@carbonorm/carbonnode 6.1.0 → 6.1.1

package/src/__tests__/sakila-db/sqlResponses/C6.payment.post.json

@@ -7,8 +7,8 @@
       "staff_id": 1,
       "rental_id": 1,
       "amount": 1,
-      "payment_date": "2026-02-14 22:07:15",
-      "last_update": "2026-02-14 22:07:15",
+      "payment_date": "2026-02-16 21:50:08",
+      "last_update": "2026-02-16 21:50:08",
       "payment_id": 16050
     }
   ],
@@ -19,8 +19,8 @@
       1,
       1,
       1,
-      "2026-02-14 22:07:15",
-      "2026-02-14 22:07:15"
+      "2026-02-16 21:50:08",
+      "2026-02-16 21:50:08"
     ]
   }
 }

package/src/__tests__/sakila-db/sqlResponses/C6.payment.post.latest.json

@@ -6,8 +6,8 @@
       "staff_id": 1,
       "rental_id": 1,
       "amount": "1.00",
-      "payment_date": "2026-02-14T22:07:15.000Z",
-      "last_update": "2026-02-14T22:07:15.000Z"
+      "payment_date": "2026-02-16T21:50:08.000Z",
+      "last_update": "2026-02-16T21:50:08.000Z"
     }
   ],
   "sql": {

package/src/__tests__/sakila-db/sqlResponses/C6.payment.put.lookup.json

@@ -6,8 +6,8 @@
       "staff_id": 1,
       "rental_id": 1,
       "amount": "1.00",
-      "payment_date": "2026-02-14T22:07:15.000Z",
-      "last_update": "2026-02-14T22:07:15.000Z"
+      "payment_date": "2026-02-16T21:50:08.000Z",
+      "last_update": "2026-02-16T21:50:08.000Z"
     }
   ],
   "sql": {

package/src/__tests__/sakila-db/sqlResponses/C6.rental.join.json

@@ -1,18 +1,18 @@
 {
   "rest": [
     {
-      "rental_id": 76,
-      "rental_date": "2005-05-25T11:30:37.000Z",
-      "inventory_id": 3021,
-      "customer_id": 1,
-      "return_date": "2005-06-03T12:00:37.000Z",
-      "staff_id": 2,
+      "rental_id": 1,
+      "rental_date": "2005-05-24T22:53:30.000Z",
+      "inventory_id": 367,
+      "customer_id": 130,
+      "return_date": "2005-05-26T22:04:30.000Z",
+      "staff_id": 1,
       "last_update": "2006-02-15T04:57:20.000Z",
       "store_id": 1,
-      "first_name": "MARY",
-      "last_name": "SMITH",
-      "email": "MARY.SMITH@sakilacustomer.org",
-      "address_id": 5,
+      "first_name": "CHARLOTTE",
+      "last_name": "HUNTER",
+      "email": "CHARLOTTE.HUNTER@sakilacustomer.org",
+      "address_id": 134,
       "active": 1,
       "create_date": "2006-02-14T22:04:36.000Z"
     }

package/src/__tests__/sakila-db/sqlResponses/C6.rental.post.json

@@ -3,24 +3,24 @@
   "insertId": 16050,
   "rest": [
     {
-      "rental_date": "2026-02-14 22:07:15",
+      "rental_date": "2026-02-16 21:50:08",
       "inventory_id": 1,
       "customer_id": 1,
-      "return_date": "2026-02-14 22:07:15",
+      "return_date": "2026-02-16 21:50:08",
       "staff_id": 1,
-      "last_update": "2026-02-14 22:07:15",
+      "last_update": "2026-02-16 21:50:08",
       "rental_id": 16050
     }
   ],
   "sql": {
     "sql": "INSERT INTO `rental` (\n            `rental_date`, `inventory_id`, `customer_id`, `return_date`, `staff_id`, `last_update`\n         ) VALUES\n            (?, ?, ?, ?, ?, ?)",
     "values": [
-      "2026-02-14 22:07:15",
+      "2026-02-16 21:50:08",
       1,
       1,
-      "2026-02-14 22:07:15",
+      "2026-02-16 21:50:08",
       1,
-      "2026-02-14 22:07:15"
+      "2026-02-16 21:50:08"
     ]
   }
 }

