befly 3.14.0 → 3.14.1

package/dist/befly.js

@@ -105,16 +105,20 @@ function upperFirst(s) {
   if (s.length === 0) {
     return s;
   }
-  return s[0].toUpperCase() + s.slice(1);
+  return s.charAt(0).toUpperCase() + s.slice(1);
 }
 function camelCase(input) {
   const parts = toWordParts(input);
   if (parts.length === 0) {
     return "";
   }
-  const first = parts[0].toLowerCase();
+  const firstPart = parts[0];
+  if (!firstPart) {
+    return "";
+  }
+  const first = firstPart.toLowerCase();
   const rest = parts.slice(1).map((p) => upperFirst(p.toLowerCase()));
-  return [first, ...rest].join("");
+  return [first].concat(rest).join("");
 }
 function normalizeToWords(input) {
   return String(input).replace(/([a-z0-9])([A-Z])/g, "$1 $2").replace(/[^a-zA-Z0-9]+/g, " ").trim();
@@ -235,7 +239,7 @@ function sanitizeErrorValue(err, options) {
     message: truncateString(err.message || "", options.maxStringLen)
   };
   if (typeof err.stack === "string") {
-    out.stack = truncateString(err.stack, options.maxStringLen);
+    out["stack"] = truncateString(err.stack, options.maxStringLen);
   }
   return out;
 }
@@ -323,8 +327,12 @@ function sanitizeAny(value, options, state, depth, visited) {
   const entries = Object.entries(obj);
   const limit = entries.length > options.sanitizeObjectKeys ? options.sanitizeObjectKeys : entries.length;
   for (let i = 0;i < limit; i++) {
-    const key = entries[i][0];
-    const child = entries[i][1];
+    const entry = entries[i];
+    if (!entry) {
+      continue;
+    }
+    const key = entry[0];
+    const child = entry[1];
     if (isSensitiveKey(key, options.sensitiveKeyMatcher)) {
       out[key] = "[MASKED]";
       continue;
@@ -365,10 +373,10 @@ function setCtxUser(userId, roleCode, nickname, roleType) {
   const store = storage.getStore();
   if (!store)
     return;
-  store.userId = userId;
-  store.roleCode = roleCode;
-  store.nickname = nickname;
-  store.roleType = roleType;
+  store.userId = userId === undefined ? null : userId;
+  store.roleCode = roleCode === undefined ? null : roleCode;
+  store.nickname = nickname === undefined ? null : nickname;
+  store.roleType = roleType === undefined ? null : roleType;
 }
 var storage;
 var init_asyncContext = __esm(() => {
@@ -798,8 +806,8 @@ function buildLogLine(level, record) {
     return `${safeJsonStringify(out)}
 `;
   }
-  if (base.msg === undefined) {
-    base.msg = "";
+  if (base["msg"] === undefined) {
+    base["msg"] = "";
   }
   return `${safeJsonStringify(base)}
 `;
@@ -809,7 +817,7 @@ function safeJsonStringify(obj) {
     return JSON.stringify(obj);
   } catch {
     try {
-      return JSON.stringify({ level: obj.level, time: obj.time, pid: obj.pid, hostname: obj.hostname, msg: "[Unserializable log record]" });
+      return JSON.stringify({ level: obj["level"], time: obj["time"], pid: obj["pid"], hostname: obj["hostname"], msg: "[Unserializable log record]" });
     } catch {
       return '{"msg":"[Unserializable log record]"}';
     }
@@ -855,10 +863,10 @@ function metaToObject() {
     now: meta.now,
     durationSinceNowMs
   };
-  obj.userId = meta.userId;
-  obj.roleCode = meta.roleCode;
-  obj.nickname = meta.nickname;
-  obj.roleType = meta.roleType;
+  obj["userId"] = meta.userId;
+  obj["roleCode"] = meta.roleCode;
+  obj["nickname"] = meta.nickname;
+  obj["roleType"] = meta.roleType;
   return obj;
 }
 function mergeMetaIntoObject(input, meta) {
@@ -1309,7 +1317,7 @@ async function scanViewsDirToMenuConfigs(viewsDir, prefix, parentPath = "") {
   return menus;
 }
 function getParentPath(path) {
-  const parts = path.split("/").filter((p) => !!p);
+  const parts = path.split("/").filter((p) => Boolean(p));
   if (parts.length <= 1) {
     return "";
   }
@@ -8468,7 +8476,7 @@ async function loadHooks(hooks) {
     hooksMap.push({
       name: hookName,
       enable: true,
-      deps: hook.deps,
+      deps: Array.isArray(hook.deps) ? hook.deps : [],
       handler: hook.handler
     });
   }
@@ -8502,7 +8510,7 @@ async function loadPlugins(plugins, context) {
       pluginsMap.push({
         name: pluginName,
         enable: true,
-        deps: plugin.deps,
+        deps: Array.isArray(plugin.deps) ? plugin.deps : [],
         handler: plugin.handler
       });
     } catch (error) {
@@ -8641,11 +8649,12 @@ function apiHandler(apis, hooks, context) {
       requestId,
       corsHeaders: {
