npm - @classytic/mongokit - Versions diffs - 3.0.3 → 3.0.5 - Mend

@classytic/mongokit 3.0.3 → 3.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/actions/index.d.ts +2 -2
package/dist/{index-CMCrkd2v.d.ts → index-BljuCDFC.d.ts} +1 -1
package/dist/index.d.ts +4 -4
package/dist/index.js +712 -23
package/dist/pagination/PaginationEngine.d.ts +1 -1
package/dist/plugins/index.d.ts +34 -2
package/dist/plugins/index.js +148 -12
package/dist/queryParser-CxzCjzXd.d.ts +303 -0
package/dist/{types-B3dPUKjs.d.ts → types-CHIDluaP.d.ts} +53 -20
package/dist/utils/index.d.ts +4 -111
package/dist/utils/index.js +86 -16
package/package.json +1 -1
package/dist/memory-cache-Bn_-Kk-0.d.ts +0 -142

package/dist/index.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import mongoose from 'mongoose';
+import mongoose4 from 'mongoose';
 var __defProp = Object.defineProperty;
 var __export = (target, all) => {
@@ -521,12 +521,12 @@ function validateCursorVersion(cursorVersion, expectedVersion) {
 }
 function serializeValue(value) {
   if (value instanceof Date) return value.toISOString();
-  if (value instanceof mongoose.Types.ObjectId) return value.toString();
+  if (value instanceof mongoose4.Types.ObjectId) return value.toString();
   return value;
 }
 function getValueType(value) {
   if (value instanceof Date) return "date";
-  if (value instanceof mongoose.Types.ObjectId) return "objectid";
+  if (value instanceof mongoose4.Types.ObjectId) return "objectid";
   if (typeof value === "boolean") return "boolean";
   if (typeof value === "number") return "number";
   if (typeof value === "string") return "string";
@@ -537,7 +537,7 @@ function rehydrateValue(serialized, type) {
     case "date":
       return new Date(serialized);
     case "objectid":
-      return new mongoose.Types.ObjectId(serialized);
+      return new mongoose4.Types.ObjectId(serialized);
     case "boolean":
       return Boolean(serialized);
     case "number":
@@ -1001,7 +1001,7 @@ var Repository = class {
     const hasCursorParam = "cursor" in params || "after" in params;
     const hasExplicitSort = params.sort !== void 0;
     const useKeyset = !hasPageParam && (hasCursorParam || hasExplicitSort);
-    const filters = params.filters || {};
+    const filters = context.filters || params.filters || {};
     const search = params.search;
     const sort = params.sort || "-createdAt";
     const limit = params.limit || params.pagination?.limit || this._pagination.config.defaultLimit;
@@ -1109,7 +1109,7 @@ var Repository = class {
    * Execute callback within a transaction
    */
   async withTransaction(callback) {
-    const session = await mongoose.startSession();
+    const session = await mongoose4.startSession();
     session.startTransaction();
     try {
       const result = await callback(session);
@@ -1172,11 +1172,11 @@ var Repository = class {
    * Handle errors with proper HTTP status codes
    */
   _handleError(error) {
-    if (error instanceof mongoose.Error.ValidationError) {
+    if (error instanceof mongoose4.Error.ValidationError) {
       const messages = Object.values(error.errors).map((err) => err.message);
       return createError(400, `Validation Error: ${messages.join(", ")}`);
     }
-    if (error instanceof mongoose.Error.CastError) {
+    if (error instanceof mongoose4.Error.CastError) {
       return createError(400, `Invalid ${error.path}: ${error.value}`);
     }
     if (error.status && error.message) return error;
@@ -1329,12 +1329,45 @@ function auditLogPlugin(logger) {
 }
 // src/plugins/soft-delete.plugin.ts
+function buildDeletedFilter(deletedField, filterMode, includeDeleted) {
+  if (includeDeleted) {
+    return {};
+  }
+  if (filterMode === "exists") {
+    return { [deletedField]: { $exists: false } };
+  }
+  return { [deletedField]: null };
+}
+function buildGetDeletedFilter(deletedField, filterMode) {
+  if (filterMode === "exists") {
+    return { [deletedField]: { $exists: true, $ne: null } };
+  }
+  return { [deletedField]: { $ne: null } };
+}
 function softDeletePlugin(options = {}) {
   const deletedField = options.deletedField || "deletedAt";
   const deletedByField = options.deletedByField || "deletedBy";
+  const filterMode = options.filterMode || "null";
+  const addRestoreMethod = options.addRestoreMethod !== false;
+  const addGetDeletedMethod = options.addGetDeletedMethod !== false;
+  const ttlDays = options.ttlDays;
   return {
     name: "softDelete",
     apply(repo) {
+      if (ttlDays !== void 0 && ttlDays > 0) {
+        const ttlSeconds = ttlDays * 24 * 60 * 60;
+        repo.Model.collection.createIndex(
+          { [deletedField]: 1 },
+          {
+            expireAfterSeconds: ttlSeconds,
+            partialFilterExpression: { [deletedField]: { $type: "date" } }
+          }
+        ).catch((err) => {
+          if (!err.message.includes("already exists")) {
+            console.warn(`[softDeletePlugin] Failed to create TTL index: ${err.message}`);
+          }
+        });
+      }
       repo.on("before:delete", async (context) => {
         if (options.soft !== false) {
           const updateData = {
@@ -1348,23 +1381,126 @@ function softDeletePlugin(options = {}) {
         }
       });
       repo.on("before:getAll", (context) => {
-        if (!context.includeDeleted && options.soft !== false) {
-          const queryParams = context.queryParams || {};
-          queryParams.filters = {
-            ...queryParams.filters || {},
-            [deletedField]: { $exists: false }
-          };
-          context.queryParams = queryParams;
+        if (options.soft !== false) {
+          const deleteFilter = buildDeletedFilter(deletedField, filterMode, !!context.includeDeleted);
+          if (Object.keys(deleteFilter).length > 0) {
+            const existingFilters = context.filters || {};
+            context.filters = {
+              ...existingFilters,
+              ...deleteFilter
+            };
+          }
         }
       });
       repo.on("before:getById", (context) => {
-        if (!context.includeDeleted && options.soft !== false) {
-          context.query = {
-            ...context.query || {},
-            [deletedField]: { $exists: false }
-          };
+        if (options.soft !== false) {
+          const deleteFilter = buildDeletedFilter(deletedField, filterMode, !!context.includeDeleted);
+          if (Object.keys(deleteFilter).length > 0) {
+            context.query = {
+              ...context.query || {},
+              ...deleteFilter
+            };
+          }
+        }
+      });
+      repo.on("before:getByQuery", (context) => {
+        if (options.soft !== false) {
+          const deleteFilter = buildDeletedFilter(deletedField, filterMode, !!context.includeDeleted);
+          if (Object.keys(deleteFilter).length > 0) {
+            context.query = {
+              ...context.query || {},
+              ...deleteFilter
+            };
+          }
         }
       });
+      if (addRestoreMethod) {
+        const restoreMethod = async function(id, restoreOptions = {}) {
+          const updateData = {
+            [deletedField]: null,
+            [deletedByField]: null
+          };
+          const result = await this.Model.findByIdAndUpdate(id, { $set: updateData }, {
+            new: true,
+            session: restoreOptions.session
+          });
+          if (!result) {
+            const error = new Error(`Document with id '${id}' not found`);
+            error.status = 404;
+            throw error;
+          }
+          await this.emitAsync("after:restore", { id, result });
+          return result;
+        };
+        if (typeof repo.registerMethod === "function") {
+          repo.registerMethod("restore", restoreMethod);
+        } else {
+          repo.restore = restoreMethod.bind(repo);
+        }
+      }
+      if (addGetDeletedMethod) {
+        const getDeletedMethod = async function(params = {}, getDeletedOptions = {}) {
+          const deletedFilter = buildGetDeletedFilter(deletedField, filterMode);
+          const combinedFilters = {
+            ...params.filters || {},
+            ...deletedFilter
+          };
+          const page = params.page || 1;
+          const limit = params.limit || 20;
