npm - @truto/sqlite-builder - Versions diffs - 2.0.2-canary.28 → 2.0.2-canary.3 - Mend

@truto/sqlite-builder 2.0.2-canary.28 → 2.0.2-canary.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/constants.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * Common regex patterns and limits used across the codebase
+ */
+export declare const MAX_QUERY_LENGTH = 102400;
+export declare const MAX_IDENTIFIER_LENGTH = 255;
+export declare const MAX_PATTERN_LENGTH = 1024;
+export declare const STACKED_QUERY_REGEX: RegExp;
+export declare const QUALIFIED_IDENTIFIER_REGEX: RegExp;
+export declare const SIMPLE_IDENTIFIER_REGEX: RegExp;
+//# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,eAAO,MAAM,gBAAgB,SAAS,CAAA;AAKtC,eAAO,MAAM,qBAAqB,MAAM,CAAA;AAMxC,eAAO,MAAM,kBAAkB,OAAO,CAAA;AAMtC,eAAO,MAAM,mBAAmB,QAAe,CAAA;AAG/C,eAAO,MAAM,0BAA0B,QACgB,CAAA;AAGvD,eAAO,MAAM,uBAAuB,QAA6B,CAAA"}

package/dist/filter.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import type { FilterResult, JsonFilter } from './types';
+/**
+ * Compile a JSON filter to a SQL WHERE clause
+ */
+export declare function compileFilter(filter: JsonFilter): FilterResult;
+//# sourceMappingURL=filter.d.ts.map

package/dist/filter.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"filter.d.ts","sourceRoot":"","sources":["../src/filter.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAGV,YAAY,EACZ,UAAU,EACX,MAAM,SAAS,CAAA;AAgZhB;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,UAAU,GAAG,YAAY,CAuB9D"}

package/dist/fragment.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import type { SqlFragment } from './types';
+/**
+ * Create and register an immutable, branded SQL fragment.
+ *
+ * The returned object is frozen (including its values array) so callers cannot
+ * mutate a fragment after the integrity checks that produced it.
+ */
+export declare function createFragment(text: string, values: readonly unknown[]): SqlFragment;
+/**
+ * Type guard: was this value minted by the library (and therefore trusted to
+ * contribute raw SQL text)?
+ */
+export declare function isSqlFragment(value: unknown): value is SqlFragment;
+//# sourceMappingURL=fragment.d.ts.map

