sql-guard 0.1.0

package/dist/esm/index.js

@@ -0,0 +1,1001 @@
+// src/parser/adapter.ts
+import { Parser } from "node-sql-parser";
+
+// src/analysis/functions.ts
+function extractAllFunctions(ast) {
+  const functions = [];
+  const visited = new Set;
+  function addFunction(name, schema) {
+    if (typeof name !== "string" || name.length === 0)
+      return;
+    functions.push({
+      name: name.toLowerCase(),
+      schema: typeof schema === "string" && schema.length > 0 ? schema.toLowerCase() : undefined
+    });
+  }
+  function traverse(node) {
+    if (!node || typeof node !== "object")
+      return;
+    if (visited.has(node))
+      return;
+    visited.add(node);
+    const typed = node;
+    const identity = extractFunctionIdentity(typed);
+    if (identity)
+      addFunction(identity.name, identity.schema);
+    for (const value of Object.values(typed)) {
+      if (value && typeof value === "object")
+        traverse(value);
+    }
+  }
+  traverse(ast);
+  const seen = new Set;
+  return functions.filter((fn) => {
+    const key = `${fn.schema ?? ""}.${fn.name}`;
+    if (seen.has(key))
+      return false;
+    seen.add(key);
+    return true;
+  });
+}
+function extractFunctionIdentity(node) {
+  if (node.type === "aggr_func") {
+    if (typeof node.name === "string" && node.name.length > 0) {
+      return { name: node.name.toLowerCase() };
+    }
+    return null;
+  }
+  if (node.type !== "function") {
+    return null;
+  }
+  const fnName = asRecord(node.name);
+  const schemaNode = asRecord(fnName.schema);
+  const schema = typeof schemaNode.value === "string" ? schemaNode.value : undefined;
+  if (typeof fnName.name === "string" && fnName.name.length > 0) {
+    return { name: fnName.name.toLowerCase(), schema: schema?.toLowerCase() };
+  }
+  if (Array.isArray(fnName.name)) {
+    for (const part of fnName.name) {
+      const partRecord = asRecord(part);
+      if (typeof partRecord.value === "string" && partRecord.value.length > 0) {
+        return { name: partRecord.value.toLowerCase(), schema: schema?.toLowerCase() };
+      }
+    }
+  }
+  return null;
+}
+function asRecord(value) {
+  if (value && typeof value === "object") {
+    return value;
+  }
+  return {};
+}
+
+// src/analysis/relations.ts
+function extractAllTables(ast) {
+  const tables = [];
+  const visited = new Set;
+  function addTable(schema, name, alias, cteScope) {
+    if (typeof name !== "string" || name.length === 0)
+      return;
+    const hasSchema = typeof schema === "string" && schema.length > 0;
+    if (!hasSchema && cteScope.has(canonicalName(name))) {
+      return;
+    }
+    tables.push({
+      schema: hasSchema ? schema : undefined,
+      name,
+      alias: typeof alias === "string" ? alias : undefined
+    });
+  }
+  function traverse(node, inheritedCtes) {
+    if (!node || typeof node !== "object")
+      return;
+    if (visited.has(node))
+      return;
+    visited.add(node);
+    const typed = node;
+    const localCtes = buildLocalCteScope(typed.with, inheritedCtes);
+    if (Array.isArray(typed.with)) {
+      for (const cte of typed.with) {
+        const cteNode = asRecord2(cte);
+        if (cteNode.stmt) {
+          traverse(cteNode.stmt, localCtes);
+        }
+      }
+    }
+    if (Array.isArray(typed.from)) {
+      for (const item of typed.from) {
+        extractFromItem(item, localCtes, addTable, traverse);
+      }
+    }
+    if (Array.isArray(typed.join)) {
+      for (const join of typed.join) {
+        const joinItem = asRecord2(join);
+        addTable(joinItem.db, joinItem.table, joinItem.as, localCtes);
+        if (joinItem.expr) {
+          traverse(joinItem.expr, localCtes);
+        }
+      }
+    }
+    if (isRelationStatementType(typed.type)) {
+      collectStatementTableTargets(typed.table, localCtes, addTable);
+    }
+    for (const [key, value] of Object.entries(typed)) {