+          const skip = (page - 1) * limit;
+          let sortSpec = { [deletedField]: -1 };
+          if (params.sort) {
+            if (typeof params.sort === "string") {
+              const sortOrder = params.sort.startsWith("-") ? -1 : 1;
+              const sortField = params.sort.startsWith("-") ? params.sort.substring(1) : params.sort;
+              sortSpec = { [sortField]: sortOrder };
+            } else {
+              sortSpec = params.sort;
+            }
+          }
+          let query = this.Model.find(combinedFilters).sort(sortSpec).skip(skip).limit(limit);
+          if (getDeletedOptions.session) {
+            query = query.session(getDeletedOptions.session);
+          }
+          if (getDeletedOptions.select) {
+            const selectValue = Array.isArray(getDeletedOptions.select) ? getDeletedOptions.select.join(" ") : getDeletedOptions.select;
+            query = query.select(selectValue);
+          }
+          if (getDeletedOptions.populate) {
+            const populateSpec = getDeletedOptions.populate;
+            if (typeof populateSpec === "string") {
+              query = query.populate(populateSpec.split(",").map((p) => p.trim()));
+            } else if (Array.isArray(populateSpec)) {
+              query = query.populate(populateSpec);
+            } else {
+              query = query.populate(populateSpec);
+            }
+          }
+          if (getDeletedOptions.lean !== false) {
+            query = query.lean();
+          }
+          const [docs, total] = await Promise.all([
+            query.exec(),
+            this.Model.countDocuments(combinedFilters)
+          ]);
+          const pages = Math.ceil(total / limit);
+          return {
+            method: "offset",
+            docs,
+            page,
+            limit,
+            total,
+            pages,
+            hasNext: page < pages,
+            hasPrev: page > 1
+          };
+        };
+        if (typeof repo.registerMethod === "function") {
+          repo.registerMethod("getDeleted", getDeletedMethod);
+        } else {
+          repo.getDeleted = getDeletedMethod.bind(repo);
+        }
+      }
     }
   };
 }
@@ -2071,7 +2207,7 @@ function cascadePlugin(options) {
         }
         const isSoftDelete = context.softDeleted === true;
         const cascadeDelete = async (relation) => {
-          const RelatedModel = mongoose.models[relation.model];
+          const RelatedModel = mongoose4.models[relation.model];
           if (!RelatedModel) {
             logger?.warn?.(`Cascade delete skipped: model '${relation.model}' not found`, {
               parentModel: context.model,
@@ -2162,7 +2298,7 @@ function cascadePlugin(options) {
           }
           const isSoftDelete = context.softDeleted === true;
           const cascadeDeleteMany = async (relation) => {
-            const RelatedModel = mongoose.models[relation.model];
+            const RelatedModel = mongoose4.models[relation.model];
             if (!RelatedModel) {
               logger?.warn?.(`Cascade deleteMany skipped: model '${relation.model}' not found`, {
                 parentModel: context.model
@@ -2278,6 +2414,559 @@ function createMemoryCache(maxEntries = 1e3) {
     }
   };
 }
+function isMongooseSchema(value) {
+  return value instanceof mongoose4.Schema;
+}
+function isPlainObject(value) {
+  return Object.prototype.toString.call(value) === "[object Object]";
+}
+function isObjectIdType(t) {
+  return t === mongoose4.Schema.Types.ObjectId || t === mongoose4.Types.ObjectId;
+}
+function buildCrudSchemasFromMongooseSchema(mongooseSchema, options = {}) {
+  const tree = mongooseSchema?.obj || {};
+  const jsonCreate = buildJsonSchemaForCreate(tree, options);
+  const jsonUpdate = buildJsonSchemaForUpdate(jsonCreate, options);
+  const jsonParams = {
+    type: "object",
+    properties: { id: { type: "string", pattern: "^[0-9a-fA-F]{24}$" } },
+    required: ["id"]
+  };
+  const jsonQuery = buildJsonSchemaForQuery(tree, options);
+  return { createBody: jsonCreate, updateBody: jsonUpdate, params: jsonParams, listQuery: jsonQuery };
