unlist custom sql

Author: izadoesdev

apps/api/src/index.ts

@@ -7,7 +7,7 @@ import { autumnHandler } from 'autumn-js/elysia';
 import { Elysia } from 'elysia';
 import { logger } from './lib/logger';
 import { assistant } from './routes/assistant';
-import { customSQL } from './routes/custom-sql';
+// import { customSQL } from './routes/custom-sql';
 import { exportRoute } from './routes/export';
 import { health } from './routes/health';
 import { publicApi } from './routes/public';
@@ -45,7 +45,7 @@ const app = new Elysia()
 		})
 	)
 	.use(query)
-	.use(customSQL)
+	// .use(customSQL)
 	.use(assistant)
 	.use(exportRoute)
 	.all('/trpc/*', ({ request }) => {

apps/docs/content/docs/api.mdx

@@ -377,234 +377,6 @@ Compile a query to see the generated SQL without executing it. Useful for debugg
 }`}
 />
 
-## Custom SQL API
-
-<Callout type="info">
-  **New Feature!** 🚀 Use `properties.X` syntax for easy JSON property extraction. Write `properties.browser_name` instead of `JSONExtractString(properties, 'browser_name')`. Supports type annotations like `properties.user_id:int`, `properties.is_active:bool`.
-</Callout>
-
-### Execute Custom SQL Queries
-
-Execute custom SQL queries directly against your ClickHouse analytics database with enterprise-grade security.
-
-<CodeBlock 
-  language="http"
-  code="POST /v1/custom-sql/execute"
-/>
-
-**Authentication:**
-- Requires API key with `write:custom-sql` or `read:analytics` scope
-- API key must have `read:data` access to the specified `clientId`
-
-**Request:**
-
-<CodeBlock
-  language="json"
-  code={`{
-  "query": "SELECT count() as events FROM analytics.events WHERE time >= now() - INTERVAL 7 DAY",
-  "clientId": "your-client-id",
-  "parameters": {
-    "customParam": "value"
-  }
-}`}
-/>
-
-**Example with Properties.X Syntax:**
-
-<CodeBlock
-  language="json"
-  code={`{
-  "query": "SELECT properties.browser_name AS browser_name, properties.user_id:int AS user_id, count() as events FROM analytics.custom_events WHERE properties.browser_name IS NOT NULL GROUP BY properties.browser_name, properties.user_id:int ORDER BY events DESC LIMIT 10",
-  "clientId": "your-client-id"
-}`}
-/>
-
-**Headers:**
-
-<CodeBlock 
-  language="bash"
-  code={`curl -X POST https://api.databuddy.cc/v1/custom-sql/execute \\
-  -H "Content-Type: application/json" \\
-  -H "x-api-key: dbdy_your_api_key_here" \\
-  -d '{"query": "SELECT count() FROM analytics.events", "clientId": "client_123"}'`}
-/>
-
-**Available Tables:**
-- `analytics.events` - All tracked events and page views
-- `analytics.errors` - JavaScript errors and exceptions
-- `analytics.custom_events` - Custom event tracking data
-- `analytics.web_vitals` - Core Web Vitals performance metrics
-
-**Properties.X Syntax Helper:**
-Databuddy provides a convenient syntax helper that automatically converts `properties.X` notation to ClickHouse `JSONExtract` functions:
-
-```sql
--- Instead of writing:
-SELECT JSONExtractString(properties, 'browser_name') AS browser_name FROM analytics.events
-
--- You can simply write:
-SELECT properties.browser_name AS browser_name FROM analytics.events
-```
-
-<Callout type="warn">
-  **Important:** Always use `AS` aliases when selecting properties to get clean column names in your response. Without aliases, you'll get ugly column names like `"JSONExtractString(properties, 'browser_name')"` instead of `"browser_name"`.
-</Callout>
-
-**Supported Type Annotations:**
-- `properties.property_name` → `JSONExtractString(properties, 'property_name')` (default)
-- `properties.user_id:int` → `JSONExtractInt(properties, 'user_id')`
-- `properties.is_active:bool` → `JSONExtractBool(properties, 'is_active')`
-- `properties.score:float` → `JSONExtractFloat(properties, 'score')`
-- `properties.metadata:raw` → `JSONExtractRaw(properties, 'metadata')`
-
-**Security Features:**
-- **Automatic client isolation** - All queries automatically filtered by your API key's client access
-- **Smart WHERE injection** - Client filtering added to your queries without breaking syntax
-- SQL injection prevention with parameterized queries
-- Query complexity limits (max 5 SELECT statements, 2 UNION operations, 5000 characters)
-- Forbidden operations blocked (INSERT, UPDATE, DELETE, DROP, CREATE, ALTER, etc.)
-- Attack pattern detection for known injection techniques
-- Comments and multiple statements not allowed
-- Balanced parentheses validation
-- Properties.X syntax automatically transformed to secure JSONExtract calls
-
-**Response:**
-
-<CodeBlock 
-  language="json"
-  code={`{
-  "success": true,
-  "data": [
-    {
-      "events": 15420
-    }
-  ],
-  "meta": {
-    "rowCount": 1,
-    "columns": ["events"],
-    "executionTime": 0.045,
-    "rowsRead": 15420,
-    "clientId": "client_123",
-    "apiKeyId": "key_456"
-  }
-}`}
-/>
-
-### Get Custom SQL Schema
