erikdarlingdata · erikdarlingdata · Apr 22, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
diff --git a/server/PlanShare/Program.cs b/server/PlanShare/Program.cs
@@ -44,8 +44,14 @@ created_at TEXT NOT NULL
     cmd.ExecuteNonQuery();
 }
 
+// --- Rate limiters (in-memory) ---
+// Created before Build() so they can be DI-registered and swept by CleanupService.
+var rateLimiter = new RateLimiter(maxRequests: 10, windowSeconds: 60);
+var analyticsRateLimiter = new RateLimiter(maxRequests: 30, windowSeconds: 60);
+
 // Register the cleanup background service
 builder.Services.AddSingleton(new PlanDbConfig(connectionString));
+builder.Services.AddSingleton(new RateLimiters(rateLimiter, analyticsRateLimiter));
 builder.Services.AddHostedService<CleanupService>();
 
 // Request size limit (10 MB)
@@ -54,10 +60,6 @@ created_at TEXT NOT NULL
 var app = builder.Build();
 app.UseCors();
 
-// --- Rate limiters (in-memory) ---
-var rateLimiter = new RateLimiter(maxRequests: 10, windowSeconds: 60);
-var analyticsRateLimiter = new RateLimiter(maxRequests: 30, windowSeconds: 60);
-
 const int MaxTtlDays = 365;
 
 // --- Endpoints ---
@@ -161,9 +163,15 @@ created_at TEXT NOT NULL
         return Results.BadRequest("Invalid JSON");
     }
 
-    // Strip referrer to domain only (no full URLs with query params)
-    if (!string.IsNullOrEmpty(referrer) && Uri.TryCreate(referrer, UriKind.Absolute, out var refUri))
-        referrer = refUri.Host;
+    // Strip referrer to domain only (no full URLs with query params).
+    // If it doesn't parse as an absolute URL, drop it — never persist raw
+    // client-supplied strings, since the dashboard renders referrers in HTML.
+    if (!string.IsNullOrEmpty(referrer))
+    {
+        referrer = Uri.TryCreate(referrer, UriKind.Absolute, out var refUri)
+            ? refUri.Host
+            : null;
+    }
 
     // Visitor hash: SHA256(IP + User-Agent + date) — unique per day, no PII stored
     var ua = ctx.Request.Headers.UserAgent.FirstOrDefault() ?? "";
@@ -352,14 +360,18 @@ static string GenerateDeleteToken()
 
 record PlanDbConfig(string ConnectionString);
 
+record RateLimiters(RateLimiter Share, RateLimiter Analytics);
+
 sealed class CleanupService : BackgroundService
 {
     private readonly PlanDbConfig _config;
+    private readonly RateLimiters _rateLimiters;
     private readonly ILogger<CleanupService> _logger;
 
-    public CleanupService(PlanDbConfig config, ILogger<CleanupService> logger)
+    public CleanupService(PlanDbConfig config, RateLimiters rateLimiters, ILogger<CleanupService> logger)
     {
         _config = config;
+        _rateLimiters = rateLimiters;
         _logger = logger;
     }
 
