@open-mercato/shared 0.6.5-develop.5309.1.be1df535b3 → 0.6.5-develop.5382.1.f542de69af

package/src/lib/crud/__tests__/custom-fields.test.ts

@@ -243,6 +243,97 @@ describe('loadCustomFieldValues (encryption)', () => {
     })
     expect(values['rec-1'].cf_priority).toBe(42)
   })
+
+  it('decrypts rows concurrently rather than sequentially (regression: issue #2229)', async () => {
+    const deks: Record<string, string> = {
+      'tenant-1': Buffer.alloc(32, 1).toString('base64'),
+      'tenant-2': Buffer.alloc(32, 2).toString('base64'),
+      'tenant-3': Buffer.alloc(32, 3).toString('base64'),
+    }
+    const rows = [
+      { recordId: 'rec-1', tenantId: 'tenant-1', plaintext: 'note-1' },
+      { recordId: 'rec-2', tenantId: 'tenant-2', plaintext: 'note-2' },
+      { recordId: 'rec-3', tenantId: 'tenant-3', plaintext: 'note-3' },
+    ].map((row) => ({
+      ...row,
+      valueText: encryptWithAesGcm(row.plaintext, deks[row.tenantId]).value,
+    }))
+    const em = {
+      find: jest.fn().mockImplementation((_, where) => {
+        if ((where as any).recordId) {
+          return Promise.resolve(
+            rows.map((row) => ({
+              recordId: row.recordId,
+              fieldKey: 'note',
+              organizationId: null,
+              tenantId: row.tenantId,
+              valueText: row.valueText,
+              valueMultiline: null,
+              valueInt: null,
+              valueFloat: null,
+              valueBool: null,
+              deletedAt: null,
+            })),
+          )
+        }
+        return Promise.resolve([
+          { key: 'note', entityId: 'demo:entity', organizationId: null, tenantId: null, kind: 'text', configJson: { encrypted: true }, isActive: true },
+        ])
+      }),
+    }
+    let inFlight = 0
+    let maxInFlight = 0
+    const mockService = {
+      isEnabled: () => true,
+      getDek: jest.fn(async (tenantId: string) => {
+        inFlight += 1
+        maxInFlight = Math.max(maxInFlight, inFlight)
+        await new Promise((resolve) => setTimeout(resolve, 5))
+        inFlight -= 1
+        return { key: deks[tenantId] }
+      }),
+    }
+    const values = await loadCustomFieldValues({
+      em: em as any,
+      entityId: 'demo:entity',
+      recordIds: ['rec-1', 'rec-2', 'rec-3'],
+      tenantIdByRecord: { 'rec-1': 'tenant-1', 'rec-2': 'tenant-2', 'rec-3': 'tenant-3' },
+      encryptionService: mockService as any,
+    })
+    expect(values['rec-1'].cf_note).toBe('note-1')
+    expect(values['rec-2'].cf_note).toBe('note-2')
+    expect(values['rec-3'].cf_note).toBe('note-3')
+    // Sequential await-in-loop would cap concurrency at 1; batching lifts it.
+    expect(maxInFlight).toBeGreaterThan(1)
+  })
+
+  it('preserves multi-value grouping order for encrypted fields (regression: issue #2229)', async () => {
+    const dek = Buffer.alloc(32, 2).toString('base64')
+    const first = encryptWithAesGcm('alpha', dek).value
+    const second = encryptWithAesGcm('beta', dek).value
+    const em = {
+      find: jest.fn().mockImplementation((_, where) => {
+        if ((where as any).recordId) {
+          return Promise.resolve([
+            { recordId: 'rec-1', fieldKey: 'tags', organizationId: null, tenantId: 'tenant-1', valueText: first, valueMultiline: null, valueInt: null, valueFloat: null, valueBool: null, deletedAt: null },
+            { recordId: 'rec-1', fieldKey: 'tags', organizationId: null, tenantId: 'tenant-1', valueText: second, valueMultiline: null, valueInt: null, valueFloat: null, valueBool: null, deletedAt: null },
+          ])
+        }
+        return Promise.resolve([
+          { key: 'tags', entityId: 'demo:entity', organizationId: null, tenantId: 'tenant-1', kind: 'text', configJson: { encrypted: true, multi: true }, isActive: true },
+        ])
+      }),
+    }
+    const mockService = { isEnabled: () => true, getDek: async () => ({ key: dek }) }
+    const values = await loadCustomFieldValues({
+      em: em as any,
+      entityId: 'demo:entity',
+      recordIds: ['rec-1'],
+      tenantIdByRecord: { 'rec-1': 'tenant-1' },
+      encryptionService: mockService as any,
+    })
+    expect(values['rec-1'].cf_tags).toEqual(['alpha', 'beta'])
+  })
 })
 
