@nestjs-odata/typeorm 1.0.0

package/dist/index.mjs

@@ -0,0 +1,2208 @@
+import { Controller, HttpException, HttpStatus, Inject, Injectable, Module, NotFoundException, Optional, Post, Req, Res } from "@nestjs/common";
+import { Brackets, DataSource } from "typeorm";
+import { ETAG_PROVIDER, EdmRegistry, ODATA_MODULE_OPTIONS, ODataModule, ODataValidationError, SEARCH_PROVIDER, acceptVisitor, extractBoundary, getETagProperty, getEdmTypeOverrides, getEntitySetName, getExcludedProperties, getSearchableProperties, parseBatchBody, parseODataKey, pluralizeEntityName } from "@nestjs-odata/core";
+import { randomUUID } from "crypto";
+import { PATH_METADATA } from "@nestjs/common/constants.js";
+import { TypeOrmModule } from "@nestjs/typeorm";
+//#region src/batch/batch-response-builder.ts
+/**
+* OData v4 $batch response builder.
+*
+* Builds a multipart/mixed HTTP response body from per-operation results.
+* Each operation gets its own HTTP status code and body (D-03).
+*
+* Per T-05-05: failed operation responses use OData error format,
+* no stack traces or internal details.
+*
+* Wire format per OData v4 Part 1 section 11:
+*   --{boundary}\r\n
+*   Content-Type: application/http\r\n
+*   Content-Transfer-Encoding: binary\r\n
+*   \r\n
+*   HTTP/1.1 {status} {statusText}\r\n
+*   Content-Type: application/json\r\n
+*   \r\n
+*   {body}\r\n
+*   --{boundary}--\r\n
+*/
+/**
+* Map of HTTP status codes to reason phrases.
+*/
+const STATUS_TEXTS = {
+	200: "OK",
+	201: "Created",
+	204: "No Content",
+	400: "Bad Request",
+	401: "Unauthorized",
+	403: "Forbidden",
+	404: "Not Found",
+	405: "Method Not Allowed",
+	409: "Conflict",
+	422: "Unprocessable Entity",
+	429: "Too Many Requests",
+	500: "Internal Server Error",
+	501: "Not Implemented",
+	503: "Service Unavailable"
+};
+/**
+* Build a multipart/mixed batch response from individual operation results.
+*
+* @param parts - Array of per-operation response descriptors
+* @returns Object with `contentType` (for Content-Type header) and `body` (response body string)
+*/
+function buildBatchResponse(parts) {
+	const boundary = `batch_${randomUUID().replace(/-/g, "").slice(0, 16)}`;
+	const lines = [];
+	for (const part of parts) {
+		const statusText = STATUS_TEXTS[part.statusCode] ?? "Unknown";
+		lines.push(`--${boundary}`);
+		lines.push("Content-Type: application/http");
+		lines.push("Content-Transfer-Encoding: binary");
+		if (part.contentId !== void 0) lines.push(`Content-ID: ${part.contentId}`);
+		lines.push("");
+		lines.push(`HTTP/1.1 ${part.statusCode} ${statusText}`);
+		if (part.body !== void 0) {
+			lines.push("Content-Type: application/json");
+			lines.push(`Content-Length: ${Buffer.byteLength(part.body, "utf-8")}`);
+		}
+		lines.push("");
+		if (part.body !== void 0) lines.push(part.body);
+	}
+	lines.push(`--${boundary}--`);
+	lines.push("");
+	const body = lines.join("\r\n");
+	return {
+		contentType: `multipart/mixed; boundary=${boundary}`,
+		body
+	};
+}
+//#endregion
+//#region src/deriver/typeorm-type-mapper.ts
+/**
+* Complete mapping from TypeORM column types to OData v4 EDM primitive types.
+* Note: Edm.DateTime does NOT exist in OData v4 — use Edm.DateTimeOffset.
+* Source: TypeORM ColumnTypes + OData v4 OASIS spec.
+*/
+const COLUMN_TYPE_MAP = {
+	int: "Edm.Int32",
+	int2: "Edm.Int32",
+	int4: "Edm.Int32",
+	integer: "Edm.Int32",
+	tinyint: "Edm.Int32",
+	smallint: "Edm.Int32",
+	mediumint: "Edm.Int32",
+	bigint: "Edm.Int64",
+	int8: "Edm.Int64",
+	int64: "Edm.Int64",
+	"unsigned big int": "Edm.Int64",
+	float: "Edm.Double",
+	float4: "Edm.Double",
+	float8: "Edm.Double",
+	float64: "Edm.Double",
+	double: "Edm.Double",
+	real: "Edm.Double",
+	"double precision": "Edm.Double",
+	decimal: "Edm.Decimal",
+	numeric: "Edm.Decimal",
+	money: "Edm.Decimal",
+	smallmoney: "Edm.Decimal",
+	varchar: "Edm.String",
+	nvarchar: "Edm.String",
+	char: "Edm.String",
+	nchar: "Edm.String",
+	text: "Edm.String",
+	ntext: "Edm.String",
+	tinytext: "Edm.String",
+	mediumtext: "Edm.String",
+	longtext: "Edm.String",
+	clob: "Edm.String",
+	nclob: "Edm.String",
+	citext: "Edm.String",
+	shorttext: "Edm.String",
+	alphanum: "Edm.String",
+	long: "Edm.String",
+	boolean: "Edm.Boolean",
+	bool: "Edm.Boolean",
+	date: "Edm.Date",
+	datetime: "Edm.DateTimeOffset",
+	datetime2: "Edm.DateTimeOffset",
+	datetimeoffset: "Edm.DateTimeOffset",
+	timestamp: "Edm.DateTimeOffset",
+	timestamptz: "Edm.DateTimeOffset",
+	"timestamp with local time zone": "Edm.DateTimeOffset",
+	smalldatetime: "Edm.DateTimeOffset",
+	time: "Edm.TimeOfDay",
+	timetz: "Edm.TimeOfDay",
+	uuid: "Edm.Guid",
+	uniqueidentifier: "Edm.Guid",
+	blob: "Edm.Binary",
+	tinyblob: "Edm.Binary",
+	mediumblob: "Edm.Binary",
+	longblob: "Edm.Binary",
+	bytea: "Edm.Binary",
+	bytes: "Edm.Binary",
+	binary: "Edm.Binary",
+	varbinary: "Edm.Binary",
+	image: "Edm.Binary",
+	bfile: "Edm.Binary",
+	raw: "Edm.Binary",
+	"long raw": "Edm.Binary"
+};
+/**
+* Unmapped column types — require strategy handling rather than direct mapping.
+* These types cannot be automatically represented as an OData v4 primitive type.
+*/
+const UNMAPPED_COLUMN_TYPES = new Set([
+	"json",
+	"jsonb",
+	"simple-json",
+	"simple-array",
+	"simple-enum",
+	"enum",
+	"set"
+]);
+/**
+* Map a TypeORM column type to an OData v4 EDM primitive type.
+*
+* Resolution order:
+* 1. Direct lookup in the column type map
+* 2. Unmapped type — apply unmappedTypeStrategy
+* 3. JS design type fallback (Number, String, Boolean, Date)
+* 4. Unknown type — apply unmappedTypeStrategy
+*
+* CRITICAL: Edm.DateTime does NOT exist in OData v4. All datetime-like
+* types produce Edm.DateTimeOffset per the OASIS OData v4 specification.
+*
+* @param columnType - TypeORM column type string (e.g., 'varchar', 'int', 'datetime')
+* @param designType - JavaScript design-time type constructor (Number, String, Boolean, Date)
+* @param unmappedTypeStrategy - how to handle types not in the mapping table
+*/
+function mapColumnTypeToEdm(columnType, designType, unmappedTypeStrategy) {
+	const normalized = columnType.toLowerCase();
+	const mapped = COLUMN_TYPE_MAP[normalized];
+	if (mapped !== void 0) return mapped;
+	if (UNMAPPED_COLUMN_TYPES.has(normalized)) return applyUnmappedStrategy(columnType, unmappedTypeStrategy);
+	if (designType === Number) return "Edm.Int32";
+	if (designType === String) return "Edm.String";
+	if (designType === Boolean) return "Edm.Boolean";
+	if (designType === Date) return "Edm.DateTimeOffset";
+	return applyUnmappedStrategy(columnType, unmappedTypeStrategy);
+}
+function applyUnmappedStrategy(columnType, strategy) {
+	if (strategy === "skip") return;
+	if (strategy === "string-fallback") return "Edm.String";
+	throw new Error(`Column type '${columnType}' cannot be mapped to an OData v4 EDM primitive type. Use @EdmType() decorator to specify the type explicitly, or change the unmappedTypeStrategy.`);
+}
+//#endregion
+//#region src/deriver/typeorm-edm-deriver.ts
+/**
+* TypeOrmEdmDeriver — derives OData v4 EdmEntityConfig[] from TypeORM EntityMetadata.
+*
+* Respects OData decorators: @EdmType, @ODataExclude, @ODataEntitySet.
+* Detects ViewEntity and marks them read-only.
+* Navigation property types are always namespace-qualified (e.g., 'Default.Category').
+*
+* CRITICAL: Never produces Edm.DateTime — all datetime-like types produce Edm.DateTimeOffset.
+*
+* Usage (runtime):
+*   const deriver = new TypeOrmEdmDeriver('Default', 'skip')
+*   // When called by the module, metadatas come from the registered DataSource
+*
+* Usage (testing):
+*   deriver.deriveEntityTypes([Product], dataSource.entityMetadatas)
+*/
+var TypeOrmEdmDeriver = class {
+	constructor(namespace, unmappedTypeStrategy) {
+		this.namespace = namespace;
+		this.unmappedTypeStrategy = unmappedTypeStrategy;
+	}
+	deriveEntityTypes(entityClasses, entityMetadatas = []) {
+		return entityClasses.map((entityClass) => this.deriveEntity(entityClass, entityMetadatas)).filter((config) => config !== null);
+	}
+	deriveEntity(entityClass, entityMetadatas) {
+		const meta = entityMetadatas.find((m) => m.target === entityClass);
+		if (!meta) return null;
+		const excludedProps = getExcludedProperties(entityClass);
+		const edmTypeOverrides = getEdmTypeOverrides(entityClass);
+		const customSetName = getEntitySetName(entityClass);
+		const properties = this.deriveProperties(meta, excludedProps, edmTypeOverrides);
+		const navigationProperties = this.deriveNavigationProperties(meta);
+		const keyProperties = meta.primaryColumns.map((c) => c.propertyName);
+		const entitySetName = customSetName ?? pluralizeEntityName(meta.name);
+		const isReadOnly = meta.tableType === "view";
+		return {
+			entityTypeName: meta.name,
+			entitySetName,
+			properties,
+			navigationProperties,
+			keyProperties,
+			isReadOnly
+		};
+	}
+	deriveProperties(meta, excludedProps, edmTypeOverrides) {
+		return meta.columns.filter((col) => !excludedProps.has(col.propertyName)).reduce((acc, col) => {
+			const override = edmTypeOverrides[col.propertyName];
+			if (override) {
+				acc.push({
+					name: col.propertyName,
+					type: override.type,
+					nullable: col.isNullable,
+					...override.precision !== void 0 ? { precision: override.precision } : {},
+					...override.scale !== void 0 ? { scale: override.scale } : {},
+					...override.maxLength !== void 0 ? { maxLength: override.maxLength } : {}
+				});
+				return acc;
+			}
+			const isConstructor = typeof col.type === "function";
+			const edmType = mapColumnTypeToEdm(typeof col.type === "string" ? col.type : "", isConstructor ? col.type : void 0, this.unmappedTypeStrategy);
+			if (edmType === void 0) return acc;
+			acc.push({
+				name: col.propertyName,
+				type: edmType,
+				nullable: col.isNullable,
+				...col.precision !== void 0 && col.precision !== null ? { precision: col.precision } : {},
+				...col.scale !== void 0 && col.scale !== null ? { scale: col.scale } : {},
+				...col.length ? { maxLength: typeof col.length === "string" ? parseInt(col.length, 10) : col.length } : {}
+			});
+			return acc;
+		}, []);
+	}
+	deriveNavigationProperties(meta) {
+		return meta.relations.map((rel) => {
+			const isCollection = rel.isOneToMany || rel.isManyToMany;
+			const targetName = typeof rel.type === "string" ? rel.type : rel.type.name ?? String(rel.type);
+			const type = isCollection ? `Collection(${this.namespace}.${targetName})` : `${this.namespace}.${targetName}`;
+			return {
+				name: rel.propertyName,
+				type,
+				nullable: !isCollection,
+				isCollection
+			};
+		});
+	}
+};
+//#endregion
+//#region src/translator/filter-visitor.ts
+/** Map of OData comparison operators to SQL operators */
+const COMPARISON_OPS = {
+	eq: "=",
+	ne: "!=",
+	lt: "<",
+	le: "<=",
+	gt: ">",
+	ge: ">="
+};
+/** Map of OData scalar function names to SQL function names */
+const SCALAR_FUNCTIONS = {
+	length: "LENGTH",
+	tolower: "LOWER",
+	toupper: "UPPER",
+	trim: "TRIM"
+};
+/** Map of OData arithmetic operators to SQL operators */
+const ARITH_OPS = {
+	add: "+",
+	sub: "-",
+	mul: "*",
+	div: "/",
+	divby: "/",
+	mod: "%"
+};
+/** SQLite strftime format strings for date/time functions */
+const DATE_STRFTIME = {
+	year: "%Y",
+	month: "%m",
+	day: "%d",
+	hour: "%H",
+	minute: "%M",
+	second: "%S"
+};
+/** ANSI/Postgres EXTRACT field names for date/time functions */
+const DATE_EXTRACT = {
+	year: "YEAR",
+	month: "MONTH",
+	day: "DAY",
+	hour: "HOUR",
+	minute: "MINUTE",
+	second: "SECOND"
+};
+/**
+* TypeOrmFilterVisitor — translates an OData filter AST into TypeORM
+* SelectQueryBuilder.andWhere() calls with named parameters.
