@classytic/mongokit 3.0.2 → 3.0.4

package/dist/actions/index.d.ts

@@ -1,3 +1,3 @@
-export { a as aggregate, c as create, _ as deleteActions, r as read, u as update } from '../index-CMCrkd2v.js';
+export { a as aggregate, c as create, _ as deleteActions, r as read, u as update } from '../index-wXrOSYWG.js';
 import 'mongoose';
-import '../types-B3dPUKjs.js';
+import '../types-DAl69QgM.js';

package/dist/{index-CMCrkd2v.d.ts → index-wXrOSYWG.d.ts}

@@ -1,5 +1,5 @@
 import { Model, ClientSession, PipelineStage } from 'mongoose';
-import { A as AnyDocument, C as CreateOptions, f as ObjectId, n as OperationOptions, S as SelectSpec, g as PopulateSpec, h as SortSpec, U as UpdateOptions, p as UpdateWithValidationResult, o as UpdateManyResult, D as DeleteResult, N as GroupResult, M as LookupOptions, Q as MinMaxResult } from './types-B3dPUKjs.js';
+import { A as AnyDocument, C as CreateOptions, f as ObjectId, n as OperationOptions, S as SelectSpec, g as PopulateSpec, h as SortSpec, U as UpdateOptions, p as UpdateWithValidationResult, o as UpdateManyResult, D as DeleteResult, W as GroupResult, T as LookupOptions, X as MinMaxResult } from './types-DAl69QgM.js';
 
 /**
  * Create Actions

package/dist/index.d.ts

@@ -1,11 +1,11 @@
-import { A as AnyDocument, e as PluginType, P as PaginationConfig, R as RepositoryOptions, f as ObjectId, S as SelectSpec, g as PopulateSpec, h as SortSpec, a as OffsetPaginationResult, b as KeysetPaginationResult, U as UpdateOptions, d as AggregatePaginationResult, i as RepositoryContext, H as HttpError } from './types-B3dPUKjs.js';
-export { c as AggregatePaginationOptions, j as AnyModel, T as CacheAdapter, X as CacheOperationOptions, W as CacheOptions, Y as CacheStats, _ as CascadeOptions, Z as CascadeRelation, C as CreateOptions, y as CrudSchemas, z as DecodedCursor, D as DeleteResult, E as EventPayload, F as FieldPreset, w as FieldRules, N as GroupResult, l as HookMode, J as JsonSchema, K as KeysetPaginationOptions, L as Logger, M as LookupOptions, Q as MinMaxResult, O as OffsetPaginationOptions, n as OperationOptions, m as PaginationResult, v as ParsedQuery, r as Plugin, s as PluginFunction, u as RepositoryEvent, t as RepositoryInstance, x as SchemaBuilderOptions, I as SoftDeleteOptions, k as SortDirection, o as UpdateManyResult, p as UpdateWithValidationResult, q as UserContext, G as ValidationChainOptions, V as ValidationResult, B as ValidatorDefinition } from './types-B3dPUKjs.js';
+import { A as AnyDocument, e as PluginType, P as PaginationConfig, R as RepositoryOptions, f as ObjectId, S as SelectSpec, g as PopulateSpec, h as SortSpec, a as OffsetPaginationResult, b as KeysetPaginationResult, U as UpdateOptions, d as AggregatePaginationResult, i as RepositoryContext, H as HttpError } from './types-DAl69QgM.js';
+export { c as AggregatePaginationOptions, j as AnyModel, Y as CacheAdapter, _ as CacheOperationOptions, Z as CacheOptions, $ as CacheStats, a1 as CascadeOptions, a0 as CascadeRelation, C as CreateOptions, z as CrudSchemas, B as DecodedCursor, D as DeleteResult, E as EventPayload, F as FieldPreset, x as FieldRules, w as FilterQuery, W as GroupResult, l as HookMode, J as JsonSchema, K as KeysetPaginationOptions, L as Logger, T as LookupOptions, X as MinMaxResult, O as OffsetPaginationOptions, n as OperationOptions, m as PaginationResult, v as ParsedQuery, r as Plugin, s as PluginFunction, u as RepositoryEvent, t as RepositoryInstance, y as SchemaBuilderOptions, N as SoftDeleteFilterMode, M as SoftDeleteOptions, Q as SoftDeleteRepository, k as SortDirection, o as UpdateManyResult, p as UpdateWithValidationResult, q as UserContext, I as ValidationChainOptions, V as ValidationResult, G as ValidatorDefinition } from './types-DAl69QgM.js';
 import * as mongoose from 'mongoose';
 import { Model, ClientSession, PipelineStage, PopulateOptions } from 'mongoose';
 import { PaginationEngine } from './pagination/PaginationEngine.js';
 export { aggregateHelpersPlugin, auditLogPlugin, autoInject, batchOperationsPlugin, blockIf, cachePlugin, cascadePlugin, fieldFilterPlugin, immutableField, methodRegistryPlugin, mongoOperationsPlugin, requireField, softDeletePlugin, subdocumentPlugin, timestampPlugin, uniqueField, validationChainPlugin } from './plugins/index.js';
-export { b as createError, c as createFieldPreset, d as createMemoryCache, f as filterResponseData, g as getFieldsForUser, a as getMongooseProjection } from './memory-cache-Bn_-Kk-0.js';
-export { i as actions } from './index-CMCrkd2v.js';
+export { F as FilterValue, O as OperatorMap, Q as QueryParser, h as QueryParserOptions, b as createError, c as createFieldPreset, d as createMemoryCache, f as filterResponseData, g as getFieldsForUser, a as getMongooseProjection, e as queryParser } from './queryParser-Bek4yy3x.js';
+export { i as actions } from './index-wXrOSYWG.js';
 
 /**
  * Repository Pattern - Data Access Layer
@@ -46,7 +46,7 @@ declare class Repository<TDoc = AnyDocument> {
     readonly _pagination: PaginationEngine<TDoc>;
     private readonly _hookMode;
     [key: string]: unknown;
-    constructor(Model: Model<TDoc>, plugins?: PluginType[], paginationConfig?: PaginationConfig, options?: RepositoryOptions);
+    constructor(Model: Model<TDoc, any, any, any>, plugins?: PluginType[], paginationConfig?: PaginationConfig, options?: RepositoryOptions);
     /**
      * Register a plugin
      */
@@ -236,6 +236,6 @@ declare class Repository<TDoc = AnyDocument> {
  * @example
  * const userRepo = createRepository(UserModel, [timestampPlugin()]);
  */
-declare function createRepository<TDoc>(Model: mongoose.Model<TDoc>, plugins?: PluginType[], paginationConfig?: PaginationConfig, options?: RepositoryOptions): Repository<TDoc>;
+declare function createRepository<TDoc>(Model: mongoose.Model<TDoc, any, any, any>, plugins?: PluginType[], paginationConfig?: PaginationConfig, options?: RepositoryOptions): Repository<TDoc>;
 
 export { AggregatePaginationResult, AnyDocument, HttpError, KeysetPaginationResult, ObjectId, OffsetPaginationResult, PaginationConfig, PaginationEngine, PluginType, PopulateSpec, Repository, RepositoryContext, RepositoryOptions, SelectSpec, SortSpec, UpdateOptions, createRepository, Repository as default };

package/dist/index.js

@@ -643,6 +643,7 @@ var PaginationEngine = class {
    * @param Model - Mongoose model to paginate
    * @param config - Pagination configuration
    */
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   constructor(Model, config = {}) {
     this.Model = Model;
     this.config = {
@@ -1000,7 +1001,7 @@ var Repository = class {
     const hasCursorParam = "cursor" in params || "after" in params;
     const hasExplicitSort = params.sort !== void 0;
     const useKeyset = !hasPageParam && (hasCursorParam || hasExplicitSort);
-    const filters = params.filters || {};
+    const filters = context.filters || params.filters || {};
     const search = params.search;
     const sort = params.sort || "-createdAt";
     const limit = params.limit || params.pagination?.limit || this._pagination.config.defaultLimit;
@@ -1328,12 +1329,45 @@ function auditLogPlugin(logger) {
 }
 
 // src/plugins/soft-delete.plugin.ts
+function buildDeletedFilter(deletedField, filterMode, includeDeleted) {
+  if (includeDeleted) {
+    return {};
+  }
+  if (filterMode === "exists") {
+    return { [deletedField]: { $exists: false } };
+  }
+  return { [deletedField]: null };
+}
