agent-sql 0.3.1 → 0.3.2

package/dist/index.mjs

@@ -778,7 +778,12 @@ function checkWhereExpr(expr, allowed) {
 function defineSchema(schema) {
 	return schema;
 }
-function checkJoins(ast, schema) {
+function validateJoins(ast, schema) {
+	const ast2 = checkJoinColumns(ast, schema);
+	if (!ast2.ok) return ast2;
+	return checkJoinContinuity(ast);
+}
+function checkJoinColumns(ast, schema) {
 	if (schema === void 0) {
 		if (ast.joins.length > 0) return Err(new SanitiseError("No joins allowed when using simple API without schema."));
 		return Ok(ast);
@@ -811,6 +816,122 @@ function getJoinTableRef(joinTableName, left, right) {
 		foreign: left
 	};
 }
+/**
+* Validates that all tables in the query's FROM/JOIN clauses form a single
+* connected component via the ON predicates. A disconnected table would produce
+* an implicit cross product which can leak data across tenants.
+*
+* Returns the AST unchanged if valid, or a SanitiseError listing the
+* disconnected tables.
+*/
+function checkJoinContinuity(ast) {
+	if (ast.joins.length === 0) return Ok(ast);
+	const tables = /* @__PURE__ */ new Set();
+	tables.add(ast.from.table.name);
+	for (const join of ast.joins) tables.add(join.table.name);
+	if (tables.size <= 1) return Ok(ast);
+	const adjacency = /* @__PURE__ */ new Map();
+	for (const table of tables) adjacency.set(table, /* @__PURE__ */ new Set());
+	for (const join of ast.joins) {
+		if (join.condition === null) continue;
+		if (join.condition.type === "join_using") continue;
+		const referencedTables = /* @__PURE__ */ new Set();
+		collectTableRefsFromExpr(join.condition.expr, referencedTables);
+		const relevantTables = [];
+		for (const t of referencedTables) if (tables.has(t)) relevantTables.push(t);
+		for (let i = 0; i < relevantTables.length; i++) for (let j = i + 1; j < relevantTables.length; j++) {
+			adjacency.get(relevantTables[i]).add(relevantTables[j]);
+			adjacency.get(relevantTables[j]).add(relevantTables[i]);
+		}
+	}
+	const start = ast.from.table.name;
+	const visited = /* @__PURE__ */ new Set();
+	const queue = [start];
+	visited.add(start);
+	while (queue.length > 0) {
+		const current = queue.shift();
+		for (const neighbor of adjacency.get(current) ?? []) if (!visited.has(neighbor)) {
+			visited.add(neighbor);
+			queue.push(neighbor);
+		}
+	}
+	if (visited.size === tables.size) return Ok(ast);
+	const disconnected = [];
+	for (const table of tables) if (!visited.has(table)) disconnected.push(table);
+	disconnected.sort();
+	return Err(new SanitiseError(`Disconnected table(s) in query: ${disconnected.join(", ")}. All tables must be connected via JOIN ON predicates.`));
+}
+/** Recursively collect table names from column references in a WhereExpr. */
+function collectTableRefsFromExpr(expr, out) {
+	switch (expr.type) {
+		case "where_and":
+		case "where_or":
+			collectTableRefsFromExpr(expr.left, out);
+			collectTableRefsFromExpr(expr.right, out);
+			break;
+		case "where_not":
+			collectTableRefsFromExpr(expr.expr, out);
+			break;
+		case "where_comparison":
+			collectTableRefsFromValue(expr.left, out);
+			collectTableRefsFromValue(expr.right, out);
+			break;
+		case "where_is_null":
+			collectTableRefsFromValue(expr.expr, out);
+			break;
+		case "where_is_bool":
+			collectTableRefsFromValue(expr.expr, out);
+			break;
+		case "where_between":
+			collectTableRefsFromValue(expr.expr, out);
+			collectTableRefsFromValue(expr.low, out);
+			collectTableRefsFromValue(expr.high, out);
+			break;
+		case "where_in":
+			collectTableRefsFromValue(expr.expr, out);
+			for (const v of expr.list) collectTableRefsFromValue(v, out);
+			break;
+		case "where_like":
+			collectTableRefsFromValue(expr.expr, out);
+			collectTableRefsFromValue(expr.pattern, out);
+			break;
+		case "where_ts_match":
+			collectTableRefsFromValue(expr.left, out);
+			collectTableRefsFromValue(expr.right, out);
+			break;
+	}
+}
+/** Recursively collect table names from column references in a WhereValue. */
+function collectTableRefsFromValue(val, out) {
+	switch (val.type) {
+		case "where_value":
+			if (val.kind === "column_ref" && val.ref.table) out.add(val.ref.table);
+			else if (val.kind === "func_call") {
+				if (val.func.args.kind === "args") for (const arg of val.func.args.args) collectTableRefsFromValue(arg, out);
+			}
+			break;
+		case "where_arith":
+		case "where_jsonb_op":
+		case "where_pgvector_op":
+			collectTableRefsFromValue(val.left, out);
+			collectTableRefsFromValue(val.right, out);
+			break;
+		case "where_unary_minus":
+			collectTableRefsFromValue(val.expr, out);
+			break;
+		case "case_expr":
+			if (val.subject) collectTableRefsFromValue(val.subject, out);
+			for (const w of val.whens) {
+				collectTableRefsFromValue(w.condition, out);
+				collectTableRefsFromValue(w.result, out);
+			}
+			if (val.else) collectTableRefsFromValue(val.else, out);
+			break;
+		case "cast_expr":
+			collectTableRefsFromValue(val.expr, out);
+			break;
+	}
+}
 //#endregion
 //#region src/graph.ts
 function insertNeededGuardJoins(ast, schema, guards, autoJoin) {
@@ -7375,7 +7496,7 @@ function privateAgentSql(sql, { guards: guardsRaw, schema, autoJoin, limit, pret
 	if (!guards.ok) throw guards.error;
 	const ast = parseSql(sql);
 	if (!ast.ok) return returnOrThrow(ast, throws);
-	const ast2 = checkJoins(ast.data, schema);
+	const ast2 = validateJoins(ast.data, schema);
 	if (!ast2.ok) return returnOrThrow(ast2, throws);
 	const ast3 = checkFunctions(ast2.data, db, allowExtraFunctions);
 	if (!ast3.ok) return returnOrThrow(ast3, throws);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-sql",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "description": "A starter for creating a TypeScript package.",
   "keywords": [
     "agent",