@truto/sqlite-builder 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Truto Team
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,469 @@
+# 🏗️ truto-sqlite-builder
+
+[![npm version](https://badge.fury.io/js/%40truto%2Fsqlite-builder.svg)](https://badge.fury.io/js/%40truto%2Fsqlite-builder)
+[![CI](https://github.com/trutohq/truto-sqlite-builder/actions/workflows/ci.yml/badge.svg)](https://github.com/trutohq/truto-sqlite-builder/actions/workflows/ci.yml)
+[![codecov](https://codecov.io/gh/trutohq/truto-sqlite-builder/branch/main/graph/badge.svg)](https://codecov.io/gh/trutohq/truto-sqlite-builder)
+[![TypeScript](https://img.shields.io/badge/TypeScript-Ready-blue.svg)](https://www.typescriptlang.org/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+**Safe, zero-dependency template-literal tag for SQLite queries in any JS environment.**
+
+`truto-sqlite-builder` provides a secure and ergonomic way to build SQLite queries using tagged template literals. It prevents SQL injection attacks through parameterized queries while offering convenient helper functions for common SQL patterns.
+
+## ✨ Features
+
+- 🔒 **Injection-safe**: All values are parameterized, preventing SQL injection
+- 🚫 **Defense in depth**: Multiple security layers including stacked query detection
+- 🪶 **Zero dependencies**: Pure TypeScript/JavaScript with no runtime dependencies
+- 🌍 **Universal**: Works in Bun, Node.js, Deno, and modern browsers
+- 🎯 **TypeScript-first**: Full type safety with excellent IDE support
+- 🔧 **Helper functions**: Built-in utilities for identifiers, IN clauses, and more
+- ⚡ **Lightweight**: Minimal bundle size with tree-shaking support
+
+## 📦 Installation
+
+```bash
+bun add truto-sqlite-builder
+```
+
+```bash
+npm install truto-sqlite-builder
+```
+
+```bash
+yarn add truto-sqlite-builder
+```
+
+```bash
+pnpm add truto-sqlite-builder
+```
+
+## 🚀 Quick Start
+
+```typescript
+import sqlite3 from 'better-sqlite3'
+import { sql } from 'truto-sqlite-builder'
+
+const db = new sqlite3('database.db')
+
+// Simple query
+const name = 'Alice'
+const { text, values } = sql`SELECT * FROM users WHERE name = ${name}`
+const users = db.prepare(text).all(...values)
+
+// Complex query with helpers
+const userIds = [1, 2, 3]
+const query = sql`
+  SELECT u.*, p.title 
+  FROM ${sql.ident('users')} u
+  JOIN ${sql.ident('posts')} p ON u.id = p.user_id
+  WHERE u.id IN ${sql.in(userIds)}
+    AND u.status = ${'active'}
+`
+
+const results = db.prepare(query.text).all(...query.values)
+```
+
+## 📖 API Reference
+
+### `sql` Tagged Template
+
+The main function for building SQL queries.
+
+```typescript
+const query = sql`SELECT * FROM users WHERE id = ${userId}`
+// Returns: { text: "SELECT * FROM users WHERE id = ?", values: [userId] }
+```
+
+**Parameters:**
+
+- Template strings and interpolated values
+- Returns a frozen `SqlQuery` object with `text` and `values` properties
+
+### `sql.ident(identifier: string | readonly (string | SqlFragment)[])`
+
+Safely quotes SQL identifiers (table names, column names, etc.). Accepts single identifiers, arrays of identifiers, or mixed arrays containing both identifiers and SQL fragments.
+
+```typescript
+// Single identifier
+const table = 'users'
+const query = sql`SELECT * FROM ${sql.ident(table)}`
+// Returns: { text: 'SELECT * FROM "users"', values: [] }
+
+// Qualified identifiers (table.column)
+const qualifiedQuery = sql`SELECT ${sql.ident('u.name')}, ${sql.ident('u.email')} FROM users u`
+// Returns: { text: 'SELECT "u.name", "u.email" FROM users u', values: [] }
+
+// Array of identifiers (useful for column lists)
+const columns = ['name', 'email', 'created_at']
+const selectQuery = sql`SELECT ${sql.ident(columns)} FROM users`
+// Returns: { text: 'SELECT "name", "email", "created_at" FROM users', values: [] }
+
+// Mixed arrays with qualified and simple identifiers
+const mixedColumns = ['u.id', 'name', 'u.email', 'p.title']
+const joinQuery = sql`SELECT ${sql.ident(mixedColumns)} FROM users u JOIN posts p ON u.id = p.user_id`
+// Returns: { text: 'SELECT "u.id", "name", "u.email", "p.title" FROM users u JOIN posts p ON u.id = p.user_id', values: [] }
+
+// Mixed arrays with identifiers and SQL fragments
+const mixedColumns = ['id', 'name', sql.raw('UPPER(email) as email_upper')]
+const mixedQuery = sql`SELECT ${sql.ident(mixedColumns)} FROM users`
+// Returns: { text: 'SELECT "id", "name", UPPER(email) as email_upper FROM users', values: [] }
+
+// Mixed arrays with parameterized fragments
+const status = 'premium'
+const dynamicColumns = [
+  'id',
+  'name',
+  sql`CASE WHEN status = ${status} THEN 'Premium' ELSE 'Regular' END as user_type`,
+]
+const dynamicQuery = sql`SELECT ${sql.ident(dynamicColumns)} FROM users`
+// Returns: { text: 'SELECT "id", "name", CASE WHEN status = ? THEN \'Premium\' ELSE \'Regular\' END as user_type FROM users', values: ['premium'] }
+
+// In INSERT statements
+const insertColumns = ['name', 'email', 'age']
+const insertQuery = sql`
+  INSERT INTO users (${sql.ident(insertColumns)}) 
+  VALUES (${name}, ${email}, ${age})
+`
+// Returns: { text: 'INSERT INTO users ("name", "email", "age") VALUES (?, ?, ?)', values: [name, email, age] }
+```
+
+**Security:** Only accepts valid ANSI identifiers (simple: `name`, qualified: `table.column`) for string elements. SQL fragments are passed through as-is.
+
+### `sql.in(array: readonly unknown[])`
+
+Creates parameterized IN clauses from arrays.
+
+```typescript
+const ids = [1, 2, 3]
+const query = sql`SELECT * FROM users WHERE id IN ${sql.in(ids)}`
+// Returns: { text: "SELECT * FROM users WHERE id IN (?,?,?)", values: [1, 2, 3] }
+```
+
+**Features:**
+
+- Rejects empty arrays (would create invalid SQL)
+- Warns for arrays with >1000 items (performance consideration)
+
+### `sql.raw(rawSql: string)`
+
+Embeds raw SQL without parameterization. **⚠️ Use with extreme caution!**
+
+```typescript
+const query = sql`SELECT * FROM users WHERE created_at > ${sql.raw('datetime("now", "-1 day")')}`
+// Returns: { text: 'SELECT * FROM users WHERE created_at > datetime("now", "-1 day")', values: [] }
+```
+
+**⚠️ Warning:** Never use `sql.raw()` with user input. Only use with trusted, static SQL fragments.
+
+### `sql.join(fragments: SqlFragment[], separator?: string)`
+
+Joins multiple SQL fragments with a separator.
