@budibase/backend-core 2.33.2 → 2.33.3

package/dist/index.js

@@ -33554,14 +33554,14 @@ var require_putty = __commonJS({
       var buf = rfc4253.write(key);
       var comment = key.comment || "";
       var b64 = buf.toString("base64");
-      var lines = wrap(b64, 64);
+      var lines = wrap2(b64, 64);
       lines.unshift("Public-Lines: " + lines.length);
       lines.unshift("Comment: " + comment);
       lines.unshift("Encryption: none");
       lines.unshift("PuTTY-User-Key-File-2: " + alg);
       return Buffer2.from(lines.join("\n") + "\n");
     }
-    function wrap(txt, len) {
+    function wrap2(txt, len) {
       var lines = [];
       var pos = 0;
       while (pos < txt.length) {
@@ -49489,7 +49489,7 @@ var require_util2 = __commonJS({
       coerceToTypes,
       toHash,
       getProperty,
-      escapeQuotes,
+      escapeQuotes: escapeQuotes2,
       equal: require_fast_deep_equal(),
       ucs2length: require_ucs2length(),
       varOccurences,
@@ -49578,9 +49578,9 @@ var require_util2 = __commonJS({
     var IDENTIFIER = /^[a-z$_][a-z$_0-9]*$/i;
     var SINGLE_QUOTE = /'|\\/g;
     function getProperty(key) {
-      return typeof key == "number" ? "[" + key + "]" : IDENTIFIER.test(key) ? "." + key : "['" + escapeQuotes(key) + "']";
+      return typeof key == "number" ? "[" + key + "]" : IDENTIFIER.test(key) ? "." + key : "['" + escapeQuotes2(key) + "']";
     }
-    function escapeQuotes(str) {
+    function escapeQuotes2(str) {
       return str.replace(SINGLE_QUOTE, "\\$&").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\f/g, "\\f").replace(/\t/g, "\\t");
     }
     function varOccurences(str, dataVar) {
@@ -49615,7 +49615,7 @@ var require_util2 = __commonJS({
           return key;
     }
     function toQuotedString(str) {
-      return "'" + escapeQuotes(str) + "'";
+      return "'" + escapeQuotes2(str) + "'";
     }
     function getPathExpr(currentPath, expr, jsonPointers, isNumber) {
       var path3 = jsonPointers ? "'/' + " + expr + (isNumber ? "" : ".replace(/~/g, '~0').replace(/\\//g, '~1')") : isNumber ? "'[' + " + expr + " + ']'" : "'[\\'' + " + expr + " + '\\']'";
@@ -56189,8 +56189,8 @@ var require_oauth4 = __commonJS({
       var sha1 = shasum.digest("hex");
       return Buffer2.from(sha1, "hex").toString("base64");
     };
-    OAuth.prototype.concatParams = function(oa, sep, wrap) {
-      wrap = wrap || "";
+    OAuth.prototype.concatParams = function(oa, sep, wrap2) {
+      wrap2 = wrap2 || "";
       var params2 = Object.keys(oa).filter(function(i) {
         return i !== "realm" && i !== "oauth_signature";
       }).sort();
@@ -56199,7 +56199,7 @@ var require_oauth4 = __commonJS({
       }
       params2.push("oauth_signature");
       return params2.map(function(i) {
-        return i + "=" + wrap + oauth.rfc3986(oa[i]) + wrap;
+        return i + "=" + wrap2 + oauth.rfc3986(oa[i]) + wrap2;
       }).join(sep);
     };
     OAuth.prototype.onRequest = function(_oauth) {
@@ -61253,7 +61253,7 @@ __export(src_exports, {
   plugins: () => plugin_exports,
   queue: () => queue_exports,
   redis: () => redis_exports,
-  roles: () => roles_exports,
+  roles: () => roles_exports2,
   security: () => security_exports,
   sessions: () => sessions_exports,
   setEnv: () => setEnv,
@@ -62109,6 +62109,7 @@ __export(helpers_exports, {
   getUserLabel: () => getUserLabel,
   isGoogleSheets: () => isGoogleSheets,
   isSQL: () => isSQL,
+  roles: () => roles_exports,
   schema: () => schema_exports,
   views: () => views_exports,
   withTimeout: () => withTimeout
@@ -62334,6 +62335,48 @@ function basicFields(view, opts) {
   });
 }
 
+// ../shared-core/src/helpers/roles.ts
+var roles_exports = {};
+__export(roles_exports, {
+  checkForRoleInheritanceLoops: () => checkForRoleInheritanceLoops
+});
+function prefixForCheck(id) {
+  return `${"role" /* ROLE */}${SEPARATOR}${id}`;
+}
+function checkForRoleInheritanceLoops(roles) {
+  const roleMap = /* @__PURE__ */ new Map();
+  roles.forEach((role) => {
+    roleMap.set(role._id, role);
+  });
+  const checked = /* @__PURE__ */ new Set();
+  const checking = /* @__PURE__ */ new Set();
+  function hasLoop(roleId) {
+    const prefixed2 = prefixForCheck(roleId);
+    if (checking.has(roleId) || checking.has(prefixed2)) {
+      return true;
+    }
+    if (checked.has(roleId) || checked.has(prefixed2)) {
+      return false;
+    }
+    checking.add(roleId);
+    const role = roleMap.get(prefixed2) || roleMap.get(roleId);
+    if (!role) {
+      checking.delete(roleId);
+      return false;
+    }
+    const inherits = Array.isArray(role.inherits) ? role.inherits : [role.inherits];
+    for (const inheritedId of inherits) {
+      if (inheritedId && hasLoop(inheritedId)) {
+        return true;
+      }
+    }
+    checking.delete(roleId);
+    checked.add(roleId);
+    return false;
+  }
+  return !!roles.find((role) => hasLoop(role._id));
+}
+
 // ../shared-core/src/filters.ts
 var import_lodash2 = require("lodash");
 var HBS_REGEX = /{{([^{].*?)}}/g;
@@ -63244,6 +63287,7 @@ var allowDisplayColumnByType = {
   ["number" /* NUMBER */]: true,
   ["datetime" /* DATETIME */]: true,
   ["formula" /* FORMULA */]: true,
+  ["ai" /* AI */]: true,
   ["auto" /* AUTO */]: true,
   ["internal" /* INTERNAL */]: true,
   ["barcodeqr" /* BARCODEQR */]: true,
@@ -63271,6 +63315,7 @@ var allowSortColumnByType = {
   ["boolean" /* BOOLEAN */]: true,
   ["json" /* JSON */]: true,
   ["formula" /* FORMULA */]: false,
+  ["ai" /* AI */]: false,
   ["attachment" /* ATTACHMENTS */]: false,
   ["attachment_single" /* ATTACHMENT_SINGLE */]: false,
   ["signature_single" /* SIGNATURE_SINGLE */]: false,
@@ -63293,6 +63338,7 @@ var allowDefaultColumnByType = {
   ["bigint" /* BIGINT */]: false,
   ["boolean" /* BOOLEAN */]: false,
   ["formula" /* FORMULA */]: false,
+  ["ai" /* AI */]: false,
   ["attachment" /* ATTACHMENTS */]: false,
   ["attachment_single" /* ATTACHMENT_SINGLE */]: false,
   ["signature_single" /* SIGNATURE_SINGLE */]: false,
@@ -63498,7 +63544,7 @@ function doInUserContext(user, ctx, task) {
     hostInfo: {
       ipAddress: ctx.request.ip,
       // filled in by koa-useragent package
-      userAgent: ctx.userAgent._agent.source
