@stonyx/orm 0.2.1-beta.85 → 0.2.1-beta.87

package/dist/manage-record.js

@@ -23,8 +23,11 @@ export function createRecord(modelName, rawData = {}, userOptions = {}) {
         throw new Error(`Model store for '${modelName}' is not registered. Ensure the model is defined before creating records.`);
     assignRecordId(modelName, rawData);
     const existingRecord = modelStore.get(rawData.id);
-    if (existingRecord)
+    if (existingRecord) {
+        // Update the existing record with new data so the last entry wins
+        updateRecord(existingRecord, rawData, { ...options, update: true });
         return existingRecord;
+    }
     const recordClasses = orm.getRecordClasses(modelName);
     const modelClass = recordClasses.modelClass;
     const serializerClass = recordClasses.serializerClass;

package/dist/mysql/migration-runner.js

@@ -1,6 +1,8 @@
 import { fileExists } from '@stonyx/utils/file';
 import fs from 'fs/promises';
+import { validateIdentifier } from './query-builder.js';
 export async function ensureMigrationsTable(pool, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     await pool.execute(`
     CREATE TABLE IF NOT EXISTS \`${tableName}\` (
       id INT AUTO_INCREMENT PRIMARY KEY,
@@ -10,6 +12,7 @@ export async function ensureMigrationsTable(pool, tableName = '__migrations') {
   `);
 }
 export async function getAppliedMigrations(pool, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const [rows] = await pool.execute(`SELECT filename FROM \`${tableName}\` ORDER BY id ASC`);
     return rows.map(row => row.filename);
 }
@@ -37,6 +40,7 @@ export function parseMigrationFile(content) {
     return { up, down };
 }
 export async function applyMigration(pool, filename, upSql, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const connection = await pool.getConnection();
     try {
         await connection.beginTransaction();
@@ -57,6 +61,7 @@ export async function applyMigration(pool, filename, upSql, tableName = '__migra
     }
 }
 export async function rollbackMigration(pool, filename, downSql, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const connection = await pool.getConnection();
     try {
         await connection.beginTransaction();

package/dist/postgres/connection.js

@@ -1,3 +1,4 @@
+import { validateIdentifier } from './query-builder.js';
 let pool = null;
 /**
  * Create or return the singleton pg Pool.
@@ -18,7 +19,8 @@ export async function getPool(pgConfig, extensions = ['vector']) {
     });
     // Enable requested PostgreSQL extensions
     for (const ext of extensions) {
-        await pool.query(`CREATE EXTENSION IF NOT EXISTS ${ext}`);
+        validateIdentifier(ext, 'extension name');
+        await pool.query(`CREATE EXTENSION IF NOT EXISTS "${ext}"`);
     }
     return pool;
 }

package/dist/postgres/migration-runner.js

@@ -1,6 +1,8 @@
 import { fileExists } from '@stonyx/utils/file';
 import fs from 'fs/promises';
+import { validateIdentifier } from './query-builder.js';
 export async function ensureMigrationsTable(pool, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     await pool.query(`
     CREATE TABLE IF NOT EXISTS "${tableName}" (
       id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
@@ -10,6 +12,7 @@ export async function ensureMigrationsTable(pool, tableName = '__migrations') {
   `);
 }
 export async function getAppliedMigrations(pool, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const result = await pool.query(`SELECT filename FROM "${tableName}" ORDER BY id ASC`);
     return result.rows.map(row => row.filename);
 }
@@ -37,6 +40,7 @@ export function parseMigrationFile(content) {
     return { up, down };
 }
 export async function applyMigration(pool, filename, upSql, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const client = await pool.connect();
     try {
         await client.query('BEGIN');
@@ -56,6 +60,7 @@ export async function applyMigration(pool, filename, upSql, tableName = '__migra
     }
 }
 export async function rollbackMigration(pool, filename, downSql, tableName = '__migrations') {
+    validateIdentifier(tableName, 'migration table name');
     const client = await pool.connect();
     try {
         await client.query('BEGIN');

