Statement Safety

tonic is not read-only, but it is explicit.

Before execution, tonic analyzes SQL, determines statement actions, checks backend support, evaluates config permissions, and only then opens or reuses a session.

Statement kind describes execution/rendering behavior:

  • query
  • command
  • transaction-control

Statement action describes permission behavior:

  • select
  • insert
  • update
  • delete
  • merge
  • replace
  • create
  • copy
  • alter
  • drop
  • truncate
  • attach
  • detach
  • show
  • describe
  • explain
  • values
  • call
  • transaction

Examples:

  • insert ... returning id is kind=query and action=insert.
  • explain update ... requires explain and update actions.
  • create table copy as select ... requires create and select actions.
  • truncate table events is kind=command and action=truncate.
  • Snowflake copy into raw.events from @events_stage is kind=command and action=copy.
  • begin is kind=transaction-control and action=transaction.

Statements outside the supported action set are rejected before execution. Query execution currently supports broad DDL where the backend supports it, as well as Snowflake copy into, but still rejects unsupported admin statements such as grant, revoke, set, or use.

Permissions can be declared globally and per connection.

    version: 2
    permissions:
      deny:
        - "*"
      allow:
        - select
        - explain
    connections:
      writer:
        backend: postgres
        permissions:
          allow:
            - update
            - transaction

If no permissions are configured, supported actions are allowed. Backend-unsupported actions cannot be allowed by config.

Evaluation starts from allowed, applies top-level permissions, then applies connection permissions. Within each scope, exact deny wins first, then exact allow, wildcard deny, wildcard allow, and otherwise no change.
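
The precedence rules above, applied to the example config, as an added sketch that is not tonic's own code. The function names are hypothetical, the config is written as a Python dict, backend support checks are not modeled, and it assumes a statement runs only when every action it requires is allowed.

```python
# Added illustration of the documented precedence; not tonic's own code.

def apply_scope(allowed, action, scope):
    """Apply one permissions scope to the running decision for one action."""
    deny = scope.get("deny", [])
    allow = scope.get("allow", [])
    if action in deny:      # exact deny wins first
        return False
    if action in allow:     # then exact allow
        return True
    if "*" in deny:         # then wildcard deny
        return False
    if "*" in allow:        # then wildcard allow
        return True
    return allowed          # otherwise no change

def action_allowed(action, config, connection=None):
    """Start from allowed, apply the top-level scope, then the connection scope."""
    allowed = True
    allowed = apply_scope(allowed, action, config.get("permissions", {}))
    conn = config.get("connections", {}).get(connection, {})
    return apply_scope(allowed, action, conn.get("permissions", {}))

def statement_allowed(actions, config, connection=None):
    """Assumption: a statement runs only if every required action is allowed."""
    return all(action_allowed(a, config, connection) for a in actions)

# The page's example config, written as a dict so no YAML parser is needed.
CONFIG = {
    "version": 2,
    "permissions": {"deny": ["*"], "allow": ["select", "explain"]},
    "connections": {
        "writer": {
            "backend": "postgres",
            "permissions": {"allow": ["update", "transaction"]},
        },
    },
}

if __name__ == "__main__":
    cases = [
        (["select"], None),                 # allowed globally
        (["update"], None),                 # caught by the global wildcard deny
        (["update"], "writer"),             # re-allowed by the connection scope
        (["explain", "update"], "writer"),  # explain update needs both actions
        (["delete"], "writer"),             # never allowed in either scope
    ]
    for actions, conn in cases:
        print(actions, conn, statement_allowed(actions, CONFIG, conn))
```

Because the connection scope is applied last, an exact allow there overrides the top-level wildcard deny, which is why update succeeds only on the writer connection.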