feat(security): add cookie session support to DatabaseAuthenticator

* Introduce enableCookieSession option for session management
* Implement LoginWithCookie and LogoutWithCookie methods
* Update Authenticate method to support session token from cookie

pkg/common/adapters/database/bun.go

@@ -300,6 +300,7 @@ type BunSelectQuery struct {
 	inJoinContext        bool                                                     // Track if we're in a JOIN relation context
 	joinTableAlias       string                                                   // Alias to use for JOIN conditions
 	skipAutoDetect       bool                                                     // Skip auto-detection to prevent circular calls
+	preloadRelationAlias string                                                   // Relation alias used in separate-query preloads (e.g. "tprp" for relation "TPRP")
 	customPreloads       map[string][]func(common.SelectQuery) common.SelectQuery // Relations to load with custom implementation
 	metricsEnabled       bool
 }
@@ -346,12 +347,14 @@ func (b *BunSelectQuery) ColumnExpr(query string, args ...interface{}) common.Se
 }
 
 func (b *BunSelectQuery) Where(query string, args ...interface{}) common.SelectQuery {
-	// If we're in a JOIN context, add table prefix to unqualified columns
 	if b.inJoinContext && b.joinTableAlias != "" {
 		query = addTablePrefix(query, b.joinTableAlias)
+	} else if b.preloadRelationAlias != "" && b.tableName != "" {
+		// Separate-query preload: the caller may have written conditions using the
+		// relation name as a prefix (e.g. "TPRP.col"). Bun uses the real table name
+		// as the alias, so rewrite any such references to use tableName instead.
+		query = replaceRelationAlias(query, b.preloadRelationAlias, b.tableName)
 	} else if b.tableAlias != "" && b.tableName != "" {
-		// If we have a table alias defined, check if the query references a different alias
-		// This can happen in preloads where the user expects a certain alias but Bun generates another
 		query = normalizeTableAlias(query, b.tableAlias, b.tableName)
 	}
 	b.query = b.query.Where(query, args...)
@@ -487,6 +490,38 @@ func normalizeTableAlias(query, expectedAlias, tableName string) string {
 	return modified
 }
 
+// replaceRelationAlias rewrites WHERE conditions written with a relation alias prefix
+// (e.g. "TPRP.col") to use the real table name that bun uses in separate queries
+// (e.g. "t_proposalinstance.col"). Only called for separate-query preload wrappers.
+func replaceRelationAlias(query, relationAlias, tableName string) string {
+	if relationAlias == "" || tableName == "" || query == "" {
+		return query
+	}
+	parts := strings.FieldsFunc(query, func(r rune) bool {
+		return r == ' ' || r == '(' || r == ')' || r == ','
+	})
+	modified := query
+	for _, part := range parts {
+		if dotIndex := strings.Index(part, "."); dotIndex > 0 {
+			prefix := part[:dotIndex]
+			column := part[dotIndex+1:]
+			if strings.EqualFold(prefix, relationAlias) {
+				logger.Debug("Replacing relation alias '%s' with table name '%s' in preload WHERE condition", prefix, tableName)
+				modified = strings.ReplaceAll(modified, part, tableName+"."+column)
+			}
+		}
+	}
+	return modified
+}
+
+func isJoinKeyword(word string) bool {
+	switch strings.ToUpper(word) {
+	case "JOIN", "INNER", "LEFT", "RIGHT", "FULL", "OUTER", "CROSS":
+		return true
+	}
+	return false
+}
+
 func (b *BunSelectQuery) WhereOr(query string, args ...interface{}) common.SelectQuery {
 	b.query = b.query.WhereOr(query, args...)
 	return b
@@ -517,7 +552,7 @@ func (b *BunSelectQuery) Join(query string, args ...interface{}) common.SelectQu
 	if prefix != "" && !strings.Contains(strings.ToUpper(query), " AS ") {
 		// If query doesn't already have AS, check if it's a simple table name
 		parts := strings.Fields(query)
-		if len(parts) > 0 && !strings.HasPrefix(strings.ToUpper(parts[0]), "JOIN") {
+		if len(parts) > 0 && !isJoinKeyword(parts[0]) {
 			// Simple table name, add prefix: "table AS prefix"
 			joinClause = fmt.Sprintf("%s AS %s", parts[0], prefix)
 			if len(parts) > 1 {
@@ -552,7 +587,7 @@ func (b *BunSelectQuery) LeftJoin(query string, args ...interface{}) common.Sele
 	joinClause := query
 	if prefix != "" && !strings.Contains(strings.ToUpper(query), " AS ") {
 		parts := strings.Fields(query)
-		if len(parts) > 0 && !strings.HasPrefix(strings.ToUpper(parts[0]), "LEFT") && !strings.HasPrefix(strings.ToUpper(parts[0]), "JOIN") {
+		if len(parts) > 0 && !isJoinKeyword(parts[0]) {
 			joinClause = fmt.Sprintf("%s AS %s", parts[0], prefix)
 			if len(parts) > 1 {
 				joinClause += " " + strings.Join(parts[1:], " ")
@@ -597,6 +632,19 @@ func (b *BunSelectQuery) PreloadRelation(relation string, apply ...func(common.S
 	if !b.skipAutoDetect {
 		model := b.query.GetModel()
 		if model != nil && model.Value() != nil {
+			// Guard against relations that don't exist on the model. Without this,
+			// bun panics inside Count/Scan with `model=X does not have relation="Y"`.
+			// Only validate the root segment so nested paths (e.g. "PRM.CHILD") still
+			// fall through to bun's native resolution.
+			rootRelation := relation
+			if idx := strings.Index(rootRelation, "."); idx >= 0 {
+				rootRelation = rootRelation[:idx]
+			}
+			if reflection.GetRelationType(model.Value(), rootRelation) == reflection.RelationUnknown {
+				logger.Warn("Skipping preload '%s': relation '%s' is not declared on model %T", relation, rootRelation, model.Value())
+				return b
+			}
+
 			relType := reflection.GetRelationType(model.Value(), relation)
 
 			// Log the detected relationship type
@@ -655,8 +703,20 @@ func (b *BunSelectQuery) PreloadRelation(relation string, apply ...func(common.S
 				wrapper.tableAlias = provider.TableAlias()
 				logger.Debug("Preload relation '%s' using table alias: %s", relation, wrapper.tableAlias)
 			}
+
 		}
 
+		// Fallback: if the model didn't provide a table name, ask bun directly.
+		if wrapper.tableName == "" {
+			wrapper.schema, wrapper.tableName = parseTableName(sq.GetTableName(), b.driverName)
+		}
+
+		// For separate-query preloads (has-many), bun aliases the related table using
+		// the actual table name, not the relation name. Record the relation alias so
+		// Where() can rewrite conditions like "TPRP.col" to "t_proposalinstance.col".
+		wrapper.preloadRelationAlias = strings.ToLower(relation)
+		logger.Debug("Preload relation '%s' registered alias '%s' for separate-query WHERE rewriting", relation, wrapper.preloadRelationAlias)
+
 		// Start with the interface value (not pointer)
 		current := common.SelectQuery(wrapper)
 
@@ -1255,6 +1315,7 @@ func (b *BunSelectQuery) Scan(ctx context.Context, dest interface{}) (err error)
 	if err != nil {
 		sqlStr := b.query.String()
 		logger.Error("BunSelectQuery.Scan failed. SQL: %s. Error: %v", sqlStr, err)
+		err = common.WrapSQLError(err, sqlStr)
 	}
 	return err
 }
@@ -1311,7 +1372,7 @@ func (b *BunSelectQuery) ScanModel(ctx context.Context) (err error) {
 	if err != nil {
 		sqlStr := b.query.String()
 		logger.Error("BunSelectQuery.ScanModel failed. SQL: %s. Error: %v", sqlStr, err)
-		return err
+		return common.WrapSQLError(err, sqlStr)
 	}
 
 	// After main query, load custom preloads using separate queries
@@ -1341,6 +1402,7 @@ func (b *BunSelectQuery) Count(ctx context.Context) (count int, err error) {
 		if err != nil {
 			sqlStr := b.query.String()
 			logger.Error("BunSelectQuery.Count failed. SQL: %s. Error: %v", sqlStr, err)
+			err = common.WrapSQLError(err, sqlStr)
 		}
 		return
 	}
@@ -1354,6 +1416,7 @@ func (b *BunSelectQuery) Count(ctx context.Context) (count int, err error) {
 	if err != nil {
 		sqlStr := countQuery.String()
 		logger.Error("BunSelectQuery.Count (subquery) failed. SQL: %s. Error: %v", sqlStr, err)
+		err = common.WrapSQLError(err, sqlStr)
 	}
 	return
 }
@@ -1371,6 +1434,7 @@ func (b *BunSelectQuery) Exists(ctx context.Context) (exists bool, err error) {
 	if err != nil {
 		sqlStr := b.query.String()
 		logger.Error("BunSelectQuery.Exists failed. SQL: %s. Error: %v", sqlStr, err)
+		err = common.WrapSQLError(err, sqlStr)
 	}
 	return
 }
@@ -1430,6 +1494,18 @@ func (b *BunInsertQuery) Returning(columns ...string) common.InsertQuery {
 	return b
 }
 
+func (b *BunInsertQuery) prepareValues() {
+	if len(b.values) > 0 {
+		if !b.hasModel {
+			b.query = b.query.Model(&b.values)
+		} else {
+			for k, v := range b.values {
+				b.query = b.query.Value(k, "?", v)
+			}
+		}
+	}
+}
+
 func (b *BunInsertQuery) Exec(ctx context.Context) (res common.Result, err error) {
 	defer func() {
 		if r := recover(); r != nil {
@@ -1437,23 +1513,25 @@ func (b *BunInsertQuery) Exec(ctx context.Context) (res common.Result, err error
 		}
 	}()
 	startedAt := time.Now()
-	if len(b.values) > 0 {
+	b.prepareValues()
-		if !b.hasModel {
-			// If no model was set, use the values map as the model
-			// Bun can insert map[string]interface{} directly
-			b.query = b.query.Model(&b.values)
-		} else {
-			// If model was set, use Value() to add individual values
-			for k, v := range b.values {
-				b.query = b.query.Value(k, "?", v)
-			}
-		}
-	}
 	result, err := b.query.Exec(ctx)
 	recordQueryMetrics(b.metricsEnabled, "INSERT", b.schema, b.entity, b.tableName, startedAt, err)
 	return &BunResult{result: result}, err
 }
 
+func (b *BunInsertQuery) Scan(ctx context.Context, dest interface{}) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = logger.HandlePanic("BunInsertQuery.Scan", r)
+		}
+	}()
+	startedAt := time.Now()
+	b.prepareValues()
+	err = b.query.Scan(ctx, dest)
+	recordQueryMetrics(b.metricsEnabled, "INSERT", b.schema, b.entity, b.tableName, startedAt, err)
+	return err
+}
+
 // BunUpdateQuery implements UpdateQuery for Bun
 type BunUpdateQuery struct {
 	query          *bun.UpdateQuery
@@ -1516,7 +1594,7 @@ func (b *BunUpdateQuery) SetMap(values map[string]interface{}) common.UpdateQuer
 			// Skip primary key updates
 			continue
 		}
-		b.query = b.query.Set(column+" = ?", value)
+		b.query = b.query.Set(column+" = ?", common.ConvertSliceForBun(value))
 	}
 	return b
 }
@@ -1545,6 +1623,7 @@ func (b *BunUpdateQuery) Exec(ctx context.Context) (res common.Result, err error
 		// Log SQL string for debugging
 		sqlStr := b.query.String()
 		logger.Error("BunUpdateQuery.Exec failed. SQL: %s. Error: %v", sqlStr, err)
+		err = common.WrapSQLError(err, sqlStr)
 	}
 	recordQueryMetrics(b.metricsEnabled, "UPDATE", b.schema, b.entity, b.tableName, startedAt, err)
 	return &BunResult{result: result}, err
@@ -1596,6 +1675,7 @@ func (b *BunDeleteQuery) Exec(ctx context.Context) (res common.Result, err error
 		// Log SQL string for debugging
 		sqlStr := b.query.String()
 		logger.Error("BunDeleteQuery.Exec failed. SQL: %s. Error: %v", sqlStr, err)
+		err = common.WrapSQLError(err, sqlStr)
 	}
 	recordQueryMetrics(b.metricsEnabled, "DELETE", b.schema, b.entity, b.tableName, startedAt, err)
 	return &BunResult{result: result}, err

pkg/common/adapters/database/gorm.go

@@ -3,11 +3,13 @@ package database
 import (
 	"context"
 	"fmt"
+	"reflect"
 	"strings"
 	"sync"
 	"time"
 
 	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
 
 	"github.com/bitechdev/ResolveSpec/pkg/common"
 	"github.com/bitechdev/ResolveSpec/pkg/logger"
@@ -581,6 +583,7 @@ func (g *GormSelectQuery) Scan(ctx context.Context, dest interface{}) (err error
 			return tx.Find(dest)
 		})
 		logger.Error("GormSelectQuery.Scan failed. SQL: %s. Error: %v", sqlStr, err)
+		err = common.WrapSQLError(err, sqlStr)
 	}
 	recordQueryMetrics(g.metricsEnabled, "SELECT", g.schema, g.entity, g.tableName, startedAt, err)
 	return err
@@ -611,6 +614,7 @@ func (g *GormSelectQuery) ScanModel(ctx context.Context) (err error) {
 			return tx.Find(g.db.Statement.Model)
 		})
 		logger.Error("GormSelectQuery.ScanModel failed. SQL: %s. Error: %v", sqlStr, err)
+		err = common.WrapSQLError(err, sqlStr)
 	}
 	recordQueryMetrics(g.metricsEnabled, "SELECT", g.schema, g.entity, g.tableName, startedAt, err)
 	return err
@@ -640,6 +644,7 @@ func (g *GormSelectQuery) Count(ctx context.Context) (count int, err error) {
 			return tx.Count(&count64)
 		})
 		logger.Error("GormSelectQuery.Count failed. SQL: %s. Error: %v", sqlStr, err)
+		err = common.WrapSQLError(err, sqlStr)
 	}
 	recordQueryMetrics(g.metricsEnabled, "COUNT", g.schema, g.entity, g.tableName, startedAt, err)
 	return int(count64), err
@@ -669,6 +674,7 @@ func (g *GormSelectQuery) Exists(ctx context.Context) (exists bool, err error) {
 			return tx.Limit(1).Count(&count)
 		})
 		logger.Error("GormSelectQuery.Exists failed. SQL: %s. Error: %v", sqlStr, err)
+		err = common.WrapSQLError(err, sqlStr)
 	}
 	recordQueryMetrics(g.metricsEnabled, "EXISTS", g.schema, g.entity, g.tableName, startedAt, err)
 	return count > 0, err
@@ -685,6 +691,7 @@ type GormInsertQuery struct {
 	entity           string
 	driverName       string
 	metricsEnabled   bool
+	returningColumns []string
 }
 
 func (g *GormInsertQuery) Model(model interface{}) common.InsertQuery {
@@ -718,7 +725,7 @@ func (g *GormInsertQuery) OnConflict(action string) common.InsertQuery {
 }
 
 func (g *GormInsertQuery) Returning(columns ...string) common.InsertQuery {
-	// GORM doesn't have explicit RETURNING, but updates the model
+	g.returningColumns = columns
 	return g
 }
 
@@ -749,6 +756,76 @@ func (g *GormInsertQuery) Exec(ctx context.Context) (res common.Result, err erro
 	return &GormResult{result: result}, result.Error
 }
 
+func (g *GormInsertQuery) Scan(ctx context.Context, dest interface{}) (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = logger.HandlePanic("GormInsertQuery.Scan", r)
+		}
+	}()
+	startedAt := time.Now()
+
+	var returningCols []clause.Column
+	for _, col := range g.returningColumns {
+		returningCols = append(returningCols, clause.Column{Name: col})
+	}
+
+	db := g.db.WithContext(ctx)
+	if len(returningCols) > 0 {
+		db = db.Clauses(clause.Returning{Columns: returningCols})
+	}
+
+	var result *gorm.DB
+	switch {
+	case g.model != nil:
+		result = db.Create(g.model)
+	case g.values != nil:
+		result = db.Create(g.values)
+	default:
+		result = db.Create(map[string]interface{}{})
+	}
+
+	if isDBClosed(result.Error) && g.reconnect != nil {
+		if reconnErr := g.reconnect(g.db); reconnErr == nil {
+			result = db.Create(g.model)
+		}
+	}
+
+	recordQueryMetrics(g.metricsEnabled, "INSERT", g.schema, g.entity, g.tableName, startedAt, result.Error)
+	if result.Error != nil {
+		return result.Error
+	}
+
+	// Extract the returning column value from the model or values map
+	if len(g.returningColumns) == 1 {
+		col := g.returningColumns[0]
+		if g.model != nil {
+			val := reflect.ValueOf(g.model)
+			if val.Kind() == reflect.Ptr {
+				val = val.Elem()
+			}
+			if val.Kind() == reflect.Struct {
+				for i := 0; i < val.NumField(); i++ {
+					f := val.Type().Field(i)
+					dbTag := strings.Split(f.Tag.Get("bun"), ",")[0]
+					jsonTag := strings.Split(f.Tag.Get("json"), ",")[0]
+					if strings.EqualFold(f.Name, col) || dbTag == col || jsonTag == col {
+						reflect.ValueOf(dest).Elem().Set(val.Field(i))
+						return nil
+					}
+				}
+			}
+		}
+		if g.values != nil {
+			if v, ok := g.values[col]; ok {
+				reflect.ValueOf(dest).Elem().Set(reflect.ValueOf(v))
+				return nil
+			}
+		}
+	}
+
+	return nil
+}
+
 // GormUpdateQuery implements UpdateQuery for GORM
 type GormUpdateQuery struct {
 	db             *gorm.DB
@@ -858,6 +935,7 @@ func (g *GormUpdateQuery) Exec(ctx context.Context) (res common.Result, err erro
 			return tx.Updates(g.updates)
 		})
 		logger.Error("GormUpdateQuery.Exec failed. SQL: %s. Error: %v", sqlStr, result.Error)
+		return &GormResult{result: result}, common.WrapSQLError(result.Error, sqlStr)
 	}
 	recordQueryMetrics(g.metricsEnabled, "UPDATE", g.schema, g.entity, g.tableName, startedAt, result.Error)
 	return &GormResult{result: result}, result.Error
@@ -919,6 +997,7 @@ func (g *GormDeleteQuery) Exec(ctx context.Context) (res common.Result, err erro
 			return tx.Delete(g.model)
 		})
 		logger.Error("GormDeleteQuery.Exec failed. SQL: %s. Error: %v", sqlStr, result.Error)
+		return &GormResult{result: result}, common.WrapSQLError(result.Error, sqlStr)
 	}
 	recordQueryMetrics(g.metricsEnabled, "DELETE", g.schema, g.entity, g.tableName, startedAt, result.Error)
 	return &GormResult{result: result}, result.Error

pkg/common/adapters/database/pgsql.go

@@ -138,7 +138,7 @@ func (p *PgSQLAdapter) Exec(ctx context.Context, query string, args ...interface
 	if err != nil {
 		logger.Error("PgSQL Exec failed: %v", err)
 		recordQueryMetrics(p.metricsEnabled, operation, schema, entity, table, startedAt, err)
-		return nil, err
+		return nil, common.WrapSQLError(err, query)
 	}
 	recordQueryMetrics(p.metricsEnabled, operation, schema, entity, table, startedAt, nil)
 	return &PgSQLResult{result: result}, nil
@@ -164,7 +164,7 @@ func (p *PgSQLAdapter) Query(ctx context.Context, dest interface{}, query string
 	if err != nil {
 		logger.Error("PgSQL Query failed: %v", err)
 		recordQueryMetrics(p.metricsEnabled, operation, schema, entity, table, startedAt, err)
-		return err
+		return common.WrapSQLError(err, query)
 	}
 	defer rows.Close()
 