package/src/__tests__/sakila-db/sqlResponses/C6.rental.post.latest.json

@@ -2,12 +2,12 @@
   "rest": [
     {
       "rental_id": 16050,
-      "rental_date": "2026-02-14T22:07:15.000Z",
+      "rental_date": "2026-02-16T21:50:08.000Z",
       "inventory_id": 1,
       "customer_id": 1,
-      "return_date": "2026-02-14T22:07:15.000Z",
+      "return_date": "2026-02-16T21:50:08.000Z",
       "staff_id": 1,
-      "last_update": "2026-02-14T22:07:15.000Z"
+      "last_update": "2026-02-16T21:50:08.000Z"
     }
   ],
   "sql": {

package/src/__tests__/sakila-db/sqlResponses/C6.rental.put.json

@@ -5,7 +5,7 @@
   "sql": {
     "sql": "UPDATE `rental` SET `rental_date` = ? WHERE (rental.rental_id) = ?",
     "values": [
-      "2026-02-14 22:07:15",
+      "2026-02-16 21:50:08",
       16050
     ]
   }

package/src/__tests__/sakila-db/sqlResponses/C6.rental.put.lookup.json

@@ -2,12 +2,12 @@
   "rest": [
     {
       "rental_id": 16050,
-      "rental_date": "2026-02-14T22:07:15.000Z",
+      "rental_date": "2026-02-16T21:50:08.000Z",
       "inventory_id": 1,
       "customer_id": 1,
-      "return_date": "2026-02-14T22:07:15.000Z",
+      "return_date": "2026-02-16T21:50:08.000Z",
       "staff_id": 1,
-      "last_update": "2026-02-14T22:07:15.000Z"
+      "last_update": "2026-02-16T21:50:08.000Z"
     }
   ],
   "sql": {

package/src/__tests__/sqlAllowList.test.ts

@@ -1,6 +1,6 @@
 import {describe, expect, it, vi} from "vitest";
 import path from "node:path";
-import {mkdir, readdir, readFile, writeFile} from "node:fs/promises";
+import {mkdir, readdir, readFile, unlink, writeFile} from "node:fs/promises";
 import {Actor, C6, GLOBAL_REST_PARAMETERS} from "./sakila-db/C6.js";
 import {collectSqlAllowListEntries, compileSqlAllowList, extractSqlEntries, loadSqlAllowList, normalizeSql} from "../utils/sqlAllowList";
 
@@ -42,18 +42,21 @@ const compileSqlAllowListFromFixtures = async (): Promise<string[]> => {
 const globalRestParameters = GLOBAL_REST_PARAMETERS as typeof GLOBAL_REST_PARAMETERS & {
   mysqlPool?: unknown;
   sqlAllowListPath?: string;
+  sqlQueryNormalizer?: (sql: string) => string;
   verbose?: boolean;
 };
 
 const snapshotGlobals = () => ({
   mysqlPool: globalRestParameters.mysqlPool,
   sqlAllowListPath: globalRestParameters.sqlAllowListPath,
+  sqlQueryNormalizer: globalRestParameters.sqlQueryNormalizer,
   verbose: globalRestParameters.verbose,
 });
 
 const restoreGlobals = (snapshot: ReturnType<typeof snapshotGlobals>) => {
   globalRestParameters.mysqlPool = snapshot.mysqlPool;
   globalRestParameters.sqlAllowListPath = snapshot.sqlAllowListPath;
+  globalRestParameters.sqlQueryNormalizer = snapshot.sqlQueryNormalizer;
   globalRestParameters.verbose = snapshot.verbose;
 };
 
@@ -127,6 +130,58 @@ describe("SQL allowlist", () => {
     }
   });
 
