@revealui/core 0.5.0 → 0.5.3

package/README.md

@@ -145,6 +145,20 @@ pnpm test
 pnpm dev
 ```
 
+## When to Use This
+
+- You're building a content-driven app and need collections, admin UI, and CRUD out of the box
+- You need RBAC/ABAC access control, GDPR compliance, or feature gating by license tier
+- You want a rich text editor (Lexical) integrated with your CMS
+- **Not** for standalone UI components — use `@revealui/presentation`
+- **Not** for raw database queries — use `@revealui/db` directly
+
+## JOSHUA Alignment
+
+- **Sovereign**: Self-hosted CMS engine — no SaaS dependency for content management, auth, or storage
+- **Unified**: One `buildConfig()` call wires collections, globals, plugins, security, and feature gates into a single configuration
+- **Adaptive**: Plugin system and tier-based feature gating let the platform evolve without breaking existing deployments
+
 ## Related
 
 - [Contracts Package](../contracts/README.md) — Zod schemas and TypeScript types

package/dist/client/admin/layout.js

@@ -3,5 +3,5 @@ import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
 import Head from 'next/head';
 import { ServerFunctionProvider } from './context/ServerFunctionContext.js';
 export function RootLayout({ children, serverFunction }) {
-    return (_jsxs("html", { lang: "en", children: [_jsxs(Head, { children: [_jsx("meta", { charSet: "utf-8" }), _jsx("meta", { name: "viewport", content: "width=device-width, initial-scale=1" }), _jsx("title", { children: "RevealUI Admin" })] }), _jsx("body", { className: "antialiased", children: _jsx(ServerFunctionProvider, { serverFunction: serverFunction, children: _jsx("div", { id: "revealui-admin", className: "min-h-screen", children: children }) }) })] }));
+    return (_jsxs("html", { lang: "en", children: [_jsxs(Head, { children: [_jsx("meta", { charSet: "utf-8" }), _jsx("meta", { name: "viewport", content: "width=device-width, initial-scale=1" }), _jsx("title", { children: "RevealUI Admin" })] }), _jsx("body", { className: "antialiased", children: _jsx(ServerFunctionProvider, { serverFunction: serverFunction, children: _jsx("main", { id: "revealui-admin", className: "min-h-screen", children: children }) }) })] }));
 }

package/dist/collections/operations/sqlAdapter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sqlAdapter.d.ts","sourceRoot":"","sources":["../../../src/collections/operations/sqlAdapter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,MAAM,MAAM,qBAAqB,GAAG;IAClC,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;CACvE,CAAC;AAgBF,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAM/C;AAKD,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAMvD;AAED,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAG1D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE1D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE1D;AAED,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAIpF;AAED,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,MAAM,CAER;AAED,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,CAKjF;AAED,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAI1E;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAKrF"}
+{"version":3,"file":"sqlAdapter.d.ts","sourceRoot":"","sources":["../../../src/collections/operations/sqlAdapter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,MAAM,MAAM,qBAAqB,GAAG;IAClC,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;CACvE,CAAC;AA6BF,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAM/C;AAkBD,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAMvD;AAED,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAG1D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE1D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE1D;AAED,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAIpF;AAED,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,MAAM,CAER;AAED,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,CAKjF;AAED,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAI1E;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAKrF"}

package/dist/collections/operations/sqlAdapter.js

@@ -9,21 +9,53 @@
  * redesign the collection storage layer toward typed tables instead.
  */
 /** Only lowercase alphanumeric, hyphens, and underscores (1-63 chars, PostgreSQL identifier limit). */
-const VALID_SLUG = /^[a-z][a-z0-9_-]{0,62}$/;
+function isValidSlug(s) {
+    if (s.length < 1 || s.length > 63)
+        return false;
+    // First char must be lowercase letter
+    const first = s.charCodeAt(0);
+    if (first < 97 || first > 122)
+        return false;
+    for (let i = 1; i < s.length; i++) {
+        const c = s.charCodeAt(i);
+        const isLower = c >= 97 && c <= 122;
+        const isDigit = c >= 48 && c <= 57;
+        // underscore = 95, hyphen = 45
+        if (!(isLower || isDigit || c === 95 || c === 45))
+            return false;
+    }
+    return true;
+}
 export function validateSlug(slug) {
-    if (!VALID_SLUG.test(slug)) {
+    if (!isValidSlug(slug)) {
         throw new Error(`Invalid collection slug: "${slug}". Slugs must start with a lowercase letter and contain only lowercase alphanumeric characters, hyphens, and underscores (max 63 chars).`);
     }
 }
 /** Only lowercase alphanumeric and underscores (PostgreSQL column name safe). */
-const VALID_COLUMN = /^[a-z_][a-z0-9_]{0,62}$/;
+function isValidColumnName(s) {
+    if (s.length < 1 || s.length > 63)
+        return false;
+    // First char must be lowercase letter or underscore
+    const first = s.charCodeAt(0);
+    const firstIsLower = first >= 97 && first <= 122;
+    if (!(firstIsLower || first === 95))