+*
+* All literal values are bound via named parameters (:p1, :p2, ...) — zero
+* string interpolation in WHERE clauses (T-03-04 mitigation).
+*
+* LIKE special characters (%, _) are escaped before use in contains/startswith/endswith
+* to prevent wildcard injection (T-03-05 mitigation).
+*
+* Per SEC-04: Tracks filter AST nesting depth and throws ODataValidationError when
+* depth exceeds maxFilterDepth. Prevents pathological filter expressions.
+*/
+var TypeOrmFilterVisitor = class TypeOrmFilterVisitor {
+	/** Shared param counter — passed between sibling visitors for unique names */
+	paramCount = 0;
+	/** Current nesting depth — propagated to sub-visitors for or branches */
+	currentDepth = 0;
+	/** Accumulated params from resolveExpression (e.g. arithmetic operands) to merge into andWhere */
+	pendingParams = {};
+	constructor(qb, alias, entityType, maxFilterDepth = 10, dialect = "ansi", repo) {
+		this.qb = qb;
+		this.alias = alias;
+		this.entityType = entityType;
+		this.maxFilterDepth = maxFilterDepth;
+		this.dialect = dialect;
+		this.repo = repo;
+	}
+	/** Entry point: dispatch the root FilterNode to the appropriate visit method */
+	visit(node) {
+		acceptVisitor(node, this);
+	}
+	visitBinaryExpr(node) {
+		this.currentDepth++;
+		if (this.currentDepth > this.maxFilterDepth) throw new ODataValidationError(`$filter nesting depth ${this.currentDepth} exceeds maximum of ${this.maxFilterDepth}`, this.entityType.name, "$filter");
+		const { operator, left, right } = node;
+		if (operator === "and") {
+			acceptVisitor(left, this);
+			acceptVisitor(right, this);
+			this.currentDepth--;
+			return;
+		}
+		if (operator === "or") {
+			const depthAtEntry = this.currentDepth;
+			this.qb.andWhere(new Brackets((qb) => {
+				const leftVisitor = new TypeOrmFilterVisitor(qb, this.alias, this.entityType, this.maxFilterDepth, this.dialect, this.repo);
+				leftVisitor.paramCount = this.paramCount;
+				leftVisitor.currentDepth = depthAtEntry;
+				acceptVisitor(left, leftVisitor);
+				this.paramCount = leftVisitor.paramCount;
+				const rightVisitor = new TypeOrmFilterVisitor(qb, this.alias, this.entityType, this.maxFilterDepth, this.dialect, this.repo);
+				rightVisitor.paramCount = this.paramCount;
+				rightVisitor.currentDepth = depthAtEntry;
+				acceptVisitor(right, rightVisitor);
+				this.paramCount = rightVisitor.paramCount;
+			}));
+			this.currentDepth--;
+			return;
+		}
+		const sqlOp = COMPARISON_OPS[operator];
+		if (sqlOp) {
+			this.pendingParams = {};
+			const leftExpr = this.resolveExpression(left);
+			const paramName = this.nextParam();
+			const literalValue = this.extractLiteralValue(right);
+			const allParams = {
+				...this.pendingParams,
+				[paramName]: literalValue
+			};
+			this.pendingParams = {};
+			this.qb.andWhere(`${leftExpr} ${sqlOp} :${paramName}`, allParams);
+			this.currentDepth--;
+			return;
+		}
+		this.currentDepth--;
+	}
+	visitUnaryExpr(node) {
+		if (node.operator === "not") {
+			const { expr, params, finalCount } = new InnerFilterExprBuilder(this.alias, this.entityType, this.paramCount, this.dialect).build(node.operand);
+			this.paramCount = finalCount;
+			this.qb.andWhere(`NOT (${expr})`, params);
+		}
+	}
+	visitFunctionCall(node) {
+		const name = node.name.toLowerCase();
+		if (name === "contains" || name === "startswith" || name === "endswith") {
+			this.applyLikeFunction(name, node);
+			return;
+		}
+	}
+	visitLambdaExpr(node) {
+		if (!this.repo) return;
+		const relation = this.repo.metadata.relations.find((r) => r.propertyName.toLowerCase() === node.collection.toLowerCase());
+		if (!relation) return;
+		if (relation.relationType === "many-to-many") throw new ODataValidationError(`Lambda expressions on ManyToMany relations are not supported`, this.entityType.name, "$filter");
+		if (node.operator === "all" && !node.predicate) return;
+		this.paramCount++;
+		const subAlias = `${node.variable ?? "sub"}_lambda_${this.paramCount}`;
+		const targetTable = relation.inverseEntityMetadata.tableName;
+		const fkCol = relation.inverseRelation?.joinColumns[0]?.databaseName ?? relation.joinColumns[0]?.databaseName ?? "id";
+		const pkCol = this.repo.metadata.primaryColumns[0]?.databaseName ?? "id";
+		if (node.operator === "any") this.buildAnyClause(node, subAlias, targetTable, fkCol, pkCol);
+		else this.buildAllClause(node, subAlias, targetTable, fkCol, pkCol);
+	}
+	buildAnyClause(node, subAlias, targetTable, fkCol, pkCol) {
+		const correlate = `${subAlias}.${fkCol} = ${this.alias}.${pkCol}`;
+		if (!node.predicate) {
+			this.qb.andWhere(`EXISTS (SELECT 1 FROM "${targetTable}" ${subAlias} WHERE ${correlate})`);
+			return;
+		}
+		const result = new InnerFilterExprBuilder(subAlias, this.entityType, this.paramCount, this.dialect).build(node.predicate);
+		this.paramCount = result.finalCount;
+		this.qb.andWhere(`EXISTS (SELECT 1 FROM "${targetTable}" ${subAlias} WHERE ${correlate} AND ${result.expr})`, result.params);
+	}
+	buildAllClause(node, subAlias, targetTable, fkCol, pkCol) {
+		const result = new InnerFilterExprBuilder(subAlias, this.entityType, this.paramCount, this.dialect).build(node.predicate);
+		this.paramCount = result.finalCount;
+		const correlate = `${subAlias}.${fkCol} = ${this.alias}.${pkCol}`;
+		this.qb.andWhere(`NOT EXISTS (SELECT 1 FROM "${targetTable}" ${subAlias} WHERE ${correlate} AND NOT (${result.expr}))`, result.params);
+	}
+	visitPropertyAccess(_node) {}
+	visitLiteral(_node) {}
+	nextParam() {
+		this.paramCount++;
+		return `p${this.paramCount}`;
+	}
+	/**
+	* Resolve a FilterNode to an SQL expression string (left side of comparison).
+	* Handles PropertyAccessNode (column ref) and scalar FunctionCallNode (LENGTH, LOWER, etc.).
+	*/
+	resolveExpression(node) {
+		if (node.kind === "PropertyAccess") return `${this.alias}.${node.path[0]}`;
+		if (node.kind === "BinaryExpr") {
+			const sqlArith = ARITH_OPS[node.operator];
+			if (sqlArith) return `(${this.resolveExpression(node.left)} ${sqlArith} ${this.resolveArithOperand(node.right)})`;
+		}
+		if (node.kind === "FunctionCall") {
+			const fnName = node.name.toLowerCase();
+			const dateResult = this.resolveDateFunction(fnName, node);
+			if (dateResult !== null) return dateResult;
+			const strResult = this.resolveStringFunction(fnName, node);
+			if (strResult !== null) return strResult;
+			const sqlFn = SCALAR_FUNCTIONS[fnName];
+			if (sqlFn && node.args.length >= 1) return `${sqlFn}(${this.resolveExpression(node.args[0])})`;
+		}
+		if (node.kind === "Literal") {
+			const paramName = this.nextParam();
+			this.pendingParams[paramName] = node.value;
+			return `:${paramName}`;
+		}
+		return "";
+	}
+	/** Resolve date/time function to dialect-correct SQL. Returns null if not a date function. */
+	resolveDateFunction(fnName, node) {
+		const strftimeFmt = DATE_STRFTIME[fnName];
+		const extractField = DATE_EXTRACT[fnName];
+		if (!strftimeFmt || !extractField) return null;
+		const inner = this.resolveExpression(node.args[0]);
+		if (this.dialect === "sqlite") return `CAST(strftime('${strftimeFmt}', ${inner}) AS INTEGER)`;
+		return `EXTRACT(${extractField} FROM ${inner})`;
+	}
+	/** Bind an arithmetic operand: Literal nodes become named params; others recurse. */
+	resolveArithOperand(node) {
+		if (node.kind === "Literal") {
+			const paramName = this.nextParam();
+			this.pendingParams[paramName] = node.value;
+			return `:${paramName}`;
+		}
+		return this.resolveExpression(node);
+	}
+	/** Resolve indexof/substring/concat to parameterized SQL. Returns null if not a string fn. */
+	resolveStringFunction(fnName, node) {
+		if (fnName === "indexof" && node.args.length >= 2) {
+			const str = this.resolveExpression(node.args[0]);
+			const subParam = this.nextParam();
+			this.pendingParams[subParam] = node.args[1].value;
+			return `${this.dialect === "sqlite" ? "INSTR" : "STRPOS"}(${str}, :${subParam}) - 1`;
+		}
+		if (fnName === "substring" && node.args.length >= 2) {
+			const str = this.resolveExpression(node.args[0]);
+			const startParam = this.nextParam();
+			this.pendingParams[startParam] = node.args[1].value + 1;
+			if (node.args.length >= 3) {
+				const lenParam = this.nextParam();
+				this.pendingParams[lenParam] = node.args[2].value;
+				return `SUBSTR(${str}, :${startParam}, :${lenParam})`;
+			}
+			return `SUBSTR(${str}, :${startParam})`;
+		}
+		if (fnName === "concat" && node.args.length >= 2) return `${this.resolveExpression(node.args[0])} || ${this.resolveExpression(node.args[1])}`;
+		return null;
+	}
+	/** Extract the raw JS value from a LiteralNode */
+	extractLiteralValue(node) {
+		if (node.kind === "Literal") return node.value;
+		return null;
+	}
+	/** Apply a LIKE function (contains, startswith, endswith) with escaped value */
+	applyLikeFunction(name, node) {
+		const prop = this.resolveExpression(node.args[0]);
+		const rawValue = String(this.extractLiteralValue(node.args[1]) ?? "");
+		const escaped = this.escapeLike(rawValue);
+		let pattern;
+		if (name === "contains") pattern = `%${escaped}%`;
+		else if (name === "startswith") pattern = `${escaped}%`;
+		else pattern = `%${escaped}`;
+		const paramName = this.nextParam();
+		this.qb.andWhere(`${prop} LIKE :${paramName}`, { [paramName]: pattern });
+	}
+	/**
+	* Escape LIKE special characters to prevent wildcard injection (T-03-05).