@@ -511,7 +511,7 @@ func (p *PgSQLSelectQuery) Scan(ctx context.Context, dest interface{}) (err erro
 	if err != nil {
 		logger.Error("PgSQL SELECT failed: %v", err)
 		recordQueryMetrics(p.metricsEnabled, "SELECT", p.schema, p.entity, p.tableName, startedAt, err)
-		return err
+		return common.WrapSQLError(err, query)
 	}
 	defer rows.Close()
 
@@ -534,8 +534,8 @@ func (p *PgSQLSelectQuery) ScanModel(ctx context.Context) error {
 	return p.Scan(ctx, p.model)
 }
 
-// countInternal executes the COUNT query and returns the result without recording metrics.
+// countInternal executes the COUNT query and returns the result and the SQL string without recording metrics.
-func (p *PgSQLSelectQuery) countInternal(ctx context.Context) (int, error) {
+func (p *PgSQLSelectQuery) countInternal(ctx context.Context) (rowCount int, querySQL string, retErr error) {
 	var sb strings.Builder
 	sb.WriteString("SELECT COUNT(*) FROM ")
 	sb.WriteString(p.tableName)
@@ -571,9 +571,9 @@ func (p *PgSQLSelectQuery) countInternal(ctx context.Context) (int, error) {
 
 	var count int
 	if err := row.Scan(&count); err != nil {
-		return 0, err
+		return 0, query, err
 	}
-	return count, nil
+	return count, query, nil
 }
 
 func (p *PgSQLSelectQuery) Count(ctx context.Context) (count int, err error) {
@@ -584,9 +584,11 @@ func (p *PgSQLSelectQuery) Count(ctx context.Context) (count int, err error) {
 		}
 	}()
 	startedAt := time.Now()
-	count, err = p.countInternal(ctx)
+	var sqlStr string
+	count, sqlStr, err = p.countInternal(ctx)
 	if err != nil {
 		logger.Error("PgSQL COUNT failed: %v", err)
+		err = common.WrapSQLError(err, sqlStr)
 	}
 	recordQueryMetrics(p.metricsEnabled, "COUNT", p.schema, p.entity, p.tableName, startedAt, err)
 	return count, err
@@ -600,9 +602,11 @@ func (p *PgSQLSelectQuery) Exists(ctx context.Context) (exists bool, err error)
 		}
 	}()
 	startedAt := time.Now()
-	count, err := p.countInternal(ctx)
+	var sqlStr string
+	count, sqlStr, err := p.countInternal(ctx)
 	if err != nil {
 		logger.Error("PgSQL EXISTS failed: %v", err)
+		err = common.WrapSQLError(err, sqlStr)
 	}
 	recordQueryMetrics(p.metricsEnabled, "EXISTS", p.schema, p.entity, p.tableName, startedAt, err)
 	return count > 0, err
@@ -702,12 +706,60 @@ func (p *PgSQLInsertQuery) Exec(ctx context.Context) (res common.Result, err err
 
 	if err != nil {
 		logger.Error("PgSQL INSERT failed: %v", err)
-		return nil, err
+		return nil, common.WrapSQLError(err, query)
 	}
 
 	return &PgSQLResult{result: result}, nil
 }
 
+func (p *PgSQLInsertQuery) Scan(ctx context.Context, dest interface{}) (err error) {
+	startedAt := time.Now()
+	defer func() {
+		if r := recover(); r != nil {
+			err = logger.HandlePanic("PgSQLInsertQuery.Scan", r)
+		}
+		recordQueryMetrics(p.metricsEnabled, "INSERT", p.schema, p.entity, p.tableName, startedAt, err)
+	}()
+
+	if len(p.values) == 0 {
+		return fmt.Errorf("no values to insert")
+	}
+
+	columns := make([]string, 0, len(p.values))
+	placeholders := make([]string, 0, len(p.values))
+	args := make([]interface{}, 0, len(p.values))
+	i := 1
+	for _, col := range p.valueOrder {
+		columns = append(columns, col)
+		placeholders = append(placeholders, fmt.Sprintf("$%d", i))
+		args = append(args, p.values[col])
+		i++
+	}
+
+	query := fmt.Sprintf("INSERT INTO %s (%s) VALUES (%s)",
+		p.tableName,
+		strings.Join(columns, ", "),
+		strings.Join(placeholders, ", "))
+
+	if len(p.returning) > 0 {
+		query += " RETURNING " + strings.Join(p.returning, ", ")
+	}
+
+	logger.Debug("PgSQL INSERT (Scan): %s [args: %v]", query, args)
+
+	var row *sql.Row
+	if p.tx != nil {
+		row = p.tx.QueryRowContext(ctx, query, args...)
+	} else {
+		row = p.db.QueryRowContext(ctx, query, args...)
+	}
+
+	if err := row.Scan(dest); err != nil {
+		return common.WrapSQLError(err, query)
+	}
+	return nil
+}
+
 // PgSQLUpdateQuery implements UpdateQuery for PostgreSQL
 type PgSQLUpdateQuery struct {
 	db             *sql.DB
@@ -884,7 +936,7 @@ func (p *PgSQLUpdateQuery) Exec(ctx context.Context) (res common.Result, err err
 
 	if err != nil {
 		logger.Error("PgSQL UPDATE failed: %v", err)
-		return nil, err
+		return nil, common.WrapSQLError(err, query)
 	}
 
 	return &PgSQLResult{result: result}, nil
@@ -962,7 +1014,7 @@ func (p *PgSQLDeleteQuery) Exec(ctx context.Context) (res common.Result, err err
 
 	if err != nil {
 		logger.Error("PgSQL DELETE failed: %v", err)
-		return nil, err
+		return nil, common.WrapSQLError(err, query)
 	}
 
 	return &PgSQLResult{result: result}, nil
@@ -1043,7 +1095,7 @@ func (p *PgSQLTxAdapter) Exec(ctx context.Context, query string, args ...interfa
 	if err != nil {
 		logger.Error("PgSQL Tx Exec failed: %v", err)
 		recordQueryMetrics(p.metricsEnabled, operation, schema, entity, table, startedAt, err)
-		return nil, err
+		return nil, common.WrapSQLError(err, query)
 	}
 	recordQueryMetrics(p.metricsEnabled, operation, schema, entity, table, startedAt, nil)
 	return &PgSQLResult{result: result}, nil
@@ -1057,7 +1109,7 @@ func (p *PgSQLTxAdapter) Query(ctx context.Context, dest interface{}, query stri
 	if err != nil {
 		logger.Error("PgSQL Tx Query failed: %v", err)
 		recordQueryMetrics(p.metricsEnabled, operation, schema, entity, table, startedAt, err)
-		return err
+		return common.WrapSQLError(err, query)
 	}
 	defer rows.Close()
 

pkg/common/handler_utils.go

@@ -3,6 +3,7 @@ package common
 import (
 	"fmt"
 	"reflect"
+	"strconv"
 	"strings"
 
 	"github.com/bitechdev/ResolveSpec/pkg/logger"
@@ -261,3 +262,48 @@ func GetTableNameFromModel(model interface{}) string {
 	// This handles cases like "MasterTaskItem" -> "mastertaskitem"
 	return strings.ToLower(modelType.Name())
 }
+
+// ConvertSliceForBun converts []interface{} values to PostgreSQL array literal strings.
+// BUN's fallback appender for []interface{} is JSON encoding, which produces "[]" —
+// invalid PostgreSQL array syntax. PostgreSQL expects "{}" for empty arrays and
+// "{elem1,elem2}" for non-empty ones. All other value types are returned unchanged.
+func ConvertSliceForBun(value interface{}) interface{} {
+	arr, ok := value.([]interface{})
+	if !ok {
+		return value
+	}
+	if len(arr) == 0 {
+		return "{}"
+	}
+	parts := make([]string, len(arr))
+	for i, elem := range arr {
+		switch e := elem.(type) {
+		case string:
+			needsQuote := e == "" || strings.ContainsAny(e, `,"\\{}`+"\t\n\r ")
+			if needsQuote {
+				e = strings.ReplaceAll(e, `\`, `\\`)
+				e = strings.ReplaceAll(e, `"`, `""`)
+				parts[i] = `"` + e + `"`
+			} else {
+				parts[i] = e
+			}
+		case float64:
+			if e == float64(int64(e)) {
+				parts[i] = strconv.FormatInt(int64(e), 10)
+			} else {
+				parts[i] = strconv.FormatFloat(e, 'f', -1, 64)
+			}
+		case bool:
+			if e {
+				parts[i] = "t"
+			} else {
+				parts[i] = "f"
+			}
+		case nil:
+			parts[i] = "NULL"
+		default:
+			parts[i] = fmt.Sprintf("%v", e)
+		}
+	}
+	return "{" + strings.Join(parts, ",") + "}"
+}

pkg/common/handler_utils_test.go

@@ -106,3 +106,66 @@ func TestExtractTagValue(t *testing.T) {
 		})
 	}
 }
+
+func TestConvertSliceForBun(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    interface{}
+		expected interface{}
+	}{
+		{
+			name:     "empty slice produces empty pg array",
+			input:    []interface{}{},
+			expected: "{}",
+		},
+		{
+			name:     "string elements",
+			input:    []interface{}{"a", "b", "c"},
+			expected: "{a,b,c}",
+		},
+		{
+			name:     "string element needing quotes",
+			input:    []interface{}{"hello world", "ok"},
+			expected: `{"hello world",ok}`,
+		},
+		{
+			name:     "string with comma",
+			input:    []interface{}{"a,b"},
+			expected: `{"a,b"}`,
+		},
+		{
+			name:     "integer elements (JSON float64)",
+			input:    []interface{}{float64(1), float64(2), float64(3)},
+			expected: "{1,2,3}",
+		},
+		{
+			name:     "bool elements",
+			input:    []interface{}{true, false},
+			expected: "{t,f}",
+		},
+		{
+			name:     "nil input passthrough",
+			input:    nil,
+			expected: nil,
+		},
+		{
+			name:     "string input passthrough",
+			input:    "hello",
+			expected: "hello",
+		},
+		{
+			name:     "int input passthrough",
+			input:    42,
+			expected: 42,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := ConvertSliceForBun(tt.input)
+			if result != tt.expected {
+				t.Errorf("ConvertSliceForBun(%v) = %v; want %v", tt.input, result, tt.expected)
+			}
+		})
+	}
+}

pkg/common/interfaces.go

@@ -75,6 +75,7 @@ type InsertQuery interface {
 
 	// Execution
 	Exec(ctx context.Context) (Result, error)
+	Scan(ctx context.Context, dest interface{}) error
 }
 
 // UpdateQuery interface for building UPDATE queries

pkg/common/recursive_crud.go

@@ -125,6 +125,13 @@ func (p *NestedCUDProcessor) ProcessNestedCUD(
 			result.AffectedRows = 1
 			result.Data = regularData
 
+			// Re-select the inserted row so result.Data reflects DB-generated defaults.
+			if row, err := p.processSelect(ctx, tableName, id); err != nil {
+				logger.Warn("Select after insert failed: table=%s, id=%v, error=%v", tableName, id, err)
+			} else if len(row) > 0 {
+				result.Data = row
+			}
+
 			// Process child relations after parent insert (to get parent ID)
 			if err := p.processChildRelations(ctx, "insert", id, relationFields, result.RelationData, modelType, parentIDs); err != nil {
 				logger.Error("Failed to process child relations after insert: table=%s, parentID=%v, relations=%+v, error=%v", tableName, id, relationFields, err)
@@ -134,8 +141,12 @@ func (p *NestedCUDProcessor) ProcessNestedCUD(
 			logger.Debug("Skipping insert for %s - no data columns besides _request", tableName)
 		}
 
-	case "update":
+	case "update", "change":
 		// Only perform update if we have data to update
+		if reflection.IsEmptyValue(data[pkName]) {
+			logger.Warn("Skipping update for %s - no primary key", tableName)
+			return result, nil
+		}
 		if hasData {
 			rows, err := p.processUpdate(ctx, regularData, tableName, data[pkName])
 			if err != nil {
@@ -146,9 +157,16 @@ func (p *NestedCUDProcessor) ProcessNestedCUD(
 			result.AffectedRows = rows
 			result.Data = regularData
 
+			// Re-select the updated row so result.Data reflects current DB state.
+			if row, err := p.processSelect(ctx, tableName, result.ID); err != nil {
+				logger.Warn("Select after update failed: table=%s, id=%v, error=%v", tableName, result.ID, err)
+			} else if len(row) > 0 {
+				result.Data = row
+			}
+
 			// Process child relations for update
 			if err := p.processChildRelations(ctx, "update", data[pkName], relationFields, result.RelationData, modelType, parentIDs); err != nil {
-				logger.Error("Failed to process child relations after update: table=%s, parentID=%v, relations=%+v, error=%v", tableName, data[pkName], relationFields, err)
+				logger.Error("Failed to process child relations after update: table=%s, parentID=%v, relations=%+v, error=%v", tableName, data[pkName], regularData, err)
 				return nil, fmt.Errorf("failed to process child relations: %w", err)
 			}
 		} else {
@@ -157,10 +175,15 @@ func (p *NestedCUDProcessor) ProcessNestedCUD(
 		}
 
 	case "delete":
+		if reflection.IsEmptyValue(data[pkName]) {
+			logger.Warn("Skipping delete for %s - no primary key", tableName)
+			return result, nil
+		}
+
 		// Process child relations first (for referential integrity)
 		if err := p.processChildRelations(ctx, "delete", data[pkName], relationFields, result.RelationData, modelType, parentIDs); err != nil {
 			logger.Error("Failed to process child relations before delete: table=%s, id=%v, relations=%+v, error=%v", tableName, data[pkName], relationFields, err)
-			return nil, fmt.Errorf("failed to process child relations before delete: %w", err)
+			return nil, fmt.Errorf("failed to process child relations: %w", err)
 		}
 
 		rows, err := p.processDelete(ctx, tableName, data[pkName])
@@ -234,21 +257,32 @@ func (p *NestedCUDProcessor) injectForeignKeys(data map[string]interface{}, mode
 		return
 	}
 
-	// Iterate through model fields to find foreign key fields
+	pkCol := reflection.GetPrimaryKeyName(reflect.New(modelType).Interface())
+
+	for parentKey, parentID := range parentIDs {
+		dbColNames := reflection.GetForeignKeyColumn(modelType, parentKey)
+
+		if len(dbColNames) == 0 {
+			// No explicit tag found — fall back to naming convention by scanning scalar fields.
 			for i := 0; i < modelType.NumField(); i++ {
 				field := modelType.Field(i)
-		jsonTag := field.Tag.Get("json")
+				jsonName := strings.Split(field.Tag.Get("json"), ",")[0]
-		jsonName := strings.Split(jsonTag, ",")[0]
+				if strings.EqualFold(jsonName, "rid"+parentKey) ||
-
+					strings.EqualFold(jsonName, "rid_"+parentKey) ||
-		// Check if this field is a foreign key and we have a parent ID for it
+					strings.EqualFold(jsonName, "id_"+parentKey) ||
-		// Common patterns: DepartmentID, ManagerID, ProjectID, etc.
+					strings.EqualFold(jsonName, parentKey+"_id") ||
-		for parentKey, parentID := range parentIDs {
-			// Match field name patterns like "department_id" with parent key "department"
-			if strings.EqualFold(jsonName, parentKey+"_id") ||
 					strings.EqualFold(jsonName, parentKey+"id") ||
 					strings.EqualFold(field.Name, parentKey+"ID") {
-				// Use the DB column name as the key, since data is keyed by DB column names
+					dbColNames = []string{reflection.GetColumnName(field)}
-				dbColName := reflection.GetColumnName(field)
+					break
+				}
+			}
+		}
+
+		for _, dbColName := range dbColNames {
+			if pkCol != "" && strings.EqualFold(dbColName, pkCol) {
+				continue
+			}
 			if _, exists := data[dbColName]; !exists {
 				logger.Debug("Injecting foreign key: %s = %v", dbColName, parentID)
 				data[dbColName] = parentID
@@ -256,7 +290,6 @@ func (p *NestedCUDProcessor) injectForeignKeys(data map[string]interface{}, mode
 		}
 	}
 }
-}
 
 // processInsert handles insert operation
 func (p *NestedCUDProcessor) processInsert(
@@ -269,28 +302,33 @@ func (p *NestedCUDProcessor) processInsert(
 	query := p.db.NewInsert().Table(tableName)
 
 	for key, value := range data {
-		query = query.Value(key, value)
+		query = query.Value(key, ConvertSliceForBun(value))
 	}
 	pkName := reflection.GetPrimaryKeyName(tableName)
-	// Add RETURNING clause to get the inserted ID
 	query = query.Returning(pkName)
 
-	result, err := query.Exec(ctx)
+	var id interface{}
-	if err != nil {
+	if err := query.Scan(ctx, &id); err != nil {
 		logger.Error("Insert execution failed: table=%s, data=%+v, error=%v", tableName, data, err)
 		return nil, fmt.Errorf("insert exec failed: %w", err)
 	}
 
-	// Try to get the ID
+	logger.Debug("Insert successful, ID: %v", id)
-	var id interface{}
+	return id, nil
-	if lastID, err := result.LastInsertId(); err == nil && lastID > 0 {
-		id = lastID
-	} else if data[pkName] != nil {
-		id = data[pkName]
 }
 
-	logger.Debug("Insert successful, ID: %v, rows affected: %d", id, result.RowsAffected())
+// processSelect fetches the row identified by id from tableName into a flat map.
-	return id, nil
+// Used to populate result.Data with the actual DB state after insert/update.
+func (p *NestedCUDProcessor) processSelect(ctx context.Context, tableName string, id interface{}) (map[string]interface{}, error) {
+	pkName := reflection.GetPrimaryKeyName(tableName)
+	var row map[string]interface{}
+	if err := p.db.NewSelect().
+		Table(tableName).
+		Where(fmt.Sprintf("%s = ?", QuoteIdent(pkName)), id).
+		Scan(ctx, &row); err != nil {
+		return nil, fmt.Errorf("select after write failed: %w", err)
+	}
+	return row, nil
 }
 
 // processUpdate handles update operation

pkg/common/recursive_crud_test.go

@@ -101,12 +101,18 @@ func (m *mockInsertQuery) Value(column string, value interface{}) InsertQuery {
 func (m *mockInsertQuery) OnConflict(action string) InsertQuery { return m }
 func (m *mockInsertQuery) Returning(columns ...string) InsertQuery { return m }
 func (m *mockInsertQuery) Exec(ctx context.Context) (Result, error) {
-	// Record the insert call
 	m.db.insertCalls = append(m.db.insertCalls, m.values)
 	m.db.lastID++
 	return &mockResult{lastID: m.db.lastID, rowsAffected: 1}, nil
 }
 
