reltype 0.1.6 → 0.1.7

package/CHANGELOG.md

@@ -6,6 +6,40 @@ This project adheres to [Semantic Versioning](https://semver.org/).
 
 ---
 
+## [0.1.6] — 2026-03-19
+
+### Security — SQL Injection 전면 차단
+
+이번 릴리즈에서는 SQL Injection 취약점을 방어하기 위한 `sqlGuard` 유틸리티를 도입하고,
+모든 SQL 식별자(컬럼명, 테이블명, 집계 함수 등)에 대한 검증·이스케이프를 적용했습니다.
+
+#### 신규 파일
+
+- **`src/utils/sqlGuard.ts`** — SQL 보안 유틸리티 신규 추가
+  - `quoteIdentifier(raw)` — 식별자 패턴 검증 후 PostgreSQL 표준 이중 따옴표 이스케이프 (`"` → `""`)
+  - `escapeSchemaIdentifier(name)` — 스키마·테이블 정의 시 `"` 이스케이프 (패턴 검증 없음, 개발자 제어 값)
+  - `validateOrderDir(dir)` — ORDER BY 방향 화이트리스트 (ASC/DESC)
+  - `validateAggregateFn(fn)` — 집계 함수 화이트리스트 (COUNT/SUM/AVG/MIN/MAX)
+  - `validateJoinType(type)` — JOIN 타입 화이트리스트 (INNER/LEFT/RIGHT/FULL)
+  - 유효하지 않은 값 감지 시 `logger.error` 로 기록 후 안전한 기본값 반환 (no-throw 정책 준수)
+
+#### 수정 파일
+
+| 파일 | 수정 내용 |
+|---|---|
+| `src/features/schema/table.ts` | `escapeSchemaIdentifier` 적용 — 식별자 내 `"` 이중 이스케이프 |
+| `src/features/query/where.ts` | 컬럼명에 `quoteIdentifier` 적용 |
+| `src/features/query/insert.ts` | INSERT 컬럼명에 `quoteIdentifier` 적용 |
+| `src/features/query/update.ts` | SET 절 컬럼명에 `quoteIdentifier` 적용 |
+| `src/features/query/upsert.ts` | INSERT 컬럼명·`conflictCol`에 `quoteIdentifier` 적용, `EXCLUDED."col"` 이스케이프 |
+| `src/features/query/bulkInsert.ts` | INSERT 컬럼명에 `quoteIdentifier` 적용 |
+| `src/features/query/select.ts` | ORDER BY 컬럼 `quoteIdentifier`, 방향 `validateOrderDir` 적용 |
+| `src/features/query/builder.ts` | `renderCond`·`buildJoinSQL`·`buildGroupBySQL`·`buildOrderBySQL`·`calculate` 전체에 가드 적용, `cursorColumn` 사전 검증 추가 |
+| `src/index.ts` | `sqlGuard` 유틸리티 공개 export 추가 |
+| `src/utils/index.ts` | `sqlGuard` re-export 추가 |
+
+---
+
 ## [0.1.5] — 2026-03-19
 
 ### Changed

package/dist/features/query/builder.d.ts

@@ -71,18 +71,28 @@ export declare class QueryBuilder<T extends Record<string, unknown>> {
      */
     groupBy(columns: Array<keyof T | string>): this;
     /**
-     * JOIN 추가 (여러 번 호출 가능)
+     * JOIN 추가 (여러 번 호출 가능).
+     * `table`은 `quoteIdentifier`로 자동 검증됩니다.
+     * `type`(INNER/LEFT/RIGHT/FULL)은 화이트리스트로 검증됩니다.
      *
      * @example
      * .join({ table: 'orders', on: 'users.id = orders.user_id', type: 'LEFT' })
      *
-     * @security `on` 절은 애플리케이션 코드에서 정적으로 구성해야 합니다.
-     *           사용자 입력을 직접 전달하면 SQL Injection 위험이 있습니다.
+     * @security `on` 절(JOIN 조건)은 반드시 애플리케이션 코드에서 정적으로 구성해야 합니다.
+     *           사용자 입력을 `on` 에 직접 전달하면 SQL Injection 위험이 있습니다.
+     *           `table`, `type` 은 내부적으로 검증됩니다.
      */
     join(j: JoinClause): this;
     /**
      * SELECT 할 컬럼 지정 (기본값: *)
+     *
+     * 단순 컬럼명 및 `table.column` 표기법을 사용하세요.
+     * 집계 표현식(`COUNT(orders.id) AS cnt`)도 허용하지만,
+     * **사용자 입력을 직접 전달하면 SQL Injection 위험이 있습니다.**
+     * 복잡한 표현식은 정적으로 구성된 문자열만 전달하세요.
+     *
      * @example .columns(['id', 'email', 'firstName'])
+     * @example .columns(['users.id', 'orders.total'])
      */
     columns(cols: Array<keyof T | string>): this;
     /**