+      userAgent: ctx.userAgent.source
     }
   };
   return doInIdentityContext2(userContext, task);
@@ -63560,23 +63606,35 @@ function httpLogging() {
   return process.env.HTTP_LOGGING;
 }
 function getPackageJsonFields() {
-  function findFileInAncestors(fileName, currentDir) {
-    const filePath = `${currentDir}/${fileName}`;
-    if ((0, import_fs.existsSync)(filePath)) {
-      return filePath;
+  function getParentFile(file) {
+    function findFileInAncestors(fileName, currentDir) {
+      const filePath = `${currentDir}/${fileName}`;
+      if ((0, import_fs.existsSync)(filePath)) {
+        return filePath;
+      }
+      const parentDir = `${currentDir}/..`;
+      if (parentDir === currentDir) {
+        return null;
+      }
+      return findFileInAncestors(fileName, parentDir);
     }
-    const parentDir = `${currentDir}/..`;
-    if (parentDir === currentDir) {
-      return null;
+    const packageJsonFile = findFileInAncestors(file, process.cwd());
+    const content = (0, import_fs.readFileSync)(packageJsonFile, "utf-8");
+    const parsedContent = JSON.parse(content);
+    return parsedContent;
+  }
+  let localVersion;
+  if (isDev() && !isTest()) {
+    try {
+      const lerna = getParentFile("lerna.json");
+      localVersion = `${lerna.version}+local`;
+    } catch {
     }
-    return findFileInAncestors(fileName, parentDir);
   }
   try {
-    const packageJsonFile = findFileInAncestors("package.json", process.cwd());
-    const content = (0, import_fs.readFileSync)(packageJsonFile, "utf-8");
-    const parsedContent = JSON.parse(content);
+    const parsedContent = getParentFile("package.json");
     return {
-      VERSION: process.env.BUDIBASE_VERSION || parsedContent.version,
+      VERSION: localVersion || process.env.BUDIBASE_VERSION || parsedContent.version,
       SERVICE_NAME: parsedContent.name
     };
   } catch {
@@ -66555,7 +66613,7 @@ var QueryBuilder = class _QueryBuilder {
   preprocess(value, {
     escape,
     lowercase,
-    wrap,
+    wrap: wrap2,
     type
   } = {}) {
     const hasVersion = !!this.#version;
@@ -66568,7 +66626,7 @@ var QueryBuilder = class _QueryBuilder {
     }
     if (originalType === "string" && !isNaN(value) && !type) {
       value = `"${value}"`;
-    } else if (hasVersion && wrap) {
+    } else if (hasVersion && wrap2) {
       value = originalType === "number" ? value : `"${value}"`;
     }
     return value;
@@ -67726,12 +67784,13 @@ var FlagSet = class {
   }
 };
 var flags = new FlagSet({
-  DEFAULT_VALUES: Flag.boolean(environment_default.isDev()),
-  AUTOMATION_BRANCHING: Flag.boolean(environment_default.isDev()),
-  SQS: Flag.boolean(true),
+  ["DEFAULT_VALUES" /* DEFAULT_VALUES */]: Flag.boolean(environment_default.isDev()),
+  ["AUTOMATION_BRANCHING" /* AUTOMATION_BRANCHING */]: Flag.boolean(environment_default.isDev()),
+  ["SQS" /* SQS */]: Flag.boolean(true),
   ["AI_CUSTOM_CONFIGS" /* AI_CUSTOM_CONFIGS */]: Flag.boolean(environment_default.isDev()),
   ["ENRICHED_RELATIONSHIPS" /* ENRICHED_RELATIONSHIPS */]: Flag.boolean(environment_default.isDev()),
-  ["TABLES_DEFAULT_ADMIN" /* TABLES_DEFAULT_ADMIN */]: Flag.boolean(environment_default.isDev())
+  ["TABLES_DEFAULT_ADMIN" /* TABLES_DEFAULT_ADMIN */]: Flag.boolean(environment_default.isDev()),
+  ["BUDIBASE_AI" /* BUDIBASE_AI */]: Flag.boolean(environment_default.isDev())
 });
 
 // src/features/tests/utils.ts
@@ -68119,7 +68178,7 @@ var DatabaseImpl = class _DatabaseImpl {
     });
   }
   async destroy() {
-    if (await flags.isEnabled("SQS") && await this.exists(SQLITE_DESIGN_DOC_ID)) {
+    if (await flags.isEnabled("SQS" /* SQS */) && await this.exists(SQLITE_DESIGN_DOC_ID)) {
       const definition = await this.get(SQLITE_DESIGN_DOC_ID);
       definition.sql.tables = {};
       await this.put(definition);
@@ -69321,27 +69380,35 @@ var EmailUnavailableError = class extends Error {
 };
 
 // src/security/roles.ts
-var roles_exports = {};
-__export(roles_exports, {
+var roles_exports2 = {};
+__export(roles_exports2, {
   AccessController: () => AccessController,
   BUILTIN_ROLE_IDS: () => BUILTIN_ROLE_IDS,
-  Role: () => Role,
+  Role: () => Role2,
+  RoleHierarchyTraversal: () => RoleHierarchyTraversal,
   RoleIDVersion: () => RoleIDVersion,
   builtinRoleToNumber: () => builtinRoleToNumber,
   checkForRoleResourceArray: () => checkForRoleResourceArray,
+  compareRoleIds: () => compareRoleIds,
+  externalRole: () => externalRole,
+  findRole: () => findRole,
   getAllRoleIds: () => getAllRoleIds,
   getAllRoles: () => getAllRoles,
   getBuiltinRole: () => getBuiltinRole,
   getBuiltinRoles: () => getBuiltinRoles,
   getDBRoleID: () => getDBRoleID,
   getExternalRoleID: () => getExternalRoleID,
+  getExternalRoleIDs: () => getExternalRoleIDs,
   getRole: () => getRole,
   getUserRoleHierarchy: () => getUserRoleHierarchy,
   getUserRoleIdHierarchy: () => getUserRoleIdHierarchy,
   isBuiltin: () => isBuiltin,
   lowerBuiltinRoleID: () => lowerBuiltinRoleID,
-  roleToNumber: () => roleToNumber
+  prefixRoleIDNoBuiltin: () => prefixRoleIDNoBuiltin,
+  roleToNumber: () => roleToNumber,
+  saveRoles: () => saveRoles
 });
+var import_semver = __toESM(require("semver"));
 
 // src/security/permissions.ts
 var permissions_exports = {};
@@ -69493,6 +69560,7 @@ var GLOBAL_BUILDER = "globalBuilder" /* GLOBAL_BUILDER */;
 
 // src/security/roles.ts
 var import_cloneDeep2 = __toESM(require("lodash/fp/cloneDeep"));
+var import_lodash4 = require("lodash");
 var BUILTIN_ROLE_IDS = {
   ADMIN: "ADMIN",
   POWER: "POWER",
@@ -69503,19 +69571,20 @@ var BUILTIN_IDS = {
   ...BUILTIN_ROLE_IDS,
   BUILDER: "BUILDER"
 };
-var EXTERNAL_BUILTIN_ROLE_IDS = [
-  BUILTIN_IDS.ADMIN,
-  BUILTIN_IDS.POWER,
-  BUILTIN_IDS.BASIC,
-  BUILTIN_IDS.PUBLIC
-];
 var RoleIDVersion = {
   // original version, with a UUID based ID
   UUID: void 0,
   // new version - with name based ID
   NAME: "name"
 };
-var Role = class {
+function rolesInList(roleIds, ids) {
+  if (Array.isArray(ids)) {
+    return ids.filter((id) => roleIds.includes(id)).length === ids.length;
+  } else {
+    return roleIds.includes(ids);
+  }
+}
+var Role2 = class {
   constructor(id, name, permissionId, uiMetadata) {
     this.permissions = {};
