sqlite-provider 0.0.2

A Rust crate that provides a high-level, backend-agnostic abstraction layer over the SQLite3 C API
# sqlite-provider Detailed Implementation Review (2026-02-22)

## Findings (ordered by severity)

1. None active.

## Open questions / assumptions

- No unresolved technical blockers were identified in this review pass.

## Standards Assessment

### Simplicity and module boundaries
- Safe wrapper layering remains clear and close to the design intent:
  - SPI boundary: `src/provider.rs:379`
  - connection/statement/row wrappers: `src/connection/core.rs:8`, `src/statement.rs:10`, `src/row.rs:6`
- The `connection` module is cleanly partitioned by responsibility (`core`, `extensions`, `hooks`) with stable re-exports in `src/connection/mod.rs:1`.

### Public API documentation
- Public API docs are present and strict missing-doc checks pass.
- Representative documented surfaces:
  - SPI ownership and lifetime contracts: `src/provider.rs:483`, `src/provider.rs:511`
  - raw-bytes safety contract: `src/provider.rs:252`
  - extension RAII wrappers: `src/connection/extensions.rs:13`

### Critical test coverage
- Core lifecycle and failure-path coverage is strong:
  - stale-handle callback drop ordering: `tests/integration.rs:1644`, `tests/integration.rs:1694`, `tests/integration.rs:1751`
  - registration-failure ownership cleanup: `tests/integration.rs:2064`, `tests/integration.rs:2083`
  - alignment-sensitive aggregate/window state: `tests/integration.rs:1375`, `tests/integration.rs:1416`
  - parser parity corpus and generated suffix matrix: `sqlite-provider-abi/tests/libsqlite3_end_to_end.rs:962`, `sqlite-provider-abi/tests/libsqlite3_end_to_end.rs:996`
  - optional ABI failure contract checks: `sqlite-provider-abi/tests/libsqlite3_end_to_end.rs:1119`, `tests/abi_blackbox/test_sqlite_abi.py:349`
  - no-default-backend out-param contract: `sqlite-provider-abi/tests/no_default_features_out_params.rs:11`
  - standalone Python runtime guard coverage: `tests/python_runner.rs:40`, `tests/python_runner.rs:63`

### Performance / allocation behavior
- Hot read paths stay allocation-light via borrowed views:
  - `ValueRef` and row borrowed access: `src/value.rs:95`, `src/row.rs:56`
- UDF/vtab argument processing uses inline small buffers before heap fallback:
  - `src/function.rs:63`, `src/vtab.rs:76`
- ABI boundary allocations are mostly isolated to ABI conversion points, while core iteration remains borrowed.

### Safety and FFI robustness
- Panic containment is consistently applied across callback trampolines:
  - UDF/aggregate/window: `src/function.rs:163`, `src/function.rs:236`, `src/function.rs:484`
  - hooks: `src/connection/hooks.rs:404`, `src/connection/hooks.rs:432`
  - virtual tables: `src/vtab.rs:270`, `src/vtab.rs:473`
- Callback registration tracking prevents stale-handle unregister from tearing down newer callbacks: `src/connection/hooks.rs:446`, `src/connection/hooks.rs:540`.
- ABI out-parameter sanitization for sensitive failure paths is explicit:
  - `sqlite3_open_v2`: `sqlite-provider-abi/src/exports.rs:76`
  - `sqlite3_serialize`: `sqlite-provider-abi/src/exports.rs:2061`
  - `sqlite3_blob_open`: `sqlite-provider-abi/src/exports.rs:2146`
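
The two contracts named above, panic containment in a callback trampoline and out-parameter sanitization on failure, can be shown together in one small trampoline. This is an added example, not code from `sqlite-provider`; `Opener`, `open_trampoline`, `call`, the sample callbacks and the status constants are hypothetical names, and the `u32` payload stands in for a real handle.

```rust
use std::ffi::c_void;
use std::os::raw::c_int;
use std::panic::{catch_unwind, AssertUnwindSafe};

// Status codes for this sketch; the values mirror SQLITE_OK and SQLITE_ERROR.
pub const OK: c_int = 0;
pub const ERROR: c_int = 1;

/// Hypothetical user callback: yields a handle payload or an error message.
pub type Opener = fn(c_int) -> Result<Box<u32>, String>;

/// Trampoline invoked from C. `user` points at an `Opener`, `out` receives the handle.
/// A panic never unwinds across the FFI edge, and `*out` is null on every failure.
pub unsafe extern "C" fn open_trampoline(user: *mut c_void, flags: c_int, out: *mut *mut u32) -> c_int {
    if out.is_null() {
        return ERROR;
    }
    // Sanitize first: whatever the caller left in *out is cleared before any work.
    unsafe { *out = std::ptr::null_mut() };
    if user.is_null() {
        return ERROR;
    }
    let opener = unsafe { *(user as *const Opener) };
    // catch_unwind converts a panic in user code into an ordinary error code.
    match catch_unwind(AssertUnwindSafe(|| opener(flags))) {
        Ok(Ok(handle)) => {
            unsafe { *out = Box::into_raw(handle) };
            OK
        }
        Ok(Err(_)) | Err(_) => ERROR,
    }
}

/// Drives the trampoline the way a C caller would, starting from a stale out-pointer.
pub fn call(mut opener: Opener, flags: c_int) -> (c_int, Option<u32>) {
    let mut out = 0xdead_usize as *mut u32; // constructed stale value, never dereferenced
    let rc = unsafe { open_trampoline(&mut opener as *mut Opener as *mut c_void, flags, &mut out) };
    // Reclaim ownership of the handle on success so the example does not leak.
    let value = if out.is_null() { None } else { Some(unsafe { *Box::from_raw(out) }) };
    (rc, value)
}

pub fn good(flags: c_int) -> Result<Box<u32>, String> { Ok(Box::new(flags as u32)) }
pub fn failing(_: c_int) -> Result<Box<u32>, String> { Err("constructed failure".into()) }
pub fn panicking(_: c_int) -> Result<Box<u32>, String> { panic!("constructed panic") }

fn main() {
    println!("{:?} {:?} {:?}", call(good, 7), call(failing, 7), call(panicking, 7));
}
```

Clearing `*out` before any fallible work is what keeps the error and panic paths from leaving the caller's stale pointer in place.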

### Backward compatibility and file formats
- No on-disk or file-format changes were identified.
- ABI surface remains exercised by black-box ctypes parity tests (`tests/abi_blackbox/test_sqlite_abi.py:30`).

## Design-Doc Conformance (`sqlite-provider.md`)

- Core goals are met: backend-agnostic SPI, safe high-level wrappers, RAII ownership, borrowed hot-path value access, and panic containment at FFI edges.
- Implementation includes additional ABI/adaptor crates (`sqlite-provider-abi`, `sqlite-provider-sqlite3`) beyond the design document’s core crate scope; this is consistent with the SPI-first architecture rather than in conflict with it.

## Validation Evidence (this pass)

- `cargo test`: pass (`11` unit, `41` integration, `2` python-runner tests).
- `cargo test -p sqlite-provider-abi`: pass (`35` unit, `28` e2e, `10` mock).
- `cargo test -p sqlite-provider-sqlite3`: pass (`4` tests).
- `cargo clippy --all-targets --all-features`: pass.
- `RUSTDOCFLAGS='-Wmissing-docs' cargo doc -p sqlite-provider --no-deps`: pass.
- `RUSTDOCFLAGS='-Wmissing-docs' cargo doc -p sqlite-provider-abi --no-deps`: pass.
- `RUSTDOCFLAGS='-Wmissing-docs' cargo doc -p sqlite-provider-sqlite3 --no-deps`: pass.
- `make test-abi-blackbox`: pass (`18/18`).
- `make test-sqlite-provider-py`: pass (`4/4`).
- `cargo test -p sqlite-provider-abi --no-default-features --test no_default_features_out_params`: pass (`1/1`).
- Additional ABI parity probe: custom destructor callbacks are not invoked for `sqlite3_result_text/blob(..., NULL, ...)` in system SQLite, matching current shim behavior.

## Residual Risks

- `sqlite3_complete`/statement splitting depends on a custom parser with finite parity corpus coverage (`sqlite-provider-abi/src/parser.rs:54`, `sqlite-provider-abi/tests/libsqlite3_end_to_end.rs:962`).
- Optional ABI families are now covered by focused failure-path regressions and black-box checks, but fuzz/stress depth remains an optional hardening area.

## Production-readiness verdict

- Production-ready for the reviewed scope, with no active defects identified.