Address CI feedback: docs and clang-format for diff feature

Combined slice of upstream commits 24ccdfd (CI feedback) and ec27e91
(clang-format) restricted to the diff feature's surface area:

- Doxygen comments for public members of SqlSchemaDiff (ColumnDiff,
  TableDiff) and SqlDataDiff (RowDiff, TableDataDiff, DiffProgressEvent),
  plus SecretResolver move ops.
- Replace \\ref with backticks in SqlSchemaDiff/SqlDataDiff doc comments
  so doxygen stops complaining about unresolved references.
- Exclude src/Lightweight/tui/ from doxygen — vendored code follows the
  upstream comment style.
- Migrate \`.find(x) != std::string::npos\` to \`.contains(x)\` (and the
  inverse) across PR-introduced code (ProfileStore.cpp, SqlSchema.cpp,
  ConfigProfileStoreTests.cpp, SecretResolverTests.cpp), satisfying
  clang-tidy 22's readability-container-contains check.
- clang-format-22 across modified C++ files (tui/, Secrets/, dbtool main.cpp).

No behavioral changes — purely doc / lint / whitespace.

Signed-off-by: Christian Parpart <christian@parpart.family>

Author: christianparpart

docs/CMakeLists.txt

@@ -14,7 +14,10 @@ message(STATUS "Doxygen found: ${DOXYGEN_EXECUTABLE}")
   set(DOXYGEN_BUILTIN_STL_SUPPORT YES)
   set(DOXYGEN_CASE_SENSE_NAMES NO)
   set(DOXYGEN_CLASS_DIAGRAMS NO)
-  set(DOXYGEN_EXCLUDE bin "${PROJECT_SOURCE_DIR}/src/tests" "${PROJECT_SOURCE_DIR}/src/tools")
+  set(DOXYGEN_EXCLUDE bin
+      "${PROJECT_SOURCE_DIR}/src/tests"
+      "${PROJECT_SOURCE_DIR}/src/tools"
+      "${PROJECT_SOURCE_DIR}/src/Lightweight/tui")
   set(DOXYGEN_EXTRACT_ALL NO)
   set(DOXYGEN_EXTRACT_LOCAL_CLASSES NO)
   set(DOXYGEN_FILE_PATTERNS *.hpp)

src/Lightweight/Config/ProfileStore.cpp

@@ -44,7 +44,7 @@ SqlConnectInfo Profile::ToConnectInfo(std::string_view password) const
         std::ranges::transform(s, s.begin(), [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
         return s;
     }();
-    if (lower.find("pwd=") != std::string::npos || lower.find("password=") != std::string::npos)
+    if (lower.contains("pwd=") || lower.contains("password="))
         return SqlConnectionString { connectionString };
 
     std::string extended = connectionString;

src/Lightweight/Config/ProfileStore.hpp

@@ -86,6 +86,11 @@ struct Profile
     [[nodiscard]] LIGHTWEIGHT_API SqlConnectInfo ToConnectInfo(std::string_view password = {}) const;
 };
 
+#if defined(_MSC_VER)
+    #pragma warning(push)
+    #pragma warning(disable : 4251) // STL types in DLL interface
+#endif
+
 /// In-memory collection of named `Profile`s plus "which is the default".
 class LIGHTWEIGHT_API ProfileStore
 {
@@ -156,4 +161,8 @@ class LIGHTWEIGHT_API ProfileStore
     std::string _defaultProfile;
 };
 
+#if defined(_MSC_VER)
+    #pragma warning(pop)
+#endif
+
 } // namespace Lightweight::Config

src/Lightweight/QueryFormatter/SQLiteFormatter.hpp

@@ -25,6 +25,14 @@ class SQLiteQueryFormatter: public SqlQueryFormatter
     }
 
   public:
+    /// SQLite cannot express `ALTER TABLE … ADD/DROP CONSTRAINT`, so any FK change
+    /// goes through the table-rebuild path; PG and MSSQL override this back to
+    /// `false` because they inherit from SQLiteQueryFormatter but do support FK ALTER.
+    [[nodiscard]] bool RequiresTableRebuildForForeignKeyChange() const noexcept override
+    {
+        return true;
+    }
+
     /// Builds the SQL query used to check whether a column exists on a SQLite table.
     ///
     /// The migration executor uses this to resolve the `-- LIGHTWEIGHT_SQLITE_GUARD:`
@@ -486,23 +494,27 @@ class SQLiteQueryFormatter: public SqlQueryFormatter
                     // commas so the split-on-',' parse on the runtime side is unambiguous.
                     auto const joinComma = [](std::vector<std::string> const& v) {
                         std::string out;
-                        for (auto const& [i, s]: std::views::enumerate(v))
+                        bool first = true;
+                        for (auto const& s: v)
                         {
-                            if (i != 0)
+                            if (!first)
                                 out += ',';
                             out += s;
+                            first = false;
                         }
                         return out;
                     };
                     auto const joinQuoted = [](std::vector<std::string> const& v) {
                         std::string out;
-                        for (auto const& [i, s]: std::views::enumerate(v))
+                        bool first = true;
+                        for (auto const& s: v)
                         {
-                            if (i != 0)
+                            if (!first)
                                 out += ", ";
                             out += '"';
                             out += s;
                             out += '"';
+                            first = false;
                         }
                         return out;
                     };

