Add SQL identifier validation, fix any types, and add tests for database nodes

Add validateIdentifier() to prevent SQL injection via table/column name
interpolation. Replace all `any` casts with proper types across database
nodes. Alphabetize registry registrations, mark query node count output
as hidden for consistency. Add test files for all 16 database nodes and
full coverage for database-table utility functions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: bchapuis

apps/api/src/runtime/cloudflare-node-registry.ts

@@ -65,14 +65,18 @@ import { CsvFilterRowsNode } from "@dafthunk/runtime/nodes/csv/csv-filter-rows-n
 import { CsvParseNode } from "@dafthunk/runtime/nodes/csv/csv-parse-node";
 import { CsvStringifyNode } from "@dafthunk/runtime/nodes/csv/csv-stringify-node";
 import { DatabaseCreateTableNode } from "@dafthunk/runtime/nodes/database/database-create-table-node";
+import { DatabaseDeleteRowNode } from "@dafthunk/runtime/nodes/database/database-delete-row-node";
 import { DatabaseDescribeTableNode } from "@dafthunk/runtime/nodes/database/database-describe-table-node";
 import { DatabaseDropTableNode } from "@dafthunk/runtime/nodes/database/database-drop-table-node";
 import { DatabaseExecuteNode } from "@dafthunk/runtime/nodes/database/database-execute-node";
 import { DatabaseExportTableNode } from "@dafthunk/runtime/nodes/database/database-export-table-node";
 import { DatabaseGetRowCountNode } from "@dafthunk/runtime/nodes/database/database-get-row-count-node";
+import { DatabaseGetRowNode } from "@dafthunk/runtime/nodes/database/database-get-row-node";
 import { DatabaseImportTableNode } from "@dafthunk/runtime/nodes/database/database-import-table-node";
 import { DatabaseListTablesNode } from "@dafthunk/runtime/nodes/database/database-list-tables-node";
+import { DatabasePutRowNode } from "@dafthunk/runtime/nodes/database/database-put-row-node";
 import { DatabaseQueryNode } from "@dafthunk/runtime/nodes/database/database-query-node";
+import { DatabaseRowExistsNode } from "@dafthunk/runtime/nodes/database/database-row-exists-node";
 import { DatabaseTableExistsNode } from "@dafthunk/runtime/nodes/database/database-table-exists-node";
 import { DatabaseTruncateTableNode } from "@dafthunk/runtime/nodes/database/database-truncate-table-node";
 import { ParquetQueryNode } from "@dafthunk/runtime/nodes/database/parquet-query-node";
@@ -511,16 +515,20 @@ export class CloudflareNodeRegistry extends BaseNodeRegistry<Bindings> {
     this.registerImplementation(SendQueueMessageNode);
     this.registerImplementation(SendQueueBatchNode);
     this.registerImplementation(ReceiveQueueMessageNode);
-    this.registerImplementation(DatabaseQueryNode);
-    this.registerImplementation(DatabaseExecuteNode);
     this.registerImplementation(DatabaseCreateTableNode);
-    this.registerImplementation(DatabaseImportTableNode);
-    this.registerImplementation(DatabaseExportTableNode);
+    this.registerImplementation(DatabaseDeleteRowNode);
     this.registerImplementation(DatabaseDescribeTableNode);
-    this.registerImplementation(DatabaseListTablesNode);
     this.registerImplementation(DatabaseDropTableNode);
-    this.registerImplementation(DatabaseTableExistsNode);
+    this.registerImplementation(DatabaseExecuteNode);
+    this.registerImplementation(DatabaseExportTableNode);
     this.registerImplementation(DatabaseGetRowCountNode);
+    this.registerImplementation(DatabaseGetRowNode);
+    this.registerImplementation(DatabaseImportTableNode);
+    this.registerImplementation(DatabaseListTablesNode);
+    this.registerImplementation(DatabasePutRowNode);
+    this.registerImplementation(DatabaseQueryNode);
+    this.registerImplementation(DatabaseRowExistsNode);
+    this.registerImplementation(DatabaseTableExistsNode);
     this.registerImplementation(DatabaseTruncateTableNode);
     this.registerImplementation(ParquetQueryNode);
     this.registerImplementation(ReceiveEmailNode);

