npm - prisma-sql - Versions diffs - 1.43.0 → 1.45.0 - Mend

prisma-sql 1.43.0 → 1.45.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/generator.cjs CHANGED Viewed

@@ -56,7 +56,7 @@ var require_package = __commonJS({
   "package.json"(exports$1, module) {
     module.exports = {
       name: "prisma-sql",
-      version: "1.43.0",
+      version: "1.45.0",
       description: "Convert Prisma queries to optimized SQL with type safety. 2-7x faster than Prisma Client.",
       main: "dist/index.cjs",
       module: "dist/index.js",
@@ -159,20 +159,13 @@ var SQL_SEPARATORS = Object.freeze({
   CONDITION_OR: " OR ",
   ORDER_BY: ", "
 });
-var SQL_RESERVED_WORDS = /* @__PURE__ */ new Set([
+var ALIAS_FORBIDDEN_KEYWORDS = /* @__PURE__ */ new Set([
   "select",
   "from",
   "where",
-  "and",
-  "or",
-  "not",
-  "in",
-  "like",
-  "between",
+  "having",
   "order",
-  "by",
   "group",
-  "having",
   "limit",
   "offset",
   "join",
@@ -180,14 +173,42 @@ var SQL_RESERVED_WORDS = /* @__PURE__ */ new Set([
   "left",
   "right",
   "outer",
-  "on",
+  "cross",
+  "full",
+  "and",
+  "or",
+  "not",
+  "by",
   "as",
+  "on",
+  "union",
+  "intersect",
+  "except",
+  "case",
+  "when",
+  "then",
+  "else",
+  "end"
+]);
+var SQL_KEYWORDS = /* @__PURE__ */ new Set([
+  ...ALIAS_FORBIDDEN_KEYWORDS,
+  "user",
+  "users",
   "table",
   "column",
   "index",
-  "user",
-  "users",
   "values",
+  "in",
+  "like",
+  "between",
+  "is",
+  "exists",
+  "null",
+  "true",
+  "false",
+  "all",
+  "any",
+  "some",
   "update",
   "insert",
   "delete",
@@ -198,25 +219,9 @@ var SQL_RESERVED_WORDS = /* @__PURE__ */ new Set([
   "grant",
   "revoke",
   "exec",
-  "execute",
-  "union",
-  "intersect",
-  "except",
-  "case",
-  "when",
-  "then",
-  "else",
-  "end",
-  "null",
-  "true",
-  "false",
-  "is",
-  "exists",
-  "all",
-  "any",
-  "some"
+  "execute"
 ]);
-var SQL_KEYWORDS = SQL_RESERVED_WORDS;
+var SQL_RESERVED_WORDS = SQL_KEYWORDS;
 var DEFAULT_WHERE_CLAUSE = "1=1";
 var SPECIAL_FIELDS = Object.freeze({
   ID: "id"
@@ -295,12 +300,48 @@ var LIMITS = Object.freeze({
 });
 // src/utils/normalize-value.ts
-function normalizeValue(value) {
+var MAX_DEPTH = 20;
+function normalizeValue(value, seen = /* @__PURE__ */ new WeakSet(), depth = 0) {
+  if (depth > MAX_DEPTH) {
+    throw new Error(`Max normalization depth exceeded (${MAX_DEPTH} levels)`);
+  }
   if (value instanceof Date) {
+    const t = value.getTime();
+    if (!Number.isFinite(t)) {
+      throw new Error("Invalid Date value in SQL params");
+    }
     return value.toISOString();
   }
+  if (typeof value === "bigint") {
+    return value.toString();
+  }
   if (Array.isArray(value)) {
-    return value.map(normalizeValue);
+    const arrRef = value;
+    if (seen.has(arrRef)) {
+      throw new Error("Circular reference in SQL params");
+    }
+    seen.add(arrRef);
+    const out = value.map((v) => normalizeValue(v, seen, depth + 1));
+    seen.delete(arrRef);
+    return out;
+  }
+  if (value && typeof value === "object") {
+    if (value instanceof Uint8Array) return value;
+    if (typeof Buffer !== "undefined" && Buffer.isBuffer(value)) return value;
+    const proto = Object.getPrototypeOf(value);
+    const isPlain = proto === Object.prototype || proto === null;
+    if (!isPlain) return value;
+    const obj = value;
+    if (seen.has(obj)) {
+      throw new Error("Circular reference in SQL params");
+    }
+    seen.add(obj);
+    const out = {};
+    for (const [k, v] of Object.entries(obj)) {
+      out[k] = normalizeValue(v, seen, depth + 1);
+    }
+    seen.delete(obj);
+    return out;
   }
   return value;
 }
@@ -481,7 +522,7 @@ function prepareArrayParam(value, dialect) {
     throw new Error("prepareArrayParam requires array value");
   }
   if (dialect === "postgres") {
-    return value.map(normalizeValue);
+    return value.map((v) => normalizeValue(v));
   }
   return JSON.stringify(value);
 }
@@ -553,36 +594,46 @@ function createError(message, ctx, code = "VALIDATION_ERROR") {
 }
 // src/builder/shared/model-field-cache.ts
-var SCALAR_SET_CACHE = /* @__PURE__ */ new WeakMap();
-var RELATION_SET_CACHE = /* @__PURE__ */ new WeakMap();
+var MODEL_CACHE = /* @__PURE__ */ new WeakMap();
+function ensureFullCache(model) {
+  let cache = MODEL_CACHE.get(model);
+  if (!cache) {
+    const fieldInfo = /* @__PURE__ */ new Map();
+    const scalarFields = /* @__PURE__ */ new Set();
+    const relationFields = /* @__PURE__ */ new Set();
+    const columnMap = /* @__PURE__ */ new Map();
+    for (const f of model.fields) {
+      const info = {
+        name: f.name,
+        dbName: f.dbName || f.name,
+        type: f.type,
+        isRelation: !!f.isRelation,
+        isRequired: !!f.isRequired
+      };
+      fieldInfo.set(f.name, info);
+      if (info.isRelation) {
+        relationFields.add(f.name);
+      } else {
+        scalarFields.add(f.name);
+        columnMap.set(f.name, info.dbName);
+      }
+    }
+    cache = { fieldInfo, scalarFields, relationFields, columnMap };
+    MODEL_CACHE.set(model, cache);
+  }
+  return cache;
+}
+function getFieldInfo(model, fieldName) {
+  return ensureFullCache(model).fieldInfo.get(fieldName);
+}
 function getScalarFieldSet(model) {
-  const cached = SCALAR_SET_CACHE.get(model);
-  if (cached) return cached;
-  const s = /* @__PURE__ */ new Set();
-  for (const f of model.fields) if (!f.isRelation) s.add(f.name);
-  SCALAR_SET_CACHE.set(model, s);
-  return s;
+  return ensureFullCache(model).scalarFields;
 }
 function getRelationFieldSet(model) {
-  const cached = RELATION_SET_CACHE.get(model);
-  if (cached) return cached;
-  const s = /* @__PURE__ */ new Set();
-  for (const f of model.fields) if (f.isRelation) s.add(f.name);
-  RELATION_SET_CACHE.set(model, s);
-  return s;
-}
-var COLUMN_MAP_CACHE = /* @__PURE__ */ new WeakMap();
+  return ensureFullCache(model).relationFields;
+}
 function getColumnMap(model) {
-  const cached = COLUMN_MAP_CACHE.get(model);
-  if (cached) return cached;
-  const map = /* @__PURE__ */ new Map();
-  for (const f of model.fields) {
-    if (!f.isRelation) {
-      map.set(f.name, f.dbName || f.name);
-    }
-  }
-  COLUMN_MAP_CACHE.set(model, map);
-  return map;
+  return ensureFullCache(model).columnMap;
 }
 // src/builder/shared/validators/sql-validators.ts
@@ -642,7 +693,7 @@ function scanDollarPlaceholders(sql, markUpTo) {
   }
   return { count, min, max, seen };
 }
-function assertNoGaps(scan, rangeMin, rangeMax, sql) {
+function assertNoGapsDollar(scan, rangeMin, rangeMax, sql) {
   for (let k = rangeMin; k <= rangeMax; k++) {
     if (scan.seen[k] !== 1) {
       throw new Error(
@@ -670,7 +721,7 @@ function validateParamConsistency(sql, params) {
       `CRITICAL: Parameter mismatch - SQL max placeholder is $${scan.max} but ${paramLen} params provided. This will cause SQL execution to fail. SQL: ${sqlPreview(sql)}`
     );
   }
-  assertNoGaps(scan, 1, scan.max, sql);
+  assertNoGapsDollar(scan, 1, scan.max, sql);
 }
 function needsQuoting(id) {
   if (!isNonEmptyString(id)) return true;
@@ -688,14 +739,11 @@ function validateParamConsistencyFragment(sql, params) {
       `CRITICAL: Parameter mismatch - SQL references $${scan.max} but only ${paramLen} params provided. SQL: ${sqlPreview(sql)}`
     );
   }
-  assertNoGaps(scan, scan.min, scan.max, sql);
+  assertNoGapsDollar(scan, scan.min, scan.max, sql);
 }
 function assertOrThrow(condition, message) {
   if (!condition) throw new Error(message);
 }
-function dialectPlaceholderPrefix(dialect) {
-  return dialect === "sqlite" ? "?" : "$";
-}
 function parseSqlitePlaceholderIndices(sql) {
   const re = /\?(?:(\d+))?/g;
   const indices = [];
@@ -715,112 +763,70 @@ function parseSqlitePlaceholderIndices(sql) {
   }
   return { indices, sawNumbered, sawAnonymous };
 }
-function parseDollarPlaceholderIndices(sql) {
-  const re = /\$(\d+)/g;
-  const indices = [];
-  for (const m of sql.matchAll(re)) indices.push(parseInt(m[1], 10));
-  return indices;
-}
-function getPlaceholderIndices(sql, dialect) {
-  if (dialect === "sqlite") return parseSqlitePlaceholderIndices(sql);
-  return {
-    indices: parseDollarPlaceholderIndices(sql),
-    sawNumbered: false,
-    sawAnonymous: false
-  };
-}
 function maxIndex(indices) {
   return indices.length > 0 ? Math.max(...indices) : 0;
 }
-function ensureNoMixedSqlitePlaceholders(sawNumbered, sawAnonymous) {
-  assertOrThrow(
-    !(sawNumbered && sawAnonymous),
-    `CRITICAL: Mixed sqlite placeholders ('?' and '?NNN') are not supported.`
-  );
-}
-function ensurePlaceholderMaxMatchesMappingsLength(max, mappingsLength, dialect) {
-  assertOrThrow(
-    max === mappingsLength,
-    `CRITICAL: SQL placeholder max mismatch - max is ${dialectPlaceholderPrefix(dialect)}${max}, but mappings length is ${mappingsLength}.`
-  );
-}
-function ensureSequentialPlaceholders(placeholders, max, dialect) {
-  const prefix = dialectPlaceholderPrefix(dialect);
+function ensureSequentialIndices(seen, max, prefix) {
   for (let i = 1; i <= max; i++) {
     assertOrThrow(
-      placeholders.has(i),
+      seen.has(i),
       `CRITICAL: Missing SQL placeholder ${prefix}${i} - placeholders must be sequential 1..${max}.`
     );
   }
 }
-function validateMappingIndex(mapping, max) {
-  assertOrThrow(
-    Number.isInteger(mapping.index) && mapping.index >= 1 && mapping.index <= max,
-    `CRITICAL: ParamMapping index ${mapping.index} out of range 1..${max}.`
-  );
-}
-function ensureUniqueMappingIndex(mappingIndices, index, dialect) {
+function validateSqlitePlaceholders(sql, params) {
+  const paramLen = params.length;
+  const { indices, sawNumbered, sawAnonymous } = parseSqlitePlaceholderIndices(sql);
+  if (indices.length === 0) {
+    if (paramLen !== 0) {
+      throw new Error(
+        `CRITICAL: Parameter mismatch - SQL has no sqlite placeholders but ${paramLen} params provided. SQL: ${sqlPreview(sql)}`
+      );
+    }
+    return;
+  }
   assertOrThrow(
-    !mappingIndices.has(index),
-    `CRITICAL: Duplicate ParamMapping index ${index} - each placeholder index must map to exactly one ParamMap.`