@@ -401,6 +413,14 @@ private void Cleanup()
                 if (deleted > 0)
                     _logger.LogInformation("Cleaned up {Count} old page views", deleted);
             }
+
+            // Evict stale rate-limiter keys so the dictionary doesn't grow forever.
+            var shareEvicted = _rateLimiters.Share.Sweep();
+            var analyticsEvicted = _rateLimiters.Analytics.Sweep();
+            if (shareEvicted + analyticsEvicted > 0)
+                _logger.LogInformation(
+                    "Evicted {Share} share + {Analytics} analytics rate-limit keys",
+                    shareEvicted, analyticsEvicted);
         }
         catch (Exception ex)
         {
@@ -441,4 +461,25 @@ public bool IsAllowed(string key)
             return true;
         }
     }
+
+    /// <summary>
+    /// Evicts keys whose timestamp lists have gone empty. Call periodically
+    /// so the dictionary doesn't grow forever across unique IPs.
+    /// Returns the number of keys evicted.
+    /// </summary>
+    public int Sweep()
+    {
+        var cutoff = DateTime.UtcNow.AddSeconds(-_windowSeconds);
+        var evicted = 0;
+        foreach (var kvp in _requests)
+        {
+            lock (kvp.Value)
+            {
+                kvp.Value.RemoveAll(t => t < cutoff);
+                if (kvp.Value.Count == 0 && _requests.TryRemove(kvp))
+                    evicted++;
+            }
+        }
+        return evicted;
+    }
 }
diff --git a/server/PlanShare/dashboard.html b/server/PlanShare/dashboard.html
@@ -275,13 +275,28 @@ <h3>Top Referrers (30 days)</h3>
     }
     function updateReferrers() {
         var tbody = document.querySelector("#referrersTable tbody");
+        tbody.replaceChildren();
         if (!planStats || !planStats.traffic.top_referrers.length) {
-            tbody.innerHTML = "<tr><td colspan='2' style='color:#484f58'>No referrer data yet</td></tr>";
+            var tr = document.createElement("tr");
+            var td = document.createElement("td");
+            td.setAttribute("colspan", "2");
+            td.style.color = "#484f58";
+            td.textContent = "No referrer data yet";
+            tr.appendChild(td);
+            tbody.appendChild(tr);
             return;
         }
-        tbody.innerHTML = planStats.traffic.top_referrers.map(function(r) {
-            return "<tr><td>" + r.referrer + "</td><td class='num'>" + fmt(r.count) + "</td></tr>";
-        }).join("");
+        planStats.traffic.top_referrers.forEach(function(r) {
+            var tr = document.createElement("tr");
+            var tdRef = document.createElement("td");
+            tdRef.textContent = r.referrer;
+            var tdCount = document.createElement("td");
+            tdCount.className = "num";
+            tdCount.textContent = fmt(r.count);
+            tr.appendChild(tdRef);
+            tr.appendChild(tdCount);
+            tbody.appendChild(tr);
+        });
     }
     function updateCharts() {
         updateChart("starsChart", "line", {

diff --git a/src/PlanViewer.App/AboutWindow.axaml.cs b/src/PlanViewer.App/AboutWindow.axaml.cs
@@ -56,7 +56,7 @@ private void SaveMcpSettings()
         }, new JsonSerializerOptions { WriteIndented = true });
 
         Directory.CreateDirectory(settingsDir);
-        File.WriteAllText(settingsFile, json);
+        Services.AtomicFile.WriteAllText(settingsFile, json);
     }
 
     private void GitHubLink_Click(object? sender, PointerPressedEventArgs e) => OpenUrl(GitHubUrl);

diff --git a/src/PlanViewer.App/Controls/PlanViewerControl.axaml.cs b/src/PlanViewer.App/Controls/PlanViewerControl.axaml.cs
@@ -801,6 +801,9 @@ private static string FormatBytes(double bytes)
         return $"{bytes / (1024L * 1024 * 1024):N1} GB";
     }
 
+    private static string FormatBenefitPercent(double pct) =>
+        pct >= 100 ? $"{pct:N0}" : $"{pct:N1}";
+
     #endregion
 
     #region Node Selection & Properties Panel
@@ -1737,7 +1740,7 @@ private void ShowPropertiesPanel(PlanNode node)
                         : w.Severity == PlanWarningSeverity.Warning ? "#FFB347" : "#6BB5FF";
                     var warnPanel = new StackPanel { Margin = new Thickness(10, 2, 10, 2) };
                     var planWarnHeader = w.MaxBenefitPercent.HasValue
-                        ? $"\u26A0 {w.WarningType} \u2014 up to {w.MaxBenefitPercent:N0}% benefit"
+                        ? $"\u26A0 {w.WarningType} \u2014 up to {FormatBenefitPercent(w.MaxBenefitPercent.Value)}% benefit"
                         : $"\u26A0 {w.WarningType}";
                     warnPanel.Children.Add(new TextBlock
                     {
@@ -1819,7 +1822,7 @@ private void ShowPropertiesPanel(PlanNode node)
                     : w.Severity == PlanWarningSeverity.Warning ? "#FFB347" : "#6BB5FF";
                 var warnPanel = new StackPanel { Margin = new Thickness(10, 2, 10, 2) };
                 var nodeWarnHeader = w.MaxBenefitPercent.HasValue
-                    ? $"\u26A0 {w.WarningType} \u2014 up to {w.MaxBenefitPercent:N0}% benefit"
+                    ? $"\u26A0 {w.WarningType} \u2014 up to {FormatBenefitPercent(w.MaxBenefitPercent.Value)}% benefit"
                     : $"\u26A0 {w.WarningType}";
                 warnPanel.Children.Add(new TextBlock
                 {

diff --git a/src/PlanViewer.App/Controls/QuerySessionControl.axaml.cs b/src/PlanViewer.App/Controls/QuerySessionControl.axaml.cs
@@ -78,11 +78,15 @@ public QuerySessionControl(ICredentialService credentialService, ConnectionStore
             QueryEditor.TextArea.Focus();
         };
 