+
+```typescript
+const conditions = [
+  sql`name = ${'John'}`,
+  sql`age = ${30}`,
+  sql`active = ${true}`,
+]
+
+const query = sql`SELECT * FROM users WHERE ${sql.join(conditions, ' AND ')}`
+// Returns: { text: "SELECT * FROM users WHERE name = ? AND age = ? AND active = ?", values: ['John', 30, true] }
+```
+
+## 🛡️ Security Model
+
+### What's Protected
+
+- **SQL Injection**: All interpolated values are parameterized
+- **Stacked Queries**: Queries containing `;` followed by additional SQL are rejected
+- **Identifier Safety**: `sql.ident()` validates against ANSI identifier rules
+- **Length Limits**: Queries exceeding 100KB are rejected (configurable via `TRUTO_SQL_MAX_LENGTH`)
+
+### What's Your Responsibility
+
+- **Never use `sql.raw()` with user input**
+- **Validate identifiers before using `sql.ident()`** (though it has built-in validation)
+- **Use `sql.in()` instead of string concatenation** for arrays
+- **Keep your SQLite driver updated**
+
+### Supported Value Types
+
+```typescript
+// ✅ Safe types (automatically parameterized)
+const query = sql`
+  INSERT INTO users (name, age, active, created_at, data, deleted_at)
+  VALUES (
+    ${'John'},           // string
+    ${30},               // number  
+    ${true},             // boolean
+    ${new Date()},       // Date → 'YYYY-MM-DD HH:MM:SS'
+    ${null},             // null
+    ${undefined}         // undefined → null
+  )
+`
+
+// ❌ Unsafe types (will throw TypeError)
+sql`SELECT * FROM users WHERE data = ${Buffer.from('test')}` // Use sql.raw() for buffers
+sql`SELECT * FROM users WHERE id = ${Symbol('test')}` // Unsupported type
+```
+
+## 📋 Examples
+
+### Basic CRUD Operations
+
+```typescript
+import { sql } from 'truto-sqlite-builder'
+
+// CREATE with array identifiers
+const insertColumns = ['name', 'email', 'age']
+const insertUser = sql`
+  INSERT INTO users (${sql.ident(insertColumns)})
+  VALUES (${name}, ${email}, ${age})
+`
+
+// READ with specific columns
+const selectColumns = ['id', 'name', 'email', 'created_at']
+const getUser = sql`
+  SELECT ${sql.ident(selectColumns)} FROM users 
+  WHERE id = ${userId}
+`
+
+// UPDATE
+const updateUser = sql`
+  UPDATE users 
+  SET name = ${newName}, updated_at = ${new Date()}
+  WHERE id = ${userId}
+`
+
+// DELETE
+const deleteUser = sql`
+  DELETE FROM users 
+  WHERE id = ${userId}
+`
+```
+
+### Dynamic Queries
+
+```typescript
+// Dynamic WHERE conditions
+const filters = []
+if (name) filters.push(sql`name = ${name}`)
+if (minAge) filters.push(sql`age >= ${minAge}`)
+if (isActive !== undefined) filters.push(sql`active = ${isActive}`)
+
+const whereClause =
+  filters.length > 0 ? sql.join(filters, ' AND ') : sql.raw('1=1')
+
+const query = sql`
+  SELECT * FROM users 
+  WHERE ${whereClause}
+  ORDER BY created_at DESC
+`
+
+// Dynamic column selection (simplified with array support)
+const columns = ['id', 'name', 'email']
+const selectQuery = sql`SELECT ${sql.ident(columns)} FROM users`
+
+// Alternative approach for more complex column expressions
+const complexColumns = [
+  sql.ident('id'),
+  sql.ident('name'),
+  sql.raw('UPPER(email) as email_upper'),
+]
+const complexQuery = sql`SELECT ${sql.join(complexColumns)} FROM users`
+```
+
+### Array Identifiers & Qualified Identifiers
+
+The `sql.ident()` function supports simple identifiers, qualified identifiers (table.column), arrays, and mixed arrays with SQL fragments:
+
+```typescript
+// ✅ Simple identifiers
+const table = 'users'
+const column = 'name'
+const simpleQuery = sql`SELECT ${sql.ident(column)} FROM ${sql.ident(table)}`
+// Result: SELECT "name" FROM "users"
+
+// ✅ Qualified identifiers (table.column)
+const qualifiedQuery = sql`SELECT ${sql.ident('u.name')}, ${sql.ident('p.title')} FROM users u JOIN posts p ON u.id = p.user_id`
+// Result: SELECT "u.name", "p.title" FROM users u JOIN posts p ON u.id = p.user_id
+
+// ✅ Pure identifier arrays (clean and concise)
+const columns = ['id', 'name', 'email', 'created_at']
+const arrayQuery = sql`SELECT ${sql.ident(columns)} FROM users`
+// Result: SELECT "id", "name", "email", "created_at" FROM users
+
+// ✅ Mixed qualified and simple identifiers in arrays
+const mixedColumns = ['u.id', 'name', 'u.email', 'p.title', 'created_at']
+const mixedQuery = sql`SELECT ${sql.ident(mixedColumns)} FROM users u LEFT JOIN posts p ON u.id = p.user_id`
+// Result: SELECT "u.id", "name", "u.email", "p.title", "created_at" FROM users u LEFT JOIN posts p ON u.id = p.user_id
+
+// ✅ NEW: Mixed arrays with identifiers and SQL fragments
+const mixedColumns = [
+  'id',
+  'name',
+  sql.raw('UPPER(email) as email_upper'),
+  sql.raw('COUNT(*) as total'),
+]
+const mixedQuery = sql`SELECT ${sql.ident(mixedColumns)} FROM users GROUP BY id, name, email`
+// Result: SELECT "id", "name", UPPER(email) as email_upper, COUNT(*) as total FROM users GROUP BY id, name, email
+
+// ✅ Mixed arrays with parameterized fragments
+const status = 'premium'
+const dynamicColumns = [
+  'id',
+  'name',
+  sql`CASE WHEN status = ${status} THEN 'Premium User' ELSE 'Regular User' END as user_type`,
+  sql.raw('created_at'),
+]
+const parameterizedQuery = sql`SELECT ${sql.ident(dynamicColumns)} FROM users WHERE active = ${true}`
+// Combines identifiers, raw SQL, and parameterized values seamlessly
+
+// ✅ Works great for INSERT statements
+const insertData = { name: 'John', email: 'john@example.com', age: 30 }
+const insertColumns = Object.keys(insertData)
+const insertValues = Object.values(insertData)
+const insertQuery = sql`
+  INSERT INTO users (${sql.ident(insertColumns)}) 
+  VALUES (${insertValues[0]}, ${insertValues[1]}, ${insertValues[2]})
+`
+
+// ✅ Dynamic column selection
+const userFields = ['name', 'email']
+const includeTimestamps = true
+if (includeTimestamps) {
+  userFields.push('created_at', 'updated_at')
+}
+const dynamicQuery = sql`SELECT ${sql.ident(userFields)} FROM users`
+
+// 🆚 OLD: Manual joining approach (still works, but much more verbose)
+const oldWay = sql`SELECT ${sql.join([
+  sql.ident('id'),
+  sql.ident('name'),
+  sql.raw('UPPER(email) as email_upper'),
+])} FROM users`
+```
+
+### Complex Joins
+
+```typescript
+const getUsersWithPosts = sql`
+  SELECT 
+    ${sql.ident('u')}.id,
+    ${sql.ident('u')}.name,
+    COUNT(${sql.ident('p')}.id) as post_count
+  FROM ${sql.ident('users')} u
+  LEFT JOIN ${sql.ident('posts')} p ON u.id = p.user_id
+  WHERE u.created_at > ${startDate}
+    AND u.status IN ${sql.in(['active', 'premium'])}
+  GROUP BY u.id
+  HAVING post_count > ${minPosts}
+  ORDER BY post_count DESC
+  LIMIT ${limit}
+`
+
+// For simpler cases, you can use array identifiers directly
+const getUsers = sql`
+  SELECT ${sql.ident(['id', 'name', 'email', 'created_at'])}
+  FROM ${sql.ident('users')}
+  WHERE status = ${'active'}
+`
+```
+
+### Transactions
+
+```typescript
+// Works great with better-sqlite3 transactions
+const insertUsers = db.transaction((users) => {
+  const stmt = db.prepare(
+    sql`
+    INSERT INTO users (name, email) 
+    VALUES (?, ?)