+    !(sawNumbered && sawAnonymous),
+    `CRITICAL: Mixed sqlite placeholders ('?' and '?NNN') are not supported.`
   );
-  mappingIndices.add(index);
-}
-function ensureMappingIndexExistsInSql(placeholders, index) {
+  const max = maxIndex(indices);
   assertOrThrow(
-    placeholders.has(index),
-    `CRITICAL: ParamMapping index ${index} not found in SQL placeholders.`
+    max === paramLen,
+    `CRITICAL: SQL placeholder max mismatch - max is ?${max}, but params length is ${paramLen}. SQL: ${sqlPreview(sql)}`
   );
+  const set = new Set(indices);
+  ensureSequentialIndices(set, max, "?");
 }
-function validateMappingValueShape(mapping) {
-  assertOrThrow(
-    !(mapping.dynamicName !== void 0 && mapping.value !== void 0),
-    `CRITICAL: ParamMap ${mapping.index} has both dynamicName and value`
-  );
-  assertOrThrow(
-    !(mapping.dynamicName === void 0 && mapping.value === void 0),
-    `CRITICAL: ParamMap ${mapping.index} has neither dynamicName nor value`
-  );
+function validateDollarPlaceholders(sql, params) {
+  validateParamConsistency(sql, params);
 }
-function ensureMappingsCoverAllIndices(mappingIndices, max, dialect) {
-  const prefix = dialectPlaceholderPrefix(dialect);
-  for (let i = 1; i <= max; i++) {
-    assertOrThrow(
-      mappingIndices.has(i),
-      `CRITICAL: Missing ParamMap for placeholder ${prefix}${i} - mappings must cover 1..${max} with no gaps.`
-    );
-  }
+function detectPlaceholderStyle(sql) {
+  const hasDollar = /\$\d+/.test(sql);
+  const hasSqliteQ = /\?(?:\d+)?/.test(sql);
+  return { hasDollar, hasSqliteQ };
 }
-function validateMappingsAgainstPlaceholders(mappings, placeholders, max, dialect) {
-  const mappingIndices = /* @__PURE__ */ new Set();
-  for (const mapping of mappings) {
-    validateMappingIndex(mapping, max);
-    ensureUniqueMappingIndex(mappingIndices, mapping.index);
-    ensureMappingIndexExistsInSql(placeholders, mapping.index);
-    validateMappingValueShape(mapping);
+function validateParamConsistencyByDialect(sql, params, dialect) {
+  const { hasDollar, hasSqliteQ } = detectPlaceholderStyle(sql);
+  if (dialect !== "sqlite") {
+    if (hasSqliteQ && !hasDollar) {
+      throw new Error(
+        `CRITICAL: Non-sqlite dialect query contains sqlite '?' placeholders. SQL: ${sqlPreview(sql)}`
+      );
+    }
+    return validateDollarPlaceholders(sql, params);
   }
-  ensureMappingsCoverAllIndices(mappingIndices, max, dialect);
-}
-function validateSqlPositions(sql, mappings, dialect) {
-  const { indices, sawNumbered, sawAnonymous } = getPlaceholderIndices(
-    sql,
-    dialect
-  );
-  if (dialect === "sqlite") {
-    ensureNoMixedSqlitePlaceholders(sawNumbered, sawAnonymous);
+  if (hasDollar && hasSqliteQ) {
+    throw new Error(
+      `CRITICAL: Mixed placeholder styles ($N and ?/ ?NNN) are not supported. SQL: ${sqlPreview(sql)}`
+    );
   }
-  const placeholders = new Set(indices);
-  if (placeholders.size === 0 && mappings.length === 0) return;
-  const max = maxIndex(indices);
-  ensurePlaceholderMaxMatchesMappingsLength(max, mappings.length, dialect);
-  ensureSequentialPlaceholders(placeholders, max, dialect);
-  validateMappingsAgainstPlaceholders(mappings, placeholders, max, dialect);
+  if (hasSqliteQ) return validateSqlitePlaceholders(sql, params);
+  return validateDollarPlaceholders(sql, params);
 }
 // src/builder/shared/sql-utils.ts
-var NUL = String.fromCharCode(0);
 function containsControlChars(s) {
-  return s.includes(NUL) || s.includes("\n") || s.includes("\r");
+  return /[\u0000-\u001F\u007F]/.test(s);
 }
 function assertNoControlChars(label, s) {
   if (containsControlChars(s)) {
@@ -1039,16 +1045,46 @@ function buildTableReference(schemaName, tableName, dialect) {
   return `"${safeSchema}"."${safeTable}"`;
 }
 function assertSafeAlias(alias) {
-  const a = String(alias);
-  if (a.trim().length === 0) {
-    throw new Error("alias is required and cannot be empty");
+  if (typeof alias !== "string") {
+    throw new Error(`Invalid alias: expected string, got ${typeof alias}`);
+  }
+  const a = alias.trim();
+  if (a.length === 0) {
+    throw new Error("Invalid alias: required and cannot be empty");
   }
-  if (containsControlChars(a) || a.includes(";")) {
-    throw new Error(`alias contains unsafe characters: ${JSON.stringify(a)}`);
+  if (a !== alias) {
+    throw new Error("Invalid alias: leading/trailing whitespace");
   }
-  if (!/^[A-Za-z_]\w*$/.test(a)) {
+  if (/[\u0000-\u001F\u007F]/.test(a)) {
     throw new Error(
-      `alias must be a simple identifier, got: ${JSON.stringify(a)}`
+      "Invalid alias: contains unsafe characters (control characters)"
+    );
+  }
+  if (a.includes('"') || a.includes("'") || a.includes("`")) {
+    throw new Error("Invalid alias: contains unsafe characters (quotes)");
+  }
+  if (a.includes(";")) {
+    throw new Error("Invalid alias: contains unsafe characters (semicolon)");
+  }
+  if (a.includes("--") || a.includes("/*") || a.includes("*/")) {
+    throw new Error(
+      "Invalid alias: contains unsafe characters (SQL comment tokens)"
+    );
+  }
+  if (/\s/.test(a)) {
+    throw new Error(
+      "Invalid alias: must be a simple identifier without whitespace"
+    );
+  }
+  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(a)) {
+    throw new Error(
+      `Invalid alias: must be a simple identifier (alphanumeric with underscores): "${alias}"`
+    );
+  }
+  const lowered = a.toLowerCase();
+  if (ALIAS_FORBIDDEN_KEYWORDS.has(lowered)) {
+    throw new Error(
+      `Invalid alias: '${alias}' is a SQL keyword that would break query parsing. Forbidden aliases: ${[...ALIAS_FORBIDDEN_KEYWORDS].join(", ")}`
     );
   }
 }
@@ -1090,7 +1126,9 @@ function isValidRelationField(field) {
   if (fk.length === 0) return false;
   const refsRaw = field.references;
   const refs = normalizeKeyList(refsRaw);
-  if (refs.length === 0) return false;
+  if (refs.length === 0) {
+    return fk.length === 1;
+  }
   if (refs.length !== fk.length) return false;
   return true;
 }
@@ -1105,6 +1143,8 @@ function getReferenceFieldNames(field, foreignKeyCount) {
   return refs;
 }
 function joinCondition(field, parentModel, childModel, parentAlias, childAlias) {
+  assertSafeAlias(parentAlias);
+  assertSafeAlias(childAlias);
   const fkFields = normalizeKeyList(field.foreignKey);
   if (fkFields.length === 0) {
     throw createError(
@@ -1254,6 +1294,32 @@ function normalizeOrderByInput(orderBy, parseValue) {
   throw new Error("orderBy must be an object or array of objects");
 }
+// src/builder/shared/order-by-determinism.ts
+function modelHasScalarId(model) {
+  if (!model) return false;
+  return getScalarFieldSet(model).has("id");
+}
+function hasIdTiebreaker(orderBy, parse) {
+  if (!isNotNullish(orderBy)) return false;
+  const normalized = normalizeOrderByInput(orderBy, parse);
+  return normalized.some(
+    (obj) => Object.prototype.hasOwnProperty.call(obj, "id")
+  );
+}
+function addIdTiebreaker(orderBy) {
+  if (Array.isArray(orderBy)) return [...orderBy, { id: "asc" }];
+  return [orderBy, { id: "asc" }];
+}
+function ensureDeterministicOrderByInput(args) {
+  const { orderBy, model, parseValue } = args;
+  if (!modelHasScalarId(model)) return orderBy;
+  if (!isNotNullish(orderBy)) {
+    return { id: "asc" };
+  }
+  if (hasIdTiebreaker(orderBy, parseValue)) return orderBy;
+  return addIdTiebreaker(orderBy);
+}
 // src/builder/pagination.ts
 var MAX_LIMIT_OFFSET = 2147483647;
 function parseDirectionRaw(raw, errorLabel) {
@@ -1316,7 +1382,15 @@ function hasNonNullishProp(v, key) {
 }
 function normalizeIntegerOrDynamic(name, v) {
   if (schemaParser.isDynamicParameter(v)) return v;
-  return normalizeFiniteInteger(name, v);
+  const result = normalizeIntLike(name, v, {
+    min: Number.MIN_SAFE_INTEGER,
+    max: MAX_LIMIT_OFFSET,
+    allowZero: true
+  });
+  if (result === void 0) {
+    throw new Error(`${name} normalization returned undefined`);
+  }
+  return result;
 }
 function readSkipTake(relArgs) {
   const hasSkip = hasNonNullishProp(relArgs, "skip");
@@ -1382,7 +1456,7 @@ function buildCursorFilterParts(cursor, cursorAlias, params, model) {
   const placeholdersByField = /* @__PURE__ */ new Map();
   const parts = [];
   for (const [field, value] of entries) {
-    const c = `${cursorAlias}.${quote(field)}`;
+    const c = `${cursorAlias}.${quoteColumn(model, field)}`;
     if (value === null) {
       parts.push(`${c} IS NULL`);
       continue;
@@ -1396,13 +1470,6 @@ function buildCursorFilterParts(cursor, cursorAlias, params, model) {
     placeholdersByField
   };
 }
-function cursorValueExpr(tableName, cursorAlias, cursorWhereSql, field, model) {
-  const colName = quote(field);
-  return `(SELECT ${cursorAlias}.${colName} ${SQL_TEMPLATES.FROM} ${tableName} ${cursorAlias} ${SQL_TEMPLATES.WHERE} ${cursorWhereSql} ${SQL_TEMPLATES.LIMIT} 1)`;
-}
-function buildCursorRowExistsExpr(tableName, cursorAlias, cursorWhereSql) {
-  return `EXISTS (${SQL_TEMPLATES.SELECT} 1 ${SQL_TEMPLATES.FROM} ${tableName} ${cursorAlias} ${SQL_TEMPLATES.WHERE} ${cursorWhereSql} ${SQL_TEMPLATES.LIMIT} 1)`;
-}
 function buildCursorEqualityExpr(columnExpr, valueExpr) {
   return `((${valueExpr} IS NULL AND ${columnExpr} IS NULL) OR (${valueExpr} IS NOT NULL AND ${columnExpr} = ${valueExpr}))`;
 }
@@ -1441,7 +1508,7 @@ function buildOrderEntries(orderBy) {
       } else {
         entries.push({
           field,
-          direction: value.sort,
+          direction: value.direction,
           nulls: value.nulls
         });
       }
@@ -1449,16 +1516,53 @@ function buildOrderEntries(orderBy) {
   }
   return entries;
 }
+function buildCursorCteSelectList(cursorEntries, orderEntries, model) {
+  const set = /* @__PURE__ */ new Set();
+  for (const [f] of cursorEntries) set.add(f);
+  for (const e of orderEntries) set.add(e.field);
+  const cols = [...set].map((f) => quoteColumn(model, f));
+  if (cols.length === 0) {
+    throw new Error("cursor cte select list is empty");
+  }
+  return cols.join(SQL_SEPARATORS.FIELD_LIST);
+}
+function truncateIdent(name, maxLen) {
+  const s = String(name);