package/dist/fragment.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"fragment.d.ts","sourceRoot":"","sources":["../src/fragment.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AAkB1C;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,SAAS,OAAO,EAAE,GACzB,WAAW,CASb;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,WAAW,CAMlE"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * truto-sqlite-builder - Safe, zero-dependency template-literal tag for SQLite queries
+ */
+export { compileFilter } from './filter';
+export { sql } from './sql';
+export type { FilterResult, JsonFilter, SqlQuery } from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AACxC,OAAO,EAAE,GAAG,EAAE,MAAM,OAAO,CAAA;AAC3B,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,548 @@
+// src/constants.ts
+var MAX_QUERY_LENGTH = 102400;
+var MAX_IDENTIFIER_LENGTH = 255;
+var MAX_PATTERN_LENGTH = 1024;
+var STACKED_QUERY_REGEX = /;[\s\S]*\S/;
+var QUALIFIED_IDENTIFIER_REGEX = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
+var SIMPLE_IDENTIFIER_REGEX = /^[A-Za-z_][A-Za-z0-9_]*$/;
+// src/fragment.ts
+var fragmentRegistry = new WeakSet;
+function createFragment(text, values) {
+  const fragment = Object.freeze({
+    text,
+    values: Object.freeze([...values])
+  });
+  fragmentRegistry.add(fragment);
+  return fragment;
+}
+function isSqlFragment(value) {
+  return typeof value === "object" && value !== null && fragmentRegistry.has(value);
+}
+// src/sql.ts
+function formatDate(date) {
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, "0");
+  const day = String(date.getDate()).padStart(2, "0");
+  const hours = String(date.getHours()).padStart(2, "0");
+  const minutes = String(date.getMinutes()).padStart(2, "0");
+  const seconds = String(date.getSeconds()).padStart(2, "0");
+  return `${year}-${month}-${day} ${hours}:${minutes}:${seconds}`;
+}
+function sqlValue(value) {
+  if (value === null || value === undefined) {
+    return null;
+  }
+  if (typeof value === "string") {
+    return value;
+  }
+  if (typeof value === "number" || typeof value === "boolean") {
+    return value;
+  }
+  if (value instanceof Date) {
+    return formatDate(value);
+  }
+  if (value instanceof Buffer || value instanceof Uint8Array) {
+    throw new TypeError("Buffer/Uint8Array values must be used with sql.blob() for safe BLOB handling");
+  }
+  throw new TypeError(`Unsupported value type: ${typeof value}`);
+}
+function quoteSingleIdentifier(identifier) {
+  if (identifier.length > MAX_IDENTIFIER_LENGTH) {
+    throw new TypeError(`Identifier part too long: ${identifier.length} characters (max: ${MAX_IDENTIFIER_LENGTH})`);
+  }
+  if (!SIMPLE_IDENTIFIER_REGEX.test(identifier)) {
+    throw new TypeError(`Invalid identifier part: ${identifier}. Must be a valid ANSI identifier.`);
+  }
+  return `"${identifier}"`;
+}
+function quoteQualifiedIdentifier(identifier) {
+  if (!QUALIFIED_IDENTIFIER_REGEX.test(identifier)) {
+    throw new TypeError(`Invalid identifier: ${identifier}. Must be a valid identifier or qualified identifier (e.g., table.column)`);
+  }
+  const parts = identifier.split(".");
+  return parts.map(quoteSingleIdentifier).join(".");
+}
+function sqlIdent(identifier) {
+  if (Array.isArray(identifier)) {
+    if (identifier.length === 0) {
+      throw new TypeError("Identifier array cannot be empty");
+    }
+    const fragments = [];
+    for (const item of identifier) {
+      if (isSqlFragment(item)) {
+        fragments.push(item);
+      } else if (typeof item === "string") {
+        if (!item) {
+          throw new TypeError("All identifiers must be non-empty strings");
+        }
+        if (!QUALIFIED_IDENTIFIER_REGEX.test(item)) {
+          throw new TypeError(`Invalid identifier: ${item}. Must be a valid identifier or qualified identifier (e.g., table.column)`);
+        }
+        fragments.push(createFragment(quoteQualifiedIdentifier(item), []));
+      } else {
+        throw new TypeError("Array items must be strings or SQL fragments");
+      }
+    }
+    const text = fragments.map((f) => f.text).join(", ");
+    const values = fragments.flatMap((f) => [...f.values]);
+    return createFragment(text, values);
+  }
+  if (!identifier || typeof identifier !== "string") {
+    throw new TypeError("Identifier must be a non-empty string");
+  }
+  if (!QUALIFIED_IDENTIFIER_REGEX.test(identifier)) {
+    throw new TypeError(`Invalid identifier: ${identifier}. Must be a valid identifier or qualified identifier (e.g., table.column)`);
+  }
+  return createFragment(quoteQualifiedIdentifier(identifier), []);
+}
+function sqlIn(array) {
+  if (!Array.isArray(array)) {
+    throw new TypeError("sql.in() requires an array");
+  }
+  if (array.length === 0) {
+    throw new TypeError("sql.in() cannot be used with empty arrays");
+  }
+  if (array.length > 1000) {
+    console.warn(`sql.in(): Large array with ${array.length} items. Consider using temporary tables for better performance.`);
+  }
+  const placeholders = array.map(() => "?").join(",");
+  const values = array.map(sqlValue);
+  return createFragment(`(${placeholders})`, values);
+}
+function sqlRaw(rawSql) {
+  if (typeof rawSql !== "string") {
+    throw new TypeError("sql.raw() requires a string");
+  }
+  return createFragment(rawSql, []);
+}
+function sqlBlob(data) {
+  if (!(data instanceof Buffer) && !(data instanceof Uint8Array)) {
+    throw new TypeError("sql.blob() requires a Buffer or Uint8Array");
+  }
+  return createFragment("?", [data]);
+}
+var SEPARATOR_FORBIDDEN_TOKENS = [
+  "'",
+  '"',
+  "`",
+  "[",
+  "]",
+  ";",
+  "\\",
+  "\x00",
+  "--",
+  "/*",
+  "*/"
+];
+function assertSafeSeparator(separator) {
+  for (const token of SEPARATOR_FORBIDDEN_TOKENS) {
+    if (separator.includes(token)) {
+      throw new TypeError(`Unsafe sql.join() separator: contains forbidden token ${JSON.stringify(token)}. Pass a SqlFragment (e.g. sql.raw) if you need parameterized separators.`);
+    }
+  }
+  let depth = 0;
+  for (const char of separator) {
+    if (char === "(") {
+      depth++;
+    } else if (char === ")") {
+      depth--;
+      if (depth < 0) {
+        throw new TypeError("Unsafe sql.join() separator: unbalanced parentheses");
+      }
+    }
+  }
+  if (depth !== 0) {
+    throw new TypeError("Unsafe sql.join() separator: unbalanced parentheses");
+  }
+}
+function sqlJoin(fragments, separator = ", ") {
+  if (!Array.isArray(fragments)) {
+    throw new TypeError("sql.join() requires an array of fragments");
+  }
+  for (const fragment of fragments) {
+    if (!isSqlFragment(fragment)) {
+      throw new TypeError("sql.join() requires SQL fragments created by the sql tag or its helpers");
+    }
+  }
+  if (fragments.length === 0) {
+    return createFragment("", []);
+  }
+  let separatorText;
+  let separatorValues = [];
+  if (isSqlFragment(separator)) {
+    separatorText = separator.text;
+    separatorValues = separator.values;
+  } else if (typeof separator === "string") {
+    assertSafeSeparator(separator);
+    separatorText = separator;
+  } else {
+    throw new TypeError("sql.join() separator must be a string or a SQL fragment");
+  }
+  let text = "";
+  const values = [];
+  fragments.forEach((fragment, index) => {
+    if (index > 0) {
+      text += separatorText;
+      values.push(...separatorValues);
+    }
+    text += fragment.text;
+    values.push(...fragment.values);
+  });
+  return createFragment(text, values);
+}
+function scanSql(text) {
+  let placeholderCount = 0;
+  let code = "";
+  let i = 0;
+  const length = text.length;
+  while (i < length) {
+    const char = text[i];
+    const next = text[i + 1];
+    if (char === "-" && next === "-") {
+      i += 2;
+      while (i < length && text[i] !== `
+`) {
+        i++;
+      }
+      continue;
+    }
+    if (char === "/" && next === "*") {
+      i += 2;
+      while (i < length && !(text[i] === "*" && text[i + 1] === "/")) {
+        i++;
+      }
+      i += 2;
+      continue;
+    }
+    if (char === "'" || char === '"' || char === "`") {
+      const quote = char;
+      i++;
+      while (i < length) {
+        if (text[i] === quote) {
+          if (text[i + 1] === quote) {
+            i += 2;
+            continue;
+          }
+          i++;
+          break;
+        }
+        i++;
+      }
+      continue;
+    }
+    if (char === "[") {
+      i++;
+      while (i < length && text[i] !== "]") {
+        i++;
+      }
+      i++;
+      continue;
+    }
+    if (char === "?") {
+      placeholderCount++;
+    }
+    code += char;
+    i++;
+  }
+  return { placeholderCount, code };
+}
+function sql(strings, ...values) {
+  let text = strings[0] || "";
+  const queryValues = [];
+  for (let i = 0;i < values.length; i++) {
+    const value = values[i];
+    if (isSqlFragment(value)) {
+      text += value.text;
+      queryValues.push(...value.values);
+    } else {
+      text += "?";
+      queryValues.push(sqlValue(value));
+    }
+    text += strings[i + 1] || "";
+  }
+  if (text.length > MAX_QUERY_LENGTH) {
+    throw new Error(`Query too long: ${text.length} bytes (max: ${MAX_QUERY_LENGTH})`);
+  }
+  const { placeholderCount, code } = scanSql(text);
+  if (placeholderCount !== queryValues.length) {
+    throw new Error(`Placeholder count (${placeholderCount}) does not match bound value count (${queryValues.length}). ` + 'Did a raw fragment contain a "?" without supplying its value?');
+  }
+  if (STACKED_QUERY_REGEX.test(code)) {
+    throw new Error("Stacked queries are not allowed");
+  }
+  return createFragment(text, queryValues);
+}
+sql.value = sqlValue;
+sql.ident = sqlIdent;
+sql.in = sqlIn;
+sql.raw = sqlRaw;
+sql.blob = sqlBlob;
+sql.join = sqlJoin;
+// src/filter.ts
+var MAX_NESTING_DEPTH = 10;
+var MAX_OPERATORS = 100;
+var VALID_OPERATORS = new Set([
+  "gt",
+  "gte",
+  "lt",
+  "lte",
+  "ne",
+  "in",
+  "nin",
+  "like",
+  "ilike",
+  "regex",
+  "exists",
+  "and",
+  "or"
+]);
+function isJsonPath(field) {
+  return field.includes(".");
+}
+function compileJsonPath(field) {
+  const parts = field.split(".");
+  const columnName = parts[0];
+  const jsonPath = parts.slice(1);
+  if (!columnName || jsonPath.length === 0 || jsonPath.some((part) => !part)) {
+    throw new SyntaxError(`Invalid JSON path: ${field}`);
+  }
+  return {
+    columnName,
+    jsonPath: "$." + jsonPath.join(".")
+  };
+}
+function isValidSqlIdentifier(identifier) {
+  return identifier.length <= MAX_IDENTIFIER_LENGTH && SIMPLE_IDENTIFIER_REGEX.test(identifier);
+}
+function assertPatternWithinLimit(operator, pattern) {
+  if (pattern.length > MAX_PATTERN_LENGTH) {
+    throw new RangeError(`${operator} pattern too long: ${pattern.length} characters (max: ${MAX_PATTERN_LENGTH})`);
+  }
+}
+function compileFieldCondition(field, condition, context, alias) {
+  if (condition === null || condition === undefined || typeof condition === "string" || typeof condition === "number" || typeof condition === "boolean" || condition instanceof Date) {
+    context.operatorCount++;
+    if (context.operatorCount > MAX_OPERATORS) {
+      throw new RangeError(`Too many operators (max: ${MAX_OPERATORS})`);
+    }
+    if (isJsonPath(field)) {
+      const { columnName, jsonPath } = compileJsonPath(field);
+      const identFragment2 = sql.ident(columnName);
+      const fullFieldExpr = alias ? `${alias}.${identFragment2.text}` : identFragment2.text;
+      if (condition === null || condition === undefined) {
+        context.values.push(jsonPath);
+        return `(json_extract(${fullFieldExpr}, ?) IS NULL)`;
+      } else {
+        context.values.push(jsonPath, sql.value(condition));
+        return `(json_extract(${fullFieldExpr}, ?) = ?)`;
+      }
+    } else {
+      const identFragment2 = sql.ident(field);
+      const fullFieldExpr = alias ? `${alias}.${identFragment2.text}` : identFragment2.text;
+      if (condition === null || condition === undefined) {
+        return `(${fullFieldExpr} IS NULL)`;
+      } else {
+        context.values.push(sql.value(condition));
+        return `(${fullFieldExpr} = ?)`;
+      }
+    }
+  }
+  if (typeof condition !== "object" || condition === null) {
+    throw new TypeError("Condition must be a value or operator object");
+  }
+  const operators = condition;
+  const clauses = [];
+  for (const op of Object.keys(operators)) {
+    if (!VALID_OPERATORS.has(op)) {
+      throw new SyntaxError(`Unknown operator: ${op}`);
+    }
+  }
+  const identFragment = sql.ident(isJsonPath(field) ? compileJsonPath(field).columnName : field);
+  const baseFieldExpr = alias ? `${alias}.${identFragment.text}` : identFragment.text;
+  const fieldExpr = isJsonPath(field) ? `json_extract(${baseFieldExpr}, ?)` : baseFieldExpr;
+  if (isJsonPath(field)) {
+    context.values.push(compileJsonPath(field).jsonPath);
+  }
+  if ("exists" in operators) {
+    context.operatorCount++;
+    if (context.operatorCount > MAX_OPERATORS) {
+      throw new RangeError(`Too many operators (max: ${MAX_OPERATORS})`);
+    }
+    return operators.exists ? `(${fieldExpr} IS NOT NULL)` : `(${fieldExpr} IS NULL)`;
+  }
+  for (const [op, value] of Object.entries(operators)) {
+    context.operatorCount++;
+    if (context.operatorCount > MAX_OPERATORS) {
+      throw new RangeError(`Too many operators (max: ${MAX_OPERATORS})`);
+    }
+    switch (op) {
+      case "gt":
+        context.values.push(sql.value(value));
+        clauses.push(`${fieldExpr} > ?`);
+        break;
+      case "gte":
+        context.values.push(sql.value(value));
+        clauses.push(`${fieldExpr} >= ?`);
+        break;
+      case "lt":
+        context.values.push(sql.value(value));
+        clauses.push(`${fieldExpr} < ?`);
+        break;
+      case "lte":
+        context.values.push(sql.value(value));
+        clauses.push(`${fieldExpr} <= ?`);
+        break;
+      case "ne":
+        if (value === null || value === undefined) {
+          clauses.push(`${fieldExpr} IS NOT NULL`);
+        } else {
+          context.values.push(sql.value(value));
+          clauses.push(`${fieldExpr} <> ?`);
+        }
+        break;
+      case "in": {
+        if (!Array.isArray(value)) {
+          throw new TypeError("IN operator requires an array");
+        }
+        if (value.length === 0) {
+          throw new TypeError("IN operator cannot be used with empty arrays");
+        }
+        if (value.length > 999) {
+          throw new RangeError("IN operator cannot be used with arrays larger than 999 items");
+        }
+        const inFragment = sql.in(value);
+        context.values.push(...inFragment.values);
+        clauses.push(`${fieldExpr} IN ${inFragment.text}`);
+        break;
+      }
+      case "nin": {
+        if (!Array.isArray(value)) {
+          throw new TypeError("NIN operator requires an array");
+        }
+        if (value.length === 0) {
+          throw new TypeError("NIN operator cannot be used with empty arrays");
+        }
+        if (value.length > 999) {
+          throw new RangeError("NIN operator cannot be used with arrays larger than 999 items");
+        }
+        const ninFragment = sql.in(value);
+        context.values.push(...ninFragment.values);
+        clauses.push(`${fieldExpr} NOT IN ${ninFragment.text}`);
+        break;
+      }
+      case "like":
+        if (typeof value !== "string") {
+          throw new TypeError("LIKE operator requires a string pattern");
+        }
+        assertPatternWithinLimit("LIKE", value);
+        context.values.push(value);
+        clauses.push(`${fieldExpr} LIKE ?`);