     this._id = id;
@@ -69525,12 +69594,57 @@ var Role = class {
     this.version = RoleIDVersion.NAME;
   }
   addInheritance(inherits) {
+    if (inherits && typeof inherits === "string") {
+      inherits = prefixRoleIDNoBuiltin(inherits);
+    } else if (inherits && Array.isArray(inherits)) {
+      inherits = inherits.map(prefixRoleIDNoBuiltin);
+    }
     this.inherits = inherits;
     return this;
   }
 };
+var RoleHierarchyTraversal = class {
+  constructor(allRoles, opts) {
+    this.allRoles = allRoles;
+    this.opts = opts;
+  }
+  walk(role) {
+    const opts = this.opts, allRoles = this.allRoles;
+    let roleList = [];
+    if (!role || !role._id) {
+      return roleList;
+    }
+    roleList.push(role);
+    if (Array.isArray(role.inherits)) {
+      for (let roleId of role.inherits) {
+        const foundRole = findRole(roleId, allRoles, opts);
+        if (foundRole) {
+          roleList = roleList.concat(this.walk(foundRole));
+        }
+      }
+    } else {
+      const foundRoleIds = [];
+      let currentRole = role;
+      while (currentRole && currentRole.inherits && !rolesInList(foundRoleIds, currentRole.inherits)) {
+        if (Array.isArray(currentRole.inherits)) {
+          return roleList.concat(this.walk(currentRole));
+        } else {
+          foundRoleIds.push(currentRole.inherits);
+          currentRole = findRole(currentRole.inherits, allRoles, opts);
+          if (currentRole) {
+            roleList.push(currentRole);
+          }
+        }
+        if (helpers_exports.roles.checkForRoleInheritanceLoops(roleList)) {
+          break;
+        }
+      }
+    }
+    return (0, import_lodash4.uniqBy)(roleList, (role2) => role2._id);
+  }
+};
 var BUILTIN_ROLES = {
-  ADMIN: new Role(
+  ADMIN: new Role2(
     BUILTIN_IDS.ADMIN,
     BUILTIN_IDS.ADMIN,
     "admin" /* ADMIN */,
@@ -69540,7 +69654,7 @@ var BUILTIN_ROLES = {
       color: "var(--spectrum-global-color-static-red-400)" /* ADMIN */
     }
   ).addInheritance(BUILTIN_IDS.POWER),
-  POWER: new Role(
+  POWER: new Role2(
     BUILTIN_IDS.POWER,
     BUILTIN_IDS.POWER,
     "power" /* POWER */,
@@ -69550,7 +69664,7 @@ var BUILTIN_ROLES = {
       color: "var(--spectrum-global-color-static-orange-400)" /* POWER */
     }
   ).addInheritance(BUILTIN_IDS.BASIC),
-  BASIC: new Role(
+  BASIC: new Role2(
     BUILTIN_IDS.BASIC,
     BUILTIN_IDS.BASIC,
     "write" /* WRITE */,
@@ -69560,7 +69674,7 @@ var BUILTIN_ROLES = {
       color: "var(--spectrum-global-color-static-green-400)" /* BASIC */
     }
   ).addInheritance(BUILTIN_IDS.PUBLIC),
-  PUBLIC: new Role(
+  PUBLIC: new Role2(
     BUILTIN_IDS.PUBLIC,
     BUILTIN_IDS.PUBLIC,
     "public" /* PUBLIC */,
@@ -69570,7 +69684,7 @@ var BUILTIN_ROLES = {
       color: "var(--spectrum-global-color-static-blue-400)" /* PUBLIC */
     }
   ),
-  BUILDER: new Role(
+  BUILDER: new Role2(
     BUILTIN_IDS.BUILDER,
     BUILTIN_IDS.BUILDER,
     "admin" /* ADMIN */,
@@ -69585,7 +69699,14 @@ function getBuiltinRoles() {
   return (0, import_cloneDeep2.default)(BUILTIN_ROLES);
 }
 function isBuiltin(role) {
-  return getBuiltinRole(role) !== void 0;
+  return Object.values(BUILTIN_ROLE_IDS).includes(role);
+}
+function prefixRoleIDNoBuiltin(roleId) {
+  if (isBuiltin(roleId)) {
+    return roleId;
+  } else {
+    return prefixRoleID(roleId);
+  }
 }
 function getBuiltinRole(roleId) {
   const role = Object.values(BUILTIN_ROLES).find(
@@ -69607,7 +69728,11 @@ function builtinRoleToNumber(id) {
     if (!role) {
       break;
     }
-    role = builtins[role.inherits];
+    if (Array.isArray(role.inherits)) {
+      throw new Error("Built-in roles don't support multi-inheritance");
+    } else {
+      role = builtins[role.inherits];
+    }
     count++;
   } while (role !== null);
   return count;
@@ -69619,12 +69744,26 @@ async function roleToNumber(id) {
   const hierarchy = await getUserRoleHierarchy(id, {
     defaultPublic: true
   });
-  for (let role of hierarchy) {
-    if (role?.inherits && isBuiltin(role.inherits)) {
+  const findNumber = (role) => {
+    if (!role.inherits) {
+      return 0;
+    }
+    if (Array.isArray(role.inherits)) {
+      const highestBuiltin = role.inherits.map((roleId) => {
+        const foundRole = hierarchy.find((role2) => role2._id === roleId);
+        if (foundRole) {
+          return findNumber(foundRole) + 1;
+        }
+      }).filter((number) => number).sort().pop();
+      if (highestBuiltin != void 0) {
+        return highestBuiltin;
+      }
+    } else if (isBuiltin(role.inherits)) {
       return builtinRoleToNumber(role.inherits) + 1;
     }
-  }
-  return 0;
+    return 0;
+  };
+  return Math.max(...hierarchy.map(findNumber));
 }
 function lowerBuiltinRoleID(roleId1, roleId2) {
   if (!roleId1) {
@@ -69635,39 +69774,67 @@ function lowerBuiltinRoleID(roleId1, roleId2) {
   }
   return builtinRoleToNumber(roleId1) > builtinRoleToNumber(roleId2) ? roleId2 : roleId1;
 }
-async function getRole(roleId, opts) {
+function compareRoleIds(roleId1, roleId2) {
+  return prefixRoleID(roleId1) === prefixRoleID(roleId2);
+}
+function externalRole(role) {
+  let _id;
+  if (role._id) {
+    _id = getExternalRoleID(role._id);
+  }
+  return {
+    ...role,
+    _id,
+    inherits: getExternalRoleIDs(role.inherits, role.version)
+  };
+}
+function findRole(roleId, roles, opts) {
   let role = getBuiltinRole(roleId);
   if (!role) {
     roleId = prefixRoleID(roleId);
   }
-  try {
-    const db = getAppDB();
-    const dbRole = await db.get(getDBRoleID(roleId));
-    role = Object.assign(role || {}, dbRole);
+  const dbRole = roles.find(
+    (role2) => role2._id && compareRoleIds(role2._id, roleId)
+  );
+  if (!dbRole && !isBuiltin(roleId) && opts?.defaultPublic) {
+    return (0, import_cloneDeep2.default)(BUILTIN_ROLES.PUBLIC);
+  }
+  role = Object.assign(role || {}, dbRole);
+  if (role?._id) {
     role._id = getExternalRoleID(role._id, role.version);
-  } catch (err) {
-    if (!isBuiltin(roleId) && opts?.defaultPublic) {
-      return (0, import_cloneDeep2.default)(BUILTIN_ROLES.PUBLIC);
-    }
-    if (!role || Object.keys(role).length === 0) {
-      throw err;
+  }
+  return Object.keys(role).length === 0 ? void 0 : role;
