROM Account;", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Semicolons");
-    });
-    it("rejects multiple statements", () => {
-      const result = validateSOQL("SELECT Id FROM Account; SELECT Id FROM Contact", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Semicolons");
-    });
-  });
-  describe("Layer 3: Object whitelist", () => {
-    it("allows whitelisted objects", () => {
-      const result = validateSOQL("SELECT Id, Name FROM Account", ALLOWED);
-      expect(result.valid).toBe(true);
-    });
-    it("rejects non-whitelisted objects", () => {
-      const result = validateSOQL("SELECT Id FROM CustomObject__c", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("not in the allowed list");
-    });
-    it("checks subquery objects", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Id IN (SELECT AccountId FROM CustomObject__c)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("CustomObject__c");
-    });
-    it("allows subquery with whitelisted objects", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Id IN (SELECT AccountId FROM Contact)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("is case-insensitive", () => {
-      const result = validateSOQL("SELECT Id FROM account", ALLOWED);
-      expect(result.valid).toBe(true);
-    });
-    it("rejects queries with no FROM clause", () => {
-      const result = validateSOQL("SELECT 1", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("No FROM");
-    });
-  });
-  describe("Relationship subquery whitelist bypass (parent-to-child)", () => {
-    it("accepts parent-to-child relationship subquery with plural relationship name", () => {
-      // "Contacts" is the relationship name (plural), not in the whitelist.
-      // Only "Contact" (singular) is whitelisted. This should pass because
-      // relationship subqueries in SELECT are not whitelist-checked.
-      const result = validateSOQL(
-        "SELECT Id, Name, (SELECT LastName FROM Contacts) FROM Account",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("accepts multiple relationship subqueries in SELECT", () => {
-      const result = validateSOQL(
-        "SELECT Id, (SELECT LastName FROM Contacts), (SELECT Amount FROM Opportunities) FROM Account",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("accepts relationship subquery with unknown relationship name", () => {
-      // Custom relationship names like "Cases" won't be in the whitelist
-      const result = validateSOQL(
-        "SELECT Id, (SELECT Subject FROM Cases) FROM Account",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("still rejects non-whitelisted objects in WHERE semi-join subqueries", () => {
-      // Semi-join subqueries in WHERE reference real object names — must be checked
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Id IN (SELECT AccountId FROM CustomObject__c)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("CustomObject__c");
-    });
-    it("allows whitelisted objects in WHERE semi-join subqueries", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Id IN (SELECT AccountId FROM Contact)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("accepts relationship subquery AND valid WHERE subquery together", () => {
-      const result = validateSOQL(
-        "SELECT Id, (SELECT LastName FROM Contacts) FROM Account WHERE Id IN (SELECT AccountId FROM Opportunity)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("rejects relationship subquery with invalid WHERE subquery", () => {
-      const result = validateSOQL(
-        "SELECT Id, (SELECT LastName FROM Contacts) FROM Account WHERE Id IN (SELECT AccountId FROM Forbidden__c)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Forbidden__c");
-    });
-    it("still checks top-level FROM object", () => {
-      const result = validateSOQL(
-        "SELECT Id, (SELECT LastName FROM Contacts) FROM NotAllowed__c",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("NotAllowed__c");
-    });
-  });
-  describe("String literal false positives in mutation guard", () => {
-    it("allows 'delete' inside a string literal", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Name = 'delete this'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("allows 'update' inside a string literal", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Description = 'please update record'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("allows 'insert' inside a string literal", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Contact WHERE Name = 'insert coin'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("allows 'merge' inside a string literal", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Lead WHERE Status = 'merge pending'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("allows 'upsert' inside a string literal", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Name = 'upsert test'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("allows LIKE pattern with forbidden keyword", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Name LIKE '%delete%'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("still rejects actual DELETE statements", () => {