         "X-Request-ID": requestId
-      },
-      api: apis.get(apiPath),
-      response: undefined,
-      result: undefined
+      }
     };
+    const api = apis.get(apiPath);
+    if (api) {
+      ctx.api = api;
+    }
     return withCtx({
       requestId,
       method: req.method,
@@ -8666,9 +8675,9 @@ function apiHandler(apis, hooks, context) {
             apiName: ctx.api.name
           };
           if (ctx.body && Object.keys(ctx.body).length > 0) {
-            logData.body = ctx.body;
+            logData["body"] = ctx.body;
           }
-          logData.msg = "request";
+          logData["msg"] = "request";
           Logger.info(logData);
         }
         if (!ctx.api) {
@@ -10085,8 +10094,14 @@ async function getTableColumnsRuntime(runtime, tableName) {
         let max = null;
         const m = /^(\w+)\s*\((\d+)\)/.exec(baseType);
         if (m) {
-          baseType = m[1];
-          max = Number(m[2]);
+          const base = m[1];
+          const maxText = m[2];
+          if (typeof base === "string") {
+            baseType = base;
+          }
+          if (typeof maxText === "string") {
+            max = Number(maxText);
+          }
         }
         columns[row.name] = {
           type: baseType.toLowerCase(),
@@ -10115,9 +10130,13 @@ async function getTableIndexesRuntime(runtime, tableName) {
       const q = getSyncTableIndexesQuery({ dialect: "mysql", table: tableName, dbName: runtime.dbName });
       const result = await runtime.db.unsafe(q.sql, q.params);
       for (const row of result.data) {
-        if (!indexes[row.INDEX_NAME])
-          indexes[row.INDEX_NAME] = [];
-        indexes[row.INDEX_NAME].push(row.COLUMN_NAME);
+        const indexName = row.INDEX_NAME;
+        const current = indexes[indexName];
+        if (Array.isArray(current)) {
+          current.push(row.COLUMN_NAME);
+        } else {
+          indexes[indexName] = [row.COLUMN_NAME];
+        }
       }
     } else if (runtime.dbDialect === "postgresql") {
       const q = getSyncTableIndexesQuery({ dialect: "postgresql", table: tableName, dbName: runtime.dbName });
@@ -10125,7 +10144,8 @@ async function getTableIndexesRuntime(runtime, tableName) {
       for (const row of result.data) {
         const m = /\(([^)]+)\)/.exec(row.indexdef);
         if (m) {
-          const col = m[1].replace(/"/g, "").trim();
+          const colPart = m[1];
+          const col = typeof colPart === "string" ? colPart.replace(/"/g, "").trim() : "";
           indexes[row.indexname] = [col];
         }
       }
@@ -10158,7 +10178,8 @@ async function ensureDbVersion(dbDialect, db) {
       throw new Error("\u65E0\u6CD5\u83B7\u53D6 MySQL \u7248\u672C\u4FE1\u606F");
     }
     const version = r.data[0].version;
-    const majorVersion = parseInt(String(version).split(".")[0], 10);
+    const majorPart = String(version).split(".")[0] || "0";
+    const majorVersion = parseInt(majorPart, 10);
     if (!Number.isFinite(majorVersion) || majorVersion < DB_VERSION_REQUIREMENTS.MYSQL_MIN_MAJOR) {
       throw new Error(`\u6B64\u811A\u672C\u4EC5\u652F\u6301 MySQL ${DB_VERSION_REQUIREMENTS.MYSQL_MIN_MAJOR}.0+\uFF0C\u5F53\u524D\u7248\u672C: ${version}`);
     }
@@ -10171,7 +10192,8 @@ async function ensureDbVersion(dbDialect, db) {
     }
     const versionText = r.data[0].version;
     const m = /PostgreSQL\s+(\d+)/i.exec(versionText);
-    const major = m ? parseInt(m[1], 10) : NaN;
+    const majorText = m ? m[1] : undefined;
+    const major = typeof majorText === "string" ? parseInt(majorText, 10) : NaN;
     if (!Number.isFinite(major) || major < DB_VERSION_REQUIREMENTS.POSTGRES_MIN_MAJOR) {
       throw new Error(`\u6B64\u811A\u672C\u8981\u6C42 PostgreSQL >= ${DB_VERSION_REQUIREMENTS.POSTGRES_MIN_MAJOR}\uFF0C\u5F53\u524D: ${versionText}`);
     }
@@ -10183,7 +10205,10 @@ async function ensureDbVersion(dbDialect, db) {
       throw new Error("\u65E0\u6CD5\u83B7\u53D6 SQLite \u7248\u672C\u4FE1\u606F");
     }
     const version = r.data[0].version;
-    const [maj, min, patch] = String(version).split(".").map((v) => parseInt(v, 10) || 0);
+    const parts = String(version).split(".").map((v) => parseInt(v, 10) || 0);
+    const maj = parts[0] ?? 0;
+    const min = parts[1] ?? 0;
+    const patch = parts[2] ?? 0;
     const vnum = maj * 1e4 + min * 100 + patch;
     if (!Number.isFinite(vnum) || vnum < DB_VERSION_REQUIREMENTS.SQLITE_MIN_VERSION_NUM) {