+        break;
+      case "ilike":
+        if (typeof value !== "string") {
+          throw new TypeError("ILIKE operator requires a string pattern");
+        }
+        assertPatternWithinLimit("ILIKE", value);
+        context.values.push(value);
+        clauses.push(`${fieldExpr} LIKE ? COLLATE NOCASE`);
+        break;
+      case "regex":
+        if (typeof value !== "string") {
+          throw new TypeError("REGEX operator requires a string pattern");
+        }
+        assertPatternWithinLimit("REGEX", value);
+        context.values.push(value);
+        clauses.push(`${fieldExpr} REGEXP ?`);
+        break;
+    }
+  }
+  if (clauses.length === 0) {
+    throw new SyntaxError("Operator object must contain at least one valid operator");
+  }
+  return clauses.length === 1 ? `(${clauses[0]})` : `(${clauses.join(" AND ")})`;
+}
+function compileFilterRecursive(filter, context, alias) {
+  if (context.depth >= MAX_NESTING_DEPTH) {
+    throw new RangeError(`Nesting depth too deep (max: ${MAX_NESTING_DEPTH})`);
+  }
+  if (typeof filter !== "object" || filter === null) {
+    throw new TypeError("Filter must be an object");
+  }
+  context.depth++;
+  const clauses = [];
+  if ("and" in filter && filter.and) {
+    context.operatorCount++;
+    if (context.operatorCount > MAX_OPERATORS) {
+      throw new RangeError(`Too many operators (max: ${MAX_OPERATORS})`);
+    }
+    if (!Array.isArray(filter.and)) {
+      throw new TypeError("AND operator must be an array");
+    }
+    if (filter.and.length === 0) {
+      throw new TypeError("AND operator cannot be used with empty arrays");
+    }
+    const andClauses = filter.and.map((subFilter) => compileFilterRecursive(subFilter, context, alias));
+    clauses.push(`(${andClauses.join(" AND ")})`);
+  }
+  if ("or" in filter && filter.or) {
+    context.operatorCount++;
+    if (context.operatorCount > MAX_OPERATORS) {
+      throw new RangeError(`Too many operators (max: ${MAX_OPERATORS})`);
+    }
+    if (!Array.isArray(filter.or)) {
+      throw new TypeError("OR operator must be an array");
+    }
+    if (filter.or.length === 0) {
+      throw new TypeError("OR operator cannot be used with empty arrays");
+    }
+    const orClauses = filter.or.map((subFilter) => compileFilterRecursive(subFilter, context, alias));
+    clauses.push(`(${orClauses.join(" OR ")})`);
+  }
+  const fieldEntries = Object.entries(filter).filter(([field, condition]) => field !== "and" && field !== "or" && !field.startsWith("$") && condition !== undefined);
+  for (const [field, condition] of fieldEntries) {
+    if (Array.isArray(condition)) {
+      throw new SyntaxError(`Field '${field}' cannot have array value. Use logical operators 'and'/'or' instead.`);
+    }
+    clauses.push(compileFieldCondition(field, condition, context, alias));
+  }
+  const aliasEntries = Object.entries(filter).filter(([key, value]) => key.startsWith("$") && value !== undefined && typeof value === "object" && value !== null);
+  for (const [aliasKey, aliasFilter] of aliasEntries) {
+    const aliasName = aliasKey.slice(1);
+    if (!isValidSqlIdentifier(aliasName)) {
+      throw new SyntaxError(`Invalid alias identifier: ${aliasName}`);
+    }
+    const aliasClause = compileFilterRecursive(aliasFilter, context, aliasName);
+    clauses.push(aliasClause);
+  }
+  context.depth--;
+  if (clauses.length === 0) {
+    throw new SyntaxError("Filter must contain at least one condition");
+  }
+  if (clauses.length === 1) {
+    return clauses[0];
+  } else {
+    return `(${clauses.join(" AND ")})`;
+  }
+}
+function compileFilter(filter) {
+  const context = {
+    depth: 0,
+    operatorCount: 0,
+    values: []
+  };
+  const text = `(${compileFilterRecursive(filter, context)})`;
+  if (text.length > MAX_QUERY_LENGTH) {
+    throw new RangeError(`Compiled filter too long: ${text.length} bytes (max: ${MAX_QUERY_LENGTH})`);
+  }
+  return createFragment(text, context.values);
+}
+export {
+  sql,
+  compileFilter
+};
+//# debugId=B02F5A27F175BBBF64756E2164756E21
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1,13 @@
+{
+  "version": 3,
+  "sources": ["../src/constants.ts", "../src/fragment.ts", "../src/sql.ts", "../src/filter.ts"],
+  "sourcesContent": [
+    "/**\n * Common regex patterns and limits used across the codebase\n */\n\n// Maximum query length (100KB)\nexport const MAX_QUERY_LENGTH = 102400\n\n// Maximum length of a single identifier part (table/column/alias name).\n// Bounds the amount of attacker-influenced text that can be quoted into a\n// query, preventing identifier-based denial-of-service (huge field names).\nexport const MAX_IDENTIFIER_LENGTH = 255\n\n// Maximum length of a LIKE/ILIKE/REGEXP pattern. These patterns are evaluated\n// by the underlying SQLite engine at query time; bounding their size limits\n// pathological matching cost (e.g. catastrophic backtracking in a REGEXP\n// extension, or quadratic LIKE scans).\nexport const MAX_PATTERN_LENGTH = 1024\n\n// Regex to detect stacked queries (semicolon followed by non-whitespace).\n// Applied to a \"code-only\" view of the query (string literals and comments\n// stripped) so that semicolons inside literals/comments do not cause false\n// positives, and commented-out semicolons cannot smuggle a second statement.\nexport const STACKED_QUERY_REGEX = /;[\\s\\S]*\\S/\n\n// ANSI identifier validation - supports qualified identifiers (e.g., table.column)\nexport const QUALIFIED_IDENTIFIER_REGEX =\n  /^[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*$/\n\n// Simple identifier validation (for individual parts)\nexport const SIMPLE_IDENTIFIER_REGEX = /^[A-Za-z_][A-Za-z0-9_]*$/\n",
+    "import type { SqlFragment } from './types'\n\n/**\n * Module-private registry of every SQL fragment minted by this library.\n *\n * Trust model: the text of a query is \"code\" (must originate from the\n * developer) and interpolated values are \"data\" (always parameterized). The\n * only way to contribute raw text is through a fragment created by one of the\n * library helpers (sql, sql.raw, sql.ident, sql.in, sql.blob, sql.join,\n * compileFilter). Membership in this WeakSet is the unforgeable proof that an\n * object is such a fragment.\n *\n * A plain object that merely looks like `{ text, values }` (e.g. from\n * JSON.parse or an untrusted request body) is NOT in this set, so it can never\n * be treated as raw SQL. This closes the structural duck-typing bypass.\n */\nconst fragmentRegistry = new WeakSet<object>()\n\n/**\n * Create and register an immutable, branded SQL fragment.\n *\n * The returned object is frozen (including its values array) so callers cannot\n * mutate a fragment after the integrity checks that produced it.\n */\nexport function createFragment(\n  text: string,\n  values: readonly unknown[],\n): SqlFragment {\n  const fragment: SqlFragment = Object.freeze({\n    text,\n    values: Object.freeze([...values]),\n  })\n\n  fragmentRegistry.add(fragment)\n\n  return fragment\n}\n\n/**\n * Type guard: was this value minted by the library (and therefore trusted to\n * contribute raw SQL text)?\n */\nexport function isSqlFragment(value: unknown): value is SqlFragment {\n  return (\n    typeof value === 'object' &&\n    value !== null &&\n    fragmentRegistry.has(value as object)\n  )\n}\n",
+    "import {\n  MAX_IDENTIFIER_LENGTH,\n  MAX_QUERY_LENGTH,\n  QUALIFIED_IDENTIFIER_REGEX,\n  SIMPLE_IDENTIFIER_REGEX,\n  STACKED_QUERY_REGEX,\n} from './constants'\nimport { createFragment, isSqlFragment } from './fragment'\nimport type { SqlFragment, SqlQuery, SqlValue } from './types'\n\n/**\n * Format a date for SQLite (YYYY-MM-DD HH:MM:SS)\n */\nfunction formatDate(date: Date): string {\n  const year = date.getFullYear()\n  const month = String(date.getMonth() + 1).padStart(2, '0')\n  const day = String(date.getDate()).padStart(2, '0')\n  const hours = String(date.getHours()).padStart(2, '0')\n  const minutes = String(date.getMinutes()).padStart(2, '0')\n  const seconds = String(date.getSeconds()).padStart(2, '0')\n\n  return `${year}-${month}-${day} ${hours}:${minutes}:${seconds}`\n}\n\n/**\n * Convert a value to its SQLite representation\n */\nfunction sqlValue(value: SqlValue): unknown {\n  if (value === null || value === undefined) {\n    return null\n  }\n\n  if (typeof value === 'string') {\n    return value\n  }\n\n  if (typeof value === 'number' || typeof value === 'boolean') {\n    return value\n  }\n\n  if (value instanceof Date) {\n    return formatDate(value)\n  }\n\n  if (value instanceof Buffer || value instanceof Uint8Array) {\n    throw new TypeError(\n      'Buffer/Uint8Array values must be used with sql.blob() for safe BLOB handling',\n    )\n  }\n\n  throw new TypeError(`Unsupported value type: ${typeof value}`)\n}\n\n/**\n * Quote a single identifier part\n */\nfunction quoteSingleIdentifier(identifier: string): string {\n  if (identifier.length > MAX_IDENTIFIER_LENGTH) {\n    throw new TypeError(\n      `Identifier part too long: ${identifier.length} characters (max: ${MAX_IDENTIFIER_LENGTH})`,\n    )\n  }\n  if (!SIMPLE_IDENTIFIER_REGEX.test(identifier)) {\n    throw new TypeError(\n      `Invalid identifier part: ${identifier}. Must be a valid ANSI identifier.`,\n    )\n  }\n  return `\"${identifier}\"`\n}\n\n/**\n * Quote a qualified identifier by splitting on dots and quoting each part\n */\nfunction quoteQualifiedIdentifier(identifier: string): string {\n  if (!QUALIFIED_IDENTIFIER_REGEX.test(identifier)) {\n    throw new TypeError(\n      `Invalid identifier: ${identifier}. Must be a valid identifier or qualified identifier (e.g., table.column)`,\n    )\n  }\n\n  const parts = identifier.split('.')\n  return parts.map(quoteSingleIdentifier).join('.')\n}\n\n/**\n * Validate and quote a SQL identifier or array of identifiers/fragments\n */\nfunction sqlIdent(\n  identifier: string | readonly (string | SqlFragment)[],\n): SqlFragment {\n  // Handle array of identifiers and fragments\n  if (Array.isArray(identifier)) {\n    if (identifier.length === 0) {\n      throw new TypeError('Identifier array cannot be empty')\n    }\n\n    const fragments: SqlFragment[] = []\n\n    for (const item of identifier) {\n      // Only fragments minted by this library may pass through unquoted. This\n      // prevents a forged `{ text, values }` object (e.g. from untrusted JSON)\n      // from being injected as raw SQL via sql.ident().\n      if (isSqlFragment(item)) {\n        fragments.push(item)\n      } else if (typeof item === 'string') {\n        // Handle string identifiers\n        if (!item) {\n          throw new TypeError('All identifiers must be non-empty strings')\n        }\n\n        if (!QUALIFIED_IDENTIFIER_REGEX.test(item)) {\n          throw new TypeError(\n            `Invalid identifier: ${item}. Must be a valid identifier or qualified identifier (e.g., table.column)`,\n          )\n        }\n\n        fragments.push(createFragment(quoteQualifiedIdentifier(item), []))\n      } else {\n        throw new TypeError('Array items must be strings or SQL fragments')\n      }\n    }\n\n    // Join all fragments\n    const text = fragments.map((f) => f.text).join(', ')\n    const values = fragments.flatMap((f) => [...f.values])\n\n    return createFragment(text, values)\n  }\n\n  // Handle single identifier (existing behavior)\n  if (!identifier || typeof identifier !== 'string') {\n    throw new TypeError('Identifier must be a non-empty string')\n  }\n\n  if (!QUALIFIED_IDENTIFIER_REGEX.test(identifier)) {\n    throw new TypeError(\n      `Invalid identifier: ${identifier}. Must be a valid identifier or qualified identifier (e.g., table.column)`,\n    )\n  }\n\n  return createFragment(quoteQualifiedIdentifier(identifier), [])\n}\n\n/**\n * Create SQL IN clause from array\n */\nfunction sqlIn(array: readonly unknown[]): SqlFragment {\n  if (!Array.isArray(array)) {\n    throw new TypeError('sql.in() requires an array')\n  }\n\n  if (array.length === 0) {\n    throw new TypeError('sql.in() cannot be used with empty arrays')\n  }\n\n  // Soft warning for large arrays\n  if (array.length > 1000) {\n    console.warn(\n      `sql.in(): Large array with ${array.length} items. Consider using temporary tables for better performance.`,\n    )\n  }\n\n  const placeholders = array.map(() => '?').join(',')\n  const values = array.map(sqlValue)\n\n  return createFragment(`(${placeholders})`, values)\n}\n\n/**\n * Create raw SQL fragment (DANGEROUS - must not contain user input).\n *\n * This is the library's single, explicit trust boundary: whatever string is\n * passed here becomes SQL verbatim. Only ever pass developer-authored,\n * constant SQL. Never pass user input. For dynamic WHERE clauses use\n * compileFilter(); for identifiers use sql.ident().\n */\nfunction sqlRaw(rawSql: string): SqlFragment {\n  if (typeof rawSql !== 'string') {\n    throw new TypeError('sql.raw() requires a string')\n  }\n\n  return createFragment(rawSql, [])\n}\n\n/**\n * Create SQL fragment for BLOB data (for validated binary data)\n */\nfunction sqlBlob(data: Buffer | Uint8Array): SqlFragment {\n  if (!(data instanceof Buffer) && !(data instanceof Uint8Array)) {\n    throw new TypeError('sql.blob() requires a Buffer or Uint8Array')\n  }\n\n  return createFragment('?', [data])\n}\n\n/**\n * Tokens that allow breaking out of a SQL expression context. A join separator\n * is structural SQL (a connector such as `, `, ` AND `, ` OR `). To make\n * arbitrary separators safe regardless of their origin, we forbid the\n * primitives that would let a separator escape the connector role: string and\n * identifier literal delimiters, statement terminators, comment markers, NUL,\n * and backslash escapes.\n */\nconst SEPARATOR_FORBIDDEN_TOKENS = [\n  \"'\",\n  '\"',\n  '`',\n  '[',\n  ']',\n  ';',\n  '\\\\',\n  '\\0',\n  '--',\n  '/*',\n  '*/',\n] as const\n\n/**\n * Validate a string separator for sql.join(). Allows any structural connector\n * while rejecting the primitives used to inject literals, comments, or extra\n * statements. Parentheses must be balanced so a separator cannot escape the\n * grouping it sits within.\n */\nfunction assertSafeSeparator(separator: string): void {\n  for (const token of SEPARATOR_FORBIDDEN_TOKENS) {\n    if (separator.includes(token)) {\n      throw new TypeError(\n        `Unsafe sql.join() separator: contains forbidden token ${JSON.stringify(\n          token,\n        )}. Pass a SqlFragment (e.g. sql.raw) if you need parameterized separators.`,\n      )\n    }\n  }\n\n  let depth = 0\n  for (const char of separator) {\n    if (char === '(') {\n      depth++\n    } else if (char === ')') {\n      depth--\n      if (depth < 0) {\n        throw new TypeError(\n          'Unsafe sql.join() separator: unbalanced parentheses',\n        )\n      }\n    }\n  }\n  if (depth !== 0) {\n    throw new TypeError('Unsafe sql.join() separator: unbalanced parentheses')\n  }\n}\n\n/**\n * Join SQL fragments with a separator.\n *\n * Fragments must be library-minted (branded) fragments. The separator may be:\n *  - a string: treated as a structural connector and validated by\n *    assertSafeSeparator() so any connector is supported safely; or\n *  - a SqlFragment: its text becomes the connector and its values are\n *    interleaved between fragments, allowing fully parameterized separators.