@directus/api 32.0.1 → 32.1.0

package/dist/auth/drivers/oauth2.d.ts

@@ -5,12 +5,11 @@ import type { RoleMap } from '../../types/rolemap.js';
 import { LocalAuthDriver } from './local.js';
 export declare class OAuth2AuthDriver extends LocalAuthDriver {
     client: Client;
-    redirectUrl: string;
     config: Record<string, any>;
     roleMap: RoleMap;
     constructor(options: AuthDriverOptions, config: Record<string, any>);
     generateCodeVerifier(): string;
-    generateAuthUrl(codeVerifier: string, prompt?: boolean): string;
+    generateAuthUrl(codeVerifier: string, prompt?: boolean, callbackUrl?: string): string;
     private fetchUserId;
     getUserID(payload: Record<string, any>): Promise<string>;
     login(user: User): Promise<void>;

package/dist/auth/drivers/oauth2.js

@@ -16,40 +16,37 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
+import { getSchema } from '../../utils/get-schema.js';
 import { getSecret } from '../../utils/get-secret.js';
-import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { verifyJWT } from '../../utils/jwt.js';
 import { Url } from '../../utils/url.js';
+import { generateCallbackUrl } from '../utils/generate-callback-url.js';
+import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
 import { LocalAuthDriver } from './local.js';
-import { getSchema } from '../../utils/get-schema.js';
 export class OAuth2AuthDriver extends LocalAuthDriver {
     client;
-    redirectUrl;
     config;
     roleMap;
     constructor(options, config) {
         super(options, config);
-        const env = useEnv();
         const logger = useLogger();
         const { authorizeUrl, accessUrl, profileUrl, clientId, clientSecret, ...additionalConfig } = config;
         if (!authorizeUrl || !accessUrl || !profileUrl || !clientId || !clientSecret || !additionalConfig['provider']) {
             logger.error('Invalid provider config');
             throw new InvalidProviderConfigError({ provider: additionalConfig['provider'] });
         }
-        const redirectUrl = new Url(env['PUBLIC_URL']).addPath('auth', 'login', additionalConfig['provider'], 'callback');
-        this.redirectUrl = redirectUrl.toString();
         this.config = additionalConfig;
         this.roleMap = {};
         const roleMapping = this.config['roleMapping'];
-        if (roleMapping) {
-            this.roleMap = roleMapping;
-        }
         // role mapping will fail on login if AUTH_<provider>_ROLE_MAPPING is an array instead of an object.
         // This happens if the 'json:' prefix is missing from the variable declaration. To save the user from exhaustive debugging, we'll try to fail early here.
         if (roleMapping instanceof Array) {
             logger.error("[OAuth2] Expected a JSON-Object as role mapping, got an Array instead. Make sure you declare the variable with 'json:' prefix.");
             throw new InvalidProviderError();
         }
+        if (roleMapping) {
+            this.roleMap = roleMapping;
+        }
         const issuer = new Issuer({
             authorization_endpoint: authorizeUrl,
             token_endpoint: accessUrl,
@@ -67,7 +64,6 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
         this.client = new issuer.Client({
             client_id: clientId,
             client_secret: clientSecret,
-            redirect_uris: [this.redirectUrl],
             response_types: ['code'],
             ...clientOptionsOverrides,
         });
@@ -75,7 +71,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
     generateCodeVerifier() {
         return generators.codeVerifier();
     }
-    generateAuthUrl(codeVerifier, prompt = false) {
