turbine-orm 0.3.1 → 0.5.0

package/dist/query.d.ts

@@ -35,6 +35,8 @@ export interface WhereOperator<V = unknown> {
     contains?: string;
     startsWith?: string;
     endsWith?: string;
+    /** Set to 'insensitive' to use ILIKE instead of LIKE for string comparisons */
+    mode?: 'default' | 'insensitive';
 }
 /**
  * A where value can be:
@@ -77,6 +79,8 @@ export interface FindUniqueArgs<T> {
     select?: Record<string, boolean>;
     omit?: Record<string, boolean>;
     with?: WithClause;
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 export interface FindManyArgs<T> {
     where?: WhereClause<T>;
@@ -92,36 +96,54 @@ export interface FindManyArgs<T> {
     take?: number;
     /** De-duplicate results by specified fields */
     distinct?: (keyof T & string)[];
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 export interface CreateArgs<T> {
     data: Partial<T>;
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 export interface CreateManyArgs<T> {
     data: Partial<T>[];
     /** When true, adds ON CONFLICT DO NOTHING to skip duplicate rows */
     skipDuplicates?: boolean;
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 export interface UpdateArgs<T> {
     where: WhereClause<T>;
     data: Partial<T>;
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 export interface UpdateManyArgs<T> {
     where: WhereClause<T>;
     data: Partial<T>;
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 export interface DeleteArgs<T> {
     where: WhereClause<T>;
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 export interface DeleteManyArgs<T> {
     where: WhereClause<T>;
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 export interface UpsertArgs<T> {
     where: WhereClause<T>;
     create: Partial<T>;
     update: Partial<T>;
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 export interface CountArgs<T> {
     where?: WhereClause<T>;
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 export interface GroupByArgs<T> {
     by: (keyof T & string)[];
@@ -140,6 +162,8 @@ export interface GroupByArgs<T> {
     having?: Record<string, unknown>;
     /** Order groups */
     orderBy?: Record<string, OrderDirection>;
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 /** Arguments for the standalone aggregate method */
 export interface AggregateArgs<T> {
@@ -154,6 +178,8 @@ export interface AggregateArgs<T> {
     _min?: Partial<Record<keyof T & string, boolean>>;
     /** Maximum value of fields */
     _max?: Partial<Record<keyof T & string, boolean>>;
+    /** Query timeout in milliseconds. Rejects with an error if exceeded. */
+    timeout?: number;
 }
 /** Result type for aggregate queries */
 export interface AggregateResult<T> {
@@ -211,6 +237,13 @@ type MiddlewareFn = (params: {
     action: string;
     args: Record<string, unknown>;
 }) => Promise<unknown>) => Promise<unknown>;
+/** Options passed from TurbineClient to QueryInterface */
+export interface QueryInterfaceOptions {
+    /** Default LIMIT applied to findMany() when no limit is specified */
+    defaultLimit?: number;
+    /** Log a warning when findMany() is called without a limit */
+    warnOnUnlimited?: boolean;
+}
 export declare class QueryInterface<T extends object> {
     private readonly pool;
     private readonly table;
@@ -219,10 +252,25 @@ export declare class QueryInterface<T extends object> {
     /** SQL template cache: cacheKey → sql string (params are always positional $1,$2,...) */
     private readonly sqlCache;
     private readonly middlewares;
-    constructor(pool: pg.Pool, table: string, schema: SchemaMetadata, middlewares?: MiddlewareFn[]);
+    private readonly defaultLimit?;
+    private readonly warnOnUnlimited;
+    /** Pre-computed column type lookups (avoids linear scans per query) */
+    private readonly columnPgTypeMap;
+    private readonly columnArrayTypeMap;
+    constructor(pool: pg.Pool, table: string, schema: SchemaMetadata, middlewares?: MiddlewareFn[], options?: QueryInterfaceOptions);
+    /**
+     * Execute a pool.query with an optional timeout.
+     * If timeout is set, races the query against a timer and rejects on expiry.
+     */
+    private queryWithTimeout;
     /**
      * Execute a query through the middleware chain.
