npm - @useatlas/create - Versions diffs - 0.0.2 → 0.0.3 - Mend

@useatlas/create 0.0.2 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (296) hide show

package/templates/nextjs-standalone/src/lib/tools/__tests__/salesforce-tool.test.ts DELETED Viewed

@@ -1,154 +0,0 @@
-/**
- * Tests for the querySalesforce agent tool.
- */
-import { describe, it, expect, beforeEach, mock } from "bun:test";
-// Mock Salesforce registry
-const mockQuery = mock(() =>
-  Promise.resolve({
-    columns: ["Id", "Name"],
-    rows: [
-      { Id: "001", Name: "Acme" },
-      { Id: "002", Name: "Widget Co" },
-    ],
-  }),
-);
-const mockSources = new Map<string, { query: typeof mockQuery; close: () => Promise<void> }>();
-mock.module("@atlas/api/lib/db/salesforce", () => ({
-  getSalesforceSource: (id: string) => {
-    const source = mockSources.get(id);
-    if (!source) throw new Error(`Salesforce source "${id}" is not registered.`);
-    return source;
-  },
-  listSalesforceSources: () => Array.from(mockSources.keys()),
-}));
-// Mock semantic layer
-mock.module("@atlas/api/lib/semantic", () => ({
-  getWhitelistedTables: () => new Set(["account", "contact", "opportunity"]),
-  _resetWhitelists: () => {},
-}));
-// Mock audit log (no-op)
-mock.module("@atlas/api/lib/auth/audit", () => ({
-  logQueryAudit: () => {},
-}));
-const { querySalesforce } = await import("@atlas/api/lib/tools/salesforce");
-// Helper to call the tool's execute function
-async function executeTool(params: {
-  soql: string;
-  explanation: string;
-  connectionId?: string;
-}) {
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  return (querySalesforce as any).execute(params);
-}
-describe("querySalesforce tool", () => {
-  beforeEach(() => {
-    mockQuery.mockClear();
-    mockQuery.mockImplementation(() =>
-      Promise.resolve({
-        columns: ["Id", "Name"],
-        rows: [
-          { Id: "001", Name: "Acme" },
-          { Id: "002", Name: "Widget Co" },
-        ],
-      }),
-    );
-    mockSources.clear();
-    mockSources.set("default", {
-      query: mockQuery,
-      close: async () => {},
-    });
-  });
-  it("executes a valid query and returns results", async () => {
-    const result = await executeTool({
-      soql: "SELECT Id, Name FROM Account",
-      explanation: "Get all accounts",
-    });
-    expect(result.success).toBe(true);
-    expect(result.columns).toEqual(["Id", "Name"]);
-    expect(result.rows).toHaveLength(2);
-    expect(result.row_count).toBe(2);
-  });
-  it("rejects invalid SOQL (mutation)", async () => {
-    const result = await executeTool({
-      soql: "DELETE FROM Account",
-      explanation: "Delete accounts",
-    });
-    expect(result.success).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("rejects queries against non-whitelisted objects", async () => {
-    const result = await executeTool({
-      soql: "SELECT Id FROM CustomObject__c",
-      explanation: "Get custom objects",
-    });
-    expect(result.success).toBe(false);
-    expect(result.error).toContain("not in the allowed list");
-  });
-  it("returns error for unregistered connection", async () => {
-    const result = await executeTool({
-      soql: "SELECT Id FROM Account",
-      explanation: "test",
-      connectionId: "nonexistent",
-    });
-    expect(result.success).toBe(false);
-    expect(result.error).toContain("not registered");
-  });
-  it("appends LIMIT when not present", async () => {
-    await executeTool({
-      soql: "SELECT Id FROM Account",
-      explanation: "test",
-    });
-    // The mockQuery should have been called with a SOQL that includes LIMIT
-    const calledWith = (mockQuery.mock.calls as unknown as string[][])[0][0];
-    expect(calledWith).toContain("LIMIT");
-  });
-  it("does not double-append LIMIT", async () => {
-    await executeTool({
-      soql: "SELECT Id FROM Account LIMIT 5",
-      explanation: "test",
-    });
-    const calledWith = (mockQuery.mock.calls as unknown as string[][])[0][0];
-    // Should not have two LIMIT clauses
-    const limitCount = (calledWith.match(/LIMIT/gi) ?? []).length;
-    expect(limitCount).toBe(1);
-  });
-  it("scrubs sensitive error messages", async () => {
-    mockQuery.mockImplementationOnce(() =>
