altcodepro-polydb-python 2.3.10__py3-none-any.whl → 2.3.13__py3-none-any.whl

{altcodepro_polydb_python-2.3.10.dist-info → altcodepro_polydb_python-2.3.13.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: altcodepro-polydb-python
-Version: 2.3.10
+Version: 2.3.13
 Summary: Production-ready multi-cloud database abstraction layer with connection pooling, retry logic, and thread safety
 Author: AltCodePro
 Project-URL: Homepage, https://github.com/altcodepro/polydb-python

{altcodepro_polydb_python-2.3.10.dist-info → altcodepro_polydb_python-2.3.13.dist-info}/RECORD

@@ -1,5 +1,5 @@
-altcodepro_polydb_python-2.3.10.dist-info/licenses/LICENSE,sha256=9X8GLocsBwy-5aR5JGOt2SAMDDPs9Qv-YnqmHBHOXrw,1067
-polydb/PolyDB.py,sha256=p9eDdvBGosE4fNSSAbtq3tHObdKZ-C2V2Q_ia39Ackk,23397
+altcodepro_polydb_python-2.3.13.dist-info/licenses/LICENSE,sha256=9X8GLocsBwy-5aR5JGOt2SAMDDPs9Qv-YnqmHBHOXrw,1067
+polydb/PolyDB.py,sha256=DJjS1a-gjkqqo32avhRM-4CT-9ZZO3LZJ_sUOfZ99L0,23485
 polydb/__init__.py,sha256=UhUzfSvmMgKbV2tSME1ooIyfshIBi7_WyU4xl1tWWiA,1454
 polydb/advanced_query.py,sha256=cxMB-EB-qT3bWXJlhmjnMCUtrzogORWyoEfS50Dy7go,4280
 polydb/batch.py,sha256=_DjWZa1ZXYSk6MLKqFe0eT7SYVRZtYNqZb9bI8Y2sao,4566
@@ -13,18 +13,18 @@ polydb/models.py,sha256=9uu_BaJ95194n-vnd0Rx9KLc6aPS-mxn10P4W5grUcI,8155
 polydb/monitoring.py,sha256=UMm3ybyRJjAQi-prXXMLl9zuHhnhMnYBzMD3XWK66y8,9571
 polydb/multitenancy.py,sha256=9kyY98RpKg8xDy9ejB_MyV_YzF7eZd4uxashw5S8vlg,6408
 polydb/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-polydb/query.py,sha256=L13FL8A06HxT0F_LGlY9IBh-62j1VWZrv2Tu_wS-Ed0,6348
+polydb/query.py,sha256=3oWgRXIYLItmd_R-7u78hCdUgUaoiFmjVg38vi2-rVA,6600
 polydb/registry.py,sha256=RD_elvFXcmhTdCyZDm2f3ej0elxqhArnSJ2aO9k5VCU,2352
-polydb/retry.py,sha256=etsj8MGo1WMvlcZMzWmFELAsWCRs-XPEuJe6K76QgbM,2548
+polydb/retry.py,sha256=hEyL3s-frHI0ceS9dqqjh6yGOyww6tyhe1Bw1Ht7LFs,2681
 polydb/schema.py,sha256=VrOayX6V6AD2Qh3-lm4ZVPTpI24e4V52IYheZf2rNQ4,5812
-polydb/security.py,sha256=-bXdRjFmvq4X6ie6FrZMcO9ZbgjWFkNySSbRwFt1X1Q,16281
+polydb/security.py,sha256=9ju-hc6Y1sxobCoV_mZ3ZWroUD73LodyTLVMhY_HeKU,16360
 polydb/types.py,sha256=XB_85Un8_aWt4dSfpjIGotHbK3KBY2WurQGXr9EOxWY,2992
 polydb/utils.py,sha256=G_ki5zKr5rGPgpFQM1CTq6twQd5OytaHKfet267MftM,1662
 polydb/validation.py,sha256=a1o1d02k3c6PWQwkBbw_0nEmIgrdB5RR8OcpNQMn4cA,4810
 polydb/adapters/AzureBlobStorageAdapter.py,sha256=4vD55Z8DBTzBK66jIJbo5bNMY-AQ61MlP0-P2Fv_JgQ,7083
 polydb/adapters/AzureFileStorageAdapter.py,sha256=VZNprqlBXCuWUgtqClNT-NrQmRf-XFYEiRA2BLbf-Sc,7046
 polydb/adapters/AzureQueueAdapter.py,sha256=5PrKAX4OQxUD5nReZKrInF_mjQVdFcj2aYd0Xp-HjjQ,5254
-polydb/adapters/AzureTableStorageAdapter.py,sha256=EA7v5YUJwe0S3ql0EPg-ObNtX2iNJ38fJiwvRU-1Blo,23295
+polydb/adapters/AzureTableStorageAdapter.py,sha256=ILEB1mlQ96JumxQZ1BcYKGLvxTOeyFYU3tlTuTwQ6bU,23535
 polydb/adapters/BlockchainBlobAdapter.py,sha256=D01Yua9mkKfaQrxKYApblIyI6DSP0dtNAh4Tav51HJ4,3299
 polydb/adapters/BlockchainFileAdapter.py,sha256=G749xOVpG20HuKS8zCgi6PMjoJNu-YXK7zitygjLdzM,8335