\n */\nfunction sqlJoin(\n  fragments: readonly SqlFragment[],\n  separator: string | SqlFragment = ', ',\n): SqlFragment {\n  if (!Array.isArray(fragments)) {\n    throw new TypeError('sql.join() requires an array of fragments')\n  }\n\n  for (const fragment of fragments) {\n    if (!isSqlFragment(fragment)) {\n      throw new TypeError(\n        'sql.join() requires SQL fragments created by the sql tag or its helpers',\n      )\n    }\n  }\n\n  if (fragments.length === 0) {\n    return createFragment('', [])\n  }\n\n  let separatorText: string\n  let separatorValues: readonly unknown[] = []\n\n  if (isSqlFragment(separator)) {\n    separatorText = separator.text\n    separatorValues = separator.values\n  } else if (typeof separator === 'string') {\n    assertSafeSeparator(separator)\n    separatorText = separator\n  } else {\n    throw new TypeError(\n      'sql.join() separator must be a string or a SQL fragment',\n    )\n  }\n\n  let text = ''\n  const values: unknown[] = []\n\n  fragments.forEach((fragment, index) => {\n    if (index > 0) {\n      text += separatorText\n      values.push(...separatorValues)\n    }\n    text += fragment.text\n    values.push(...fragment.values)\n  })\n\n  return createFragment(text, values)\n}\n\n/**\n * Scan assembled SQL once to (a) count true placeholders and (b) produce a\n * \"code-only\" view with string/identifier literals and comments removed.\n *\n * Placeholders inside literals/comments are not counted, and semicolons inside\n * literals/comments are not treated as statement separators.\n */\nfunction scanSql(text: string): { placeholderCount: number; code: string } {\n  let placeholderCount = 0\n  let code = ''\n  let i = 0\n  const length = text.length\n\n  while (i < length) {\n    const char = text[i]\n    const next = text[i + 1]\n\n    // Line comment: -- ... <newline>\n    if (char === '-' && next === '-') {\n      i += 2\n      while (i < length && text[i] !== '\\n') {\n        i++\n      }\n      continue\n    }\n\n    // Block comment: /* ... */\n    if (char === '/' && next === '*') {\n      i += 2\n      while (i < length && !(text[i] === '*' && text[i + 1] === '/')) {\n        i++\n      }\n      i += 2\n      continue\n    }\n\n    // Quoted string ('...') or quoted identifier (\"...\", `...`), with the SQL\n    // convention that the quote char is escaped by doubling it.\n    if (char === \"'\" || char === '\"' || char === '`') {\n      const quote = char\n      i++\n      while (i < length) {\n        if (text[i] === quote) {\n          if (text[i + 1] === quote) {\n            i += 2\n            continue\n          }\n          i++\n          break\n        }\n        i++\n      }\n      continue\n    }\n\n    // Bracket-quoted identifier: [ ... ]\n    if (char === '[') {\n      i++\n      while (i < length && text[i] !== ']') {\n        i++\n      }\n      i++\n      continue\n    }\n\n    if (char === '?') {\n      placeholderCount++\n    }\n    code += char\n    i++\n  }\n\n  return { placeholderCount, code }\n}\n\n/**\n * Main SQL tagged template function\n */\nfunction sql(strings: TemplateStringsArray, ...values: unknown[]): SqlQuery {\n  // Build the query text and collect values\n  let text = strings[0] || ''\n  const queryValues: unknown[] = []\n\n  for (let i = 0; i < values.length; i++) {\n    const value = values[i]\n\n    // Only library-minted fragments contribute raw text; everything else is\n    // parameterized. This blocks forged `{ text, values }` objects.\n    if (isSqlFragment(value)) {\n      text += value.text\n      queryValues.push(...value.values)\n    } else {\n      // Regular value - add placeholder and collect value\n      text += '?'\n      queryValues.push(sqlValue(value as SqlValue))\n    }\n\n    text += strings[i + 1] || ''\n  }\n\n  // Security checks\n  if (text.length > MAX_QUERY_LENGTH) {\n    throw new Error(\n      `Query too long: ${text.length} bytes (max: ${MAX_QUERY_LENGTH})`,\n    )\n  }\n\n  const { placeholderCount, code } = scanSql(text)\n\n  // Integrity: every placeholder must have exactly one bound value and vice\n  // versa. Catches raw fragments that smuggle a stray `?` (or, conversely,\n  // raw SQL that forgot to carry its values), keeping text and values aligned.\n  if (placeholderCount !== queryValues.length) {\n    throw new Error(\n      `Placeholder count (${placeholderCount}) does not match bound value count (${queryValues.length}). ` +\n        'Did a raw fragment contain a \"?\" without supplying its value?',\n    )\n  }\n\n  if (STACKED_QUERY_REGEX.test(code)) {\n    throw new Error('Stacked queries are not allowed')\n  }\n\n  // Return frozen, branded result so it can be safely composed into other\n  // queries (e.g. via sql.join) without being mistaken for a forgery.\n  return createFragment(text, queryValues) as SqlQuery\n}\n\n// Attach helper functions to sql\nsql.value = sqlValue\nsql.ident = sqlIdent\nsql.in = sqlIn\nsql.raw = sqlRaw\nsql.blob = sqlBlob\nsql.join = sqlJoin\n\nexport { sql }\n",
+    "import {\n  MAX_IDENTIFIER_LENGTH,\n  MAX_PATTERN_LENGTH,\n  MAX_QUERY_LENGTH,\n  SIMPLE_IDENTIFIER_REGEX,\n} from './constants'\nimport { createFragment } from './fragment'\nimport { sql } from './sql'\nimport type {\n  ComparisonOperators,\n  FieldCondition,\n  FilterResult,\n  JsonFilter,\n} from './types'\n\n// Limits to prevent DoS attacks\nconst MAX_NESTING_DEPTH = 10\nconst MAX_OPERATORS = 100\n\n// Valid operators for validation\nconst VALID_OPERATORS = new Set([\n  'gt',\n  'gte',\n  'lt',\n  'lte',\n  'ne',\n  'in',\n  'nin',\n  'like',\n  'ilike',\n  'regex',\n  'exists',\n  'and',\n  'or',\n])\n\n/**\n * Context for tracking compilation state\n */\ninterface CompileContext {\n  depth: number\n  operatorCount: number\n  values: unknown[]\n}\n\n/**\n * Check if a field name represents a JSON path (contains dots)\n */\nfunction isJsonPath(field: string): boolean {\n  return field.includes('.')\n}\n\n/**\n * Convert a JSON path field to json_extract expression\n */\nfunction compileJsonPath(field: string): {\n  columnName: string\n  jsonPath: string\n} {\n  const parts = field.split('.')\n  const columnName = parts[0]\n  const jsonPath = parts.slice(1)\n\n  if (!columnName || jsonPath.length === 0 || jsonPath.some((part) => !part)) {\n    throw new SyntaxError(`Invalid JSON path: ${field}`)\n  }\n\n  return {\n    columnName,\n    jsonPath: '$.' + jsonPath.join('.'),\n  }\n}\n\n/**\n * Validate if a string is a valid SQL identifier\n */\nfunction isValidSqlIdentifier(identifier: string): boolean {\n  return (\n    identifier.length <= MAX_IDENTIFIER_LENGTH &&\n    SIMPLE_IDENTIFIER_REGEX.test(identifier)\n  )\n}\n\n/**\n * Validate a LIKE/ILIKE/REGEXP pattern, bounding its length to limit\n * pathological matching cost at the SQLite layer.\n */\nfunction assertPatternWithinLimit(operator: string, pattern: string): void {\n  if (pattern.length > MAX_PATTERN_LENGTH) {\n    throw new RangeError(\n      `${operator} pattern too long: ${pattern.length} characters (max: ${MAX_PATTERN_LENGTH})`,\n    )\n  }\n}\n\n/**\n * Compile a single field condition to SQL\n */\nfunction compileFieldCondition(\n  field: string,\n  condition: FieldCondition,\n  context: CompileContext,\n  alias?: string,\n): string {\n  // Handle direct value (equality)\n  if (\n    condition === null ||\n    condition === undefined ||\n    typeof condition === 'string' ||\n    typeof condition === 'number' ||\n    typeof condition === 'boolean' ||\n    condition instanceof Date\n  ) {\n    context.operatorCount++\n    if (context.operatorCount > MAX_OPERATORS) {\n      throw new RangeError(`Too many operators (max: ${MAX_OPERATORS})`)\n    }\n\n    if (isJsonPath(field)) {\n      const { columnName, jsonPath } = compileJsonPath(field)\n      const identFragment = sql.ident(columnName)\n      const fullFieldExpr = alias\n        ? `${alias}.${identFragment.text}`\n        : identFragment.text\n\n      if (condition === null || condition === undefined) {\n        context.values.push(jsonPath)\n        return `(json_extract(${fullFieldExpr}, ?) IS NULL)`\n      } else {\n        context.values.push(jsonPath, sql.value(condition))\n        return `(json_extract(${fullFieldExpr}, ?) = ?)`\n      }\n    } else {\n      const identFragment = sql.ident(field)\n      const fullFieldExpr = alias\n        ? `${alias}.${identFragment.text}`\n        : identFragment.text\n\n      if (condition === null || condition === undefined) {\n        return `(${fullFieldExpr} IS NULL)`\n      } else {\n        context.values.push(sql.value(condition))\n        return `(${fullFieldExpr} = ?)`\n      }\n    }\n  }\n\n  // Handle operator object\n  if (typeof condition !== 'object' || condition === null) {\n    throw new TypeError('Condition must be a value or operator object')\n  }\n\n  const operators = condition as ComparisonOperators\n  const clauses: string[] = []\n\n  // Validate all operators are known\n  for (const op of Object.keys(operators)) {\n    if (!VALID_OPERATORS.has(op)) {\n      throw new SyntaxError(`Unknown operator: ${op}`)\n    }\n  }\n\n  const identFragment = sql.ident(\n    isJsonPath(field) ? compileJsonPath(field).columnName : field,\n  )\n  const baseFieldExpr = alias\n    ? `${alias}.${identFragment.text}`\n    : identFragment.text\n  const fieldExpr = isJsonPath(field)\n    ? `json_extract(${baseFieldExpr}, ?)`\n    : baseFieldExpr\n\n  // Add JSON path to values if needed\n  if (isJsonPath(field)) {\n    context.values.push(compileJsonPath(field).jsonPath)\n  }\n\n  // Handle exists operator first (it overrides other operators)\n  if ('exists' in operators) {\n    context.operatorCount++\n    if (context.operatorCount > MAX_OPERATORS) {\n      throw new RangeError(`Too many operators (max: ${MAX_OPERATORS})`)\n    }\n\n    return operators.exists\n      ? `(${fieldExpr} IS NOT NULL)`\n      : `(${fieldExpr} IS NULL)`\n  }\n\n  // Handle comparison operators\n  for (const [op, value] of Object.entries(operators)) {\n    context.operatorCount++\n    if (context.operatorCount > MAX_OPERATORS) {\n      throw new RangeError(`Too many operators (max: ${MAX_OPERATORS})`)\n    }\n\n    switch (op) {\n      case 'gt':\n        context.values.push(sql.value(value))\n        clauses.push(`${fieldExpr} > ?`)\n        break\n      case 'gte':\n        context.values.push(sql.value(value))\n        clauses.push(`${fieldExpr} >= ?`)\n        break\n      case 'lt':\n        context.values.push(sql.value(value))\n        clauses.push(`${fieldExpr} < ?`)\n        break\n      case 'lte':\n        context.values.push(sql.value(value))\n        clauses.push(`${fieldExpr} <= ?`)\n        break\n      case 'ne':\n        if (value === null || value === undefined) {\n          clauses.push(`${fieldExpr} IS NOT NULL`)\n        } else {\n          context.values.push(sql.value(value))\n          clauses.push(`${fieldExpr} <> ?`)\n        }\n        break\n      case 'in': {\n        if (!Array.isArray(value)) {\n          throw new TypeError('IN operator requires an array')\n        }\n        if (value.length === 0) {\n          throw new TypeError('IN operator cannot be used with empty arrays')\n        }\n        if (value.length > 999) {\n          throw new RangeError(\n            'IN operator cannot be used with arrays larger than 999 items',\n          )\n        }\n\n        const inFragment = sql.in(value)\n        context.values.push(...inFragment.values)\n        clauses.push(`${fieldExpr} IN ${inFragment.text}`)\n        break\n      }\n      case 'nin': {\n        if (!Array.isArray(value)) {\n          throw new TypeError('NIN operator requires an array')\n        }\n        if (value.length === 0) {\n          throw new TypeError('NIN operator cannot be used with empty arrays')\n        }\n        if (value.length > 999) {\n          throw new RangeError(\n            'NIN operator cannot be used with arrays larger than 999 items',\n          )\n        }\n\n        const ninFragment = sql.in(value)\n        context.values.push(...ninFragment.values)\n        clauses.push(`${fieldExpr} NOT IN ${ninFragment.text}`)\n        break\n      }\n      case 'like':\n        if (typeof value !== 'string') {\n          throw new TypeError('LIKE operator requires a string pattern')\n        }\n        assertPatternWithinLimit('LIKE', value)\n        context.values.push(value)\n        clauses.push(`${fieldExpr} LIKE ?`)\n        break\n      case 'ilike':\n        if (typeof value !== 'string') {\n          throw new TypeError('ILIKE operator requires a string pattern')\n        }\n        assertPatternWithinLimit('ILIKE', value)\n        context.values.push(value)\n        clauses.push(`${fieldExpr} LIKE ? COLLATE NOCASE`)\n        break\n      case 'regex':\n        if (typeof value !== 'string') {\n          throw new TypeError('REGEX operator requires a string pattern')\n        }\n        assertPatternWithinLimit('REGEX', value)\n        context.values.push(value)\n        clauses.push(`${fieldExpr} REGEXP ?`)\n        break\n    }\n  }\n\n  if (clauses.length === 0) {\n    throw new SyntaxError(\n      'Operator object must contain at least one valid operator',\n    )\n  }\n\n  return clauses.length === 1 ? `(${clauses[0]})` : `(${clauses.join(' AND ')})`\n}\n\n/**\n * Compile a JSON filter to SQL recursively\n */\nfunction compileFilterRecursive(\n  filter: JsonFilter,\n  context: CompileContext,\n  alias?: string,\n): string {\n  if (context.depth >= MAX_NESTING_DEPTH) {\n    throw new RangeError(`Nesting depth too deep (max: ${MAX_NESTING_DEPTH})`)\n  }\n\n  if (typeof filter !== 'object' || filter === null) {\n    throw new TypeError('Filter must be an object')\n  }\n\n  context.depth++\n  const clauses: string[] = []\n\n  // Handle logical operators first\n  if ('and' in filter && filter.and) {\n    context.operatorCount++\n    if (context.operatorCount > MAX_OPERATORS) {\n      throw new RangeError(`Too many operators (max: ${MAX_OPERATORS})`)\n    }\n\n    if (!Array.isArray(filter.and)) {\n      throw new TypeError('AND operator must be an array')\n    }\n    if (filter.and.length === 0) {\n      throw new TypeError('AND operator cannot be used with empty arrays')\n    }\n\n    const andClauses = filter.and.map((subFilter) =>\n      compileFilterRecursive(subFilter, context, alias),\n    )\n    clauses.push(`(${andClauses.join(' AND ')})`)\n  }\n\n  if ('or' in filter && filter.or) {\n    context.operatorCount++\n    if (context.operatorCount > MAX_OPERATORS) {\n      throw new RangeError(`Too many operators (max: ${MAX_OPERATORS})`)\n    }\n\n    if (!Array.isArray(filter.or)) {\n      throw new TypeError('OR operator must be an array')\n    }\n    if (filter.or.length === 0) {\n      throw new TypeError('OR operator cannot be used with empty arrays')\n    }\n\n    const orClauses = filter.or.map((subFilter) =>\n      compileFilterRecursive(subFilter, context, alias),\n    )\n    clauses.push(`(${orClauses.join(' OR ')})`)\n  }\n\n  // Handle field conditions (implicit AND) first - preserve original order\n  const fieldEntries = Object.entries(filter).filter(\n    ([field, condition]) =>\n      field !== 'and' &&\n      field !== 'or' &&\n      !field.startsWith('$') &&\n      condition !== undefined,\n  )\n\n  for (const [field, condition] of fieldEntries) {\n    // Handle array conditions (for 'and'/'or' at field level)\n    if (Array.isArray(condition)) {\n      throw new SyntaxError(\n        `Field '${field}' cannot have array value. Use logical operators 'and'/'or' instead.`,\n      )\n    }\n\n    clauses.push(\n      compileFieldCondition(field, condition as FieldCondition, context, alias),\n    )\n  }\n\n  // Handle alias blocks (keys starting with $) after regular fields\n  const aliasEntries = Object.entries(filter).filter(\n    ([key, value]) =>\n      key.startsWith('$') &&\n      value !== undefined &&\n      typeof value === 'object' &&\n      value !== null,\n  )\n\n  for (const [aliasKey, aliasFilter] of aliasEntries) {\n    const aliasName = aliasKey.slice(1) // Remove the $ prefix\n\n    // Validate alias name\n    if (!isValidSqlIdentifier(aliasName)) {\n      throw new SyntaxError(`Invalid alias identifier: ${aliasName}`)\n    }\n\n    // Recursively compile the alias block with the alias context\n    const aliasClause = compileFilterRecursive(\n      aliasFilter as JsonFilter,\n      context,\n      aliasName,\n    )\n    clauses.push(aliasClause)\n  }\n\n  context.depth--\n\n  if (clauses.length === 0) {\n    throw new SyntaxError('Filter must contain at least one condition')\n  }\n\n  // Fix: ensure we have at least one clause before accessing clauses[0]\n  if (clauses.length === 1) {\n    return clauses[0]!\n  } else {\n    return `(${clauses.join(' AND ')})`\n  }\n}\n\n/**\n * Compile a JSON filter to a SQL WHERE clause\n */\nexport function compileFilter(filter: JsonFilter): FilterResult {\n  const context: CompileContext = {\n    depth: 0,\n    operatorCount: 0,\n    values: [],\n  }\n\n  const text = `(${compileFilterRecursive(filter, context)})`\n\n  // Backstop against output-size denial-of-service. Identifier-length and\n  // operator-count limits keep individual pieces bounded; this guards the\n  // aggregate so compileFilter() cannot emit an oversized clause even when used\n  // standalone (the sql tag enforces the same cap when fragments are composed).\n  if (text.length > MAX_QUERY_LENGTH) {\n    throw new RangeError(\n      `Compiled filter too long: ${text.length} bytes (max: ${MAX_QUERY_LENGTH})`,\n    )\n  }\n\n  // Returned as a branded fragment so it can be interpolated directly into a\n  // sql`` template with its values automatically collected — no sql.raw()\n  // needed, which removes the value-binding footgun.\n  return createFragment(text, context.values) as FilterResult\n}\n"
