feat(ai-proxy): add Snowflake integration with PAT authentication

[christophebrun-forest]

Summary

Adds a new Forest integration in @forestadmin/ai-proxy that exposes 3 MCP tools backed by Snowflake's REST API v2, authenticated via Programmatic Access Tokens (PAT).

Tools shipped:

• snowflake_cortex_search — semantic search via a Cortex Search service (caller passes database/schema/service as arguments).
• snowflake_cortex_analyst — natural-language analytical Q&A backed by a semantic model file (@stage/model.yaml) or a semantic view (XOR validated at runtime).
• snowflake_execute_query — synchronous SQL execution restricted to read-only statements.

Authentication: PAT bearer token (Authorization: Bearer <pat> + X-Snowflake-Authorization-Token-Type: PROGRAMMATIC_ACCESS_TOKEN). The token is passed per-request via the integration config — no shared OAuth flow.

Config shape:
```ts
{
accountIdentifier: string; // e.g. "myorg-myaccount" or account locator
programmaticAccessToken: string;
defaultWarehouse?: string;
defaultDatabase?: string;
defaultSchema?: string;
defaultRole?: string;
}
```

Read-only SQL guard (defense-in-depth):

• Allowlist of leading keywords: `SELECT | SHOW | DESCRIBE | DESC | EXPLAIN`.
• Multi-statement detection runs after stripping comments and string/identifier literals (no false positive on `SELECT 'a;b' FROM t`).
• Forbidden-keyword scan over the normalized SQL covers bypasses like `EXPLAIN INSERT …`, `WITH cte AS (…) DELETE …`, and `SELECT 1 -- ;\nDROP …`.
• Primary safety net remains the Snowflake role bound to the PAT — give it SELECT/USAGE only.

Test plan

• `yarn workspace @forestadmin/ai-proxy lint`
• `yarn workspace @forestadmin/ai-proxy build`
• `yarn workspace @forestadmin/ai-proxy test` (328 passed, 64 new)
• End-to-end smoke test against a real Snowflake account with a PAT (warehouse + role with read-only privileges)
• Verify error path: invalid PAT → `McpConnectionError` with status + URL in the message
• Verify SQL guard blocks `WITH cte … DELETE …` end-to-end via the agent

🤖 Generated with Claude Code

Note

Add Snowflake integration with PAT authentication to ai-proxy

• Adds SnowflakeConfig and three LangChain tools (snowflake_cortex_search, snowflake_cortex_analyst, snowflake_execute_query) in packages/ai-proxy/src/integrations/snowflake/, using Programmatic Access Token (PAT) authentication.
• ForestIntegrationClient now handles the 'Snowflake' integration name in both loadTools and checkConnection, routing to the new tools and a connectivity validator.
• assertReadOnlySql enforces that only SELECT/SHOW/DESCRIBE/EXPLAIN statements are executed, rejecting multi-statement and mutating SQL before any network call.
• validateSnowflakeConfig checks connectivity by issuing a SELECT 1 to the Snowflake statements API, throwing McpConnectionError on failure with HTTP status and server message.
• Risk: execute-query SQL filtering relies on comment/literal stripping and keyword matching, which may reject or permit edge-case SQL inputs.

📊 Macroscope summarized 6c73291. 6 files reviewed, 2 issues evaluated, 0 issues filtered, 2 comments posted

🗂️ Filtered Issues

[qltysh]

1 new issue

Tool	Category	Rule	Count
qlty	Structure	Function with many returns (count = 4): checkConnection	1

[qltysh]

Coverage Impact

⬆️ Merging this pull request will increase total coverage on main by 0.03%.

Modified Files with Diff Coverage (6)

Rating	File	% Diff	Uncovered Line #s
	packages/ai-proxy/src/forest-integration-client.ts	100.0%
	...ges/ai-proxy/src/integrations/snowflake/tools/execute-query.ts	100.0%
	packages/ai-proxy/src/integrations/snowflake/tools.ts	100.0%
	...ges/ai-proxy/src/integrations/snowflake/tools/cortex-search.ts	100.0%
	...es/ai-proxy/src/integrations/snowflake/tools/cortex-analyst.ts	100.0%
	packages/ai-proxy/src/integrations/snowflake/utils.ts	100.0%
	Total	100.0%

🚦 See full report on Qlty Cloud »

