api and db basics

[anirudhisonline]

Summary by CodeRabbit

• New Features

  • Rich database workspace: connection management, lazy schema browser, paged query runner, table data viewer/editor, schema diagram, and saved-query management.
  • API workspace: inline renaming of requests and collections; improved request editor with templating and form/file support.
  • Embedded code editor with language-aware editing.

• Chores

  • Updated README roadmap with more detailed checklists.
  • Added dev script and updated project ignore rules to exclude common DB files.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 27e0dbec-385e-4848-825c-a2c0f937176b

📥 Commits

Reviewing files that changed from the base of the PR and between bb04c03 and 9c26b59.

📒 Files selected for processing (10)

• src-tauri/src/commands/api.rs
• src-tauri/src/commands/db/drivers/mysql.rs
• src-tauri/src/commands/db/drivers/postgres.rs
• src-tauri/src/commands/db/mod.rs
• src-tauri/src/error.rs
• src/lib/components/panels/ApiPanel.svelte
• src/lib/components/panels/DbPanel.svelte
• src/lib/components/workspace/DbDiagramTab.svelte
• src/lib/components/workspace/DbQueryTab.svelte
• src/lib/stores/workspace.svelte.js

---

📝 Walkthrough

Walkthrough

Updated backend and frontend to add a modular database driver layer with Postgres/MySQL/SQLite/Mongo stubs, a broad DB Tauri command surface and state, extended REST request model (path/form params, body types, OAuth2), request rename commands, many new Svelte UI components (API and DB panels/tabs, CodeMirror wrapper, SQL confirm modal), JS command wrappers, dependency changes, and documentation/plan updates.

Changes

All Changes (single cohort)

Layer / File(s)

Summary

All modified checkpoints multiple files across repository

Comprehensive checkpoint including .gitignore, README.md, package.json, src-tauri/Cargo.toml, plans/*, Tauri API changes (src-tauri/src/commands/api.rs), new DB backend module and drivers (src-tauri/src/commands/db/* and src-tauri/src/commands/db/mod.rs), error/state/lib wiring (src-tauri/src/error.rs, src-tauri/src/lib.rs, src-tauri/src/commands/mod.rs), frontend command wrappers (src/lib/commands/*.js), CodeMirror and DB UI components (src/lib/components/**), workspace store/layout routing (src/lib/stores/*, src/routes/app/+layout.svelte), and assorted docs/config updates.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• anide-app/anide#11: Shares changes around switching request storage paths to .anide/requests/ and related API command handling.
• anide-app/anide#5: Earlier PR that introduced/base-defined request frontmatter and API command scaffolding which this PR extends.

"🐰
I hopped through trees of SQL and code,
Renamed requests and set the mode,
Drivers sprout while editors gleam,
.anide holds the new dream,
A tiny hop for a rabbit — bold!"

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 45.41% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'api and db basics' is vague and generic, using non-descriptive terms that do not convey meaningful information about the changeset's primary objectives.	Consider using a more descriptive title that captures the main accomplishments, such as 'Add API request handling and database driver abstraction layer' or 'Implement REST API and multi-database support'.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch api-db

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 19

🧹 Nitpick comments (7)

src-tauri/src/commands/db/mod.rs (2)

671-673: 💤 Low value

Using debug format {:?} for YAML values may cause issues with special characters.

The debug format adds escaped quotes and may produce unexpected YAML for strings containing quotes, newlines, or other special characters (e.g., "test \"name\"" instead of proper YAML escaping).