+}
+async function getRole(roleId, opts) {
+  const db = getAppDB();
+  const roleList = [];
+  if (!isBuiltin(roleId)) {
+    const role = await db.tryGet(getDBRoleID(roleId));
+    if (role) {
+      roleList.push(role);
     }
   }
-  return role;
+  return findRole(roleId, roleList, opts);
+}
+async function saveRoles(roles) {
+  const db = getAppDB();
+  await db.bulkDocs(
+    roles.filter((role) => role._id).map((role) => ({
+      ...role,
+      _id: prefixRoleID(role._id)
+    }))
+  );
 }
 async function getAllUserRoles(userRoleId, opts) {
+  const allRoles = await getAllRoles();
   if (userRoleId === BUILTIN_IDS.ADMIN) {
-    return getAllRoles();
+    return allRoles;
   }
-  let currentRole = await getRole(userRoleId, opts);
-  let roles = currentRole ? [currentRole] : [];
-  let roleIds = [userRoleId];
-  while (currentRole && currentRole.inherits && roleIds.indexOf(currentRole.inherits) === -1) {
-    roleIds.push(currentRole.inherits);
-    currentRole = await getRole(currentRole.inherits);
-    if (currentRole) {
-      roles.push(currentRole);
-    }
+  const foundRole = findRole(userRoleId, allRoles, opts);
+  let roles = [];
+  if (foundRole) {
+    const traversal = new RoleHierarchyTraversal(allRoles, opts);
+    roles = traversal.walk(foundRole);
   }
   return roles;
 }
@@ -69717,7 +69884,22 @@ async function getAllRoles(appId) {
       );
     }
     const builtinRoles = getBuiltinRoles();
-    for (let builtinRoleId of EXTERNAL_BUILTIN_ROLE_IDS) {
+    let externalBuiltinRoles = [];
+    if (!db || await shouldIncludePowerRole(db)) {
+      externalBuiltinRoles = [
+        BUILTIN_IDS.ADMIN,
+        BUILTIN_IDS.POWER,
+        BUILTIN_IDS.BASIC,
+        BUILTIN_IDS.PUBLIC
+      ];
+    } else {
+      externalBuiltinRoles = [
+        BUILTIN_IDS.ADMIN,
+        BUILTIN_IDS.BASIC,
+        BUILTIN_IDS.PUBLIC
+      ];
+    }
+    for (let builtinRoleId of externalBuiltinRoles) {
       const builtinRole = builtinRoles[builtinRoleId];
       const dbBuiltin = roles.filter(
         (dbRole) => getExternalRoleID(dbRole._id, dbRole.version) === builtinRoleId
@@ -69744,6 +69926,15 @@ async function getAllRoles(appId) {
     return roles;
   }
 }
+async function shouldIncludePowerRole(db) {
+  const app = await db.tryGet("app_metadata" /* APP_METADATA */);
+  const creationVersion = app?.creationVersion;
+  if (!creationVersion || !import_semver.default.valid(creationVersion)) {
+    return true;
+  }
+  const isGreaterThan3x = import_semver.default.gte(creationVersion, "3.0.0");
+  return !isGreaterThan3x;
+}
 var AccessController = class {
   constructor() {
     this.userHierarchies = {};
@@ -69757,7 +69948,7 @@ var AccessController = class {
       roleIds = await getUserRoleIdHierarchy(userRoleId);
       this.userHierarchies[userRoleId] = roleIds;
     }
-    return roleIds?.indexOf(tryingRoleId) !== -1;
+    return roleIds?.find((roleId) => compareRoleIds(roleId, tryingRoleId)) !== void 0;
   }
   async checkScreensAccess(screens, userRoleId) {
     let accessibleScreens = [];
@@ -69784,13 +69975,22 @@ function getDBRoleID(roleName) {
   return prefixRoleID(roleName);
 }
 function getExternalRoleID(roleId, version) {
-  if (roleId.startsWith("role" /* ROLE */) && (isBuiltin(roleId) || version === RoleIDVersion.NAME)) {
+  if (roleId.startsWith(`${"role" /* ROLE */}${SEPARATOR}`) && (isBuiltin(roleId) || version === RoleIDVersion.NAME)) {
     const parts = roleId.split(SEPARATOR);
     parts.shift();
     return parts.join(SEPARATOR);
   }
   return roleId;
 }
+function getExternalRoleIDs(roleIds, version) {
+  if (!roleIds) {
+    return roleIds;
+  } else if (typeof roleIds === "string") {
+    return getExternalRoleID(roleIds, version);
+  } else {
+    return roleIds.map((roleId) => getExternalRoleID(roleId, version));
+  }
+}
 
 // src/users/utils.ts
 var isBuilder2 = sdk_exports.users.isBuilder;
@@ -70590,7 +70790,7 @@ __export(installation_exports, {
   getInstall: () => getInstall,
   getInstallFromDB: () => getInstallFromDB
 });
-var import_semver = __toESM(require("semver"));
+var import_semver2 = __toESM(require("semver"));
 var getInstall = async () => {
   return withCache("installation" /* INSTALLATION */, 86400 /* ONE_DAY */, getInstallFromDB, {
     useTenancy: false
@@ -70659,8 +70859,8 @@ var checkInstallVersion = async () => {
   const newVersion = environment_default.VERSION;
   try {
     if (currentVersion !== newVersion) {
-      const isUpgrade = import_semver.default.gt(newVersion, currentVersion);
-      const isDowngrade = import_semver.default.lt(newVersion, currentVersion);
+      const isUpgrade = import_semver2.default.gt(newVersion, currentVersion);
+      const isDowngrade = import_semver2.default.lt(newVersion, currentVersion);
       const success = await updateVersion(newVersion);
       if (success) {
         await doInIdentityContext(
@@ -74435,6 +74635,7 @@ function timeMinusOneMinute() {
 function finalise(ctx, opts = {}) {
   ctx.publicEndpoint = opts.publicEndpoint || false;
   ctx.isAuthenticated = opts.authenticated || false;
+  ctx.loginMethod = opts.loginMethod;
   ctx.user = opts.user;
   ctx.internal = opts.internal || false;
   ctx.version = opts.version;
@@ -74492,7 +74693,7 @@ function authenticated_default(noAuthPatterns = [], opts = {
         apiKey = ctx.request.headers["authorization" /* AUTHORIZATION */].split(" ")[1];
       }
       const tenantId = ctx.request.headers["x-budibase-tenant-id" /* TENANT_ID */];
-      let authenticated = false, user = null, internal = false;
+      let authenticated = false, user = void 0, internal = false, loginMethod = void 0;
       if (authCookie && !apiKey) {
         const sessionId = authCookie.sessionId;
         const userId = authCookie.userId;
@@ -74514,6 +74715,7 @@ function authenticated_default(noAuthPatterns = [], opts = {
             });
           }
           user.csrfToken = session.csrfToken;
+          loginMethod = "cookie" /* COOKIE */;
           if (session?.lastAccessedAt < timeMinusOneMinute()) {
             await updateSessionTTL(session);
           }
@@ -74530,17 +74732,16 @@ function authenticated_default(noAuthPatterns = [], opts = {
           apiKey,