+  ],
+  "mappings": ";AAKO,IAAM,mBAAmB;AAKzB,IAAM,wBAAwB;AAM9B,IAAM,qBAAqB;AAM3B,IAAM,sBAAsB;AAG5B,IAAM,6BACX;AAGK,IAAM,0BAA0B;;;ACbvC,IAAM,mBAAmB,IAAI;AAQtB,SAAS,cAAc,CAC5B,MACA,QACa;AAAA,EACb,MAAM,WAAwB,OAAO,OAAO;AAAA,IAC1C;AAAA,IACA,QAAQ,OAAO,OAAO,CAAC,GAAG,MAAM,CAAC;AAAA,EACnC,CAAC;AAAA,EAED,iBAAiB,IAAI,QAAQ;AAAA,EAE7B,OAAO;AAAA;AAOF,SAAS,aAAa,CAAC,OAAsC;AAAA,EAClE,OACE,OAAO,UAAU,YACjB,UAAU,QACV,iBAAiB,IAAI,KAAe;AAAA;;;ACjCxC,SAAS,UAAU,CAAC,MAAoB;AAAA,EACtC,MAAM,OAAO,KAAK,YAAY;AAAA,EAC9B,MAAM,QAAQ,OAAO,KAAK,SAAS,IAAI,CAAC,EAAE,SAAS,GAAG,GAAG;AAAA,EACzD,MAAM,MAAM,OAAO,KAAK,QAAQ,CAAC,EAAE,SAAS,GAAG,GAAG;AAAA,EAClD,MAAM,QAAQ,OAAO,KAAK,SAAS,CAAC,EAAE,SAAS,GAAG,GAAG;AAAA,EACrD,MAAM,UAAU,OAAO,KAAK,WAAW,CAAC,EAAE,SAAS,GAAG,GAAG;AAAA,EACzD,MAAM,UAAU,OAAO,KAAK,WAAW,CAAC,EAAE,SAAS,GAAG,GAAG;AAAA,EAEzD,OAAO,GAAG,QAAQ,SAAS,OAAO,SAAS,WAAW;AAAA;AAMxD,SAAS,QAAQ,CAAC,OAA0B;AAAA,EAC1C,IAAI,UAAU,QAAQ,UAAU,WAAW;AAAA,IACzC,OAAO;AAAA,EACT;AAAA,EAEA,IAAI,OAAO,UAAU,UAAU;AAAA,IAC7B,OAAO;AAAA,EACT;AAAA,EAEA,IAAI,OAAO,UAAU,YAAY,OAAO,UAAU,WAAW;AAAA,IAC3D,OAAO;AAAA,EACT;AAAA,EAEA,IAAI,iBAAiB,MAAM;AAAA,IACzB,OAAO,WAAW,KAAK;AAAA,EACzB;AAAA,EAEA,IAAI,iBAAiB,UAAU,iBAAiB,YAAY;AAAA,IAC1D,MAAM,IAAI,UACR,8EACF;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,UAAU,2BAA2B,OAAO,OAAO;AAAA;AAM/D,SAAS,qBAAqB,CAAC,YAA4B;AAAA,EACzD,IAAI,WAAW,SAAS,uBAAuB;AAAA,IAC7C,MAAM,IAAI,UACR,6BAA6B,WAAW,2BAA2B,wBACrE;AAAA,EACF;AAAA,EACA,IAAI,CAAC,wBAAwB,KAAK,UAAU,GAAG;AAAA,IAC7C,MAAM,IAAI,UACR,4BAA4B,8CAC9B;AAAA,EACF;AAAA,EACA,OAAO,IAAI;AAAA;AAMb,SAAS,wBAAwB,CAAC,YAA4B;AAAA,EAC5D,IAAI,CAAC,2BAA2B,KAAK,UAAU,GAAG;AAAA,IAChD,MAAM,IAAI,UACR,uBAAuB,qFACzB;AAAA,EACF;AAAA,EAEA,MAAM,QAAQ,WAAW,MAAM,GAAG;AAAA,EAClC,OAAO,MAAM,IAAI,qBAAqB,EAAE,KAAK,GAAG;AAAA;AAMlD,SAAS,QAAQ,CACf,YACa;AAAA,EAEb,IAAI,MAAM,QAAQ,UAAU,GAAG;AAAA,IAC7B,IAAI,WAAW,WAAW,GAAG;AAAA,MAC3B,MAAM,IAAI,UAAU,kCAAkC;AAAA,IACxD;AAAA,IAEA,MAAM,YAA2B,CAAC;AAAA,IAElC,WAAW,QAAQ,YAAY;AAAA,MAI7B,IAAI,cAAc,IAAI,GAAG;AAAA,QACvB,UAAU,KAAK,IAAI;AAAA,MACrB,EAAO,SAAI,OAAO,SAAS,UAAU;AAAA,QAEnC,IAAI,CAAC,MAAM;AAAA,UACT,MAAM,IAAI,UAAU,2CAA2C;AAAA,QACjE;AAAA,QAEA,IAAI,CAAC,2BAA2B,KAAK,IAAI,GAAG;AAAA,UAC1C,MAAM,IAAI,UACR,uBAAuB,+EACzB;AAAA,QACF;AAAA,QAEA,UAAU,KAAK,eAAe,yBAAyB,IAAI,GAAG,CAAC,CAAC,CAAC;AAAA,MACnE,EAAO;AAAA,QACL,MAAM,IAAI,UAAU,8CAA8C;AAAA;AAAA,IAEtE;AAAA,IAGA,MAAM,OAAO,UAAU,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,IAAI;AAAA,IACnD,MAAM,SAAS,UAAU,QAAQ,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC;AAAA,IAErD,OAAO,eAAe,MAAM,MAAM;AAAA,EACpC;AAAA,EAGA,IAAI,CAAC,cAAc,OAAO,eAAe,UAAU;AAAA,IACjD,MAAM,IAAI,UAAU,uCAAuC;AAAA,EAC7D;AAAA,EAEA,IAAI,CAAC,2BAA2B,KAAK,UAAU,GAAG;AAAA,IAChD,MAAM,IAAI,UACR,uBAAuB,qFACzB;AAAA,EACF;AAAA,EAEA,OAAO,eAAe,yBAAyB,UAAU,GAAG,CAAC,CAAC;AAAA;AAMhE,SAAS,KAAK,CAAC,OAAwC;AAAA,EACrD,IAAI,CAAC,MAAM,QAAQ,KAAK,GAAG;AAAA,IACzB,MAAM,IAAI,UAAU,4BAA4B;AAAA,EAClD;AAAA,EAEA,IAAI,MAAM,WAAW,GAAG;AAAA,IACtB,MAAM,IAAI,UAAU,2CAA2C;AAAA,EACjE;AAAA,EAGA,IAAI,MAAM,SAAS,MAAM;AAAA,IACvB,QAAQ,KACN,8BAA8B,MAAM,uEACtC;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,MAAM,IAAI,MAAM,GAAG,EAAE,KAAK,GAAG;AAAA,EAClD,MAAM,SAAS,MAAM,IAAI,QAAQ;AAAA,EAEjC,OAAO,eAAe,IAAI,iBAAiB,MAAM;AAAA;AAWnD,SAAS,MAAM,CAAC,QAA6B;AAAA,EAC3C,IAAI,OAAO,WAAW,UAAU;AAAA,IAC9B,MAAM,IAAI,UAAU,6BAA6B;AAAA,EACnD;AAAA,EAEA,OAAO,eAAe,QAAQ,CAAC,CAAC;AAAA;AAMlC,SAAS,OAAO,CAAC,MAAwC;AAAA,EACvD,IAAI,EAAE,gBAAgB,WAAW,EAAE,gBAAgB,aAAa;AAAA,IAC9D,MAAM,IAAI,UAAU,4CAA4C;AAAA,EAClE;AAAA,EAEA,OAAO,eAAe,KAAK,CAAC,IAAI,CAAC;AAAA;AAWnC,IAAM,6BAA6B;AAAA,EACjC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAQA,SAAS,mBAAmB,CAAC,WAAyB;AAAA,EACpD,WAAW,SAAS,4BAA4B;AAAA,IAC9C,IAAI,UAAU,SAAS,KAAK,GAAG;AAAA,MAC7B,MAAM,IAAI,UACR,yDAAyD,KAAK,UAC5D,KACF,4EACF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,IAAI,QAAQ;AAAA,EACZ,WAAW,QAAQ,WAAW;AAAA,IAC5B,IAAI,SAAS,KAAK;AAAA,MAChB;AAAA,IACF,EAAO,SAAI,SAAS,KAAK;AAAA,MACvB;AAAA,MACA,IAAI,QAAQ,GAAG;AAAA,QACb,MAAM,IAAI,UACR,qDACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,IAAI,UAAU,GAAG;AAAA,IACf,MAAM,IAAI,UAAU,qDAAqD;AAAA,EAC3E;AAAA;AAYF,SAAS,OAAO,CACd,WACA,YAAkC,MACrB;AAAA,EACb,IAAI,CAAC,MAAM,QAAQ,SAAS,GAAG;AAAA,IAC7B,MAAM,IAAI,UAAU,2CAA2C;AAAA,EACjE;AAAA,EAEA,WAAW,YAAY,WAAW;AAAA,IAChC,IAAI,CAAC,cAAc,QAAQ,GAAG;AAAA,MAC5B,MAAM,IAAI,UACR,yEACF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,IAAI,UAAU,WAAW,GAAG;AAAA,IAC1B,OAAO,eAAe,IAAI,CAAC,CAAC;AAAA,EAC9B;AAAA,EAEA,IAAI;AAAA,EACJ,IAAI,kBAAsC,CAAC;AAAA,EAE3C,IAAI,cAAc,SAAS,GAAG;AAAA,IAC5B,gBAAgB,UAAU;AAAA,IAC1B,kBAAkB,UAAU;AAAA,EAC9B,EAAO,SAAI,OAAO,cAAc,UAAU;AAAA,IACxC,oBAAoB,SAAS;AAAA,IAC7B,gBAAgB;AAAA,EAClB,EAAO;AAAA,IACL,MAAM,IAAI,UACR,yDACF;AAAA;AAAA,EAGF,IAAI,OAAO;AAAA,EACX,MAAM,SAAoB,CAAC;AAAA,EAE3B,UAAU,QAAQ,CAAC,UAAU,UAAU;AAAA,IACrC,IAAI,QAAQ,GAAG;AAAA,MACb,QAAQ;AAAA,MACR,OAAO,KAAK,GAAG,eAAe;AAAA,IAChC;AAAA,IACA,QAAQ,SAAS;AAAA,IACjB,OAAO,KAAK,GAAG,SAAS,MAAM;AAAA,GAC/B;AAAA,EAED,OAAO,eAAe,MAAM,MAAM;AAAA;AAUpC,SAAS,OAAO,CAAC,MAA0D;AAAA,EACzE,IAAI,mBAAmB;AAAA,EACvB,IAAI,OAAO;AAAA,EACX,IAAI,IAAI;AAAA,EACR,MAAM,SAAS,KAAK;AAAA,EAEpB,OAAO,IAAI,QAAQ;AAAA,IACjB,MAAM,OAAO,KAAK;AAAA,IAClB,MAAM,OAAO,KAAK,IAAI;AAAA,IAGtB,IAAI,SAAS,OAAO,SAAS,KAAK;AAAA,MAChC,KAAK;AAAA,MACL,OAAO,IAAI,UAAU,KAAK,OAAO;AAAA,GAAM;AAAA,QACrC;AAAA,MACF;AAAA,MACA;AAAA,IACF;AAAA,IAGA,IAAI,SAAS,OAAO,SAAS,KAAK;AAAA,MAChC,KAAK;AAAA,MACL,OAAO,IAAI,UAAU,EAAE,KAAK,OAAO,OAAO,KAAK,IAAI,OAAO,MAAM;AAAA,QAC9D;AAAA,MACF;AAAA,MACA,KAAK;AAAA,MACL;AAAA,IACF;AAAA,IAIA,IAAI,SAAS,OAAO,SAAS,OAAO,SAAS,KAAK;AAAA,MAChD,MAAM,QAAQ;AAAA,MACd;AAAA,MACA,OAAO,IAAI,QAAQ;AAAA,QACjB,IAAI,KAAK,OAAO,OAAO;AAAA,UACrB,IAAI,KAAK,IAAI,OAAO,OAAO;AAAA,YACzB,KAAK;AAAA,YACL;AAAA,UACF;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,QACA;AAAA,MACF;AAAA,MACA;AAAA,IACF;AAAA,IAGA,IAAI,SAAS,KAAK;AAAA,MAChB;AAAA,MACA,OAAO,IAAI,UAAU,KAAK,OAAO,KAAK;AAAA,QACpC;AAAA,MACF;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IAEA,IAAI,SAAS,KAAK;AAAA,MAChB;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,IACR;AAAA,EACF;AAAA,EAEA,OAAO,EAAE,kBAAkB,KAAK;AAAA;AAMlC,SAAS,GAAG,CAAC,YAAkC,QAA6B;AAAA,EAE1E,IAAI,OAAO,QAAQ,MAAM;AAAA,EACzB,MAAM,cAAyB,CAAC;AAAA,EAEhC,SAAS,IAAI,EAAG,IAAI,OAAO,QAAQ,KAAK;AAAA,IACtC,MAAM,QAAQ,OAAO;AAAA,IAIrB,IAAI,cAAc,KAAK,GAAG;AAAA,MACxB,QAAQ,MAAM;AAAA,MACd,YAAY,KAAK,GAAG,MAAM,MAAM;AAAA,IAClC,EAAO;AAAA,MAEL,QAAQ;AAAA,MACR,YAAY,KAAK,SAAS,KAAiB,CAAC;AAAA;AAAA,IAG9C,QAAQ,QAAQ,IAAI,MAAM;AAAA,EAC5B;AAAA,EAGA,IAAI,KAAK,SAAS,kBAAkB;AAAA,IAClC,MAAM,IAAI,MACR,mBAAmB,KAAK,sBAAsB,mBAChD;AAAA,EACF;AAAA,EAEA,QAAQ,kBAAkB,SAAS,QAAQ,IAAI;AAAA,EAK/C,IAAI,qBAAqB,YAAY,QAAQ;AAAA,IAC3C,MAAM,IAAI,MACR,sBAAsB,uDAAuD,YAAY,cACvF,+DACJ;AAAA,EACF;AAAA,EAEA,IAAI,oBAAoB,KAAK,IAAI,GAAG;AAAA,IAClC,MAAM,IAAI,MAAM,iCAAiC;AAAA,EACnD;AAAA,EAIA,OAAO,eAAe,MAAM,WAAW;AAAA;AAIzC,IAAI,QAAQ;AACZ,IAAI,QAAQ;AACZ,IAAI,KAAK;AACT,IAAI,MAAM;AACV,IAAI,OAAO;AACX,IAAI,OAAO;;;AC7aX,IAAM,oBAAoB;AAC1B,IAAM,gBAAgB;AAGtB,IAAM,kBAAkB,IAAI,IAAI;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAcD,SAAS,UAAU,CAAC,OAAwB;AAAA,EAC1C,OAAO,MAAM,SAAS,GAAG;AAAA;AAM3B,SAAS,eAAe,CAAC,OAGvB;AAAA,EACA,MAAM,QAAQ,MAAM,MAAM,GAAG;AAAA,EAC7B,MAAM,aAAa,MAAM;AAAA,EACzB,MAAM,WAAW,MAAM,MAAM,CAAC;AAAA,EAE9B,IAAI,CAAC,cAAc,SAAS,WAAW,KAAK,SAAS,KAAK,CAAC,SAAS,CAAC,IAAI,GAAG;AAAA,IAC1E,MAAM,IAAI,YAAY,sBAAsB,OAAO;AAAA,EACrD;AAAA,EAEA,OAAO;AAAA,IACL;AAAA,IACA,UAAU,OAAO,SAAS,KAAK,GAAG;AAAA,EACpC;AAAA;AAMF,SAAS,oBAAoB,CAAC,YAA6B;AAAA,EACzD,OACE,WAAW,UAAU,yBACrB,wBAAwB,KAAK,UAAU;AAAA;AAQ3C,SAAS,wBAAwB,CAAC,UAAkB,SAAuB;AAAA,EACzE,IAAI,QAAQ,SAAS,oBAAoB;AAAA,IACvC,MAAM,IAAI,WACR,GAAG,8BAA8B,QAAQ,2BAA2B,qBACtE;AAAA,EACF;AAAA;AAMF,SAAS,qBAAqB,CAC5B,OACA,WACA,SACA,OACQ;AAAA,EAER,IACE,cAAc,QACd,cAAc,aACd,OAAO,cAAc,YACrB,OAAO,cAAc,YACrB,OAAO,cAAc,aACrB,qBAAqB,MACrB;AAAA,IACA,QAAQ;AAAA,IACR,IAAI,QAAQ,gBAAgB,eAAe;AAAA,MACzC,MAAM,IAAI,WAAW,4BAA4B,gBAAgB;AAAA,IACnE;AAAA,IAEA,IAAI,WAAW,KAAK,GAAG;AAAA,MACrB,QAAQ,YAAY,aAAa,gBAAgB,KAAK;AAAA,MACtD,MAAM,iBAAgB,IAAI,MAAM,UAAU;AAAA,MAC1C,MAAM,gBAAgB,QAClB,GAAG,SAAS,eAAc,SAC1B,eAAc;AAAA,MAElB,IAAI,cAAc,QAAQ,cAAc,WAAW;AAAA,QACjD,QAAQ,OAAO,KAAK,QAAQ;AAAA,QAC5B,OAAO,iBAAiB;AAAA,MAC1B,EAAO;AAAA,QACL,QAAQ,OAAO,KAAK,UAAU,IAAI,MAAM,SAAS,CAAC;AAAA,QAClD,OAAO,iBAAiB;AAAA;AAAA,IAE5B,EAAO;AAAA,MACL,MAAM,iBAAgB,IAAI,MAAM,KAAK;AAAA,MACrC,MAAM,gBAAgB,QAClB,GAAG,SAAS,eAAc,SAC1B,eAAc;AAAA,MAElB,IAAI,cAAc,QAAQ,cAAc,WAAW;AAAA,QACjD,OAAO,IAAI;AAAA,MACb,EAAO;AAAA,QACL,QAAQ,OAAO,KAAK,IAAI,MAAM,SAAS,CAAC;AAAA,QACxC,OAAO,IAAI;AAAA;AAAA;AAAA,EAGjB;AAAA,EAGA,IAAI,OAAO,cAAc,YAAY,cAAc,MAAM;AAAA,IACvD,MAAM,IAAI,UAAU,8CAA8C;AAAA,EACpE;AAAA,EAEA,MAAM,YAAY;AAAA,EAClB,MAAM,UAAoB,CAAC;AAAA,EAG3B,WAAW,MAAM,OAAO,KAAK,SAAS,GAAG;AAAA,IACvC,IAAI,CAAC,gBAAgB,IAAI,EAAE,GAAG;AAAA,MAC5B,MAAM,IAAI,YAAY,qBAAqB,IAAI;AAAA,IACjD;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,IAAI,MACxB,WAAW,KAAK,IAAI,gBAAgB,KAAK,EAAE,aAAa,KAC1D;AAAA,EACA,MAAM,gBAAgB,QAClB,GAAG,SAAS,cAAc,SAC1B,cAAc;AAAA,EAClB,MAAM,YAAY,WAAW,KAAK,IAC9B,gBAAgB,sBAChB;AAAA,EAGJ,IAAI,WAAW,KAAK,GAAG;AAAA,IACrB,QAAQ,OAAO,KAAK,gBAAgB,KAAK,EAAE,QAAQ;AAAA,EACrD;AAAA,EAGA,IAAI,YAAY,WAAW;AAAA,IACzB,QAAQ;AAAA,IACR,IAAI,QAAQ,gBAAgB,eAAe;AAAA,MACzC,MAAM,IAAI,WAAW,4BAA4B,gBAAgB;AAAA,IACnE;AAAA,IAEA,OAAO,UAAU,SACb,IAAI,2BACJ,IAAI;AAAA,EACV;AAAA,EAGA,YAAY,IAAI,UAAU,OAAO,QAAQ,SAAS,GAAG;AAAA,IACnD,QAAQ;AAAA,IACR,IAAI,QAAQ,gBAAgB,eAAe;AAAA,MACzC,MAAM,IAAI,WAAW,4BAA4B,gBAAgB;AAAA,IACnE;AAAA,IAEA,QAAQ;AAAA,WACD;AAAA,QACH,QAAQ,OAAO,KAAK,IAAI,MAAM,KAAK,CAAC;AAAA,QACpC,QAAQ,KAAK,GAAG,eAAe;AAAA,QAC/B;AAAA,WACG;AAAA,QACH,QAAQ,OAAO,KAAK,IAAI,MAAM,KAAK,CAAC;AAAA,QACpC,QAAQ,KAAK,GAAG,gBAAgB;AAAA,QAChC;AAAA,WACG;AAAA,QACH,QAAQ,OAAO,KAAK,IAAI,MAAM,KAAK,CAAC;AAAA,QACpC,QAAQ,KAAK,GAAG,eAAe;AAAA,QAC/B;AAAA,WACG;AAAA,QACH,QAAQ,OAAO,KAAK,IAAI,MAAM,KAAK,CAAC;AAAA,QACpC,QAAQ,KAAK,GAAG,gBAAgB;AAAA,QAChC;AAAA,WACG;AAAA,QACH,IAAI,UAAU,QAAQ,UAAU,WAAW;AAAA,UACzC,QAAQ,KAAK,GAAG,uBAAuB;AAAA,QACzC,EAAO;AAAA,UACL,QAAQ,OAAO,KAAK,IAAI,MAAM,KAAK,CAAC;AAAA,UACpC,QAAQ,KAAK,GAAG,gBAAgB;AAAA;AAAA,QAElC;AAAA,WACG,MAAM;AAAA,QACT,IAAI,CAAC,MAAM,QAAQ,KAAK,GAAG;AAAA,UACzB,MAAM,IAAI,UAAU,+BAA+B;AAAA,QACrD;AAAA,QACA,IAAI,MAAM,WAAW,GAAG;AAAA,UACtB,MAAM,IAAI,UAAU,8CAA8C;AAAA,QACpE;AAAA,QACA,IAAI,MAAM,SAAS,KAAK;AAAA,UACtB,MAAM,IAAI,WACR,8DACF;AAAA,QACF;AAAA,QAEA,MAAM,aAAa,IAAI,GAAG,KAAK;AAAA,QAC/B,QAAQ,OAAO,KAAK,GAAG,WAAW,MAAM;AAAA,QACxC,QAAQ,KAAK,GAAG,gBAAgB,WAAW,MAAM;AAAA,QACjD;AAAA,MACF;AAAA,WACK,OAAO;AAAA,QACV,IAAI,CAAC,MAAM,QAAQ,KAAK,GAAG;AAAA,UACzB,MAAM,IAAI,UAAU,gCAAgC;AAAA,QACtD;AAAA,QACA,IAAI,MAAM,WAAW,GAAG;AAAA,UACtB,MAAM,IAAI,UAAU,+CAA+C;AAAA,QACrE;AAAA,QACA,IAAI,MAAM,SAAS,KAAK;AAAA,UACtB,MAAM,IAAI,WACR,+DACF;AAAA,QACF;AAAA,QAEA,MAAM,cAAc,IAAI,GAAG,KAAK;AAAA,QAChC,QAAQ,OAAO,KAAK,GAAG,YAAY,MAAM;AAAA,QACzC,QAAQ,KAAK,GAAG,oBAAoB,YAAY,MAAM;AAAA,QACtD;AAAA,MACF;AAAA,WACK;AAAA,QACH,IAAI,OAAO,UAAU,UAAU;AAAA,UAC7B,MAAM,IAAI,UAAU,yCAAyC;AAAA,QAC/D;AAAA,QACA,yBAAyB,QAAQ,KAAK;AAAA,QACtC,QAAQ,OAAO,KAAK,KAAK;AAAA,QACzB,QAAQ,KAAK,GAAG,kBAAkB;AAAA,QAClC;AAAA,WACG;AAAA,QACH,IAAI,OAAO,UAAU,UAAU;AAAA,UAC7B,MAAM,IAAI,UAAU,0CAA0C;AAAA,QAChE;AAAA,QACA,yBAAyB,SAAS,KAAK;AAAA,QACvC,QAAQ,OAAO,KAAK,KAAK;AAAA,QACzB,QAAQ,KAAK,GAAG,iCAAiC;AAAA,QACjD;AAAA,WACG;AAAA,QACH,IAAI,OAAO,UAAU,UAAU;AAAA,UAC7B,MAAM,IAAI,UAAU,0CAA0C;AAAA,QAChE;AAAA,QACA,yBAAyB,SAAS,KAAK;AAAA,QACvC,QAAQ,OAAO,KAAK,KAAK;AAAA,QACzB,QAAQ,KAAK,GAAG,oBAAoB;AAAA,QACpC;AAAA;AAAA,EAEN;AAAA,EAEA,IAAI,QAAQ,WAAW,GAAG;AAAA,IACxB,MAAM,IAAI,YACR,0DACF;AAAA,EACF;AAAA,EAEA,OAAO,QAAQ,WAAW,IAAI,IAAI,QAAQ,QAAQ,IAAI,QAAQ,KAAK,OAAO;AAAA;AAM5E,SAAS,sBAAsB,CAC7B,QACA,SACA,OACQ;AAAA,EACR,IAAI,QAAQ,SAAS,mBAAmB;AAAA,IACtC,MAAM,IAAI,WAAW,gCAAgC,oBAAoB;AAAA,EAC3E;AAAA,EAEA,IAAI,OAAO,WAAW,YAAY,WAAW,MAAM;AAAA,IACjD,MAAM,IAAI,UAAU,0BAA0B;AAAA,EAChD;AAAA,EAEA,QAAQ;AAAA,EACR,MAAM,UAAoB,CAAC;AAAA,EAG3B,IAAI,SAAS,UAAU,OAAO,KAAK;AAAA,IACjC,QAAQ;AAAA,IACR,IAAI,QAAQ,gBAAgB,eAAe;AAAA,MACzC,MAAM,IAAI,WAAW,4BAA4B,gBAAgB;AAAA,IACnE;AAAA,IAEA,IAAI,CAAC,MAAM,QAAQ,OAAO,GAAG,GAAG;AAAA,MAC9B,MAAM,IAAI,UAAU,+BAA+B;AAAA,IACrD;AAAA,IACA,IAAI,OAAO,IAAI,WAAW,GAAG;AAAA,MAC3B,MAAM,IAAI,UAAU,+CAA+C;AAAA,IACrE;AAAA,IAEA,MAAM,aAAa,OAAO,IAAI,IAAI,CAAC,cACjC,uBAAuB,WAAW,SAAS,KAAK,CAClD;AAAA,IACA,QAAQ,KAAK,IAAI,WAAW,KAAK,OAAO,IAAI;AAAA,EAC9C;AAAA,EAEA,IAAI,QAAQ,UAAU,OAAO,IAAI;AAAA,IAC/B,QAAQ;AAAA,IACR,IAAI,QAAQ,gBAAgB,eAAe;AAAA,MACzC,MAAM,IAAI,WAAW,4BAA4B,gBAAgB;AAAA,IACnE;AAAA,IAEA,IAAI,CAAC,MAAM,QAAQ,OAAO,EAAE,GAAG;AAAA,MAC7B,MAAM,IAAI,UAAU,8BAA8B;AAAA,IACpD;AAAA,IACA,IAAI,OAAO,GAAG,WAAW,GAAG;AAAA,MAC1B,MAAM,IAAI,UAAU,8CAA8C;AAAA,IACpE;AAAA,IAEA,MAAM,YAAY,OAAO,GAAG,IAAI,CAAC,cAC/B,uBAAuB,WAAW,SAAS,KAAK,CAClD;AAAA,IACA,QAAQ,KAAK,IAAI,UAAU,KAAK,MAAM,IAAI;AAAA,EAC5C;AAAA,EAGA,MAAM,eAAe,OAAO,QAAQ,MAAM,EAAE,OAC1C,EAAE,OAAO,eACP,UAAU,SACV,UAAU,QACV,CAAC,MAAM,WAAW,GAAG,KACrB,cAAc,SAClB;AAAA,EAEA,YAAY,OAAO,cAAc,cAAc;AAAA,IAE7C,IAAI,MAAM,QAAQ,SAAS,GAAG;AAAA,MAC5B,MAAM,IAAI,YACR,UAAU,2EACZ;AAAA,IACF;AAAA,IAEA,QAAQ,KACN,sBAAsB,OAAO,WAA6B,SAAS,KAAK,CAC1E;AAAA,EACF;AAAA,EAGA,MAAM,eAAe,OAAO,QAAQ,MAAM,EAAE,OAC1C,EAAE,KAAK,WACL,IAAI,WAAW,GAAG,KAClB,UAAU,aACV,OAAO,UAAU,YACjB,UAAU,IACd;AAAA,EAEA,YAAY,UAAU,gBAAgB,cAAc;AAAA,IAClD,MAAM,YAAY,SAAS,MAAM,CAAC;AAAA,IAGlC,IAAI,CAAC,qBAAqB,SAAS,GAAG;AAAA,MACpC,MAAM,IAAI,YAAY,6BAA6B,WAAW;AAAA,IAChE;AAAA,IAGA,MAAM,cAAc,uBAClB,aACA,SACA,SACF;AAAA,IACA,QAAQ,KAAK,WAAW;AAAA,EAC1B;AAAA,EAEA,QAAQ;AAAA,EAER,IAAI,QAAQ,WAAW,GAAG;AAAA,IACxB,MAAM,IAAI,YAAY,4CAA4C;AAAA,EACpE;AAAA,EAGA,IAAI,QAAQ,WAAW,GAAG;AAAA,IACxB,OAAO,QAAQ;AAAA,EACjB,EAAO;AAAA,IACL,OAAO,IAAI,QAAQ,KAAK,OAAO;AAAA;AAAA;AAO5B,SAAS,aAAa,CAAC,QAAkC;AAAA,EAC9D,MAAM,UAA0B;AAAA,IAC9B,OAAO;AAAA,IACP,eAAe;AAAA,IACf,QAAQ,CAAC;AAAA,EACX;AAAA,EAEA,MAAM,OAAO,IAAI,uBAAuB,QAAQ,OAAO;AAAA,EAMvD,IAAI,KAAK,SAAS,kBAAkB;AAAA,IAClC,MAAM,IAAI,WACR,6BAA6B,KAAK,sBAAsB,mBAC1D;AAAA,EACF;AAAA,EAKA,OAAO,eAAe,MAAM,QAAQ,MAAM;AAAA;",
+  "debugId": "B02F5A27F175BBBF64756E2164756E21",
+  "names": []
+}

