fix: address 7 P1 findings from v0.5.16 release evaluation (#591)

* fix: address 7 P1 findings from v0.5.16 release evaluation (#590)

ClickHouse driver:
- Silently ignore `binds` param (was throwing, inconsistent with other drivers)
- Strip SQL comments before LIMIT check to prevent `-- LIMIT` bypass
- Remove redundant `hasDML` regex (dead code after `isDDL` routing)
- Replace fragile `position(type, 'Nullable')` SQL with TS regex on type string
- Add connection guard: `execute()` before `connect()` throws clear error

Query history:
- Rename `{days:UInt32}` placeholders to `__DAYS__`/`__LIMIT__` to avoid
  confusion with ClickHouse native query parameter syntax

Docs:
- Update warehouse count from 10 to 12

Tests:
- Add 39 unit tests for ClickHouse driver (DDL routing, LIMIT injection,
  truncation, nullable, connection lifecycle, binds, column mapping)
- Remove stale "ClickHouse unsupported" test

* fix: address code review findings for ClickHouse driver (#592)

SQL parsing hardening (from 6-model consensus review):
- Strip string literals before comments to prevent false matches
- Run `supportsLimit` and `isDDL` on cleaned SQL (fixes leading comment bypass)
- Append LIMIT with newline instead of space (fixes trailing comment bypass)

Nullable detection:
- Fix `LowCardinality(Nullable(T))` regression — `LowCardinality` is a storage
  optimization, not a semantic wrapper; column IS nullable

Tests:
- Fix `LowCardinality(Nullable(String))` assertion to `true`
- Add `LowCardinality(String)` non-nullable test
- Add trailing comment, leading comment, string literal LIMIT bypass tests
- Remove residual no-op comment in `driver-security.test.ts`

* fix: address CodeRabbit PR comments — docs, test assertions, await

- Add Oracle and SQLite docs sections to warehouses.md (were supported
  but undocumented, making "12 warehouse types" claim incomplete)
- Use strict `toBe` assertions for LIMIT comment bypass tests to verify
  exact query shape (not just substring)
- Add missing `await` on `rejects.toThrow` to prevent flaky test

* fix: add connection guards to listSchemas, listTables, describeTable

Add consistent not-connected guard to all ClickHouse query methods,
matching the guard already present in execute(). Without this, calling
these methods before connect() would throw an unhelpful TypeError
instead of a clear error message.

* fix: handle doubled-quote string escaping in SQL cleaning regex

The string literal stripping regex now handles ClickHouse's doubled-quote
escape convention (`'it''s'`) in addition to backslash escaping (`\'`).

* test: add WITH...SELECT LIMIT injection tests

Cover the CTE branch of LIMIT injection logic — both appending LIMIT
to a bare WITH...SELECT and skipping when one already exists.

Author: anandgupta42

docs/docs/configure/warehouses.md

@@ -1,6 +1,6 @@
 # Warehouses
 
-Altimate Code connects to 10 warehouse types. Configure them in `.altimate-code/connections.json` (project-local) or `~/.altimate-code/connections.json` (global).
+Altimate Code connects to 12 warehouse types. Configure them in `.altimate-code/connections.json` (project-local) or `~/.altimate-code/connections.json` (global).
 
 ## Configuration
 
@@ -348,6 +348,53 @@ If you're already authenticated via `gcloud`, omit `credentials_path`:
 !!! info "Server compatibility"
     The ClickHouse driver supports ClickHouse server versions 23.3 and later, covering all non-EOL releases. This includes LTS releases 23.8, 24.3, 24.8, and all stable releases through the current version.
 
