fix(dbapi): harden commit/rollback against message-only errors; forward max_total_rows

- ISSUE-97: commit/rollback silent no-op is now gated on the SQLite
  result code first (SQLITE_ERROR=1 or SQLITE_MISUSE=21), then on the
  "no transaction is active" substring. Previously, a malicious or
  impostor server could force the client to silently succeed on any
  failure just by crafting a message containing that substring — even
  SQLITE_FULL (disk full), SQLITE_CONSTRAINT, or other fatal codes.
  Extract the check into a shared _is_no_transaction_error helper used
  by both the sync and async connection classes.

- ISSUE-111: module-level connect() forwards max_total_rows to the
  underlying Connection. Previously users of the PEP 249 convenience
  function silently got the default; only direct Connection() use let
  them override. SQLAlchemy's URL already forwarded this — the dbapi
  convenience was the gap.

Adds regression tests in tests/test_cycle3_hardening.py covering the
disk-full-crafted-substring case, the constraint-crafted-substring
case, and connect(max_total_rows=...) forwarding.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: antoineleclair

src/dqlitedbapi/__init__.py

@@ -94,6 +94,7 @@ def connect(
     *,
     database: str = "default",
     timeout: float = 10.0,
+    max_total_rows: int | None = 10_000_000,
 ) -> Connection:
     """Connect to a dqlite database.
 
@@ -104,6 +105,9 @@ def connect(
             finite number. ``0``, negatives, and non-finite values are
             rejected here rather than silently passed through to the
             underlying connection.
+        max_total_rows: Cumulative row cap across continuation frames
+            for a single query. Forwarded to the underlying
+            :class:`Connection` (ISSUE-111). ``None`` disables the cap.
 
     Returns:
         A Connection object
@@ -112,4 +116,9 @@ def connect(
 
     if not math.isfinite(timeout) or timeout <= 0:
         raise ProgrammingError(f"timeout must be a positive finite number, got {timeout}")
-    return Connection(address, database=database, timeout=timeout)
+    return Connection(
+        address,
+        database=database,
+        timeout=timeout,
+        max_total_rows=max_total_rows,
+    )

src/dqlitedbapi/aio/connection.py

@@ -9,6 +9,7 @@
 from dqliteclient import DqliteConnection
 from dqliteclient.protocol import _validate_max_total_rows
 from dqlitedbapi.aio.cursor import AsyncCursor
+from dqlitedbapi.connection import _is_no_transaction_error
 from dqlitedbapi.exceptions import InterfaceError, OperationalError, ProgrammingError
 
 
@@ -130,7 +131,7 @@ async def commit(self) -> None:
             try:
                 await self._async_conn.execute("COMMIT")
             except (OperationalError, _client_exc.OperationalError) as e:
-                if "no transaction is active" not in str(e).lower():
+                if not _is_no_transaction_error(e):
                     raise
 
     async def rollback(self) -> None:
@@ -144,7 +145,7 @@ async def rollback(self) -> None:
             try:
                 await self._async_conn.execute("ROLLBACK")
             except (OperationalError, _client_exc.OperationalError) as e:
-                if "no transaction is active" not in str(e).lower():
+                if not _is_no_transaction_error(e):
                     raise
 
     def cursor(self) -> AsyncCursor:

src/dqlitedbapi/connection.py

@@ -14,6 +14,30 @@
 from dqlitedbapi.cursor import Cursor
 from dqlitedbapi.exceptions import InterfaceError, OperationalError, ProgrammingError
 