-
-Get information about allowed tables, operations, and security constraints.
-
-<CodeBlock 
-  language="http"
-  code="GET /v1/custom-sql/schema"
-/>
-
-**Response:**
-
-<CodeBlock 
-  language="json"
-  code={`{
-  "success": true,
-  "schema": {
-    "allowedTables": [
-      "analytics.events",
-      "analytics.errors",
-      "analytics.custom_events",
-      "analytics.web_vitals"
-    ],
-    "allowedOperations": [
-      "SELECT", "WITH", "FROM", "WHERE", "GROUP BY", "ORDER BY", "HAVING", "LIMIT", "OFFSET", "JOIN", "LEFT JOIN", "RIGHT JOIN", "INNER JOIN", "UNION", "UNION ALL", "JSONExtract", "JSONExtractString", "JSONExtractInt", "JSONExtractFloat", "JSONExtractBool", "JSONExtractRaw", "CASE", "WHEN", "THEN", "ELSE", "END", "AS", "AND", "OR", "NOT", "IN", "EXISTS", "BETWEEN", "LIKE", "ILIKE"
-    ],
-    "forbiddenOperations": [
-      "INSERT", "UPDATE", "DELETE", "DROP", "CREATE", "ALTER", "TRUNCATE", "REPLACE", "MERGE", "CALL", "EXEC", "EXECUTE", "DECLARE", "SET", "USE", "SHOW", "DESCRIBE", "EXPLAIN", "ANALYZE", "OPTIMIZE", "REPAIR", "LOCK", "UNLOCK", "GRANT", "REVOKE", "COMMIT", "ROLLBACK", "SAVEPOINT", "RELEASE", "START TRANSACTION", "BEGIN", "INFORMATION_SCHEMA", "SYSTEM", "ADMIN", "SUPER", "FILE", "PROCESS", "RELOAD", "SHUTDOWN", "REFERENCES", "INDEX", "TRIGGER", "EVENT", "ROUTINE"
-    ],
-    "maxQueryLength": 5000,
-    "maxNestedSelects": 5,
-    "maxUnionOperations": 2,
-    "parameterization": {
-      "clientIdParameter": "{clientId:String}",
-      "required": "All queries must use parameterized client filtering"
-    },
-    "propertiesSyntax": {
-      "description": "Automatic JSONExtract transformation from properties.X syntax",
-      "syntax": "properties.property_name[:type]",
-      "supportedTypes": ["string", "int", "float", "bool", "raw"],
-      "examples": [
-        "properties.browser_name",
-        "properties.user_id:int",
-        "properties.is_active:bool",
-        "properties.metadata:raw"
-      ],
-      "defaultType": "string (JSONExtractString)"
-    }
-  }
-}`}
-/>
-
-### Get Query Examples
-
-Get example queries to help you get started with custom SQL.
-
-<CodeBlock 
-  language="http"
-  code="GET /v1/custom-sql/examples"
-/>
-
-**Response:**
-
-<CodeBlock
-  language="json"
-  code={`{
-  "success": true,
-  "examples": [
-    {
-      "name": "Monthly Events Count",
-      "description": "Get monthly event counts for your client",
-      "query": "SELECT toStartOfMonth(time) as month_start, count() as event_count FROM analytics.events WHERE time >= now() - INTERVAL 6 MONTH GROUP BY month_start ORDER BY month_start DESC"
-    },
-    {
-      "name": "Top Pages by Views",
-      "description": "Get most popular pages",
-      "query": "SELECT path, count() as page_views, uniq(session_id) as unique_sessions FROM analytics.events WHERE time >= now() - INTERVAL 30 DAY AND event_name = 'page_view' GROUP BY path ORDER BY page_views DESC LIMIT 10"
-    },
-    {
-      "name": "Browser Analytics (with properties.X syntax)",
-      "description": "Analyze browser usage using properties.X syntax",
-      "query": "SELECT properties.browser_name, count() as events, uniq(anonymous_id) as unique_users FROM analytics.events WHERE time >= now() - INTERVAL 7 DAY AND properties.browser_name IS NOT NULL GROUP BY properties.browser_name ORDER BY events DESC"
-    },
-    {
-      "name": "User Analytics with Typed Properties",
-      "description": "Analyze user behavior with typed property extraction",
-      "query": "SELECT properties.user_id:int as user_id, properties.is_premium:bool as is_premium, properties.session_duration:float as session_duration, count() as total_events FROM analytics.events WHERE time >= now() - INTERVAL 30 DAY AND properties.user_id:int IS NOT NULL GROUP BY properties.user_id:int, properties.is_premium:bool, properties.session_duration:float ORDER BY total_events DESC LIMIT 20"
-    },
-    {
-      "name": "Error Events Analysis",
-      "description": "Analyze error events",
-      "query": "SELECT url, count() as error_count FROM analytics.errors WHERE time >= now() - INTERVAL 7 DAY GROUP BY url ORDER BY error_count DESC LIMIT 10"
-    }
-  ]
-}`}
-/>
-
-**Error Responses:**
-
-<CodeBlock 
-  language="json"
-  code={`{
-  "success": false,
-  "error": "API key does not have access to client ID: client_123",
-  "code": "CLIENT_ACCESS_DENIED"
-}`}
-/>
-
-**Common Error Codes:**
-- `AUTH_REQUIRED` - API key missing or invalid
-- `INSUFFICIENT_SCOPE` - API key lacks required scopes
-- `CLIENT_ACCESS_DENIED` - No access to specified clientId
-- `FORBIDDEN_OPERATION` - Query contains forbidden SQL operations
-- `QUERY_TOO_COMPLEX` - Query exceeds complexity limits
-- `ATTACK_PATTERN_DETECTED` - Query matches known attack patterns
-
 ## AI Assistant
 
 ### Stream Analytics Query