feat(snowflake): add Snowflake loader with key-pair auth and security hardening

Snowflake database loader:
- Full schema extraction (tables, columns, PKs, FKs, relationships)
- Key-pair authentication support (bypasses MFA)
- SHOW PRIMARY KEYS / SHOW IMPORTED KEYS for constraint discovery
- Identifier validation and parameterized queries for SQL injection prevention
- Connection timeouts (login: 30s, network: 60s)

Frontend:
- Snowflake option in DatabaseModal with manual/URL entry modes
- Key-pair auth UI (password/keypair toggle with PEM textarea)
- Custom API key/model passed through ChatService to backend

Security:
- @token_required on /validate-api-key endpoint
- Vendor-specific API key format validation
- Narrowed vendor allowlist for key validation
- Upgraded fastmcp 3.0.1→3.2.0, litellm→1.83+, aiohttp→3.13.5

Other fixes:
- load_dotenv() in config.py for reliable env loading
- Memory gracefully disabled for non-Azure/OpenAI providers
- Null-safe LLM description generation
- Anthropic config fails fast without embeddings
- python-dotenv as explicit dependency

Tests: 39 tests (20 Snowflake loader + 19 settings route)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: galshubeli

api/app_factory.py

@@ -5,7 +5,6 @@
 import os
 import secrets
 
-from dotenv import load_dotenv
 from fastapi import FastAPI, Request, HTTPException
 from fastapi.responses import RedirectResponse, JSONResponse, FileResponse
 from fastapi.staticfiles import StaticFiles
@@ -23,9 +22,6 @@
 from api.routes.database import database_router
 from api.routes.tokens import tokens_router
 from api.routes.settings import settings_router
-
-# Load environment variables from .env file
-load_dotenv()
 logging.basicConfig(
     level=logging.INFO, format="%(asctime)s - %(levelname)s - %(message)s"
 )
@@ -61,17 +57,14 @@ def _is_secure_request(request: Request) -> bool:
     """Determine if the request is over HTTPS."""
     forwarded_proto = request.headers.get("x-forwarded-proto")
     if forwarded_proto:
-        # Normalize: proxies may send comma-separated or mixed-case values
-        first_proto = forwarded_proto.split(",")[0].strip().lower()
-        return first_proto == "https"
+        return forwarded_proto == "https"
     return request.url.scheme == "https"
 
 
 class CSRFMiddleware(BaseHTTPMiddleware):  # pylint: disable=too-few-public-methods
     """Double Submit Cookie CSRF protection.
 
-    Ensures a csrf_token cookie (readable by JS) exists, setting it
-    on the response if the incoming request does not already carry one.
+    Sets a csrf_token cookie (readable by JS) on every response.
     State-changing requests must echo the cookie value back
     via the X-CSRF-Token header.  Bearer-token authenticated
     requests and auth/login endpoints are exempt.
@@ -136,7 +129,7 @@ def _ensure_csrf_cookie(self, request: Request, response):
 def create_app():  # pylint: disable=too-many-statements
     """Create and configure the FastAPI application."""
 
-    # Create the FastAPI app instance with original routes
+    # Create the FastAPI app instance just to set the o routes
     # Will be merged with MCP app later if MCP is enabled
     app = FastAPI(
         title="QueryWeaver"

api/config.py

@@ -7,8 +7,13 @@
 import logging
 import dataclasses
 from typing import Union
+
+from dotenv import load_dotenv
 from litellm import embedding
 
+# Ensure .env is loaded before Config reads os.getenv() at class definition time
+load_dotenv()
+
 # Configure litellm logging to prevent sensitive data leakage
 def configure_litellm_logging():
     """Configure litellm to suppress completion logs."""
@@ -64,6 +69,9 @@ def _with_prefix(model: str, provider: str) -> str:
     return prefix + model.removeprefix(prefix)
 
 
+SUPPORTED_VENDORS = ("openai", "anthropic", "gemini", "azure", "ollama", "cohere")
+
+
 @dataclasses.dataclass
 class Config:
     """
@@ -103,7 +111,7 @@ class Config:
             EMBEDDING_MODEL_NAME = "voyage/voyage-3"
         else:
             raise ValueError(
-                "Anthropic has no native embeddings. "
+                "ANTHROPIC_API_KEY is set, but Anthropic has no native embeddings. "
                 "Set EMBEDDING_MODEL or VOYAGE_API_KEY for embeddings."
             )
     elif os.getenv("COHERE_API_KEY"):

api/core/schema_loader.py

@@ -13,6 +13,7 @@
 from api.loaders.base_loader import BaseLoader
 from api.loaders.postgres_loader import PostgresLoader
 from api.loaders.mysql_loader import MySQLLoader
+from api.loaders.snowflake_loader import SnowflakeLoader
 