+function buildGetDeletedFilter(deletedField, filterMode) {
+  if (filterMode === "exists") {
+    return { [deletedField]: { $exists: true, $ne: null } };
+  }
+  return { [deletedField]: { $ne: null } };
+}
 function softDeletePlugin(options = {}) {
   const deletedField = options.deletedField || "deletedAt";
   const deletedByField = options.deletedByField || "deletedBy";
+  const filterMode = options.filterMode || "null";
+  const addRestoreMethod = options.addRestoreMethod !== false;
+  const addGetDeletedMethod = options.addGetDeletedMethod !== false;
+  const ttlDays = options.ttlDays;
   return {
     name: "softDelete",
     apply(repo) {
+      if (ttlDays !== void 0 && ttlDays > 0) {
+        const ttlSeconds = ttlDays * 24 * 60 * 60;
+        repo.Model.collection.createIndex(
+          { [deletedField]: 1 },
+          {
+            expireAfterSeconds: ttlSeconds,
+            partialFilterExpression: { [deletedField]: { $type: "date" } }
+          }
+        ).catch((err) => {
+          if (!err.message.includes("already exists")) {
+            console.warn(`[softDeletePlugin] Failed to create TTL index: ${err.message}`);
+          }
+        });
+      }
       repo.on("before:delete", async (context) => {
         if (options.soft !== false) {
           const updateData = {
@@ -1347,23 +1381,126 @@ function softDeletePlugin(options = {}) {
         }
       });
       repo.on("before:getAll", (context) => {
-        if (!context.includeDeleted && options.soft !== false) {
-          const queryParams = context.queryParams || {};
-          queryParams.filters = {
-            ...queryParams.filters || {},
-            [deletedField]: { $exists: false }
-          };
-          context.queryParams = queryParams;
+        if (options.soft !== false) {
+          const deleteFilter = buildDeletedFilter(deletedField, filterMode, !!context.includeDeleted);
+          if (Object.keys(deleteFilter).length > 0) {
+            const existingFilters = context.filters || {};
+            context.filters = {
+              ...existingFilters,
+              ...deleteFilter
+            };
+          }
         }
       });
       repo.on("before:getById", (context) => {
-        if (!context.includeDeleted && options.soft !== false) {
-          context.query = {
-            ...context.query || {},
-            [deletedField]: { $exists: false }
-          };
+        if (options.soft !== false) {
+          const deleteFilter = buildDeletedFilter(deletedField, filterMode, !!context.includeDeleted);
+          if (Object.keys(deleteFilter).length > 0) {
+            context.query = {
+              ...context.query || {},
+              ...deleteFilter
+            };
+          }
         }
       });
+      repo.on("before:getByQuery", (context) => {
+        if (options.soft !== false) {
+          const deleteFilter = buildDeletedFilter(deletedField, filterMode, !!context.includeDeleted);
+          if (Object.keys(deleteFilter).length > 0) {
+            context.query = {
+              ...context.query || {},
+              ...deleteFilter
+            };
+          }
+        }
+      });
+      if (addRestoreMethod) {
+        const restoreMethod = async function(id, restoreOptions = {}) {
+          const updateData = {
+            [deletedField]: null,
+            [deletedByField]: null
+          };
+          const result = await this.Model.findByIdAndUpdate(id, { $set: updateData }, {
+            new: true,
+            session: restoreOptions.session
+          });
+          if (!result) {
+            const error = new Error(`Document with id '${id}' not found`);
+            error.status = 404;
+            throw error;
+          }
+          await this.emitAsync("after:restore", { id, result });
+          return result;
+        };
+        if (typeof repo.registerMethod === "function") {
+          repo.registerMethod("restore", restoreMethod);
+        } else {
+          repo.restore = restoreMethod.bind(repo);
+        }
+      }
+      if (addGetDeletedMethod) {
+        const getDeletedMethod = async function(params = {}, getDeletedOptions = {}) {
+          const deletedFilter = buildGetDeletedFilter(deletedField, filterMode);
+          const combinedFilters = {
+            ...params.filters || {},
+            ...deletedFilter
+          };
+          const page = params.page || 1;
+          const limit = params.limit || 20;
+          const skip = (page - 1) * limit;
+          let sortSpec = { [deletedField]: -1 };
+          if (params.sort) {
+            if (typeof params.sort === "string") {
+              const sortOrder = params.sort.startsWith("-") ? -1 : 1;
+              const sortField = params.sort.startsWith("-") ? params.sort.substring(1) : params.sort;
+              sortSpec = { [sortField]: sortOrder };
+            } else {
+              sortSpec = params.sort;
+            }
+          }
+          let query = this.Model.find(combinedFilters).sort(sortSpec).skip(skip).limit(limit);
+          if (getDeletedOptions.session) {
+            query = query.session(getDeletedOptions.session);
+          }
+          if (getDeletedOptions.select) {
+            const selectValue = Array.isArray(getDeletedOptions.select) ? getDeletedOptions.select.join(" ") : getDeletedOptions.select;
+            query = query.select(selectValue);
+          }
+          if (getDeletedOptions.populate) {
+            const populateSpec = getDeletedOptions.populate;
+            if (typeof populateSpec === "string") {
+              query = query.populate(populateSpec.split(",").map((p) => p.trim()));
+            } else if (Array.isArray(populateSpec)) {
+              query = query.populate(populateSpec);
+            } else {
+              query = query.populate(populateSpec);
+            }
+          }
+          if (getDeletedOptions.lean !== false) {
+            query = query.lean();
+          }
+          const [docs, total] = await Promise.all([
+            query.exec(),
+            this.Model.countDocuments(combinedFilters)
+          ]);
+          const pages = Math.ceil(total / limit);
+          return {
+            method: "offset",
+            docs,
+            page,
+            limit,
+            total,
+            pages,
+            hasNext: page < pages,
+            hasPrev: page > 1
+          };
+        };
+        if (typeof repo.registerMethod === "function") {
+          repo.registerMethod("getDeleted", getDeletedMethod);
+        } else {
+          repo.getDeleted = getDeletedMethod.bind(repo);
+        }
+      }
     }
   };
 }
@@ -2277,6 +2414,321 @@ function createMemoryCache(maxEntries = 1e3) {
     }
   };
 }
+var QueryParser = class {
+  options;
+  operators = {
+    eq: "$eq",
+    ne: "$ne",
+    gt: "$gt",
+    gte: "$gte",
+    lt: "$lt",
+    lte: "$lte",
+    in: "$in",
+    nin: "$nin",
+    like: "$regex",
+    contains: "$regex",
+    regex: "$regex",
+    exists: "$exists",
+    size: "$size",
+    type: "$type"
+  };
+  /**
+   * Dangerous MongoDB operators that should never be accepted from user input
+   * Security: Prevent NoSQL injection attacks
+   */
+  dangerousOperators;
+  /**
+   * Regex pattern characters that can cause catastrophic backtracking (ReDoS)
+   */
+  dangerousRegexPatterns = /(\{[0-9,]+\}|\*\+|\+\+|\?\+|(\([^)]*\))\1|\(\?[^)]*\)|[\[\]].*[\[\]])/;
+  constructor(options = {}) {
+    this.options = {