package/dist/postgres/type-map.js

@@ -36,6 +36,9 @@ export function getPgType(attrType, transformFn) {
  * Returns a vector column type for the given dimensions.
  */
 export function getVectorType(dimensions) {
+    if (!Number.isInteger(dimensions) || dimensions < 1 || dimensions > 16000) {
+        throw new Error(`Invalid vector dimensions: ${dimensions}. Must be an integer between 1 and 16000.`);
+    }
     return `vector(${dimensions})`;
 }
 function mysqlTypeToPg(mysqlType) {

package/dist/record.js

@@ -39,9 +39,23 @@ export default class Record {
         const { __data: data } = this;
         const records = {};
         for (const [key, childRecord] of Object.entries(this.__relationships)) {
-            records[key] = Array.isArray(childRecord)
-                ? childRecord.map((r) => r.serialize())
-                : childRecord?.serialize() ?? null;
+            if (Array.isArray(childRecord)) {
+                // Deduplicate by record ID — keep last occurrence (latest data wins)
+                const seen = new Set();
+                const unique = [];
+                for (let i = childRecord.length - 1; i >= 0; i--) {
+                    const r = childRecord[i];
+                    if (!seen.has(r.id)) {
+                        seen.add(r.id);
+                        unique.push(r);
+                    }
+                }
+                unique.reverse();
+                records[key] = unique.map((r) => r.serialize());
+            }
+            else {
+                records[key] = childRecord?.serialize() ?? null;
+            }
         }
         return { ...data, ...records };
     }

package/dist/timescale/query-builder.d.ts

@@ -1,4 +1,6 @@
 export { validateIdentifier, buildInsert, buildUpdate, buildDelete, buildSelect } from '../postgres/query-builder.js';
+export declare function validateInterval(interval: string, context?: string): string;
+export declare function validateAggregate(expr: string, context?: string): string;
 interface QueryResult {
     sql: string;
     values: unknown[];

package/dist/timescale/query-builder.js

@@ -1,6 +1,20 @@
 // Re-export all base PostgreSQL query builders
 export { validateIdentifier, buildInsert, buildUpdate, buildDelete, buildSelect } from '../postgres/query-builder.js';
 import { validateIdentifier } from '../postgres/query-builder.js';
+const SAFE_INTERVAL = /^\d+\s+(microsecond|millisecond|second|minute|hour|day|week|month|year)s?$/i;
+export function validateInterval(interval, context = 'interval') {
+    if (!interval || typeof interval !== 'string' || !SAFE_INTERVAL.test(interval.trim())) {
+        throw new Error(`Invalid SQL ${context}: "${interval}". Intervals must match pattern like "7 days", "1 hour", "30 minutes".`);
+    }
+    return interval.trim();
+}
+const SAFE_AGGREGATE = /^(COUNT|SUM|AVG|MIN|MAX|FIRST|LAST)\s*\(\s*("?[a-zA-Z_][a-zA-Z0-9_]*"?|\*)\s*\)\s*(AS\s+"?[a-zA-Z_][a-zA-Z0-9_]*"?)?$/i;
+export function validateAggregate(expr, context = 'aggregate') {
+    if (!expr || typeof expr !== 'string' || !SAFE_AGGREGATE.test(expr.trim())) {
+        throw new Error(`Invalid SQL ${context}: "${expr}". Aggregates must be simple function calls like "AVG(value) AS avg_value".`);
+    }
+    return expr.trim();
+}
 /**
  * Build a CREATE TABLE + hypertable conversion statement.
  * TimescaleDB hypertables are regular tables converted via create_hypertable().
@@ -9,6 +23,7 @@ export function buildCreateHypertable(table, timeColumn, options = {}) {
     validateIdentifier(table, 'table name');
     validateIdentifier(timeColumn, 'column name');
     const { chunkInterval = '7 days' } = options;
+    validateInterval(chunkInterval, 'chunk interval');
     const sql = `SELECT create_hypertable('"${table}"', '${timeColumn}', chunk_time_interval => INTERVAL '${chunkInterval}', if_not_exists => TRUE)`;
     return { sql, values: [] };
 }
@@ -24,7 +39,7 @@ export function buildTimeBucket(table, timeColumn, bucketSize, options = {}) {
     const selectCols = [`time_bucket($${paramIndex++}, "${timeColumn}") AS bucket`];
     values.push(bucketSize);
     for (const agg of aggregates) {
-        selectCols.push(agg);
+        selectCols.push(validateAggregate(agg));
     }
     const whereClauses = [];
     if (where) {
@@ -35,7 +50,17 @@ export function buildTimeBucket(table, timeColumn, bucketSize, options = {}) {
         }
     }
     const whereStr = whereClauses.length > 0 ? ` WHERE ${whereClauses.join(' AND ')}` : '';
-    const orderStr = orderBy ? ` ORDER BY ${orderBy}` : '';
+    let orderStr = '';
+    if (orderBy) {
+        const parts = orderBy.trim().split(/\s+/);
+        const col = parts[0];
+        const dir = parts[1]?.toUpperCase();
+        validateIdentifier(col, 'ORDER BY column');
+        if (dir && dir !== 'ASC' && dir !== 'DESC') {
+            throw new Error(`Invalid ORDER BY direction: "${dir}". Must be ASC or DESC.`);
+        }
+        orderStr = ` ORDER BY "${col}"${dir ? ` ${dir}` : ''}`;
+    }
     let limitStr = '';
     if (limit != null) {
         limitStr = ` LIMIT $${paramIndex++}`;
@@ -52,6 +77,8 @@ export function buildContinuousAggregate(viewName, table, timeColumn, bucketSize
     validateIdentifier(table, 'table name');
     validateIdentifier(timeColumn, 'column name');
     const { withNoData = false } = options;
+    validateInterval(bucketSize, 'bucket size');
+    aggregates.forEach(agg => validateAggregate(agg));
     const selectCols = [
         `time_bucket('${bucketSize}', "${timeColumn}") AS bucket`,
         ...aggregates,
@@ -65,6 +92,7 @@ export function buildContinuousAggregate(viewName, table, timeColumn, bucketSize
  */
 export function buildCompressionPolicy(table, compressAfter) {
     validateIdentifier(table, 'table name');
+    validateInterval(compressAfter, 'compress after interval');
     const sql = `SELECT add_compression_policy('"${table}"', INTERVAL '${compressAfter}', if_not_exists => TRUE)`;
     return { sql };
 }