 polydb/adapters/BlockchainKVAdapter.py,sha256=UFYHyTgvdW-sZUBqyHEG3Cdx6wSTiF2QowEVWL3XPTg,4564
@@ -36,7 +36,7 @@ polydb/adapters/GCPFilestoreAdapter.py,sha256=yjFQQwsWYWc8mo8XwMViVTWb5_D--xAyTM
 polydb/adapters/GCPPubSubAdapter.py,sha256=7XNots2VA0ReEDku-rjg-OTYmftIpx5UgnXYDdXNkOo,8692
 polydb/adapters/GCPStorageAdapter.py,sha256=9yS1Jhcn5_rCRdZ5uOqcRW6Ba-UNb6VOYpwENP-C6Qk,7133
 polydb/adapters/MongoDBAdapter.py,sha256=vX3SAHDLbTnHABGesES9N-gYSQqPqdqFLJgd7pYWZzw,7471
-polydb/adapters/PostgreSQLAdapter.py,sha256=atK8MEm2ui5kb-xWaDW0-6kn4vwTmaBl5G4BPhK4Gh0,24867
+polydb/adapters/PostgreSQLAdapter.py,sha256=oi3kIM6KXYTyqrTSaMozQHt-qqM4_wcJvk_4-ha3Itc,25613
 polydb/adapters/S3Adapter.py,sha256=5R0zHAL2SkGFjp1L3bp-IU468bXYdSf6nKx974MN104,7586
 polydb/adapters/S3CompatibleAdapter.py,sha256=jpafqbAjA8-irdXBrfXa1QJySIzrcUQ6UrFt5h5FAEc,7006
 polydb/adapters/SQSAdapter.py,sha256=1vfbNoqIDy-b8t2xcxy91SoxSYBPFDfUh7yCQWxdS84,5778
@@ -45,17 +45,17 @@ polydb/adapters/VercelFileAdapter.py,sha256=-fLRCi0AUbyXAR4nkHCV-wXkociHF2hzzEDq
 polydb/adapters/VercelKVAdapter.py,sha256=QZxRkuYzVNWFCEFaJPSph8YEAut-YtlXPqbCt0JlROI,8647
 polydb/adapters/VercelQueueAdapter.py,sha256=cWtPaMIWCako0HHr_rzAE6vMLugSR6zBXqp3VP9MXwY,2375
 polydb/adapters/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-polydb/audit/AuditStorage.py,sha256=A5HLhkWG8kef_caUuWakJf4fSK_r03NN4JLbbK7N55c,4949
+polydb/audit/AuditStorage.py,sha256=7HBEN6m-tBWVJJXxXIe13pe4SMi2BxncPm-_MNPgwNw,6455
 polydb/audit/__init__.py,sha256=Z7-y5djq3glQ2Yun6nj-13Efpj3oGz9Qc0veS2g06Y4,245
 polydb/audit/context.py,sha256=-A1FMtmr-2snVAHpTrVT80u-D_MCaqX6AoV4Ku2bz_o,1955
 polydb/audit/manager.py,sha256=KzaaOf5bDfr4M-CkCAZBG_U_4xIBCKDLRAf3hsm-DAk,1236
-polydb/audit/models.py,sha256=BgkSEQRbjbourxyGcEeJYIYzozwTM-pqTiSOM_BhWHs,2256
+polydb/audit/models.py,sha256=NapdH5dXU9GMoP9ccbDFaeMWvWbwoh2B5N7Nd3Ci6Cg,3745
 polydb/base/NoSQLKVAdapter.py,sha256=oa3MT7Z6E5zsF6mDeqjaMfefScKXJgne79LkB7dN8ZA,11557
 polydb/base/ObjectStorageAdapter.py,sha256=mNdJnhoB3VqSCQvmcoel5PohrVQw7Nrajdd5suGBOvQ,2242
 polydb/base/QueueAdapter.py,sha256=jFgyG-SUK4nhRNxm2NbzUbwnA9b_5iAC-ikLSUpXRwk,799
 polydb/base/SharedFilesAdapter.py,sha256=kXbJmtn_cwEyAZ-1AvFrmesCLSwu43ycTV3S4BmwrO4,853
 polydb/base/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-altcodepro_polydb_python-2.3.10.dist-info/METADATA,sha256=6w5pCWplrFUC9Ntyq-7bxXxCbVhEOWUmnoQygy1LjMM,12303
-altcodepro_polydb_python-2.3.10.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
-altcodepro_polydb_python-2.3.10.dist-info/top_level.txt,sha256=WgLFWJoYjUhwvyPxJFl6jYLrVFuBJDX3OABf4ocwk_E,7
-altcodepro_polydb_python-2.3.10.dist-info/RECORD,,
+altcodepro_polydb_python-2.3.13.dist-info/METADATA,sha256=KAxUf3jUoAFH8XIWpisSRTY1D61pJ2T87SI_VdILnKI,12303
+altcodepro_polydb_python-2.3.13.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+altcodepro_polydb_python-2.3.13.dist-info/top_level.txt,sha256=WgLFWJoYjUhwvyPxJFl6jYLrVFuBJDX3OABf4ocwk_E,7
+altcodepro_polydb_python-2.3.13.dist-info/RECORD,,

