Fix EXPLAIN rendering, quote SQL identifiers, add loading states

- EXPLAIN: iterate over plan rows instead of rendering array as string
- Quote all SQL identifiers in migration generators to prevent injection
- Add hx-disabled-elt on forms for visual loading feedback
- Add CSS for disabled button state

Author: loglux

app/mcp/tools.py

@@ -175,42 +175,48 @@ def _index_key(index: Dict[str, Any]) -> tuple:
         unique = bool(index.get("unique", False))
         return (name, cols, unique)
 
+    def _qi(identifier: str) -> str:
+        """Quote a SQL identifier to prevent injection."""
+        sanitized = identifier.replace('"', '""')
+        return f'"{sanitized}"'
+
     def _create_index_sql(dialect: str, name: str, table: str, cols: str, unique: str) -> str:
-        return f"CREATE {unique}INDEX {name} ON {table} ({cols});"
+        return f"CREATE {unique}INDEX {_qi(name)} ON {_qi(table)} ({cols});"
 
     def _drop_index_sql(dialect: str, name: str, table: str) -> str:
         if dialect == "mysql":
-            return f"DROP INDEX {name} ON {table};"
-        return f"DROP INDEX {name};"
+            return f"DROP INDEX {_qi(name)} ON {_qi(table)};"
+        return f"DROP INDEX {_qi(name)};"
 
     def _alter_type_sql(
         dialect: str, table: str, column: str, desired: str
     ) -> tuple[str | None, str | None]:
+        t, c = _qi(table), _qi(column)
         if dialect == "postgresql":
-            return (f"ALTER TABLE {table} ALTER COLUMN {column} TYPE {desired};", None)
+            return (f"ALTER TABLE {t} ALTER COLUMN {c} TYPE {desired};", None)
         if dialect == "mysql":
-            return (f"ALTER TABLE {table} MODIFY COLUMN {column} {desired};", None)
+            return (f"ALTER TABLE {t} MODIFY COLUMN {c} {desired};", None)
         if dialect == "sqlite":
             return (None, f"SQLite does not support ALTER COLUMN TYPE for {table}.{column}")
-        return (f"ALTER TABLE {table} ALTER COLUMN {column} TYPE {desired};", None)
+        return (f"ALTER TABLE {t} ALTER COLUMN {c} TYPE {desired};", None)
 
     def _alter_nullable_sql(
         dialect: str, table: str, column: str, desired_nullable: bool
     ) -> tuple[str | None, str | None]:
+        t, c = _qi(table), _qi(column)
         if dialect == "postgresql":
             if desired_nullable:
-                return (f"ALTER TABLE {table} ALTER COLUMN {column} DROP NOT NULL;", None)
-            return (f"ALTER TABLE {table} ALTER COLUMN {column} SET NOT NULL;", None)
+                return (f"ALTER TABLE {t} ALTER COLUMN {c} DROP NOT NULL;", None)
+            return (f"ALTER TABLE {t} ALTER COLUMN {c} SET NOT NULL;", None)
         if dialect == "mysql":
-            # MySQL needs full column definition; warn user.
             return (None, f"MySQL requires full column type to change NULL for {table}.{column}")
         if dialect == "sqlite":
             return (None, f"SQLite does not support ALTER COLUMN NULL for {table}.{column}")
         return (None, f"Nullable change not supported for {dialect}")
 
     def _drop_column_sql(dialect: str, table: str, column: str) -> tuple[str | None, str | None]:
         if dialect in {"postgresql", "mysql"}:
-            return (f"ALTER TABLE {table} DROP COLUMN {column};", None)
+            return (f"ALTER TABLE {_qi(table)} DROP COLUMN {_qi(column)};", None)
         if dialect == "sqlite":
             return (None, f"SQLite does not support DROP COLUMN for {table}.{column}")
         return (None, f"DROP COLUMN not supported for {dialect}")
@@ -289,15 +295,15 @@ def db_migrate_plan(payload: Dict[str, Any]) -> Dict[str, Any]:
             for name, c in columns.items():
                 col_type = c.get("type", "TEXT")
                 nullable = c.get("nullable", True)
-                col_defs.append(f"{name} {col_type}{'' if nullable else ' NOT NULL'}")
+                col_defs.append(f"{_qi(name)} {col_type}{'' if nullable else ' NOT NULL'}")
             if col_defs:
-                statements.append(f"CREATE TABLE {table} ({', '.join(col_defs)});")
+                statements.append(f"CREATE TABLE {_qi(table)} ({', '.join(col_defs)});")
 