           populateUser
         );
-        if (valid && foundUser) {
+        if (valid) {
           authenticated = true;
+          loginMethod = "api_key" /* API_KEY */;
           user = foundUser;
-        } else if (valid) {
-          authenticated = true;
-          internal = true;
+          internal = !foundUser;
         }
       }
       if (!user && tenantId) {
         user = { tenantId };
-      } else if (user) {
+      } else if (user && "password" in user) {
         delete user.password;
       }
       if (!authenticated) {
@@ -74557,7 +74758,14 @@ function authenticated_default(noAuthPatterns = [], opts = {
           status: user.status
         });
       }
-      finalise(ctx, { authenticated, user, internal, version, publicEndpoint });
+      finalise(ctx, {
+        authenticated,
+        user,
+        internal,
+        version,
+        publicEndpoint,
+        loginMethod
+      });
       if (isUser(user)) {
         return doInUserContext(user, ctx, next);
       } else {
@@ -75294,7 +75502,7 @@ var import_knex2 = require("knex");
 // src/sql/sqlTable.ts
 var import_knex = require("knex");
 function isIgnoredType(type) {
-  const ignored = ["link" /* LINK */, "formula" /* FORMULA */];
+  const ignored = ["link" /* LINK */, "formula" /* FORMULA */, "ai" /* AI */];
   return ignored.indexOf(type) !== -1;
 }
 function generateSchema(schema, table, tables, oldTable = null, renamed) {
@@ -75390,6 +75598,8 @@ function generateSchema(schema, table, tables, oldTable = null, renamed) {
         break;
       case "formula" /* FORMULA */:
         break;
+      case "ai" /* AI */:
+        break;
       case "attachment" /* ATTACHMENTS */:
       case "attachment_single" /* ATTACHMENT_SINGLE */:
       case "signature_single" /* SIGNATURE_SINGLE */:
@@ -75521,7 +75731,7 @@ var SqlTableQueryBuilder = class {
 var sqlTable_default = SqlTableQueryBuilder;
 
 // src/sql/sql.ts
-var import_lodash4 = require("lodash");
+var import_lodash5 = require("lodash");
 var COUNT_FIELD_NAME = "__bb_total";
 function getBaseLimit() {
   const envLimit = environment_default.SQL_MAX_ROWS ? parseInt(environment_default.SQL_MAX_ROWS) : null;
@@ -75562,6 +75772,20 @@ function convertBooleans(query) {
 function isSqs(table) {
   return table.sourceType === "internal" /* INTERNAL */ || table.sourceId === INTERNAL_TABLE_SOURCE_ID;
 }
+function escapeQuotes(value, quoteChar = '"') {
+  return value.replace(new RegExp(quoteChar, "g"), `${quoteChar}${quoteChar}`);
+}
+function wrap(value, quoteChar = '"') {
+  return `${quoteChar}${escapeQuotes(value, quoteChar)}${quoteChar}`;
+}
+function stringifyArray(value, quoteStyle = '"') {
+  for (let i in value) {
+    if (typeof value[i] === "string") {
+      value[i] = wrap(value[i], quoteStyle);
+    }
+  }
+  return `[${value.join(",")}]`;
+}
 var allowEmptyRelationships = {
   ["equal" /* EQUAL */]: false,
   ["notEqual" /* NOT_EQUAL */]: true,
@@ -75599,28 +75823,24 @@ var InternalBuilder = class {
   get table() {
     return this.query.meta.table;
   }
+  get knexClient() {
+    return this.knex.client;
+  }
   getFieldSchema(key) {
     const { column } = this.splitter.run(key);
     return this.table.schema[column];
   }
+  supportsILike() {
+    return !(this.client === "oracledb" /* ORACLE */ || this.client === "sqlite3" /* SQL_LITE */);
+  }
   quoteChars() {
-    switch (this.client) {
-      case "oracledb" /* ORACLE */:
-      case "pg" /* POSTGRES */:
-        return ['"', '"'];
-      case "mssql" /* MS_SQL */:
-        return ["[", "]"];
-      case "mariadb" /* MARIADB */:
-      case "mysql2" /* MY_SQL */:
-      case "sqlite3" /* SQL_LITE */:
-        return ["`", "`"];
-    }
+    const wrapped = this.knexClient.wrapIdentifier("foo", {});
+    return [wrapped[0], wrapped[wrapped.length - 1]];
   }
-  // Takes a string like foo and returns a quoted string like [foo] for SQL Server
-  // and "foo" for Postgres.
+  // Takes a string like foo and returns a quoted string like [foo] for SQL
+  // Server and "foo" for Postgres.
   quote(str) {
-    const [start2, end2] = this.quoteChars();
-    return `${start2}${str}${end2}`;
+    return this.knexClient.wrapIdentifier(str, {});
   }
   isQuoted(key) {
     const [start2, end2] = this.quoteChars();
@@ -75635,6 +75855,27 @@ var InternalBuilder = class {
     }
     return key.map((part) => this.quote(part)).join(".");
   }
+  quotedValue(value) {
+    const formatter = this.knexClient.formatter(this.knexClient.queryBuilder());
+    return formatter.wrap(value, false);
+  }
+  rawQuotedValue(value) {
+    return this.knex.raw(this.quotedValue(value));
+  }
+  // Unfortuantely we cannot rely on knex's identifier escaping because it trims
+  // the identifier string before escaping it, which breaks cases for us where
+  // columns that start or end with a space aren't referenced correctly anymore.
+  //
+  // So whenever you're using an identifier binding in knex, e.g. knex.raw("??
+  // as ?", ["foo", "bar"]), you need to make sure you call this:
+  //
+  //   knex.raw("?? as ?", [this.quotedIdentifier("foo"), "bar"])
+  //
+  // Issue we filed against knex about this:
+  //   https://github.com/knex/knex/issues/6143
+  rawQuotedIdentifier(key) {
+    return this.knex.raw(this.quotedIdentifier(key));
+  }
   // Turns an identifier like a.b.c or `a`.`b`.`c` into ["a", "b", "c"]
   splitIdentifier(key) {
     const [start2, end2] = this.quoteChars();
@@ -75673,7 +75914,7 @@ var InternalBuilder = class {
     const alias = this.getTableName(endpoint.entityId);
     const schema = meta.table.schema;
     if (!this.isFullSelectStatementRequired()) {
-      return [this.knex.raw(`${this.quote(alias)}.*`)];
+      return [this.knex.raw("??", [`${alias}.*`])];
     }
     return resource.fields.map((field) => {
       const parts = field.split(/\./g);
@@ -75687,17 +75928,21 @@ var InternalBuilder = class {
     }).filter(({ table }) => !table || table === alias).map(({ table, column, field }) => {
       const columnSchema = schema[column];
       if (this.SPECIAL_SELECT_CASES.POSTGRES_MONEY(columnSchema)) {
-        return this.knex.raw(
-          `${this.quotedIdentifier(
-            [table, column].join(".")