packages/runtime/src/nodes/database/database-create-table-node.test.ts

@@ -0,0 +1,205 @@
+import type { Node, Schema } from "@dafthunk/types";
+import { describe, expect, it, vi } from "vitest";
+import type { NodeContext } from "../../node-types";
+import { DatabaseCreateTableNode } from "./database-create-table-node";
+
+const testSchema: Schema = {
+  name: "users",
+  fields: [
+    { name: "id", type: "integer", primaryKey: true },
+    { name: "name", type: "string" },
+    { name: "email", type: "string" },
+  ],
+};
+
+function createMockConnection() {
+  return {
+    query: vi.fn().mockResolvedValue({ results: [] }),
+    execute: vi.fn().mockResolvedValue({
+      results: [],
+      meta: { rowsAffected: 0 },
+    }),
+  };
+}
+
+function createContext(
+  inputs: Record<string, unknown>,
+  connection?: ReturnType<typeof createMockConnection>
+): NodeContext {
+  return {
+    nodeId: "database-create-table",
+    workflowId: "test-workflow",
+    organizationId: "test-org",
+    inputs,
+    getIntegration: async () => {
+      throw new Error("No integrations in test");
+    },
+    env: {},
+    databaseService: connection
+      ? { resolve: vi.fn().mockResolvedValue(connection) }
+      : undefined,
+  } as unknown as NodeContext;
+}
+
+describe("DatabaseCreateTableNode", () => {
+  const createNode = () =>
+    new DatabaseCreateTableNode({
+      nodeId: "database-create-table",
+    } as unknown as Node);
+
+  it("should create a table when it does not exist", async () => {
+    const connection = createMockConnection();
+    connection.query.mockResolvedValue({ results: [] });
+    const node = createNode();
+    const result = await node.execute(
+      createContext({ database: "db-1", schema: testSchema }, connection)
+    );
+
+    expect(result.status).toBe("completed");
+    expect(result.outputs?.created).toBe(true);
+    expect(connection.query).toHaveBeenCalled();
+    expect(connection.execute).toHaveBeenCalled();
+  });
+
+  it("should return created=false when table already exists", async () => {
+    const connection = createMockConnection();
+    connection.query.mockResolvedValue({
+      results: [{ name: "users" }],
+    });
+    const node = createNode();
+    const result = await node.execute(
+      createContext({ database: "db-1", schema: testSchema }, connection)
+    );
+
+    expect(result.status).toBe("completed");
+    expect(result.outputs?.created).toBe(false);
+    expect(connection.execute).not.toHaveBeenCalled();
+  });
+
+  it("should return error for missing database", async () => {
+    const node = createNode();
+    const result = await node.execute(createContext({ schema: testSchema }));
+
+    expect(result.status).toBe("error");
+    expect(result.error).toContain("'database' is a required input");
+  });
+
+  it("should return error for missing schema", async () => {
+    const node = createNode();
+    const connection = createMockConnection();
+    const result = await node.execute(
+      createContext({ database: "db-1" }, connection)
+    );
+
+    expect(result.status).toBe("error");
+    expect(result.error).toContain("'schema' is a required input");
+  });
+
+  it("should return error for schema without name", async () => {
+    const node = createNode();
+    const connection = createMockConnection();
+    const result = await node.execute(
+      createContext(
+        {
+          database: "db-1",
+          schema: {
+            fields: [{ name: "id", type: "integer" }],
+          },
+        },
+        connection
+      )
+    );
+
+    expect(result.status).toBe("error");
+    expect(result.error).toContain("Invalid schema");
+  });
+
+  it("should return error for schema without fields", async () => {
+    const node = createNode();
+    const connection = createMockConnection();
+    const result = await node.execute(
+      createContext(
+        {
+          database: "db-1",
+          schema: { name: "test" },
+        },