+      maxRegexLength: options.maxRegexLength ?? 500,
+      maxSearchLength: options.maxSearchLength ?? 200,
+      maxFilterDepth: options.maxFilterDepth ?? 10,
+      additionalDangerousOperators: options.additionalDangerousOperators ?? []
+    };
+    this.dangerousOperators = [
+      "$where",
+      "$function",
+      "$accumulator",
+      "$expr",
+      ...this.options.additionalDangerousOperators
+    ];
+  }
+  /**
+   * Parse query parameters into MongoDB query format
+   */
+  parseQuery(query) {
+    const {
+      page,
+      limit = 20,
+      sort = "-createdAt",
+      populate,
+      search,
+      after,
+      cursor,
+      ...filters
+    } = query || {};
+    const parsed = {
+      filters: this._parseFilters(filters),
+      limit: parseInt(String(limit), 10),
+      sort: this._parseSort(sort),
+      populate,
+      search: this._sanitizeSearch(search)
+    };
+    if (after || cursor) {
+      parsed.after = after || cursor;
+    } else if (page !== void 0) {
+      parsed.page = parseInt(String(page), 10);
+    } else {
+      parsed.page = 1;
+    }
+    const orGroup = this._parseOr(query);
+    if (orGroup) {
+      parsed.filters = { ...parsed.filters, $or: orGroup };
+    }
+    parsed.filters = this._enhanceWithBetween(parsed.filters);
+    return parsed;
+  }
+  /**
+   * Parse sort parameter
+   * Converts string like '-createdAt' to { createdAt: -1 }
+   * Handles multiple sorts: '-createdAt,name' → { createdAt: -1, name: 1 }
+   */
+  _parseSort(sort) {
+    if (!sort) return void 0;
+    if (typeof sort === "object") return sort;
+    const sortObj = {};
+    const fields = sort.split(",").map((s) => s.trim());
+    for (const field of fields) {
+      if (field.startsWith("-")) {
+        sortObj[field.substring(1)] = -1;
+      } else {
+        sortObj[field] = 1;
+      }
+    }
+    return sortObj;
+  }
+  /**
+   * Parse standard filter parameter (filter[field]=value)
+   */
+  _parseFilters(filters) {
+    const parsedFilters = {};
+    const regexFields = {};
+    for (const [key, value] of Object.entries(filters)) {
+      if (this.dangerousOperators.includes(key) || key.startsWith("$") && !["$or", "$and"].includes(key)) {
+        console.warn(`[mongokit] Blocked dangerous operator: ${key}`);
+        continue;
+      }
+      if (["page", "limit", "sort", "populate", "search", "select", "lean", "includeDeleted"].includes(key)) {
+        continue;
+      }
+      const operatorMatch = key.match(/^(.+)\[(.+)\]$/);
+      if (operatorMatch) {
+        const [, , operator] = operatorMatch;
+        if (this.dangerousOperators.includes("$" + operator)) {
+          console.warn(`[mongokit] Blocked dangerous operator: ${operator}`);
+          continue;
+        }
+        this._handleOperatorSyntax(parsedFilters, regexFields, operatorMatch, value);
+        continue;
+      }
+      if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+        this._handleBracketSyntax(key, value, parsedFilters);
+      } else {
+        parsedFilters[key] = this._convertValue(value);
+      }
+    }
+    return parsedFilters;
+  }
+  /**
+   * Handle operator syntax: field[operator]=value
+   */
+  _handleOperatorSyntax(filters, regexFields, operatorMatch, value) {
+    const [, field, operator] = operatorMatch;
+    if (operator.toLowerCase() === "options" && regexFields[field]) {
+      const fieldValue = filters[field];
+      if (typeof fieldValue === "object" && fieldValue !== null && "$regex" in fieldValue) {
+        fieldValue.$options = value;
+      }
+      return;
+    }
+    if (operator.toLowerCase() === "contains" || operator.toLowerCase() === "like") {
+      const safeRegex = this._createSafeRegex(value);
+      if (safeRegex) {
+        filters[field] = { $regex: safeRegex };
+        regexFields[field] = true;
+      }
+      return;
+    }
+    const mongoOperator = this._toMongoOperator(operator);
+    if (this.dangerousOperators.includes(mongoOperator)) {
+      console.warn(`[mongokit] Blocked dangerous operator in field[${operator}]: ${mongoOperator}`);
+      return;
+    }
+    if (mongoOperator === "$eq") {
+      filters[field] = value;
+    } else if (mongoOperator === "$regex") {
+      filters[field] = { $regex: value };
+      regexFields[field] = true;
+    } else {
+      if (typeof filters[field] !== "object" || filters[field] === null || Array.isArray(filters[field])) {
+        filters[field] = {};
+      }
+      let processedValue;
+      const op = operator.toLowerCase();
+      if (["gt", "gte", "lt", "lte", "size"].includes(op)) {
+        processedValue = parseFloat(String(value));
+        if (isNaN(processedValue)) return;
+      } else if (op === "in" || op === "nin") {
+        processedValue = Array.isArray(value) ? value : String(value).split(",").map((v) => v.trim());
+      } else {
+        processedValue = this._convertValue(value);
+      }
+      filters[field][mongoOperator] = processedValue;
+    }
+  }
+  /**
+   * Handle bracket syntax with object value
+   */
+  _handleBracketSyntax(field, operators, parsedFilters) {
+    if (!parsedFilters[field]) {
+      parsedFilters[field] = {};
+    }
+    for (const [operator, value] of Object.entries(operators)) {
+      if (operator === "between") {
+        parsedFilters[field].between = value;
+        continue;
+      }
+      if (this.operators[operator]) {
+        const mongoOperator = this.operators[operator];
+        let processedValue;
+        if (["gt", "gte", "lt", "lte", "size"].includes(operator)) {
+          processedValue = parseFloat(String(value));
+          if (isNaN(processedValue)) continue;
+        } else if (operator === "in" || operator === "nin") {
+          processedValue = Array.isArray(value) ? value : String(value).split(",").map((v) => v.trim());
+        } else if (operator === "like" || operator === "contains") {
+          const safeRegex = this._createSafeRegex(value);
+          if (!safeRegex) continue;
+          processedValue = safeRegex;
+        } else {
+          processedValue = this._convertValue(value);
+        }
+        parsedFilters[field][mongoOperator] = processedValue;
+      }
+    }
+  }
+  /**
+   * Convert operator to MongoDB format
+   */
+  _toMongoOperator(operator) {
+    const op = operator.toLowerCase();
+    return op.startsWith("$") ? op : "$" + op;
+  }
+  /**
+   * Create a safe regex pattern with protection against ReDoS attacks
+   * @param pattern - The pattern string from user input
+   * @param flags - Regex flags (default: 'i' for case-insensitive)
+   * @returns A safe RegExp or null if pattern is invalid/dangerous
+   */
+  _createSafeRegex(pattern, flags = "i") {
+    if (pattern === null || pattern === void 0) {
+      return null;
+    }
+    const patternStr = String(pattern);
+    if (patternStr.length > this.options.maxRegexLength) {
+      console.warn(`[mongokit] Regex pattern too long (${patternStr.length} > ${this.options.maxRegexLength}), truncating`);
+      return new RegExp(this._escapeRegex(patternStr.substring(0, this.options.maxRegexLength)), flags);
+    }
+    if (this.dangerousRegexPatterns.test(patternStr)) {
+      console.warn("[mongokit] Potentially dangerous regex pattern detected, escaping");
+      return new RegExp(this._escapeRegex(patternStr), flags);
+    }
+    try {
+      return new RegExp(patternStr, flags);
+    } catch {