polydb/PolyDB.py

@@ -23,7 +23,6 @@ from .types import JsonDict, Lookup
 from .utils import setup_logger
 from .validation import ModelValidator, SchemaValidator
 
-
 ModelRef = Union[Type, str]
 
 
@@ -336,6 +335,7 @@ class PolyDB:
         metadata: Optional[Dict[str, Any]] = None,
         storage_name: str = "default",
         optimize: bool = True,
+        container_name: Optional[str] = None,
     ) -> str:
         storage = self.get_object_storage(storage_name)
         return storage.put(
@@ -345,6 +345,7 @@ class PolyDB:
             optimize=optimize,
             media_type=media_type,
             metadata=metadata or {},
+            container_name=container_name,
         )
 
     def get_blob(

polydb/adapters/AzureTableStorageAdapter.py

@@ -116,11 +116,17 @@ class AzureTableStorageAdapter(NoSQLKVAdapter):
         if v is None:
             return None
 
+        # Treat empty containers as absent — let the row omit the property.
+        if isinstance(v, (list, tuple, dict)) and len(v) == 0:
+            return None
+
         if isinstance(v, bytes):
             return _BYTES_PREFIX + base64.b64encode(v).decode("ascii")
 
-        if isinstance(v, (dict, list)):
-            return _JSON_PREFIX + json.dumps(v, default=json_safe)
+        if isinstance(v, (dict, list, tuple)):
+            return _JSON_PREFIX + json.dumps(
+                list(v) if isinstance(v, tuple) else v, default=json_safe
+            )
 
         if isinstance(v, UUID):
             return str(v)

polydb/adapters/PostgreSQLAdapter.py

@@ -8,8 +8,6 @@ import hashlib
 from contextlib import contextmanager
 import json
 from datetime import datetime, date
-
-
 from ..errors import DatabaseError, ConnectionError
 from ..retry import retry
 from ..utils import validate_table_name, validate_column_name
@@ -102,34 +100,46 @@ class PostgreSQLAdapter:
 
     def _serialize_value(self, v: Any) -> Any:
         """
-        Make all outgoing values safe for psycopg2.
+        Make outgoing values safe for psycopg2 across mixed column types.
 
