refactor: convert private fields to native #private

[B4nan]

Summary

• Replace TypeScript private _fieldName with native JS #fieldName for true runtime privacy enforcement
• QueryBuilder: 27 fields converted, clone() rewritten to explicitly copy # fields (invisible to Object.keys()), added @internal getters for _joins, _tptAlias, _aliasCounter (cross-class access)
• Collection: _count, _property, _populated → #count, #property, #populated
• EntityManager: _schema → #schema
• External callers (AbstractSqlDriver, MariaDbQueryBuilder, TransactionManager) updated to use public getters/API instead of as any casts
• Tests updated to use public API (shouldPopulate(), _aliasCounter getter)

Notes

• Stacked on refactor/protected-to-private
• Native # private fields had a V8 perf issue that was fixed in V8 v11.x (Node 21+); no overhead on Node 22+
• # fields are class-scoped (cross-instance access works within the class body), so clone() can access qb.#field directly

Test plan

• Full test suite (5220/5220 passing)
• yarn build passes
• yarn lint passes (0 errors)
• yarn tsc-check-tests passes

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 99.94135% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 99.68%. Comparing base (17ec4f5) to head (6800f23).
⚠️ Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
packages/sql/src/query/QueryBuilderHelper.ts	98.80%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##           master    #7256    +/-   ##
========================================
  Coverage   99.68%   99.68%            
========================================
  Files         261      261            
  Lines       25068    25110    +42     
  Branches     6797     6982   +185     
========================================
+ Hits        24988    25031    +43     
+ Misses         77       76     -1     
  Partials        3        3            

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

In general terms, the problem is that denormalizePrimaryKey writes to and deletes from a plain object (data) using computed property names (pk.name and spk.name). To prevent prototype pollution, we should ensure that these names are not dangerous special keys like "__proto__", "constructor", or "prototype" before using them as object keys. If they are dangerous, we should skip the denormalization logic for those keys.

The best minimally-invasive fix is to add a small internal guard function in EntityFactory that checks whether a property name is safe to use as an object key, and then use this check in denormalizePrimaryKey before accessing data[pk.name] and data[spk.name]. Specifically, in packages/core/src/entity/EntityFactory.ts:

1. Add a private helper method inside EntityFactory (near other private helpers like processDiscriminatorColumn and denormalizePrimaryKey):

private isSafePropertyKey(key: string | number | symbol): boolean {
  if (typeof key !== 'string') {
    return true;
  }
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

2. Update denormalizePrimaryKey so that before reading or writing data[pk.name] or data[spk.name], it verifies that both pk.name and spk.name are safe via isSafePropertyKey. If either is unsafe, immediately return without modifying data. This prevents any direct or indirect library/user control from ever writing to those special properties on plain objects, while leaving all existing behavior unchanged for normal keys like "id".

No changes are required in Reference.ts beyond what is already present; Reference.unwrapReference only passes through data, and the hardened denormalizePrimaryKey will now safely handle any keys it encounters.

Implementation details:

• All edits occur in packages/core/src/entity/EntityFactory.ts, within the shown class.
• No existing imports or external dependencies need to change; we only add a new private method and adjust an if condition.
• The logic in denormalizePrimaryKey remains the same except for the added safety check; thus, existing functionality for legitimate entity definitions is preserved.

---