+      if (key === "with")
+        continue;
+      if (value && typeof value === "object") {
+        traverse(value, localCtes);
+      }
+    }
+  }
+  traverse(ast, new Set);
+  const seen = new Set;
+  return tables.filter((table) => {
+    const key = `${(table.schema ?? "").toLowerCase()}.${table.name.toLowerCase()}`;
+    if (seen.has(key))
+      return false;
+    seen.add(key);
+    return true;
+  });
+}
+function extractFromItem(item, cteScope, addTable, traverse) {
+  if (!item || typeof item !== "object")
+    return;
+  const typed = item;
+  addTable(typed.db, typed.table, typed.as, cteScope);
+  if (typed.expr && typeof typed.expr === "object") {
+    traverse(typed.expr, cteScope);
+  }
+}
+function extractCteName(value) {
+  if (typeof value === "string")
+    return value;
+  if (!value || typeof value !== "object")
+    return null;
+  const typed = value;
+  if (typeof typed.value === "string" && typed.value.length > 0) {
+    return typed.value;
+  }
+  return null;
+}
+function buildLocalCteScope(withClause, inherited) {
+  const local = new Set(inherited);
+  if (!Array.isArray(withClause)) {
+    return local;
+  }
+  for (const cte of withClause) {
+    const cteNode = asRecord2(cte);
+    const cteName = extractCteName(cteNode.name);
+    if (cteName) {
+      local.add(canonicalName(cteName));
+    }
+  }
+  return local;
+}
+function collectStatementTableTargets(tableNode, cteScope, addTable) {
+  if (Array.isArray(tableNode)) {
+    for (const tableItem of tableNode) {
+      const tableRecord = asRecord2(tableItem);
+      addTable(tableRecord.db, tableRecord.table, tableRecord.as, cteScope);
+    }
+    return;
+  }
+  if (tableNode && typeof tableNode === "object") {
+    const tableRecord = asRecord2(tableNode);
+    addTable(tableRecord.db, tableRecord.table, tableRecord.as, cteScope);
+    return;
+  }
+  if (typeof tableNode === "string") {
+    addTable(undefined, tableNode, undefined, cteScope);
+  }
+}
+function isRelationStatementType(type) {
+  if (typeof type !== "string") {
+    return false;
+  }
+  const normalized = type.toLowerCase();
+  return normalized === "insert" || normalized === "update" || normalized === "delete";
+}
+function canonicalName(name) {
+  if (name.startsWith('"') && name.endsWith('"') && name.length >= 2) {
+    return name.slice(1, -1).toLowerCase();
+  }
+  return name.toLowerCase();
+}
+function asRecord2(value) {
+  if (value && typeof value === "object") {
+    return value;
+  }
+  return {};
+}
+
+// src/parser/adapter.ts
+var parser = new Parser;
+function parseSql(sql, dialect = "postgresql") {
+  try {
+    const ast = parser.astify(sql, { database: dialect });
+    const statements = Array.isArray(ast) ? ast : [ast];
+    return {
+      success: true,
+      statements: statements.map((statementAst) => astToParsedStatement(statementAst))
+    };
+  } catch (error) {
+    return {
+      success: false,
+      statements: [],
+      error: {
+        message: error instanceof Error ? error.message : "Parse error",
+        location: extractParserErrorLocation(error)
+      }
+    };
+  }
+}
+function astToParsedStatement(ast) {
+  const typed = asRecord3(ast);
+  return {
+    type: extractStatementType(typed),
+    tables: extractAllTables(ast),
+    functions: extractAllFunctions(ast),
+    raw: ast
+  };
+}
+function extractStatementType(ast) {
+  const type = String(ast.type || "").toLowerCase();
+  if (["select", "insert", "update", "delete"].includes(type)) {
+    return type;
+  }
+  return "unknown";
+}
+function asRecord3(value) {
+  if (typeof value === "object" && value !== null) {
+    return value;
+  }
+  return {};
+}
+function extractParserErrorLocation(error) {
+  if (!error || typeof error !== "object")
+    return;
+  const loc = error.location;
+  const start = loc && typeof loc === "object" ? loc.start : undefined;