package/dist/features/query/builder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../../src/features/query/builder.ts"],"names":[],"mappings":"AAKA,OAAO,EACL,aAAa,EAEb,UAAU,EACV,aAAa,EACb,YAAY,EACZ,UAAU,EACV,aAAa,EAEb,kBAAkB,EAClB,gBAAgB,EAChB,UAAU,EACV,SAAS,EACV,MAAM,uBAAuB,CAAC;AA4D/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,qBAAa,YAAY,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IACzD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,SAAS,CAAkB;IACnC,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,eAAe,CAAmD;IAC1E,OAAO,CAAC,SAAS,CAAC,CAAS;IAC3B,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,OAAO,CAAC,YAAY,CAAiB;IACrC,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,KAAK,CAAO;IACpB,OAAO,CAAC,UAAU,CAAC,CAAe;gBAEtB,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC;IASvD,gBAAgB;IAChB,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,IAAI;IAKzC,eAAe;IACf,EAAE,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,IAAI;IAKtC;;;OAGG;IACH,OAAO,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI;IAQ1C,KAAK,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAKtB,MAAM,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAKvB;;;OAGG;IACH,OAAO,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,IAAI;IAK/C;;;;;;;;OAQG;IACH,IAAI,CAAC,CAAC,EAAE,UAAU,GAAG,IAAI;IAKzB;;;OAGG;IACH,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,IAAI;IAK5C;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI;IAO5B;;;OAGG;IACG,IAAI,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC;IAK1B;;;OAGG;IACG,GAAG,IAAI,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAK9B;;;;;;;;;;;;OAYG;IACG,SAAS,CAAC,GAAG,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAoBvE;;;;;;;;;;;;OAYG;IACG,QAAQ,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAqE1D;;;;;;;;;;;;;;;;;;;;;OAqBG;IACG,cAAc,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;IA4C5E;;;;;;;;;;;;;;;;OAgBG;IACG,OAAO,CACX,EAAE,EAAE,CAAC,KAAK,EAAE,CAAC,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,EACjC,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC,IAAI,CAAC;IA0BhB;;;;;;;;;;;;OAYG;IACI,MAAM,CAAC,IAAI,CAAC,EAAE,UAAU,GAAG,cAAc,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC;IA2BlE;;;;;;;;;OASG;IACH,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,cAAc,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC;IAI1D;;;;;;;;;;;OAWG;IACG,OAAO,CAAC,OAAO,UAAQ,GAAG,OAAO,CAAC,MAAM,CAAC;IAS/C;;;OAGG;IACH,KAAK,IAAI;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,EAAE,CAAA;KAAE;IAI3C;;;;;;;;;;;OAWG;WACU,GAAG,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1E,GAAG,EAAE,MAAM,EACX,MAAM,CAAC,EAAE,OAAO,EAAE,GACjB,OAAO,CAAC,CAAC,EAAE,CAAC;IAYf;;;;OAIG;IACH,KAAK,IAAI,YAAY,CAAC,CAAC,CAAC;IAgBxB,IAAI,CAAC,CAAC,EACJ,WAAW,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,SAAS,EACpE,UAAU,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,OAAO,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,SAAS,GACxE,OAAO,CAAC,CAAC,CAAC;IAIb,KAAK,CAAC,CAAC,GAAG,KAAK,EACb,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,OAAO,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,SAAS,GACvE,OAAO,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAMnB,OAAO,CAAC,eAAe;IAgBvB,OAAO,CAAC,YAAY;IAMpB,OAAO,CAAC,eAAe;IAMvB,OAAO,CAAC,eAAe;IAMvB,OAAO,CAAC,cAAc;IAuBtB;;OAEG;YACW,QAAQ;CA0CvB"}
+{"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../../src/features/query/builder.ts"],"names":[],"mappings":"AAWA,OAAO,EACL,aAAa,EAEb,UAAU,EACV,aAAa,EACb,YAAY,EACZ,UAAU,EACV,aAAa,EAEb,kBAAkB,EAClB,gBAAgB,EAChB,UAAU,EACV,SAAS,EACV,MAAM,uBAAuB,CAAC;AA8D/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,qBAAa,YAAY,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IACzD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,SAAS,CAAkB;IACnC,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,eAAe,CAAmD;IAC1E,OAAO,CAAC,SAAS,CAAC,CAAS;IAC3B,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,OAAO,CAAC,YAAY,CAAiB;IACrC,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,KAAK,CAAO;IACpB,OAAO,CAAC,UAAU,CAAC,CAAe;gBAEtB,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC;IASvD,gBAAgB;IAChB,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,IAAI;IAKzC,eAAe;IACf,EAAE,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,IAAI;IAKtC;;;OAGG;IACH,OAAO,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI;IAQ1C,KAAK,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAKtB,MAAM,CAAC,CAAC,EAAE,MAAM,GAAG,IAAI;IAKvB;;;OAGG;IACH,OAAO,CAAC,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,IAAI;IAK/C;;;;;;;;;;;OAWG;IACH,IAAI,CAAC,CAAC,EAAE,UAAU,GAAG,IAAI;IAKzB;;;;;;;;;;OAUG;IACH,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,IAAI;IAK5C;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI;IAO5B;;;OAGG;IACG,IAAI,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC;IAK1B;;;OAGG;IACG,GAAG,IAAI,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAK9B;;;;;;;;;;;;OAYG;IACG,SAAS,CAAC,GAAG,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAyBvE;;;;;;;;;;;;OAYG;IACG,QAAQ,CAAC,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAqE1D;;;;;;;;;;;;;;;;;;;;;OAqBG;IACG,cAAc,CAAC,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;IAoD5E;;;;;;;;;;;;;;;;OAgBG;IACG,OAAO,CACX,EAAE,EAAE,CAAC,KAAK,EAAE,CAAC,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,EACjC,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC,IAAI,CAAC;IA0BhB;;;;;;;;;;;;OAYG;IACI,MAAM,CAAC,IAAI,CAAC,EAAE,UAAU,GAAG,cAAc,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC;IA2BlE;;;;;;;;;OASG;IACH,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,cAAc,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC;IAI1D;;;;;;;;;;;OAWG;IACG,OAAO,CAAC,OAAO,UAAQ,GAAG,OAAO,CAAC,MAAM,CAAC;IAS/C;;;OAGG;IACH,KAAK,IAAI;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,EAAE,CAAA;KAAE;IAI3C;;;;;;;;;;;OAWG;WACU,GAAG,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1E,GAAG,EAAE,MAAM,EACX,MAAM,CAAC,EAAE,OAAO,EAAE,GACjB,OAAO,CAAC,CAAC,EAAE,CAAC;IAYf;;;;OAIG;IACH,KAAK,IAAI,YAAY,CAAC,CAAC,CAAC;IAgBxB,IAAI,CAAC,CAAC,EACJ,WAAW,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,SAAS,EACpE,UAAU,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,OAAO,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,SAAS,GACxE,OAAO,CAAC,CAAC,CAAC;IAIb,KAAK,CAAC,CAAC,GAAG,KAAK,EACb,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,OAAO,KAAK,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,SAAS,GACvE,OAAO,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAMnB,OAAO,CAAC,eAAe;IAgBvB,OAAO,CAAC,YAAY;IAUpB,OAAO,CAAC,eAAe;IAMvB,OAAO,CAAC,eAAe;IAMvB,OAAO,CAAC,cAAc;IAuBtB;;OAEG;YACW,QAAQ;CA0CvB"}