+  it("supports custom SQL normalization via GLOBAL_REST_PARAMETERS.sqlQueryNormalizer", async () => {
+    await mkdir(fixturesDir, {recursive: true});
+    const lowerCasePath = path.join(fixturesDir, "sqlAllowList.lowercase.json");
+
+    const {pool} = buildMockPool([
+      {actor_id: 1, first_name: "PENELOPE", last_name: "GUINESS"},
+    ]);
+
+    const originalGlobals = snapshotGlobals();
+    try {
+      globalRestParameters.mysqlPool = pool as any;
+      globalRestParameters.sqlAllowListPath = undefined;
+      globalRestParameters.sqlQueryNormalizer = undefined;
+      globalRestParameters.verbose = false;
+
+      const baseline = await Actor.Get({
+        [C6.PAGINATION]: {[C6.LIMIT]: 1},
+        cacheResults: false,
+      } as any);
+
+      const normalizedBaseline = normalizeSql((baseline as any).sql.sql as string);
+      await writeFile(
+        lowerCasePath,
+        JSON.stringify([normalizedBaseline.toLowerCase()], null, 2),
+      );
+
+      globalRestParameters.sqlAllowListPath = lowerCasePath;
+      globalRestParameters.sqlQueryNormalizer = (sql: string) => sql.toLowerCase();
+
+      await expect(
+        Actor.Get({
+          [C6.PAGINATION]: {[C6.LIMIT]: 1},
+          cacheResults: false,
+        } as any),
+      ).resolves.toMatchObject({
+        rest: baseline.rest,
+      });
+
+      globalRestParameters.sqlQueryNormalizer = undefined;
+
+      await expect(
+        Actor.Get({
+          [C6.PAGINATION]: {[C6.LIMIT]: 1},
+          cacheResults: false,
+        } as any),
+      ).rejects.toThrow("SQL statement is not permitted");
+    } finally {
+      await unlink(lowerCasePath).catch(() => undefined);
+      restoreGlobals(originalGlobals);
+    }
+  });
+
   it("normalizes multi-row VALUES with variable row counts", () => {
     const oneRow = `
       INSERT INTO \`valuation_report_comparables\` (\`report_id\`, \`unit_id\`, \`subject_unit_id\`)

package/src/__tests__/sqlBuilders.test.ts

@@ -5,7 +5,7 @@ import { PostQueryBuilder } from '../orm/queries/PostQueryBuilder';
 import { UpdateQueryBuilder } from '../orm/queries/UpdateQueryBuilder';
 import { DeleteQueryBuilder } from '../orm/queries/DeleteQueryBuilder';
 import { alias, call, distinct, fn, lit, order } from '../orm/queryHelpers';
-import { buildTestConfig, buildBinaryTestConfig, buildBinaryTestConfigFqn } from './fixtures/c6.fixture';
+import { buildTestConfig, buildBinaryTestConfig, buildBinaryTestConfigFqn, buildTemporalTestConfig } from './fixtures/c6.fixture';
 
 describe('SQL Builders', () => {
   it('builds SELECT with JOIN, WHERE, GROUP BY, HAVING and default LIMIT', () => {
@@ -381,4 +381,41 @@ describe('SQL Builders', () => {
     expect(Buffer.isBuffer(buf)).toBe(true);
     expect((buf as Buffer).length).toBe(16);
   });
+
+  it('serializes ISO-8601 strings for TIMESTAMP columns in INSERT params', () => {
+    const config = buildTemporalTestConfig();
+    const qb = new PostQueryBuilder(config as any, {
+      [C6C.INSERT]: {
+        'events.read_at': '2026-02-16T21:27:06.679Z'
+      }
+    } as any, false);
+
+    const { params } = qb.build('events');
+    expect(params).toEqual(['2026-02-16 21:27:06.679']);
+  });
+
+  it('serializes ISO-8601 strings for DATE columns in UPDATE params', () => {
+    const config = buildTemporalTestConfig();
+    const qb = new UpdateQueryBuilder(config as any, {
+      [C6C.UPDATE]: {
+        'events.read_on': '2026-02-16T21:27:06.679Z'
+      },
+      WHERE: { 'events.id': [C6C.EQUAL, 1] }
+    } as any, false);
+
+    const { params } = qb.build('events');
+    expect(params).toEqual(['2026-02-16', 1]);
+  });
+
+  it('serializes offset ISO-8601 strings for TIME columns in WHERE params', () => {
+    const config = buildTemporalTestConfig();
+    const qb = new SelectQueryBuilder(config as any, {
+      WHERE: {
+        'events.read_time': [C6C.EQUAL, [C6C.LIT, '2026-02-16T16:27:06.679-05:00']]
+      }
+    } as any, false);
+
+    const { params } = qb.build('events');
+    expect(params).toEqual(['21:27:06.679']);
+  });
 });

