fix(store): SQL injection guards, LIKE escaping, BigInt safety, batch null checks

- Validate SearchConfig identifiers (table/column names) against injection
- Guard FTS5 MATCH against empty query when all tokens are operators
- Validate migration version before PRAGMA interpolation
- Replace Number(row.id) with num() for BigInt consistency + add null check
- Remove non-null assertions in batch tag/attachment fetches
- Add likeEscape() helper and ESCAPE '\' clause across all 7 stores
- Add created_at tie-breaker to epics ORDER BY for stable pagination
- Add missing idx_attachments_project index

Author: prih

src/store/sqlite/lib/bigint.ts

@@ -8,6 +8,11 @@ export function now(): bigint {
   return BigInt(Date.now());
 }
 
+/** Escape LIKE special characters (%, _) for safe use in SQL LIKE patterns */
+export function likeEscape(text: string): string {
+  return text.replace(/[%_]/g, '\\$&');
+}
+
 /** Safely parse JSON with a fallback for corrupted data */
 export function safeJson<T>(raw: string, fallback: T): T {
   try {

src/store/sqlite/lib/entity-helpers.ts

@@ -35,9 +35,10 @@ export class EntityHelpers {
     // Insert new tags
     for (const tag of tags) {
       this.db.prepare('INSERT OR IGNORE INTO tags (project_id, name) VALUES (?, ?)').run(this.projectId, tag);
-      const row = this.db.prepare('SELECT id FROM tags WHERE project_id = ? AND name = ?').get(this.projectId, tag) as { id: bigint };
+      const row = this.db.prepare('SELECT id FROM tags WHERE project_id = ? AND name = ?').get(this.projectId, tag) as { id: bigint } | undefined;
+      if (!row) throw new Error(`Failed to resolve tag: ${tag}`);
       this.db.prepare(`INSERT INTO edges (project_id, from_graph, from_id, to_graph, to_id, kind) VALUES (?, 'tags', ?, ?, ?, 'tagged')`)
-        .run(this.projectId, Number(row.id), graph, entityId);
+        .run(this.projectId, num(row.id), graph, entityId);
     }
   }
 
@@ -69,7 +70,8 @@ export class EntityHelpers {
 
     for (const r of rows) {
       const id = num(r.entity_id);
-      result.get(id)!.push(r.name);
+      const arr = result.get(id);
+      if (arr) arr.push(r.name);
     }
     return result;
   }
@@ -99,7 +101,8 @@ export class EntityHelpers {
 
     for (const r of rows) {
       const id = num(r.entity_id as bigint);
-      result.get(id)!.push(this.toAttachmentMeta(r));
+      const arr = result.get(id);
+      if (arr) arr.push(this.toAttachmentMeta(r));
     }
     return result;
   }

src/store/sqlite/lib/migrate.ts

@@ -22,6 +22,9 @@ export function runMigrations(db: Database.Database, migrations: Migration[]): n
     if (m.version > current) {
       db.transaction(() => {
         db.exec(m.sql);
+        if (!Number.isInteger(m.version) || m.version < 0) {
+          throw new Error(`Invalid migration version: ${m.version}`);
+        }
         db.pragma(`user_version = ${m.version}`);
       })();
       applied++;

src/store/sqlite/lib/search.ts

@@ -4,17 +4,29 @@ import { num } from './bigint';
 
 const RRF_K = 60;
 
+/** Validate SQL identifier (table/column name) — alphanumeric + underscore only */
+function assertIdentifier(name: string, label: string): void {
+  if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(name)) {
+    throw new Error(`Invalid ${label}: ${name}`);
+  }
+}
+
 /**
  * Escape user text for FTS5 MATCH — wrap each token in double quotes.
  * Preserves FTS5 operators (AND, OR, NOT, NEAR) when used explicitly.
+ * Returns empty string if no valid tokens remain.
  */
 function ftsEscape(text: string): string {
   const FTS5_OPS = new Set(['AND', 'OR', 'NOT', 'NEAR']);
-  return text
+  const tokens = text
     .split(/\s+/)
-    .filter(t => t.length > 0)
+    .filter(t => t.length > 0);
+  const escaped = tokens
     .map(t => FTS5_OPS.has(t) ? t : `"${t.replace(/"/g, '""')}"`)
     .join(' ');
+  // If all tokens were FTS5 operators, result is unusable — return empty
+  if (tokens.length > 0 && tokens.every(t => FTS5_OPS.has(t))) return '';
+  return escaped;
 }
 
