taurusdb-core 0.1.0 → 0.3.0

package/dist/auth/sql-profile-loader/env-source.js

@@ -17,18 +17,18 @@ export function parseEnvProfile(env) {
     let host;
     let port;
     let database;
-    let readonlyUsername;
-    let readonlyPasswordRef;
+    let username;
+    let passwordRef;
     if (dsn) {
         const url = new URL(dsn);
         engine = parseEngineFromDsnProtocol(url.protocol);
         host = url.hostname;
         port = url.port ? Number.parseInt(url.port, 10) : defaultPortForEngine(engine);
         database = asString(url.pathname.replace(/^\//, ""));
-        readonlyUsername = asString(decodeURIComponent(url.username));
+        username = asString(decodeURIComponent(url.username));
         const dsnPassword = asString(decodeURIComponent(url.password));
         if (dsnPassword) {
-            readonlyPasswordRef = parseCredentialRef(dsnPassword, "TAURUSDB_SQL_DSN.password");
+            passwordRef = parseCredentialRef(dsnPassword, "TAURUSDB_SQL_DSN.password");
         }
     }
     else {
@@ -38,41 +38,27 @@ export function parseEnvProfile(env) {
         port = explicitPort ?? defaultPortForEngine(engine);
         database = asString(env.TAURUSDB_SQL_DATABASE);
     }
-    const mutationUserName = asString(env.TAURUSDB_SQL_MUTATION_USER);
-    const mutationPasswordRaw = asString(env.TAURUSDB_SQL_MUTATION_PASSWORD);
     if (!dsn &&
         !explicitHost &&
         !asString(env.TAURUSDB_SQL_USER) &&
         !asString(env.TAURUSDB_SQL_PASSWORD) &&
-        !database &&
-        !mutationUserName &&
-        !mutationPasswordRaw) {
+        !database) {
         return undefined;
     }
     if (!port || !Number.isFinite(port) || port <= 0) {
         throw new Error("Failed to resolve SQL port from environment.");
     }
-    readonlyUsername = readonlyUsername ?? asString(env.TAURUSDB_SQL_USER);
-    if (!readonlyUsername) {
-        throw new Error("Missing readonly username in environment. Set TAURUSDB_SQL_USER or include it in DSN.");
+    username = username ?? asString(env.TAURUSDB_SQL_USER);
+    if (!username) {
+        throw new Error("Missing SQL username in environment. Set TAURUSDB_SQL_USER or include it in DSN.");
     }
-    readonlyPasswordRef =
-        readonlyPasswordRef ??
+    passwordRef =
+        passwordRef ??
             (Object.hasOwn(env, "TAURUSDB_SQL_PASSWORD")
                 ? parseCredentialRef(env.TAURUSDB_SQL_PASSWORD, "TAURUSDB_SQL_PASSWORD")
                 : undefined);
-    if (!readonlyPasswordRef) {
-        throw new Error("Missing readonly password in environment. Set TAURUSDB_SQL_PASSWORD or include it in DSN.");
-    }
-    let mutationUser;
-    if (mutationUserName || mutationPasswordRaw) {
-        if (!mutationUserName || !mutationPasswordRaw) {
-            throw new Error("Invalid mutation credentials in environment: TAURUSDB_SQL_MUTATION_USER and TAURUSDB_SQL_MUTATION_PASSWORD must be set together.");
-        }
-        mutationUser = {
-            username: mutationUserName,
-            password: parseCredentialRef(mutationPasswordRaw, "TAURUSDB_SQL_MUTATION_PASSWORD"),
-        };
+    if (!passwordRef) {
+        throw new Error("Missing SQL password in environment. Set TAURUSDB_SQL_PASSWORD or include it in DSN.");
     }
     const poolSize = asInteger(env.TAURUSDB_SQL_POOL_SIZE);
     if (poolSize !== undefined && poolSize <= 0) {
@@ -84,11 +70,10 @@ export function parseEnvProfile(env) {
         host,
         port,
         database,
-        readonlyUser: {
-            username: readonlyUsername,
-            password: readonlyPasswordRef,
+        user: {
+            username,
+            password: passwordRef,
         },
-        mutationUser,
         poolSize,
     });
 }