package/dist/features/query/builder.js

@@ -6,6 +6,7 @@ const mapper_1 = require("../transform/mapper");
 const case_1 = require("../transform/case");
 const logger_1 = require("../../utils/logger");
 const dbError_1 = require("../../utils/dbError");
+const sqlGuard_1 = require("../../utils/sqlGuard");
 const logger = logger_1.Logger.fromEnv(process.env, { prefix: '[Query]' });
 // ── 내부 유틸 ──────────────────────────────────────────────────────────────
 function isWhereVal(val) {
@@ -33,19 +34,20 @@ function parseWhere(where) {
     return conds;
 }
 function renderCond(c, params) {
+    const col = (0, sqlGuard_1.quoteIdentifier)(c.col);
     switch (c.op) {
         case 'IS NULL':
         case 'IS NOT NULL':
-            return `${c.col} ${c.op}`;
+            return `${col} ${c.op}`;
         case 'IN':
         case 'NOT IN': {
             const arr = Array.isArray(c.val) ? c.val : [c.val];
             const phs = arr.map((v) => { params.push(v); return `$${params.length}`; });
-            return `${c.col} ${c.op} (${phs.join(', ')})`;
+            return `${col} ${c.op} (${phs.join(', ')})`;
         }
         default:
             params.push(c.val);
-            return `${c.col} ${c.op} $${params.length}`;
+            return `${col} ${c.op} $${params.length}`;
     }
 }
 // ── QueryBuilder ────────────────────────────────────────────────────────────
@@ -123,7 +125,7 @@ class QueryBuilder {
     orderBy(clauses) {
         this._orderByClauses = clauses.map(({ column, direction }) => ({
             col: (0, case_1.toSnake)(String(column)),
-            dir: direction ?? 'ASC',
+            dir: (0, sqlGuard_1.validateOrderDir)(direction ?? 'ASC'),
         }));
         return this;
     }
@@ -144,13 +146,16 @@ class QueryBuilder {
         return this;
     }
     /**
-     * JOIN 추가 (여러 번 호출 가능)
+     * JOIN 추가 (여러 번 호출 가능).
+     * `table`은 `quoteIdentifier`로 자동 검증됩니다.
+     * `type`(INNER/LEFT/RIGHT/FULL)은 화이트리스트로 검증됩니다.
      *
      * @example
      * .join({ table: 'orders', on: 'users.id = orders.user_id', type: 'LEFT' })
      *
-     * @security `on` 절은 애플리케이션 코드에서 정적으로 구성해야 합니다.
-     *           사용자 입력을 직접 전달하면 SQL Injection 위험이 있습니다.
+     * @security `on` 절(JOIN 조건)은 반드시 애플리케이션 코드에서 정적으로 구성해야 합니다.
+     *           사용자 입력을 `on` 에 직접 전달하면 SQL Injection 위험이 있습니다.
+     *           `table`, `type` 은 내부적으로 검증됩니다.
      */
     join(j) {
         this._joins.push(j);
@@ -158,7 +163,14 @@ class QueryBuilder {
     }
     /**
      * SELECT 할 컬럼 지정 (기본값: *)
+     *
+     * 단순 컬럼명 및 `table.column` 표기법을 사용하세요.
+     * 집계 표현식(`COUNT(orders.id) AS cnt`)도 허용하지만,
+     * **사용자 입력을 직접 전달하면 SQL Injection 위험이 있습니다.**
+     * 복잡한 표현식은 정적으로 구성된 문자열만 전달하세요.
+     *
      * @example .columns(['id', 'email', 'firstName'])
+     * @example .columns(['users.id', 'orders.total'])
      */
     columns(cols) {
         this._cols = cols.map((c) => (0, case_1.toSnake)(String(c))).join(', ');
@@ -216,14 +228,19 @@ class QueryBuilder {
     async calculate(fns) {
         const { whereSQL, params } = this.buildWhereParts();
         const selects = fns
-            .map(({ fn, column, alias }) => `${fn}(${column ?? '*'}) AS ${alias}`)
+            .map(({ fn, column, alias }) => {
+            const safeFn = (0, sqlGuard_1.validateAggregateFn)(fn);
+            const safeCol = column ? (0, sqlGuard_1.quoteIdentifier)((0, case_1.toSnake)(column)) : '*';
+            const safeAlias = (0, sqlGuard_1.quoteIdentifier)(alias);
+            return `${safeFn}(${safeCol}) AS ${safeAlias}`;
+        })
             .join(', ');
         const sql = [
             `SELECT ${selects}`,
             `FROM ${this._table}`,
-            ...this._joins.map((j) => `${j.type ?? 'INNER'} JOIN ${j.table} ON ${j.on}`),
+            this.buildJoinSQL(),
             whereSQL,
-            this._groupByCols.length > 0 ? `GROUP BY ${this._groupByCols.join(', ')}` : '',
+            this._groupByCols.length > 0 ? `GROUP BY ${this._groupByCols.map(sqlGuard_1.quoteIdentifier).join(', ')}` : '',
         ]
             .filter(Boolean)
             .join(' ');
@@ -323,6 +340,11 @@ class QueryBuilder {
     async cursorPaginate(opts) {
         const { pageSize, cursor, cursorColumn, direction = 'asc' } = opts;
         const colSnake = (0, case_1.toSnake)(cursorColumn);
+        // cursorColumn 유효성 검증 (내부에서 quoteIdentifier가 렌더 시 재검증함)
+        if (!colSnake || (0, sqlGuard_1.quoteIdentifier)(colSnake) === '""') {
+            logger.error(`cursorPaginate [${this._table}]: 유효하지 않은 cursorColumn "${cursorColumn}".`);
+            return { data: [], nextCursor: null, pageSize, hasNext: false };
+        }
         let cursorValue;
         if (cursor) {
             try {
@@ -538,17 +560,21 @@ class QueryBuilder {
     }
     buildJoinSQL() {
         return this._joins
-            .map((j) => `${j.type ?? 'INNER'} JOIN ${j.table} ON ${j.on}`)
+            .map((j) => {
+            const type = (0, sqlGuard_1.validateJoinType)(j.type ?? 'INNER');
+            const table = (0, sqlGuard_1.quoteIdentifier)(j.table);
+            return `${type} JOIN ${table} ON ${j.on}`;
+        })
             .join(' ');
     }
     buildGroupBySQL() {
         return this._groupByCols.length > 0
-            ? `GROUP BY ${this._groupByCols.join(', ')}`
+            ? `GROUP BY ${this._groupByCols.map(sqlGuard_1.quoteIdentifier).join(', ')}`
             : '';
     }
     buildOrderBySQL() {
         return this._orderByClauses.length > 0
-            ? `ORDER BY ${this._orderByClauses.map((o) => `${o.col} ${o.dir}`).join(', ')}`
+            ? `ORDER BY ${this._orderByClauses.map((o) => `${(0, sqlGuard_1.quoteIdentifier)(o.col)} ${o.dir}`).join(', ')}`
             : '';
     }
     buildSelectSQL() {

package/dist/features/query/bulkInsert.d.ts

@@ -1,6 +1,7 @@
 import { BuiltQuery } from './interfaces/Query';
 /**
  * 여러 row를 한 번의 INSERT 쿼리로 삽입합니다.
+ * 모든 컬럼명은 `quoteIdentifier`로 검증 및 이스케이프됩니다.
  *
  * @param table - 테이블명
  * @param rows  - 삽입할 데이터 배열 (camelCase key)

package/dist/features/query/bulkInsert.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bulkInsert.d.ts","sourceRoot":"","sources":["../../../src/features/query/bulkInsert.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAQhD;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAC9B,UAAU,CA4BZ"}
+{"version":3,"file":"bulkInsert.d.ts","sourceRoot":"","sources":["../../../src/features/query/bulkInsert.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAQhD;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,GAC9B,UAAU,CA4BZ"}

