heliosdb-proxy 0.4.0

HeliosProxy - Intelligent connection router and failover manager for HeliosDB and PostgreSQL
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364

//! Query Rewriter Configuration
//!
//! Configuration types for the query rewriting system.

use super::rules::RewriteRule;
use std::time::Duration;

/// Query rewriter configuration
#[derive(Debug, Clone)]
pub struct RewriterConfig {
    /// Enable query rewriting
    pub enabled: bool,

    /// Log rewrite operations
    pub log_rewrites: bool,

    /// Log rewrite errors
    pub log_errors: bool,

    /// Rewrite rules
    pub rules: Vec<RewriteRule>,

    /// Automatically expand SELECT * to column list
    pub expand_select_star: bool,

    /// Add default LIMIT to queries without one
    pub add_default_limit: bool,

    /// Default LIMIT value
    pub default_limit: u32,

    /// Maximum query length to process
    pub max_query_length: usize,

    /// Cache rewritten queries by fingerprint
    pub cache_enabled: bool,

    /// Cache TTL
    pub cache_ttl: Duration,

    /// Maximum cache entries
    pub max_cache_entries: usize,

    /// Agent query safety rules
    pub agent_safety: AgentSafetyConfig,
}

impl Default for RewriterConfig {
    fn default() -> Self {
        Self {
            enabled: false,
            log_rewrites: false,
            log_errors: true,
            rules: Vec::new(),
            expand_select_star: false,
            add_default_limit: false,
            default_limit: 1000,
            max_query_length: 1_000_000,
            cache_enabled: true,
            cache_ttl: Duration::from_secs(300),
            max_cache_entries: 10000,
            agent_safety: AgentSafetyConfig::default(),
        }
    }
}

impl RewriterConfig {
    /// Create a new enabled config
    pub fn enabled() -> Self {
        Self {
            enabled: true,
            ..Default::default()
        }
    }

    /// Create a builder
    pub fn builder() -> RewriterConfigBuilder {
        RewriterConfigBuilder::new()
    }
}

/// Builder for RewriterConfig
#[derive(Default)]
pub struct RewriterConfigBuilder {
    config: RewriterConfig,
}

impl RewriterConfigBuilder {
    /// Create a new builder
    pub fn new() -> Self {
        Self {
            config: RewriterConfig {
                enabled: true,
                ..Default::default()
            },
        }
    }

    /// Enable/disable rewriting
    pub fn enabled(mut self, enabled: bool) -> Self {
        self.config.enabled = enabled;
        self
    }

    /// Log rewrites
    pub fn log_rewrites(mut self, log: bool) -> Self {
        self.config.log_rewrites = log;
        self
    }

    /// Log errors
    pub fn log_errors(mut self, log: bool) -> Self {
        self.config.log_errors = log;
        self
    }

    /// Add a rule
    pub fn rule(mut self, rule: RewriteRule) -> Self {
        self.config.rules.push(rule);
        self
    }

    /// Add multiple rules
    pub fn rules(mut self, rules: Vec<RewriteRule>) -> Self {
        self.config.rules.extend(rules);
        self
    }

    /// Enable SELECT * expansion
    pub fn expand_select_star(mut self, enabled: bool) -> Self {
        self.config.expand_select_star = enabled;
        self
    }

    /// Enable default LIMIT
    pub fn add_default_limit(mut self, enabled: bool) -> Self {
        self.config.add_default_limit = enabled;
        self
    }

    /// Set default LIMIT value
    pub fn default_limit(mut self, limit: u32) -> Self {
        self.config.default_limit = limit;
        self
    }

    /// Set max query length
    pub fn max_query_length(mut self, length: usize) -> Self {
        self.config.max_query_length = length;
        self
    }

    /// Enable caching
    pub fn cache_enabled(mut self, enabled: bool) -> Self {
        self.config.cache_enabled = enabled;
        self
    }

    /// Set cache TTL
    pub fn cache_ttl(mut self, ttl: Duration) -> Self {
        self.config.cache_ttl = ttl;
        self
    }

    /// Set agent safety config
    pub fn agent_safety(mut self, config: AgentSafetyConfig) -> Self {
        self.config.agent_safety = config;
        self
    }

    /// Build the config
    pub fn build(self) -> RewriterConfig {
        self.config
    }
}

/// Agent query safety configuration
#[derive(Debug, Clone)]
pub struct AgentSafetyConfig {
    /// Enable agent safety rules
    pub enabled: bool,