+        return false;
+    for (let i = 1; i < s.length; i++) {
+        const c = s.charCodeAt(i);
+        const isLower = c >= 97 && c <= 122;
+        const isDigit = c >= 48 && c <= 57;
+        if (!(isLower || isDigit || c === 95))
+            return false;
+    }
+    return true;
+}
 export function validateColumnName(column) {
-    if (!VALID_COLUMN.test(column)) {
+    if (!isValidColumnName(column)) {
         throw new Error(`Invalid column name: "${column}". Column names must start with a lowercase letter or underscore and contain only lowercase alphanumeric characters and underscores.`);
     }
 }
 export function escapeIdentifier(identifier) {
-    return identifier.replace(/"/g, '""');
+    return identifier.split('"').join('""');
 }
 export function collectionTable(configSlug) {
     validateSlug(configSlug);

package/dist/features.d.ts

@@ -43,6 +43,12 @@ export interface FeatureFlags {
     customDomain: boolean;
     /** Analytics and conversion tracking */
     analytics: boolean;
+    /** RevVault desktop app — Tauri companion for encrypted secret management (Pro+) */
+    vaultDesktop: boolean;
+    /** RevVault rotation engine — automated credential lifecycle (Pro+) */
+    vaultRotation: boolean;
+    /** RevKit environment provisioning — tiered dev profiles (Max+) */
+    devkitProfiles: boolean;
 }
 /**
  * Returns the current feature flags based on the active license tier.

package/dist/features.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"features.d.ts","sourceRoot":"","sources":["../src/features.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAc,KAAK,WAAW,EAAE,MAAM,cAAc,CAAC;AAE5D,qCAAqC;AACrC,MAAM,WAAW,YAAY;IAC3B,iFAAiF;IACjF,OAAO,EAAE,OAAO,CAAC;IACjB,yEAAyE;IACzE,EAAE,EAAE,OAAO,CAAC;IACZ,oFAAoF;IACpF,QAAQ,EAAE,OAAO,CAAC;IAClB,6BAA6B;IAC7B,GAAG,EAAE,OAAO,CAAC;IACb,yCAAyC;IACzC,QAAQ,EAAE,OAAO,CAAC;IAClB,mCAAmC;IACnC,WAAW,EAAE,OAAO,CAAC;IACrB,kEAAkE;IAClE,UAAU,EAAE,OAAO,CAAC;IACpB,8DAA8D;IAC9D,GAAG,EAAE,OAAO,CAAC;IACb,0CAA0C;IAC1C,cAAc,EAAE,OAAO,CAAC;IACxB,uEAAuE;IACvE,eAAe,EAAE,OAAO,CAAC;IACzB,yCAAyC;IACzC,QAAQ,EAAE,OAAO,CAAC;IAClB,wEAAwE;IACxE,UAAU,EAAE,OAAO,CAAC;IACpB,mDAAmD;IACnD,YAAY,EAAE,OAAO,CAAC;IACtB,2BAA2B;IAC3B,SAAS,EAAE,OAAO,CAAC;IACnB,4BAA4B;IAC5B,YAAY,EAAE,OAAO,CAAC;IACtB,wCAAwC;IACxC,SAAS,EAAE,OAAO,CAAC;CACpB;AAsBD;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,IAAI,YAAY,CAQ1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,YAAY,GAAG,OAAO,CAGrE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,WAAW,GAAG,YAAY,CAelE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,YAAY,GAAG,WAAW,CAExE;AAED;;GAEG;AACH,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"features.d.ts","sourceRoot":"","sources":["../src/features.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAc,KAAK,WAAW,EAAE,MAAM,cAAc,CAAC;AAE5D,qCAAqC;AACrC,MAAM,WAAW,YAAY;IAC3B,iFAAiF;IACjF,OAAO,EAAE,OAAO,CAAC;IACjB,yEAAyE;IACzE,EAAE,EAAE,OAAO,CAAC;IACZ,oFAAoF;IACpF,QAAQ,EAAE,OAAO,CAAC;IAClB,6BAA6B;IAC7B,GAAG,EAAE,OAAO,CAAC;IACb,yCAAyC;IACzC,QAAQ,EAAE,OAAO,CAAC;IAClB,mCAAmC;IACnC,WAAW,EAAE,OAAO,CAAC;IACrB,kEAAkE;IAClE,UAAU,EAAE,OAAO,CAAC;IACpB,8DAA8D;IAC9D,GAAG,EAAE,OAAO,CAAC;IACb,0CAA0C;IAC1C,cAAc,EAAE,OAAO,CAAC;IACxB,uEAAuE;IACvE,eAAe,EAAE,OAAO,CAAC;IACzB,yCAAyC;IACzC,QAAQ,EAAE,OAAO,CAAC;IAClB,wEAAwE;IACxE,UAAU,EAAE,OAAO,CAAC;IACpB,mDAAmD;IACnD,YAAY,EAAE,OAAO,CAAC;IACtB,2BAA2B;IAC3B,SAAS,EAAE,OAAO,CAAC;IACnB,4BAA4B;IAC5B,YAAY,EAAE,OAAO,CAAC;IACtB,wCAAwC;IACxC,SAAS,EAAE,OAAO,CAAC;IACnB,oFAAoF;IACpF,YAAY,EAAE,OAAO,CAAC;IACtB,uEAAuE;IACvE,aAAa,EAAE,OAAO,CAAC;IACvB,mEAAmE;IACnE,cAAc,EAAE,OAAO,CAAC;CACzB;AA4BD;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,IAAI,YAAY,CAY1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,YAAY,GAAG,OAAO,CAMrE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,WAAW,GAAG,YAAY,CAmBlE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,YAAY,GAAG,WAAW,CAExE;AAED;;GAEG;AACH,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC"}

package/dist/features.js

@@ -25,8 +25,14 @@ const featureTierMap = {
     aiMultiProvider: 'max',
     auditLog: 'max',
     multiTenant: 'enterprise',
+    // NOTE: whiteLabel and sso are planned but not yet implemented.
+    // Forced to false below in getFeatures/getFeaturesForTier/isFeatureEnabled
+    // to avoid advertising features that don't exist. Re-enable when implemented.
     whiteLabel: 'enterprise',
     sso: 'enterprise',
+    vaultDesktop: 'pro',
+    vaultRotation: 'pro',
+    devkitProfiles: 'max',
 };
 /**
  * Returns the current feature flags based on the active license tier.
@@ -46,6 +52,9 @@ export function getFeatures() {
     for (const [feature, requiredTier] of Object.entries(featureTierMap)) {
         flags[feature] = isLicensed(requiredTier);
     }
+    // Planned but not yet implemented — force false to avoid false advertising
+    flags.whiteLabel = false;
+    flags.sso = false;
     return flags;
 }
 /**
@@ -61,6 +70,9 @@ export function getFeatures() {
  * ```
  */
 export function isFeatureEnabled(feature) {
+    // Planned but not yet implemented — always return false
+    if (feature === 'whiteLabel' || feature === 'sso')
+        return false;
     const requiredTier = featureTierMap[feature];
     return isLicensed(requiredTier);
 }
@@ -78,6 +90,9 @@ export function getFeaturesForTier(tier) {
     for (const [feature, requiredTier] of Object.entries(featureTierMap)) {
         flags[feature] = tierRank[tier] >= tierRank[requiredTier];
     }
+    // Planned but not yet implemented — force false to avoid false advertising
+    flags.whiteLabel = false;
+    flags.sso = false;
     return flags;
 }
 /**