package/dist/features/query/bulkInsert.js

@@ -2,10 +2,12 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildBulkInsert = buildBulkInsert;
 const case_1 = require("../transform/case");
+const sqlGuard_1 = require("../../utils/sqlGuard");
 const logger_1 = require("../../utils/logger");
 const logger = logger_1.Logger.fromEnv(process.env, { prefix: '[Query]' });
 /**
  * 여러 row를 한 번의 INSERT 쿼리로 삽입합니다.
+ * 모든 컬럼명은 `quoteIdentifier`로 검증 및 이스케이프됩니다.
  *
  * @param table - 테이블명
  * @param rows  - 삽입할 데이터 배열 (camelCase key)
@@ -24,7 +26,7 @@ function buildBulkInsert(table, rows) {
         logger.error(`buildBulkInsert [${table}]: 첫 번째 row에 삽입할 데이터가 없습니다.`);
         return { sql: '', params: [] };
     }
-    const cols = keys.map(case_1.toSnake).join(', ');
+    const cols = keys.map((k) => (0, sqlGuard_1.quoteIdentifier)((0, case_1.toSnake)(k))).join(', ');
     const params = [];
     const valueSets = rows.map((row) => {
         const placeholders = keys.map((k) => {

package/dist/features/query/insert.d.ts

@@ -2,6 +2,7 @@ import { BuiltQuery } from './interfaces/Query';
 /**
  * INSERT 쿼리를 생성합니다. RETURNING * 으로 삽입된 row를 반환합니다.
  * camelCase key → snake_case 컬럼명으로 자동 변환됩니다.
+ * 모든 컬럼명은 `quoteIdentifier`로 검증 및 이스케이프됩니다.
  *
  * 삽입할 데이터가 없으면 빈 쿼리를 반환합니다 (실행 시 no-op).
  */

package/dist/features/query/insert.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"insert.d.ts","sourceRoot":"","sources":["../../../src/features/query/insert.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAQhD;;;;;GAKG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B,UAAU,CAgBZ"}
+{"version":3,"file":"insert.d.ts","sourceRoot":"","sources":["../../../src/features/query/insert.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAQhD;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B,UAAU,CAgBZ"}

package/dist/features/query/insert.js

@@ -2,11 +2,13 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildInsert = buildInsert;
 const case_1 = require("../transform/case");
+const sqlGuard_1 = require("../../utils/sqlGuard");
 const logger_1 = require("../../utils/logger");
 const logger = logger_1.Logger.fromEnv(process.env, { prefix: '[Query]' });
 /**
  * INSERT 쿼리를 생성합니다. RETURNING * 으로 삽입된 row를 반환합니다.
  * camelCase key → snake_case 컬럼명으로 자동 변환됩니다.
+ * 모든 컬럼명은 `quoteIdentifier`로 검증 및 이스케이프됩니다.
  *
  * 삽입할 데이터가 없으면 빈 쿼리를 반환합니다 (실행 시 no-op).
  */
@@ -16,7 +18,7 @@ function buildInsert(table, data) {
         logger.error(`buildInsert [${table}]: 삽입할 데이터가 없습니다.`);
         return { sql: '', params: [] };
     }
-    const cols = entries.map(([k]) => (0, case_1.toSnake)(k)).join(', ');
+    const cols = entries.map(([k]) => (0, sqlGuard_1.quoteIdentifier)((0, case_1.toSnake)(k))).join(', ');
     const placeholders = entries.map((_, i) => `$${i + 1}`).join(', ');
     const params = entries.map(([, v]) => v);
     return {

package/dist/features/query/select.d.ts

@@ -9,7 +9,7 @@ export interface SelectOpts<T extends Record<string, unknown>> {
 }
 /**
  * SELECT 쿼리를 생성합니다.
- * 모든 WHERE 조건은 camelCase → snake_case 자동 변환됩니다.
+ * camelCase → snake_case 자동 변환 및 `quoteIdentifier` 검증이 적용됩니다.
  */
 export declare function buildSelect<T extends Record<string, unknown>>(table: string, opts?: SelectOpts<T>): BuiltQuery;
 //# sourceMappingURL=select.d.ts.map

package/dist/features/query/select.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"select.d.ts","sourceRoot":"","sources":["../../../src/features/query/select.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAC3D,KAAK,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;IACtB,OAAO,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC3D,KAAK,EAAE,MAAM,EACb,IAAI,GAAE,UAAU,CAAC,CAAC,CAAM,GACvB,UAAU,CA8BZ"}
+{"version":3,"file":"select.d.ts","sourceRoot":"","sources":["../../../src/features/query/select.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,WAAW,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAC3D,KAAK,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;IACtB,OAAO,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC3D,KAAK,EAAE,MAAM,EACb,IAAI,GAAE,UAAU,CAAC,CAAC,CAAM,GACvB,UAAU,CAgCZ"}

package/dist/features/query/select.js

@@ -2,10 +2,11 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildSelect = buildSelect;
 const case_1 = require("../transform/case");
+const sqlGuard_1 = require("../../utils/sqlGuard");
 const where_1 = require("./where");
 /**
  * SELECT 쿼리를 생성합니다.
- * 모든 WHERE 조건은 camelCase → snake_case 자동 변환됩니다.
+ * camelCase → snake_case 자동 변환 및 `quoteIdentifier` 검증이 적용됩니다.
  */
 function buildSelect(table, opts = {}) {
     const parts = [`SELECT * FROM ${table}`];
@@ -18,7 +19,11 @@ function buildSelect(table, opts = {}) {
         }
     }
     if (opts.orderBy && opts.orderBy.length > 0) {
-        const clauses = opts.orderBy.map(({ col, dir }) => `${(0, case_1.toSnake)(String(col))} ${dir ?? 'ASC'}`);
+        const clauses = opts.orderBy.map(({ col, dir }) => {
+            const safeCol = (0, sqlGuard_1.quoteIdentifier)((0, case_1.toSnake)(String(col)));
+            const safeDir = (0, sqlGuard_1.validateOrderDir)(dir ?? 'ASC');
+            return `${safeCol} ${safeDir}`;
+        });
         parts.push(`ORDER BY ${clauses.join(', ')}`);
     }
     if (opts.limit !== undefined) {

package/dist/features/query/update.d.ts

@@ -3,6 +3,7 @@ import { WhereInput } from './interfaces/Where';
 /**
  * UPDATE 쿼리를 생성합니다. RETURNING * 으로 수정된 row를 반환합니다.
  * camelCase key → snake_case 컬럼명으로 자동 변환됩니다.
+ * 모든 컬럼명은 `quoteIdentifier`로 검증 및 이스케이프됩니다.
  *
  * 수정할 데이터가 없거나 WHERE 조건이 없으면 빈 쿼리를 반환합니다 (실행 시 no-op).
  */