♻️ Consider using serde_yaml for consistent serialization

-    let yaml = format!("name: {:?}\ndescription: {:?}\n", query.name, query.description);
+    let mut map = serde_yaml::Mapping::new();
+    map.insert("name".into(), serde_yaml::Value::String(query.name.clone()));
+    map.insert("description".into(), serde_yaml::Value::String(query.description.clone()));
+    let yaml = serde_yaml::to_string(&serde_yaml::Value::Mapping(map))?;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src-tauri/src/commands/db/mod.rs` around lines 671 - 673, The current code
builds YAML using Rust debug formatting (yaml = format!("name: {:?}\n..."),
which inserts escaped quotes and can corrupt strings with special characters;
instead construct a proper YAML document via serde_yaml (or serialize a small
struct with fields name and description) and pass that serialized YAML string
into frontmatter::serialize along with query.sql; update references around the
variables file_name, yaml, and the call to frontmatter::serialize(&yaml,
&query.sql) so query.name and query.description are serialized safely rather
than using "{:?}" formatting.

---

355-368: ⚡ Quick win

Consider handling poisoned mutex locks gracefully.

Multiple places use .unwrap() on mutex locks (lines 357, 386, 419, 428, 444). While poisoned locks are rare, using .unwrap() will cause a panic if it occurs. Additionally, line 359 silently swallows config read errors with unwrap_or_default(), which could hide configuration issues from users.

♻️ Proposed fix for lock handling

 pub fn db_list_connections(
     project_path: String,
     state: tauri::State<'_, DbState>,
 ) -> Result<Vec<ConnectionMeta>, AppError> {
     let names = list_connections(&project_path)?;
-    let conns = state.connections.lock().unwrap();
+    let conns = state.connections.lock()
+        .map_err(|_| AppError::Db("Connection state lock poisoned".into()))?;
     let metas = names.iter().map(|name| {
-        let cfg = read_connection_config(&project_path, name).unwrap_or_default();
+        let cfg = read_connection_config(&project_path, name)
+            .unwrap_or_else(|_| ConnectionConfig { name: name.clone(), ..Default::default() });
         ConnectionMeta {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src-tauri/src/commands/db/mod.rs` around lines 355 - 368, The code currently
uses .unwrap() on state.connections.lock() and unwrap_or_default() on
read_connection_config which can panic on a poisoned mutex and silently hide
config read errors; update the code in the function producing ConnectionMeta to
handle lock poisoning by calling state.connections.lock().map_err(|_|
AppError::Internal("connections mutex poisoned".into()))? (or use
.lock().map(|g| g.into_inner())/recover via e.into_inner()) instead of unwrap(),
and replace read_connection_config(...).unwrap_or_default() with a fallible call
that returns or logs the read error (e.g., let cfg =
read_connection_config(&project_path, name).map_err(|e| AppError::from(e))? or
handle the error per policy) so ConnectionMeta creation uses a valid cfg or
explicitly handles missing/invalid configs.

src/lib/components/panels/DbPanel.svelte (1)

123-125: 💤 Low value

Consider logging env file parse errors for debugging.

Silent catch {} blocks make it hard to diagnose connection issues when env vars fail to load. A console.warn would help users understand why their {{env.VAR}} references might not resolve.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/components/panels/DbPanel.svelte` around lines 123 - 125, Replace the
empty silent catch blocks in DbPanel.svelte with logging so env parse failures
are visible: in the try/catch surrounding the env file parsing and any nested
try/catch (the blocks currently written as `catch {}`), capture the caught error
and call console.warn (or processLogger.warn) with a clear message including the
error object and context (e.g., "Failed to parse .env for DbPanel" and the
relevant env key or template like `{{env.VAR}}`). This ensures the parse failure
in the env-loading logic in DbPanel.svelte is reported for debugging.

src/lib/components/workspace/DbDataTab.svelte (2)

248-255: 💤 Low value

parseValue auto-coerces numeric strings.

parseValue("123") returns 123 (number). Users editing a varchar column containing "123" might unexpectedly get a number type sent to the backend. Consider preserving string type for text columns.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/components/workspace/DbDataTab.svelte` around lines 248 - 255, The
parseValue function currently auto-coerces numeric-looking strings to numbers;
change it to accept a context parameter (e.g., columnType or a boolean like
preserveString) and skip numeric coercion when the column type is a
text/varchar/char type so user-edited text columns keep their string value;
update call sites in DbDataTab.svelte that parse cell input to pass the column's
type (or true/false flag) to parseValue and ensure parseValue still handles
NULL/true/false conversion only when appropriate.