-      const result = validateSOQL("DELETE FROM Account", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Forbidden");
-    });
-    it("still rejects forbidden keyword outside string literal even with strings present", () => {
-      // The keyword DELETE appears outside the string
-      const result = validateSOQL(
-        "DELETE FROM Account WHERE Name = 'safe string'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Forbidden");
-    });
-    it("handles multiple string literals with forbidden keywords", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Name = 'delete' AND Type = 'update this'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("handles empty string literals", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Name = ''",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-  });
-  describe("valid queries", () => {
-    it("accepts basic query", () => {
-      const result = validateSOQL("SELECT Id, Name FROM Account LIMIT 10", ALLOWED);
-      expect(result.valid).toBe(true);
-    });
-    it("accepts query with WHERE clause", () => {
-      const result = validateSOQL(
-        "SELECT Id, Name FROM Account WHERE Name = 'Test'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("accepts query with aggregate functions", () => {
-      const result = validateSOQL(
-        "SELECT COUNT(Id) FROM Opportunity GROUP BY StageName",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-  });
-});
-describe("appendSOQLLimit", () => {
-  it("appends LIMIT when not present", () => {
-    const result = appendSOQLLimit("SELECT Id FROM Account", 100);
-    expect(result).toBe("SELECT Id FROM Account LIMIT 100");
-  });
-  it("does not append LIMIT when already present", () => {
-    const result = appendSOQLLimit("SELECT Id FROM Account LIMIT 50", 100);
-    expect(result).toBe("SELECT Id FROM Account LIMIT 50");
-  });
-  it("is case-insensitive for existing LIMIT", () => {
-    const result = appendSOQLLimit("SELECT Id FROM Account limit 50", 100);
-    expect(result).toBe("SELECT Id FROM Account limit 50");
-  });
-  it("trims whitespace", () => {
-    const result = appendSOQLLimit("  SELECT Id FROM Account  ", 100);
-    expect(result).toBe("SELECT Id FROM Account LIMIT 100");
-  });
-});

package/templates/docker/src/lib/tools/__tests__/sql-duckdb.test.ts DELETED Viewed

@@ -1,233 +0,0 @@
-/**
- * SQL validation tests specific to DuckDB queries.
- *
- * Verifies that:
- * - Standard SELECT queries pass validation in DuckDB mode
- * - DuckDB-specific forbidden operations (PRAGMA, ATTACH, etc.) are blocked
- * - Common DuckDB query patterns work with the PostgreSQL parser mode
- */
-import { describe, expect, it, beforeEach, afterEach, mock } from "bun:test";
-// Mock semantic layer
-mock.module("@atlas/api/lib/semantic", () => ({
-  getWhitelistedTables: () =>
-    new Set(["sales", "customers", "products", "orders"]),
-  _resetWhitelists: () => {},
-}));
-// Mock the DB connection
-const mockDBConnection = {
-  query: async () => ({ columns: [], rows: [] }),
-  close: async () => {},
-};
-const mockDetectDBType = () => {
-  const url = process.env.ATLAS_DATASOURCE_URL ?? "";
-  if (url.startsWith("duckdb://")) return "duckdb";
-  if (url.startsWith("postgresql://")) return "postgres";
-  throw new Error(`Unsupported: ${url}`);
-};
-mock.module("@atlas/api/lib/db/connection", () => ({
-  getDB: () => mockDBConnection,
-  connections: {
-    get: () => mockDBConnection,
-    getDefault: () => mockDBConnection,
-    getDBType: () => mockDetectDBType(),
-    getValidator: () => undefined,
-    list: () => ["default"],
-  },
-  detectDBType: mockDetectDBType,
-}));
-const { validateSQL } = await import("@atlas/api/lib/tools/sql");
-const origEnv = { ...process.env };
-describe("validateSQL — DuckDB mode", () => {
-  beforeEach(() => {
-    process.env.ATLAS_DATASOURCE_URL = "duckdb://:memory:";
-  });
-  afterEach(() => {
-    if (origEnv.ATLAS_DATASOURCE_URL === undefined) {
-      delete process.env.ATLAS_DATASOURCE_URL;
-    } else {
-      process.env.ATLAS_DATASOURCE_URL = origEnv.ATLAS_DATASOURCE_URL;
-    }
-  });
-  // --- Valid queries ---
-  it("allows simple SELECT", () => {