+      return new RegExp(this._escapeRegex(patternStr), flags);
+    }
+  }
+  /**
+   * Escape special regex characters for literal matching
+   */
+  _escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  }
+  /**
+   * Sanitize text search query for MongoDB $text search
+   * @param search - Raw search input from user
+   * @returns Sanitized search string or undefined
+   */
+  _sanitizeSearch(search) {
+    if (search === null || search === void 0 || search === "") {
+      return void 0;
+    }
+    let searchStr = String(search).trim();
+    if (!searchStr) {
+      return void 0;
+    }
+    if (searchStr.length > this.options.maxSearchLength) {
+      console.warn(`[mongokit] Search query too long (${searchStr.length} > ${this.options.maxSearchLength}), truncating`);
+      searchStr = searchStr.substring(0, this.options.maxSearchLength);
+    }
+    return searchStr;
+  }
+  /**
+   * Convert values based on operator type
+   */
+  _convertValue(value) {
+    if (value === null || value === void 0) return value;
+    if (Array.isArray(value)) return value.map((v) => this._convertValue(v));
+    if (typeof value === "object") return value;
+    const stringValue = String(value);
+    if (stringValue === "true") return true;
+    if (stringValue === "false") return false;
+    if (mongoose.Types.ObjectId.isValid(stringValue) && stringValue.length === 24) {
+      return stringValue;
+    }
+    return stringValue;
+  }
+  /**
+   * Parse $or conditions
+   */
+  _parseOr(query) {
+    const orArray = [];
+    const raw = query?.or || query?.OR || query?.$or;
+    if (!raw) return void 0;
+    const items = Array.isArray(raw) ? raw : typeof raw === "object" ? Object.values(raw) : [];
+    for (const item of items) {
+      if (typeof item === "object" && item) {
+        orArray.push(this._parseFilters(item));
+      }
+    }
+    return orArray.length ? orArray : void 0;
+  }
+  /**
+   * Enhance filters with between operator
+   */
+  _enhanceWithBetween(filters) {
+    const output = { ...filters };
+    for (const [key, value] of Object.entries(filters || {})) {
+      if (value && typeof value === "object" && "between" in value) {
+        const between = value.between;
+        const [from, to] = String(between).split(",").map((s) => s.trim());
+        const fromDate = from ? new Date(from) : void 0;
+        const toDate = to ? new Date(to) : void 0;
+        const range = {};
+        if (fromDate && !isNaN(fromDate.getTime())) range.$gte = fromDate;
+        if (toDate && !isNaN(toDate.getTime())) range.$lte = toDate;
+        output[key] = range;
+      }
+    }
+    return output;
+  }
+};
+var defaultQueryParser = new QueryParser();
+var queryParser_default = defaultQueryParser;
 
 // src/actions/index.ts
 var actions_exports = {};
@@ -2332,4 +2784,4 @@ var index_default = Repository;
  * ```
  */
 
-export { PaginationEngine, Repository, actions_exports as actions, aggregateHelpersPlugin, auditLogPlugin, autoInject, batchOperationsPlugin, blockIf, cachePlugin, cascadePlugin, createError, createFieldPreset, createMemoryCache, createRepository, index_default as default, fieldFilterPlugin, filterResponseData, getFieldsForUser, getMongooseProjection, immutableField, methodRegistryPlugin, mongoOperationsPlugin, requireField, softDeletePlugin, subdocumentPlugin, timestampPlugin, uniqueField, validationChainPlugin };
+export { PaginationEngine, QueryParser, Repository, actions_exports as actions, aggregateHelpersPlugin, auditLogPlugin, autoInject, batchOperationsPlugin, blockIf, cachePlugin, cascadePlugin, createError, createFieldPreset, createMemoryCache, createRepository, index_default as default, fieldFilterPlugin, filterResponseData, getFieldsForUser, getMongooseProjection, immutableField, methodRegistryPlugin, mongoOperationsPlugin, queryParser_default as queryParser, requireField, softDeletePlugin, subdocumentPlugin, timestampPlugin, uniqueField, validationChainPlugin };

package/dist/pagination/PaginationEngine.d.ts

@@ -1,5 +1,5 @@
 import { Model } from 'mongoose';
-import { A as AnyDocument, P as PaginationConfig, O as OffsetPaginationOptions, a as OffsetPaginationResult, K as KeysetPaginationOptions, b as KeysetPaginationResult, c as AggregatePaginationOptions, d as AggregatePaginationResult } from '../types-B3dPUKjs.js';
+import { A as AnyDocument, P as PaginationConfig, O as OffsetPaginationOptions, a as OffsetPaginationResult, K as KeysetPaginationOptions, b as KeysetPaginationResult, c as AggregatePaginationOptions, d as AggregatePaginationResult } from '../types-DAl69QgM.js';
 
 /**
  * Pagination Engine
@@ -50,7 +50,7 @@ declare class PaginationEngine<TDoc = AnyDocument> {
      * @param Model - Mongoose model to paginate
      * @param config - Pagination configuration
      */
-    constructor(Model: Model<TDoc>, config?: PaginationConfig);
+    constructor(Model: Model<TDoc, any, any, any>, config?: PaginationConfig);
     /**
      * Offset-based pagination using skip/limit
      * Best for small datasets and when users need random page access

package/dist/pagination/PaginationEngine.js

@@ -171,6 +171,7 @@ var PaginationEngine = class {
    * @param Model - Mongoose model to paginate
    * @param config - Pagination configuration
    */
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
   constructor(Model, config = {}) {
     this.Model = Model;
     this.config = {

package/dist/plugins/index.d.ts

@@ -1,4 +1,4 @@
-import { F as FieldPreset, r as Plugin, L as Logger, I as SoftDeleteOptions, t as RepositoryInstance, B as ValidatorDefinition, G as ValidationChainOptions, i as RepositoryContext, W as CacheOptions, _ as CascadeOptions } from '../types-B3dPUKjs.js';
+import { F as FieldPreset, r as Plugin, L as Logger, M as SoftDeleteOptions, t as RepositoryInstance, G as ValidatorDefinition, I as ValidationChainOptions, i as RepositoryContext, Z as CacheOptions, a1 as CascadeOptions } from '../types-DAl69QgM.js';
 import 'mongoose';
 
 /**
@@ -54,10 +54,42 @@ declare function auditLogPlugin(logger: Logger): Plugin;
 /**
  * Soft delete plugin
  *
- * @example
+ * @example Basic usage
+ * ```typescript
  * const repo = new Repository(Model, [
  *   softDeletePlugin({ deletedField: 'deletedAt' })
  * ]);
+ *
+ * // Delete (soft)
+ * await repo.delete(id);
+ *
+ * // Restore
+ * await repo.restore(id);
+ *
+ * // Get deleted documents
+ * await repo.getDeleted({ page: 1, limit: 20 });
+ * ```
+ *
+ * @example With null filter mode (for schemas with default: null)
+ * ```typescript
+ * // Schema: { deletedAt: { type: Date, default: null } }
+ * const repo = new Repository(Model, [
+ *   softDeletePlugin({
+ *     deletedField: 'deletedAt',
+ *     filterMode: 'null', // default - works with default: null
+ *   })
+ * ]);
+ * ```
+ *
+ * @example With TTL for auto-cleanup
+ * ```typescript
+ * const repo = new Repository(Model, [
+ *   softDeletePlugin({
+ *     deletedField: 'deletedAt',
+ *     ttlDays: 30, // Auto-delete after 30 days
+ *   })
+ * ]);
+ * ```
  */
 declare function softDeletePlugin(options?: SoftDeleteOptions): Plugin;
 

package/dist/plugins/index.js

@@ -115,12 +115,45 @@ function auditLogPlugin(logger) {
 }
 
 // src/plugins/soft-delete.plugin.ts
+function buildDeletedFilter(deletedField, filterMode, includeDeleted) {
+  if (includeDeleted) {
+    return {};
+  }
+  if (filterMode === "exists") {
+    return { [deletedField]: { $exists: false } };
+  }
+  return { [deletedField]: null };
