sqry_core/query/security/mod.rs
1//! Security controls for query execution
2//!
3//! This module provides the security infrastructure for CD queries,
4//! enforcing NON-NEGOTIABLE limits specified in the security requirements:
5//!
6//! - **Timeout**: 30s hard ceiling (spec AC-8)
7//! - **Result cap**: 10k default results (spec AC-9)
8//! - **Memory limit**: 512MB default (spec AC-10)
9//!
10//! # Architecture
11//!
12//! ```text
13//! ┌─────────────────────────────────────────────────────────────────┐
14//! │ QuerySecurityConfig │
15//! │ - timeout: Duration (max 30s) │
16//! │ - result_cap: usize (default 10k) │
17//! │ - memory_limit: usize (default 512MB) │
18//! └─────────────────────────────────────────────────────────────────┘
19//! │
20//! ▼
21//! ┌─────────────────────────────────────────────────────────────────┐
22//! │ QueryGuard │
23//! │ - Tracks elapsed time, result count, memory usage │
24//! │ - should_continue() -> Result<(), QuerySecurityError> │
25//! │ - record_result(estimated_size) │
26//! └─────────────────────────────────────────────────────────────────┘
27//! │
28//! ▼
29//! ┌─────────────────────────────────────────────────────────────────┐
30//! │ QueryResultSet<T> │
31//! │ - results: Vec<T> │
32//! │ - status: QueryCompletionStatus │
33//! │ - Returns partial results when limits exceeded │
34//! └─────────────────────────────────────────────────────────────────┘
35//! ```
36//!
37//! # Example
38//!
39//! ```
40//! use sqry_core::query::security::{QuerySecurityConfig, QueryGuard};
41//! use std::time::Duration;
42//!
43//! // Create security config (30s timeout is capped automatically)
44//! let config = QuerySecurityConfig::default()
45//! .with_timeout(Duration::from_secs(10))
46//! .with_result_cap(1000);
47//!
48//! // Create guard for query execution
49//! let guard = QueryGuard::new(config);
50//!
51//! // Check limits during query execution
52//! assert!(guard.should_continue().is_ok());
53//!
54//! // Record results with estimated memory footprint
55//! guard.record_result(128); // 128 bytes per result
56//! guard.record_result(128);
57//!
58//! // Check current state
59//! assert_eq!(guard.result_count(), 2);
60//! assert_eq!(guard.memory_usage(), 256);
61//! ```
62//!
63//! For a complete usage example with partial results, see the integration pattern
64//! in [`QueryGuard`] documentation.
65
66mod audit;
67mod config;
68mod guard;
69mod recursion_guard;
70
71pub use audit::{
72 AppliedLimits, AuditLogConfig, PathValidationError, QueryAuditEntry, QueryAuditLogger,
73 QueryOutcome,
74};
75pub use config::QuerySecurityConfig;
76pub use guard::{QueryCompletionStatus, QueryGuard, QueryResultSet, QuerySecurityError};
77pub use recursion_guard::{ExprFuelCounter, RecursionError, RecursionGuard};