+	* % -> \%, _ -> \_
+	*/
+	escapeLike(value) {
+		return value.replace(/\\/g, "\\\\").replace(/%/g, "\\%").replace(/_/g, "\\_");
+	}
+};
+/**
+* Helper class that builds an SQL expression string from a FilterNode subtree
+* without directly calling qb.andWhere(). Used for NOT(...) wrapping.
+*/
+var InnerFilterExprBuilder = class {
+	paramCount;
+	params = {};
+	constructor(alias, entityType, startCount, dialect = "ansi") {
+		this.alias = alias;
+		this.entityType = entityType;
+		this.dialect = dialect;
+		this.paramCount = startCount;
+	}
+	build(node) {
+		return {
+			expr: this.buildExpr(node),
+			params: this.params,
+			finalCount: this.paramCount
+		};
+	}
+	buildExpr(node) {
+		if (node.kind === "BinaryExpr") {
+			const sqlArith = ARITH_OPS[node.operator];
+			if (sqlArith) return `(${this.buildExpr(node.left)} ${sqlArith} ${this.resolveArithOperand(node.right)})`;
+			const sqlOp = COMPARISON_OPS[node.operator];
+			if (sqlOp) return `${this.buildExpr(node.left)} ${sqlOp} ${this.buildExpr(node.right)}`;
+		}
+		if (node.kind === "FunctionCall") {
+			const name = node.name.toLowerCase();
+			if (name === "contains" || name === "startswith" || name === "endswith") {
+				const prop = this.buildExpr(node.args[0]);
+				const escaped = String(node.args[1]?.kind === "Literal" ? node.args[1].value : "").replace(/\\/g, "\\\\").replace(/%/g, "\\%").replace(/_/g, "\\_");
+				let pattern;
+				if (name === "contains") pattern = `%${escaped}%`;
+				else if (name === "startswith") pattern = `${escaped}%`;
+				else pattern = `%${escaped}`;
+				this.paramCount++;
+				const paramName = `p${this.paramCount}`;
+				this.params[paramName] = pattern;
+				return `${prop} LIKE :${paramName}`;
+			}
+			const dateResult = this.resolveDateFunction(name, node);
+			if (dateResult !== null) return dateResult;
+			const strResult = this.resolveStringFunction(name, node);
+			if (strResult !== null) return strResult;
+			const sqlFn = SCALAR_FUNCTIONS[name];
+			if (sqlFn && node.args.length >= 1) return `${sqlFn}(${this.buildExpr(node.args[0])})`;
+		}
+		if (node.kind === "PropertyAccess") return `${this.alias}.${node.path[0]}`;
+		if (node.kind === "Literal") {
+			this.paramCount++;
+			const paramName = `p${this.paramCount}`;
+			this.params[paramName] = node.value;
+			return `:${paramName}`;
+		}
+		return "";
+	}
+	/** Resolve date/time function to dialect-correct SQL. Returns null if not a date function. */
+	resolveDateFunction(fnName, node) {
+		const strftimeFmt = DATE_STRFTIME[fnName];
+		const extractField = DATE_EXTRACT[fnName];
+		if (!strftimeFmt || !extractField) return null;
+		const inner = this.buildExpr(node.args[0]);
+		if (this.dialect === "sqlite") return `CAST(strftime('${strftimeFmt}', ${inner}) AS INTEGER)`;
+		return `EXTRACT(${extractField} FROM ${inner})`;
+	}
+	/** Resolve indexof/substring/concat to parameterized SQL. Returns null if not a string fn. */
+	resolveStringFunction(fnName, node) {
+		if (fnName === "indexof" && node.args.length >= 2) {
+			const str = this.buildExpr(node.args[0]);
+			this.paramCount++;
+			const subParam = `p${this.paramCount}`;
+			this.params[subParam] = node.args[1].value;
+			return `${this.dialect === "sqlite" ? "INSTR" : "STRPOS"}(${str}, :${subParam}) - 1`;
+		}
+		if (fnName === "substring" && node.args.length >= 2) {
+			const str = this.buildExpr(node.args[0]);
+			this.paramCount++;
+			const startParam = `p${this.paramCount}`;
+			this.params[startParam] = node.args[1].value + 1;
+			if (node.args.length >= 3) {
+				this.paramCount++;
+				const lenParam = `p${this.paramCount}`;
+				this.params[lenParam] = node.args[2].value;
+				return `SUBSTR(${str}, :${startParam}, :${lenParam})`;
+			}
+			return `SUBSTR(${str}, :${startParam})`;
+		}
+		if (fnName === "concat" && node.args.length >= 2) return `${this.buildExpr(node.args[0])} || ${this.buildExpr(node.args[1])}`;
+		return null;
+	}
+	/** Bind an arithmetic operand: Literal nodes become named params; others recurse via buildExpr. */
+	resolveArithOperand(node) {
+		if (node.kind === "Literal") {
+			this.paramCount++;
+			const paramName = `p${this.paramCount}`;
+			this.params[paramName] = node.value;
+			return `:${paramName}`;
+		}
+		return this.buildExpr(node);
+	}
+};
+//#endregion
+//#region src/translator/select-visitor.ts
+/**
+* TypeOrmSelectVisitor — translates an OData $select node into a TypeORM
+* SelectQueryBuilder.select() call.
+*
+* Key properties (primary keys) are always included in the projection even if
+* not in the $select list (T-03-06 mitigation — avoids identity column gaps).
+*/
+var TypeOrmSelectVisitor = class {
+	constructor(qb, alias, entityType) {
+		this.qb = qb;
+		this.alias = alias;
+		this.entityType = entityType;
+	}
+	/**
+	* Apply the $select projection to the QueryBuilder.
+	*
+	* - If select.all is true or select.items is absent/empty, do nothing (return all columns).
+	* - Otherwise, build a deduplicated column list and call qb.select().
+	*/
+	apply(select) {
+		if (select.all || !select.items?.length) return;
+		const columns = select.items.map((item) => `${this.alias}.${item.path[0]}`);
+		for (const key of this.entityType.keyProperties) columns.push(`${this.alias}.${key}`);
+		const seen = /* @__PURE__ */ new Set();
+		const deduplicated = columns.filter((col) => {
+			if (seen.has(col)) return false;
+			seen.add(col);
+			return true;
+		});
+		this.qb.select(deduplicated);
+	}
+};
+//#endregion
+//#region src/translator/orderby-visitor.ts
+/**
+* TypeOrmOrderByVisitor — translates OData $orderby items into TypeORM
+* QueryBuilder.orderBy() / addOrderBy() calls.
+*/
+var TypeOrmOrderByVisitor = class {
+	constructor(qb, alias) {
+		this.qb = qb;
+		this.alias = alias;
+	}
+	/**
+	* Apply $orderby items to the QueryBuilder.
+	* First item uses orderBy(), subsequent items use addOrderBy().
+	*/
+	apply(items) {
+		if (!items.length) return;
+		for (let i = 0; i < items.length; i++) {
+			const item = items[i];
+			const propertyName = this.resolvePropertyName(item);
+			const direction = item.direction.toUpperCase();
+			const column = `${this.alias}.${propertyName}`;
+			if (i === 0) this.qb.orderBy(column, direction);
+			else this.qb.addOrderBy(column, direction);
+		}
+	}
+	resolvePropertyName(item) {
+		const expr = item.expression;
+		if (expr.kind === "PropertyAccess") return expr.path[0];
+		return "";
+	}
+};
+//#endregion
+//#region src/translator/pagination-visitor.ts
+/**
+* TypeOrmPaginationVisitor — applies OData $top/$skip pagination to a TypeORM
+* SelectQueryBuilder via take() and skip().
+*/
+var TypeOrmPaginationVisitor = class {
+	constructor(qb) {
+		this.qb = qb;
+	}
+	/**
+	* Apply pagination to the QueryBuilder.
+	*
+	* - top=0 is valid (returns empty result set) — applies take(0)
+	* - undefined values are skipped (no call made)
+	*/
+	paginate(top, skip) {
+		if (top !== void 0) this.qb.take(top);
+		if (skip !== void 0) this.qb.skip(skip);
+	}
+};
+//#endregion
+//#region src/translator/expand-visitor.ts
+/**
+* TypeOrmExpandVisitor — translates $expand AST nodes into TypeORM
+* leftJoinAndSelect calls. Supports nested expand with depth tracking.
+*
+* Per D-09: Uses JOINs, NOT lazy loading — one SQL query.
+* Per D-07: Enforces maxExpandDepth.
+* Per D-10: Validates navigation property names against EDM.
+* Per D-13: Records $top/$skip per expand item in expandPaginationMap for
+*   post-JOIN in-memory slicing by TypeOrmQueryTranslator after getMany().
+*
+* Alias convention: `{parentAlias}_{navigationProperty}` — unique per level
+* to prevent TypeORM alias collision when the same nav prop appears at
+* different tree paths.
+*/
+var TypeOrmExpandVisitor = class {
+	/**
+	* Records per-navigation-property $top/$skip values for post-JOIN slicing.
+	* Populated during apply() calls. Consumed by TypeOrmQueryTranslator after
+	* getMany() via applyExpandPagination().
+	*/
+	expandPaginationMap = /* @__PURE__ */ new Map();
+	constructor(qb, edmRegistry, maxExpandDepth) {
+		this.qb = qb;
+		this.edmRegistry = edmRegistry;
+		this.maxExpandDepth = maxExpandDepth;
+	}
+	/**
+	* Apply an ExpandNode to the SelectQueryBuilder starting from parentAlias.
+	*
+	* @param expandNode   - The $expand AST node to process
+	* @param parentAlias  - The QueryBuilder alias for the parent entity (e.g. 'entity')
+	* @param entityType   - EDM entity type of the parent (for validation)
+	* @param currentDepth - Current recursion depth (0 = top-level expand)
+	*/
+	apply(expandNode, parentAlias, entityType, currentDepth) {
+		if (currentDepth >= this.maxExpandDepth) throw new ODataValidationError(`$expand depth limit of ${this.maxExpandDepth} exceeded`, entityType.name, "$expand");
+		for (const item of expandNode.items) this.applyExpandItem(item, parentAlias, entityType, currentDepth);
+	}
+	applyExpandItem(item, parentAlias, entityType, currentDepth) {
+		const navProp = entityType.navigationProperties.find((np) => np.name === item.navigationProperty);
+		if (!navProp) throw new ODataValidationError(`'${item.navigationProperty}' is not a navigation property of '${entityType.name}'`, entityType.name, item.navigationProperty);
+		const joinAlias = `${parentAlias}_${item.navigationProperty}`;
+		this.qb.leftJoinAndSelect(`${parentAlias}.${item.navigationProperty}`, joinAlias);
+		const targetEntityType = this.edmRegistry.getEntityType(navProp.type);
+		if (item.filter && targetEntityType) new TypeOrmFilterVisitor(this.qb, joinAlias, targetEntityType).visit(item.filter);
+		if (item.select && targetEntityType) new TypeOrmSelectVisitor(this.qb, joinAlias, targetEntityType).apply(item.select);
+		if (item.orderBy?.length) new TypeOrmOrderByVisitor(this.qb, joinAlias).apply(item.orderBy);
+		if ((item.top !== void 0 || item.skip !== void 0) && navProp.isCollection) this.expandPaginationMap.set(item.navigationProperty, {
+			skip: item.skip,
+			top: item.top
+		});
+		if (item.expand && targetEntityType) this.apply(item.expand, joinAlias, targetEntityType, currentDepth + 1);
+	}
+};
+//#endregion
+//#region src/translator/apply-visitor.ts
+/**
+* TypeOrmApplyVisitor — translates an OData $apply pipeline AST into
+* TypeORM SelectQueryBuilder GROUP BY / aggregate SQL.