+}
+function buildGetDeletedFilter(deletedField, filterMode) {
+  if (filterMode === "exists") {
+    return { [deletedField]: { $exists: true, $ne: null } };
+  }
+  return { [deletedField]: { $ne: null } };
+}
 function softDeletePlugin(options = {}) {
   const deletedField = options.deletedField || "deletedAt";
   const deletedByField = options.deletedByField || "deletedBy";
+  const filterMode = options.filterMode || "null";
+  const addRestoreMethod = options.addRestoreMethod !== false;
+  const addGetDeletedMethod = options.addGetDeletedMethod !== false;
+  const ttlDays = options.ttlDays;
   return {
     name: "softDelete",
     apply(repo) {
+      if (ttlDays !== void 0 && ttlDays > 0) {
+        const ttlSeconds = ttlDays * 24 * 60 * 60;
+        repo.Model.collection.createIndex(
+          { [deletedField]: 1 },
+          {
+            expireAfterSeconds: ttlSeconds,
+            partialFilterExpression: { [deletedField]: { $type: "date" } }
+          }
+        ).catch((err) => {
+          if (!err.message.includes("already exists")) {
+            console.warn(`[softDeletePlugin] Failed to create TTL index: ${err.message}`);
+          }
+        });
+      }
       repo.on("before:delete", async (context) => {
         if (options.soft !== false) {
           const updateData = {
@@ -134,23 +167,126 @@ function softDeletePlugin(options = {}) {
         }
       });
       repo.on("before:getAll", (context) => {
-        if (!context.includeDeleted && options.soft !== false) {
-          const queryParams = context.queryParams || {};
-          queryParams.filters = {
-            ...queryParams.filters || {},
-            [deletedField]: { $exists: false }
-          };
-          context.queryParams = queryParams;
+        if (options.soft !== false) {
+          const deleteFilter = buildDeletedFilter(deletedField, filterMode, !!context.includeDeleted);
+          if (Object.keys(deleteFilter).length > 0) {
+            const existingFilters = context.filters || {};
+            context.filters = {
+              ...existingFilters,
+              ...deleteFilter
+            };
+          }
         }
       });
       repo.on("before:getById", (context) => {
-        if (!context.includeDeleted && options.soft !== false) {
-          context.query = {
-            ...context.query || {},
-            [deletedField]: { $exists: false }
-          };
+        if (options.soft !== false) {
+          const deleteFilter = buildDeletedFilter(deletedField, filterMode, !!context.includeDeleted);
+          if (Object.keys(deleteFilter).length > 0) {
+            context.query = {
+              ...context.query || {},
+              ...deleteFilter
+            };
+          }
         }
       });
+      repo.on("before:getByQuery", (context) => {
+        if (options.soft !== false) {
+          const deleteFilter = buildDeletedFilter(deletedField, filterMode, !!context.includeDeleted);
+          if (Object.keys(deleteFilter).length > 0) {
+            context.query = {
+              ...context.query || {},
+              ...deleteFilter
+            };
+          }
+        }
+      });
+      if (addRestoreMethod) {
+        const restoreMethod = async function(id, restoreOptions = {}) {
+          const updateData = {
+            [deletedField]: null,
+            [deletedByField]: null
+          };
+          const result = await this.Model.findByIdAndUpdate(id, { $set: updateData }, {
+            new: true,
+            session: restoreOptions.session
+          });
+          if (!result) {
+            const error = new Error(`Document with id '${id}' not found`);
+            error.status = 404;
+            throw error;
+          }
+          await this.emitAsync("after:restore", { id, result });
+          return result;
+        };
+        if (typeof repo.registerMethod === "function") {
+          repo.registerMethod("restore", restoreMethod);
+        } else {
+          repo.restore = restoreMethod.bind(repo);
+        }
+      }
+      if (addGetDeletedMethod) {
+        const getDeletedMethod = async function(params = {}, getDeletedOptions = {}) {
+          const deletedFilter = buildGetDeletedFilter(deletedField, filterMode);
+          const combinedFilters = {
+            ...params.filters || {},
+            ...deletedFilter
+          };
+          const page = params.page || 1;
+          const limit = params.limit || 20;
+          const skip = (page - 1) * limit;
+          let sortSpec = { [deletedField]: -1 };
+          if (params.sort) {
+            if (typeof params.sort === "string") {
+              const sortOrder = params.sort.startsWith("-") ? -1 : 1;
+              const sortField = params.sort.startsWith("-") ? params.sort.substring(1) : params.sort;
+              sortSpec = { [sortField]: sortOrder };
+            } else {
+              sortSpec = params.sort;
+            }
+          }
+          let query = this.Model.find(combinedFilters).sort(sortSpec).skip(skip).limit(limit);
+          if (getDeletedOptions.session) {
+            query = query.session(getDeletedOptions.session);
+          }
+          if (getDeletedOptions.select) {
+            const selectValue = Array.isArray(getDeletedOptions.select) ? getDeletedOptions.select.join(" ") : getDeletedOptions.select;
+            query = query.select(selectValue);
+          }
+          if (getDeletedOptions.populate) {
+            const populateSpec = getDeletedOptions.populate;
+            if (typeof populateSpec === "string") {
+              query = query.populate(populateSpec.split(",").map((p) => p.trim()));
+            } else if (Array.isArray(populateSpec)) {
+              query = query.populate(populateSpec);
+            } else {
+              query = query.populate(populateSpec);
+            }
+          }
+          if (getDeletedOptions.lean !== false) {
+            query = query.lean();
+          }
+          const [docs, total] = await Promise.all([
+            query.exec(),
+            this.Model.countDocuments(combinedFilters)
+          ]);
+          const pages = Math.ceil(total / limit);
+          return {
+            method: "offset",
+            docs,
+            page,
+            limit,
+            total,
+            pages,
+            hasNext: page < pages,
+            hasPrev: page > 1
+          };
+        };
+        if (typeof repo.registerMethod === "function") {
+          repo.registerMethod("getDeleted", getDeletedMethod);
+        } else {
+          repo.getDeleted = getDeletedMethod.bind(repo);
+        }
+      }
     }
   };
 }

package/dist/{memory-cache-Bn_-Kk-0.d.ts → queryParser-Bek4yy3x.d.ts}

@@ -1,4 +1,4 @@
-import { q as UserContext, F as FieldPreset, H as HttpError, T as CacheAdapter } from './types-B3dPUKjs.js';
+import { q as UserContext, F as FieldPreset, H as HttpError, Y as CacheAdapter, v as ParsedQuery } from './types-DAl69QgM.js';
 
 /**
  * Field Selection Utilities
@@ -139,4 +139,112 @@ declare function createError(status: number, message: string): HttpError;
  */
 declare function createMemoryCache(maxEntries?: number): CacheAdapter;
 
-export { getMongooseProjection as a, createError as b, createFieldPreset as c, createMemoryCache as d, filterResponseData as f, getFieldsForUser as g };
+/**
+ * Query Parser
+ *
+ * Parses HTTP query parameters into MongoDB-compatible query objects.