         Rules:
-        - dict -> Json()
-        - list -> leave as list (so TEXT[] works)
-        - datetime/date -> pass as native (psycopg2 handles it)
-        - Decimal -> convert to float
-        - everything else -> pass as-is
+        None / empty list / empty dict   -> None  (becomes NULL on any column)
+        list of primitives (str/int/...) -> native list (psycopg2 maps to TEXT[]/INT[])
+        list containing dicts            -> Json(list)  (for JSONB columns)
+        dict                             -> Json(dict)
+        datetime/date                    -> native
+        Decimal                          -> float
+        everything else                  -> as-is
         """
+        # NULL-ify empties so they're valid for TEXT[], JSONB, and plain columns alike.
         from psycopg2.extras import Json
 
         if v is None:
             return None
+        if isinstance(v, (list, tuple)) and len(v) == 0:
+            return None
+        if isinstance(v, dict) and len(v) == 0:
+            return None
 
-        # Dict -> JSON/JSONB
+        # Dict -> JSONB
         if isinstance(v, dict):
             return Json(self._json_safe(v))
 
-        # List:
-        # DO NOT wrap in Json() automatically.
-        # If column is JSONB, Postgres will still accept Json(list).
-        # But for TEXT[] columns we must send Python list.
-        if isinstance(v, list):
+        # List: route by element type.
+        if isinstance(v, (list, tuple)):
+            v = list(v)
+            # If ANY element is a dict, treat as JSON payload (for JSONB columns).
+            if any(isinstance(x, dict) for x in v):
+                return Json(v)
+            # If ALL elements are primitives, send as native list for TEXT[]/INT[].
+            if all(isinstance(x, (str, int, float, bool, type(None))) for x in v):
+                return v
+            # Mixed / nested -> safest is JSONB
             return Json(v)
 
         # Datetime / date
         if isinstance(v, (datetime, date)):
-            return v  # psycopg2 handles natively
+            return v
 
         # Decimal
         if isinstance(v, Decimal):

polydb/audit/AuditStorage.py

@@ -10,14 +10,19 @@ from ..cloudDatabaseFactory import CloudDatabaseFactory
 
 class AuditStorage:
     """Audit log with distributed-safe hash chaining"""
-    
+
     _lock = threading.Lock()
-    
+
     def __init__(self):
         self.factory = CloudDatabaseFactory()
         self.sql = self.factory.get_sql()
         self._ensure_table()
-    
+
+    @staticmethod
+    def _is_unique_violation(exc: Exception) -> bool:
+        s = str(exc).lower()
+        return "23505" in s or "duplicate key" in s or "unique constraint" in s
+
     def _ensure_table(self):
         """Create audit table if not exists"""
         try:
@@ -43,7 +48,8 @@ class AuditStorage:
                 user_agent TEXT,
                 error TEXT,
                 hash VARCHAR(64) NOT NULL,
-                previous_hash VARCHAR(64),
+                previous_hash VARCHAR(64) NOT NULL DEFAULT '',
+                CONSTRAINT uq_audit_chain UNIQUE (tenant_id, previous_hash),
                 created_at TIMESTAMP DEFAULT NOW()
             );
             