+  if (s.length <= maxLen) return s;
+  return s.slice(0, maxLen);
+}
+function buildCursorNames(outerAlias) {
+  const maxLen = 63;
+  const base = outerAlias.toLowerCase();
+  const cteName = truncateIdent(`__tp_cursor_${base}`, maxLen);
+  const srcAlias = truncateIdent(`__tp_cursor_src_${base}`, maxLen);
+  if (cteName === outerAlias || srcAlias === outerAlias) {
+    return {
+      cteName: truncateIdent(`__tp_cursor_${base}_x`, maxLen),
+      srcAlias: truncateIdent(`__tp_cursor_src_${base}_x`, maxLen)
+    };
+  }
+  return { cteName, srcAlias };
+}
 function buildCursorCondition(cursor, orderBy, tableName, alias, params, dialect, model) {
   var _a;
+  assertSafeTableRef(tableName);
+  assertSafeAlias(alias);
   const d = dialect != null ? dialect : getGlobalDialect();
   const cursorEntries = Object.entries(cursor);
   if (cursorEntries.length === 0) {
     throw new Error("cursor must have at least one field");
   }
-  const cursorAlias = "__tp_cursor_src";
-  const { whereSql: cursorWhereSql, placeholdersByField } = buildCursorFilterParts(cursor, cursorAlias, params);
-  let orderEntries = buildOrderEntries(orderBy);
+  const { cteName, srcAlias } = buildCursorNames(alias);
+  assertSafeAlias(cteName);
+  assertSafeAlias(srcAlias);
+  const { whereSql: cursorWhereSql, placeholdersByField } = buildCursorFilterParts(cursor, srcAlias, params, model);
+  const deterministicOrderBy = ensureDeterministicOrderByInput({
+    orderBy,
+    model,
+    parseValue: parseOrderByValue
+  });
+  let orderEntries = buildOrderEntries(deterministicOrderBy);
   if (orderEntries.length === 0) {
     orderEntries = cursorEntries.map(([field]) => ({
       field,
@@ -1467,11 +1571,21 @@ function buildCursorCondition(cursor, orderBy, tableName, alias, params, dialect
   } else {
     orderEntries = ensureCursorFieldsInOrder(orderEntries, cursorEntries);
   }
-  const existsExpr = buildCursorRowExistsExpr(
-    tableName,
-    cursorAlias,
-    cursorWhereSql
+  const cursorOrderBy = orderEntries.map(
+    (e) => `${srcAlias}.${quoteColumn(model, e.field)} ${e.direction.toUpperCase()}`
+  ).join(", ");
+  const selectList = buildCursorCteSelectList(
+    cursorEntries,
+    orderEntries,
+    model
   );
+  const cte = `${cteName} AS (
+    SELECT ${selectList} FROM ${tableName} ${srcAlias}
+    WHERE ${cursorWhereSql}
+    ORDER BY ${cursorOrderBy}
+    LIMIT 1
+  )`;
+  const existsExpr = `EXISTS (SELECT 1 FROM ${cteName})`;
   const outerCursorMatch = buildOuterCursorMatch(
     cursor,
     alias,
@@ -1479,34 +1593,31 @@ function buildCursorCondition(cursor, orderBy, tableName, alias, params, dialect
     params,
     model
   );
+  const getValueExpr = (field) => {
+    return `(SELECT ${quoteColumn(model, field)} FROM ${cteName})`;
+  };
   const orClauses = [];
   for (let level = 0; level < orderEntries.length; level++) {
     const andParts = [];
     for (let i = 0; i < level; i++) {
       const e2 = orderEntries[i];
       const c2 = col(alias, e2.field, model);
-      const v2 = cursorValueExpr(
-        tableName,
-        cursorAlias,
-        cursorWhereSql,
-        e2.field);
+      const v2 = getValueExpr(e2.field);
       andParts.push(buildCursorEqualityExpr(c2, v2));
     }
     const e = orderEntries[level];
     const c = col(alias, e.field, model);
-    const v = cursorValueExpr(
-      tableName,
-      cursorAlias,
-      cursorWhereSql,
-      e.field);
+    const v = getValueExpr(e.field);
     const nulls = (_a = e.nulls) != null ? _a : defaultNullsFor(d, e.direction);
     andParts.push(buildCursorInequalityExpr(c, e.direction, nulls, v));
     orClauses.push(`(${andParts.join(SQL_SEPARATORS.CONDITION_AND)})`);
   }
   const exclusive = orClauses.join(SQL_SEPARATORS.CONDITION_OR);
-  return `(${existsExpr} ${SQL_SEPARATORS.CONDITION_AND} ((${exclusive})${SQL_SEPARATORS.CONDITION_OR}(${outerCursorMatch})))`;
+  const condition = `(${existsExpr} ${SQL_SEPARATORS.CONDITION_AND} ((${exclusive})${SQL_SEPARATORS.CONDITION_OR}(${outerCursorMatch})))`;
+  return { cte, condition };
 }
 function buildOrderBy(orderBy, alias, dialect, model) {
+  assertSafeAlias(alias);
   const entries = buildOrderEntries(orderBy);
   if (entries.length === 0) return "";
   const d = dialect != null ? dialect : getGlobalDialect();
@@ -1606,6 +1717,11 @@ function buildScalarOperator(expr, op, val, params, mode, fieldType, dialect) {
     }
     return handleInOperator(expr, op, val, params, dialect);
   }
+  if (op === Ops.EQUALS && mode === Modes.INSENSITIVE && !isNotNullish(dialect)) {
+    throw createError(`Insensitive equals requires a SQL dialect`, {
+      operator: op
+    });
+  }
   return handleComparisonOperator(expr, op, val, params);
 }
 function handleNullValue(expr, op) {
@@ -1621,6 +1737,28 @@ function normalizeMode(v) {
 function handleNotOperator(expr, val, params, outerMode, fieldType, dialect) {
   const innerMode = normalizeMode(val.mode);
   const effectiveMode = innerMode != null ? innerMode : outerMode;
+  const entries = Object.entries(val).filter(
+    ([k, v]) => k !== "mode" && v !== void 0
+  );
+  if (entries.length === 0) return "";
+  if (!isNotNullish(dialect)) {
+    const clauses = [];
+    for (const [subOp, subVal] of entries) {
+      const sub = buildScalarOperator(
+        expr,
+        subOp,
+        subVal,
+        params,
+        effectiveMode,
+        fieldType,
+        void 0
+      );
+      if (sub && sub.trim().length > 0) clauses.push(`(${sub})`);
+    }
+    if (clauses.length === 0) return "";
+    if (clauses.length === 1) return `${SQL_TEMPLATES.NOT} ${clauses[0]}`;
+    return `${SQL_TEMPLATES.NOT} (${clauses.join(` ${SQL_TEMPLATES.AND} `)})`;
+  }
   return buildNotComposite(
     expr,
     val,
@@ -1835,6 +1973,7 @@ function handleArrayIsEmpty(expr, val, dialect) {
 // src/builder/where/operators-json.ts
 var SAFE_JSON_PATH_SEGMENT = /^[a-zA-Z_]\w*$/;
+var MAX_PATH_SEGMENT_LENGTH = 255;
 function validateJsonPathSegments(segments) {
   for (const segment of segments) {
     if (typeof segment !== "string") {
@@ -1843,6 +1982,12 @@ function validateJsonPathSegments(segments) {
         value: segment
       });
     }
+    if (segment.length > MAX_PATH_SEGMENT_LENGTH) {
+      throw createError(
+        `JSON path segment too long: max ${MAX_PATH_SEGMENT_LENGTH} characters`,
+        { operator: Ops.PATH, value: `[${segment.length} chars]` }
+      );
+    }
     if (!SAFE_JSON_PATH_SEGMENT.test(segment)) {
       throw createError(
         `Invalid JSON path segment: '${segment}'. Must be alphanumeric with underscores, starting with letter or underscore.`,
@@ -1931,6 +2076,9 @@ function handleJsonWildcard(expr, op, val, params, wildcards, dialect) {
 // src/builder/where/relations.ts
 var NO_JOINS = Object.freeze([]);
+function freezeJoins(items) {
+  return Object.freeze([...items]);
+}
 function isListRelation(fieldType) {
   return typeof fieldType === "string" && fieldType.endsWith("[]");
 }
@@ -1993,7 +2141,7 @@ function buildListRelationFilters(args) {
         const whereClause = `${relAlias}.${quote(checkField.name)} IS NULL`;
         return Object.freeze({
           clause: whereClause,
-          joins: [leftJoinSql]
+          joins: freezeJoins([leftJoinSql])
         });
       }
     }
@@ -2198,7 +2346,7 @@ function assertValidOperator(fieldName, op, fieldType, path, modelName) {
     Ops.HAS_EVERY,
     Ops.IS_EMPTY
   ]);
-  const JSON_OPS = /* @__PURE__ */ new Set([
+  const JSON_OPS2 = /* @__PURE__ */ new Set([
     Ops.PATH,
     Ops.STRING_CONTAINS,
     Ops.STRING_STARTS_WITH,
@@ -2215,7 +2363,7 @@ function assertValidOperator(fieldName, op, fieldType, path, modelName) {
       modelName
     });
   }
-  const isJsonOp = JSON_OPS.has(op);
+  const isJsonOp = JSON_OPS2.has(op);
   const isFieldJson = isJsonType(fieldType);
   const jsonOpMismatch = isJsonOp && !isFieldJson;
   if (jsonOpMismatch) {
@@ -2229,6 +2377,14 @@ function assertValidOperator(fieldName, op, fieldType, path, modelName) {
 }
 // src/builder/where/builder.ts
+var MAX_QUERY_DEPTH = 50;
+var EMPTY_JOINS = Object.freeze([]);
+var JSON_OPS = /* @__PURE__ */ new Set([
+  Ops.PATH,
+  Ops.STRING_CONTAINS,
+  Ops.STRING_STARTS_WITH,
+  Ops.STRING_ENDS_WITH
+]);
 var WhereBuilder = class {
   build(where, ctx) {
     if (!isPlainObject(where)) {
@@ -2240,8 +2396,6 @@ var WhereBuilder = class {
     return buildWhereInternal(where, ctx, this);
   }
 };
-var MAX_QUERY_DEPTH = 50;
-var EMPTY_JOINS = Object.freeze([]);
 var whereBuilderInstance = new WhereBuilder();
 function freezeResult(clause, joins = EMPTY_JOINS) {
   return Object.freeze({ clause, joins });
@@ -2418,16 +2572,8 @@ function buildOperator(expr, op, val, ctx, mode, fieldType) {
   if (fieldType && isArrayType(fieldType)) {
     return buildArrayOperator(expr, op, val, ctx.params, fieldType, ctx.dialect);
   }
-  if (fieldType && isJsonType(fieldType)) {
-    const JSON_OPS = /* @__PURE__ */ new Set([
-      Ops.PATH,
-      Ops.STRING_CONTAINS,
-      Ops.STRING_STARTS_WITH,
-      Ops.STRING_ENDS_WITH
-    ]);
-    if (JSON_OPS.has(op)) {
-      return buildJsonOperator(expr, op, val, ctx.params, ctx.dialect);
-    }
+  if (fieldType && isJsonType(fieldType) && JSON_OPS.has(op)) {
+    return buildJsonOperator(expr, op, val, ctx.params, ctx.dialect);
   }
   return buildScalarOperator(
     expr,
@@ -2448,7 +2594,7 @@ function toSafeSqlIdentifier(input) {
   const base = startsOk ? cleaned : `_${cleaned}`;
   const fallback = base.length > 0 ? base : "_t";
   const lowered = fallback.toLowerCase();
-  return SQL_KEYWORDS.has(lowered) ? `_${lowered}` : lowered;
+  return ALIAS_FORBIDDEN_KEYWORDS.has(lowered) ? `_${lowered}` : lowered;
 }
 function createAliasGenerator(maxAliases = 1e4) {
   let counter = 0;
@@ -2658,6 +2804,7 @@ function toPublicResult(clause, joins, params) {
 // src/builder/where.ts
 function buildWhereClause(where, options) {
   var _a, _b, _c, _d, _e;
+  assertSafeAlias(options.alias);
   const dialect = options.dialect || getGlobalDialect();
   const params = (_a = options.params) != null ? _a : createParamStore();
   const ctx = {
