Summary

Dogfood review found 126 raw `CommandText` assignments across 25 production files and 48 `PRAGMA` hits across 17 production files. Most are likely constant SQL with parameterized values, but the repository would benefit from a focused audit that separates safe constant SQL from dynamic identifier, PRAGMA, migration, and diagnostic paths.

Evidence

Dogfood commands:

Top raw `CommandText` files:
- DbSymbolReader: 20
- DbReader.GraphQueries: 14
- DbContext: 13
- DbReader: 11
- DbWriter: 10
- DbReader.FilesStatus: 9
- DiffCommandRunner: 5
- ExportImportCommandRunner: 5
- DbReader.CSharpResolution: 5
- DbSearchReader: 5
- DbCommandRunner, QueryCommandRunner, DbDebug, DbReader.References, DbSchemaCache: 3 each

Top `PRAGMA` files:
- DbContext: 19
- DbWriter: 5
- DbCommandRunner: 4
- DbReader: 3
- DbSchemaCache: 3
- ConsoleUi: 2
- McpServer: 2
- one each in CliFlagSchema, CommandErrorCodes, DiffCommandRunner, ExportImportCommandRunner, ReportCommandRunner, DbPragmaPolicy, DbReader.FilesStatus, MaintenanceGuidanceBuilder, SqliteCommandPolicy, and QueryResults.

Related positive evidence from dotnet-risk-patterns:
- `SqliteIdentifier.Quote` appears in `DbContext` and `SqliteCommandPolicy`, which is positive evidence for identifier handling.
- `SqliteCommandPolicy.Add*` helpers are used in many query paths, which is positive evidence for value parameterization.
- `AddWithValue` remains separately tracked in "Replace remaining AddWithValue usage in symbol lookups" #4057.

Audit goals
- Verify every value interpolation path is parameterized.
- Verify dynamic identifiers use allowlisted/quoted helpers.
- Verify PRAGMA command construction is centralized or constrained to known-safe names/values.
- Verify migration and diagnostic SQL uses stable constants or explicit identifier policy.

Acceptance criteria
- Produce a short classification table for the raw SQL call sites: constant SQL, parameterized values, quoted identifiers, PRAGMA, migration, diagnostic/debug.
- Refactor risky or unclear paths through `SqliteCommandPolicy` / `DbPragmaPolicy` helpers.
- Add tests for any newly centralized identifier/PRAGMA handling.
- `AddWithValue` cleanup: tracked separately in #4057.
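To make the classification concrete, here is an added example (not code from this repository) showing four of the call-site classes on one in-memory database: constant SQL, a bound value, a quoted identifier, and an allowlisted PRAGMA. The `SqlitePolicy` helper, its `PragmaAllowlist`, the `symbols` table and the hostile input are assumptions of the example standing in for `SqliteCommandPolicy` / `DbPragmaPolicy`; only the Microsoft.Data.Sqlite calls are real.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using Microsoft.Data.Sqlite;
// Top-level demo (C# 9+): four of the call-site classes the audit separates, on an in-memory database.
using var conn = new SqliteConnection("Data Source=:memory:");
conn.Open();
using var cmd = conn.CreateCommand();
cmd.CommandText = SqlitePolicy.BuildPragma("foreign_keys", true);   // PRAGMA path
cmd.ExecuteNonQuery();
cmd.CommandText = "CREATE TABLE symbols (name TEXT NOT NULL);";       // constant SQL, no runtime input
cmd.ExecuteNonQuery();
string input = "Foo'; DROP TABLE symbols; --";                         // constructed hostile input
cmd.CommandText = "INSERT INTO symbols (name) VALUES ($name);";        // value path: bound, not spliced
cmd.Parameters.Add("$name", SqliteType.Text).Value = input;
cmd.ExecuteNonQuery();
cmd.Parameters.Clear();   // identifier path: a column name cannot be bound, so it is quoted instead
cmd.CommandText = $"SELECT COUNT(*) FROM symbols WHERE {SqlitePolicy.QuoteIdentifier("name")} = $v;";
cmd.Parameters.Add("$v", SqliteType.Text).Value = input;
Console.WriteLine($"rows holding the literal: {cmd.ExecuteScalar()}");

// Hypothetical policy helper for this example, not the repository's SqliteCommandPolicy/DbPragmaPolicy.
static class SqlitePolicy
{
    // Identifier path: SQLite double-quotes identifiers and doubles an embedded quote,
    // so a runtime-supplied name cannot break out of the quoted identifier.
    public static string QuoteIdentifier(string name)
    {
        if (string.IsNullOrEmpty(name) || name.IndexOf('\0') >= 0)
            throw new ArgumentException("invalid identifier", nameof(name));
        return "\"" + name.Replace("\"", "\"\"") + "\"";
    }

    // PRAGMA path: PRAGMA accepts no bound parameters, so the safe form is an allowlisted
    // name plus a value rendered from a typed .NET value, never from caller-supplied text.
    static readonly HashSet<string> PragmaAllowlist =
        new(StringComparer.OrdinalIgnoreCase) { "journal_mode", "synchronous", "foreign_keys" };
    public static string BuildPragma(string name, object value)
    {
        if (!PragmaAllowlist.Contains(name))
            throw new ArgumentException($"PRAGMA not allowlisted: {name}", nameof(name));
        string rendered = value switch
        {
            bool b => b ? "ON" : "OFF",
            int i => i.ToString(CultureInfo.InvariantCulture),
            _ => throw new ArgumentException("unsupported PRAGMA value type", nameof(value)),
        };
        return $"PRAGMA {name} = {rendered};";
    }
}
```

A classification pass over the repository would file each `CommandText` assignment under the class it matches here, with anything that builds a name or a PRAGMA from a plain string (rather than through a helper like the two above) being the paths to refactor.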