       throw new Error(`\u6B64\u811A\u672C\u8981\u6C42 SQLite >= ${DB_VERSION_REQUIREMENTS.SQLITE_MIN_VERSION}\uFF0C\u5F53\u524D: ${version}`);
@@ -10213,7 +10238,11 @@ function compareFieldDefinition(dbDialect, existingColumn, fieldDef) {
     }
   }
   const typeMapping = getTypeMapping(dbDialect);
-  const expectedType = typeMapping[fieldDef.type].toLowerCase();
+  const mapped = typeMapping[fieldDef.type];
+  if (typeof mapped !== "string") {
+    throw new Error(`\u672A\u77E5\u5B57\u6BB5\u7C7B\u578B\u6620\u5C04\uFF1Adialect=${dbDialect} type=${String(fieldDef.type)}`);
+  }
+  const expectedType = mapped.toLowerCase();
   const currentType = existingColumn.type.toLowerCase();
   if (currentType !== expectedType) {
     changes.push({
@@ -10523,8 +10552,8 @@ var calcPerfTime = (startTime, endTime = Bun.nanoseconds()) => {
 // utils/processInfo.ts
 function getProcessRole(env) {
   const runtimeEnv = env || {};
-  const bunWorkerId = runtimeEnv.BUN_WORKER_ID;
-  const pm2InstanceId = runtimeEnv.PM2_INSTANCE_ID;
+  const bunWorkerId = runtimeEnv["BUN_WORKER_ID"];
+  const pm2InstanceId = runtimeEnv["PM2_INSTANCE_ID"];
   if (bunWorkerId !== undefined) {
     return {
       role: bunWorkerId === "" ? "primary" : "worker",
@@ -12311,7 +12340,7 @@ class Validator {
     return {
       code: failed ? 1 : 0,
       failed,
-      firstError: failed ? errors[0] : null,
+      firstError: failed ? errors[0] ?? null : null,
       errors,
       errorFields,
       fieldErrors
@@ -12825,18 +12854,44 @@ class DbUtils {
       throw new Error("tableRef \u4E0D\u80FD\u4E3A\u7A7A");
     }
     const parts = trimmed.split(/\s+/).filter((p) => p.length > 0);
+    if (parts.length === 0) {
+      throw new Error("tableRef \u4E0D\u80FD\u4E3A\u7A7A");
+    }
     if (parts.length > 2) {
       throw new Error(`\u4E0D\u652F\u6301\u7684\u8868\u5F15\u7528\u683C\u5F0F\uFF08\u5305\u542B\u8FC7\u591A\u7247\u6BB5\uFF09\u3002\u8BF7\u4F7F\u7528\u6700\u7B80\u5F62\u5F0F\uFF1Atable \u6216 table alias \u6216 schema.table \u6216 schema.table alias (tableRef: ${trimmed})`);
     }
     const namePart = parts[0];
-    const aliasPart = parts.length === 2 ? parts[1] : null;
+    if (typeof namePart !== "string" || namePart.trim() === "") {
+      throw new Error(`tableRef \u89E3\u6790\u5931\u8D25\uFF1A\u7F3A\u5C11\u8868\u540D (tableRef: ${trimmed})`);
+    }
+    let aliasPart = null;
+    if (parts.length === 2) {
+      const alias = parts[1];
+      if (typeof alias !== "string" || alias.trim() === "") {
+        throw new Error(`tableRef \u89E3\u6790\u5931\u8D25\uFF1A\u7F3A\u5C11 alias (tableRef: ${trimmed})`);
+      }
+      aliasPart = alias;
+    }
     const nameSegments = namePart.split(".");
     if (nameSegments.length > 2) {
       throw new Error(`\u4E0D\u652F\u6301\u7684\u8868\u5F15\u7528\u683C\u5F0F\uFF08schema \u5C42\u7EA7\u8FC7\u6DF1\uFF09 (tableRef: ${trimmed})`);
     }
-    const schema = nameSegments.length === 2 ? nameSegments[0] : null;
-    const table = nameSegments.length === 2 ? nameSegments[1] : nameSegments[0];
-    return { schema, table, alias: aliasPart };
+    if (nameSegments.length === 2) {
+      const schema = nameSegments[0];
+      const table2 = nameSegments[1];
+      if (typeof schema !== "string" || schema.trim() === "") {
+        throw new Error(`tableRef \u89E3\u6790\u5931\u8D25\uFF1Aschema \u4E3A\u7A7A (tableRef: ${trimmed})`);
+      }
+      if (typeof table2 !== "string" || table2.trim() === "") {
+        throw new Error(`tableRef \u89E3\u6790\u5931\u8D25\uFF1Atable \u4E3A\u7A7A (tableRef: ${trimmed})`);
+      }
+      return { schema, table: table2, alias: aliasPart };
+    }
+    const table = nameSegments[0];
+    if (typeof table !== "string" || table.trim() === "") {
+      throw new Error(`tableRef \u89E3\u6790\u5931\u8D25\uFF1Atable \u4E3A\u7A7A (tableRef: ${trimmed})`);
+    }
+    return { schema: null, table, alias: aliasPart };
   }
   static normalizeTableRef(tableRef) {
     const parsed = DbUtils.parseTableRef(tableRef);
@@ -12914,7 +12969,15 @@ class DbUtils {
       if (typeof item !== "string" || !item.includes("#")) {
         return item;
       }
-      const [field, direction] = item.split("#");
+      const parts = item.split("#");
+      if (parts.length !== 2) {
+        return item;
+      }
+      const field = parts[0];
+      const direction = parts[1];