+  if (start && typeof start.line === "number" && typeof start.column === "number") {
+    return { line: start.line, column: start.column };
+  }
+  if (loc && typeof loc === "object" && typeof loc.line === "number" && typeof loc.column === "number") {
+    return { line: loc.line, column: loc.column };
+  }
+  return;
+}
+
+// src/types/public.ts
+var ErrorCode;
+((ErrorCode2) => {
+  ErrorCode2["PARSE_ERROR"] = "PARSE_ERROR";
+  ErrorCode2["UNSUPPORTED_SQL_FEATURE"] = "UNSUPPORTED_SQL_FEATURE";
+  ErrorCode2["TABLE_NOT_ALLOWED"] = "TABLE_NOT_ALLOWED";
+  ErrorCode2["STATEMENT_NOT_ALLOWED"] = "STATEMENT_NOT_ALLOWED";
+  ErrorCode2["FUNCTION_NOT_ALLOWED"] = "FUNCTION_NOT_ALLOWED";
+  ErrorCode2["MULTI_STATEMENT_DISABLED"] = "MULTI_STATEMENT_DISABLED";
+  ErrorCode2["INVALID_POLICY"] = "INVALID_POLICY";
+})(ErrorCode ||= {});
+
+class SqlValidationError extends Error {
+  code;
+  violations;
+  constructor(message, code, violations) {
+    super(message);
+    this.code = code;
+    this.violations = violations;
+    this.name = "SqlValidationError";
+  }
+}
+
+// src/policy/function.ts
+function checkFunctionsAllowed(functions, policy) {
+  const allowlists = compileFunctionAllowlists(policy.allowedFunctions ?? []);
+  return checkFunctionsAllowedWithAllowlists(functions, allowlists);
+}
+function checkFunctionsAllowedCompiled(functions, policy) {
+  return checkFunctionsAllowedWithAllowlists(functions, {
+    unqualified: policy.allowedFunctionsUnqualified,
+    qualified: policy.allowedFunctionsQualified
+  });
+}
+function checkFunctionsAllowedWithAllowlists(functions, allowlists) {
+  if (functions.length === 0) {
+    return { allowed: true, violations: [] };
+  }
+  const violations = [];
+  const seenViolations = new Set;
+  for (const fn of functions) {
+    const normalizedName = fn.name.toLowerCase();
+    const normalizedSchema = typeof fn.schema === "string" ? fn.schema.toLowerCase() : undefined;
+    const allowed = normalizedSchema ? allowlists.qualified.has(`${normalizedSchema}.${normalizedName}`) : allowlists.unqualified.has(normalizedName);
+    if (allowed)
+      continue;
+    const key = `${normalizedSchema ?? ""}.${normalizedName}`;
+    if (seenViolations.has(key))
+      continue;
+    seenViolations.add(key);
+    violations.push({
+      name: normalizedName,
+      schema: normalizedSchema
+    });
+  }
+  if (violations.length === 0) {
+    return { allowed: true, violations: [] };
+  }
+  return {
+    allowed: false,
+    errorCode: "FUNCTION_NOT_ALLOWED" /* FUNCTION_NOT_ALLOWED */,
+    errorMessage: `Functions not allowed: ${violations.map(formatViolation).join(", ")}`,
+    violations
+  };
+}
+function normalize(value) {
+  return value.toLowerCase().trim();
+}
+function compileFunctionAllowlists(allowedFunctions) {
+  const unqualified = new Set;
+  const qualified = new Set;
+  for (const rawEntry of allowedFunctions) {
+    const entry = normalize(rawEntry);
+    if (!entry)
+      continue;
+    const parts = entry.split(".");
+    if (parts.length === 1 && parts[0].length > 0) {
+      unqualified.add(parts[0]);
+      continue;
+    }
+    if (parts.length === 2 && parts[0].length > 0 && parts[1].length > 0) {
+      qualified.add(`${parts[0]}.${parts[1]}`);
+    }
+  }
+  return { unqualified, qualified };
+}
+function formatViolation(violation) {
+  if (violation.schema) {
+    return `${violation.schema}.${violation.name}`;
+  }
+  return violation.name;
+}
+
+// src/normalize/qualified-name.ts
+function parseQualifiedName(value, mode = "strict") {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const segments = splitQualifiedNameSegments(value.trim());
+  if (!segments || segments.length !== 2) {
+    return null;
+  }
+  const schemaSegment = parseIdentifierSegment(segments[0]);
+  const nameSegment = parseIdentifierSegment(segments[1]);
+  if (!schemaSegment || !nameSegment) {
+    return null;
+  }
