sqlproof 0.1.0a1__tar.gz → 0.2.2__tar.gz

sqlproof-0.2.2/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,79 @@
+name: Bug report
+description: Something is broken or behaving unexpectedly.
+title: "fix: <one-line summary>"
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for filing a bug. The clearer the repro, the faster we can fix it.
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Summary
+      description: One or two sentences on what's wrong.
+      placeholder: "`SqlProof.check()` raises X when the schema contains Y."
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduction
+    attributes:
+      label: Minimal reproduction
+      description: |
+        Smallest code/schema/dataset that triggers the bug. A self-contained
+        Python script we can paste and run is ideal.
+      render: python
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      placeholder: "Should have returned ... / shouldn't have raised."
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual behavior
+      description: Include the full traceback if applicable.
+      render: shell
+    validations:
+      required: true
+
+  - type: input
+    id: sqlproof-version
+    attributes:
+      label: sqlproof version
+      placeholder: "e.g. 0.1.0a1 (or `uv pip show sqlproof`)"
+    validations:
+      required: true
+
+  - type: input
+    id: python-version
+    attributes:
+      label: Python version
+      placeholder: "e.g. 3.12.2"
+    validations:
+      required: true
+
+  - type: input
+    id: postgres-version
+    attributes:
+      label: Postgres version
+      description: Output of `SELECT version();` against your test database. Skip if not DB-related.
+      placeholder: "e.g. PostgreSQL 15.8 (Supabase)"
+    validations:
+      required: false
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional context
+      description: Anything else that might help — workarounds you tried, related issues, screenshots.
+    validations:
+      required: false

sqlproof-0.2.2/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/alialavia/sqlproof/security/advisories/new
+    about: Please report security issues privately via GitHub Security Advisories. See SECURITY.md.

sqlproof-0.2.2/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,43 @@
+name: Feature request
+description: Propose a new feature or capability.
+title: "feat: <one-line summary>"
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for the suggestion. Helping us understand the *problem* you're
+        solving is more useful than a fully-specified solution — we may have
+        ideas you haven't considered.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What are you trying to do that sqlproof doesn't currently let you do well? Include a concrete use case.
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposed
+    attributes:
+      label: Proposed solution
+      description: What you have in mind. Rough is fine — API sketch, behavior description, prior art elsewhere.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: What workarounds have you tried? Why aren't they good enough?
+    validations:
+      required: false
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional context
+      description: Links, screenshots, references to other libraries that solve this well.
+    validations:
+      required: false

sqlproof-0.2.2/.github/ISSUE_TEMPLATE/question.yml

@@ -0,0 +1,28 @@
+name: Question
+description: Ask about how to do something with sqlproof.
+title: "question: <one-line summary>"
+labels: ["question"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Questions are welcome. Before filing, please skim the [README](https://github.com/alialavia/sqlproof#readme)
+        and the [examples directory](https://github.com/alialavia/sqlproof/tree/main/examples) — the answer
+        might already be there.
+
+  - type: textarea
+    id: question
+    attributes:
+      label: Your question
+      description: What are you trying to do? What have you tried so far?
+    validations:
+      required: true
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Context
+      description: Code snippets, schema, your environment — whatever helps frame the question.
+      render: python
+    validations:
+      required: false

sqlproof-0.2.2/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,43 @@
+<!--
+Thanks for the contribution! A few quick notes before you fill this in:
+
+1. The PR title must follow Conventional Commits (e.g. `feat(generator):`,
+   `fix(core):`, `docs(readme):`). CI will fail if it doesn't parse.
+   See CONTRIBUTING.md for the full list of accepted types.
+
+2. The PR title becomes the squash-merge commit message on main and is what
+   release-please uses to compute the next version + changelog entry. Make
+   it accurate and self-contained.
+
+3. Delete sections below that don't apply.
+-->
+
+## Summary
+
+<!-- What changed? Bullets are great. -->
+
+-
+
+## Why
+
+<!-- The motivation. What problem does this solve, or what user request does
+it satisfy? Link to the issue if there is one. -->
+
+## Test plan
+
+<!-- Checklist of what you ran/verified locally. Tick the boxes you've
+completed; leave unticked the things you'd like a reviewer to verify. -->
+
+- [ ] `uv run pytest` passes
+- [ ] `uv run ruff check src/ tests/` clean
+- [ ] `uv run pyright` clean
+- [ ] `uv run mypy src/sqlproof/` clean
+- [ ] (if integration-affecting) tested locally against `supabase/postgres:15.8.1.040`
+- [ ] (if user-facing) updated docs / README / examples
+- [ ] (if breaking) PR title includes `!` or body includes `BREAKING CHANGE:` footer
+
+## Related
+
+<!-- Issues this closes, PRs this depends on, follow-ups filed. -->
+
+- Closes #