package/dist/auth/sql-profile-loader/loader.js

@@ -3,6 +3,7 @@ import os from "node:os";
 import path from "node:path";
 import { parseEnvProfile } from "./env-source.js";
 import { parseProfilesFile } from "./file-source.js";
+import { withRedactedToString } from "./parsing.js";
 export function resolveDefaultProfilePath(config) {
     if (config.profilesPath) {
         return config.profilesPath;
@@ -67,6 +68,13 @@ export class SqlProfileLoader {
                 mergedProfiles.set(name, profile);
             }
         }
+        if (mergedProfiles.size === 0) {
+            mergedProfiles.set("taurus_mcp", withRedactedToString({
+                name: "taurus_mcp",
+                engine: "mysql",
+                port: 3306,
+            }));
+        }
         const defaultDatasource = this.config.defaultDatasource ??
             fileDefaultDatasource ??
             (mergedProfiles.size === 1 ? mergedProfiles.keys().next().value : undefined);

package/dist/auth/sql-profile-loader/parsing.js

@@ -194,13 +194,15 @@ export function parseProfileRecord(name, value, context) {
     if (poolSize !== undefined && poolSize <= 0) {
         throw new Error(`Invalid datasource profile ${name} in ${context}: poolSize must be positive.`);
     }
-    const readonlyRaw = value.readonlyUser ?? value.readonly ?? value.readOnlyUser;
-    if (readonlyRaw === undefined) {
-        throw new Error(`Invalid datasource profile ${name} in ${context}: missing readonlyUser.`);
-    }
-    const readonlyUser = parseUserCredential(readonlyRaw, `${context}.${name}.readonlyUser`);
-    const mutationRaw = value.mutationUser ?? value.writeUser ?? value.rwUser;
-    const mutationUser = mutationRaw !== undefined ? parseUserCredential(mutationRaw, `${context}.${name}.mutationUser`) : undefined;
+    // Backward compatibility for older profile field names. New configs should use `user`.
+    const userRaw = value.user ??
+        value.readonlyUser ??
+        value.readonly ??
+        value.readOnlyUser;
+    if (userRaw === undefined) {
+        throw new Error(`Invalid datasource profile ${name} in ${context}: missing user.`);
+    }
+    const user = parseUserCredential(userRaw, `${context}.${name}.user`);
     const tls = parseTlsOptions(value.tls, `${context}.${name}.tls`);
     return withRedactedToString({
         name,
@@ -208,8 +210,7 @@ export function parseProfileRecord(name, value, context) {
         host,
         port,
         database,
-        readonlyUser,
-        mutationUser,
+        user,
         tls,
         poolSize,
     });

package/dist/auth/sql-profile-loader/runtime-override.d.ts

@@ -5,6 +5,7 @@ export declare class RuntimeOverrideProfileLoader implements RuntimeTargetProfil
     private readonly runtimeTargets;
     constructor(base: ProfileLoader);
     setRuntimeTarget(name: string, target: RuntimeDataSourceTarget): void;
+    clearRuntimeUser(name: string): void;
     clearRuntimeTarget(name: string): void;
     clearAllRuntimeTargets(): void;
     getRuntimeTarget(name: string): RuntimeDataSourceTarget | undefined;

package/dist/auth/sql-profile-loader/runtime-override.js

@@ -5,8 +5,10 @@ export function applyRuntimeTarget(profile, target) {
     }
     return withRedactedToString({
         ...profile,
-        host: target.host,
+        host: target.host ?? profile.host,
         port: target.port ?? profile.port,
+        database: target.database ?? profile.database,
+        user: target.user ?? profile.user,
     });
 }
 export class RuntimeOverrideProfileLoader {
@@ -16,12 +18,24 @@ export class RuntimeOverrideProfileLoader {
         this.base = base;
     }
     setRuntimeTarget(name, target) {
-        this.runtimeTargets.set(name, {
-            host: target.host,
-            port: target.port,
-            instanceId: target.instanceId,
-            nodeId: target.nodeId,
-        });
+        const current = this.runtimeTargets.get(name);
+        const next = {
+            host: target.host ?? current?.host,
+            port: target.port ?? current?.port,
+            database: target.database ?? current?.database,
+            user: target.user ?? current?.user,
+            instanceId: target.instanceId ?? current?.instanceId,
+            nodeId: target.nodeId ?? current?.nodeId,
+        };
+        this.runtimeTargets.set(name, next);
+    }
+    clearRuntimeUser(name) {
+        const current = this.runtimeTargets.get(name);
+        if (!current) {
+            return;
+        }
+        const { user: _user, ...next } = current;
+        this.runtimeTargets.set(name, next);
     }
     clearRuntimeTarget(name) {
         this.runtimeTargets.delete(name);