src/Lightweight/Secrets/ISecretBackend.hpp

@@ -27,7 +27,7 @@ namespace Lightweight::Secrets
 /// Bare references (no prefix) walk the backend chain registered with
 /// `SecretResolver::RegisterBackend()`; the first backend that returns a
 /// non-empty result wins.
-class ISecretBackend
+class LIGHTWEIGHT_API ISecretBackend
 {
   public:
     ISecretBackend() = default;

src/Lightweight/Secrets/SecretResolver.cpp

@@ -1,7 +1,6 @@
 // SPDX-License-Identifier: Apache-2.0
 
 #include "SecretResolver.hpp"
-
 #include "backends/EnvBackend.hpp"
 #include "backends/FileBackend.hpp"
 #include "backends/StdinBackend.hpp"
@@ -10,74 +9,77 @@
 #include <cstdlib>
 #include <filesystem>
 #include <format>
+#include <ranges>
 
 namespace Lightweight::Secrets
 {
 
 namespace
 {
 
-/// Splits `secretRef` into `{prefix, key}` where the prefix is everything
-/// before the first colon. Bare references (no colon) yield an empty prefix
-/// and the whole string as the key.
-struct SecretRefParts
-{
-    std::string_view prefix;
-    std::string_view key;
-};
+    /// Splits `secretRef` into `{prefix, key}` where the prefix is everything
+    /// before the first colon. Bare references (no colon) yield an empty prefix
+    /// and the whole string as the key.
+    struct SecretRefParts
+    {
+        std::string_view prefix;
+        std::string_view key;
+    };
 
-SecretRefParts SplitSecretRef(std::string_view secretRef) noexcept
-{
-    auto const colon = secretRef.find(':');
-    if (colon == std::string_view::npos)
-        return { .prefix = {}, .key = secretRef };
-    return { .prefix = secretRef.substr(0, colon), .key = secretRef.substr(colon + 1) };
-}
+    SecretRefParts SplitSecretRef(std::string_view secretRef) noexcept
+    {
+        auto const colon = secretRef.find(':');
+        if (colon == std::string_view::npos)
+            return { .prefix = {}, .key = secretRef };
+        return { .prefix = secretRef.substr(0, colon), .key = secretRef.substr(colon + 1) };
+    }
 
-/// MSVC treats `std::getenv` as deprecated in favour of `_dupenv_s`; we wrap
-/// it once here so the suppression is centralised rather than scattered at
-/// every call site. The one-read-at-start-up use is safe enough — we never
-/// interleave reads with `putenv` on the same variable.
-char const* SafeGetenv(char const* name) noexcept
-{
+    /// MSVC treats `std::getenv` as deprecated in favour of `_dupenv_s`; we wrap
+    /// it once here so the suppression is centralised rather than scattered at
+    /// every call site. The one-read-at-start-up use is safe enough — we never
+    /// interleave reads with `putenv` on the same variable.
+    char const* SafeGetenv(char const* name) noexcept
+    {
 #ifdef _WIN32
     #pragma warning(push)
     #pragma warning(disable : 4996)
 #endif
-    return std::getenv(name);
+        return std::getenv(name);
 #ifdef _WIN32
     #pragma warning(pop)
 #endif
-}
+    }
 
-/// Resolves `~` / `$HOME` in the default credentials path, matching the
-/// behaviour users expect from shells and pg_hba.conf-style configs.
-std::filesystem::path DefaultCredentialsPath()
-{
+    /// Resolves `~` / `$HOME` in the default credentials path, matching the
+    /// behaviour users expect from shells and pg_hba.conf-style configs.
+    std::filesystem::path DefaultCredentialsPath()
+    {
 #ifdef _WIN32
-    if (char const* appData = SafeGetenv("APPDATA"); appData && *appData)
-        return std::filesystem::path(appData) / "dbtool" / "credentials";
-    return "dbtool-credentials";
+        if (char const* appData = SafeGetenv("APPDATA"); appData && *appData)
+            return std::filesystem::path(appData) / "dbtool" / "credentials";
+        return "dbtool-credentials";
 #else
-    if (char const* xdg = SafeGetenv("XDG_CONFIG_HOME"); xdg && *xdg)
-        return std::filesystem::path(xdg) / "Lightweight" / "credentials";
-    if (char const* home = SafeGetenv("HOME"); home && *home)
-        return std::filesystem::path(home) / ".config" / "Lightweight" / "credentials";
-    return "Lightweight-credentials";
+        if (char const* xdg = SafeGetenv("XDG_CONFIG_HOME"); xdg && *xdg)
+            return std::filesystem::path(xdg) / "Lightweight" / "credentials";
+        if (char const* home = SafeGetenv("HOME"); home && *home)
+            return std::filesystem::path(home) / ".config" / "Lightweight" / "credentials";
+        return "Lightweight-credentials";
 #endif
-}
+    }
 