 describe('decorateRecordWithCustomFields', () => {

package/src/lib/crud/custom-fields.ts

@@ -632,7 +632,7 @@ export async function loadCustomFieldValues(opts: {
   type Bucket = { orgId: string | null; tenantId: string | null; values: unknown[]; def?: CustomFieldDef | null; encrypted?: boolean }
   const buckets = new Map<string, Bucket>()
 
-  for (const row of cfRows) {
+  const rowInfos = cfRows.map((row) => {
     const recordId = String(row.recordId)
     const key = String(row.fieldKey)
     const bucketKey = `${recordId}::${key}`
@@ -643,26 +643,39 @@ export async function loadCustomFieldValues(opts: {
     const def = pickDefinition(key, resolvedOrgId, resolvedTenantId)
     const encrypted = Boolean(def?.configJson && (def as any).configJson?.encrypted)
     const value = valueFromRow(row)
-    const decrypted = encrypted
-      ? await decryptCustomFieldValue(
-          value,
-          resolvedTenantId ?? tenantId ?? null,
-          getEncryptionService(),
-          encryptionCache,
-          { kind: def?.kind ?? null },
-        )
-      : value
-    const existing = buckets.get(bucketKey)
+    return { bucketKey, resolvedOrgId, resolvedTenantId, tenantId, def, encrypted, value }
+  })
+
+  // Decrypt every encrypted value concurrently so a list of N rows × M encrypted
+  // fields costs the slowest single decryption rather than the sum (issue #2229).
+  // The shared encryptionCache keeps DEK lookups deduped per tenant.
+  const decryptedValues = await Promise.all(
+    rowInfos.map((info) =>
+      info.encrypted
+        ? decryptCustomFieldValue(
+            info.value,
+            info.resolvedTenantId ?? info.tenantId ?? null,
+            getEncryptionService(),
+            encryptionCache,
+            { kind: info.def?.kind ?? null },
+          )
+        : info.value,
+    ),
+  )
+
+  rowInfos.forEach((info, index) => {
+    const decrypted = decryptedValues[index]
+    const existing = buckets.get(info.bucketKey)
     if (existing) {
-      if (existing.orgId == null && resolvedOrgId) existing.orgId = resolvedOrgId
-      if (existing.tenantId == null && resolvedTenantId) existing.tenantId = resolvedTenantId
-      if (existing.def == null && def) existing.def = def
-      existing.encrypted = existing.encrypted || encrypted
+      if (existing.orgId == null && info.resolvedOrgId) existing.orgId = info.resolvedOrgId
+      if (existing.tenantId == null && info.resolvedTenantId) existing.tenantId = info.resolvedTenantId
+      if (existing.def == null && info.def) existing.def = info.def
+      existing.encrypted = existing.encrypted || info.encrypted
       existing.values.push(decrypted)
     } else {
-      buckets.set(bucketKey, { orgId: resolvedOrgId, tenantId: resolvedTenantId, values: [decrypted], def: def ?? null, encrypted })
+      buckets.set(info.bucketKey, { orgId: info.resolvedOrgId, tenantId: info.resolvedTenantId, values: [decrypted], def: info.def ?? null, encrypted: info.encrypted })
     }
-  }
+  })
 
   const result: Record<string, Record<string, unknown>> = {}
   for (const [compoundKey, bucket] of buckets.entries()) {

package/src/lib/crud/factory.ts

@@ -944,7 +944,7 @@ export function makeCrudRoute<TCreate = any, TUpdate = any, TList = any>(opts: C
 