sqlproof-0.2.2/.github/actions/setup-supabase-test-db/action.yml

@@ -0,0 +1,42 @@
+name: 'Set up Supabase-shaped test database'
+description: |
+  Apply SqlProof's Supabase test-init SQL to a running Postgres so a bare
+  `supabase/postgres` image matches managed Supabase semantics (plpgsql_check
+  extension, JSON-aware auth.uid/role/email/jwt). Call this AFTER your
+  service container's healthcheck passes and BEFORE running your tests.
+
+inputs:
+  database-url:
+    description: |
+      PostgreSQL DSN to apply the migration against. Use the same value you
+      pass to your tests as SQLPROOF_DATABASE_URL.
+    required: true
+  verbose:
+    description: |
+      If "true", print the resulting extension list and auth surface to the
+      job log so you can see what's installed. Default "false".
+    required: false
+    default: 'false'
+
+runs:
+  using: composite
+  steps:
+    - name: Apply Supabase test-init SQL
+      shell: bash
+      env:
+        DSN: ${{ inputs.database-url }}
+      run: |
+        # Resolve this action's own checkout path so the SQL file is found
+        # regardless of where the caller mounted things.
+        psql -v ON_ERROR_STOP=1 "$DSN" -f "${GITHUB_ACTION_PATH}/sql/supabase-test-init.sql"
+
+    - name: Print resulting Postgres surface
+      if: inputs.verbose == 'true'
+      shell: bash
+      env:
+        DSN: ${{ inputs.database-url }}
+      run: |
+        echo "=== installed extensions ==="
+        psql "$DSN" -c "SELECT extname, extversion FROM pg_extension ORDER BY extname;"
+        echo "=== auth schema functions ==="
+        psql "$DSN" -c "SELECT n.nspname || '.' || p.proname AS function FROM pg_proc p JOIN pg_namespace n ON n.oid = p.pronamespace WHERE n.nspname = 'auth' ORDER BY proname;"

sqlproof-0.2.2/.github/actions/setup-supabase-test-db/sql/supabase-test-init.sql

@@ -0,0 +1,52 @@
+-- Bring a bare `supabase/postgres` container into lockstep with managed
+-- Supabase semantics, so SqlProof's RLS-aware helpers (auth.uid(),
+-- auth.role(), as_rls_user) behave the same way they would in production.
+--
+-- This applies two things the bare image is missing:
+--
+-- 1. `plpgsql_check` extension. The binary ships with the image but isn't
+--    installed in the default database. Needed by
+--    sqlproof.contrib.plpgsql_coverage.
+--
+-- 2. GoTrue's `20220224000811_update_auth_functions` migration. The bare
+--    image's `auth.uid()` only reads the legacy singular GUC
+--    `request.jwt.claim.sub`. PostgREST 8+ (and SqlProof's
+--    `as_rls_user` helper) write the modern JSON `request.jwt.claims`
+--    GUC. Managed Supabase patches this at deploy time via GoTrue; we
+--    apply the same migration here so the bare image matches.
+--
+--    Source: https://github.com/supabase/auth/blob/master/migrations/20220224000811_update_auth_functions.up.sql
+
+CREATE EXTENSION IF NOT EXISTS plpgsql_check;
+
+CREATE OR REPLACE FUNCTION auth.uid()
+RETURNS uuid LANGUAGE sql STABLE AS $$
+  SELECT COALESCE(
+    NULLIF(current_setting('request.jwt.claim.sub', true), ''),
+    (NULLIF(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')
+  )::uuid
+$$;
+
+CREATE OR REPLACE FUNCTION auth.role()
+RETURNS text LANGUAGE sql STABLE AS $$
+  SELECT COALESCE(
+    NULLIF(current_setting('request.jwt.claim.role', true), ''),
+    (NULLIF(current_setting('request.jwt.claims', true), '')::jsonb ->> 'role')
+  )::text
+$$;
+
+CREATE OR REPLACE FUNCTION auth.email()
+RETURNS text LANGUAGE sql STABLE AS $$
+  SELECT COALESCE(
+    NULLIF(current_setting('request.jwt.claim.email', true), ''),
+    (NULLIF(current_setting('request.jwt.claims', true), '')::jsonb ->> 'email')
+  )::text
+$$;
+
+CREATE OR REPLACE FUNCTION auth.jwt()
+RETURNS jsonb LANGUAGE sql STABLE AS $$
+  SELECT COALESCE(
+    NULLIF(current_setting('request.jwt.claim', true), ''),
+    NULLIF(current_setting('request.jwt.claims', true), '')
+  )::jsonb
+$$;

