Replace InsecureProcessPluginNames with EnableProcessPlugins

claude · claude · commit f70fa53f91b7 · 2026-05-02T04:24:11.000Z
A single bool is enough — the previous allowlist by-name was overkill once we accepted the CLI is responsible for translating SQLCDEBUG into the option. EnableProcessPlugins=false (zero value) refuses any process plugin in the config; the CLI sets it to env.Debug.ProcessPlugins which defaults to true and flips off under SQLCDEBUG=processplugins=0. This drops the config pre-parse the CLI was doing to extract plugin names; loadConfig now just reads bytes and chdirs. https://claude.ai/code/session_01RCzB2JR5Y5ScFDUmwcxGVZ
diff --git a/internal/api/generate.go b/internal/api/generate.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"io"
 	"path/filepath"
-	"slices"
 	"strings"
 	"sync"
 
@@ -39,14 +38,14 @@ type GenerateOptions struct {
 	// labels. When empty, BaseDir defaults to the current working directory.
 	BaseDir string
 
-	// InsecureProcessPluginNames is the allowlist of process-based plugin
-	// names that Generate is permitted to invoke. Any process plugin declared
-	// in the configuration whose name is not in this list causes Generate to
-	// fail before parsing or codegen runs. Process plugins execute arbitrary
-	// local commands; the "Insecure" prefix mirrors
-	// crypto/tls.Config.InsecureSkipVerify as a reminder that callers must
-	// consciously trust each plugin name they pass here.
-	InsecureProcessPluginNames []string
+	// EnableProcessPlugins controls whether the configuration may invoke
+	// process-based plugins. When false (the zero value), Generate fails
+	// before parsing or codegen runs if the configuration declares any
+	// process plugin. Process plugins execute arbitrary local commands, so
+	// callers must opt in explicitly. The sqlc CLI populates this from
+	// SQLCDEBUG: it defaults to true, and SQLCDEBUG=processplugins=0 turns
+	// it off.
+	EnableProcessPlugins bool
 }
 
 // GenerateResult is the outcome of a Generate call.
@@ -97,15 +96,14 @@ func Generate(ctx context.Context, opts GenerateOptions) GenerateResult {
 		return res
 	}
 
-	for _, plug := range conf.Plugins {
-		if plug.Process == nil {
-			continue
-		}
-		if !slices.Contains(opts.InsecureProcessPluginNames, plug.Name) {
-			err := fmt.Errorf("process plugin %q is not in InsecureProcessPluginNames; refusing to run", plug.Name)
-			fmt.Fprintf(stderr, "error validating config: %s\n", err)
-			res.Errors = append(res.Errors, err)
-			return res
+	if !opts.EnableProcessPlugins {
+		for _, plug := range conf.Plugins {
+			if plug.Process != nil {
+				err := fmt.Errorf("process plugin %q declared but EnableProcessPlugins is false", plug.Name)
+				fmt.Fprintf(stderr, "error validating config: %s\n", err)
+				res.Errors = append(res.Errors, err)
+				return res
+			}
 		}
 	}
 
diff --git a/internal/cmd/cmd.go b/internal/cmd/cmd.go
@@ -183,13 +183,11 @@ func getConfigPath(stderr io.Writer, f *pflag.Flag) (string, string) {
 	}
 }
 