+  `.text,
+  )
+
+  for (const user of users) {
+    const { values } = sql`${user.name}, ${user.email}`
+    stmt.run(...values)
+  }
+})
+
+insertUsers([
+  { name: 'Alice', email: 'alice@example.com' },
+  { name: 'Bob', email: 'bob@example.com' },
+])
+```
+
+## ⚙️ Configuration
+
+### Environment Variables
+
+- `TRUTO_SQL_MAX_LENGTH`: Maximum query length in bytes (default: 102400 = 100KB)
+
+```bash
+# Increase query size limit to 1MB
+export TRUTO_SQL_MAX_LENGTH=1048576
+```
+
+## 🧪 Testing
+
+```bash
+# Run tests
+bun run test
+
+# Run tests in watch mode
+bun run dev
+
+# Run tests with coverage
+bun run test:coverage
+
+# Run tests with UI
+bun run test:ui
+```
+
+## 🤝 Contributing
+
+We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) for details.
+
+### Development Setup
+
+```bash
+git clone https://github.com/truto/truto-sqlite-builder.git
+cd truto-sqlite-builder
+bun install
+bun run dev  # Start tests in watch mode
+```
+
+### Release Process
+
+We use [changesets](https://github.com/changesets/changesets) for version management:
+
+```bash
+# Add a changeset
+bunx changeset
+
+# Release
+bunx changeset version
+bun run build
+git commit -am "Release"
+git push --follow-tags
+```
+
+## 🔒 Security Policy
+
+If you discover a security vulnerability, please email eng@truto.one or create an issue.
+
+## 📄 License
+
+MIT © [Truto](https://github.com/trutohq)
+
+## 💡 Inspiration
+
+This library was inspired by:
+
+- [sql-template-strings](https://github.com/felixfbecker/sql-template-strings)
+- [slonik](https://github.com/gajus/slonik)
+- [Postgres.js](https://github.com/porsager/postgres)
+
+Built with ❤️ for the SQLite community.

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * truto-sqlite-builder - Safe, zero-dependency template-literal tag for SQLite queries
+ */
+export { sql } from './sql';
+export type { SqlQuery } from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,GAAG,EAAE,MAAM,OAAO,CAAA;AAC3B,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA"}

package/dist/index.js

@@ -0,0 +1,296 @@
+// node:process
+var C = Object.create;
+var T = Object.defineProperty;
+var q = Object.getOwnPropertyDescriptor;
+var A = Object.getOwnPropertyNames;
+var I = Object.getPrototypeOf;
+var Q = Object.prototype.hasOwnProperty;
+var S = (e, t) => () => (t || e((t = { exports: {} }).exports, t), t.exports);
+var N = (e, t) => {
+  for (var n in t)
+    T(e, n, { get: t[n], enumerable: true });
+};
+var d = (e, t, n, w) => {
+  if (t && typeof t == "object" || typeof t == "function")
+    for (let l of A(t))
+      !Q.call(e, l) && l !== n && T(e, l, { get: () => t[l], enumerable: !(w = q(t, l)) || w.enumerable });
+  return e;
+};
+var h = (e, t, n) => (d(e, t, "default"), n && d(n, t, "default"));
+var y = (e, t, n) => (n = e != null ? C(I(e)) : {}, d(t || !e || !e.__esModule ? T(n, "default", { value: e, enumerable: true }) : n, e));
+var v = S((B, E) => {
+  var r = E.exports = {}, i, u;
+  function p() {
+    throw new Error("setTimeout has not been defined");
+  }
+  function g() {
+    throw new Error("clearTimeout has not been defined");
+  }
+  (function() {
+    try {
+      typeof setTimeout == "function" ? i = setTimeout : i = p;
+    } catch {
+      i = p;
+    }
+    try {
+      typeof clearTimeout == "function" ? u = clearTimeout : u = g;
+    } catch {
+      u = g;
+    }
+  })();
+  function b(e) {
+    if (i === setTimeout)
+      return setTimeout(e, 0);
+    if ((i === p || !i) && setTimeout)
+      return i = setTimeout, setTimeout(e, 0);
+    try {
+      return i(e, 0);
+    } catch {
+      try {
+        return i.call(null, e, 0);
+      } catch {
+        return i.call(this, e, 0);
+      }
+    }
+  }
+  function O(e) {
+    if (u === clearTimeout)
+      return clearTimeout(e);
+    if ((u === g || !u) && clearTimeout)
+      return u = clearTimeout, clearTimeout(e);
+    try {
+      return u(e);
+    } catch {
+      try {
+        return u.call(null, e);
+      } catch {
+        return u.call(this, e);
+      }
+    }
+  }
+  var o = [], s = false, a, m = -1;
+  function U() {
+    !s || !a || (s = false, a.length ? o = a.concat(o) : m = -1, o.length && x());
+  }
+  function x() {
+    if (!s) {
+      var e = b(U);
+      s = true;
+      for (var t = o.length;t; ) {
+        for (a = o, o = [];++m < t; )
+          a && a[m].run();
+        m = -1, t = o.length;
+      }
+      a = null, s = false, O(e);
+    }
+  }
+  r.nextTick = function(e) {
+    var t = new Array(arguments.length - 1);
+    if (arguments.length > 1)
+      for (var n = 1;n < arguments.length; n++)
+        t[n - 1] = arguments[n];
+    o.push(new L(e, t)), o.length === 1 && !s && b(x);
+  };
+  function L(e, t) {
+    this.fun = e, this.array = t;
+  }
+  L.prototype.run = function() {
+    this.fun.apply(null, this.array);
+  };
+  r.title = "browser";
+  r.browser = true;
+  r.env = {};
+  r.argv = [];
+  r.version = "";
+  r.versions = {};
+  function c() {}
+  r.on = c;
+  r.addListener = c;
+  r.once = c;
+  r.off = c;
+  r.removeListener = c;
+  r.removeAllListeners = c;
+  r.emit = c;
+  r.prependListener = c;
+  r.prependOnceListener = c;
+  r.listeners = function(e) {
+    return [];
+  };
+  r.binding = function(e) {
+    throw new Error("process.binding is not supported");
+  };
+  r.cwd = function() {
+    return "/";
+  };
+  r.chdir = function(e) {
+    throw new Error("process.chdir is not supported");
+  };
+  r.umask = function() {
+    return 0;
+  };
+});
+var f = {};
+N(f, { default: () => j });
+h(f, y(v()));
+var j = y(v());
+