   // OSS opt-in optimistic locking — auto-register a generic reader for every
   // CRUD entity using the factory's own ORM config (Step 13.3 of the spec at
-  // .ai/specs/2026-05-25-oss-optimistic-locking.md). Hand-wired readers
+  // .ai/specs/implemented/2026-05-25-oss-optimistic-locking.md). Hand-wired readers
   // registered earlier via module DI (customers/sales) always win because we
   // use the `IfAbsent` variant. Skipped silently when the route has no
   // resolvable resourceKind or no ORM entity class (e.g. virtual routes).

package/src/lib/crud/optimistic-lock-command.ts

@@ -24,7 +24,7 @@
  * header keep working. Respects the same `OM_OPTIMISTIC_LOCK` env contract
  * (default ON; `off` disables; allow-list scopes by `resourceKind`).
  *
- * Spec: .ai/specs/2026-05-25-oss-optimistic-locking.md (§ command-level checks)
+ * Spec: .ai/specs/implemented/2026-05-25-oss-optimistic-locking.md (§ command-level checks)
  *       .ai/specs/2026-05-28-optimistic-locking-coverage-completion.md (Phase 4)
  */
 import { CrudHttpError } from './errors'

package/src/lib/crud/optimistic-lock-headers.ts

@@ -8,7 +8,7 @@
  * many HTTP intermediaries (nginx, some fetch implementations) strip
  * underscored header names — see RFC 7230 §3.2.6.
  *
- * Spec: .ai/specs/2026-05-25-oss-optimistic-locking.md §3.2
+ * Spec: .ai/specs/implemented/2026-05-25-oss-optimistic-locking.md §3.2
  */
 export const OPTIMISTIC_LOCK_MODULE_ID = 'optimistic_lock'
 

package/src/lib/crud/optimistic-lock-store.ts

@@ -12,7 +12,7 @@
  *
  * Mirrors the `mutation-guard-store.ts` HMR-safe globalThis pattern.
  *
- * Spec: .ai/specs/2026-05-25-oss-optimistic-locking.md
+ * Spec: .ai/specs/implemented/2026-05-25-oss-optimistic-locking.md
  */
 import type { OptimisticLockCurrentReader } from './optimistic-lock'
 

package/src/lib/crud/optimistic-lock.ts

@@ -28,7 +28,7 @@
  * container / em access. Stateful checks that need to read current DB state
  * MUST go through the DI service path (this file).
  *
- * Spec: .ai/specs/2026-05-25-oss-optimistic-locking.md
+ * Spec: .ai/specs/implemented/2026-05-25-oss-optimistic-locking.md
  */
 import type { EntityManager } from '@mikro-orm/postgresql'
 import type {

package/src/lib/db/__tests__/buildIlikeTerm.test.ts

@@ -0,0 +1,40 @@
+import { buildIlikeTerm } from '../buildIlikeTerm'
+import { escapeLikePattern } from '../escapeLikePattern'
+
+describe('buildIlikeTerm', () => {
+  it('wraps the escaped term in leading and trailing wildcards by default', () => {
+    expect(buildIlikeTerm('acme')).toBe('%acme%')
+  })
+
+  it('matches the legacy inline contains pattern exactly', () => {
+    const term = 'Acme Corp'
+    expect(buildIlikeTerm(term)).toBe(`%${escapeLikePattern(term)}%`)
+    expect(buildIlikeTerm(term, 'contains')).toBe(`%${escapeLikePattern(term)}%`)
+  })
+
+  it('builds a startsWith pattern with only a trailing wildcard', () => {
+    const term = 'user@example.com'
+    expect(buildIlikeTerm(term, 'startsWith')).toBe(`${escapeLikePattern(term)}%`)
+  })
+
+  it('builds an endsWith pattern with only a leading wildcard', () => {
+    const term = 'example.com'
+    expect(buildIlikeTerm(term, 'endsWith')).toBe(`%${escapeLikePattern(term)}`)
+  })
+
+  it('escapes LIKE metacharacters so they match literally', () => {
+    expect(buildIlikeTerm('50%_off')).toBe('%50\\%\\_off%')
+    expect(buildIlikeTerm('back\\slash')).toBe('%back\\\\slash%')
+  })
+
+  it('keeps user wildcards literal across every mode', () => {
+    expect(buildIlikeTerm('a%b', 'startsWith')).toBe('a\\%b%')
+    expect(buildIlikeTerm('a_b', 'endsWith')).toBe('%a\\_b')
+  })
+
+  it('handles an empty term as a wildcard-only pattern', () => {
+    expect(buildIlikeTerm('')).toBe('%%')
+    expect(buildIlikeTerm('', 'startsWith')).toBe('%')
+    expect(buildIlikeTerm('', 'endsWith')).toBe('%')
+  })
+})