+}
+function buildCrudSchemasFromModel(mongooseModel, options = {}) {
+  if (!mongooseModel || !mongooseModel.schema) {
+    throw new Error("Invalid mongoose model");
+  }
+  return buildCrudSchemasFromMongooseSchema(mongooseModel.schema, options);
+}
+function getImmutableFields(options = {}) {
+  const immutable = [];
+  const fieldRules = options?.fieldRules || {};
+  Object.entries(fieldRules).forEach(([field, rules]) => {
+    if (rules.immutable || rules.immutableAfterCreate) {
+      immutable.push(field);
+    }
+  });
+  (options?.update?.omitFields || []).forEach((f) => {
+    if (!immutable.includes(f)) immutable.push(f);
+  });
+  return immutable;
+}
+function getSystemManagedFields(options = {}) {
+  const systemManaged = [];
+  const fieldRules = options?.fieldRules || {};
+  Object.entries(fieldRules).forEach(([field, rules]) => {
+    if (rules.systemManaged) {
+      systemManaged.push(field);
+    }
+  });
+  return systemManaged;
+}
+function isFieldUpdateAllowed(fieldName, options = {}) {
+  const immutableFields = getImmutableFields(options);
+  const systemManagedFields = getSystemManagedFields(options);
+  return !immutableFields.includes(fieldName) && !systemManagedFields.includes(fieldName);
+}
+function validateUpdateBody(body = {}, options = {}) {
+  const violations = [];
+  const immutableFields = getImmutableFields(options);
+  const systemManagedFields = getSystemManagedFields(options);
+  Object.keys(body).forEach((field) => {
+    if (immutableFields.includes(field)) {
+      violations.push({ field, reason: "Field is immutable" });
+    } else if (systemManagedFields.includes(field)) {
+      violations.push({ field, reason: "Field is system-managed" });
+    }
+  });
+  return {
+    valid: violations.length === 0,
+    violations
+  };
+}
+function jsonTypeFor(def, options, seen) {
+  if (Array.isArray(def)) {
+    if (def[0] === mongoose4.Schema.Types.Mixed) {
+      return { type: "array", items: { type: "object", additionalProperties: true } };
+    }
+    return { type: "array", items: jsonTypeFor(def[0] ?? String, options, seen) };
+  }
+  if (isPlainObject(def) && "type" in def) {
+    const typedDef = def;
+    if (typedDef.enum && Array.isArray(typedDef.enum) && typedDef.enum.length) {
+      return { type: "string", enum: typedDef.enum.map(String) };
+    }
+    if (Array.isArray(typedDef.type)) {
+      const inner = typedDef.type[0] !== void 0 ? typedDef.type[0] : String;
+      if (inner === mongoose4.Schema.Types.Mixed) {
+        return { type: "array", items: { type: "object", additionalProperties: true } };
+      }
+      return { type: "array", items: jsonTypeFor(inner, options, seen) };
+    }
+    if (typedDef.type === String) return { type: "string" };
+    if (typedDef.type === Number) return { type: "number" };
+    if (typedDef.type === Boolean) return { type: "boolean" };
+    if (typedDef.type === Date) {
+      const mode = options?.dateAs || "datetime";
+      return mode === "date" ? { type: "string", format: "date" } : { type: "string", format: "date-time" };
+    }
+    if (typedDef.type === Map || typedDef.type === mongoose4.Schema.Types.Map) {
+      const ofSchema = jsonTypeFor(typedDef.of || String, options, seen);
+      return { type: "object", additionalProperties: ofSchema };
+    }
+    if (typedDef.type === mongoose4.Schema.Types.Mixed) {
+      return { type: "object", additionalProperties: true };
+    }
+    if (isObjectIdType(typedDef.type)) {
+      return { type: "string", pattern: "^[0-9a-fA-F]{24}$" };
+    }
+    if (isMongooseSchema(typedDef.type)) {
+      const obj = typedDef.type.obj;
+      if (obj && typeof obj === "object") {
+        if (seen.has(obj)) return { type: "object", additionalProperties: true };
+        seen.add(obj);
+        return convertTreeToJsonSchema(obj, options, seen);
+      }
+    }
+  }
+  if (def === String) return { type: "string" };
+  if (def === Number) return { type: "number" };
+  if (def === Boolean) return { type: "boolean" };
+  if (def === Date) {
+    const mode = options?.dateAs || "datetime";