-    const result = validateSQL("SELECT * FROM sales");
-    expect(result.valid).toBe(true);
-  });
-  it("allows SELECT with aggregate functions", () => {
-    const result = validateSQL(
-      "SELECT COUNT(*), SUM(amount) FROM sales GROUP BY product_id"
-    );
-    expect(result.valid).toBe(true);
-  });
-  it("allows SELECT with CTE", () => {
-    const result = validateSQL(
-      "WITH totals AS (SELECT customer_id, SUM(amount) AS total FROM sales GROUP BY customer_id) SELECT * FROM totals"
-    );
-    expect(result.valid).toBe(true);
-  });
-  it("allows SELECT with window function", () => {
-    const result = validateSQL(
-      "SELECT *, ROW_NUMBER() OVER (PARTITION BY customer_id ORDER BY amount DESC) AS rn FROM sales"
-    );
-    expect(result.valid).toBe(true);
-  });
-  it("allows SELECT with JOIN", () => {
-    const result = validateSQL(
-      "SELECT s.*, c.name FROM sales s JOIN customers c ON s.customer_id = c.id"
-    );
-    expect(result.valid).toBe(true);
-  });
-  it("allows CAST expressions", () => {
-    const result = validateSQL(
-      "SELECT CAST(amount AS VARCHAR) FROM sales"
-    );
-    expect(result.valid).toBe(true);
-  });
-  it("allows COALESCE and CASE", () => {
-    const result = validateSQL(
-      "SELECT COALESCE(name, 'unknown'), CASE WHEN amount > 100 THEN 'high' ELSE 'low' END FROM sales"
-    );
-    expect(result.valid).toBe(true);
-  });
-  // --- Blocked operations ---
-  it("blocks PRAGMA", () => {
-    const result = validateSQL("PRAGMA database_list");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks ATTACH", () => {
-    const result = validateSQL("ATTACH '/tmp/other.duckdb' AS other");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks DETACH", () => {
-    const result = validateSQL("DETACH other");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks INSTALL", () => {
-    const result = validateSQL("INSTALL httpfs");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks EXPORT", () => {
-    const result = validateSQL("EXPORT DATABASE '/tmp/backup'");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks IMPORT", () => {
-    const result = validateSQL("IMPORT DATABASE '/tmp/backup'");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks CHECKPOINT", () => {
-    const result = validateSQL("CHECKPOINT");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks INSERT", () => {
-    const result = validateSQL("INSERT INTO sales VALUES (1, 100)");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks CREATE TABLE", () => {
-    const result = validateSQL("CREATE TABLE foo (id INT)");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks DROP TABLE", () => {
-    const result = validateSQL("DROP TABLE sales");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks DESCRIBE", () => {
-    const result = validateSQL("DESCRIBE sales");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks SHOW", () => {
-    const result = validateSQL("SHOW TABLES");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  // --- Table whitelist ---
-  it("rejects queries on non-whitelisted tables", () => {
-    const result = validateSQL("SELECT * FROM secret_data");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("not in the allowed list");
-  });
-  it("allows queries on whitelisted tables", () => {
-    const result = validateSQL("SELECT * FROM customers");
-    expect(result.valid).toBe(true);
-  });
-  // --- File-reading function blocks ---
-  it("blocks read_csv_auto", () => {
-    const result = validateSQL("SELECT * FROM read_csv_auto('/etc/passwd')");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks read_parquet", () => {
-    const result = validateSQL("SELECT * FROM read_parquet('/data/secret.parquet')");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks read_json_auto", () => {
-    const result = validateSQL("SELECT * FROM read_json_auto('/tmp/data.json')");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks SET", () => {
-    const result = validateSQL("SET memory_limit='100GB'");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks COPY ... TO (via base patterns)", () => {
-    const result = validateSQL("COPY sales TO '/tmp/exfil.csv'");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks LOAD (via base patterns)", () => {
-    const result = validateSQL("LOAD httpfs");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-});

package/templates/docker/src/lib/tools/salesforce.ts DELETED Viewed

@@ -1,138 +0,0 @@
-/**
- * Salesforce SOQL query tool for the Atlas agent.
- *
- * Parallel to executeSQL but for Salesforce objects via SOQL.
- * Uses the SalesforceDataSource instead of DBConnection.