package/dist/sql.d.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import type { SqlFragment, SqlQuery, SqlValue } from './types';
+/**
+ * Convert a value to its SQLite representation
+ */
+declare function sqlValue(value: SqlValue): unknown;
+/**
+ * Validate and quote a SQL identifier or array of identifiers/fragments
+ */
+declare function sqlIdent(identifier: string | readonly (string | SqlFragment)[]): SqlFragment;
+/**
+ * Create SQL IN clause from array
+ */
+declare function sqlIn(array: readonly unknown[]): SqlFragment;
+/**
+ * Create raw SQL fragment (DANGEROUS - must not contain user input).
+ *
+ * This is the library's single, explicit trust boundary: whatever string is
+ * passed here becomes SQL verbatim. Only ever pass developer-authored,
+ * constant SQL. Never pass user input. For dynamic WHERE clauses use
+ * compileFilter(); for identifiers use sql.ident().
+ */
+declare function sqlRaw(rawSql: string): SqlFragment;
+/**
+ * Create SQL fragment for BLOB data (for validated binary data)
+ */
+declare function sqlBlob(data: Buffer | Uint8Array): SqlFragment;
+/**
+ * Join SQL fragments with a separator.
+ *
+ * Fragments must be library-minted (branded) fragments. The separator may be:
+ *  - a string: treated as a structural connector and validated by
+ *    assertSafeSeparator() so any connector is supported safely; or
+ *  - a SqlFragment: its text becomes the connector and its values are
+ *    interleaved between fragments, allowing fully parameterized separators.
+ */
+declare function sqlJoin(fragments: readonly SqlFragment[], separator?: string | SqlFragment): SqlFragment;
+/**
+ * Main SQL tagged template function
+ */
+declare function sql(strings: TemplateStringsArray, ...values: unknown[]): SqlQuery;
+declare namespace sql {
+    export var value: typeof sqlValue;
+    export var ident: typeof sqlIdent;
+    var _a: typeof sqlIn;
+    export var raw: typeof sqlRaw;
+    export var blob: typeof sqlBlob;
+    export var join: typeof sqlJoin;
+    export { _a as in };
+}
+export { sql };
+//# sourceMappingURL=sql.d.ts.map

