turbine-orm 0.19.0 → 0.19.2

package/dist/cjs/cli/studio.js

@@ -3,15 +3,20 @@
  * turbine-orm CLI — Studio
  *
  * A local, read-only web UI for browsing databases, exploring relations,
- * and running SELECT queries. Pure Node (built-in `http` module), no
- * runtime dependencies beyond `pg`, bound to 127.0.0.1 only.
+ * and composing queries visually. ORM-native since v0.19: there is no
+ * raw-SQL input surface — the Query tab builds `findMany` args that are
+ * validated against introspected metadata and compiled by QueryInterface
+ * (`/api/builder`). Pure Node (built-in `http` module), no runtime
+ * dependencies beyond `pg`, bound to 127.0.0.1 only.
  *
  * Security model:
  *   • Bind 127.0.0.1 only (never 0.0.0.0 — no LAN exposure)
  *   • Random auth token generated per process, required in Cookie header
- *   • SELECT/WITH-only guard on the query endpoint
+ *   • No SQL input surface at all — every identifier in a builder request is
+ *     validated against the introspected schema; all values are $N params
  *   • Every query runs in a READ ONLY transaction (belt-and-suspenders)
- *   • 30s statement timeout
+ *   • 30s statement timeout via parameterized set_config()
+ *   • Per-session rate limiting, CSP + security headers, cross-origin refusal
  *
  * Not implemented (deliberately): row editing, DDL, destructive operations.
  * Studio is for inspection. Use the CLI, migrate, or raw SQL for writes.
@@ -29,7 +34,6 @@ exports.apiBuilder = apiBuilder;
 exports.apiListSavedQueries = apiListSavedQueries;
 exports.apiCreateSavedQuery = apiCreateSavedQuery;
 exports.apiDeleteSavedQuery = apiDeleteSavedQuery;
-exports.isReadOnlyStatement = isReadOnlyStatement;
 const node_child_process_1 = require("node:child_process");
 const node_crypto_1 = require("node:crypto");
 const node_fs_1 = require("node:fs");
@@ -420,6 +424,11 @@ async function apiBuilder(req, res, ctx) {
     try {
         await client.query('BEGIN READ ONLY');
         await client.query(ctx.statementTimeout.sql, ctx.statementTimeout.params);
+        // QueryInterface emits unqualified table identifiers, which resolve via
+        // the connection's search_path. Pin it to the configured --schema so the
+        // Query tab reads the same schema as the Data tab (set_config is
+        // transaction-local and fully parameterized).
+        await client.query(`SELECT set_config('search_path', $1, true)`, [ctx.options.schema]);
         const started = Date.now();
         const result = await client.query(deferred.sql, deferred.params);
         const elapsedMs = Date.now() - started;
@@ -448,6 +457,8 @@ async function apiBuilder(req, res, ctx) {
 function savedQueriesPath(ctx) {
     return (0, node_path_1.resolve)(ctx.stateDir, 'studio-queries.json');
 }
+/** One-shot flag so the legacy saved-query notice isn't logged on every request. */
+let legacyDropNoticeShown = false;
 function loadSavedQueries(ctx) {
     const file = savedQueriesPath(ctx);
     if (!(0, node_fs_1.existsSync)(file))
@@ -457,8 +468,16 @@ function loadSavedQueries(ctx) {
         const parsed = JSON.parse(raw);
         if (!parsed.queries || !Array.isArray(parsed.queries))
             return { version: 1, queries: [] };
-        // Drop any legacy raw-SQL entries — Studio is builder-only now.
+        // Drop any legacy raw-SQL entries — Studio is builder-only now. Tell the
+        // user instead of silently discarding their saved work (the file on disk
+        // is only rewritten when a new query is saved, so this is recoverable).
         const queries = parsed.queries.filter((q) => q && q.kind === 'builder');
+        const dropped = parsed.queries.length - queries.length;
+        if (dropped > 0 && !legacyDropNoticeShown) {
+            legacyDropNoticeShown = true;
+            console.warn(`[turbine studio] Ignoring ${dropped} legacy raw-SQL saved quer${dropped === 1 ? 'y' : 'ies'} in ${file} — ` +
+                'Studio is builder-only since v0.19. The entries remain in the file until a new query is saved.');
+        }
         return { version: 1, queries };
     }
     catch {
@@ -530,35 +549,6 @@ function clampInt(value, fallback, min, max) {
         return fallback;
     return Math.min(Math.max(n, min), max);
 }
-/**
- * Accept only SELECT or WITH (CTE) statements. Reject any statement that
- * contains a semicolon followed by non-whitespace (prevents statement
- * stacking), and require the first non-comment keyword to be SELECT or WITH.
- *
- * This is a first-line filter — the transaction's READ ONLY mode is the
- * second line of defense. Both must fail before a destructive statement
- * could run.
- */
-function isReadOnlyStatement(sql) {
-    const stripped = stripSqlComments(sql).trim();
-    if (!stripped)
-        return false;
-    // Disallow statement stacking. A single trailing `;` is fine.
-    const withoutTrailingSemi = stripped.replace(/;+\s*$/, '');
-    if (withoutTrailingSemi.includes(';'))
-        return false;
-    const firstWord = withoutTrailingSemi.slice(0, 6).toUpperCase();
-    if (firstWord.startsWith('SELECT'))
-        return true;
-    if (firstWord.startsWith('WITH'))
-        return true;
-    return false;
-}
-function stripSqlComments(sql) {
-    // Strip -- line comments and /* block comments */. Not a full SQL parser,
-    // but sufficient to catch the common bypass attempts.
-    return sql.replace(/--[^\n]*/g, '').replace(/\/\*[\s\S]*?\*\//g, '');
-}
 function serializeRow(row) {
     const out = {};
     for (const [k, v] of Object.entries(row)) {