+ * Supports operators, pagination, sorting, and filtering.
+ */
+
+/** Operator mapping from query syntax to MongoDB operators */
+type OperatorMap = Record<string, string>;
+/** Possible values in filter parameters */
+type FilterValue = string | number | boolean | null | undefined | Record<string, unknown> | unknown[];
+/** Configuration options for QueryParser */
+interface QueryParserOptions {
+    /** Maximum allowed regex pattern length (default: 500) */
+    maxRegexLength?: number;
+    /** Maximum allowed text search query length (default: 200) */
+    maxSearchLength?: number;
+    /** Maximum allowed filter depth (default: 10) */
+    maxFilterDepth?: number;
+    /** Additional operators to block */
+    additionalDangerousOperators?: string[];
+}
+/**
+ * Query Parser Class
+ *
+ * Parses HTTP query parameters into MongoDB-compatible query objects.
+ * Includes security measures against NoSQL injection and ReDoS attacks.
+ *
+ * @example
+ * ```typescript
+ * import { QueryParser } from '@classytic/mongokit';
+ *
+ * const parser = new QueryParser({ maxRegexLength: 100 });
+ * const query = parser.parseQuery(req.query);
+ * ```
+ */
+declare class QueryParser {
+    private readonly options;
+    private readonly operators;
+    /**
+     * Dangerous MongoDB operators that should never be accepted from user input
+     * Security: Prevent NoSQL injection attacks
+     */
+    private readonly dangerousOperators;
+    /**
+     * Regex pattern characters that can cause catastrophic backtracking (ReDoS)
+     */
+    private readonly dangerousRegexPatterns;
+    constructor(options?: QueryParserOptions);
+    /**
+     * Parse query parameters into MongoDB query format
+     */
+    parseQuery(query: Record<string, unknown> | null | undefined): ParsedQuery;
+    /**
+     * Parse sort parameter
+     * Converts string like '-createdAt' to { createdAt: -1 }
+     * Handles multiple sorts: '-createdAt,name' → { createdAt: -1, name: 1 }
+     */
+    private _parseSort;
+    /**
+     * Parse standard filter parameter (filter[field]=value)
+     */
+    private _parseFilters;
+    /**
+     * Handle operator syntax: field[operator]=value
+     */
+    private _handleOperatorSyntax;
+    /**
+     * Handle bracket syntax with object value
+     */
+    private _handleBracketSyntax;
+    /**
+     * Convert operator to MongoDB format
+     */
+    private _toMongoOperator;
+    /**
+     * Create a safe regex pattern with protection against ReDoS attacks
+     * @param pattern - The pattern string from user input
+     * @param flags - Regex flags (default: 'i' for case-insensitive)
+     * @returns A safe RegExp or null if pattern is invalid/dangerous
+     */
+    private _createSafeRegex;
+    /**
+     * Escape special regex characters for literal matching
+     */
+    private _escapeRegex;
+    /**
+     * Sanitize text search query for MongoDB $text search
+     * @param search - Raw search input from user
+     * @returns Sanitized search string or undefined
+     */
+    private _sanitizeSearch;
+    /**
+     * Convert values based on operator type
+     */
+    private _convertValue;
+    /**
+     * Parse $or conditions
+     */
+    private _parseOr;
+    /**
+     * Enhance filters with between operator
+     */
+    private _enhanceWithBetween;
+}
+/** Default query parser instance with standard options */
+declare const defaultQueryParser: QueryParser;
+
+export { type FilterValue as F, type OperatorMap as O, QueryParser as Q, getMongooseProjection as a, createError as b, createFieldPreset as c, createMemoryCache as d, defaultQueryParser as e, filterResponseData as f, getFieldsForUser as g, type QueryParserOptions as h };

package/dist/{types-B3dPUKjs.d.ts → types-DAl69QgM.d.ts}

@@ -405,6 +405,8 @@ interface Logger {
     warn?(message: string, meta?: Record<string, unknown>): void;
     debug?(message: string, meta?: Record<string, unknown>): void;
 }
+/** Filter mode for soft delete queries */
+type SoftDeleteFilterMode = 'null' | 'exists';
 /** Soft delete plugin options */
 interface SoftDeleteOptions {
     /** Field name for deletion timestamp (default: 'deletedAt') */
@@ -413,6 +415,51 @@ interface SoftDeleteOptions {
     deletedByField?: string;
     /** Enable soft delete (default: true) */
     soft?: boolean;
+    /**
+     * Filter mode for excluding deleted documents (default: 'null')
+     * - 'null': Filters where deletedField is null (works with `default: null` in schema)
+     * - 'exists': Filters where deletedField does not exist (legacy behavior)
+     */
+    filterMode?: SoftDeleteFilterMode;
+    /** Add restore method to repository (default: true) */
+    addRestoreMethod?: boolean;
+    /** Add getDeleted method to repository (default: true) */
+    addGetDeletedMethod?: boolean;
+    /**
+     * TTL in days for auto-cleanup of deleted documents.
+     * When set, creates a TTL index on the deletedField.
+     * Documents will be automatically removed after the specified days.