+func (m *mockInsertQuery) Scan(ctx context.Context, dest interface{}) error {
+	m.db.insertCalls = append(m.db.insertCalls, m.values)
+	m.db.lastID++
+	reflect.ValueOf(dest).Elem().Set(reflect.ValueOf(m.db.lastID))
+	return nil
+}
+
 // Mock UpdateQuery
 type mockUpdateQuery struct {
 	db        *mockDatabase

pkg/common/sql_helpers.go

@@ -59,6 +59,38 @@ func IsSQLExpression(cond string) bool {
 	return false
 }
 
+// reEmptyCompMid matches a simple column comparison with an empty RHS that is immediately
+// followed by AND/OR (only whitespace between the operator and the next keyword).
+// Removing the match leaves the preceding AND/OR connector intact.
+// Example: "cond1 and col = \n    and cond2" → "cond1 and cond2"
+var reEmptyCompMid = regexp.MustCompile(`(?i)[\w.]+\s*(?:=|<>|!=|>=|<=|>|<)\s+(?:and|or)\s+`)
+
+// reEmptyCompEnd matches AND/OR + a simple column comparison with an empty RHS at the end
+// of the string (or sub-clause).
+// Example: "cond1 and col = " → "cond1"
+var reEmptyCompEnd = regexp.MustCompile(`(?i)\s+(?:and|or)\s+[\w.]+\s*(?:=|<>|!=|>=|<=|>|<)\s*$`)
+
+// stripEmptyComparisonClauses removes comparison conditions that have no right-hand side
+// value from a raw SQL string. Operates on the whole string so it also cleans up conditions
+// inside subqueries, not just top-level AND splits.
+func stripEmptyComparisonClauses(sql string) string {
+	sql = reEmptyCompMid.ReplaceAllLiteralString(sql, "")
+	sql = reEmptyCompEnd.ReplaceAllLiteralString(sql, "")
+	return sql
+}
+
+// hasEmptyRHS returns true when a condition ends with a comparison operator and has no
+// right-hand side value — e.g., "col = ", "com.rid_parent = ", "col >= ".
+func hasEmptyRHS(cond string) bool {
+	cond = strings.TrimSpace(cond)
+	for _, op := range []string{"<>", "!=", ">=", "<=", "=", ">", "<"} {
+		if strings.HasSuffix(cond, op) {
+			return true
+		}
+	}
+	return false
+}
+
 // IsTrivialCondition checks if a condition is trivial and always evaluates to true
 // These conditions should be removed from WHERE clauses as they have no filtering effect
 func IsTrivialCondition(cond string) bool {
@@ -147,6 +179,14 @@ func SanitizeWhereClause(where string, tableName string, options ...*RequestOpti
 		return ""
 	}
 
+	// Strip comparison conditions with empty RHS throughout the SQL string (including
+	// inside subqueries), before condition splitting.
+	where = stripEmptyComparisonClauses(where)
+	if where == "" {
+		return ""
+	}
+	where = strings.TrimSpace(where)
+
 	// Check if the original clause has outer parentheses and contains OR operators
 	// If so, we need to preserve the outer parentheses to prevent OR logic from escaping
 	hasOuterParens := false
@@ -212,6 +252,12 @@ func SanitizeWhereClause(where string, tableName string, options ...*RequestOpti
 			continue
 		}
 
+		// Skip conditions with no right-hand side value (e.g. "col = " with empty value)
+		if hasEmptyRHS(condToCheck) {
+			logger.Debug("Removing condition with empty value: '%s'", cond)
+			continue
+		}
+
 		// If tableName is provided and the condition HAS a table prefix, check if it's correct
 		if tableName != "" && hasTablePrefix(condToCheck) {
 			// Extract the current prefix and column name

pkg/common/sql_helpers_test.go

@@ -134,6 +134,30 @@ func TestSanitizeWhereClause(t *testing.T) {
 			tableName: "apiprovider",
 			expected:  "apiprovider.type in ('softphone') AND (apiprovider.rid_apiprovider in (select l.rid_apiprovider from core.apiproviderlink l where l.rid_hub = 2576))",
 		},
+		{
+			name:      "empty RHS stripped mid-clause",
+			where:     "com.tableprefix = 'tcli' and com.rid_parent = \n    and com.status = 'Active'",
+			tableName: "",
+			expected:  "com.tableprefix = 'tcli' AND com.status = 'Active'",
+		},
+		{
+			name:      "empty RHS stripped at end of clause",
+			where:     "com.tableprefix = 'tcli' and com.rid_parent =",
+			tableName: "",
+			expected:  "com.tableprefix = 'tcli'",
+		},
+		{
+			name:      "non-empty value not stripped",
+			where:     "com.tableprefix = 'tcli' and com.rid_parent = 123 and com.status = 'Active'",
+			tableName: "",
+			expected:  "com.tableprefix = 'tcli' AND com.rid_parent = 123 AND com.status = 'Active'",
+		},
+		{
+			name:      "empty RHS inside subquery stripped",
+			where:     "a = 1 and b in (select x from t where c.rid = \n    and d = 2)",
+			tableName: "",
+			expected:  "a = 1 AND b in (select x from t where d = 2)",
+		},
 	}
 
 	for _, tt := range tests {

pkg/common/types.go

@@ -1,5 +1,23 @@
 package common
 
+// SQLError wraps a database error together with the SQL that caused it,
+// so callers can surface the query in API error responses for easier debugging.
+type SQLError struct {
+	Err error
+	SQL string
+}
+
+func (e *SQLError) Error() string { return e.Err.Error() }
+func (e *SQLError) Unwrap() error { return e.Err }
+
+// WrapSQLError wraps err with the given SQL. If err is nil it returns nil.
+func WrapSQLError(err error, sql string) error {
+	if err == nil {
+		return nil
+	}
+	return &SQLError{Err: err, SQL: sql}
+}
+
 type RequestBody struct {
 	Operation string         `json:"operation"`
 	Data      interface{}    `json:"data"`
@@ -104,6 +122,7 @@ type APIError struct {
 	Message string      `json:"message"`
 	Details interface{} `json:"details,omitempty"`
 	Detail  string      `json:"detail,omitempty"`
+	SQL     string      `json:"sql,omitempty"`
 }
 
 type Column struct {

pkg/funcspec/function_api.go

@@ -3,6 +3,7 @@ package funcspec
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -168,9 +169,16 @@ func (h *Handler) SqlQueryList(sqlquery string, options SqlQueryOptions) HTTPFun
 		// Replace meta variables in SQL
 		sqlquery = h.replaceMetaVariables(sqlquery, r, userCtx, metainfo, variables)
 
-		// Remove unused input variables
+		// Replace variables from provided values, then blank any remaining unused ones
-		if options.BlankParams {
 		for _, kw := range inputvars {
+			varName := kw[1 : len(kw)-1] // strip [ and ]
+			if val, ok := variables[varName]; ok {
+				if strVal := fmt.Sprintf("%v", val); strVal != "" {
+					sqlquery = strings.ReplaceAll(sqlquery, kw, ValidSQL(strVal, "colvalue"))
+					continue
+				}
+			}
+			if options.BlankParams {
 				replacement := getReplacementForBlankParam(sqlquery, kw)
 				sqlquery = strings.ReplaceAll(sqlquery, kw, replacement)
 				logger.Debug("Replaced unused variable %s with: %s", kw, replacement)
@@ -520,9 +528,16 @@ func (h *Handler) SqlQuery(sqlquery string, options SqlQueryOptions) HTTPFuncTyp
 			}
 		}
 
-		// Remove unused input variables
+		// Replace variables from provided values, then blank any remaining unused ones
-		if options.BlankParams {
 		for _, kw := range inputvars {
+			varName := kw[1 : len(kw)-1] // strip [ and ]
+			if val, ok := variables[varName]; ok {
+				if strVal := fmt.Sprintf("%v", val); strVal != "" {
+					sqlquery = strings.ReplaceAll(sqlquery, kw, ValidSQL(strVal, "colvalue"))
+					continue
+				}
+			}
+			if options.BlankParams {
 				replacement := getReplacementForBlankParam(sqlquery, kw)
 				sqlquery = strings.ReplaceAll(sqlquery, kw, replacement)
 				logger.Debug("Replaced unused variable %s with: %s", kw, replacement)
@@ -715,8 +730,10 @@ func (h *Handler) mergeQueryParams(r *http.Request, sqlquery string, variables m
 			propQry[parmk] = val
 		}
 
-		// Apply filters if allowed
+		// Apply filters if allowed — check only the SELECT list to avoid matching function
-		if allowFilter && len(parmk) > 1 && strings.Contains(strings.ToLower(sqlquery), strings.ToLower(parmk)) {
+		// parameters in the FROM clause (e.g. [p_rid_doctype] in a set-returning function call)
+		// or names inside quoted string arguments.
+		if allowFilter && len(parmk) > 1 && strings.Contains(sqlSelectList(sqlStripStringLiterals(sqlquery)), strings.ToLower(parmk)) {
 			if len(parmv) > 1 {
 				// Sanitize each value in the IN clause with appropriate quoting
 				sanitizedValues := make([]string, len(parmv))
@@ -824,6 +841,26 @@ func (h *Handler) mergeHeaderParams(r *http.Request, sqlquery string, variables
 	return sqlquery
 }
 
+// sqlStripStringLiterals removes the contents of single-quoted string literals from SQL,
+// leaving the structural identifiers (column names, table names) intact.
+// Used to check column presence without matching inside string arguments.
+func sqlStripStringLiterals(sql string) string {
+	re := regexp.MustCompile(`'(?:[^']|'')*'`)
+	return re.ReplaceAllString(sql, "''")
+}
+
+// sqlSelectList returns the column list portion of a SELECT query (between SELECT and FROM).
+// Returns the full query lowercased if no clear SELECT…FROM boundary is found.
+func sqlSelectList(sql string) string {
+	lower := strings.ToLower(sql)
+	selectPos := strings.Index(lower, "select ")
+	fromPos := strings.Index(lower, " from ")
+	if selectPos < 0 || fromPos <= selectPos {
+		return lower
+	}
+	return lower[selectPos+7 : fromPos]
+}
+
 // replaceMetaVariables replaces meta variables like [rid_user], [user], etc. in the SQL query
 func (h *Handler) replaceMetaVariables(sqlquery string, r *http.Request, userCtx *security.UserContext, metainfo map[string]interface{}, variables map[string]interface{}) string {
 	if strings.Contains(sqlquery, "[p_meta_default]") {
@@ -991,8 +1028,8 @@ func getReplacementForBlankParam(sqlquery, param string) string {
 		charAfter = sqlquery[endIdx]
 	}
 
-	// Check if parameter is surrounded by quotes (single quote or dollar sign for PostgreSQL dollar-quoted strings)
+	// Check if parameter is surrounded by quotes (single quote, dollar sign for PostgreSQL dollar-quoted strings, or double quote for JSON string values)
-	if (charBefore == '\'' || charBefore == '$') && (charAfter == '\'' || charAfter == '$') {
+	if (charBefore == '\'' || charBefore == '$' || charBefore == '"') && (charAfter == '\'' || charAfter == '$' || charAfter == '"') {
 		// Parameter is in quotes, return empty string
 		return ""
 	}
@@ -1035,6 +1072,10 @@ func sendError(w http.ResponseWriter, status int, code, message string, err erro
 	}
 	if err != nil {
 		errObj.Detail = err.Error()
+		var sqlErr *common.SQLError
+		if errors.As(err, &sqlErr) {
+			errObj.SQL = sqlErr.SQL
+		}
 	}
 
 	data, _ := json.Marshal(map[string]interface{}{

pkg/funcspec/function_api_test.go

@@ -821,7 +821,7 @@ func TestReplaceMetaVariables(t *testing.T) {
 			name:     "Replace [user]",
 			sqlQuery: "SELECT * FROM audit WHERE username = [user]",
 			expectedCheck: func(result string) bool {
-				return strings.Contains(result, "'testuser'")
+				return strings.Contains(result, "$USR$testuser$USR$")
 			},
 		},
 		{
@@ -851,6 +851,285 @@ func TestReplaceMetaVariables(t *testing.T) {
 	}
 }
 
+// TestSqlStripStringLiterals tests that single-quoted string literals are removed
+func TestSqlStripStringLiterals(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "No string literals",
+			input:    "SELECT rid, rid_parent FROM users",
+			expected: "SELECT rid, rid_parent FROM users",
+		},
+		{
+			name:     "Simple string literal",
+			input:    "SELECT * FROM users WHERE mode = 'admin'",
+			expected: "SELECT * FROM users WHERE mode = ''",
+		},
+		{
+			name:     "JSON argument containing column names",
+			input:    `SELECT rid, rid_parent FROM crm_get_menu(1,'mode', '{"rid_parent":"[rid_parent]","CF:STARTDATE":"[cf_startdate]"}')`,
+			expected: `SELECT rid, rid_parent FROM crm_get_menu(1,'', '')`,
+		},
+		{
+			name:     "Escaped single quotes inside literal",
+			input:    "SELECT * FROM t WHERE name = 'O''Brien'",
+			expected: "SELECT * FROM t WHERE name = ''",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := sqlStripStringLiterals(tt.input)
+			if result != tt.expected {
+				t.Errorf("sqlStripStringLiterals() =\n  %q\nwant\n  %q", result, tt.expected)
+			}
+		})
+	}
+}
+
+// TestAllowFilterDoesNotMatchInsideJsonArgument verifies that AllowFilter will add WHERE
+// clauses for real output columns (rid, rid_parent) but not for names that only appear
+// inside a JSON string argument (cf_startdate, cf_rid_branch).
+func TestAllowFilterDoesNotMatchInsideJsonArgument(t *testing.T) {
+	handler := NewHandler(&MockDatabase{})
+
+	sqlQuery := `select rid, rid_parent, description
+      from crm_get_menu([rid_user],'[p_mode]', 0, '', '{"rid_parent":"[rid_parent]", "CF:STARTDATE": "[cf_startdate]", "CF:RID_BRANCH": "[cf_rid_branch]"}')`
+
+	tests := []struct {
+		name        string
+		queryParams map[string]string
+		checkResult func(t *testing.T, result string)
+	}{
+		{
+			name:        "rid_parent=0 is a real column — filter applied",
+			queryParams: map[string]string{"rid_parent": "0"},
+			checkResult: func(t *testing.T, result string) {
+				if !strings.Contains(strings.ToLower(result), "where") {
+					t.Error("Expected WHERE clause to be added for rid_parent")
+				}
+				if !strings.Contains(result, "rid_parent = 0 OR") && !strings.Contains(result, "rid_parent IS NULL") {
+					t.Errorf("Expected null-safe filter for rid_parent=0, got:\n%s", result)
+				}
+			},
+		},
+		{
+			name:        "cf_startdate only appears in JSON string — no filter applied",
+			queryParams: map[string]string{"cf_startdate": "2024-01-01"},
+			checkResult: func(t *testing.T, result string) {
+				if strings.Contains(strings.ToLower(result), "where") {
+					t.Errorf("Expected no WHERE clause for cf_startdate (only in JSON arg), got:\n%s", result)
+				}
+			},
+		},
+		{
+			name:        "cf_rid_branch only appears in JSON string — no filter applied",
+			queryParams: map[string]string{"cf_rid_branch": "5"},
+			checkResult: func(t *testing.T, result string) {
+				if strings.Contains(strings.ToLower(result), "where") {
+					t.Errorf("Expected no WHERE clause for cf_rid_branch (only in JSON arg), got:\n%s", result)
+				}
+			},
+		},
+		{
+			name:        "description is a real column — filter applied",
+			queryParams: map[string]string{"description": "test"},
+			checkResult: func(t *testing.T, result string) {
+				if !strings.Contains(strings.ToLower(result), "where") {
+					t.Error("Expected WHERE clause for description")
+				}
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := createTestRequest("GET", "/test", tt.queryParams, nil, nil)
+			variables := make(map[string]interface{})
+			propQry := make(map[string]string)
+
+			result := handler.mergeQueryParams(req, sqlQuery, variables, true, propQry)
+			tt.checkResult(t, result)
+		})
+	}
+}
+
+// TestAllowFilterDoesNotMatchFunctionParams verifies that query params that appear only
+// as function call arguments in the FROM clause (e.g. [p_rid_doctype]) are not treated
+// as column filters, since they are not in the SELECT list.
+func TestAllowFilterDoesNotMatchFunctionParams(t *testing.T) {
+	handler := NewHandler(&MockDatabase{})
+
+	sqlQuery := `select rid, rid_parent, description, row_cnt, filterstring, tableprefix, rid_table, tooltip, additionalfilter, haschildren
+    from crm_get_doc_menu($JQ$[p_tableprefix]$JQ$,[p_rid_parent],[p_rid_doctype],[p_removedup],[p_showall]) r`
+
+	tests := []struct {
+		name        string
+		queryParams map[string]string
+		checkResult func(t *testing.T, result string)
+	}{
+		{
+			name:        "p_rid_doctype is a function param, not a column — no filter applied",
+			queryParams: map[string]string{"p_rid_doctype": "0"},
+			checkResult: func(t *testing.T, result string) {
+				if strings.Contains(strings.ToLower(result), "where") {
+					t.Errorf("Expected no WHERE clause for p_rid_doctype (function arg, not SELECT column), got:\n%s", result)
+				}
+			},
+		},
+		{
+			name:        "p_showall is a function param, not a column — no filter applied",
+			queryParams: map[string]string{"p_showall": "1"},
+			checkResult: func(t *testing.T, result string) {
+				if strings.Contains(strings.ToLower(result), "where") {
+					t.Errorf("Expected no WHERE clause for p_showall (function arg, not SELECT column), got:\n%s", result)
+				}
+			},
+		},
+		{
+			name:        "rid is a SELECT column — filter applied",
+			queryParams: map[string]string{"rid": "42"},
+			checkResult: func(t *testing.T, result string) {
+				if !strings.Contains(strings.ToLower(result), "where") {
+					t.Error("Expected WHERE clause for rid (real SELECT column)")
+				}
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := createTestRequest("GET", "/test", tt.queryParams, nil, nil)
+			variables := make(map[string]interface{})
+			propQry := make(map[string]string)
+			result := handler.mergeQueryParams(req, sqlQuery, variables, true, propQry)
+			tt.checkResult(t, result)
+		})
+	}
+}
+
+// TestGetReplacementForBlankParamDoubleQuote verifies that placeholders surrounded by
+// double quotes (as in JSON string values) are blanked to "" not NULL.
+func TestGetReplacementForBlankParamDoubleQuote(t *testing.T) {
+	tests := []struct {
+		name     string
+		sqlQuery string
+		param    string
+		expected string
+	}{
+		{
+			name:     "Parameter in double quotes (JSON value)",
+			sqlQuery: `SELECT * FROM f(1, '{"key":"[myparam]"}')`,
+			param:    "[myparam]",
+			expected: "",
+		},
+		{
+			name:     "Parameter not in any quotes",
+			sqlQuery: `SELECT * FROM f([myparam])`,
+			param:    "[myparam]",
+			expected: "NULL",
+		},
+		{
+			name:     "Parameter in single quotes",
+			sqlQuery: `SELECT * FROM f('[myparam]')`,
+			param:    "[myparam]",
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := getReplacementForBlankParam(tt.sqlQuery, tt.param)
+			if result != tt.expected {
+				t.Errorf("getReplacementForBlankParam() = %q, want %q\nquery: %s", result, tt.expected, tt.sqlQuery)
+			}
+		})
+	}
+}
+
+// TestVariableReplacementFromQueryParams verifies that query params matching [placeholder]
+// tokens are substituted even when they don't have the p- prefix.
+func TestVariableReplacementFromQueryParams(t *testing.T) {
+	handler := NewHandler(&MockDatabase{})
+
+	sqlQuery := `select rid, rid_parent from crm_get_menu([rid_user],'[p_mode]', 0, '', '{"rid_parent":"[rid_parent]","CF:STARTDATE":"[cf_startdate]"}')`
+
+	tests := []struct {
+		name        string
+		queryParams map[string]string
+		checkResult func(t *testing.T, result string)
+	}{
+		{
+			name:        "rid_parent replaced from query param",
+			queryParams: map[string]string{"rid_parent": "42"},
+			checkResult: func(t *testing.T, result string) {
+				if strings.Contains(result, "[rid_parent]") {
+					t.Errorf("Expected [rid_parent] to be replaced, still present in:\n%s", result)
+				}
+				if !strings.Contains(result, "42") {
+					t.Errorf("Expected value 42 in query, got:\n%s", result)
+				}
+			},
+		},
+		{
+			name:        "cf_startdate replaced from query param",
+			queryParams: map[string]string{"cf_startdate": "2024-01-01"},
+			checkResult: func(t *testing.T, result string) {
+				if strings.Contains(result, "[cf_startdate]") {
+					t.Errorf("Expected [cf_startdate] to be replaced, still present in:\n%s", result)
+				}
+				if !strings.Contains(result, "2024-01-01") {
+					t.Errorf("Expected date value in query, got:\n%s", result)
+				}
+			},
+		},
+		{
+			name:        "missing param blanked to empty string inside JSON (double-quoted)",
+			queryParams: map[string]string{},
+			checkResult: func(t *testing.T, result string) {
+				// [cf_startdate] is surrounded by " in the JSON — should blank to ""
+				if strings.Contains(result, "[cf_startdate]") {
+					t.Errorf("Expected [cf_startdate] to be blanked, still present in:\n%s", result)
+				}
+				if strings.Contains(result, "NULL") && strings.Contains(result, "cf_startdate") {
+					t.Errorf("Expected empty string (not NULL) for double-quoted placeholder, got:\n%s", result)
+				}
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			inputvars := make([]string, 0)
+			q := handler.extractInputVariables(sqlQuery, &inputvars)
+
+			req := createTestRequest("GET", "/test", tt.queryParams, nil, nil)
+			variables := make(map[string]interface{})
+			propQry := make(map[string]string)
+
+			q = handler.mergeQueryParams(req, q, variables, false, propQry)
+
+			// Simulate the variable replacement + blank-param loop (mirrors function_api.go)
+			for _, kw := range inputvars {
+				varName := kw[1 : len(kw)-1]
+				if val, ok := variables[varName]; ok {
+					if strVal := strings.TrimSpace(val.(string)); strVal != "" {
+						q = strings.ReplaceAll(q, kw, ValidSQL(strVal, "colvalue"))
+						continue
+					}
+				}
+				replacement := getReplacementForBlankParam(q, kw)
+				q = strings.ReplaceAll(q, kw, replacement)
+			}
+
+			tt.checkResult(t, q)
+		})
+	}
+}
+
 // TestGetReplacementForBlankParam tests the blank parameter replacement logic
 func TestGetReplacementForBlankParam(t *testing.T) {
 	tests := []struct {

