Config-driven SQL (no app-layer fetch)
Reference $config.acme.pagination.pageSize directly inside a SELECT. The engine resolves it as a typed value at parse time.
A pagination knob lives in the KV namespace. Every query that paginates reads it inline — operations team adjusts the page size at runtime, no deploy, no client change. The substitution is structural (typed Value through an AST function call), so SQL injection is impossible regardless of who can write the key.
sql
-- 1. Set the config (admin panel, deploy script, runbook).
SET CONFIG acme.pagination.pageSize = 100;
-- 2. Use it directly in any query.
SELECT id, name, created_at
FROM users
WHERE org_id = $1
ORDER BY id DESC
LIMIT $config.acme.pagination.pageSize;
-- 3. Tune at runtime — no app deploy.
SET CONFIG acme.pagination.pageSize = 250;
-- Subsequent queries pick up the new value on next execution.
-- Same pattern for vault secrets used inside SQL functions.
INSERT INTO notes (body) VALUES ($1)
WITH AUTO EMBED (body) USING openai;
-- The engine reads $red.secret.openai.api_key from vault internally;
-- it never appears in your application code or query string.