fix: force SQL operator precedence in pagination v2 to ensure nid isolation

GitOrigin-RevId: 451cbe6c4322222e36c182b4f7c1ff6cb9396dde

.reports/dep-licenses.csv

@@ -4,6 +4,5 @@
 "github.com/ory/x","Apache-2.0"
 "github.com/stretchr/testify","MIT"
 "go.opentelemetry.io/otel/sdk","Apache-2.0"
-"go.opentelemetry.io/otel/sdk","BSD-3-Clause"
 "golang.org/x/text","BSD-3-Clause"
 

oryx/pagination/keysetpagination_v2/query_builder.go

@@ -41,6 +41,13 @@ func Paginate[I any](p *Paginator) pop.ScopeFunc {
 			return quote(tableName) + "." + quote(name)
 		}
 		where, args, order := BuildWhereAndOrder(p.PageToken().Columns(), quoteAndContextualize)
+		// IMPORTANT: Ensures correct query logic by grouping conditions.
+		// Without parentheses, `WHERE otherCond AND pageCond1 OR pageCond2` would be
+		// evaluated as `(otherCond = ? AND pageCond1) OR pageCond2`, potentially returning
+		// rows that do not match `otherCond`.
+		// We fix it by forcing the query to be: `WHERE otherCond AND (paginationCond1 OR paginationCond2)`.
+		where = "(" + where + ")"
+
 		return q.
 			Where(where, args...).
 			Order(order).

oryx/safecast/safecast.go

@@ -1,3 +1,6 @@
+// Copyright © 2025 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
 package safecast
 
 import "math"