+    return mode === "date" ? { type: "string", format: "date" } : { type: "string", format: "date-time" };
+  }
+  if (isObjectIdType(def)) return { type: "string", pattern: "^[0-9a-fA-F]{24}$" };
+  if (isPlainObject(def)) {
+    if (seen.has(def)) return { type: "object", additionalProperties: true };
+    seen.add(def);
+    return convertTreeToJsonSchema(def, options, seen);
+  }
+  return {};
+}
+function convertTreeToJsonSchema(tree, options, seen = /* @__PURE__ */ new WeakSet()) {
+  if (!tree || typeof tree !== "object") {
+    return { type: "object", properties: {} };
+  }
+  if (seen.has(tree)) {
+    return { type: "object", additionalProperties: true };
+  }
+  seen.add(tree);
+  const properties = {};
+  const required = [];
+  for (const [key, val] of Object.entries(tree || {})) {
+    if (key === "__v" || key === "_id" || key === "id") continue;
+    const cfg = isPlainObject(val) && "type" in val ? val : { };
+    properties[key] = jsonTypeFor(val, options, seen);
+    if (cfg.required === true) required.push(key);
+  }
+  const schema = { type: "object", properties };
+  if (required.length) schema.required = required;
+  return schema;
+}
+function buildJsonSchemaForCreate(tree, options) {
+  const base = convertTreeToJsonSchema(tree, options, /* @__PURE__ */ new WeakSet());
+  const fieldsToOmit = /* @__PURE__ */ new Set(["createdAt", "updatedAt", "__v"]);
+  (options?.create?.omitFields || []).forEach((f) => fieldsToOmit.add(f));
+  const fieldRules = options?.fieldRules || {};
+  Object.entries(fieldRules).forEach(([field, rules]) => {
+    if (rules.systemManaged) {
+      fieldsToOmit.add(field);
+    }
+  });
+  fieldsToOmit.forEach((field) => {
+    if (base.properties?.[field]) {
+      delete base.properties[field];
+    }
+    if (base.required) {
+      base.required = base.required.filter((k) => k !== field);
+    }
+  });
+  const reqOv = options?.create?.requiredOverrides || {};
+  const optOv = options?.create?.optionalOverrides || {};
+  base.required = base.required || [];
+  for (const [k, v] of Object.entries(reqOv)) {
+    if (v && !base.required.includes(k)) base.required.push(k);
+  }
+  for (const [k, v] of Object.entries(optOv)) {
+    if (v && base.required) base.required = base.required.filter((x) => x !== k);
+  }
+  Object.entries(fieldRules).forEach(([field, rules]) => {
+    if (rules.optional && base.required) {
+      base.required = base.required.filter((x) => x !== field);
+    }
+  });
+  const schemaOverrides = options?.create?.schemaOverrides || {};
+  for (const [k, override] of Object.entries(schemaOverrides)) {
+    if (base.properties?.[k]) {
+      base.properties[k] = override;
+    }
+  }
+  if (options?.strictAdditionalProperties === true) {
+    base.additionalProperties = false;
+  }
+  return base;
+}
+function buildJsonSchemaForUpdate(createJson, options) {
+  const clone = JSON.parse(JSON.stringify(createJson));
+  delete clone.required;
+  const fieldsToOmit = /* @__PURE__ */ new Set();
+  (options?.update?.omitFields || []).forEach((f) => fieldsToOmit.add(f));
+  const fieldRules = options?.fieldRules || {};
+  Object.entries(fieldRules).forEach(([field, rules]) => {
+    if (rules.immutable || rules.immutableAfterCreate) {
+      fieldsToOmit.add(field);
+    }
+  });
+  fieldsToOmit.forEach((field) => {
+    if (clone.properties?.[field]) {
+      delete clone.properties[field];
+    }
+  });
+  if (options?.strictAdditionalProperties === true) {
+    clone.additionalProperties = false;
+  }
+  return clone;
+}
+function buildJsonSchemaForQuery(_tree, options) {
+  const basePagination = {
+    type: "object",
+    properties: {
+      page: { type: "string" },
+      limit: { type: "string" },
+      sort: { type: "string" },
+      populate: { type: "string" },
+      search: { type: "string" },
+      select: { type: "string" },
+      lean: { type: "string" },
+      includeDeleted: { type: "string" }
+    },
+    additionalProperties: true
+  };
+  const filterable = options?.query?.filterableFields || {};
+  for (const [k, v] of Object.entries(filterable)) {
+    if (basePagination.properties) {