package/dist/globals/GlobalOperations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"GlobalOperations.d.ts","sourceRoot":"","sources":["../../src/globals/GlobalOperations.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,cAAc,EACd,cAAc,EACd,kBAAkB,EAClB,aAAa,EAEd,MAAM,mBAAmB,CAAC;AAG3B;;;;GAIG;AACH,qBAAa,cAAc;IACzB,MAAM,EAAE,kBAAkB,CAAC;IAC3B,EAAE,EAAE;QACF,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;KACvE,GAAG,IAAI,CAAC;gBAGP,MAAM,EAAE,kBAAkB,EAC1B,EAAE,EAAE;QACF,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;KACvE,GAAG,IAAI;IAMJ,IAAI,CACR,OAAO,GAAE;QACP,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,OAAO,mBAAmB,EAAE,YAAY,CAAC;QACpD,GAAG,CAAC,EAAE,aAAa,CAAC;KAChB,GACL,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAsG3B,MAAM,CAAC,OAAO,EAAE;QAAE,IAAI,EAAE,OAAO,CAAC,cAAc,CAAC,CAAA;KAAE,GAAG,OAAO,CAAC,cAAc,CAAC;CAqElF"}
+{"version":3,"file":"GlobalOperations.d.ts","sourceRoot":"","sources":["../../src/globals/GlobalOperations.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,cAAc,EACd,cAAc,EACd,kBAAkB,EAClB,aAAa,EAEd,MAAM,mBAAmB,CAAC;AAG3B;;;;GAIG;AACH,qBAAa,cAAc;IACzB,MAAM,EAAE,kBAAkB,CAAC;IAC3B,EAAE,EAAE;QACF,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;KACvE,GAAG,IAAI,CAAC;gBAGP,MAAM,EAAE,kBAAkB,EAC1B,EAAE,EAAE;QACF,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;KACvE,GAAG,IAAI;IAMJ,IAAI,CACR,OAAO,GAAE;QACP,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,OAAO,mBAAmB,EAAE,YAAY,CAAC;QACpD,GAAG,CAAC,EAAE,aAAa,CAAC;KAChB,GACL,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;IAwG3B,MAAM,CAAC,OAAO,EAAE;QAAE,IAAI,EAAE,OAAO,CAAC,cAAc,CAAC,CAAA;KAAE,GAAG,OAAO,CAAC,cAAc,CAAC;CAqElF"}