+      if (typeof field !== "string" || typeof direction !== "string") {
+        return item;
+      }
       return `${snakeCase(field.trim())}#${direction.trim()}`;
     });
   }
@@ -12924,14 +12987,26 @@ class DbUtils {
     }
     if (field.toUpperCase().includes(" AS ")) {
       const parts = field.split(/\s+AS\s+/i);
-      const fieldPart = parts[0].trim();
-      const aliasPart = parts[1].trim();
-      return `${DbUtils.processJoinField(fieldPart)} AS ${aliasPart}`;
+      const fieldPart = parts[0];
+      const aliasPart = parts[1];
+      if (typeof fieldPart !== "string" || typeof aliasPart !== "string") {
+        return field;
+      }
+      return `${DbUtils.processJoinField(fieldPart.trim())} AS ${aliasPart.trim()}`;
     }
     if (field.includes(".")) {
       const parts = field.split(".");
-      const tableName = parts[0];
-      const fieldName = parts[1];
+      if (parts.length < 2) {
+        return snakeCase(field);
+      }
+      if (parts.some((p) => p.trim() === "")) {
+        return field;
+      }
+      const fieldName = parts[parts.length - 1];
+      const tableName = parts.slice(0, parts.length - 1).join(".");
+      if (typeof fieldName !== "string" || typeof tableName !== "string") {
+        return snakeCase(field);
+      }
       return `${tableName.trim()}.${snakeCase(fieldName)}`;
     }
     return snakeCase(field);
@@ -12946,16 +13021,34 @@ class DbUtils {
       const operator = key.substring(lastDollarIndex);
       if (fieldPart.includes(".")) {
         const parts = fieldPart.split(".");
-        const tableName = parts[0];
-        const fieldName = parts[1];
+        if (parts.length < 2) {
+          return `${snakeCase(fieldPart)}${operator}`;
+        }
+        if (parts.some((p) => p.trim() === "")) {
+          return `${snakeCase(fieldPart)}${operator}`;
+        }
+        const fieldName = parts[parts.length - 1];
+        const tableName = parts.slice(0, parts.length - 1).join(".");
+        if (typeof fieldName !== "string" || typeof tableName !== "string") {
+          return `${snakeCase(fieldPart)}${operator}`;
+        }
         return `${tableName.trim()}.${snakeCase(fieldName)}${operator}`;
       }
       return `${snakeCase(fieldPart)}${operator}`;
     }
     if (key.includes(".")) {
       const parts = key.split(".");
-      const tableName = parts[0];
-      const fieldName = parts[1];
+      if (parts.length < 2) {
+        return snakeCase(key);
+      }
+      if (parts.some((p) => p.trim() === "")) {
+        return snakeCase(key);
+      }
+      const fieldName = parts[parts.length - 1];
+      const tableName = parts.slice(0, parts.length - 1).join(".");
+      if (typeof fieldName !== "string" || typeof tableName !== "string") {
+        return snakeCase(key);
+      }
       return `${tableName.trim()}.${snakeCase(fieldName)}`;
     }
     return snakeCase(key);
@@ -12988,7 +13081,15 @@ class DbUtils {
       if (typeof item !== "string" || !item.includes("#")) {
         return item;
       }
-      const [field, direction] = item.split("#");
+      const parts = item.split("#");
+      if (parts.length !== 2) {
+        return item;
+      }
+      const field = parts[0];
+      const direction = parts[1];
+      if (typeof field !== "string" || typeof direction !== "string") {
+        return item;
+      }
       return `${DbUtils.processJoinField(field.trim())}#${direction.trim()}`;
     });
   }
@@ -13109,10 +13210,10 @@ class DbUtils {
     for (const [key, value] of Object.entries(userData)) {
       result[key] = value;
     }
-    result.id = options.id;
-    result.created_at = options.now;
-    result.updated_at = options.now;
-    result.state = 1;
+    result["id"] = options.id;
+    result["created_at"] = options.now;
+    result["updated_at"] = options.now;
+    result["state"] = 1;
     return result;
   }
   static buildUpdateRow(options) {
@@ -13122,7 +13223,7 @@ class DbUtils {
     for (const [key, value] of Object.entries(userData)) {
       result[key] = value;
     }
-    result.updated_at = options.now;
+    result["updated_at"] = options.now;
     return result;
   }
   static buildPartialUpdateData(options) {
@@ -13246,6 +13347,7 @@ var SqlBuilderError = {
   QUOTE_IDENT_NEED_STRING: (identifier) => `quoteIdent \u9700\u8981\u5B57\u7B26\u4E32\u7C7B\u578B\u6807\u8BC6\u7B26 (identifier: ${String(identifier)})`,