sqlproof-0.2.2/.github/dependabot.yml

@@ -0,0 +1,45 @@
+version: 2
+updates:
+  # Python runtime + dev dependencies declared in pyproject.toml.
+  # Dependabot bumps declared versions; uv-lock-refresh.yml regenerates
+  # uv.lock on each dependabot PR.
+  - package-ecosystem: pip
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - python
+    commit-message:
+      prefix: chore
+      include: scope
+
+  # GitHub Actions versions (actions/checkout@vN, etc.)
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - ci
+    commit-message:
+      prefix: chore
+      include: scope
+
+  # supabase/postgres image pin in workflows
+  - package-ecosystem: docker
+    directory: ".github/workflows"
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 3
+    labels:
+      - dependencies
+      - ci
+    commit-message:
+      prefix: chore
+      include: scope

sqlproof-0.2.2/.github/workflows/ci.yml

@@ -0,0 +1,73 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  python:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12", "3.13"]
+    services:
+      postgres:
+        # Supabase's Postgres image bundles plpgsql_check, pgvector,
+        # pgsodium, pgjwt, etc., and creates the `auth` schema with
+        # `auth.uid()` / `auth.jwt()` helpers on first boot. This lets
+        # the plpgsql_coverage and (future) RLS-helper integration tests
+        # run against a realistic Supabase-shaped database.
+        image: supabase/postgres:15.8.1.040
+        env:
+          POSTGRES_PASSWORD: postgres
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U postgres -d postgres"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 15
+    env:
+      SQLPROOF_TEST_DATABASE_URL: postgresql://postgres:postgres@127.0.0.1:5432/postgres
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+      - uses: astral-sh/setup-uv@v5
+      - run: uv sync --extra dev
+      - name: Bring Postgres surface into lockstep with managed Supabase
+        uses: ./.github/actions/setup-supabase-test-db
+        with:
+          database-url: ${{ env.SQLPROOF_TEST_DATABASE_URL }}
+          verbose: 'true'
+      - run: uv run ruff check src/ tests/
+      - run: uv run pyright
+      - run: uv run mypy src/sqlproof/
+      - run: uv run pytest --cov=sqlproof --cov-fail-under=94 --cov-report=xml
+      - name: Upload coverage to Codecov
+        if: matrix.python-version == '3.11'
+        uses: codecov/codecov-action@v6
+        with:
+          files: ./coverage.xml
+          fail_ci_if_error: false
+          # Codecov v4 requires a token on protected branches even for
+          # public repos. Get the token from
+          # https://app.codecov.io/gh/alialavia/sqlproof/config/general
+          # and add as repo secret CODECOV_TOKEN.
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+  website:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: website/package-lock.json
+      - run: npm ci
+        working-directory: website
+      - run: npm run build
+        working-directory: website

{sqlproof-0.1.0a1 → sqlproof-0.2.2}/.github/workflows/deploy-website.yml

@@ -33,6 +33,12 @@ jobs:
       - name: Build
         run: npm run build
         working-directory: website
+        env:
+          # Optional. Set under Settings → Secrets and variables → Actions
+          # to enable PostHog tracking on the deployed site. When unset
+          # the snippet is omitted from the build (see website/src/posthog.mjs).
+          PUBLIC_POSTHOG_KEY: ${{ secrets.PUBLIC_POSTHOG_KEY }}
+          PUBLIC_POSTHOG_HOST: ${{ secrets.PUBLIC_POSTHOG_HOST }}
 
       - name: Deploy to GitHub Pages
         uses: peaceiris/actions-gh-pages@v4

{sqlproof-0.1.0a1 → sqlproof-0.2.2}/.github/workflows/nightly.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: "3.11"
       - uses: astral-sh/setup-uv@v5

sqlproof-0.2.2/.github/workflows/pr-title.yml

@@ -0,0 +1,42 @@
+name: PR title
+
+on:
+  pull_request:
+    types: [opened, edited, reopened, synchronize]
+
+permissions:
+  pull-requests: read
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          # Accepted types — keep in sync with release-please-config.json
+          # `changelog-sections`. The action validates the PR title matches
+          # `<type>(<optional-scope>)!?: <subject>` per Conventional Commits.
+          types: |
+            feat
+            fix
+            perf
+            docs
+            refactor
+            test
+            chore
+            ci
+            build
+            style
+            revert
+          # Scopes are optional; we don't enforce an allowlist (subsystem
+          # naming is too fluid to constrain at this scale).
+          requireScope: false
+          # Subject must start with a lowercase letter to match the
+          # project's existing commit style (`feat(core): skip insert ...`).
+          subjectPattern: ^[a-z].+$
+          subjectPatternError: |
+            The PR title subject must start with a lowercase letter
+            (e.g. "feat(core): add support for ..." not "Add support for ...").