-      Promise.reject(new Error("INVALID_SESSION_ID: Session expired")),
-    );
-    const result = await executeTool({
-      soql: "SELECT Id FROM Account",
-      explanation: "test",
-    });
-    expect(result.success).toBe(false);
-    expect(result.error).toContain("check server logs");
-    expect(result.error).not.toContain("INVALID_SESSION_ID");
-  });
-  it("surfaces non-sensitive errors to the agent", async () => {
-    mockQuery.mockImplementationOnce(() =>
-      Promise.reject(new Error("INVALID_FIELD: No such column 'Foo'")),
-    );
-    const result = await executeTool({
-      soql: "SELECT Foo FROM Account",
-      explanation: "test",
-    });
-    expect(result.success).toBe(false);
-    expect(result.error).toContain("INVALID_FIELD");
-  });
-});

package/templates/nextjs-standalone/src/lib/tools/__tests__/soql-validation.test.ts DELETED Viewed

@@ -1,303 +0,0 @@
-import { describe, it, expect } from "bun:test";
-import { validateSOQL, appendSOQLLimit } from "../soql-validation";
-const ALLOWED = new Set(["Account", "Contact", "Opportunity", "Lead"]);
-describe("validateSOQL", () => {
-  describe("Layer 0: Empty check", () => {
-    it("rejects empty string", () => {
-      const result = validateSOQL("", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Empty");
-    });
-    it("rejects whitespace-only", () => {
-      const result = validateSOQL("   \n\t  ", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Empty");
-    });
-  });
-  describe("Layer 1: Mutation guard", () => {
-    for (const keyword of ["INSERT", "UPDATE", "DELETE", "UPSERT", "MERGE", "UNDELETE"]) {
-      it(`rejects ${keyword}`, () => {
-        const result = validateSOQL(`${keyword} INTO Account`, ALLOWED);
-        expect(result.valid).toBe(false);
-        expect(result.error).toContain("Forbidden");
-      });
-      it(`rejects ${keyword.toLowerCase()}`, () => {
-        const result = validateSOQL(`${keyword.toLowerCase()} into account`, ALLOWED);
-        expect(result.valid).toBe(false);
-        expect(result.error).toContain("Forbidden");
-      });
-    }
-  });
-  describe("Layer 2: SELECT-only", () => {
-    it("accepts SELECT query", () => {
-      const result = validateSOQL("SELECT Id FROM Account", ALLOWED);
-      expect(result.valid).toBe(true);
-    });
-    it("rejects non-SELECT query", () => {
-      const result = validateSOQL("DESCRIBE Account", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Only SELECT");
-    });
-    it("rejects semicolons", () => {
-      const result = validateSOQL("SELECT Id FROM Account;", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Semicolons");
-    });
-    it("rejects multiple statements", () => {
-      const result = validateSOQL("SELECT Id FROM Account; SELECT Id FROM Contact", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Semicolons");
-    });
-  });
-  describe("Layer 3: Object whitelist", () => {
-    it("allows whitelisted objects", () => {
-      const result = validateSOQL("SELECT Id, Name FROM Account", ALLOWED);
-      expect(result.valid).toBe(true);
-    });
-    it("rejects non-whitelisted objects", () => {
-      const result = validateSOQL("SELECT Id FROM CustomObject__c", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("not in the allowed list");
-    });
-    it("checks subquery objects", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Id IN (SELECT AccountId FROM CustomObject__c)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("CustomObject__c");
-    });
-    it("allows subquery with whitelisted objects", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Id IN (SELECT AccountId FROM Contact)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("is case-insensitive", () => {
-      const result = validateSOQL("SELECT Id FROM account", ALLOWED);
-      expect(result.valid).toBe(true);
-    });
-    it("rejects queries with no FROM clause", () => {
-      const result = validateSOQL("SELECT 1", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("No FROM");
-    });
-  });
-  describe("Relationship subquery whitelist bypass (parent-to-child)", () => {
-    it("accepts parent-to-child relationship subquery with plural relationship name", () => {
-      // "Contacts" is the relationship name (plural), not in the whitelist.