   IDENT_EMPTY: "SQL \u6807\u8BC6\u7B26\u4E0D\u80FD\u4E3A\u7A7A",
   FIELD_EXPR_NOT_ALLOWED: (field) => `\u5B57\u6BB5\u5305\u542B\u51FD\u6570/\u8868\u8FBE\u5F0F\uFF0C\u8BF7\u4F7F\u7528 selectRaw/whereRaw (field: ${field})`,
+  FIELD_INVALID: (field) => `\u5B57\u6BB5\u683C\u5F0F\u975E\u6CD5\uFF0C\u8BF7\u4F7F\u7528\u7B80\u5355\u5B57\u6BB5\u540D\u6216\u5B89\u5168\u5F15\u7528\uFF0C\u590D\u6742\u8868\u8FBE\u5F0F\u8BF7\u4F7F\u7528 selectRaw/whereRaw (field: ${field})`,
   FROM_EMPTY: "FROM \u8868\u540D\u4E0D\u80FD\u4E3A\u7A7A",
   FROM_NEED_NON_EMPTY: (table) => `FROM \u8868\u540D\u5FC5\u987B\u662F\u975E\u7A7A\u5B57\u7B26\u4E32 (table: ${String(table)})`,
   FROM_REQUIRED: "FROM \u8868\u540D\u662F\u5FC5\u9700\u7684",
@@ -13349,10 +13451,18 @@ class SqlBuilder {
     }
     if (field.toUpperCase().includes(" AS ")) {
       const parts = field.split(/\s+AS\s+/i);
-      const fieldPart = parts[0].trim();
-      const aliasPart = parts[1].trim();
-      SqlCheck.assertSafeAlias(aliasPart);
-      return `${this._escapeField(fieldPart)} AS ${aliasPart}`;
+      if (parts.length !== 2) {
+        throw new Error(SqlBuilderError.FIELD_INVALID(field));
+      }
+      const fieldPart = parts[0];
+      const aliasPart = parts[1];
+      if (typeof fieldPart !== "string" || typeof aliasPart !== "string") {
+        throw new Error(SqlBuilderError.FIELD_INVALID(field));
+      }
+      const cleanFieldPart = fieldPart.trim();
+      const cleanAliasPart = aliasPart.trim();
+      SqlCheck.assertSafeAlias(cleanAliasPart);
+      return `${this._escapeField(cleanFieldPart)} AS ${cleanAliasPart}`;
     }
     if (field.includes(".")) {
       const parts = field.split(".");
@@ -13386,16 +13496,26 @@ class SqlBuilder {
     if (parts.length > 2) {
       throw new Error(SqlBuilderError.TABLE_REF_TOO_MANY_PARTS(table));
     }
-    const namePart = parts[0].trim();
-    const aliasPart = parts.length === 2 ? parts[1].trim() : null;
+    const namePartRaw = parts[0];
+    if (typeof namePartRaw !== "string" || namePartRaw.trim() === "") {
+      throw new Error(SqlBuilderError.FROM_EMPTY);
+    }
+    const namePart = namePartRaw.trim();
+    const aliasPartRaw = parts.length === 2 ? parts[1] : null;
+    const aliasPart = typeof aliasPartRaw === "string" ? aliasPartRaw.trim() : null;
     const nameSegments = namePart.split(".");
     if (nameSegments.length > 2) {
       throw new Error(SqlBuilderError.TABLE_REF_SCHEMA_TOO_DEEP(table));
     }
     let escapedName = "";
     if (nameSegments.length === 2) {
-      const schema = nameSegments[0].trim();
-      const tableName = nameSegments[1].trim();
+      const schemaRaw = nameSegments[0];
+      const tableNameRaw = nameSegments[1];
+      if (typeof schemaRaw !== "string" || typeof tableNameRaw !== "string") {
+        throw new Error(SqlBuilderError.TABLE_REF_SCHEMA_TOO_DEEP(table));
+      }
+      const schema = schemaRaw.trim();
+      const tableName = tableNameRaw.trim();
       const escapedSchema = this._isQuotedIdent(schema) ? schema : (() => {
         if (this._startsWithQuote(schema) && !this._isQuotedIdent(schema)) {
           throw new Error(SqlBuilderError.SCHEMA_QUOTE_NOT_PAIRED(schema));
@@ -13412,7 +13532,11 @@ class SqlBuilder {
       })();
       escapedName = `${escapedSchema}.${escapedTableName}`;
     } else {
-      const tableName = nameSegments[0].trim();
+      const tableNameRaw = nameSegments[0];
+      if (typeof tableNameRaw !== "string") {
+        throw new Error(SqlBuilderError.FROM_EMPTY);
+      }
+      const tableName = tableNameRaw.trim();
       if (this._isQuotedIdent(tableName)) {
         escapedName = tableName;
       } else {
@@ -13670,7 +13794,15 @@ class SqlBuilder {
       if (typeof item !== "string" || !item.includes("#")) {
         throw new Error(SqlBuilderError.ORDER_BY_ITEM_NEED_HASH(item));
       }
-      const [fieldName, direction] = item.split("#");
+      const parts = item.split("#");
+      if (parts.length !== 2) {
+        throw new Error(SqlBuilderError.ORDER_BY_ITEM_NEED_HASH(item));
+      }
+      const fieldName = parts[0];
+      const direction = parts[1];
+      if (typeof fieldName !== "string" || typeof direction !== "string") {
+        throw new Error(SqlBuilderError.ORDER_BY_ITEM_NEED_HASH(item));
+      }
       const cleanField = fieldName.trim();
       const cleanDir = direction.trim().toUpperCase();
       if (!cleanField) {
