fix(client,notebooks): use fullmatch for DDL validator; cap outer LIMIT in query_facts

polaz · polaz · commit 564d7b163fea · 2026-04-15T21:46:25.000+03:00
- client.py: _CYPHER_IDENT_RE.fullmatch() instead of .match() —
  pattern is already anchored but fullmatch is explicit for DDL safety
- base.py, graph.py: add comments explaining SET r += {} is intentional
  (no-op supported since coordinode v0.3.12, removes conditional branch)
- 03_langgraph_agent.ipynb: fix LIMIT bypass in query_facts sandbox guard;
  _LIMIT_RE matched inner clauses (WITH ... LIMIT 1), leaving outer result
  unbounded; replaced with _LIMIT_AT_END_RE anchored to end of query
diff --git a/coordinode/coordinode/client.py b/coordinode/coordinode/client.py
@@ -36,7 +36,7 @@
 
 def _validate_cypher_identifier(value: str, param_name: str) -> None:
     """Raise :exc:`ValueError` if *value* is not a valid Cypher identifier."""
-    if not isinstance(value, str) or not _CYPHER_IDENT_RE.match(value):
+    if not isinstance(value, str) or not _CYPHER_IDENT_RE.fullmatch(value):
         raise ValueError(
             f"{param_name} must be a valid Cypher identifier (letters, digits, underscores, "
             f"starting with a letter or underscore); got {value!r}"
diff --git a/demo/notebooks/03_langgraph_agent.ipynb b/demo/notebooks/03_langgraph_agent.ipynb
@@ -254,11 +254,11 @@
     "    # Enforce a result cap so agents cannot dump the entire graph.\n",
     "    # Cap explicit LIMIT to 20 (preserves smaller limits like LIMIT 1),\n",
     "    # or append LIMIT 20 when no LIMIT clause is present.\n",
-    "    _LIMIT_RE = re.compile(r\"\\bLIMIT\\s+(\\d+)\\b\", re.IGNORECASE)\n",
+    "    _LIMIT_AT_END_RE = re.compile(r\"\\bLIMIT\\s+(\\d+)\\s*;?\\s*$\", re.IGNORECASE | re.DOTALL)\n",
     "    def _cap_limit(m):\n",
     "        return f\"LIMIT {min(int(m.group(1)), 20)}\"\n",
-    "    if _LIMIT_RE.search(q):\n",
-    "        q = _LIMIT_RE.sub(_cap_limit, q)\n",
+    "    if _LIMIT_AT_END_RE.search(q):\n",
+    "        q = _LIMIT_AT_END_RE.sub(_cap_limit, q)\n",
     "    else:\n",
     "        q = q.rstrip().rstrip(\";\") + \" LIMIT 20\"\n",
     "    rows = client.cypher(q, params={\"sess\": SESSION})\n",
diff --git a/langchain-coordinode/langchain_coordinode/graph.py b/langchain-coordinode/langchain_coordinode/graph.py
@@ -215,6 +215,9 @@ def _create_edge(self, rel: Any) -> None:
         dst_label = _cypher_ident(rel.target.type or "Entity")
         rel_type = _cypher_ident(rel.type)
         props = dict(rel.properties or {})
+        # SET r += $props is intentionally unconditional (even for empty dicts).
+        # CoordiNode ≥ v0.3.12 supports SET r += {} as a no-op, which lets us
+        # keep a single code path instead of branching on emptiness.
         self._client.cypher(
             f"MATCH (src:{src_label} {{name: $src}}) "
             f"MATCH (dst:{dst_label} {{name: $dst}}) "
diff --git a/llama-index-coordinode/llama_index/graph_stores/coordinode/base.py b/llama-index-coordinode/llama_index/graph_stores/coordinode/base.py
@@ -240,6 +240,9 @@ def upsert_relations(self, relations: list[Relation]) -> None:
         for rel in relations:
             props = rel.properties or {}
             label = _cypher_ident(rel.label)
+            # SET r += $props is intentionally unconditional (even for empty dicts).
+            # CoordiNode ≥ v0.3.12 supports SET r += {} as a no-op, which lets us
+            # keep a single code path instead of branching on emptiness.
             cypher = (
                 f"MATCH (src {{id: $src_id}}) MATCH (dst {{id: $dst_id}}) "
                 f"MERGE (src)-[r:{label}]->(dst) SET r += $props"