package/package.json

@@ -4,7 +4,7 @@
     "stonyx-async",
     "stonyx-module"
   ],
-  "version": "0.2.1-beta.85",
+  "version": "0.2.1-beta.87",
   "description": "",
   "main": "dist/index.js",
   "type": "module",

package/src/manage-record.ts

@@ -44,7 +44,12 @@ export function createRecord(modelName: string, rawData: { [key: string]: unknow
 
   assignRecordId(modelName, rawData);
   const existingRecord = modelStore.get(rawData.id as number | string);
-  if (existingRecord) return existingRecord as OrmRecord;
+
+  if (existingRecord) {
+    // Update the existing record with new data so the last entry wins
+    updateRecord(existingRecord as OrmRecord, rawData, { ...options, update: true });
+    return existingRecord as OrmRecord;
+  }
 
   const recordClasses = orm.getRecordClasses(modelName);
   const modelClass = recordClasses.modelClass as (new (name: string) => { __name: string; [key: string]: unknown }) | undefined;

package/src/mysql/migration-runner.ts

@@ -2,6 +2,7 @@ import { readFile, fileExists } from '@stonyx/utils/file';
 import path from 'path';
 import fs from 'fs/promises';
 import type { Pool, PoolConnection } from 'mysql2/promise';
+import { validateIdentifier } from './query-builder.js';
 
 interface ParsedMigration {
   up: string;
@@ -9,6 +10,7 @@ interface ParsedMigration {
 }
 
 export async function ensureMigrationsTable(pool: Pool, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   await pool.execute(`
     CREATE TABLE IF NOT EXISTS \`${tableName}\` (
       id INT AUTO_INCREMENT PRIMARY KEY,
@@ -19,6 +21,7 @@ export async function ensureMigrationsTable(pool: Pool, tableName: string = '__m
 }
 
 export async function getAppliedMigrations(pool: Pool, tableName: string = '__migrations'): Promise<string[]> {
+  validateIdentifier(tableName, 'migration table name');
   const [rows] = await pool.execute(
     `SELECT filename FROM \`${tableName}\` ORDER BY id ASC`
   ) as [Array<{ filename: string }>, unknown];
@@ -56,6 +59,7 @@ export function parseMigrationFile(content: string): ParsedMigration {
 }
 