+  const schema = canonicalizeIdentifier(schemaSegment.value, mode);
+  const name = canonicalizeIdentifier(nameSegment.value, mode);
+  if (!schema || !name) {
+    return null;
+  }
+  return {
+    schema,
+    name,
+    fullyQualified: `${schema}.${name}`
+  };
+}
+function canonicalizeIdentifier(value, mode) {
+  const trimmed = value.trim();
+  return mode === "caseInsensitive" ? trimmed.toLowerCase() : trimmed;
+}
+function parseIdentifierSegment(value) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return null;
+  }
+  const hasLeadingQuote = trimmed.startsWith('"');
+  const hasTrailingQuote = trimmed.endsWith('"');
+  if (hasLeadingQuote || hasTrailingQuote) {
+    if (!(hasLeadingQuote && hasTrailingQuote && trimmed.length >= 2)) {
+      return null;
+    }
+    const inner = trimmed.slice(1, -1).replace(/""/g, '"');
+    if (!inner) {
+      return null;
+    }
+    return { value: inner };
+  }
+  if (trimmed.includes('"')) {
+    return null;
+  }
+  return { value: trimmed };
+}
+function splitQualifiedNameSegments(value) {
+  if (!value) {
+    return null;
+  }
+  const parts = [];
+  let current = "";
+  let inQuotes = false;
+  for (let i = 0;i < value.length; i++) {
+    const ch = value[i];
+    if (ch === '"') {
+      current += ch;
+      if (inQuotes && value[i + 1] === '"') {
+        current += '"';
+        i++;
+        continue;
+      }
+      inQuotes = !inQuotes;
+      continue;
+    }
+    if (ch === "." && !inQuotes) {
+      parts.push(current);
+      current = "";
+      continue;
+    }
+    current += ch;
+  }
+  if (inQuotes) {
+    return null;
+  }
+  parts.push(current);
+  return parts;
+}
+
+// src/normalize/identifier.ts
+function normalizeTableReference(ref, policy, mode = policy.tableIdentifierMatching ?? "strict") {
+  if (ref.schema) {
+    const schema = normalizeIdentifier(ref.schema, mode);
+    const name = normalizeIdentifier(ref.name, mode);
+    return {
+      success: true,
+      table: {
+        schema,
+        name,
+        fullyQualified: `${schema}.${name}`
+      }
+    };
+  }
+  if (policy.resolver) {
+    let resolved;
+    try {
+      resolved = policy.resolver(ref.name);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return {
+        success: false,
+        error: `Resolver threw while resolving '${ref.name}': ${msg}`
+      };
+    }
+    if (typeof resolved === "string" && resolved.trim().length > 0) {
+      const parsed = parseQualifiedName(resolved, mode);
+      if (!parsed) {
+        return {
+          success: false,
+          error: `Resolver returned invalid table '${resolved}'. Expected 'schema.table'`
+        };
+      }
+      return {
+        success: true,
+        table: {
+          schema: parsed.schema,
+          name: parsed.name,
+          fullyQualified: `${parsed.schema}.${parsed.name}`
+        }
+      };
+    }
+  }
+  return {
+    success: false,
+    error: `Unqualified table reference '${ref.name}' not allowed without resolver`
+  };
+}
+function normalizeIdentifier(ident, mode) {
+  const trimmed = ident.trim();
+  if (trimmed.startsWith('"') && trimmed.endsWith('"') && trimmed.length >= 2) {
+    return canonicalizeIdentifier(trimmed.slice(1, -1).replace(/""/g, '"'), mode);
+  }
+  return canonicalizeIdentifier(trimmed, mode);
+}
+function isTableAllowed(normalized, allowedTables, mode = "strict") {
+  const wanted = `${canonicalizeIdentifier(normalized.schema, mode)}.${canonicalizeIdentifier(normalized.name, mode)}`;
+  if (allowedTables instanceof Set) {
+    return allowedTables.has(wanted);
+  }
+  for (const table of allowedTables) {
+    const parsed = parseQualifiedName(table, mode);
+    if (parsed && parsed.fullyQualified === wanted) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/policy/statement.ts
+function isStatementAllowed(statement, policy) {
+  const type = statement.type;
+  if (type === "unknown") {