+*
+* Handles three step types in pipeline order:
+* - ApplyFilter: delegates to TypeOrmFilterVisitor (adds WHERE clause)
+* - ApplyGroupBy: adds GROUP BY columns + aggregate SELECT expressions
+* - ApplyAggregate: adds aggregate SELECT expressions (no GROUP BY)
+*
+* Security: aggregate property names validated against AggregateExpression.method
+* enum (constrained by parser); aliases validated by parser regex before SQL use.
+* No user input is directly interpolated into SQL — property/alias names come
+* from the validated AST (T-11-05 mitigation).
+*
+* Returns projected column names (for @odata.context URL construction).
+*/
+var TypeOrmApplyVisitor = class {
+	constructor(qb, alias, entityType, maxFilterDepth = 10, dialect = "ansi", repo) {
+		this.qb = qb;
+		this.alias = alias;
+		this.entityType = entityType;
+		this.maxFilterDepth = maxFilterDepth;
+		this.dialect = dialect;
+		this.repo = repo;
+	}
+	/**
+	* Process all steps in an $apply pipeline in order.
+	* Returns all projected column names for @odata.context construction.
+	*/
+	apply(applyNode) {
+		const projectedColumns = [];
+		for (const step of applyNode.steps) {
+			const stepColumns = this.applyStep(step);
+			projectedColumns.push(...stepColumns);
+		}
+		return projectedColumns;
+	}
+	applyStep(step) {
+		switch (step.kind) {
+			case "ApplyFilter": return this.applyFilterStep(step.filter);
+			case "ApplyGroupBy": return this.applyGroupByStep(step.properties, step.aggregate);
+			case "ApplyAggregate": return this.applyAggregateStep(step.expressions);
+		}
+	}
+	/**
+	* ApplyFilter step — delegates to TypeOrmFilterVisitor.
+	* Adds WHERE clause to the query. Returns no projected columns.
+	*/
+	applyFilterStep(filter) {
+		new TypeOrmFilterVisitor(this.qb, this.alias, this.entityType, this.maxFilterDepth, this.dialect, this.repo).visit(filter);
+		return [];
+	}
+	/**
+	* ApplyGroupBy step — adds GROUP BY columns and optional aggregate expressions.
+	* Clears existing SELECT first (replaces entity.* with explicit projections).
+	*/
+	applyGroupByStep(properties, aggregate) {
+		const projectedColumns = [];
+		this.qb.select([]);
+		for (const prop of properties) {
+			this.qb.addSelect(`${this.alias}.${prop}`, prop);
+			this.qb.addGroupBy(`${this.alias}.${prop}`);
+			projectedColumns.push(prop);
+		}
+		if (aggregate) for (const expr of aggregate) {
+			const sqlExpr = this.buildAggregateSql(expr);
+			this.qb.addSelect(sqlExpr, expr.alias);
+			projectedColumns.push(expr.alias);
+		}
+		return projectedColumns;
+	}
+	/**
+	* ApplyAggregate step (no GROUP BY) — adds aggregate SELECT expressions.
+	* Clears existing SELECT first (replaces entity.* with explicit projections).
+	*/
+	applyAggregateStep(expressions) {
+		const projectedColumns = [];
+		this.qb.select([]);
+		for (const expr of expressions) {
+			const sqlExpr = this.buildAggregateSql(expr);
+			this.qb.addSelect(sqlExpr, expr.alias);
+			projectedColumns.push(expr.alias);
+		}
+		return projectedColumns;
+	}
+	/**
+	* Build the SQL aggregate function expression for a single AggregateExpression.
+	*
+	* Method mapping:
+	* - count with $count property => COUNT(*)
+	* - count with field => COUNT(alias.field)
+	* - sum => SUM(alias.field)
+	* - avg => AVG(alias.field)
+	* - min => MIN(alias.field)
+	* - max => MAX(alias.field)
+	* - countdistinct => COUNT(DISTINCT alias.field)
+	*/
+	buildAggregateSql(expr) {
+		const { property, method } = expr;
+		switch (method) {
+			case "count": return property === "$count" ? "COUNT(*)" : `COUNT(${this.alias}.${property})`;
+			case "sum": return `SUM(${this.alias}.${property})`;
+			case "avg": return `AVG(${this.alias}.${property})`;
+			case "min": return `MIN(${this.alias}.${property})`;
+			case "max": return `MAX(${this.alias}.${property})`;
+			case "countdistinct": return `COUNT(DISTINCT ${this.alias}.${property})`;
+		}
+	}
+};
+//#endregion
+//#region src/translator/expand-pagination.ts
+/**
+* Apply post-JOIN pagination to expanded collections.
+*
+* TypeORM hydrates relations as JavaScript arrays. After getMany(),
+* this function slices each expanded collection by the per-expand-item
+* $top/$skip values recorded during ExpandVisitor traversal.
+*
+* Per D-13: In-memory slicing is the v1 approach. Acceptable for
+* single-level expand pagination. Total result set is already bounded
+* by maxTop and maxExpandDepth before slicing occurs (T-05-10 accept).
+*
+* Mutates items in-place — the hydrated array is replaced with the sliced
+* version. This avoids allocating a new top-level array.
+*/
+function applyExpandPagination(items, paginationMap) {
+	for (const [navProp, { skip = 0, top }] of paginationMap.entries()) for (const item of items) {
+		const related = item[navProp];
+		if (Array.isArray(related)) item[navProp] = related.slice(skip, top !== void 0 ? skip + top : void 0);
+	}
+}
+//#endregion
+//#region \0@oxc-project+runtime@0.122.0/helpers/decorateMetadata.js
+function __decorateMetadata(k, v) {
+	if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+//#endregion
+//#region \0@oxc-project+runtime@0.122.0/helpers/decorateParam.js
+function __decorateParam(paramIndex, decorator) {
+	return function(target, key) {
+		decorator(target, key, paramIndex);
+	};
+}
+//#endregion
+//#region \0@oxc-project+runtime@0.122.0/helpers/decorate.js
+function __decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+//#endregion
+//#region src/translator/typeorm-query-translator.ts
+var _ref$5;
+let TypeOrmQueryTranslator = class TypeOrmQueryTranslator {
+	constructor(repo, edmRegistry, options, searchProvider) {
+		this.repo = repo;
+		this.edmRegistry = edmRegistry;
+		this.options = options;
+		this.searchProvider = searchProvider;
+	}
+	/**
+	* Translate an ODataQuery AST into a TypeORM SelectQueryBuilder.
+	* Also returns the expandPaginationMap for post-JOIN slicing (D-13).
+	* Does not execute the query — call execute() for DB access.
+	*/
+	translate(query, entityType) {
+		const alias = "entity";
+		const qb = this.repo.createQueryBuilder(alias);
+		const dbType = this.repo.manager.connection.options.type;
+		const dialect = dbType === "sqlite" || dbType === "postgres" ? dbType : "ansi";
+		if (query.filter) new TypeOrmFilterVisitor(qb, alias, entityType, this.options.maxFilterDepth, dialect, this.repo).visit(query.filter);
+		if (query.search && this.searchProvider) {
+			const searchResult = this.searchProvider.buildSearchCondition(query.search, query.entitySetName, alias);
+			if (searchResult) qb.andWhere(searchResult.condition, searchResult.params);
+		}
+		let applyProperties;
+		if (query.apply) applyProperties = new TypeOrmApplyVisitor(qb, alias, entityType, this.options.maxFilterDepth, dialect, this.repo).apply(query.apply);
+		if (!query.apply) {
+			if (query.select) new TypeOrmSelectVisitor(qb, alias, entityType).apply(query.select);
+			if (query.orderBy?.length) new TypeOrmOrderByVisitor(qb, alias).apply(query.orderBy);
+		}
+		new TypeOrmPaginationVisitor(qb).paginate(query.top, query.skip);
+		let expandPaginationMap = /* @__PURE__ */ new Map();
+		if (!query.apply && query.expand) {
+			const expandVisitor = new TypeOrmExpandVisitor(qb, this.edmRegistry, this.options.maxExpandDepth);
+			expandVisitor.apply(query.expand, alias, entityType, 0);
+			expandPaginationMap = expandVisitor.expandPaginationMap;
+		}
+		return {
+			qb,
+			expandPaginationMap,
+			applyProperties
+		};
+	}
+	/**
+	* Execute the translated SelectQueryBuilder and return structured results.
+	* Applies post-JOIN in-memory expand pagination after getMany() (D-13).
+	* When $apply is present, uses getRawMany() to preserve aggregate aliases.
+	*
+	* @param translateResult - The result from translate() (qb + expandPaginationMap)
+	* @param includeCount - If true, uses getManyAndCount() to include total count
+	*/
+	async execute(translateResult, includeCount) {
+		let qb;
+		let expandPaginationMap;
+		let applyProperties;
+		if ("qb" in translateResult && "expandPaginationMap" in translateResult) {
+			qb = translateResult.qb;
+			expandPaginationMap = translateResult.expandPaginationMap;
+			applyProperties = translateResult.applyProperties;
+		} else {
+			qb = translateResult;
+			expandPaginationMap = /* @__PURE__ */ new Map();
+		}
+		if (applyProperties !== void 0) {
+			if (includeCount) {
+				const items = await qb.getRawMany();
+				return {
+					items,
+					count: items.length,
+					isAggregated: true,
+					applyProperties
+				};
+			}
+			return {
+				items: await qb.getRawMany(),
+				isAggregated: true,
+				applyProperties
+			};
+		}
+		if (includeCount) {
+			const [items, count] = await qb.getManyAndCount();
+			applyExpandPagination(items, expandPaginationMap);
+			return {
+				items,
+				count
+			};
+		}
+		const items = await qb.getMany();
+		applyExpandPagination(items, expandPaginationMap);
+		return { items };
+	}
+};
+TypeOrmQueryTranslator = __decorate([
+	Injectable(),
+	__decorateParam(2, Inject(ODATA_MODULE_OPTIONS)),
+	__decorateParam(3, Optional()),
+	__decorateParam(3, Inject(SEARCH_PROVIDER)),
+	__decorateMetadata("design:paramtypes", [
+		Object,
+		typeof (_ref$5 = typeof EdmRegistry !== "undefined" && EdmRegistry) === "function" ? _ref$5 : Object,
+		Object,
+		Object
+	])
+], TypeOrmQueryTranslator);
+//#endregion
+//#region src/translator/typeorm-auto-handler.ts
+var _ref$4, _ref2$2;
+let TypeOrmAutoHandler = class TypeOrmAutoHandler {
+	constructor(translator, edmRegistry, options, repo, etagProvider, dataSource) {
+		this.translator = translator;
+		this.edmRegistry = edmRegistry;
+		this.options = options;
+		this.repo = repo;
+		this.etagProvider = etagProvider;
+		this.dataSource = dataSource;
+	}
+	/**
+	* Resolve EdmEntityType from the registry at request time.
+	* Throws if the entity set is not registered.
+	*/
+	resolveEntityType(entitySetName) {
+		const entitySet = this.edmRegistry.getEntitySet(entitySetName);
+		if (!entitySet) throw new Error(`ODataAutoHandler: entity set '${entitySetName}' not found in EdmRegistry`);
+		const entityType = this.edmRegistry.getEntityType(entitySet.entityTypeName);
+		if (!entityType) throw new Error(`ODataAutoHandler: entity type '${entitySet.entityTypeName}' not found in EdmRegistry`);
+		return entityType;
+	}
+	/**
+	* Handle an OData GET collection request.