 export async function applyMigration(pool: Pool, filename: string, upSql: string, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   const connection = await pool.getConnection();
 
   try {
@@ -83,6 +87,7 @@ export async function applyMigration(pool: Pool, filename: string, upSql: string
 }
 
 export async function rollbackMigration(pool: Pool, filename: string, downSql: string, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   const connection = await pool.getConnection();
 
   try {

package/src/postgres/connection.ts

@@ -1,4 +1,5 @@
 import type { Pool as PgPool } from 'pg';
+import { validateIdentifier } from './query-builder.js';
 
 interface PgConfig {
   host: string;
@@ -32,7 +33,8 @@ export async function getPool(pgConfig: PgConfig, extensions: string[] = ['vecto
 
   // Enable requested PostgreSQL extensions
   for (const ext of extensions) {
-    await pool.query(`CREATE EXTENSION IF NOT EXISTS ${ext}`);
+    validateIdentifier(ext, 'extension name');
+    await pool.query(`CREATE EXTENSION IF NOT EXISTS "${ext}"`);
   }
 
   return pool;

package/src/postgres/migration-runner.ts

@@ -2,8 +2,10 @@ import { readFile, fileExists } from '@stonyx/utils/file';
 import path from 'path';
 import fs from 'fs/promises';
 import type { Pool, PoolClient } from 'pg';
+import { validateIdentifier } from './query-builder.js';
 
 export async function ensureMigrationsTable(pool: Pool, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   await pool.query(`
     CREATE TABLE IF NOT EXISTS "${tableName}" (
       id INTEGER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
@@ -14,6 +16,7 @@ export async function ensureMigrationsTable(pool: Pool, tableName: string = '__m
 }
 
 export async function getAppliedMigrations(pool: Pool, tableName: string = '__migrations'): Promise<string[]> {
+  validateIdentifier(tableName, 'migration table name');
   const result = await pool.query(
     `SELECT filename FROM "${tableName}" ORDER BY id ASC`
   );
@@ -51,6 +54,7 @@ export function parseMigrationFile(content: string): { up: string; down: string
 }
 
 export async function applyMigration(pool: Pool, filename: string, upSql: string, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   const client: PoolClient = await pool.connect();
 
   try {
@@ -77,6 +81,7 @@ export async function applyMigration(pool: Pool, filename: string, upSql: string
 }
 
 export async function rollbackMigration(pool: Pool, filename: string, downSql: string, tableName: string = '__migrations'): Promise<void> {
+  validateIdentifier(tableName, 'migration table name');
   const client: PoolClient = await pool.connect();
 
   try {

package/src/postgres/type-map.ts

@@ -42,6 +42,10 @@ export function getPgType(attrType: string, transformFn?: TransformFn): string {
  * Returns a vector column type for the given dimensions.
  */
 export function getVectorType(dimensions: number): string {
+  if (!Number.isInteger(dimensions) || dimensions < 1 || dimensions > 16000) {
+    throw new Error(`Invalid vector dimensions: ${dimensions}. Must be an integer between 1 and 16000.`);
+  }
+
   return `vector(${dimensions})`;
 }
 

package/src/record.ts

@@ -86,9 +86,24 @@ export default class Record {
     const records: { [key: string]: unknown } = {};
 
     for (const [key, childRecord] of Object.entries(this.__relationships)) {
-      records[key] = Array.isArray(childRecord)
-        ? childRecord.map((r: Record) => r.serialize())
-        : (childRecord as Record)?.serialize() ?? null;
+      if (Array.isArray(childRecord)) {
+        // Deduplicate by record ID — keep last occurrence (latest data wins)
+        const seen = new Set<unknown>();
+        const unique: Record[] = [];
+
+        for (let i = childRecord.length - 1; i >= 0; i--) {
+          const r = childRecord[i] as Record;
+          if (!seen.has(r.id)) {
+            seen.add(r.id);
+            unique.push(r);
+          }
+        }
+
+        unique.reverse();
+        records[key] = unique.map((r: Record) => r.serialize());
+      } else {
+        records[key] = (childRecord as Record)?.serialize() ?? null;
+      }
     }
 
     return { ...data, ...records };

package/src/timescale/query-builder.ts

@@ -3,6 +3,26 @@ export { validateIdentifier, buildInsert, buildUpdate, buildDelete, buildSelect
 
 import { validateIdentifier } from '../postgres/query-builder.js';
 