@@ -2826,6 +2973,9 @@ function buildRelationSelect(relArgs, relModel, relAlias) {
 }
 // src/builder/select/includes.ts
+var MAX_INCLUDE_DEPTH = 10;
+var MAX_TOTAL_SUBQUERIES = 100;
+var MAX_TOTAL_INCLUDES = 50;
 function getRelationTableReference(relModel, dialect) {
   return buildTableReference(
     SQL_TEMPLATES.PUBLIC_SCHEMA,
@@ -2871,107 +3021,24 @@ function relationEntriesFromArgs(args, model) {
   pushFrom(args.select);
   return out;
 }
-function assertScalarField(model, fieldName) {
-  const f = model.fields.find((x) => x.name === fieldName);
-  if (!f) {
-    throw new Error(
-      `orderBy references unknown field '${fieldName}' on model ${model.name}`
-    );
-  }
-  if (f.isRelation) {
-    throw new Error(
-      `orderBy does not support relation field '${fieldName}' on model ${model.name}`
-    );
-  }
-}
-function validateOrderByDirection(fieldName, v) {
-  const s = String(v).toLowerCase();
-  if (s !== "asc" && s !== "desc") {
-    throw new Error(
-      `Invalid orderBy direction for '${fieldName}': ${String(v)}`
-    );
-  }
-}
-function validateOrderByObject(fieldName, v) {
-  if (!("sort" in v)) {
-    throw new Error(
-      `orderBy for '${fieldName}' must be 'asc' | 'desc' or { sort, nulls? }`
-    );
-  }
-  validateOrderByDirection(fieldName, v.sort);
-  if ("nulls" in v && isNotNullish(v.nulls)) {
-    const n = String(v.nulls).toLowerCase();
-    if (n !== "first" && n !== "last") {
-      throw new Error(
-        `Invalid orderBy.nulls for '${fieldName}': ${String(v.nulls)}`
-      );
-    }
-  }
-  const allowed = /* @__PURE__ */ new Set(["sort", "nulls"]);
-  for (const k of Object.keys(v)) {
-    if (!allowed.has(k)) {
-      throw new Error(`Unsupported orderBy key '${k}' for field '${fieldName}'`);
-    }
-  }
-}
-function normalizeOrderByFieldName(name) {
-  const fieldName = String(name).trim();
-  if (fieldName.length === 0) {
-    throw new Error("orderBy field name cannot be empty");
-  }
-  return fieldName;
-}
-function requirePlainObjectForOrderByEntry(v) {
-  if (typeof v !== "object" || v === null || Array.isArray(v)) {
-    throw new Error("orderBy array entries must be objects");
-  }
-  return v;
-}
-function parseSingleFieldOrderByObject(obj) {
-  const entries = Object.entries(obj);
-  if (entries.length !== 1) {
-    throw new Error("orderBy array entries must have exactly one field");
-  }
-  const fieldName = normalizeOrderByFieldName(entries[0][0]);
-  return [fieldName, entries[0][1]];
-}
-function parseOrderByArray(orderBy) {
-  return orderBy.map(
-    (item) => parseSingleFieldOrderByObject(requirePlainObjectForOrderByEntry(item))
-  );
-}
-function parseOrderByObject(orderBy) {
-  const out = [];
-  for (const [k, v] of Object.entries(orderBy)) {
-    out.push([normalizeOrderByFieldName(k), v]);
-  }
-  return out;
-}
-function getOrderByEntries(orderBy) {
-  if (!isNotNullish(orderBy)) return [];
-  if (Array.isArray(orderBy)) {
-    return parseOrderByArray(orderBy);
-  }
-  if (typeof orderBy === "object" && orderBy !== null) {
-    return parseOrderByObject(orderBy);
-  }
-  throw new Error("orderBy must be an object or array of objects");
-}
 function validateOrderByForModel(model, orderBy) {
-  const entries = getOrderByEntries(orderBy);
-  for (const [fieldName, v] of entries) {
-    assertScalarField(model, fieldName);
-    if (typeof v === "string") {
-      validateOrderByDirection(fieldName, v);
-      continue;
+  if (!isNotNullish(orderBy)) return;
+  const scalarSet = getScalarFieldSet(model);
+  const normalized = normalizeOrderByInput(orderBy, parseOrderByValue);
+  for (const item of normalized) {
+    const entries = Object.entries(item);
+    if (entries.length !== 1) {
+      throw new Error("orderBy array entries must have exactly one field");
     }
-    if (isPlainObject(v)) {
-      validateOrderByObject(fieldName, v);
-      continue;
+    const fieldName = String(entries[0][0]).trim();
+    if (fieldName.length === 0) {
+      throw new Error("orderBy field name cannot be empty");
+    }
+    if (!scalarSet.has(fieldName)) {
+      throw new Error(
+        `orderBy references unknown or non-scalar field '${fieldName}' on model ${model.name}`
+      );
     }
-    throw new Error(
-      `orderBy for '${fieldName}' must be 'asc' | 'desc' or { sort, nulls? }`
-    );
   }
 }
 function appendLimitOffset(sql, dialect, params, takeVal, skipVal, scope) {
@@ -3000,7 +3067,10 @@ function readWhereInput(relArgs) {
 function readOrderByInput(relArgs) {
   if (!isPlainObject(relArgs)) return { hasOrderBy: false, orderBy: void 0 };
   if (!("orderBy" in relArgs)) return { hasOrderBy: false, orderBy: void 0 };
-  return { hasOrderBy: true, orderBy: relArgs.orderBy };
+  return {
+    hasOrderBy: true,
+    orderBy: relArgs.orderBy
+  };
 }
 function extractRelationPaginationConfig(relArgs) {
   const { hasOrderBy, orderBy: rawOrderByInput } = readOrderByInput(relArgs);
@@ -3030,36 +3100,28 @@ function maybeReverseNegativeTake(takeVal, hasOrderBy, orderByInput) {
     orderByInput: reverseOrderByInput(orderByInput)
   };
 }
-function hasIdTiebreaker(orderByInput) {
-  const entries = Array.isArray(orderByInput) ? orderByInput : [orderByInput];
-  return entries.some(
-    (entry) => isPlainObject(entry) ? Object.prototype.hasOwnProperty.call(entry, "id") : false
-  );
-}
-function modelHasScalarId(relModel) {
-  const idField = relModel.fields.find((f) => f.name === "id");
-  return Boolean(idField && !idField.isRelation);
-}
-function addIdTiebreaker(orderByInput) {
-  if (Array.isArray(orderByInput)) return [...orderByInput, { id: "asc" }];
-  return [orderByInput, { id: "asc" }];
-}
-function ensureDeterministicOrderBy(relModel, hasOrderBy, orderByInput, hasPagination) {
-  if (!hasPagination) {
-    if (hasOrderBy && isNotNullish(orderByInput)) {
-      validateOrderByForModel(relModel, orderByInput);
+function ensureDeterministicOrderByForInclude(args) {
+  if (!args.hasPagination) {
+    if (args.hasOrderBy && isNotNullish(args.orderByInput)) {
+      validateOrderByForModel(args.relModel, args.orderByInput);
     }
-    return orderByInput;
+    return args.orderByInput;
   }
-  if (!hasOrderBy) {
-    return modelHasScalarId(relModel) ? { id: "asc" } : orderByInput;
+  if (!args.hasOrderBy) {
+    return ensureDeterministicOrderByInput({
+      orderBy: void 0,
+      model: args.relModel,
+      parseValue: parseOrderByValue
+    });
   }
-  if (isNotNullish(orderByInput)) {
-    validateOrderByForModel(relModel, orderByInput);
+  if (isNotNullish(args.orderByInput)) {
+    validateOrderByForModel(args.relModel, args.orderByInput);
   }
-  if (!modelHasScalarId(relModel)) return orderByInput;
-  if (hasIdTiebreaker(orderByInput)) return orderByInput;
-  return addIdTiebreaker(orderByInput);
+  return ensureDeterministicOrderByInput({
+    orderBy: args.orderByInput,
+    model: args.relModel,
+    parseValue: parseOrderByValue
+  });
 }
 function buildSelectWithNestedIncludes(relArgs, relModel, relAlias, ctx) {
   let relSelect = buildRelationSelect(relArgs, relModel, relAlias);
@@ -3070,7 +3132,10 @@ function buildSelectWithNestedIncludes(relArgs, relModel, relAlias, ctx) {
     relAlias,
     ctx.aliasGen,
     ctx.params,
-    ctx.dialect
+    ctx.dialect,
+    ctx.visitPath || [],
+    (ctx.depth || 0) + 1,
+    ctx.stats
   ) : [];
   if (isNonEmptyArray(nestedIncludes)) {
     const emptyJson = ctx.dialect === "postgres" ? `'[]'::json` : `json('[]')`;
@@ -3220,12 +3285,12 @@ function buildSingleInclude(relName, relArgs, field, relModel, ctx) {
     paginationConfig.orderBy
   );
   const hasPagination = paginationConfig.hasSkip || paginationConfig.hasTake;
-  const finalOrderByInput = ensureDeterministicOrderBy(
+  const finalOrderByInput = ensureDeterministicOrderByForInclude({
     relModel,
-    paginationConfig.hasOrderBy,
-    adjusted.orderByInput,
+    hasOrderBy: paginationConfig.hasOrderBy,
+    orderByInput: adjusted.orderByInput,
     hasPagination
-  );
+  });
   const orderBySql = buildOrderBySql(
     finalOrderByInput,
     relAlias,
@@ -3266,12 +3331,48 @@ function buildSingleInclude(relName, relArgs, field, relModel, ctx) {
     ctx
   });
 }
-function buildIncludeSqlInternal(args, model, schemas, parentAlias, aliasGen, params, dialect) {
+function buildIncludeSqlInternal(args, model, schemas, parentAlias, aliasGen, params, dialect, visitPath = [], depth = 0, stats) {
+  if (!stats) {
+    stats = { totalIncludes: 0, totalSubqueries: 0, maxDepth: 0 };
+  }
+  if (depth > MAX_INCLUDE_DEPTH) {
+    throw new Error(
+      `Maximum include depth of ${MAX_INCLUDE_DEPTH} exceeded. Path: ${visitPath.join(" -> ")}. Deep includes cause exponential SQL complexity and performance issues.`
+    );
+  }
+  stats.maxDepth = Math.max(stats.maxDepth, depth);
   const includes = [];
   const entries = relationEntriesFromArgs(args, model);
   for (const [relName, relArgs] of entries) {
     if (relArgs === false) continue;
+    stats.totalIncludes++;
+    if (stats.totalIncludes > MAX_TOTAL_INCLUDES) {
+      throw new Error(
+        `Maximum total includes (${MAX_TOTAL_INCLUDES}) exceeded. Current: ${stats.totalIncludes} includes. Query has ${stats.maxDepth} levels deep. Simplify your query structure or use multiple queries.`
+      );
+    }
+    stats.totalSubqueries++;
+    if (stats.totalSubqueries > MAX_TOTAL_SUBQUERIES) {
+      throw new Error(
+        `Query complexity limit exceeded: ${stats.totalSubqueries} subqueries generated. Maximum allowed: ${MAX_TOTAL_SUBQUERIES}. This indicates exponential include nesting. Stats: depth=${stats.maxDepth}, includes=${stats.totalIncludes}. Path: ${visitPath.join(" -> ")}. Simplify your include structure or split into multiple queries.`
+      );
+    }
     const resolved = resolveRelationOrThrow(model, schemas, relName);
+    const relationPath = `${model.name}.${relName}`;
+    const currentPath = [...visitPath, relationPath];
+    if (visitPath.includes(relationPath)) {
+      throw new Error(
+        `Circular include detected: ${currentPath.join(" -> ")}. Relation '${relationPath}' creates an infinite loop.`
+      );
+    }
