Skip to content

refactor(sql): swing consumers to mcpg.sql, delete the vendored kernel (18.1, PR 2)#260

Merged
devopam merged 2 commits into
mainfrom
feat/devendor-sql-swing
Jul 8, 2026
Merged

refactor(sql): swing consumers to mcpg.sql, delete the vendored kernel (18.1, PR 2)#260
devopam merged 2 commits into
mainfrom
feat/devendor-sql-swing

Conversation

@devopam

@devopam devopam commented Jul 8, 2026

Copy link
Copy Markdown
Owner

Summary

PR 2 (final) of the de-vendor effort (plan, roadmap 18.1). PR 1 (#259) landed the first-party mcpg.sql kernel and proved it identical to the vendored one; this PR swings everything over and removes the vendored code.

  • Swung all ~74 from mcpg._vendor.sql import …from mcpg.sql import … across src/ + tests/ (the seam is 4 names: SqlDriver / SafeSqlDriver / DbConnPool / obfuscate_password; behaviour unchanged, tool snapshots unchanged).
  • Deleted src/mcpg/_vendor/ and tests/vendor/ wholesale, plus the temporary differential parity harness (its job — 0 divergence — is done). git grep mcpg._vendor → nothing.
  • Removed all 5 _vendor quality-gate carve-outs in pyproject.toml: the SQL kernel is now inside coverage (90% gate), mypy --strict, ruff, and bandit like every other module.
  • Docs: regenerated the architecture.md module map (drops mcpg._vendor, adds mcpg.sql.*); rewrote the "SQL-safety kernel" sections in architecture.md + CLAUDE.md to first-party; new ADR-0007 superseding ADR-0001; NOTICE reframed to design-lineage attribution; SECURITY.md now scopes the kernel in; README / adding-tools / release-process references updated; roadmap 18.1 → ✅.

MCPg now ships no vendored runtime code. (pglast, psycopg, psycopg-pool remain upstream library deps.)

Verification

Full unit + contract suite green locally (2772 pass); ruff + mypy --strict clean across 106 files; drift guard green; git grep mcpg._vendor empty. The security-review gate passed on PR 1 (docs/reviews/devendor-sql-kernel-security-review.md).

Roadmap linkage

Advances roadmap row: 18.1 (completes it; flipped to ✅ in this PR).

Checklist

  • Full unit + contract suite passes locally
  • ruff, ruff format, mypy --strict, drift guard pass
  • CHANGELOG.md updated under [Unreleased]
  • Roadmap row cited (18.1) + flipped to ✅
  • src/mcpg/_vendor/ deleted — no hand-edits, it's gone

🤖 Generated with Claude Code


Generated by Claude Code

Summary by Sourcery

Replace the vendored SQL-safety kernel with a first-party mcpg.sql package and update all consumers and docs accordingly.

Enhancements:

  • Switch all SqlDriver/SafeSqlDriver/DbConnPool/obfuscate_password consumers from mcpg._vendor.sql to mcpg.sql while preserving behaviour.
  • Bring the SQL-safety kernel into normal quality gates by removing _vendor carve-outs from coverage, mypy, ruff, and bandit.
  • Remove the vendored SQL kernel, its tests, and related licensing metadata, completing roadmap item 18.1.
  • Document the new first-party SQL kernel architecture and record ADR-0007 superseding the original vendoring ADR.

Build:

  • Drop vendor-specific license file wiring from packaging metadata.

Documentation:

  • Update architecture, contributor, security, roadmap, and README docs to describe the first-party SQL kernel and remove references to the vendored copy.

Tests:

  • Remove the differential/parity harness and vendor test suite now that the first-party kernel is the single source of truth.

claude added 2 commits July 8, 2026 09:20
…ernel (18.1, PR2)

The de-vendor swing:
- Rewrote all ~74 'from mcpg._vendor.sql import ...' -> 'from mcpg.sql import ...'
  across src + tests (SqlDriver / SafeSqlDriver / DbConnPool / obfuscate_password
  are the stable seam; behaviour unchanged, tool snapshots unchanged).
- Deleted src/mcpg/_vendor/ and tests/vendor/ wholesale, plus the temporary
  differential parity harness (its job — 0 divergence — is done).
- Removed all 5 _vendor quality-gate carve-outs in pyproject.toml: the SQL
  kernel is now inside coverage (90% gate), mypy --strict, ruff, and bandit
  like every other module.
- Regenerated the architecture.md module map (drops mcpg._vendor, adds
  mcpg.sql.{allowlist,driver,safety}); fixed generate_doc_tables.py to stop
  hardcoding the deleted _vendor row; rewrote the architecture + CLAUDE.md
  'SQL-safety kernel' sections to first-party.

Full unit + contract suite: 2754 pass. ruff + mypy --strict clean across
106 source files. git grep mcpg._vendor -> nothing.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0122yLZLJ8t4W43sdN6BmTZc
- New ADR-0007 (first-party SQL kernel) superseding ADR-0001; ADR-0001
  marked superseded with a banner.
- NOTICE rewritten: kernel is first-party, re-authored from crystaldba
  (MIT) — attribution kept as design lineage, not a vendored copy.
- SECURITY.md: the SQL-safety kernel is now in-scope MCPg code (removed the
  _vendor exclusion + the 'goes upstream to crystaldba' out-of-scope item).
- README license note, adding-tools import example, release-process
  license-files example: point at the first-party paths.
- feature-shortlist 18.1 -> ✅ Shipped.
- CHANGELOG [Unreleased]: de-vendor entry.

Left as historical record (accurate for their time): PROGRESS.md build log,
ADR-0002/0003, and the crystaldba competitor row in comparison-matrix.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0122yLZLJ8t4W43sdN6BmTZc

@gemini-code-assist-2 gemini-code-assist-2 Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request de-vendors the SQL-safety kernel (roadmap 18.1), replacing the third-party crystaldba/postgres-mcp vendored code under src/mcpg/_vendor/ with a first-party src/mcpg/sql/ package. Unused vendored modules (bind_params.py, extension_utils.py, and index.py) were deleted, and the core SQL-safety mechanism was re-architected to separate policy (sql/allowlist.py) from mechanism (sql/safety.py and sql/driver.py). All consuming modules have been updated to import from mcpg.sql. Additionally, quality gate carve-outs in pyproject.toml (for coverage, mypy, ruff, and bandit) have been removed, bringing the SQL kernel fully under first-party quality gates. Documentation, licenses, and tests have been updated accordingly, and the temporary differential parity harness has been removed. There are no review comments, so I have no feedback to provide.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@devopam devopam merged commit 5f9e3f1 into main Jul 8, 2026
14 of 19 checks passed
@devopam devopam deleted the feat/devendor-sql-swing branch July 9, 2026 06:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants