merge: resolve conflict with origin/main in pyproject.toml

Keep both our dev dependencies and main's new security/docker/tunneling
optional dependency groups.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: anandgupta42

packages/altimate-code/src/agent/agent.ts

@@ -113,6 +113,7 @@ export namespace Agent {
             lineage_check: "allow",
             warehouse_list: "allow",
             warehouse_test: "allow",
+            warehouse_discover: "allow",
             schema_inspect: "allow",
             schema_index: "allow",
             schema_search: "allow",
@@ -169,6 +170,7 @@ export namespace Agent {
             lineage_check: "allow",
             warehouse_list: "allow",
             warehouse_test: "allow",
+            warehouse_discover: "allow",
             schema_inspect: "allow",
             schema_index: "allow",
             schema_search: "allow",

packages/altimate-code/src/bridge/protocol.ts

@@ -218,6 +218,50 @@ export interface WarehouseTestResult {
   error?: string
 }
 
+// --- Warehouse Management ---
+
+export interface WarehouseAddParams {
+  name: string
+  config: Record<string, unknown>
+}
+
+export interface WarehouseAddResult {
+  success: boolean
+  name: string
+  type: string
+  error?: string
+}
+
+export interface WarehouseRemoveParams {
+  name: string
+}
+
+export interface WarehouseRemoveResult {
+  success: boolean
+  error?: string
+}
+
+// --- Docker Discovery ---
+
+export interface DockerContainer {
+  container_id: string
+  name: string
+  image: string
+  db_type: string
+  host: string
+  port: number
+  user?: string
+  password?: string
+  database?: string
+  status: string
+}
+
+export interface WarehouseDiscoverResult {
+  containers: DockerContainer[]
+  container_count: number
+  error?: string
+}
+
 // --- Schema Cache (Indexing & Search) ---
 
 export interface SchemaIndexParams {
@@ -1000,6 +1044,9 @@ export const BridgeMethods = {
   "dbt.lineage": {} as { params: DbtLineageParams; result: DbtLineageResult },
   "warehouse.list": {} as { params: WarehouseListParams; result: WarehouseListResult },
   "warehouse.test": {} as { params: WarehouseTestParams; result: WarehouseTestResult },
+  "warehouse.add": {} as { params: WarehouseAddParams; result: WarehouseAddResult },
+  "warehouse.remove": {} as { params: WarehouseRemoveParams; result: WarehouseRemoveResult },
+  "warehouse.discover": {} as { params: Record<string, never>; result: WarehouseDiscoverResult },
   "finops.query_history": {} as { params: QueryHistoryParams; result: QueryHistoryResult },
   "finops.analyze_credits": {} as { params: CreditAnalysisParams; result: CreditAnalysisResult },
   "finops.expensive_queries": {} as { params: ExpensiveQueriesParams; result: ExpensiveQueriesResult },

packages/altimate-code/src/tool/registry.ts

@@ -32,6 +32,9 @@ import { SqlTranslateTool } from "./sql-translate"
 import { LineageCheckTool } from "./lineage-check"
 import { WarehouseListTool } from "./warehouse-list"
 import { WarehouseTestTool } from "./warehouse-test"
+import { WarehouseAddTool } from "./warehouse-add"
+import { WarehouseRemoveTool } from "./warehouse-remove"
+import { WarehouseDiscoverTool } from "./warehouse-discover"
 import { SqlRecordFeedbackTool } from "./sql-record-feedback"
 import { SqlPredictCostTool } from "./sql-predict-cost"
 import { DbtRunTool } from "./dbt-run"
@@ -190,6 +193,9 @@ export namespace ToolRegistry {
       LineageCheckTool,
       WarehouseListTool,
       WarehouseTestTool,
+      WarehouseAddTool,
+      WarehouseRemoveTool,
+      WarehouseDiscoverTool,
       SqlRecordFeedbackTool,
       SqlPredictCostTool,
       DbtRunTool,