---

64-88: ⚖️ Poor tradeoff

Multiple field updates not atomic.

The loop at lines 78-79 executes dbUpdateRow for each changed field sequentially. If one call fails, earlier updates remain committed. Consider batching updates or documenting this behavior.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/components/workspace/DbDataTab.svelte` around lines 64 - 88,
commitSidebarEdit currently updates each changed field with separate dbUpdateRow
calls, making updates non-atomic; instead execute a single UPDATE using the
already constructed sql string (variable sql) so all changes are applied in one
transaction, or create/use a batch update API (e.g., dbUpdateRowBatch or a
dbExecute/dbQuery function) that accepts the full SET clause and runs one
statement; after that, update the local rows array (rows[sidebarRow]) and
closeSidebar() inside the same onConfirm flow and only clear confirmModal after
successful execution or handle errors to avoid partial commits.

src/lib/components/workspace/DbQueryTab.svelte (1)

221-234: ⚡ Quick win

Object URL not revoked after download.

URL.createObjectURL() creates a blob URL that persists until revoked. For repeated exports, this causes a minor memory leak.

Proposed fix

   function exportCSV() {
     if (!result) return;
     const header = result.columns.join(',');
     const body = result.rows.map(r => r.map(v => {
       if (v === null) return 'NULL';
       const s = String(v);
       return s.includes(',') || s.includes('"') ? `"${s.replace(/"/g, '""')}"` : s;
     }).join(',')).join('\n');
     const blob = new Blob([header + '\n' + body], { type: 'text/csv' });
     const a = document.createElement('a');
-    a.href = URL.createObjectURL(blob);
+    const url = URL.createObjectURL(blob);
+    a.href = url;
     a.download = `${saveForm.name || 'query-result'}.csv`;
     a.click();
+    URL.revokeObjectURL(url);
   }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/components/workspace/DbQueryTab.svelte` around lines 221 - 234, The
exportCSV function creates a blob URL with URL.createObjectURL but never revokes
it; update exportCSV to capture the object URL returned, set a.href to that URL,
trigger the download (a.click()), then revoke the URL via
URL.revokeObjectURL(objectUrl) (optionally wrapped in a setTimeout of ~0 or
1000ms to ensure the download starts), and remove the temporary anchor element;
reference the exportCSV function, the result and saveForm variables, and use
URL.revokeObjectURL to avoid the memory leak.

src/lib/components/CodeMirrorEditor.svelte (1)

99-110: 💤 Low value

Language swap skipped for readonly editors.

The readonly check at line 102 prevents language extension updates for readonly editors. If you display readonly content with dynamic language detection, the highlighting won't update after mount.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/components/CodeMirrorEditor.svelte` around lines 99 - 110, The
current effect bails out when readonly is true, preventing language extension
updates for readonly editors; remove the readonly early-return inside the
$effect and always recreate the EditorState when language changes, but preserve
editability by passing the correct flag into buildExtensions (replace
buildExtensions(lang, false, placeholder) with buildExtensions(lang, readonly,
placeholder)) or add an EditorView.editable.of(!readonly) extension so
highlighting updates while readonly behavior remains intact; update the $effect
that references $effect, view, buildExtensions, and EditorState.create
accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 13: The "tauri:dev" npm script currently calls a Windows-only PowerShell
file (tauri-dev.ps1) which breaks on non-Windows systems; replace it with a
cross-platform wrapper by updating the "tauri:dev" script in package.json to
invoke a small cross-platform launcher (for example a Node script like
scripts/tauri-dev.js or a shell script with a Windows fallback) that detects the
platform and runs the appropriate command (use child_process.spawn/exec in the
Node launcher to run the PowerShell file on Windows and a POSIX shell script or
direct tauri dev command on macOS/Linux), and keep or move the existing
tauri-dev.ps1 so Windows still uses it when detected. Ensure the updated
package.json references the new launcher (the "tauri:dev" script) and the
launcher uses platform detection (process.platform) to call tauri-dev.ps1 on
win32 and the POSIX path on other platforms.

