fix: orm interfaces findX #1026

Open
yyyyaaa wants to merge 8 commits into main from fix/orm-interfaces-findx-752

@yyyyaaa
Contributor

@yyyyaaa yyyyaaa commented Apr 25, 2026

fixes https://github.com/constructive-io/constructive-planning/issues/752

ORM model interfaces (the core fix)

findFirst — single object return ✓
    findFirst(
      args: FindFirstArgs<S, UserFilter, UserOrderBy> & { select: S } & StrictSelect<S, UserSelect>
    ): QueryBuilder<{
      user: InferSelectResult<UserWithRelations, S> | null; // ← singular, was array
    }>
With transform callback: (data) => ({ user: data.users?.nodes?.[0] ?? null })

findOne — single object return ✓
Same { user: ... | null } shape as findFirst, using buildFindManyDocument with where: { id: { equalTo: args.id } }, first: 1.

Coverage across SDKs (constructive-sdk only — others mirror)

  • findFirst<...> declarations: 168 (auth: 9, objects: 5, admin: 34, public: 120)
  • Unique singular { xxx: InferSelectResult<XxxWithRelations, S> | null } return shapes: 120 distinct entities
  • Regression check: 0 instances of findFirst returning an array

FindFirstArgs interface (in generated select-types.ts)

    export interface FindFirstArgs<TSelect, TWhere, TOrderBy = never> {
      select?: TSelect;
      where?: TWhere;
      orderBy?: TOrderBy[]; // ← new orderBy support
    }

CLI (sdk/constructive-cli)

  • Help text includes --orderBy under "Find-First Options" (verified user.ts and others)
  • handleFindFirst calls parseFindFirstArgs<FindFirstArgs<UserSelect, UserFilter, UserOrderBy>>(argv, defaultSelect)

React hooks (sdk/constructive-react)

  • useUserQuery returns UseQueryResult<{ user: InferSelectResult<UserWithRelations, S> | null }>
  • Delegates to getClient().user.findOne(...) — picks up the new singular shape transparently
  • fetchUserQuery and prefetchUserQuery mirror the same contract

migrate-client SDK

Same pattern verified on SqlAction.findFirst — returns { sqlAction: ... | null } with SqlActionOrderBy type param.

Build + typecheck (already done)

  • All 4 SDKs build clean
  • tsc --noEmit passes with zero errors on all 4 SDKs
  • 306 codegen tests pass, 119 snapshots green

@yyyyaaa yyyyaaa requested a review from pyramation April 25, 2026 06:06
@pyramation
Contributor

nice is this ready to review?

@yyyyaaa
Contributor Author

yyyyaaa commented Apr 28, 2026

yep, pr ready

@pyramation
Contributor

out of curiosity, breaking changes? so we'll need to change FE before we do this one?

@yyyyaaa yyyyaaa force-pushed the fix/orm-interfaces-findx-752 branch from 474d2e0 to 815edac May 8, 2026 03:48

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn Critical
Critical CVE: Handlebars.js has JavaScript Injection via AST Type Confusion

CVE: GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion (CRITICAL)

Affected versions: >= 4.0.0 < 4.7.9

Patched version: 4.7.9

From: pnpm-lock.yaml → npm/handlebars@4.7.8

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.7.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: pnpm-lock.yaml → npm/entities@4.5.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm entities is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: pnpm-lock.yaml → npm/entities@6.0.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@6.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm markdown-it is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: pnpm-lock.yaml → npm/markdown-it@14.1.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/markdown-it@14.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
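
A way to re-check the Handlebars alert above after regenerating the lockfile, as an added example that is not part of this PR or of Socket's report: it reads pnpm-lock.yaml package keys and flags resolved versions inside the advisory range quoted in the alert (>= 4.0.0 < 4.7.9). The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. Advisory range copied from the alert above (GHSA-2w6w-674q-4c4q).
const ADVISORY = { pkg: "handlebars", introduced: "4.0.0", fixed: "4.7.9" };

// Compare plain x.y.z versions numerically (string comparison would misorder 4.10.0).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when introduced <= version < fixed.
function isAffected(version, adv) {
  return compareVersions(version, adv.introduced) >= 0 &&
    compareVersions(version, adv.fixed) < 0;
}

// Collect resolved versions of `pkg` from pnpm-lock.yaml package keys.
// Accepts "name@1.2.3:", "/name@1.2.3:" and the older "/name/1.2.3:", quoted or
// not, with an optional peer suffix such as "(react@18.2.0)". Pre-release tags
// are ignored, and look-alike names (handlebars-loader) do not match.
function resolvedVersions(lockText, pkg) {
  const esc = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const key = new RegExp(
    `^[ \\t]+['"]?/?${esc}[@/](\\d+\\.\\d+\\.\\d+)[^:\\n]*:[ \\t]*$`, "gm");
  const found = new Set();
  for (const m of lockText.matchAll(key)) found.add(m[1]);
  return [...found].sort(compareVersions);
}

function auditLockfile(lockText, adv) {
  return resolvedVersions(lockText, adv.pkg)
    .map((version) => ({ version, affected: isAffected(version, adv) }));
}

// Constructed sample (not the repository's real lockfile); key styles from
// different lockfile versions are mixed on purpose to exercise the matcher.
const SAMPLE_LOCK = [
  "packages:",
  "  handlebars@4.7.8:",
  "    resolution: {integrity: sha512-CONSTRUCTED}",
  "  handlebars-loader@1.7.3:",
  "  /handlebars@4.7.9:",
].join("\n");

console.log(auditLockfile(SAMPLE_LOCK, ADVISORY));
```

Run against the real file by passing `require("fs").readFileSync("pnpm-lock.yaml", "utf8")` as `lockText`; any entry with `affected: true` means an override or upgrade has not taken effect yet.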