package/dist/features/query/update.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"update.d.ts","sourceRoot":"","sources":["../../../src/features/query/update.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAQhD;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC3D,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,EAChB,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,GACnB,UAAU,CAiCZ"}
+{"version":3,"file":"update.d.ts","sourceRoot":"","sources":["../../../src/features/query/update.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAQhD;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC3D,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC,EAChB,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,GACnB,UAAU,CAiCZ"}

package/dist/features/query/update.js

@@ -2,12 +2,14 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildUpdate = buildUpdate;
 const case_1 = require("../transform/case");
+const sqlGuard_1 = require("../../utils/sqlGuard");
 const where_1 = require("./where");
 const logger_1 = require("../../utils/logger");
 const logger = logger_1.Logger.fromEnv(process.env, { prefix: '[Query]' });
 /**
  * UPDATE 쿼리를 생성합니다. RETURNING * 으로 수정된 row를 반환합니다.
  * camelCase key → snake_case 컬럼명으로 자동 변환됩니다.
+ * 모든 컬럼명은 `quoteIdentifier`로 검증 및 이스케이프됩니다.
  *
  * 수정할 데이터가 없거나 WHERE 조건이 없으면 빈 쿼리를 반환합니다 (실행 시 no-op).
  */
@@ -25,7 +27,7 @@ function buildUpdate(table, data, where) {
     const params = [];
     const setClauses = entries.map(([k, v]) => {
         params.push(v);
-        return `${(0, case_1.toSnake)(k)} = $${params.length}`;
+        return `${(0, sqlGuard_1.quoteIdentifier)((0, case_1.toSnake)(k))} = $${params.length}`;
     });
     const { sql: whereSql, params: whereParams } = (0, where_1.buildWhere)(where, params.length + 1);
     params.push(...whereParams);

package/dist/features/query/upsert.d.ts

@@ -2,6 +2,7 @@ import { BuiltQuery } from './interfaces/Query';
 /**
  * INSERT ... ON CONFLICT DO UPDATE 쿼리를 생성합니다.
  * 충돌 컬럼을 제외한 나머지 컬럼을 EXCLUDED 값으로 업데이트합니다.
+ * 모든 컬럼명은 `quoteIdentifier`로 검증 및 이스케이프됩니다.
  *
  * @param table       - 테이블명
  * @param data        - 삽입할 데이터 (camelCase key)

package/dist/features/query/upsert.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"upsert.d.ts","sourceRoot":"","sources":["../../../src/features/query/upsert.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAQhD;;;;;;;;;GASG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,WAAW,EAAE,MAAM,GAClB,UAAU,CAqCZ"}
+{"version":3,"file":"upsert.d.ts","sourceRoot":"","sources":["../../../src/features/query/upsert.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAQhD;;;;;;;;;;GAUG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,WAAW,EAAE,MAAM,GAClB,UAAU,CAyCZ"}

package/dist/features/query/upsert.js

@@ -2,11 +2,13 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildUpsert = buildUpsert;
 const case_1 = require("../transform/case");
+const sqlGuard_1 = require("../../utils/sqlGuard");
 const logger_1 = require("../../utils/logger");
 const logger = logger_1.Logger.fromEnv(process.env, { prefix: '[Query]' });
 /**
  * INSERT ... ON CONFLICT DO UPDATE 쿼리를 생성합니다.
  * 충돌 컬럼을 제외한 나머지 컬럼을 EXCLUDED 값으로 업데이트합니다.
+ * 모든 컬럼명은 `quoteIdentifier`로 검증 및 이스케이프됩니다.
  *
  * @param table       - 테이블명
  * @param data        - 삽입할 데이터 (camelCase key)
@@ -20,19 +22,23 @@ function buildUpsert(table, data, conflictCol) {
         logger.error(`buildUpsert [${table}]: 삽입할 데이터가 없습니다.`);
         return { sql: '', params: [] };
     }
-    const cols = entries.map(([k]) => (0, case_1.toSnake)(k)).join(', ');
+    const quotedConflictCol = (0, sqlGuard_1.quoteIdentifier)(conflictCol);
+    const snakeCols = entries.map(([k]) => (0, case_1.toSnake)(k));
+    const cols = snakeCols.map(sqlGuard_1.quoteIdentifier).join(', ');
     const placeholders = entries.map((_, i) => `$${i + 1}`).join(', ');
     const params = entries.map(([, v]) => v);
-    const updateSet = entries
-        .map(([k]) => (0, case_1.toSnake)(k))
+    const updateSet = snakeCols
         .filter((col) => col !== conflictCol)
-        .map((col) => `${col} = EXCLUDED.${col}`)
+        .map((col) => {
+        const q = (0, sqlGuard_1.quoteIdentifier)(col);
+        return `${q} = EXCLUDED.${q}`;
+    })
         .join(', ');
     if (!updateSet) {
         return {
             sql: [
                 `INSERT INTO ${table} (${cols}) VALUES (${placeholders})`,
-                `ON CONFLICT (${conflictCol}) DO NOTHING`,
+                `ON CONFLICT (${quotedConflictCol}) DO NOTHING`,
                 'RETURNING *',
             ].join(' '),
             params,
@@ -41,7 +47,7 @@ function buildUpsert(table, data, conflictCol) {
     return {
         sql: [
             `INSERT INTO ${table} (${cols}) VALUES (${placeholders})`,
-            `ON CONFLICT (${conflictCol}) DO UPDATE SET ${updateSet}`,
+            `ON CONFLICT (${quotedConflictCol}) DO UPDATE SET ${updateSet}`,
             'RETURNING *',
         ].join(' '),
         params,

package/dist/features/query/where.d.ts

@@ -3,6 +3,7 @@ import { WhereInput } from './interfaces/Where';
 /**
  * WhereInput 객체로부터 WHERE 절 SQL과 params를 생성합니다.
  * camelCase key → snake_case 컬럼명으로 자동 변환됩니다.
+ * 모든 컬럼명은 `quoteIdentifier`로 검증 및 이스케이프됩니다.
  *
  * @param where     - camelCase key 기반 조건 객체
  * @param startIdx  - param placeholder 시작 번호 ($1, $2 ...)

