Commit 4d85821
oraclemcp P1-1: fail-closed engine-aware statement classifier (SAFETY-CRITICAL)
Beads oracle-qmwz.2.1 + .2.1.1..6 (P1-1 / a-f). Replaces the fail-OPEN
is_read_only_sql string predicate with a staged, fail-CLOSED classifier in
oraclemcp-guard (plan §5.3).
- Stage A (P1-1a): allow-list (SHA-256 normalized) -> block-list (regex) ->
PL/SQL-block + side-effect-marker detector.
- Stage B (P1-1b): sqlparser OracleDialect -> DangerLevel + required
OperatingLevel; no-WHERE DELETE/UPDATE -> Destructive; EXPLAIN -> Guarded.
- Lexer splitter (P1-1c): the Oracle tokenizer makes '..'/q'[..]'/N'..'/".."
single tokens, so embedded ;/BEGIN/END can't desync the counter (closes the
q'{..END;..}' fail-open); a BEGIN/END desync makes the whole batch Forbidden.
- SideEffectOracle port (P1-1d): in the engine-free guard, default Unknown
(fail-closed); the engine binds the real impl from the consumer side.
- Purity verdict (P1-1e): ProvenReadOnly is the ONLY clear-to-Safe; a UDF in a
SELECT consults the port (default Unknown -> Guarded, R15); statement_purity
is the trigger/VPD-walk seam.
- GuardDecision.gate(session) wires classify -> the P0-7 level gate (P1-1f).
- 33 guard tests incl SELECT billing.purge_old_rows() -> Guarded (not Safe).
clippy -D warnings + fmt clean. Adversarial corpus + fuzz -> T-CORPUS (6.2).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent fbf367e commit 4d85821
6 files changed
Lines changed: 1030 additions & 8 deletions
File tree
- .beads
- crates/oraclemcp-guard
- src
Large diffs are not rendered by default.
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
| 16 | + | |
| 17 | + | |
16 | 18 | | |
17 | 19 | | |
18 | 20 | | |
| |||
0 commit comments