+// src/sql.ts
+function getMaxQueryLength() {
+  return parseInt(j.env.TRUTO_SQL_MAX_LENGTH || "102400", 10);
+}
+var STACKED_QUERY_REGEX = /;[\s\S]*\S/;
+var QUALIFIED_IDENTIFIER_REGEX = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
+function formatDate(date) {
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, "0");
+  const day = String(date.getDate()).padStart(2, "0");
+  const hours = String(date.getHours()).padStart(2, "0");
+  const minutes = String(date.getMinutes()).padStart(2, "0");
+  const seconds = String(date.getSeconds()).padStart(2, "0");
+  return `${year}-${month}-${day} ${hours}:${minutes}:${seconds}`;
+}
+function sqlValue(value) {
+  if (value === null || value === undefined) {
+    return null;
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean") {
+    return value;
+  }
+  if (value instanceof Date) {
+    return formatDate(value);
+  }
+  if (value instanceof Buffer || value instanceof Uint8Array) {
+    throw new TypeError("Buffer/Uint8Array values must be used with sql.blob() for safe BLOB handling");
+  }
+  throw new TypeError(`Unsupported value type: ${typeof value}`);
+}
+function sqlIdent(identifier) {
+  if (Array.isArray(identifier)) {
+    if (identifier.length === 0) {
+      throw new TypeError("Identifier array cannot be empty");
+    }
+    const fragments = [];
+    for (const item of identifier) {
+      if (item && typeof item === "object" && "text" in item && "values" in item && typeof item.text === "string" && Array.isArray(item.values)) {
+        fragments.push(item);
+      } else if (typeof item === "string") {
+        if (!item) {
+          throw new TypeError("All identifiers must be non-empty strings");
+        }
+        if (!QUALIFIED_IDENTIFIER_REGEX.test(item)) {
+          throw new TypeError(`Invalid identifier: ${item}. Must be a valid identifier or qualified identifier (e.g., table.column)`);
+        }
+        fragments.push({
+          text: '"' + item + '"',
+          values: []
+        });
+      } else {
+        throw new TypeError("Array items must be strings or SQL fragments");
+      }
+    }
+    const text = fragments.map((f2) => f2.text).join(", ");
+    const values = fragments.flatMap((f2) => [...f2.values]);
+    return {
+      text,
+      values
+    };
+  }
+  if (!identifier || typeof identifier !== "string") {
+    throw new TypeError("Identifier must be a non-empty string");
+  }
+  if (!QUALIFIED_IDENTIFIER_REGEX.test(identifier)) {
+    throw new TypeError(`Invalid identifier: ${identifier}. Must be a valid identifier or qualified identifier (e.g., table.column)`);
+  }
+  return {
+    text: '"' + identifier + '"',
+    values: []
+  };
+}
+function sqlIn(array) {
+  if (!Array.isArray(array)) {
+    throw new TypeError("sql.in() requires an array");
+  }
+  if (array.length === 0) {
+    throw new TypeError("sql.in() cannot be used with empty arrays");
+  }
+  if (array.length > 1000) {
+    console.warn(`sql.in(): Large array with ${array.length} items. Consider using temporary tables for better performance.`);
+  }
+  const placeholders = array.map(() => "?").join(",");
+  const values = array.map(sqlValue);
+  return {
+    text: `(${placeholders})`,
+    values
+  };
+}
+function sqlRaw(rawSql) {
+  if (typeof rawSql !== "string") {
+    throw new TypeError("sql.raw() requires a string");
+  }
+  return {
+    text: rawSql,
+    values: []
+  };
+}
+function sqlBlob(data) {
+  if (!(data instanceof Buffer) && !(data instanceof Uint8Array)) {
+    throw new TypeError("sql.blob() requires a Buffer or Uint8Array");
+  }
+  return {
+    text: "?",
+    values: [data]
+  };
+}
+function sqlJoin(fragments, separator = ", ") {
+  if (!Array.isArray(fragments)) {
+    throw new TypeError("sql.join() requires an array of fragments");
+  }
+  if (fragments.length === 0) {
+    return { text: "", values: [] };
+  }
+  const text = fragments.map((f2) => f2.text).join(separator);
+  const values = fragments.flatMap((f2) => [...f2.values]);
+  return { text, values };
+}
+function sql(strings, ...values) {
+  let text = strings[0] || "";
+  const queryValues = [];
+  for (let i = 0;i < values.length; i++) {
+    const value = values[i];
+    if (value && typeof value === "object" && "text" in value && "values" in value && typeof value.text === "string" && Array.isArray(value.values)) {
+      const fragment = value;
+      text += fragment.text;
+      queryValues.push(...fragment.values);
+    } else {
+      text += "?";
+      queryValues.push(sqlValue(value));
+    }
+    text += strings[i + 1] || "";
+  }
+  const maxLength = getMaxQueryLength();
+  if (text.length > maxLength) {
+    throw new Error(`Query too long: ${text.length} bytes (max: ${maxLength})`);
+  }
+  if (STACKED_QUERY_REGEX.test(text)) {
+    throw new Error("Stacked queries are not allowed");
+  }
+  return Object.freeze({
+    text,
+    values: Object.freeze([...queryValues])
+  });
+}
+sql.value = sqlValue;
+sql.ident = sqlIdent;
+sql.in = sqlIn;
+sql.raw = sqlRaw;
+sql.blob = sqlBlob;
+sql.join = sqlJoin;
+export {
+  sql
+};
+
+//# debugId=9115DAB11403208364756E2164756E21
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1,11 @@
+{
+  "version": 3,
+  "sources": ["node:process", "../src/sql.ts"],
+  "sourcesContent": [
