❄️ Snowflake + Makoto Integration Concept

Stored procedures + Tasks emit DBOMs on every load and transform.

Note: This page explores how Makoto Levels could be implemented on Snowflake. It is a conceptual integration proposal — illustrative, not a shipped library. The patterns shown use real Snowflake APIs; the Makoto pieces are sketches you (or we) could build out.

What is Snowflake?

Snowflake's COPY INTO, Streams, and Tasks framework provides natural attachment points for attestations. Stored procedures can compute content hashes, sign payloads via External Functions, and publish to an attestation table — all in pure SQL.

  • Streams + Tasks: Per-batch incremental change capture maps to attestation subjects
  • External Functions: Cosign / KMS signing via AWS Lambda or Azure Function
  • COPY INTO Metadata: File-level digests already tracked in `LOAD_HISTORY`
  • Native App: Distribute the integration as a Snowflake Native App

Integration Approach

Primary pattern: Stored procedure + Task + External Function for signing. Below are the integration options ordered by lift required.

How Makoto attaches to Snowflake

  • MAKOTO Native App — Install from Marketplace. Drops in `MAKOTO.PUBLIC.ATTEST_TABLE(...)`, `ATTEST_LOAD(...)` and a DBOM table.
  • Stored procedure library — Plain SQL — call `CALL MAKOTO_ATTEST_TRANSFORM('SALES.STG.ORDERS', 'SALES.MART.ORDERS', 2);` from any Task.
  • Stream-driven Tasks — Use a Stream + Task to fire an attestation each time a base table changes.
  • External Function signing — Snowflake → API Gateway → cosign in Lambda → signed envelope returned, persisted in DBOM table.

Conceptual Code Example

Concept: Task-driven Transform attestation

Pure SQL — the External Function does the signing

```sql
-- 1. Capture base-table changes
CREATE OR REPLACE STREAM sales.mart.orders_changes
  ON TABLE sales.stg.orders;

-- 2. External Function for signing (via AWS Lambda + cosign)
CREATE OR REPLACE EXTERNAL FUNCTION makoto.sign_dbom(payload VARIANT)
  RETURNS VARIANT
  API_INTEGRATION = makoto_signing_api
  AS 'https://api.makoto.dev/sign';

-- 3. Task that runs the transform AND emits an attestation
CREATE OR REPLACE TASK sales.mart.refresh_orders
  WAREHOUSE = mart_xs
  SCHEDULE  = '5 MINUTE'
  WHEN SYSTEM$STREAM_HAS_DATA('sales.mart.orders_changes')
AS
BEGIN
  -- Run the transform (reading the stream in DML advances its offset)
  INSERT INTO sales.mart.orders
  SELECT
    order_id,
    sha2(email, 256) AS email_hash,
    total_cents,
    placed_at
  FROM sales.mart.orders_changes
  WHERE METADATA$ACTION = 'INSERT';  -- a stream also carries DELETE rows; skip them

  -- Capture the transform's row count before the next statement overwrites it
  LET transformed_rows INTEGER := SQLROWCOUNT;

  -- Emit signed Transform attestation
  INSERT INTO makoto.dbom
  SELECT makoto.sign_dbom(OBJECT_CONSTRUCT(
    '_type',     'https://makoto.dev/transform/v0.1',
    'level',      2,
    'subject',    'SALES.MART.ORDERS',
    'inputs',     ARRAY_CONSTRUCT('SALES.STG.ORDERS'),
    'row_count',  :transformed_rows,  -- Scripting variables need the colon prefix inside SQL
    'timestamp',  CURRENT_TIMESTAMP()
  ));
END;

ALTER TASK sales.mart.refresh_orders RESUME;
```
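The other side of `makoto.sign_dbom`, as an added example that is not Makoto or Snowflake code: a Lambda proxy handler that accepts Snowflake's external-function batch format (`{"data": [[row_number, argument], ...]}`), signs each payload and returns one envelope per row, plus the check a consumer would run. Assumptions: the DSSE-style envelope layout, the `PAYLOAD_TYPE` media type, the key id, and HMAC-SHA256 with a constructed key standing in for the cosign / KMS call so the block runs offline.

```python
import base64, hashlib, hmac, json

PAYLOAD_TYPE = "application/vnd.makoto.dbom+json"  # hypothetical media type
DEMO_KEY = b"constructed-demo-key"  # stand-in secret; production would call KMS/cosign
KEY_ID = "demo-key-1"  # hypothetical key id

def pae(payload_type: str, body: bytes) -> bytes:
    """DSSE pre-authentication encoding: binds the payload type to the body."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(body), body)

def sign_envelope(payload, key: bytes = DEMO_KEY) -> dict:
    # Canonical JSON so the same payload always yields the same signed bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, body), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(body).decode(),
        "signatures": [{"keyid": KEY_ID, "sig": base64.b64encode(sig).decode()}],
    }

def verify_envelope(env: dict, key: bytes = DEMO_KEY):
    """Return the decoded payload, or raise ValueError if the signature fails."""
    body = base64.b64decode(env["payload"])
    expected = hmac.new(key, pae(env["payloadType"], body), hashlib.sha256).digest()
    got = base64.b64decode(env["signatures"][0]["sig"])
    if not hmac.compare_digest(expected, got):
        raise ValueError("DBOM signature mismatch")
    return json.loads(body)

def handler(event, context=None):
    """Lambda proxy handler: one signed envelope per row, same row numbers back."""
    try:
        rows = json.loads(event["body"])["data"]
        out = [[row_no, sign_envelope(payload)] for row_no, payload in rows]
        return {"statusCode": 200, "body": json.dumps({"data": out})}
    except (KeyError, TypeError, ValueError) as exc:
        # Fail closed: a malformed batch gets no signature at all.
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}

# Constructed sample request, shaped like the payload built in the Task above.
SAMPLE_EVENT = {"body": json.dumps({"data": [[0, {
    "_type": "https://makoto.dev/transform/v0.1", "level": 2,
    "subject": "SALES.MART.ORDERS", "inputs": ["SALES.STG.ORDERS"],
    "row_count": 42, "timestamp": "2024-01-01T00:00:00Z"}]]})}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT)["body"])
```

Because the signature covers the payload type and the canonical body together, a consumer reading `makoto.dbom` can detect any edit to `row_count`, `inputs` or `subject` made after signing.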

Potential Use Cases

Regulated Warehouses

Healthcare, finance, gov — every table mutation leaves a signed receipt.

Data Sharing

Snowflake data shares ship with DBOMs the consumer can verify before mounting.

Native App Distribution

Sell MAKOTO as a Native App so customers get DBOM coverage in one click.

Time Travel + DBOM

Pair Time Travel snapshots with attestations for full auditable history.

Interested in Snowflake + Makoto?

This is a conceptual integration. If you're shipping Snowflake pipelines and want to add Makoto attestations, open an issue or reach out — we'd love to scope a real implementation.
