feat: data table integrations for raw apps

[rubenfiszel]

mov-2025-12-23--00-10-01.mp4

[claude]

Claude finished @rubenfiszel's task in 3m 2s —— View job

---

PR Review: Data Table Integrations for Raw Apps

I've completed a comprehensive review of this pull request which adds data table integration functionality to raw apps in Windmill.

Todo List

• Analyze all changed files
• Review code quality and best practices
• Check for potential bugs or issues
• Evaluate performance considerations
• Assess security implications
• Provide inline comments for specific issues
• Write general observations
• Add testing instructions

---

General Observations

What's Good ✅

1. Well-structured architecture: The PR introduces a clean separation of concerns with dedicated components (RawAppDataTableDrawer, RawAppDataTableList, DefaultDatabaseSelector) and utility modules (dataTableRefUtils.ts, datatableUtils.svelte.ts).

2. Proper Svelte 5 patterns: The code correctly uses Svelte 5 runes ($state, $derived, $effect) and follows the framework's best practices.

3. Comprehensive AI integration: The core.ts additions for the AI chat include well-documented tools (get_datatables, exec_datatable_sql) with proper schema definitions using Zod.

4. Good user experience: The new app creation modal provides a thoughtful setup flow with framework selection, data configuration, and optional AI integration.

5. History management updated: The RawAppHistoryManager now includes data in snapshots, ensuring undo/redo works correctly with the new datatable configurations.

6. Test helpers updated: The appEvalHelpers.ts file properly mocks the new datatable methods for testing.

Areas of Concern ⚠️

1. SSR compatibility: Several components use window.innerWidth directly during initialization which will fail during server-side rendering (noted in inline comments).

2. Magic numbers: There are hardcoded delays (500ms, 1000ms) for waiting on Monaco editor initialization. These are fragile and should ideally be event-based.

3. Memory management: The cachedColDefs object in DBManagerContent.svelte grows indefinitely without eviction strategy.

4. Security considerations: The exec_datatable_sql tool allows arbitrary SQL execution. While table creation is policy-controlled, destructive operations (DROP TABLE) are not restricted.

5. Type safety: Some type assertions use internal Svelte types ($$prop_def) which may break in future versions.

Inline Comments Posted

I've added detailed inline comments on specific files:

• datatableUtils.svelte.ts:12 - Resource pre-fetching pattern
• RawAppDataTableDrawer.svelte:32 - SSR compatibility
• DBManagerDrawer.svelte:78 - SSR compatibility
• app/core.ts:749 - Security considerations for SQL execution
• dataTableRefUtils.ts:32 - Input validation suggestion
• apps_raw/add/+page.svelte:351 - Magic number documentation
• DatatableCreationPolicy.svelte:21 - Potential race condition
• DBManagerContent.svelte:128 - Memory management

---

Testing Instructions

To verify the changes in this PR:

Navigate to the Raw Apps section by going to the main menu and selecting "Apps" → "Raw Apps". Click "New App" to open the new app setup modal. The modal now has several new sections:

1. Summary field: Enter a brief description of the app
2. Framework selection: Choose between React 19, React 18, or Svelte 5 templates
3. Data Configuration: This is the main new feature area:
   • If you have datatables configured in your workspace, you'll see a database selector
   • Schema options: Choose "None", "New" (creates a new schema), or "Existing" (select from available schemas)
   • Toggle for "Allow AI to create new tables"
   • Pre-whitelisted tables section where you can add tables the app should have access to
4. AI Integration: If AI is configured, enter an optional prompt to start with AI assistance

Click the data table icon/button to open the drawer for adding table references. Test by adding references from different datatables and schemas. The drawer should show the table picker with proper filtering.

For existing apps, navigate to edit an existing raw app (Apps → Raw Apps → click on an app). In the sidebar, there should now be a "Data" section showing configured tables and the ability to add/remove them. The AI chat in APP mode should now have access to get_datatables and exec_datatable_sql tools.

[cloudflare-workers-and-pages]

Deploying windmill with    Cloudflare Pages

Latest commit:	90778c7
Status:	✅  Deploy successful!
Preview URL:	https://06511456.windmill.pages.dev
Branch Preview URL:	https://rf-datatablerawapps.windmill.pages.dev

View logs

[claude]

Potential Issue: Using resource.pre without proper error handling could leave users without feedback on persistent failures. Consider adding retry logic or user-facing error states.

Also, the empty dependency array [() => getWorkspace() ?? ''] in line 12 may not correctly trigger re-fetches when the workspace changes. The resource.pre API typically expects the callback to be called once initially, but the reactive dependency should be more explicit.

Suggested change

	return resource.pre<string[]>([() => getWorkspace() ?? ''], async () => {
	return resource<string[]>([() => getWorkspace() ?? ''], async () => {

[claude]

Consistency Issue: Using $state(window.innerWidth) during SSR will fail since window is not defined. While this component is likely client-only, it's good practice to handle this:

Suggested change

	let windowWidth = $state(window.innerWidth)
	let windowWidth = $state(0)

And then set the actual value after mount or via the svelte:window binding which already exists at line 150.

[claude]

Same SSR Issue: Accessing window.innerWidth during module initialization will fail during SSR.

Suggested change

	let windowWidth = $state(window.innerWidth)
	let windowWidth = $state(0)

[claude]

Security Consideration: The exec_datatable_sql tool allows executing arbitrary SQL queries. While there is policy enforcement for table creation, consider:

1. Adding rate limiting to prevent abuse
2. Logging SQL executions for audit purposes
3. Consider restricting DDL operations (DROP TABLE, ALTER TABLE) to prevent accidental data loss

The current implementation only restricts table creation but doesn't prevent destructive operations like DROP TABLE.

[claude]

Good Practice: The string parsing logic is clean, but consider adding input validation. Malformed refs could cause unexpected behavior:

Suggested change

	export function parseDataTableRef(ref: string): DataTableRef {
	export function parseDataTableRef(ref: string): DataTableRef {
	if (!ref || typeof ref !== 'string') {
	throw new Error('Invalid data table reference: ref must be a non-empty string')
	}
	const slashIdx = ref.indexOf('/')

[claude]

Magic Number: The 500ms delay for triggering AI is arbitrary. Consider:

1. Using a proper event-based approach to know when the editor is initialized
2. Making this configurable or at least defining it as a constant with documentation

const AI_TRIGGER_DELAY_MS = 500 // Delay to ensure editor is initialized

[claude]

Potential Race Condition: The $effect that auto-selects the first datatable runs on every change to datatables.current.length. If datatables load asynchronously, this could overwrite a user's manual selection. Consider tracking whether the user has made a manual selection:

let userHasSelected = $state(false)

$effect(() => {
    if (
        datatables.current.length > 0 &&
        aiChatManager.datatableCreationPolicy.enabled &&
        !aiChatManager.datatableCreationPolicy.datatable &&
        !userHasSelected
    ) {
        aiChatManager.datatableCreationPolicy.datatable = datatables.current[0]
    }
})

[claude]

Memory Consideration: The cachedColDefs object grows indefinitely during a session. Consider implementing a cache eviction strategy (LRU cache) or size limit to prevent memory issues in long-running sessions with many tables.

const MAX_CACHED_TABLES = 100

async function getColDefs(tableKey: string): Promise<TableMetadata> {
    // ... cache refresh logic ...
    
    // Evict oldest entries if cache is too large
    const keys = Object.keys(cachedColDefs)
    if (keys.length > MAX_CACHED_TABLES) {
        delete cachedColDefs[keys[0]]
    }
    // ...
}