+    const modelOccurrences = currentPath.filter(
+      (p) => p.startsWith(`${resolved.relModel.name}.`)
+    ).length;
+    if (modelOccurrences > 2) {
+      throw new Error(
+        `Include too deeply nested: model '${resolved.relModel.name}' appears ${modelOccurrences} times in path: ${currentPath.join(" -> ")}`
+      );
+    }
     const include = buildSingleInclude(
       relName,
       relArgs,
@@ -3283,7 +3384,10 @@ function buildIncludeSqlInternal(args, model, schemas, parentAlias, aliasGen, pa
         parentAlias,
         aliasGen,
         dialect,
-        params
+        params,
+        visitPath: currentPath,
+        depth: depth + 1,
+        stats
       }
     );
     includes.push(include);
@@ -3292,6 +3396,11 @@ function buildIncludeSqlInternal(args, model, schemas, parentAlias, aliasGen, pa
 }
 function buildIncludeSql(args, model, schemas, parentAlias, params, dialect) {
   const aliasGen = createAliasGenerator();
+  const stats = {
+    totalIncludes: 0,
+    totalSubqueries: 0,
+    maxDepth: 0
+  };
   return buildIncludeSqlInternal(
     args,
     model,
@@ -3299,7 +3408,10 @@ function buildIncludeSql(args, model, schemas, parentAlias, params, dialect) {
     parentAlias,
     aliasGen,
     params,
-    dialect
+    dialect,
+    [],
+    0,
+    stats
   );
 }
 function resolveCountRelationOrThrow(relName, model, schemas) {
@@ -3315,6 +3427,11 @@ function resolveCountRelationOrThrow(relName, model, schemas) {
       `_count.${relName} references unknown relation on model ${model.name}`
     );
   }
+  if (!isValidRelationField(field)) {
+    throw new Error(
+      `_count.${relName} has invalid relation metadata on model ${model.name}`
+    );
+  }
   const relModel = schemas.find((m) => m.name === field.relatedModel);
   if (!relModel) {
     throw new Error(
@@ -3323,31 +3440,81 @@ function resolveCountRelationOrThrow(relName, model, schemas) {
   }
   return { field, relModel };
 }
-function groupByColForCount(field, countAlias) {
-  const fkFields = normalizeKeyList(field.foreignKey);
-  const refFields = normalizeKeyList(field.references);
-  return field.isForeignKeyLocal ? `${countAlias}.${quote(refFields[0] || "id")}` : `${countAlias}.${quote(fkFields[0])}`;
+function defaultReferencesForCount(fkCount) {
+  if (fkCount === 1) return ["id"];
+  throw new Error(
+    "Relation count for composite keys requires explicit references matching foreignKey length"
+  );
 }
-function leftJoinOnForCount(field, parentAlias, joinAlias) {
+function resolveCountKeyPairs(field) {
   const fkFields = normalizeKeyList(field.foreignKey);
-  const refFields = normalizeKeyList(field.references);
-  return field.isForeignKeyLocal ? `${joinAlias}.__fk = ${parentAlias}.${quote(fkFields[0])}` : `${joinAlias}.__fk = ${parentAlias}.${quote(refFields[0] || "id")}`;
+  if (fkFields.length === 0) {
+    throw new Error("Relation count requires foreignKey");
+  }
+  const refsRaw = field.references;
+  const refs = normalizeKeyList(refsRaw);
+  const refFields = refs.length > 0 ? refs : defaultReferencesForCount(fkFields.length);
+  if (refFields.length !== fkFields.length) {
+    throw new Error(
+      "Relation count requires references count to match foreignKey count"
+    );
+  }
+  const relKeyFields = field.isForeignKeyLocal ? refFields : fkFields;
+  const parentKeyFields = field.isForeignKeyLocal ? fkFields : refFields;
+  return { relKeyFields, parentKeyFields };
+}
+function aliasQualifiedColumn(alias, model, field) {
+  return `${alias}.${quoteColumn(model, field)}`;
+}
+function subqueryForCount(args) {
+  const selectKeys = args.relKeyFields.map(
+    (f, i) => `${aliasQualifiedColumn(args.countAlias, args.relModel, f)} AS "__fk${i}"`
+  ).join(SQL_SEPARATORS.FIELD_LIST);
+  const groupByKeys = args.relKeyFields.map((f) => aliasQualifiedColumn(args.countAlias, args.relModel, f)).join(SQL_SEPARATORS.FIELD_LIST);
+  const cntExpr = args.dialect === "postgres" ? "COUNT(*)::int AS __cnt" : "COUNT(*) AS __cnt";
+  return `(SELECT ${selectKeys}${SQL_SEPARATORS.FIELD_LIST}${cntExpr} FROM ${args.relTable} ${args.countAlias} GROUP BY ${groupByKeys})`;
+}
+function leftJoinOnForCount(args) {
+  const parts = args.parentKeyFields.map(
+    (f, i) => `${args.joinAlias}."__fk${i}" = ${aliasQualifiedColumn(args.parentAlias, args.parentModel, f)}`
+  );
+  return parts.length === 1 ? parts[0] : `(${parts.join(" AND ")})`;
 }
-function subqueryForCount(dialect, relTable, countAlias, groupByCol) {
-  return dialect === "postgres" ? `(SELECT ${groupByCol} AS __fk, COUNT(*)::int AS __cnt FROM ${relTable} ${countAlias} GROUP BY ${groupByCol})` : `(SELECT ${groupByCol} AS __fk, COUNT(*) AS __cnt FROM ${relTable} ${countAlias} GROUP BY ${groupByCol})`;
+function nextAliasAvoiding(aliasGen, base, forbidden) {
+  let a = aliasGen.next(base);
+  while (forbidden.has(a)) {
+    a = aliasGen.next(base);
+  }
+  return a;
 }
 function buildCountJoinAndPair(args) {
   const relTable = getRelationTableReference(args.relModel, args.dialect);
-  const countAlias = `__tp_cnt_${args.relName}`;
-  const groupByCol = groupByColForCount(args.field, countAlias);
-  const subquery = subqueryForCount(
-    args.dialect,
+  const { relKeyFields, parentKeyFields } = resolveCountKeyPairs(args.field);
+  const forbidden = /* @__PURE__ */ new Set([args.parentAlias]);
+  const countAlias = nextAliasAvoiding(
+    args.aliasGen,
+    `__tp_cnt_${args.relName}`,
+    forbidden
+  );
+  forbidden.add(countAlias);
+  const subquery = subqueryForCount({
+    dialect: args.dialect,
     relTable,
     countAlias,
-    groupByCol
+    relModel: args.relModel,
+    relKeyFields
+  });
+  const joinAlias = nextAliasAvoiding(
+    args.aliasGen,
+    `__tp_cnt_j_${args.relName}`,
+    forbidden
   );
-  const joinAlias = `__tp_cnt_j_${args.relName}`;
-  const leftJoinOn = leftJoinOnForCount(args.field, args.parentAlias, joinAlias);
+  const leftJoinOn = leftJoinOnForCount({
+    joinAlias,
+    parentAlias: args.parentAlias,
+    parentModel: args.parentModel,
+    parentKeyFields
+  });
   return {
     joinSql: `LEFT JOIN ${subquery} ${joinAlias} ON ${leftJoinOn}`,
     pairSql: `${sqlStringLiteral(args.relName)}, COALESCE(${joinAlias}.__cnt, 0)`
@@ -3356,6 +3523,7 @@ function buildCountJoinAndPair(args) {
 function buildRelationCountSql(countSelect, model, schemas, parentAlias, _params, dialect) {
   const joins = [];
   const pairs = [];
+  const aliasGen = createAliasGenerator();
   for (const [relName, shouldCount] of Object.entries(countSelect)) {
     if (!shouldCount) continue;
     const resolved = resolveCountRelationOrThrow(relName, model, schemas);
@@ -3363,8 +3531,10 @@ function buildRelationCountSql(countSelect, model, schemas, parentAlias, _params
       relName,
       field: resolved.field,
       relModel: resolved.relModel,
+      parentModel: model,
       parentAlias,
-      dialect
+      dialect,
+      aliasGen
     });
     joins.push(built.joinSql);
     pairs.push(built.pairSql);
@@ -3376,13 +3546,21 @@ function buildRelationCountSql(countSelect, model, schemas, parentAlias, _params
 }
 // src/builder/select/assembly.ts
-var SIMPLE_SELECT_RE_CACHE = /* @__PURE__ */ new Map();
+var ALIAS_CAPTURE = "([A-Za-z_][A-Za-z0-9_]*)";
+var COLUMN_PART = '(?:"([^"]+)"|([a-z_][a-z0-9_]*))';
+var AS_PART = `(?:\\s+AS\\s+${COLUMN_PART})?`;
+var SIMPLE_COLUMN_PATTERN = `^${ALIAS_CAPTURE}\\.${COLUMN_PART}${AS_PART}$`;
+var SIMPLE_COLUMN_RE = new RegExp(SIMPLE_COLUMN_PATTERN, "i");
 function joinNonEmpty(parts, sep) {
   return parts.filter((s) => s.trim().length > 0).join(sep);
 }
 function buildWhereSql(conditions) {
   if (!isNonEmptyArray(conditions)) return "";
-  return ` ${SQL_TEMPLATES.WHERE} ${conditions.join(SQL_SEPARATORS.CONDITION_AND)}`;
+  const parts = [
+    SQL_TEMPLATES.WHERE,
+    conditions.join(SQL_SEPARATORS.CONDITION_AND)
+  ];
+  return ` ${parts.join(" ")}`;
 }
 function buildJoinsSql(...joinGroups) {
   const all = [];
@@ -3397,37 +3575,39 @@ function buildSelectList(baseSelect, extraCols) {
   if (base && extra) return `${base}${SQL_SEPARATORS.FIELD_LIST}${extra}`;
   return base || extra;
 }
-function finalizeSql(sql, params) {
+function finalizeSql(sql, params, dialect) {
   const snapshot = params.snapshot();
   validateSelectQuery(sql);
-  validateParamConsistency(sql, snapshot.params);
+  validateParamConsistencyByDialect(sql, snapshot.params, dialect);
   return Object.freeze({
     sql,
     params: snapshot.params,
-    paramMappings: snapshot.mappings
+    paramMappings: Object.freeze(snapshot.mappings)
   });
 }
-function parseSimpleScalarSelect(select, alias) {
-  var _a, _b;
+function parseSimpleScalarSelect(select, fromAlias) {
+  var _a, _b, _c, _d;
   const raw = select.trim();
   if (raw.length === 0) return [];
-  let re = SIMPLE_SELECT_RE_CACHE.get(alias);
-  if (!re) {
-    const safeAlias2 = alias.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    re = new RegExp(`^${safeAlias2}\\.(?:"([^"]+)"|([a-z_][a-z0-9_]*))$`, "i");
-    SIMPLE_SELECT_RE_CACHE.set(alias, re);
-  }
   const parts = raw.split(SQL_SEPARATORS.FIELD_LIST);
   const names = [];
   for (const part of parts) {
     const p = part.trim();
-    const m = p.match(re);
+    const m = p.match(SIMPLE_COLUMN_RE);
     if (!m) {
       throw new Error(
-        `sqlite distinct emulation requires scalar select fields to be simple columns. Got: ${p}`
+        `sqlite distinct emulation requires scalar select fields to be simple columns (optionally with AS). Got: ${p}`
+      );
+    }
+    const actualAlias = m[1];
+    if (actualAlias.toLowerCase() !== fromAlias.toLowerCase()) {
+      throw new Error(
+        `Expected alias '${fromAlias}', got '${actualAlias}' in: ${p}`
       );
     }
-    const name = ((_b = (_a = m[1]) != null ? _a : m[2]) != null ? _b : "").trim();
+    const columnName = ((_b = (_a = m[2]) != null ? _a : m[3]) != null ? _b : "").trim();
+    const outAlias = ((_d = (_c = m[4]) != null ? _c : m[5]) != null ? _d : "").trim();
+    const name = outAlias.length > 0 ? outAlias : columnName;
     if (name.length === 0) {