-        // Dispose TextMate when detached (e.g. tab switch) to release renderers/transformers
+        // Dispose TextMate when detached (e.g. tab switch) to release renderers/transformers.
+        // Also cancel any in-flight status-clear dispatch so it doesn't fire on a dead control.
         DetachedFromVisualTree += (_, _) =>
         {
             _textMateInstallation?.Dispose();
             _textMateInstallation = null;
+            _statusClearCts?.Cancel();
+            _statusClearCts?.Dispose();
+            _statusClearCts = null;
         };
 
         // Focus the editor when the Editor tab is selected; toggle plan-dependent buttons

diff --git a/src/PlanViewer.App/Dialogs/QueryStoreHistoryWindow.axaml.cs b/src/PlanViewer.App/Dialogs/QueryStoreHistoryWindow.axaml.cs
@@ -111,9 +111,9 @@

        // Select initial metric in the combo box
        var metricTag = initialMetricTag;
        foreach (ComboBoxItem item in MetricSelector.Items)
        {
            if (item.Tag?.ToString() == metricTag)
            {
                MetricSelector.SelectedItem = item;
                break;
@@ -169,6 +169,16 @@
             : "AvgCpuMs";
     }
 
+    protected override void OnClosed(EventArgs e)
+    {
+        // Cancel any in-flight history fetch so the SqlConnection doesn't sit open on the
+        // server after the dialog is dismissed.
+        _fetchCts?.Cancel();
+        _fetchCts?.Dispose();
+        _fetchCts = null;
+        base.OnClosed(e);
+    }
+
     private async System.Threading.Tasks.Task LoadHistoryAsync()
     {
         _fetchCts?.Cancel();
@@ -749,7 +759,7 @@

    private void OnHighlightLoadingRow(object? sender, DataGridRowEventArgs e)
    {
        var idx = e.Row.GetIndex();
        if (_selectedRowIndices.Contains(idx))
        {
            e.Row.Background = new SolidColorBrush(Avalonia.Media.Color.FromArgb(60, 79, 195, 247));

diff --git a/src/PlanViewer.App/PlanViewer.App.csproj b/src/PlanViewer.App/PlanViewer.App.csproj
@@ -6,7 +6,7 @@
     <ApplicationManifest>app.manifest</ApplicationManifest>
     <ApplicationIcon>EDD.ico</ApplicationIcon>
     <AvaloniaUseCompiledBindingsByDefault>true</AvaloniaUseCompiledBindingsByDefault>
-    <Version>1.7.1</Version>
+    <Version>1.7.2</Version>
     <Authors>Erik Darling</Authors>
     <Company>Darling Data LLC</Company>
     <Product>Performance Studio</Product>

diff --git a/src/PlanViewer.App/Services/AppSettingsService.cs b/src/PlanViewer.App/Services/AppSettingsService.cs
@@ -59,7 +59,7 @@ public static void Save(AppSettings settings)
         {
             Directory.CreateDirectory(SettingsDir);
             var json = JsonSerializer.Serialize(settings, JsonOptions);
-            File.WriteAllText(SettingsPath, json);
+            AtomicFile.WriteAllText(SettingsPath, json);
         }
         catch
         {

