Skip to content

Commit 5f9e3f1

Browse files
devopamclaude
andauthored
refactor(sql): swing consumers to mcpg.sql, delete the vendored kernel (18.1, PR 2) (#260)
* refactor(sql): swing all consumers to mcpg.sql, delete the vendored kernel (18.1, PR2) The de-vendor swing: - Rewrote all ~74 'from mcpg._vendor.sql import ...' -> 'from mcpg.sql import ...' across src + tests (SqlDriver / SafeSqlDriver / DbConnPool / obfuscate_password are the stable seam; behaviour unchanged, tool snapshots unchanged). - Deleted src/mcpg/_vendor/ and tests/vendor/ wholesale, plus the temporary differential parity harness (its job — 0 divergence — is done). - Removed all 5 _vendor quality-gate carve-outs in pyproject.toml: the SQL kernel is now inside coverage (90% gate), mypy --strict, ruff, and bandit like every other module. - Regenerated the architecture.md module map (drops mcpg._vendor, adds mcpg.sql.{allowlist,driver,safety}); fixed generate_doc_tables.py to stop hardcoding the deleted _vendor row; rewrote the architecture + CLAUDE.md 'SQL-safety kernel' sections to first-party. Full unit + contract suite: 2754 pass. ruff + mypy --strict clean across 106 source files. git grep mcpg._vendor -> nothing. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_0122yLZLJ8t4W43sdN6BmTZc * docs(sql): ADR-0007 + de-vendor doc updates + flip roadmap 18.1 (PR2) - New ADR-0007 (first-party SQL kernel) superseding ADR-0001; ADR-0001 marked superseded with a banner. - NOTICE rewritten: kernel is first-party, re-authored from crystaldba (MIT) — attribution kept as design lineage, not a vendored copy. - SECURITY.md: the SQL-safety kernel is now in-scope MCPg code (removed the _vendor exclusion + the 'goes upstream to crystaldba' out-of-scope item). - README license note, adding-tools import example, release-process license-files example: point at the first-party paths. - feature-shortlist 18.1 -> ✅ Shipped. - CHANGELOG [Unreleased]: de-vendor entry. Left as historical record (accurate for their time): PROGRESS.md build log, ADR-0002/0003, and the crystaldba competitor row in comparison-matrix. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_0122yLZLJ8t4W43sdN6BmTZc --------- Co-authored-by: Claude <noreply@anthropic.com>
1 parent 1d20639 commit 5f9e3f1

118 files changed

Lines changed: 277 additions & 4219 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

CHANGELOG.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,22 @@ adheres to [Semantic Versioning](https://semver.org/).
66

77
## [Unreleased]
88

9+
### Changed
10+
11+
- **De-vendored the SQL-safety kernel (roadmap 18.1).** The formerly-vendored
12+
`crystaldba/postgres-mcp` `sql/` subpackage (`src/mcpg/_vendor/`) is
13+
replaced by a first-party `src/mcpg/sql/` package — `allowlist.py` (the
14+
permitted statement/node/function/extension policy, as data), `safety.py`
15+
(`SafeSqlDriver`, the `pglast` allowlist validator), and `driver.py`
16+
(`SqlDriver` / `DbConnPool` / `obfuscate_password`). Behaviour is
17+
**identical** (proven by a differential parity harness — 0 divergence —
18+
plus the ported 760-LOC adversarial suite, a fuzz pass, and a
19+
`/security-review` with no findings); the public seam is unchanged, so no
20+
tool signatures moved. The kernel is now inside the coverage gate,
21+
`mypy --strict`, `ruff`, and `bandit` (the vendored code was excluded from
22+
all four). MCPg now ships no vendored runtime code. Supersedes ADR-0001
23+
with ADR-0007.
24+
925
### Added
1026

1127
- **Three more built-in NL→SQL providers (19 → 22).** `translate_nl_to_sql`

CLAUDE.md

Lines changed: 20 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -48,16 +48,27 @@ a read-only HF Spaces demo.
4848
`GITHUB_TOKEN`, `DEEPINFRA_TOKEN`). The provider table in
4949
`docs/user-guide.md` mirrors it.
5050

51-
## The vendored SQL-safety kernel
51+
## The SQL-safety kernel (first-party)
5252