package/src/executors/SqlExecutor.ts

@@ -22,7 +22,7 @@ import logSql, {
 } from "../utils/logSql";
 import { normalizeSingularRequest } from "../utils/normalizeSingularRequest";
 import {sortAndSerializeQueryObject} from "../utils/sortAndSerializeQueryObject";
-import { loadSqlAllowList, normalizeSql } from "../utils/sqlAllowList";
+import { loadSqlAllowList, normalizeSqlWith } from "../utils/sqlAllowList";
 import { getLogContext, LogLevel, logWithLevel } from "../utils/logLevel";
 
 const SQL_ALLOWLIST_BLOCKED_CODE = "SQL_ALLOWLIST_BLOCKED";
@@ -1070,8 +1070,9 @@ export class SqlExecutor<
             return "not verified";
         }
 
-        const allowList = await loadSqlAllowList(allowListPath);
-        const normalized = normalizeSql(sql);
+        const sqlQueryNormalizer = this.config.sqlQueryNormalizer;
+        const allowList = await loadSqlAllowList(allowListPath, sqlQueryNormalizer);
+        const normalized = normalizeSqlWith(sql, sqlQueryNormalizer);
         if (!allowList.has(normalized)) {
             throw createSqlAllowListBlockedError({
                 tableName:

package/src/orm/builders/ConditionBuilder.ts

@@ -1,7 +1,7 @@
 import {C6C} from "../../constants/C6Constants";
 import {OrmGenerics} from "../../types/ormGenerics";
 import {DetermineResponseDataType} from "../../types/ormInterfaces";
-import {convertHexIfBinary, SqlBuilderResult} from "../utils/sqlUtils";
+import {convertSqlValueForColumn, SqlBuilderResult} from "../utils/sqlUtils";
 import {AggregateBuilder} from "./AggregateBuilder";
 import {isDerivedTableKey} from "../queryHelpers";
 import {getLogContext, LogLevel, logWithLevel} from "../../utils/logLevel";
@@ -175,15 +175,8 @@ export abstract class ConditionBuilder<
         column: string,
         value: any
     ): string {
-        // Determine column definition from C6.TABLES to support type-aware conversions (e.g., BINARY hex -> Buffer)
-        let columnDef: any | undefined;
-        if (typeof column === 'string' && column.includes('.')) {
-            const [tableName, colName] = column.split('.', 2);
-            const table = this.config.C6?.TABLES?.[tableName];
-            // Support both short-keyed and fully-qualified TYPE_VALIDATION entries
-            columnDef = table?.TYPE_VALIDATION?.[colName] ?? table?.TYPE_VALIDATION?.[`${tableName}.${colName}`];
-        }
-        const val = convertHexIfBinary(column, value, columnDef);
+        const columnDef = this.resolveColumnDefinition(column);
+        const val = convertSqlValueForColumn(column, value, columnDef);
 
         if (this.useNamedParams) {
             const key = `param${Object.keys(params).length}`;