+     */
+    ttlDays?: number;
+}
+/** Repository with soft delete methods */
+interface SoftDeleteRepository {
+    /**
+     * Restore a soft-deleted document by setting deletedAt to null
+     * @param id - Document ID to restore
+     * @param options - Optional session for transactions
+     * @returns The restored document
+     */
+    restore(id: string | ObjectId, options?: {
+        session?: ClientSession;
+    }): Promise<unknown>;
+    /**
+     * Get all soft-deleted documents
+     * @param params - Query parameters (filters, pagination, etc.)
+     * @param options - Query options (select, populate, etc.)
+     * @returns Paginated result of deleted documents
+     */
+    getDeleted(params?: {
+        filters?: Record<string, unknown>;
+        sort?: SortSpec | string;
+        page?: number;
+        limit?: number;
+    }, options?: {
+        select?: SelectSpec;
+        populate?: PopulateSpec;
+        lean?: boolean;
+        session?: ClientSession;
+    }): Promise<OffsetPaginationResult<unknown>>;
 }
 /** Lookup options for aggregate */
 interface LookupOptions {
@@ -533,4 +580,4 @@ interface HttpError extends Error {
     }>;
 }
 
-export type { AnyDocument as A, ValidatorDefinition as B, CreateOptions as C, DeleteResult as D, EventPayload as E, FieldPreset as F, ValidationChainOptions as G, HttpError as H, SoftDeleteOptions as I, JsonSchema as J, KeysetPaginationOptions as K, Logger as L, LookupOptions as M, GroupResult as N, OffsetPaginationOptions as O, PaginationConfig as P, MinMaxResult as Q, RepositoryOptions as R, SelectSpec as S, CacheAdapter as T, UpdateOptions as U, ValidationResult as V, CacheOptions as W, CacheOperationOptions as X, CacheStats as Y, CascadeRelation as Z, CascadeOptions as _, OffsetPaginationResult as a, KeysetPaginationResult as b, AggregatePaginationOptions as c, AggregatePaginationResult as d, PluginType as e, ObjectId as f, PopulateSpec as g, SortSpec as h, RepositoryContext as i, AnyModel as j, SortDirection as k, HookMode as l, PaginationResult as m, OperationOptions as n, UpdateManyResult as o, UpdateWithValidationResult as p, UserContext as q, Plugin as r, PluginFunction as s, RepositoryInstance as t, RepositoryEvent as u, ParsedQuery as v, FieldRules as w, SchemaBuilderOptions as x, CrudSchemas as y, DecodedCursor as z };
+export type { CacheStats as $, AnyDocument as A, DecodedCursor as B, CreateOptions as C, DeleteResult as D, EventPayload as E, FieldPreset as F, ValidatorDefinition as G, HttpError as H, ValidationChainOptions as I, JsonSchema as J, KeysetPaginationOptions as K, Logger as L, SoftDeleteOptions as M, SoftDeleteFilterMode as N, OffsetPaginationOptions as O, PaginationConfig as P, SoftDeleteRepository as Q, RepositoryOptions as R, SelectSpec as S, LookupOptions as T, UpdateOptions as U, ValidationResult as V, GroupResult as W, MinMaxResult as X, CacheAdapter as Y, CacheOptions as Z, CacheOperationOptions as _, OffsetPaginationResult as a, CascadeRelation as a0, CascadeOptions as a1, KeysetPaginationResult as b, AggregatePaginationOptions as c, AggregatePaginationResult as d, PluginType as e, ObjectId as f, PopulateSpec as g, SortSpec as h, RepositoryContext as i, AnyModel as j, SortDirection as k, HookMode as l, PaginationResult as m, OperationOptions as n, UpdateManyResult as o, UpdateWithValidationResult as p, UserContext as q, Plugin as r, PluginFunction as s, RepositoryInstance as t, RepositoryEvent as u, ParsedQuery as v, FilterQuery as w, FieldRules as x, SchemaBuilderOptions as y, CrudSchemas as z };

package/dist/utils/index.d.ts

@@ -1,61 +1,6 @@
-export { b as createError, c as createFieldPreset, d as createMemoryCache, f as filterResponseData, g as getFieldsForUser, a as getMongooseProjection } from '../memory-cache-Bn_-Kk-0.js';
-import { v as ParsedQuery, x as SchemaBuilderOptions, y as CrudSchemas, V as ValidationResult, S as SelectSpec, g as PopulateSpec, h as SortSpec } from '../types-B3dPUKjs.js';
+export { F as FilterValue, O as OperatorMap, Q as QueryParser, h as QueryParserOptions, b as createError, c as createFieldPreset, d as createMemoryCache, f as filterResponseData, g as getFieldsForUser, a as getMongooseProjection, e as queryParser } from '../queryParser-Bek4yy3x.js';
 import mongoose__default, { Schema } from 'mongoose';
-
-/**
- * Query Parser
- *
- * Parses HTTP query parameters into MongoDB-compatible query objects.
- * Supports operators, pagination, sorting, and filtering.
- */
-
-declare class QueryParser {
-    private operators;
-    /**
-     * Dangerous MongoDB operators that should never be accepted from user input
-     * Security: Prevent NoSQL injection attacks
-     */
-    private dangerousOperators;
-    /**
-     * Parse query parameters into MongoDB query format
-     */
-    parseQuery(query: Record<string, unknown> | null | undefined): ParsedQuery;
-    /**
-     * Parse sort parameter
-     * Converts string like '-createdAt' to { createdAt: -1 }
-     * Handles multiple sorts: '-createdAt,name' → { createdAt: -1, name: 1 }
-     */
-    private _parseSort;
-    /**
-     * Parse standard filter parameter (filter[field]=value)
-     */
-    private _parseFilters;
-    /**
-     * Handle operator syntax: field[operator]=value
-     */
-    private _handleOperatorSyntax;
-    /**
-     * Handle bracket syntax with object value
-     */
-    private _handleBracketSyntax;
-    /**
-     * Convert operator to MongoDB format
-     */
-    private _toMongoOperator;
-    /**
-     * Convert values based on operator type
-     */
-    private _convertValue;
-    /**
-     * Parse $or conditions
-     */
-    private _parseOr;
-    /**
-     * Enhance filters with between operator
-     */
-    private _enhanceWithBetween;
-}
-declare const _default: QueryParser;
+import { y as SchemaBuilderOptions, z as CrudSchemas, V as ValidationResult, S as SelectSpec, g as PopulateSpec, h as SortSpec } from '../types-DAl69QgM.js';
 
 /**
  * Mongoose to JSON Schema Converter with Field Rules
@@ -186,4 +131,4 @@ declare function modelPattern(prefix: string, model: string): string;
  */
 declare function listPattern(prefix: string, model: string): string;
 
-export { buildCrudSchemasFromModel, buildCrudSchemasFromMongooseSchema, byIdKey, byQueryKey, getImmutableFields, getSystemManagedFields, isFieldUpdateAllowed, listPattern, listQueryKey, modelPattern, _default as queryParser, validateUpdateBody, versionKey };
+export { buildCrudSchemasFromModel, buildCrudSchemasFromMongooseSchema, byIdKey, byQueryKey, getImmutableFields, getSystemManagedFields, isFieldUpdateAllowed, listPattern, listQueryKey, modelPattern, validateUpdateBody, versionKey };

package/dist/utils/index.js

@@ -46,6 +46,7 @@ function createFieldPreset(config) {
   };
 }
 var QueryParser = class {
+  options;
   operators = {
     eq: "$eq",