package/dist/globals/GlobalOperations.js

@@ -1,4 +1,4 @@
-import { validateColumnName, validateSlug } from '../collections/operations/sqlAdapter.js';
+import { escapeIdentifier, validateColumnName, validateSlug, } from '../collections/operations/sqlAdapter.js';
 import { afterRead } from '../fields/hooks/afterRead/index.js';
 import { getRelationshipFields } from '../relationships/analyzer.js';
 import { flattenResult } from '../utils/flattenResult.js';
@@ -22,7 +22,10 @@ export class RevealUIGlobal {
         }
         if (this.db?.query) {
             const slug = this.config.slug;
-            if (!/^[a-z][a-z0-9_-]{0,62}$/.test(slug)) {
+            try {
+                validateSlug(slug);
+            }
+            catch {
                 throw new Error(`Invalid global slug: "${slug}". Must be lowercase alphanumeric with hyphens/underscores.`);
             }
             const tableName = `global_${slug}`;
@@ -101,7 +104,10 @@ export class RevealUIGlobal {
         const { data } = options;
         if (this.db?.query) {
             const slug = this.config.slug;
-            if (!/^[a-z][a-z0-9_-]{0,62}$/.test(slug)) {
+            try {
+                validateSlug(slug);
+            }
+            catch {
                 throw new Error(`Invalid global slug: "${slug}". Must be lowercase alphanumeric with hyphens/underscores.`);
             }
             const tableName = `global_${slug}`;
@@ -114,9 +120,7 @@ export class RevealUIGlobal {
                 const keys = Object.keys(data);
                 for (const key of keys)
                     validateColumnName(key);
-                const setClause = keys
-                    .map((key, i) => `"${key.replace(/"/g, '""')}" = $${i + 1}`)
-                    .join(', ');
+                const setClause = keys.map((key, i) => `"${escapeIdentifier(key)}" = $${i + 1}`).join(', ');
                 const values = keys.map((key) => {
                     const value = data[key];
                     // Serialize non-primitive values to JSON strings for SQLite compatibility
@@ -147,7 +151,7 @@ export class RevealUIGlobal {
                     }
                     return value;
                 });
-                const query = `INSERT INTO "${tableName}" (id, ${columns.map((c) => `"${c.replace(/"/g, '""')}"`).join(', ')}) VALUES ($1, ${placeholders})`;
+                const query = `INSERT INTO "${tableName}" (id, ${columns.map((c) => `"${escapeIdentifier(c)}"`).join(', ')}) VALUES ($1, ${placeholders})`;
                 await this.db.query(query, [id, ...values]);
             }
             const updatedDoc = await this.find();