package/dist/features/query/where.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"where.d.ts","sourceRoot":"","sources":["../../../src/features/query/where.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1D,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,EACpB,QAAQ,GAAE,MAAU,GACnB,UAAU,CAqBZ"}
+{"version":3,"file":"where.d.ts","sourceRoot":"","sources":["../../../src/features/query/where.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD;;;;;;;GAOG;AACH,wBAAgB,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1D,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,EACpB,QAAQ,GAAE,MAAU,GACnB,UAAU,CAqBZ"}

package/dist/features/query/where.js

@@ -2,9 +2,11 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildWhere = buildWhere;
 const case_1 = require("../transform/case");
+const sqlGuard_1 = require("../../utils/sqlGuard");
 /**
  * WhereInput 객체로부터 WHERE 절 SQL과 params를 생성합니다.
  * camelCase key → snake_case 컬럼명으로 자동 변환됩니다.
+ * 모든 컬럼명은 `quoteIdentifier`로 검증 및 이스케이프됩니다.
  *
  * @param where     - camelCase key 기반 조건 객체
  * @param startIdx  - param placeholder 시작 번호 ($1, $2 ...)
@@ -17,7 +19,7 @@ function buildWhere(where, startIdx = 1) {
     const params = [];
     const conditions = [];
     for (const [key, val] of entries) {
-        const col = (0, case_1.toSnake)(key);
+        const col = (0, sqlGuard_1.quoteIdentifier)((0, case_1.toSnake)(key));
         if (val === null) {
             conditions.push(`${col} IS NULL`);
         }

package/dist/features/schema/table.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"table.d.ts","sourceRoot":"","sources":["../../../src/features/schema/table.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAEpD,MAAM,WAAW,SAAS;IACxB;;;;;OAKG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,wBAAgB,WAAW,CAAC,KAAK,SAAS,MAAM,EAAE,KAAK,SAAS,IAAI,EAClE,eAAe,EAAE,KAAK,EACtB,IAAI,EAAE,KAAK,EACX,IAAI,CAAC,EAAE,SAAS,GACf,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC,CAyBzB"}
+{"version":3,"file":"table.d.ts","sourceRoot":"","sources":["../../../src/features/schema/table.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAGpD,MAAM,WAAW,SAAS;IACxB;;;;;OAKG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,wBAAgB,WAAW,CAAC,KAAK,SAAS,MAAM,EAAE,KAAK,SAAS,IAAI,EAClE,eAAe,EAAE,KAAK,EACtB,IAAI,EAAE,KAAK,EACX,IAAI,CAAC,EAAE,SAAS,GACf,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC,CA0BzB"}

package/dist/features/schema/table.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.defineTable = defineTable;
+const sqlGuard_1 = require("../../utils/sqlGuard");
 /**
  * PostgreSQL 테이블 정의를 생성합니다.
  *
@@ -47,9 +48,10 @@ function defineTable(nameOrQualified, cols, opts) {
         resolvedSchema = opts?.schema;
     }
     // 쌍따옴표로 식별자 이스케이프 (예약어·대소문자 안전)
+    // 내부의 " 문자는 "" 로 이중 이스케이프합니다 (PostgreSQL 표준).
     const qualifiedName = resolvedSchema
-        ? `"${resolvedSchema}"."${resolvedName}"`
-        : `"${resolvedName}"`;
+        ? `${(0, sqlGuard_1.escapeSchemaIdentifier)(resolvedSchema)}.${(0, sqlGuard_1.escapeSchemaIdentifier)(resolvedName)}`
+        : (0, sqlGuard_1.escapeSchemaIdentifier)(resolvedName);
     return {
         name: resolvedName,
         schema: resolvedSchema,

package/dist/index.d.ts

@@ -33,4 +33,5 @@ export type { DatabaseConfig } from './interfaces/DatabaseConfig';
 export { PostgresConfig, NodeEnvSource, readEnv } from './utils/reader';
 export { Logger } from './utils/logger';
 export type { LogLevel, LogFormat, LoggerConfig } from './utils/logger';
+export { quoteIdentifier, escapeSchemaIdentifier, validateOrderDir, validateAggregateFn, validateJoinType, } from './utils/sqlGuard';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAe,0BAA0B,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,YAAY,EAAE,SAAS,EAAE,MAAS,yBAAyB,CAAC;AAC5D,YAAY,EAAE,QAAQ,EAAE,MAAU,qCAAqC,CAAC;AACxE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AACzE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,oCAAoC,CAAC;AAG7F,OAAO,EAAE,UAAU,EAAE,MAAa,8BAA8B,CAAC;AACjE,OAAO,EAAE,QAAQ,EAAE,MAAe,4BAA4B,CAAC;AAC/D,YAAY,EAAE,KAAK,EAAE,MAAa,uCAAuC,CAAC;AAC1E,YAAY,EAAE,QAAQ,EAAE,MAAU,uCAAuC,CAAC;AAG1E,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC5G,YAAY,EAAE,UAAU,EAAE,MAAQ,4BAA4B,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAgB,0BAA0B,CAAC;AAG7D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAQ,6BAA6B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,MAAa,wBAAwB,CAAC;AAC3D,YAAY,EAAE,UAAU,EAAE,MAAQ,mCAAmC,CAAC;AACtE,YAAY,EAAE,UAAU,EAAE,MAAQ,mCAAmC,CAAC;AACtE,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,mCAAmC,CAAC;AAChF,YAAY,EAAE,UAAU,EAAE,MAAQ,yBAAyB,CAAC;AAG5D,OAAO,EAAE,YAAY,EAAE,MAAW,0BAA0B,CAAC;AAC7D,YAAY,EACV,aAAa,EACb,OAAO,EACP,QAAQ,EACR,UAAU,EACV,QAAQ,EACR,WAAW,EACX,aAAa,EACb,YAAY,EACZ,UAAU,EACV,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,UAAU,EACV,SAAS,GACV,MAAM,sCAAsC,CAAC;AAG9C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACvF,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAQ,6BAA6B,CAAC;AAGhE,OAAO,EAAE,OAAO,EAAE,MAAgB,iBAAiB,CAAC;AACpD,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAGnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,YAAY,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAGxE,OAAO,EAAE,MAAM,EAAE,MAAiB,gBAAgB,CAAC;AACnD,YAAY,EAAE,QAAQ,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAe,0BAA0B,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,YAAY,EAAE,SAAS,EAAE,MAAS,yBAAyB,CAAC;AAC5D,YAAY,EAAE,QAAQ,EAAE,MAAU,qCAAqC,CAAC;AACxE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AACzE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,oCAAoC,CAAC;AAG7F,OAAO,EAAE,UAAU,EAAE,MAAa,8BAA8B,CAAC;AACjE,OAAO,EAAE,QAAQ,EAAE,MAAe,4BAA4B,CAAC;AAC/D,YAAY,EAAE,KAAK,EAAE,MAAa,uCAAuC,CAAC;AAC1E,YAAY,EAAE,QAAQ,EAAE,MAAU,uCAAuC,CAAC;AAG1E,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC5G,YAAY,EAAE,UAAU,EAAE,MAAQ,4BAA4B,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAgB,0BAA0B,CAAC;AAG7D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAY,yBAAyB,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAQ,6BAA6B,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,MAAa,wBAAwB,CAAC;AAC3D,YAAY,EAAE,UAAU,EAAE,MAAQ,mCAAmC,CAAC;AACtE,YAAY,EAAE,UAAU,EAAE,MAAQ,mCAAmC,CAAC;AACtE,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,mCAAmC,CAAC;AAChF,YAAY,EAAE,UAAU,EAAE,MAAQ,yBAAyB,CAAC;AAG5D,OAAO,EAAE,YAAY,EAAE,MAAW,0BAA0B,CAAC;AAC7D,YAAY,EACV,aAAa,EACb,OAAO,EACP,QAAQ,EACR,UAAU,EACV,QAAQ,EACR,WAAW,EACX,aAAa,EACb,YAAY,EACZ,UAAU,EACV,aAAa,EACb,kBAAkB,EAClB,gBAAgB,EAChB,UAAU,EACV,SAAS,GACV,MAAM,sCAAsC,CAAC;AAG9C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACvF,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAQ,6BAA6B,CAAC;AAGhE,OAAO,EAAE,OAAO,EAAE,MAAgB,iBAAiB,CAAC;AACpD,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAGnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,YAAY,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAGxE,OAAO,EAAE,MAAM,EAAE,MAAiB,gBAAgB,CAAC;AACnD,YAAY,EAAE,QAAQ,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAGxE,OAAO,EACL,eAAe,EACf,sBAAsB,EACtB,gBAAgB,EAChB,mBAAmB,EACnB,gBAAgB,GACjB,MAAM,kBAAkB,CAAC"}