diff --git a/src/PlanViewer.App/Services/AtomicFile.cs b/src/PlanViewer.App/Services/AtomicFile.cs
@@ -0,0 +1,27 @@
+using System.IO;
+
+namespace PlanViewer.App.Services;
+
+/// <summary>
+/// Helper for atomic text-file writes: write to a sibling .tmp and rename
+/// into place so a crash mid-write can't truncate the target file. Callers
+/// are responsible for creating the parent directory first.
+/// </summary>
+internal static class AtomicFile
+{
+    /// <summary>
+    /// Writes <paramref name="contents"/> to <paramref name="path"/> atomically
+    /// with respect to process crashes. If the process dies before the rename,
+    /// <paramref name="path"/> keeps its previous contents and a stray
+    /// <c>.tmp</c> sibling is left behind (cleaned up on the next call).
+    /// </summary>
+    public static void WriteAllText(string path, string contents)
+    {
+        var tmp = path + ".tmp";
+        File.WriteAllText(tmp, contents);
+        // File.Move with overwrite:true maps to MoveFileEx(MOVEFILE_REPLACE_EXISTING)
+        // on Windows and rename(2) on Unix — both atomic when source and destination
+        // live on the same filesystem, which is always the case here.
+        File.Move(tmp, path, overwrite: true);
+    }
+}
diff --git a/src/PlanViewer.App/Services/ConnectionStore.cs b/src/PlanViewer.App/Services/ConnectionStore.cs
@@ -39,7 +39,7 @@ public void Save(List<ServerConnection> connections)
     {
         Directory.CreateDirectory(ConfigDir);
         var json = JsonSerializer.Serialize(connections, JsonOptions);
-        File.WriteAllText(ConfigFile, json);
+        AtomicFile.WriteAllText(ConfigFile, json);
     }
 
     public void AddOrUpdate(ServerConnection connection)

diff --git a/src/PlanViewer.App/Services/SqlFormatSettingsService.cs b/src/PlanViewer.App/Services/SqlFormatSettingsService.cs
@@ -123,7 +123,7 @@ public static bool Save(SqlFormatSettings settings, out string? error)
         {
             Directory.CreateDirectory(SettingsDir);
             var json = JsonSerializer.Serialize(settings, JsonOptions);
-            File.WriteAllText(SettingsPath, json);
+            AtomicFile.WriteAllText(SettingsPath, json);
             return true;
         }
         catch (Exception ex)

diff --git a/src/PlanViewer.Cli/Commands/AnalyzeCommand.cs b/src/PlanViewer.Cli/Commands/AnalyzeCommand.cs
@@ -95,7 +95,11 @@ public static Command Create(ICredentialService? credentialService = null)
 
         var passwordOption = new Option<string?>(
             "--password",
-            "SQL Server password (bypasses credential store)");
+            "SQL Server password (bypasses credential store). Visible in process listings — prefer --password-stdin.");
+
+        var passwordStdinOption = new Option<bool>(
+            "--password-stdin",
+            "Read the SQL Server password from stdin (avoids process-listing exposure). Mutually exclusive with --password.");
 
         var configOption = new Option<string?>(
             "--config",
@@ -118,6 +122,7 @@ public static Command Create(ICredentialService? credentialService = null)
             timeoutOption,
             loginOption,
             passwordOption,
+            passwordStdinOption,
             configOption
         };
 
@@ -137,7 +142,8 @@ public static Command Create(ICredentialService? credentialService = null)
             var trustCert = ctx.ParseResult.GetValueForOption(trustCertOption);
             var timeout = ctx.ParseResult.GetValueForOption(timeoutOption);
             var login = ctx.ParseResult.GetValueForOption(loginOption);
-            var password = ctx.ParseResult.GetValueForOption(passwordOption);
+            var passwordInline = ctx.ParseResult.GetValueForOption(passwordOption);
+            var passwordStdin = ctx.ParseResult.GetValueForOption(passwordStdinOption);
             var configPath = ctx.ParseResult.GetValueForOption(configOption);
 
             // Load analyzer config
@@ -148,10 +154,20 @@ public static Command Create(ICredentialService? credentialService = null)
             server ??= env.GetValueOrDefault("PLANVIEW_SERVER");
             database ??= env.GetValueOrDefault("PLANVIEW_DATABASE");
             login ??= env.GetValueOrDefault("PLANVIEW_LOGIN");
-            password ??= env.GetValueOrDefault("PLANVIEW_PASSWORD");
             if (!trustCert && env.GetValueOrDefault("PLANVIEW_TRUST_CERT")?.Equals("true", StringComparison.OrdinalIgnoreCase) == true)
                 trustCert = true;
 
