@directus/api 33.0.0 → 33.1.0

package/dist/services/deployment-runs.js

@@ -0,0 +1,6 @@
+import { ItemsService } from './items.js';
+export class DeploymentRunsService extends ItemsService {
+    constructor(options) {
+        super('directus_deployment_runs', options);
+    }
+}

package/dist/services/deployment.d.ts

@@ -0,0 +1,40 @@
+import type { AbstractServiceOptions, CachedResult, DeploymentConfig, PrimaryKey, Project, ProviderType, Query } from '@directus/types';
+import type { DeploymentDriver } from '../deployment/deployment.js';
+import { ItemsService } from './items.js';
+export declare class DeploymentService extends ItemsService<DeploymentConfig> {
+    constructor(options: AbstractServiceOptions);
+    createOne(data: Partial<DeploymentConfig>, opts?: any): Promise<PrimaryKey>;
+    updateOne(key: PrimaryKey, data: Partial<DeploymentConfig>, opts?: any): Promise<PrimaryKey>;
+    /**
+     * Read deployment config by provider
+     */
+    readByProvider(provider: ProviderType, query?: Query): Promise<DeploymentConfig>;
+    /**
+     * Update deployment config by provider
+     */
+    updateByProvider(provider: ProviderType, data: Partial<DeploymentConfig>): Promise<PrimaryKey>;
+    /**
+     * Delete deployment config by provider
+     */
+    deleteByProvider(provider: ProviderType): Promise<PrimaryKey>;
+    /**
+     * Read deployment config with decrypted credentials (internal use)
+     */
+    private readConfig;
+    /**
+     * Parse JSON string or return value as-is
+     */
+    private parseValue;
+    /**
+     * Get a deployment driver instance with decrypted credentials
+     */
+    getDriver(provider: ProviderType): Promise<DeploymentDriver>;
+    /**
+     * List projects from provider with caching
+     */
+    listProviderProjects(provider: ProviderType): Promise<CachedResult<Project[]>>;
+    /**
+     * Get project details from provider with caching
+     */
+    getProviderProject(provider: ProviderType, projectId: string): Promise<CachedResult<Project>>;
+}