      * If no middlewares are registered, executes directly.
+     *
+     * Middleware can inspect and log query parameters, modify results after execution,
+     * and measure timing. Note: query SQL is generated before middleware runs, so
+     * modifying params.args in middleware will NOT affect the executed SQL.
+     * To intercept queries before SQL generation, use the raw() method instead.
      */
     private executeWithMiddleware;
     /**
@@ -330,6 +378,7 @@ export declare class QueryInterface<T extends object> {
     /**
      * Get the Postgres type for a column (e.g. 'jsonb', 'text', '_int4').
      * Used to detect JSONB/array columns for specialized operators.
+     * Uses pre-computed Map for O(1) lookup instead of linear scan.
      */
     private getColumnPgType;
     /**
@@ -347,7 +396,10 @@ export declare class QueryInterface<T extends object> {
      * Supports: has, hasEvery, hasSome, isEmpty.
      */
     private buildArrayFilterClauses;
-    /** Get the Postgres array type for a column (used by UNNEST in createMany) */
+    /**
+     * Get the Postgres array type for a column (used by UNNEST in createMany).
+     * Uses pre-computed Map for O(1) lookup instead of linear scan.
+     */
     private getColumnArrayType;
 }
 export {};

package/dist/query.js

@@ -26,6 +26,13 @@ import { snakeToCamel, camelToSnake } from './schema.js';
 export function quoteIdent(name) {
     return `"${name.replace(/"/g, '""')}"`;
 }
+/**
+ * Escape single quotes for use as string keys in json_build_object().
+ * Doubles single quotes per SQL quoting rules.
+ */
+function escSingleQuote(s) {
+    return s.replace(/'/g, "''");
+}
 /**
  * Escape LIKE pattern metacharacters: %, _, and \.
  * Must be used with `ESCAPE '\'` in the LIKE clause.
@@ -36,7 +43,7 @@ function escapeLike(value) {
 /** Known operator keys — used to detect operator objects vs plain values */
 const OPERATOR_KEYS = new Set([
     'gt', 'gte', 'lt', 'lte', 'not', 'in', 'notIn',
-    'contains', 'startsWith', 'endsWith',
+    'contains', 'startsWith', 'endsWith', 'mode',
 ]);
 /** Check if a value is a where operator object (has at least one known operator key) */
 function isWhereOperator(value) {
@@ -66,15 +73,57 @@ function isArrayFilter(value) {
     const keys = Object.keys(value);
     return keys.length > 0 && keys.some((k) => ARRAY_OPERATOR_KEYS.has(k));
 }
+// ---------------------------------------------------------------------------
+// LRU cache — bounded SQL template cache to prevent memory leaks
+// ---------------------------------------------------------------------------
+/**
+ * Simple LRU (Least Recently Used) cache with a fixed maximum size.
+ * When the cache exceeds maxSize, the oldest (least recently used) entry is evicted.
+ * Uses Map insertion order for O(1) eviction.
+ */
+class LRUCache {
+    maxSize;
+    cache = new Map();
+    constructor(maxSize) {
+        this.maxSize = maxSize;
+    }
+    get(key) {
+        const value = this.cache.get(key);
+        if (value !== undefined) {
+            // Move to end (most recently used)
+            this.cache.delete(key);
+            this.cache.set(key, value);
+        }
+        return value;
+    }
+    set(key, value) {
+        if (this.cache.has(key)) {
+            this.cache.delete(key);
+        }
+        else if (this.cache.size >= this.maxSize) {
+            // Delete oldest (first) entry
+            const firstKey = this.cache.keys().next().value;
+            if (firstKey !== undefined)
+                this.cache.delete(firstKey);
+        }
+        this.cache.set(key, value);
+    }
+    get size() { return this.cache.size; }
+}
 export class QueryInterface {
     pool;
     table;
     schema;
     tableMeta;
     /** SQL template cache: cacheKey → sql string (params are always positional $1,$2,...) */
-    sqlCache = new Map();
+    sqlCache = new LRUCache(1000);
     middlewares;
-    constructor(pool, table, schema, middlewares) {
+    defaultLimit;
+    warnOnUnlimited;
+    /** Pre-computed column type lookups (avoids linear scans per query) */
+    columnPgTypeMap;
+    columnArrayTypeMap;
+    constructor(pool, table, schema, middlewares, options) {
         this.pool = pool;
         this.table = table;
         this.schema = schema;
@@ -84,10 +133,43 @@ export class QueryInterface {
         }
         this.tableMeta = meta;
         this.middlewares = middlewares ?? [];
+        this.defaultLimit = options?.defaultLimit;
+        this.warnOnUnlimited = options?.warnOnUnlimited ?? false;
+        // Pre-compute column type lookup maps (TASK-26)
+        this.columnPgTypeMap = new Map();
+        this.columnArrayTypeMap = new Map();
+        for (const col of this.tableMeta.columns) {
+            this.columnPgTypeMap.set(col.name, col.pgType);
+            this.columnArrayTypeMap.set(col.name, col.pgArrayType);
+        }
+    }
+    /**
+     * Execute a pool.query with an optional timeout.