package/src/orm/utils/sqlUtils.ts

@@ -1,6 +1,3 @@
-
-
-
 export interface SqlBuilderResult {
     sql: string;
     params: any[] | { [key: string]: any };  // params can be an array or an object for named placeholders
@@ -16,9 +13,180 @@ export function convertHexIfBinary(
         typeof val === 'string' &&
         /^[0-9a-fA-F]{32}$/.test(val) &&
         typeof columnDef === 'object' &&
-        columnDef.MYSQL_TYPE.toUpperCase().includes('BINARY')
+        String(columnDef.MYSQL_TYPE ?? '').toUpperCase().includes('BINARY')
     ) {
         return Buffer.from(val, 'hex');
     }
     return val;
 }
+
+type TemporalMysqlType = 'date' | 'datetime' | 'timestamp' | 'time' | 'year';
+
+const TEMPORAL_TYPES = new Set<TemporalMysqlType>([
+    'date',
+    'datetime',
+    'timestamp',
+    'time',
+    'year',
+]);
+
+const MYSQL_DATE_REGEX = /^\d{4}-\d{2}-\d{2}$/;
+const MYSQL_DATETIME_REGEX = /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{1,6})?$/;
+const MYSQL_TIME_REGEX = /^-?\d{2,3}:\d{2}:\d{2}(?:\.\d{1,6})?$/;
+const ISO_DATETIME_REGEX = /^(\d{4}-\d{2}-\d{2})[Tt](\d{2}:\d{2}:\d{2})(\.\d{1,6})?([zZ]|[+-]\d{2}:\d{2})?$/;
+
+const pad2 = (value: number): string => value.toString().padStart(2, '0');
+
+function trimFraction(value: string, precision: number): string {
+    const [base, fractionRaw] = value.split('.', 2);
+    if (precision <= 0 || !fractionRaw) return base;
+    return `${base}.${fractionRaw.slice(0, precision).padEnd(precision, '0')}`;
+}
+
+function normalizeFraction(raw: string | undefined, precision: number): string {
+    if (precision <= 0) return '';
+    if (!raw) return '';
+    const digits = raw.startsWith('.') ? raw.slice(1) : raw;
+    return `.${digits.slice(0, precision).padEnd(precision, '0')}`;
+}
+
+function formatDateUtc(value: Date): string {
+    return `${value.getUTCFullYear()}-${pad2(value.getUTCMonth() + 1)}-${pad2(value.getUTCDate())}`;
+}
+
+function formatTimeUtc(value: Date, precision: number): string {
+    const base = `${pad2(value.getUTCHours())}:${pad2(value.getUTCMinutes())}:${pad2(value.getUTCSeconds())}`;
+    if (precision <= 0) return base;
+
+    const millis = value.getUTCMilliseconds().toString().padStart(3, '0');
+    const fraction = millis.slice(0, Math.min(precision, 3)).padEnd(precision, '0');
+    return `${base}.${fraction}`;
+}
+
+function formatDateTimeUtc(value: Date, precision: number): string {
+    return `${formatDateUtc(value)} ${formatTimeUtc(value, precision)}`;
+}
+
+function parseEpochNumber(value: number): Date | undefined {
+    if (!Number.isFinite(value)) return undefined;
+    const abs = Math.abs(value);
+    if (abs >= 1e12) {
+        const date = new Date(value);
+        return Number.isNaN(date.getTime()) ? undefined : date;
+    }
+    if (abs >= 1e9) {
+        const date = new Date(value * 1000);
+        return Number.isNaN(date.getTime()) ? undefined : date;
+    }
+    return undefined;
+}
+
+function parseTemporalType(columnDef?: any): { baseType?: TemporalMysqlType; precision: number } {
+    const raw = String(columnDef?.MYSQL_TYPE ?? '').trim().toLowerCase();
+    if (!raw) return { baseType: undefined, precision: 0 };
+
+    const base = raw.split(/[\s(]/, 1)[0] as TemporalMysqlType;
+    if (!TEMPORAL_TYPES.has(base)) return { baseType: undefined, precision: 0 };
+
+    const precisionMatch = raw.match(/^(?:datetime|timestamp|time)\((\d+)\)/);
+    if (!precisionMatch) return { baseType: base, precision: 0 };
+    const parsed = Number.parseInt(precisionMatch[1], 10);
+    if (!Number.isFinite(parsed)) return { baseType: base, precision: 0 };
+    return { baseType: base, precision: Math.max(0, Math.min(6, parsed)) };
+}
+
+function normalizeTemporalString(
