Spike SQLite built-ins for parser dependency analysis#132
Conversation
commit: |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 4dd92ee. Configure here.
| (left, right) => | ||
| sourceOrder(left).localeCompare(sourceOrder(right)) || | ||
| left.relation.localeCompare(right.relation) || | ||
| left.column.localeCompare(right.column) || |
There was a problem hiding this comment.
Sort crashes on null column in localeCompare
Medium Severity
left.column.localeCompare(right.column) throws a TypeError when column is null. The Reference type explicitly declares column: string | null, and the authorizer produces null-column entries (line 159: column: column || null). The sourceOrder helper correctly handles nullable source with || '', but no equivalent null-safe handling exists for column in the sort comparator. If two references with the same source and relation but null columns need to be compared, this crashes at runtime.
Reviewed by Cursor Bugbot for commit 4dd92ee. Configure here.
| }); | ||
|
|
||
| test('column origin and explain query plan do not replace dependency analysis', () => { | ||
| using fixture = createAuthorizerFixture(); |
There was a problem hiding this comment.
Test not skipped when setAuthorizer is unavailable
Medium Severity
The "column origin and explain query plan" test on line 114 uses test instead of authorizerTest, but calls createAuthorizerFixture() which unconditionally invokes database.setAuthorizer(...). On Node versions without setAuthorizer, the other tests are correctly skipped via authorizerTest, but this one will crash with a TypeError. The test's assertions only exercise statement.columns() and explain query plan, not the authorizer itself, so it appears unintentionally coupled to the authorizer API.
Reviewed by Cursor Bugbot for commit 4dd92ee. Configure here.
1 participant
Summary
Runs the first bounded parser-task spike: check whether SQLite built-ins can narrow the need for a full SQL parser in schemadiff dependency analysis.
The result is executable evidence, not product integration.
node:sqliteauthorizer callbacks can report useful dependency facts for check constraints, partial indexes, views, triggers, and table-only reads, butDatabaseSync.setAuthorizer()only exists in Node v24.10.0+, so a future implementation needs a feature check/fallback or an explicit engine decision.Findings
sqlite3_set_authorizer()is the useful built-in for semantic dependency facts.StatementSync.columns()/sqlite3_column_origin_name()helps for result-column origins only, notwhereor other non-output dependencies.explain/explain query planis not a dependency API; the output is plan-oriented and unstable.sqlite3_stmt_scanstatus()is performance telemetry, not semantic dependency analysis.Checks
pnpm --dir packages/sqlfu exec vitest run test/schemadiff/sqlite-builtins-spike.test.tspassedpnpm exec oxfmt --check packages/sqlfu/test/schemadiff/sqlite-builtins-spike.test.ts tasks/parser.mdpassedgit diff --checkpassedFollow-up
Prototype an internal feature-gated authorizer-backed dependency probe before pulling in a parser. Keep parser adoption scoped to adapter-independent analysis, incomplete SQL fragments, and AST-level transformations that authorizer callbacks cannot cover.
Note
Low Risk
Adds a skipped-when-unsupported spec and task documentation only; no production code paths change. Risk is limited to potential CI/runtime variance due to reliance on
node:sqliteAPIs gated by Node version.Overview
Documents the completed SQLite built-ins investigation in
tasks/parser.md, including conclusions about which SQLite/Node APIs can (and cannot) support schema-body dependency analysis and what future integration decisions remain.Adds an executable Vitest spec (
sqlite-builtins-spike.test.ts) that probesnode:sqlite’sDatabaseSync.setAuthorizer()behavior for dependency reporting acrossCHECKconstraints, partial indexes, views, and triggers, and demonstrates thatStatementSync.columns()andEXPLAIN QUERY PLANdon’t capture non-result-column dependencies. The spec is feature-gated and skips whensetAuthorizeris unavailable.Reviewed by Cursor Bugbot for commit 4dd92ee. Bugbot is set up for automated code reviews on this repo. Configure here.
Package size — packed 239.4 kB (no change)
Package size
dist/vendor/*.jsbundlesvendor/sha256.jsvendor/sql-formatter/*.jsvendor/sqlfu-sqlite-parser/*.jsvendor/standard-schema/*.jsvendor/typesql/*.jsMeasured with
npm pack --dry-run --jsononsqlfu(0.0.3-7 on main vs 0.0.3-7 on this PR).