pkg/reflection/helpers.go

@@ -51,6 +51,31 @@ func ExtractTableNameOnly(fullName string) string {
 	return fullName[startIndex:]
 }
 
+// IsEmptyValue reports whether v is nil, an empty string, or a zero number.
+func IsEmptyValue(v any) bool {
+	if v == nil {
+		return true
+	}
+	rv := reflect.ValueOf(v)
+	if rv.Kind() == reflect.Ptr {
+		if rv.IsNil() {
+			return true
+		}
+		rv = rv.Elem()
+	}
+	switch rv.Kind() {
+	case reflect.String:
+		return rv.String() == ""
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		return rv.Int() == 0
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
+		return rv.Uint() == 0
+	case reflect.Float32, reflect.Float64:
+		return rv.Float() == 0
+	}
+	return false
+}
+
 // GetPointerElement returns the element type if the provided reflect.Type is a pointer.
 // If the type is a slice of pointers, it returns the element type of the pointer within the slice.
 // If neither condition is met, it returns the original type.
@@ -76,9 +101,14 @@ func GetJSONNameForField(modelType reflect.Type, fieldName string) string {
 		return ""
 	}
 
-	// Handle pointer types
+	// Unwrap pointer and slice indirections to reach the struct type
-	if modelType.Kind() == reflect.Ptr {
+	for {
+		switch modelType.Kind() {
+		case reflect.Ptr, reflect.Slice:
 			modelType = modelType.Elem()
+			continue
+		}
+		break
 	}
 
 	if modelType.Kind() != reflect.Struct {

pkg/reflection/model_utils.go

@@ -541,9 +541,14 @@ func collectSQLColumnsFromType(typ reflect.Type, columns *[]string, scanOnlyEmbe
 func IsColumnWritable(model any, columnName string) bool {
 	modelType := reflect.TypeOf(model)
 
-	// Unwrap pointers to get to the base struct type
+	// Unwrap pointers and slices to get to the base struct type
-	for modelType != nil && modelType.Kind() == reflect.Pointer {
+	for modelType != nil {
+		switch modelType.Kind() {
+		case reflect.Ptr, reflect.Slice:
 			modelType = modelType.Elem()
+			continue
+		}
+		break
 	}
 
 	// Validate that we have a struct type
@@ -878,8 +883,14 @@ func GetRelationType(model interface{}, fieldName string) RelationType {
 		return RelationUnknown
 	}
 
-	if modelType.Kind() == reflect.Ptr {
+	// Unwrap pointer → slice → pointer chains to reach the underlying struct
+	for {
+		switch modelType.Kind() {
+		case reflect.Ptr, reflect.Slice:
 			modelType = modelType.Elem()
+			continue
+		}
+		break
 	}
 
 	if modelType == nil || modelType.Kind() != reflect.Struct {
@@ -962,6 +973,108 @@ func GetRelationType(model interface{}, fieldName string) RelationType {
 	return RelationUnknown
 }
 
+// GetForeignKeyColumn returns the DB column names of the foreign key(s) that
+// relate parentKey to modelType. Composite keys (e.g. bun "join:a=b,join:c=d"
+// or GORM "foreignKey:ColA,ColB") yield multiple entries. Returns nil when no
+// tag is found (caller should fall back to convention).
+//
+// Two lookup strategies are tried in order:
+//
+//  1. Relation-field match: find a field whose name/json equals parentKey, then
+//     read its bun join: or GORM foreignKey: tag and return the local columns.
+//     e.g. parentKey="department", field `Department bun:"join:dept_id=id"` → ["dept_id"]
+//
+//  2. Join left-side scan: scan every bun join tag in the struct for pairs whose
+//     left side equals parentKey and return the right-side (child FK) columns.
+//     e.g. parentKey="rid_mastertaskitem", field `Children bun:"join:rid_mastertaskitem=rid_parentmastertaskitem"` → ["rid_parentmastertaskitem"]
+//     Strategy 1 is skipped if the matched field is a declared relation (rel:) or
+//     has a GORM tag but carries no explicit FK — callers should use convention.
+func GetForeignKeyColumn(modelType reflect.Type, parentKey string) []string {
+	for modelType.Kind() == reflect.Ptr || modelType.Kind() == reflect.Slice {
+		modelType = modelType.Elem()
+	}
+	if modelType.Kind() != reflect.Struct {
+		return nil
+	}
+
+	// Strategy 1: match parentKey against a field's name/json tag.
+	for i := 0; i < modelType.NumField(); i++ {
+		field := modelType.Field(i)
+
+		name := field.Name
+		jsonName := strings.Split(field.Tag.Get("json"), ",")[0]
+		if !strings.EqualFold(name, parentKey) && !strings.EqualFold(jsonName, parentKey) {
+			continue
+		}
+
+		bunTag := field.Tag.Get("bun")
+
+		// Bun: join:local_col=foreign_col (one join: part per pair)
+		var bunCols []string
+		for _, part := range strings.Split(bunTag, ",") {
+			part = strings.TrimSpace(part)
+			if strings.HasPrefix(part, "join:") {
+				pair := strings.TrimPrefix(part, "join:")
+				if idx := strings.Index(pair, "="); idx > 0 {
+					bunCols = append(bunCols, pair[:idx])
+				}
+			}
+		}
+		if len(bunCols) > 0 {
+			return bunCols
+		}
+
+		// GORM: foreignKey:FieldA,FieldB
+		for _, part := range strings.Split(field.Tag.Get("gorm"), ";") {
+			part = strings.TrimSpace(part)
+			if strings.HasPrefix(part, "foreignKey:") {
+				var cols []string
+				for _, fkFieldName := range strings.Split(strings.TrimPrefix(part, "foreignKey:"), ",") {
+					fkFieldName = strings.TrimSpace(fkFieldName)
+					if fkField, ok := modelType.FieldByName(fkFieldName); ok {
+						cols = append(cols, getColumnNameFromField(fkField))
+					}
+				}
+				if len(cols) > 0 {
+					return cols
+				}
+			}
+		}
+
+		// The field matched by name/json but has no explicit FK tag. If it is a
+		// declared relation field (rel:) or carries a GORM tag, the caller should
+		// use naming convention — don't fall through to strategy 2. Otherwise the
+		// matched field is a plain scalar column; proceed to the join left-side scan.
+		if strings.Contains(bunTag, "rel:") || field.Tag.Get("gorm") != "" {
+			return nil
+		}
+		break
+	}
+
+	// Strategy 2: scan every field's bun join tag for pairs whose left side (the
+	// parent's column) matches parentKey; the right side is the child FK column.
+	// This handles cases where parentKey is a raw column name rather than a
+	// relation field name (e.g. self-referential or has-many relationships).
+	seen := map[string]bool{}
+	var cols []string
+	for i := 0; i < modelType.NumField(); i++ {
+		for _, part := range strings.Split(modelType.Field(i).Tag.Get("bun"), ",") {
+			part = strings.TrimSpace(part)
+			if strings.HasPrefix(part, "join:") {
+				pair := strings.TrimPrefix(part, "join:")
+				if idx := strings.Index(pair, "="); idx > 0 {
+					left, right := pair[:idx], pair[idx+1:]
+					if strings.EqualFold(left, parentKey) && !seen[right] {
+						seen[right] = true
+						cols = append(cols, right)
+					}
+				}
+			}
+		}
+	}
+	return cols // nil if empty
+}
+
 // GetRelationModel gets the model type for a relation field
 // It searches for the field by name in the following order (case-insensitive):
 // 1. Actual field name
@@ -1244,6 +1357,16 @@ func setFieldValue(field reflect.Value, value interface{}) error {
 			}
 		}
 
+		// Handle map[string]interface{} → nested struct (e.g. relation fields like AFN, DEF)
+		if m, ok := value.(map[string]interface{}); ok {
+			if field.CanAddr() {
+				if err := MapToStruct(m, field.Addr().Interface()); err != nil {
+					return err
+				}
+				return nil
+			}
+		}
+
 		// Fallback: Try to find a "Val" field (for SqlNull types) and set it directly
 		valField := field.FieldByName("Val")
 		if valField.IsValid() && valField.CanSet() {
@@ -1462,9 +1585,14 @@ func convertToFloat64(value interface{}) (float64, bool) {
 func GetValidJSONFieldNames(modelType reflect.Type) map[string]bool {
 	validFields := make(map[string]bool)
 
-	// Unwrap pointers to get to the base struct type
+	// Unwrap pointers and slices to get to the base struct type
-	for modelType != nil && modelType.Kind() == reflect.Pointer {
+	for modelType != nil {
+		switch modelType.Kind() {
+		case reflect.Ptr, reflect.Slice:
 			modelType = modelType.Elem()
+			continue
+		}
+		break
 	}
 
 	if modelType == nil || modelType.Kind() != reflect.Struct {
@@ -1525,8 +1653,13 @@ func getRelationModelSingleLevel(model interface{}, fieldName string) interface{
 		return nil
 	}
 
-	if modelType.Kind() == reflect.Ptr {
+	for {
+		switch modelType.Kind() {
+		case reflect.Ptr, reflect.Slice:
 			modelType = modelType.Elem()
+			continue
+		}
+		break
 	}
 
 	if modelType == nil || modelType.Kind() != reflect.Struct {
@@ -1589,17 +1722,16 @@ func getRelationModelSingleLevel(model interface{}, fieldName string) interface{
 		return nil
 	}
 
-	if targetType.Kind() == reflect.Slice {
+	for {
+		switch targetType.Kind() {
+		case reflect.Ptr, reflect.Slice:
 			targetType = targetType.Elem()
 			if targetType == nil {
 				return nil
 			}
+			continue
 		}
-	if targetType.Kind() == reflect.Ptr {
+		break
-		targetType = targetType.Elem()
-		if targetType == nil {
-			return nil
-		}
 	}
 
 	if targetType.Kind() != reflect.Struct {

pkg/reflection/model_utils_foreign_key_test.go

@@ -0,0 +1,168 @@
+package reflection
+
+import (
+	"reflect"
+	"testing"
+)
+
+// --- local test models ---
+
+type fkDept struct{}
+
+// bunEmployee uses bun join: tag to declare the FK column explicitly.
+type bunEmployee struct {
+	DeptID     string   `bun:"dept_id"                          json:"dept_id"`
+	Department *fkDept  `bun:"rel:belongs-to,join:dept_id=id"   json:"department"`
+}
+
+// bunCompositeEmployee has a composite bun join: (two join: parts).
+type bunCompositeEmployee struct {
+	DeptID   string  `bun:"dept_id"   json:"dept_id"`
+	TenantID string  `bun:"tenant_id" json:"tenant_id"`
+	Department *fkDept `bun:"rel:belongs-to,join:dept_id=id,join:tenant_id=id" json:"department"`
+}
+
+// gormEmployee uses gorm foreignKey: tag (mirrors testmodels.Employee).
+type gormEmployee struct {
+	DepartmentID string  `json:"department_id"`
+	ManagerID    string  `json:"manager_id"`
+	Department   *fkDept `gorm:"foreignKey:DepartmentID;references:ID" json:"department"`
+	Manager      *fkDept `gorm:"foreignKey:ManagerID;references:ID"    json:"manager"`
+}
+
+// gormCompositeEmployee has a composite GORM foreignKey.
+type gormCompositeEmployee struct {
+	DeptID   string  `json:"dept_id"`
+	TenantID string  `json:"tenant_id"`
+	Department *fkDept `gorm:"foreignKey:DeptID,TenantID" json:"department"`
+}
+
+// selfRefItem mimics a self-referential model (like mastertaskitem) where the
+// parent PK column appears as the left side of a has-many join tag.
+type selfRefItem struct {
+	RidItem       int32        `json:"rid_item" bun:"rid_item,type:integer,pk"`
+	RidParentItem int32        `json:"rid_parentitem" bun:"rid_parentitem,type:integer"`
+	// has-one (single parent pointer)
+	Parent   *selfRefItem   `json:"Parent,omitempty" bun:"rel:has-one,join:rid_item=rid_parentitem"`
+	// has-many (child collection) — same join, duplicate right-side must be deduped
+	Children []*selfRefItem `json:"Children,omitempty" bun:"rel:has-many,join:rid_item=rid_parentitem"`
+}
+
+// conventionEmployee has no explicit FK tag — relies on naming convention.
+type conventionEmployee struct {
+	DepartmentID string  `json:"department_id"`
+	Department   *fkDept `json:"department"`
+}
+
+// noTagEmployee has a relation field with no FK tag and no convention match.
+type noTagEmployee struct {
+	Unrelated *fkDept `json:"unrelated"`
+}
+
+func TestGetForeignKeyColumn(t *testing.T) {
+	tests := []struct {
+		name      string
+		modelType reflect.Type
+		parentKey string
+		want      []string
+	}{
+		// Bun join: tag
+		{
+			name:      "bun join tag returns local column",
+			modelType: reflect.TypeOf(bunEmployee{}),
+			parentKey: "department",
+			want:      []string{"dept_id"},
+		},
+		{
+			name:      "bun join tag matched via json tag (case-insensitive)",
+			modelType: reflect.TypeOf(bunEmployee{}),
+			parentKey: "Department",
+			want:      []string{"dept_id"},
+		},
+		{
+			name:      "bun composite join returns all local columns",
+			modelType: reflect.TypeOf(bunCompositeEmployee{}),
+			parentKey: "department",
+			want:      []string{"dept_id", "tenant_id"},
+		},
+
+		// GORM foreignKey: tag
+		{
+			name:      "gorm foreignKey resolves to column name",
+			modelType: reflect.TypeOf(gormEmployee{}),
+			parentKey: "department",
+			want:      []string{"department_id"},
+		},
+		{
+			name:      "gorm foreignKey resolves second relation",
+			modelType: reflect.TypeOf(gormEmployee{}),
+			parentKey: "manager",
+			want:      []string{"manager_id"},
+		},
+		{
+			name:      "gorm foreignKey matched case-insensitively",
+			modelType: reflect.TypeOf(gormEmployee{}),
+			parentKey: "Department",
+			want:      []string{"department_id"},
+		},
+		{
+			name:      "gorm composite foreignKey returns all columns",
+			modelType: reflect.TypeOf(gormCompositeEmployee{}),
+			parentKey: "department",
+			want:      []string{"dept_id", "tenant_id"},
+		},
+
+		// Join left-side scan (parentKey is a raw column name, not a relation field name)
+		{
+			name:      "self-referential: parent PK column returns child FK column",
+			modelType: reflect.TypeOf(selfRefItem{}),
+			parentKey: "rid_item",
+			want:      []string{"rid_parentitem"},
+		},
+
+		// Pointer and slice unwrapping
+		{
+			name:      "pointer to struct is unwrapped",
+			modelType: reflect.TypeOf(&gormEmployee{}),
+			parentKey: "department",
+			want:      []string{"department_id"},
+		},
+		{
+			name:      "slice of struct is unwrapped",
+			modelType: reflect.TypeOf([]gormEmployee{}),
+			parentKey: "department",
+			want:      []string{"department_id"},
+		},
+
+		// No tag — returns nil so caller can fall back to convention
+		{
+			name:      "relation with no FK tag returns nil",
+			modelType: reflect.TypeOf(conventionEmployee{}),
+			parentKey: "department",
+			want:      nil,
+		},
+
+		// Unknown parent key
+		{
+			name:      "unknown parent key returns nil",
+			modelType: reflect.TypeOf(gormEmployee{}),
+			parentKey: "nonexistent",
+			want:      nil,
+		},
+		{
+			name:      "non-struct type returns nil",
+			modelType: reflect.TypeOf(""),
+			parentKey: "department",
+			want:      nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := GetForeignKeyColumn(tt.modelType, tt.parentKey)
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("GetForeignKeyColumn(%v, %q) = %v, want %v", tt.modelType, tt.parentKey, got, tt.want)
+			}
+		})
+	}
+}

pkg/reflection/model_utils_sqltypes_test.go

@@ -221,6 +221,124 @@ func TestMapToStruct_AllSqlTypes(t *testing.T) {
 	t.Logf("  - SqlJSONB (Tags): %v", tagsValue)
 }
 