+	*
+	* Strategy:
+	*  1. Resolve EdmEntityType via EdmRegistry
+	*  2. Determine effectiveTop (query.top ?? maxTop), clamped to maxTop
+	*  3. Build a modified query with top=effectiveTop+1 to detect next page
+	*  4. Translate to SelectQueryBuilder
+	*  5. Execute (with or without count per query.count)
+	*  6. Check if items.length > effectiveTop (has more pages)
+	*  7. If yes: slice to effectiveTop, build nextLink; otherwise: no nextLink
+	*
+	* @param query - Validated ODataQuery from ODataQueryPipe
+	* @param requestUrl - Base URL of the request for nextLink construction
+	*/
+	async handleGet(query, requestUrl) {
+		const entityType = this.resolveEntityType(query.entitySetName);
+		const maxTop = this.options.maxTop ?? 1e3;
+		const effectiveTop = Math.min(query.top ?? maxTop, maxTop);
+		const fetchQuery = {
+			...query,
+			top: effectiveTop + 1
+		};
+		const translateResult = this.translator.translate(fetchQuery, entityType);
+		const includeCount = query.count === true;
+		const rawResult = await this.translator.execute(translateResult, includeCount);
+		const items = rawResult.items;
+		const hasMore = items.length > effectiveTop;
+		const slicedItems = hasMore ? items.slice(0, effectiveTop) : items;
+		let nextLink;
+		if (hasMore) {
+			const currentSkip = query.skip ?? 0;
+			nextLink = this.buildNextLink(requestUrl, currentSkip + effectiveTop, effectiveTop);
+		}
+		return {
+			items: slicedItems,
+			count: rawResult.count,
+			nextLink,
+			select: query.select,
+			isAggregated: rawResult.isAggregated,
+			applyProperties: rawResult.applyProperties
+		};
+	}
+	/**
+	* Handle an OData $count route.
+	*
+	* Per Pitfall 3: strips $top/$skip/$orderby/$select from the query so count
+	* returns total matching rows for the filter, not just the current page count.
+	*
+	* @param query - Validated ODataQuery from ODataQueryPipe
+	*/
+	async handleCount(query) {
+		const entityType = this.resolveEntityType(query.entitySetName);
+		const countQuery = {
+			entitySetName: query.entitySetName,
+			filter: query.filter
+		};
+		const { qb } = this.translator.translate(countQuery, entityType);
+		return qb.getCount();
+	}
+	/**
+	* Build an OData nextLink URL with updated $skip and $top parameters.
+	*
+	* @param requestUrl - The current request URL (may contain existing query params)
+	* @param newSkip - The new $skip value for the next page
+	* @param top - The page size ($top value)
+	*/
+	buildNextLink(requestUrl, newSkip, top) {
+		let baseUrl;
+		let searchStr;
+		const qIndex = requestUrl.indexOf("?");
+		if (qIndex !== -1) {
+			baseUrl = requestUrl.slice(0, qIndex);
+			searchStr = requestUrl.slice(qIndex + 1);
+		} else {
+			baseUrl = requestUrl;
+			searchStr = "";
+		}
+		const params = /* @__PURE__ */ new Map();
+		if (searchStr) for (const part of searchStr.split("&")) {
+			const eqIdx = part.indexOf("=");
+			if (eqIdx !== -1) params.set(decodeURIComponent(part.slice(0, eqIdx)), decodeURIComponent(part.slice(eqIdx + 1)));
+		}
+		params.set("$skip", String(newSkip));
+		params.set("$top", String(top));
+		const queryParts = [];
+		for (const [key, val] of params.entries()) queryParts.push(`${key}=${encodeURIComponent(val)}`);
+		return `${baseUrl}?${queryParts.join("&")}`;
+	}
+	/**
+	* Handle OData GET by key — single entity retrieval.
+	*
+	* Per D-05: returns single entity, throws NotFoundException if not found.
+	* Per D-02: key is parsed from parenthetical format.
+	* Per T-04-08: parseODataKey returns typed values used in parameterized where clause.
+	* Per T-09-05: If-None-Match header supported — returns { __notModified, etag } signal when matched.
+	*/
+	async handleGetByKey(keyStr, entitySetName, ifNoneMatchHeader) {
+		const where = parseODataKey(keyStr, this.resolveEntityType(entitySetName).keyProperties);
+		const entity = await this.repo.findOne({ where });
+		if (!entity) throw new NotFoundException(`Entity '${entitySetName}' with key '${keyStr}' not found`);
+		if (this.etagProvider) {
+			const etagColumn = this.etagProvider.getETagColumn(entitySetName);
+			if (etagColumn) {
+				const currentEtag = this.etagProvider.computeETag(entity, etagColumn);
+				const entityWithEtag = {
+					...entity,
+					__etag: currentEtag
+				};
+				if (ifNoneMatchHeader && this.etagProvider.validateIfMatch(ifNoneMatchHeader, entity, etagColumn)) return {
+					__notModified: true,
+					etag: currentEtag
+				};
+				return entityWithEtag;
+			}
+		}
+		return entity;
+	}
+	/**
+	* Handle OData POST — create entity.
+	*
+	* Per D-03: returns 201 + Location header + created entity.
+	* Returns { entity, locationUrl } for the interceptor to set the Location header.
+	* Per T-04-07: TypeORM repo.create() only maps declared columns — unknown fields ignored.
+	* Per T-04-11: entity class acts as whitelist, preventing mass assignment.
+	*/
+	async handleCreate(body, entitySetName) {
+		const entityType = this.resolveEntityType(entitySetName);
+		const created = this.repo.create(body);
+		const saved = await this.repo.save(created);
+		const keyStr = entityType.keyProperties.map((kp) => {
+			const val = saved[kp];
+			return entityType.keyProperties.length === 1 ? String(val) : `${kp}=${String(val)}`;
+		}).join(",");
+		return {
+			entity: saved,
+			locationUrl: `${this.options.serviceRoot}/${entitySetName}(${keyStr})`
+		};
+	}
+	/**
+	* Handle OData POST with deep insert — create parent and nested children atomically.
+	*
+	* Per D-02 (deep insert): navigation property keys in the body identify child collections.
+	* All saves occur within the provided EntityManager (transaction scope).
+	*
+	* Per T-10-05: depth is checked before recursion — throws 400 if depth >= maxDeepInsertDepth.
+	* Per T-10-06: TypeORM repo.create() only maps declared columns — mass assignment safe.
+	*
+	* @param body - Request body (scalar fields + optional navigation property arrays)
+	* @param entitySetName - OData entity set name (e.g. 'Orders')
+	* @param manager - Transaction-scoped EntityManager
+	* @param depth - Current recursion depth (default 0)
+	*/
+	async handleDeepCreate(body, entitySetName, manager, depth = 0) {
+		const maxDepth = this.options.maxDeepInsertDepth ?? 5;
+		if (depth >= maxDepth) throw new HttpException({ error: {
+			code: "400",
+			message: `Deep insert exceeds maxDeepInsertDepth (${maxDepth})`
+		} }, 400);
+		const entityType = this.resolveEntityType(entitySetName);
+		const navPropNames = new Set(entityType.navigationProperties.map((p) => p.name));
+		const scalarBody = {};
+		const navData = {};
+		for (const [key, value] of Object.entries(body)) if (navPropNames.has(key) && Array.isArray(value)) navData[key] = value;
+		else if (!navPropNames.has(key)) scalarBody[key] = value;
+		const parentRepo = manager.getRepository(this.repo.target);
+		const parentCreated = parentRepo.create(scalarBody);
+		const savedParent = await parentRepo.save(parentCreated);
+		const parentKeyValue = savedParent[entityType.keyProperties[0] ?? "id"];
+		for (const [navPropName, childItems] of Object.entries(navData)) {
+			const navProp = entityType.navigationProperties.find((p) => p.name === navPropName);
+			if (!navProp) continue;
+			let rawType = navProp.type;
+			if (rawType.startsWith("Collection(") && rawType.endsWith(")")) rawType = rawType.slice(11, -1);
+			const childTypeName = rawType.split(".").pop() ?? rawType;
+			if (![...this.edmRegistry.getEntitySets().values()].find((es) => es.entityTypeName === childTypeName)) throw new HttpException({ error: {
+				code: "400",
+				message: `Deep insert: cannot resolve entity set for navigation property '${navPropName}' (type '${childTypeName}')`
+			} }, 400);
+			let fkColumnName;
+			if (this.dataSource) try {
+				const relation = this.dataSource.getMetadata(this.repo.target).relations.find((r) => r.propertyName === navPropName);
+				if (relation?.inverseRelation?.joinColumns?.[0]?.propertyName) fkColumnName = relation.inverseRelation.joinColumns[0].propertyName;
+			} catch {}
+			if (!fkColumnName) {
+				const singularParent = entitySetName.endsWith("s") ? entitySetName.slice(0, -1) : entitySetName;
+				fkColumnName = `${singularParent.charAt(0).toLowerCase()}${singularParent.slice(1)}Id`;
+			}
+			const childEntityClass = this.dataSource ? this.resolveEntityClassFromDataSource(childTypeName) : void 0;
+			for (let index = 0; index < childItems.length; index++) {
+				const childBody = {
+					...childItems[index],
+					[fkColumnName]: parentKeyValue
+				};
+				try {
+					if (childEntityClass) {
+						const childRepo = manager.getRepository(childEntityClass);
+						const childCreated = childRepo.create(childBody);
+						await childRepo.save(childCreated);
+					} else throw new Error(`Cannot resolve entity class for '${childTypeName}' — DataSource not available`);
+				} catch (err) {
+					const message = err instanceof Error ? err.message : String(err);
+					throw new HttpException({ error: {
+						code: "400",
+						message: `Deep insert failed at '${navPropName}[${index}]': ${message}`
+					} }, 400);
+				}
+			}
+		}
+		const keyStr = entityType.keyProperties.map((kp) => {
+			const val = savedParent[kp];
+			return entityType.keyProperties.length === 1 ? String(val) : `${kp}=${String(val)}`;
+		}).join(",");
+		return {
+			entity: savedParent,
+			locationUrl: `${this.options.serviceRoot}/${entitySetName}(${keyStr})`
+		};
+	}
+	/**
+	* Resolve a TypeORM entity class from an EDM entity type name.
+	* Requires DataSource to be provided.
+	*/
+	resolveEntityClassFromDataSource(entityTypeName) {
+		if (!this.dataSource) return void 0;
+		for (const meta of this.dataSource.entityMetadatas) if (meta.name === entityTypeName) return meta.target;
+	}
+	/**
+	* Handle OData PATCH — partial update (merge-patch semantics).
+	*
+	* Per D-01: send only changed fields, server merges with existing entity.
+	* Per Pitfall 4: checks preload result for undefined (entity not found case).
+	* Per T-04-08: parseODataKey returns typed values for safe parameterized queries.
+	* Per T-09-04: If-Match header enforces optimistic concurrency — 412 on stale ETag.
+	*/
+	async handleUpdate(keyStr, body, entitySetName, ifMatchHeader) {
+		const where = parseODataKey(keyStr, this.resolveEntityType(entitySetName).keyProperties);
+		if (this.etagProvider && ifMatchHeader) {
+			const etagColumn = this.etagProvider.getETagColumn(entitySetName);
+			if (etagColumn) {
+				const current = await this.repo.findOne({ where });
+				if (!current) throw new NotFoundException(`Entity '${entitySetName}' with key '${keyStr}' not found`);
+				if (!this.etagProvider.validateIfMatch(ifMatchHeader, current, etagColumn)) throw new HttpException({ error: {
+					code: "412",
+					message: "The ETag value does not match the current version of the entity"
+				} }, 412);
+			}
+		}
+		const merged = {
+			...where,
+			...body
+		};
+		const preloaded = await this.repo.preload(merged);
+		if (!preloaded) throw new NotFoundException(`Entity '${entitySetName}' with key '${keyStr}' not found`);
+		return this.repo.save(preloaded);
+	}
+	/**
+	* Handle OData PUT — full entity replacement.
+	*
+	* Per D-01 (OData v4 spec): PUT replaces ALL entity properties.
+	* Unspecified fields reset to column defaults (null for nullable, default value otherwise).
+	* This is distinct from PATCH merge semantics.
+	*
+	* Implementation:
+	*  1. Parse key from URL
+	*  2. Validate body key matches URL key (reject 400 on mismatch)
+	*  3. Find existing entity — throw 404 if not found
+	*  4. Validate ETag If-Match (412 on mismatch)
+	*  5. Build full replacement using repo.metadata.columns:
+	*     - Skip isPrimary, isCreateDate, isUpdateDate, isVersion columns
+	*     - body value > column default > null (if nullable) > absent
+	*  6. Save and return
+	*
+	* Per T-10-01: body key mismatch rejected before DB write.
+	* Per T-10-02: repo.create() only maps declared entity columns — mass assignment safe.
+	* Per T-10-03: managed columns (PK, timestamps, version) skipped.
+	* Per T-10-04: ETag If-Match enforcement identical to handleUpdate().