+    return {
+      allowed: false,
+      errorCode: "STATEMENT_NOT_ALLOWED" /* STATEMENT_NOT_ALLOWED */,
+      errorMessage: "Unknown statement type not allowed"
+    };
+  }
+  const allowedStatements = policy.allowedStatements ?? ["select"];
+  if (!allowedStatements.includes(type)) {
+    return {
+      allowed: false,
+      errorCode: "STATEMENT_NOT_ALLOWED" /* STATEMENT_NOT_ALLOWED */,
+      errorMessage: `Statement type '${type}' not allowed. Allowed: ${allowedStatements.join(", ")}`
+    };
+  }
+  return { allowed: true };
+}
+function checkMultiStatementPolicy(statements, policy) {
+  const allowMulti = policy.allowMultiStatement ?? false;
+  if (!allowMulti && statements.length > 1) {
+    return {
+      allowed: false,
+      errorCode: "MULTI_STATEMENT_DISABLED" /* MULTI_STATEMENT_DISABLED */,
+      errorMessage: `Multiple statements not allowed. Found ${statements.length} statements.`
+    };
+  }
+  return { allowed: true };
+}
+
+// src/policy/fail-closed.ts
+var SUPPORTED_TYPES = new Set(["select", "insert", "update", "delete"]);
+var WRITE_STATEMENT_TYPES = new Set(["insert", "update", "delete"]);
+var UNSUPPORTED_TYPES = new Set([
+  "proc",
+  "trigger",
+  "drop",
+  "create",
+  "alter",
+  "grant",
+  "revoke",
+  "truncate",
+  "merge",
+  "lock",
+  "unlock",
+  "declare",
+  "set",
+  "show",
+  "analyze",
+  "explain",
+  "copy"
+]);
+var UNCERTAINTY_KEYS = new Set([
+  "partial",
+  "ispartial",
+  "incomplete",
+  "uncertain",
+  "isuncertain",
+  "ambiguous",
+  "hasambiguity",
+  "parseruncertain",
+  "parser_uncertain"
+]);
+function checkUnsupportedFeatures(ast) {
+  const type = extractStatementType2(ast);
+  if (UNSUPPORTED_TYPES.has(type)) {
+    return {
+      supported: false,
+      errorCode: "UNSUPPORTED_SQL_FEATURE" /* UNSUPPORTED_SQL_FEATURE */,
+      errorMessage: `Statement type '${type}' is not supported`
+    };
+  }
+  if (!SUPPORTED_TYPES.has(type)) {
+    return {
+      supported: false,
+      errorCode: "UNSUPPORTED_SQL_FEATURE" /* UNSUPPORTED_SQL_FEATURE */,
+      errorMessage: `Unknown statement type '${type}' is not supported`
+    };
+  }
+  if (hasRecursiveCte(ast)) {
+    return {
+      supported: false,
+      errorCode: "UNSUPPORTED_SQL_FEATURE" /* UNSUPPORTED_SQL_FEATURE */,
+      errorMessage: "Recursive CTE is not supported"
+    };
+  }
+  if (hasSelectInto(ast, type)) {
+    return {
+      supported: false,
+      errorCode: "UNSUPPORTED_SQL_FEATURE" /* UNSUPPORTED_SQL_FEATURE */,
+      errorMessage: "SELECT INTO is not supported"
+    };
+  }
+  const nestedWrite = findNestedWriteStatement(ast);
+  if (nestedWrite) {
+    return {
+      supported: false,
+      errorCode: "UNSUPPORTED_SQL_FEATURE" /* UNSUPPORTED_SQL_FEATURE */,
+      errorMessage: `Nested write statement '${nestedWrite.type}' is not supported at '${nestedWrite.path}'`
+    };
+  }
+  const uncertaintyPath = findUncertaintyMarker(ast);
+  if (uncertaintyPath) {
+    return {
+      supported: false,
+      errorCode: "UNSUPPORTED_SQL_FEATURE" /* UNSUPPORTED_SQL_FEATURE */,
+      errorMessage: `Parser uncertainty detected at '${uncertaintyPath}'`
+    };
+  }
+  return { supported: true };
+}
+function hasRecursiveCte(ast) {
+  if (typeof ast !== "object" || ast === null) {
+    return false;
+  }
+  const root = ast;
+  const withClause = root.with;
+  if (!Array.isArray(withClause)) {
+    return false;
+  }
+  for (const withItem of withClause) {
+    const item = asRecord4(withItem);
+    if (item.recursive === true) {
+      return true;
+    }
+  }
+  return false;
+}
+function hasSelectInto(ast, statementType) {
+  if (statementType !== "select") {
+    return false;
+  }
+  if (typeof ast !== "object" || ast === null) {
+    return false;
+  }
+  const root = ast;
+  const into = root.into;
+  if (into === null || into === undefined) {
+    return false;
+  }
+  if (typeof into === "string") {