             for idx in spec.get("indexes", []):
                 idx_norm = _normalize_index(idx)
                 idx_name = idx_norm.get("name") or f"idx_{table}_{'_'.join(idx_norm['columns'])}"
                 unique = "UNIQUE " if idx_norm.get("unique") else ""
-                cols = ", ".join(idx_norm.get("columns", []))
+                cols = ", ".join(_qi(c) for c in idx_norm.get("columns", []))
                 if cols:
                     statements.append(_create_index_sql(dialect, idx_name, table, cols, unique))
 
@@ -307,7 +313,8 @@ def db_migrate_plan(payload: Dict[str, Any]) -> Dict[str, Any]:
                 col_type = spec.get("type", "TEXT")
                 nullable = spec.get("nullable", True)
                 not_null = "" if nullable else " NOT NULL"
-                statements.append(f"ALTER TABLE {table} ADD COLUMN {col} {col_type}{not_null};")
+                stmt = f"ALTER TABLE {_qi(table)} ADD COLUMN {_qi(col)} {col_type}{not_null};"
+                statements.append(stmt)
 
         for table, cols in diff.get("type_mismatches", {}).items():
             for item in cols:
@@ -330,13 +337,13 @@ def db_migrate_plan(payload: Dict[str, Any]) -> Dict[str, Any]:
                 idx_norm = _normalize_index(idx)
                 idx_name = idx_norm.get("name") or f"idx_{table}_{'_'.join(idx_norm['columns'])}"
                 unique = "UNIQUE " if idx_norm.get("unique") else ""
-                cols = ", ".join(idx_norm.get("columns", []))
+                cols = ", ".join(_qi(c) for c in idx_norm.get("columns", []))
                 if cols:
                     statements.append(_create_index_sql(dialect, idx_name, table, cols, unique))
 
         if destructive:
             for table in diff.get("extra_tables", []):
-                statements.append(f"DROP TABLE {table};")
+                statements.append(f"DROP TABLE {_qi(table)};")
             for table, cols in diff.get("extra_columns", {}).items():
                 for col in cols:
                     stmt, warn = _drop_column_sql(dialect, table, col)

app/web/static/styles.css

@@ -202,6 +202,13 @@ body {
   opacity: 0.85;
 }
 
+.button:disabled,
+.button[disabled] {
+  opacity: 0.5;
+  cursor: not-allowed;
+  pointer-events: none;
+}
+
 .button.ghost {
   background: transparent;
   border: 1px solid rgb(255 255 255 / 10%);

app/web/templates/chat.html

@@ -81,7 +81,8 @@ <h2>{{ active_session.name }}</h2>
             {% elif p.command == 'explain' and p.query_result %}
               <div class="bubble-label">Explain</div>
               {% if p.query_result.plan %}
-                <pre class="sql-block">{{ p.query_result.plan }}</pre>
+                <pre class="sql-block">{% for row in p.query_result.plan %}{% for v in row.values() %}{{ v }}  {% endfor %}
+{% endfor %}</pre>
               {% elif p.query_result.error %}
                 <div class="error">{{ p.query_result.error }}</div>
               {% endif %}
@@ -129,6 +130,7 @@ <h2>{{ active_session.name }}</h2>
           hx-post="/chat/send"
           hx-target="#chat-messages"
           hx-swap="beforeend"
+          hx-disabled-elt="find button"
           hx-on::after-request="this.reset(); var el = document.getElementById('chat-messages'); el.scrollTop = el.scrollHeight; var w = document.getElementById('chat-welcome'); if(w) w.remove();">
       <input type="hidden" name="session_id" value="{{ session_id }}">
       <textarea name="message" id="chat-input" rows="2"

app/web/templates/design.html

@@ -6,7 +6,7 @@
   <h2>Design & Diff</h2>
   <p class="muted">Provide a desired schema JSON to compare with the current database.</p>
 