package/src/lib/db/__tests__/escapeLikePattern.test.ts

@@ -0,0 +1,123 @@
+import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs'
+import { dirname, join, relative, sep } from 'node:path'
+import { escapeLikePattern } from '../escapeLikePattern'
+
+describe('escapeLikePattern', () => {
+  it('escapes LIKE wildcards and the escape character', () => {
+    expect(escapeLikePattern('%')).toBe('\\%')
+    expect(escapeLikePattern('_')).toBe('\\_')
+    expect(escapeLikePattern('\\')).toBe('\\\\')
+    expect(escapeLikePattern('a%b_c')).toBe('a\\%b\\_c')
+  })
+
+  it('escapes the backslash before the wildcards so the escape itself is literal', () => {
+    expect(escapeLikePattern('100%\\_')).toBe('100\\%\\\\\\_')
+  })
+
+  it('leaves ordinary input untouched', () => {
+    expect(escapeLikePattern('hello world')).toBe('hello world')
+    expect(escapeLikePattern('')).toBe('')
+  })
+})
+
+/**
+ * Regression guard for #2932 (and the earlier #2734 fix).
+ *
+ * Every user-supplied value interpolated into a MikroORM `$ilike` pattern under
+ * any module's `api/**` tree MUST flow through `escapeLikePattern`, otherwise a
+ * caller can inject LIKE metacharacters (`%`, `_`, `\`) to broaden predicates or
+ * force pathological full scans. This scans the whole monorepo so a NEW unescaped
+ * `$ilike` interpolation in any package or app fails the build.
+ */
+function findRepoRoot(start: string): string {
+  let current = start
+  for (let depth = 0; depth < 12; depth += 1) {
+    if (existsSync(join(current, 'packages')) && existsSync(join(current, 'apps'))) {
+      return current
+    }
+    const parent = dirname(current)
+    if (parent === current) break
+    current = parent
+  }
+  throw new Error('[internal] could not locate monorepo root for $ilike guard')
+}
+
+const SKIP_DIRS = new Set(['node_modules', '__tests__', 'generated', 'dist', '.next', '.mercato'])
+
+function collectApiSourceFiles(dir: string, acc: string[]): void {
+  let entries: string[]
+  try {
+    entries = readdirSync(dir)
+  } catch {
+    return
+  }
+  for (const name of entries) {
+    const full = join(dir, name)
+    let stat
+    try {
+      stat = statSync(full)
+    } catch {
+      continue
+    }
+    if (stat.isDirectory()) {
+      if (SKIP_DIRS.has(name)) continue
+      collectApiSourceFiles(full, acc)
+    } else if (
+      (name.endsWith('.ts') || name.endsWith('.tsx')) &&
+      !name.endsWith('.test.ts') &&
+      !name.endsWith('.test.tsx') &&
+      full.split(sep).includes('api')
+    ) {
+      acc.push(full)
+    }
+  }
+}
+
+const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/
+
+function isPreEscapedVariable(expr: string, source: string): boolean {
+  if (!BARE_IDENTIFIER.test(expr)) return false
+  const assignedFromEscape = new RegExp(`\\b${expr}\\s*=\\s*escapeLikePattern\\(`)
+  return assignedFromEscape.test(source)
+}
+
+function findUnescapedIlikeInterpolations(source: string): string[] {
+  const ilikeTemplate = /\$ilike:\s*`([^`]*)`/g
+  const interpolation = /\$\{([^}]*)\}/g
+  const offenders: string[] = []
+  let templateMatch: RegExpExecArray | null
+  while ((templateMatch = ilikeTemplate.exec(source)) !== null) {
+    const literal = templateMatch[1]
+    let exprMatch: RegExpExecArray | null
+    while ((exprMatch = interpolation.exec(literal)) !== null) {
+      const expr = exprMatch[1].trim()
+      if (expr.startsWith('escapeLikePattern(')) continue
+      if (isPreEscapedVariable(expr, source)) continue
+      offenders.push(`\`${templateMatch[1]}\``)
+    }
+  }
+  return offenders
+}
+
+describe('$ilike user input must be escaped under api/** (#2932)', () => {
+  const repoRoot = findRepoRoot(__dirname)
+  const roots = [join(repoRoot, 'packages'), join(repoRoot, 'apps')]
+  const files: string[] = []
+  for (const root of roots) collectApiSourceFiles(root, files)
+
+  it('discovered api source files to scan', () => {
+    expect(files.length).toBeGreaterThan(20)
+  })
+
+  it('every $ilike pattern interpolating a variable uses escapeLikePattern', () => {
+    const violations: string[] = []
+    for (const full of files) {
+      const source = readFileSync(full, 'utf8')
+      const offenders = findUnescapedIlikeInterpolations(source)
+      if (offenders.length === 0) continue
+      const rel = relative(repoRoot, full).split(sep).join('/')
+      for (const offender of offenders) violations.push(`${rel}: ${offender}`)
+    }
+    expect(violations).toEqual([])
+  })
+})