In `@plans/db.md`:
- Around line 226-244: The fenced diagram blocks (e.g., the block starting with
"┌─────────────────────────────────┐" containing "[▼ local-postgres  ●]", the
similar "[▼ atlas-dev  ●]" block, and the "[connection > db > schema > table]"
breadcrumb block) are missing language identifiers and trigger markdownlint
MD040; update each triple-backtick fence that wraps these ASCII diagrams to use
```text (or another appropriate language tag) instead of plain ``` so the
diagrams are explicitly tagged; apply the same change to the other instances
noted (the blocks around lines with the atlas-dev and breadcrumb diagrams).
- Line 507: The TypeScript props example uses the invalid keyword "bool" for the
"destructive" prop; update the props example (the line defining the
"destructive" prop) to use TypeScript's primitive "boolean" instead of "bool" so
it reads "destructive?: boolean" (ensure the change is made in the props example
where "destructive" is declared).

In `@README.md`:
- Around line 114-115: Update the README roadmap checklist to mark PostgreSQL
and MySQL/MariaDB support as shipped by changing the unchecked items "[ ]
Connect to PostgreSQL" and "[ ] Connect to MySQL / MariaDB" to checked "[x]
Connect to PostgreSQL" and "[x] Connect to MySQL / MariaDB" (or equivalent
completed styling), ensuring the README reflects the new driver implementations
introduced in this PR.

In `@src-tauri/src/commands/api.rs`:
- Around line 51-61: The OAuth2 variant currently serializes sensitive fields:
add #[serde(skip_serializing)] to client_secret (and load it at runtime from env
or template like {{env.CLIENT_SECRET}}) to avoid persisting credentials, and
change access_token's annotation to #[serde(skip)] if the intent is to never
persist cached tokens; update any runtime code that reads OAuth2.client_secret
or OAuth2.access_token to source the secret from env/template resolution and
keep tokens in-memory only.
- Around line 864-873: substitute_path_params currently inserts KVPair.value
directly which can produce invalid URLs for values with reserved characters;
update substitute_path_params to percent-encode each path param value before
calling replace (keep the existing checks for p.enabled and !p.key.is_empty()),
e.g. use a proper percent-encoding routine (such as
percent_encoding::utf8_percent_encode with a PATH_SEGMENT encode set or
url::form_urlencoded::byte_serialize) to encode p.value into a safe path-segment
form and use that encoded string in result.replace; ensure you add the necessary
crate import and use the encoded value for substitution in the loop.
- Around line 396-428: The rename_collection function currently joins
collection_path to requests_dir without validating containment, allowing path
traversal; fix by resolving and canonicalizing the target path and ensuring it
is inside the requests_dir (like resolve_request_path() does for requests)
before proceeding: canonicalize requests_dir and the computed full_path (or use
the existing resolve_request_path helper) and return an error if full_path is
not a descendant of requests_dir; only after this containment check continue
with the existing validation (is_dir, name checks, existence, fs::rename) and
compute the relative path via strip_prefix on the canonical requests_dir.

In `@src-tauri/src/commands/db/drivers/mysql.rs`:
- Around line 190-194: In count_table, the current database.replace('`', "") and
table.replace('`', "") remove backticks and allow identifier injection; instead
escape any backtick by doubling it and then wrap identifiers in backticks.
Update the logic in async fn count_table to replace each '`' with '``' for both
database and table (e.g., database.replace('`', "``") and table.replace('`',
"``")) before building the SQL string, and keep the formatted ``SELECT COUNT(*)
FROM `{}`.`{}``` so identifiers remain quoted and safe.

In `@src-tauri/src/commands/db/drivers/postgres.rs`:
- Around line 221-226: In count_table, schema and table are interpolated
directly into the SQL and must have embedded double quotes escaped to prevent
identifier injection; before building the SQL string in function count_table,