+    "var C=Object.create;var T=Object.defineProperty;var q=Object.getOwnPropertyDescriptor;var A=Object.getOwnPropertyNames;var I=Object.getPrototypeOf,Q=Object.prototype.hasOwnProperty;var S=(e,t)=>()=>(t||e((t={exports:{}}).exports,t),t.exports),N=(e,t)=>{for(var n in t)T(e,n,{get:t[n],enumerable:!0})},d=(e,t,n,w)=>{if(t&&typeof t==\"object\"||typeof t==\"function\")for(let l of A(t))!Q.call(e,l)&&l!==n&&T(e,l,{get:()=>t[l],enumerable:!(w=q(t,l))||w.enumerable});return e},h=(e,t,n)=>(d(e,t,\"default\"),n&&d(n,t,\"default\")),y=(e,t,n)=>(n=e!=null?C(I(e)):{},d(t||!e||!e.__esModule?T(n,\"default\",{value:e,enumerable:!0}):n,e));var v=S((B,E)=>{var r=E.exports={},i,u;function p(){throw new Error(\"setTimeout has not been defined\")}function g(){throw new Error(\"clearTimeout has not been defined\")}(function(){try{typeof setTimeout==\"function\"?i=setTimeout:i=p}catch{i=p}try{typeof clearTimeout==\"function\"?u=clearTimeout:u=g}catch{u=g}})();function b(e){if(i===setTimeout)return setTimeout(e,0);if((i===p||!i)&&setTimeout)return i=setTimeout,setTimeout(e,0);try{return i(e,0)}catch{try{return i.call(null,e,0)}catch{return i.call(this,e,0)}}}function O(e){if(u===clearTimeout)return clearTimeout(e);if((u===g||!u)&&clearTimeout)return u=clearTimeout,clearTimeout(e);try{return u(e)}catch{try{return u.call(null,e)}catch{return u.call(this,e)}}}var o=[],s=!1,a,m=-1;function U(){!s||!a||(s=!1,a.length?o=a.concat(o):m=-1,o.length&&x())}function x(){if(!s){var e=b(U);s=!0;for(var t=o.length;t;){for(a=o,o=[];++m<t;)a&&a[m].run();m=-1,t=o.length}a=null,s=!1,O(e)}}r.nextTick=function(e){var t=new Array(arguments.length-1);if(arguments.length>1)for(var n=1;n<arguments.length;n++)t[n-1]=arguments[n];o.push(new L(e,t)),o.length===1&&!s&&b(x)};function L(e,t){this.fun=e,this.array=t}L.prototype.run=function(){this.fun.apply(null,this.array)};r.title=\"browser\";r.browser=!0;r.env={};r.argv=[];r.version=\"\";r.versions={};function c(){}r.on=c;r.addListener=c;r.once=c;r.off=c;r.removeListener=c;r.removeAllListeners=c;r.emit=c;r.prependListener=c;r.prependOnceListener=c;r.listeners=function(e){return[]};r.binding=function(e){throw new Error(\"process.binding is not supported\")};r.cwd=function(){return\"/\"};r.chdir=function(e){throw new Error(\"process.chdir is not supported\")};r.umask=function(){return 0}});var f={};N(f,{default:()=>j});h(f,y(v()));var j=y(v());export{j as default};\n",
+    "import process from 'node:process'\nimport type { SqlFragment, SqlQuery, SqlValue } from './types'\n\n// Get max query length from environment (default 100KB)\nfunction getMaxQueryLength(): number {\n  return parseInt(process.env.TRUTO_SQL_MAX_LENGTH || '102400', 10)\n}\n\n// Regex to detect stacked queries (semicolon followed by non-whitespace)\nconst STACKED_QUERY_REGEX = /;[\\s\\S]*\\S/\n\n// ANSI identifier validation - supports qualified identifiers (e.g., table.column)\nconst QUALIFIED_IDENTIFIER_REGEX =\n  /^[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*$/\n\n/**\n * Format a date for SQLite (YYYY-MM-DD HH:MM:SS)\n */\nfunction formatDate(date: Date): string {\n  const year = date.getFullYear()\n  const month = String(date.getMonth() + 1).padStart(2, '0')\n  const day = String(date.getDate()).padStart(2, '0')\n  const hours = String(date.getHours()).padStart(2, '0')\n  const minutes = String(date.getMinutes()).padStart(2, '0')\n  const seconds = String(date.getSeconds()).padStart(2, '0')\n\n  return `${year}-${month}-${day} ${hours}:${minutes}:${seconds}`\n}\n\n/**\n * Convert a value to its SQLite representation\n */\nfunction sqlValue(value: SqlValue): unknown {\n  if (value === null || value === undefined) {\n    return null\n  }\n\n  if (typeof value === 'string') {\n    return value\n  }\n\n  if (typeof value === 'number' || typeof value === 'boolean') {\n    return value\n  }\n\n  if (value instanceof Date) {\n    return formatDate(value)\n  }\n\n  if (value instanceof Buffer || value instanceof Uint8Array) {\n    throw new TypeError(\n      'Buffer/Uint8Array values must be used with sql.blob() for safe BLOB handling',\n    )\n  }\n\n  throw new TypeError(`Unsupported value type: ${typeof value}`)\n}\n\n/**\n * Validate and quote a SQL identifier or array of identifiers/fragments\n */\nfunction sqlIdent(\n  identifier: string | readonly (string | SqlFragment)[],\n): SqlFragment {\n  // Handle array of identifiers and fragments\n  if (Array.isArray(identifier)) {\n    if (identifier.length === 0) {\n      throw new TypeError('Identifier array cannot be empty')\n    }\n\n    const fragments: SqlFragment[] = []\n\n    for (const item of identifier) {\n      // Handle SqlFragment objects (like sql.raw())\n      if (\n        item &&\n        typeof item === 'object' &&\n        'text' in item &&\n        'values' in item &&\n        typeof (item as Record<string, unknown>).text === 'string' &&\n        Array.isArray((item as Record<string, unknown>).values)\n      ) {\n        fragments.push(item as SqlFragment)\n      } else if (typeof item === 'string') {\n        // Handle string identifiers\n        if (!item) {\n          throw new TypeError('All identifiers must be non-empty strings')\n        }\n\n        if (!QUALIFIED_IDENTIFIER_REGEX.test(item)) {\n          throw new TypeError(\n            `Invalid identifier: ${item}. Must be a valid identifier or qualified identifier (e.g., table.column)`,\n          )\n        }\n\n        fragments.push({\n          text: '\"' + item + '\"',\n          values: [],\n        })\n      } else {\n        throw new TypeError('Array items must be strings or SQL fragments')\n      }\n    }\n\n    // Join all fragments\n    const text = fragments.map((f) => f.text).join(', ')\n    const values = fragments.flatMap((f) => [...f.values])\n\n    return {\n      text,\n      values,\n    }\n  }\n\n  // Handle single identifier (existing behavior)\n  if (!identifier || typeof identifier !