package/src/lib/db/buildIlikeTerm.ts

@@ -0,0 +1,16 @@
+import { escapeLikePattern } from './escapeLikePattern'
+
+export type IlikeMatchMode = 'contains' | 'startsWith' | 'endsWith'
+
+export const buildIlikeTerm = (value: string, mode: IlikeMatchMode = 'contains'): string => {
+  const escaped = escapeLikePattern(value)
+  switch (mode) {
+    case 'startsWith':
+      return `${escaped}%`
+    case 'endsWith':
+      return `%${escaped}`
+    case 'contains':
+    default:
+      return `%${escaped}%`
+  }
+}

package/src/lib/di/container.ts

@@ -164,7 +164,7 @@ export async function createRequestContainer(): Promise<AppContainer> {
     // sent) it short-circuits at validateMutation. Module-level di.ts
     // registrations override this default via Awilix replace semantics —
     // see the enterprise `record_locks` module for the canonical override.
-    // Spec: .ai/specs/2026-05-25-oss-optimistic-locking.md
+    // Spec: .ai/specs/implemented/2026-05-25-oss-optimistic-locking.md
     crudMutationGuardService: asFunction(({ em: scopedEm }: { em: EntityManager }) =>
       createOptimisticLockGuardService({
         getEm: () => scopedEm,

