This PR doesn't fully meet our contributing guidelines and PR template.

What needs to be fixed:

• PR description is missing required template sections. Please use the PR template.

Please edit this PR description to address the above within 2 hours, or it will be automatically closed.

If you believe this was flagged incorrectly, please let a maintainer know.

No actionable comments were generated in the recent review. 🎉

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

^{_{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}}

❌ Tests — Failures Detected

TypeScript — 15 failure(s)

• connection_refused [2.53ms]
• timeout [2.42ms]
• permission_denied [2.71ms]
• parse_error [2.39ms]
• oom [2.64ms]
• network_error [2.74ms]
• auth_failure [2.69ms]
• rate_limit [2.88ms]
• internal_error [2.90ms]
• empty_error [0.25ms]
• connection_refused [0.13ms]
• timeout [0.07ms]
• permission_denied [0.07ms]
• parse_error [0.06ms]
• oom [0.07ms]

cc @VJ-yadav
_{Tested at 40886f25 | Run log | Powered by QA Autopilot}

Review — Ready for merge

Scope: Fixes user-reported bug #589 — stored passwords with special characters (@, #, :, /) cause cryptic auth failures because the URI-style connection string was passed through unencoded.

Analysis

• Root-cause diagnosis is correct: sanitizeConnectionString() existed in normalize.ts but was never wired into normalizeConfig()
• Regex fix is important: userinfo split now uses greedy (.+)@([^@]+)$ (last @) instead of first-@ split — this was the silent bug where passwords containing @ got mis-parsed
• Defensive handling is sound:
  • Already-encoded passwords (%XX sequences) are left untouched — idempotent
  • decodeURIComponent wrapped in try/catch with raw-encode fallback for malformed input
  • Non-URI connection strings (Oracle TNS, key=value) pass through unchanged
  • Drivers using individual config fields are unaffected — only connection_string is sanitized
• Single integration point in normalizeConfig() means every URI-based driver benefits automatically (postgres, mongodb, clickhouse, redshift…)

Files changed (3): drivers/src/index.ts (export), drivers/src/normalize.ts (fix + function), tests (+202, -2)

CI status (commit 40886f25)

• ✅ TypeScript, Driver E2E, anti-slop, check-standards, Marker Guard, GitGuardian — all green
• ⚠️ centralized-test-results shows the same generic 15 failures appearing identically on every open PR in this batch — pre-existing altimate-qa flakiness, not caused by this PR

Minor observations (non-blocking)

• Character set /[@:#/?[\]%]/ check is correct but could also include & and space for belt-and-suspenders; current set catches all common breakage
• Could add JSDoc @example showing before/after sanitization — cosmetic only

Recommendation
✅ Ready for merge — rebase on main (BEHIND) and this should go in. Real user pain fix with good test coverage.

cc @anandgupta42 — ready for /release once rebased.

Consensus code-review applied — fixes pushed

Ran a 4-participant consensus review (Claude + GPT 5.4 + Gemini 3.1 Pro + self-review) and applied all flagged fixes.

Real bugs found and fixed

1. CRITICAL — greedy regex corrupted URIs with @ in query/path (Gemini)

• postgresql://u:p@host/db?email=alice@example.com — the rightmost @ was in the query string, not the userinfo separator. The sanitizer treated host/db?email=alice as part of the password and percent-encoded it, producing a broken URI.

2. MAJOR — %XX short-circuit skipped passwords with mixed encoding (both models)

• postgresql://user:p%20ss@word@host/db — partially-encoded password contained both %20 and raw @. The "already-encoded, leave alone" check bailed early and left @ unencoded.

3. MINOR — username-only userinfo skipped entirely (Gemini)

• postgresql://alice@example.com@host/db — email-as-username with unencoded @ broke URI parsing because the function returned early when no colon was present.

Fix approach

• Rewrite the parser to scan for the LAST @ in afterScheme directly rather than first extracting an "authority" segment. The URI spec disallows unencoded path/query/fragment delimiters in authority, but real-world passwords do contain them — honoring user intent over spec.
• Replace the %XX short-circuit + needsEncoding pre-check with a single idempotent encoder (decode → encode) applied to both user and password components. Round-trips already-encoded values unchanged and encodes raw values in one pass.
• Handle username-only userinfo by encoding it when no colon is present.
• Add an ambiguity guard: when the rightmost @ is preceded by /?# but not followed by any delimiter, it's in a query/path/fragment — return the URI untouched and expect the caller to pre-encode.

Test coverage added

11 new tests covering: @ in query string, path, fragment; username-only with @; partially-encoded password with raw @, #; malformed percent sequences; no-port URIs; no-path URIs; and the ambiguous case where both password AND query contain @.

134 driver-normalize tests pass. TypeScript clean. All CI green.

Pushed as 0d473659d5. Ready for merge.