@@ -13767,7 +13899,9 @@ class SqlBuilder {
       for (let i = 0;i < data.length; i++) {
         const row = data[i];
         for (const field of fields) {
-          params.push(row[field]);
+          const value = row[field];
+          this._validateParam(value);
+          params.push(value);
         }
       }
       return { sql, params };
@@ -13782,7 +13916,12 @@ class SqlBuilder {
       const escapedFields = fields.map((field) => this._escapeField(field));
       const placeholders = fields.map(() => "?").join(", ");
       const sql = `INSERT INTO ${escapedTable} (${escapedFields.join(", ")}) VALUES (${placeholders})`;
-      const params = fields.map((field) => data[field]);
+      const params = [];
+      for (const field of fields) {
+        const value = data[field];
+        this._validateParam(value);
+        params.push(value);
+      }
       return { sql, params };
     }
   }
@@ -13884,7 +14023,9 @@ class SqlBuilder {
         }
         whenList.push("WHEN ? THEN ?");
         args.push(row.id);
-        args.push(row.data[field]);
+        const value = row.data[field];
+        SqlCheck.assertNoUndefinedParam(value, "SQL \u53C2\u6570\u503C");
+        args.push(value);
       }
       if (whenList.length === 0) {
         continue;
@@ -13916,7 +14057,7 @@ class DbHelper {
   constructor(options) {
     this.redis = options.redis;
     this.sql = options.sql || null;
-    this.isTransaction = !!options.sql;
+    this.isTransaction = Boolean(options.sql);
     this.dialect = options.dialect ? options.dialect : new MySqlDialect;
   }
   createSqlBuilder() {
@@ -14046,7 +14187,8 @@ class DbHelper {
   }
   async getCount(options) {
     const { table, where, joins, tableQualifier } = await this.prepareQueryOptions(options);
-    const builder = this.createSqlBuilder().selectRaw("COUNT(*) as count").from(table).where(DbUtils.addDefaultStateFilter(where, tableQualifier, !!joins));
+    const hasJoins = Array.isArray(joins) && joins.length > 0;
+    const builder = this.createSqlBuilder().selectRaw("COUNT(*) as count").from(table).where(DbUtils.addDefaultStateFilter(where, tableQualifier, hasJoins));
     this.applyJoins(builder, joins);
     const { sql, params } = builder.toSelectSql();
     const execRes = await this.executeWithConn(sql, params);
@@ -14058,7 +14200,8 @@ class DbHelper {
   }
   async getOne(options) {
     const { table, fields, where, joins, tableQualifier } = await this.prepareQueryOptions(options);
-    const builder = this.createSqlBuilder().select(fields).from(table).where(DbUtils.addDefaultStateFilter(where, tableQualifier, !!joins));
+    const hasJoins = Array.isArray(joins) && joins.length > 0;
+    const builder = this.createSqlBuilder().select(fields).from(table).where(DbUtils.addDefaultStateFilter(where, tableQualifier, hasJoins));
     this.applyJoins(builder, joins);
     const { sql, params } = builder.toSelectSql();
     const execRes = await this.executeWithConn(sql, params);
@@ -14078,12 +14221,16 @@ class DbHelper {
         sql: execRes.sql
       };
     }
-    const data = convertBigIntFields([deserialized])[0];
+    const convertedList = convertBigIntFields([deserialized]);
+    const data = convertedList[0] ?? deserialized;
     return {
       data,
       sql: execRes.sql
     };
   }
+  async getDetail(options) {
+    return await this.getOne(options);
+  }
   async getList(options) {
     const prepared = await this.prepareQueryOptions(options);
     if (prepared.page < 1 || prepared.page > 1e4) {
@@ -14092,7 +14239,7 @@ class DbHelper {
     if (prepared.limit < 1 || prepared.limit > 1000) {
       throw new Error(`\u6BCF\u9875\u6570\u91CF\u5FC5\u987B\u5728 1 \u5230 1000 \u4E4B\u95F4 (table: ${options.table}, page: ${prepared.page}, limit: ${prepared.limit})`);
     }
-    const whereFiltered = DbUtils.addDefaultStateFilter(prepared.where, prepared.tableQualifier, !!prepared.joins);
+    const whereFiltered = DbUtils.addDefaultStateFilter(prepared.where, prepared.tableQualifier, Array.isArray(prepared.joins) && prepared.joins.length > 0);
     const countBuilder = this.createSqlBuilder().selectRaw("COUNT(*) as total").from(prepared.table).where(whereFiltered);
     this.applyJoins(countBuilder, prepared.joins);
     const { sql: countSql, params: countParams } = countBuilder.toSelectSql();
@@ -14140,8 +14287,21 @@ class DbHelper {
   async getAll(options) {
     const MAX_LIMIT = 1e4;