sanitize both schema and table by replacing every '"' with '""' (or otherwise
validate allowed identifier characters) and then format the SQL using the
escaped values so identifiers remain safely quoted; update references to the
local variables schema and table in count_table accordingly.

In `@src-tauri/src/commands/db/mod.rs`:
- Line 1: Remove the misplaced TypeScript directive line "// `@ts-nocheck`" from
the Rust source (it is a copy-paste artifact and has no effect in Rust); search
for and delete any other TypeScript directive comments in the same file (e.g.,
the exact string "// `@ts-nocheck`") so the file only contains valid Rust comments
and then run cargo check to ensure no unintended edits broke the build.
- Around line 659-662: join_collection_path allows ".." segments so a crafted
collection string can escape the intended base directory; update
join_collection_path to reject or sanitize any segment equal to ".." or
containing path separators (or other suspicious segments) and only join
validated segments, and additionally after constructing the path canonicalize or
resolve the resulting PathBuf and ensure it starts with the canonicalized base
to prevent traversal. Also apply validation to file-name parameters used by
db_delete_query and db_rename_query to reject names containing path separators
or ".." (or normalize and check they do not escape base) so all db_* commands
cannot operate outside the intended queries directory.

In `@src-tauri/src/error.rs`:
- Around line 27-28: The AppError enum currently exposes reqwest::Error Display
text via the Http variant which can leak URLs/query data when serialized; add an
explicit From<reqwest::Error> implementation that converts the reqwest::Error
into a redacted string (use reqwest::Error::without_url() or otherwise strip the
URL) and construct AppError::Http with that redacted text, and apply the same
pattern for any other variants handling reqwest::Error (see the other
occurrences around the 38-44 region) so that to_string()/serialization never
contains full request URLs.

In `@src/lib/commands/api.js`:
- Around line 49-60: The JSDoc for RequestData references AuthConfig but that
type lacks the OAuth2 variant; update the AuthConfig typedef to include an
OAuth2 option (e.g., add a union member or object shape for OAuth2 credentials
like access_token, refresh_token, client_id, client_secret, token_url and
scopes) so editor/type hints match runtime support; modify the AuthConfig
typedef and any related typedefs (such as where AuthConfig is referenced in this
file) to include the OAuth2 variant and document required fields and optional
fields consistently with existing auth variants.

In `@src/lib/components/panels/ApiPanel.svelte`:
- Around line 113-127: Wrap the operations in menuDelete and menuDuplicate in
try/catch blocks (while still calling closeMenu early as currently done), so
that failures from deleteRequest or duplicateRequest are caught and reported via
the same toast error pattern used in commitNew/commitRename; on success call
await load(), and on failure call toast.error(...) with the captured error
message (e.g., error.message or the shared getErrorMessage helper) to provide
user feedback; keep references to menuDelete, menuDuplicate, deleteRequest,
duplicateRequest, load, and closeMenu when editing.

In `@src/lib/components/panels/DbPanel.svelte`:
- Around line 263-275: testForm currently calls dbSaveConnection before running
dbTestConnection so failed tests persist invalid configs; change the flow in
testForm to perform buildEnvVars(), run dbTestConnection(folderPath,
formData.name, { vars }) first, and only call dbSaveConnection(folderPath,
sanitizeForm()) after dbTestConnection succeeds (or alternatively prompt the
user to confirm saving on success); ensure error handling around
dbTestConnection still sets formError and prevents calling dbSaveConnection, and
keep formTesting/formTestResult updates as before.
- Around line 408-416: confirmDeleteCollection is passing only the leaf name
(item.dir_name) to dbDeleteQueryCollection but the backend expects the full
nested path (it uses join_collection_path with queries_dir), so change the call