+    value: string,
+    baseType: TemporalMysqlType,
+    precision: number,
+): string {
+    const trimmed = value.trim();
+    if (!trimmed) return value;
+
+    if (baseType === 'date') {
+        if (MYSQL_DATE_REGEX.test(trimmed)) return trimmed;
+        const iso = trimmed.match(ISO_DATETIME_REGEX);
+        if (iso) {
+            const [, datePart, , , timezonePart] = iso;
+            if (!timezonePart) return datePart;
+            const parsed = new Date(trimmed);
+            return Number.isNaN(parsed.getTime()) ? value : formatDateUtc(parsed);
+        }
+        const parsed = new Date(trimmed);
+        return Number.isNaN(parsed.getTime()) ? value : formatDateUtc(parsed);
+    }
+
+    if (baseType === 'time') {
+        if (MYSQL_TIME_REGEX.test(trimmed)) return trimFraction(trimmed, precision);
+        const iso = trimmed.match(ISO_DATETIME_REGEX);
+        if (iso) {
+            const [, , timePart, fractionPart, timezonePart] = iso;
+            if (!timezonePart) {
+                return `${timePart}${normalizeFraction(fractionPart, precision)}`;
+            }
+            const parsed = new Date(trimmed);
+            return Number.isNaN(parsed.getTime()) ? value : formatTimeUtc(parsed, precision);
+        }
+        const parsed = new Date(trimmed);
+        return Number.isNaN(parsed.getTime()) ? value : formatTimeUtc(parsed, precision);
+    }
+
+    if (baseType === 'year') {
+        if (/^\d{2,4}$/.test(trimmed)) return trimmed;
+        const parsed = new Date(trimmed);
+        return Number.isNaN(parsed.getTime()) ? value : String(parsed.getUTCFullYear());
+    }
+
+    if (MYSQL_DATETIME_REGEX.test(trimmed)) return trimFraction(trimmed, precision);
+    const iso = trimmed.match(ISO_DATETIME_REGEX);
+    if (iso) {
+        const [, datePart, timePart, fractionPart, timezonePart] = iso;
+        if (!timezonePart) {
+            return `${datePart} ${timePart}${normalizeFraction(fractionPart, precision)}`;
+        }
+        const parsed = new Date(trimmed);
+        return Number.isNaN(parsed.getTime()) ? value : formatDateTimeUtc(parsed, precision);
+    }
+
+    const parsed = new Date(trimmed);
+    return Number.isNaN(parsed.getTime()) ? value : formatDateTimeUtc(parsed, precision);
+}
+
+function convertTemporalIfNeeded(value: any, columnDef?: any): any {
+    const { baseType, precision } = parseTemporalType(columnDef);
+    if (!baseType) return value;
+
+    if (value === null || value === undefined) return value;
+    if (typeof Buffer !== 'undefined' && Buffer.isBuffer && Buffer.isBuffer(value)) return value;
+
+    if (value instanceof Date) {
+        if (baseType === 'date') return formatDateUtc(value);
+        if (baseType === 'time') return formatTimeUtc(value, precision);
+        if (baseType === 'year') return String(value.getUTCFullYear());
+        return formatDateTimeUtc(value, precision);
+    }
+
+    if (typeof value === 'number') {
+        const parsed = parseEpochNumber(value);
+        if (!parsed) return value;
+        if (baseType === 'date') return formatDateUtc(parsed);
+        if (baseType === 'time') return formatTimeUtc(parsed, precision);
+        if (baseType === 'year') return String(parsed.getUTCFullYear());
+        return formatDateTimeUtc(parsed, precision);
+    }
+
+    if (typeof value === 'string') {
+        return normalizeTemporalString(value, baseType, precision);
+    }
+
+    return value;
+}
+
+export function convertSqlValueForColumn(
+    col: string,
+    val: any,
+    columnDef?: any
+): any {
+    const binaryConverted = convertHexIfBinary(col, val, columnDef);
+    return convertTemporalIfNeeded(binaryConverted, columnDef);
+}