53-
`src/mcpg/_vendor/sql/` is copied near-verbatim from
54-
[`crystaldba/postgres-mcp`](https://github.com/crystaldba/postgres-mcp)
55-
(MIT, pinned commit `07eb329`; see ADR-0001 and
56-
`src/mcpg/_vendor/README.md`): the `pglast` allowlist validator
57-
(`safe_sql.py`), async pool/driver (`sql_driver.py`), param binding.
58-
It's excluded from the coverage gate and `mypy --strict`; its own
59-
adversarial tests live in `tests/vendor/sql/`. **Never hand-edit**
60-
local mods are tracked in the vendor README and re-applied on re-sync.
53+
`src/mcpg/sql/` is MCPg's own SQL-safety kernel (roadmap 18.1 de-vendored
54+
the former `crystaldba/postgres-mcp` copy; see ADR-0007, which supersedes
55+
ADR-0001). Three modules, policy separated from mechanism:
56+
57+
- `sql/allowlist.py` — the SQL-safety **policy as data**: permitted
58+
statement / `pglast` AST node / function / extension sets. The single
59+
auditable decision surface.
60+
- `sql/safety.py``SafeSqlDriver`: the `pglast` parse + AST-walker +
61+
read-only execute path. Reads policy from `allowlist.py`; can't widen it.
62+
- `sql/driver.py``SqlDriver` / `DbConnPool` / `obfuscate_password`
63+
(pool + execution + credential redaction; no policy).
64+
65+
Exports `SqlDriver`, `SafeSqlDriver`, `DbConnPool`, `obfuscate_password`
66+
(the seam ~74 `mcpg.*` modules depend on). Fully inside the coverage gate
67+
+ `mypy --strict` + `ruff` + `bandit` like the rest of `mcpg`. Adversarial
68+
+ fuzz tests: `tests/unit/test_sql_kernel_*.py`. Changing the allowlist is
69+
a **security-sensitive** edit — run the adversarial suite and treat the
70+
`docs/reviews/devendor-sql-kernel-security-review.md` threat model as the
71+
bar.
6172

6273
## Workflow conventions
6374

NOTICE

Lines changed: 13 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -6,19 +6,20 @@ the repository root for the full text. (Relicensed from AGPL-3.0-or-later
66
in v0.5.x.)
77

88
------------------------------------------------------------------------
9-
Third-party vendored code
9+
Attribution — SQL-safety kernel lineage
1010
------------------------------------------------------------------------
1111

12-
This product includes software developed by Crystal Corp.
12+
MCPg's SQL-safety kernel (`src/mcpg/sql/`) is first-party code, but it was
13+
re-authored from — and its allowlist policy derives from — the MIT-licensed
14+
`sql/` subpackage of:
1315

14-
Component : PostgreSQL SQL-safety kernel (the `sql/` subpackage)
15-
Location : src/mcpg/_vendor/sql/
16-
Source : https://github.com/crystaldba/postgres-mcp
17-
Commit : 07eb329c8c48e49640e0d1b5b35465d4d024c3ee
18-
License : MIT License, Copyright (c) 2025, Crystal Corp.
19-
See src/mcpg/_vendor/LICENSE for the full license text.
16+
Project : crystaldba/postgres-mcp ("Postgres MCP Pro")
17+
Source : https://github.com/crystaldba/postgres-mcp
18+
Origin : commit 07eb329c8c48e49640e0d1b5b35465d4d024c3ee (Jan 2026)
19+
License : MIT License, Copyright (c) 2025, Crystal Corp.
2020

21-
The MIT-licensed code above is incorporated under the terms of the MIT
22-
License; both this project and the vendored kernel are now MIT-licensed.
23-
See src/mcpg/_vendor/README.md for provenance details and the re-sync
24-
procedure.
21+
The original kernel was vendored under src/mcpg/_vendor/sql/ from v0.x
22+
until roadmap 18.1 replaced it with the first-party implementation (see
23+
docs/adr/0007-first-party-sql-kernel.md, which supersedes ADR-0001). This
24+
attribution acknowledges that MIT-licensed lineage; MCPg itself remains
25+
MIT-licensed.

