fix: resolve all v0.20.0 binary bugs (#433-#485) and prepare v0.21.0 (#486)

* fix: resolve all v0.20.0 binary bugs (#433-#485) and prepare v0.21.0

Resolve the v0.20.0 hardening bugs tracked under the roadmap (#148), grouped
by theme, each with Go regression tests and shellspec binary-level coverage.

Breaking changes:
- Reject explicit transaction control, VACUUM/VACUUM INTO, and ATTACH/DETACH
  with a clear sqly error: each statement runs in its own transaction on a
  single in-memory connection, so they cannot work across statements, and
  ATTACH would write external SQLite files outside the import/save model
  (#441, #442, #443, #444, #457, #458, #463).
- Reject a non-interactive --save/--save-dir run whose SQL changes schema or
  runs a maintenance statement (ALTER/DROP/REINDEX/ANALYZE, CREATE/DROP of a
  table/view/index/trigger, CTAS), since write-back can only persist DML on
  imported tables (#433-#438, #469-#484).

Bug fixes:
- Report neutral success for a no-rowset DDL/PRAGMA/maintenance statement
  instead of a misleading affected-row count (#439).
- Run setter and no-row command PRAGMAs on the exec path (#440, #485).
- Allow a batch/--sql-file script that imports its own input with .import and
  then modifies it under save flags (#456).
- Accept schema-qualified names in .schema/.describe/.header/.dump (#445-#448).
- List session views and TEMP tables in .tables; print CREATE VIEW for a view
  and the stored DDL for a constrained TEMP table (#449, #450, #451, #464).
- Import empty compressed JSON/JSONL as zero-row tables (#452, #453).
- Strip all compression suffixes before the ACH/Fedwire output guard
  (#459, #460).
- Accept /dev/stdin, /dev/stdout, /dev/stderr, and /proc/<pid|self>/fd/* input
  paths (#461, #462).
- Validate LTSV labels on output and reject duplicate labels on output and
  import (#465, #466, #467).
- Keep a multiline CREATE TRIGGER body as one statement in batch/--sql-file
  parsing (#468).

* fix: import pseudo-files end-to-end and adopt upstream LTSV root fix

Address review follow-ups on the v0.20.0 hardening work:

- #461/#462: a pseudo-file input (/dev/stdin, /dev/stdout, /dev/stderr,
  /proc/<pid|self>/fd/*) now imports end-to-end, not just passing path
  validation. An extensionless pseudo-file is staged as CSV; use
  --stdin FORMAT for another format.
- #467: bump filesql to v0.14.0, which rejects a duplicate label within
  an LTSV record on import (upstream root fix via fileparser v0.5.2), and
  remove the temporary sqly-side duplicate-label check. The regression
  tests now exercise filesql's rejection.
- Fix a doc comment that named the wrong test function (CodeRabbit).

Author: nao1215

CHANGELOG.md

@@ -1,5 +1,26 @@
 # CHANGELOG
 
+## [v0.21.0](https://github.com/nao1215/sqly/compare/v0.20.0...v0.21.0) (2026-06-01)
+
+### Breaking Changes
+* Unsupported Statements Rejected Clearly: Explicit transaction control (`BEGIN`/`COMMIT`/`ROLLBACK`/`SAVEPOINT`/`RELEASE`), `VACUUM`/`VACUUM INTO`, and `ATTACH`/`DETACH DATABASE` are now rejected with a clear sqly error. sqly runs each statement in its own transaction on a single in-memory connection, so these cannot work across statements, and ATTACH would let a session read or write external SQLite files outside the import/save model (#441, #442, #443, #444, #457, #458, #463).
+* Write-Back Rejects Schema-Only Runs: A non-interactive `--save`/`--save-dir` run now fails up front when the SQL changes schema or runs a maintenance statement (ALTER, DROP, REINDEX, ANALYZE, CREATE/DROP of a table/view/index/trigger, including `CREATE TABLE AS SELECT`), since write-back can only persist `INSERT`/`UPDATE`/`DELETE` on imported tables. Previously such a run exited 0 and reported success while leaving the source unchanged (#433, #434, #435, #436, #437, #438, #469, #470, #471, #472, #473, #474, #475, #476, #477, #478, #479, #480, #481, #482, #483, #484).
+
+### Bug Fixes
+* Neutral Result Message For Non-DML: A DDL, PRAGMA, or maintenance statement now reports `statement executed successfully` instead of a misleading `affected is N row(s)` count (#439).
+* PRAGMA On The Exec Path: A setter PRAGMA (`PRAGMA user_version = 1`) and a no-row command PRAGMA (`PRAGMA incremental_vacuum`) now run successfully instead of failing with a "no records" error (#440, #485).
+* Batch .import Under Save Flags: A batch or `--sql-file` script that imports its own input with `.import` and then modifies it is now allowed under `--save`/`--save-dir`; write-back is validated after the import runs (#456).
+* Schema-Qualified Helper Commands: `.schema`, `.describe`, `.header`, and `.dump` accept schema-qualified names such as `main.user` (#445, #446, #447, #448).
+* TEMP Tables And Views In Helper Commands: `.tables` lists session-created views and TEMP tables (#449, #450); `.schema` prints the real `CREATE VIEW` for a view (#451) and reads the stored definition for a constrained TEMP table instead of a lossy reconstruction (#464).
+* Empty Compressed JSON And JSONL: An empty compressed JSON array (`.json.gz`) and an empty compressed JSONL file now import as a zero-row table, matching the uncompressed inputs (#452, #453).
+* Output Destination Safety: `--output` and `.dump` strip every trailing compression suffix before checking for an input-only ACH/Fedwire extension, so a path like `out.ach.gz.zst` is rejected instead of receiving CSV bytes (#459, #460).
+* Pseudo-File Inputs: `/dev/stdin`, `/dev/stdout`, `/dev/stderr`, and the Linux `/proc/<pid|self>/fd/*` aliases pass input-path validation and import end-to-end. An extensionless pseudo-file is staged as CSV (use `--stdin FORMAT` for another format), matching the already-allowed `/dev/fd/*` (#461, #462).
+* LTSV Label Validation: LTSV output rejects a column name that is not a valid LTSV label (for example `foo:bar`) or that duplicates another, and LTSV import rejects a row that repeats a label, so LTSV stays round-trippable instead of silently losing values (#465, #466, #467).
+* Multiline CREATE TRIGGER: Batch and `--sql-file` parsing keeps a `CREATE TRIGGER ... BEGIN ... END` body as one statement instead of splitting it at the inner semicolons (#468).
+
+### Dependencies
+* filesql: 0.13.0 → 0.14.0, which rejects a duplicate label within an LTSV record on import (the upstream root fix for #467, replacing the temporary sqly-side check) and pulls in fileparser 0.5.2.
+
 ## [v0.20.0](https://github.com/nao1215/sqly/compare/v0.19.0...v0.20.0) (2026-06-01)
 
 ### Bug Fixes

domain/model/export.go

@@ -287,23 +287,32 @@ func BuildOutputPath(path string, format ExportFormat, comp Compression) string
 
 // IsInputOnlyExtension reports whether a destination path targets an input-only
 // format that sqly can read but not write: ACH (.ach) and Fedwire (.fed), which
-// require multi-record coordination the export path cannot produce. The
-// compression suffix is stripped first, so .ach.gz and .fed.gz are detected too.
-// It lets --output and .dump reject these destinations instead of silently
-// writing CSV bytes to a misleading path. Ref #421, #422.
+// require multi-record coordination the export path cannot produce. All trailing
+// compression suffixes are stripped first, so a path that hides the extension
+// behind several codecs (".ach.gz.zst", ".fed.gz.zst") is detected too. It lets
+// --output and .dump reject these destinations instead of silently writing CSV
+// bytes to a misleading path. Ref #421, #422, #459, #460.
 func IsInputOnlyExtension(path string) bool {
-	base := path
-	if _, ok := CompressionFromExtension(filepath.Ext(path)); ok {
-		base = strings.TrimSuffix(path, filepath.Ext(path))
-	}
-	switch strings.ToLower(filepath.Ext(base)) {
+	switch strings.ToLower(filepath.Ext(stripCompressionSuffixes(path))) {
 	case ".ach", ".fed":
 		return true
 	default:
 		return false
 	}
 }
 
+// stripCompressionSuffixes removes every trailing compression extension from a
+// path (e.g. "out.ach.gz.zst" -> "out.ach"), so a check on the remaining base
+// extension is not fooled by stacked codecs. Ref #459, #460.
+func stripCompressionSuffixes(path string) string {
+	for {
+		if _, ok := CompressionFromExtension(filepath.Ext(path)); !ok {
+			return path
+		}
+		path = strings.TrimSuffix(path, filepath.Ext(path))
+	}
+}
+
 // ExportFormatFromPrintMode converts a PrintMode to an ExportFormat.
 // PrintModeTable falls back to ExportCSV since table format is display-only.
 func ExportFormatFromPrintMode(m PrintMode) ExportFormat {

domain/model/export_test.go

@@ -379,8 +379,14 @@ func TestIsInputOnlyExtension(t *testing.T) {
 		{"out.ACH", true},
 		{"out.ach.gz", true},
 		{"out.fed.zst", true},
+		// Multiple stacked compression suffixes must still be seen through. Ref
+		// #459, #460.
+		{"out.ach.gz.zst", true},
+		{"out.fed.gz.zst", true},
+		{"out.ach.gz.gz.gz", true},
 		{"out.csv", false},
 		{"out.csv.gz", false},
+		{"out.csv.gz.zst", false},
 		{"out.parquet", false},
 		{"out", false},
 	}

