---
name: sec-sql-01
description: Protects against SQL Injection by enforcing parameterized queries.
version: "1.0.0"
specialist: Sindre
governance: HARD_LOCK
---

# 🛡️ SEC-SQL-01: Parameterized Only (The Sindre Protocol)
This is a HARD_LOCK architectural directive.

## 🚫 Forbidden
Never use string interpolation or concatenation to build SQL queries.
Example of violation: ``client.rpc('get_data', { query: `SELECT * FROM ${table}` })``

## ✅ Mandated
Use prepared statements or the built-in query builder.
Example: `client.rpc('get_data', { table_id: 123 })`

Frank will block the commit if any dynamic string building is detected in a database context.
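As an added example (not part of this rule file or of Rigstate CLI), a minimal check in the spirit of the rule above that flags SQL assembled through template-literal interpolation or string concatenation in JavaScript source; the function names and the sample source are constructed for illustration.

```javascript
// Added example, not part of this rule file or of Rigstate CLI: a minimal
// SEC-SQL-01 style check that flags SQL assembled through template-literal
// interpolation or string concatenation. Function names and the sample
// source are constructed for illustration; a real hook would read the
// staged files instead of SAMPLE.
const SQL_VERB = /\b(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE)\b/i;
// A template literal that contains at least one ${...} placeholder.
const TEMPLATE_SQL = /`[^`]*\$\{[^}]*\}[^`]*`/;
// A quoted fragment joined to something else with '+'.
const CONCAT_SQL = /(['"][^'"]*['"]\s*\+)|(\+\s*['"][^'"]*['"])/;

// Returns one finding per offending line. Single-line heuristics only:
// a template literal spanning several lines is not detected.
function findDynamicSql(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    if (!SQL_VERB.test(text)) return; // no SQL statement on this line
    if (TEMPLATE_SQL.test(text)) {
      findings.push({ line: i + 1, kind: 'template-interpolation' });
    } else if (CONCAT_SQL.test(text)) {
      findings.push({ line: i + 1, kind: 'concatenation' });
    }
  });
  return findings;
}

// The gate a pre-commit hook would apply: any finding blocks the commit.
function commitAllowed(source) {
  return findDynamicSql(source).length === 0;
}

// Constructed sample: two violations followed by two compliant calls.
const SAMPLE = [
  "const rows = await client.rpc('get_data', { query: `SELECT * FROM ${table}` });",
  "const q = 'DELETE FROM users WHERE id = ' + userId;",
  "const ok = await client.rpc('get_data', { table_id: 123 });",
  "const stmt = db.prepare('SELECT * FROM users WHERE id = ?');",
].join('\n');

for (const f of findDynamicSql(SAMPLE)) {
  console.log(`line ${f.line}: dynamic SQL via ${f.kind}`);
}
console.log(commitAllowed(SAMPLE) ? 'commit allowed' : 'commit blocked');
```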

---
*Provisioned by Rigstate CLI. Do not modify manually.*