The read-only proxy previously wrapped model delegates to block writes,
but left client-level raw/escape hatches ($transaction, $executeRaw,
$executeRawUnsafe, $queryRawUnsafe, $runCommandRaw) intact. A read-tool
could smuggle DML via raw SQL, or open an interactive $transaction whose
tx-scoped client (unproxied by construction) accepts writes.
- read-only-prisma: block $transaction, $executeRaw, $executeRawUnsafe,
$queryRawUnsafe, $runCommandRaw at the client level. Template-tagged
$queryRaw stays allowed (read-only by API contract).
- assistant-tools: add create_estimate to MUTATION_TOOLS — it uses
$transaction internally and was previously bypassing the proxy only
because $transaction wasn't blocked.
- shared: document isReadOnly flag on ToolContext so any scoped tRPC
caller a tool spawns keeps the proxied client.
- helpers: note the runtime wrap at assistant-tools.ts:739 is
authoritative; forwarding ctx.db verbatim is correct.
- tests: cover model writes, raw escapes, and the allowed $queryRaw
path (7 cases, all pass).
- loosen one estimate-detail test that compared the exact db instance
(fails once that instance is a proxy; the assertion's intent is the
estimate id).
Covers EGAI 4.1.1.2 / IAAI 3.6.22.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Committed assistant-tools.ts already references toolDefinition?.resultSchema
for EGAI 4.3.1.2 result validation, but the ToolDef interface in shared.ts
was missing the field declaration, breaking typecheck.
Hartmut