+// TestMapToStruct_NestedStructPointer tests that a map[string]interface{} value is
+// correctly converted into a pointer-to-struct field (e.g. AFN *ModelCoreActionfunction).
+func TestMapToStruct_NestedStructPointer(t *testing.T) {
+	type Inner struct {
+		ID   spectypes.SqlInt32  `bun:"rid_inner,pk" json:"rid_inner"`
+		Name spectypes.SqlString `bun:"name" json:"name"`
+	}
+	type Outer struct {
+		ID    spectypes.SqlInt32 `bun:"rid_outer,pk" json:"rid_outer"`
+		Inner *Inner             `json:"inner,omitempty" bun:"rel:has-one"`
+	}
+
+	dataMap := map[string]interface{}{
+		"rid_outer": int64(1),
+		"inner": map[string]interface{}{
+			"rid_inner": int64(42),
+			"name":      "hello",
+		},
+	}
+
+	var result Outer
+	err := reflection.MapToStruct(dataMap, &result)
+	if err != nil {
+		t.Fatalf("MapToStruct() error = %v", err)
+	}
+
+	if !result.ID.Valid || result.ID.Val != 1 {
+		t.Errorf("ID = %v, want 1", result.ID)
+	}
+	if result.Inner == nil {
+		t.Fatal("Inner is nil, want non-nil")
+	}
+	if !result.Inner.ID.Valid || result.Inner.ID.Val != 42 {
+		t.Errorf("Inner.ID = %v, want 42", result.Inner.ID)
+	}
+	if !result.Inner.Name.Valid || result.Inner.Name.Val != "hello" {
+		t.Errorf("Inner.Name = %v, want 'hello'", result.Inner.Name)
+	}
+}
+
+// TestMapToStruct_NestedStructNilPointer tests that a nil map value leaves the pointer nil.
+func TestMapToStruct_NestedStructNilPointer(t *testing.T) {
+	type Inner struct {
+		ID spectypes.SqlInt32 `bun:"rid_inner,pk" json:"rid_inner"`
+	}
+	type Outer struct {
+		ID    spectypes.SqlInt32 `bun:"rid_outer,pk" json:"rid_outer"`
+		Inner *Inner             `json:"inner,omitempty" bun:"rel:has-one"`
+	}
+
+	dataMap := map[string]interface{}{
+		"rid_outer": int64(5),
+		"inner":     nil,
+	}
+
+	var result Outer
+	err := reflection.MapToStruct(dataMap, &result)
+	if err != nil {
+		t.Fatalf("MapToStruct() error = %v", err)
+	}
+
+	if result.Inner != nil {
+		t.Errorf("Inner = %v, want nil", result.Inner)
+	}
+}
+
+// TestMapToStruct_NestedStructWithSpectypes mirrors the real-world case of
+// ModelCoreActionoption.AFN being populated from map[string]interface{}.
+func TestMapToStruct_NestedStructWithSpectypes(t *testing.T) {
+	type ActionFunction struct {
+		Ridactionfunction spectypes.SqlInt32  `bun:"rid_actionfunction,pk" json:"rid_actionfunction"`
+		Functionname      spectypes.SqlString `bun:"functionname" json:"functionname"`
+		Fntype            spectypes.SqlString `bun:"fntype" json:"fntype"`
+	}
+	type ActionOption struct {
+		Ridactionoption   spectypes.SqlInt32  `bun:"rid_actionoption,pk" json:"rid_actionoption"`
+		Ridactionfunction spectypes.SqlInt32  `bun:"rid_actionfunction" json:"rid_actionfunction"`
+		Description       spectypes.SqlString `bun:"description" json:"description"`
+		AFN               *ActionFunction     `json:"AFN,omitempty" bun:"rel:has-one"`
+	}
+
+	dataMap := map[string]interface{}{
+		"rid_actionoption":   int64(10),
+		"rid_actionfunction": int64(99),
+		"description":        "test option",
+		"AFN": map[string]interface{}{
+			"rid_actionfunction": int64(99),
+			"functionname":       "MyFunction",
+			"fntype":             "action",
+		},
+	}
+
+	var result ActionOption
+	err := reflection.MapToStruct(dataMap, &result)
+	if err != nil {
+		t.Fatalf("MapToStruct() error = %v", err)
+	}
+
+	if !result.Ridactionoption.Valid || result.Ridactionoption.Val != 10 {
+		t.Errorf("Ridactionoption = %v, want 10", result.Ridactionoption)
+	}
+	if !result.Description.Valid || result.Description.Val != "test option" {
+		t.Errorf("Description = %v, want 'test option'", result.Description)
+	}
+	if result.AFN == nil {
+		t.Fatal("AFN is nil, want non-nil")
+	}
+	if !result.AFN.Ridactionfunction.Valid || result.AFN.Ridactionfunction.Val != 99 {
+		t.Errorf("AFN.Ridactionfunction = %v, want 99", result.AFN.Ridactionfunction)
+	}
+	if !result.AFN.Functionname.Valid || result.AFN.Functionname.Val != "MyFunction" {
+		t.Errorf("AFN.Functionname = %v, want 'MyFunction'", result.AFN.Functionname)
+	}
+	if !result.AFN.Fntype.Valid || result.AFN.Fntype.Val != "action" {
+		t.Errorf("AFN.Fntype = %v, want 'action'", result.AFN.Fntype)
+	}
+}
+
 func TestMapToStruct_SqlNull_NilValues(t *testing.T) {
 	// Test that SqlNull types handle nil values correctly
 	type TestModel struct {

pkg/resolvespec/handler.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"reflect"
@@ -603,7 +604,7 @@ func (h *Handler) handleCreate(ctx context.Context, w common.ResponseWriter, dat
 		// Standard processing without nested relations
 		query := h.db.NewInsert().Table(tableName)
 		for key, value := range v {
-			query = query.Value(key, value)
+			query = query.Value(key, common.ConvertSliceForBun(value))
 		}
 		result, err := query.Exec(ctx)
 		if err != nil {
@@ -669,7 +670,7 @@ func (h *Handler) handleCreate(ctx context.Context, w common.ResponseWriter, dat
 			for _, item := range v {
 				txQuery := tx.NewInsert().Table(tableName)
 				for key, value := range item {
-					txQuery = txQuery.Value(key, value)
+					txQuery = txQuery.Value(key, common.ConvertSliceForBun(value))
 				}
 				if _, err := txQuery.Exec(ctx); err != nil {
 					return err
@@ -747,7 +748,7 @@ func (h *Handler) handleCreate(ctx context.Context, w common.ResponseWriter, dat
 				if itemMap, ok := item.(map[string]interface{}); ok {
 					txQuery := tx.NewInsert().Table(tableName)
 					for key, value := range itemMap {
-						txQuery = txQuery.Value(key, value)
+						txQuery = txQuery.Value(key, common.ConvertSliceForBun(value))
 					}
 					if _, err := txQuery.Exec(ctx); err != nil {
 						return err
@@ -1757,18 +1758,21 @@ func (h *Handler) sendResponse(w common.ResponseWriter, data interface{}, metada
 }
 
 func (h *Handler) sendError(w common.ResponseWriter, status int, code, message string, details interface{}) {
-	w.SetHeader("Content-Type", "application/json")
+	apiErr := &common.APIError{
-	w.WriteHeader(status)
-	err := w.WriteJSON(common.Response{
-		Success: false,
-		Error: &common.APIError{
 		Code:    code,
 		Message: message,
 		Details: details,
 		Detail:  fmt.Sprintf("%v", details),
-		},
+	}
-	})
+	if asErr, ok := details.(error); ok {
-	if err != nil {
+		var sqlErr *common.SQLError
+		if errors.As(asErr, &sqlErr) {
+			apiErr.SQL = sqlErr.SQL
+		}
+	}
+	w.SetHeader("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := w.WriteJSON(common.Response{Success: false, Error: apiErr}); err != nil {
 		logger.Error("Error sending response: %v", err)
 	}
 }

pkg/restheadspec/empty_result_test.go

@@ -9,29 +9,29 @@ import (
 	"github.com/bitechdev/ResolveSpec/pkg/common"
 )
 
-// Test that normalizeResultArray returns empty array when no records found without ID
+// Test that normalizeResultArray returns empty object when no records found (single-record mode)
 func TestNormalizeResultArray_EmptyArrayWhenNoID(t *testing.T) {
 	handler := &Handler{}
 
 	tests := []struct {
 		name             string
 		input            interface{}
-		shouldBeEmptyArr bool
+		shouldBeEmptyObj bool
 	}{
 		{
-			name:             "nil should return empty array",
+			name:             "nil should return empty object",
 			input:            nil,
-			shouldBeEmptyArr: true,
+			shouldBeEmptyObj: true,
 		},
 		{
-			name:             "empty slice should return empty array",
+			name:             "empty slice should return empty object",
 			input:            []*EmptyTestModel{},
-			shouldBeEmptyArr: true,
+			shouldBeEmptyObj: true,
 		},
 		{
 			name:             "single element should return the element",
 			input:            []*EmptyTestModel{{ID: 1, Name: "test"}},
-			shouldBeEmptyArr: false,
+			shouldBeEmptyObj: false,
 		},
 		{
 			name: "multiple elements should return the slice",
@@ -39,7 +39,7 @@ func TestNormalizeResultArray_EmptyArrayWhenNoID(t *testing.T) {
 				{ID: 1, Name: "test1"},
 				{ID: 2, Name: "test2"},
 			},
-			shouldBeEmptyArr: false,
+			shouldBeEmptyObj: false,
 		},
 	}
 
@@ -47,25 +47,25 @@ func TestNormalizeResultArray_EmptyArrayWhenNoID(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			result := handler.normalizeResultArray(tt.input)
 
-			// For cases that should return empty array
+			// For cases that should return empty object
-			if tt.shouldBeEmptyArr {
+			if tt.shouldBeEmptyObj {
-				emptyArr, ok := result.([]interface{})
+				emptyObj, ok := result.(map[string]interface{})
 				if !ok {
-					t.Errorf("Expected empty array []interface{}{}, got %T: %v", result, result)
+					t.Errorf("Expected empty object map[string]interface{}{}, got %T: %v", result, result)
 					return
 				}
-				if len(emptyArr) != 0 {
+				if len(emptyObj) != 0 {
-					t.Errorf("Expected empty array with length 0, got length %d", len(emptyArr))
+					t.Errorf("Expected empty object with length 0, got length %d", len(emptyObj))
 				}
 
-				// Verify it serializes to [] and not null
+				// Verify it serializes to {} and not null
 				jsonBytes, err := json.Marshal(result)
 				if err != nil {
 					t.Errorf("Failed to marshal result: %v", err)
 					return
 				}
-				if string(jsonBytes) != "[]" {
+				if string(jsonBytes) != "{}" {
-					t.Errorf("Expected JSON '[]', got '%s'", string(jsonBytes))
+					t.Errorf("Expected JSON '{}', got '%s'", string(jsonBytes))
 				}
 			}
 		})
@@ -138,12 +138,12 @@ func TestSendResponseWithOptions_NoDataFoundHeader(t *testing.T) {
 		t.Errorf("Expected X-No-Data-Found header to be 'true', got '%s'", mockWriter.headers["X-No-Data-Found"])
 	}
 
-	// Check status code is 200
+	// Check status code is 200 even when no records found
 	if mockWriter.statusCode != 200 {
 		t.Errorf("Expected status code 200, got %d", mockWriter.statusCode)
 	}
 
-	// Verify the body is an empty array
+	// Verify the body is an empty array (list request, SingleRecordAsObject not set)
 	if mockWriter.body == nil {
 		t.Error("Expected body to be set, got nil")
 	} else {

pkg/restheadspec/handler.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"database/sql"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"reflect"
@@ -575,11 +576,25 @@ func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id st
 		}
 	}
 
-	// Apply custom SQL JOIN clauses
+	// Apply custom SQL JOIN clauses, skipping any whose alias is already provided by a
+	// preload LEFT JOIN (to prevent "table name specified more than once" errors).
 	if len(options.CustomSQLJoin) > 0 {
-		for _, joinClause := range options.CustomSQLJoin {
+		preloadAliasSet := make(map[string]bool, len(options.Preload))
+		for i := range options.Preload {
+			if alias := common.RelationPathToBunAlias(options.Preload[i].Relation); alias != "" {
+				preloadAliasSet[alias] = true
+			}
+		}
+
+		for i, joinClause := range options.CustomSQLJoin {
+			if i < len(options.JoinAliases) && options.JoinAliases[i] != "" {
+				alias := strings.ToLower(options.JoinAliases[i])
+				if preloadAliasSet[alias] {
+					logger.Debug("Skipping custom SQL JOIN (alias '%s' already joined by preload): %s", alias, joinClause)
+					continue
+				}
+			}
 			logger.Debug("Applying custom SQL JOIN: %s", joinClause)
-			// Joins are already sanitized during parsing, so we can apply them directly
 			query = query.Join(joinClause)
 		}
 	}
@@ -605,16 +620,19 @@ func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id st
 		logger.Debug("FetchRowNumber: Row number %d for PK %s = %s", rowNum, pkName, fetchRowNumberPKValue)
 
 		// Now filter the main query to this specific primary key
-		query = query.Where(fmt.Sprintf("%s = ?", common.QuoteIdent(pkName)), fetchRowNumberPKValue)
+		tableAlias := reflection.ExtractTableNameOnly(tableName)
+		query = query.Where(fmt.Sprintf("%s.%s = ?", common.QuoteIdent(tableAlias), common.QuoteIdent(pkName)), fetchRowNumberPKValue)
 	} else if id != "" {
 		// If ID is provided (and not FetchRowNumber), filter by ID
 		pkName := reflection.GetPrimaryKeyName(model)
 		logger.Debug("Filtering by ID=%s: %s", pkName, id)
 
-		query = query.Where(fmt.Sprintf("%s = ?", common.QuoteIdent(pkName)), id)
+		tableAlias := reflection.ExtractTableNameOnly(tableName)
+		query = query.Where(fmt.Sprintf("%s.%s = ?", common.QuoteIdent(tableAlias), common.QuoteIdent(pkName)), id)
 	}
 
 	// Apply sorting
+	tableAlias := reflection.ExtractTableNameOnly(tableName)
 	for _, sort := range options.Sort {
 		direction := "ASC"
 		if strings.EqualFold(sort.Direction, "desc") {
@@ -626,9 +644,12 @@ func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id st
 		if strings.HasPrefix(sort.Column, "(") && strings.HasSuffix(sort.Column, ")") {
 			// For expressions, pass as raw SQL to prevent auto-quoting
 			query = query.OrderExpr(fmt.Sprintf("%s %s", sort.Column, direction))
+		} else if strings.Contains(sort.Column, ".") {
+			// Already qualified (e.g. alias.column) - pass as raw expression to preserve the dot
+			query = query.OrderExpr(fmt.Sprintf("%s %s", sort.Column, direction))
 		} else {
-			// Regular column - let Bun handle quoting
+			// Unqualified column - prefix with main table alias to avoid ambiguity on JOINs
-			query = query.Order(fmt.Sprintf("%s %s", sort.Column, direction))
+			query = query.OrderExpr(fmt.Sprintf("%s.%s %s", common.QuoteIdent(tableAlias), common.QuoteIdent(sort.Column), direction))
 		}
 	}
 
@@ -1346,7 +1367,7 @@ func (h *Handler) handleUpdate(ctx context.Context, w common.ResponseWriter, id
 
 		// First, read the existing record from the database
 		existingRecord := reflect.New(reflection.GetPointerElement(reflect.TypeOf(model))).Interface()
-		selectQuery := tx.NewSelect().Model(existingRecord).Column("*").Where(fmt.Sprintf("%s = ?", common.QuoteIdent(pkName)), targetID)
+		selectQuery := tx.NewSelect().Model(existingRecord).Where(fmt.Sprintf("%s = ?", common.QuoteIdent(pkName)), targetID)
 		if err := selectQuery.ScanModel(ctx); err != nil {
 			if err == sql.ErrNoRows {
 				return fmt.Errorf("record not found with ID: %v", targetID)
@@ -2488,14 +2509,12 @@ func (h *Handler) sendResponseWithOptions(w common.ResponseWriter, data interfac
 		w.SetHeader("X-No-Data-Found", "true")
 	}
 
-	w.WriteHeader(http.StatusOK)
-
 	// Normalize single-record arrays to objects if requested
 	if options != nil && options.SingleRecordAsObject {
 		data = h.normalizeResultArray(data)
 	}
 
-	// Return data as-is without wrapping in common.Response
+	w.WriteHeader(http.StatusOK)
 
 	if err := w.WriteJSON(data); err != nil {
 		logger.Error("Failed to write JSON response: %v", err)
@@ -2506,7 +2525,7 @@ func (h *Handler) sendResponseWithOptions(w common.ResponseWriter, data interfac
 // Returns the single element if data is a slice/array with exactly one element, otherwise returns data unchanged
 func (h *Handler) normalizeResultArray(data interface{}) interface{} {
 	if data == nil {
-		return []interface{}{}
+		return map[string]interface{}{}
 	}
 
 	// Use reflection to check if data is a slice or array
@@ -2521,15 +2540,15 @@ func (h *Handler) normalizeResultArray(data interface{}) interface{} {
 			// Return the single element
 			return dataValue.Index(0).Interface()
 		} else if dataValue.Len() == 0 {
-			// Keep empty array as empty array, don't convert to empty object
+			// Single-record request with no result → empty object
-			return []interface{}{}
+			return map[string]interface{}{}
 		}
 	}
 
 	if dataValue.Kind() == reflect.String {
 		str := dataValue.String()
 		if str == "" || str == "null" {
-			return []interface{}{}
+			return map[string]interface{}{}
 		}
 
 	}
@@ -2538,9 +2557,6 @@ func (h *Handler) normalizeResultArray(data interface{}) interface{} {
 