 # Use the same delimiter as in the JavaScript frontend for streaming chunks
 MESSAGE_DELIMITER = "|||FALKORDB_MESSAGE_BOUNDARY|||"
@@ -44,6 +45,9 @@ def _step_detect_db_type(steps_counter: int, url: str) -> tuple[type[BaseLoader]
     elif url.startswith("mysql://"):
         db_type = "mysql"
         loader = MySQLLoader
+    elif url.startswith("snowflake://"):
+        db_type = "snowflake"
+        loader = SnowflakeLoader
     else:
         raise InvalidArgumentError("Invalid database URL format")
 

api/core/text2sql.py

@@ -15,10 +15,12 @@
 from api.agents import AnalysisAgent, RelevancyAgent, ResponseFormatterAgent, FollowUpAgent
 from api.agents.healer_agent import HealerAgent
 from api.config import Config
+from api.config import SUPPORTED_VENDORS
 from api.extensions import db
 from api.graph import find, get_db_description, get_user_rules
 from api.loaders.postgres_loader import PostgresLoader
 from api.loaders.mysql_loader import MySQLLoader
+from api.loaders.snowflake_loader import SnowflakeLoader
 from api.memory.graphiti_tool import MemoryTool
 from api.sql_utils import SQLIdentifierQuoter, DatabaseSpecificQuoter
 
@@ -83,6 +85,8 @@ def get_database_type_and_loader(db_url: str):
         return 'postgresql', PostgresLoader
     if db_url_lower.startswith('mysql://'):
         return 'mysql', MySQLLoader
+    if db_url_lower.startswith('snowflake://'):
+        return 'snowflake', SnowflakeLoader
 
     # Default to PostgresLoader for backward compatibility
     return 'postgresql', PostgresLoader
@@ -257,20 +261,28 @@ async def generate():  # pylint: disable=too-many-locals,too-many-branches,too-m
         custom_model = chat_data.custom_model
 
         # Validate custom model format (vendor/model)
-        supported_vendors = ("openai", "anthropic", "gemini", "azure", "ollama", "cohere")
         if custom_model:
             parts = custom_model.split("/", 1)
             if len(parts) != 2 or not parts[0] or not parts[1]:
                 raise InvalidArgumentError(
                     "Invalid model format. Expected 'vendor/model' (e.g. 'openai/gpt-4.1')"
                 )
-            if parts[0] not in supported_vendors:
+            if parts[0] not in SUPPORTED_VENDORS:
                 raise InvalidArgumentError(
-                    f"Unsupported vendor '{parts[0]}'. Supported: {', '.join(supported_vendors)}"
+                    f"Unsupported vendor '{parts[0]}'. Supported: {', '.join(SUPPORTED_VENDORS)}"
                 )
 
-        if custom_api_key is not None and len(custom_api_key.strip()) < 10:
-            raise InvalidArgumentError("API key is too short")
+        if custom_api_key is not None:
+            key = custom_api_key.strip()
+            if len(key) < 10:
+                raise InvalidArgumentError("API key is too short")
+            # Validate key format for known vendors
+            if custom_model:
+                vendor = custom_model.split("/", 1)[0]
+                if vendor == "openai" and not key.startswith("sk-"):
+                    raise InvalidArgumentError("Invalid OpenAI API key format (expected 'sk-' prefix)")
+                if vendor == "anthropic" and not key.startswith("sk-ant-"):
+                    raise InvalidArgumentError("Invalid Anthropic API key format (expected 'sk-ant-' prefix)")
 
         agent_rel = RelevancyAgent(queries_history, result_history, custom_api_key, custom_model)
         agent_an = AnalysisAgent(queries_history, result_history, custom_api_key, custom_model)

api/index.py

@@ -1,6 +1,10 @@
 """Main entry point for the text2sql API."""
 
-from api.app_factory import create_app
+# Load .env before any app imports that read os.getenv at module level
+from dotenv import load_dotenv
+load_dotenv()
+
+from api.app_factory import create_app  # pylint: disable=wrong-import-position
 
 app = create_app()