-// loadConfig opens the sqlc config and reads it into memory. It also chdirs
-// the process to the config's directory so that relative paths declared in the
-// config resolve correctly when api.Generate is called. Returns the config
-// bytes, the absolute config directory (for api.GenerateOptions.BaseDir), and
-// the list of process plugin names declared in the config (used to populate
-// api.GenerateOptions.InsecureProcessPluginNames).
-func loadConfig(stderr io.Writer, dir, name string) ([]byte, string, []string) {
+// loadConfig reads the sqlc config into memory and chdirs the process to its
+// directory so relative paths in the config resolve correctly. Returns the
+// config bytes and the absolute config directory (for
+// api.GenerateOptions.BaseDir).
+func loadConfig(stderr io.Writer, dir, name string) ([]byte, string) {
 	configPath, _, err := readConfig(stderr, dir, name)
 	if err != nil {
 		os.Exit(1)
@@ -204,33 +202,12 @@ func loadConfig(stderr io.Writer, dir, name string) ([]byte, string, []string) {
 		fmt.Fprintf(stderr, "error reading %s: %s\n", configPath, err)
 		os.Exit(1)
 	}
-	conf, err := config.ParseConfig(bytes.NewReader(data))
-	if err != nil {
-		fmt.Fprintf(stderr, "error parsing %s: %s\n", configPath, err)
-		os.Exit(1)
-	}
 	configDir := filepath.Dir(configPath)
 	if err := os.Chdir(configDir); err != nil {
 		fmt.Fprintf(stderr, "error changing directory: %s\n", err)
 		os.Exit(1)
 	}
-	var names []string
-	for _, p := range conf.Plugins {
-		if p.Process != nil {
-			names = append(names, p.Name)
-		}
-	}
-	return data, configDir, names
-}
-
-// allowedProcessPluginNames returns the names that should populate
-// api.GenerateOptions.InsecureProcessPluginNames. SQLCDEBUG=processplugins=0
-// disables every process plugin by returning nil.
-func allowedProcessPluginNames(env Env, declared []string) []string {
-	if !env.Debug.ProcessPlugins {
-		return nil
-	}
-	return declared
+	return data, configDir
 }
 
 var genCmd = &cobra.Command{
@@ -241,13 +218,13 @@ var genCmd = &cobra.Command{
 		stderr := cmd.ErrOrStderr()
 		dir, name := getConfigPath(stderr, cmd.Flag("file"))
 		env := ParseEnv(cmd)
-		data, baseDir, declared := loadConfig(stderr, dir, name)
+		data, baseDir := loadConfig(stderr, dir, name)
 		res := api.Generate(cmd.Context(), api.GenerateOptions{
-			Config:                     bytes.NewReader(data),
-			Stderr:                     stderr,
-			Write:                      true,
-			BaseDir:                    baseDir,
-			InsecureProcessPluginNames: allowedProcessPluginNames(env, declared),
+			Config:               bytes.NewReader(data),
+			Stderr:               stderr,
+			Write:                true,
+			BaseDir:              baseDir,
+			EnableProcessPlugins: env.Debug.ProcessPlugins,
 		})
 		if len(res.Errors) > 0 {
 			os.Exit(1)
@@ -264,12 +241,12 @@ var checkCmd = &cobra.Command{
 		stderr := cmd.ErrOrStderr()
 		dir, name := getConfigPath(stderr, cmd.Flag("file"))
 		env := ParseEnv(cmd)
-		data, baseDir, declared := loadConfig(stderr, dir, name)
+		data, baseDir := loadConfig(stderr, dir, name)
 		res := api.Generate(cmd.Context(), api.GenerateOptions{
-			Config:                     bytes.NewReader(data),
-			Stderr:                     stderr,
-			BaseDir:                    baseDir,
-			InsecureProcessPluginNames: allowedProcessPluginNames(env, declared),
+			Config:               bytes.NewReader(data),
+			Stderr:               stderr,
+			BaseDir:              baseDir,
+			EnableProcessPlugins: env.Debug.ProcessPlugins,
 		})
 		if len(res.Errors) > 0 {
 			os.Exit(1)
@@ -286,13 +263,13 @@ var diffCmd = &cobra.Command{
 		stderr := cmd.ErrOrStderr()
 		dir, name := getConfigPath(stderr, cmd.Flag("file"))
 		env := ParseEnv(cmd)
-		data, baseDir, declared := loadConfig(stderr, dir, name)
+		data, baseDir := loadConfig(stderr, dir, name)
 		res := api.Generate(cmd.Context(), api.GenerateOptions{
-			Config:                     bytes.NewReader(data),
-			Stderr:                     stderr,
-			Diff:                       true,
-			BaseDir:                    baseDir,
-			InsecureProcessPluginNames: allowedProcessPluginNames(env, declared),
+			Config:               bytes.NewReader(data),
+			Stderr:               stderr,
+			Diff:                 true,
+			BaseDir:              baseDir,
+			EnableProcessPlugins: env.Debug.ProcessPlugins,
 		})
 		if len(res.Errors) > 0 {
 			os.Exit(1)