in confirmDeleteCollection to pass item.path (the full relative path) instead of
item.dir_name; keep the rest of the flow (clearing deleteCollectionConfirm,
calling invalidateQueriesCache) unchanged and ensure you reference
deleteCollectionConfirm, dbDeleteQueryCollection, and
join_collection_path/queries_dir semantics when updating the argument.

In `@src/lib/components/workspace/DbDiagramTab.svelte`:
- Around line 113-119: The fitView function currently uses
window.innerWidth/innerHeight which can miscalculate scale when the SVG sits
inside a smaller container; update fitView (the fitView function) to read
dimensions from a container element reference (e.g., containerEl.clientWidth and
containerEl.clientHeight), fall back to window.innerWidth/innerHeight if
containerEl is null, and compute scale using those container dimensions instead
of window; also ensure the canvas container div has bind:this={containerEl} so
the ref is populated.

In `@src/lib/components/workspace/DbQueryTab.svelte`:
- Around line 224-228: The CSV export in DbQueryTab.svelte builds `body` by
mapping `result.rows` but only quotes values when they contain commas or
double-quotes, so values with newlines break CSV rows; update the mapping used
to build `body` (the arrow function mapping `r => r.map(v => { ... })`) to also
detect newline characters (`\n`) and treat them the same as commas/quotes: wrap
the field in double quotes and escape existing double quotes by doubling them
(same approach used in DbDataTab.svelte), ensuring NULL handling remains
unchanged.

In `@src/lib/stores/workspace.svelte.js`:
- Around line 50-54: In openTab and the similar block around
updateApiRequestTab, avoid treating missing tab.data or missing relPath as
equal: change the api-request dedupe to first ensure both candidate and incoming
tab have a data object and a defined relPath (e.g. t.data && t.data.relPath !==
undefined && tab.data && tab.data.relPath !== undefined) before comparing
relPath; otherwise fall back to id-based matching. Also update
updateApiRequestTab to null-check tab.data before dereferencing tab.data.relPath
and handle the missing-data case safely (skip relPath compare or return early).
Reference symbols: openTab, updateApiRequestTab, tabs, tab.data.relPath.

---

Nitpick comments:
In `@src-tauri/src/commands/db/mod.rs`:
- Around line 671-673: The current code builds YAML using Rust debug formatting
(yaml = format!("name: {:?}\n..."), which inserts escaped quotes and can corrupt
strings with special characters; instead construct a proper YAML document via
serde_yaml (or serialize a small struct with fields name and description) and
pass that serialized YAML string into frontmatter::serialize along with
query.sql; update references around the variables file_name, yaml, and the call
to frontmatter::serialize(&yaml, &query.sql) so query.name and query.description
are serialized safely rather than using "{:?}" formatting.
- Around line 355-368: The code currently uses .unwrap() on
state.connections.lock() and unwrap_or_default() on read_connection_config which
can panic on a poisoned mutex and silently hide config read errors; update the
code in the function producing ConnectionMeta to handle lock poisoning by
calling state.connections.lock().map_err(|_| AppError::Internal("connections
mutex poisoned".into()))? (or use .lock().map(|g| g.into_inner())/recover via
e.into_inner()) instead of unwrap(), and replace
read_connection_config(...).unwrap_or_default() with a fallible call that
returns or logs the read error (e.g., let cfg =
read_connection_config(&project_path, name).map_err(|e| AppError::from(e))? or
handle the error per policy) so ConnectionMeta creation uses a valid cfg or
explicitly handles missing/invalid configs.

In `@src/lib/components/CodeMirrorEditor.svelte`:
- Around line 99-110: The current effect bails out when readonly is true,
preventing language extension updates for readonly editors; remove the readonly
early-return inside the $effect and always recreate the EditorState when
language changes, but preserve editability by passing the correct flag into
buildExtensions (replace buildExtensions(lang, false, placeholder) with