packages/altimate-code/src/tool/warehouse-add.ts

@@ -0,0 +1,53 @@
+import z from "zod"
+import { Tool } from "./tool"
+import { Bridge } from "../bridge/client"
+
+export const WarehouseAddTool = Tool.define("warehouse_add", {
+  description:
+    "Add a new warehouse connection. Stores credentials securely in OS keyring when available, metadata in connections.json.",
+  parameters: z.object({
+    name: z.string().describe("Name for the warehouse connection"),
+    config: z
+      .record(z.string(), z.unknown())
+      .describe(
+        'Connection configuration. Must include "type" (postgres, snowflake, duckdb, etc). Example: {"type": "postgres", "host": "localhost", "port": 5432, "database": "mydb", "user": "admin", "password": "secret"}',
+      ),
+  }),
+  async execute(args, ctx) {
+    if (!args.config.type) {
+      return {
+        title: `Add '${args.name}': FAILED`,
+        metadata: { success: false, name: args.name, type: "" },
+        output: `Missing required field "type" in config. Specify the database type (postgres, snowflake, duckdb, mysql, sqlserver, bigquery, databricks, redshift).`,
+      }
+    }
+
+    try {
+      const result = await Bridge.call("warehouse.add", {
+        name: args.name,
+        config: args.config,
+      })
+
+      if (result.success) {
+        return {
+          title: `Add '${args.name}': OK`,
+          metadata: { success: true, name: result.name, type: result.type },
+          output: `Successfully added warehouse '${result.name}' (type: ${result.type}).\n\nUse warehouse_test to verify connectivity.`,
+        }
+      }
+
+      return {
+        title: `Add '${args.name}': FAILED`,
+        metadata: { success: false, name: args.name, type: "" },
+        output: `Failed to add warehouse '${args.name}'.\nError: ${result.error ?? "Unknown error"}`,
+      }
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e)
+      return {
+        title: `Add '${args.name}': ERROR`,
+        metadata: { success: false, name: args.name, type: "" },
+        output: `Failed to add warehouse: ${msg}`,
+      }
+    }
+  },
+})

packages/altimate-code/src/tool/warehouse-discover.ts

@@ -0,0 +1,55 @@
+import z from "zod"
+import { Tool } from "./tool"
+import { Bridge } from "../bridge/client"
+
+export const WarehouseDiscoverTool = Tool.define("warehouse_discover", {
+  description:
+    "Discover database containers running in Docker. Detects PostgreSQL, MySQL/MariaDB, and SQL Server containers and extracts connection details from port mappings and environment variables.",
+  parameters: z.object({}),
+  async execute(args, ctx) {
+    try {
+      const result = await Bridge.call("warehouse.discover", {})
+
+      if (result.error) {
+        return {
+          title: "Discover: ERROR",
+          metadata: { count: 0 },
+          output: `Docker discovery failed: ${result.error}`,
+        }
+      }
+
+      if (result.container_count === 0) {
+        return {
+          title: "Discover: no containers found",
+          metadata: { count: 0 },
+          output: "No supported database containers found running in Docker.\n\nSupported types: PostgreSQL, MySQL/MariaDB, SQL Server.\nEnsure Docker is running and containers have published ports.",
+        }
+      }
+
+      const lines: string[] = [
+        "Container | Type | Host:Port | User | Database | Status",
+        "----------|------|-----------|------|----------|-------",
+      ]
+      for (const c of result.containers) {
+        lines.push(
+          `${c.name} | ${c.db_type} | ${c.host}:${c.port} | ${c.user ?? "-"} | ${c.database ?? "-"} | ${c.status}`,
+        )
+      }
+      lines.push("")
+      lines.push("Use warehouse_add to save any of these as a connection.")
+
+      return {
+        title: `Discover: ${result.container_count} container(s) found`,
+        metadata: { count: result.container_count },
+        output: lines.join("\n"),
+      }
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e)
+      return {
+        title: "Discover: ERROR",
+        metadata: { count: 0 },
+        output: `Failed to discover containers: ${msg}\n\nEnsure Docker is running and the docker Python package is installed.`,
+      }
+    }
+  },
+})

packages/altimate-code/src/tool/warehouse-remove.ts

@@ -0,0 +1,36 @@
+import z from "zod"
+import { Tool } from "./tool"
+import { Bridge } from "../bridge/client"
+
+export const WarehouseRemoveTool = Tool.define("warehouse_remove", {
+  description: "Remove a warehouse connection. Deletes both the config entry and any stored keyring credentials.",
+  parameters: z.object({
+    name: z.string().describe("Name of the warehouse connection to remove"),
+  }),
+  async execute(args, ctx) {
+    try {
+      const result = await Bridge.call("warehouse.remove", { name: args.name })
+
+      if (result.success) {
+        return {
+          title: `Remove '${args.name}': OK`,
+          metadata: { success: true },
+          output: `Successfully removed warehouse '${args.name}' and its stored credentials.`,
+        }
+      }
+
+      return {
+        title: `Remove '${args.name}': FAILED`,
+        metadata: { success: false },
+        output: `Failed to remove warehouse '${args.name}'.\nError: ${result.error ?? "Connection not found or is defined via environment variable"}`,
+      }
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e)
+      return {
+        title: `Remove '${args.name}': ERROR`,
+        metadata: { success: false },
+        output: `Failed to remove warehouse: ${msg}`,
+      }
+    }
+  },
+})

packages/altimate-engine/pyproject.toml

@@ -25,7 +25,6 @@ classifiers = [
 ]
 dependencies = [
     "pydantic>=2.0",
-    "sqlglot>=25.0",
     "pyyaml>=6.0",
 ]
 
@@ -47,6 +46,9 @@ warehouses = [
     "mysql-connector-python>=8.0",
     "pyodbc>=5.0",
 ]
+security = ["keyring>=24.0"]
+docker = ["docker>=7.0"]
+tunneling = ["sshtunnel>=0.4", "paramiko>=3.0"]
 dev = [
     "pytest>=7.0",
     "ruff>=0.4",

packages/altimate-engine/src/altimate_engine/ci/cost_gate.py

@@ -1,11 +1,11 @@
 """CI cost gate — scan changed SQL files for critical issues.
 
