# v0.44.0 — Security Hardening & Code Quality

> **Full technical details:** [v0.44.0.md-full.md](v0.44.0.md-full.md)

**Status: Planned** | **Scope: Large**

> Remove `public` from IVM SECURITY DEFINER search_path, centralize dynamic SQL
> construction into a safe builder module, add RLS bypass creation-time warnings,
> harden monitoring credentials, decompose large modules, introduce
> CreateStreamTableOptions struct, and add parser typed facade with fuzzing.

---

## What is this?

The assessment found that the IVM trigger functions include `public` in their
SECURITY DEFINER search_path, dynamic SQL construction is decentralized with
inconsistent quoting patterns, RLS bypass is documented but easy to miss, and
several large modules remain hard to review safely. v0.44.0 addresses all
security and code quality findings to reduce future regression surface.

---

## IVM SECURITY DEFINER search_path hardening

IVM trigger functions set `search_path = pgtrickle_changes, pgtrickle,
pg_catalog, pg_temp, public`. The inclusion of `public` means a lower-privileged
user with CREATE rights on `public` can influence function/operator resolution
in a definer context. v0.44.0 removes `public` and schema-qualifies user
table references in generated delta SQL.

---

## Centralized SQL-building module

Dynamic SQL uses a mixture of `quote_ident`, `format('%I')`, manual `'`
escaping, and SPI parameters across CDC, WAL decoder, parser rewrites, codegen,
and API helpers. v0.44.0 creates `src/sql_builder.rs` with explicit helpers for
identifiers, qualified names, literals, regclass casts, and SPI parameter
wrappers. Ad hoc manual escaping is banned in review with a focused lint check.

---

## Module decomposition and API consolidation

Several files are multi-thousand-line modules. `create_stream_table` carries 16
parameters with validation duplicated across function variants. v0.44.0
introduces `CreateStreamTableOptions`, continues splitting large modules, adds
structured warnings in scheduler BGW paths, and improves the parser's unsafe
facade.

---

## Also in v0.44.0

- RLS bypass creation-time WARNING/NOTICE when source tables have RLS
- Monitoring demo credential hardening (`.env.example`, localhost binding)
- SECURITY DEFINER CI check for all definer functions
- Document superuser requirement and exact privileges needed

---

## Scope

v0.44.0 is a large release because it spans security (search_path, RLS, dynamic
SQL, monitoring credentials), code quality (module splits, options struct, parser
facade), and CI (security checks). The unifying theme is reducing the regression
surface for future changes.

> **Source:** [plans/PLAN_OVERALL_ASSESSMENT_9.md](../plans/PLAN_OVERALL_ASSESSMENT_9.md)
> findings SEC-01 through SEC-06, CQ-01, CQ-02, CQ-05 through CQ-08, DOC-08.

---

*Previous: [v0.43.0 — Performance Tunability, Diagnostics & Refresh Intelligence](v0.43.0.md)*
*Next: [v0.45.0 — Operational Readiness, Scalability & CI Completeness](v0.45.0.md)*