+const SAFE_INTERVAL = /^\d+\s+(microsecond|millisecond|second|minute|hour|day|week|month|year)s?$/i;
+
+export function validateInterval(interval: string, context: string = 'interval'): string {
+  if (!interval || typeof interval !== 'string' || !SAFE_INTERVAL.test(interval.trim())) {
+    throw new Error(`Invalid SQL ${context}: "${interval}". Intervals must match pattern like "7 days", "1 hour", "30 minutes".`);
+  }
+
+  return interval.trim();
+}
+
+const SAFE_AGGREGATE = /^(COUNT|SUM|AVG|MIN|MAX|FIRST|LAST)\s*\(\s*("?[a-zA-Z_][a-zA-Z0-9_]*"?|\*)\s*\)\s*(AS\s+"?[a-zA-Z_][a-zA-Z0-9_]*"?)?$/i;
+
+export function validateAggregate(expr: string, context: string = 'aggregate'): string {
+  if (!expr || typeof expr !== 'string' || !SAFE_AGGREGATE.test(expr.trim())) {
+    throw new Error(`Invalid SQL ${context}: "${expr}". Aggregates must be simple function calls like "AVG(value) AS avg_value".`);
+  }
+
+  return expr.trim();
+}
+
 interface QueryResult {
   sql: string;
   values: unknown[];
@@ -36,6 +56,7 @@ export function buildCreateHypertable(table: string, timeColumn: string, options
   validateIdentifier(timeColumn, 'column name');
 
   const { chunkInterval = '7 days' } = options;
+  validateInterval(chunkInterval, 'chunk interval');
 
   const sql = `SELECT create_hypertable('"${table}"', '${timeColumn}', chunk_time_interval => INTERVAL '${chunkInterval}', if_not_exists => TRUE)`;
 
@@ -57,7 +78,7 @@ export function buildTimeBucket(table: string, timeColumn: string, bucketSize: s
   values.push(bucketSize);
 
   for (const agg of aggregates) {
-    selectCols.push(agg);
+    selectCols.push(validateAggregate(agg));
   }
 
   const whereClauses: string[] = [];
@@ -70,7 +91,20 @@ export function buildTimeBucket(table: string, timeColumn: string, bucketSize: s
   }
 
   const whereStr = whereClauses.length > 0 ? ` WHERE ${whereClauses.join(' AND ')}` : '';
-  const orderStr = orderBy ? ` ORDER BY ${orderBy}` : '';
+  let orderStr = '';
+  if (orderBy) {
+    const parts = orderBy.trim().split(/\s+/);
+    const col = parts[0];
+    const dir = parts[1]?.toUpperCase();
+
+    validateIdentifier(col, 'ORDER BY column');
+
+    if (dir && dir !== 'ASC' && dir !== 'DESC') {
+      throw new Error(`Invalid ORDER BY direction: "${dir}". Must be ASC or DESC.`);
+    }
+
+    orderStr = ` ORDER BY "${col}"${dir ? ` ${dir}` : ''}`;
+  }
   let limitStr = '';
   if (limit != null) {
     limitStr = ` LIMIT $${paramIndex++}`;
@@ -91,6 +125,8 @@ export function buildContinuousAggregate(viewName: string, table: string, timeCo
   validateIdentifier(timeColumn, 'column name');
 
   const { withNoData = false } = options;
+  validateInterval(bucketSize, 'bucket size');
+  aggregates.forEach(agg => validateAggregate(agg));
 
   const selectCols: string[] = [
     `time_bucket('${bucketSize}', "${timeColumn}") AS bucket`,
@@ -109,6 +145,7 @@ export function buildContinuousAggregate(viewName: string, table: string, timeCo
  */
 export function buildCompressionPolicy(table: string, compressAfter: string): SqlResult {
   validateIdentifier(table, 'table name');
+  validateInterval(compressAfter, 'compress after interval');
 
   const sql = `SELECT add_compression_policy('"${table}"', INTERVAL '${compressAfter}', if_not_exists => TRUE)`;