== 'string') {\n    throw new TypeError('Identifier must be a non-empty string')\n  }\n\n  if (!QUALIFIED_IDENTIFIER_REGEX.test(identifier)) {\n    throw new TypeError(\n      `Invalid identifier: ${identifier}. Must be a valid identifier or qualified identifier (e.g., table.column)`,\n    )\n  }\n\n  return {\n    text: '\"' + identifier + '\"',\n    values: [],\n  }\n}\n\n/**\n * Create SQL IN clause from array\n */\nfunction sqlIn(array: readonly unknown[]): SqlFragment {\n  if (!Array.isArray(array)) {\n    throw new TypeError('sql.in() requires an array')\n  }\n\n  if (array.length === 0) {\n    throw new TypeError('sql.in() cannot be used with empty arrays')\n  }\n\n  // Soft warning for large arrays\n  if (array.length > 1000) {\n    console.warn(\n      `sql.in(): Large array with ${array.length} items. Consider using temporary tables for better performance.`,\n    )\n  }\n\n  const placeholders = array.map(() => '?').join(',')\n  const values = array.map(sqlValue)\n\n  return {\n    text: `(${placeholders})`,\n    values,\n  }\n}\n\n/**\n * Create raw SQL fragment (DANGEROUS - must not contain user input)\n */\nfunction sqlRaw(rawSql: string): SqlFragment {\n  if (typeof rawSql !== 'string') {\n    throw new TypeError('sql.raw() requires a string')\n  }\n\n  return {\n    text: rawSql,\n    values: [],\n  }\n}\n\n/**\n * Create SQL fragment for BLOB data (for validated binary data)\n */\nfunction sqlBlob(data: Buffer | Uint8Array): SqlFragment {\n  if (!(data instanceof Buffer) && !(data instanceof Uint8Array)) {\n    throw new TypeError('sql.blob() requires a Buffer or Uint8Array')\n  }\n\n  return {\n    text: '?',\n    values: [data],\n  }\n}\n\n/**\n * Join SQL fragments with a separator\n */\nfunction sqlJoin(\n  fragments: readonly SqlFragment[],\n  separator = ', ',\n): SqlFragment {\n  if (!Array.isArray(fragments)) {\n    throw new TypeError('sql.join() requires an array of fragments')\n  }\n\n  if (fragments.length === 0) {\n    return { text: '', values: [] }\n  }\n\n  const text = fragments.map((f: SqlFragment) => f.text).join(separator)\n  const values = fragments.flatMap((f: SqlFragment) => [...f.values])\n\n  return { text, values }\n}\n\n/**\n * Main SQL tagged template function\n */\nfunction sql(strings: TemplateStringsArray, ...values: unknown[]): SqlQuery {\n  // Build the query text and collect values\n  let text = strings[0] || ''\n  const queryValues: unknown[] = []\n\n  for (let i = 0; i < values.length; i++) {\n    const value = values[i]\n\n    // Handle SqlFragment objects (from helper functions)\n    if (\n      value &&\n      typeof value === 'object' &&\n      'text' in value &&\n      'values' in value &&\n      typeof (value as Record<string, unknown>).text === 'string' &&\n      Array.isArray((value as Record<string, unknown>).values)\n    ) {\n      const fragment = value as SqlFragment\n      text += fragment.text\n      queryValues.push(...fragment.values)\n    } else {\n      // Regular value - add placeholder and collect value\n      text += '?'\n      queryValues.push(sqlValue(value as SqlValue))\n    }\n\n    text += strings[i + 1] || ''\n  }\n\n  // Security checks\n  const maxLength = getMaxQueryLength()\n  if (text.length > maxLength) {\n    throw new Error(`Query too long: ${text.length} bytes (max: ${maxLength})`)\n  }\n\n  if (STACKED_QUERY_REGEX.test(text)) {\n    throw new Error('Stacked queries are not allowed')\n  }\n\n  // Return frozen result\n  return Object.freeze({\n    text,\n    values: Object.freeze([...queryValues]),\n  })\n}\n\n// Attach helper functions to sql\nsql.value = sqlValue\nsql.ident = sqlIdent\nsql.in = sqlIn\nsql.raw = sqlRaw\nsql.blob = sqlBlob\nsql.join = sqlJoin\n\nexport { sql }\n"
+  ],
+  "mappings": ";AAAA,IAAI,IAAE,OAAO;AAAO,IAAI,IAAE,OAAO;AAAe,IAAI,IAAE,OAAO;AAAyB,IAAI,IAAE,OAAO;AAAoB,IAAI,IAAE,OAAO;AAAb,IAA4B,IAAE,OAAO,UAAU;AAAe,IAAI,IAAE,CAAC,GAAE,MAAI,OAAK,KAAG,GAAG,IAAE,EAAC,SAAQ,CAAC,EAAC,GAAG,SAAQ,CAAC,GAAE,EAAE;AAArD,IAA8D,IAAE,CAAC,GAAE,MAAI;AAAA,EAAC,SAAQ,KAAK;AAAA,IAAE,EAAE,GAAE,GAAE,EAAC,KAAI,EAAE,IAAG,YAAW,KAAE,CAAC;AAAA;AAArH,IAAwH,IAAE,CAAC,GAAE,GAAE,GAAE,MAAI;AAAA,EAAC,IAAG,KAAG,OAAO,KAAG,YAAU,OAAO,KAAG;AAAA,IAAW,SAAQ,KAAK,EAAE,CAAC;AAAA,OAAG,EAAE,KAAK,GAAE,CAAC,KAAG,MAAI,KAAG,EAAE,GAAE,GAAE,EAAC,KAAI,MAAI,EAAE,IAAG,cAAa,IAAE,EAAE,GAAE,CAAC,MAAI,EAAE,WAAU,CAAC;AAAA,EAAE,OAAO;AAAA;AAA9R,IAAiS,IAAE,CAAC,GAAE,GAAE,OAAK,EAAE,GAAE,GAAE,SAAS,GAAE,KAAG,EAAE,GAAE,GAAE,SAAS;AAAhV,IAAmV,IAAE,CAAC,GAAE,GAAE,OAAK,IAAE,KAAG,OAAK,EAAE,EAAE,CAAC,CAAC,IAAE,CAAC,GAAE,EAAE,MAAI,MAAI,EAAE,aAAW,EAAE,GAAE,WAAU,EAAC,OAAM,GAAE,YAAW,KAAE,CAAC,IAAE,GAAE,CAAC;AAAG,IAAI,IAAE,EAAE,CAAC,GAAE,MAAI;AAAA,EAAC,IAAI,IAAE,EAAE,UAAQ,CAAC,GAAE,GAAE;AAAA,EAAE,SAAS,CAAC,GAAE;AAAA,IAAC,MAAM,IAAI,MAAM,iCAAiC;AAAA;AAAA,EAAE,SAAS,CAAC,GAAE;AAAA,IAAC,MAAM,IAAI,MAAM,mCAAmC;AAAA;AAAA,GAAG,QAAQ,GAAE;AAAA,IAAC,IAAG;AAAA,MAAC,OAAO,cAAY,aAAW,IAAE,aAAW,IAAE;AAAA,MAAE,MAAK;AAAA,MAAC,IAAE;AAAA;AAAA,IAAE,IAAG;AAAA,MAAC,OAAO,gBAAc,aAAW,IAAE,eAAa,IAAE;AAAA,MAAE,MAAK;AAAA,MAAC,IAAE;AAAA;AAAA,KAAK;AAAA,EAAE,SAAS,CAAC,CAAC,GAAE;AAAA,IAAC,IAAG,MAAI;AAAA,MAAW,OAAO,WAAW,GAAE,CAAC;AAAA,IAAE,KAAI,MAAI,MAAI,MAAI;AAAA,MAAW,OAAO,IAAE,YAAW,WAAW,GAAE,CAAC;AAAA,IAAE,IAAG;AAAA,MAAC,OAAO,EAAE,GAAE,CAAC;AAAA,MAAE,MAAK;AAAA,MAAC,IAAG;AAAA,QAAC,OAAO,EAAE,KAAK,MAAK,GAAE,CAAC;AAAA,QAAE,MAAK;AAAA,QAAC,OAAO,EAAE,KAAK,MAAK,GAAE,CAAC;AAAA;AAAA;AAAA;AAAA,EAAI,SAAS,CAAC,CAAC,GAAE;AAAA,IAAC,IAAG,MAAI;AAAA,MAAa,OAAO,aAAa,CAAC;AAAA,IAAE,KAAI,MAAI,MAAI,MAAI;AAAA,MAAa,OAAO,IAAE,cAAa,aAAa,CAAC;AAAA,IAAE,IAAG;AAAA,MAAC,OAAO,EAAE,