package/dist/cjs/client.js

@@ -210,6 +210,14 @@ class TurbineClient {
     /** Active LISTEN subscriptions — torn down on disconnect() so it never hangs */
     activeSubscriptions = new Set();
     constructor(config = {}, schema) {
+        // Constructing without schema metadata previously crashed deep in the
+        // constructor with an opaque "Cannot read properties of undefined
+        // (reading 'tables')". Fail fast with an actionable message instead.
+        if (!schema || typeof schema !== 'object' || !schema.tables) {
+            throw new errors_js_1.ValidationError('[turbine] TurbineClient requires schema metadata as its second argument. ' +
+                'Run `npx turbine generate` and use the generated client (`turbine()` from your output dir), ' +
+                'or pass the generated `schemaMetadata` object: new TurbineClient(config, schemaMetadata).');
+        }
         /**
          * Parse int8 (bigint, OID 20) as JavaScript number instead of string.
          * Safe for values up to Number.MAX_SAFE_INTEGER (9,007,199,254,740,991).
@@ -323,12 +331,14 @@ class TurbineClient {
     // Middleware — intercept all queries
     // -------------------------------------------------------------------------
     /**
-     * Register a middleware function that runs before/after every query.
+     * Register a middleware function that runs around every query.
      *
-     * Middleware can inspect and log query parameters, modify results after execution,
-     * and measure timing. Note: query SQL is generated before middleware runs, so
-     * modifying params.args in middleware will NOT affect the executed SQL.
-     * To intercept queries before SQL generation, use the raw() method instead.
+     * Middleware can inspect and log query parameters, measure timing, and
+     * transform the result returned by `next()`. Note: query SQL is generated
+     * BEFORE middleware runs — `params.args` is a read-only snapshot, and
+     * mutating it does NOT change the executed SQL. Cross-cutting filters
+     * (e.g. soft deletes) belong in the query itself: pass an explicit
+     * `where: { deletedAt: null }` or wrap the table accessor in a small helper.
      *
      * @example
      * ```ts
@@ -340,16 +350,13 @@ class TurbineClient {
      *   return result;
      * });
      *
-     * // Soft-delete middleware
+     * // Result transformation middleware — redact a field on the way out
      * db.$use(async (params, next) => {
-     *   if (params.action === 'findMany' || params.action === 'findUnique') {
-     *     params.args.where = { ...params.args.where, deletedAt: null };
-     *   }
-     *   if (params.action === 'delete') {
-     *     params.action = 'update';
-     *     params.args = { where: params.args.where, data: { deletedAt: new Date() } };
+     *   const result = await next(params);
+     *   if (params.model === 'users' && Array.isArray(result)) {
+     *     for (const row of result as { email?: string }[]) row.email = '[redacted]';
      *   }
-     *   return next(params);
+     *   return result;
      * });
      * ```
      */