-      // Only "Contact" (singular) is whitelisted. This should pass because
-      // relationship subqueries in SELECT are not whitelist-checked.
-      const result = validateSOQL(
-        "SELECT Id, Name, (SELECT LastName FROM Contacts) FROM Account",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("accepts multiple relationship subqueries in SELECT", () => {
-      const result = validateSOQL(
-        "SELECT Id, (SELECT LastName FROM Contacts), (SELECT Amount FROM Opportunities) FROM Account",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("accepts relationship subquery with unknown relationship name", () => {
-      // Custom relationship names like "Cases" won't be in the whitelist
-      const result = validateSOQL(
-        "SELECT Id, (SELECT Subject FROM Cases) FROM Account",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("still rejects non-whitelisted objects in WHERE semi-join subqueries", () => {
-      // Semi-join subqueries in WHERE reference real object names — must be checked
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Id IN (SELECT AccountId FROM CustomObject__c)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("CustomObject__c");
-    });
-    it("allows whitelisted objects in WHERE semi-join subqueries", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Id IN (SELECT AccountId FROM Contact)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("accepts relationship subquery AND valid WHERE subquery together", () => {
-      const result = validateSOQL(
-        "SELECT Id, (SELECT LastName FROM Contacts) FROM Account WHERE Id IN (SELECT AccountId FROM Opportunity)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("rejects relationship subquery with invalid WHERE subquery", () => {
-      const result = validateSOQL(
-        "SELECT Id, (SELECT LastName FROM Contacts) FROM Account WHERE Id IN (SELECT AccountId FROM Forbidden__c)",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Forbidden__c");
-    });
-    it("still checks top-level FROM object", () => {
-      const result = validateSOQL(
-        "SELECT Id, (SELECT LastName FROM Contacts) FROM NotAllowed__c",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("NotAllowed__c");
-    });
-  });
-  describe("String literal false positives in mutation guard", () => {
-    it("allows 'delete' inside a string literal", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Name = 'delete this'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("allows 'update' inside a string literal", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Description = 'please update record'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("allows 'insert' inside a string literal", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Contact WHERE Name = 'insert coin'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("allows 'merge' inside a string literal", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Lead WHERE Status = 'merge pending'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("allows 'upsert' inside a string literal", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Name = 'upsert test'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("allows LIKE pattern with forbidden keyword", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Name LIKE '%delete%'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("still rejects actual DELETE statements", () => {
-      const result = validateSOQL("DELETE FROM Account", ALLOWED);
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Forbidden");
-    });
-    it("still rejects forbidden keyword outside string literal even with strings present", () => {
-      // The keyword DELETE appears outside the string
-      const result = validateSOQL(
-        "DELETE FROM Account WHERE Name = 'safe string'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(false);
-      expect(result.error).toContain("Forbidden");
-    });