CAAC;AAAA,MAAE,MAAK;AAAA,MAAC,IAAG;AAAA,QAAC,OAAO,EAAE,KAAK,MAAK,CAAC;AAAA,QAAE,MAAK;AAAA,QAAC,OAAO,EAAE,KAAK,MAAK,CAAC;AAAA;AAAA;AAAA;AAAA,EAAI,IAAI,IAAE,CAAC,GAAE,IAAE,OAAG,GAAE,IAAE;AAAA,EAAG,SAAS,CAAC,GAAE;AAAA,KAAE,MAAI,MAAI,IAAE,OAAG,EAAE,SAAO,IAAE,EAAE,OAAO,CAAC,IAAE,IAAE,IAAG,EAAE,UAAQ,EAAE;AAAA;AAAA,EAAG,SAAS,CAAC,GAAE;AAAA,IAAC,KAAI,GAAE;AAAA,MAAC,IAAI,IAAE,EAAE,CAAC;AAAA,MAAE,IAAE;AAAA,MAAG,SAAQ,IAAE,EAAE,OAAO,KAAG;AAAA,QAAC,KAAI,IAAE,GAAE,IAAE,CAAC,IAAI,IAAE;AAAA,UAAG,KAAG,EAAE,GAAG,IAAI;AAAA,QAAE,IAAE,IAAG,IAAE,EAAE;AAAA,MAAM;AAAA,MAAC,IAAE,MAAK,IAAE,OAAG,EAAE,CAAC;AAAA,IAAC;AAAA;AAAA,EAAE,EAAE,WAAS,QAAQ,CAAC,GAAE;AAAA,IAAC,IAAI,IAAE,IAAI,MAAM,UAAU,SAAO,CAAC;AAAA,IAAE,IAAG,UAAU,SAAO;AAAA,MAAE,SAAQ,IAAE,EAAE,IAAE,UAAU,QAAO;AAAA,QAAI,EAAE,IAAE,KAAG,UAAU;AAAA,IAAG,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC,CAAC,GAAE,EAAE,WAAS,MAAI,KAAG,EAAE,CAAC;AAAA;AAAA,EAAG,SAAS,CAAC,CAAC,GAAE,GAAE;AAAA,IAAC,KAAK,MAAI,GAAE,KAAK,QAAM;AAAA;AAAA,EAAE,EAAE,UAAU,MAAI,QAAQ,GAAE;AAAA,IAAC,KAAK,IAAI,MAAM,MAAK,KAAK,KAAK;AAAA;AAAA,EAAG,EAAE,QAAM;AAAA,EAAU,EAAE,UAAQ;AAAA,EAAG,EAAE,MAAI,CAAC;AAAA,EAAE,EAAE,OAAK,CAAC;AAAA,EAAE,EAAE,UAAQ;AAAA,EAAG,EAAE,WAAS,CAAC;AAAA,EAAE,SAAS,CAAC,GAAE;AAAA,EAAE,EAAE,KAAG;AAAA,EAAE,EAAE,cAAY;AAAA,EAAE,EAAE,OAAK;AAAA,EAAE,EAAE,MAAI;AAAA,EAAE,EAAE,iBAAe;AAAA,EAAE,EAAE,qBAAmB;AAAA,EAAE,EAAE,OAAK;AAAA,EAAE,EAAE,kBAAgB;AAAA,EAAE,EAAE,sBAAoB;AAAA,EAAE,EAAE,YAAU,QAAQ,CAAC,GAAE;AAAA,IAAC,OAAM,CAAC;AAAA;AAAA,EAAG,EAAE,UAAQ,QAAQ,CAAC,GAAE;AAAA,IAAC,MAAM,IAAI,MAAM,kCAAkC;AAAA;AAAA,EAAG,EAAE,MAAI,QAAQ,GAAE;AAAA,IAAC,OAAM;AAAA;AAAA,EAAK,EAAE,QAAM,QAAQ,CAAC,GAAE;AAAA,IAAC,MAAM,IAAI,MAAM,gCAAgC;AAAA;AAAA,EAAG,EAAE,QAAM,QAAQ,GAAE;AAAA,IAAC,OAAO;AAAA;AAAA,CAAG;AAAE,IAAI,IAAE,CAAC;AAAE,EAAE,GAAE,EAAC,SAAQ,MAAI,EAAC,CAAC;AAAE,EAAE,GAAE,EAAE,EAAE,CAAC,CAAC;AAAE,IAAI,IAAE,EAAE,EAAE,CAAC;;;ACIhzE,SAAS,iBAAiB,GAAW;AAAA,EACnC,OAAO,SAAS,EAAQ,IAAI,wBAAwB,UAAU,EAAE;AAAA;AAIlE,IAAM,sBAAsB;AAG5B,IAAM,6BACJ;AAKF,SAAS,UAAU,CAAC,MAAoB;AAAA,EACtC,MAAM,OAAO,KAAK,YAAY;AAAA,EAC9B,MAAM,QAAQ,OAAO,KAAK,SAAS,IAAI,CAAC,EAAE,SAAS,GAAG,GAAG;AAAA,EACzD,MAAM,MAAM,OAAO,KAAK,QAAQ,CAAC,EAAE,SAAS,GAAG,GAAG;AAAA,EAClD,MAAM,QAAQ,OAAO,KAAK,SAAS,CAAC,EAAE,SAAS,GAAG,GAAG;AAAA,EACrD,MAAM,UAAU,OAAO,KAAK,WAAW,CAAC,EAAE,SAAS,GAAG,GAAG;AAAA,EACzD,MAAM,UAAU,OAAO,KAAK,WAAW,CAAC,EAAE,SAAS,GAAG,GAAG;AAAA,EAEzD,OAAO,GAAG,QAAQ,SAAS,OAAO,SAAS,WAAW;AAAA;AAMxD,SAAS,QAAQ,CAAC,OAA0B;AAAA,EAC1C,IAAI,UAAU,QAAQ,UAAU,WAAW;AAAA,IACzC,OAAO;AAAA,EACT;AAAA,EAEA,IAAI,OAAO,UAAU,UAAU;AAAA,IAC7B,OAAO;AAAA,EACT;AAAA,EAEA,IAAI,OAAO,UAAU,YAAY,OAAO,UAAU,WAAW;AAAA,IAC3D,OAAO;AAAA,EACT;AAAA,EAEA,IAAI,iBAAiB,MAAM;AAAA,IACzB,OAAO,WAAW,KAAK;AAAA,EACzB;AAAA,EAEA,IAAI,iBAAiB,UAAU,iBAAiB,YAAY;AAAA,IAC1D,MAAM,IAAI,UACR,8EACF;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,UAAU,2BAA2B,OAAO,OAAO;AAAA;AAM/D,SAAS,QAAQ,CACf,YACa;AAAA,EAEb,IAAI,MAAM,QAAQ,UAAU,GAAG;AAAA,IAC7B,IAAI,WAAW,WAAW,GAAG;AAAA,MAC3B,MAAM,IAAI,UAAU,kCAAkC;AAAA,IACxD;AAAA,IAEA,MAAM,YAA2B,CAAC;AAAA,IAElC,WAAW,QAAQ,YAAY;AAAA,MAE7B,IACE,QACA,OAAO,SAAS,YAChB,UAAU,QACV,YAAY,QACZ,OAAQ,KAAiC,SAAS,YAClD,MAAM,QAAS,KAAiC,MAAM,GACtD;AAAA,QACA,UAAU,KAAK,IAAmB;AAAA,MACpC,EAAO,SAAI,OAAO,SAAS,UAAU;AAAA,QAEnC,KAAK,MAAM;AAAA,UACT,MAAM,IAAI,UAAU,2CAA2C;AAAA,QACjE;AAAA,QAEA,KAAK,2BAA2B,KAAK,IAAI,GAAG;AAAA,UAC1C,MAAM,IAAI,UACR,uBAAuB,+EACzB;AAAA,QACF;AAAA,QAEA,UAAU,KAAK;AAAA,UACb,MAAM,MAAM,OAAO;AAAA,UACnB,QAAQ,CAAC;AAAA,QACX,CAAC;AAAA,MACH,EAAO;AAAA,QACL,MAAM,IAAI,UAAU,8CAA8C;AAAA;AAAA,IAEtE;AAAA,IAGA,MAAM,OAAO,UAAU,IAAI,CAAC,OAAM,GAAE,IAAI,EAAE,KAAK,IAAI;AAAA,IACnD,MAAM,SAAS,UAAU,QAAQ,CAAC,OAAM,CAAC,GAAG,GAAE,MAAM,CAAC;AAAA,IAErD,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAGA,KAAK,cAAc,OAAO,eAAe,UAAU;AAAA,IACjD,MAAM,IAAI,UAAU,uCAAuC;AAAA,EAC7D;AAAA,EAEA,KAAK,2BAA2B,KAAK,UAAU,GAAG;AAAA,IAChD,MAAM,IAAI,UACR,uBAAuB,qFACzB;AAAA,EACF;AAAA,EAEA,OAAO;AAAA,IACL,MAAM,MAAM,aAAa;AAAA,IACzB,QAAQ,CAAC;AAAA,EACX;AAAA;AAMF,SAAS,KAAK,CAAC,OAAwC;AAAA,EACrD,KAAK,MAAM,QAAQ,KAAK,GAAG;AAAA,IACzB,MAAM,IAAI,UAAU,4BAA4B;AAAA,EAClD;AAAA,EAEA,IAAI,MAAM,WAAW,GAAG;AAAA,IACtB,MAAM,IAAI,UAAU,2CAA2C;AAAA,EACjE;AAAA,EAGA,IAAI,MAAM,SAAS,MAAM;AAAA,IACvB,QAAQ,KACN,8BAA8B,MAAM,uEACtC;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,MAAM,IAAI,MAAM,GAAG,EAAE,KAAK,GAAG;AAAA,EAClD,MAAM,SAAS,MAAM,IAAI,QAAQ;AAAA,EAEjC,OAAO;AAAA,IACL,MAAM,IAAI;AAAA,IACV;AAAA,EACF;AAAA;AAMF,SAAS,MAAM,CAAC,QAA6B;AAAA,EAC3C,IAAI,OAAO,WAAW,UAAU;AAAA,IAC9B,MAAM,IAAI,UAAU,6BAA6B;AAAA,EACnD;AAAA,EAEA,OAAO;AAAA,IACL,MAAM;AAAA,IACN,QAAQ,CAAC;AAAA,EACX;AAAA;AAMF,SAAS,OAAO,CAAC,MAAwC;AAAA,EACvD,MAAM,gBAAgB,aAAa,gBAAgB,aAAa;AAAA,IAC9D,MAAM,IAAI,UAAU,4CAA4C;AAAA,EAClE;AAAA,EAEA,OAAO;AAAA,IACL,MAAM;AAAA,IACN,QAAQ,CAAC,IAAI;AAAA,EACf;AAAA;AAMF,SAAS,OAAO,CACd,WACA,YAAY,MACC;AAAA,EACb,KAAK,MAAM,QAAQ,SAAS,GAAG;AAAA,IAC7B,MAAM,IAAI,UAAU,2CAA2C;AAAA,EACjE;AAAA,EAEA,IAAI,UAAU,WAAW,GAAG;AAAA,IAC1B,OAAO,EAAE,MAAM,IAAI,QAAQ,CAAC,EAAE;AAAA,EAChC;AAAA,EAEA,MAAM,OAAO,UAAU,IAAI,CAAC,OAAmB,GAAE,IAAI,EAAE,KAAK,SAAS;AAAA,EACrE,MAAM,SAAS,UAAU,QAAQ,CAAC,OAAmB,CAAC,GAAG,GAAE,MAAM,CAAC;AAAA,EAElE,OAAO,EAAE,MAAM,OAAO;AAAA;AAMxB,SAAS,GAAG,CAAC,YAAkC,QAA6B;AAAA,EAE1E,IAAI,OAAO,QAAQ,MAAM;AAAA,EACzB,MAAM,cAAyB,CAAC;AAAA,EAEhC,SAAS,IAAI,EAAG,IAAI,OAAO,QAAQ,KAAK;AAAA,IACtC,MAAM,QAAQ,OAAO;AAAA,IAGrB,IACE,SACA,OAAO,UAAU,YACjB,UAAU,SACV,YAAY,SACZ,OAAQ,MAAkC,SAAS,YACnD,MAAM,QAAS,MAAkC,MAAM,GACvD;AAAA,MACA,MAAM,WAAW;AAAA,MACjB,QAAQ,SAAS;AAAA,MACjB,YAAY,KAAK,GAAG,SAAS,MAAM;AAAA,IACrC,EAAO;AAAA,MAEL,QAAQ;AAAA,MACR,YAAY,KAAK,SAAS,KAAiB,CAAC;AAAA;AAAA,IAG9C,QAAQ,QAAQ,IAAI,MAAM;AAAA,EAC5B;AAAA,EAGA,MAAM,YAAY,kBAAkB;AAAA,EACpC,IAAI,KAAK,SAAS,WAAW;AAAA,IAC3B,MAAM,IAAI,MAAM,mBAAmB,KAAK,sBAAsB,YAAY;AAAA,EAC5E;AAAA,EAEA,IAAI,oBAAoB,KAAK,IAAI,GAAG;AAAA,IAClC,MAAM,IAAI,MAAM,iCAAiC;AAAA,EACnD;AAAA,EAGA,OAAO,OAAO,OAAO;AAAA,IACnB;AAAA,IACA,QAAQ,OAAO,OAAO,CAAC,GAAG,WAAW,CAAC;AAAA,EACxC,CAAC;AAAA;AAIH,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,IAAI,KAAK;AACT,IAAI,MAAM;AACV,IAAI,OAAO;AACX,IAAI,OAAO;",