README.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -590,9 +590,9 @@ checklist.
590590
591591
## License
592592
593-
MIT — see [`LICENSE`](https://github.com/devopam/MCPg/blob/main/LICENSE). The vendored SQL-safety kernel at
594-
`src/mcpg/_vendor/sql/` is also MIT-licensed; see [`NOTICE`](https://github.com/devopam/MCPg/blob/main/NOTICE)
595-
for provenance.
593+
MIT — see [`LICENSE`](https://github.com/devopam/MCPg/blob/main/LICENSE). The SQL-safety kernel
594+
(`src/mcpg/sql/`) is first-party, re-authored from the MIT-licensed
595+
`crystaldba/postgres-mcp`; see [`NOTICE`](https://github.com/devopam/MCPg/blob/main/NOTICE) for the lineage.
596596
597597
### Wrapped extensions — licenses you should know about
598598

SECURITY.md

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,8 @@ release notes unless they prefer otherwise.
3434

3535
**In scope:**
3636

37-
- The MCPg server code under `src/mcpg/` (excluding `src/mcpg/_vendor/`)
37+
- The MCPg server code under `src/mcpg/` — including the first-party
38+
SQL-safety kernel `src/mcpg/sql/` (the `pglast` allowlist validator)
3839
- Authentication & authorisation paths (bearer-token, OIDC,
3940
multi-tenancy `SET LOCAL ROLE`)
4041
- The capability gates that restrict tool surfaces by access mode
@@ -45,9 +46,6 @@ release notes unless they prefer otherwise.
4546
**Out of scope:**
4647

4748
- Vulnerabilities in PostgreSQL itself
48-
- Vulnerabilities in the vendored SQL-safety kernel at
49-
`src/mcpg/_vendor/sql/` — those go upstream to
50-
`crystaldba/postgres-mcp`
5149
- Issues that require an attacker to already have `unrestricted`
5250
access mode AND `MCPG_ALLOW_DDL=true` (that combination is
5351
by-design root access)

docs/adr/0001-build-approach.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,13 @@
11
# ADR-0001: Build approach — adopt `crystaldba/postgres-mcp` as a hard-forked base
22

3-
- **Status:** accepted
3+
- **Status:** superseded by [ADR-0007](0007-first-party-sql-kernel.md) (2026-07-08)
44
- **Date:** 2026-05-20
55

6+
> **Superseded.** The vendored SQL-safety kernel this ADR introduced was
7+
> replaced by a first-party implementation in roadmap 18.1 — see
8+
> [ADR-0007](0007-first-party-sql-kernel.md). The historical rationale
9+
> below is retained as the record of the original decision.
10+
611
## Context
712