       throw new Error(`Failed to parse selected column name from: ${p}`);
     }
@@ -3436,18 +3616,18 @@ function parseSimpleScalarSelect(select, alias) {
   return names;
 }
 function replaceOrderByAlias(orderBy, fromAlias, outerAlias) {
-  const needle = `${fromAlias}.`;
-  const replacement = `${outerAlias}.`;
-  return orderBy.split(needle).join(replacement);
+  const src = String(fromAlias);
+  if (src.length === 0) return orderBy;
+  const escaped = src.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const re = new RegExp(`\\b${escaped}\\.`, "gi");
+  return orderBy.replace(re, `${outerAlias}.`);
 }
 function buildDistinctColumns(distinct, fromAlias, model) {
   return distinct.map((f) => col(fromAlias, f, model)).join(SQL_SEPARATORS.FIELD_LIST);
 }
 function buildOutputColumns(scalarNames, includeNames, hasCount) {
   const outputCols = [...scalarNames, ...includeNames];
-  if (hasCount) {
-    outputCols.push("_count");
-  }
+  if (hasCount) outputCols.push("_count");
   const formatted = outputCols.map((n) => quote(n)).join(SQL_SEPARATORS.FIELD_LIST);
   if (!isNonEmptyString(formatted)) {
     throw new Error("distinct emulation requires at least one output column");
@@ -3456,9 +3636,10 @@ function buildOutputColumns(scalarNames, includeNames, hasCount) {
 }
 function buildWindowOrder(args) {
   const { baseOrder, idField, fromAlias, model } = args;
+  const fromLower = String(fromAlias).toLowerCase();
   const orderFields = baseOrder.split(SQL_SEPARATORS.ORDER_BY).map((s) => s.trim().toLowerCase());
   const hasIdInOrder = orderFields.some(
-    (f) => f.startsWith(`${fromAlias}.id `) || f.startsWith(`${fromAlias}."id" `)
+    (f) => f.startsWith(`${fromLower}.id `) || f.startsWith(`${fromLower}."id" `)
   );
   if (hasIdInOrder) return baseOrder;
   const idTiebreaker = idField ? `, ${col(fromAlias, "id", model)} ASC` : "";
@@ -3493,15 +3674,37 @@ function buildSqliteDistinctQuery(spec, selectWithIncludes, countJoins) {
   const outerOrder = isNonEmptyString(orderBy) ? replaceOrderByAlias(orderBy, from.alias, `"__tp_distinct"`) : replaceOrderByAlias(fallbackOrder, from.alias, `"__tp_distinct"`);
   const joins = buildJoinsSql(whereJoins, countJoins);
   const conditions = [];
-  if (whereClause && whereClause !== "1=1") {
-    conditions.push(whereClause);
-  }
+  if (whereClause && whereClause !== "1=1") conditions.push(whereClause);
   const whereSql = buildWhereSql(conditions);
   const innerSelectList = selectWithIncludes.trim();
   const innerComma = innerSelectList.length > 0 ? SQL_SEPARATORS.FIELD_LIST : "";
-  const inner = `${SQL_TEMPLATES.SELECT} ${innerSelectList}${innerComma}ROW_NUMBER() OVER (PARTITION BY ${distinctCols} ORDER BY ${windowOrder}) ${SQL_TEMPLATES.AS} "__tp_rn" ${SQL_TEMPLATES.FROM} ${from.table} ${from.alias}${joins}${whereSql}`;
-  const outer = `${SQL_TEMPLATES.SELECT} ${outerSelectCols} ${SQL_TEMPLATES.FROM} (${inner}) ${SQL_TEMPLATES.AS} "__tp_distinct" ${SQL_TEMPLATES.WHERE} "__tp_rn" = 1` + (isNonEmptyString(outerOrder) ? ` ${SQL_TEMPLATES.ORDER_BY} ${outerOrder}` : "");
-  return outer;
+  const innerParts = [
+    SQL_TEMPLATES.SELECT,
+    innerSelectList + innerComma,
+    `ROW_NUMBER() OVER (PARTITION BY ${distinctCols} ORDER BY ${windowOrder})`,
+    SQL_TEMPLATES.AS,
+    '"__tp_rn"',
+    SQL_TEMPLATES.FROM,
+    from.table,
+    from.alias
+  ];
+  if (joins) innerParts.push(joins);
+  if (whereSql) innerParts.push(whereSql);
+  const inner = innerParts.filter(Boolean).join(" ");
+  const outerParts = [
+    SQL_TEMPLATES.SELECT,
+    outerSelectCols,
+    SQL_TEMPLATES.FROM,
+    `(${inner})`,
+    SQL_TEMPLATES.AS,
+    '"__tp_distinct"',
+    SQL_TEMPLATES.WHERE,
+    '"__tp_rn" = 1'
+  ];
+  if (isNonEmptyString(outerOrder)) {
+    outerParts.push(SQL_TEMPLATES.ORDER_BY, outerOrder);
+  }
+  return outerParts.filter(Boolean).join(" ");
 }
 function buildIncludeColumns(spec) {
   var _a, _b;
@@ -3629,6 +3832,7 @@ function constructFinalSql(spec) {
     orderBy,
     distinct,
     method,
+    cursorCte,
     cursorClause,
     params,
     dialect,
@@ -3643,9 +3847,13 @@ function constructFinalSql(spec) {
     const spec2 = withCountJoins(spec, countJoins, whereJoins);
     let sql2 = buildSqliteDistinctQuery(spec2, selectWithIncludes).trim();
     sql2 = appendPagination(sql2, spec);
-    return finalizeSql(sql2, params);
+    return finalizeSql(sql2, params, dialect);
   }
-  const parts = [SQL_TEMPLATES.SELECT];
+  const parts = [];
+  if (cursorCte) {
+    parts.push(`WITH ${cursorCte}`);
+  }
+  parts.push(SQL_TEMPLATES.SELECT);
   const distinctOn = dialect === "postgres" ? buildPostgresDistinctOnClause(from.alias, distinct, model) : null;
   if (distinctOn) parts.push(distinctOn);
   const baseSelect = (select != null ? select : "").trim();
@@ -3661,7 +3869,41 @@ function constructFinalSql(spec) {
   if (isNonEmptyString(orderBy)) parts.push(SQL_TEMPLATES.ORDER_BY, orderBy);
   let sql = parts.join(" ").trim();
   sql = appendPagination(sql, spec);
-  return finalizeSql(sql, params);
+  return finalizeSql(sql, params, dialect);
+}
+// src/builder/shared/validators/field-assertions.ts
+var NUMERIC_TYPES = /* @__PURE__ */ new Set(["Int", "Float", "Decimal", "BigInt"]);
+function assertScalarField(model, fieldName, context) {
+  const field = getFieldInfo(model, fieldName);
+  if (!field) {
+    throw createError(
+      `${context} references unknown field '${fieldName}' on model ${model.name}`,
+      {
+        field: fieldName,
+        modelName: model.name,
+        availableFields: model.fields.map((f) => f.name)
+      }
+    );
+  }
+  if (field.isRelation) {
+    throw createError(
+      `${context} does not support relation field '${fieldName}'`,
+      { field: fieldName, modelName: model.name }
+    );
+  }
+  return field;
+}
+function assertNumericField(model, fieldName, context) {
+  const field = assertScalarField(model, fieldName, context);
+  const baseType = field.type.replace(/\[\]|\?/g, "");
+  if (!NUMERIC_TYPES.has(baseType)) {
+    throw createError(
+      `${context} requires numeric field, got '${field.type}'`,
+      { field: fieldName, modelName: model.name }
+    );
+  }
+  return field;
 }
 // src/builder/select.ts
@@ -3694,7 +3936,7 @@ function buildPostgresDistinctOrderBy(distinctFields, existing) {
   }
   return next;
 }
-function applyPostgresDistinctOrderBy(args, _model) {
+function applyPostgresDistinctOrderBy(args) {
   const distinctFields = normalizeDistinctFields(args.distinct);
   if (distinctFields.length === 0) return args;
   if (!isNotNullish(args.orderBy)) return args;
@@ -3704,19 +3946,6 @@ function applyPostgresDistinctOrderBy(args, _model) {
     orderBy: buildPostgresDistinctOrderBy(distinctFields, existing)
   });
 }
-function assertScalarFieldOnModel(model, fieldName, ctx) {
-  const f = model.fields.find((x) => x.name === fieldName);
-  if (!f) {
-    throw new Error(
-      `${ctx} references unknown field '${fieldName}' on model ${model.name}`
-    );
-  }
-  if (f.isRelation) {
-    throw new Error(
-      `${ctx} does not support relation field '${fieldName}' on model ${model.name}`
-    );
-  }
-}
 function validateDistinct(model, distinct) {
   if (!isNotNullish(distinct) || !isNonEmptyArray(distinct)) return;
   const seen = /* @__PURE__ */ new Set();
@@ -3727,24 +3956,24 @@ function validateDistinct(model, distinct) {
       throw new Error(`distinct must not contain duplicates (field: '${f}')`);
     }
     seen.add(f);
-    assertScalarFieldOnModel(model, f, "distinct");
+    assertScalarField(model, f, "distinct");
   }
 }
-function validateOrderByValue(fieldName, v) {
-  parseOrderByValue(v, fieldName);
-}
 function validateOrderBy(model, orderBy) {
   if (!isNotNullish(orderBy)) return;
   const items = normalizeOrderByInput2(orderBy);
   if (items.length === 0) return;
   for (const it of items) {
     const entries = Object.entries(it);
+    if (entries.length !== 1) {
+      throw new Error("orderBy array entries must have exactly one field");
+    }
     const fieldName = String(entries[0][0]).trim();
     if (fieldName.length === 0) {
       throw new Error("orderBy field name cannot be empty");
     }
-    assertScalarFieldOnModel(model, fieldName, "orderBy");
-    validateOrderByValue(fieldName, entries[0][1]);
+    assertScalarField(model, fieldName, "orderBy");
+    parseOrderByValue(entries[0][1], fieldName);
   }
 }
 function validateCursor(model, cursor) {
@@ -3761,7 +3990,7 @@ function validateCursor(model, cursor) {
     if (f.length === 0) {
       throw new Error("cursor field name cannot be empty");
     }
-    assertScalarFieldOnModel(model, f, "cursor");
+    assertScalarField(model, f, "cursor");
   }
 }
 function resolveDialect(dialect) {
@@ -3780,20 +4009,21 @@ function normalizeArgsForNegativeTake(method, args) {
     orderBy: reverseOrderByInput(args.orderBy)
   });
 }
-function normalizeArgsForDialect(dialect, args, model) {
+function normalizeArgsForDialect(dialect, args) {
   if (dialect !== "postgres") return args;
   return applyPostgresDistinctOrderBy(args);
 }
 function buildCursorClauseIfAny(input) {
-  const { cursor, orderBy, tableName, alias, params, dialect } = input;
-  if (!isNotNullish(cursor)) return void 0;
+  const { cursor, orderBy, tableName, alias, params, dialect, model } = input;
+  if (!isNotNullish(cursor)) return {};
   return buildCursorCondition(
     cursor,
     orderBy,
     tableName,
     alias,
     params,
-    dialect
+    dialect,
+    model
   );
 }
 function buildSelectSpec(input) {
@@ -3832,14 +4062,20 @@ function buildSelectSpec(input) {
     params,
     dialect
   );
-  const cursorClause = buildCursorClauseIfAny({
+  const cursorResult = buildCursorClauseIfAny({
     cursor,
     orderBy: normalizedArgs.orderBy,
     tableName,
     alias,
     params,
-    dialect
+    dialect,
+    model
   });
+  if (dialect === "sqlite" && isNonEmptyArray(normalizedArgs.distinct) && cursorResult.condition) {
+    throw new Error(
+      "Cursor pagination with distinct is not supported in SQLite due to window function limitations. Use findMany with skip/take instead, or remove distinct."