+      basePagination.properties[k] = v && typeof v === "object" && "type" in v ? v : { type: "string" };
+    }
+  }
+  return basePagination;
+}
+var QueryParser = class {
+  options;
+  operators = {
+    eq: "$eq",
+    ne: "$ne",
+    gt: "$gt",
+    gte: "$gte",
+    lt: "$lt",
+    lte: "$lte",
+    in: "$in",
+    nin: "$nin",
+    like: "$regex",
+    contains: "$regex",
+    regex: "$regex",
+    exists: "$exists",
+    size: "$size",
+    type: "$type"
+  };
+  /**
+   * Dangerous MongoDB operators that should never be accepted from user input
+   * Security: Prevent NoSQL injection attacks
+   */
+  dangerousOperators;
+  /**
+   * Regex pattern characters that can cause catastrophic backtracking (ReDoS)
+   */
+  dangerousRegexPatterns = /(\{[0-9,]+\}|\*\+|\+\+|\?\+|(\([^)]*\))\1|\(\?[^)]*\)|[\[\]].*[\[\]])/;
+  constructor(options = {}) {
+    this.options = {
+      maxRegexLength: options.maxRegexLength ?? 500,
+      maxSearchLength: options.maxSearchLength ?? 200,
+      maxFilterDepth: options.maxFilterDepth ?? 10,
+      additionalDangerousOperators: options.additionalDangerousOperators ?? []
+    };
+    this.dangerousOperators = [
+      "$where",
+      "$function",
+      "$accumulator",
+      "$expr",
+      ...this.options.additionalDangerousOperators
+    ];
+  }
+  /**
+   * Parse query parameters into MongoDB query format
+   */
+  parseQuery(query) {
+    const {
+      page,
+      limit = 20,
+      sort = "-createdAt",
+      populate,
+      search,
+      after,
+      cursor,
+      ...filters
+    } = query || {};
+    const parsed = {
+      filters: this._parseFilters(filters),
+      limit: parseInt(String(limit), 10),
+      sort: this._parseSort(sort),
+      populate,
+      search: this._sanitizeSearch(search)
+    };
+    if (after || cursor) {
+      parsed.after = after || cursor;
+    } else if (page !== void 0) {
+      parsed.page = parseInt(String(page), 10);
+    } else {
+      parsed.page = 1;
+    }
+    const orGroup = this._parseOr(query);
+    if (orGroup) {
+      parsed.filters = { ...parsed.filters, $or: orGroup };
+    }
+    parsed.filters = this._enhanceWithBetween(parsed.filters);
+    return parsed;
+  }
+  /**
+   * Parse sort parameter
+   * Converts string like '-createdAt' to { createdAt: -1 }
+   * Handles multiple sorts: '-createdAt,name' → { createdAt: -1, name: 1 }
+   */
+  _parseSort(sort) {
+    if (!sort) return void 0;
+    if (typeof sort === "object") return sort;
+    const sortObj = {};
+    const fields = sort.split(",").map((s) => s.trim());
+    for (const field of fields) {
+      if (field.startsWith("-")) {
+        sortObj[field.substring(1)] = -1;
+      } else {
+        sortObj[field] = 1;
+      }
+    }
+    return sortObj;
+  }
+  /**
+   * Parse standard filter parameter (filter[field]=value)
+   */
+  _parseFilters(filters) {
+    const parsedFilters = {};
+    const regexFields = {};
+    for (const [key, value] of Object.entries(filters)) {
+      if (this.dangerousOperators.includes(key) || key.startsWith("$") && !["$or", "$and"].includes(key)) {
+        console.warn(`[mongokit] Blocked dangerous operator: ${key}`);
+        continue;
+      }
+      if (["page", "limit", "sort", "populate", "search", "select", "lean", "includeDeleted"].includes(key)) {
+        continue;
+      }
+      const operatorMatch = key.match(/^(.+)\[(.+)\]$/);
+      if (operatorMatch) {
+        const [, , operator] = operatorMatch;
+        if (this.dangerousOperators.includes("$" + operator)) {
+          console.warn(`[mongokit] Blocked dangerous operator: ${operator}`);
+          continue;
+        }
+        this._handleOperatorSyntax(parsedFilters, regexFields, operatorMatch, value);
+        continue;
+      }
+      if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+        this._handleBracketSyntax(key, value, parsedFilters);
+      } else {
+        parsedFilters[key] = this._convertValue(value);
+      }
+    }
+    return parsedFilters;
+  }
+  /**
+   * Handle operator syntax: field[operator]=value
+   */
+  _handleOperatorSyntax(filters, regexFields, operatorMatch, value) {