-  <form class="form" hx-post="/design/diff" hx-target="#diff-result" hx-swap="innerHTML">
+  <form class="form" hx-post="/design/diff" hx-target="#diff-result" hx-swap="innerHTML" hx-disabled-elt="find button">
     <label for="desired">Desired Schema (JSON)</label>
     <textarea id="desired" name="desired" rows="10" placeholder='{"tables": {"users": {"columns": {"id": {"type": "INTEGER", "nullable": false}}}}}'></textarea>
     <div class="actions">
@@ -22,7 +22,7 @@ <h2>Design & Diff</h2>
 <section class="panel">
   <h2>Migration Plan</h2>
   <p class="muted">Generate a SQL plan from desired schema (optional destructive).</p>
-  <form class="form" hx-post="/design/plan" hx-target="#plan-result" hx-swap="innerHTML">
+  <form class="form" hx-post="/design/plan" hx-target="#plan-result" hx-swap="innerHTML" hx-disabled-elt="find button">
     <label for="plan-desired">Desired Schema (JSON)</label>
     <textarea id="plan-desired" name="desired" rows="8" placeholder='{"tables": {"users": {"columns": {"id": {"type": "INTEGER", "nullable": false}}}}}'></textarea>
     <label class="checkbox">
@@ -42,7 +42,7 @@ <h2>Migration Plan</h2>
 <section class="panel">
   <h2>Plan & Apply</h2>
   <p class="muted">Generate a plan and apply it in one step.</p>
-  <form class="form" hx-post="/design/plan-apply" hx-target="#plan-apply-result" hx-swap="innerHTML">
+  <form class="form" hx-post="/design/plan-apply" hx-target="#plan-apply-result" hx-swap="innerHTML" hx-disabled-elt="find button">
     <label for="plan-apply-desired">Desired Schema (JSON)</label>
     <textarea id="plan-apply-desired" name="desired" rows="8" placeholder='{"tables": {"users": {"columns": {"id": {"type": "INTEGER", "nullable": false}}}}}'></textarea>
     <label class="checkbox">
@@ -67,7 +67,7 @@ <h2>Plan & Apply</h2>
 <section class="panel">
   <h2>Apply SQL</h2>
   <p class="muted">Apply a single SQL statement (requires MODE=execute).</p>
-  <form class="form" hx-post="/design/apply" hx-target="#apply-result" hx-swap="innerHTML">
+  <form class="form" hx-post="/design/apply" hx-target="#apply-result" hx-swap="innerHTML" hx-disabled-elt="find button">
     <label for="apply-sql">SQL Statement</label>
     <textarea id="apply-sql" name="sql" rows="6" placeholder="CREATE TABLE ..."></textarea>
     <div class="actions">
@@ -84,7 +84,7 @@ <h2>Apply SQL</h2>
 <section class="panel">
   <h2>Batch Migrate</h2>
   <p class="muted">Apply multiple SQL statements, optionally dry-run.</p>
-  <form class="form" hx-post="/design/migrate" hx-target="#migrate-result" hx-swap="innerHTML">
+  <form class="form" hx-post="/design/migrate" hx-target="#migrate-result" hx-swap="innerHTML" hx-disabled-elt="find button">
     <label for="migrate-sql">SQL Statements (semicolon separated)</label>
     <textarea id="migrate-sql" name="sql" rows="8" placeholder="CREATE TABLE ...; ALTER TABLE ...;"></textarea>
     <label class="checkbox">

app/web/templates/partials/chat_message.html

@@ -43,7 +43,8 @@
   {% elif command == 'explain' %}
     <div class="bubble-label">Explain</div>
     {% if query_result and query_result.plan %}
-      <pre class="sql-block">{{ query_result.plan }}</pre>
+      <pre class="sql-block">{% for row in query_result.plan %}{% for v in row.values() %}{{ v }}  {% endfor %}
+{% endfor %}</pre>
     {% elif query_result and query_result.error %}
       <div class="error">{{ query_result.error }}</div>
     {% else %}

app/web/templates/sandbox.html

@@ -5,7 +5,7 @@
 <section class="panel">
   <h2>Sandbox</h2>
   <p class="muted">Run SQL queries under the active policy.</p>
-  <form class="form" hx-post="/sandbox/run" hx-target="#result" hx-swap="innerHTML">
+  <form class="form" hx-post="/sandbox/run" hx-target="#result" hx-swap="innerHTML" hx-disabled-elt="find button">
     <label for="sql">SQL Query</label>
     <textarea id="sql" name="sql" rows="6" placeholder="SELECT * FROM ..."></textarea>
     <div class="actions">