+     * If timeout is set, races the query against a timer and rejects on expiry.
+     */
+    async queryWithTimeout(sql, params, timeout) {
+        if (!timeout) {
+            return this.pool.query(sql, params);
+        }
+        let timer;
+        const timeoutPromise = new Promise((_, reject) => {
+            timer = setTimeout(() => reject(new Error(`[turbine] Query timed out after ${timeout}ms`)), timeout);
+        });
+        try {
+            return await Promise.race([this.pool.query(sql, params), timeoutPromise]);
+        }
+        finally {
+            clearTimeout(timer);
+        }
     }
     /**
      * Execute a query through the middleware chain.
      * If no middlewares are registered, executes directly.
+     *
+     * Middleware can inspect and log query parameters, modify results after execution,
+     * and measure timing. Note: query SQL is generated before middleware runs, so
+     * modifying params.args in middleware will NOT affect the executed SQL.
+     * To intercept queries before SQL generation, use the raw() method instead.
      */
     async executeWithMiddleware(action, args, executor) {
         if (this.middlewares.length === 0) {
@@ -124,7 +206,7 @@ export class QueryInterface {
     async findUnique(args) {
         return this.executeWithMiddleware('findUnique', args, async () => {
             const deferred = this.buildFindUnique(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args.timeout);
             return deferred.transform(result);
         });
     }
@@ -198,9 +280,14 @@ export class QueryInterface {
     // findMany
     // -------------------------------------------------------------------------
     async findMany(args) {
+        // Warn if no limit specified and warnOnUnlimited is enabled
+        const hasExplicitLimit = args?.limit !== undefined || args?.take !== undefined;
+        if (this.warnOnUnlimited && !hasExplicitLimit) {
+            console.warn(`[turbine] findMany() called without limit on table "${this.table}". Set defaultLimit in config to prevent unbounded queries.`);
+        }
         return this.executeWithMiddleware('findMany', (args ?? {}), async () => {
             const deferred = this.buildFindMany(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args?.timeout);
             return deferred.transform(result);
         });
     }
@@ -251,8 +338,8 @@ export class QueryInterface {
         if (args?.orderBy) {
             sql += ` ORDER BY ${this.buildOrderBy(args.orderBy)}`;
         }
-        // take overrides limit when cursor pagination is used
-        const effectiveLimit = args?.take ?? args?.limit;
+        // take overrides limit when cursor pagination is used; fall back to defaultLimit
+        const effectiveLimit = args?.take ?? args?.limit ?? this.defaultLimit;
         if (effectiveLimit !== undefined) {
             params.push(Number(effectiveLimit));
             sql += ` LIMIT $${params.length}`;
@@ -276,7 +363,7 @@ export class QueryInterface {
     async findFirst(args) {
         return this.executeWithMiddleware('findFirst', (args ?? {}), async () => {
             const deferred = this.buildFindFirst(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args?.timeout);
             return deferred.transform(result);
         });
     }
@@ -300,7 +387,7 @@ export class QueryInterface {
     async findFirstOrThrow(args) {
         return this.executeWithMiddleware('findFirstOrThrow', (args ?? {}), async () => {
             const deferred = this.buildFindFirstOrThrow(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args?.timeout);
             return deferred.transform(result);
         });
     }
@@ -325,7 +412,7 @@ export class QueryInterface {
     async findUniqueOrThrow(args) {
         return this.executeWithMiddleware('findUniqueOrThrow', args, async () => {
             const deferred = this.buildFindUniqueOrThrow(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args.timeout);
             return deferred.transform(result);
         });
     }
@@ -350,7 +437,7 @@ export class QueryInterface {
     async create(args) {
         return this.executeWithMiddleware('create', args, async () => {
             const deferred = this.buildCreate(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args.timeout);
             return deferred.transform(result);
         });
     }
@@ -378,7 +465,7 @@ export class QueryInterface {
     async createMany(args) {
         return this.executeWithMiddleware('createMany', args, async () => {
             const deferred = this.buildCreateMany(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args.timeout);