 /**
@@ -57,17 +69,25 @@ export function hybridSearch(
   let ftsRanked: Array<{ id: number; rn: number }> = [];
   let vecRanked: Array<{ id: number; rn: number }> = [];
 
+  // Validate config identifiers to prevent SQL injection
+  assertIdentifier(config.ftsTable, 'ftsTable');
+  assertIdentifier(config.vecTable, 'vecTable');
+  assertIdentifier(config.parentTable, 'parentTable');
+  assertIdentifier(config.parentIdColumn, 'parentIdColumn');
+
   const extraJoin = config.extraJoinCondition ?? '';
 
   // FTS5 keyword search
   if (mode !== 'vector' && query.text) {
+    const escaped = ftsEscape(query.text);
+    if (!escaped) return [];
     const rows = db.prepare(`
       SELECT p.${config.parentIdColumn} AS id, ROW_NUMBER() OVER (ORDER BY rank) AS rn
       FROM ${config.ftsTable} fts
       JOIN ${config.parentTable} p ON p.${config.parentIdColumn} = fts.rowid AND p.project_id = ? ${extraJoin}
       WHERE ${config.ftsTable} MATCH ?
       LIMIT ?
-    `).all(projectId, ftsEscape(query.text), topK) as Array<{ id: bigint; rn: bigint }>;
+    `).all(projectId, escaped, topK) as Array<{ id: bigint; rn: bigint }>;
 
     ftsRanked = rows.map(r => ({ id: num(r.id), rn: num(r.rn) }));
   }

src/store/sqlite/migrations/v001.ts

@@ -53,6 +53,7 @@ CREATE TABLE attachments (
   added_at   INTEGER NOT NULL DEFAULT (unixepoch('now','subsec') * 1000),
   UNIQUE(project_id, graph, entity_id, filename)
 );
+CREATE INDEX idx_attachments_project ON attachments(project_id);
 
 -- =============================================
 -- Unified edges (same-graph + cross-graph)

src/store/sqlite/stores/code.ts

@@ -8,7 +8,7 @@ import type {
   PaginationOptions,
 } from '../../types';
 import { MetaHelper } from '../lib/meta';
-import { num } from '../lib/bigint';
+import { num, likeEscape } from '../lib/bigint';
 import { hybridSearch, SearchConfig } from '../lib/search';
 import * as path from 'path';
 
@@ -187,8 +187,8 @@ export class SqliteCodeStore implements CodeStore {
     const params: unknown[] = [this.projectId];
 
     if (filter) {
-      conditions.push('f.file_id LIKE ?');
-      params.push(`%${filter}%`);
+      conditions.push("f.file_id LIKE ? ESCAPE '\\'");
+      params.push(`%${likeEscape(filter)}%`);
     }
 
     const where = conditions.join(' AND ');

src/store/sqlite/stores/docs.ts

@@ -8,7 +8,7 @@ import type {
   PaginationOptions,
 } from '../../types';
 import { MetaHelper } from '../lib/meta';
-import { num, safeJson } from '../lib/bigint';
+import { num, safeJson, likeEscape } from '../lib/bigint';
 import { hybridSearch, SearchConfig } from '../lib/search';
 
 const GRAPH = 'docs';
@@ -171,8 +171,8 @@ export class SqliteDocsStore implements DocsStore {
     const params: unknown[] = [this.projectId];
 
     if (filter) {
-      conditions.push('(d.file_id LIKE ? OR d.title LIKE ?)');
-      const like = `%${filter}%`;
+      conditions.push("(d.file_id LIKE ? ESCAPE '\\' OR d.title LIKE ? ESCAPE '\\')");
+      const like = `%${likeEscape(filter)}%`;
       params.push(like, like);
     }
 

src/store/sqlite/stores/epics.ts

@@ -16,7 +16,7 @@ import type {
 import { VersionConflictError } from '../../types';
 import { MetaHelper } from '../lib/meta';
 import { EntityHelpers } from '../lib/entity-helpers';
-import { num, now } from '../lib/bigint';
+import { num, now, likeEscape } from '../lib/bigint';
 import { hybridSearch, SearchConfig } from '../lib/search';
 
 const GRAPH = 'epics';
@@ -178,7 +178,7 @@ export class SqliteEpicsStore implements EpicsStore {
 