     ne: "$ne",
@@ -66,7 +67,26 @@ var QueryParser = class {
    * Dangerous MongoDB operators that should never be accepted from user input
    * Security: Prevent NoSQL injection attacks
    */
-  dangerousOperators = ["$where", "$function", "$accumulator", "$expr"];
+  dangerousOperators;
+  /**
+   * Regex pattern characters that can cause catastrophic backtracking (ReDoS)
+   */
+  dangerousRegexPatterns = /(\{[0-9,]+\}|\*\+|\+\+|\?\+|(\([^)]*\))\1|\(\?[^)]*\)|[\[\]].*[\[\]])/;
+  constructor(options = {}) {
+    this.options = {
+      maxRegexLength: options.maxRegexLength ?? 500,
+      maxSearchLength: options.maxSearchLength ?? 200,
+      maxFilterDepth: options.maxFilterDepth ?? 10,
+      additionalDangerousOperators: options.additionalDangerousOperators ?? []
+    };
+    this.dangerousOperators = [
+      "$where",
+      "$function",
+      "$accumulator",
+      "$expr",
+      ...this.options.additionalDangerousOperators
+    ];
+  }
   /**
    * Parse query parameters into MongoDB query format
    */
@@ -86,7 +106,7 @@ var QueryParser = class {
       limit: parseInt(String(limit), 10),
       sort: this._parseSort(sort),
       populate,
-      search
+      search: this._sanitizeSearch(search)
     };
     if (after || cursor) {
       parsed.after = after || cursor;
@@ -126,6 +146,7 @@ var QueryParser = class {
    */
   _parseFilters(filters) {
     const parsedFilters = {};
+    const regexFields = {};
     for (const [key, value] of Object.entries(filters)) {
       if (this.dangerousOperators.includes(key) || key.startsWith("$") && !["$or", "$and"].includes(key)) {
         console.warn(`[mongokit] Blocked dangerous operator: ${key}`);
@@ -141,7 +162,7 @@ var QueryParser = class {
           console.warn(`[mongokit] Blocked dangerous operator: ${operator}`);
           continue;
         }
-        this._handleOperatorSyntax(parsedFilters, {}, operatorMatch, value);
+        this._handleOperatorSyntax(parsedFilters, regexFields, operatorMatch, value);
         continue;
       }
       if (typeof value === "object" && value !== null && !Array.isArray(value)) {
@@ -165,8 +186,11 @@ var QueryParser = class {
       return;
     }
     if (operator.toLowerCase() === "contains" || operator.toLowerCase() === "like") {
-      filters[field] = { $regex: new RegExp(String(value), "i") };
-      regexFields[field] = true;
+      const safeRegex = this._createSafeRegex(value);
+      if (safeRegex) {
+        filters[field] = { $regex: safeRegex };
+        regexFields[field] = true;
+      }
       return;
     }
     const mongoOperator = this._toMongoOperator(operator);
@@ -217,7 +241,9 @@ var QueryParser = class {
         } else if (operator === "in" || operator === "nin") {
           processedValue = Array.isArray(value) ? value : String(value).split(",").map((v) => v.trim());
         } else if (operator === "like" || operator === "contains") {
-          processedValue = value !== void 0 && value !== null ? new RegExp(String(value), "i") : /.*/;
+          const safeRegex = this._createSafeRegex(value);
+          if (!safeRegex) continue;
+          processedValue = safeRegex;
         } else {
           processedValue = this._convertValue(value);
         }
@@ -232,6 +258,56 @@ var QueryParser = class {
     const op = operator.toLowerCase();
     return op.startsWith("$") ? op : "$" + op;
   }
+  /**
+   * Create a safe regex pattern with protection against ReDoS attacks
+   * @param pattern - The pattern string from user input
+   * @param flags - Regex flags (default: 'i' for case-insensitive)
+   * @returns A safe RegExp or null if pattern is invalid/dangerous
+   */
+  _createSafeRegex(pattern, flags = "i") {
+    if (pattern === null || pattern === void 0) {
+      return null;
+    }
+    const patternStr = String(pattern);
+    if (patternStr.length > this.options.maxRegexLength) {
+      console.warn(`[mongokit] Regex pattern too long (${patternStr.length} > ${this.options.maxRegexLength}), truncating`);
+      return new RegExp(this._escapeRegex(patternStr.substring(0, this.options.maxRegexLength)), flags);
+    }
+    if (this.dangerousRegexPatterns.test(patternStr)) {
+      console.warn("[mongokit] Potentially dangerous regex pattern detected, escaping");
+      return new RegExp(this._escapeRegex(patternStr), flags);
+    }
+    try {
+      return new RegExp(patternStr, flags);
+    } catch {
+      return new RegExp(this._escapeRegex(patternStr), flags);
+    }
+  }
+  /**
+   * Escape special regex characters for literal matching
+   */
+  _escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  }
+  /**
+   * Sanitize text search query for MongoDB $text search
+   * @param search - Raw search input from user
+   * @returns Sanitized search string or undefined
+   */
+  _sanitizeSearch(search) {
+    if (search === null || search === void 0 || search === "") {
+      return void 0;
+    }
+    let searchStr = String(search).trim();
+    if (!searchStr) {
+      return void 0;
+    }
+    if (searchStr.length > this.options.maxSearchLength) {
+      console.warn(`[mongokit] Search query too long (${searchStr.length} > ${this.options.maxSearchLength}), truncating`);
+      searchStr = searchStr.substring(0, this.options.maxSearchLength);
+    }
+    return searchStr;
+  }
   /**
    * Convert values based on operator type
    */
@@ -282,7 +358,8 @@ var QueryParser = class {
     return output;
   }
 };
-var queryParser_default = new QueryParser();
+var defaultQueryParser = new QueryParser();
+var queryParser_default = defaultQueryParser;
 function isMongooseSchema(value) {
   return value instanceof mongoose2.Schema;
 }
@@ -638,4 +715,4 @@ function listPattern(prefix, model) {
   return `${prefix}:list:${model}:*`;
 }
 
-export { buildCrudSchemasFromModel, buildCrudSchemasFromMongooseSchema, byIdKey, byQueryKey, createError, createFieldPreset, createMemoryCache, filterResponseData, getFieldsForUser, getImmutableFields, getMongooseProjection, getSystemManagedFields, isFieldUpdateAllowed, listPattern, listQueryKey, modelPattern, queryParser_default as queryParser, validateUpdateBody, versionKey };
+export { QueryParser, buildCrudSchemasFromModel, buildCrudSchemasFromMongooseSchema, byIdKey, byQueryKey, createError, createFieldPreset, createMemoryCache, filterResponseData, getFieldsForUser, getImmutableFields, getMongooseProjection, getSystemManagedFields, isFieldUpdateAllowed, listPattern, listQueryKey, modelPattern, queryParser_default as queryParser, validateUpdateBody, versionKey };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@classytic/mongokit",
-  "version": "3.0.2",
+  "version": "3.0.4",
   "description": "Production-grade MongoDB repositories with zero dependencies - smart pagination, events, and plugins",
   "type": "module",
   "main": "./dist/index.js",