package/dist/sql.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sql.d.ts","sourceRoot":"","sources":["../src/sql.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAgB9D;;GAEG;AACH,iBAAS,QAAQ,CAAC,KAAK,EAAE,QAAQ,GAAG,OAAO,CAwB1C;AAiCD;;GAEG;AACH,iBAAS,QAAQ,CACf,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC,MAAM,GAAG,WAAW,CAAC,EAAE,GACrD,WAAW,CAoDb;AAED;;GAEG;AACH,iBAAS,KAAK,CAAC,KAAK,EAAE,SAAS,OAAO,EAAE,GAAG,WAAW,CAoBrD;AAED;;;;;;;GAOG;AACH,iBAAS,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW,CAM3C;AAED;;GAEG;AACH,iBAAS,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,WAAW,CAMvD;AA2DD;;;;;;;;GAQG;AACH,iBAAS,OAAO,CACd,SAAS,EAAE,SAAS,WAAW,EAAE,EACjC,SAAS,GAAE,MAAM,GAAG,WAAkB,GACrC,WAAW,CA6Cb;AA6ED;;GAEG;AACH,iBAAS,GAAG,CAAC,OAAO,EAAE,oBAAoB,EAAE,GAAG,MAAM,EAAE,OAAO,EAAE,GAAG,QAAQ,CAgD1E;kBAhDQ,GAAG;;;;;;;;;AA0DZ,OAAO,EAAE,GAAG,EAAE,CAAA"}