+    generateAuthUrl(codeVerifier, prompt = false, callbackUrl) {
         const { plainCodeChallenge } = this.config;
         try {
             const codeChallenge = plainCodeChallenge ? codeVerifier : generators.codeChallenge(codeVerifier);
@@ -89,6 +85,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
                 code_challenge_method: plainCodeChallenge ? 'plain' : 'S256',
                 // Some providers require state even with PKCE
                 state: codeChallenge,
+                redirect_uri: callbackUrl,
             });
         }
         catch (e) {
@@ -116,7 +113,7 @@ export class OAuth2AuthDriver extends LocalAuthDriver {
             const codeChallenge = plainCodeChallenge
                 ? payload['codeVerifier']
                 : generators.codeChallenge(payload['codeVerifier']);
-            tokenSet = await this.client.oauthCallback(this.redirectUrl, { code: payload['code'], state: payload['state'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge });
+            tokenSet = await this.client.oauthCallback(payload['redirectUri'], { code: payload['code'], state: payload['state'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge });
             userInfo = await this.client.userinfo(tokenSet.access_token);
         }
         catch (e) {
@@ -275,12 +272,19 @@ export function createOAuth2AuthRouter(providerName) {
         const provider = getAuthProvider(providerName);
         const codeVerifier = provider.generateCodeVerifier();
         const prompt = !!req.query['prompt'];
-        const redirect = req.query['redirect'];
         const otp = req.query['otp'];
-        if (isLoginRedirectAllowed(redirect, providerName) === false) {
+        const redirect = req.query['redirect'];
+        if (!isLoginRedirectAllowed(providerName, `${req.protocol}://${req.hostname}`, redirect)) {
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
-        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt, otp }, getSecret(), {
+        const callbackUrl = generateCallbackUrl(providerName, `${req.protocol}://${req.get('host')}`);
+        const token = jwt.sign({
+            verifier: codeVerifier,
+            redirect,
+            prompt,
+            otp,
+            callbackUrl,
+        }, getSecret(), {
             expiresIn: '5m',
             issuer: 'directus',
         });
@@ -288,7 +292,7 @@ export function createOAuth2AuthRouter(providerName) {
             httpOnly: true,
             sameSite: 'lax',
         });
-        return res.redirect(provider.generateAuthUrl(codeVerifier, prompt));
+        return res.redirect(provider.generateAuthUrl(codeVerifier, prompt, callbackUrl));
     }, respond);
     router.post('/callback', express.urlencoded({ extended: false }), (req, res) => {
         res.redirect(303, `./callback?${new URLSearchParams(req.body)}`);
@@ -303,7 +307,7 @@ export function createOAuth2AuthRouter(providerName) {
             logger.warn(e, `[OAuth2] Couldn't verify OAuth2 cookie`);
             throw new InvalidCredentialsError();
         }
-        const { verifier, prompt, otp } = tokenData;
+        const { verifier, prompt, otp, callbackUrl } = tokenData;
         let { redirect } = tokenData;
         const accountability = createDefaultAccountability({
             ip: getIPFromReq(req),
@@ -326,6 +330,7 @@ export function createOAuth2AuthRouter(providerName) {
                 code: req.query['code'],
                 codeVerifier: verifier,
                 state: req.query['state'],
+                callbackUrl,
             }, { session: authMode === 'session', ...(otp ? { otp: String(otp) } : {}) });
         }
         catch (error) {