+    const [, field, operator] = operatorMatch;
+    if (operator.toLowerCase() === "options" && regexFields[field]) {
+      const fieldValue = filters[field];
+      if (typeof fieldValue === "object" && fieldValue !== null && "$regex" in fieldValue) {
+        fieldValue.$options = value;
+      }
+      return;
+    }
+    if (operator.toLowerCase() === "contains" || operator.toLowerCase() === "like") {
+      const safeRegex = this._createSafeRegex(value);
+      if (safeRegex) {
+        filters[field] = { $regex: safeRegex };
+        regexFields[field] = true;
+      }
+      return;
+    }
+    const mongoOperator = this._toMongoOperator(operator);
+    if (this.dangerousOperators.includes(mongoOperator)) {
+      console.warn(`[mongokit] Blocked dangerous operator in field[${operator}]: ${mongoOperator}`);
+      return;
+    }
+    if (mongoOperator === "$eq") {
+      filters[field] = value;
+    } else if (mongoOperator === "$regex") {
+      filters[field] = { $regex: value };
+      regexFields[field] = true;
+    } else {
+      if (typeof filters[field] !== "object" || filters[field] === null || Array.isArray(filters[field])) {
+        filters[field] = {};
+      }
+      let processedValue;
+      const op = operator.toLowerCase();
+      if (["gt", "gte", "lt", "lte", "size"].includes(op)) {
+        processedValue = parseFloat(String(value));
+        if (isNaN(processedValue)) return;
+      } else if (op === "in" || op === "nin") {
+        processedValue = Array.isArray(value) ? value : String(value).split(",").map((v) => v.trim());
+      } else {
+        processedValue = this._convertValue(value);
+      }
+      filters[field][mongoOperator] = processedValue;
+    }
+  }
+  /**
+   * Handle bracket syntax with object value
+   */
+  _handleBracketSyntax(field, operators, parsedFilters) {
+    if (!parsedFilters[field]) {
+      parsedFilters[field] = {};
+    }
+    for (const [operator, value] of Object.entries(operators)) {
+      if (operator === "between") {
+        parsedFilters[field].between = value;
+        continue;
+      }
+      if (this.operators[operator]) {
+        const mongoOperator = this.operators[operator];
+        let processedValue;
+        if (["gt", "gte", "lt", "lte", "size"].includes(operator)) {
+          processedValue = parseFloat(String(value));
+          if (isNaN(processedValue)) continue;
+        } else if (operator === "in" || operator === "nin") {
+          processedValue = Array.isArray(value) ? value : String(value).split(",").map((v) => v.trim());
+        } else if (operator === "like" || operator === "contains") {
+          const safeRegex = this._createSafeRegex(value);
+          if (!safeRegex) continue;
+          processedValue = safeRegex;
+        } else {
+          processedValue = this._convertValue(value);
+        }
+        parsedFilters[field][mongoOperator] = processedValue;
+      }
+    }
+  }
+  /**
+   * Convert operator to MongoDB format
+   */
+  _toMongoOperator(operator) {
+    const op = operator.toLowerCase();
+    return op.startsWith("$") ? op : "$" + op;
+  }
+  /**
+   * Create a safe regex pattern with protection against ReDoS attacks
+   * @param pattern - The pattern string from user input
+   * @param flags - Regex flags (default: 'i' for case-insensitive)
+   * @returns A safe RegExp or null if pattern is invalid/dangerous
+   */
+  _createSafeRegex(pattern, flags = "i") {
+    if (pattern === null || pattern === void 0) {
+      return null;
+    }
+    const patternStr = String(pattern);
+    if (patternStr.length > this.options.maxRegexLength) {
+      console.warn(`[mongokit] Regex pattern too long (${patternStr.length} > ${this.options.maxRegexLength}), truncating`);
+      return new RegExp(this._escapeRegex(patternStr.substring(0, this.options.maxRegexLength)), flags);
+    }
+    if (this.dangerousRegexPatterns.test(patternStr)) {
+      console.warn("[mongokit] Potentially dangerous regex pattern detected, escaping");
+      return new RegExp(this._escapeRegex(patternStr), flags);
+    }
+    try {
+      return new RegExp(patternStr, flags);