package/dist/types.d.ts ADDED Viewed

@@ -0,0 +1,74 @@
+/**
+ * The result of a SQL tagged template
+ */
+export interface SqlQuery {
+    readonly text: string;
+    readonly values: readonly unknown[];
+}
+/**
+ * Valid SQL value types that can be safely interpolated
+ */
+export type SqlValue = string | number | boolean | null | undefined | Date | Buffer | Uint8Array;
+/**
+ * A SQL fragment that can be joined with other fragments
+ */
+export interface SqlFragment {
+    readonly text: string;
+    readonly values: readonly unknown[];
+}
+/**
+ * Comparison operators for JSON filters
+ */
+export interface ComparisonOperators {
+    /** Greater than */
+    gt?: SqlValue;
+    /** Greater than or equal */
+    gte?: SqlValue;
+    /** Less than */
+    lt?: SqlValue;
+    /** Less than or equal */
+    lte?: SqlValue;
+    /** Not equal */
+    ne?: SqlValue;
+    /** IN array */
+    in?: readonly SqlValue[];
+    /** NOT IN array */
+    nin?: readonly SqlValue[];
+    /** LIKE pattern */
+    like?: string;
+    /** Case-insensitive LIKE */
+    ilike?: string;
+    /** Regular expression pattern */
+    regex?: string;
+    /** Field exists check (true = IS NOT NULL, false = IS NULL) */
+    exists?: boolean;
+}
+/**
+ * A field condition can be a direct value or an object with operators
+ */
+export type FieldCondition = SqlValue | ComparisonOperators;
+/**
+ * Logical operators for combining filters
+ */
+export interface LogicalOperators {
+    /** All conditions must match */
+    and?: readonly JsonFilter[];
+    /** Any condition must match */
+    or?: readonly JsonFilter[];
+}
+/**
+ * A JSON filter for compiling to SQL WHERE clauses
+ * Can be a field-to-condition mapping with implicit AND, explicit logical operators,
+ * or alias blocks (keys starting with $) containing nested filters
+ */
+export type JsonFilter = LogicalOperators & {
+    [field: string]: FieldCondition | readonly JsonFilter[] | JsonFilter | undefined;
+};
+/**
+ * Result of compiling a JSON filter to SQL
+ */
+export interface FilterResult {
+    readonly text: string;
+    readonly values: readonly unknown[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAA;CACpC;AAED;;GAEG;AACH,MAAM,MAAM,QAAQ,GAChB,MAAM,GACN,MAAM,GACN,OAAO,GACP,IAAI,GACJ,SAAS,GACT,IAAI,GACJ,MAAM,GACN,UAAU,CAAA;AAEd;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAA;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,mBAAmB;IACnB,EAAE,CAAC,EAAE,QAAQ,CAAA;IACb,4BAA4B;IAC5B,GAAG,CAAC,EAAE,QAAQ,CAAA;IACd,gBAAgB;IAChB,EAAE,CAAC,EAAE,QAAQ,CAAA;IACb,yBAAyB;IACzB,GAAG,CAAC,EAAE,QAAQ,CAAA;IACd,gBAAgB;IAChB,EAAE,CAAC,EAAE,QAAQ,CAAA;IACb,eAAe;IACf,EAAE,CAAC,EAAE,SAAS,QAAQ,EAAE,CAAA;IACxB,mBAAmB;IACnB,GAAG,CAAC,EAAE,SAAS,QAAQ,EAAE,CAAA;IACzB,mBAAmB;IACnB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,4BAA4B;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,iCAAiC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,+DAA+D;IAC/D,MAAM,CAAC,EAAE,OAAO,CAAA;CACjB;AAED;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,QAAQ,GAAG,mBAAmB,CAAA;AAE3D;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,gCAAgC;IAChC,GAAG,CAAC,EAAE,SAAS,UAAU,EAAE,CAAA;IAC3B,+BAA+B;IAC/B,EAAE,CAAC,EAAE,SAAS,UAAU,EAAE,CAAA;CAC3B;AAED;;;;GAIG;AACH,MAAM,MAAM,UAAU,GAAG,gBAAgB,GAAG;IAC1C,CAAC,KAAK,EAAE,MAAM,GACV,cAAc,GACd,SAAS,UAAU,EAAE,GACrB,UAAU,GACV,SAAS,CAAA;CACd,CAAA;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,MAAM,EAAE,SAAS,OAAO,EAAE,CAAA;CACpC"}

package/package.json CHANGED Viewed

	@@ -1 +1 @@
1	- {"name":"@truto/sqlite-builder","version":"2.0.2-canary.28","description":"debug canary","license":"MIT","main":"index.js"}
1	+ {"name":"@truto/sqlite-builder","version":"2.0.2-canary.3","description":"debug canary","license":"MIT","main":"dist/index.js"}

package/README.md DELETED Viewed

	@@ -1 +0,0 @@
1	- `

package/index.js DELETED Viewed

	@@ -1 +0,0 @@
1	- module.exports = {};