     const WARNING_LIMIT = 1000;
-    const prepared = await this.prepareQueryOptions({ ...options, page: 1, limit: 10 });
-    const whereFiltered = DbUtils.addDefaultStateFilter(prepared.where, prepared.tableQualifier, !!prepared.joins);
+    const prepareOptions = {
+      table: options.table,
+      page: 1,
+      limit: 10
+    };
+    if (options.fields !== undefined)
+      prepareOptions.fields = options.fields;
+    if (options.where !== undefined)
+      prepareOptions.where = options.where;
+    if (options.joins !== undefined)
+      prepareOptions.joins = options.joins;
+    if (options.orderBy !== undefined)
+      prepareOptions.orderBy = options.orderBy;
+    const prepared = await this.prepareQueryOptions(prepareOptions);
+    const whereFiltered = DbUtils.addDefaultStateFilter(prepared.where, prepared.tableQualifier, Array.isArray(prepared.joins) && prepared.joins.length > 0);
     const countBuilder = this.createSqlBuilder().selectRaw("COUNT(*) as total").from(prepared.table).where(whereFiltered);
     this.applyJoins(countBuilder, prepared.joins);
     const { sql: countSql, params: countParams } = countBuilder.toSelectSql();
@@ -14201,7 +14361,7 @@ class DbHelper {
     const builder = this.createSqlBuilder();
     const { sql, params } = builder.toInsertSql(snakeTable, processed);
     const execRes = await this.executeWithConn(sql, params);
-    const insertedId = processed.id || execRes.data?.lastInsertRowid || 0;
+    const insertedId = processed["id"] || execRes.data?.lastInsertRowid || 0;
     return {
       data: insertedId,
       sql: execRes.sql
@@ -14226,7 +14386,11 @@ class DbHelper {
     }
     const now = Date.now();
     const processedList = dataList.map((data, index) => {
-      return DbUtils.buildInsertRow({ data, id: ids[index], now });
+      const id = ids[index];
+      if (typeof id !== "number") {
+        throw new Error(`\u6279\u91CF\u63D2\u5165\u751F\u6210 ID \u5931\u8D25\uFF1Aids[${index}] \u4E0D\u662F number (table: ${snakeTable})`);
+      }
+      return DbUtils.buildInsertRow({ data, id, now });
     });
     const insertFields = SqlCheck.assertBatchInsertRowsConsistent(processedList, { table: snakeTable });
     const builder = this.createSqlBuilder();
@@ -14509,38 +14673,50 @@ class Jwt {
     };
   }
   sign(payload, options = {}) {
-    const key = options.secret || this.config.secret || "befly-secret";
+    const key = options.secret || this.config.secret;
     const algorithm = options.algorithm || this.config.algorithm || "HS256";
-    const signer = import_fast_jwt.createSigner({
+    const signerOptions = {
       key,
       algorithm,
-      expiresIn: options.expiresIn || this.config.expiresIn,
-      iss: options.issuer,
-      aud: options.audience,
-      sub: options.subject,
-      jti: options.jwtId,
-      notBefore: typeof options.notBefore === "number" ? options.notBefore : undefined
-    });
+      expiresIn: options.expiresIn ?? this.config.expiresIn
+    };
+    if (options.issuer !== undefined)
+      signerOptions.iss = options.issuer;
+    if (options.audience !== undefined)
+      signerOptions.aud = options.audience;
+    if (options.subject !== undefined)
+      signerOptions.sub = options.subject;
+    if (options.jwtId !== undefined)
+      signerOptions.jti = options.jwtId;
+    if (typeof options.notBefore === "number")
+      signerOptions.notBefore = options.notBefore;
+    const signer = import_fast_jwt.createSigner(signerOptions);
     return signer(payload);
   }
   verify(token, options = {}) {
     if (!token || typeof token !== "string") {
       throw new Error("Token\u5FC5\u987B\u662F\u975E\u7A7A\u5B57\u7B26\u4E32");
     }
-    const key = options.secret || this.config.secret || "befly-secret";
+    const key = options.secret || this.config.secret;
     const algorithm = this.config.algorithm || "HS256";
     const algorithms = options.algorithms ? options.algorithms : [algorithm];
-    const verifier = import_fast_jwt.createVerifier({
+    const verifierOptions = {
       key,
       algorithms,
-      allowedIss: options.issuer,
-      allowedAud: options.audience,
-      allowedSub: options.subject,
-      ignoreExpiration: options.ignoreExpiration,
-      ignoreNotBefore: options.ignoreNotBefore,
       cache: true,
       cacheTTL: 600000
-    });
+    };
+    if (options.issuer !== undefined)