- */
-import { tool } from "ai";
-import { z } from "zod";
-import {
-  getSalesforceSource,
-  listSalesforceSources,
-} from "@atlas/api/lib/db/salesforce";
-import { validateSOQL, appendSOQLLimit } from "./soql-validation";
-import { getWhitelistedTables } from "@atlas/api/lib/semantic";
-import { logQueryAudit } from "@atlas/api/lib/auth/audit";
-import { SENSITIVE_PATTERNS } from "@atlas/api/lib/security";
-import { createLogger } from "@atlas/api/lib/logger";
-const log = createLogger("salesforce-tool");
-const ROW_LIMIT = parseInt(process.env.ATLAS_ROW_LIMIT ?? "1000", 10);
-const QUERY_TIMEOUT = parseInt(
-  process.env.ATLAS_QUERY_TIMEOUT ?? "30000",
-  10,
-);
-export const querySalesforce = tool({
-  description: `Execute a read-only SOQL query against Salesforce. Only SELECT queries are allowed.
-Rules:
-- Always read the relevant entity schema from the semantic layer BEFORE writing SOQL
-- Use exact field names from the schema — never guess
-- SOQL does not support JOINs — use relationship queries instead (e.g. Account.Name)
-- Include a LIMIT clause for large result sets
-- If a query fails, fix the issue — do not retry the same SOQL`,
-  inputSchema: z.object({
-    soql: z.string().describe("The SELECT SOQL query to execute"),
-    explanation: z
-      .string()
-      .describe("Brief explanation of what this query does and why"),
-    connectionId: z
-      .string()
-      .optional()
-      .describe(
-        "Target Salesforce connection ID. Omit for the default Salesforce connection.",
-      ),
-  }),
-  execute: async ({ soql, explanation, connectionId }) => {
-    // Resolve which Salesforce source to use
-    const sources = listSalesforceSources();
-    const connId = connectionId ?? (sources.length > 0 ? sources[0] : "default");
-    let source;
-    try {
-      source = getSalesforceSource(connId);
-    } catch {
-      return {
-        success: false,
-        error: `Salesforce source "${connId}" is not registered. Available: ${sources.join(", ") || "(none)"}`,
-      };
-    }
-    // Get whitelist for this connection
-    const allowed = getWhitelistedTables(connId);
-    // Validate SOQL
-    const validation = validateSOQL(soql, allowed);
-    if (!validation.valid) {
-      logQueryAudit({
-        sql: soql.slice(0, 2000),
-        durationMs: 0,
-        rowCount: null,
-        success: false,
-        error: `Validation rejected: ${validation.error}`,
-      });
-      return { success: false, error: validation.error };
-    }
-    // Auto-append LIMIT
-    const querySoql = appendSOQLLimit(soql.trim(), ROW_LIMIT);
-    const start = performance.now();
-    try {
-      const result = await source.query(querySoql, QUERY_TIMEOUT);
-      const durationMs = Math.round(performance.now() - start);
-      const truncated = result.rows.length >= ROW_LIMIT;
-      try {
-        logQueryAudit({
-          sql: querySoql,
-          durationMs,
-          rowCount: result.rows.length,
-          success: true,
-        });
-      } catch (auditErr) {
-        log.warn({ err: auditErr }, "Failed to write query audit log");
-      }
-      return {
-        success: true,
-        explanation,
-        row_count: result.rows.length,
-        columns: result.columns,
-        rows: result.rows,
-        truncated,
-      };
-    } catch (err) {
-      const durationMs = Math.round(performance.now() - start);
-      const message =
-        err instanceof Error ? err.message : "Unknown Salesforce error";
-      try {
-        logQueryAudit({
-          sql: querySoql,
-          durationMs,
-          rowCount: null,
-          success: false,
-          error: message,
-        });
-      } catch (auditErr) {
-        log.warn({ err: auditErr }, "Failed to write query audit log");
-      }
-      // Block errors that might expose connection details or internal state
-      if (SENSITIVE_PATTERNS.test(message)) {
-        return {
-          success: false,
-          error: "Salesforce query failed — check server logs for details.",
-        };
-      }
-      return { success: false, error: message };
-    }
-  },
-});