🛟 Help

• Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

• Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

• File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

  • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

[macroscopeapp]

🟡 Medium snowflake/utils.ts:5

The tool description in execute-query.ts states that WITH statements are allowed for CTE queries, but assertReadOnlySql rejects them. READ_ONLY_LEADING_KEYWORD_RE (line 5) does not include with as a valid leading keyword, and FORBIDDEN_KEYWORD_RE (line 7) explicitly lists with as forbidden. This causes valid read-only CTE queries like WITH cte AS (SELECT 1) SELECT * FROM cte to be incorrectly rejected with "Only read-only statements (SELECT, SHOW, DESCRIBE, EXPLAIN) are allowed." despite being documented as supported.

-const READ_ONLY_LEADING_KEYWORD_RE = /^\s*(select|show|describe|desc|explain)\b/i;
+const READ_ONLY_LEADING_KEYWORD_RE = /^\s*(select|show|describe|desc|explain|with)\b/i;

🚀 Reply "fix it for me" or copy this AI Prompt for your agent:

In file packages/ai-proxy/src/integrations/snowflake/utils.ts around line 5:

The tool description in `execute-query.ts` states that `WITH` statements are allowed for CTE queries, but `assertReadOnlySql` rejects them. `READ_ONLY_LEADING_KEYWORD_RE` (line 5) does not include `with` as a valid leading keyword, and `FORBIDDEN_KEYWORD_RE` (line 7) explicitly lists `with` as forbidden. This causes valid read-only CTE queries like `WITH cte AS (SELECT 1) SELECT * FROM cte` to be incorrectly rejected with "Only read-only statements (SELECT, SHOW, DESCRIBE, EXPLAIN) are allowed." despite being documented as supported.

Evidence trail:
packages/ai-proxy/src/integrations/snowflake/tools/execute-query.ts lines 17-18: description says WITH is allowed. packages/ai-proxy/src/integrations/snowflake/utils.ts line 5: READ_ONLY_LEADING_KEYWORD_RE = /^\s*(select|show|describe|desc|explain)\b/i — no 'with'. utils.ts line 7: FORBIDDEN_KEYWORD_RE includes 'with' in the alternation. utils.ts lines 55-59: assertReadOnlySql checks against READ_ONLY_LEADING_KEYWORD_RE and throws if no match. utils.ts lines 61-66: then checks FORBIDDEN_KEYWORD_RE and throws if match found.

[macroscopeapp]

🟠 High snowflake/utils.ts:31

normalizeSql strips comments before string literals, so an attacker can hide forbidden keywords inside a string that looks like a comment. For example, SELECT '--' DELETE FROM users becomes SELECT ' after the regex removes --' DELETE FROM users, bypassing all keyword checks while the original malicious query executes. Consider normalizing string literals first (replacing them with placeholders before any comment removal), or using a proper SQL parser instead of regex.

-function normalizeSql(statement: string): string {
-  return statement
-    .replace(/\/\*[\s\S]*?\*\//g, '')
-    .replace(/--[^\n]*/g, '')
-    .replace(/'(?:''|[^'])*'/g, "''")
-    .replace(/"(?:""|[^"])*"/g, '""')
-    .trim();
-}

🚀 Reply "fix it for me" or copy this AI Prompt for your agent:

In file packages/ai-proxy/src/integrations/snowflake/utils.ts around lines 31-38:

`normalizeSql` strips comments before string literals, so an attacker can hide forbidden keywords inside a string that looks like a comment. For example, `SELECT '--' DELETE FROM users` becomes `SELECT '` after the regex removes `--' DELETE FROM users`, bypassing all keyword checks while the original malicious query executes. Consider normalizing string literals first (replacing them with placeholders before any comment removal), or using a proper SQL parser instead of regex.

Evidence trail:
packages/ai-proxy/src/integrations/snowflake/utils.ts lines 31-37 (normalizeSql function, REVIEWED_COMMIT): comment removal regexes at lines 33-34 run before string literal replacement at lines 35-36. Lines 5-8: READ_ONLY_LEADING_KEYWORD_RE and FORBIDDEN_KEYWORD_RE patterns. Lines 39-62: assertReadOnlySql uses normalizeSql output for security validation. Manual trace of `SELECT '--' DELETE FROM users` through the four regex steps confirms it normalizes to `SELECT '`, bypassing all keyword checks.