813
The official `@modelcontextprotocol/server-postgres` is deprecated and archived
Lines changed: 81 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,81 @@
1+
# ADR-0007: First-party SQL-safety kernel (de-vendor `crystaldba/postgres-mcp`)
2+
3+
- **Status:** accepted
4+
- **Date:** 2026-07-08
5+
- **Supersedes:** [ADR-0001](0001-build-approach.md) (the hard-fork / vendor decision)
6+
7+
## Context
8+
9+
[ADR-0001](0001-build-approach.md) chose to hard-fork MCPg from
10+
`crystaldba/postgres-mcp` and **vendor** its `sql/` subpackage — the
11+
`pglast`-AST SQL-safety allowlist validator plus the async connection
12+
pool / driver — near-verbatim under `src/mcpg/_vendor/sql/` (MIT, pinned
13+
commit `07eb329`). That was the right call to ship fast, but it left two
14+
standing costs:
15+
16+
1. **~1.3k lines of security-critical code outside every quality gate.**
17+
The vendored kernel — including the SQL allowlist itself — was excluded
18+
from the coverage gate, `mypy --strict`, `ruff`, and `bandit`
19+
(`pyproject.toml` carve-outs).
20+
2. **Manual re-syncs.** Upstream changes had to be re-applied by hand with
21+
local modifications tracked in a vendor README.
22+
23+
It was also the last third-party runtime *code* MCPg shipped. Roadmap 18.1
24+
set out to own it.
25+
26+
## Decision
27+
28+
Replace the vendored kernel with a **first-party** `src/mcpg/sql/` package,
29+
re-authored from the MIT-licensed original (attribution retained in
30+
`NOTICE`). Recon showed three of the vendored modules (`bind_params.py`,
31+
`extension_utils.py`, `index.py`) had no consumer outside `_vendor/`, so
32+
they were **deleted, not rebuilt**. The kernel is re-architected to
33+
**separate policy from mechanism**:
34+
35+
- `sql/allowlist.py` — the permitted statement / AST-node / function /
36+
extension sets, as **data** (the single auditable decision surface).
37+
- `sql/safety.py``SafeSqlDriver`: the `pglast` parse + AST-walker +
38+
read-only execute path. Reads policy from `allowlist.py`; cannot widen it.
39+
- `sql/driver.py``SqlDriver` / `DbConnPool` / `obfuscate_password`
40+
(pool + execution + credential redaction; no policy).
41+
42+
The public seam (`SqlDriver`, `SafeSqlDriver`, `DbConnPool`,
43+
`obfuscate_password`) is unchanged, so the ~74 consuming modules only
44+
changed an import path.
45+
46+
**Faithful re-author, not a redesign.** The security *behaviour* is pinned
47+
identical to the vendored validator:
48+
49+
- A **differential parity harness** ran a safe/unsafe/malformed corpus
50+
through both validators — **0 divergence**.
51+
- The 760-LOC adversarial suite (ported) passes 100% against `mcpg.sql`.
52+
- A **fuzz pass** confirms the validator only ever returns a clean verdict
53+
(accept / `ValueError`) — never a crash / hang — on adversarial input.
54+
- A dedicated security-review gate (allowlist audit, `/security-review`,
55+
threat model) passed — see
56+
[`../reviews/devendor-sql-kernel-security-review.md`](../reviews/devendor-sql-kernel-security-review.md).
57+
58+
## Consequences
59+
60+
- The SQL-safety kernel is now inside the coverage gate (90%),
61+
`mypy --strict`, `ruff`, and `bandit` — a net security improvement over
62+
the vendored state.
63+
- `src/mcpg/_vendor/` and `tests/vendor/` are deleted; the five
64+
`pyproject.toml` `_vendor` carve-outs are removed; the module map and
65+
docs (`architecture.md`, `CLAUDE.md`, `SECURITY.md`, `NOTICE`) are
66+
first-party.
67+
- MCPg ships **no vendored runtime code**. (`pglast`, `psycopg`, and
68+
`psycopg-pool` remain upstream *library* dependencies — not vendored
69+
source.)
70+
- Attribution to `crystaldba/postgres-mcp` (MIT) is retained in `NOTICE`
71+
as the design lineage; the in-query `/* crystaldba */` marker is kept
72+
for now (a cosmetic rename is a possible follow-up).
73+
74+
## Alternatives considered
75+
76+
- **Keep vendoring.** Rejected — perpetuates the gate carve-outs and the
77+
manual re-sync burden; ADR-0001's "ship fast" rationale no longer applies.
78+
- **Redesign the validator (stricter/simpler allowlist).** Deferred — a
79+
behaviour change would need its own threat model + review. This ADR is a
80+
faithful re-author; any policy tightening is a separate, reviewed change
81+
(see the pre-existing observations in the security-review note).

docs/architecture.md

Lines changed: 26 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ flowchart TD
5151
runs the SQL and maps rows to typed dataclasses.
5252
4. The driver stack decides exactly which pool the SQL hits:
5353
- **SafeSqlDriver** — agent-supplied SQL is parsed and
54-
allowlisted via the vendored kernel before execution.
54+
allowlisted via `mcpg.sql` (the first-party kernel) before execution.
5555
- **RoutedSqlDriver** — when `MCPG_REPLICA_URLS` is set,
5656
`force_readonly=True` queries round-robin across healthy
5757
replicas; writes always go to the primary.
@@ -64,7 +64,7 @@ flowchart TD
6464
---
6565

6666
<!-- BEGIN generated: module-map (python tools/generate_doc_tables.py --modules) -->
67-
## Module map (104 modules)
67+
## Module map (103 modules)
6868

6969
Every `mcpg.*` module and what it owns, alphabetical. The layered
7070
request path through these lives in the [Overview](#overview) diagram;
@@ -73,7 +73,6 @@ this table is the exhaustive index. Regenerate with
7373