package/dist/auth/sql-profile-loader/types.d.ts

@@ -31,8 +31,7 @@ export interface DataSourceProfile {
     host?: string;
     port: number;
     database?: string;
-    readonlyUser: UserCredential;
-    mutationUser?: UserCredential;
+    user?: UserCredential;
     tls?: TlsOptions;
     poolSize?: number;
     toString(): string;
@@ -43,13 +42,16 @@ export interface ProfileLoader {
     get(name: string): Promise<DataSourceProfile | undefined>;
 }
 export interface RuntimeDataSourceTarget {
-    host: string;
+    host?: string;
     port?: number;
+    database?: string;
+    user?: UserCredential;
     instanceId?: string;
     nodeId?: string;
 }
 export interface RuntimeTargetProfileLoader extends ProfileLoader {
     setRuntimeTarget(name: string, target: RuntimeDataSourceTarget): void;
+    clearRuntimeUser(name: string): void;
     clearRuntimeTarget(name: string): void;
     clearAllRuntimeTargets(): void;
     getRuntimeTarget(name: string): RuntimeDataSourceTarget | undefined;

package/dist/capability/types.d.ts

@@ -41,9 +41,11 @@ export declare class UnsupportedFeatureError extends Error {
     readonly feature: TaurusFeatureName;
     readonly requiredVersion?: string;
     readonly currentVersion?: string;
+    readonly parameterHint?: string;
     constructor(feature: TaurusFeatureName, message: string, options?: {
         requiredVersion?: string;
         currentVersion?: string;
+        parameterHint?: string;
         cause?: unknown;
     });
 }

package/dist/capability/types.js

@@ -3,12 +3,14 @@ export class UnsupportedFeatureError extends Error {
     feature;
     requiredVersion;
     currentVersion;
+    parameterHint;
     constructor(feature, message, options = {}) {
         super(message);
         this.name = "UnsupportedFeatureError";
         this.feature = feature;
         this.requiredVersion = options.requiredVersion;
         this.currentVersion = options.currentVersion;
+        this.parameterHint = options.parameterHint;
         if (options.cause !== undefined) {
             this.cause = options.cause;
         }

package/dist/config/env.js

@@ -120,7 +120,6 @@ export function buildRawConfigFromEnv(env) {
     return {
         defaultDatasource: readString(env.TAURUSDB_DEFAULT_DATASOURCE) ?? inferredDatasourceName,
         profilesPath: expandTildePath(readString(env.TAURUSDB_SQL_PROFILES)),
-        enableMutations: parseBoolean(env.TAURUSDB_MCP_ENABLE_MUTATIONS, "TAURUSDB_MCP_ENABLE_MUTATIONS"),
         cloud: {
             provider: "huaweicloud",
             region: cloudRegion,

package/dist/config/schema.d.ts

@@ -2,7 +2,6 @@ import { z } from "zod";
 export declare const ConfigSchema: z.ZodObject<{
     defaultDatasource: z.ZodOptional<z.ZodString>;
     profilesPath: z.ZodOptional<z.ZodString>;
-    enableMutations: z.ZodDefault<z.ZodBoolean>;
     cloud: z.ZodDefault<z.ZodObject<{
         provider: z.ZodDefault<z.ZodEnum<["huaweicloud"]>>;
         region: z.ZodOptional<z.ZodString>;
@@ -270,7 +269,6 @@ export declare const ConfigSchema: z.ZodObject<{
         } | undefined;
     }>>;
 }, "strip", z.ZodTypeAny, {
-    enableMutations: boolean;
     cloud: {
         provider: "huaweicloud";
         domainSuffix: string;
@@ -344,7 +342,6 @@ export declare const ConfigSchema: z.ZodObject<{
 }, {
     defaultDatasource?: string | undefined;
     profilesPath?: string | undefined;
-    enableMutations?: boolean | undefined;
     cloud?: {
         provider?: "huaweicloud" | undefined;
         region?: string | undefined;