@@ -56,81 +62,103 @@ class AuditStorage:
             CREATE INDEX IF NOT EXISTS idx_audit_hash_chain 
                 ON polydb_audit_log(tenant_id, timestamp DESC, previous_hash);
             """
-            
+
             self.sql.execute(schema)
         except Exception:
             # Table may already exist
             pass
-    
+
     def get_last_hash(self, tenant_id: Optional[str]) -> Optional[str]:
         """Get most recent hash with strict ordering (distributed-safe)"""
         with self._lock:
             try:
                 from ..query import QueryBuilder, Operator
-                
+
                 builder = QueryBuilder()
-                
+
                 if tenant_id is not None:
-                    builder.where('tenant_id', Operator.EQ, tenant_id)
-                
-                builder.order_by('timestamp', descending=True).take(1)
-                
-                results = self.sql.query_linq('polydb_audit_log', builder)
-                
+                    builder.where("tenant_id", Operator.EQ, tenant_id)
+
+                builder.order_by("timestamp", descending=True).take(1)
+
+                results = self.sql.query_linq("polydb_audit_log", builder)
+
                 if results and len(results) > 0:
-                    return results[0].get('hash')
-                
+                    return results[0].get("hash")
+
                 return None
             except Exception:
                 return None
-    
+
     def persist(self, record: AuditRecord) -> None:
-        """Persist with lock to ensure chain integrity"""
-        with self._lock:
-            self.sql.insert('polydb_audit_log', {
-                'audit_id': record.audit_id,
-                'timestamp': record.timestamp,
-                'tenant_id': record.tenant_id,
-                'actor_id': record.actor_id,
-                'roles': record.roles,
-                'action': record.action,
-                'model': record.model,
-                'entity_id': record.entity_id,
-                'storage_type': record.storage_type,
-                'provider': record.provider,
-                'success': record.success,
-                'before': record.before,
-                'after': record.after,
-                'changed_fields': record.changed_fields,
-                'trace_id': record.trace_id,
-                'request_id': record.request_id,
-                'ip_address': record.ip_address,
-                'user_agent': record.user_agent,
-                'error': record.error,
-                'hash': record.hash,
-                'previous_hash': record.previous_hash,
-            })
-    
+        """Append to the hash chain. Concurrency-safe ACROSS PROCESSES via the
+        UNIQUE(tenant_id, previous_hash) constraint + bounded retry: if two
+        writers race on the same predecessor, the loser re-reads the new tail
+        and re-chains instead of forking. (threading.Lock alone was only
+        process-local — the old "distributed-safe" claim was false.)"""
+        from dataclasses import asdict
+        from .models import compute_audit_hash
+
+        last_err: Optional[Exception] = None
+        for _ in range(8):
+            with self._lock:
+                prev = self.get_last_hash(record.tenant_id) or ""
+                record.previous_hash = prev
+                record.hash = compute_audit_hash(asdict(record))
+                row = {
+                    "audit_id": record.audit_id,
+                    "timestamp": record.timestamp,
+                    "tenant_id": record.tenant_id,
+                    "actor_id": record.actor_id,
+                    "roles": record.roles or None,
+                    "action": record.action,
+                    "model": record.model,
+                    "entity_id": record.entity_id,
+                    "storage_type": record.storage_type,
+                    "provider": record.provider,
+                    "success": record.success,
+                    "before": record.before,
+                    "after": record.after,
+                    "changed_fields": record.changed_fields or None,
+                    "trace_id": record.trace_id,
+                    "request_id": record.request_id,
+                    "ip_address": record.ip_address,
+                    "user_agent": record.user_agent,
+                    "error": record.error,
+                    "hash": record.hash,
+                    "previous_hash": record.previous_hash,
+                }
+                try:
+                    self.sql.insert("polydb_audit_log", row)
+                    return
+                except Exception as e:
+                    if self._is_unique_violation(e):
+                        last_err = e
+                        continue
+                    raise
+        raise last_err or RuntimeError("audit persist failed after retries")
+
     def verify_chain(self, tenant_id: Optional[str] = None) -> bool:
-        """Verify hash chain integrity"""
+        """Verify BOTH chain linkage AND per-record content integrity.
+        The old version only checked previous_hash linkage, so editing
+        before/after/action while leaving `hash` intact passed silently."""
         from ..query import QueryBuilder, Operator
-        
+        from .models import compute_audit_hash
+
         builder = QueryBuilder()
-        
         if tenant_id is not None:
-            builder.where('tenant_id', Operator.EQ, tenant_id)
-        
-        builder.order_by('timestamp', descending=False)
-        
-        records = self.sql.query_linq('polydb_audit_log', builder)
-        
+            builder.where("tenant_id", Operator.EQ, tenant_id)
+        builder.order_by("timestamp", descending=False)
+
+        records = self.sql.query_linq("polydb_audit_log", builder)
         if not records:
             return True
-        
-        prev_hash = None
-        for record in records:
-            if record.get('previous_hash') != prev_hash:
+
+        prev = ""
+        for r in records:
+            if (r.get("previous_hash") or "") != prev:
+                return False
+            if r.get("hash") != compute_audit_hash(r):  # content tamper check
                 return False
-            prev_hash = record.get('hash')
-        
-        return True
+            prev = r.get("hash")
+        return True

polydb/audit/models.py

@@ -1,15 +1,52 @@
 # src/polydb/audit/models.py
 
 from dataclasses import dataclass, asdict
-from datetime import datetime
 from typing import Any, Dict, List, Optional
 import uuid
 import hashlib
 import json
-
+from datetime import datetime, timezone
 from ..json_safe import json_safe
 
 
+def _iso(ts: Any) -> str:
+    return ts.isoformat() if hasattr(ts, "isoformat") else str(ts)
+
+
+def canonical_audit_payload(src: Dict[str, Any]) -> str:
+    """Deterministic JSON for the hash chain. Identical whether `src` is a
+    freshly-built record (asdict) or a row read back from Postgres, so the
+    create-time hash and the verify-time recomputed hash match.
+    Normalizes [] vs NULL and timestamp formatting; excludes `hash`."""
+    payload = {
+        "audit_id": src.get("audit_id"),
+        "timestamp": _iso(src.get("timestamp")),
+        "tenant_id": src.get("tenant_id"),
+        "actor_id": src.get("actor_id"),
+        "roles": list(src.get("roles") or []),
+        "action": src.get("action"),
+        "model": src.get("model"),
+        "entity_id": src.get("entity_id"),
+        "storage_type": src.get("storage_type"),
+        "provider": src.get("provider"),
+        "success": bool(src.get("success")),
+        "before": src.get("before"),
+        "after": src.get("after"),
+        "changed_fields": list(src.get("changed_fields") or []),
+        "trace_id": src.get("trace_id"),
+        "request_id": src.get("request_id"),
+        "ip_address": src.get("ip_address"),
+        "user_agent": src.get("user_agent"),
+        "error": src.get("error"),
+        "previous_hash": src.get("previous_hash") or "",
+    }
+    return json.dumps(payload, sort_keys=True, default=json_safe)
+
+
+def compute_audit_hash(src: Dict[str, Any]) -> str:
+    return hashlib.sha256(canonical_audit_payload(src).encode()).hexdigest()
+
+
 @dataclass
 class AuditRecord:
     audit_id: str
@@ -55,7 +92,7 @@ class AuditRecord:
         context,
         previous_hash: Optional[str] = None,
     ):
-        now = datetime.utcnow().isoformat()
+        now = datetime.now(timezone.utc).replace(tzinfo=None).isoformat()
         audit_id = str(uuid.uuid4())
 
         record = cls(
@@ -81,8 +118,6 @@ class AuditRecord:
             previous_hash=previous_hash,
         )
 
-        record.hash = hashlib.sha256(
-            json.dumps(asdict(record), sort_keys=True,default=json_safe).encode()
-        ).hexdigest()
+        record.hash = compute_audit_hash(asdict(record))
 
         return record

polydb/query.py

@@ -4,6 +4,7 @@ from __future__ import annotations
 from dataclasses import dataclass, field
 from typing import Any, Dict, List, Optional, Union
 from enum import Enum
+from .utils import validate_column_name
 
 
 class Operator(Enum):
@@ -130,6 +131,7 @@ class QueryBuilder:
         params = []
 
         for f in self.filters:
+            validate_column_name(f.field)
 
             if f.operator == Operator.EQ:
                 clauses.append(f"{f.field} = %s")
@@ -156,14 +158,15 @@ class QueryBuilder:
                 params.append(f.value)
 
             elif f.operator == Operator.IN:
-
                 if isinstance(f.value, (list, tuple)):
-                    placeholders = ",".join(["%s"] * len(f.value))
-                    clauses.append(f"{f.field} IN ({placeholders})")
-                    params.extend(f.value)
-
+                    if not f.value:
+                        clauses.append("1=0")  # empty IN → match nothing
+                    else:
+                        placeholders = ",".join(["%s"] * len(f.value))
+                        clauses.append(f"{f.field} IN ({placeholders})")
+                        params.extend(f.value)
                 else:
-                    clauses.append(f"{f.field} LIKE %s")
+                    clauses.append(f"{f.field} = %s")  # scalar IN == equality
                     params.append(f.value)
 
