Release v0.9.0

Author: pseudosavant

.github/workflows/publish.yml

@@ -0,0 +1,51 @@
+name: publish
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+
+      - name: Build package
+        run: uv build --no-sources
+
+      - name: Upload dist artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/*
+
+  publish-pypi:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    environment:
+      name: pypi
+      url: https://pypi.org/p/sql-agent
+    steps:
+      - name: Download dist artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

.gitignore

@@ -0,0 +1,8 @@
+.venv/
+__pycache__/
+*.pyc
+build/
+dist/
+tmp_smoke.db
+test-output/
+.test-output/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Paul
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,209 @@
+# sql-agent
+
+`sql-agent` is a read-only SQL CLI for agentic workflows.
+
+It is designed to run safe, single-statement queries against configured database targets and return deterministic output that tools like Codex CLI and Claude Code can consume reliably.
+
+V1 targets:
+
+- MySQL
+- MariaDB
+- PostgreSQL
+- SQLite
+
+## Status
+
+This repo is currently spec-first and under active development.
+
+The current behavior target is defined in [`spec.md`](./spec.md).
+
+## Install and run
+
+Local development:
+
+```text
+uv run ./sql_agent.py --help
+uv run ./sql_agent.py "SELECT 1"
+```
+
+Packaged command target:
+
+```text
+uvx sql-agent --help
+sql-agent "SELECT 1"
+```
+
+## Primary usage
+
+Default target:
+
+```text
+sql-agent "SELECT id, name FROM users LIMIT 10"
+```
+
+Named target:
+
+```text
+sql-agent --target reporting "SELECT COUNT(*) AS total FROM users"
+```
+
+Explicit query flag:
+
+```text
+sql-agent --target reporting --query "SELECT NOW()"
+```
+
+SQL file:
+
+```text
+sql-agent --target reporting --sql-file query.sql
+```
+
+Stdin:
+
+```text
+Get-Content query.sql | sql-agent --target reporting
+```
+
+One-off SQLite query without config:
+
+```text
+sql-agent --engine sqlite --path C:\data\app.db "SELECT * FROM customers LIMIT 5"
+```
+
+## Auth
+
+`sql-agent` is designed to prefer native client credential mechanisms over password arguments.
+
+Supported v1 auth patterns:
+
+- PostgreSQL: `PG*` environment variables and `.pgpass`
+- MySQL/MariaDB: option files such as `~/.my.cnf`
+- Generic fallback: `--password-stdin`
+- Optional human fallback: `--prompt-password`
+
+`sql-agent` does not document or guarantee `MYSQL_PWD` as a public credential source.
+
+### Bootstrap native auth files
+
+Seed a PostgreSQL template:
+
+```text
+sql-agent config init-native-auth --engine postgres
+sql-agent config init-native-auth --engine postgres --target reporting
+```
+
+Seed a MySQL template:
+
+```text
+sql-agent config init-native-auth --engine mysql
+sql-agent config init-native-auth --engine mysql --target dev
+```
+
+When `--target NAME` is provided, the tool should prefill non-secret fields such as host, port, database, and user where possible, while leaving the password blank.
+
+## Config
+
+User config path:
+
+```text
+~/.sql-agent/config.toml
+```
+
+Example:
+
+```toml
+[defaults]
+target = "dev"
+format = "json"
+max_rows = 200
+connect_timeout_seconds = 8
+query_timeout_seconds = 15
+
+[targets.dev]
+engine = "mysql"
+host = "az-mysql-pub-sona-asia1-dev.mysql.database.azure.com"
+port = 3306
+database = "asiadev_2794"
+user = "paul"
+ssl_mode = "required"
+
+[targets.reporting]
+engine = "postgres"
+host = "db.example.com"
+port = 5432
+database = "app"
+user = "report_reader"
+ssl_mode = "required"
+
+[targets.local_sqlite]
+engine = "sqlite"
+path = "C:/data/app.db"
+```
+
+Config commands:
+
+```text
+sql-agent config show
+sql-agent config set-default-target NAME
+sql-agent config add-target NAME [options]
+sql-agent config remove-target NAME
+sql-agent config init-native-auth --engine postgres [--target NAME]
+sql-agent config init-native-auth --engine mysql [--target NAME]
+sql-agent targets
+```
+
+`config show` should display effective target settings and credential-source hints without revealing secrets.
+
+## Output
+
+Supported formats:
+
+- `json`
+- `markdown`
+- `table`
+- `csv`
+
+Default format:
+
+- `json`
+
+Stdout is reserved for payload output. Diagnostics and errors go to stderr.
+
+## Read-only guarantee
+
+V1 is read-only by design.
+
+Intended allowed statement classes include:
+
+- `SELECT`
+- `WITH ... SELECT`
+- `SHOW`
+- `DESCRIBE` / `DESC`
+- `EXPLAIN`
+
+The tool is intended to reject mutating or administrative statements before execution and to execute exactly one statement per invocation.
+
+## SSL
+
+Secure defaults are required by default for network databases.
+
+Supported model:
+
+- `--ssl-mode required`
+- `--ssl-mode preferred`
+- `--ssl-mode disabled`
+- `--insecure` as shorthand for `--ssl-mode preferred`
+
+## Development direction
+
+Implementation choices currently targeted by the spec:
+
+- `PyMySQL[rsa]` for MySQL and MariaDB
+- `psycopg[binary]` for PostgreSQL
+- stdlib `sqlite3` for SQLite
+- `sqlglot` for parser-backed SQL validation
+
+## License
+
+MIT

pyproject.toml

@@ -0,0 +1,45 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "sql-agent"
+version = "0.9.0"
+description = "Read-only SQL CLI for agentic workflows"
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.11"
+authors = [
+  { name = "Paul" },
+]
+keywords = ["sql", "mysql", "postgresql", "sqlite", "cli", "agent"]
+classifiers = [
+  "Development Status :: 4 - Beta",
+  "Environment :: Console",
+  "Intended Audience :: Developers",
+  "License :: OSI Approved :: MIT License",
+  "Operating System :: OS Independent",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Topic :: Database",
+  "Topic :: Software Development :: Libraries :: Python Modules",
+  "Topic :: Utilities",
+]
+dependencies = [
+  "PyMySQL[rsa]>=1.1.0",
+  "psycopg[binary]>=3.2.0",
+  "sqlglot>=26.0.0",
+]
+
+[project.urls]
+Homepage = "https://github.com/pseudosavant/sql-agent"
+Repository = "https://github.com/pseudosavant/sql-agent"
+Issues = "https://github.com/pseudosavant/sql-agent/issues"
+
+[project.scripts]
+sql-agent = "sql_agent.cli:main"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/sql_agent"]