package/dist/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Logger = exports.readEnv = exports.NodeEnvSource = exports.PostgresConfig = exports.getDatabaseConfig = exports.DbError = exports.mapRows = exports.mapRow = exports.keysToSnake = exports.keysToCamel = exports.toSnake = exports.toCamel = exports.QueryBuilder = exports.buildWhere = exports.buildBulkInsert = exports.buildUpsert = exports.buildDelete = exports.buildUpdate = exports.buildInsert = exports.buildSelect = exports.runInTx = exports.checkPoolHealth = exports.getPoolStatus = exports.closePool = exports.withClient = exports.getPool = exports.BaseRepo = exports.createRepo = exports.defineTable = exports.Col = exports.col = void 0;
+exports.validateJoinType = exports.validateAggregateFn = exports.validateOrderDir = exports.escapeSchemaIdentifier = exports.quoteIdentifier = exports.Logger = exports.readEnv = exports.NodeEnvSource = exports.PostgresConfig = exports.getDatabaseConfig = exports.DbError = exports.mapRows = exports.mapRow = exports.keysToSnake = exports.keysToCamel = exports.toSnake = exports.toCamel = exports.QueryBuilder = exports.buildWhere = exports.buildBulkInsert = exports.buildUpsert = exports.buildDelete = exports.buildUpdate = exports.buildInsert = exports.buildSelect = exports.runInTx = exports.checkPoolHealth = exports.getPoolStatus = exports.closePool = exports.withClient = exports.getPool = exports.BaseRepo = exports.createRepo = exports.defineTable = exports.Col = exports.col = void 0;
 // ── Schema ──────────────────────────────────────────────────────────────────
 var column_1 = require("./features/schema/column");
 Object.defineProperty(exports, "col", { enumerable: true, get: function () { return column_1.col; } });
@@ -61,3 +61,10 @@ Object.defineProperty(exports, "readEnv", { enumerable: true, get: function () {
 // ── Logger ───────────────────────────────────────────────────────────────────
 var logger_1 = require("./utils/logger");
 Object.defineProperty(exports, "Logger", { enumerable: true, get: function () { return logger_1.Logger; } });
+// ── SQL Guard (SQL Injection 방어 유틸리티) ───────────────────────────────────
+var sqlGuard_1 = require("./utils/sqlGuard");
+Object.defineProperty(exports, "quoteIdentifier", { enumerable: true, get: function () { return sqlGuard_1.quoteIdentifier; } });
+Object.defineProperty(exports, "escapeSchemaIdentifier", { enumerable: true, get: function () { return sqlGuard_1.escapeSchemaIdentifier; } });
+Object.defineProperty(exports, "validateOrderDir", { enumerable: true, get: function () { return sqlGuard_1.validateOrderDir; } });
+Object.defineProperty(exports, "validateAggregateFn", { enumerable: true, get: function () { return sqlGuard_1.validateAggregateFn; } });
+Object.defineProperty(exports, "validateJoinType", { enumerable: true, get: function () { return sqlGuard_1.validateJoinType; } });

package/dist/utils/index.d.ts

@@ -1,4 +1,5 @@
 export * from './logger';
 export * from './reader';
 export * from './dbError';
+export * from './sqlGuard';
 //# sourceMappingURL=index.d.ts.map

package/dist/utils/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,cAAc,UAAU,CAAC;AACzB,cAAc,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,cAAc,UAAU,CAAC;AACzB,cAAc,WAAW,CAAC;AAC1B,cAAc,YAAY,CAAC"}

package/dist/utils/index.js

@@ -17,3 +17,4 @@ Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./logger"), exports);
 __exportStar(require("./reader"), exports);
 __exportStar(require("./dbError"), exports);
+__exportStar(require("./sqlGuard"), exports);

package/dist/utils/sqlGuard.d.ts

@@ -0,0 +1,42 @@
+import { AggregateFn, JoinType } from '../features/query/interfaces/Advanced';
+/**
+ * SQL 식별자(컬럼명, 테이블명 등)를 검증하고 PostgreSQL 표준으로 이스케이프합니다.
+ *
+ * - 유효한 식별자 패턴 `[a-zA-Z_][a-zA-Z0-9_.]*` 에 맞지 않으면
+ *   `logger.error` 로 기록하고 `""` (빈 식별자) 를 반환합니다.
+ * - `"` 문자는 `""` 로 이중 이스케이프합니다 (PostgreSQL 표준).
+ * - `schema.table` / `table.column` 도트 표기법을 지원합니다.
+ *
+ * @example
+ * quoteIdentifier('first_name')   // → '"first_name"'
+ * quoteIdentifier('auth.users')   // → '"auth"."users"'
+ * quoteIdentifier('1; DROP TABLE')// → '""' + logger.error
+ */
+export declare function quoteIdentifier(raw: string): string;
+/**
+ * 개발자가 정의하는 테이블/스키마 식별자를 이스케이프합니다.
+ * 패턴 검증 없이 `"` → `""` 이중 이스케이프만 수행합니다.
+ *
+ * `defineTable` 내부에서만 사용합니다 (개발자가 제어하는 정적 값).
+ *
+ * @example
+ * escapeSchemaIdentifier('auth')     // → '"auth"'
+ * escapeSchemaIdentifier('my"table') // → '"my""table"'
+ */
+export declare function escapeSchemaIdentifier(name: string): string;
+/**
+ * ORDER BY 방향(ASC / DESC)을 검증합니다.
+ * 유효하지 않으면 `logger.error` 후 `'ASC'` 를 반환합니다.
+ */
+export declare function validateOrderDir(dir: string): 'ASC' | 'DESC';
+/**
+ * 집계 함수명(COUNT / SUM / AVG / MIN / MAX)을 검증합니다.
+ * 유효하지 않으면 `logger.error` 후 `'COUNT'` 를 반환합니다.
+ */
+export declare function validateAggregateFn(fn: string): AggregateFn;
+/**
+ * JOIN 타입(INNER / LEFT / RIGHT / FULL)을 검증합니다.
+ * 유효하지 않으면 `logger.error` 후 `'INNER'` 를 반환합니다.
+ */
+export declare function validateJoinType(type: string): JoinType;
+//# sourceMappingURL=sqlGuard.d.ts.map

