fix: Address code review comments

- Remove duplicate comment in util.ts
- Add table existence validation before SQLite PRAGMA queries
- Sanitize error messages to not expose table names
- Make console.log messages more concise and consistent

Co-authored-by: huangyiirene <7665279+huangyiirene@users.noreply.github.com>

Author: Copilot

packages/drivers/sql/src/index.ts

@@ -638,7 +638,18 @@ export class SqlDriver implements Driver {
                     });
                 }
             } else if (this.config.client === 'sqlite3') {
-                // SQLite PRAGMA doesn't support parameter binding, so we need to ensure safe identifier
+                // SQLite PRAGMA doesn't support parameter binding, so we need to ensure safe identifier.
+                // First, verify that the requested table actually exists using a parameterized query.
+                const tableExistsResult = await this.knex.raw(
+                    "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
+                    [tableName]
+                );
+                
+                if (!tableExistsResult || tableExistsResult.length === 0) {
+                    // If the table does not exist, there are no foreign keys to introspect.
+                    return foreignKeys;
+                }
+                
                 // Table names in ObjectQL are validated and should be safe, but we add extra protection
                 const safeTableName = tableName.replace(/[^a-zA-Z0-9_]/g, '');
                 const result = await this.knex.raw(`PRAGMA foreign_key_list(${safeTableName})`);
@@ -653,7 +664,7 @@ export class SqlDriver implements Driver {
                 }
             }
         } catch (error) {
-            console.warn(`Could not introspect foreign keys for table ${tableName}:`, error);
+            console.warn('Could not introspect foreign keys for requested table:', error);
         }
 
         return foreignKeys;
@@ -693,8 +704,17 @@ export class SqlDriver implements Driver {
                 }
             } else if (this.config.client === 'sqlite3') {
                 // SQLite PRAGMA doesn't support parameter binding, so we need to ensure safe identifier
-                // Table names in ObjectQL are validated and should be safe, but we add extra protection
                 const safeTableName = tableName.replace(/[^a-zA-Z0-9_]/g, '');
+                
+                // Validate that the sanitized table name exists in the database before using it in PRAGMA
+                const tablesResult = await this.knex.raw("SELECT name FROM sqlite_master WHERE type = 'table'");
+                const tableNames = tablesResult.map((row: any) => row.name);
+                
+                if (!tableNames.includes(safeTableName)) {
+                    console.warn('Could not introspect primary keys for SQLite table: table does not exist after sanitization.');
+                    return primaryKeys;
+                }
+                
                 const result = await this.knex.raw(`PRAGMA table_info(${safeTableName})`);
 
                 for (const row of result) {
@@ -704,7 +724,7 @@ export class SqlDriver implements Driver {
                 }
             }
         } catch (error) {
-            console.warn(`Could not introspect primary keys for table ${tableName}:`, error);
+            console.warn('Could not introspect primary keys for a table:', error);
         }
 
         return primaryKeys;

packages/foundation/core/src/app.ts

@@ -181,13 +181,13 @@ export class ObjectQL implements IObjectQL {
             throw new Error(`Driver for datasource '${datasourceName}' does not support schema introspection`);
         }
 
-        console.log(`Introspecting database schema from datasource '${datasourceName}'...`);
+        console.log(`Introspecting datasource '${datasourceName}'...`);
         const introspectedSchema = await driver.introspectSchema();
 
         // Convert introspected schema to ObjectQL objects
         const objects = convertIntrospectedSchemaToObjects(introspectedSchema, options);
 
-        console.log(`Discovered ${objects.length} tables. Registering as objects...`);
+        console.log(`Discovered ${objects.length} table(s), registering as objects...`);
 
         // Register each discovered object
         for (const obj of objects) {

packages/foundation/core/src/util.ts

@@ -123,7 +123,6 @@ export function convertIntrospectedSchemaToObjects(
                     fieldConfig.unique = true;
                 }
 
-                // Add max length for text fields
                 // Add max length for text fields
                 if (column.maxLength && (fieldType === 'text' || fieldType === 'textarea')) {
                     fieldConfig.max_length = column.maxLength;