    /// Maximum rows for agent queries
    pub max_rows: u32,

    /// Maximum query timeout for agents
    pub max_timeout: Duration,

    /// Forbidden tables for agents
    pub forbidden_tables: Vec<String>,

    /// Required WHERE clause tables
    pub require_where_tables: Vec<String>,

    /// Block DDL for agents
    pub block_ddl: bool,

    /// Block admin commands for agents
    pub block_admin: bool,
}

impl Default for AgentSafetyConfig {
    fn default() -> Self {
        Self {
            enabled: true,
            max_rows: 10000,
            max_timeout: Duration::from_secs(30),
            forbidden_tables: vec![
                "pg_catalog.*".to_string(),
                "information_schema.*".to_string(),
                "system.*".to_string(),
                "secrets".to_string(),
                "credentials".to_string(),
            ],
            require_where_tables: Vec::new(),
            block_ddl: true,
            block_admin: true,
        }
    }
}

impl AgentSafetyConfig {
    /// Create a permissive config (for trusted agents)
    pub fn permissive() -> Self {
        Self {
            enabled: true,
            max_rows: 100000,
            max_timeout: Duration::from_secs(300),
            forbidden_tables: Vec::new(),
            require_where_tables: Vec::new(),
            block_ddl: false,
            block_admin: false,
        }
    }

    /// Create a restrictive config (for untrusted agents)
    pub fn restrictive() -> Self {
        Self {
            enabled: true,
            max_rows: 1000,
            max_timeout: Duration::from_secs(10),
            forbidden_tables: vec![
                "pg_catalog.*".to_string(),
                "information_schema.*".to_string(),
                "system.*".to_string(),
                "secrets".to_string(),
                "credentials".to_string(),
                "users".to_string(),
                "accounts".to_string(),
            ],
            require_where_tables: vec!["*".to_string()],
            block_ddl: true,
            block_admin: true,
        }
    }

    /// Check if a table is forbidden
    pub fn is_forbidden(&self, table: &str) -> bool {
        for pattern in &self.forbidden_tables {
            if pattern.ends_with("*") {
                let prefix = &pattern[..pattern.len() - 1];
                if table.starts_with(prefix) {
                    return true;
                }
            } else if pattern == table {
                return true;
            }
        }
        false
    }
}

/// Built-in rule templates
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum BuiltinRule {
    /// Add index hints
    AddIndexHints,

    /// Expand SELECT *
    ExpandSelectStar,

    /// Add default LIMIT
    AddDefaultLimit,

    /// Add tenant filter
    AddTenantFilter,

    /// Route to specific branch
    RouteToBranch,

    /// Agent safety limits
    AgentSafety,
}

impl BuiltinRule {
    /// Get rule ID
    pub fn id(&self) -> &'static str {
        match self {
            Self::AddIndexHints => "builtin:add_index_hints",
            Self::ExpandSelectStar => "builtin:expand_select_star",
            Self::AddDefaultLimit => "builtin:add_default_limit",
            Self::AddTenantFilter => "builtin:add_tenant_filter",
            Self::RouteToBranch => "builtin:route_to_branch",
            Self::AgentSafety => "builtin:agent_safety",
        }
    }

    /// Get rule description
    pub fn description(&self) -> &'static str {
        match self {
            Self::AddIndexHints => "Add index hints based on query patterns",
            Self::ExpandSelectStar => "Expand SELECT * to column list",
            Self::AddDefaultLimit => "Add LIMIT to queries without one",
            Self::AddTenantFilter => "Add tenant ID filter for multi-tenancy",
            Self::RouteToBranch => "Add branch routing hints",
            Self::AgentSafety => "Apply safety limits for AI agent queries",
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_default_config() {
        let config = RewriterConfig::default();
        assert!(!config.enabled);
        assert!(config.rules.is_empty());
    }

    #[test]
    fn test_config_builder() {
        let config = RewriterConfig::builder()
            .enabled(true)
            .log_rewrites(true)
            .add_default_limit(true)
            .default_limit(500)
            .build();

        assert!(config.enabled);
        assert!(config.log_rewrites);
        assert!(config.add_default_limit);
        assert_eq!(config.default_limit, 500);
    }

    #[test]
    fn test_agent_safety_forbidden_tables() {
        let config = AgentSafetyConfig::default();

        assert!(config.is_forbidden("pg_catalog.pg_tables"));
        assert!(config.is_forbidden("secrets"));
        assert!(!config.is_forbidden("users"));
    }

    #[test]
    fn test_restrictive_agent_config() {
        let config = AgentSafetyConfig::restrictive();

        assert!(config.is_forbidden("users"));
        assert!(config.block_ddl);
        assert_eq!(config.max_rows, 1000);
    }
}