package/dist/services/deployment.js

@@ -0,0 +1,202 @@
+import { useEnv } from '@directus/env';
+import { InvalidPayloadError, InvalidProviderConfigError } from '@directus/errors';
+import { mergeFilters, parseJSON } from '@directus/utils';
+import { has, isEmpty } from 'lodash-es';
+import { getCache, getCacheValueWithTTL, setCacheValueWithExpiry } from '../cache.js';
+import { getDeploymentDriver } from '../deployment.js';
+import { getMilliseconds } from '../utils/get-milliseconds.js';
+import { ItemsService } from './items.js';
+const env = useEnv();
+const DEPLOYMENT_CACHE_TTL = getMilliseconds(env['CACHE_DEPLOYMENT_TTL']) || 5000; // Default 5s
+export class DeploymentService extends ItemsService {
+    constructor(options) {
+        super('directus_deployments', options);
+    }
+    async createOne(data, opts) {
+        const provider = data.provider;
+        if (!provider) {
+            throw new InvalidPayloadError({ reason: 'Provider is required' });
+        }
+        if (isEmpty(data.credentials)) {
+            throw new InvalidPayloadError({ reason: 'Credentials are required' });
+        }
+        let credentials;
+        try {
+            credentials = this.parseValue(data.credentials, {});
+        }
+        catch {
+            throw new InvalidPayloadError({ reason: 'Credentials must be valid JSON' });
+        }
+        let options;
+        try {
+            options = this.parseValue(data.options, undefined);
+        }
+        catch {
+            throw new InvalidPayloadError({ reason: 'Options must be valid JSON' });
+        }
+        // Test connection before persisting
+        const driver = getDeploymentDriver(provider, credentials, options);
+        try {
+            await driver.testConnection();
+        }
+        catch {
+            throw new InvalidProviderConfigError({ provider, reason: 'Invalid config connection' });
+        }
+        const payload = {
+            ...data,
+            // Persist as string so payload service encrypts the value
+            credentials: JSON.stringify(credentials),
+        };
+        if (!isEmpty(options)) {
+            payload.options = JSON.stringify(options);
+        }
+        return super.createOne(payload, opts);
+    }
+    async updateOne(key, data, opts) {
+        const hasCredentials = has(data, 'credentials');
+        const hasOptions = has(data, 'options');
+        if (!hasCredentials && !hasOptions) {
+            return super.updateOne(key, data, opts);
+        }
+        const existing = await this.readOne(key);
+        const provider = existing.provider;
+        const internal = await this.readConfig(provider);
+        let credentials = this.parseValue(internal.credentials, {});
+        if (hasCredentials) {
+            try {
+                const parsed = this.parseValue(data.credentials, {});
+                credentials = { ...credentials, ...parsed };
+            }
+            catch {
+                throw new InvalidPayloadError({ reason: 'Credentials must be valid JSON or object' });
+            }
+        }
+        let options = existing.options ?? undefined;
+        if (hasOptions) {
+            try {
+                options = this.parseValue(data.options, undefined);
+            }
+            catch {
+                throw new InvalidPayloadError({ reason: 'Options must be valid JSON' });
+            }
+            if (isEmpty(options)) {
+                throw new InvalidPayloadError({ reason: 'Options must not be empty' });
+            }
+        }
+        // Test connection before persisting
+        const driver = getDeploymentDriver(provider, credentials, options);
+        try {
+            await driver.testConnection();
+        }
+        catch {
+            throw new InvalidProviderConfigError({ provider, reason: 'Invalid config connection' });
+        }
+        return super.updateOne(key, {
+            credentials: JSON.stringify(credentials),
+            ...(!isEmpty(options) ? { options: JSON.stringify(options) } : {}),
+        }, opts);
+    }
+    /**
+     * Read deployment config by provider
+     */
+    async readByProvider(provider, query) {
+        const results = await this.readByQuery({
+            ...query,
+            filter: mergeFilters({ provider: { _eq: provider } }, query?.filter ?? null),
+            limit: 1,
+        });
+        if (!results || results.length === 0) {
+            throw new Error(`Deployment config for "${provider}" not found`);
+        }
+        return results[0];
+    }
+    /**
+     * Update deployment config by provider
+     */
+    async updateByProvider(provider, data) {
+        const deployment = await this.readByProvider(provider);
+        return this.updateOne(deployment.id, data);
+    }
+    /**
+     * Delete deployment config by provider
+     */
+    async deleteByProvider(provider) {
+        const deployment = await this.readByProvider(provider);
+        return this.deleteOne(deployment.id);
+    }
+    /**
+     * Read deployment config with decrypted credentials (internal use)
+     */
+    async readConfig(provider) {
+        const internalService = new ItemsService('directus_deployments', {
+            knex: this.knex,
+            schema: this.schema,
+            accountability: null,
+        });
+        const results = await internalService.readByQuery({
+            filter: { provider: { _eq: provider } },
+            limit: 1,
+        });
+        if (!results || results.length === 0) {
+            throw new Error(`Deployment config for "${provider}" not found`);
+        }
+        return results[0];
+    }
+    /**
+     * Parse JSON string or return value as-is
+     */
+    parseValue(value, fallback) {
+        if (!value)
+            return fallback;
+        if (typeof value === 'string')
+            return parseJSON(value);
+        return value;
+    }
+    /**
+     * Get a deployment driver instance with decrypted credentials
+     */
+    async getDriver(provider) {
+        const deployment = await this.readConfig(provider);
+        const credentials = this.parseValue(deployment.credentials, {});
+        const options = this.parseValue(deployment.options, {});
+        return getDeploymentDriver(deployment.provider, credentials, options);
+    }
+    /**
+     * List projects from provider with caching
+     */
+    async listProviderProjects(provider) {
+        const cacheKey = `${provider}:projects`;
+        const { deploymentCache } = getCache();
+        // Check cache first
+        const cached = await getCacheValueWithTTL(deploymentCache, cacheKey);
+        if (cached) {
+            return { data: cached.data, remainingTTL: cached.remainingTTL };
+        }
+        // Fetch from driver
+        const driver = await this.getDriver(provider);
+        const projects = await driver.listProjects();
+        // Store in cache
+        await setCacheValueWithExpiry(deploymentCache, cacheKey, projects, DEPLOYMENT_CACHE_TTL);
+        // Return with full TTL (just cached)
+        return { data: projects, remainingTTL: DEPLOYMENT_CACHE_TTL };
+    }
+    /**
+     * Get project details from provider with caching
+     */
+    async getProviderProject(provider, projectId) {
+        const cacheKey = `${provider}:project:${projectId}`;
+        const { deploymentCache } = getCache();
+        // Check cache first
+        const cached = await getCacheValueWithTTL(deploymentCache, cacheKey);
+        if (cached) {
+            return { data: cached.data, remainingTTL: cached.remainingTTL };
+        }
+        // Fetch from driver
+        const driver = await this.getDriver(provider);
+        const project = await driver.getProject(projectId);
+        // Store in cache
+        await setCacheValueWithExpiry(deploymentCache, cacheKey, project, DEPLOYMENT_CACHE_TTL);
+        // Return with full TTL (just cached)
+        return { data: project, remainingTTL: DEPLOYMENT_CACHE_TTL };
+    }
+}

package/dist/services/graphql/resolvers/system-admin.js

@@ -2,7 +2,6 @@ import { InvalidPayloadError } from '@directus/errors';
 import { isSystemField } from '@directus/system-data';
 import { GraphQLBoolean, GraphQLID, GraphQLList, GraphQLNonNull, GraphQLString } from 'graphql';
 import { SchemaComposer, toInputObjectType } from 'graphql-compose';
-import { fromZodError } from 'zod-validation-error';
 import { CollectionsService } from '../../collections.js';
 import { ExtensionsService } from '../../extensions.js';
 import { FieldsService, systemFieldUpdateSchema } from '../../fields.js';
@@ -112,7 +111,7 @@ export function resolveSystemAdmin(gql, schema, schemaComposer) {
                 if (isSystemField(args['collection'], args['field'])) {
                     const validationResult = systemFieldUpdateSchema.safeParse(args['data']);
                     if (!validationResult.success) {
-                        throw new InvalidPayloadError({ reason: fromZodError(validationResult.error).message });
+                        throw new InvalidPayloadError({ reason: 'Only "schema.is_indexed" may be modified for system fields' });
                     }
                 }
                 await service.updateField(args['collection'], {
@@ -140,7 +139,7 @@ export function resolveSystemAdmin(gql, schema, schemaComposer) {
                     if (isSystemField(args['collection'], fieldData['field'])) {
                         const validationResult = systemFieldUpdateSchema.safeParse(fieldData);
                         if (!validationResult.success) {
-                            throw new InvalidPayloadError({ reason: fromZodError(validationResult.error).message });
+                            throw new InvalidPayloadError({ reason: 'Only "schema.is_indexed" may be modified for system fields' });
                         }
                     }
                 }

package/dist/services/graphql/utils/filter-replace-m2a.js

@@ -1,5 +1,4 @@
-import { getRelation } from '@directus/utils';
-import { getRelationType } from '../../../utils/get-relation-type.js';
+import { getRelation, getRelationType } from '@directus/utils';
 export function filterReplaceM2A(filter_arg, collection, schema, options) {
     const filter = filter_arg;
     for (const key in filter) {
@@ -10,7 +9,7 @@ export function filterReplaceM2A(filter_arg, collection, schema, options) {
             continue;
         field = options?.aliasMap?.[field] ?? field;
         const relation = getRelation(schema.relations, collection, field);
-        const type = relation ? getRelationType({ relation, collection, field }) : null;
+        const type = relation ? getRelationType({ relation, collection, field, useA2O: true }) : null;
         if (type === 'o2m' && relation) {
             filter[key] = filterReplaceM2A(filter[key], relation.collection, schema, options);
         }
@@ -46,7 +45,7 @@ export function filterReplaceM2ADeep(deep_arg, collection, schema, options) {
             const relation = getRelation(schema.relations, collection, field);
             if (!relation)
                 continue;
-            const type = getRelationType({ relation, collection, field });
+            const type = getRelationType({ relation, collection, field, useA2O: true });
             if (type === 'o2m') {
                 deep[key] = filterReplaceM2ADeep(deep[key], relation.collection, schema);
             }

package/dist/services/index.d.ts

@@ -10,6 +10,9 @@ export * from './fields.js';
 export * from './files.js';
 export * from './flows.js';
 export * from './folders.js';
+export * from './deployment.js';
+export * from './deployment-projects.js';
+export * from './deployment-runs.js';
 export * from './graphql/index.js';
 export * from './import-export.js';
 export * from './items.js';

package/dist/services/index.js

@@ -10,6 +10,9 @@ export * from './fields.js';
 export * from './files.js';
 export * from './flows.js';
 export * from './folders.js';
+export * from './deployment.js';
+export * from './deployment-projects.js';
+export * from './deployment-runs.js';
 export * from './graphql/index.js';
 export * from './import-export.js';
 export * from './items.js';

package/dist/services/server.js

@@ -103,6 +103,7 @@ export class ServerService {
                 info['websocket'].heartbeat = toBoolean(env['WEBSOCKETS_HEARTBEAT_ENABLED'])
                     ? env['WEBSOCKETS_HEARTBEAT_PERIOD']
                     : false;
+                info['websocket'].collaborativeEditing = toBoolean(env['WEBSOCKETS_COLLAB_ENABLED']);
                 info['websocket'].logs =
                     toBoolean(env['WEBSOCKETS_LOGS_ENABLED']) && this.accountability.admin
                         ? {

package/dist/services/specifications.js

@@ -2,7 +2,7 @@ import { useEnv } from '@directus/env';
 import formatTitle from '@directus/format-title';
 import { spec } from '@directus/specs';
 import { isSystemCollection } from '@directus/system-data';
-import { getRelation } from '@directus/utils';
+import { getRelation, getRelationType } from '@directus/utils';
 import { cloneDeep, mergeWith } from 'lodash-es';
 import hash from 'object-hash';
 import { OAS_REQUIRED_SCHEMAS } from '../constants.js';
@@ -10,7 +10,6 @@ import getDatabase from '../database/index.js';
 import { fetchPermissions } from '../permissions/lib/fetch-permissions.js';
 import { fetchPolicies } from '../permissions/lib/fetch-policies.js';
 import { fetchAllowedFieldMap } from '../permissions/modules/fetch-allowed-field-map/fetch-allowed-field-map.js';
-import { getRelationType } from '../utils/get-relation-type.js';
 import { reduceSchema } from '../utils/reduce-schema.js';
 import { GraphQLService } from './graphql/index.js';
 const env = useEnv();
@@ -362,6 +361,7 @@ class OASSpecsService {
                 relation,
                 field: field.field,
                 collection: collection,
+                useA2O: true,
             });
             if (relationType === 'm2o') {
                 const relatedTag = tags.find((tag) => tag['x-collection'] === relation.related_collection);

package/dist/services/versions.js

@@ -1,5 +1,6 @@
 import { Action } from '@directus/constants';
 import { ForbiddenError, InvalidPayloadError, UnprocessableContentError } from '@directus/errors';
+import { deepMapWithSchema } from '@directus/utils';
 import Joi from 'joi';
 import { assign, get, isEqual, isPlainObject, pick } from 'lodash-es';
 import objectHash from 'object-hash';
@@ -8,7 +9,6 @@ import { getHelpers } from '../database/helpers/index.js';
 import emitter from '../emitter.js';
 import { validateAccess } from '../permissions/modules/validate-access/validate-access.js';
 import { shouldClearCache } from '../utils/should-clear-cache.js';
-import { deepMapWithSchema } from '../utils/versioning/deep-map-with-schema.js';
 import { splitRecursive } from '../utils/versioning/split-recursive.js';
 import { ActivityService } from './activity.js';
 import { ItemsService } from './items.js';

package/dist/telemetry/lib/get-report.js

@@ -1,4 +1,5 @@
 import { useEnv } from '@directus/env';
+import { toBoolean } from '@directus/utils';
 import { version } from 'directus/version';
 import { getHelpers } from '../../database/helpers/index.js';
 import { getDatabase, getDatabaseClient } from '../../database/index.js';
@@ -55,6 +56,7 @@ export const getReport = async () => {
         extensions: extensionsCounts.totalEnabled,
         database_size: databaseSize ?? 0,
         files_size_total: filesizes.total,
+        websockets_enabled: toBoolean(env['WEBSOCKETS_ENABLED'] ?? false),
         ...settings,
     };
 };

package/dist/telemetry/types/report.d.ts

@@ -91,4 +91,12 @@ export interface TelemetryReport {
      * Number of Visual Editor URLs configured in the system
      */
     visual_editor_urls: number;
+    /**
+     * Whether collaborative editing is enabled
+     */
+    collaborative_editing_enabled: boolean;
+    /**
+     * Whether WebSockets are enabled
+     */
+    websockets_enabled: boolean;
 }

package/dist/telemetry/utils/get-settings.d.ts

@@ -8,6 +8,7 @@ export type TelemetrySettings = {
     ai_openai_api_key: boolean;
     ai_anthropic_api_key: boolean;
     ai_system_prompt: boolean;
+    collaborative_editing_enabled: boolean;
 };
 export type DatabaseSettings = {
     project_id: string;
@@ -20,5 +21,6 @@ export type DatabaseSettings = {
     ai_openai_api_key?: string;
     ai_anthropic_api_key?: string;
     ai_system_prompt?: string;
+    collaborative_editing_enabled?: boolean;
 };
 export declare const getSettings: (db: Knex) => Promise<TelemetrySettings>;

package/dist/telemetry/utils/get-settings.js

@@ -1,6 +1,9 @@
+import { useEnv } from '@directus/env';
+import { toBoolean } from '@directus/utils';
 import { SettingsService } from '../../services/settings.js';
 import { getSchema } from '../../utils/get-schema.js';
 export const getSettings = async (db) => {
+    const env = useEnv();
     const settingsService = new SettingsService({
         knex: db,
         schema: await getSchema({ database: db }),
@@ -15,6 +18,7 @@ export const getSettings = async (db) => {
             'ai_openai_api_key',
             'ai_anthropic_api_key',
             'ai_system_prompt',
+            'collaborative_editing_enabled',
         ],
     }));
     return {
@@ -26,5 +30,6 @@ export const getSettings = async (db) => {
         ai_openai_api_key: Boolean(settings?.ai_openai_api_key),
         ai_anthropic_api_key: Boolean(settings?.ai_anthropic_api_key),
         ai_system_prompt: Boolean(settings?.ai_system_prompt),
+        collaborative_editing_enabled: toBoolean(env['WEBSOCKETS_COLLAB_ENABLED'] ?? true) && (settings?.collaborative_editing_enabled ?? false),
     };
 };

package/dist/utils/deep-map-response.d.ts

@@ -1,5 +1,5 @@
 import type { CollectionOverview, FieldOverview, Relation, SchemaOverview } from '@directus/types';
-import { type RelationInfo } from './get-relation-info.js';
+import { type RelationInfo } from '@directus/utils';
 /**
  * Allows to deep map the response from the ItemsService with collection, field and relation context for each entry.
  * Bottom to Top depth first mapping of values.

package/dist/utils/deep-map-response.js

@@ -1,7 +1,7 @@
 import assert from 'node:assert';
 import { InvalidQueryError } from '@directus/errors';
+import { getRelationInfo } from '@directus/utils';
 import { isPlainObject } from 'lodash-es';
-import { getRelationInfo } from './get-relation-info.js';
 /**
  * Allows to deep map the response from the ItemsService with collection, field and relation context for each entry.
  * Bottom to Top depth first mapping of values.

package/dist/utils/get-column-path.js

@@ -1,5 +1,5 @@
 import { InvalidQueryError } from '@directus/errors';
-import { getRelationInfo } from './get-relation-info.js';
+import { getRelationInfo } from '@directus/utils';
 /**
  * Converts a Directus field list path to the correct SQL names based on the constructed alias map.
  * For example: ['author', 'role', 'name'] -> 'ljnsv.name'

package/dist/utils/get-service.js

@@ -1,5 +1,5 @@
 import { ForbiddenError } from '@directus/errors';
-import { AccessService, ActivityService, CommentsService, DashboardsService, FilesService, FlowsService, FoldersService, ItemsService, NotificationsService, OperationsService, PanelsService, PermissionsService, PoliciesService, PresetsService, RevisionsService, RolesService, SettingsService, SharesService, TranslationsService, UsersService, VersionsService, } from '../services/index.js';
+import { AccessService, ActivityService, CommentsService, DashboardsService, DeploymentProjectsService, DeploymentRunsService, DeploymentService, FilesService, FlowsService, FoldersService, ItemsService, NotificationsService, OperationsService, PanelsService, PermissionsService, PoliciesService, PresetsService, RevisionsService, RolesService, SettingsService, SharesService, TranslationsService, UsersService, VersionsService, } from '../services/index.js';
 /**
  * Select the correct service for the given collection. This allows the individual services to run
  * their custom checks (f.e. it allows `UsersService` to prevent updating TFA secret from outside).
@@ -46,6 +46,12 @@ export function getService(collection, opts) {
             return new UsersService(opts);
         case 'directus_versions':
             return new VersionsService(opts);
+        case 'directus_deployments':
+            return new DeploymentService(opts);
+        case 'directus_deployment_projects':
+            return new DeploymentProjectsService(opts);
+        case 'directus_deployment_runs':
+            return new DeploymentRunsService(opts);
         default:
             // Deny usage of other system collections via ItemsService
             if (collection.startsWith('directus_'))

package/dist/utils/is-field-allowed.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Check if a specific field is allowed within a set of allowed fields
+ */
+export declare function isFieldAllowed(allowedFields: string[] | Set<string>, field: string): boolean;

package/dist/utils/is-field-allowed.js

@@ -0,0 +1,9 @@
+/**
+ * Check if a specific field is allowed within a set of allowed fields
+ */
+export function isFieldAllowed(allowedFields, field) {
+    if (Array.isArray(allowedFields)) {
+        return allowedFields.includes(field) || allowedFields.includes('*');
+    }
+    return allowedFields.has(field) || allowedFields.has('*');
+}

package/dist/utils/versioning/handle-version.js

@@ -1,6 +1,6 @@
 import { ForbiddenError } from '@directus/errors';
+import { deepMapWithSchema } from '@directus/utils';
 import { transaction } from '../transaction.js';
-import { deepMapWithSchema } from './deep-map-with-schema.js';
 import { splitRecursive } from './split-recursive.js';
 export async function handleVersion(self, key, queryWithKey, opts) {
     const { VersionsService } = await import('../../services/versions.js');

package/dist/websocket/collab/calculate-cache-metadata.d.ts

@@ -0,0 +1,9 @@
+import type { Accountability, SchemaOverview } from '@directus/types';
+export declare const DYNAMIC_VARIABLE_MAP: Record<string, string>;
+/**
+ * Calculate logical expiry (TTL) and dependencies for permissions caching.
+ */
+export declare function calculateCacheMetadata(collection: string, itemData: any, rawPermissions: any[], schema: SchemaOverview, accountability: Accountability): {
+    ttlMs: number | undefined;
+    dependencies: string[];
+};

package/dist/websocket/collab/calculate-cache-metadata.js

@@ -0,0 +1,121 @@
+import { REGEX_BETWEEN_PARENS } from '@directus/constants';
+import { adjustDate } from '@directus/utils';
+export const DYNAMIC_VARIABLE_MAP = {
+    $CURRENT_USER: 'directus_users',
+    $CURRENT_ROLE: 'directus_roles',
+    $CURRENT_ROLES: 'directus_roles',
+    $CURRENT_POLICIES: 'directus_policies',
+};
+/**
+ * Calculate logical expiry (TTL) and dependencies for permissions caching.
+ */
+export function calculateCacheMetadata(collection, itemData, rawPermissions, schema, accountability) {
+    let ttlMs;
+    const dependencies = new Set();
+    if (itemData) {
+        const now = Date.now();
+        let closestExpiry = Infinity;
+        // Scan permission filters for dynamic variables and relational dependencies to determine cache invalidation rules
+        const scan = (val, fieldKey, currentCollection = collection) => {
+            if (!val || typeof val !== 'object')
+                return;
+            for (const [key, value] of Object.entries(val)) {
+                // Parse dynamic variables
+                if (typeof value === 'string' && value.startsWith('$')) {
+                    // $NOW requires calculating a logical expiry (TTL) based on the field value
+                    if (value.startsWith('$NOW')) {
+                        const field = fieldKey || key;
+                        const dateValue = itemData[field];
+                        if (dateValue) {
+                            let ruleDate = new Date();
+                            if (value.includes('(')) {
+                                const adjustment = value.match(REGEX_BETWEEN_PARENS)?.[1];
+                                if (adjustment)
+                                    ruleDate = adjustDate(ruleDate, adjustment) || ruleDate;
+                            }
+                            const adjustmentMs = ruleDate.getTime() - now;
+                            const expiry = new Date(dateValue).getTime() - adjustmentMs;
+                            if (expiry > now && expiry < closestExpiry) {
+                                closestExpiry = expiry;
+                            }
+                        }
+                    }
+                    else {
+                        // Other dynamic variables ($CURRENT_USER, etc) create collection-based dependencies
+                        const parts = value.split('.');
+                        const dynamicVariable = parts[0];
+                        const rootCollection = DYNAMIC_VARIABLE_MAP[dynamicVariable];
+                        if (rootCollection) {
+                            // Only $CURRENT_USER needs granular tagging
+                            // Other dynamic variables trigger full cache wipe so collection-level is sufficient
+                            if (dynamicVariable === '$CURRENT_USER' && accountability.user) {
+                                dependencies.add(`${rootCollection}:${accountability.user}`);
+                            }
+                            else {
+                                dependencies.add(rootCollection);
+                            }
+                            // Track all intermediate collections in the path
+                            if (parts.length > 1) {
+                                let currentCollection = rootCollection;
+                                for (const segment of parts.slice(1, -1)) {
+                                    if (!currentCollection)
+                                        break;
+                                    const relation = schema.relations.find((r) => (r.collection === currentCollection && r.field === segment) ||
+                                        (r.related_collection === currentCollection && r.meta?.one_field === segment));
+                                    if (relation) {
+                                        currentCollection =
+                                            relation.collection === currentCollection
+                                                ? relation.related_collection
+                                                : relation.collection;
+                                        if (currentCollection)
+                                            dependencies.add(currentCollection);
+                                    }
+                                    else {
+                                        currentCollection = null;
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+                // Parse relational filter dependencies to track which collections affect this permission
+                let field = key;
+                if (key.includes('(') && key.includes(')')) {
+                    const columnName = key.match(REGEX_BETWEEN_PARENS)?.[1];
+                    if (columnName)
+                        field = columnName;
+                }
+                if (!field.startsWith('_')) {
+                    const relation = schema.relations.find((r) => (r.collection === currentCollection && r.field === field) ||
+                        (r.related_collection === currentCollection && r.meta?.one_field === field));
+                    let targetCol = null;
+                    if (relation) {
+                        targetCol = relation.collection === currentCollection ? relation.related_collection : relation.collection;
+                    }
+                    if (targetCol) {
+                        dependencies.add(targetCol);
+                        scan(value, undefined, targetCol);
+                    }
+                    else {
+                        // Not a relation, but might be a nested filter object
+                        scan(value, field.startsWith('_') ? fieldKey : field, currentCollection);
+                    }
+                }
+                else {
+                    // Keep scanning filter operators
+                    scan(value, fieldKey, currentCollection);
+                }
+            }
+        };
+        // Scan all raw permissions to collect dependencies and calculate TTL
+        for (const permission of rawPermissions) {
+            scan(permission.permissions);
+        }
+        if (closestExpiry !== Infinity) {
+            ttlMs = closestExpiry - now;
+            // Limit TTL to between 1s and 1 hour
+            ttlMs = Math.max(1000, Math.min(ttlMs, 3600000));
+        }
+    }
+    return { ttlMs, dependencies: Array.from(dependencies) };
+}