             return deferred.transform(result);
         });
     }
@@ -425,7 +512,7 @@ export class QueryInterface {
     async update(args) {
         return this.executeWithMiddleware('update', args, async () => {
             const deferred = this.buildUpdate(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args.timeout);
             return deferred.transform(result);
         });
     }
@@ -459,7 +546,7 @@ export class QueryInterface {
     async delete(args) {
         return this.executeWithMiddleware('delete', args, async () => {
             const deferred = this.buildDelete(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args.timeout);
             return deferred.transform(result);
         });
     }
@@ -484,7 +571,7 @@ export class QueryInterface {
     async upsert(args) {
         return this.executeWithMiddleware('upsert', args, async () => {
             const deferred = this.buildUpsert(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args.timeout);
             return deferred.transform(result);
         });
     }
@@ -528,7 +615,7 @@ export class QueryInterface {
     async updateMany(args) {
         return this.executeWithMiddleware('updateMany', args, async () => {
             const deferred = this.buildUpdateMany(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args.timeout);
             return deferred.transform(result);
         });
     }
@@ -557,7 +644,7 @@ export class QueryInterface {
     async deleteMany(args) {
         return this.executeWithMiddleware('deleteMany', args, async () => {
             const deferred = this.buildDeleteMany(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args.timeout);
             return deferred.transform(result);
         });
     }
@@ -577,7 +664,7 @@ export class QueryInterface {
     async count(args) {
         return this.executeWithMiddleware('count', (args ?? {}), async () => {
             const deferred = this.buildCount(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args?.timeout);
             return deferred.transform(result);
         });
     }
@@ -599,7 +686,7 @@ export class QueryInterface {
     async groupBy(args) {
         return this.executeWithMiddleware('groupBy', args, async () => {
             const deferred = this.buildGroupBy(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args.timeout);
             return deferred.transform(result);
         });
     }
@@ -726,7 +813,7 @@ export class QueryInterface {
     async aggregate(args) {
         return this.executeWithMiddleware('aggregate', args, async () => {
             const deferred = this.buildAggregate(args);
-            const result = await this.pool.query(deferred.sql, deferred.params);
+            const result = await this.queryWithTimeout(deferred.sql, deferred.params, args.timeout);
             return deferred.transform(result);
         });
     }
@@ -1117,17 +1204,19 @@ export class QueryInterface {
             params.push(op.notIn);
             clauses.push(`${column} != ALL($${params.length})`);
         }
+        // Use ILIKE for case-insensitive mode, LIKE otherwise
+        const likeOp = op.mode === 'insensitive' ? 'ILIKE' : 'LIKE';
         if (op.contains !== undefined) {
             params.push(`%${escapeLike(op.contains)}%`);
-            clauses.push(`${column} LIKE $${params.length} ESCAPE '\\'`);
+            clauses.push(`${column} ${likeOp} $${params.length} ESCAPE '\\'`);
         }
         if (op.startsWith !== undefined) {
             params.push(`${escapeLike(op.startsWith)}%`);
-            clauses.push(`${column} LIKE $${params.length} ESCAPE '\\'`);
+            clauses.push(`${column} ${likeOp} $${params.length} ESCAPE '\\'`);
         }
         if (op.endsWith !== undefined) {
             params.push(`%${escapeLike(op.endsWith)}`);
-            clauses.push(`${column} LIKE $${params.length} ESCAPE '\\'`);
+            clauses.push(`${column} ${likeOp} $${params.length} ESCAPE '\\'`);
         }
         return clauses;
     }
@@ -1265,7 +1354,7 @@ export class QueryInterface {
             targetColumns = targetMeta.allColumns.filter((col) => !omittedFields.has(col));
         }
         // Build json_build_object pairs for resolved columns
-        const jsonPairs = targetColumns.map((col) => `'${targetMeta.reverseColumnMap[col] ?? snakeToCamel(col)}', ${alias}.${quoteIdent(col)}`);
+        const jsonPairs = targetColumns.map((col) => `'${escSingleQuote(targetMeta.reverseColumnMap[col] ?? snakeToCamel(col))}', ${alias}.${quoteIdent(col)}`);
         // Nested relations?
