Runtime-tunable queries via KV configs
Pagination, rate-limits, query thresholds — addressable via $config.<path> directly inside SELECT.
A canonical multi-tenant pagination + filter pattern reads its knobs from the KV store at parse time. Operations changes the value once; every query everywhere picks it up on next execution. The substitution is a typed Value (function-call AST node), not a textual splice, so SQL injection through KV writes is structurally impossible.
sql
-- Set per-tenant config in KV.
SET CONFIG acme.pagination.pageSize = 100;
SET CONFIG acme.search.maxResults = 50;
-- Reference inline. No application-layer fetch + format step.
SELECT id, name, role
FROM users
WHERE org_id = $1
AND (created_at, id) < ($2, $3)
ORDER BY created_at DESC, id DESC
LIMIT $config.acme.pagination.pageSize;
-- Vault secrets work the same way.
SELECT *
FROM hosts
WHERE deployer_token = $secret.acme.deploy.token;
-- Engine pulls the secret from vault as a typed Value;
-- nothing leaks into logs or query plans.