package/dist/config/schema.js

@@ -82,7 +82,6 @@ const CesMetricsSourceSchema = z
 export const ConfigSchema = z.object({
     defaultDatasource: z.string().min(1).optional(),
     profilesPath: z.string().min(1).optional(),
-    enableMutations: z.boolean().default(true),
     cloud: CloudSchema,
     limits: LimitsSchema,
     audit: AuditSchema,

package/dist/engine/runtime.js

@@ -1,6 +1,6 @@
 import { UnsupportedFeatureError } from "../capability/types.js";
 import { InMemoryConfirmationStore } from "../safety/confirmation-store.js";
-import { buildFlashbackSql, FlashbackNoViewError, flashbackReadonlyOptions, formatTimestamp, resolveRelativeTimestampFromBase, resolveFlashbackTimestamp, } from "../taurus/flashback.js";
+import { buildFlashbackSql, FlashbackNoViewError, flashbackReadonlyOptions, formatTimestamp, normalizeFlashbackWhereClause, resolveRelativeTimestampFromBase, resolveFlashbackTimestamp, } from "../taurus/flashback.js";
 import { buildListRecycleBinSql, buildRestoreRecycleBinTableSql, recycleBinMutationOptions, recycleBinReadonlyOptions } from "../taurus/recycle-bin.js";
 import { normalizeSql, sqlHash } from "../utils/hash.js";
 function resolveConfirmationSql(input) {
@@ -90,7 +90,8 @@ async function buildFlashbackNoViewError(engine, ctx, input, database, requested
     }
     if (input.where?.trim()) {
         try {
-            const updatedAtResult = await engine.executor.executeReadonly(`SELECT ${quoteIdentifier("updated_at")} FROM ${quoteIdentifier(database)}.${quoteIdentifier(input.table)} WHERE (${input.where.trim()}) LIMIT 1`, ctx, { maxRows: 1, maxColumns: 1, maxFieldChars: 128 });
+            const where = normalizeFlashbackWhereClause(input.where);
+            const updatedAtResult = await engine.executor.executeReadonly(`SELECT ${quoteIdentifier("updated_at")} FROM ${quoteIdentifier(database)}.${quoteIdentifier(input.table)} WHERE (${where}) LIMIT 1`, ctx, { maxRows: 1, maxColumns: 1, maxFieldChars: 128 });
             const updatedAtRow = firstRowAsObject(updatedAtResult);
             if (typeof updatedAtRow?.updated_at === "string") {
                 details.current_row_updated_at = updatedAtRow.updated_at;
@@ -286,6 +287,7 @@ export async function flashbackQuery(engine, input, ctx, opts) {
         throw new UnsupportedFeatureError("flashback_query", flashbackFeature.reason ??
             `Flashback query requires kernel version >= ${flashbackFeature.minVersion ?? "unknown"}.`, {
             requiredVersion: flashbackFeature.minVersion,
+            parameterHint: flashbackFeature.param,
             currentVersion: (await engine.capabilityProbe.getKernelInfo(ctx))
                 .kernelVersion,
         });
@@ -318,6 +320,7 @@ export async function listRecycleBin(engine, ctx, opts) {
         throw new UnsupportedFeatureError("recycle_bin", recycleBinFeature.reason ??
             `Recycle bin requires kernel version >= ${recycleBinFeature.minVersion ?? "unknown"}.`, {
             requiredVersion: recycleBinFeature.minVersion,
+            parameterHint: recycleBinFeature.param,
             currentVersion: (await engine.capabilityProbe.getKernelInfo(ctx))
                 .kernelVersion,
         });
@@ -331,13 +334,13 @@ export async function restoreRecycleBinTable(engine, input, ctx, opts) {
         throw new UnsupportedFeatureError("recycle_bin", recycleBinFeature.reason ??
             `Recycle bin requires kernel version >= ${recycleBinFeature.minVersion ?? "unknown"}.`, {
             requiredVersion: recycleBinFeature.minVersion,
+            parameterHint: recycleBinFeature.param,
             currentVersion: (await engine.capabilityProbe.getKernelInfo(ctx))
                 .kernelVersion,
         });
     }
     return engine.executor.executeMutation(buildRestoreRecycleBinTableSql(input), ctx, {
         ...recycleBinMutationOptions(opts),
-        allowWithoutGlobalMutations: true,
         allowReadonlyFallbackForMutations: true,
     });
 }