sqlproof-0.2.2/.github/workflows/release-please.yml

@@ -0,0 +1,33 @@
+name: release-please
+
+on:
+  push:
+    branches: [main]
+
+# No top-level permissions: release-please acts via the GitHub App token
+# below, not the default GITHUB_TOKEN. The App's installation token
+# carries its own permissions (contents:write, pull_requests:write,
+# metadata:read) configured when the App was created.
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      # Mint a short-lived installation token from the `sqlproof-releases`
+      # GitHub App. Tags + commits pushed with this token DO trigger
+      # downstream workflows (unlike the default GITHUB_TOKEN, which
+      # GitHub Actions explicitly blocks from triggering recursive runs).
+      # That's what lets release.yml fire when release-please creates a
+      # v*.*.* tag.
+      - name: Mint release-please token from sqlproof-releases App
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.RELEASE_PLEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_PLEASE_PRIVATE_KEY }}
+
+      - uses: googleapis/release-please-action@v5
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json

sqlproof-0.2.2/.github/workflows/release.yml

@@ -0,0 +1,71 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+  # Manual fallback. Use this to publish a tag that was created before
+  # the sqlproof-releases GitHub App was wired into release-please.yml
+  # (where tag-push didn't auto-trigger this workflow), or to retry a
+  # failed publish without re-tagging. Specify the tag in the input.
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to build and publish (e.g. v0.2.0)'
+        required: true
+        type: string
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        # Mirror the CI service container so pre-publish testing
+        # exercises the same integration surface that PR CI does.
+        image: supabase/postgres:15.8.1.040
+        env:
+          POSTGRES_PASSWORD: postgres
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U postgres -d postgres"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 15
+    env:
+      SQLPROOF_TEST_DATABASE_URL: postgresql://postgres:postgres@127.0.0.1:5432/postgres
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # For workflow_dispatch, check out the tag the operator passed
+          # as input. For push events, default behavior checks out the
+          # tag-ref that triggered the workflow (no override needed).
+          ref: ${{ inputs.tag || github.ref }}
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+      - uses: astral-sh/setup-uv@v5
+      - run: uv sync --extra dev
+      - name: Bring Postgres surface into lockstep with managed Supabase
+        uses: ./.github/actions/setup-supabase-test-db
+        with:
+          database-url: ${{ env.SQLPROOF_TEST_DATABASE_URL }}
+      - run: uv run pytest -m "not nocover"
+      - run: uv build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1

sqlproof-0.2.2/.github/workflows/uv-lock-refresh.yml

@@ -0,0 +1,45 @@
+name: uv-lock-refresh
+
+# Dependabot's `pip` ecosystem bumps declared deps in pyproject.toml but
+# doesn't know how to regenerate uv.lock. This workflow runs `uv lock` on
+# every dependabot PR and pushes the updated lockfile back to the PR
+# branch so the merge is internally consistent.
+
+on:
+  pull_request:
+    paths:
+      - pyproject.toml
+
+permissions:
+  contents: write
+
+jobs:
+  refresh:
+    # Only run on PRs opened by Dependabot. Other PRs that touch
+    # pyproject.toml should update uv.lock manually (and reviewers can
+    # catch drift).
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          # GH Actions can't push back to a PR branch by default; use a
+          # PAT-less approach via `actions/checkout` with the default
+          # token, which works because we're pushing to the same repo
+          # the workflow runs in.
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: astral-sh/setup-uv@v5
+      - name: Refresh uv.lock
+        run: uv lock
+      - name: Commit and push if lockfile changed
+        run: |
+          if git diff --quiet uv.lock; then
+            echo "uv.lock unchanged; nothing to do."
+            exit 0
+          fi
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add uv.lock
+          git commit -m "chore(deps): refresh uv.lock"
+          git push

{sqlproof-0.1.0a1 → sqlproof-0.2.2}/.gitignore

@@ -10,4 +10,6 @@ __pycache__/
 .pytest_cache/
 .hypothesis/
 .coverage
+coverage.xml
+htmlcov/
 .venv/

sqlproof-0.2.2/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "0.2.2"
+}

sqlproof-0.2.2/.sqlproof/failures/property_fails.json

@@ -0,0 +1,24 @@
+{
+  "$schema": "https://sqlproof.dev/schemas/counterexample-v1.json",
+  "dataset": {
+    "orders": [
+      {
+        "id": 1,
+        "total": 0
+      }
+    ]
+  },
+  "failure": {
+    "kind": "UndefinedTable",
+    "locals": {},
+    "message": "relation \"orders\" does not exist\nLINE 1: SELECT id FROM orders\n                       ^",
+    "traceback": []
+  },
+  "property_name": "property_fails",
+  "row_context": {},
+  "runs": 110,
+  "schema_fingerprint": "sha256:10216d67c52fe4492028569c0a44ea070c450fb3488ad02a3599c35192366658",
+  "seed": null,
+  "shrink_steps": 0,
+  "version": 1
+}