@objectstack/driver-sql 7.8.0 → 8.0.0

package/dist/index.mjs

@@ -102,6 +102,10 @@ var SqlDriver = class {
       jsonFields: true,
       arrayFields: true,
       vectorSearch: false,
+      // Persistent, atomic autonumber sequences via `_objectstack_sequences`
+      // (see fillAutoNumberFields / getNextSequenceValue). The engine defers
+      // autonumber generation to this driver — it is the single source of truth.
+      autonumber: true,
       // Schema Management
       schemaSync: true,
       batchSchemaSync: false,
@@ -509,7 +513,10 @@ var SqlDriver = class {
   async bulkCreate(object, data, options) {
     this.auditMissingTenant(object, "bulkCreate", options);
     for (const row of data) {
-      if (row && typeof row === "object") this.injectTenantOnInsert(object, row, options);
+      if (row && typeof row === "object") {
+        this.injectTenantOnInsert(object, row, options);
+        await this.fillAutoNumberFields(object, row, options);
+      }
     }
     const builder = this.getBuilder(object, options);
     return await builder.insert(data).returning("*");
@@ -804,7 +811,8 @@ var SqlDriver = class {
             ((_b = this.datetimeFields)[tableName] ?? (_b[tableName] = /* @__PURE__ */ new Set())).add(name);
           }
           if (type === "auto_number" || type === "autonumber") {
-            const fmt = typeof field.format === "string" && field.format ? field.format : "{0000}";
+            const rawFmt = typeof field.autonumberFormat === "string" && field.autonumberFormat ? field.autonumberFormat : typeof field.format === "string" && field.format ? field.format : "";
+            const fmt = rawFmt || "{0000}";
             const m = fmt.match(/\{(0+)\}/);
             const padWidth = m ? m[1].length : 4;
             const prefix = m ? fmt.slice(0, m.index ?? 0) : fmt;
@@ -1192,7 +1200,7 @@ var SqlDriver = class {
             const methodIn = nextJoin === "or" ? "orWhereIn" : "whereIn";
             const methodNotIn = nextJoin === "or" ? "orWhereNotIn" : "whereNotIn";
             if (op === "contains") {
-              b[method](field, "like", `%${value}%`);
+              this.applyContainsLike(b, method, field, value);
               return;
             }
             switch (op) {
@@ -1223,6 +1231,19 @@ var SqlDriver = class {
       }
     }
   }
+  /**
+   * Apply a `contains` substring match as a parameterized `LIKE '%…%'`, escaping
+   * the LIKE metacharacters `%` / `_` (and the escape char `\`) in the user value
+   * so they match literally instead of acting as wildcards — otherwise a value of
+   * `%` matches every row (a filter-bypass, P0). Binds an explicit `ESCAPE '\'`
+   * because SQLite does not honour a default escape character (MySQL/Postgres do,
+   * but the explicit clause is correct for all three).
+   */
+  applyContainsLike(builder, method, field, value) {
+    const escaped = String(value).replace(/[\\%_]/g, "\\$&");
+    const rawMethod = method.startsWith("or") ? "orWhereRaw" : "whereRaw";
+    builder[rawMethod]("?? LIKE ? ESCAPE ?", [field, `%${escaped}%`, "\\"]);
+  }
   applyFilterCondition(builder, condition, logicalOp = "and", tableHint) {
     if (!condition || typeof condition !== "object") return;
     const table = tableHint ?? this.tableNameForBuilder(builder);
@@ -1279,7 +1300,7 @@ var SqlDriver = class {
               break;
             }
             case "$contains":
-              builder[method](field, "like", `%${opValue}%`);
+              this.applyContainsLike(builder, method, field, opValue);
               break;
             default:
               builder[method](field, coerced);