         if (spec !== true && spec.with) {
             for (const [nestedRelName, nestedSpec] of Object.entries(spec.with)) {
@@ -1276,7 +1365,7 @@ export class QueryInterface {
                 }
                 // Recursively build nested subquery, passing THIS alias as the parent reference
                 const nestedSubquery = this.buildRelationSubquery(nestedRelDef, nestedSpec, params, alias, aliasCounter);
-                jsonPairs.push(`'${nestedRelName}', COALESCE((${nestedSubquery}), '[]'::json)`);
+                jsonPairs.push(`'${escSingleQuote(nestedRelName)}', COALESCE((${nestedSubquery}), '[]'::json)`);
             }
         }
         const jsonObj = `json_build_object(${jsonPairs.join(', ')})`;
@@ -1334,14 +1423,14 @@ export class QueryInterface {
                 // Inner SELECT always needs all columns for WHERE/ORDER to work; json_build_object filters later
                 const innerSql = `SELECT ${targetMeta.allColumns.map((c) => `${alias}.${quoteIdent(c)}`).join(', ')} FROM ${qTarget} ${alias} WHERE ${whereClause}${orderClause}${limitClause}`;
                 // For the json_build_object, reference the inner alias — only include resolved columns
-                const innerJsonPairs = targetColumns.map((col) => `'${targetMeta.reverseColumnMap[col] ?? snakeToCamel(col)}', ${innerAlias}.${quoteIdent(col)}`);
+                const innerJsonPairs = targetColumns.map((col) => `'${escSingleQuote(targetMeta.reverseColumnMap[col] ?? snakeToCamel(col))}', ${innerAlias}.${quoteIdent(col)}`);
                 // Re-add nested relation subqueries referencing innerAlias
                 if (spec !== true && spec.with) {
                     for (const [nestedRelName] of Object.entries(spec.with)) {
                         const nestedRelDef = targetMeta.relations[nestedRelName];
                         if (nestedRelDef) {
                             const nestedSub = this.buildRelationSubquery(nestedRelDef, spec.with[nestedRelName], params, innerAlias, aliasCounter);
-                            innerJsonPairs.push(`'${nestedRelName}', COALESCE((${nestedSub}), '[]'::json)`);
+                            innerJsonPairs.push(`'${escSingleQuote(nestedRelName)}', COALESCE((${nestedSub}), '[]'::json)`);
                         }
                     }
                 }
@@ -1356,10 +1445,10 @@ export class QueryInterface {
     /**
      * Get the Postgres type for a column (e.g. 'jsonb', 'text', '_int4').
      * Used to detect JSONB/array columns for specialized operators.
+     * Uses pre-computed Map for O(1) lookup instead of linear scan.
      */
     getColumnPgType(column) {
-        const col = this.tableMeta.columns.find((c) => c.name === column);
-        return col?.pgType ?? 'text';
+        return this.columnPgTypeMap.get(column) ?? 'text';
     }
     /**
      * Get the Postgres base element type for an array column.
