Skip to content

feat: add secure BYOD database connections#1

Open
gopalmani wants to merge 1 commit into
mainfrom
feat/byod-database-connections
Open

feat: add secure BYOD database connections#1
gopalmani wants to merge 1 commit into
mainfrom
feat/byod-database-connections

Conversation

@gopalmani

Copy link
Copy Markdown
Owner

Summary

Adds secure Bring Your Own Database support for publicly reachable PostgreSQL databases.

Changes

  • Add encrypted saved database connections
  • Support connection strings and structured connection fields
  • Add SSL, DNS resolution, and SSRF protection
  • Block localhost, private, link-local, reserved, and metadata IPs
  • Add schema introspection and deduplicated catalog snapshots
  • Separate SQL generation from explicit user-approved execution
  • Validate generated SQL and referenced tables before execution
  • Enforce read-only transactions, timeouts, and result limits
  • Add query history, audit events, and verified examples
  • Add API-backed Connections, Schema Explorer, Query Workspace, and History interfaces
  • Add signed workspace sessions and ownership checks
  • Update Alembic migrations, Docker, Render, tests, and documentation

Security

  • Credentials are encrypted using CONNECTION_ENCRYPTION_KEY
  • Credentials and result rows are never sent to the LLM
  • Raw credentials are never returned by APIs or written to logs
  • SQL is revalidated immediately before execution
  • Database permissions remain the primary security boundary
  • Private and localhost databases are blocked by default

Testing

  • 58 backend tests pass
  • Frontend lint passes
  • Frontend type-check passes
  • Frontend production build passes
  • Alembic migrations pass against PostgreSQL 16
  • Deterministic SQL evaluations pass
  • Render and Docker Compose YAML validation passes

Limitations

  • PostgreSQL only
  • Publicly reachable hosts only
  • No SSH tunnels, VPN, or private VPC connectivity
  • Signed anonymous sessions are not full account authentication
  • Application-level encryption is not a managed credential vault
  • MySQL and a customer-side private-network connector remain roadmap items

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant