Makes the framework's trust claims verifiable and turns the repo into an installable tool, without changing the "deterministic core, AI at the edges" design.
🔒 Security (the load-bearing change)
The NL→SQL read-only guard previously checked only the top-level statement type, which let through — even on DuckDB's read-only connection — local-file reads via table functions (read_csv('/etc/passwd'), read_parquet, read_text, glob), file writes (COPY … TO), extension loading (INSTALL/LOAD), and ;-chained multi-statements. The guard now parses all statements (rejects >1), denies those node types, and rejects any function-backed FROM source. The same guard re-checks chat-promoted SQL before it runs on the read-write sandbox, and a dataset-name slug guard blocks path traversal.
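A compact illustration of the checks described above, written for these notes as an added example; it is not the sediment project's own guard. Where the project parses statements into an AST and denies node types, this version uses a single-pass scanner that drops comments and blanks string literals and quoted identifiers before applying an allowlist of leading keywords, a denylist of state-changing keywords, a single-statement rule, and a rejection of any function-backed FROM/JOIN source. It additionally rejects a bare file path as a FROM source (DuckDB's replacement scan), which goes slightly beyond the text. The function names, the keyword sets and the slug regex are assumptions for illustration.

```python
import re
from typing import Tuple

# Statement kinds the read-only NL->SQL path may run (allowlist, assumed).
ALLOWED_LEADING = {"SELECT", "WITH"}

# Whole-word keywords that indicate file writes, extension loading, state
# changes or DML/DDL. A false positive on an unquoted column literally named
# "load" or "set" is acceptable on a read-only path.
DENIED_KEYWORDS = {
    "COPY", "EXPORT", "IMPORT", "INSTALL", "LOAD", "ATTACH", "DETACH",
    "PRAGMA", "SET", "RESET", "CALL", "INSERT", "UPDATE", "DELETE",
    "CREATE", "DROP", "ALTER", "TRUNCATE",
}

# FROM/JOIN followed by an optionally schema-qualified identifier and "(":
# a table function such as read_csv(...) or glob(...) used as a source.
_FUNC_SOURCE_RE = re.compile(
    r"\b(?:FROM|JOIN)\s+(?:LATERAL\s+)?(?:[A-Za-z_]\w*\.)*([A-Za-z_]\w*)\s*\(", re.I
)
# FROM/JOIN followed by a (blanked) string literal: a file-path replacement scan.
_LITERAL_SOURCE_RE = re.compile(r"\b(?:FROM|JOIN)\s+''", re.I)


def _normalise(sql: str) -> str:
    """Single pass that removes comments and blanks string literals and
    quoted identifiers, so semicolons or keywords inside them cannot fool
    the checks. Quotes are scanned in one sweep so a quote inside a comment,
    or a '--' inside a string, is handled correctly."""
    out, i, n = [], 0, len(sql)
    while i < n:
        ch, two = sql[i], sql[i:i + 2]
        if two == "--":                          # line comment
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif two == "/*":                        # block comment (unterminated: to end)
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif ch in ("'", '"'):                   # literal or quoted identifier
            j = i + 1
            while j < n:
                if sql[j] == ch:
                    if sql[j + 1:j + 2] == ch:   # doubled quote is an escape
                        j += 2
                        continue
                    break
                j += 1
            out.append(ch + ch)                  # leave an empty '' or "" marker
            i = j + 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def check_readonly_sql(sql: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only for exactly one SELECT/WITH
    statement with no denied keyword and no function- or file-backed source.
    The same check is meant to run on chat-promoted SQL before the sandbox."""
    norm = _normalise(sql)
    statements = [s for s in norm.split(";") if s.strip()]
    if len(statements) != 1:
        return False, f"expected exactly one statement, found {len(statements)}"
    stmt = statements[0].strip()
    leading = re.match(r"[A-Za-z]+", stmt)
    if not leading or leading.group(0).upper() not in ALLOWED_LEADING:
        return False, f"statement type not allowed: {leading.group(0) if leading else '<empty>'}"
    words = {w.upper() for w in re.findall(r"\b[A-Za-z_]+\b", stmt)}
    hit = sorted(words & DENIED_KEYWORDS)
    if hit:
        return False, f"denied keyword(s): {', '.join(hit)}"
    m = _FUNC_SOURCE_RE.search(stmt)
    if m:
        return False, f"function-backed FROM source: {m.group(1)}"
    if _LITERAL_SOURCE_RE.search(stmt):
        return False, "file-path FROM source"
    return True, "ok"


# Dataset-name slug guard: lowercase alphanumerics, '-' and '_' only, so a
# name can never carry a path separator or '..' when joined to a directory.
_SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")


def check_dataset_name(name: str) -> bool:
    """True only for a safe slug; rejects traversal, separators and empty names."""
    return bool(_SLUG_RE.match(name))
```

The design choice worth noting is the allowlist on the leading keyword: a denylist alone would have to anticipate every statement type DuckDB adds, whereas admitting only SELECT and WITH and then refusing any function or file literal in a source position keeps the read-only path closed by default. The reason string is returned rather than raised so that the caller can log why a generated query was refused and surface that to the user.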
✅ Tests (tests/, 112 offline & key-free)
Adversarial SQL-guard tests, L3 static validation, build-mode governance, ingest/profile/scaffold baseline, config parsing, grounding + CTE inlining.
📊 Evals (evals/)
Golden NL→SQL questions over AnAge with result invariants. Replay mode runs known-good SQL through the deterministic layers L3–L6 (no key, CI-safe); --live runs the full L1→L7 pipeline.
🤖 CI
Lint (ruff) + test matrix on Linux & Windows × Python 3.10/3.13, plus the offline one-command reproducibility build.
📦 Packaging
pip-installable as sediment-stack (the bare name sediment is taken on PyPI), exposing the sediment command. Workspace resolution via SEDIMENT_HOME or by walking up from the current directory, plus sediment init, lets the installed tool drive a project anywhere. The in-repo python run.py flow is unchanged. Not yet published to PyPI.
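The resolution order described above, as an added example that is not the sediment project's own code: an explicit SEDIMENT_HOME wins, otherwise the tool walks up from the current directory until it finds a workspace marker. The marker file name (sediment.toml, assumed to be what sediment init writes), the function name, and the rule that a SEDIMENT_HOME pointing at a non-workspace is rejected rather than trusted are all assumptions for illustration; the filesystem check is injected so the logic runs offline.

```python
from pathlib import PurePosixPath
from typing import Callable, Mapping, Optional

MARKER = "sediment.toml"  # hypothetical marker file created by `sediment init`


def resolve_workspace(env: Mapping[str, str], cwd: str,
                      exists: Callable[[str], bool]) -> Optional[str]:
    """Return the workspace root, or None if no workspace is found.

    env    : environment mapping (os.environ in real use)
    cwd    : current working directory as a POSIX-style path
    exists : predicate for "this path exists" (os.path.exists in real use);
             injected here so the resolution order is testable without a disk
    """
    home = env.get("SEDIMENT_HOME")
    if home:
        # Honour the override only if it really is a workspace (assumed
        # policy): a stale variable must not silently redirect the tool's
        # reads and writes to an arbitrary directory.
        return home if exists(str(PurePosixPath(home) / MARKER)) else None
    here = PurePosixPath(cwd)
    # Walk from cwd up to the filesystem root, nearest workspace wins.
    for candidate in (here, *here.parents):
        if exists(str(candidate / MARKER)):
            return str(candidate)
    return None
```

In real use pass `os.environ`, `os.getcwd()` and `os.path.exists`; returning None rather than defaulting to the cwd forces the caller to tell the user to run sediment init instead of scaffolding into an unintended directory.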
Install
pip install "git+https://github.com/camharris93/sediment.git"

Full changelog: v0.1.0...v0.2.0