domain/model/table.go

@@ -413,10 +413,13 @@ func (t *Table) writeDelimited(out io.Writer, comma rune) error {
 // up front instead of emitting output that no longer round-trips as LTSV. Ref
 // #382, #383.
 func (t *Table) printLTSV(out io.Writer) error {
+	if err := EnsureLTSVHeaderWritable(t.Header()); err != nil {
+		return err
+	}
 	for _, v := range t.Records() {
 		r := make(Record, 0, len(v))
 		for i, data := range v {
-			if err := ensureLTSVRepresentable(t.Header()[i], data); err != nil {
+			if err := ensureLTSVValueRepresentable(t.Header()[i], data); err != nil {
 				return err
 			}
 			r = append(r, t.Header()[i]+":"+data)
@@ -426,13 +429,52 @@ func (t *Table) printLTSV(out io.Writer) error {
 	return nil
 }
 
-// ensureLTSVRepresentable reports an error when a label or value contains a byte
-// LTSV cannot represent (tab or newline), so the caller rejects it before writing
-// output that cannot be re-imported as LTSV. Ref #382, #383.
-func ensureLTSVRepresentable(label, value string) error {
-	if strings.ContainsAny(label, "\t\n\r") {
-		return fmt.Errorf("ltsv: column name %q contains a tab or newline, which LTSV cannot represent", label)
+// isValidLTSVLabel reports whether label matches the LTSV label grammar
+// [0-9A-Za-z_.-]+ (https://ltsv.org). A label outside this set — empty, or
+// containing ':', a space, a tab, or any other character — cannot be written as a
+// distinct "label:value" field that re-imports to the same column, so the LTSV
+// writers reject it. Ref #465.
+func isValidLTSVLabel(label string) bool {
+	if label == "" {
+		return false
 	}
+	for _, r := range label {
+		switch {
+		case r >= '0' && r <= '9',
+			r >= 'a' && r <= 'z',
+			r >= 'A' && r <= 'Z',
+			r == '_', r == '.', r == '-':
+		default:
+			return false
+		}
+	}
+	return true
+}
+
+// EnsureLTSVHeaderWritable validates a header for LTSV output: every column name
+// must be a valid LTSV label, and the names must be unique. LTSV encodes each
+// column as a "label:value" field with no escaping, so an invalid label (e.g.
+// "foo:bar") is ambiguous on re-import and a duplicate label silently keeps only
+// the last value. Rejecting both up front keeps LTSV output round-trippable.
+// Ref #465, #466.
+func EnsureLTSVHeaderWritable(header Header) error {
+	seen := make(map[string]struct{}, len(header))
+	for _, label := range header {
+		if !isValidLTSVLabel(label) {
+			return fmt.Errorf("ltsv: column name %q is not a valid LTSV label (allowed: letters, digits, '_', '.', '-')", label)
+		}
+		if _, ok := seen[label]; ok {
+			return fmt.Errorf("ltsv: duplicate column name %q; LTSV labels must be unique or earlier values are lost on re-import", label)
+		}
+		seen[label] = struct{}{}
+	}
+	return nil
+}
+
+// ensureLTSVValueRepresentable reports an error when a value contains a byte LTSV
+// cannot represent (tab or newline), so the caller rejects it before writing
+// output that cannot be re-imported as LTSV. Ref #382, #383.
+func ensureLTSVValueRepresentable(label, value string) error {
 	if strings.ContainsAny(value, "\t\n\r") {
 		return fmt.Errorf("ltsv: value for column %q contains a tab or newline, which LTSV cannot represent; use csv/tsv/json for such values", label)
 	}