+        connection
+      )
+    );
+
+    expect(result.status).toBe("error");
+    expect(result.error).toContain("Invalid schema");
+  });
+
+  it("should return error for schema with empty fields array", async () => {
+    const node = createNode();
+    const connection = createMockConnection();
+    const result = await node.execute(
+      createContext(
+        {
+          database: "db-1",
+          schema: { name: "test", fields: [] },
+        },
+        connection
+      )
+    );
+
+    expect(result.status).toBe("error");
+    expect(result.error).toContain("'fields' array cannot be empty");
+  });
+
+  it("should return error when database service is not available", async () => {
+    const node = createNode();
+    const result = await node.execute(
+      createContext({ database: "db-1", schema: testSchema })
+    );
+
+    expect(result.status).toBe("error");
+    expect(result.error).toContain("Database service not available");
+  });
+
+  it("should return error when database is not found", async () => {
+    const node = createNode();
+    const context = {
+      nodeId: "database-create-table",
+      workflowId: "test-workflow",
+      organizationId: "test-org",
+      inputs: { database: "db-1", schema: testSchema },
+      getIntegration: async () => {
+        throw new Error("No integrations in test");
+      },
+      env: {},
+      databaseService: { resolve: vi.fn().mockResolvedValue(null) },
+    } as unknown as NodeContext;
+
+    const result = await node.execute(context);
+
+    expect(result.status).toBe("error");
+    expect(result.error).toContain("not found or does not belong");
+  });
+
+  it("should return error when execute throws", async () => {
+    const connection = createMockConnection();
+    connection.query.mockResolvedValue({ results: [] });
+    connection.execute.mockRejectedValue(new Error("disk full"));
+    const node = createNode();
+    const result = await node.execute(
+      createContext({ database: "db-1", schema: testSchema }, connection)
+    );
+
+    expect(result.status).toBe("error");
+    expect(result.error).toContain("disk full");
+  });
+
+  it("should return error when query throws during table check", async () => {
+    const connection = createMockConnection();
+    connection.query.mockRejectedValue(new Error("connection lost"));
+    const node = createNode();
+    const result = await node.execute(
+      createContext({ database: "db-1", schema: testSchema }, connection)
+    );
+
+    expect(result.status).toBe("error");
+    expect(result.error).toContain("connection lost");
+  });
+});

packages/runtime/src/nodes/database/database-create-table-node.ts

@@ -18,7 +18,7 @@ export class DatabaseCreateTableNode extends ExecutableNode {
     asTool: true,
     inputs: [
       {
-        name: "databaseId",
+        name: "database",
         type: "database",
         description: "Database ID.",
         required: true,
@@ -42,10 +42,10 @@ export class DatabaseCreateTableNode extends ExecutableNode {
   };
 
   async execute(context: NodeContext): Promise<NodeExecution> {
-    const { databaseId, schema: schemaInput } = context.inputs;
+    const { database, schema: schemaInput } = context.inputs;
 
-    if (!databaseId) {
-      return this.createErrorResult("'databaseId' is a required input.");
+    if (!database) {
+      return this.createErrorResult("'database' is a required input.");
     }
 
     if (!schemaInput) {
@@ -71,13 +71,13 @@ export class DatabaseCreateTableNode extends ExecutableNode {
       }
 
       const connection = await context.databaseService.resolve(
-        databaseId,
+        database,
         context.organizationId
       );
 
       if (!connection) {
         return this.createErrorResult(
-          `Database '${databaseId}' not found or does not belong to your organization.`
+          `Database '${database}' not found or does not belong to your organization.`
         );
       }