+	*/
+	async handleReplace(keyStr, body, entitySetName, ifMatchHeader) {
+		const entityType = this.resolveEntityType(entitySetName);
+		const where = parseODataKey(keyStr, entityType.keyProperties);
+		for (const kp of entityType.keyProperties) {
+			const bodyKeyValue = body[kp];
+			const urlKeyValue = where[kp];
+			if (bodyKeyValue !== void 0 && bodyKeyValue !== urlKeyValue) throw new HttpException({ error: {
+				code: "400",
+				message: "Key in body does not match URL key"
+			} }, 400);
+		}
+		const existing = await this.repo.findOne({ where });
+		if (!existing) throw new NotFoundException(`Entity '${entitySetName}' with key '${keyStr}' not found`);
+		if (this.etagProvider && ifMatchHeader) {
+			const etagColumn = this.etagProvider.getETagColumn(entitySetName);
+			if (etagColumn) {
+				if (!this.etagProvider.validateIfMatch(ifMatchHeader, existing, etagColumn)) throw new HttpException({ error: {
+					code: "412",
+					message: "The ETag value does not match the current version of the entity"
+				} }, 412);
+			}
+		}
+		const replacement = {};
+		for (const kp of entityType.keyProperties) replacement[kp] = where[kp];
+		for (const col of this.repo.metadata.columns) {
+			if (col.isPrimary) continue;
+			if (col.isCreateDate || col.isUpdateDate || col.isVersion) continue;
+			const propName = col.propertyName;
+			if (Object.prototype.hasOwnProperty.call(body, propName)) replacement[propName] = body[propName];
+			else if (col.default !== void 0) replacement[propName] = col.default;
+			else if (col.isNullable) replacement[propName] = null;
+		}
+		const entity = this.repo.create(replacement);
+		return this.repo.save(entity);
+	}
+	/**
+	* Handle OData DELETE — remove entity.
+	*
+	* Per D-04: returns 204 No Content (void return value).
+	* Per T-04-08: parseODataKey returns typed values for safe parameterized queries.
+	* Per T-09-04: If-Match header enforces optimistic concurrency — 412 on stale ETag.
+	*/
+	async handleDelete(keyStr, entitySetName, ifMatchHeader) {
+		const where = parseODataKey(keyStr, this.resolveEntityType(entitySetName).keyProperties);
+		if (this.etagProvider && ifMatchHeader) {
+			const etagColumn = this.etagProvider.getETagColumn(entitySetName);
+			if (etagColumn) {
+				const current = await this.repo.findOne({ where });
+				if (!current) throw new NotFoundException(`Entity '${entitySetName}' with key '${keyStr}' not found`);
+				if (!this.etagProvider.validateIfMatch(ifMatchHeader, current, etagColumn)) throw new HttpException({ error: {
+					code: "412",
+					message: "The ETag value does not match the current version of the entity"
+				} }, 412);
+			}
+		}
+		if ((await this.repo.delete(where)).affected === 0) throw new NotFoundException(`Entity '${entitySetName}' with key '${keyStr}' not found`);
+	}
+};
+TypeOrmAutoHandler = __decorate([
+	Injectable(),
+	__decorateParam(2, Inject(ODATA_MODULE_OPTIONS)),
+	__decorateParam(4, Optional()),
+	__decorateParam(4, Inject(ETAG_PROVIDER)),
+	__decorateMetadata("design:paramtypes", [
+		typeof (_ref$4 = typeof TypeOrmQueryTranslator !== "undefined" && TypeOrmQueryTranslator) === "function" ? _ref$4 : Object,
+		typeof (_ref2$2 = typeof EdmRegistry !== "undefined" && EdmRegistry) === "function" ? _ref2$2 : Object,
+		Object,
+		Object,
+		Object,
+		Object
+	])
+], TypeOrmAutoHandler);
+//#endregion
+//#region src/etag/typeorm-etag.provider.ts
+var _ref$3;
+let TypeOrmETagProvider = class TypeOrmETagProvider {
+	cache = /* @__PURE__ */ new Map();
+	constructor(dataSource, edmRegistry) {
+		this.dataSource = dataSource;
+		this.edmRegistry = edmRegistry;
+	}
+	/**
+	* Get the ETag column name for an entity set.
+	* Returns undefined if neither @ODataETag nor @UpdateDateColumn is found.
+	* Results are cached to avoid repeated metadata reflection.
+	*/
+	getETagColumn(entitySetName) {
+		if (this.cache.has(entitySetName)) return this.cache.get(entitySetName) ?? void 0;
+		const column = this.resolveETagColumn(entitySetName);
+		this.cache.set(entitySetName, column ?? null);
+		return column;
+	}
+	/**
+	* Compute a weak ETag string from an entity's ETag column value.
+	* Format: W/"<base64-encoded string value>"
+	*/
+	computeETag(entity, etagColumn) {
+		const value = entity[etagColumn];
+		let stringValue;
+		if (value instanceof Date) stringValue = value.toISOString();
+		else stringValue = String(value);
+		return `W/"${Buffer.from(stringValue).toString("base64")}"`;
+	}
+	/**
+	* Validate an If-Match header value against the current entity.
+	* Returns true if the ETag matches (safe to proceed with mutation).
+	*/
+	validateIfMatch(ifMatchValue, entity, etagColumn) {
+		const current = this.computeETag(entity, etagColumn);
+		const normalize = (s) => s.trim().replace(/^W\//, "").replace(/^"(.*)"$/, "$1");
+		return normalize(current) === normalize(ifMatchValue);
+	}
+	resolveETagColumn(entitySetName) {
+		const entitySet = this.edmRegistry.getEntitySet(entitySetName);
+		if (!entitySet) return void 0;
+		const entityTypeName = entitySet.entityTypeName;
+		const meta = this.dataSource.entityMetadatas.find((m) => m.name === entityTypeName);
+		if (!meta) return void 0;
+		const entityClass = meta.target;
+		if (typeof entityClass !== "function") return void 0;
+		const explicitProperty = getETagProperty(entityClass);
+		if (explicitProperty) return explicitProperty;
+		const updateDateCol = meta.columns.find((c) => c.isUpdateDate);
+		if (updateDateCol) return updateDateCol.propertyName;
+	}
+};
+TypeOrmETagProvider = __decorate([Injectable(), __decorateMetadata("design:paramtypes", [Object, typeof (_ref$3 = typeof EdmRegistry !== "undefined" && EdmRegistry) === "function" ? _ref$3 : Object])], TypeOrmETagProvider);
+//#endregion
+//#region src/translator/search-provider.ts
+var _ref$2;
+let TypeOrmSearchProvider = class TypeOrmSearchProvider {
+	constructor(dataSource, edmRegistry) {
+		this.dataSource = dataSource;
+		this.edmRegistry = edmRegistry;
+	}
+	/**
+	* Build a parameterized WHERE condition from a parsed $search AST node.
+	*
+	* @param searchNode - Parsed $search expression
+	* @param entitySetName - OData entity set name being searched
+	* @param alias - TypeORM QueryBuilder alias for the entity table
+	* @returns Condition string + named params, or null if unable to build
+	*/
+	buildSearchCondition(searchNode, entitySetName, alias) {
+		const entityClass = this.resolveEntityClass(entitySetName);
+		const searchableFields = entityClass ? getSearchableProperties(entityClass) : [];
+		if (searchableFields.length === 0) throw new ODataValidationError(`No searchable fields configured for entity set '${entitySetName}'. Use @ODataSearchable() decorator on entity properties.`, entitySetName, "$search");
+		const params = {};
+		let paramCounter = 0;
+		const buildCondition = (node) => {
+			if (node.kind === "SearchTerm") return this.buildTermCondition(node, searchableFields, alias, params, paramCounter++);
+			return this.buildBinaryCondition(node, buildCondition);
+		};
+		return {
+			condition: buildCondition(searchNode),
+			params
+		};
+	}
+	/**
+	* Resolve the entity class from the EdmRegistry and DataSource metadata.
+	*/
+	resolveEntityClass(entitySetName) {
+		const entitySet = this.edmRegistry.getEntitySet(entitySetName);
+		if (!entitySet) return null;
+		const meta = this.dataSource.entityMetadatas.find((m) => m.name === entitySet.entityTypeName);
+		if (!meta) return null;
+		const entityClass = meta.target;
+		if (typeof entityClass !== "function") return null;
+		return entityClass;
+	}
+	/**
+	* Build a single LIKE condition for a search term across all searchable fields.
+	* Fields are OR'd together: (alias.f1 LIKE :p OR alias.f2 LIKE :p)
+	* Negated terms are wrapped: NOT (...)
+	*/
+	buildTermCondition(node, searchableFields, alias, params, index) {
+		const paramName = `search_${index}`;
+		params[paramName] = `%${this.escapeLike(node.value)}%`;
+		const inner = `(${searchableFields.map((field) => `${alias}.${field} LIKE :${paramName}`).join(" OR ")})`;
+		return node.negated ? `NOT ${inner}` : inner;
+	}
+	/**
+	* Build a binary AND/OR condition combining two recursively-built conditions.
+	*/
+	buildBinaryCondition(node, buildCondition) {
+		const leftCond = buildCondition(node.left);
+		const rightCond = buildCondition(node.right);
+		return `(${leftCond} ${node.operator} ${rightCond})`;
+	}
+	/**
+	* Escape LIKE special characters to prevent wildcard injection (T-11-04).
+	* % -> \%, _ -> \_
+	*/
+	escapeLike(value) {
+		return value.replace(/\\/g, "\\\\").replace(/%/g, "\\%").replace(/_/g, "\\_");
+	}
+};
+TypeOrmSearchProvider = __decorate([Injectable(), __decorateMetadata("design:paramtypes", [Object, typeof (_ref$2 = typeof EdmRegistry !== "undefined" && EdmRegistry) === "function" ? _ref$2 : Object])], TypeOrmSearchProvider);
+//#endregion
+//#region src/odata-typeorm.module.ts
+var _ref$1, _ref2$1, _ODataTypeOrmModule;
+/**
+* DI injection token for the array of TypeORM entity classes
+* registered via ODataTypeOrmModule.forFeature().
+*/
+const TYPEORM_ODATA_ENTITIES = Symbol("TYPEORM_ODATA_ENTITIES");
+let TypeOrmEdmInitializer = class TypeOrmEdmInitializer {
+	constructor(dataSource, edmRegistry, options, entityClasses) {
+		this.dataSource = dataSource;
+		this.edmRegistry = edmRegistry;
+		this.options = options;
+		this.entityClasses = entityClasses;
+	}
+	onModuleInit() {
+		const deriver = new TypeOrmEdmDeriver(this.options.namespace ?? "Default", this.options.unmappedTypeStrategy ?? "skip");
+		const metadatas = this.entityClasses.map((cls) => this.dataSource.getMetadata(cls));
+		const configs = deriver.deriveEntityTypes(this.entityClasses, metadatas);
+		for (const config of configs) {
+			const namespace = this.options.namespace ?? "Default";
+			const entityType = {
+				name: config.entityTypeName,
+				namespace,
+				properties: config.properties,
+				navigationProperties: config.navigationProperties,
+				keyProperties: config.keyProperties,
+				isReadOnly: config.isReadOnly
+			};
+			const entitySet = {
+				name: config.entitySetName,
+				entityTypeName: config.entityTypeName,
+				namespace,
+				isReadOnly: config.isReadOnly
+			};
+			this.edmRegistry.register(entityType, entitySet);
+		}
+	}
+};
+TypeOrmEdmInitializer = __decorate([
+	Injectable(),
+	__decorateParam(2, Inject(ODATA_MODULE_OPTIONS)),
+	__decorateParam(3, Inject(TYPEORM_ODATA_ENTITIES)),
+	__decorateMetadata("design:paramtypes", [
+		typeof (_ref$1 = typeof DataSource !== "undefined" && DataSource) === "function" ? _ref$1 : Object,
+		typeof (_ref2$1 = typeof EdmRegistry !== "undefined" && EdmRegistry) === "function" ? _ref2$1 : Object,
+		Object,
+		Array
+	])
+], TypeOrmEdmInitializer);
+let ODataTypeOrmModule = _ODataTypeOrmModule = class ODataTypeOrmModule {
+	/**
+	* Register TypeORM entity classes for OData auto-derivation.