domain/model/table_test.go

@@ -870,3 +870,80 @@ func TestTablePrintEscaping(t *testing.T) {
 		}
 	})
 }
+
+// TestEnsureLTSVHeaderWritable verifies that LTSV output rejects column names that
+// are not valid LTSV labels and rejects duplicate labels, so LTSV output stays
+// valid and round-trippable. Ref #465, #466.
+func TestEnsureLTSVHeaderWritable(t *testing.T) {
+	t.Parallel()
+
+	valid := []Header{
+		{"x"},
+		{"user_name", "identifier"},
+		{"a.b", "c-d", "e_f"},
+		{"Col1", "Col2"},
+	}
+	for _, h := range valid {
+		if err := EnsureLTSVHeaderWritable(h); err != nil {
+			t.Errorf("EnsureLTSVHeaderWritable(%v) = %v, want nil", h, err)
+		}
+	}
+
+	invalid := []struct {
+		name   string
+		header Header
+	}{
+		{"colon in label", Header{"foo:bar"}},
+		{"space in label", Header{"foo bar"}},
+		{"tab in label", Header{"foo\tbar"}},
+		{"newline in label", Header{"foo\nbar"}},
+		{"empty label", Header{""}},
+		{"duplicate labels", Header{"x", "x"}},
+		{"duplicate among valid", Header{"a", "b", "a"}},
+	}
+	for _, tt := range invalid {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			if err := EnsureLTSVHeaderWritable(tt.header); err == nil {
+				t.Errorf("EnsureLTSVHeaderWritable(%v) = nil, want an error", tt.header)
+			}
+		})
+	}
+}
+
+// TestTablePrintLTSV_RejectsInvalidLabels verifies that printing a table as LTSV
+// fails for an invalid or duplicate label rather than emitting ambiguous output.
+// Ref #465, #466.
+func TestTablePrintLTSV_RejectsInvalidLabels(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name   string
+		header Header
+	}{
+		{"label with colon", Header{"foo:bar"}},
+		{"duplicate labels", Header{"x", "x"}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			tbl := NewTable("t", tt.header, []Record{make(Record, len(tt.header))})
+			var buf bytes.Buffer
+			if err := tbl.Print(&buf, PrintModeLTSV); err == nil {
+				t.Errorf("Print(LTSV) for header %v = nil error, want rejection; output=%q", tt.header, buf.String())
+			}
+		})
+	}
+
+	t.Run("valid labels still print", func(t *testing.T) {
+		t.Parallel()
+		tbl := NewTable("t", Header{"a", "b"}, []Record{{"1", "2"}})
+		var buf bytes.Buffer
+		if err := tbl.Print(&buf, PrintModeLTSV); err != nil {
+			t.Fatalf("Print(LTSV) for a valid header returned error: %v", err)
+		}
+		if got := buf.String(); got != "a:1\tb:2\n" {
+			t.Errorf("Print(LTSV) = %q, want %q", got, "a:1\tb:2\n")
+		}
+	})
+}

domain/repository/sqlite.go

@@ -3,10 +3,17 @@ package repository
 
 import (
 	"context"
+	"errors"
 
 	"github.com/nao1215/sqly/domain/model"
 )
 
+// ErrNoRows is returned by SQLite3Repository.Query when a statement produced no
+// result columns (for example a setter or command PRAGMA routed through the query
+// path). It is part of the Query contract so callers in any layer can detect the
+// no-rowset case with errors.Is without depending on the infrastructure layer.
+var ErrNoRows = errors.New("execute query, however return no records")
+
 //go:generate mockgen -typed -source=$GOFILE -destination=../../infrastructure/mock/$GOFILE -package mock
 
 // SQLite3Repository is a repository that handles SQLite3.
@@ -15,6 +22,9 @@ type SQLite3Repository interface {
 	CreateTable(ctx context.Context, t *model.Table) error
 	// TablesName return all table name.
 	TablesName(ctx context.Context) ([]*model.Table, error)
+	// SchemaObjects returns every queryable table and view in the session,
+	// including TEMP tables and views, for enumeration by .tables.
+	SchemaObjects(ctx context.Context) ([]*model.Table, error)
 	// Insert set records in DB
 	Insert(ctx context.Context, t *model.Table) error
 	// List get records in the specified table

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/google/wire v0.7.0
 	github.com/mattn/go-colorable v0.1.15
-	github.com/nao1215/filesql v0.13.0
+	github.com/nao1215/filesql v0.14.0
 	github.com/nao1215/prompt v0.0.5
 	github.com/olekukonko/tablewriter v1.1.4
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
@@ -46,12 +46,12 @@ require (
 	github.com/mattn/go-tty v0.0.8 // indirect
 	github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8 // indirect
 	github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3 // indirect
-	github.com/moov-io/ach v1.60.1 // indirect
-	github.com/moov-io/base v0.61.1 // indirect
+	github.com/moov-io/ach v1.61.0 // indirect
+	github.com/moov-io/base v0.61.2 // indirect
 	github.com/moov-io/iso3166 v0.4.0 // indirect
 	github.com/moov-io/iso4217 v0.3.2 // indirect
 	github.com/moov-io/wire v0.15.7 // indirect
-	github.com/nao1215/fileparser v0.5.1 // indirect
+	github.com/nao1215/fileparser v0.5.2 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
 	github.com/olekukonko/errors v1.3.0 // indirect
@@ -71,13 +71,13 @@ require (
 	golang.org/x/mod v0.35.0 // indirect
 	golang.org/x/net v0.53.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
 	golang.org/x/telemetry v0.0.0-20260428171046-76f71b9afea0 // indirect
-	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
 	golang.org/x/tools v0.44.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260427160629-7cedc36a6bc4 // indirect
-	google.golang.org/grpc v1.80.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260504160031-60b97b32f348 // indirect
+	google.golang.org/grpc v1.81.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	modernc.org/libc v1.72.3 // indirect