     if (opts?.status) { conditions.push('e.status = ?'); params.push(opts.status); }
     if (opts?.priority) { conditions.push('e.priority = ?'); params.push(opts.priority); }
-    if (opts?.filter) { conditions.push('(e.title LIKE ? OR e.description LIKE ?)'); const like = `%${opts.filter}%`; params.push(like, like); }
+    if (opts?.filter) { conditions.push("(e.title LIKE ? ESCAPE '\\' OR e.description LIKE ? ESCAPE '\\')"); const like = `%${likeEscape(opts.filter)}%`; params.push(like, like); }
     if (opts?.tag) {
       conditions.push(`EXISTS (
         SELECT 1 FROM edges ed JOIN tags tg ON tg.id = ed.from_id AND tg.project_id = ed.project_id
@@ -189,7 +189,7 @@ export class SqliteEpicsStore implements EpicsStore {
     }
 
     const where = conditions.join(' AND ');
-    const rows = this.db.prepare(`SELECT e.* FROM epics e WHERE ${where} ORDER BY e."order" LIMIT ? OFFSET ?`)
+    const rows = this.db.prepare(`SELECT e.* FROM epics e WHERE ${where} ORDER BY e."order", e.created_at LIMIT ? OFFSET ?`)
       .all(...params, limit, offset) as Array<Record<string, unknown>>;
     const total = num((this.db.prepare(`SELECT COUNT(*) AS c FROM epics e WHERE ${where}`).get(...params) as { c: bigint }).c);
 

src/store/sqlite/stores/files.ts

@@ -8,7 +8,7 @@ import type {
   SearchResult,
 } from '../../types';
 import { MetaHelper } from '../lib/meta';
-import { num } from '../lib/bigint';
+import { num, likeEscape } from '../lib/bigint';
 
 const GRAPH = 'files';
 
@@ -187,8 +187,8 @@ export class SqliteFilesStore implements FilesStore {
     }
 
     if (opts?.filter) {
-      conditions.push('file_path LIKE ?');
-      params.push(`%${opts.filter}%`);
+      conditions.push("file_path LIKE ? ESCAPE '\\'");
+      params.push(`%${likeEscape(opts.filter)}%`);
     }
 
     const where = conditions.join(' AND ');
@@ -215,9 +215,9 @@ export class SqliteFilesStore implements FilesStore {
     if (mode === 'keyword' && query.text) {
       // Fallback: LIKE-based search on file_path
       const rows = this.db.prepare(`
-        SELECT id FROM files WHERE project_id = ? AND file_path LIKE ? AND kind = 'file'
+        SELECT id FROM files WHERE project_id = ? AND file_path LIKE ? ESCAPE '\\' AND kind = 'file'
         ORDER BY file_path ASC LIMIT ?
-      `).all(this.projectId, `%${query.text}%`, maxResults) as Array<{ id: bigint }>;
+      `).all(this.projectId, `%${likeEscape(query.text)}%`, maxResults) as Array<{ id: bigint }>;
 
       return rows
         .map((r, i) => ({ id: num(r.id), score: 1 / (60 + i + 1) }))
@@ -248,9 +248,9 @@ export class SqliteFilesStore implements FilesStore {
 
       if (query.text) {
         const rows = this.db.prepare(`
-          SELECT id FROM files WHERE project_id = ? AND file_path LIKE ? AND kind = 'file'
+          SELECT id FROM files WHERE project_id = ? AND file_path LIKE ? ESCAPE '\\' AND kind = 'file'
           ORDER BY file_path ASC LIMIT ?
-        `).all(this.projectId, `%${query.text}%`, query.topK ?? 50) as Array<{ id: bigint }>;
+        `).all(this.projectId, `%${likeEscape(query.text)}%`, query.topK ?? 50) as Array<{ id: bigint }>;
         rows.forEach((r, i) => likeResults.push({ id: num(r.id), rn: i + 1 }));
       }
 

src/store/sqlite/stores/knowledge.ts

@@ -14,7 +14,7 @@ import type {
 import { VersionConflictError } from '../../types';
 import { MetaHelper } from '../lib/meta';
 import { EntityHelpers } from '../lib/entity-helpers';
-import { num, now } from '../lib/bigint';
+import { num, now, likeEscape } from '../lib/bigint';
 import { hybridSearch, SearchConfig } from '../lib/search';
 
 const GRAPH = 'knowledge';
@@ -141,8 +141,8 @@ export class SqliteKnowledgeStore implements KnowledgeStore {
     const params: unknown[] = [this.projectId];
 
     if (filter) {
-      conditions.push('(k.title LIKE ? OR k.content LIKE ?)');
-      const like = `%${filter}%`;
+      conditions.push("(k.title LIKE ? ESCAPE '\\' OR k.content LIKE ? ESCAPE '\\')");
+      const like = `%${likeEscape(filter)}%`;
       params.push(like, like);
     }