package/src/lib/query/__tests__/engine.count-distinct.test.ts

@@ -0,0 +1,229 @@
+import { BasicQueryEngine } from '../engine'
+import { registerModules } from '../../i18n/server'
+
+// One entity extension on auth:user so includeExtensions exercises the joined-aggregate path.
+registerModules([
+  { id: 'auth', entityExtensions: [{ base: 'auth:user', extension: 'my_module:user_profile', join: { baseKey: 'id', extensionKey: 'user_id' } }] },
+] as any)
+
+type FakeData = Record<string, any[]>
+
+function cloneRows(rows: any[] | undefined): any[] {
+  if (!rows) return []
+  return rows.map((row) => ({ ...row }))
+}
+
+// Reads the SQL text of a Kysely raw/aliased expression by walking its operation node.
+function rawSqlText(expr: any): string {
+  const node = typeof expr?.toOperationNode === 'function' ? expr.toOperationNode() : expr
+  const inner = node?.node ?? node
+  const fragments = inner?.sqlFragments
+  return Array.isArray(fragments) ? fragments.join(' ? ') : ''
+}
+
+function aliasName(expr: any): string | undefined {
+  const node = typeof expr?.toOperationNode === 'function' ? expr.toOperationNode() : expr
+  const alias = node?.alias
+  return alias?.name ?? alias?.column?.name
+}
+
+function createFakeKysely(selectsSink: any[], overrides?: FakeData) {
+  const calls: any[] = []
+  const defaultData: FakeData = { custom_field_defs: [], custom_field_values: [] }
+  const sourceData = { ...defaultData, ...(overrides || {}) }
+  const data: FakeData = Object.fromEntries(
+    Object.entries(sourceData).map(([table, rows]) => [table, cloneRows(rows)]),
+  )
+
+  function parseTableSpec(spec: unknown): { table: string; alias: string | null } {
+    if (typeof spec !== 'string') return { table: String(spec || ''), alias: null }
+    const asMatch = /^(.+?)\s+as\s+(.+)$/i.exec(spec)
+    if (asMatch) return { table: asMatch[1].trim(), alias: asMatch[2].trim() }
+    return { table: spec, alias: null }
+  }
+
+  function createExpressionBuilder() {
+    const eb: any = (column: any, op: any, value: any) => ({ kind: 'cmp', column, op, value })
+    eb.and = (parts: any[]) => ({ kind: 'and', parts })
+    eb.or = (parts: any[]) => ({ kind: 'or', parts })
+    eb.not = (part: any) => ({ kind: 'not', part })
+    eb.exists = (sub: any) => ({ kind: 'exists', sub })
+    eb.val = (value: any) => ({ kind: 'val', value })
+    eb.ref = (name: string) => ({ kind: 'ref', name })
+    eb.selectFrom = (spec: any) => builderFor(spec)
+    return eb
+  }
+
+  function normalizeWhereArgs(args: any[]): any[] {
+    if (args.length === 1 && typeof args[0] === 'function') {
+      const produced = args[0](createExpressionBuilder())
+      if (produced && produced.kind === 'or') return ['or', produced.parts]
+      if (produced && produced.kind === 'and') return ['and', produced.parts]
+      if (produced && produced.kind === 'exists') return ['exists', produced.sub]
+      if (produced && produced.kind === 'not' && produced.part?.kind === 'exists') return ['notExists', produced.part.sub]
+      return ['expr', produced]
+    }
+    return args
+  }
+
+  function recordJoin(ops: any, type: 'left' | 'inner', spec: any, fn: Function) {
+    const parsed = parseTableSpec(spec)
+    const aliasObj = parsed.alias ? { [parsed.alias]: parsed.table } : { [parsed.table]: parsed.table }
+    const entry: any = { type, aliasObj, conditions: [] as any[] }
+    const ctx: any = {}
+    ctx.on = (left: any, op?: any, right?: any) => {
+      if (typeof left === 'function') entry.conditions.push({ method: 'on', expr: left(createExpressionBuilder()) })
+      else entry.conditions.push({ method: 'on', args: [left, op, right] })
+      return ctx
+    }
+    ctx.onRef = (left: any, op: any, right: any) => {
+      entry.conditions.push({ method: 'on', args: [left, op, right] })
+      return ctx
+    }
+    fn(ctx)
+    ops.joins.push(entry)
+  }
+
+  function makeBuilder(ops: any, record: boolean): any {
+    const b: any = {
+      _ops: ops,
+      select(this: any, ...cols: any[]) {
+        const flat = cols.length === 1 && Array.isArray(cols[0]) ? cols[0] : cols
+        this._ops.selects.push(...flat)
+        selectsSink.push(...flat)
+        return this
+      },
+      distinct(this: any) { return this },
+      where(this: any, ...args: any[]) { this._ops.wheres.push(normalizeWhereArgs(args)); return this },
+      whereRef(this: any, left: any, op: any, right: any) { this._ops.wheres.push(['ref', left, op, right]); return this },
+      leftJoin(this: any, spec: any, fn: Function) { recordJoin(this._ops, 'left', spec, fn); return this },
+      innerJoin(this: any, spec: any, fn: Function) { recordJoin(this._ops, 'inner', spec, fn); return this },
+      groupBy(this: any, arg: any) {
+        if (Array.isArray(arg)) this._ops.groups.push(...arg)
+        else this._ops.groups.push(arg)
+        return this
+      },
+      having(this: any) { return this },
+      orderBy(this: any, col: any, dir?: any) { this._ops.orderBys.push([col, dir]); return this },