+# SQLite result codes for "you tried to COMMIT/ROLLBACK but there's no
+# transaction active." SQLite returns ``SQLITE_ERROR`` (1) most of the
+# time; some code paths return ``SQLITE_MISUSE`` (21). Check the
+# numeric code first so a malicious or impostor server cannot silence
+# unrelated errors just by crafting a message string that contains the
+# magic substring (ISSUE-97). The substring remains as a secondary
+# filter because SQLite has many uses of code=1.
+_NO_TX_CODES = frozenset({1, 21})
+_NO_TX_SUBSTRING = "no transaction is active"
+
+
+def _is_no_transaction_error(exc: Exception) -> bool:
+    """True if ``exc`` is a genuine "no active transaction" server reply.
+
+    Gates the silent swallow on the SQLite result code in addition to
+    the English wording. A disk-full / constraint / IO error whose
+    message happens to include the magic substring will not be
+    swallowed.
+    """
+    code = getattr(exc, "code", None)
+    if code is not None and code not in _NO_TX_CODES:
+        return False
+    return _NO_TX_SUBSTRING in str(exc).lower()
+
 
 def _cleanup_loop_thread(
     loop: asyncio.AbstractEventLoop,
@@ -273,7 +297,7 @@ async def _commit_async(self) -> None:
         try:
             await self._async_conn.execute("COMMIT")
         except (OperationalError, _client_exc.OperationalError) as e:
-            if "no transaction is active" not in str(e).lower():
+            if not _is_no_transaction_error(e):
                 raise
 
     def rollback(self) -> None:
@@ -295,7 +319,7 @@ async def _rollback_async(self) -> None:
         try:
             await self._async_conn.execute("ROLLBACK")
         except (OperationalError, _client_exc.OperationalError) as e:
-            if "no transaction is active" not in str(e).lower():
+            if not _is_no_transaction_error(e):
                 raise
 
     def cursor(self) -> Cursor:

tests/test_cycle3_hardening.py

@@ -183,6 +183,67 @@ def test_out_of_range_raises_data_error(self) -> None:
             _datetime_from_unixtime(2**63)
 
 
+class TestIsNoTransactionError:
+    """ISSUE-97: commit/rollback no-op is gated on SQLite result code first.
+
+    A malicious/impostor server must not be able to silence an unrelated
+    error just by crafting a ``message`` that contains the magic
+    substring.
+    """
+
+    def test_substring_only_with_sqlite_error_is_no_tx(self) -> None:
+        from dqliteclient.exceptions import OperationalError as ClientOpError
+        from dqlitedbapi.connection import _is_no_transaction_error
+
+        # code=1 (SQLITE_ERROR) + substring → true
+        err = ClientOpError(1, "cannot commit - no transaction is active")
+        assert _is_no_transaction_error(err)
+
+        # code=21 (SQLITE_MISUSE) + substring → true
+        err = ClientOpError(21, "misuse: no transaction is active")
+        assert _is_no_transaction_error(err)
+
+    def test_disk_full_with_matching_substring_is_not_silenced(self) -> None:
+        from dqliteclient.exceptions import OperationalError as ClientOpError
+        from dqlitedbapi.connection import _is_no_transaction_error
+
+        # Code 13 (SQLITE_FULL) must NOT be silenced even if the message
+        # happens to contain the magic substring (attacker-controlled).
+        err = ClientOpError(13, "disk full — but no transaction is active")
+        assert not _is_no_transaction_error(err)
+
+    def test_constraint_violation_is_not_silenced(self) -> None:
+        from dqliteclient.exceptions import OperationalError as ClientOpError
+        from dqlitedbapi.connection import _is_no_transaction_error
+
+        err = ClientOpError(19, "constraint: no transaction is active anywhere")
+        assert not _is_no_transaction_error(err)
+
+
+class TestConnectForwardsMaxTotalRows:
+    """ISSUE-111: module-level connect() forwards max_total_rows."""
+
+    def test_connect_forwards_max_total_rows(self) -> None:
+        from dqlitedbapi import connect
+        from dqlitedbapi.connection import Connection
+
+        conn = connect("localhost:19001", max_total_rows=500)
+        try:
+            assert isinstance(conn, Connection)
+            assert conn._max_total_rows == 500
+        finally:
+            conn.close()
+
+    def test_connect_forwards_none_for_max_total_rows(self) -> None:
+        from dqlitedbapi import connect
+
+        conn = connect("localhost:19001", max_total_rows=None)
+        try:
+            assert conn._max_total_rows is None
+        finally:
+            conn.close()
+
+
 class TestIsRowReturning:
     @pytest.mark.parametrize(
         "sql",