+    } catch {
+      return new RegExp(this._escapeRegex(patternStr), flags);
+    }
+  }
+  /**
+   * Escape special regex characters for literal matching
+   */
+  _escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  }
+  /**
+   * Sanitize text search query for MongoDB $text search
+   * @param search - Raw search input from user
+   * @returns Sanitized search string or undefined
+   */
+  _sanitizeSearch(search) {
+    if (search === null || search === void 0 || search === "") {
+      return void 0;
+    }
+    let searchStr = String(search).trim();
+    if (!searchStr) {
+      return void 0;
+    }
+    if (searchStr.length > this.options.maxSearchLength) {
+      console.warn(`[mongokit] Search query too long (${searchStr.length} > ${this.options.maxSearchLength}), truncating`);
+      searchStr = searchStr.substring(0, this.options.maxSearchLength);
+    }
+    return searchStr;
+  }
+  /**
+   * Convert values based on operator type
+   */
+  _convertValue(value) {
+    if (value === null || value === void 0) return value;
+    if (Array.isArray(value)) return value.map((v) => this._convertValue(v));
+    if (typeof value === "object") return value;
+    const stringValue = String(value);
+    if (stringValue === "true") return true;
+    if (stringValue === "false") return false;
+    if (mongoose4.Types.ObjectId.isValid(stringValue) && stringValue.length === 24) {
+      return stringValue;
+    }
+    return stringValue;
+  }
+  /**
+   * Parse $or conditions
+   */
+  _parseOr(query) {
+    const orArray = [];
+    const raw = query?.or || query?.OR || query?.$or;
+    if (!raw) return void 0;
+    const items = Array.isArray(raw) ? raw : typeof raw === "object" ? Object.values(raw) : [];
+    for (const item of items) {
+      if (typeof item === "object" && item) {
+        orArray.push(this._parseFilters(item));
+      }
+    }
+    return orArray.length ? orArray : void 0;
+  }
+  /**
+   * Enhance filters with between operator
+   */
+  _enhanceWithBetween(filters) {
+    const output = { ...filters };
+    for (const [key, value] of Object.entries(filters || {})) {
+      if (value && typeof value === "object" && "between" in value) {
+        const between = value.between;
+        const [from, to] = String(between).split(",").map((s) => s.trim());
+        const fromDate = from ? new Date(from) : void 0;
+        const toDate = to ? new Date(to) : void 0;
+        const range = {};
+        if (fromDate && !isNaN(fromDate.getTime())) range.$gte = fromDate;
+        if (toDate && !isNaN(toDate.getTime())) range.$lte = toDate;
+        output[key] = range;
+      }
+    }
+    return output;
+  }
+};
+var defaultQueryParser = new QueryParser();
+var queryParser_default = defaultQueryParser;
 // src/actions/index.ts
 var actions_exports = {};
@@ -2333,4 +3022,4 @@ var index_default = Repository;
  * ```
  */
-export { PaginationEngine, Repository, actions_exports as actions, aggregateHelpersPlugin, auditLogPlugin, autoInject, batchOperationsPlugin, blockIf, cachePlugin, cascadePlugin, createError, createFieldPreset, createMemoryCache, createRepository, index_default as default, fieldFilterPlugin, filterResponseData, getFieldsForUser, getMongooseProjection, immutableField, methodRegistryPlugin, mongoOperationsPlugin, requireField, softDeletePlugin, subdocumentPlugin, timestampPlugin, uniqueField, validationChainPlugin };
+export { PaginationEngine, QueryParser, Repository, actions_exports as actions, aggregateHelpersPlugin, auditLogPlugin, autoInject, batchOperationsPlugin, blockIf, buildCrudSchemasFromModel, buildCrudSchemasFromMongooseSchema, cachePlugin, cascadePlugin, createError, createFieldPreset, createMemoryCache, createRepository, index_default as default, fieldFilterPlugin, filterResponseData, getFieldsForUser, getImmutableFields, getMongooseProjection, getSystemManagedFields, immutableField, isFieldUpdateAllowed, methodRegistryPlugin, mongoOperationsPlugin, queryParser_default as queryParser, requireField, softDeletePlugin, subdocumentPlugin, timestampPlugin, uniqueField, validateUpdateBody, validationChainPlugin };