@directus/api 35.1.0 → 36.0.0-rc.0

package/dist/services/settings.js

@@ -1,6 +1,10 @@
+import { CUSTOM_LLM_FIELDS } from "../constants.js";
 import { ItemsService } from "./items.js";
+import { getEntitlementManager } from "../license/entitlements/manager.js";
 import { sendReport } from "../telemetry/lib/send-report.js";
 import "../telemetry/index.js";
+import "../license/index.js";
+import { InvalidPayloadError, ResourceRestrictedError } from "@directus/errors";
 import { version } from "directus/version";
 
 //#region src/services/settings.ts
@@ -8,6 +12,37 @@ var SettingsService = class extends ItemsService {
 	constructor(options) {
 		super("directus_settings", options);
 	}
+	async createOne(data, opts) {
+		if (this.accountability !== null) {
+			if ("license_key" in data) throw new InvalidPayloadError({ reason: `You can't change the "license_key" value manually` });
+			if ("license_token" in data) throw new InvalidPayloadError({ reason: `You can't change the "license_token" value manually` });
+		}
+		const entitlementManager = getEntitlementManager();
+		const changesLLM = CUSTOM_LLM_FIELDS.some((field) => field in data && data[field] !== null);
+		if (!entitlementManager.isEntitled("custom_llms_enabled") && changesLLM) throw new ResourceRestrictedError({ category: "custom_llms_enabled" });
+		const result = await super.createOne(data, opts);
+		if (changesLLM) await getEntitlementManager().clearCache("custom_llms_enabled");
+		return result;
+	}
+	async updateMany(keys, data, opts) {
+		if (this.accountability !== null) {
+			if ("license_key" in data) throw new InvalidPayloadError({ reason: `You can't change the "license_key" value manually` });
+			if ("license_token" in data) throw new InvalidPayloadError({ reason: `You can't change the "license_token" value manually` });
+		}
+		const entitlementManager = getEntitlementManager();
+		const changesLLM = CUSTOM_LLM_FIELDS.some((field) => field in data && data[field] !== null);
+		if (!entitlementManager.isEntitled("custom_llms_enabled") && changesLLM) throw new ResourceRestrictedError({ category: "custom_llms_enabled" });
+		const result = await super.updateMany(keys, data, opts);
+		if (changesLLM) await entitlementManager.clearCache("custom_llms_enabled");
+		return result;
+	}
+	async readByQuery(query, opts) {
+		const data = await super.readByQuery(query, opts);
+		if (!getEntitlementManager().isEntitled("custom_llms_enabled") && this.accountability !== null) {
+			for (const record of data) for (const field of CUSTOM_LLM_FIELDS) if (record[field]) record[field] = null;
+		}
+		return data;
+	}
 	async setOwner(data) {
 		const { project_id } = await this.knex.select("project_id").from("directus_settings").first();
 		sendReport({
@@ -19,10 +54,9 @@ var SettingsService = class extends ItemsService {
 		});
 		return await this.upsertSingleton({
 			project_owner: data.project_owner,
-			project_usage: data.project_usage,
-			org_name: data.org_name,
 			product_updates: data.product_updates,
-			project_status: null
+			project_usage: data.project_usage,
+			org_name: data.org_name
 		});
 	}
 };