+    );
+  }
   return {
     select: selectFields,
     includes,
@@ -3850,7 +4086,8 @@ function buildSelectSpec(input) {
     pagination: { take, skip },
     distinct: normalizedArgs.distinct,
     method,
-    cursorClause,
+    cursorCte: cursorResult.cte,
+    cursorClause: cursorResult.condition,
     params,
     dialect,
     model,
@@ -3864,9 +4101,7 @@ function buildSelectSql(input) {
   assertSafeTableRef(from.tableName);
   const dialectToUse = resolveDialect(dialect);
   const argsForSql = normalizeArgsForNegativeTake(method, args);
-  const normalizedArgs = normalizeArgsForDialect(
-    dialectToUse,
-    argsForSql);
+  const normalizedArgs = normalizeArgsForDialect(dialectToUse, argsForSql);
   validateDistinct(model, normalizedArgs.distinct);
   validateOrderBy(model, normalizedArgs.orderBy);
   validateCursor(model, normalizedArgs.cursor);
@@ -3882,8 +4117,21 @@ function buildSelectSql(input) {
   });
   return constructFinalSql(spec);
 }
-var MODEL_FIELD_CACHE = /* @__PURE__ */ new WeakMap();
-var NUMERIC_TYPES = /* @__PURE__ */ new Set(["Int", "Float", "Decimal", "BigInt"]);
+// src/builder/shared/comparison-builder.ts
+function buildComparisons(expr, filter, params, dialect, builder, excludeKeys = /* @__PURE__ */ new Set(["mode"])) {
+  const out = [];
+  for (const [op, val] of Object.entries(filter)) {
+    if (excludeKeys.has(op) || val === void 0) continue;
+    const built = builder(expr, op, val, params, dialect);
+    if (built && built.trim().length > 0) {
+      out.push(built);
+    }
+  }
+  return out;
+}
+// src/builder/aggregates.ts
 var AGGREGATES = [
   ["_sum", "SUM"],
   ["_avg", "AVG"],
@@ -3898,16 +4146,16 @@ var COMPARISON_OPS = {
   [Ops.LT]: "<",
   [Ops.LTE]: "<="
 };
-function getModelFieldMap(model) {
-  const cached = MODEL_FIELD_CACHE.get(model);
-  if (cached) return cached;
-  const m = /* @__PURE__ */ new Map();
-  for (const f of model.fields) {
-    m.set(f.name, { name: f.name, type: f.type, isRelation: !!f.isRelation });
-  }
-  MODEL_FIELD_CACHE.set(model, m);
-  return m;
-}
+var HAVING_ALLOWED_OPS = /* @__PURE__ */ new Set([
+  Ops.EQUALS,
+  Ops.NOT,
+  Ops.GT,
+  Ops.GTE,
+  Ops.LT,
+  Ops.LTE,
+  Ops.IN,
+  Ops.NOT_IN
+]);
 function isTruthySelection(v) {
   return v === true;
 }
@@ -3949,24 +4197,10 @@ function normalizeLogicalValue2(operator, value) {
   }
   throw new Error(`${operator} must be an object or array of objects in HAVING`);
 }
-function assertScalarField2(model, fieldName, ctx) {
-  const m = getModelFieldMap(model);
-  const field = m.get(fieldName);
-  if (!field) {
-    throw new Error(
-      `${ctx} references unknown field '${fieldName}' on model ${model.name}. Available fields: ${model.fields.map((f) => f.name).join(", ")}`
-    );
-  }
-  if (field.isRelation) {
-    throw new Error(`${ctx} does not support relation field '${fieldName}'`);
-  }
-  return { name: field.name, type: field.type };
-}
-function assertAggregateFieldType(aggKey, fieldType, fieldName, modelName) {
-  const baseType = fieldType.replace(/\[\]|\?/g, "");
-  if ((aggKey === "_sum" || aggKey === "_avg") && !NUMERIC_TYPES.has(baseType)) {
+function assertHavingOp(op) {
+  if (!HAVING_ALLOWED_OPS.has(op)) {
     throw new Error(
-      `Cannot use ${aggKey} on non-numeric field '${fieldName}' (type: ${fieldType}) on model ${modelName}`
+      `Unsupported HAVING operator '${op}'. Allowed: ${[...HAVING_ALLOWED_OPS].join(", ")}`
     );
   }
 }
@@ -3996,6 +4230,7 @@ function buildBinaryComparison(expr, op, val, params) {
   return `${expr} ${sqlOp} ${placeholder}`;
 }
 function buildSimpleComparison(expr, op, val, params, dialect) {
+  assertHavingOp(op);
   if (val === null) return buildNullComparison(expr, op);
   if (op === Ops.NOT && isPlainObject(val)) {
     return buildNotComposite(
@@ -4084,20 +4319,19 @@ function assertHavingAggTarget(aggKey, field, model) {
     }
     return;
   }
-  const f = assertScalarField2(model, field, "HAVING");
-  assertAggregateFieldType(aggKey, f.type, f.name, model.name);
+  if (aggKey === "_sum" || aggKey === "_avg") {
+    assertNumericField(model, field, "HAVING");
+  } else {
+    assertScalarField(model, field, "HAVING");
+  }
 }
 function buildHavingOpsForExpr(expr, filter, params, dialect) {
-  const out = [];
-  for (const [op, val] of Object.entries(filter)) {
-    if (op === "mode") continue;
-    const built = buildSimpleComparison(expr, op, val, params, dialect);
-    if (built && built.trim().length > 0) out.push(built);
-  }
-  return out;
+  return buildComparisons(expr, filter, params, dialect, buildSimpleComparison);
 }
 function buildHavingForAggregateFirstShape(aggKey, target, alias, params, dialect, model) {
-  if (!isPlainObject(target)) return [];
+  if (!isPlainObject(target)) {
+    throw new Error(`HAVING '${aggKey}' must be an object`);
+  }
   const out = [];
   for (const [field, filter] of Object.entries(target)) {
     assertHavingAggTarget(aggKey, field, model);
@@ -4108,30 +4342,39 @@ function buildHavingForAggregateFirstShape(aggKey, target, alias, params, dialec
   return out;
 }
 function buildHavingForFieldFirstShape(fieldName, target, alias, params, dialect, model) {
-  if (!isPlainObject(target)) return [];
-  const field = assertScalarField2(model, fieldName, "HAVING");
+  if (!isPlainObject(target)) {
+    throw new Error(`HAVING '${fieldName}' must be an object`);
+  }
+  assertScalarField(model, fieldName, "HAVING");
   const out = [];
   const obj = target;
   const keys = ["_count", "_sum", "_avg", "_min", "_max"];
   for (const aggKey of keys) {
     const aggFilter = obj[aggKey];
     if (!isPlainObject(aggFilter)) continue;
-    assertAggregateFieldType(aggKey, field.type, field.name, model.name);
+    if (aggKey === "_sum" || aggKey === "_avg") {
+      assertNumericField(model, fieldName, "HAVING");
+    }
     const entries = Object.entries(aggFilter);
     if (entries.length === 0) continue;
     const expr = aggExprForField(aggKey, fieldName, alias, model);
-    for (const [op, val] of entries) {
-      if (op === "mode") continue;
-      const built = buildSimpleComparison(expr, op, val, params, dialect);
-      if (built && built.trim().length > 0) out.push(built);
-    }
+    const clauses = buildComparisons(
+      expr,
+      aggFilter,
+      params,
+      dialect,
+      buildSimpleComparison
+    );
+    out.push(...clauses);
   }
   return out;
 }
 function buildHavingClause(having, alias, params, model, dialect) {
   if (!isNotNullish(having)) return "";
   const d = dialect != null ? dialect : getGlobalDialect();
-  if (!isPlainObject(having)) return "";
+  if (!isPlainObject(having)) {
+    throw new Error("having must be an object");
+  }
   return buildHavingNode(having, alias, params, d, model);
 }
 function normalizeCountArg(v) {
@@ -4145,18 +4388,8 @@ function pushCountAllField(fields) {
     `${SQL_TEMPLATES.COUNT_ALL} ${SQL_TEMPLATES.AS} ${quote("_count._all")}`
   );
 }
-function assertCountableScalarField(fieldMap, model, fieldName) {
-  const field = fieldMap.get(fieldName);
-  if (!field) {
-    throw new Error(
-      `Field '${fieldName}' does not exist on model ${model.name}`
-    );
-  }
-  if (field.isRelation) {
-    throw new Error(
-      `Cannot use _count on relation field '${fieldName}' on model ${model.name}`
-    );
-  }
+function assertCountableScalarField(model, fieldName) {
+  assertScalarField(model, fieldName, "_count");
 }
 function pushCountField(fields, alias, fieldName, model) {
   const outAlias = `_count.${fieldName}`;
@@ -4164,7 +4397,7 @@ function pushCountField(fields, alias, fieldName, model) {
     `COUNT(${col(alias, fieldName, model)}) ${SQL_TEMPLATES.AS} ${quote(outAlias)}`
   );
 }
-function addCountFields(fields, countArg, alias, model, fieldMap) {
+function addCountFields(fields, countArg, alias, model) {
   if (!isNotNullish(countArg)) return;
   if (countArg === true) {
     pushCountAllField(fields);
@@ -4178,7 +4411,7 @@ function addCountFields(fields, countArg, alias, model, fieldMap) {
     ([f, v]) => f !== "_all" && isTruthySelection(v)
   );
   for (const [f] of selected) {
-    assertCountableScalarField(fieldMap, model, f);
+    assertCountableScalarField(model, f);
     pushCountField(fields, alias, f, model);
   }
 }
@@ -4186,19 +4419,12 @@ function getAggregateSelectionObject(args, agg) {
   const obj = args[agg];
   return isPlainObject(obj) ? obj : void 0;
 }
-function assertAggregatableScalarField(fieldMap, model, agg, fieldName) {
-  const field = fieldMap.get(fieldName);
-  if (!field) {
-    throw new Error(
-      `Field '${fieldName}' does not exist on model ${model.name}`
-    );
-  }
-  if (field.isRelation) {
-    throw new Error(
-      `Cannot use ${agg} on relation field '${fieldName}' on model ${model.name}`
-    );
+function assertAggregatableScalarField(model, agg, fieldName) {
+  if (agg === "_sum" || agg === "_avg") {
+    assertNumericField(model, fieldName, agg);
+  } else {
+    assertScalarField(model, fieldName, agg);
   }
-  return field;
 }
 function pushAggregateFieldSql(fields, aggFn, alias, agg, fieldName, model) {
   const outAlias = `${agg}.${fieldName}`;
@@ -4206,7 +4432,7 @@ function pushAggregateFieldSql(fields, aggFn, alias, agg, fieldName, model) {
     `${aggFn}(${col(alias, fieldName, model)}) ${SQL_TEMPLATES.AS} ${quote(outAlias)}`
   );
 }
-function addAggregateFields(fields, args, alias, model, fieldMap) {
+function addAggregateFields(fields, args, alias, model) {
   for (const [agg, aggFn] of AGGREGATES) {
     const obj = getAggregateSelectionObject(args, agg);
     if (!obj) continue;
@@ -4214,23 +4440,16 @@ function addAggregateFields(fields, args, alias, model, fieldMap) {
       if (fieldName === "_all")