@@ -1446,13 +1535,15 @@ export class QueryInterface {
         }
         return clauses;
     }
-    /** Get the Postgres array type for a column (used by UNNEST in createMany) */
+    /**
+     * Get the Postgres array type for a column (used by UNNEST in createMany).
+     * Uses pre-computed Map for O(1) lookup instead of linear scan.
+     */
     getColumnArrayType(column) {
-        // Find the column metadata
-        const col = this.tableMeta.columns.find((c) => c.name === column);
-        if (col)
-            return col.pgArrayType;
-        // Fallback heuristic
+        const arrayType = this.columnArrayTypeMap.get(column);
+        if (arrayType)
+            return arrayType;
+        // Fallback heuristic for unknown columns
         if (column === 'id' || column.endsWith('_id'))
             return 'bigint[]';
         if (column.endsWith('_at'))

package/dist/schema-sql.js

@@ -6,6 +6,7 @@
  */
 import pg from 'pg';
 import { camelToSnake } from './schema.js';
+import { quoteIdent } from './query.js';
 // ---------------------------------------------------------------------------
 // SQL Generation — SchemaDef → CREATE TABLE statements
 // ---------------------------------------------------------------------------
@@ -17,7 +18,6 @@ import { camelToSnake } from './schema.js';
  */
 export function schemaToSQL(schema) {
     const statements = [];
-    const tableNames = Object.keys(schema.tables);
     // Topologically sort tables by their foreign key references
     const sorted = topologicalSort(schema);
     // Generate CREATE TABLE statements
@@ -81,14 +81,14 @@ function generateCreateTable(table) {
         columnDefs.push(generateColumnDef(fieldName, config));
     }
     const body = columnDefs.map((d) => `    ${d}`).join(',\n');
-    return `CREATE TABLE ${tableName} (\n${body}\n);`;
+    return `CREATE TABLE ${quoteIdent(tableName)} (\n${body}\n);`;
 }
 /**
  * Generate a single column definition line (e.g. "id BIGSERIAL PRIMARY KEY").
  */
 function generateColumnDef(fieldName, config) {
     const snakeName = camelToSnake(fieldName);
-    const parts = [snakeName];
+    const parts = [quoteIdent(snakeName)];
     // Type
     if (config.type === 'VARCHAR' && config.maxLength != null) {
         parts.push(`VARCHAR(${config.maxLength})`);
@@ -124,7 +124,7 @@ function generateColumnDef(fieldName, config) {
     if (config.referencesTarget) {
         const refParts = config.referencesTarget.split('.');
         if (refParts.length === 2) {
-            parts.push(`REFERENCES ${refParts[0]}(${refParts[1]})`);
+            parts.push(`REFERENCES ${quoteIdent(refParts[0])}(${quoteIdent(refParts[1])})`);
         }
     }
     return parts.join(' ');
@@ -139,11 +139,27 @@ function generateColumnDef(fieldName, config) {
  *   '0'      → 0
  */
 function normalizeDefault(val) {
-    // Recognize function calls like now(), gen_random_uuid(), etc.
-    if (/^[a-z_]+\(\)$/i.test(val)) {
-        return val.toUpperCase();
+    const upper = val.toUpperCase().trim();
+    // Known SQL constants
+    if (['TRUE', 'FALSE', 'NULL'].includes(upper)) {
+        return upper;
+    }
+    // Known SQL function calls: NOW(), CURRENT_TIMESTAMP, CURRENT_DATE, CURRENT_TIME, GEN_RANDOM_UUID()
+    const allowedFunctions = [
+        'NOW()', 'CURRENT_TIMESTAMP', 'CURRENT_DATE', 'CURRENT_TIME', 'GEN_RANDOM_UUID()',
+    ];
+    if (allowedFunctions.includes(upper)) {
+        return upper;
+    }
+    // Numeric literals (integer or decimal, optionally negative)
+    if (/^-?\d+(\.\d+)?$/.test(val.trim())) {
+        return val.trim();
+    }
+    // Simple single-quoted string literals (no nested quotes)
+    if (/^'[^']*'$/.test(val.trim())) {
+        return val.trim();
     }
-    return val;
+    throw new Error(`Unsupported default value: ${val}. Use a SQL function, numeric, string literal, or NULL.`);
 }
 /**
  * Generate CREATE INDEX statements for foreign key columns.