-    it("handles multiple string literals with forbidden keywords", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Name = 'delete' AND Type = 'update this'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("handles empty string literals", () => {
-      const result = validateSOQL(
-        "SELECT Id FROM Account WHERE Name = ''",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-  });
-  describe("valid queries", () => {
-    it("accepts basic query", () => {
-      const result = validateSOQL("SELECT Id, Name FROM Account LIMIT 10", ALLOWED);
-      expect(result.valid).toBe(true);
-    });
-    it("accepts query with WHERE clause", () => {
-      const result = validateSOQL(
-        "SELECT Id, Name FROM Account WHERE Name = 'Test'",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-    it("accepts query with aggregate functions", () => {
-      const result = validateSOQL(
-        "SELECT COUNT(Id) FROM Opportunity GROUP BY StageName",
-        ALLOWED,
-      );
-      expect(result.valid).toBe(true);
-    });
-  });
-});
-describe("appendSOQLLimit", () => {
-  it("appends LIMIT when not present", () => {
-    const result = appendSOQLLimit("SELECT Id FROM Account", 100);
-    expect(result).toBe("SELECT Id FROM Account LIMIT 100");
-  });
-  it("does not append LIMIT when already present", () => {
-    const result = appendSOQLLimit("SELECT Id FROM Account LIMIT 50", 100);
-    expect(result).toBe("SELECT Id FROM Account LIMIT 50");
-  });
-  it("is case-insensitive for existing LIMIT", () => {
-    const result = appendSOQLLimit("SELECT Id FROM Account limit 50", 100);
-    expect(result).toBe("SELECT Id FROM Account limit 50");
-  });
-  it("trims whitespace", () => {
-    const result = appendSOQLLimit("  SELECT Id FROM Account  ", 100);
-    expect(result).toBe("SELECT Id FROM Account LIMIT 100");
-  });
-});

package/templates/nextjs-standalone/src/lib/tools/__tests__/sql-duckdb.test.ts DELETED Viewed

@@ -1,233 +0,0 @@
-/**
- * SQL validation tests specific to DuckDB queries.
- *
- * Verifies that:
- * - Standard SELECT queries pass validation in DuckDB mode
- * - DuckDB-specific forbidden operations (PRAGMA, ATTACH, etc.) are blocked
- * - Common DuckDB query patterns work with the PostgreSQL parser mode
- */
-import { describe, expect, it, beforeEach, afterEach, mock } from "bun:test";
-// Mock semantic layer
-mock.module("@atlas/api/lib/semantic", () => ({
-  getWhitelistedTables: () =>
-    new Set(["sales", "customers", "products", "orders"]),
-  _resetWhitelists: () => {},
-}));
-// Mock the DB connection
-const mockDBConnection = {
-  query: async () => ({ columns: [], rows: [] }),
-  close: async () => {},
-};
-const mockDetectDBType = () => {
-  const url = process.env.ATLAS_DATASOURCE_URL ?? "";
-  if (url.startsWith("duckdb://")) return "duckdb";
-  if (url.startsWith("postgresql://")) return "postgres";
-  throw new Error(`Unsupported: ${url}`);
-};
-mock.module("@atlas/api/lib/db/connection", () => ({
-  getDB: () => mockDBConnection,
-  connections: {
-    get: () => mockDBConnection,
-    getDefault: () => mockDBConnection,
-    getDBType: () => mockDetectDBType(),
-    getValidator: () => undefined,
-    list: () => ["default"],
-  },
-  detectDBType: mockDetectDBType,
-}));
-const { validateSQL } = await import("@atlas/api/lib/tools/sql");
-const origEnv = { ...process.env };
-describe("validateSQL — DuckDB mode", () => {
-  beforeEach(() => {
-    process.env.ATLAS_DATASOURCE_URL = "duckdb://:memory:";
-  });
-  afterEach(() => {
-    if (origEnv.ATLAS_DATASOURCE_URL === undefined) {
-      delete process.env.ATLAS_DATASOURCE_URL;
-    } else {
-      process.env.ATLAS_DATASOURCE_URL = origEnv.ATLAS_DATASOURCE_URL;
-    }
-  });
-  // --- Valid queries ---
-  it("allows simple SELECT", () => {
-    const result = validateSQL("SELECT * FROM sales");
-    expect(result.valid).toBe(true);
-  });
-  it("allows SELECT with aggregate functions", () => {
-    const result = validateSQL(
-      "SELECT COUNT(*), SUM(amount) FROM sales GROUP BY product_id"
-    );
-    expect(result.valid).toBe(true);
-  });
-  it("allows SELECT with CTE", () => {
-    const result = validateSQL(