+            // Resolve password from --password-stdin, --password, or PLANVIEW_PASSWORD
+            // (in that order). --stdin for plan XML conflicts with --password-stdin.
+            if (!PasswordResolver.TryResolve(
+                    passwordInline, passwordStdin, stdin,
+                    env.GetValueOrDefault("PLANVIEW_PASSWORD"),
+                    out var password))
+            {
+                Environment.ExitCode = 1;
+                return;
+            }
+
             if (server != null)
             {
                 await RunLiveAsync(file, server, database, query, outputDir, estimated,

diff --git a/src/PlanViewer.Cli/Commands/CredentialCommand.cs b/src/PlanViewer.Cli/Commands/CredentialCommand.cs
@@ -36,6 +36,9 @@ private static Command CreateAddCommand(ICredentialService credentialService)
             string password;
             if (!string.IsNullOrEmpty(passwordArg))
             {
+                Console.Error.WriteLine(
+                    "Warning: --password is visible in process listings and shell history. " +
+                    "Prefer piping the password into stdin (e.g. `echo hunter2 | planview credential add ...`).");
                 password = passwordArg;
             }
             else if (Console.IsInputRedirected)

diff --git a/src/PlanViewer.Cli/Commands/QueryStoreCommand.cs b/src/PlanViewer.Cli/Commands/QueryStoreCommand.cs
@@ -72,7 +72,11 @@ public static Command Create(ICredentialService? credentialService = null)
             "--login", "SQL Server login (bypasses credential store)");
 
         var passwordOption = new Option<string?>(
-            "--password", "SQL Server password");
+            "--password", "SQL Server password. Visible in process listings — prefer --password-stdin.");
+
+        var passwordStdinOption = new Option<bool>(
+            "--password-stdin",
+            "Read the SQL Server password from stdin (avoids process-listing exposure). Mutually exclusive with --password.");
 
         var queryIdOption = new Option<long?>(
             "--query-id", "Filter by Query Store query ID");
@@ -93,7 +97,7 @@ public static Command Create(ICredentialService? credentialService = null)
         {
             serverOption, databaseOption, topOption, orderByOption, hoursBackOption,
             outputDirOption, outputOption, compactOption, warningsOnlyOption, configOption,
-            authOption, trustCertOption, loginOption, passwordOption,
+            authOption, trustCertOption, loginOption, passwordOption, passwordStdinOption,
             queryIdOption, planIdOption, queryHashOption, planHashOption, moduleOption
         };
 
@@ -112,7 +116,8 @@ public static Command Create(ICredentialService? credentialService = null)
             var auth = ctx.ParseResult.GetValueForOption(authOption);
             var trustCert = ctx.ParseResult.GetValueForOption(trustCertOption);
             var login = ctx.ParseResult.GetValueForOption(loginOption);
-            var password = ctx.ParseResult.GetValueForOption(passwordOption);
+            var passwordInline = ctx.ParseResult.GetValueForOption(passwordOption);
+            var passwordStdin = ctx.ParseResult.GetValueForOption(passwordStdinOption);
             var filterQueryId = ctx.ParseResult.GetValueForOption(queryIdOption);
             var filterPlanId = ctx.ParseResult.GetValueForOption(planIdOption);
             var filterQueryHash = ctx.ParseResult.GetValueForOption(queryHashOption);
@@ -122,10 +127,19 @@ public static Command Create(ICredentialService? credentialService = null)
             // Load .env file if present (CLI args take precedence)
             var env = ConnectionHelper.LoadEnvFile();
             login ??= env.GetValueOrDefault("PLANVIEW_LOGIN");
-            password ??= env.GetValueOrDefault("PLANVIEW_PASSWORD");
             if (!trustCert && env.GetValueOrDefault("PLANVIEW_TRUST_CERT")?.Equals("true", StringComparison.OrdinalIgnoreCase) == true)
                 trustCert = true;
 
+            // Resolve password from --password-stdin, --password, or PLANVIEW_PASSWORD
+            if (!PasswordResolver.TryResolve(
+                    passwordInline, passwordStdin, stdinAlreadyClaimed: false,
+                    env.GetValueOrDefault("PLANVIEW_PASSWORD"),
+                    out var password))
+            {
+                Environment.ExitCode = 1;
+                return;
+            }
+
             if (top < 1)
             {
                 Console.Error.WriteLine("--top must be >= 1");