buildExtensions(lang, readonly, placeholder)) or add an
EditorView.editable.of(!readonly) extension so highlighting updates while
readonly behavior remains intact; update the $effect that references $effect,
view, buildExtensions, and EditorState.create accordingly.

In `@src/lib/components/panels/DbPanel.svelte`:
- Around line 123-125: Replace the empty silent catch blocks in DbPanel.svelte
with logging so env parse failures are visible: in the try/catch surrounding the
env file parsing and any nested try/catch (the blocks currently written as
`catch {}`), capture the caught error and call console.warn (or
processLogger.warn) with a clear message including the error object and context
(e.g., "Failed to parse .env for DbPanel" and the relevant env key or template
like `{{env.VAR}}`). This ensures the parse failure in the env-loading logic in
DbPanel.svelte is reported for debugging.

In `@src/lib/components/workspace/DbDataTab.svelte`:
- Around line 248-255: The parseValue function currently auto-coerces
numeric-looking strings to numbers; change it to accept a context parameter
(e.g., columnType or a boolean like preserveString) and skip numeric coercion
when the column type is a text/varchar/char type so user-edited text columns
keep their string value; update call sites in DbDataTab.svelte that parse cell
input to pass the column's type (or true/false flag) to parseValue and ensure
parseValue still handles NULL/true/false conversion only when appropriate.
- Around line 64-88: commitSidebarEdit currently updates each changed field with
separate dbUpdateRow calls, making updates non-atomic; instead execute a single
UPDATE using the already constructed sql string (variable sql) so all changes
are applied in one transaction, or create/use a batch update API (e.g.,
dbUpdateRowBatch or a dbExecute/dbQuery function) that accepts the full SET
clause and runs one statement; after that, update the local rows array
(rows[sidebarRow]) and closeSidebar() inside the same onConfirm flow and only
clear confirmModal after successful execution or handle errors to avoid partial
commits.

In `@src/lib/components/workspace/DbQueryTab.svelte`:
- Around line 221-234: The exportCSV function creates a blob URL with
URL.createObjectURL but never revokes it; update exportCSV to capture the object
URL returned, set a.href to that URL, trigger the download (a.click()), then
revoke the URL via URL.revokeObjectURL(objectUrl) (optionally wrapped in a
setTimeout of ~0 or 1000ms to ensure the download starts), and remove the
temporary anchor element; reference the exportCSV function, the result and
saveForm variables, and use URL.revokeObjectURL to avoid the memory leak.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 54bd48d4-db26-4aea-a11d-d3964602256c

📥 Commits

Reviewing files that changed from the base of the PR and between 6a94cf3 and bb04c03.

⛔ Files ignored due to path filters (3)

• bun.lock is excluded by !**/*.lock
• package-lock.json is excluded by !**/package-lock.json
• src-tauri/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (29)

• .gitignore
• README.md
• package.json
• plans/db.md
• plans/plan.md
• src-tauri/Cargo.toml
• src-tauri/src/commands/api.rs
• src-tauri/src/commands/db/drivers/mod.rs
• src-tauri/src/commands/db/drivers/mongo.rs
• src-tauri/src/commands/db/drivers/mysql.rs
• src-tauri/src/commands/db/drivers/postgres.rs
• src-tauri/src/commands/db/drivers/sqlite.rs
• src-tauri/src/commands/db/mod.rs
• src-tauri/src/commands/files.rs
• src-tauri/src/commands/mod.rs
• src-tauri/src/error.rs
• src-tauri/src/lib.rs
• src/lib/commands/api.js
• src/lib/commands/db.js
• src/lib/components/CodeMirrorEditor.svelte
• src/lib/components/db/SqlConfirmModal.svelte
• src/lib/components/panels/ApiPanel.svelte
• src/lib/components/panels/DbPanel.svelte
• src/lib/components/workspace/ApiTab.svelte
• src/lib/components/workspace/DbDataTab.svelte
• src/lib/components/workspace/DbDiagramTab.svelte
• src/lib/components/workspace/DbQueryTab.svelte
• src/lib/stores/workspace.svelte.js
• src/routes/app/+layout.svelte

💤 Files with no reviewable changes (1)

• src-tauri/src/commands/files.rs