+## Oracle
+
+```json
+{
+  "oracle-prod": {
+    "type": "oracle",
+    "host": "localhost",
+    "port": 1521,
+    "service_name": "ORCL",
+    "user": "analyst",
+    "password": "{env:ORACLE_PASSWORD}"
+  }
+}
+```
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `connection_string` | No | Full connect string (alternative to individual fields, e.g. `host:1521/ORCL`) |
+| `host` | No | Hostname (default: `127.0.0.1`) |
+| `port` | No | Port (default: `1521`) |
+| `service_name` | No | Oracle service name (default: `ORCL`) |
+| `database` | No | Alias for `service_name` |
+| `user` | No | Username |
+| `password` | No | Password |
+
+!!! info "Pure JavaScript driver"
+    The Oracle driver uses `oracledb` in thin mode (pure JavaScript) — no Oracle Instant Client installation is required.
+
+## SQLite
+
+```json
+{
+  "dev-sqlite": {
+    "type": "sqlite",
+    "path": "./dev.sqlite"
+  }
+}
+```
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `path` | No | Database file path. Omit or use `":memory:"` for in-memory |
+| `readonly` | No | Open in read-only mode (default: `false`) |
+
+!!! note
+    SQLite uses Bun's built-in `bun:sqlite` driver. WAL journal mode is enabled automatically for writable databases.
+
 ## SQL Server
 
 ```json

packages/drivers/src/clickhouse.ts

@@ -60,17 +60,25 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
       client = createClient(clientConfig)
     },
 
-    async execute(sql: string, limit?: number, binds?: any[]): Promise<ConnectorResult> {
-      if (binds && binds.length > 0) {
-        throw new Error("ClickHouse driver does not support parameterized binds — use ClickHouse query parameters instead")
+    async execute(sql: string, limit?: number, _binds?: any[]): Promise<ConnectorResult> {
+      if (!client) {
+        throw new Error("ClickHouse client not connected — call connect() first")
       }
       const effectiveLimit = limit === undefined ? 1000 : limit
       let query = sql
+
+      // Strip string literals, then comments, for accurate SQL heuristic checks.
+      // This prevents comment-like content inside strings from fooling detection,
+      // and ensures leading/trailing comments don't hide keywords.
+      const sqlCleaned = sql
+        .replace(/'(?:[^'\\]|\\.|\'{2})*'/g, "") // strip single-quoted strings (handles \' and '' escaping)
+        .replace(/--[^\n]*/g, "") // strip line comments
+        .replace(/\/\*[\s\S]*?\*\//g, "") // strip block comments
+
       // Only SELECT and WITH...SELECT support LIMIT — SHOW/DESCRIBE/EXPLAIN/EXISTS do not
-      const supportsLimit = /^\s*(SELECT|WITH)\b/i.test(sql)
+      const supportsLimit = /^\s*(SELECT|WITH)\b/i.test(sqlCleaned)
       const isDDL =
-        /^\s*(INSERT|CREATE|DROP|ALTER|TRUNCATE|RENAME|ATTACH|DETACH|OPTIMIZE|SYSTEM|SET|USE|GRANT|REVOKE)\b/i.test(sql)
-      const hasDML = /\b(INSERT|CREATE|DROP|ALTER|TRUNCATE|RENAME|ATTACH|DETACH|OPTIMIZE|SYSTEM)\b/i.test(sql)
+        /^\s*(INSERT|CREATE|DROP|ALTER|TRUNCATE|RENAME|ATTACH|DETACH|OPTIMIZE|SYSTEM|SET|USE|GRANT|REVOKE)\b/i.test(sqlCleaned)
 
       // DDL/DML: use client.command() — no result set expected
       if (isDDL) {
@@ -79,9 +87,9 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
       }
 
       // Read queries: use client.query() with JSONEachRow format
-      // Only append LIMIT for SELECT/WITH queries (not SHOW/DESCRIBE/EXPLAIN/EXISTS)
-      if (supportsLimit && !hasDML && effectiveLimit > 0 && !/\bLIMIT\b/i.test(sql)) {
-        query = `${sql.replace(/;\s*$/, "")} LIMIT ${effectiveLimit + 1}`
+      // Only append LIMIT for SELECT/WITH queries that don't already have one.
+      if (supportsLimit && effectiveLimit > 0 && !/\bLIMIT\b/i.test(sqlCleaned)) {
+        query = `${sql.replace(/;\s*$/, "")}\nLIMIT ${effectiveLimit + 1}`
       }
 
       const resultSet = await client.query({
@@ -108,6 +116,9 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
     },
 
     async listSchemas(): Promise<string[]> {
+      if (!client) {
+        throw new Error("ClickHouse client not connected — call connect() first")
+      }
       const resultSet = await client.query({
         query: "SHOW DATABASES",
         format: "JSONEachRow",
@@ -117,6 +128,9 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
     },
 
     async listTables(schema: string): Promise<Array<{ name: string; type: string }>> {
+      if (!client) {
+        throw new Error("ClickHouse client not connected — call connect() first")
+      }
       const resultSet = await client.query({
         query: `SELECT name, engine
                 FROM system.tables
@@ -133,9 +147,11 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
     },
 
     async describeTable(schema: string, table: string): Promise<SchemaColumn[]> {
+      if (!client) {
+        throw new Error("ClickHouse client not connected — call connect() first")
+      }
       const resultSet = await client.query({
-        query: `SELECT name, type,
-                       position(type, 'Nullable') > 0 AS is_nullable
+        query: `SELECT name, type
                 FROM system.columns
                 WHERE database = {db:String}
                   AND table = {tbl:String}
@@ -147,7 +163,9 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
       return rows.map((r) => ({
         name: r.name as string,
         data_type: r.type as string,
-        nullable: r.is_nullable === 1 || r.is_nullable === true || r.is_nullable === "1",
+        // Detect Nullable from the type string directly — stable across all versions.
+        // LowCardinality(Nullable(T)) is also nullable (LowCardinality is a storage optimization).
+        nullable: /^(?:LowCardinality\(\s*)?Nullable\b/i.test((r.type as string) ?? ""),
       }))
     },