package/dist/queries/queryBuilder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"queryBuilder.d.ts","sourceRoot":"","sources":["../../src/queries/queryBuilder.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAExE;;;;;GAKG;AAEH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,YAAY,CAAC;AAEvD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;;OAGG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,WAAW,GAAG,iBAAiB,CAAC,OAAO,CAAC,GAAG,SAAS,EAC3D,MAAM,EAAE,OAAO,EAAE,EACjB,OAAO,GAAE,iBAAsB,GAC9B,MAAM,CA0NR;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,CAAC,EAAE,WAAW,GAAG,OAAO,EAAE,CAoEjE"}
+{"version":3,"file":"queryBuilder.d.ts","sourceRoot":"","sources":["../../src/queries/queryBuilder.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAExE;;;;;GAKG;AAEH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,YAAY,CAAC;AAevD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;;OAGG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,WAAW,GAAG,iBAAiB,CAAC,OAAO,CAAC,GAAG,SAAS,EAC3D,MAAM,EAAE,OAAO,EAAE,EACjB,OAAO,GAAE,iBAAsB,GAC9B,MAAM,CA0NR;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,CAAC,EAAE,WAAW,GAAG,OAAO,EAAE,CAoEjE"}

package/dist/queries/queryBuilder.js

@@ -1,3 +1,16 @@
+/** Escape SQL LIKE wildcards (%, _, \) in user input */
+function escapeLikeWildcards(value) {
+    let result = '';
+    for (const ch of value) {
+        if (ch === '%' || ch === '_' || ch === '\\') {
+            result += `\\${ch}`;
+        }
+        else {
+            result += ch;
+        }
+    }
+    return result;
+}
 /**
  * Builds a WHERE clause from a RevealWhere query object.
  * Supports nested AND/OR conditions and various operators.
@@ -27,7 +40,7 @@ export function buildWhereClause(where, params, options = {}) {
         if (!quoteFields)
             return field;
         // Escape embedded double quotes to prevent SQL injection via identifier breakout
-        const escaped = field.replace(/"/g, '""');
+        const escaped = field.split('"').join('""');
         return `"${escaped}"`;
     };
     const whereWithGroups = where;
@@ -149,7 +162,7 @@ export function buildWhereClause(where, params, options = {}) {
             if ('contains' in condition && typeof condition.contains === 'string') {
                 const placeholder = getPlaceholder();
                 // Escape LIKE wildcards (% and _) in user input to prevent wildcard injection
-                const escaped = condition.contains.replace(/[%_\\]/g, '\\$&');
+                const escaped = escapeLikeWildcards(condition.contains);
                 params.push(`%${escaped}%`);
                 conditions.push(`${quotedField} LIKE ${placeholder} ESCAPE '\\'`);
             }
@@ -168,7 +181,7 @@ export function buildWhereClause(where, params, options = {}) {
             // like (escape wildcards to prevent blind LIKE probing)
             if ('like' in condition && typeof condition.like === 'string') {
                 const placeholder = getPlaceholder();
-                const escaped = condition.like.replace(/[%_\\]/g, '\\$&');
+                const escaped = escapeLikeWildcards(condition.like);
                 params.push(escaped);
                 conditions.push(`${quotedField} LIKE ${placeholder} ESCAPE '\\'`);
             }
@@ -219,7 +232,7 @@ export function extractWhereValues(where) {
                         break;
                     case 'contains':
                         if (typeof value === 'string') {
-                            const escaped = value.replace(/[%_\\]/g, '\\$&');
+                            const escaped = escapeLikeWildcards(value);
                             values.push(`%${escaped}%`);
                         }
                         break;

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "@revealui/core",
-  "version": "0.5.0",
+  "version": "0.5.3",
+  "description": "CMS engine, REST API, auth, rich text, admin UI, and plugins for RevealUI",
   "license": "MIT",
   "dependencies": {
     "@electric-sql/pglite": "^0.4.2",
@@ -23,11 +24,11 @@
     "pg": "^8.18.0",
     "yjs": "^13.6.29",
     "zod": "^4.3.6",
-    "@revealui/cache": "0.1.0",
-    "@revealui/contracts": "1.3.1",
-    "@revealui/resilience": "0.2.0",
-    "@revealui/security": "0.2.1",
-    "@revealui/utils": "0.3.0"
+    "@revealui/cache": "0.1.1",
+    "@revealui/contracts": "1.3.4",
+    "@revealui/resilience": "0.2.1",
+    "@revealui/security": "0.2.4",
+    "@revealui/utils": "0.3.1"
   },
   "devDependencies": {
     "@types/json-schema": "^7.0.15",