-      "WITH totals AS (SELECT customer_id, SUM(amount) AS total FROM sales GROUP BY customer_id) SELECT * FROM totals"
-    );
-    expect(result.valid).toBe(true);
-  });
-  it("allows SELECT with window function", () => {
-    const result = validateSQL(
-      "SELECT *, ROW_NUMBER() OVER (PARTITION BY customer_id ORDER BY amount DESC) AS rn FROM sales"
-    );
-    expect(result.valid).toBe(true);
-  });
-  it("allows SELECT with JOIN", () => {
-    const result = validateSQL(
-      "SELECT s.*, c.name FROM sales s JOIN customers c ON s.customer_id = c.id"
-    );
-    expect(result.valid).toBe(true);
-  });
-  it("allows CAST expressions", () => {
-    const result = validateSQL(
-      "SELECT CAST(amount AS VARCHAR) FROM sales"
-    );
-    expect(result.valid).toBe(true);
-  });
-  it("allows COALESCE and CASE", () => {
-    const result = validateSQL(
-      "SELECT COALESCE(name, 'unknown'), CASE WHEN amount > 100 THEN 'high' ELSE 'low' END FROM sales"
-    );
-    expect(result.valid).toBe(true);
-  });
-  // --- Blocked operations ---
-  it("blocks PRAGMA", () => {
-    const result = validateSQL("PRAGMA database_list");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks ATTACH", () => {
-    const result = validateSQL("ATTACH '/tmp/other.duckdb' AS other");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks DETACH", () => {
-    const result = validateSQL("DETACH other");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks INSTALL", () => {
-    const result = validateSQL("INSTALL httpfs");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks EXPORT", () => {
-    const result = validateSQL("EXPORT DATABASE '/tmp/backup'");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks IMPORT", () => {
-    const result = validateSQL("IMPORT DATABASE '/tmp/backup'");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks CHECKPOINT", () => {
-    const result = validateSQL("CHECKPOINT");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks INSERT", () => {
-    const result = validateSQL("INSERT INTO sales VALUES (1, 100)");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks CREATE TABLE", () => {
-    const result = validateSQL("CREATE TABLE foo (id INT)");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks DROP TABLE", () => {
-    const result = validateSQL("DROP TABLE sales");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks DESCRIBE", () => {
-    const result = validateSQL("DESCRIBE sales");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks SHOW", () => {
-    const result = validateSQL("SHOW TABLES");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  // --- Table whitelist ---
-  it("rejects queries on non-whitelisted tables", () => {
-    const result = validateSQL("SELECT * FROM secret_data");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("not in the allowed list");
-  });
-  it("allows queries on whitelisted tables", () => {
-    const result = validateSQL("SELECT * FROM customers");
-    expect(result.valid).toBe(true);
-  });
-  // --- File-reading function blocks ---
-  it("blocks read_csv_auto", () => {
-    const result = validateSQL("SELECT * FROM read_csv_auto('/etc/passwd')");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks read_parquet", () => {
-    const result = validateSQL("SELECT * FROM read_parquet('/data/secret.parquet')");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks read_json_auto", () => {
-    const result = validateSQL("SELECT * FROM read_json_auto('/tmp/data.json')");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks SET", () => {
-    const result = validateSQL("SET memory_limit='100GB'");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks COPY ... TO (via base patterns)", () => {
-    const result = validateSQL("COPY sales TO '/tmp/exfil.csv'");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-  it("blocks LOAD (via base patterns)", () => {
-    const result = validateSQL("LOAD httpfs");
-    expect(result.valid).toBe(false);
-    expect(result.error).toContain("Forbidden");
-  });
-});