7474
| Module | Responsibility |
7575
|---|---|
76-
| `mcpg._vendor` | Vendored MIT-licensed `SafeSqlDriver` + connection-pool kernel (SQL parse / allowlist / bind). |
7776
| `mcpg.about` | MCPg self-description. |
7877
| `mcpg.advisors` | Schema advisors — codified lint rules over the PG catalog. |
7978
| `mcpg.aio` | `AIO` — PG 19 asynchronous-I/O subsystem coverage. |
@@ -184,17 +183,28 @@ this table is the exhaustive index. Regenerate with
184183

185184
---
186185

187-
## The vendored SQL-safety kernel
188-
189-
`src/mcpg/_vendor/sql/` is a pinned copy of the SQL-safety
190-
subpackage from
191-
[`crystaldba/postgres-mcp`](https://github.com/crystaldba/postgres-mcp)
192-
(MIT). It provides `SafeSqlDriver` — a `pglast`-AST allowlist
193-
validator — and the base connection pool / driver.
194-
195-
The kernel is kept near-verbatim, excluded from the coverage gate
196-
and `mypy`, and re-synced via the procedure in
197-
`src/mcpg/_vendor/README.md`. See [ADR-0001](adr/0001-build-approach.md).
186+
## The SQL-safety kernel (first-party)
187+
188+
`src/mcpg/sql/` is MCPg's own SQL-safety kernel, split into policy
189+
and mechanism:
190+
191+
- `sql/allowlist.py` — the permitted statement / `pglast` AST node /
192+
function / extension sets, **as data** (the single auditable policy
193+
surface).
194+
- `sql/safety.py``SafeSqlDriver`: the `pglast` parse + AST-walker
195+
+ read-only execute path. Reads policy from `allowlist.py`; the
196+
walker can't widen it.
197+
- `sql/driver.py``SqlDriver` / `DbConnPool` / `obfuscate_password`
198+
(pool + execution + credential redaction; no policy).
199+
200+
It's fully inside the coverage gate + `mypy --strict` + `ruff` +
201+
`bandit`. Adversarial + fuzz tests live in
202+
`tests/unit/test_sql_kernel_*.py`; the threat model and security
203+
sign-off are in
204+
[`reviews/devendor-sql-kernel-security-review.md`](reviews/devendor-sql-kernel-security-review.md).
205+
It was de-vendored from `crystaldba/postgres-mcp` (MIT) — see
206+
[ADR-0007](adr/0007-first-party-sql-kernel.md), which supersedes
207+
[ADR-0001](adr/0001-build-approach.md).
198208

199209
---
200210

@@ -294,14 +304,13 @@ otherwise.
294304

295305
## Testing approach
296306

297-
MCPg is test-driven across four suites:
307+
MCPg is test-driven across three suites:
298308

299309
| Suite | Scope |
300310
|---|---|
301-
| `tests/unit/` | Fake-driver tests with a 90% coverage gate. Authored code only — the vendored kernel keeps its own tests. |
311+
| `tests/unit/` | Fake-driver tests with a 90% coverage gate — all first-party code, including the SQL-safety kernel (`test_sql_kernel_*.py`: the adversarial allowlist suite + a fuzz/robustness pass). |
302312
| `tests/integration/` | Real PostgreSQL — requires `MCPG_TEST_DATABASE_URL`. CI runs the matrix against PostgreSQL 14, 15, 16, 17, 18 on every push (pgvector + PostGIS + AGE image), plus an **experimental PG 19** lane (pgvector built from source against `postgres:19beta1`) and a **WarehousePG** (Greenplum-derived MPP) characterisation lane. |
303313
| `tests/contract/` | Tool-surface snapshot (`tool_surface.snapshot.json`) + the doc-table drift-guard (`test_doc_tables.py`), so a new tool or module can't ship undocumented. |
304-
| `tests/vendor/` | The vendored kernel's own upstream tests, kept for adversarial SQL-injection coverage. |
305314

306315
The integration container is built from
307316
`.github/ci-postgres.Dockerfile` and includes `pgvector`,

docs/contributing/adding-tools.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -41,7 +41,7 @@ from __future__ import annotations
4141

4242
from dataclasses import dataclass, field
4343

44-
from mcpg._vendor.sql import SqlDriver
44+
from mcpg.sql import SqlDriver
4545
from mcpg.extensions import extension_installed
4646

4747
# Module-level constants (mode allowlists, defaults). Inline so the

docs/feature-shortlist.md

Lines changed: 6 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -270,19 +270,15 @@ empty scratch database), which shows off none of the tool surface.
270270