+      limit(this: any, n: number) { this._ops.limits = n; return this },
+      offset(this: any, n: number) { this._ops.offsets = n; return this },
+      clearSelect(this: any) { return makeBuilder({ ...this._ops, selects: [] }, false) },
+      clearOrderBy(this: any) { return makeBuilder({ ...this._ops, orderBys: [] }, false) },
+      clearGroupBy(this: any) { return makeBuilder({ ...this._ops, groups: [] }, false) },
+      as(this: any, alias: string) { this._ops.alias = alias; return this },
+      async execute(this: any) { return cloneRows(data[this._ops.table]) },
+      async executeTakeFirst(this: any) {
+        const localOps = this._ops
+        if (localOps.table === 'information_schema.columns') {
+          const infoRows = data['information_schema.columns']
+          if (!Array.isArray(infoRows)) return undefined
+          const targetTable = extractEqValue(localOps.wheres, 'table_name')
+          const targetColumn = extractEqValue(localOps.wheres, 'column_name')
+          return infoRows.find((row: any) =>
+            (!targetTable || row.table_name === targetTable) && (!targetColumn || row.column_name === targetColumn))
+        }
+        if (localOps.table === 'information_schema.tables') {
+          const infoRows = data['information_schema.tables']
+          if (!Array.isArray(infoRows)) return undefined
+          const targetTable = extractEqValue(localOps.wheres, 'table_name')
+          return infoRows.find((row: any) => !targetTable || row.table_name === targetTable)
+        }
+        if (localOps.selects.some((s: any) => aliasName(s) === 'count')) return { count: '0' }
+        const rows = data[localOps.table] || []
+        if (rows.length === 0) return { count: '0' }
+        return rows[0]
+      },
+    }
+    if (record) calls.push(b)
+    return b
+  }
+
+  function builderFor(tableArg: any): any {
+    const parsed = parseTableSpec(tableArg)
+    const ops = {
+      table: parsed.table,
+      alias: parsed.alias,
+      wheres: [] as any[],
+      joins: [] as any[],
+      selects: [] as any[],
+      orderBys: [] as any[],
+      groups: [] as any[],
+      limits: 0,
+      offsets: 0,
+    }
+    return makeBuilder(ops, true)
+  }
+
+  function extractEqValue(wheres: any[], column: string): any {
+    for (const entry of wheres) {
+      if (!Array.isArray(entry)) continue
+      if (entry[0] === column && entry[1] === '=') return entry[2]
+    }
+    return undefined
+  }
+
+  const db: any = { selectFrom(spec: any) { return builderFor(spec) } }
+  db._calls = calls
+  return db
+}
+
+function findCountSql(selectsSink: any[]): string {
+  const countExprs = selectsSink.filter((s) => aliasName(s) === 'count')
+  expect(countExprs.length).toBeGreaterThan(0)
+  return rawSqlText(countExprs[countExprs.length - 1]).toLowerCase()
+}
+
+describe('BasicQueryEngine — list COUNT query (issue #2227)', () => {
+  test('uses count(*) and no group-by when no joins can multiply base rows', async () => {
+    const selects: any[] = []
+    const fakeDb = createFakeKysely(selects)
+    const engine = new BasicQueryEngine({} as any, () => fakeDb as any)
+    await engine.query('scheduler:scheduled_job', { tenantId: 't1', fields: ['id'], page: { page: 1, pageSize: 20 } })
+
+    const countSql = findCountSql(selects)
+    expect(countSql).toContain('count(*)')
+    expect(countSql).not.toContain('distinct')
+
+    const baseCall = fakeDb._calls.find((b: any) => b._ops.table === 'scheduled_jobs')
+    expect(baseCall._ops.groups.length).toBe(0)
+  })
+
+  test('keeps count(distinct base.id) with group-by when extensions are joined', async () => {
+    const selects: any[] = []
+    const fakeDb = createFakeKysely(selects)
+    const engine = new BasicQueryEngine({} as any, () => fakeDb as any)
+    await engine.query('auth:user', {
+      tenantId: 't1',
+      organizationId: '1',
+      fields: ['id'],
+      includeExtensions: true,
+      page: { page: 1, pageSize: 20 },
+    })
+
+    const countSql = findCountSql(selects)
+    expect(countSql).toContain('count(distinct')
+    expect(countSql).not.toContain('count(*)')
+
+    const baseCall = fakeDb._calls.find((b: any) => b._ops.table === 'users')
+    expect(baseCall._ops.groups.length).toBeGreaterThan(0)
+  })
+
+  test('keeps count(distinct base.id) without group-by when an explicit relation join is configured', async () => {
+    const selects: any[] = []
+    const fakeDb = createFakeKysely(selects)
+    const engine = new BasicQueryEngine({} as any, () => fakeDb as any)
+    await engine.query('scheduler:scheduled_job', {
+      tenantId: 't1',
+      fields: ['id'],
+      joins: [{ alias: 'owner', table: 'users', from: { field: 'owner_id' }, to: { field: 'id' } }],
+      page: { page: 1, pageSize: 20 },
+    })
+
+    const countSql = findCountSql(selects)
+    expect(countSql).toContain('count(distinct')
+    expect(countSql).not.toContain('count(*)')
+
+    const baseCall = fakeDb._calls.find((b: any) => b._ops.table === 'scheduled_jobs')
+    expect(baseCall._ops.groups.length).toBe(0)
+  })
+})