-          )}::money::numeric as ${this.quote(field)}`
-        );
+        return this.knex.raw(`??::money::numeric as "${field}"`, [
+          this.rawQuotedIdentifier([table, column].join(".")),
+          field
+        ]);
       }
       if (this.SPECIAL_SELECT_CASES.MSSQL_DATES(columnSchema)) {
-        return this.knex.raw(`CONVERT(varchar, ${field}, 108) as "${field}"`);
+        return this.knex.raw(`CONVERT(varchar, ??, 108) as "${field}"`, [
+          this.rawQuotedIdentifier(field)
+        ]);
+      }
+      if (table) {
+        return this.rawQuotedIdentifier(`${table}.${column}`);
+      } else {
+        return this.rawQuotedIdentifier(field);
       }
-      const quoted = table ? `${this.quote(table)}.${this.quote(column)}` : this.quote(field);
-      return this.knex.raw(quoted);
     });
   }
   // OracleDB can't use character-large-objects (CLOBs) in WHERE clauses,
@@ -75712,12 +75957,15 @@ var InternalBuilder = class {
     const parts = this.splitIdentifier(field);
     const col = parts.pop();
     const schema = this.table.schema[col];
-    let identifier = this.quotedIdentifier(field);
+    let identifier = this.rawQuotedIdentifier(field);
     if (schema.type === "string" /* STRING */ || schema.type === "longform" /* LONGFORM */ || schema.type === "bb_reference_single" /* BB_REFERENCE_SINGLE */ || schema.type === "bb_reference" /* BB_REFERENCE */ || schema.type === "options" /* OPTIONS */ || schema.type === "barcodeqr" /* BARCODEQR */) {
       if (opts?.forSelect) {
-        identifier = `to_char(${identifier}) as ${this.quotedIdentifier(col)}`;
+        identifier = this.knex.raw("to_char(??) as ??", [
+          identifier,
+          this.rawQuotedIdentifier(col)
+        ]);
       } else {
-        identifier = `to_char(${identifier})`;
+        identifier = this.knex.raw("to_char(??)", [identifier]);
       }
     }
     return identifier;
@@ -75762,7 +76010,7 @@ var InternalBuilder = class {
     return body2;
   }
   parseFilters(filters) {
-    filters = (0, import_lodash4.cloneDeep)(filters);
+    filters = (0, import_lodash5.cloneDeep)(filters);
     for (const op of Object.values(BasicOperator)) {
       const filter = filters[op];
       if (!filter) {
@@ -75822,7 +76070,6 @@ var InternalBuilder = class {
     return query.andWhere(`${document}.fieldName`, "=", relationship.column);
   }
   addRelationshipForFilter(query, allowEmptyRelationships2, filterKey, whereCb) {
-    const mainKnex = this.knex;
     const { relationships, endpoint, tableAliases: aliases } = this.query;
     const tableName = endpoint.entityId;
     const fromAlias = aliases?.[tableName] || tableName;
@@ -75836,7 +76083,7 @@ var InternalBuilder = class {
       const matchesTableName = matches2(relatedTableName) || matches2(toAlias);
       const matchesRelationName = matches2(relationship.column);
       if ((matchesTableName || matchesRelationName) && relationship.to && relationship.tableName) {
-        const joinTable = mainKnex.select(mainKnex.raw(1)).from({ [toAlias]: relatedTableName });
+        const joinTable = this.knex.select(this.knex.raw(1)).from({ [toAlias]: relatedTableName });
         let subQuery = joinTable.clone();
         const manyToMany = validateManyToMany(relationship);
         let updatedKey;
@@ -75863,9 +76110,7 @@ var InternalBuilder = class {
           }).where(
             `${throughAlias}.${manyToMany.from}`,
             "=",
-            mainKnex.raw(
-              this.quotedIdentifier(`${fromAlias}.${manyToMany.fromPrimary}`)
-            )
+            this.rawQuotedIdentifier(`${fromAlias}.${manyToMany.fromPrimary}`)
           );
           if (this.client === "sqlite3" /* SQL_LITE */) {
             subQuery = this.addJoinFieldCheck(subQuery, manyToMany);
@@ -75890,7 +76135,7 @@ var InternalBuilder = class {
           subQuery = subQuery.where(
             toKey,
             "=",
-            mainKnex.raw(this.quotedIdentifier(foreignKey))
+            this.rawQuotedIdentifier(foreignKey)
           );
           query = query.where((q2) => {
             q2.whereExists(whereCb(updatedKey, subQuery.clone()));
@@ -75911,7 +76156,7 @@ var InternalBuilder = class {
     const builder = this;
     filters = this.parseFilters({ ...filters });
     const aliases = this.query.tableAliases;
-    const allOr = filters.allOr;
+    const shouldOr = filters.allOr;
     const isSqlite = this.client === "sqlite3" /* SQL_LITE */;
     const tableName = isSqlite ? this.table._id : this.table.name;
     function getTableAlias(name) {
@@ -75950,7 +76195,7 @@ var InternalBuilder = class {
             value
           );
         } else if (shouldProcessRelationship) {
-          if (allOr) {
+          if (shouldOr) {
             query = query.or;
           }
           query = builder.addRelationshipForFilter(
@@ -75965,75 +76210,89 @@ var InternalBuilder = class {
       }
     }
     const like = (q2, key, value) => {
-      const fuzzyOr = filters?.fuzzyOr;
-      const fnc = fuzzyOr || allOr ? "orWhere" : "where";
-      if (this.client === "pg" /* POSTGRES */) {
-        return q2[fnc](key, "ilike", `%${value}%`);
-      } else {
-        const rawFnc = `${fnc}Raw`;
-        return q2[rawFnc](`LOWER(${this.quotedIdentifier(key)}) LIKE ?`, [
+      if (filters?.fuzzyOr || shouldOr) {
+        q2 = q2.or;
+      }
+      if (this.client === "oracledb" /* ORACLE */ || this.client === "sqlite3" /* SQL_LITE */) {
+        return q2.whereRaw(`LOWER(??) LIKE ?`, [
+          this.rawQuotedIdentifier(key),
           `%${value.toLowerCase()}%`
         ]);
       }
+      return q2.whereILike(
+        // @ts-expect-error knex types are wrong, raw is fine here
+        this.rawQuotedIdentifier(key),
+        this.knex.raw("?", [`%${value}%`])
+      );
     };
     const contains = (mode, any = false) => {
-      const rawFnc = allOr ? "orWhereRaw" : "whereRaw";
-      const not = mode === filters?.notContains ? "NOT " : "";
-      function stringifyArray(value, quoteStyle = '"') {
-        for (let i in value) {
-          if (typeof value[i] === "string") {
-            value[i] = `${quoteStyle}${value[i]}${quoteStyle}`;
-          }
+      function addModifiers(q2) {
+        if (shouldOr || mode === filters?.containsAny) {
+          q2 = q2.or;
+        }
+        if (mode === filters?.notContains) {
+          q2 = q2.not;
         }
-        return `[${value.join(",")}]`;
+        return q2;
       }
       if (this.client === "pg" /* POSTGRES */) {
         iterate(mode, "contains" /* CONTAINS */, (q2, key, value) => {
-          const wrap = any ? "" : "'";
-          const op = any ? "\\?| array" : "@>";
-          const fieldNames = key.split(/\./g);
-          const table = fieldNames[0];
-          const col = fieldNames[1];
-          return q2[rawFnc](
-            `${not}COALESCE("${table}"."${col}"::jsonb ${op} ${wrap}${stringifyArray(
-              value,
-              any ? "'" : '"'
-            )}${wrap}, FALSE)`
-          );
+          q2 = addModifiers(q2);
+          if (any) {
+            return q2.whereRaw(`COALESCE(??::jsonb \\?| array??, FALSE)`, [
+              this.rawQuotedIdentifier(key),
+              this.knex.raw(stringifyArray(value, "'"))
+            ]);
+          } else {
+            return q2.whereRaw(`COALESCE(??::jsonb @> '??', FALSE)`, [
+              this.rawQuotedIdentifier(key),
+              this.knex.raw(stringifyArray(value))
+            ]);
+          }
         });
       } else if (this.client === "mysql2" /* MY_SQL */ || this.client === "mariadb" /* MARIADB */) {
-        const jsonFnc = any ? "JSON_OVERLAPS" : "JSON_CONTAINS";
         iterate(mode, "contains" /* CONTAINS */, (q2, key, value) => {