package/dist/auth/drivers/openid.d.ts

@@ -5,13 +5,12 @@ import type { RoleMap } from '../../types/rolemap.js';
 import { LocalAuthDriver } from './local.js';
 export declare class OpenIDAuthDriver extends LocalAuthDriver {
     client: null | Client;
-    redirectUrl: string;
     config: Record<string, any>;
     roleMap: RoleMap;
     constructor(options: AuthDriverOptions, config: Record<string, any>);
     private getClient;
     generateCodeVerifier(): string;
-    generateAuthUrl(codeVerifier: string, prompt?: boolean): Promise<string>;
+    generateAuthUrl(codeVerifier: string, prompt?: boolean, callbackUrl?: string): Promise<string>;
     private fetchUserId;
     getUserID(payload: Record<string, any>): Promise<string>;
     login(user: User): Promise<void>;

package/dist/auth/drivers/openid.js

@@ -16,20 +16,19 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getIPFromReq } from '../../utils/get-ip-from-req.js';
+import { getSchema } from '../../utils/get-schema.js';
 import { getSecret } from '../../utils/get-secret.js';
-import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { verifyJWT } from '../../utils/jwt.js';
 import { Url } from '../../utils/url.js';
+import { generateCallbackUrl } from '../utils/generate-callback-url.js';
+import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
 import { LocalAuthDriver } from './local.js';
-import { getSchema } from '../../utils/get-schema.js';
 export class OpenIDAuthDriver extends LocalAuthDriver {
     client;
-    redirectUrl;
     config;
     roleMap;
     constructor(options, config) {
         super(options, config);
-        const env = useEnv();
         const logger = useLogger();
         const { issuerUrl, clientId, clientSecret, clientPrivateKeys, clientTokenEndpointAuthMethod, provider, issuerDiscoveryMustSucceed, } = config;
         const isPrivateKeyJwtAuthMethod = clientTokenEndpointAuthMethod === 'private_key_jwt';
@@ -37,8 +36,6 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
             logger.error('Invalid provider config');
             throw new InvalidProviderConfigError({ provider });
         }
-        const redirectUrl = new Url(env['PUBLIC_URL']).addPath('auth', 'login', provider, 'callback');
-        this.redirectUrl = redirectUrl.toString();
         this.config = config;
         this.roleMap = {};
         const roleMapping = this.config['roleMapping'];
@@ -98,7 +95,6 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
         const client = new issuer.Client({
             client_id: clientId,
             ...(!isPrivateKeyJwtAuthMethod && { client_secret: clientSecret }),
-            redirect_uris: [this.redirectUrl],
             response_types: ['code'],
             ...clientOptionsOverrides,
         }, isPrivateKeyJwtAuthMethod ? { keys: clientPrivateKeys } : undefined);
@@ -116,7 +112,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
     generateCodeVerifier() {
         return generators.codeVerifier();
     }
-    async generateAuthUrl(codeVerifier, prompt = false) {
+    async generateAuthUrl(codeVerifier, prompt = false, callbackUrl) {
         const { plainCodeChallenge } = this.config;
         try {
             const client = await this.getClient();
@@ -132,6 +128,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
                 // Some providers require state even with PKCE
                 state: codeChallenge,
                 nonce: codeChallenge,
+                redirect_uri: callbackUrl,
             });
         }
         catch (e) {
@@ -160,7 +157,7 @@ export class OpenIDAuthDriver extends LocalAuthDriver {
             const codeChallenge = plainCodeChallenge
                 ? payload['codeVerifier']
                 : generators.codeChallenge(payload['codeVerifier']);
-            tokenSet = await client.callback(this.redirectUrl, { code: payload['code'], state: payload['state'], iss: payload['iss'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge, nonce: codeChallenge });
+            tokenSet = await client.callback(payload['callbackUrl'], { code: payload['code'], state: payload['state'], iss: payload['iss'] }, { code_verifier: payload['codeVerifier'], state: codeChallenge, nonce: codeChallenge });
             userInfo = tokenSet.claims();
             if (client.issuer.metadata['userinfo_endpoint']) {
                 userInfo = {
@@ -329,10 +326,17 @@ export function createOpenIDAuthRouter(providerName) {
         const prompt = !!req.query['prompt'];
         const redirect = req.query['redirect'];
         const otp = req.query['otp'];
-        if (isLoginRedirectAllowed(redirect, providerName) === false) {
+        if (!isLoginRedirectAllowed(providerName, `${req.protocol}://${req.hostname}`, redirect)) {
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
-        const token = jwt.sign({ verifier: codeVerifier, redirect, prompt, otp }, getSecret(), {
+        const callbackUrl = generateCallbackUrl(providerName, `${req.protocol}://${req.get('host')}`);
+        const token = jwt.sign({
+            verifier: codeVerifier,
+            redirect,
+            prompt,
+            otp,
+            callbackUrl,
+        }, getSecret(), {
             expiresIn: (env[`AUTH_${providerName.toUpperCase()}_LOGIN_TIMEOUT`] ?? '5m'),
             issuer: 'directus',
         });
@@ -341,7 +345,7 @@ export function createOpenIDAuthRouter(providerName) {
             sameSite: 'lax',
         });
         try {
-            return res.redirect(await provider.generateAuthUrl(codeVerifier, prompt));
+            return res.redirect(await provider.generateAuthUrl(codeVerifier, prompt, callbackUrl));
         }
         catch {
             return res.redirect(new Url(env['PUBLIC_URL'])
@@ -365,7 +369,7 @@ export function createOpenIDAuthRouter(providerName) {
             const url = new Url(env['PUBLIC_URL']).addPath('admin', 'login');
             return res.redirect(`${url.toString()}?reason=${ErrorCode.InvalidCredentials}`);
         }
-        const { verifier, prompt, otp } = tokenData;
+        const { verifier, prompt, otp, callbackUrl } = tokenData;
         let { redirect } = tokenData;
         const accountability = createDefaultAccountability({ ip: getIPFromReq(req) });
         const userAgent = req.get('user-agent')?.substring(0, 1024);
@@ -387,6 +391,7 @@ export function createOpenIDAuthRouter(providerName) {
                 codeVerifier: verifier,
                 state: req.query['state'],
                 iss: req.query['iss'],
+                callbackUrl,
             }, { session: authMode === 'session', ...(otp ? { otp: String(otp) } : {}) });
         }
         catch (error) {

