feat(sql): null-check SELECT * and recognise CTE names (L4/L2 soundness)#42
Merged
Conversation
…uarantee
Continues the flagship semantic-proof coverage (InjectionFree level 5,
SchemaBound level 2) with TypeCompat (level 3: "operand types compatible").
Adds `Typedqliser.ABI.TypeCompat`, to the same quality bar:
* a small SQL type universe (`SqlType`) and a typed column environment
(`ColEnv`) with a total `lookupType` resolver, reusing the existing
`Query`/`Pred`/`Value` AST;
* `ValueCompat`/`PredTypeCompat`/`QueryTypeCompat` — the proposition that
every WHERE comparison compares a column against a value of a matching
type (a bound parameter adopts the column's type; a literal is TInt; a
raw splice is TText). There is no constructor for a type clash, so a
mismatched comparison is uninhabited;
* `decQueryTypeCompat` — a sound + complete `Dec`, so a "Proven" TypeCompat
certificate is backed by a constructive witness and a type clash can
never be certified;
* `certifyTypeCompatSound` (a `Proven` verdict provably entails the
property); `typeCompatIsLevelThree : levelNat TypeCompat = 3`;
* positive control (a well-typed query, with the certifier computing to
`Proven`) and negative control (`name : Text` compared to an integer
literal provably cannot be certified).
Verified with idris2 0.7.0: `idris2 --build typedqliser-abi.ipkg` exits 0 with
zero warnings (all 7 modules). Adversarially checked — three deliberately-false
proofs (wrong level ordinal, a TInt literal certified against a TText column,
and a type-compatible witness for the clash query) are all rejected by the
type checker.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Adds Typedqliser.ABI.Invariants, a second, deeper, distinct machine-checked property over the existing Semantics query model (Query/Pred/Value reused verbatim). Where the Layer-2 flagship (Semantics.InjectionFree, level 5) is a purely structural property, NullSafe (level 4) is context-sensitive: a projected nullable column is safe only if the WHERE predicate guards it, with guards discovered by union under And and intersection under Or (disjunctive weakening). Includes a sound + complete decision procedure (decQueryNullSafe : Dec ...), a certifier proven sound (certifyNullSafeSound), the level-ordinal identity plus a proof it differs from InjectionFree, three positive controls and three non-vacuity controls (unguarded projection, And/union, Or/intersection). Builds clean with zero warnings; the deliberately-false adversarial proof is rejected. No believe_me/postulate/assert_total/%hint; %default total throughout. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Prove the FFI result-code encoding is SOUND: the C integer the Zig FFI returns faithfully round-trips back to the ABI value, and distinct ABI outcomes never collide on the wire. - intToResult / intToStatus: total decoders (if x == n over boolean Bits32 ==, which reduces on concrete literals). - resultRoundTrip / statusRoundTrip: lossless encoding, proved by Refl. - resultToIntInjective / statusToIntInjective: injectivity DERIVED from the round-trip via a local justInj + cong. - Positive controls (decodeOk/decodeNullPointer/decodeUnknown/decodeProven) and machine-checked non-vacuity controls (okNotError, schemaNotNull, provenNotRefuted) refuting collisions of distinct codes. Genuine total proof: no believe_me / postulate / assert_total / sorry. Builds clean with zero warnings; a false seam claim is rejected by --check. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
Assemble the existing per-layer proofs into one inhabited record `ABISound` and a single value `abiContractDischarged` built from the already-exported witnesses: - Layer-2 flagship: safeQueryInjectionFree (InjectionFree, level 5) - Layer-2 companions: boundQuerySchemaBound (SchemaBound, level 2), goodQueryTypeCompat (TypeCompat, level 3) - Layer-3 invariant: guardedQueryNullSafe (NullSafe, level 4) - Layer-4 FFI seam: resultToIntInjective The capstone proves no new domain theorem; its content is that the whole chain holds simultaneously — if any prior layer were unsound the value would not typecheck. Adversarial control: a false certificate (deriving Ok = Error through the seam) is rejected by the typechecker. %default total, SPDX MPL-2.0, zero warnings. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
…ble fix); port ABI-FFI gate Python->Bash (Python is estate-banned) Resolves the standing baseline CI reds (rust-ci toolchain error, governance Language/anti-pattern, governance workflow-lint) without altering the proven ABI. The Bash gate reproduces the former Python gate's verdict verbatim (validated across all -iser repos) and catches the same drift classes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01A6PSzJWpRxtzGDjUCEh7Mx
…simiser) in place of the interim Bash port
…t --check + clippy -D warnings clean
Aliased column references like `u.id` in `FROM users u` were not resolved to their real table, so the schema-binding (L2), type-compatibility (L3), and null-safety (L4) checks mishandled them: L2 raised false positives on valid aliased queries, while L3/L4 silently skipped aliased columns (false negatives). Build a qualifier->table map from the FROM/JOIN clauses and resolve qualifiers through it across all three levels, including alias-qualified projections in the null check. Strengthens the previously no-op l2_valid_multi_table_join test and adds L2/L3/L4 alias-resolution tests.
Two more soundness holes in the SQL safety levels: - L4 (null-safety): `SELECT *` / `u.*` were not expanded, so nullable columns selected via a wildcard were silently not flagged. Expand a wildcard to the in-scope table columns (resolving the alias for a qualified `u.*`) and flag the nullable ones. - L2 (schema-binding): a `WITH cte AS (...)` name referenced in FROM was reported as 'table not found', a false positive. Collect CTE names and exclude them from the table-existence check. Updates l4_select_star (was a no-op documenting the gap) to assert the nullable columns are now flagged, and adds an L2 CTE test.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two more soundness holes in the SQL safety levels (continuing the typedqliser-soundness pass):
SELECT *was never null-checked. Wildcards don't produce per-columnIdentifierexpressions, soSELECT * FROM userssilently passed even thoughemail/ageare nullable (a false negative, previously documented by a no-op test). Now a wildcard is expanded to the in-scope table's columns — resolving the alias for a qualifiedu.*— and its nullable columns are flagged.WITH cte AS (…) SELECT … FROM ctereferencedcteinFROM, which was reported as "table not found in schema". CTE names are now collected from theWITHclause and excluded from the table-existence check.Changes
src/plugins/sql.rs: addextract_cte_names; skip CTE names in the L2 table check; expandSelectItem::Wildcard/QualifiedWildcardinnull_check(L4), flagging nullable columns (qualified wildcard resolved through the alias map).Testing
l4_select_star_not_flagged(a no-op documenting the gap) withl4_select_star_flags_nullable— assertsemailandageare flagged and non-nullableid/nameare not.l2_cte_name_not_flagged_as_missing_table.cargo fmt --check,cargo clippy --locked --all-targets -- -D warnings,cargo test --locked --all-targets(120 tests).RSR Quality Checklist
cargo test --locked --all-targets)cargo fmt --all -- --check)cargo clippy --locked --all-targets -- -D warnings)🤖 Generated with Claude Code
Generated by Claude Code