+      verifierOptions.allowedIss = options.issuer;
+    if (options.audience !== undefined)
+      verifierOptions.allowedAud = options.audience;
+    if (options.subject !== undefined)
+      verifierOptions.allowedSub = options.subject;
+    if (typeof options.ignoreExpiration === "boolean")
+      verifierOptions.ignoreExpiration = options.ignoreExpiration;
+    if (typeof options.ignoreNotBefore === "boolean")
+      verifierOptions.ignoreNotBefore = options.ignoreNotBefore;
+    const verifier = import_fast_jwt.createVerifier(verifierOptions);
     return verifier(token);
   }
   decode(token, complete = false) {
@@ -15151,7 +15327,7 @@ async function scanFiles(dir, source, type, pattern) {
       const base = {
         source,
         type,
-        sourceName: { core: "\u6838\u5FC3", addon: "\u7EC4\u4EF6", app: "\u9879\u76EE" }[source],
+        sourceName: source === "core" ? "\u6838\u5FC3" : source === "addon" ? "\u7EC4\u4EF6" : "\u9879\u76EE",
         filePath: normalizedFile,
         relativePath,
         fileName,
@@ -15162,28 +15338,28 @@ async function scanFiles(dir, source, type, pattern) {
         customKeys: isPlainObject(content) ? Object.keys(content) : []
       };
       if (type === "table") {
-        base.content = content;
+        base["content"] = content;
         results.push(base);
         continue;
       }
       if (type === "api") {
-        base.auth = true;
-        base.rawBody = false;
-        base.method = "POST";
-        base.fields = {};
-        base.required = [];
+        base["auth"] = true;
+        base["rawBody"] = false;
+        base["method"] = "POST";
+        base["fields"] = {};
+        base["required"] = [];
       }
       if (type === "plugin" || type === "hook") {
-        base.deps = [];
-        base.name = "";
-        base.handler = null;
+        base["deps"] = [];
+        base["name"] = "";
+        base["handler"] = null;
       }
       forOwn(content, (value, key) => {
         base[key] = value;
       });
       if (type === "api") {
-        base.routePrefix = source === "app" ? "/app" : `/addon/${addonName}`;
-        base.path = `/api${base.routePrefix}/${relativePath}`;
+        base["routePrefix"] = source === "app" ? "/app" : `/addon/${addonName}`;
+        base["path"] = `/api${base["routePrefix"]}/${relativePath}`;
       }
       results.push(base);
     }
@@ -15239,11 +15415,11 @@ class Befly {
   async start(env = {}) {
     try {
       const serverStartTime = Bun.nanoseconds();
-      this.config = await loadBeflyConfig(env.NODE_ENV || "development");
+      this.config = await loadBeflyConfig(env["NODE_ENV"] || "development");
       this.context.config = this.config;
       this.context.env = env;
       const { apis, tables, plugins, hooks, addons } = await scanSources();
-      this.context.addons = addons;
+      this.context["addons"] = addons;
       await checkApi(apis);
       await checkTable(tables);
       await checkPlugin(plugins);
@@ -15266,15 +15442,23 @@ class Befly {
       await syncTable(this.context, tables);
       await syncApi(this.context, apis);
       await syncMenu(this.context, checkedMenus);
-      await syncDev(this.context, { devEmail: this.config.devEmail, devPassword: this.config.devPassword });
+      const devEmail = this.config.devEmail;
+      const devPassword = this.config.devPassword;
+      if (typeof devEmail === "string" && devEmail.length > 0 && typeof devPassword === "string" && devPassword.length > 0) {
+        await syncDev(this.context, { devEmail, devPassword });
+      } else {
+        Logger.debug("\u8DF3\u8FC7 syncDev\uFF1A\u672A\u914D\u7F6E devEmail/devPassword");
+      }
       await syncCache(this.context);
       this.hooks = await loadHooks(hooks);
       this.apis = await loadApis(apis);
       const apiFetch = apiHandler(this.apis, this.hooks, this.context);
       const staticFetch = staticHandler(this.config.cors);
+      const port = typeof this.config.appPort === "number" ? this.config.appPort : 3000;
+      const hostname = typeof this.config.appHost === "string" && this.config.appHost.length > 0 ? this.config.appHost : "0.0.0.0";
       const server = Bun.serve({
-        port: this.config.appPort,
-        hostname: this.config.appHost,
+        port,
+        hostname,
         development: this.config.nodeEnv === "development",
         idleTimeout: 30,
         fetch: async (req, bunServer) => {