         throw new Error(`'${agg}' does not support '_all'`);
       if (!isTruthySelection(selection)) continue;
-      const field = assertAggregatableScalarField(
-        fieldMap,
-        model,
-        agg,
-        fieldName
-      );
-      assertAggregateFieldType(agg, field.type, fieldName, model.name);
+      assertAggregatableScalarField(model, agg, fieldName);
       pushAggregateFieldSql(fields, aggFn, alias, agg, fieldName, model);
     }
   }
 }
 function buildAggregateFields(args, alias, model) {
   const fields = [];
-  const fieldMap = getModelFieldMap(model);
   const countArg = normalizeCountArg(args._count);
-  addCountFields(fields, countArg, alias, model, fieldMap);
-  addAggregateFields(fields, args, alias, model, fieldMap);
+  addCountFields(fields, countArg, alias, model);
+  addAggregateFields(fields, args, alias, model);
   return fields;
 }
 function buildAggregateSql(args, whereResult, tableName, alias, model) {
@@ -4267,32 +4486,24 @@ function assertGroupByBy(args, model) {
   if (bySet.size !== byFields.length) {
     throw new Error("buildGroupBySql: by must not contain duplicates");
   }
-  const modelFieldMap = getModelFieldMap(model);
   for (const f of byFields) {
-    const field = modelFieldMap.get(f);
-    if (!field) {
-      throw new Error(
-        `groupBy.by references unknown field '${f}' on model ${model.name}`
-      );
-    }
-    if (field.isRelation) {
-      throw new Error(
-        `groupBy.by does not support relation field '${f}' on model ${model.name}`
-      );
-    }
+    assertScalarField(model, f, "groupBy.by");
   }
   return byFields;
 }
 function buildGroupBySelectParts(args, alias, model, byFields) {
   const groupCols = byFields.map((f) => col(alias, f, model));
+  const selectCols = byFields.map((f) => colWithAlias(alias, f, model));
   const groupFields = groupCols.join(SQL_SEPARATORS.FIELD_LIST);
   const aggFields = buildAggregateFields(args, alias, model);
-  const selectFields = isNonEmptyArray(aggFields) ? groupCols.concat(aggFields).join(SQL_SEPARATORS.FIELD_LIST) : groupCols.join(SQL_SEPARATORS.FIELD_LIST);
+  const selectFields = isNonEmptyArray(aggFields) ? selectCols.concat(aggFields).join(SQL_SEPARATORS.FIELD_LIST) : selectCols.join(SQL_SEPARATORS.FIELD_LIST);
   return { groupCols, groupFields, selectFields };
 }
 function buildGroupByHaving(args, alias, params, model, dialect) {
   if (!isNotNullish(args.having)) return "";
-  if (!isPlainObject(args.having)) return "";
+  if (!isPlainObject(args.having)) {
+    throw new Error("having must be an object");
+  }
   const h = buildHavingClause(args.having, alias, params, model, dialect);
   if (!h || h.trim().length === 0) return "";
   return `${SQL_TEMPLATES.HAVING} ${h}`;
@@ -4325,63 +4536,61 @@ function buildGroupBySql(args, whereResult, tableName, alias, model, dialect) {
   const snapshot = params.snapshot();
   validateSelectQuery(sql);
   validateParamConsistency(sql, [...whereResult.params, ...snapshot.params]);
+  const mergedParams = [...whereResult.params, ...snapshot.params];
   return Object.freeze({
     sql,
-    params: Object.freeze([...whereResult.params, ...snapshot.params]),
+    params: Object.freeze(mergedParams),
     paramMappings: Object.freeze([
       ...whereResult.paramMappings,
       ...snapshot.mappings
     ])
   });
 }
-function buildCountSql(whereResult, tableName, alias, skip, dialect) {
+function buildCountSql(whereResult, tableName, alias, skip, _dialect) {
   assertSafeAlias(alias);
   assertSafeTableRef(tableName);
-  const d = getGlobalDialect();
+  if (skip !== void 0 && skip !== null) {
+    if (schemaParser.isDynamicParameter(skip)) {
+      throw new Error(
+        "count() with skip is not supported because it produces nondeterministic results. Dynamic skip cannot be validated at build time. Use findMany().length or add explicit orderBy + cursor/skip logic in a deterministic query."
+      );
+    }
+    if (typeof skip === "string") {
+      const s = skip.trim();
+      if (s.length > 0) {
+        const n = Number(s);
+        if (Number.isFinite(n) && Number.isInteger(n) && n > 0) {
+          throw new Error(
+            "count() with skip is not supported because it produces nondeterministic results. Use findMany().length or add explicit orderBy to ensure deterministic behavior."
+          );
+        }
+      }
+    }
+    if (typeof skip === "number" && Number.isFinite(skip) && Number.isInteger(skip) && skip > 0) {
+      throw new Error(
+        "count() with skip is not supported because it produces nondeterministic results. Use findMany().length or add explicit orderBy to ensure deterministic behavior."
+      );
+    }
+  }
   const whereClause = isValidWhereClause(whereResult.clause) ? `${SQL_TEMPLATES.WHERE} ${whereResult.clause}` : "";
-  const params = createParamStore(whereResult.nextParamIndex);
-  const baseSubSelect = [
-    SQL_TEMPLATES.SELECT,
-    "1",
-    SQL_TEMPLATES.FROM,
-    tableName,
-    alias,
-    whereClause
-  ].filter((x) => x && String(x).trim().length > 0).join(" ").trim();
-  const normalizedSkip = normalizeSkipLike(skip);
-  const subSelect = applyCountSkip(baseSubSelect, normalizedSkip, params, d);
   const sql = [
     SQL_TEMPLATES.SELECT,
     SQL_TEMPLATES.COUNT_ALL,
     SQL_TEMPLATES.AS,
     quote("_count._all"),
     SQL_TEMPLATES.FROM,
-    `(${subSelect})`,
-    SQL_TEMPLATES.AS,
-    `"sub"`
+    tableName,
+    alias,
+    whereClause
   ].filter((x) => x && String(x).trim().length > 0).join(" ").trim();
   validateSelectQuery(sql);
-  const snapshot = params.snapshot();
-  const mergedParams = [...whereResult.params, ...snapshot.params];
-  validateParamConsistency(sql, mergedParams);
+  validateParamConsistency(sql, whereResult.params);
   return Object.freeze({
     sql,
-    params: Object.freeze(mergedParams),
-    paramMappings: Object.freeze([
-      ...whereResult.paramMappings,
-      ...snapshot.mappings
-    ])
+    params: Object.freeze([...whereResult.params]),
+    paramMappings: Object.freeze([...whereResult.paramMappings])
   });
 }
-function applyCountSkip(subSelect, normalizedSkip, params, dialect) {
-  const shouldApply = schemaParser.isDynamicParameter(normalizedSkip) || typeof normalizedSkip === "number" && normalizedSkip > 0;
-  if (!shouldApply) return subSelect;
-  const placeholder = addAutoScoped(params, normalizedSkip, "count.skip");
-  if (dialect === "sqlite") {
-    return `${subSelect} ${SQL_TEMPLATES.LIMIT} -1 ${SQL_TEMPLATES.OFFSET} ${placeholder}`;
-  }
-  return `${subSelect} ${SQL_TEMPLATES.OFFSET} ${placeholder}`;
-}
 function safeAlias(input) {
   const raw = String(input).toLowerCase();
   const cleaned = raw.replace(/[^a-z0-9_]/g, "_");
@@ -4531,8 +4740,12 @@ function buildAndNormalizeSql(args) {
   );
 }
 function finalizeDirective(args) {
-  const { directive, normalizedSql, normalizedMappings } = args;
-  validateSqlPositions(normalizedSql, normalizedMappings, getGlobalDialect());
+  const { directive, normalizedSql, normalizedMappings, dialect } = args;
+  const params = normalizedMappings.map((m) => {
+    var _a;
+    return (_a = m.value) != null ? _a : void 0;
+  });
+  validateParamConsistencyByDialect(normalizedSql, params, dialect);
   const { staticParams, dynamicKeys } = buildParamsFromMappings(normalizedMappings);
   return {
     method: directive.method,
@@ -4569,7 +4782,8 @@ function generateSQL(directive) {
   return finalizeDirective({
     directive,
     normalizedSql: normalized.sql,
-    normalizedMappings: normalized.paramMappings
+    normalizedMappings: normalized.paramMappings,
+    dialect
   });
 }
 function generateSQL2(directive) {
@@ -4677,18 +4891,57 @@ function generateCode(models, queries, dialect, datamodel) {
   return `// Generated by @prisma-sql/generator - DO NOT EDIT
 import { buildSQL, transformQueryResults, type PrismaMethod, type Model } from 'prisma-sql'
-function normalizeValue(value: unknown): unknown {
+/**
+ * Normalize values for SQL params.
+ * Synced from src/utils/normalize-value.ts
+ */
+function normalizeValue(value: unknown, seen = new WeakSet<object>(), depth = 0): unknown {
+  const MAX_DEPTH = 20
+  if (depth > MAX_DEPTH) {
+    throw new Error(\`Max normalization depth exceeded (\${MAX_DEPTH} levels)\`)
+  }
   if (value instanceof Date) {
+    const t = value.getTime()
+    if (!Number.isFinite(t)) {
+      throw new Error('Invalid Date value in SQL params')
+    }
     return value.toISOString()
   }
+  if (typeof value === 'bigint') {
+    return value.toString()
+  }
   if (Array.isArray(value)) {
-    return value.map(normalizeValue)
+    const arrRef = value as unknown as object
+    if (seen.has(arrRef)) {
+      throw new Error('Circular reference in SQL params')
+    }
+    seen.add(arrRef)
+    const out = value.map((v) => normalizeValue(v, seen, depth + 1))
+    seen.delete(arrRef)
+    return out
+  }
+  if (value && typeof value === 'object') {
+    if (value instanceof Uint8Array) return value
+    if (typeof Buffer !== 'undefined' && Buffer.isBuffer(value)) return value
+    const proto = Object.getPrototypeOf(value)
+    const isPlain = proto === Object.prototype || proto === null
+    if (!isPlain) return value
+    const obj = value as Record<string, unknown>
+    if (seen.has(obj)) {
+      throw new Error('Circular reference in SQL params')
+    }
+    seen.add(obj)
+    const out: Record<string, unknown> = {}
+    for (const [k, v] of Object.entries(obj)) {
+      out[k] = normalizeValue(v, seen, depth + 1)
+    }
+    seen.delete(obj)
+    return out
   }
   return value
 }
 export const MODELS: Model[] = ${JSON.stringify(cleanModels, null, 2)}
 const ENUM_MAPPINGS: Record<string, Record<string, string>> = ${JSON.stringify(mappings, null, 2)}