 // sendFormattedResponse sends response with formatting options
 func (h *Handler) sendFormattedResponse(w common.ResponseWriter, data interface{}, metadata *common.Metadata, options ExtendedRequestOptions) {
-	// Normalize single-record arrays to objects if requested
-	httpStatus := http.StatusOK
-
 	// Handle nil data - convert to empty array
 	if data == nil {
 		data = []interface{}{}
@@ -2577,7 +2593,7 @@ func (h *Handler) sendFormattedResponse(w common.ResponseWriter, data interface{
 	switch options.ResponseFormat {
 	case "simple":
 		// Simple format: just return the data array
-		w.WriteHeader(httpStatus)
+		w.WriteHeader(http.StatusOK)
 		if err := w.WriteJSON(data); err != nil {
 			logger.Error("Failed to write JSON response: %v", err)
 		}
@@ -2589,7 +2605,7 @@ func (h *Handler) sendFormattedResponse(w common.ResponseWriter, data interface{
 		if metadata != nil {
 			response["count"] = metadata.Total
 		}
-		w.WriteHeader(httpStatus)
+		w.WriteHeader(http.StatusOK)
 		if err := w.WriteJSON(response); err != nil {
 			logger.Error("Failed to write JSON response: %v", err)
 		}
@@ -2600,7 +2616,7 @@ func (h *Handler) sendFormattedResponse(w common.ResponseWriter, data interface{
 			Data:     data,
 			Metadata: metadata,
 		}
-		w.WriteHeader(httpStatus)
+		w.WriteHeader(http.StatusOK)
 		if err := w.WriteJSON(response); err != nil {
 			logger.Error("Failed to write JSON response: %v", err)
 		}
@@ -2630,6 +2646,12 @@ func (h *Handler) sendError(w common.ResponseWriter, statusCode int, code, messa
 		"_error":  errorMsg,
 		"_retval": 1,
 	}
+
+	var sqlErr *common.SQLError
+	if errors.As(err, &sqlErr) {
+		response["_sql"] = sqlErr.SQL
+	}
+
 	w.SetHeader("Content-Type", "application/json")
 	w.WriteHeader(statusCode)
 	if jsonErr := w.WriteJSON(response); jsonErr != nil {

pkg/restheadspec/headers.go

@@ -5,8 +5,10 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
+	"regexp"
 	"strconv"
 	"strings"
+	"unicode/utf8"
 
 	"github.com/bitechdev/ResolveSpec/pkg/common"
 	"github.com/bitechdev/ResolveSpec/pkg/logger"
@@ -63,7 +65,10 @@ type ExpandOption struct {
 // decodeHeaderValue decodes base64 encoded header values
 // Supports ZIP_ and __ prefixes for base64 encoding
 func decodeHeaderValue(value string) string {
-	str, _ := DecodeParam(value)
+	str, err := DecodeParam(value)
+	if err != nil {
+		return value
+	}
 	return str
 }
 
@@ -97,6 +102,11 @@ func DecodeParam(pStr string) (string, error) {
 
 	if strings.HasPrefix(code, "ZIP_") || strings.HasPrefix(code, "__") {
 		code, _ = DecodeParam(code)
+	} else {
+		strDat, err := base64.StdEncoding.DecodeString(code)
+		if err == nil && utf8.Valid(strDat) {
+			code = string(strDat)
+		}
 	}
 
 	return code, nil
@@ -501,6 +511,31 @@ func (h *Handler) parseExpand(options *ExtendedRequestOptions, value string) {
 	}
 }
 
+// reMultiJoinBoundary finds the start of each individual JOIN clause within a string that
+// may contain multiple consecutive JOIN clauses (e.g., "INNER JOIN ... LEFT OUTER JOIN ...").
+var reMultiJoinBoundary = regexp.MustCompile(`(?i)(?:inner|left(?:\s+outer)?|right(?:\s+outer)?|full(?:\s+outer)?|cross)\s+join\b`)
+
+// splitJoinClauses splits a SQL string that may contain multiple JOIN clauses into
+// individual clauses. A plain pipe-separated segment may itself contain several JOINs;
+// this function splits them so each gets its own alias entry.
+func splitJoinClauses(joinStr string) []string {
+	indices := reMultiJoinBoundary.FindAllStringIndex(joinStr, -1)
+	if len(indices) <= 1 {
+		return []string{strings.TrimSpace(joinStr)}
+	}
+	parts := make([]string, 0, len(indices))
+	for i, idx := range indices {
+		end := len(joinStr)
+		if i+1 < len(indices) {
+			end = indices[i+1][0]
+		}
+		if part := strings.TrimSpace(joinStr[idx[0]:end]); part != "" {
+			parts = append(parts, part)
+		}
+	}
+	return parts
+}
+
 // parseCustomSQLJoin parses x-custom-sql-join header
 // Format: Single JOIN clause or multiple JOIN clauses separated by |
 // Example: "LEFT JOIN departments d ON d.id = employees.department_id"
@@ -533,17 +568,19 @@ func (h *Handler) parseCustomSQLJoin(options *ExtendedRequestOptions, value stri
 			continue
 		}
 
-		// Extract table alias from the JOIN clause
+		// Split into individual JOIN clauses so each clause gets its own alias entry.
-		alias := extractJoinAlias(sanitizedJoin)
+		// CustomSQLJoin and JoinAliases are kept parallel (one entry per individual clause).
-		if alias != "" {
+		for _, clause := range splitJoinClauses(sanitizedJoin) {
+			alias := extractJoinAlias(clause)
+			// Keep arrays parallel; use empty string when alias cannot be extracted.
 			options.JoinAliases = append(options.JoinAliases, alias)
-			// Also add to the embedded RequestOptions for validation
 			options.RequestOptions.JoinAliases = append(options.RequestOptions.JoinAliases, alias)
+			if alias != "" {
 				logger.Debug("Extracted join alias: %s", alias)
 			}
-
+			logger.Debug("Adding custom SQL join: %s", clause)
-		logger.Debug("Adding custom SQL join: %s", sanitizedJoin)
+			options.CustomSQLJoin = append(options.CustomSQLJoin, clause)
-		options.CustomSQLJoin = append(options.CustomSQLJoin, sanitizedJoin)
+		}
 	}
 }
 

pkg/security/README.md

@@ -13,6 +13,7 @@ Type-safe, composable security system for ResolveSpec with support for authentic
 - ✅ **Extensible** - Implement custom providers for your needs
 - ✅ **Stored Procedures** - All database operations use PostgreSQL stored procedures for security and maintainability
 - ✅ **OAuth2 Authorization Server** - Built-in OAuth 2.1 + PKCE server (RFC 8414, 7591, 7009, 7662) with login form and external provider federation
+- ✅ **Password Reset** - Self-service password reset with secure token generation and session invalidation
 
 ## Stored Procedure Architecture
 
@@ -45,6 +46,8 @@ Type-safe, composable security system for ResolveSpec with support for authentic
 | `resolvespec_oauth_exchange_code` | Consume authorization code (single-use) | OAuthServer / DatabaseAuthenticator |
 | `resolvespec_oauth_introspect` | Token introspection (RFC 7662) | OAuthServer / DatabaseAuthenticator |
 | `resolvespec_oauth_revoke` | Token revocation (RFC 7009) | OAuthServer / DatabaseAuthenticator |
+| `resolvespec_password_reset_request` | Create password reset token | DatabaseAuthenticator |
+| `resolvespec_password_reset` | Validate token and set new password | DatabaseAuthenticator |
 
 See `database_schema.sql` for complete stored procedure definitions and examples.
 
@@ -904,6 +907,66 @@ securityList := security.NewSecurityList(provider)
 restheadspec.RegisterSecurityHooks(handler, securityList) // or funcspec/resolvespec
 ```
 
+## Password Reset
+
+`DatabaseAuthenticator` implements `PasswordResettable` for self-service password reset.
+
+### Flow
+
+1. User submits email or username → `RequestPasswordReset` → server generates a token and returns it for out-of-band delivery (email, SMS, etc.)
+2. User submits the raw token + new password → `CompletePasswordReset` → password updated, all sessions invalidated
+
+### DB Requirements
+
+Run the migrations in `database_schema.sql`:
+- `user_password_resets` table (`user_id`, `token_hash` SHA-256, `expires_at`, `used`, `used_at`)
+- `resolvespec_password_reset_request` stored procedure
+- `resolvespec_password_reset` stored procedure
+
+Requires the `pgcrypto` extension (`gen_random_bytes`, `digest`) — already used by `resolvespec_login`.
+
+### Usage
+
+```go
+auth := security.NewDatabaseAuthenticator(db)
+
+// Step 1 — initiate reset (call after user submits their email)
+resp, err := auth.RequestPasswordReset(ctx, security.PasswordResetRequest{
+    Email: "user@example.com",
+})
+// resp.Token is the raw token — deliver it out-of-band
+// resp.ExpiresIn is 3600 (1 hour)
+// Always returns success regardless of whether the user exists (anti-enumeration)
+
+// Step 2 — complete reset (call after user submits token + new password)
+err = auth.CompletePasswordReset(ctx, security.PasswordResetCompleteRequest{
+    Token:       rawToken,
+    NewPassword: "newSecurePassword",
+})
+// On success: password updated, all active sessions deleted
+```
+
+### Security Notes
+
+- The raw token is never stored; only its SHA-256 hash is persisted
+- Requesting a reset invalidates any previous unused tokens for that user
+- Tokens expire after 1 hour
+- Completing a reset deletes all active sessions, forcing re-login
+- `RequestPasswordReset` always returns success even when the email/username is not found, preventing user enumeration
+- Hash the new password with bcrypt before storing (pgcrypto `crypt`/`gen_salt`) — see the TODO comment in `resolvespec_password_reset`
+
+### SQLNames
+
+```go
+type SQLNames struct {
+    // ...
+    PasswordResetRequest  string // default: "resolvespec_password_reset_request"
+    PasswordResetComplete string // default: "resolvespec_password_reset"
+}
+```
+
+---
+
 ## OAuth2 Authorization Server
 
 `OAuthServer` is a generic OAuth 2.1 + PKCE authorization server. It is not tied to any spec — `pkg/resolvemcp` uses it, but it can be used standalone with any `http.ServeMux`.
@@ -1110,6 +1173,14 @@ type Cacheable interface {
 }
 ```
 
+**PasswordResettable** - Self-service password reset:
+```go
+type PasswordResettable interface {
+    RequestPasswordReset(ctx context.Context, req PasswordResetRequest) (*PasswordResetResponse, error)
+    CompletePasswordReset(ctx context.Context, req PasswordResetCompleteRequest) error
+}
+```
+
 ## Benefits Over Callbacks
 
 | Feature | Old (Callbacks) | New (Interfaces) |

pkg/security/chain.go

@@ -0,0 +1,41 @@
+package security
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+)
+
+// ChainAuthenticator tries each authenticator in order, returning the first success.
+// Login and Logout are delegated to the primary authenticator.
+type ChainAuthenticator struct {
+	authenticators []Authenticator
+}
+
+// NewChainAuthenticator creates a ChainAuthenticator from the given authenticators.
+// At least one authenticator is required; the first is treated as primary for Login/Logout.
+func NewChainAuthenticator(primary Authenticator, rest ...Authenticator) *ChainAuthenticator {
+	return &ChainAuthenticator{
+		authenticators: append([]Authenticator{primary}, rest...),
+	}
+}
+
+func (c *ChainAuthenticator) Authenticate(r *http.Request) (*UserContext, error) {
+	var lastErr error
+	for _, a := range c.authenticators {
+		if uc, err := a.Authenticate(r); err == nil {
+			return uc, nil
+		} else {
+			lastErr = err
+		}
+	}
+	return nil, fmt.Errorf("all authenticators failed; last error: %w", lastErr)
+}
+
+func (c *ChainAuthenticator) Login(ctx context.Context, req LoginRequest) (*LoginResponse, error) {
+	return c.authenticators[0].Login(ctx, req)
+}
+
+func (c *ChainAuthenticator) Logout(ctx context.Context, req LogoutRequest) error {
+	return c.authenticators[0].Logout(ctx, req)
+}

pkg/security/chain_test.go

@@ -0,0 +1,117 @@
+package security
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+// stubAuthenticator is a configurable Authenticator for testing.
+type stubAuthenticator struct {
+	userCtx *UserContext
+	err     error
+}
+
+func (s *stubAuthenticator) Authenticate(_ *http.Request) (*UserContext, error) {
+	return s.userCtx, s.err
+}
+
+func (s *stubAuthenticator) Login(_ context.Context, _ LoginRequest) (*LoginResponse, error) {
+	if s.err != nil {
+		return nil, s.err
+	}
+	return &LoginResponse{Token: "tok"}, nil
+}
+
+func (s *stubAuthenticator) Logout(_ context.Context, _ LogoutRequest) error {
+	return s.err
+}
+
+func TestChainAuthenticator_Authenticate(t *testing.T) {
+	successCtx := &UserContext{UserID: 42, UserName: "alice"}
+	failStub := &stubAuthenticator{err: fmt.Errorf("no token")}
+	okStub := &stubAuthenticator{userCtx: successCtx}
+
+	t.Run("primary succeeds", func(t *testing.T) {
+		chain := NewChainAuthenticator(okStub, failStub)
+		req := httptest.NewRequest("GET", "/", nil)
+
+		uc, err := chain.Authenticate(req)
+		if err != nil {
+			t.Fatalf("expected no error, got %v", err)
+		}
+		if uc.UserID != 42 {
+			t.Errorf("expected UserID 42, got %d", uc.UserID)
+		}
+	})
+
+	t.Run("primary fails, secondary succeeds", func(t *testing.T) {
+		chain := NewChainAuthenticator(failStub, okStub)
+		req := httptest.NewRequest("GET", "/", nil)
+
+		uc, err := chain.Authenticate(req)
+		if err != nil {
+			t.Fatalf("expected no error, got %v", err)
+		}
+		if uc.UserID != 42 {
+			t.Errorf("expected UserID 42, got %d", uc.UserID)
+		}
+	})
+
+	t.Run("all fail", func(t *testing.T) {
+		chain := NewChainAuthenticator(failStub, failStub)
+		req := httptest.NewRequest("GET", "/", nil)
+
+		_, err := chain.Authenticate(req)
+		if err == nil {
+			t.Fatal("expected error when all authenticators fail")
+		}
+	})
+
+	t.Run("three in chain, first two fail", func(t *testing.T) {
+		chain := NewChainAuthenticator(failStub, failStub, okStub)
+		req := httptest.NewRequest("GET", "/", nil)
+
+		uc, err := chain.Authenticate(req)
+		if err != nil {
+			t.Fatalf("expected no error, got %v", err)
+		}
+		if uc.UserName != "alice" {
+			t.Errorf("expected UserName alice, got %s", uc.UserName)
+		}
+	})
+}
+
+func TestChainAuthenticator_LoginLogout(t *testing.T) {
+	primary := &stubAuthenticator{userCtx: &UserContext{UserID: 1}}
+	secondary := &stubAuthenticator{userCtx: &UserContext{UserID: 2}}
+	chain := NewChainAuthenticator(primary, secondary)
+	ctx := context.Background()
+
+	t.Run("login delegates to primary", func(t *testing.T) {
+		resp, err := chain.Login(ctx, LoginRequest{Username: "u", Password: "p"})
+		if err != nil {
+			t.Fatalf("expected no error, got %v", err)
+		}
+		if resp.Token != "tok" {
+			t.Errorf("expected token from primary, got %s", resp.Token)
+		}
+	})
+
+	t.Run("logout delegates to primary", func(t *testing.T) {
+		if err := chain.Logout(ctx, LogoutRequest{}); err != nil {
+			t.Fatalf("expected no error, got %v", err)
+		}
+	})
+
+	t.Run("login error from primary is returned", func(t *testing.T) {
+		failPrimary := &stubAuthenticator{err: fmt.Errorf("db down")}
+		chain2 := NewChainAuthenticator(failPrimary, secondary)
+		_, err := chain2.Login(ctx, LoginRequest{})
+		if err == nil {
+			t.Fatal("expected error from primary login failure")
+		}
+	})
+}

pkg/security/database_schema.sql

@@ -1398,6 +1398,158 @@ $$ LANGUAGE plpgsql;
 -- Get credentials by username
 -- SELECT * FROM resolvespec_passkey_get_credentials_by_username('admin');
 
+-- ============================================
+-- Password Reset Tables
+-- ============================================
+
+-- Password reset tokens table
+CREATE TABLE IF NOT EXISTS user_password_resets (
+    id SERIAL PRIMARY KEY,
+    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    token_hash VARCHAR(64) NOT NULL UNIQUE, -- SHA-256 hex of the raw token
+    expires_at TIMESTAMP NOT NULL,
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    used BOOLEAN DEFAULT false,
+    used_at TIMESTAMP
+);
+
+CREATE INDEX IF NOT EXISTS idx_pw_reset_token_hash ON user_password_resets(token_hash);
+CREATE INDEX IF NOT EXISTS idx_pw_reset_user_id ON user_password_resets(user_id);
+CREATE INDEX IF NOT EXISTS idx_pw_reset_expires_at ON user_password_resets(expires_at);
+
+-- ============================================
+-- Stored Procedures for Password Reset
+-- ============================================
+
+-- 1. resolvespec_password_reset_request - Creates a password reset token for a user
+-- Input: p_request jsonb {email: string, username: string}
+-- Output: p_success (bool), p_error (text), p_data jsonb {token: string, expires_in: int}
+-- NOTE: The raw token is returned so the caller can deliver it out-of-band (e.g. email).
+--       Only the SHA-256 hash is stored. Invalidates any previous unused tokens for the user.
+CREATE OR REPLACE FUNCTION resolvespec_password_reset_request(p_request jsonb)
+RETURNS TABLE(p_success boolean, p_error text, p_data jsonb) AS $$
+DECLARE
+    v_user_id   INTEGER;
+    v_email     TEXT;
+    v_username  TEXT;
+    v_raw_token TEXT;
+    v_token_hash TEXT;
+    v_expires_at TIMESTAMP;
+BEGIN
+    v_email    := p_request->>'email';
+    v_username := p_request->>'username';
+
+    -- Require at least one identifier
+    IF (v_email IS NULL OR v_email = '') AND (v_username IS NULL OR v_username = '') THEN
+        RETURN QUERY SELECT false, 'email or username is required'::text, NULL::jsonb;
+        RETURN;
+    END IF;
+
+    -- Look up active user
+    IF v_email IS NOT NULL AND v_email <> '' THEN
+        SELECT id INTO v_user_id FROM users WHERE email = v_email AND is_active = true;
+    ELSE
+        SELECT id INTO v_user_id FROM users WHERE username = v_username AND is_active = true;
+    END IF;
+
+    -- Return generic success even when user not found to avoid user enumeration
+    IF NOT FOUND THEN
+        RETURN QUERY SELECT true, NULL::text, jsonb_build_object('token', '', 'expires_in', 0);
+        RETURN;
+    END IF;
+
+    -- Invalidate previous unused tokens for this user
+    DELETE FROM user_password_resets WHERE user_id = v_user_id AND used = false;
+
+    -- Generate a random 32-byte token and store its SHA-256 hash
+    v_raw_token  := encode(gen_random_bytes(32), 'hex');
+    v_token_hash := encode(digest(v_raw_token, 'sha256'), 'hex');
+    v_expires_at := now() + interval '1 hour';
+
+    INSERT INTO user_password_resets (user_id, token_hash, expires_at)
+    VALUES (v_user_id, v_token_hash, v_expires_at);
+
+    RETURN QUERY SELECT
+        true,
+        NULL::text,
+        jsonb_build_object(
+            'token',      v_raw_token,
+            'expires_in', 3600
+        );
+EXCEPTION
+    WHEN OTHERS THEN
+        RETURN QUERY SELECT false, SQLERRM::text, NULL::jsonb;
+END;
+$$ LANGUAGE plpgsql;
+
+-- 2. resolvespec_password_reset - Validates the token and updates the user's password
+-- Input: p_request jsonb {token: string, new_password: string}
+-- Output: p_success (bool), p_error (text)
+-- NOTE: Hash the new_password with bcrypt before storing (pgcrypto crypt/gen_salt).
+--       The TODO below mirrors the convention used in resolvespec_register.
+CREATE OR REPLACE FUNCTION resolvespec_password_reset(p_request jsonb)
+RETURNS TABLE(p_success boolean, p_error text) AS $$
+DECLARE
+    v_raw_token  TEXT;
+    v_token_hash TEXT;
+    v_new_pw     TEXT;
+    v_reset_id   INTEGER;
+    v_user_id    INTEGER;
+    v_expires_at TIMESTAMP;
+BEGIN
+    v_raw_token := p_request->>'token';
+    v_new_pw    := p_request->>'new_password';
+
+    IF v_raw_token IS NULL OR v_raw_token = '' THEN
+        RETURN QUERY SELECT false, 'token is required'::text;
+        RETURN;
+    END IF;
+
+    IF v_new_pw IS NULL OR v_new_pw = '' THEN
+        RETURN QUERY SELECT false, 'new_password is required'::text;
+        RETURN;
+    END IF;
+
+    v_token_hash := encode(digest(v_raw_token, 'sha256'), 'hex');
+
+    -- Find valid, unused reset token
+    SELECT id, user_id, expires_at
+    INTO v_reset_id, v_user_id, v_expires_at
+    FROM user_password_resets
+    WHERE token_hash = v_token_hash AND used = false;
+
+    IF NOT FOUND THEN
+        RETURN QUERY SELECT false, 'invalid or expired token'::text;
+        RETURN;
+    END IF;
+
+    IF v_expires_at <= now() THEN
+        RETURN QUERY SELECT false, 'invalid or expired token'::text;
+        RETURN;
+    END IF;
+
+    -- TODO: Hash new password with pgcrypto before storing
+    -- Enable pgcrypto: CREATE EXTENSION IF NOT EXISTS pgcrypto;
+    -- v_new_pw := crypt(v_new_pw, gen_salt('bf'));
+
+    -- Update password and invalidate all sessions
+    UPDATE users SET password = v_new_pw, updated_at = now() WHERE id = v_user_id;
+    DELETE FROM user_sessions WHERE user_id = v_user_id;
+
+    -- Mark token as used
+    UPDATE user_password_resets SET used = true, used_at = now() WHERE id = v_reset_id;
+
+    RETURN QUERY SELECT true, NULL::text;
+EXCEPTION
+    WHEN OTHERS THEN
+        RETURN QUERY SELECT false, SQLERRM::text;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Example: Test password reset stored procedures
+-- SELECT * FROM resolvespec_password_reset_request('{"email": "user@example.com"}'::jsonb);
+-- SELECT * FROM resolvespec_password_reset('{"token": "<raw_token>", "new_password": "newpass123"}'::jsonb);
+
 -- ============================================
 -- OAuth2 Server Tables (OAuthServer persistence)
 -- ============================================

