@dbsp/core 1.0.1 → 1.0.2

package/dist/index.d.ts

@@ -4872,6 +4872,12 @@ declare class UpsertBuilder<T = void> extends MutationBuilderBase<T, UpsertInten
  * const users = await orm.nql<{ name: string; email: string }>`users | select name, email`.all();
  * ```
  *
+ * Each `${value}` interpolation is escaped into a safe NQL literal (string/number/boolean/null).
+ * Untrusted string input cannot inject NQL structure because it is always quoted and
+ * single-quotes inside are doubled (`''`). For dynamic structural fragments (table names,
+ * column names, ORDER BY direction) use the builder API (`orm.select()`). See #134 for
+ * upcoming `:param` binding and a `nqlRaw()` escape hatch.
+ *
  * @module nql
  * @since DX-040
  */
@@ -4905,6 +4911,13 @@ type NqlTag = <T>(strings: TemplateStringsArray, ...values: unknown[]) => NqlBui
 /**
  * Create an NQL template tag function.
  *
+ * Each `${value}` in the template is escaped into a safe NQL literal before parsing.
+ * Supported interpolation types: `string`, `number`, `boolean`, `null`.
+ * Untrusted string input is therefore safe from NQL-syntax injection — it is always
+ * wrapped in single-quotes with embedded quotes doubled (`''`).
+ * For dynamic structural fragments (table names, column names, ORDER BY direction)
+ * use the builder API (`orm.select()`). See issue #134 for upcoming `:param` binding.
+ *
  * @param schemaDefinition - Schema definition for validation
  * @param model - ModelIR for plan execution
  * @param adapter - Optional adapter for query execution

package/dist/index.js

@@ -5992,11 +5992,49 @@ function negotiateFeatures(model, capabilities, behavior = "warning", checkers =
 
 // src/dx/nql.ts
 import { compile as nqlCompile } from "@dbsp/nql";
+function toNqlLiteral(value, index) {
+  if (value === null) {
+    return "null";
+  }
+  switch (typeof value) {
+    case "boolean":
+      return value ? "true" : "false";
+    case "number": {
+      if (!Number.isFinite(value)) {
+        throw new Error(
+          `nql\`...\`: cannot interpolate non-finite number (${value}) at position ${index}. Only finite numbers are supported. For dynamic NQL structure use the builder API (orm.select()). See issue #134.`
+        );
+      }
+      const s = value < 0 ? `-${Math.abs(value)}` : String(value);
+      if (/[eE]/.test(s)) {
+        throw new Error(
+          `nql\`...\`: number ${value} at position ${index} has no exact NQL numeric literal form (exponential notation). Convert it yourself or use the builder API (orm.select()). See issue #134.`
+        );
+      }
+      return s;
+    }
+    case "string": {
+      if (value.includes("\n") || value.includes("\r")) {
+        throw new Error(
+          `nql\`...\`: cannot interpolate a string containing a newline at position ${index}. NQL string literals do not support raw newline characters. For dynamic NQL structure use the builder API (orm.select()). See issue #134.`
+        );
+      }
+      const escaped = value.replaceAll("'", "''");
+      return `'${escaped}'`;
+    }
+    default: {
+      const typeName = value === void 0 ? "undefined" : typeof value;
+      throw new Error(
+        `nql\`...\`: cannot interpolate value of type "${typeName}" at position ${index}. Only string, number, boolean, and null are supported; for dynamic NQL fragments use the builder API (orm.select()). See issue #134.`
+      );
+    }
+  }
+}
 function createNqlTag(schemaDefinition, model, adapter, schemaName) {
   return function nql(strings, ...values) {
     let query = strings[0] ?? "";
     for (let i = 0; i < values.length; i++) {
-      query += String(values[i]) + (strings[i + 1] ?? "");
+      query += toNqlLiteral(values[i], i) + (strings[i + 1] ?? "");
     }
     return new NqlBuilderImpl(
       query,