+  "debugId": "9115DAB11403208364756E2164756E21",
+  "names": []
+}

package/dist/sql.d.ts

@@ -0,0 +1,40 @@
+import type { SqlFragment, SqlQuery, SqlValue } from './types';
+/**
+ * Convert a value to its SQLite representation
+ */
+declare function sqlValue(value: SqlValue): unknown;
+/**
+ * Validate and quote a SQL identifier or array of identifiers/fragments
+ */
+declare function sqlIdent(identifier: string | readonly (string | SqlFragment)[]): SqlFragment;
+/**
+ * Create SQL IN clause from array
+ */
+declare function sqlIn(array: readonly unknown[]): SqlFragment;
+/**
+ * Create raw SQL fragment (DANGEROUS - must not contain user input)
+ */
+declare function sqlRaw(rawSql: string): SqlFragment;
+/**
+ * Create SQL fragment for BLOB data (for validated binary data)
+ */
+declare function sqlBlob(data: Buffer | Uint8Array): SqlFragment;
+/**
+ * Join SQL fragments with a separator
+ */
+declare function sqlJoin(fragments: readonly SqlFragment[], separator?: string): SqlFragment;
+/**
+ * Main SQL tagged template function
+ */
+declare function sql(strings: TemplateStringsArray, ...values: unknown[]): SqlQuery;
+declare namespace sql {
+    export var value: typeof sqlValue;
+    export var ident: typeof sqlIdent;
+    var _a: typeof sqlIn;
+    export var raw: typeof sqlRaw;
+    export var blob: typeof sqlBlob;
+    export var join: typeof sqlJoin;
+    export { _a as in };
+}
+export { sql };
+//# sourceMappingURL=sql.d.ts.map

package/dist/sql.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql.d.ts","sourceRoot":"","sources":["../src/sql.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AA4B9D;;GAEG;AACH,iBAAS,QAAQ,CAAC,KAAK,EAAE,QAAQ,GAAG,OAAO,CAwB1C;AAED;;GAEG;AACH,iBAAS,QAAQ,CACf,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC,MAAM,GAAG,WAAW,CAAC,EAAE,GACrD,WAAW,CAkEb;AAED;;GAEG;AACH,iBAAS,KAAK,CAAC,KAAK,EAAE,SAAS,OAAO,EAAE,GAAG,WAAW,CAuBrD;AAED;;GAEG;AACH,iBAAS,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW,CAS3C;AAED;;GAEG;AACH,iBAAS,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,WAAW,CASvD;AAED;;GAEG;AACH,iBAAS,OAAO,CACd,SAAS,EAAE,SAAS,WAAW,EAAE,EACjC,SAAS,SAAO,GACf,WAAW,CAab;AAED;;GAEG;AACH,iBAAS,GAAG,CAAC,OAAO,EAAE,oBAAoB,EAAE,GAAG,MAAM,EAAE,OAAO,EAAE,GAAG,QAAQ,CA4C1E;kBA5CQ,GAAG;;;;;;;;;AAsDZ,OAAO,EAAE,GAAG,EAAE,CAAA"}

package/dist/types.d.ts

@@ -0,0 +1,19 @@
+/**
+ * The result of a SQL tagged template
+ */
+export interface SqlQuery {
+    readonly text: string;
+    readonly values: readonly unknown[];
+}
+/**
+ * Valid SQL value types that can be safely interpolated
+ */
+export type SqlValue = string | number | boolean | null | undefined | Date | Buffer | Uint8Array;
+/**
+ * A SQL fragment that can be joined with other fragments
+ */
+export interface SqlFragment {
+    readonly text: string;
+    readonly values: readonly unknown[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAA;CACpC;AAED;;GAEG;AACH,MAAM,MAAM,QAAQ,GAChB,MAAM,GACN,MAAM,GACN,OAAO,GACP,IAAI,GACJ,SAAS,GACT,IAAI,GACJ,MAAM,GACN,UAAU,CAAA;AAEd;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAA;CACpC"}

package/package.json

@@ -0,0 +1,88 @@
+{
+  "name": "@truto/sqlite-builder",
+  "version": "1.0.0",
+  "description": "Safe, zero-dependency template-literal tag for SQLite queries in any JS environment",
+  "keywords": [
+    "sqlite",
+    "tagged template",
+    "sql",
+    "injection-safe",
+    "javascript",
+    "typescript",
+    "template-literal",
+    "database",
+    "query-builder"
+  ],
+  "homepage": "https://github.com/truto/truto-sqlite-builder#readme",
+  "bugs": {
+    "url": "https://github.com/truto/truto-sqlite-builder/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/truto/truto-sqlite-builder.git"
+  },
+  "license": "MIT",
+  "author": "Truto <eng@truto.com>",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist/**/*",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "bun build src/index.ts --outdir dist --sourcemap=linked && tsc --emitDeclarationOnly",
+    "build:declaration": "tsc --emitDeclarationOnly",
+    "dev": "vitest --watch",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "lint": "eslint",
+    "lint:fix": "eslint --fix",
+    "prepublishOnly": "bun run typecheck && bun run lint && bun test && bun run build",
+    "test": "vitest",
+    "test:coverage": "vitest --coverage",
+    "test:ui": "vitest --ui",
+    "typecheck": "tsc --noEmit"
+  },
+  "lint-staged": {
+    "*.{ts,tsx}": [
+      "bun run eslint --fix"
+    ],
+    "*.{json,md,yml,yaml}": [
+      "bun run prettier --write"
+    ]
+  },
+  "devDependencies": {
+    "@changesets/cli": "2.29.5",
+    "@eslint/js": "9.29.0",
+    "@types/bun": "latest",
+    "@typescript-eslint/eslint-plugin": "8.34.1",
+    "@typescript-eslint/parser": "8.34.1",
+    "@vitest/coverage-v8": "3.2.4",
+    "@vitest/ui": "3.2.4",
+    "eslint": "9.29.0",
+    "eslint-config-prettier": "10.1.5",
+    "eslint-plugin-prettier": "5.5.0",
+    "eslint-plugin-security": "3.0.1",
+    "globals": "16.2.0",
+    "husky": "9.1.7",
+    "lint-staged": "16.1.2",
+    "prettier": "3.5.3",
+    "prettier-plugin-packagejson": "2.5.15",
+    "typescript": "5.8.3",
+    "vitest": "3.2.4"
+  },
+  "engines": {
+    "bun": ">=1.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}