Statement Safety

tonic is not read-only, but it is explicit.

Before execution, tonic analyzes SQL, determines statement actions, checks backend support, evaluates config permissions, and only then opens or reuses a session.

Statement kind describes execution/rendering behavior:

  • query
  • command
  • transaction-control

Statement action describes permission behavior:

  • select
  • insert
  • update
  • delete
  • merge
  • replace
  • show
  • describe
  • explain
  • values
  • call
  • transaction

Examples:

  • insert ... returning id is kind=query and action=insert.
  • explain update ... requires explain and update actions.
  • begin is kind=transaction-control and action=transaction.

Statements outside the supported action set are rejected before execution. Current query execution does not run arbitrary DDL or admin statements such as create, alter, drop, truncate, grant, revoke, set, use, or copy into.

Permissions can be declared globally and per connection.

version: 2
permissions:
  deny:
    - "*"
  allow:
    - select
    - explain
connections:
  writer:
    backend: postgres
    permissions:
      allow:
        - update
        - transaction

If no permissions are configured, supported actions are allowed. Backend-unsupported actions cannot be allowed by config.

Evaluation starts from allowed, applies top-level permissions, then applies connection permissions. Within each scope, exact deny wins first, then exact allow, wildcard deny, wildcard allow, and otherwise no change.
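
The evaluation order described above, sketched as an added example (not tonic's own code) and run against the sample configuration from this page. The function names, the dict form of the config, and the reading of the precedence list as "first matching rule in a scope decides" are assumptions made for illustration.

```python
# Added illustration of the documented permission precedence; not tonic's code.
# Assumption: within a scope, the first matching rule in the documented order decides.
SUPPORTED = {"select", "insert", "update", "delete", "merge", "replace",
             "show", "describe", "explain", "values", "call", "transaction"}

def apply_scope(action, current, scope):
    """Apply one permissions scope (top-level or connection) to one action."""
    deny = set(scope.get("deny", []))
    allow = set(scope.get("allow", []))
    if action in deny:      # exact deny wins first
        return False
    if action in allow:     # then exact allow
        return True
    if "*" in deny:         # then wildcard deny
        return False
    if "*" in allow:        # then wildcard allow
        return True
    return current          # otherwise no change

def action_allowed(action, config, connection=None, supported=SUPPORTED):
    if action not in supported:   # unsupported actions cannot be allowed by config
        return False
    decision = True               # evaluation starts from allowed
    decision = apply_scope(action, decision, config.get("permissions", {}))
    conn = config.get("connections", {}).get(connection, {})
    return apply_scope(action, decision, conn.get("permissions", {}))

def statement_allowed(actions, config, connection=None, supported=SUPPORTED):
    """A statement runs only if every action it requires is allowed."""
    return all(action_allowed(a, config, connection, supported) for a in actions)

# The page's sample configuration, transcribed as a dict to avoid a YAML dependency.
CONFIG = {
    "version": 2,
    "permissions": {"deny": ["*"], "allow": ["select", "explain"]},
    "connections": {
        "writer": {"backend": "postgres",
                   "permissions": {"allow": ["update", "transaction"]}},
    },
}
```

With this configuration, `explain update ...` passes only on the `writer` connection, and `insert` stays denied there because the connection scope does not mention it and the top-level wildcard deny carries over.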