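// --- /query (SELECT only) ---
// Runs a caller-supplied SQL string on $pdo and returns the rows as JSON.
//
// NOTE(review): the SQL text comes straight from the query string, so the
// keyword check below is only a coarse filter, not an access control. A
// statement that starts with SELECT can still read every table the
// connection's account can see. Serve this route from a read-only database
// account restricted to the intended tables, and put authentication in front
// of it. Neither is visible in this block; confirm both.
if ($method === 'GET' && $uri === '/query') {
    $sql = $_GET['sql'] ?? null;

    // "?sql[]=..." arrives as an array, and preg_match() needs a string.
    // One trailing ';' (plus whitespace) is tolerated and stripped.
    $statement = is_string($sql) ? rtrim($sql, "; \t\n\r\0\x0B") : '';

    // The /i flag already makes the keyword match case-insensitive.
    $startsWithSelect = preg_match('/^\s*select/i', $statement) === 1;

    // Any remaining ';' would let a second statement ride behind the SELECT
    // on drivers that accept multiple statements per query() call. This also
    // rejects a ';' inside a string literal, which is the safer failure mode.
    $hasSeparator = strpos($statement, ';') !== false;

    if ($statement === '' || !$startsWithSelect || $hasSeparator) {
        http_response_code(403);
        echo json_encode(['error' => 'Solo se permiten consultas SELECT']);
        exit;
    }

    try {
        $stmt = $pdo->query($statement);
        if ($stmt === false) {
            // Only reachable when PDO is not in exception mode; without this
            // check the fetchAll() call below would fail on a boolean.
            throw new RuntimeException('La consulta no pudo ejecutarse');
        }
        $data = $stmt->fetchAll(PDO::FETCH_ASSOC);
        echo json_encode($data);
    } catch (Exception $e) {
        http_response_code(400);
        // NOTE(review): 'detalle' sends the raw driver message to the client,
        // which can disclose table and column names. Consider logging it
        // server-side and returning only the generic error.
        echo json_encode(['error' => 'Error en la consulta', 'detalle' => $e->getMessage()]);
    }
    exit;
}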