package/dist/engine/types.d.ts

@@ -17,7 +17,6 @@ export interface DataSourceInfo {
     host?: string;
     port: number;
     database?: string;
-    hasMutationUser: boolean;
     poolSize?: number;
     isDefault: boolean;
 }

package/dist/engine.js

@@ -22,7 +22,6 @@ function toDataSourceInfo(profile, defaultDatasource) {
         host: profile.host,
         port: profile.port,
         database: profile.database,
-        hasMutationUser: profile.mutationUser !== undefined,
         poolSize: profile.poolSize,
         isDefault: profile.name === defaultDatasource,
     };

package/dist/executor/connection-pool.d.ts

@@ -35,7 +35,6 @@ export interface PoolHealth {
 }
 export interface ConnectionPool {
     acquire(datasource: string, mode: PoolMode, opts?: {
-        allowWithoutGlobalMutations?: boolean;
         allowReadonlyFallbackForMutations?: boolean;
     }): Promise<Session>;
     release(session: Session): Promise<void>;
@@ -92,7 +91,6 @@ export declare class ConnectionPoolManager implements ConnectionPool {
     private readonly activeSessions;
     constructor(options: ConnectionPoolManagerOptions);
     acquire(datasource: string, mode: PoolMode, opts?: {
-        allowWithoutGlobalMutations?: boolean;
         allowReadonlyFallbackForMutations?: boolean;
     }): Promise<Session>;
     release(session: Session): Promise<void>;

package/dist/executor/connection-pool.js

@@ -32,22 +32,12 @@ async function resolveTls(tls, secretResolver) {
     }
     return resolved;
 }
-function ensureMutationAllowed(config) {
-    if (!config.enableMutations) {
-        throw new ConnectionPoolError("Mutation mode is disabled by configuration.");
+function selectCredential(profile, mode, _opts = {}) {
+    void mode;
+    if (!profile.user) {
+        throw new ConnectionPoolError(`Datasource "${profile.name}" does not define SQL credentials. Call begin_sql_login and complete the secure local login form before executing SQL.`);
     }
-}
-function selectCredential(profile, mode, opts = {}) {
-    if (mode === "ro") {
-        return profile.readonlyUser;
-    }
-    if (!profile.mutationUser) {
-        if (opts.allowReadonlyFallbackForMutations) {
-            return profile.readonlyUser;
-        }
-        throw new ConnectionPoolError(`Mutation user is not configured for datasource "${profile.name}".`);
-    }
-    return profile.mutationUser;
+    return profile.user;
 }
 async function resolveCredentialValue(ref, secretResolver, context) {
     try {
@@ -75,9 +65,6 @@ export class ConnectionPoolManager {
         if (!profile) {
             throw new ConnectionPoolError(`Datasource profile not found: "${datasource}".`);
         }
-        if (mode === "rw" && !opts.allowWithoutGlobalMutations) {
-            ensureMutationAllowed(this.config);
-        }
         const entry = await this.getOrCreatePool(profile, mode, opts);
         let driverSession;
         try {
@@ -122,16 +109,7 @@ export class ConnectionPoolManager {
     async healthCheck(datasource) {
         const modes = [];
         modes.push(await this.healthCheckMode(datasource, "ro"));
-        if (!this.config.enableMutations) {
-            modes.push({
-                mode: "rw",
-                status: "skipped",
-                message: "Mutation mode disabled by config.",
-            });
-        }
-        else {
-            modes.push(await this.healthCheckMode(datasource, "rw"));
-        }
+        modes.push(await this.healthCheckMode(datasource, "rw"));
         return {
             datasource,
             checkedAt: new Date().toISOString(),
@@ -166,9 +144,6 @@ export class ConnectionPoolManager {
             return { mode, status: "ok" };
         }
         catch (error) {
-            if (mode === "rw" && error instanceof ConnectionPoolError && /not configured/.test(error.message)) {
-                return { mode, status: "skipped", message: error.message };
-            }
             return {
                 mode,
                 status: "error",