package/dist/auth/drivers/saml.js

@@ -13,8 +13,8 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { LocalAuthDriver } from './local.js';
-import { isLoginRedirectAllowed } from '../../utils/is-login-redirect-allowed.js';
 import { getSchema } from '../../utils/get-schema.js';
+import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
 // Register the samlify schema validator
 samlify.setSchemaValidator(validator);
 export class SAMLAuthDriver extends LocalAuthDriver {
@@ -95,7 +95,7 @@ export function createSAMLAuthRouter(providerName) {
         const parsedUrl = new URL(url);
         if (req.query['redirect']) {
             const redirect = req.query['redirect'];
-            if (isLoginRedirectAllowed(redirect, providerName) === false) {
+            if (!isLoginRedirectAllowed(providerName, `${req.protocol}://${req.hostname}`, redirect)) {
                 throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
             }
             parsedUrl.searchParams.append('RelayState', redirect);

package/dist/auth/utils/generate-callback-url.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Generate callback URL from origin
+ *
+ * @param string Origin URL
+ * @param providerName OAuth provider name
+ * @returns url
+ */
+export declare function generateCallbackUrl(providerName: string, originUrl: string): string;

package/dist/auth/utils/generate-callback-url.js

@@ -0,0 +1,11 @@
+import { Url } from '../../utils/url.js';
+/**
+ * Generate callback URL from origin
+ *
+ * @param string Origin URL
+ * @param providerName OAuth provider name
+ * @returns url
+ */
+export function generateCallbackUrl(providerName, originUrl) {
+    return new Url(originUrl).addPath('auth', 'login', providerName, 'callback').toString();
+}

package/dist/auth/utils/is-login-redirect-allowed.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Check if the redirect URL is allowed
+ * @param originUrl Origin URL
+ * @param provider OAuth provider name
+ * @param redirect URL to redirect to
+ * @returns True if the redirect is allowed, false otherwise
+ */
+export declare function isLoginRedirectAllowed(provider: string, originUrl: string, redirect: unknown): boolean;

package/dist/{utils → auth/utils}/is-login-redirect-allowed.js

@@ -1,19 +1,23 @@
 import { useEnv } from '@directus/env';
 import { toArray } from '@directus/utils';
-import { useLogger } from '../logger/index.js';
-import isUrlAllowed from './is-url-allowed.js';
+import { useLogger } from '../../logger/index.js';
+import isUrlAllowed from '../../utils/is-url-allowed.js';
 /**
- * Checks if the defined redirect after successful SSO login is in the allow list
+ * Check if the redirect URL is allowed
+ * @param originUrl Origin URL
+ * @param provider OAuth provider name
+ * @param redirect URL to redirect to
+ * @returns True if the redirect is allowed, false otherwise
  */
-export function isLoginRedirectAllowed(redirect, provider) {
+export function isLoginRedirectAllowed(provider, originUrl, redirect) {
     if (!redirect)
         return true; // empty redirect
     if (typeof redirect !== 'string')
         return false; // invalid type
     const env = useEnv();
     const publicUrl = env['PUBLIC_URL'];
-    if (URL.canParse(redirect) === false) {
-        if (redirect.startsWith('//') === false) {
+    if (!URL.canParse(redirect)) {
+        if (!redirect.startsWith('//')) {
             // should be a relative path like `/admin/test`
             return true;
         }
@@ -21,6 +25,10 @@ export function isLoginRedirectAllowed(redirect, provider) {
         return false;
     }
     const { protocol: redirectProtocol, hostname: redirectDomain } = new URL(redirect);
+    const redirectUrl = `${redirectProtocol}//${redirectDomain}`;
+    // Security check: redirect URL must match the request origin
+    if (redirectUrl !== originUrl)
+        return false;
     const envKey = `AUTH_${provider.toUpperCase()}_REDIRECT_ALLOW_LIST`;
     if (envKey in env) {
         if (isUrlAllowed(redirect, [...toArray(env[envKey]), publicUrl]))
@@ -30,7 +38,7 @@ export function isLoginRedirectAllowed(redirect, provider) {
         useLogger().error('Invalid PUBLIC_URL for login redirect');
         return false;
     }
-    // allow redirects to the defined PUBLIC_URL
     const { protocol: publicProtocol, hostname: publicDomain } = new URL(publicUrl);
-    return `${redirectProtocol}//${redirectDomain}` === `${publicProtocol}//${publicDomain}`;
+    // allow redirects to the defined PUBLIC_URL
+    return redirectUrl === `${publicProtocol}//${publicDomain}`;
 }

package/dist/controllers/extensions.js

@@ -74,6 +74,9 @@ router.get('/registry', asyncHandler(async (req, res, next) => {
     return next();
 }), respond);
 router.get(`/registry/account/:pk(${UUID_REGEX})`, asyncHandler(async (req, res, next) => {
+    if (req.accountability && req.accountability.admin !== true) {
+        throw new ForbiddenError();
+    }
     if (typeof req.params['pk'] !== 'string') {
         throw new ForbiddenError();
     }
@@ -86,6 +89,9 @@ router.get(`/registry/account/:pk(${UUID_REGEX})`, asyncHandler(async (req, res,
     return next();
 }), respond);
 router.get(`/registry/extension/:pk(${UUID_REGEX})`, asyncHandler(async (req, res, next) => {
+    if (req.accountability && req.accountability.admin !== true) {
+        throw new ForbiddenError();
+    }
     if (typeof req.params['pk'] !== 'string') {
         throw new ForbiddenError();
     }

package/dist/extensions/lib/installation/manager.js

@@ -1,5 +1,5 @@
 import { useEnv } from '@directus/env';
-import { ServiceUnavailableError } from '@directus/errors';
+import { ErrorCode, isDirectusError, ServiceUnavailableError } from '@directus/errors';
 import { EXTENSION_PKG_KEY, ExtensionManifest } from '@directus/extensions';
 import { download } from '@directus/extensions-registry';
 import DriverLocal from '@directus/storage-driver-local';
@@ -25,7 +25,13 @@ export class InstallationManager {
             if (env['MARKETPLACE_REGISTRY'] && typeof env['MARKETPLACE_REGISTRY'] === 'string') {
                 options.registry = env['MARKETPLACE_REGISTRY'];
             }
-            const tarReadableStream = await download(versionId, env['MARKETPLACE_TRUST'] === 'sandbox', options);
+            let tarReadableStream;
+            try {
+                tarReadableStream = await download(versionId, env['MARKETPLACE_TRUST'] === 'sandbox', options);
+            }
+            catch (error) {
+                throw new ServiceUnavailableError({ service: 'marketplace', reason: 'Could not download the extension' }, { cause: error });
+            }
             if (!tarReadableStream) {
                 throw new Error(`No readable stream returned from download`);
             }
@@ -65,7 +71,11 @@ export class InstallationManager {
         }
         catch (err) {
             logger.warn(err);
-            throw new ServiceUnavailableError({ service: 'marketplace', reason: 'Could not download and extract the extension' }, { cause: err });
+            // rethrow marketplace servic unavailable
+            if (isDirectusError(err, ErrorCode.ServiceUnavailable)) {
+                throw err;
+            }
+            throw new ServiceUnavailableError({ service: 'extensions', reason: 'Failed to extract the extension or write it to storage' }, { cause: err });
         }
         finally {
             await rm(tempDir, { recursive: true });