-          return q2[rawFnc](
-            `${not}COALESCE(${jsonFnc}(${key}, '${stringifyArray(
-              value
-            )}'), FALSE)`
-          );
+          return addModifiers(q2).whereRaw(`COALESCE(?(??, ?), FALSE)`, [
+            this.knex.raw(any ? "JSON_OVERLAPS" : "JSON_CONTAINS"),
+            this.rawQuotedIdentifier(key),
+            this.knex.raw(wrap(stringifyArray(value)))
+          ]);
         });
       } else {
-        const andOr = mode === filters?.containsAny ? " OR " : " AND ";
         iterate(mode, "contains" /* CONTAINS */, (q2, key, value) => {
-          let statement = "";
-          const identifier = this.quotedIdentifier(key);
-          for (let i in value) {
-            if (typeof value[i] === "string") {
-              value[i] = `%"${value[i].toLowerCase()}"%`;
-            } else {
-              value[i] = `%${value[i]}%`;
-            }
-            statement += `${statement ? andOr : ""}COALESCE(LOWER(${identifier}), '') LIKE ?`;
-          }
-          if (statement === "") {
+          if (value.length === 0) {
             return q2;
           }
-          if (not) {
-            return q2[rawFnc](
-              `(NOT (${statement}) OR ${identifier} IS NULL)`,
-              value
-            );
-          } else {
-            return q2[rawFnc](statement, value);
-          }
+          q2 = q2.where((subQuery) => {
+            if (mode === filters?.notContains) {
+              subQuery = subQuery.not;
+            }
+            subQuery = subQuery.where((subSubQuery) => {
+              for (const elem of value) {
+                if (mode === filters?.containsAny) {
+                  subSubQuery = subSubQuery.or;
+                } else {
+                  subSubQuery = subSubQuery.and;
+                }
+                const lower = typeof elem === "string" ? `"${elem.toLowerCase()}"` : elem;
+                subSubQuery = subSubQuery.whereLike(
+                  // @ts-expect-error knex types are wrong, raw is fine here
+                  this.knex.raw(`COALESCE(LOWER(??), '')`, [
+                    this.rawQuotedIdentifier(key)
+                  ]),
+                  `%${lower}%`
+                );
+              }
+            });
+            if (mode === filters?.notContains) {
+              subQuery = subQuery.or.whereNull(
+                // @ts-expect-error knex types are wrong, raw is fine here
+                this.rawQuotedIdentifier(key)
+              );
+            }
+            return subQuery;
+          });
+          return q2;
         });
       }
     };
@@ -76056,41 +76315,41 @@ var InternalBuilder = class {
       });
     }
     if (filters.oneOf) {
-      const fnc = allOr ? "orWhereIn" : "whereIn";
       iterate(
         filters.oneOf,
         "oneOf" /* ONE_OF */,
         (q2, key, array) => {
+          if (shouldOr) {
+            q2 = q2.or;
+          }
           if (this.client === "oracledb" /* ORACLE */) {
             key = this.convertClobs(key);
-            array = Array.isArray(array) ? array : [array];
-            const binding = new Array(array.length).fill("?").join(",");
-            return q2.whereRaw(`${key} IN (${binding})`, array);
-          } else {
-            return q2[fnc](key, Array.isArray(array) ? array : [array]);
           }
+          return q2.whereIn(key, Array.isArray(array) ? array : [array]);
         },
         (q2, key, array) => {
+          if (shouldOr) {
+            q2 = q2.or;
+          }
           if (this.client === "oracledb" /* ORACLE */) {
-            const keyStr = `(${key.map((k) => this.convertClobs(k)).join(",")})`;
-            const binding = `(${array.map((a) => `(${new Array(a.length).fill("?").join(",")})`).join(",")})`;
-            return q2.whereRaw(`${keyStr} IN ${binding}`, array.flat());
-          } else {
-            return q2[fnc](key, Array.isArray(array) ? array : [array]);
+            key = key.map((k) => this.convertClobs(k));
           }
+          return q2.whereIn(key, Array.isArray(array) ? array : [array]);
         }
       );
     }
     if (filters.string) {
       iterate(filters.string, "string" /* STRING */, (q2, key, value) => {
-        const fnc = allOr ? "orWhere" : "where";
-        if (this.client === "pg" /* POSTGRES */) {
-          return q2[fnc](key, "ilike", `${value}%`);
-        } else {
-          const rawFnc = `${fnc}Raw`;
-          return q2[rawFnc](`LOWER(${this.quotedIdentifier(key)}) LIKE ?`, [
+        if (shouldOr) {
+          q2 = q2.or;
+        }
+        if (this.client === "oracledb" /* ORACLE */ || this.client === "sqlite3" /* SQL_LITE */) {
+          return q2.whereRaw(`LOWER(??) LIKE ?`, [
+            this.rawQuotedIdentifier(key),
             `${value.toLowerCase()}%`
           ]);
+        } else {
+          return q2.whereILike(key, `${value}%`);
         }
       });
     }
@@ -76110,56 +76369,52 @@ var InternalBuilder = class {
         }
         const lowValid = isValidFilter(value.low), highValid = isValidFilter(value.high);
         const schema = this.getFieldSchema(key);
+        let rawKey = key;
+        let high = value.high;
+        let low = value.low;
         if (this.client === "oracledb" /* ORACLE */) {
-          key = this.knex.raw(this.convertClobs(key));
+          rawKey = this.convertClobs(key);
+        } else if (this.client === "sqlite3" /* SQL_LITE */ && schema?.type === "bigint" /* BIGINT */) {
+          rawKey = this.knex.raw("CAST(?? AS INTEGER)", [
+            this.rawQuotedIdentifier(key)
+          ]);
+          high = this.knex.raw("CAST(? AS INTEGER)", [value.high]);
+          low = this.knex.raw("CAST(? AS INTEGER)", [value.low]);
+        }
+        if (shouldOr) {
+          q2 = q2.or;
         }
         if (lowValid && highValid) {
-          if (schema?.type === "bigint" /* BIGINT */ && this.client === "sqlite3" /* SQL_LITE */) {
-            return q2.whereRaw(
-              `CAST(${key} AS INTEGER) BETWEEN CAST(? AS INTEGER) AND CAST(? AS INTEGER)`,
-              [value.low, value.high]
-            );
-          } else {
-            const fnc = allOr ? "orWhereBetween" : "whereBetween";
-            return q2[fnc](key, [value.low, value.high]);
-          }
+          return q2.whereBetween(rawKey, [low, high]);
         } else if (lowValid) {
-          if (schema?.type === "bigint" /* BIGINT */ && this.client === "sqlite3" /* SQL_LITE */) {
-            return q2.whereRaw(`CAST(${key} AS INTEGER) >= CAST(? AS INTEGER)`, [
-              value.low
-            ]);
-          } else {
-            const fnc = allOr ? "orWhere" : "where";
-            return q2[fnc](key, ">=", value.low);
-          }
+          return q2.where(rawKey, ">=", low);
         } else if (highValid) {
-          if (schema?.type === "bigint" /* BIGINT */ && this.client === "sqlite3" /* SQL_LITE */) {
-            return q2.whereRaw(`CAST(${key} AS INTEGER) <= CAST(? AS INTEGER)`, [
-              value.high
-            ]);
-          } else {
-            const fnc = allOr ? "orWhere" : "where";
-            return q2[fnc](key, "<=", value.high);
-          }
+          return q2.where(rawKey, "<=", high);
         }
         return q2;
       });
     }
     if (filters.equal) {
       iterate(filters.equal, "equal" /* EQUAL */, (q2, key, value) => {
-        const fnc = allOr ? "orWhereRaw" : "whereRaw";
+        if (shouldOr) {
+          q2 = q2.or;
+        }
         if (this.client === "mssql" /* MS_SQL */) {
-          return q2[fnc](
-            `CASE WHEN ${this.quotedIdentifier(key)} = ? THEN 1 ELSE 0 END = 1`,
-            [value]
-          );