+	*
+	* @param entities - Array of TypeORM entity classes (decorated with @Entity())
+	* @returns DynamicModule that imports TypeOrmModule.forFeature, provides TYPEORM_ODATA_ENTITIES,
+	*          and wires TypeOrmEdmInitializer to populate the EdmRegistry at onModuleInit
+	*/
+	static forFeature(entities, options) {
+		const serviceRoot = options?.serviceRoot ?? ODataModule.registeredServiceRoot ?? "odata";
+		const root = serviceRoot.startsWith("/") ? serviceRoot.slice(1) : serviceRoot;
+		Reflect.defineMetadata(PATH_METADATA, root, BatchController);
+		return {
+			module: _ODataTypeOrmModule,
+			imports: [TypeOrmModule.forFeature(entities)],
+			controllers: [BatchController],
+			providers: [
+				{
+					provide: TYPEORM_ODATA_ENTITIES,
+					useValue: entities
+				},
+				TypeOrmEdmInitializer,
+				{
+					provide: TypeOrmSearchProvider,
+					useFactory: (dataSource, edmRegistry) => {
+						return new TypeOrmSearchProvider(dataSource, edmRegistry);
+					},
+					inject: [DataSource, EdmRegistry]
+				},
+				{
+					provide: SEARCH_PROVIDER,
+					useExisting: TypeOrmSearchProvider
+				},
+				{
+					provide: TypeOrmQueryTranslator,
+					useFactory: (dataSource, edmRegistry, options, searchProvider) => {
+						const firstEntity = entities[0];
+						if (!firstEntity) throw new Error("ODataTypeOrmModule.forFeature() requires at least one entity class");
+						return new TypeOrmQueryTranslator(dataSource.getRepository(firstEntity), edmRegistry, options, searchProvider);
+					},
+					inject: [
+						DataSource,
+						EdmRegistry,
+						ODATA_MODULE_OPTIONS,
+						{
+							token: SEARCH_PROVIDER,
+							optional: true
+						}
+					]
+				},
+				{
+					provide: TypeOrmETagProvider,
+					useFactory: (dataSource, edmRegistry) => {
+						return new TypeOrmETagProvider(dataSource, edmRegistry);
+					},
+					inject: [DataSource, EdmRegistry]
+				},
+				{
+					provide: ETAG_PROVIDER,
+					useExisting: TypeOrmETagProvider
+				},
+				{
+					provide: TypeOrmAutoHandler,
+					useFactory: (translator, edmRegistry, options, dataSource, etagProvider) => {
+						const firstEntity = entities[0];
+						if (!firstEntity) throw new Error("ODataTypeOrmModule.forFeature() requires at least one entity class");
+						return new TypeOrmAutoHandler(translator, edmRegistry, options, dataSource.getRepository(firstEntity), etagProvider, dataSource);
+					},
+					inject: [
+						TypeOrmQueryTranslator,
+						EdmRegistry,
+						ODATA_MODULE_OPTIONS,
+						DataSource,
+						TypeOrmETagProvider
+					]
+				}
+			],
+			exports: [
+				TYPEORM_ODATA_ENTITIES,
+				TypeOrmQueryTranslator,
+				TypeOrmAutoHandler,
+				TypeOrmETagProvider,
+				ETAG_PROVIDER,
+				TypeOrmSearchProvider,
+				SEARCH_PROVIDER
+			]
+		};
+	}
+};
+ODataTypeOrmModule = _ODataTypeOrmModule = __decorate([Module({})], ODataTypeOrmModule);
+//#endregion
+//#region src/batch/batch-controller.ts
+/**
+* OData v4 $batch endpoint controller.
+*
+* Accepts POST /$batch with a multipart/mixed body containing multiple
+* OData operations. Dispatches each sub-request to the appropriate CRUD
+* handler. Wraps changesets in TypeORM QueryRunner transactions for
+* atomicity (D-02, BATCH-02).
+*
+* Security:
+*   T-05-01: Boundary validation delegated to parseBatchBody (throws 400).
+*   T-05-02: MAX_BATCH_OPERATIONS limit enforced by parseBatchBody.
+*   T-05-03: Sub-request URLs parsed via regex — never passed to shell/eval.
+*   T-05-05: Error responses use OData error format, no stack traces.
+*/
+var _ref, _ref2;
+/**
+* Internal error used to signal a failed changeset operation so the
+* QueryRunner transaction can be rolled back.
+* Carries the status code and serialized body from the failed operation.
+*/
+var ChangesetOperationError = class extends Error {
+	constructor(statusCode, body) {
+		super(`Changeset operation failed with status ${statusCode}`);
+		this.statusCode = statusCode;
+		this.body = body;
+		this.name = "ChangesetOperationError";
+		Object.setPrototypeOf(this, new.target.prototype);
+	}
+};
+/**
+* Build an OData error response body (T-05-05).
+* Never exposes stack traces or internal server details.
+*/
+function buildODataError(code, message) {
+	return JSON.stringify({ error: {
+		code,
+		message,
+		details: []
+	} });
+}
+/**
+* Map HTTP status to OData error code string.
+*/
+function statusToCode(status) {
+	return {
+		400: "BadRequest",
+		401: "Unauthorized",
+		403: "Forbidden",
+		404: "NotFound",
+		409: "Conflict",
+		500: "InternalServerError"
+	}[status] ?? "Error";
+}
+/**
+* Parse entity set name and optional key from a sub-request URL.
+*
+* Strategy:
+*   1. Strip query string first.
+*   2. Try to match last segment with key: /EntitySet(key) at path end.
+*   3. Fall back to matching last path segment (no key).
+*
+* Per T-05-03: URL parsing is regex-based, never used for shell/eval.
+*
+* Returns null if the URL cannot be parsed.
+*/
+function parseEntityUrl(url) {
+	const pathOnly = url.split("?")[0];
+	const withKeyMatch = /\/([A-Za-z][A-Za-z0-9_]*)\(([^)]*)\)$/.exec(pathOnly);
+	if (withKeyMatch) return {
+		entitySetName: withKeyMatch[1] ?? "",
+		key: withKeyMatch[2]
+	};
+	const withoutKeyMatch = /\/([A-Za-z][A-Za-z0-9_]*)$/.exec(pathOnly);
+	if (withoutKeyMatch) return {
+		entitySetName: withoutKeyMatch[1] ?? "",
+		key: void 0
+	};
+	return null;
+}
+let BatchController = class BatchController {
+	constructor(dataSource, edmRegistry, options, entityClasses) {
+		this.dataSource = dataSource;
+		this.edmRegistry = edmRegistry;
+		this.options = options;
+		this.entityClasses = entityClasses;
+	}
+	/**
+	* POST {serviceRoot}/$batch
+	*
+	* Reads raw body (must be pre-configured with body-parser for text/plain or rawBody),
+	* parses multipart/mixed, dispatches sub-requests, builds multipart response.
+	*/
+	async handleBatch(req, res) {
+		let rawBody;
+		try {
+			rawBody = await this.extractRawBody(req);
+		} catch (err) {
+			res.status(HttpStatus.BAD_REQUEST).json({ error: {
+				code: "BadRequest",
+				message: String(err),
+				details: []
+			} });
+			return;
+		}
+		const contentTypeHeader = req.headers["content-type"];
+		const contentType = (Array.isArray(contentTypeHeader) ? contentTypeHeader[0] : contentTypeHeader) ?? "";
+		let boundary;
+		try {
+			boundary = extractBoundary(contentType);
+		} catch {
+			res.status(HttpStatus.BAD_REQUEST).json({ error: {
+				code: "BadRequest",
+				message: "Missing or invalid boundary in Content-Type for $batch request",
+				details: []
+			} });
+			return;
+		}
+		let parsed;
+		try {
+			parsed = parseBatchBody(rawBody, boundary);
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : "Malformed batch body";
+			res.status(HttpStatus.BAD_REQUEST).json({ error: {
+				code: "BadRequest",
+				message: msg,
+				details: []
+			} });
+			return;
+		}
+		const responseParts = [];
+		for (const part of parsed.parts) if (part.kind === "request") {
+			const responsePart = await this.dispatchIndividualRequest(part);
+			responseParts.push(responsePart);
+		} else if (part.kind === "changeset") {
+			const changesetParts = await this.executeChangeset(part.parts);
+			responseParts.push(...changesetParts);
+		}
+		const { contentType: responseContentType, body } = buildBatchResponse(responseParts);
+		res.status(HttpStatus.OK).set("Content-Type", responseContentType).send(body);
+	}
+	/**
+	* Extract the raw body string from the request.
+	*
+	* Tries multiple strategies in order:
+	*   1. req.body as string (if a text/plain body parser ran first)
+	*   2. req.rawBody Buffer (NestJS rawBody: true option)
+	*   3. Read directly from the Node.js request stream (multipart/mixed fallback)
+	*      This works because $batch sends multipart/mixed which no standard body
+	*      parser processes, leaving the stream unconsumed.
+	*/
+	extractRawBody(req) {
+		if (typeof req.body === "string" && req.body.length > 0) return req.body;
+		const rawBodyProp = req.rawBody;
+		if (rawBodyProp !== void 0) return typeof rawBodyProp === "string" ? rawBodyProp : rawBodyProp.toString("utf-8");
+		return new Promise((resolve, reject) => {
+			const chunks = [];
+			req.on("data", (chunk) => chunks.push(chunk));
+			req.on("end", () => resolve(Buffer.concat(chunks).toString("utf-8")));
+			req.on("error", reject);
+		});
+	}
+	/**
+	* Dispatch a single individual request (outside a changeset).
+	* Failures are caught and returned as per-operation error responses (BATCH-03).
+	*/
+	async dispatchIndividualRequest(part) {
+		try {
+			return await this.dispatchWithManager(part, this.dataSource.manager);
+		} catch (err) {
+			return this.buildErrorResponse(err, part.contentId);
+		}
+	}
+	/**
+	* Execute all operations in a changeset within a single QueryRunner transaction.
+	* If any operation fails, all are rolled back (BATCH-02).
+	*
+	* Per D-02: full changeset rollback on any failure.
+	* Per WRITE-03 / T-10-08: contentIdMap is local to each changeset call — never leaks across changesets.
+	*/
+	async executeChangeset(parts) {
+		const queryRunner = this.dataSource.createQueryRunner();
+		await queryRunner.connect();
+		await queryRunner.startTransaction();
+		const contentIdMap = /* @__PURE__ */ new Map();
+		try {
+			const results = [];
+			for (const part of parts) {
+				const resolvedPart = this.resolveContentIdReferences(part, contentIdMap);
+				const result = await this.dispatchWithManager(resolvedPart, queryRunner.manager);
+				results.push(result);
+				if (result.statusCode >= 400) throw new ChangesetOperationError(result.statusCode, result.body ?? "Operation failed");
+				const location = result.headers["location"];
+				if (result.statusCode === 201 && location && part.contentId !== void 0) contentIdMap.set(part.contentId, location);
+			}
+			await queryRunner.commitTransaction();
+			return results;
+		} catch (err) {
+			await queryRunner.rollbackTransaction();
+			const errorResponse = err instanceof ChangesetOperationError ? {
+				statusCode: err.statusCode,
+				headers: {},
+				body: err.body
+			} : this.buildErrorResponse(err);
+			return parts.map((p) => ({
+				...errorResponse,
+				contentId: p.contentId
+			}));
+		} finally {
+			await queryRunner.release();
+		}
+	}
+	/**
+	* Resolve Content-ID references ($N) in a BatchRequestPart's URL and body.
+	*
+	* Per WRITE-03: $N in a URL or body is substituted with the location URL recorded
+	* for content ID N from a prior 201 response in the same changeset.
+	*
+	* Fast path: returns the original part unchanged when contentIdMap is empty or
+	* no $N patterns match (avoids unnecessary object allocation).
+	*
+	* Per immutability rules: never mutates the readonly BatchRequestPart — returns a new object.
+	* Per T-10-07: substitution uses only URLs already in contentIdMap (populated by our own
+	* 201 responses) — no code evaluation, no cross-changeset leak.