@@ -155,7 +171,7 @@ function generateForeignKeyIndexes(table) {
         if (config.referencesTarget) {
             const snakeName = camelToSnake(fieldName);
             const indexName = `idx_${table.name}_${snakeName}`;
-            indexes.push(`CREATE INDEX ${indexName} ON ${table.name}(${snakeName});`);
+            indexes.push(`CREATE INDEX ${quoteIdent(indexName)} ON ${quoteIdent(table.name)}(${quoteIdent(snakeName)});`);
         }
     }
     return indexes;
@@ -224,7 +240,7 @@ export async function schemaDiff(schema, connectionString) {
                 if (!dbCol) {
                     // Column exists in schema but not in DB — ADD COLUMN
                     const colDef = generateColumnDef(fieldName, config);
-                    const sql = `ALTER TABLE ${tableName} ADD COLUMN ${colDef};`;
+                    const sql = `ALTER TABLE ${quoteIdent(tableName)} ADD COLUMN ${colDef};`;
                     alterDef.columns.push({ column: snakeName, action: 'add', sql });
                     result.statements.push(sql);
                     continue;
@@ -235,7 +251,7 @@ export async function schemaDiff(schema, connectionString) {
                     const sqlType = config.type === 'VARCHAR' && config.maxLength
                         ? `VARCHAR(${config.maxLength})`
                         : config.type;
-                    const sql = `ALTER TABLE ${tableName} ALTER COLUMN ${snakeName} TYPE ${sqlType};`;
+                    const sql = `ALTER TABLE ${quoteIdent(tableName)} ALTER COLUMN ${quoteIdent(snakeName)} TYPE ${sqlType};`;
                     alterDef.columns.push({ column: snakeName, action: 'alter_type', sql });
                     result.statements.push(sql);
                 }
@@ -243,12 +259,12 @@ export async function schemaDiff(schema, connectionString) {
                 const shouldBeNotNull = config.isNotNull || config.isPrimaryKey || config.type === 'BIGSERIAL';
                 const isCurrentlyNullable = dbCol.isNullable;
                 if (shouldBeNotNull && isCurrentlyNullable && !config.isNullable) {
-                    const sql = `ALTER TABLE ${tableName} ALTER COLUMN ${snakeName} SET NOT NULL;`;
+                    const sql = `ALTER TABLE ${quoteIdent(tableName)} ALTER COLUMN ${quoteIdent(snakeName)} SET NOT NULL;`;
                     alterDef.columns.push({ column: snakeName, action: 'set_not_null', sql });
                     result.statements.push(sql);
                 }
                 else if (!shouldBeNotNull && !isCurrentlyNullable && config.isNullable) {
-                    const sql = `ALTER TABLE ${tableName} ALTER COLUMN ${snakeName} DROP NOT NULL;`;
+                    const sql = `ALTER TABLE ${quoteIdent(tableName)} ALTER COLUMN ${quoteIdent(snakeName)} DROP NOT NULL;`;
                     alterDef.columns.push({ column: snakeName, action: 'drop_not_null', sql });
                     result.statements.push(sql);
                 }
@@ -257,7 +273,7 @@ export async function schemaDiff(schema, connectionString) {
             for (const dbColName of Object.keys(dbCols)) {
                 const hasField = Object.entries(tableDef.columns).some(([fieldName]) => camelToSnake(fieldName) === dbColName);
                 if (!hasField) {
-                    const sql = `ALTER TABLE ${tableName} DROP COLUMN ${dbColName};`;
+                    const sql = `ALTER TABLE ${quoteIdent(tableName)} DROP COLUMN ${quoteIdent(dbColName)};`;
                     alterDef.columns.push({ column: dbColName, action: 'drop', sql });
                     // Don't auto-add drops to statements for safety — user must opt in
                 }