package/src/types/ormInterfaces.ts

@@ -235,6 +235,7 @@ export interface iRest<
     logLevel?: number;
     verbose?: boolean;
     sqlAllowListPath?: string;
+    sqlQueryNormalizer?: (sql: string) => string;
 }
 
 export interface iConstraint {

package/src/utils/sqlAllowList.ts

@@ -6,7 +6,12 @@ type AllowListCacheEntry = {
     size: number;
 };
 
-const allowListCache = new Map<string, AllowListCacheEntry>();
+export type SqlQueryNormalizer = (sql: string) => string;
+
+const DEFAULT_NORMALIZER_CACHE_KEY = "__default__";
+type AllowListCacheKey = SqlQueryNormalizer | typeof DEFAULT_NORMALIZER_CACHE_KEY;
+
+const allowListCache = new Map<string, Map<AllowListCacheKey, AllowListCacheEntry>>();
 
 const ANSI_ESCAPE_REGEX = /\x1b\[[0-9;]*m/g;
 const COLLAPSED_BIND_ROW_REGEX = /\(\?\s*×\d+\)/g;
@@ -91,7 +96,26 @@ export const normalizeSql = (sql: string): string => {
     return normalized.replace(/\s+/g, " ").trim();
 };
 
-const parseAllowList = (raw: string, sourcePath: string): string[] => {
+export const normalizeSqlWith = (
+    sql: string,
+    sqlQueryNormalizer?: SqlQueryNormalizer,
+): string => {
+    const normalized = normalizeSql(sql);
+    if (!sqlQueryNormalizer) return normalized;
+
+    const customized = sqlQueryNormalizer(normalized);
+    if (typeof customized !== "string") {
+        throw new Error("sqlQueryNormalizer must return a string.");
+    }
+
+    return customized.replace(/\s+/g, " ").trim();
+};
+
+const parseAllowList = (
+    raw: string,
+    sourcePath: string,
+    sqlQueryNormalizer?: SqlQueryNormalizer,
+): string[] => {
     let parsed: unknown;
     try {
         parsed = JSON.parse(raw);
@@ -105,7 +129,7 @@ const parseAllowList = (raw: string, sourcePath: string): string[] => {
 
     const sqlEntries = parsed
         .filter((entry): entry is string => typeof entry === "string")
-        .map(normalizeSql)
+        .map((entry) => normalizeSqlWith(entry, sqlQueryNormalizer))
         .filter((entry) => entry.length > 0);
 
     if (sqlEntries.length !== parsed.length) {
@@ -115,7 +139,10 @@ const parseAllowList = (raw: string, sourcePath: string): string[] => {
     return sqlEntries;
 };
 
-export const loadSqlAllowList = async (allowListPath: string): Promise<Set<string>> => {
+export const loadSqlAllowList = async (
+    allowListPath: string,
+    sqlQueryNormalizer?: SqlQueryNormalizer,
+): Promise<Set<string>> => {
     if (!isNode()) {
         throw new Error("SQL allowlist validation requires a Node runtime.");
     }
@@ -129,7 +156,10 @@ export const loadSqlAllowList = async (allowListPath: string): Promise<Set<strin
         throw new Error(`SQL allowlist file not found at ${allowListPath}.`);
     }
 
-    const cached = allowListCache.get(allowListPath);
+    const pathCache = allowListCache.get(allowListPath)
+        ?? new Map<AllowListCacheKey, AllowListCacheEntry>();
+    const cacheKey: AllowListCacheKey = sqlQueryNormalizer ?? DEFAULT_NORMALIZER_CACHE_KEY;
+    const cached = pathCache.get(cacheKey);
     if (
         cached &&
         cached.mtimeMs === fileStat.mtimeMs &&
@@ -145,13 +175,14 @@ export const loadSqlAllowList = async (allowListPath: string): Promise<Set<strin
         throw new Error(`SQL allowlist file not found at ${allowListPath}.`);
     }
 
-    const sqlEntries = parseAllowList(raw, allowListPath);
+    const sqlEntries = parseAllowList(raw, allowListPath, sqlQueryNormalizer);
     const allowList = new Set(sqlEntries);
-    allowListCache.set(allowListPath, {
+    pathCache.set(cacheKey, {
         allowList,
         mtimeMs: fileStat.mtimeMs,
         size: fileStat.size,
     });
+    allowListCache.set(allowListPath, pathCache);
     return allowList;
 };
 
@@ -186,10 +217,11 @@ export const extractSqlEntries = (payload: unknown): string[] => {
 
 export const collectSqlAllowListEntries = (
     payload: unknown,
-    entries: Set<string> = new Set<string>()
+    entries: Set<string> = new Set<string>(),
+    sqlQueryNormalizer?: SqlQueryNormalizer,
 ): Set<string> => {
     const sqlEntries = extractSqlEntries(payload)
-        .map(normalizeSql)
+        .map((entry) => normalizeSqlWith(entry, sqlQueryNormalizer))
         .filter((entry) => entry.length > 0);
 
     sqlEntries.forEach((entry) => entries.add(entry));
@@ -199,7 +231,8 @@ export const collectSqlAllowListEntries = (
 
 export const compileSqlAllowList = async (
     allowListPath: string,
-    entries: Iterable<string>
+    entries: Iterable<string>,
+    sqlQueryNormalizer?: SqlQueryNormalizer,
 ): Promise<string[]> => {
     if (!isNode()) {
         throw new Error("SQL allowlist compilation requires a Node runtime.");
@@ -212,7 +245,7 @@ export const compileSqlAllowList = async (
 
     const compiled = Array.from(new Set(
         Array.from(entries)
-            .map(normalizeSql)
+            .map((entry) => normalizeSqlWith(entry, sqlQueryNormalizer))
             .filter((entry) => entry.length > 0)
     )).sort();