+	*/
+	resolveContentIdReferences(part, contentIdMap) {
+		if (contentIdMap.size === 0) return part;
+		let url = part.url;
+		let body = part.body;
+		for (const [id, resolvedUrl] of contentIdMap) {
+			const urlPattern = new RegExp(`\\$${id}(?=[/?#]|$)`, "g");
+			url = url.replace(urlPattern, resolvedUrl);
+			if (body) {
+				const bodyPattern = new RegExp(`\\$${id}(?=\\D|$)`, "g");
+				body = body.replace(bodyPattern, resolvedUrl);
+			}
+		}
+		if (url === part.url && body === part.body) return part;
+		return {
+			...part,
+			url,
+			...body !== part.body ? { body } : {}
+		};
+	}
+	/**
+	* Dispatch a parsed sub-request to the appropriate handler using the given EntityManager.
+	* Uses the EntityManager so changesets can use a transaction-scoped manager.
+	*
+	* Per T-05-03: URL parsing is regex-based, entity operations go through TypeORM parameterized queries.
+	*/
+	async dispatchWithManager(part, manager) {
+		const parsed = parseEntityUrl(part.url);
+		if (!parsed) return {
+			contentId: part.contentId,
+			statusCode: 400,
+			headers: {},
+			body: buildODataError("BadRequest", `Cannot parse entity URL: ${part.url}`)
+		};
+		const { entitySetName, key } = parsed;
+		const entitySet = this.edmRegistry.getEntitySet(entitySetName);
+		if (!entitySet) return {
+			contentId: part.contentId,
+			statusCode: 404,
+			headers: {},
+			body: buildODataError("NotFound", `Entity set '${entitySetName}' not found`)
+		};
+		const entityType = this.edmRegistry.getEntityType(entitySet.entityTypeName);
+		if (!entityType) return {
+			contentId: part.contentId,
+			statusCode: 404,
+			headers: {},
+			body: buildODataError("NotFound", `Entity type '${entitySet.entityTypeName}' not found`)
+		};
+		const entityClass = this.resolveEntityClass(entityType.name);
+		if (!entityClass) return {
+			contentId: part.contentId,
+			statusCode: 500,
+			headers: {},
+			body: buildODataError("InternalServerError", `Entity class not found for '${entityType.name}'`)
+		};
+		const method = part.method.toUpperCase();
+		try {
+			if (method === "GET") {
+				if (key !== void 0) return await this.dispatchGetByKey(key, entitySetName, entityType.keyProperties, entityClass, manager, part.contentId);
+				return await this.dispatchGetCollection(entityClass, manager, part.contentId);
+			} else if (method === "POST") return await this.dispatchCreate(part, entitySetName, entityType.keyProperties, entityClass, manager);
+			else if (method === "PATCH") {
+				if (key === void 0) return {
+					contentId: part.contentId,
+					statusCode: 400,
+					headers: {},
+					body: buildODataError("BadRequest", `PATCH requires a key: ${part.url}`)
+				};
+				return await this.dispatchUpdate(key, part, entitySetName, entityType.keyProperties, entityClass, manager);
+			} else if (method === "PUT") {
+				if (key === void 0) return {
+					contentId: part.contentId,
+					statusCode: 400,
+					headers: {},
+					body: buildODataError("BadRequest", `PUT requires a key: ${part.url}`)
+				};
+				return await this.dispatchReplace(key, part, entitySetName, entityType, entityClass, manager);
+			} else if (method === "DELETE") {
+				if (key === void 0) return {
+					contentId: part.contentId,
+					statusCode: 400,
+					headers: {},
+					body: buildODataError("BadRequest", `DELETE requires a key: ${part.url}`)
+				};
+				return await this.dispatchDelete(key, entitySetName, entityType.keyProperties, entityClass, manager, part.contentId);
+			}
+			return {
+				contentId: part.contentId,
+				statusCode: 405,
+				headers: {},
+				body: buildODataError("MethodNotAllowed", `Method '${method}' not supported in $batch`)
+			};
+		} catch (err) {
+			return this.buildErrorResponse(err, part.contentId);
+		}
+	}
+	/** GET /EntitySet(key) */
+	async dispatchGetByKey(keyStr, entitySetName, keyProperties, entityClass, manager, contentId) {
+		const where = parseODataKey(keyStr, keyProperties);
+		const entity = await manager.findOne(entityClass, { where });
+		if (!entity) return {
+			contentId,
+			statusCode: 404,
+			headers: {},
+			body: buildODataError("NotFound", `Entity '${entitySetName}' with key '${keyStr}' not found`)
+		};
+		return {
+			contentId,
+			statusCode: 200,
+			headers: {},
+			body: JSON.stringify(entity)
+		};
+	}
+	/** GET /EntitySet (collection — basic support) */
+	async dispatchGetCollection(entityClass, manager, contentId) {
+		const items = await manager.find(entityClass);
+		return {
+			contentId,
+			statusCode: 200,
+			headers: {},
+			body: JSON.stringify({ value: items })
+		};
+	}
+	/** POST /EntitySet */
+	async dispatchCreate(part, entitySetName, keyProperties, entityClass, manager) {
+		const body = part.body ? JSON.parse(part.body) : {};
+		const repo = manager.getRepository(entityClass);
+		const created = repo.create(body);
+		const saved = await repo.save(created);
+		const keyStr = keyProperties.map((kp) => {
+			const val = saved[kp];
+			return keyProperties.length === 1 ? String(val) : `${kp}=${String(val)}`;
+		}).join(",");
+		const locationUrl = `${this.options.serviceRoot}/${entitySetName}(${keyStr})`;
+		return {
+			contentId: part.contentId,
+			statusCode: 201,
+			headers: { location: locationUrl },
+			body: JSON.stringify(saved)
+		};
+	}
+	/** PATCH /EntitySet(key) */
+	async dispatchUpdate(keyStr, part, entitySetName, keyProperties, entityClass, manager) {
+		const body = part.body ? JSON.parse(part.body) : {};
+		const where = parseODataKey(keyStr, keyProperties);
+		const EntityCls = entityClass;
+		const existing = await manager.findOne(EntityCls, { where });
+		if (!existing) return {
+			contentId: part.contentId,
+			statusCode: 404,
+			headers: {},
+			body: buildODataError("NotFound", `Entity '${entitySetName}' with key '${keyStr}' not found`)
+		};
+		const merged = manager.merge(EntityCls, existing, body);
+		const saved = await manager.save(EntityCls, merged);
+		return {
+			contentId: part.contentId,
+			statusCode: 200,
+			headers: {},
+			body: JSON.stringify(saved)
+		};
+	}
+	/**
+	* PUT /EntitySet(key) — full entity replacement.
+	*
+	* Per OData v4 spec (D-01): all entity properties replaced.
+	* Unspecified fields reset to column defaults (null for nullable, default value otherwise).
+	* Distinct from PATCH merge semantics used by dispatchUpdate().
+	*
+	* Uses repo.metadata.columns for column introspection — same pattern as handleReplace().
+	*/
+	async dispatchReplace(keyStr, part, entitySetName, entityType, entityClass, manager) {
+		const body = part.body ? JSON.parse(part.body) : {};
+		const where = parseODataKey(keyStr, entityType.keyProperties);
+		const EntityCls = entityClass;
+		for (const kp of entityType.keyProperties) {
+			const bodyKeyValue = body[kp];
+			const urlKeyValue = where[kp];
+			if (bodyKeyValue !== void 0 && bodyKeyValue !== urlKeyValue) return {
+				contentId: part.contentId,
+				statusCode: 400,
+				headers: {},
+				body: buildODataError("BadRequest", "Key in body does not match URL key")
+			};
+		}
+		if (!await manager.findOne(EntityCls, { where })) return {
+			contentId: part.contentId,
+			statusCode: 404,
+			headers: {},
+			body: buildODataError("NotFound", `Entity '${entitySetName}' with key '${keyStr}' not found`)
+		};
+		const meta = this.dataSource.getMetadata(entityClass);
+		const replacement = {};
+		for (const kp of entityType.keyProperties) replacement[kp] = where[kp];
+		for (const col of meta.columns) {
+			if (col.isPrimary) continue;
+			if (col.isCreateDate || col.isUpdateDate || col.isVersion) continue;
+			const propName = col.propertyName;
+			if (Object.prototype.hasOwnProperty.call(body, propName)) replacement[propName] = body[propName];
+			else if (col.default !== void 0) replacement[propName] = col.default;
+			else if (col.isNullable) replacement[propName] = null;
+		}
+		const entity = manager.getRepository(EntityCls).create(replacement);
+		const saved = await manager.save(EntityCls, entity);
+		return {
+			contentId: part.contentId,
+			statusCode: 200,
+			headers: {},
+			body: JSON.stringify(saved)
+		};
+	}
+	/** DELETE /EntitySet(key) */
+	async dispatchDelete(keyStr, entitySetName, keyProperties, entityClass, manager, contentId) {
+		const where = parseODataKey(keyStr, keyProperties);
+		if ((await manager.delete(entityClass, where)).affected === 0) return {
+			contentId,
+			statusCode: 404,
+			headers: {},
+			body: buildODataError("NotFound", `Entity '${entitySetName}' with key '${keyStr}' not found`)
+		};
+		return {
+			contentId,
+			statusCode: 204,
+			headers: {},
+			body: void 0
+		};
+	}
+	/**
+	* Build an OData error response part from an exception.
+	* Never exposes stack traces (T-05-05).
+	*/
+	buildErrorResponse(err, contentId) {
+		if (err instanceof Error) {
+			if (err.constructor.name === "NotFoundException" || err.status === 404) return {
+				contentId,
+				statusCode: 404,
+				headers: {},
+				body: buildODataError("NotFound", err.message)
+			};
+			if (err.constructor.name === "ODataValidationError" || err.constructor.name === "ODataParseError" || err.status === 400) return {
+				contentId,
+				statusCode: 400,
+				headers: {},
+				body: buildODataError("BadRequest", err.message)
+			};
+		}
+		const status = err?.status;
+		if (typeof status === "number" && status >= 400 && status < 500) return {
+			contentId,
+			statusCode: status,
+			headers: {},
+			body: buildODataError(statusToCode(status), err.message ?? "Request error")
+		};
+		return {
+			contentId,
+			statusCode: 500,
+			headers: {},
+			body: buildODataError("InternalServerError", "An unexpected error occurred.")
+		};
+	}
+	/**
+	* Resolve a TypeORM entity class from an EDM entity type name.
+	* Matches by checking DataSource metadata for each registered entity class.
+	*/
+	resolveEntityClass(entityTypeName) {
+		for (const cls of this.entityClasses) try {
+			if (this.dataSource.getMetadata(cls).name === entityTypeName) return cls;
+		} catch {}
+	}
+};
+__decorate([
+	Post("$batch"),
+	__decorateParam(0, Req()),
+	__decorateParam(1, Res()),
+	__decorateMetadata("design:type", Function),
+	__decorateMetadata("design:paramtypes", [Object, Object]),
+	__decorateMetadata("design:returntype", Promise)
+], BatchController.prototype, "handleBatch", null);
+BatchController = __decorate([
+	Controller(),
+	__decorateParam(2, Inject(ODATA_MODULE_OPTIONS)),
+	__decorateParam(3, Inject(TYPEORM_ODATA_ENTITIES)),
+	__decorateMetadata("design:paramtypes", [
+		typeof (_ref = typeof DataSource !== "undefined" && DataSource) === "function" ? _ref : Object,
+		typeof (_ref2 = typeof EdmRegistry !== "undefined" && EdmRegistry) === "function" ? _ref2 : Object,
+		Object,
+		Array
+	])
+], BatchController);
+//#endregion
+//#region src/index.ts
+const VERSION = "0.0.1";
+//#endregion
+export { BatchController, ODataTypeOrmModule, TYPEORM_ODATA_ENTITIES, TypeOrmApplyVisitor, TypeOrmAutoHandler, TypeOrmETagProvider, TypeOrmEdmDeriver, TypeOrmEdmInitializer, TypeOrmFilterVisitor, TypeOrmOrderByVisitor, TypeOrmPaginationVisitor, TypeOrmQueryTranslator, TypeOrmSearchProvider, TypeOrmSelectVisitor, VERSION, applyExpandPagination, buildBatchResponse };
+
+//# sourceMappingURL=index.mjs.map