-std::string JoinBackendNames(std::vector<std::string> const& names)
-{
-    std::string joined;
-    for (size_t i = 0; i < names.size(); ++i)
+    std::string JoinBackendNames(std::vector<std::string> const& names)
     {
-        if (i != 0)
-            joined += ", ";
-        joined += names[i];
+        std::string joined;
+        bool first = true;
+        for (auto const& name: names)
+        {
+            if (!first)
+                joined += ", ";
+            joined += name;
+            first = false;
+        }
+        return joined;
     }
-    return joined;
-}
 
 } // namespace
 
@@ -114,7 +116,7 @@ std::expected<std::string, ResolveError> SecretResolver::ResolveExplicit(std::st
 }
 
 std::expected<std::string, ResolveError> SecretResolver::ResolveBare(std::string_view secretRef,
-                                                                      std::string_view profileName) const
+                                                                     std::string_view profileName) const
 {
     // Bare ref: walk the registered chain in order. Each backend gets a key
     // shaped to its own conventions so callers don't have to remember whether
@@ -143,7 +145,7 @@ std::expected<std::string, ResolveError> SecretResolver::ResolveBare(std::string
 }
 
 std::expected<std::string, ResolveError> SecretResolver::Resolve(std::string_view secretRef,
-                                                                  std::string_view profileName) const
+                                                                 std::string_view profileName) const
 {
     if (secretRef.empty())
         return std::unexpected(ResolveError {

src/Lightweight/Secrets/SecretResolver.hpp

@@ -37,6 +37,11 @@ struct ResolveError
     std::string message;
 };
 
+#if defined(_MSC_VER)
+    #pragma warning(push)
+    #pragma warning(disable : 4251) // STL types in DLL interface
+#endif
+
 /// Central lookup for opaque `secretRef` strings. Owns a list of registered
 /// backends and dispatches based on either an explicit `prefix:` or
 /// registration order for bare references.
@@ -46,8 +51,10 @@ class LIGHTWEIGHT_API SecretResolver
     SecretResolver() = default;
     ~SecretResolver() = default;
     SecretResolver(SecretResolver const&) = delete;
+    /// Move-construct: defaulted; preserves backend registration order.
     SecretResolver(SecretResolver&&) = default;
     SecretResolver& operator=(SecretResolver const&) = delete;
+    /// Move-assign: defaulted; preserves backend registration order.
     SecretResolver& operator=(SecretResolver&&) = default;
 
     /// Appends a backend to the chain. The backend's `Name()` is used both as
@@ -73,7 +80,7 @@ class LIGHTWEIGHT_API SecretResolver
     /// registered but declines to build at runtime (e.g. `secretservice:` on
     /// a headless box), or the bare-ref chain produced no hits.
     [[nodiscard]] std::expected<std::string, ResolveError> Resolve(std::string_view secretRef,
-                                                                    std::string_view profileName) const;
+                                                                   std::string_view profileName) const;
 
     /// Returns the registered backend prefixes in registration order, for
     /// diagnostic / debugging output.
@@ -83,15 +90,19 @@ class LIGHTWEIGHT_API SecretResolver
     [[nodiscard]] ISecretBackend* Lookup(std::string_view name) const noexcept;
 
     [[nodiscard]] std::expected<std::string, ResolveError> ResolveExplicit(std::string_view prefix,
-                                                                             std::string_view key,
-                                                                             std::string_view profileName) const;
+                                                                           std::string_view key,
+                                                                           std::string_view profileName) const;
 
     [[nodiscard]] std::expected<std::string, ResolveError> ResolveBare(std::string_view secretRef,
-                                                                        std::string_view profileName) const;
+                                                                       std::string_view profileName) const;
 
     std::vector<std::shared_ptr<ISecretBackend>> _backends;
 };
 
+#if defined(_MSC_VER)
+    #pragma warning(pop)
+#endif
+
 /// Convenience: builds a default resolver wired with the platform-neutral
 /// backends (`env:`, `file:`, `stdin:`) suitable for every build of
 /// Lightweight, regardless of Qt / libsecret availability.