271271
## 18. De-vendor the SQL-safety kernel — build our own
272272

273-
MCPg's SQL-safety core is currently **vendored** from a third party
274-
(see [ADR-0001](adr/) and [`src/mcpg/_vendor/README.md`](../src/mcpg/_vendor/README.md)):
275-
the `pglast`-based allowlist validator, async connection pool / driver,
276-
and parameter binding all live under `src/mcpg/_vendor/sql/`, copied
277-
near-verbatim from
278-
[`crystaldba/postgres-mcp`](https://github.com/crystaldba/postgres-mcp)
279-
(MIT, pinned commit `07eb329`, Copyright © 2025 Crystal Corp). The goal
280-
is to **own this layer outright** — remove the upstream dependency and
281-
replace it with a first-party implementation MCPg fully controls.
273+
MCPg's SQL-safety core was **vendored** from `crystaldba/postgres-mcp`
274+
(MIT) under `src/mcpg/_vendor/sql/`. Roadmap 18.1 replaced it with a
275+
first-party implementation MCPg fully controls — removing the last
276+
vendored runtime code and folding the SQL allowlist into every quality
277+
gate.
282278

283279
| # | Item | Effort | Value | Notes |
284280
|---|---|---|---|---|
285-
| 18.1 | ⬜ **Planned (agenda, no commitment yet).** **Replace the vendored `crystaldba/postgres-mcp` SQL-safety kernel with a first-party implementation.** In scope: `safe_sql.py` (the `pglast` parse + statement/keyword allowlist that every agent-supplied query passes through), `sql_driver.py` (the async psycopg pool + `DbConnPool`, incl. MCPg's ADR-0003 pool-sizing local mod), `bind_params.py`, `extension_utils.py`, `index.py`. Constraints: (a) **no safety regression** — the adversarial SQL-injection suite in `tests/vendor/sql/test_safe_sql.py` must be preserved (or re-implemented) and kept green, and the tool-surface contract test must not change; (b) preserve the `SafeSqlDriver` / pool public API the rest of `mcpg.*` depends on, or migrate call sites in the same effort; (c) fold the code into the coverage gate + `mypy --strict` once it's ours (the `_vendor/` carve-outs go away); (d) drop the vendored dir, its `README.md`/`LICENSE`, and the ADR-0001 rationale, and record the change in a new ADR. Likely a multi-PR effort: first re-home + test-parity, then simplify/own. **Phased plan: [`plans/devendor-sql-kernel.md`](plans/devendor-sql-kernel.md)** — recon found `bind_params.py` / `extension_utils.py` / `index.py` are **dead** (no consumer outside `_vendor/`), so they're deleted not rebuilt; the real rebuild is just `safe_sql.py` + `sql_driver.py`, and the consumer seam is 4 names (`SqlDriver` / `SafeSqlDriver` / `DbConnPool` / `obfuscate_password`). | L | Medium | Removes the last third-party runtime core; full control over the safety semantics. Revisit ADR-0001's "why vendor" reasoning when we start. |
281+
| 18.1 | ✅ **Shipped.** Replaced the vendored `crystaldba/postgres-mcp` kernel with a first-party `src/mcpg/sql/` package — `allowlist.py` (policy as data), `safety.py` (`SafeSqlDriver` walker), `driver.py` (`SqlDriver`/`DbConnPool`/`obfuscate_password`). The dead `bind_params.py` / `extension_utils.py` / `index.py` were deleted, not rebuilt. All ~74 consumers swung to `mcpg.sql`; `_vendor/` + `tests/vendor/` deleted; the 5 quality-gate carve-outs removed (the kernel is now inside coverage + `mypy --strict` + `ruff` + `bandit`). Faithful re-author, proven identical by a differential parity harness (0 divergence) + the ported 760-LOC adversarial suite + a fuzz pass + `/security-review` (no findings). Supersedes ADR-0001 with [ADR-0007](adr/0007-first-party-sql-kernel.md); plan in [`plans/devendor-sql-kernel.md`](plans/devendor-sql-kernel.md), sign-off in [`reviews/devendor-sql-kernel-security-review.md`](reviews/devendor-sql-kernel-security-review.md). | L | Medium | Removes the last third-party runtime core; full control over the safety semantics. |
286282

287283
---
288284

0 commit comments

Comments
 (0)