             elif f.operator == Operator.NOT_IN:

polydb/retry.py

@@ -12,42 +12,49 @@ from typing import Callable, Optional, Tuple, Type
 # Metrics hooks for enterprise monitoring
 class MetricsHooks:
     """Metrics hooks that users can override for monitoring"""
-    
+
     @staticmethod
     def on_query_start(operation: str, **kwargs):
         """Called when query starts"""
         pass
-    
+
     @staticmethod
     def on_query_end(operation: str, duration: float, success: bool, **kwargs):
         """Called when query ends"""
         pass
-    
+
     @staticmethod
     def on_error(operation: str, error: Exception, **kwargs):
         """Called when error occurs"""
         pass
 
 
-def retry(max_attempts: int = 3, delay: float = 1.0, backoff: float = 2.0, 
-        exceptions: Tuple[Type[Exception], ...] = (Exception,)):
+def retry(
+    max_attempts: int = 3,
+    delay: float = 1.0,
+    backoff: float = 2.0,
+    exceptions: Tuple[Type[Exception], ...] = (Exception,),
+):
     """
     Retry decorator with exponential backoff
-    
+
     Args:
         max_attempts: Maximum number of retry attempts
         delay: Initial delay between retries (seconds)
         backoff: Backoff multiplier
         exceptions: Tuple of exceptions to catch
     """
+    if max_attempts < 1:
+        raise ValueError("max_attempts must be >= 1")
+
     def decorator(func: Callable) -> Callable:
         @wraps(func)
         def wrapper(*args, **kwargs):
             attempt = 0
             current_delay = delay
-            
+
             logger = logging.getLogger(__name__)
-            
+
             while attempt < max_attempts:
                 start_time = time.time()
                 try:
@@ -61,16 +68,20 @@ def retry(max_attempts: int = 3, delay: float = 1.0, backoff: float = 2.0,
                     duration = time.time() - start_time
                     MetricsHooks.on_query_end(func.__name__, duration, False)
                     MetricsHooks.on_error(func.__name__, e)
-                    
+
                     if attempt >= max_attempts:
                         raise
-                    
+
                     logger.warning(
                         f"Attempt {attempt}/{max_attempts} failed for {func.__name__}: {str(e)}. "
                         f"Retrying in {current_delay}s..."
                     )
                     time.sleep(current_delay)
                     current_delay *= backoff
-            
+            raise RuntimeError(
+                f"{func.__name__} exhausted {max_attempts} attempts without returning"
+            )
+
         return wrapper
-    return decorator
+
+    return decorator

polydb/security.py

@@ -2,6 +2,7 @@
 """
 Security features: encryption, masking, row-level security
 """
+
 from typing import Dict, Any, List, Optional, Callable, Union
 from dataclasses import dataclass
 import hashlib
@@ -50,7 +51,7 @@ class FieldEncryption:
         """Encrypt arbitrary value (serialize if non-str)"""
         if value is None:
             return ""
-        data = json.dumps(value,default=json_safe) if not isinstance(value, str) else value
+        data = json.dumps(value, default=json_safe) if not isinstance(value, str) else value
         try:
             from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 
@@ -91,9 +92,11 @@ class FieldEncryption:
         except ImportError:
             raise ImportError("cryptography not installed")
         except Exception as e:
-            # On decrypt failure, return masked or original to avoid crashes
-            logger.warning(f"Decryption failed: {e}. Returning original value.")
-            return encrypted_data
+            # Fail loud. Returning ciphertext as if it were plaintext masks
+            # key-rotation errors / corruption and leaks the 'encrypted:' blob
+            # into application data.
+            logger.error("Field decryption failed: %s", e)
+            raise
 
     def encrypt_fields(self, data: Dict[str, Any], fields: List[str]) -> Dict[str, Any]:
         """Encrypt specified fields in data dict"""