package/dist/executor/sql-executor.js

@@ -114,7 +114,6 @@ export class SqlExecutorImpl {
         const startedAt = this.now();
         const timeoutMs = opts.timeoutMs ?? ctx.limits.timeoutMs;
         const session = await this.connectionPool.acquire(ctx.datasource, "rw", {
-            allowWithoutGlobalMutations: opts.allowWithoutGlobalMutations,
             allowReadonlyFallbackForMutations: opts.allowReadonlyFallbackForMutations,
         });
         const active = this.beginQuery(queryId, session, ctx, "rw", startedAt);

package/dist/executor/types.d.ts

@@ -15,7 +15,6 @@ export interface ReadonlyOptions {
 }
 export interface MutationOptions {
     timeoutMs?: number;
-    allowWithoutGlobalMutations?: boolean;
     allowReadonlyFallbackForMutations?: boolean;
 }
 export interface QueryResult {

package/dist/taurus/flashback.d.ts

@@ -13,6 +13,7 @@ export interface FlashbackInput {
     columns?: string[];
     limit?: number;
 }
+export declare function normalizeFlashbackWhereClause(where: string): string;
 export type FlashbackNoViewDetails = {
     database?: string;
     table?: string;

package/dist/taurus/flashback.js

@@ -1,3 +1,5 @@
+import { createSqlParser } from "../safety/parser/index.js";
+import { normalizeSql } from "../utils/hash.js";
 const IDENTIFIER_PATTERN = /^[A-Za-z_][A-Za-z0-9_$]*$/;
 const SQL_TIMESTAMP_PATTERN = /^(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})(?:\.\d{1,6})?$/;
 const RELATIVE_DURATION_PATTERN = /(\d+)\s*(ms|milliseconds?|s|sec|secs|seconds?|m|min|mins|minutes?|h|hr|hrs|hours?|d|days?)/gi;
@@ -30,6 +32,15 @@ function quoteIdentifier(identifier, fieldName) {
     }
     return `\`${identifier}\``;
 }
+export function normalizeFlashbackWhereClause(where) {
+    const parser = createSqlParser("mysql");
+    const candidate = parser.normalize(`SELECT 1 FROM placeholder WHERE (${where})`);
+    const parsed = parser.parse(candidate.normalizedSql);
+    if (!parsed.ok || parsed.isMultiStatement || parsed.ast.kind !== "select") {
+        throw new Error("Invalid flashback where clause. Provide a single SQL expression.");
+    }
+    return normalizeSql(where);
+}
 export class FlashbackNoViewError extends Error {
     details;
     constructor(message, details) {
@@ -129,7 +140,7 @@ export function buildFlashbackSql(input, defaultDatabase, now = Date.now) {
     ];
     const whereClause = input.where?.trim();
     if (whereClause) {
-        clauses.push(`WHERE (${whereClause})`);
+        clauses.push(`WHERE (${normalizeFlashbackWhereClause(whereClause)})`);
     }
     if (input.limit !== undefined) {
         if (!Number.isInteger(input.limit) || input.limit <= 0) {
@@ -137,7 +148,7 @@ export function buildFlashbackSql(input, defaultDatabase, now = Date.now) {
         }
         clauses.push(`LIMIT ${input.limit}`);
     }
-    return clauses.join(" ");
+    return normalizeSql(clauses.join(" "));
 }
 export function flashbackReadonlyOptions(limit) {
     if (limit === undefined) {

package/dist/utils/logger.js

@@ -8,6 +8,14 @@ const REDACT_PATHS = [
     "secret",
     "token",
     "*.token",
+    "accessKeyId",
+    "*.accessKeyId",
+    "secretAccessKey",
+    "*.secretAccessKey",
+    "securityToken",
+    "*.securityToken",
+    "authToken",
+    "*.authToken",
 ];
 function createDefaultDestination() {
     return pino.destination({ fd: 2, sync: false });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "taurusdb-core",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "Shared TaurusDB data-plane engine for schema, SQL execution, guardrails, and diagnostics.",
   "type": "module",
   "main": "dist/index.js",