+    return into.trim().length > 0;
+  }
+  if (typeof into !== "object") {
+    return true;
+  }
+  const intoRecord = into;
+  if (Object.hasOwn(intoRecord, "expr")) {
+    const expr = intoRecord.expr;
+    if (typeof expr === "string") {
+      return expr.trim().length > 0;
+    }
+    return expr !== null && expr !== undefined;
+  }
+  if (Object.hasOwn(intoRecord, "table")) {
+    const table = intoRecord.table;
+    if (typeof table === "string") {
+      return table.trim().length > 0;
+    }
+    return table !== null && table !== undefined;
+  }
+  return false;
+}
+function findNestedWriteStatement(value, path = "ast", depth = 0, seen = new Set) {
+  if (typeof value !== "object" || value === null) {
+    return null;
+  }
+  if (seen.has(value)) {
+    return null;
+  }
+  seen.add(value);
+  if (Array.isArray(value)) {
+    for (let i = 0;i < value.length; i++) {
+      const found = findNestedWriteStatement(value[i], `${path}[${i}]`, depth + 1, seen);
+      if (found) {
+        return found;
+      }
+    }
+    return null;
+  }
+  const record = value;
+  const type = typeof record.type === "string" ? record.type.toLowerCase() : "";
+  if (depth > 0 && WRITE_STATEMENT_TYPES.has(type)) {
+    return { type, path };
+  }
+  for (const [key, nested] of Object.entries(record)) {
+    const found = findNestedWriteStatement(nested, `${path}.${key}`, depth + 1, seen);
+    if (found) {
+      return found;
+    }
+  }
+  return null;
+}
+function findUncertaintyMarker(value, path = "ast", seen = new Set) {
+  if (typeof value !== "object" || value === null) {
+    return null;
+  }
+  if (seen.has(value)) {
+    return null;
+  }
+  seen.add(value);
+  if (Array.isArray(value)) {
+    for (let i = 0;i < value.length; i++) {
+      const found = findUncertaintyMarker(value[i], `${path}[${i}]`, seen);
+      if (found) {
+        return found;
+      }
+    }
+    return null;
+  }
+  const record = value;
+  for (const [key, nestedValue] of Object.entries(record)) {
+    const normalizedKey = key.toLowerCase();
+    if (UNCERTAINTY_KEYS.has(normalizedKey) && nestedValue === true) {
+      return `${path}.${key}`;
+    }
+    if ((normalizedKey === "errors" || normalizedKey === "warnings") && Array.isArray(nestedValue) && nestedValue.length > 0) {
+      return `${path}.${key}`;
+    }
+    const found = findUncertaintyMarker(nestedValue, `${path}.${key}`, seen);
+    if (found) {
+      return found;
+    }
+  }
+  return null;
+}
+function asRecord4(value) {
+  if (typeof value === "object" && value !== null) {
+    return value;
+  }
+  return {};
+}
+function extractStatementType2(ast) {
+  if (!ast || typeof ast !== "object") {
+    return "unknown";
+  }
+  const typed = ast;
+  return String(typed.type || "unknown").toLowerCase();
+}
+
+// src/policy/compile-policy.ts
+function compilePolicy(policy) {
+  if (!Array.isArray(policy.allowedTables)) {
+    return invalidPolicy("Policy 'allowedTables' must be an array of schema-qualified names");
+  }
+  const tableIdentifierMatching = policy.tableIdentifierMatching ?? "strict";
+  if (tableIdentifierMatching !== "strict" && tableIdentifierMatching !== "caseInsensitive") {
+    return invalidPolicy("Policy 'tableIdentifierMatching' must be either 'strict' or 'caseInsensitive'");
+  }
+  const allowedTables = new Set;
+  for (const table of policy.allowedTables) {
+    const canonical = canonicalizeQualifiedName(table, tableIdentifierMatching);
+    if (!canonical) {
+      return invalidPolicy(`Policy entry '${String(table)}' is invalid. allowedTables entries must be schema-qualified as 'schema.table'`);
+    }
+    allowedTables.add(canonical);
+  }
+  const allowedFunctionsUnqualified = new Set;
+  const allowedFunctionsQualified = new Set;
+  if (policy.allowedFunctions !== undefined && !Array.isArray(policy.allowedFunctions)) {
