mirror of
https://github.com/Kaelio/ktx.git
synced 2026-06-28 08:49:38 +02:00
fix: read semantic sources safely (#284)
* fix: read semantic sources safely
* test: retarget reindex per-scope error case to a broken manifest
Reading a broken standalone source was made non-fatal in de1f1a8d (it is
surfaced for repair instead of throwing), so the reindex per-scope error
test no longer captured an error. Point it at a corrupt manifest shard,
which is the remaining fatal read failure the per-scope catch must
isolate, and assert the captured error names the offending file.
* fix(sl): decouple semantic-layer file names from warehouse naming rules
The in-file `name:` field is now the sole source identity; the filename is
a derived label that never participates in identity. This removes the
"Unsafe semantic-layer source name" failure class entirely: any warehouse
identifier (Snowflake's uppercase SIGNED_UP, EVENT$LOG, dotted names) can
be read, overlaid, edited, and deleted.
- New `source-files.ts`: one total filename derivation (safe lowercase
names verbatim; otherwise slug + sha256-hash suffix, immune to
case-insensitive-filesystem collisions) and one by-name file resolver.
- Reads resolve by name everywhere; the path-from-name fast path and
`assertSafeSourceName` are gone.
- Writes resolve-then-write: rewrites land on the file that declares the
name (human renames survive); new sources get a derived filename; a
derived path occupied by a different source fails instead of clobbering.
- `readSourceFile` returns null for missing files instead of forcing every
caller to launder IO errors; `deleteSource` distinguishes manifest-backed
sources from not-found instead of silently succeeding.
- `sl_write_source` accepts verbatim warehouse identifiers (snake_case is
now a recommendation for new sources) and rejects sourceName/source.name
mismatches; `sl_edit_source` rejects name-changing edits.
- Ingest projection commits, gate-repair allowlists, and touched-source
derivation use resolved paths / in-file names instead of interpolating
`<connId>/<name>.yaml`.
- Collapsed the five parallel path derivations and duplicated path-token
helpers onto the shared module; dropped dead service methods.
* fix(sl): resolve sources by declared name end-to-end and gate warehouse SQL with the parser-backed validator
- Key broken/renamed semantic-layer files by their recoverable in-file
name (slSourceNameForFile) so mid-edit sources stay reachable under
their real identity in reads, listings, and search
- Derive finalization touched sources from composed-source diffs and
recover deleted files' declared names from the pre-change commit
instead of parsing hash-derived filenames
- Resolve revert/rollback paths against history (listFilesAtCommit) so
human-renamed files are restored where they lived at preHead
- Validate ingest sql_execution through the daemon's sqlglot
validateReadOnly in the connection's dialect, sharing one
driver-to-dialect map (sql-analysis/dialect.ts) across MCP and ingest
- Harden the local read-only SQL backstop: accept leading comments,
reject smuggled second statements, and strip trailing
semicolons/comments before row-limit wrapping
This commit is contained in:
parent
853f39a7c3
commit
f3f893bf01
51 changed files with 1797 additions and 476 deletions
|
|
@ -5,7 +5,9 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
|
|||
import { initKtxProject } from '../../../src/context/project/project.js';
|
||||
import { KtxQueryError } from '../../../src/errors.js';
|
||||
import { createKtxConnectorCapabilities, type KtxQueryResult, type KtxScanConnector, type KtxSchemaSnapshot } from '../../../src/context/scan/types.js';
|
||||
import { writeLocalSlSource } from '../../../src/context/sl/local-sl.js';
|
||||
import { SemanticLayerService } from '../../../src/context/sl/semantic-layer.service.js';
|
||||
import type { SemanticLayerSource } from '../../../src/context/sl/types.js';
|
||||
import { seedSlSourceFile } from '../sl/sl-source-seeding.test-utils.js';
|
||||
import { createLocalProjectMcpContextPorts } from '../../../src/context/mcp/local-project-ports.js';
|
||||
|
||||
describe('createLocalProjectMcpContextPorts', () => {
|
||||
|
|
@ -739,7 +741,7 @@ describe('createLocalProjectMcpContextPorts', () => {
|
|||
|
||||
it('reads seeded semantic-layer sources', async () => {
|
||||
const project = await initKtxProject({ projectDir: tempDir });
|
||||
await writeLocalSlSource(project, {
|
||||
await seedSlSourceFile(project, {
|
||||
connectionId: 'warehouse',
|
||||
sourceName: 'orders',
|
||||
yaml: [
|
||||
|
|
@ -763,7 +765,92 @@ describe('createLocalProjectMcpContextPorts', () => {
|
|||
});
|
||||
});
|
||||
|
||||
it('rejects path traversal keys before touching the project directory', async () => {
|
||||
it('reads manifest-backed sources with uppercase warehouse identifiers', async () => {
|
||||
const project = await initKtxProject({ projectDir: tempDir });
|
||||
await project.fileStore.writeFile(
|
||||
'semantic-layer/warehouse/_schema/PUBLIC.yaml',
|
||||
[
|
||||
'tables:',
|
||||
' WIDGET_SALES:',
|
||||
' table: PUBLIC.WIDGET_SALES',
|
||||
' columns:',
|
||||
' - name: ID',
|
||||
' type: number',
|
||||
' pk: true',
|
||||
'',
|
||||
].join('\n'),
|
||||
'ktx',
|
||||
'ktx@example.com',
|
||||
'seed uppercase manifest shard',
|
||||
);
|
||||
const ports = createLocalProjectMcpContextPorts(project, { embeddingService: null });
|
||||
|
||||
await expect(
|
||||
ports.semanticLayer?.readSource({ connectionId: 'warehouse', sourceName: 'WIDGET_SALES' }),
|
||||
).resolves.toMatchObject({
|
||||
sourceName: 'WIDGET_SALES',
|
||||
yaml: expect.stringContaining('table: PUBLIC.WIDGET_SALES'),
|
||||
});
|
||||
});
|
||||
|
||||
it('composes an overlay written for an uppercase manifest source at a derived filename', async () => {
|
||||
const project = await initKtxProject({ projectDir: tempDir });
|
||||
await project.fileStore.writeFile(
|
||||
'semantic-layer/warehouse/_schema/PUBLIC.yaml',
|
||||
[
|
||||
'tables:',
|
||||
' WIDGET_SALES:',
|
||||
' table: PUBLIC.WIDGET_SALES',
|
||||
' columns:',
|
||||
' - name: ID',
|
||||
' type: number',
|
||||
' pk: true',
|
||||
'',
|
||||
].join('\n'),
|
||||
'ktx',
|
||||
'ktx@example.com',
|
||||
'seed uppercase manifest shard',
|
||||
);
|
||||
|
||||
// The production write path: agents overlay manifest sources via
|
||||
// SemanticLayerService.writeSource using the verbatim warehouse name.