-        } else if (this.client === "oracledb" /* ORACLE */) {
-          const identifier = this.convertClobs(key);
-          return q2[fnc](`(${identifier} IS NOT NULL AND ${identifier} = ?)`, [
+          return q2.whereRaw(`CASE WHEN ?? = ? THEN 1 ELSE 0 END = 1`, [
+            this.rawQuotedIdentifier(key),
             value
           ]);
+        } else if (this.client === "oracledb" /* ORACLE */) {
+          const identifier = this.convertClobs(key);
+          return q2.where(
+            (subq) => (
+              // @ts-expect-error knex types are wrong, raw is fine here
+              subq.whereNotNull(identifier).andWhere(identifier, value)
+            )
+          );
         } else {
-          return q2[fnc](`COALESCE(${this.quotedIdentifier(key)} = ?, FALSE)`, [
+          return q2.whereRaw(`COALESCE(?? = ?, FALSE)`, [
+            this.rawQuotedIdentifier(key),
             value
           ]);
         }
@@ -76167,20 +76422,22 @@ var InternalBuilder = class {
     }
     if (filters.notEqual) {
       iterate(filters.notEqual, "notEqual" /* NOT_EQUAL */, (q2, key, value) => {
-        const fnc = allOr ? "orWhereRaw" : "whereRaw";
+        if (shouldOr) {
+          q2 = q2.or;
+        }
         if (this.client === "mssql" /* MS_SQL */) {
-          return q2[fnc](
-            `CASE WHEN ${this.quotedIdentifier(key)} = ? THEN 1 ELSE 0 END = 0`,
-            [value]
-          );
+          return q2.whereRaw(`CASE WHEN ?? = ? THEN 1 ELSE 0 END = 0`, [
+            this.rawQuotedIdentifier(key),
+            value
+          ]);
         } else if (this.client === "oracledb" /* ORACLE */) {
           const identifier = this.convertClobs(key);
-          return q2[fnc](
-            `(${identifier} IS NOT NULL AND ${identifier} != ?) OR ${identifier} IS NULL`,
-            [value]
-          );
+          return q2.where(
+            (subq) => subq.not.whereNull(identifier).and.where(identifier, "!=", value)
+          ).or.whereNull(identifier);
         } else {
-          return q2[fnc](`COALESCE(${this.quotedIdentifier(key)} != ?, TRUE)`, [
+          return q2.whereRaw(`COALESCE(?? != ?, TRUE)`, [
+            this.rawQuotedIdentifier(key),
             value
           ]);
         }
@@ -76188,14 +76445,18 @@ var InternalBuilder = class {
     }
     if (filters.empty) {
       iterate(filters.empty, "empty" /* EMPTY */, (q2, key) => {
-        const fnc = allOr ? "orWhereNull" : "whereNull";
-        return q2[fnc](key);
+        if (shouldOr) {
+          q2 = q2.or;
+        }
+        return q2.whereNull(key);
       });
     }
     if (filters.notEmpty) {
       iterate(filters.notEmpty, "notEmpty" /* NOT_EMPTY */, (q2, key) => {
-        const fnc = allOr ? "orWhereNotNull" : "whereNotNull";
-        return q2[fnc](key);
+        if (shouldOr) {
+          q2 = q2.or;
+        }
+        return q2.whereNotNull(key);
       });
     }
     if (filters.contains) {
@@ -76264,7 +76525,7 @@ var InternalBuilder = class {
         const selectFields = qualifiedFields.map(
           (field) => this.convertClobs(field, { forSelect: true })
         );
-        query = query.groupByRaw(groupByFields.join(", ")).select(this.knex.raw(selectFields.join(", ")));
+        query = query.groupBy(groupByFields).select(selectFields);
       } else {
         query = query.groupBy(qualifiedFields).select(qualifiedFields);
       }
@@ -76276,11 +76537,10 @@ var InternalBuilder = class {
           if (this.client === "oracledb" /* ORACLE */) {
             const field = this.convertClobs(`${tableName}.${aggregation.field}`);
             query = query.select(
-              this.knex.raw(
-                `COUNT(DISTINCT ${field}) as ${this.quotedIdentifier(
-                  aggregation.name
-                )}`
-              )
+              this.knex.raw(`COUNT(DISTINCT ??) as ??`, [
+                field,
+                aggregation.name
+              ])
             );
           } else {
             query = query.countDistinct(
@@ -76335,9 +76595,11 @@ var InternalBuilder = class {
         } else {
           let composite = `${aliased}.${key}`;
           if (this.client === "oracledb" /* ORACLE */) {
-            query = query.orderByRaw(
-              `${this.convertClobs(composite)} ${direction} nulls ${nulls}`
-            );
+            query = query.orderByRaw(`?? ?? nulls ??`, [
+              this.convertClobs(composite),
+              this.knex.raw(direction),
+              this.knex.raw(nulls)
+            ]);
           } else {
             query = query.orderBy(composite, direction, nulls);
           }
@@ -76359,17 +76621,18 @@ var InternalBuilder = class {
   }
   buildJsonField(field) {
     const parts = field.split(".");
-    let tableField, unaliased;
+    let unaliased;
+    let tableField;
     if (parts.length > 1) {
       const alias = parts.shift();
       unaliased = parts.join(".");
-      tableField = `${this.quote(alias)}.${this.quote(unaliased)}`;
+      tableField = `${alias}.${unaliased}`;
     } else {
       unaliased = parts.join(".");
-      tableField = this.quote(unaliased);
+      tableField = unaliased;
     }
     const separator = this.client === "oracledb" /* ORACLE */ ? " VALUE " : ",";
-    return `'${unaliased}'${separator}${tableField}`;
+    return this.knex.raw(`?${separator}??`, [unaliased, this.rawQuotedIdentifier(tableField)]).toString();
   }
   maxFunctionParameters() {
     switch (this.client) {
@@ -76433,11 +76696,11 @@ var InternalBuilder = class {
       subQuery = subQuery.where(
         correlatedTo,
         "=",
-        knex3.raw(this.quotedIdentifier(correlatedFrom))
+        this.rawQuotedIdentifier(correlatedFrom)
       );
       const standardWrap = (select) => {
         subQuery = subQuery.select(`${toAlias}.*`).limit(getRelationshipLimit());
-        return knex3.select(knex3.raw(select)).from({
+        return knex3.select(select).from({
           [toAlias]: subQuery
         });
       };
@@ -76446,12 +76709,12 @@ var InternalBuilder = class {
         case "sqlite3" /* SQL_LITE */:
           subQuery = this.addJoinFieldCheck(subQuery, relationship);
           wrapperQuery = standardWrap(
-            `json_group_array(json_object(${fieldList}))`
+            this.knex.raw(`json_group_array(json_object(${fieldList}))`)
           );
           break;
         case "pg" /* POSTGRES */:
           wrapperQuery = standardWrap(
-            `json_agg(json_build_object(${fieldList}))`
+            this.knex.raw(`json_agg(json_build_object(${fieldList}))`)
           );
           break;
         case "mariadb" /* MARIADB */:
@@ -76464,16 +76727,19 @@ var InternalBuilder = class {
         case "mysql2" /* MY_SQL */:
         case "oracledb" /* ORACLE */:
           wrapperQuery = standardWrap(
-            `json_arrayagg(json_object(${fieldList}))`
+            this.knex.raw(`json_arrayagg(json_object(${fieldList}))`)
           );
           break;
-        case "mssql" /* MS_SQL */:
+        case "mssql" /* MS_SQL */: {
+          const comparatorQuery = knex3.select(`${fromAlias}.*`).from({
+            [fromAlias]: subQuery.select(`${toAlias}.*`).limit(getRelationshipLimit())
+          });
           wrapperQuery = knex3.raw(
-            `(SELECT ${this.quote(toAlias)} = (${knex3.select(`${fromAlias}.*`).from({
-              [fromAlias]: subQuery.select(`${toAlias}.*`).limit(getRelationshipLimit())
-            })} FOR JSON PATH))`
+            `(SELECT ?? = (${comparatorQuery} FOR JSON PATH))`,
+            [this.rawQuotedIdentifier(toAlias)]
           );
           break;
+        }
         default:
           throw new Error(`JSON relationships not implement for ${sqlClient}`);
       }