+    return invalidPolicy("Policy 'allowedFunctions' must be an array when provided");
+  }
+  if (policy.allowedStatements !== undefined && !Array.isArray(policy.allowedStatements)) {
+    return invalidPolicy("Policy 'allowedStatements' must be an array when provided");
+  }
+  for (const fn of policy.allowedFunctions ?? []) {
+    const canonicalFunction = canonicalizeFunctionEntry(fn);
+    if (!canonicalFunction) {
+      return invalidPolicy(`Policy entry '${String(fn)}' is invalid. allowedFunctions entries must be 'function' or 'schema.function'`);
+    }
+    if (canonicalFunction.kind === "qualified") {
+      allowedFunctionsQualified.add(canonicalFunction.value);
+    } else {
+      allowedFunctionsUnqualified.add(canonicalFunction.value);
+    }
+  }
+  return {
+    success: true,
+    compiled: {
+      allowedTables,
+      allowedFunctionsUnqualified,
+      allowedFunctionsQualified,
+      tableIdentifierMatching
+    }
+  };
+}
+function canonicalizeFunctionEntry(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const cleaned = value.trim().toLowerCase();
+  if (!cleaned) {
+    return null;
+  }
+  const parts = cleaned.split(".");
+  if (parts.length === 1 && parts[0].length > 0) {
+    return { kind: "unqualified", value: parts[0] };
+  }
+  if (parts.length === 2 && parts[0].length > 0 && parts[1].length > 0) {
+    return { kind: "qualified", value: `${parts[0]}.${parts[1]}` };
+  }
+  return null;
+}
+function canonicalizeQualifiedName(value, mode = "strict") {
+  const parsed = parseQualifiedName(value, mode);
+  return parsed?.fullyQualified ?? null;
+}
+function invalidPolicy(message) {
+  return {
+    success: false,
+    errorCode: "INVALID_POLICY" /* INVALID_POLICY */,
+    violation: {
+      type: "policy",
+      message
+    }
+  };
+}
+
+// src/policy/engine.ts
+var METADATA_SCHEMAS = new Set(["information_schema", "pg_catalog"]);
+function validateAgainstPolicy(sql, policy) {
+  const compiledPolicyResult = compilePolicy(policy);
+  if (!compiledPolicyResult.success) {
+    return {
+      ok: false,
+      violations: [compiledPolicyResult.violation],
+      errorCode: compiledPolicyResult.errorCode
+    };
+  }
+  const compiledPolicy = compiledPolicyResult.compiled;
+  const parsed = parseSql(sql);
+  if (!parsed.success) {
+    const parseViolation = {
+      type: "parse",
+      message: parsed.error?.message ?? "Parse error",
+      location: parsed.error?.location
+    };
+    return {
+      ok: false,
+      violations: [parseViolation],
+      errorCode: "PARSE_ERROR" /* PARSE_ERROR */
+    };
+  }
+  const violations = [];
+  const seenViolations = new Set;
+  const errorCodes = [];
+  for (const statement of parsed.statements) {
+    const unsupportedCheck = checkUnsupportedFeatures(statement.raw);
+    if (!unsupportedCheck.supported) {
+      return {
+        ok: false,
+        violations: [
+          {
+            type: "unsupported",
+            message: unsupportedCheck.errorMessage ?? "Unsupported SQL feature"
+          }
+        ],
+        errorCode: unsupportedCheck.errorCode ?? "UNSUPPORTED_SQL_FEATURE" /* UNSUPPORTED_SQL_FEATURE */
+      };
+    }
+  }
+  const multiStatementCheck = checkMultiStatementPolicy(parsed.statements, policy);
+  if (!multiStatementCheck.allowed) {
+    pushViolation(violations, seenViolations, {
+      type: "statement",
+      message: multiStatementCheck.errorMessage ?? "Multiple statements not allowed"
+    }, multiStatementCheck.errorCode, errorCodes);
+  }
+  for (const statement of parsed.statements) {
+    const statementCheck = isStatementAllowed(statement, policy);
+    if (!statementCheck.allowed) {
+      pushViolation(violations, seenViolations, {
+        type: "statement",
+        message: statementCheck.errorMessage ?? `Statement type '${statement.type}' not allowed`
+      }, statementCheck.errorCode, errorCodes);
+    }
+    for (const tableRef of statement.tables) {
+      const normalized = normalizeTableReference(tableRef, policy, compiledPolicy.tableIdentifierMatching);
+      if (!normalized.success || !normalized.table) {
+        pushViolation(violations, seenViolations, {
+          type: "table",
+          message: normalized.error ?? `Table '${tableRef.name}' is not allowed`,
+          location: tableRef.location
+        }, "TABLE_NOT_ALLOWED" /* TABLE_NOT_ALLOWED */, errorCodes);
+        continue;
+      }
+      const metadataDenied = isMetadataTableDenied(normalized.table.schema, normalized.table.fullyQualified, compiledPolicy);
+      const tableAllowed = isTableAllowed(normalized.table, compiledPolicy.allowedTables, compiledPolicy.tableIdentifierMatching);
+      if (metadataDenied || !tableAllowed) {
+        const message = metadataDenied ? `Metadata table '${normalized.table.fullyQualified}' is not allowed` : `Table '${normalized.table.fullyQualified}' is not allowed`;
+        pushViolation(violations, seenViolations, {
+          type: "table",
+          message,
+          location: tableRef.location
+        }, "TABLE_NOT_ALLOWED" /* TABLE_NOT_ALLOWED */, errorCodes);
+      }
+    }
+    const functionCheck = checkFunctionsAllowedCompiled(statement.functions, compiledPolicy);
+    if (!functionCheck.allowed) {
+      for (const violation of functionCheck.violations) {
+        pushViolation(violations, seenViolations, {
+          type: "function",
+          message: violation.schema ? `Function '${violation.schema}.${violation.name}' is not allowed` : `Function '${violation.name}' is not allowed`
+        }, functionCheck.errorCode, errorCodes);
+      }
+    }
+  }
+  if (violations.length === 0) {
+    return { ok: true, violations: [] };
+  }
+  return {
+    ok: false,
+    violations,
+    errorCode: pickErrorCode(errorCodes)
+  };
+}
+function isMetadataTableDenied(schema, fullyQualified, policy) {
+  if (!METADATA_SCHEMAS.has(schema.toLowerCase())) {
+    return false;
+  }
+  return !policy.allowedTables.has(fullyQualified);
+}
+function pushViolation(violations, seenViolations, violation, errorCode, errorCodes) {
+  const key = `${violation.type}:${violation.message}:${violation.location?.line ?? ""}:${violation.location?.column ?? ""}`;
+  if (seenViolations.has(key)) {
+    return;
+  }
+  seenViolations.add(key);
+  violations.push(violation);
+  if (errorCode) {
+    errorCodes.push(errorCode);
+  }
+}
+function pickErrorCode(errorCodes) {
+  if (errorCodes.length === 0) {
+    return;
+  }
+  return [...errorCodes].sort((left, right) => precedenceOf(left) - precedenceOf(right))[0];
+}
+function precedenceOf(errorCode) {
+  switch (errorCode) {
+    case "PARSE_ERROR" /* PARSE_ERROR */:
+      return 0;
+    case "INVALID_POLICY" /* INVALID_POLICY */:
+      return 1;
+    case "STATEMENT_NOT_ALLOWED" /* STATEMENT_NOT_ALLOWED */:
+      return 2;
+    case "TABLE_NOT_ALLOWED" /* TABLE_NOT_ALLOWED */:
+      return 3;
+    case "FUNCTION_NOT_ALLOWED" /* FUNCTION_NOT_ALLOWED */:
+      return 4;
+    case "MULTI_STATEMENT_DISABLED" /* MULTI_STATEMENT_DISABLED */:
+      return 5;
+    case "UNSUPPORTED_SQL_FEATURE" /* UNSUPPORTED_SQL_FEATURE */:
+    default:
+      return 6;
+  }
+}
+
+// src/index.ts
+function validate(sql, policy) {
+  return validateAgainstPolicy(sql, policy);
+}
+function assertSafeSql(sql, policy) {
+  const result = validate(sql, policy);
+  if (!result.ok) {
+    throw new SqlValidationError(`SQL validation failed: ${result.errorCode}`, result.errorCode || "UNSUPPORTED_SQL_FEATURE" /* UNSUPPORTED_SQL_FEATURE */, result.violations);
+  }
+}
+export {
+  validateAgainstPolicy,
+  validate,
+  parseSql,
+  normalizeTableReference,
+  isTableAllowed,
+  isStatementAllowed,
+  extractAllTables,
+  extractAllFunctions,
+  checkMultiStatementPolicy,
+  checkFunctionsAllowed,
+  assertSafeSql,
+  SqlValidationError,
+  ErrorCode
+};