|
||||
const service = new SemanticLayerService(project.fileStore as never, {} as never, {} as never);
|
||||
const overlay = {
|
||||
name: 'WIDGET_SALES',
|
||||
measures: [{ name: 'widget_sales_count', expr: 'count(*)' }],
|
||||
} as SemanticLayerSource;
|
||||
const write = await service.writeSource('warehouse', overlay, 'ktx', 'ktx@example.com');
|
||||
expect(write.path).toMatch(/^semantic-layer\/warehouse\/widget_sales-[0-9a-f]{8}\.yaml$/);
|
||||
|
||||
const ports = createLocalProjectMcpContextPorts(project, { embeddingService: null });
|
||||
await expect(
|
||||
ports.semanticLayer?.readSource({ connectionId: 'warehouse', sourceName: 'WIDGET_SALES' }),
|
||||
).resolves.toMatchObject({
|
||||
sourceName: 'WIDGET_SALES',
|
||||
yaml: expect.stringContaining('widget_sales_count'),
|
||||
});
|
||||
});
|
||||
|
||||
it('returns a standalone source verbatim even when its YAML is currently broken', async () => {
|
||||
const project = await initKtxProject({ projectDir: tempDir });
|
||||
await project.fileStore.writeFile(
|
||||
'semantic-layer/warehouse/orders.yaml',
|
||||
'name: orders\nmeasures:\n - name: revenue\n expr: [unterminated\n',
|
||||
'ktx',
|
||||
'ktx@example.com',
|
||||
'seed broken source mid-edit',
|
||||
);
|
||||
const ports = createLocalProjectMcpContextPorts(project, { embeddingService: null });
|
||||
|
||||
await expect(
|
||||
ports.semanticLayer?.readSource({ connectionId: 'warehouse', sourceName: 'orders' }),
|
||||
).resolves.toMatchObject({
|
||||
sourceName: 'orders',
|
||||
yaml: expect.stringContaining('[unterminated'),
|
||||
});
|
||||
});
|
||||
|
||||
it('keeps path-traversal keys away from the project directory', async () => {
|
||||
const project = await initKtxProject({ projectDir: tempDir });
|
||||
const ports = createLocalProjectMcpContextPorts(project, { embeddingService: null });
|
||||
|
||||
|
|
@ -774,12 +861,14 @@ describe('createLocalProjectMcpContextPorts', () => {
|
|||
}),
|
||||
).rejects.toThrow('Invalid wiki key "../outside". Wiki keys must be flat; use "outside".');
|
||||
|
||||
// Source reads never derive a file path from the name; a traversal-style
|
||||
// name simply matches no record.
|
||||
await expect(
|
||||
ports.semanticLayer?.readSource({
|
||||
connectionId: 'warehouse',
|
||||
sourceName: '../orders',
|
||||
}),
|
||||
).rejects.toThrow('Unsafe semantic-layer source name');
|
||||
).resolves.toBeNull();
|
||||
});
|
||||
|
||||
it('uses semantic compute for compile-only sl_query when supplied', async () => {
|
||||
|
|
@ -788,7 +877,7 @@ describe('createLocalProjectMcpContextPorts', () => {
|
|||
driver: 'postgres',
|
||||
url: 'env:DATABASE_URL',
|
||||
};
|
||||
await writeLocalSlSource(project, {
|
||||
await seedSlSourceFile(project, {
|
||||
connectionId: 'warehouse',
|
||||
sourceName: 'orders',
|
||||
yaml: [
|
||||
|
|
@ -850,7 +939,7 @@ describe('createLocalProjectMcpContextPorts', () => {
|
|||
driver: 'postgres',
|
||||
url: 'env:DATABASE_URL',
|
||||
};
|
||||
await writeLocalSlSource(project, {
|
||||
await seedSlSourceFile(project, {
|
||||
connectionId: 'warehouse',
|
||||
sourceName: 'orders',
|
||||
yaml: [
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue