@directus/api 32.0.2 → 32.1.1

package/dist/controllers/extensions.js

@@ -74,6 +74,9 @@ router.get('/registry', asyncHandler(async (req, res, next) => {
     return next();
 }), respond);
 router.get(`/registry/account/:pk(${UUID_REGEX})`, asyncHandler(async (req, res, next) => {
+    if (req.accountability && req.accountability.admin !== true) {
+        throw new ForbiddenError();
+    }
     if (typeof req.params['pk'] !== 'string') {
         throw new ForbiddenError();
     }
@@ -86,6 +89,9 @@ router.get(`/registry/account/:pk(${UUID_REGEX})`, asyncHandler(async (req, res,
     return next();
 }), respond);
 router.get(`/registry/extension/:pk(${UUID_REGEX})`, asyncHandler(async (req, res, next) => {
+    if (req.accountability && req.accountability.admin !== true) {
+        throw new ForbiddenError();
+    }
     if (typeof req.params['pk'] !== 'string') {
         throw new ForbiddenError();
     }

package/dist/extensions/lib/installation/manager.js

@@ -1,5 +1,5 @@
 import { useEnv } from '@directus/env';
-import { ServiceUnavailableError } from '@directus/errors';
+import { ErrorCode, isDirectusError, ServiceUnavailableError } from '@directus/errors';
 import { EXTENSION_PKG_KEY, ExtensionManifest } from '@directus/extensions';
 import { download } from '@directus/extensions-registry';
 import DriverLocal from '@directus/storage-driver-local';
@@ -25,7 +25,13 @@ export class InstallationManager {
             if (env['MARKETPLACE_REGISTRY'] && typeof env['MARKETPLACE_REGISTRY'] === 'string') {
                 options.registry = env['MARKETPLACE_REGISTRY'];
             }
-            const tarReadableStream = await download(versionId, env['MARKETPLACE_TRUST'] === 'sandbox', options);
+            let tarReadableStream;
+            try {
+                tarReadableStream = await download(versionId, env['MARKETPLACE_TRUST'] === 'sandbox', options);
+            }
+            catch (error) {
+                throw new ServiceUnavailableError({ service: 'marketplace', reason: 'Could not download the extension' }, { cause: error });
+            }
             if (!tarReadableStream) {
                 throw new Error(`No readable stream returned from download`);
             }
@@ -65,7 +71,11 @@ export class InstallationManager {
         }
         catch (err) {
             logger.warn(err);
-            throw new ServiceUnavailableError({ service: 'marketplace', reason: 'Could not download and extract the extension' }, { cause: err });
+            // rethrow marketplace servic unavailable
+            if (isDirectusError(err, ErrorCode.ServiceUnavailable)) {
+                throw err;
+            }
+            throw new ServiceUnavailableError({ service: 'extensions', reason: 'Failed to extract the extension or write it to storage' }, { cause: err });
         }
         finally {
             await rm(tempDir, { recursive: true });

package/dist/mcp/tools/prompts/flows.md

@@ -247,12 +247,55 @@ UI button that users click to start flows
 - Data chain variable syntax
 - Operation-specific configuration
 
-**Workflow Process:**
+**Critical Workflow - Follow This Order:**
 
-1. Create flow first to get flow ID
-2. Use `operations` tool to add/manage operations
-3. Operations execute in sequence based on resolve/reject paths
-4. Link operations via UUIDs in resolve/reject fields </operations_integration>
+1. Create flow first (using `flows` tool)
+2. Create all operations with null resolve/reject initially (using `operations` tool)
+3. Link operations together using UUIDs from step 2
+4. Update flow to set first operation as entry point
+
+**Why This Order:** Operations must exist before they can be referenced. UUIDs only available after creation.
+
+**Complete Example:**
+
+```json
+// Step 1: Create flow
+{"action": "create", "data": {
+  "name": "Email on Post Published",
+  "trigger": "event",
+  "options": {"type": "action", "scope": ["items.create"], "collections": ["posts"]}
+}}
+// Returns: {"id": "flow-uuid-123"}
+
+// Step 2: Create operations with null connections
+{"action": "create", "data": {
+  "flow": "flow-uuid-123", "key": "check_status", "type": "condition",
+  "position_x": 19, "position_y": 1,
+  "options": {"filter": {"$trigger": {"payload": {"status": {"_eq": "published"}}}}},
+  "resolve": null, "reject": null
+}}
+// Returns: {"id": "condition-uuid-456"}
+
+{"action": "create", "data": {
+  "flow": "flow-uuid-123", "key": "send_email", "type": "mail",
+  "position_x": 37, "position_y": 1,
+  "options": {"to": ["admin@example.com"], "subject": "New post", "body": "{{$trigger.payload.title}}"},
+  "resolve": null, "reject": null
+}}
+// Returns: {"id": "email-uuid-789"}
+
+// Step 3: Link operations via UUIDs
+{"action": "update", "key": "condition-uuid-456", "data": {
+  "resolve": "email-uuid-789"
+}}
+
+// Step 4: Set flow entry point
+{"action": "update", "key": "flow-uuid-123", "data": {
+  "operation": "condition-uuid-456"
+}}
+```
+
+</operations_integration>
 
 <flow_chaining>
 
@@ -319,15 +362,17 @@ UI button that users click to start flows
 
 ## Data Chain Access
 
-**See the `operations` tool for complete data chain syntax and examples.**
+Operations can access data using `{{ variable }}` syntax:
 
-Operations can access:
+- `{{ $trigger.payload }}` - Trigger data
+- `{{ $accountability.user }}` - User context
+- `{{ $env.VARIABLE_NAME }}` - Environment variables
+- `{{ operation_key }}` - Result from specific operation (recommended)
+- `{{ operation_key.field }}` - Specific field from operation result
+- `{{ $last }}` - Previous operation result (⚠️ avoid - breaks when reordered)
 
-- `$trigger` - Initial trigger data
-- `$accountability` - User/permission context
-- `$env` - Environment variables
-- `<operationKey>` - Result of specific operation (recommended)
-- `$last` - Result of previous operation (avoid - breaks when reordered) </data_chain_warning>
+**Always use operation keys** for reliable flows. If you reorder operations, `$last` will reference a different
+operation. </data_chain_warning>
 
 <real_world_examples>
 

package/dist/mcp/tools/prompts/operations.md

@@ -146,309 +146,72 @@ can read existing operations to see if they are using extensions operations. </a
 
 <workflow_creation>
 
-## Workflow Creation Process - **ESSENTIAL READING**
+## Workflow Creation Process
 
-**⚠️ CRITICAL**: Follow this exact order or operations will fail
+**Critical Order:** Create flow first → Create operations with null resolve/reject → Link operations via UUIDs → Update
+flow entry point.
 
-<workflow_steps>
-
-### Step-by-Step Process:
-
-1. **Create the flow** using the `flows` tool
-2. **Create all operations** with null resolve/reject initially
-3. **Link operations together** using the UUIDs returned from step 2
-4. **Update the flow** to set the first operation as the entry point
-
-### Why This Order Matters:
-
-- Operations must exist before they can be referenced in resolve/reject fields
-- UUIDs are only available after operations are created
-- The flow needs at least one operation created before setting its entry point </workflow_steps>
-
-<workflow_example>
-
-### Complete Workflow Example:
-
-```json
-// Step 1: Create the flow first (using flows tool)
-{
-  "action": "create",
-  "data": {
-    "name": "Email on Post Published",
-    "trigger": "event",
-    "options": {
-      "type": "action",
-      "scope": ["items.create"],
-      "collections": ["posts"]
-    }
-  }
-}
-// Returns: {"id": "flow-uuid-123", ...}
-
-// Step 2: Create operations with null connections initially
-{"action": "create", "data": {
-  "flow": "flow-uuid-123",
-  "key": "check_status",
-  "type": "condition",
-  "position_x": 19,  // First operation position
-  "position_y": 1,
-  "options": {
-    "filter": {
-      "$trigger": {
-        "payload": {
-          "status": {"_eq": "published"}
-        }
-      }
-    }
-  },
-  "resolve": null,  // Set to null initially
-  "reject": null    // Set to null initially
-}}
-// Returns: {"id": "condition-uuid-456", ...}
-
-{"action": "create", "data": {
-  "flow": "flow-uuid-123",
-  "key": "send_email",
-  "type": "mail",
-  "position_x": 37,  // Second operation position
-  "position_y": 1,
-  "options": {
-    "to": ["admin@example.com"],
-    "subject": "New post published",
-    "body": "Post '{{$trigger.payload.title}}' was published"
-  },
-  "resolve": null,
-  "reject": null
-}}
-// Returns: {"id": "email-uuid-789", ...}
-
-// Step 3: Connect operations using UUIDs (NOT keys)
-{"action": "update", "key": "condition-uuid-456", "data": {
-  "resolve": "email-uuid-789",  // Use UUID from step 2
-  "reject": null                // No error handling operation
-}}
-
-// Step 4: Update flow to set first operation (using flows tool)
-{"action": "update", "key": "flow-uuid-123", "data": {
-  "operation": "condition-uuid-456"  // First operation UUID
-}}
-```
-
-</workflow_example> </workflow_creation>
+**See `flows` tool for complete workflow example with detailed steps.** </workflow_creation>
 
 <positioning_system>
 
-## Grid-Based Positioning - **ALWAYS SET POSITIONS**
-
-**Grid Rules:**
-
-- Each operation: 14x14 grid units
-- Standard spacing: 18 units (19, 37, 55, 73...)
-- Vertical start: `position_y: 1`
-- Never use (0,0) - operations will overlap
-
-**Common Patterns:**
-
-```json
-// Linear flow
-{"position_x": 19, "position_y": 1}  // First
-{"position_x": 37, "position_y": 1}  // Second
-{"position_x": 55, "position_y": 1}  // Third
-
-// Branching (success/error)
-{"position_x": 19, "position_y": 1}   // Main
-{"position_x": 37, "position_y": 1}   // Success (same row)
-{"position_x": 37, "position_y": 19}  // Error (lower row)
-```
-
-</positioning_system>
-
-<operation_examples> <condition> Evaluates filter rules to determine path
-
-```json
-{
-	"type": "condition",
-	"options": {
-		"filter": {
-			"$trigger": {
-				"payload": {
-					"status": { "_eq": "published" }
-				}
-			}
-		}
-	}
-}
-```
-
-<filter_examples>
-
-```json
-// Check if field exists
-{
-  "filter": {
-    "$trigger": {
-      "payload": {
-        "website": {"_nnull": true}
-      }
-    }
-  }
-}
-
-// Multiple conditions (AND) - CORRECTED SYNTAX
-{
-  "filter": {
-    "$trigger": {
-      "payload": {
-        "_and": [
-          {"status": {"_eq": "published"}},
-          {"featured": {"_eq": true}}
-        ]
-      }
-    }
-  }
-}
-```
-
-</filter_examples> </condition>
-
-<item_operations> **Create Items:**
+## Grid Positioning
 
-```json
-{
-	"type": "item-create",
-	"options": {
-		"collection": "notifications",
-		"permissions": "$trigger",
-		"emitEvents": true,
-		"payload": {
-			"title": "{{ $trigger.payload.title }}",
-			"user": "{{ $accountability.user }}"
-		}
-	}
-}
-```
+**Rules:** 14x14 units, spacing every 18 units (example 19/37/55/73). Never (0,0). Start `position_y: 1`.
 
-**Read Items:**
+**Patterns:** Linear (19,1)→(37,1)→(55,1). Branching: success (37,1), error (37,19). </positioning_system>
 
-```json
-{
-	"type": "item-read",
-	"options": {
-		"collection": "products",
-		"permissions": "$full",
-		"query": {
-			"filter": { "status": { "_eq": "active" } },
-			"limit": 10
-		}
-	}
-}
-```
-
-**Update Items:**
+<operation_examples> **condition** - Evaluates filter rules
 
 ```json
-{
-	"type": "item-update",
-	"options": {
-		"collection": "orders",
-		"permissions": "$trigger",
-		"emitEvents": true,
-		"key": "{{ $trigger.payload.id }}",
-		"payload": { "status": "processed" }
-	}
-}
+{ "type": "condition", "options": { "filter": { "$trigger": { "payload": { "status": { "_eq": "published" } } } } } }
+// Multiple: {"_and": [{"status": {"_eq": "published"}}, {"featured": {"_eq": true}}]}
 ```
 
-**Delete Items:**
+**item-create/read/update/delete** - CRUD operations
 
 ```json
-{
-	"type": "item-delete",
-	"options": {
-		"collection": "temp_data",
-		"permissions": "$full",
-		"key": ["{{ read_items[0].id }}"]
-	}
-}
+{"type": "item-create", "options": {"collection": "notifications", "permissions": "$trigger", "payload": {"title": "{{ $trigger.payload.title }}"}}}
+{"type": "item-read", "options": {"collection": "products", "query": {"filter": {"status": {"_eq": "active"}}}}}
+{"type": "item-update", "options": {"collection": "orders", "key": "{{ $trigger.payload.id }}", "payload": {"status": "processed"}}}
+{"type": "item-delete", "options": {"collection": "temp_data", "key": ["{{ read_items[0].id }}"]}}
 ```
 
-</item_operations>
-
-<exec>
-Execute custom JavaScript/TypeScript in isolated sandbox
-
-**⚠️ SECURITY WARNING**: Scripts run sandboxed with NO file system or network access
+**exec** - Custom JavaScript/TypeScript (sandboxed, no file/network access)
 
 ```json
 {
 	"type": "exec",
 	"options": {
-		"code": "module.exports = async function(data) {\n  // Validate input\n  if (!data.$trigger.payload.value) {\n    throw new Error('Missing required value');\n  }\n  \n  // Process data\n  const result = data.$trigger.payload.value * 2;\n  \n  // Return must be valid JSON\n  return {\n    result: result,\n    processed: true\n  };\n}"
+		"code": "module.exports = async function(data) {\n  const result = data.$trigger.payload.value * 2;\n  return { result, processed: true };\n}"
 	}
 }
 ```
 
-**Common Use Cases**: Data transformation, calculations, complex logic, formatting, extracting nested values </exec>
-
-<mail>
-Send email notifications with optional templates
+**mail** - Send email (markdown/wysiwyg/template)
 
 ```json
 {
 	"type": "mail",
 	"options": {
-		"to": ["user@example.com", "{{ $trigger.payload.email }}"],
+		"to": ["user@example.com"],
 		"subject": "Order Confirmation",
-		"type": "markdown", // "markdown" (default), "wysiwyg", or "template"
-		"body": "Your order {{ $trigger.payload.order_id }} has been confirmed.",
-		"cc": ["cc@example.com"], // Optional
-		"bcc": ["bcc@example.com"], // Optional
-		"replyTo": ["reply@example.com"] // Optional
+		"body": "Order {{ $trigger.payload.order_id }}"
 	}
 }
+// Template: {"type": "template", "template": "welcome-email", "data": {"username": "{{ $trigger.payload.name }}"}}
 ```
 
-**Template Mode:**
-
-```json
-{
-	"type": "mail",
-	"options": {
-		"to": ["{{ $trigger.payload.email }}"],
-		"subject": "Welcome!",
-		"type": "template",
-		"template": "welcome-email", // Template name (default: "base")
-		"data": {
-			"username": "{{ $trigger.payload.name }}",
-			"activation_url": "https://example.com/activate/{{ $trigger.payload.token }}"
-		}
-	}
-}
-```
-
-</mail>
-
-<notification>
-Send in-app notifications to users
+**notification** - In-app notifications
 
 ```json
 {
 	"type": "notification",
-	"options": {
-		"recipient": ["{{ $accountability.user }}"], // User ID(s) to notify
-		"subject": "Task Complete",
-		"message": "Your export is ready for download",
-		"permissions": "$trigger",
-		"collection": "exports", // Optional: Related collection
-		"item": "{{ create_export.id }}" // Optional: Related item ID
-	}
+	"options": { "recipient": ["{{ $accountability.user }}"], "subject": "Task Complete", "message": "Export ready" }
 }
 ```
 
-</notification>
-
-<request>
-Make HTTP requests
+**request** - HTTP requests (headers must be array of objects, body as stringified JSON)
 
 ```json
 {
@@ -456,146 +219,57 @@ Make HTTP requests
 	"options": {
 		"method": "POST",
 		"url": "https://api.example.com/webhook",
-		"headers": [
-			{
-				"header": "Authorization",
-				"value": "Bearer {{ $env.API_TOKEN }}"
-			},
-			{
-				"header": "Content-Type",
-				"value": "application/json"
-			}
-		],
-		"body": "{\"data\": \"{{ process_data }}\", \"timestamp\": \"{{ $trigger.timestamp }}\"}"
+		"headers": [{ "header": "Authorization", "value": "Bearer {{ $env.API_TOKEN }}" }],
+		"body": "{\"data\": \"{{ process_data }}\"}"
 	}
 }
 ```
 
-**Real Example (Netlify Deploy Hook)**:
-
-```json
-{
-	"type": "request",
-	"options": {
-		"method": "POST",
-		"url": "https://api.netlify.com/build_hooks/your-hook-id",
-		"headers": [
-			{
-				"header": "User-Agent",
-				"value": "Directus-Flow/1.0"
-			}
-		],
-		"body": "{\"trigger\": \"content_updated\", \"item_id\": \"{{ $trigger.payload.id }}\"}"
-	}
-}
-```
-
-</request>
-
-<json_web_token> Sign, verify, or decode JWT tokens - **CONSOLIDATED EXAMPLE**
+**json-web-token** - Sign/verify/decode JWT
 
 ```json
 {
 	"type": "json-web-token",
 	"options": {
-		"operation": "sign", // "sign", "verify", or "decode"
-
-		// For SIGN operations:
-		"payload": {
-			"userId": "{{ $trigger.payload.user }}",
-			"role": "{{ $trigger.payload.role }}"
-		},
+		"operation": "sign",
+		"payload": { "userId": "{{ $trigger.payload.user }}" },
 		"secret": "{{ $env.JWT_SECRET }}",
-		"options": {
-			"expiresIn": "1h",
-			"algorithm": "HS256"
-		},
-
-		// For VERIFY/DECODE operations:
-		"token": "{{ $trigger.payload.token }}"
-		// "secret": "{{ $env.JWT_SECRET }}", // Required for verify, not for decode
-		// "options": {"algorithms": ["HS256"]}, // For verify
-		// "options": {"complete": true} // For decode
+		"options": { "expiresIn": "1h" }
 	}
 }
+// Verify: {"operation": "verify", "token": "{{ $trigger.payload.token }}", "secret": "{{ $env.JWT_SECRET }}"}
 ```
 
-</json_web_token>
-
-<other_operations> **Transform JSON:**
+**transform** - Create custom JSON payloads
 
 ```json
 {
 	"type": "transform",
-	"options": {
-		"json": {
-			"combined": {
-				"user": "{{ $accountability.user }}",
-				"items": "{{ read_items }}",
-				"timestamp": "{{ $trigger.timestamp }}"
-			}
-		}
-	}
+	"options": { "json": { "combined": { "user": "{{ $accountability.user }}", "items": "{{ read_items }}" } } }
 }
 ```
 
-**Trigger Flow:**
+**trigger** - Execute another flow
 
 ```json
 {
 	"type": "trigger",
-	"options": {
-		"flow": "other-flow-uuid",
-		"payload": { "data": "{{ transform_result }}" },
-		"iterationMode": "parallel", // "parallel", "serial", "batch"
-		"batchSize": 10 // Only for batch mode
-	}
-}
-```
-
-**Sleep:**
-
-```json
-{
-	"type": "sleep",
-	"options": { "milliseconds": 5000 }
+	"options": { "flow": "flow-uuid", "payload": { "data": "{{ transform_result }}" }, "iterationMode": "parallel" }
 }
 ```
 
-**Log:**
+**sleep/log/throw-error** - Utilities
 
 ```json
-{
-	"type": "log",
-	"options": { "message": "Processing item: {{ $trigger.payload.id }}" }
-}
+{"type": "sleep", "options": {"milliseconds": 5000}}
+{"type": "log", "options": {"message": "Processing {{ $trigger.payload.id }}"}}
+{"type": "throw-error", "options": {"code": "CUSTOM_ERROR", "status": "400", "message": "Invalid data"}}
 ```
 
-**Throw Error:**
-
-```json
-{
-	"type": "throw-error",
-	"options": {
-		"code": "CUSTOM_ERROR",
-		"status": "400",
-		"message": "Invalid data: {{ $trigger.payload.error_details }}"
-	}
-}
-```
-
-</other_operations> </operation_examples>
-
-<data_chain_variables> Use `{{ variable }}` syntax to access data:
-
-- `{{ $trigger.payload }}` - Trigger data
-- `{{ $accountability.user }}` - User context
-- `{{ operation_key }}` - Result from specific operation (recommended)
-- `{{ operation_key.field }}` - Specific field from operation result
+</operation_examples>
 
-**⚠️ Avoid `$last`:** While `{{ $last }}` references the previous operation's result, avoid using it in production
-flows. If you reorder operations, `$last` will reference a different operation, potentially breaking your flow. Always
-use specific operation keys like `{{ operation_key }}` for reliable, maintainable flows. </data_chain_variables>
+<data_chain_variables> **Data Chain:** Use `{{ operation_key }}` to access results, `{{ $trigger.payload }}` for trigger
+data. Avoid `{{ $last }}` (breaks when reordered). See `flows` tool for complete syntax. </data_chain_variables>
 
 <permission_options> For operations that support permissions:
 
@@ -604,118 +278,22 @@ use specific operation keys like `{{ operation_key }}` for reliable, maintainabl
 - `$full` - Use full system permissions
 - `role-uuid` - Use specific role's permissions </permission_options>
 
-<real_world_patterns> <data_processing_pipeline>
-
-### Data Processing Pipeline
-
-Read → Transform → Update pattern:
-
-```json
-// 1. Read with relations
-{
-  "flow": "flow-uuid", "key": "invoice", "type": "item-read",
-  "position_x": 19, "position_y": 1,
-  "options": {
-    "collection": "os_invoices",
-    "key": ["{{$trigger.payload.invoice}}"],
-    "query": {"fields": ["*", "line_items.*", "payments.*"]}
-  },
-  "resolve": "calc-operation-uuid"
-}
-// 2. Calculate totals
-{
-  "flow": "flow-uuid", "key": "calculations", "type": "exec",
-  "position_x": 37, "position_y": 1,
-  "options": {
-    "code": "module.exports = async function(data) {\n  const invoice = data.invoice;\n  const subtotal = invoice.line_items.reduce((sum, item) => sum + (item.price * item.quantity), 0);\n  const tax = subtotal * 0.08;\n  return { subtotal, tax, total: subtotal + tax };\n}"
-  },
-  "resolve": "update-operation-uuid"
-}
-// 3. Update with results
-{
-  "flow": "flow-uuid", "key": "update_invoice", "type": "item-update",
-  "position_x": 55, "position_y": 1,
-  "options": {
-    "collection": "os_invoices",
-    "payload": "{{calculations}}",
-    "key": ["{{$trigger.payload.invoice}}"]
-  }
-}
-```
-
-</data_processing_pipeline>
-
-<error_handling_branching>
-
-### Error Handling with Branching
-
-```json
-// Main operation with error handling
-{
-  "flow": "flow-uuid", "key": "main_operation", "type": "request",
-  "position_x": 19, "position_y": 1,
-  "resolve": "success-operation-uuid",
-  "reject": "error-operation-uuid"
-}
-// Success path
-{
-  "flow": "flow-uuid", "key": "success_notification", "type": "notification",
-  "position_x": 37, "position_y": 1
-}
-// Error path (lower row)
-{
-  "flow": "flow-uuid", "key": "error_log", "type": "log",
-  "position_x": 37, "position_y": 19
-}
-```
-
-</error_handling_branching> </real_world_patterns>
-
 <common_mistakes>
 
-1. **DO NOT** create operations without a flow - create flow first
-2. **DO NOT** use operation keys in resolve/reject - use UUIDs (see <workflow_example> above)
-3. **DO NOT** try to reference operations that do not exist yet
-4. **DO NOT** use duplicate keys within the same flow
-5. **DO NOT** create circular references in resolve/reject paths
-6. **DO NOT** forget to handle both success and failure paths
-7. **DO NOT** pass stringified JSON - use native objects (except request body)
-8. **DO NOT** leave operations at default position (0,0) - see <positioning_system> above
-9. **DO NOT** use dot notation in condition filters - see <critical_syntax> above
-10. **DO NOT** use wrong format for request operations - see <critical_syntax> above </common_mistakes>
+1. Create flow first, never operations without flow
+2. Use UUIDs in resolve/reject, NOT keys
+3. Create operations before referencing them
+4. No duplicate keys within same flow
+5. Avoid circular resolve/reject references
+6. Set positions (not 0,0)
+7. Use nested objects in filters, NOT dot notation
+8. Request headers as array of objects, body as stringified JSON
+9. Pass native objects in data (except request body)
+10. ALWAYS pass native objects in data (EXCEPTIONS: - request body for `request` operation - code in `exec` operations)
+11. No `$NOW` variable - use exec operation: `return { now: new Date().toISOString() };` </common_mistakes>
 
 <troubleshooting>
-<invalid_foreign_key>
-### "Invalid foreign key" Errors
-
-This typically means you're trying to reference an operation that doesn't exist:
-
-- Verify the operation UUID exists by reading operations for the flow
-- Check that you're using UUIDs (36 characters) not keys (short names)
-- Ensure operations are created before being referenced </invalid_foreign_key>
-
-<operation_not_executing>
-
-### Operation Not Executing
-
-- Check the resolve/reject chain for breaks
-- Verify the first operation is set as the flow's `operation` field
-- Confirm all required operation options are provided </operation_not_executing>
-
-<overlapping_operations>
-
-### Overlapping Operations in Visual Editor
-
-If operations appear stacked at (0,0) in the flow editor:
-
-```json
-// Fix by updating each operation's position
-{"action": "update", "key": "operation-uuid", "data": {
-  "position_x": 19, "position_y": 1
-}}
-{"action": "update", "key": "other-operation-uuid", "data": {
-  "position_x": 37, "position_y": 1
-}}
-```
-
-</overlapping_operations> </troubleshooting>
+**Invalid foreign key:** Operation UUID doesn't exist. Use UUIDs (36 chars), not keys. Create operations before referencing.
+**Not executing:** Check resolve/reject chain, verify flow.operation set, confirm required options provided.
+**Overlapping (0,0):** Update positions: `{"action": "update", "key": "uuid", "data": {"position_x": 19, "position_y": 1}}`
+</troubleshooting>

package/dist/middleware/respond.js

@@ -74,6 +74,11 @@ export const respond = asyncHandler(async (req, res) => {
             res.set('Content-Type', 'text/csv');
             return res.status(200).send(exportService.transform(res.locals['payload']?.data, 'csv'));
         }
+        if (req.sanitizedQuery.export === 'csv_utf8') {
+            res.attachment(`${filename}.csv`);
+            res.set('Content-Type', 'text/csv; charset=utf-8');
+            return res.status(200).send(exportService.transform(res.locals['payload']?.data, 'csv_utf8'));
+        }
         if (req.sanitizedQuery.export === 'yaml') {
             res.attachment(`${filename}.yaml`);
             res.set('Content-Type', 'text/yaml');

package/dist/services/graphql/resolvers/query.js

@@ -23,10 +23,10 @@ export async function resolveQuery(gql, info) {
         query = await getAggregateQuery(args, selections, gql.schema, gql.accountability, collection);
     }
     else {
-        query = await getQuery(args, gql.schema, selections, info.variableValues, gql.accountability, collection);
         if (collection.endsWith('_by_id') && collection in gql.schema.collections === false) {
             collection = collection.slice(0, -6);
         }
+        query = await getQuery(args, gql.schema, selections, info.variableValues, gql.accountability, collection);
         if (collection.endsWith('_by_version') && collection in gql.schema.collections === false) {
             collection = collection.slice(0, -11);
             query.versionRaw = true;

package/dist/services/graphql/schema/parse-query.js

@@ -96,9 +96,9 @@ export async function getQuery(rawQuery, schema, selections, variableValues, acc
     query.deep = replaceFuncs(query.deep);
     if (collection) {
         if (query.filter) {
-            query.filter = filterReplaceM2A(query.filter, collection, schema);
+            query.filter = filterReplaceM2A(query.filter, collection, schema, { aliasMap: query.alias });
         }
-        query.deep = filterReplaceM2ADeep(query.deep, collection, schema);
+        query.deep = filterReplaceM2ADeep(query.deep, collection, schema, { aliasMap: query.alias });
     }
     validateQuery(query);
     return query;

package/dist/services/graphql/utils/filter-replace-m2a.d.ts

@@ -1,3 +1,7 @@
-import type { Filter, NestedDeepQuery, SchemaOverview } from '@directus/types';
-export declare function filterReplaceM2A(filter_arg: Filter, collection: string, schema: SchemaOverview): any;
-export declare function filterReplaceM2ADeep(deep_arg: NestedDeepQuery | null | undefined, collection: string, schema: SchemaOverview): any;
+import type { Filter, NestedDeepQuery, Query, SchemaOverview } from '@directus/types';
+export declare function filterReplaceM2A(filter_arg: Filter, collection: string, schema: SchemaOverview, options?: {
+    aliasMap?: Query['alias'];
+}): any;
+export declare function filterReplaceM2ADeep(deep_arg: NestedDeepQuery | null | undefined, collection: string, schema: SchemaOverview, options?: {
+    aliasMap?: Query['alias'];
+}): any;

package/dist/services/graphql/utils/filter-replace-m2a.js

@@ -1,42 +1,48 @@
 import { getRelation } from '@directus/utils';
 import { getRelationType } from '../../../utils/get-relation-type.js';
-export function filterReplaceM2A(filter_arg, collection, schema) {
+export function filterReplaceM2A(filter_arg, collection, schema, options) {
     const filter = filter_arg;
     for (const key in filter) {
-        const [field, any_collection] = key.split('__');
+        const parts = key.split('__');
+        let field = parts[0];
+        const any_collection = parts[1];
         if (!field)
             continue;
+        field = options?.aliasMap?.[field] ?? field;
         const relation = getRelation(schema.relations, collection, field);
         const type = relation ? getRelationType({ relation, collection, field }) : null;
         if (type === 'o2m' && relation) {
-            filter[key] = filterReplaceM2A(filter[key], relation.collection, schema);
+            filter[key] = filterReplaceM2A(filter[key], relation.collection, schema, options);
         }
         else if (type === 'm2o' && relation) {
-            filter[key] = filterReplaceM2A(filter[key], relation.related_collection, schema);
+            filter[key] = filterReplaceM2A(filter[key], relation.related_collection, schema, options);
         }
         else if (type === 'a2o' &&
             relation &&
             any_collection &&
             relation.meta?.one_allowed_collections?.includes(any_collection)) {
-            filter[`${field}:${any_collection}`] = filterReplaceM2A(filter[key], any_collection, schema);
+            filter[`${field}:${any_collection}`] = filterReplaceM2A(filter[key], any_collection, schema, options);
             delete filter[key];
         }
         else if (Array.isArray(filter[key])) {
-            filter[key] = filter[key].map((item) => filterReplaceM2A(item, collection, schema));
+            filter[key] = filter[key].map((item) => filterReplaceM2A(item, collection, schema, options));
         }
         else if (typeof filter[key] === 'object') {
-            filter[key] = filterReplaceM2A(filter[key], collection, schema);
+            filter[key] = filterReplaceM2A(filter[key], collection, schema, options);
         }
     }
     return filter;
 }
-export function filterReplaceM2ADeep(deep_arg, collection, schema) {
+export function filterReplaceM2ADeep(deep_arg, collection, schema, options) {
     const deep = deep_arg;
     for (const key in deep) {
         if (key.startsWith('_') === false) {
-            const [field, any_collection] = key.split('__');
+            const parts = key.split('__');
+            let field = parts[0];
+            const any_collection = parts[1];
             if (!field)
                 continue;
+            field = options?.aliasMap?.[field] || deep._alias?.[field] || field;
             const relation = getRelation(schema.relations, collection, field);
             if (!relation)
                 continue;

package/dist/services/import-export.js

@@ -443,6 +443,7 @@ export class ExportService {
                 throw new Error('Failed to create temporary file for export');
             const mimeTypes = {
                 csv: 'text/csv',
+                csv_utf8: 'text/csv; charset=utf-8',
                 json: 'application/json',
                 xml: 'text/xml',
                 yaml: 'text/yaml',
@@ -485,7 +486,7 @@ export class ExportService {
                     readCount += result.length;
                     if (result.length) {
                         let csvHeadings = null;
-                        if (format === 'csv') {
+                        if (format.startsWith('csv')) {
                             if (!query.fields)
                                 query.fields = ['*'];
                             // to ensure the all headings are included in the CSV file, all possible fields need to be determined.
@@ -593,14 +594,15 @@ Your export of ${collection} is ready. <a href="${href}">Click here to view.</a>
             }
             return string;
         }
-        if (format === 'csv') {
+        if (format.startsWith('csv')) {
             if (input.length === 0)
                 return '';
             const transforms = [CSVTransforms.flatten({ separator: '.' })];
             const header = options?.includeHeader !== false;
+            const withBOM = format === 'csv_utf8';
             const transformOptions = options?.fields
-                ? { transforms, header, fields: options?.fields }
-                : { transforms, header };
+                ? { transforms, header, fields: options?.fields, withBOM }
+                : { transforms, header, withBOM };
             let string = new CSVParser(transformOptions).parse(input);
             if (options?.includeHeader === false) {
                 string = '\n' + string;

package/dist/services/mail/index.d.ts

@@ -7,13 +7,26 @@ export type EmailOptions = SendMailOptions & {
         data: Record<string, any>;
     };
 };
+export type DefaultTemplateData = {
+    projectName: string;
+    projectColor: string;
+    projectLogo: string;
+    projectUrl: string;
+};
 export declare class MailService {
     schema: SchemaOverview;
     accountability: Accountability | null;
     knex: Knex;
     mailer: Transporter;
     constructor(opts: AbstractServiceOptions);
-    send<T>(options: EmailOptions): Promise<T | null>;
+    send<T>(data: EmailOptions, options?: {
+        defaultTemplateData: DefaultTemplateData;
+    }): Promise<T | null>;
     private renderTemplate;
-    private getDefaultTemplateData;
+    getDefaultTemplateData(): Promise<{
+        projectName: any;
+        projectColor: any;
+        projectLogo: string;
+        projectUrl: any;
+    }>;
 }

package/dist/services/mail/index.js

@@ -37,14 +37,15 @@ export class MailService {
             });
         }
     }
-    async send(options) {
+    async send(data, options) {
         await useEmailRateLimiterQueue();
-        const payload = await emitter.emitFilter(`email.send`, options, {});
+        const payload = await emitter.emitFilter(`email.send`, data, {});
         if (!payload)
             return null;
         const { template, ...emailOptions } = payload;
-        let { html } = options;
-        const defaultTemplateData = await this.getDefaultTemplateData();
+        let { html } = data;
+        // option for providing tempalate data was added to prevent transaction race conditions with preceding promises
+        const defaultTemplateData = options?.defaultTemplateData ?? (await this.getDefaultTemplateData());
         if (isObject(emailOptions.from) && (!emailOptions.from.name || !emailOptions.from.address)) {
             throw new InvalidPayloadError({ reason: 'A name and address property are required in the "from" object' });
         }

package/dist/services/notifications.js

@@ -48,6 +48,8 @@ export class NotificationsService extends ItemsService {
                     },
                     to: user['email'],
                     subject: data.subject,
+                }, {
+                    defaultTemplateData: await mailService.getDefaultTemplateData(),
                 })
                     .catch((error) => {
                     logger.error(error, `Could not send notification via mail`);

package/dist/services/tus/data-store.d.ts

@@ -1,7 +1,7 @@
 import type { TusDriver } from '@directus/storage';
 import type { Accountability, File, SchemaOverview } from '@directus/types';
-import stream from 'node:stream';
 import { DataStore, Upload } from '@tus/utils';
+import stream from 'node:stream';
 export type TusDataStoreConfig = {
     constants: {
         ENABLED: boolean;

package/dist/services/tus/data-store.js

@@ -1,12 +1,12 @@
 import formatTitle from '@directus/format-title';
+import { DataStore, ERRORS, Upload } from '@tus/utils';
+import { omit } from 'lodash-es';
 import { extension } from 'mime-types';
 import { extname } from 'node:path';
 import stream from 'node:stream';
-import { DataStore, ERRORS, Upload } from '@tus/utils';
-import { ItemsService } from '../items.js';
-import { useLogger } from '../../logger/index.js';
 import getDatabase from '../../database/index.js';
-import { omit } from 'lodash-es';
+import { useLogger } from '../../logger/index.js';
+import { ItemsService } from '../items.js';
 export class TusDataStore extends DataStore {
     chunkSize;
     maxSize;
@@ -66,7 +66,7 @@ export class TusDataStore extends DataStore {
             upload.metadata['replace_id'] = upload.metadata['id'];
         }
         const fileData = {
-            ...omit(upload.metadata, ['id']),
+            ...omit(upload.metadata, ['id', 'replace_id']),
             tus_id: upload.id,
             tus_data: upload,
             filesize: upload.size,

package/dist/telemetry/utils/get-settings.js

@@ -1,14 +1,18 @@
-import { toBoolean } from '@directus/utils';
+import { SettingsService } from '../../services/settings.js';
+import { getSchema } from '../../utils/get-schema.js';
 export const getSettings = async (db) => {
-    const settings = await db
-        .select('project_id', 'mcp_enabled', 'mcp_allow_deletes', 'mcp_system_prompt_enabled', 'visual_editor_urls')
-        .from('directus_settings')
-        .first();
+    const settingsService = new SettingsService({
+        knex: db,
+        schema: await getSchema({ database: db }),
+    });
+    const settings = (await settingsService.readSingleton({
+        fields: ['project_id', 'mcp_enabled', 'mcp_allow_deletes', 'mcp_system_prompt_enabled', 'visual_editor_urls'],
+    }));
     return {
         project_id: settings.project_id,
-        mcp_enabled: toBoolean(settings?.mcp_enabled),
-        mcp_allow_deletes: toBoolean(settings?.mcp_allow_deletes),
-        mcp_system_prompt_enabled: toBoolean(settings?.mcp_system_prompt_enabled),
-        visual_editor_urls: settings.visual_editor_urls ? JSON.parse(settings.visual_editor_urls).length : 0,
+        mcp_enabled: settings?.mcp_enabled || false,
+        mcp_allow_deletes: settings?.mcp_allow_deletes || false,
+        mcp_system_prompt_enabled: settings?.mcp_system_prompt_enabled || false,
+        visual_editor_urls: settings.visual_editor_urls?.length || 0,
     };
 };

package/dist/utils/validate-query.js

@@ -20,7 +20,7 @@ const querySchema = Joi.object({
     page: Joi.number().integer().min(0),
     meta: Joi.array().items(Joi.string().valid('total_count', 'filter_count')),
     search: Joi.string(),
-    export: Joi.string().valid('csv', 'json', 'xml', 'yaml'),
+    export: Joi.string().valid('csv', 'csv_utf8', 'json', 'xml', 'yaml'),
     version: Joi.string(),
     versionRaw: Joi.boolean(),
     aggregate: Joi.object(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "32.0.2",
+  "version": "32.1.1",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -59,9 +59,9 @@
   ],
   "dependencies": {
     "@authenio/samlify-node-xmllint": "2.0.0",
-    "@aws-sdk/client-sesv2": "3.918.0",
+    "@aws-sdk/client-sesv2": "3.928.0",
     "@godaddy/terminus": "4.12.1",
-    "@modelcontextprotocol/sdk": "1.20.2",
+    "@modelcontextprotocol/sdk": "1.21.1",
     "@rollup/plugin-alias": "5.1.1",
     "@rollup/plugin-node-resolve": "16.0.3",
     "@rollup/plugin-virtual": "3.0.2",
@@ -93,17 +93,17 @@
     "flat": "6.0.1",
     "fs-extra": "11.3.2",
     "glob-to-regexp": "0.4.1",
-    "graphql": "16.11.0",
+    "graphql": "16.12.0",
     "graphql-compose": "9.1.0",
     "graphql-ws": "6.0.6",
     "helmet": "8.1.0",
     "icc": "3.0.0",
-    "inquirer": "12.10.0",
+    "inquirer": "12.11.0",
     "ioredis": "5.8.2",
     "ip-matching": "2.1.2",
     "isolated-vm": "5.0.3",
     "joi": "18.0.1",
-    "js-yaml": "4.1.0",
+    "js-yaml": "4.1.1",
     "js2xmlparser": "5.0.0",
     "json2csv": "5.0.7",
     "jsonwebtoken": "9.0.2",
@@ -120,7 +120,7 @@
     "ms": "2.1.3",
     "nanoid": "5.1.6",
     "node-machine-id": "1.1.12",
-    "cron": "4.3.3",
+    "cron": "4.3.4",
     "nodemailer": "7.0.10",
     "object-hash": "3.0.0",
     "openapi3-ts": "4.5.0",
@@ -143,7 +143,7 @@
     "rollup": "4.52.5",
     "samlify": "2.10.1",
     "sanitize-html": "2.17.0",
-    "sharp": "0.34.4",
+    "sharp": "0.34.5",
     "snappy": "7.3.3",
     "stream-json": "1.9.1",
     "tar": "7.5.2",
@@ -153,30 +153,30 @@
     "ws": "8.18.3",
     "zod": "4.1.12",
     "zod-validation-error": "4.0.2",
-    "@directus/env": "5.3.1",
-    "@directus/constants": "14.0.0",
+    "@directus/app": "14.3.0",
+    "@directus/env": "5.3.2",
+    "@directus/extensions-registry": "3.0.14",
+    "@directus/extensions": "3.0.14",
     "@directus/errors": "2.0.5",
-    "@directus/app": "14.1.2",
-    "@directus/extensions": "3.0.13",
-    "@directus/extensions-sdk": "17.0.2",
+    "@directus/constants": "14.0.0",
+    "@directus/extensions-sdk": "17.0.3",
+    "@directus/memory": "3.0.12",
     "@directus/format-title": "12.1.1",
-    "@directus/memory": "3.0.11",
-    "@directus/extensions-registry": "3.0.13",
-    "@directus/pressure": "3.0.11",
+    "@directus/pressure": "3.0.12",
+    "@directus/schema-builder": "0.0.9",
+    "@directus/specs": "11.2.0",
     "@directus/schema": "13.0.4",
-    "@directus/specs": "11.1.1",
     "@directus/storage": "12.0.3",
-    "@directus/storage-driver-azure": "12.0.11",
-    "@directus/schema-builder": "0.0.8",
-    "@directus/storage-driver-cloudinary": "12.0.11",
-    "@directus/storage-driver-gcs": "12.0.11",
+    "@directus/storage-driver-cloudinary": "12.0.12",
+    "@directus/storage-driver-azure": "12.0.12",
     "@directus/storage-driver-local": "12.0.3",
-    "@directus/storage-driver-supabase": "3.0.11",
-    "@directus/storage-driver-s3": "12.0.11",
-    "@directus/system-data": "3.4.1",
-    "@directus/utils": "13.0.12",
-    "@directus/validation": "2.0.11",
-    "directus": "11.13.2"
+    "@directus/storage-driver-gcs": "12.0.12",
+    "@directus/storage-driver-supabase": "3.0.12",
+    "@directus/storage-driver-s3": "12.0.12",
+    "@directus/utils": "13.0.13",
+    "@directus/validation": "2.0.12",
+    "@directus/system-data": "3.4.2",
+    "directus": "11.13.4"
   },
   "devDependencies": {
     "@directus/tsconfig": "3.0.0",
@@ -205,7 +205,7 @@
     "@types/node": "22.13.14",
     "@types/nodemailer": "7.0.3",
     "@types/object-hash": "3.0.6",
-    "@types/papaparse": "5.3.16",
+    "@types/papaparse": "5.5.0",
     "@types/proxy-addr": "2.0.3",
     "@types/qs": "6.14.0",
     "@types/sanitize-html": "2.16.0",
@@ -219,8 +219,8 @@
     "knex-mock-client": "3.0.2",
     "typescript": "5.9.3",
     "vitest": "3.2.4",
-    "@directus/schema-builder": "0.0.8",
-    "@directus/types": "13.3.1"
+    "@directus/schema-builder": "0.0.9",
+    "@directus/types": "13.4.0"
   },
   "optionalDependencies": {
     "@keyv/redis": "3.0.1",