Title: Deprecate and Remove the dbt Plugin from Backend Components
Description
Following an internal review of the project's attack surface and current deployment guidelines (per our Authentication and Security Model Documentation), we are identifying legacy or high-risk components that do not align with baseline security hardening expectations.
Specifically, the dbt plugin accepts user-supplied configuration (repository targets and execution parameters) and passes it to external command-line tools (`git` and `dbt`). Although the system is explicitly designed for trusted, single-operator deployments, this design still exposes the server to Server-Side Request Forgery (a repository target can point `git` at an internal address) and to CLI argument manipulation (a target or parameter that begins with a dash can be parsed as an option by `git` or `dbt` rather than as data).
Rather than maintaining input-validation rules for a changing command-line surface, we are opting to deprecate and completely remove the dbt plugin from the backend codebase.
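To make the risk concrete, the following is an added illustration, not code from this project: it shows the naive argv a plugin builds from a repository target next to the kind of validation that would be needed to keep it safe. It is written in Go on the assumption that the backend is Go; the host allowlist, the function names and the sample targets are all hypothetical and constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Hypothetical allowlist of forges the plugin may clone from (assumption for this example).
var allowedHosts = map[string]bool{
	"github.com": true,
	"gitlab.com": true,
}

// UnsafeCloneArgs is the naive construction: the user-supplied target lands in the
// position where git parses options, so a target such as "--upload-pack=id" is
// treated as a flag, and any reachable host is accepted.
func UnsafeCloneArgs(target, dest string) []string {
	return []string{"clone", target, dest}
}

// ValidateRepoTarget rejects a target that git could interpret as an option or that
// would make git talk to something other than an allowlisted public forge.
func ValidateRepoTarget(target string) error {
	if strings.HasPrefix(target, "-") {
		return errors.New("target begins with '-' and would be parsed as a git option")
	}
	u, err := url.Parse(target)
	if err != nil {
		return fmt.Errorf("target is not a URL: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed, only https", u.Scheme)
	}
	if u.User != nil {
		return errors.New("embedded credentials are not allowed in a repository target")
	}
	host := u.Hostname()
	// IP literals (including link-local/private ranges such as 169.254.169.254 or
	// 10.0.0.0/8) are never a legitimate forge for this plugin, so reject them outright.
	if net.ParseIP(host) != nil {
		return fmt.Errorf("IP literal host %q not allowed", host)
	}
	if !allowedHosts[strings.ToLower(host)] {
		return fmt.Errorf("host %q is not allowlisted", host)
	}
	return nil
}

// BuildCloneArgs is the hardened form: the target is validated and placed after "--",
// so git can never read it as an option even if validation is later relaxed.
func BuildCloneArgs(target, dest string) ([]string, error) {
	if err := ValidateRepoTarget(target); err != nil {
		return nil, err
	}
	return []string{"clone", "--depth", "1", "--", target, dest}, nil
}

func main() {
	// Constructed sample inputs: one legitimate, three hostile.
	targets := []string{
		"https://github.com/example/repo.git",
		"--upload-pack=id",
		"http://169.254.169.254/latest/meta-data",
		"https://10.0.0.5/internal.git",
	}
	for _, t := range targets {
		fmt.Printf("unsafe argv: %q\n", UnsafeCloneArgs(t, "/tmp/work"))
		if args, err := BuildCloneArgs(t, "/tmp/work"); err != nil {
			fmt.Printf("rejected %q: %v\n", t, err)
		} else {
			fmt.Printf("hardened argv: %q\n", args)
		}
	}
}
```

The point of the example is the maintenance burden the issue describes: every new `git` or `dbt` option, URL form or transport is another case the validator has to anticipate, which is why removal was preferred over keeping such rules current.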
Scope of Work
- Remove Plugin Package: Delete the `dbt` plugin source code and task registrations from the backend plugin engine.
- Clean Task Definitions: Strip out any references to `DbtOptions` or related structs across pipeline and blueprint configurations.
- Database Schema Cleanup: Provide a migration script to safely clean up or migrate legacy configuration tables associated with the plugin.
- UI/Documentation Updates: Remove options for configuring `dbt` tasks from the `config-ui` interface and remove the corresponding guides from the user manuals.
Acceptance Criteria
- The backend builds successfully without compiling or referencing the `dbt` package.
- Any existing blueprints referencing `dbt` components fail safely or skip the step with a proper deprecation notice.
- No regressions are introduced to other core backend plugins or connection management APIs.