pkg/security/interfaces.go

@@ -57,6 +57,27 @@ type LogoutRequest struct {
 	UserID int    `json:"user_id"`
 }
 
+// PasswordResetRequest initiates a password reset for a user
+type PasswordResetRequest struct {
+	Email    string `json:"email,omitempty"`
+	Username string `json:"username,omitempty"`
+}
+
+// PasswordResetResponse is returned when a reset is initiated
+type PasswordResetResponse struct {
+	// Token is the reset token to be delivered out-of-band (e.g. email).
+	// The stored procedure may return it for delivery or leave it empty
+	// if the delivery is handled entirely in the database.
+	Token     string `json:"token"`
+	ExpiresIn int64  `json:"expires_in"` // seconds
+}
+
+// PasswordResetCompleteRequest completes a password reset using the token
+type PasswordResetCompleteRequest struct {
+	Token       string `json:"token"`
+	NewPassword string `json:"new_password"`
+}
+
 // Authenticator handles user authentication operations
 type Authenticator interface {
 	// Login authenticates credentials and returns a token
@@ -114,3 +135,12 @@ type Cacheable interface {
 	// ClearCache clears cached security rules for a user/entity
 	ClearCache(ctx context.Context, userID int, schema, table string) error
 }
+
+// PasswordResettable allows providers to support self-service password reset
+type PasswordResettable interface {
+	// RequestPasswordReset creates a reset token for the given email/username
+	RequestPasswordReset(ctx context.Context, req PasswordResetRequest) (*PasswordResetResponse, error)
+
+	// CompletePasswordReset validates the token and sets the new password
+	CompletePasswordReset(ctx context.Context, req PasswordResetCompleteRequest) error
+}

pkg/security/providers.go

@@ -70,6 +70,10 @@ type DatabaseAuthenticator struct {
 	cacheTTL  time.Duration
 	sqlNames  *SQLNames
 
+	// Cookie session support (optional, gated by enableCookieSession)
+	enableCookieSession bool
+	cookieOptions       SessionCookieOptions
+
 	// OAuth2 providers registry (multiple providers supported)
 	oauth2Providers      map[string]*OAuth2Provider
 	oauth2ProvidersMutex sync.RWMutex
@@ -93,6 +97,14 @@ type DatabaseAuthenticatorOptions struct {
 	// DBFactory is called to obtain a fresh *sql.DB when the existing connection is closed.
 	// If nil, reconnection is disabled.
 	DBFactory func() (*sql.DB, error)
+	// EnableCookieSession enables cookie-based session management.
+	// When true, Authenticate reads the session token from the cookie named by
+	// CookieOptions.Name (default "session_token") in addition to the Authorization header,
+	// and LoginWithCookie / LogoutWithCookie automatically set / clear the cookie.
+	EnableCookieSession bool
+	// CookieOptions configures the session cookie written by LoginWithCookie.
+	// Only used when EnableCookieSession is true.
+	CookieOptions SessionCookieOptions
 }
 
 func NewDatabaseAuthenticator(db *sql.DB) *DatabaseAuthenticator {
@@ -120,6 +132,8 @@ func NewDatabaseAuthenticatorWithOptions(db *sql.DB, opts DatabaseAuthenticatorO
 		cacheTTL:            opts.CacheTTL,
 		sqlNames:            sqlNames,
 		passkeyProvider:     opts.PasskeyProvider,
+		enableCookieSession: opts.EnableCookieSession,
+		cookieOptions:       opts.CookieOptions,
 	}
 }
 
@@ -265,6 +279,33 @@ func (a *DatabaseAuthenticator) Logout(ctx context.Context, req LogoutRequest) e
 	return nil
 }
 
+// LoginWithCookie performs a login and, when EnableCookieSession is true, writes the
+// session cookie to w using the configured CookieOptions. The LoginResponse is returned
+// regardless of whether cookie sessions are enabled.
+func (a *DatabaseAuthenticator) LoginWithCookie(ctx context.Context, req LoginRequest, w http.ResponseWriter) (*LoginResponse, error) {
+	resp, err := a.Login(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+	if a.enableCookieSession {
+		SetSessionCookie(w, resp, a.cookieOptions)
+	}
+	return resp, nil
+}
+
+// LogoutWithCookie performs a logout and, when EnableCookieSession is true, clears the
+// session cookie on w. The logout itself is performed regardless of the cookie flag.
+func (a *DatabaseAuthenticator) LogoutWithCookie(ctx context.Context, req LogoutRequest, w http.ResponseWriter) error {
+	err := a.Logout(ctx, req)
+	if err != nil {
+		return err
+	}
+	if a.enableCookieSession {
+		ClearSessionCookie(w, a.cookieOptions)
+	}
+	return nil
+}
+
 func (a *DatabaseAuthenticator) Authenticate(r *http.Request) (*UserContext, error) {
 	// Extract session token from header or cookie
 	sessionToken := r.Header.Get("Authorization")
@@ -272,11 +313,12 @@ func (a *DatabaseAuthenticator) Authenticate(r *http.Request) (*UserContext, err
 	var tokens []string
 
 	if sessionToken == "" {
-		// Try cookie
+		if a.enableCookieSession {
-		if token := GetSessionCookie(r); token != "" {
+			if token := GetSessionCookie(r, a.cookieOptions); token != "" {
 				tokens = []string{token}
 				reference = "cookie"
 			}
+		}
 	} else {
 		// Parse Authorization header which may contain multiple comma-separated tokens
 		// Format: "Token abc, Token def" or "Bearer abc" or just "abc"
@@ -868,6 +910,75 @@ func generateRandomString(length int) string {
 // 	return ""
 // }
 
+// Password reset methods
+// ======================
+
+// RequestPasswordReset implements PasswordResettable. It calls the stored procedure
+// resolvespec_password_reset_request and returns the reset token and expiry.
+func (a *DatabaseAuthenticator) RequestPasswordReset(ctx context.Context, req PasswordResetRequest) (*PasswordResetResponse, error) {
+	reqJSON, err := json.Marshal(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal password reset request: %w", err)
+	}
+
+	var success bool
+	var errorMsg sql.NullString
+	var dataJSON sql.NullString
+
+	err = a.runDBOpWithReconnect(func(db *sql.DB) error {
+		query := fmt.Sprintf(`SELECT p_success, p_error, p_data::text FROM %s($1::jsonb)`, a.sqlNames.PasswordResetRequest)
+		return db.QueryRowContext(ctx, query, string(reqJSON)).Scan(&success, &errorMsg, &dataJSON)
+	})
+	if err != nil {
+		return nil, fmt.Errorf("password reset request query failed: %w", err)
+	}
+
+	if !success {
+		if errorMsg.Valid {
+			return nil, fmt.Errorf("%s", errorMsg.String)
+		}
+		return nil, fmt.Errorf("password reset request failed")
+	}
+
+	var response PasswordResetResponse
+	if dataJSON.Valid && dataJSON.String != "" {
+		if err := json.Unmarshal([]byte(dataJSON.String), &response); err != nil {
+			return nil, fmt.Errorf("failed to parse password reset response: %w", err)
+		}
+	}
+
+	return &response, nil
+}
+
+// CompletePasswordReset implements PasswordResettable. It validates the token and
+// updates the user's password via resolvespec_password_reset.
+func (a *DatabaseAuthenticator) CompletePasswordReset(ctx context.Context, req PasswordResetCompleteRequest) error {
+	reqJSON, err := json.Marshal(req)
+	if err != nil {
+		return fmt.Errorf("failed to marshal password reset complete request: %w", err)
+	}
+
+	var success bool
+	var errorMsg sql.NullString
+
+	err = a.runDBOpWithReconnect(func(db *sql.DB) error {
+		query := fmt.Sprintf(`SELECT p_success, p_error FROM %s($1::jsonb)`, a.sqlNames.PasswordResetComplete)
+		return db.QueryRowContext(ctx, query, string(reqJSON)).Scan(&success, &errorMsg)
+	})
+	if err != nil {
+		return fmt.Errorf("password reset complete query failed: %w", err)
+	}
+
+	if !success {
+		if errorMsg.Valid {
+			return fmt.Errorf("%s", errorMsg.String)
+		}
+		return fmt.Errorf("password reset failed")
+	}
+
+	return nil
+}
+
 // Passkey authentication methods
 // ==============================
 

pkg/security/sql_names.go

@@ -47,6 +47,10 @@ type SQLNames struct {
 	PasskeyUpdateName         string // default: "resolvespec_passkey_update_name"
 	PasskeyLogin              string // default: "resolvespec_passkey_login"
 
+	// Password reset procedures (DatabaseAuthenticator)
+	PasswordResetRequest  string // default: "resolvespec_password_reset_request"
+	PasswordResetComplete string // default: "resolvespec_password_reset"
+
 	// OAuth2 procedures (DatabaseAuthenticator OAuth2 methods)
 	OAuthGetOrCreateUser    string // default: "resolvespec_oauth_getorcreateuser"
 	OAuthCreateSession      string // default: "resolvespec_oauth_createsession"
@@ -95,6 +99,9 @@ func DefaultSQLNames() *SQLNames {
 		PasskeyUpdateName:         "resolvespec_passkey_update_name",
 		PasskeyLogin:              "resolvespec_passkey_login",
 
+		PasswordResetRequest:  "resolvespec_password_reset_request",
+		PasswordResetComplete: "resolvespec_password_reset",
+
 		OAuthGetOrCreateUser:    "resolvespec_oauth_getorcreateuser",
 		OAuthCreateSession:      "resolvespec_oauth_createsession",
 		OAuthGetRefreshToken:    "resolvespec_oauth_getrefreshtoken",
@@ -190,6 +197,12 @@ func MergeSQLNames(base, override *SQLNames) *SQLNames {
 	if override.PasskeyLogin != "" {
 		merged.PasskeyLogin = override.PasskeyLogin
 	}
+	if override.PasswordResetRequest != "" {
+		merged.PasswordResetRequest = override.PasswordResetRequest
+	}
+	if override.PasswordResetComplete != "" {
+		merged.PasswordResetComplete = override.PasswordResetComplete
+	}
 	if override.OAuthGetOrCreateUser != "" {
 		merged.OAuthGetOrCreateUser = override.OAuthGetOrCreateUser
 	}