package/dist/mcp/tools/prompts/flows.md

@@ -247,12 +247,55 @@ UI button that users click to start flows
 - Data chain variable syntax
 - Operation-specific configuration
 
-**Workflow Process:**
+**Critical Workflow - Follow This Order:**
 
-1. Create flow first to get flow ID
-2. Use `operations` tool to add/manage operations
-3. Operations execute in sequence based on resolve/reject paths
-4. Link operations via UUIDs in resolve/reject fields </operations_integration>
+1. Create flow first (using `flows` tool)
+2. Create all operations with null resolve/reject initially (using `operations` tool)
+3. Link operations together using UUIDs from step 2
+4. Update flow to set first operation as entry point
+
+**Why This Order:** Operations must exist before they can be referenced. UUIDs only available after creation.
+
+**Complete Example:**
+
+```json
+// Step 1: Create flow
+{"action": "create", "data": {
+  "name": "Email on Post Published",
+  "trigger": "event",
+  "options": {"type": "action", "scope": ["items.create"], "collections": ["posts"]}
+}}
+// Returns: {"id": "flow-uuid-123"}
+
+// Step 2: Create operations with null connections
+{"action": "create", "data": {
+  "flow": "flow-uuid-123", "key": "check_status", "type": "condition",
+  "position_x": 19, "position_y": 1,
+  "options": {"filter": {"$trigger": {"payload": {"status": {"_eq": "published"}}}}},
+  "resolve": null, "reject": null
+}}
+// Returns: {"id": "condition-uuid-456"}
+
+{"action": "create", "data": {
+  "flow": "flow-uuid-123", "key": "send_email", "type": "mail",
+  "position_x": 37, "position_y": 1,
+  "options": {"to": ["admin@example.com"], "subject": "New post", "body": "{{$trigger.payload.title}}"},
+  "resolve": null, "reject": null
+}}
+// Returns: {"id": "email-uuid-789"}
+
+// Step 3: Link operations via UUIDs
+{"action": "update", "key": "condition-uuid-456", "data": {
+  "resolve": "email-uuid-789"
+}}
+
+// Step 4: Set flow entry point
+{"action": "update", "key": "flow-uuid-123", "data": {
+  "operation": "condition-uuid-456"
+}}
+```
+
+</operations_integration>
 
 <flow_chaining>
 
@@ -319,15 +362,17 @@ UI button that users click to start flows
 
 ## Data Chain Access
 
-**See the `operations` tool for complete data chain syntax and examples.**
+Operations can access data using `{{ variable }}` syntax:
 
-Operations can access:
+- `{{ $trigger.payload }}` - Trigger data
+- `{{ $accountability.user }}` - User context
+- `{{ $env.VARIABLE_NAME }}` - Environment variables
+- `{{ operation_key }}` - Result from specific operation (recommended)
+- `{{ operation_key.field }}` - Specific field from operation result
+- `{{ $last }}` - Previous operation result (⚠️ avoid - breaks when reordered)
 
-- `$trigger` - Initial trigger data
-- `$accountability` - User/permission context
-- `$env` - Environment variables
-- `<operationKey>` - Result of specific operation (recommended)
-- `$last` - Result of previous operation (avoid - breaks when reordered) </data_chain_warning>
+**Always use operation keys** for reliable flows. If you reorder operations, `$last` will reference a different
+operation. </data_chain_warning>
 
 <real_world_examples>