-Reads SQL files, runs existing analyze_sql(), and returns
+Reads SQL files, runs lint analysis, and returns
 pass/fail based on whether CRITICAL severity issues are found.
 
 Skips:
   - Jinja templates ({{ }}, {% %})
-  - sqlglot parse errors (likely Jinja or non-standard SQL)
+  - Parse errors (likely Jinja or non-standard SQL)
   - Non-SQL files
 """
 
@@ -15,7 +15,7 @@
 import re
 from typing import Any
 
-from altimate_engine.sql.analyzer import analyze_sql
+from altimate_engine.sql.guard import guard_lint
 
 
 # Jinja pattern: {{ ... }} or {% ... %} or {# ... #}
@@ -119,19 +119,19 @@ def scan_files(
         file_issues: list[dict[str, Any]] = []
 
         for stmt in statements:
-            # Run analyzer
-            analysis = analyze_sql(stmt, dialect)
-            if not analysis.get("success", True):
+            # Run lint analysis
+            lint_result = guard_lint(stmt)
+            if lint_result.get("error"):
                 # Parse error — skip this statement (likely incomplete SQL)
                 continue
 
-            for issue in analysis.get("issues", []):
-                severity = issue.get("severity", "warning")
+            for finding in lint_result.get("findings", lint_result.get("issues", [])):
+                severity = finding.get("severity", "warning")
                 file_issues.append({
-                    "type": issue.get("type", "UNKNOWN"),
+                    "type": finding.get("rule", finding.get("type", "UNKNOWN")),
                     "severity": severity,
-                    "message": issue.get("message", ""),
-                    "source": "analyzer",
+                    "message": finding.get("message", ""),
+                    "source": "lint",
                 })
                 total_issues += 1
                 if severity in ("error", "critical"):

packages/altimate-engine/src/altimate_engine/connections.py

@@ -6,6 +6,17 @@
 from typing import Any
 
 from altimate_engine.connectors.base import Connector
+from altimate_engine.credential_store import resolve_config
+from altimate_engine.ssh_tunnel import start, stop
+
+SSH_FIELDS = {
+    "ssh_host",
+    "ssh_port",
+    "ssh_user",
+    "ssh_auth_type",
+    "ssh_key_path",
+    "ssh_password",
+}
 
 
 class ConnectionRegistry:
@@ -44,7 +55,33 @@ def get(cls, name: str) -> Connector:
         if name not in cls._connections:
             raise ValueError(f"Connection '{name}' not found in registry")
 
-        config = cls._connections[name]
+        config = dict(cls._connections[name])
+        config = resolve_config(name, config)
+
+        ssh_host = config.get("ssh_host")
+        if ssh_host:
+            if config.get("connection_string"):
+                raise ValueError(
+                    "SSH tunneling requires explicit host/port — "
+                    "cannot be used with connection_string"
+                )
+            ssh_config = {
+                k: config.pop(k) for k in list(config.keys()) if k in SSH_FIELDS
+            }
+            local_port = start(
+                name=name,
+                ssh_host=ssh_config.get("ssh_host", ""),
+                remote_host=config.get("host", "localhost"),
+                remote_port=config.get("port", 5432),
+                ssh_port=ssh_config.get("ssh_port", 22),
+                ssh_user=ssh_config.get("ssh_user"),
+                ssh_auth_type=ssh_config.get("ssh_auth_type", "key"),
+                ssh_key_path=ssh_config.get("ssh_key_path"),
+                ssh_password=ssh_config.get("ssh_password"),
+            )
+            config["host"] = "127.0.0.1"
+            config["port"] = local_port
+
         dialect = config.get("type", "duckdb")
 
         if dialect == "duckdb":
@@ -219,3 +256,26 @@ def test(cls, name: str) -> dict[str, Any]:
             return {"connected": True, "error": None}
         except Exception as e:
             return {"connected": False, "error": str(e)}
+        finally:
+            stop(name)
+
+    @classmethod
+    def add(cls, name: str, config: dict[str, Any]) -> dict[str, Any]:
+        from altimate_engine.credential_store import save_connection
+
+        result = save_connection(name, config)
+        cls._loaded = False
+        return result
+
+    @classmethod
+    def remove(cls, name: str) -> bool:
+        from altimate_engine.credential_store import remove_connection
+
+        result = remove_connection(name)
+        cls._loaded = False
+        return result
+
+    @classmethod
+    def reload(cls) -> None:
+        cls._loaded = False
+        cls._connections.clear()