package/src/lib/query/advanced-filter-tree.ts

@@ -1,7 +1,7 @@
 // packages/shared/src/lib/query/advanced-filter-tree.ts
 import type { FilterOperator } from './advanced-filter'
 import { isValuelessOperator } from './advanced-filter'
-import { escapeLikePattern } from '../db/escapeLikePattern'
+import { buildIlikeTerm } from '../db/buildIlikeTerm'
 
 export type FilterCombinator = 'and' | 'or'
 
@@ -102,22 +102,22 @@ function compileRule(rule: FilterRule): Record<string, unknown> | null {
     case 'contains': {
       const v = normalizeSingleValue(rule.value)
       if (v === null) return null
-      filter[rule.field] = { $ilike: `%${escapeLikePattern(String(v))}%` }; break
+      filter[rule.field] = { $ilike: buildIlikeTerm(String(v)) }; break
     }
     case 'does_not_contain': {
       const v = normalizeSingleValue(rule.value)
       if (v === null) return null
-      filter[rule.field] = { $not: { $ilike: `%${escapeLikePattern(String(v))}%` } }; break
+      filter[rule.field] = { $not: { $ilike: buildIlikeTerm(String(v)) } }; break
     }
     case 'starts_with': {
       const v = normalizeSingleValue(rule.value)
       if (v === null) return null
-      filter[rule.field] = { $ilike: `${escapeLikePattern(String(v))}%` }; break
+      filter[rule.field] = { $ilike: buildIlikeTerm(String(v), 'startsWith') }; break
     }
     case 'ends_with': {
       const v = normalizeSingleValue(rule.value)
       if (v === null) return null
-      filter[rule.field] = { $ilike: `%${escapeLikePattern(String(v))}` }; break
+      filter[rule.field] = { $ilike: buildIlikeTerm(String(v), 'endsWith') }; break
     }
     case 'is_empty': filter[rule.field] = { $exists: false }; break
     case 'is_not_empty': filter[rule.field] = { $exists: true }; break