proxql 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/LICENSE +201 -0
  2. package/README.md +189 -0
  3. package/dist/index.d.mts +261 -0
  4. package/dist/index.d.ts +261 -0
  5. package/dist/index.js +766 -0
  6. package/dist/index.mjs +734 -0
  7. package/package.json +62 -0
package/dist/index.d.ts ADDED
@@ -0,0 +1,261 @@
1
+ /**
2
+ * Result of a SQL validation check.
3
+ *
4
+ * Can be used in boolean context:
5
+ * ```typescript
6
+ * const result = validate("SELECT * FROM users");
7
+ * if (result) {
8
+ * // Query is safe
9
+ * }
10
+ * ```
11
+ */
12
+ declare class ValidationResult {
13
+ /** Whether the query passed all validation checks */
14
+ readonly isSafe: boolean;
15
+ /** Explanation if the query was blocked (undefined if safe) */
16
+ readonly reason?: string;
17
+ /** The type of SQL statement (SELECT, INSERT, DROP, etc.) */
18
+ readonly statementType?: string;
19
+ /** Tables referenced in the query */
20
+ readonly tables: string[];
21
+ private constructor();
22
+ /**
23
+ * Create a safe validation result.
24
+ */
25
+ static safe(meta?: {
26
+ statementType?: string;
27
+ tables?: string[];
28
+ }): ValidationResult;
29
+ /**
30
+ * Create an unsafe validation result with a reason.
31
+ */
32
+ static unsafe(reason: string, meta?: {
33
+ statementType?: string;
34
+ tables?: string[];
35
+ }): ValidationResult;
36
+ /**
37
+ * Allow using ValidationResult in boolean context.
38
+ * Note: This is for documentation purposes; JS doesn't support operator overloading.
39
+ * Use result.isSafe directly.
40
+ */
41
+ valueOf(): boolean;
42
+ toString(): string;
43
+ }
44
+
45
+ /**
46
+ * Severity levels for security rules.
47
+ */
48
+ declare enum RuleSeverity {
49
+ /** Informational findings (e.g., metadata access) */
50
+ LOW = "LOW",
51
+ /** Suspicious patterns that may indicate attacks */
52
+ MEDIUM = "MEDIUM",
53
+ /** Likely malicious patterns */
54
+ HIGH = "HIGH",
55
+ /** Definitely malicious, immediate threat */
56
+ CRITICAL = "CRITICAL"
57
+ }
58
+ /**
59
+ * Options for SecurityConfig.
60
+ */
61
+ interface SecurityConfigOptions {
62
+ /** Enable/disable all security rules (default: true) */
63
+ enabled?: boolean;
64
+ /** Minimum severity to check (default: HIGH) */
65
+ minimumSeverity?: RuleSeverity | keyof typeof RuleSeverity;
66
+ /** Rule IDs to skip */
67
+ disabledRules?: Set<string> | string[];
68
+ /** If set, ONLY run these rules (whitelist mode) */
69
+ enabledRules?: Set<string> | string[] | null;
70
+ /** Whether LOW severity findings should block queries (default: false) */
71
+ failOnLow?: boolean;
72
+ }
73
+ /**
74
+ * Configuration for security rule behavior.
75
+ */
76
+ declare class SecurityConfig {
77
+ /** Whether security checks are enabled */
78
+ readonly enabled: boolean;
79
+ /** Minimum severity level to check */
80
+ readonly minimumSeverity: RuleSeverity;
81
+ /** Rule IDs that are disabled */
82
+ readonly disabledRules: Set<string>;
83
+ /** If set, only these rules run (whitelist mode) */
84
+ readonly enabledRules: Set<string> | null;
85
+ /** Whether LOW severity should block queries */
86
+ readonly failOnLow: boolean;
87
+ constructor(options?: SecurityConfigOptions);
88
+ /**
89
+ * Check if a rule should run based on this configuration.
90
+ */
91
+ shouldRunRule(ruleId: string, severity: RuleSeverity): boolean;
92
+ /**
93
+ * Check if a finding at this severity should fail validation.
94
+ */
95
+ shouldFail(severity: RuleSeverity): boolean;
96
+ }
97
+
98
+ /**
99
+ * Validation mode.
100
+ */
101
+ type Mode = 'read_only' | 'write_safe' | 'custom';
102
+ /**
103
+ * Options for creating a Validator.
104
+ */
105
+ interface ValidatorOptions {
106
+ /** Validation mode (default: "read_only") */
107
+ mode?: Mode;
108
+ /** Optional list of table names that can be accessed */
109
+ allowedTables?: string[];
110
+ /** For custom mode: statements to allow */
111
+ allowedStatements?: string[];
112
+ /** For custom mode: statements to block */
113
+ blockedStatements?: string[];
114
+ /** SQL dialect for parsing */
115
+ dialect?: string;
116
+ /** Security rule configuration (true/false/SecurityConfig/SecurityConfigOptions) */
117
+ securityConfig?: boolean | SecurityConfig | SecurityConfigOptions;
118
+ }
119
+ /**
120
+ * SQL query validator.
121
+ *
122
+ * For repeated validations with the same configuration, create a Validator
123
+ * instance rather than calling validate() each time.
124
+ *
125
+ * @example
126
+ * ```typescript
127
+ * const validator = new Validator({
128
+ * mode: "read_only",
129
+ * allowedTables: ["products", "categories"]
130
+ * });
131
+ *
132
+ * validator.validate("SELECT * FROM products").isSafe // true
133
+ * validator.validate("SELECT * FROM users").isSafe // false
134
+ * ```
135
+ */
136
+ declare class Validator {
137
+ private readonly mode;
138
+ private readonly allowedTables;
139
+ private readonly allowedStatements;
140
+ private readonly blockedStatements;
141
+ private readonly dialect;
142
+ private readonly securityConfig;
143
+ private readonly parser;
144
+ constructor(options?: ValidatorOptions);
145
+ private initAllowedStatements;
146
+ private initBlockedStatements;
147
+ /**
148
+ * Validate a SQL query.
149
+ */
150
+ validate(sql: string): ValidationResult;
151
+ private mapDialect;
152
+ private getStatementType;
153
+ private checkStatementType;
154
+ private checkTables;
155
+ private extractTables;
156
+ private extractAllTables;
157
+ private walkAst;
158
+ }
159
+
160
+ /**
161
+ * ProxQL - The Database Firewall for AI Agents
162
+ *
163
+ * A SQL validation library that blocks destructive queries from LLM-generated SQL.
164
+ *
165
+ * @example
166
+ * ```typescript
167
+ * import proxql from 'proxql';
168
+ *
169
+ * // Simple validation (read_only mode by default)
170
+ * proxql.validate("SELECT * FROM users").isSafe // true
171
+ * proxql.validate("DROP TABLE users").isSafe // false
172
+ *
173
+ * // Quick boolean check
174
+ * proxql.isSafe("SELECT * FROM users") // true
175
+ *
176
+ * // With custom configuration
177
+ * const { Validator } = proxql;
178
+ * const v = new Validator({ mode: "read_only", allowedTables: ["products"] });
179
+ * v.validate("SELECT * FROM products").isSafe // true
180
+ * v.validate("SELECT * FROM users").isSafe // false
181
+ * ```
182
+ *
183
+ * @packageDocumentation
184
+ */
185
+
186
+ /**
187
+ * Options for the validate() and isSafe() functions.
188
+ */
189
+ interface ValidateOptions {
190
+ /** Validation mode - "read_only", "write_safe", or "custom" */
191
+ mode?: 'read_only' | 'write_safe' | 'custom';
192
+ /** Optional list of table names that can be accessed */
193
+ allowedTables?: string[];
194
+ /** SQL dialect for parsing ('postgres', 'mysql', 'snowflake', etc.) */
195
+ dialect?: string;
196
+ /**
197
+ * Security rule configuration:
198
+ * - true (default): Enable default rules (HIGH+ severity)
199
+ * - false: Disable security rules
200
+ * - SecurityConfig or SecurityConfigOptions: Custom security configuration
201
+ */
202
+ security?: boolean | SecurityConfig | SecurityConfigOptions;
203
+ }
204
+ /**
205
+ * Validate a SQL query.
206
+ *
207
+ * This is the simplest way to use ProxQL. For repeated validations with the
208
+ * same configuration, create a Validator instance for better performance.
209
+ *
210
+ * @param sql - The SQL query string to validate
211
+ * @param options - Validation options
212
+ * @returns ValidationResult with isSafe=true if query passes,
213
+ * or isSafe=false with a reason explaining why it was blocked
214
+ *
215
+ * @example
216
+ * ```typescript
217
+ * import { validate } from 'proxql';
218
+ *
219
+ * // Basic validation (blocks all non-SELECT)
220
+ * validate("SELECT * FROM users").isSafe // true
221
+ * validate("DROP TABLE users").isSafe // false
222
+ *
223
+ * // Allow writes
224
+ * validate("INSERT INTO logs VALUES (1)", { mode: "write_safe" }).isSafe // true
225
+ *
226
+ * // Restrict to specific tables
227
+ * validate("SELECT * FROM users", {
228
+ * allowedTables: ["products", "categories"]
229
+ * }).isSafe // false
230
+ * ```
231
+ */
232
+ declare function validate(sql: string, options?: ValidateOptions): ValidationResult;
233
+ /**
234
+ * Check if a SQL query is safe (convenience wrapper).
235
+ *
236
+ * This is a shorthand for `validate(sql).isSafe`. Use this when you only
237
+ * need a boolean result and don't need the detailed ValidationResult.
238
+ *
239
+ * @param sql - The SQL query string to validate
240
+ * @param options - Validation options
241
+ * @returns true if the query passes all validation checks, false otherwise
242
+ *
243
+ * @example
244
+ * ```typescript
245
+ * import { isSafe } from 'proxql';
246
+ *
247
+ * if (isSafe(userQuery)) {
248
+ * executeQuery(userQuery);
249
+ * } else {
250
+ * throw new Error("Query blocked");
251
+ * }
252
+ * ```
253
+ */
254
+ declare function isSafe(sql: string, options?: ValidateOptions): boolean;
255
+ declare const _default: {
256
+ validate: typeof validate;
257
+ isSafe: typeof isSafe;
258
+ Validator: typeof Validator;
259
+ };
260
+
261
+ export { type Mode, RuleSeverity, SecurityConfig, type SecurityConfigOptions, type ValidateOptions, ValidationResult, Validator, type ValidatorOptions, _default as default, isSafe, validate };