pkg/spectypes/sql_array_types.go

@@ -0,0 +1,755 @@
+package spectypes
+
+import (
+	"database/sql/driver"
+	"encoding/json"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/google/uuid"
+)
+
+// parsePostgresArrayElements parses a PostgreSQL array literal (e.g. `{a,"b,c",d}`)
+// into a slice of raw string elements. Each element retains its unquoted/unescaped value.
+func parsePostgresArrayElements(s string) ([]string, error) {
+	s = strings.TrimSpace(s)
+	if s == "" || strings.EqualFold(s, "null") || strings.EqualFold(s, "NULL") {
+		return nil, nil
+	}
+	if !strings.HasPrefix(s, "{") || !strings.HasSuffix(s, "}") {
+		return nil, fmt.Errorf("not a valid PostgreSQL array literal: %q", s)
+	}
+	inner := s[1 : len(s)-1]
+	if inner == "" {
+		return []string{}, nil
+	}
+
+	var result []string
+	var cur strings.Builder
+	inQuotes := false
+	i := 0
+	for i < len(inner) {
+		c := inner[i]
+		switch {
+		case c == '"' && !inQuotes:
+			inQuotes = true
+		case c == '"' && inQuotes:
+			if i+1 < len(inner) && inner[i+1] == '"' {
+				cur.WriteByte('"')
+				i++
+			} else {
+				inQuotes = false
+			}
+		case c == '\\' && inQuotes:
+			if i+1 < len(inner) {
+				cur.WriteByte(inner[i+1])
+				i++
+			}
+		case c == ',' && !inQuotes:
+			result = append(result, cur.String())
+			cur.Reset()
+		default:
+			cur.WriteByte(c)
+		}
+		i++
+	}
+	result = append(result, cur.String())
+	return result, nil
+}
+
+// formatPostgresStringArray formats a []string back into a PostgreSQL array literal.
+func formatPostgresStringArray(vals []string) string {
+	if vals == nil {
+		return "NULL"
+	}
+	parts := make([]string, len(vals))
+	for i, v := range vals {
+		// Quote if value contains comma, double-quote, backslash, braces, whitespace, or is empty.
+		needsQuote := v == "" || strings.ContainsAny(v, `,"\\{}`+"\t\n\r ")
+		if needsQuote {
+			v = strings.ReplaceAll(v, `\`, `\\`)
+			v = strings.ReplaceAll(v, `"`, `""`)
+			parts[i] = `"` + v + `"`
+		} else {
+			parts[i] = v
+		}
+	}
+	return "{" + strings.Join(parts, ",") + "}"
+}
+
+// ── SqlStringArray ───────────────────────────────────────────────────────────
+
+// SqlStringArray is a nullable PostgreSQL text[] / varchar[] array.
+type SqlStringArray struct {
+	Val   []string
+	Valid bool
+}
+
+func (a *SqlStringArray) Scan(value any) error {
+	if value == nil {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var s string
+	switch v := value.(type) {
+	case string:
+		s = v
+	case []byte:
+		s = string(v)
+	default:
+		return fmt.Errorf("SqlStringArray: cannot scan type %T", value)
+	}
+	elems, err := parsePostgresArrayElements(s)
+	if err != nil {
+		return err
+	}
+	a.Val = elems
+	a.Valid = true
+	return nil
+}
+
+func (a SqlStringArray) Value() (driver.Value, error) {
+	if !a.Valid {
+		return nil, nil
+	}
+	return formatPostgresStringArray(a.Val), nil
+}
+
+func (a SqlStringArray) MarshalJSON() ([]byte, error) {
+	if !a.Valid {
+		return []byte("null"), nil
+	}
+	return json.Marshal(a.Val)
+}
+
+func (a *SqlStringArray) UnmarshalJSON(b []byte) error {
+	s := strings.TrimSpace(string(b))
+	if s == "null" {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var vals []string
+	if err := json.Unmarshal(b, &vals); err != nil {
+		return err
+	}
+	a.Val = vals
+	a.Valid = true
+	return nil
+}
+
+func NewSqlStringArray(v []string) SqlStringArray {
+	return SqlStringArray{Val: v, Valid: true}
+}
+
+// ── SqlInt16Array ────────────────────────────────────────────────────────────
+
+type SqlInt16Array struct {
+	Val   []int16
+	Valid bool
+}
+
+func (a *SqlInt16Array) Scan(value any) error {
+	if value == nil {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var s string
+	switch v := value.(type) {
+	case string:
+		s = v
+	case []byte:
+		s = string(v)
+	default:
+		return fmt.Errorf("SqlInt16Array: cannot scan type %T", value)
+	}
+	elems, err := parsePostgresArrayElements(s)
+	if err != nil {
+		return err
+	}
+	a.Val = make([]int16, len(elems))
+	for i, e := range elems {
+		n, err := strconv.ParseInt(strings.TrimSpace(e), 10, 16)
+		if err != nil {
+			return fmt.Errorf("SqlInt16Array: element %d %q: %w", i, e, err)
+		}
+		a.Val[i] = int16(n)
+	}
+	a.Valid = true
+	return nil
+}
+
+func (a SqlInt16Array) Value() (driver.Value, error) {
+	if !a.Valid {
+		return nil, nil
+	}
+	parts := make([]string, len(a.Val))
+	for i, v := range a.Val {
+		parts[i] = strconv.FormatInt(int64(v), 10)
+	}
+	return "{" + strings.Join(parts, ",") + "}", nil
+}
+
+func (a SqlInt16Array) MarshalJSON() ([]byte, error) {
+	if !a.Valid {
+		return []byte("null"), nil
+	}
+	return json.Marshal(a.Val)
+}
+
+func (a *SqlInt16Array) UnmarshalJSON(b []byte) error {
+	if strings.TrimSpace(string(b)) == "null" {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var vals []int16
+	if err := json.Unmarshal(b, &vals); err != nil {
+		return err
+	}
+	a.Val = vals
+	a.Valid = true
+	return nil
+}
+
+func NewSqlInt16Array(v []int16) SqlInt16Array {
+	return SqlInt16Array{Val: v, Valid: true}
+}
+
+// ── SqlInt32Array ────────────────────────────────────────────────────────────
+
+type SqlInt32Array struct {
+	Val   []int32
+	Valid bool
+}
+
+func (a *SqlInt32Array) Scan(value any) error {
+	if value == nil {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var s string
+	switch v := value.(type) {
+	case string:
+		s = v
+	case []byte:
+		s = string(v)
+	default:
+		return fmt.Errorf("SqlInt32Array: cannot scan type %T", value)
+	}
+	elems, err := parsePostgresArrayElements(s)
+	if err != nil {
+		return err
+	}
+	a.Val = make([]int32, len(elems))
+	for i, e := range elems {
+		n, err := strconv.ParseInt(strings.TrimSpace(e), 10, 32)
+		if err != nil {
+			return fmt.Errorf("SqlInt32Array: element %d %q: %w", i, e, err)
+		}
+		a.Val[i] = int32(n)
+	}
+	a.Valid = true
+	return nil
+}
+
+func (a SqlInt32Array) Value() (driver.Value, error) {
+	if !a.Valid {
+		return nil, nil
+	}
+	parts := make([]string, len(a.Val))
+	for i, v := range a.Val {
+		parts[i] = strconv.FormatInt(int64(v), 10)
+	}
+	return "{" + strings.Join(parts, ",") + "}", nil
+}
+
+func (a SqlInt32Array) MarshalJSON() ([]byte, error) {
+	if !a.Valid {
+		return []byte("null"), nil
+	}
+	return json.Marshal(a.Val)
+}
+
+func (a *SqlInt32Array) UnmarshalJSON(b []byte) error {
+	if strings.TrimSpace(string(b)) == "null" {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var vals []int32
+	if err := json.Unmarshal(b, &vals); err != nil {
+		return err
+	}
+	a.Val = vals
+	a.Valid = true
+	return nil
+}
+
+func NewSqlInt32Array(v []int32) SqlInt32Array {
+	return SqlInt32Array{Val: v, Valid: true}
+}
+
+// ── SqlInt64Array ────────────────────────────────────────────────────────────
+
+type SqlInt64Array struct {
+	Val   []int64
+	Valid bool
+}
+
+func (a *SqlInt64Array) Scan(value any) error {
+	if value == nil {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var s string
+	switch v := value.(type) {
+	case string:
+		s = v
+	case []byte:
+		s = string(v)
+	default:
+		return fmt.Errorf("SqlInt64Array: cannot scan type %T", value)
+	}
+	elems, err := parsePostgresArrayElements(s)
+	if err != nil {
+		return err
+	}
+	a.Val = make([]int64, len(elems))
+	for i, e := range elems {
+		n, err := strconv.ParseInt(strings.TrimSpace(e), 10, 64)
+		if err != nil {
+			return fmt.Errorf("SqlInt64Array: element %d %q: %w", i, e, err)
+		}
+		a.Val[i] = n
+	}
+	a.Valid = true
+	return nil
+}
+
+func (a SqlInt64Array) Value() (driver.Value, error) {
+	if !a.Valid {
+		return nil, nil
+	}
+	parts := make([]string, len(a.Val))
+	for i, v := range a.Val {
+		parts[i] = strconv.FormatInt(v, 10)
+	}
+	return "{" + strings.Join(parts, ",") + "}", nil
+}
+
+func (a SqlInt64Array) MarshalJSON() ([]byte, error) {
+	if !a.Valid {
+		return []byte("null"), nil
+	}
+	return json.Marshal(a.Val)
+}
+
+func (a *SqlInt64Array) UnmarshalJSON(b []byte) error {
+	if strings.TrimSpace(string(b)) == "null" {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var vals []int64
+	if err := json.Unmarshal(b, &vals); err != nil {
+		return err
+	}
+	a.Val = vals
+	a.Valid = true
+	return nil
+}
+
+func NewSqlInt64Array(v []int64) SqlInt64Array {
+	return SqlInt64Array{Val: v, Valid: true}
+}
+
+// ── SqlFloat32Array ──────────────────────────────────────────────────────────
+
+type SqlFloat32Array struct {
+	Val   []float32
+	Valid bool
+}
+
+func (a *SqlFloat32Array) Scan(value any) error {
+	if value == nil {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var s string
+	switch v := value.(type) {
+	case string:
+		s = v
+	case []byte:
+		s = string(v)
+	default:
+		return fmt.Errorf("SqlFloat32Array: cannot scan type %T", value)
+	}
+	elems, err := parsePostgresArrayElements(s)
+	if err != nil {
+		return err
+	}
+	a.Val = make([]float32, len(elems))
+	for i, e := range elems {
+		f, err := strconv.ParseFloat(strings.TrimSpace(e), 32)
+		if err != nil {
+			return fmt.Errorf("SqlFloat32Array: element %d %q: %w", i, e, err)
+		}
+		a.Val[i] = float32(f)
+	}
+	a.Valid = true
+	return nil
+}
+
+func (a SqlFloat32Array) Value() (driver.Value, error) {
+	if !a.Valid {
+		return nil, nil
+	}
+	parts := make([]string, len(a.Val))
+	for i, v := range a.Val {
+		parts[i] = strconv.FormatFloat(float64(v), 'f', -1, 32)
+	}
+	return "{" + strings.Join(parts, ",") + "}", nil
+}
+
+func (a SqlFloat32Array) MarshalJSON() ([]byte, error) {
+	if !a.Valid {
+		return []byte("null"), nil
+	}
+	return json.Marshal(a.Val)
+}
+
+func (a *SqlFloat32Array) UnmarshalJSON(b []byte) error {
+	if strings.TrimSpace(string(b)) == "null" {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var vals []float32
+	if err := json.Unmarshal(b, &vals); err != nil {
+		return err
+	}
+	a.Val = vals
+	a.Valid = true
+	return nil
+}
+
+func NewSqlFloat32Array(v []float32) SqlFloat32Array {
+	return SqlFloat32Array{Val: v, Valid: true}
+}
+
+// ── SqlFloat64Array ──────────────────────────────────────────────────────────
+
+type SqlFloat64Array struct {
+	Val   []float64
+	Valid bool
+}
+
+func (a *SqlFloat64Array) Scan(value any) error {
+	if value == nil {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var s string
+	switch v := value.(type) {
+	case string:
+		s = v
+	case []byte:
+		s = string(v)
+	default:
+		return fmt.Errorf("SqlFloat64Array: cannot scan type %T", value)
+	}
+	elems, err := parsePostgresArrayElements(s)
+	if err != nil {
+		return err
+	}
+	a.Val = make([]float64, len(elems))
+	for i, e := range elems {
+		f, err := strconv.ParseFloat(strings.TrimSpace(e), 64)
+		if err != nil {
+			return fmt.Errorf("SqlFloat64Array: element %d %q: %w", i, e, err)
+		}
+		a.Val[i] = f
+	}
+	a.Valid = true
+	return nil
+}
+
+func (a SqlFloat64Array) Value() (driver.Value, error) {
+	if !a.Valid {
+		return nil, nil
+	}
+	parts := make([]string, len(a.Val))
+	for i, v := range a.Val {
+		parts[i] = strconv.FormatFloat(v, 'f', -1, 64)
+	}
+	return "{" + strings.Join(parts, ",") + "}", nil
+}
+
+func (a SqlFloat64Array) MarshalJSON() ([]byte, error) {
+	if !a.Valid {
+		return []byte("null"), nil
+	}
+	return json.Marshal(a.Val)
+}
+
+func (a *SqlFloat64Array) UnmarshalJSON(b []byte) error {
+	if strings.TrimSpace(string(b)) == "null" {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var vals []float64
+	if err := json.Unmarshal(b, &vals); err != nil {
+		return err
+	}
+	a.Val = vals
+	a.Valid = true
+	return nil
+}
+
+func NewSqlFloat64Array(v []float64) SqlFloat64Array {
+	return SqlFloat64Array{Val: v, Valid: true}
+}
+
+// ── SqlBoolArray ─────────────────────────────────────────────────────────────
+
+type SqlBoolArray struct {
+	Val   []bool
+	Valid bool
+}
+
+func (a *SqlBoolArray) Scan(value any) error {
+	if value == nil {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var s string
+	switch v := value.(type) {
+	case string:
+		s = v
+	case []byte:
+		s = string(v)
+	default:
+		return fmt.Errorf("SqlBoolArray: cannot scan type %T", value)
+	}
+	elems, err := parsePostgresArrayElements(s)
+	if err != nil {
+		return err
+	}
+	a.Val = make([]bool, len(elems))
+	for i, e := range elems {
+		e = strings.ToLower(strings.TrimSpace(e))
+		a.Val[i] = e == "t" || e == "true" || e == "1" || e == "yes"
+	}
+	a.Valid = true
+	return nil
+}
+
+func (a SqlBoolArray) Value() (driver.Value, error) {
+	if !a.Valid {
+		return nil, nil
+	}
+	parts := make([]string, len(a.Val))
+	for i, v := range a.Val {
+		if v {
+			parts[i] = "t"
+		} else {
+			parts[i] = "f"
+		}
+	}
+	return "{" + strings.Join(parts, ",") + "}", nil
+}
+
+func (a SqlBoolArray) MarshalJSON() ([]byte, error) {
+	if !a.Valid {
+		return []byte("null"), nil
+	}
+	return json.Marshal(a.Val)
+}
+
+func (a *SqlBoolArray) UnmarshalJSON(b []byte) error {
+	if strings.TrimSpace(string(b)) == "null" {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var vals []bool
+	if err := json.Unmarshal(b, &vals); err != nil {
+		return err
+	}
+	a.Val = vals
+	a.Valid = true
+	return nil
+}
+
+func NewSqlBoolArray(v []bool) SqlBoolArray {
+	return SqlBoolArray{Val: v, Valid: true}
+}
+
+// ── SqlUUIDArray ─────────────────────────────────────────────────────────────
+
+type SqlUUIDArray struct {
+	Val   []uuid.UUID
+	Valid bool
+}
+
+func (a *SqlUUIDArray) Scan(value any) error {
+	if value == nil {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var s string
+	switch v := value.(type) {
+	case string:
+		s = v
+	case []byte:
+		s = string(v)
+	default:
+		return fmt.Errorf("SqlUUIDArray: cannot scan type %T", value)
+	}
+	elems, err := parsePostgresArrayElements(s)
+	if err != nil {
+		return err
+	}
+	a.Val = make([]uuid.UUID, len(elems))
+	for i, e := range elems {
+		u, err := uuid.Parse(strings.TrimSpace(e))
+		if err != nil {
+			return fmt.Errorf("SqlUUIDArray: element %d %q: %w", i, e, err)
+		}
+		a.Val[i] = u
+	}
+	a.Valid = true
+	return nil
+}
+
+func (a SqlUUIDArray) Value() (driver.Value, error) {
+	if !a.Valid {
+		return nil, nil
+	}
+	parts := make([]string, len(a.Val))
+	for i, v := range a.Val {
+		parts[i] = v.String()
+	}
+	return "{" + strings.Join(parts, ",") + "}", nil
+}
+
+func (a SqlUUIDArray) MarshalJSON() ([]byte, error) {
+	if !a.Valid {
+		return []byte("null"), nil
+	}
+	return json.Marshal(a.Val)
+}
+
+func (a *SqlUUIDArray) UnmarshalJSON(b []byte) error {
+	if strings.TrimSpace(string(b)) == "null" {
+		a.Valid = false
+		a.Val = nil
+		return nil
+	}
+	var vals []uuid.UUID
+	if err := json.Unmarshal(b, &vals); err != nil {
+		return err
+	}
+	a.Val = vals
+	a.Valid = true
+	return nil
+}
+
+func NewSqlUUIDArray(v []uuid.UUID) SqlUUIDArray {
+	return SqlUUIDArray{Val: v, Valid: true}
+}
+
+// ── SqlVector ────────────────────────────────────────────────────────────────
+
+// SqlVector is a nullable pgvector `vector` type backed by []float32.
+// Wire format: `[1.0,2.0,3.0]` (square brackets, comma-separated floats).
+type SqlVector struct {
+	Val   []float32
+	Valid bool
+}
+
+func (v *SqlVector) Scan(value any) error {
+	if value == nil {
+		v.Valid = false
+		v.Val = nil
+		return nil
+	}
+	var s string
+	switch val := value.(type) {
+	case string:
+		s = val
+	case []byte:
+		s = string(val)
+	default:
+		return fmt.Errorf("SqlVector: cannot scan type %T", value)
+	}
+	s = strings.TrimSpace(s)
+	if !strings.HasPrefix(s, "[") || !strings.HasSuffix(s, "]") {
+		return fmt.Errorf("SqlVector: not a valid vector literal: %q", s)
+	}
+	inner := s[1 : len(s)-1]
+	if inner == "" {
+		v.Val = []float32{}
+		v.Valid = true
+		return nil
+	}
+	parts := strings.Split(inner, ",")
+	v.Val = make([]float32, len(parts))
+	for i, p := range parts {
+		f, err := strconv.ParseFloat(strings.TrimSpace(p), 32)
+		if err != nil {
+			return fmt.Errorf("SqlVector: element %d %q: %w", i, p, err)
+		}
+		v.Val[i] = float32(f)
+	}
+	v.Valid = true
+	return nil
+}
+
+func (v SqlVector) Value() (driver.Value, error) {
+	if !v.Valid {
+		return nil, nil
+	}
+	parts := make([]string, len(v.Val))
+	for i, f := range v.Val {
+		parts[i] = strconv.FormatFloat(float64(f), 'f', -1, 32)
+	}
+	return "[" + strings.Join(parts, ",") + "]", nil
+}
+
+func (v SqlVector) MarshalJSON() ([]byte, error) {
+	if !v.Valid {
+		return []byte("null"), nil
+	}
+	return json.Marshal(v.Val)
+}
+
+func (v *SqlVector) UnmarshalJSON(b []byte) error {
+	if strings.TrimSpace(string(b)) == "null" {
+		v.Valid = false
+		v.Val = nil
+		return nil
+	}
+	var vals []float32
+	if err := json.Unmarshal(b, &vals); err != nil {
+		return err
+	}
+	v.Val = vals
+	v.Valid = true
+	return nil
+}
+
+func NewSqlVector(val []float32) SqlVector {
+	return SqlVector{Val: val, Valid: true}
+}

pkg/websocketspec/handler.go

@@ -3,6 +3,7 @@ package websocketspec
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"reflect"
@@ -17,6 +18,17 @@ import (
 	"github.com/bitechdev/ResolveSpec/pkg/reflection"
 )
 
+// newErrorResponseFromErr creates an error response from a Go error, including the SQL
+// query in the error info when the error is a database SQLError.
+func newErrorResponseFromErr(id, code string, err error) *ResponseMessage {
+	resp := NewErrorResponse(id, code, err.Error())
+	var sqlErr *common.SQLError
+	if errors.As(err, &sqlErr) {
+		resp.Error.SQL = sqlErr.SQL
+	}
+	return resp
+}
+
 // Handler handles WebSocket connections and messages
 type Handler struct {
 	db                  common.Database
@@ -174,6 +186,7 @@ func (h *Handler) handleRequest(conn *Connection, msg *Message) {
 		Options:    msg.Options,
 		ID:         recordID,
 		Data:       msg.Data,
+		Tx:         h.db,
 		Metadata:   make(map[string]interface{}),
 	}
 
@@ -235,7 +248,7 @@ func (h *Handler) handleRead(conn *Connection, msg *Message, hookCtx *HookContex
 
 	if err != nil {
 		logger.Error("[WebSocketSpec] Read operation failed: %v", err)
-		errResp := NewErrorResponse(msg.ID, "read_error", err.Error())
+		errResp := newErrorResponseFromErr(msg.ID, "read_error", err)
 		_ = conn.SendJSON(errResp)
 		return
 	}
@@ -271,7 +284,7 @@ func (h *Handler) handleCreate(conn *Connection, msg *Message, hookCtx *HookCont
 	data, err := h.create(hookCtx)
 	if err != nil {
 		logger.Error("[WebSocketSpec] Create operation failed: %v", err)
-		errResp := NewErrorResponse(msg.ID, "create_error", err.Error())
+		errResp := newErrorResponseFromErr(msg.ID, "create_error", err)
 		_ = conn.SendJSON(errResp)
 		return
 	}
@@ -309,7 +322,7 @@ func (h *Handler) handleUpdate(conn *Connection, msg *Message, hookCtx *HookCont
 	data, err := h.update(hookCtx)
 	if err != nil {
 		logger.Error("[WebSocketSpec] Update operation failed: %v", err)
-		errResp := NewErrorResponse(msg.ID, "update_error", err.Error())
+		errResp := newErrorResponseFromErr(msg.ID, "update_error", err)
 		_ = conn.SendJSON(errResp)
 		return
 	}
@@ -347,7 +360,7 @@ func (h *Handler) handleDelete(conn *Connection, msg *Message, hookCtx *HookCont
 	err := h.delete(hookCtx)
 	if err != nil {
 		logger.Error("[WebSocketSpec] Delete operation failed: %v", err)
-		errResp := NewErrorResponse(msg.ID, "delete_error", err.Error())
+		errResp := newErrorResponseFromErr(msg.ID, "delete_error", err)
 		_ = conn.SendJSON(errResp)
 		return
 	}

pkg/websocketspec/handler_test.go

@@ -239,6 +239,11 @@ func (m *MockInsertQuery) Exec(ctx context.Context) (common.Result, error) {
 	return args.Get(0).(common.Result), args.Error(1)
 }
 
+func (m *MockInsertQuery) Scan(ctx context.Context, dest interface{}) error {
+	args := m.Called(ctx, dest)
+	return args.Error(0)
+}
+
 // MockUpdateQuery is a mock implementation of common.UpdateQuery
 type MockUpdateQuery struct {
 	mock.Mock

pkg/websocketspec/hooks.go

@@ -111,6 +111,9 @@ type HookContext struct {
 	AbortMessage string // Message to return if aborted
 	AbortCode    int    // HTTP status code if aborted
 
+	// Tx provides access to the database/transaction for executing additional SQL
+	Tx common.Database
+
 	// Metadata is additional context data
 	Metadata map[string]interface{}
 }

pkg/websocketspec/message.go

@@ -99,6 +99,9 @@ type ErrorInfo struct {
 
 	// Details contains additional error context
 	Details map[string]interface{} `json:"details,omitempty"`
+
+	// SQL is the query that caused the error, populated for database errors
+	SQL string `json:"sql,omitempty"`
 }
 
 // RequestMessage represents a client request

todo.md

@@ -92,6 +92,7 @@ See [`resolvespec-python/todo.md`](./resolvespec-python/todo.md) for detailed Py
 
 - [ ] Long preload alias names may exceed PostgreSQL identifier limit
 - [ ] Some edge cases in computed column handling
+- [ ] `GormResult.LastInsertId()` (`pkg/common/adapters/database/gorm.go:936`) always returns `0, nil` — GORM does not expose last insert ID via `sql.Result` for most dialects. Auto-generated IDs from GORM inserts are not propagated back through `LastInsertId`, which breaks the ID-retrieval path in `recursive_crud.go`. Fix: read the ID back from the model struct after `Create()` using reflection, or use GORM's `Statement.LastInsertId`.
 
 ---