package/dist/utils/sqlGuard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqlGuard.d.ts","sourceRoot":"","sources":["../../src/utils/sqlGuard.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,uCAAuC,CAAC;AAoB9E;;;;;;;;;;;;GAYG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAanD;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,KAAK,GAAG,MAAM,CAS5D;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,EAAE,EAAE,MAAM,GAAG,WAAW,CAS3D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,QAAQ,CASvD"}

package/dist/utils/sqlGuard.js

@@ -0,0 +1,94 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.quoteIdentifier = quoteIdentifier;
+exports.escapeSchemaIdentifier = escapeSchemaIdentifier;
+exports.validateOrderDir = validateOrderDir;
+exports.validateAggregateFn = validateAggregateFn;
+exports.validateJoinType = validateJoinType;
+const logger_1 = require("./logger");
+const logger = logger_1.Logger.fromEnv(process.env, { prefix: '[SqlGuard]' });
+/**
+ * 유효한 SQL 식별자 패턴.
+ * - 단순 식별자: `[a-zA-Z_][a-zA-Z0-9_]*`  예: `first_name`, `userId`
+ * - 점 표기법:   `schema.table`, `table.column`
+ *
+ * 공백, 세미콜론, 따옴표, 괄호 등 SQL 특수문자를 포함하는 경우 거부합니다.
+ */
+const IDENTIFIER_RE = /^[a-zA-Z_][a-zA-Z0-9_]*(\.[a-zA-Z_][a-zA-Z0-9_]*)*$/;
+const VALID_ORDER_DIRS = new Set(['ASC', 'DESC']);
+const VALID_AGG_FNS = new Set(['COUNT', 'SUM', 'AVG', 'MIN', 'MAX']);
+const VALID_JOIN_TYPES = new Set(['INNER', 'LEFT', 'RIGHT', 'FULL']);
+/**
+ * SQL 식별자(컬럼명, 테이블명 등)를 검증하고 PostgreSQL 표준으로 이스케이프합니다.
+ *
+ * - 유효한 식별자 패턴 `[a-zA-Z_][a-zA-Z0-9_.]*` 에 맞지 않으면
+ *   `logger.error` 로 기록하고 `""` (빈 식별자) 를 반환합니다.
+ * - `"` 문자는 `""` 로 이중 이스케이프합니다 (PostgreSQL 표준).
+ * - `schema.table` / `table.column` 도트 표기법을 지원합니다.
+ *
+ * @example
+ * quoteIdentifier('first_name')   // → '"first_name"'
+ * quoteIdentifier('auth.users')   // → '"auth"."users"'
+ * quoteIdentifier('1; DROP TABLE')// → '""' + logger.error
+ */
+function quoteIdentifier(raw) {
+    if (!IDENTIFIER_RE.test(raw)) {
+        logger.error(`유효하지 않은 SQL 식별자 "${raw}". ` +
+            `허용 패턴: [a-zA-Z_][a-zA-Z0-9_]*(.[a-zA-Z_][a-zA-Z0-9_]*)*. ` +
+            `빈 식별자("")로 대체합니다.`);
+        return '""';
+    }
+    return raw
+        .split('.')
+        .map((part) => `"${part.replace(/"/g, '""')}"`)
+        .join('.');
+}
+/**
+ * 개발자가 정의하는 테이블/스키마 식별자를 이스케이프합니다.
+ * 패턴 검증 없이 `"` → `""` 이중 이스케이프만 수행합니다.
+ *
+ * `defineTable` 내부에서만 사용합니다 (개발자가 제어하는 정적 값).
+ *
+ * @example
+ * escapeSchemaIdentifier('auth')     // → '"auth"'
+ * escapeSchemaIdentifier('my"table') // → '"my""table"'
+ */
+function escapeSchemaIdentifier(name) {
+    return `"${name.replace(/"/g, '""')}"`;
+}
+/**
+ * ORDER BY 방향(ASC / DESC)을 검증합니다.
+ * 유효하지 않으면 `logger.error` 후 `'ASC'` 를 반환합니다.
+ */
+function validateOrderDir(dir) {
+    const upper = dir.toUpperCase();
+    if (!VALID_ORDER_DIRS.has(upper)) {
+        logger.error(`유효하지 않은 ORDER BY 방향 "${dir}". 허용 값: ASC, DESC. 'ASC'로 대체합니다.`);
+        return 'ASC';
+    }
+    return upper;
+}
+/**
+ * 집계 함수명(COUNT / SUM / AVG / MIN / MAX)을 검증합니다.
+ * 유효하지 않으면 `logger.error` 후 `'COUNT'` 를 반환합니다.
+ */
+function validateAggregateFn(fn) {
+    const upper = fn.toUpperCase();
+    if (!VALID_AGG_FNS.has(upper)) {
+        logger.error(`유효하지 않은 집계 함수 "${fn}". 허용 값: COUNT, SUM, AVG, MIN, MAX. 'COUNT'로 대체합니다.`);
+        return 'COUNT';
+    }
+    return upper;
+}
+/**
+ * JOIN 타입(INNER / LEFT / RIGHT / FULL)을 검증합니다.
+ * 유효하지 않으면 `logger.error` 후 `'INNER'` 를 반환합니다.
+ */
+function validateJoinType(type) {
+    const upper = type.toUpperCase();
+    if (!VALID_JOIN_TYPES.has(upper)) {
+        logger.error(`유효하지 않은 JOIN 타입 "${type}". 허용 값: INNER, LEFT, RIGHT, FULL. 'INNER'로 대체합니다.`);
+        return 'INNER';
+    }
+    return upper;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "reltype",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "Type-first relational modeling for PostgreSQL in TypeScript. Fluent query builder with automatic camelCase ↔ snake_case conversion, CRUD, streaming, cursor pagination, and hooks.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",