package/dist/services/users.js

@@ -12,11 +12,14 @@ import { createDefaultAccountability } from "../permissions/utils/create-default
 import isUrlAllowed from "../utils/is-url-allowed.js";
 import { verifyJWT } from "../utils/jwt.js";
 import { stall } from "../utils/stall.js";
+import { getEntitlementManager } from "../license/entitlements/manager.js";
 import { SettingsService } from "./settings.js";
+import "../license/index.js";
 import { useEnv } from "@directus/env";
 import { ForbiddenError, InvalidInviteError, InvalidPayloadError, RecordNotUniqueError } from "@directus/errors";
 import { getSimpleHash, toArray, validatePayload } from "@directus/utils";
 import { isEmpty } from "lodash-es";
+import { USER_INACTIVE_LICENSE_STATUS } from "@directus/constants";
 import { performance } from "perf_hooks";
 import Joi from "joi";
 import { FailedValidationError, joiValidationErrorItemToErrorExtensions } from "@directus/validation";
@@ -187,7 +190,7 @@ var UsersService = class UsersService extends ItemsService {
 		}
 		if ("role" in data) opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
 		if ("status" in data) if (data["status"] === "active") opts.userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.UserLimits;
-		else opts.userIntegrityCheckFlags = UserIntegrityCheckFlag.All;
+		else opts.userIntegrityCheckFlags = (opts.userIntegrityCheckFlags ?? UserIntegrityCheckFlag.None) | UserIntegrityCheckFlag.RemainingAdmins;
 		if (opts.userIntegrityCheckFlags) opts.onRequireUserIntegrityCheck?.(opts.userIntegrityCheckFlags);
 		const result = await super.updateMany(keys, data, opts);
 		if (data["status"] !== void 0 && data["status"] !== "active") await this.clearUserSessions(keys);
@@ -213,6 +216,7 @@ var UsersService = class UsersService extends ItemsService {
 		await this.knex("directus_versions").update({ user_updated: null }).whereIn("user_updated", keys);
 		await super.deleteMany(keys, opts);
 		await this.clearUserSessions(keys);
+		await getEntitlementManager().clearCache("seats", "sso_enabled");
 		return keys;
 	}
 	async inviteUser(email, role, url, subject) {
@@ -258,12 +262,15 @@ var UsersService = class UsersService extends ItemsService {
 		if (scope !== "invite") throw new ForbiddenError();
 		const user = await this.getUserByEmail(email);
 		if (user?.status !== "invited") throw new InvalidInviteError();
-		await new UsersService({
+		const service = new UsersService({
 			knex: this.knex,
 			schema: this.schema
-		}).updateOne(user.id, {
+		});
+		const { allowed: isWithinLicenseLimits } = await getEntitlementManager().check("seats");
+		const status = isWithinLicenseLimits ? "active" : USER_INACTIVE_LICENSE_STATUS;
+		await service.updateOne(user.id, {
 			password,
-			status: "active"
+			status
 		});
 	}
 	async registerUser(input) {
@@ -310,7 +317,7 @@ var UsersService = class UsersService extends ItemsService {
 				email: input.email,
 				scope: "pending-registration"
 			};
-			const token = jwt.sign(payload, env["SECRET"], {
+			const token = jwt.sign(payload, getSecret(), {
 				expiresIn: env["EMAIL_VERIFICATION_TOKEN_TTL"],
 				issuer: "directus"
 			});
@@ -334,7 +341,7 @@ var UsersService = class UsersService extends ItemsService {
 		await stall(STALL_TIME, timeStart);
 	}
 	async verifyRegistration(token) {
-		const { email, scope } = verifyJWT(token, env["SECRET"]);
+		const { email, scope } = verifyJWT(token, getSecret());
 		if (scope !== "pending-registration") throw new ForbiddenError();
 		const user = await this.getUserByEmail(email);
 		if (user?.status !== "unverified") throw new InvalidPayloadError({ reason: "Invalid verification code" });

package/dist/services/utils.js

@@ -4,6 +4,8 @@ import { fetchAllowedFields } from "../permissions/modules/fetch-allowed-fields/
 import emitter_default from "../emitter.js";
 import { validateAccess } from "../permissions/modules/validate-access/validate-access.js";
 import { shouldClearCache } from "../utils/should-clear-cache.js";
+import { getEntitlementManager } from "../license/entitlements/manager.js";
+import "../license/index.js";
 import { ForbiddenError, InvalidPayloadError } from "@directus/errors";
 import { systemCollectionRows } from "@directus/system-data";
 
@@ -74,7 +76,10 @@ var UtilsService = class {
 	async clearCache({ system }) {
 		if (this.accountability?.admin !== true) throw new ForbiddenError();
 		const { cache } = getCache();
-		if (system) await clearSystemCache({ forced: true });
+		if (system) {
+			await clearSystemCache({ forced: true });
+			await getEntitlementManager().clearCache();
+		}
 		return cache?.clear();
 	}
 };

package/dist/services/versions.js

@@ -1,3 +1,4 @@
+import "../packages/types/dist/index.js";
 import { getCache } from "../cache.js";
 import { getHelpers } from "../database/helpers/index.js";
 import emitter_default from "../emitter.js";
@@ -8,10 +9,10 @@ import { splitRecursive } from "../utils/versioning/split-recursive.js";
 import { ItemsService } from "./items.js";
 import { ActivityService } from "./activity.js";
 import { RevisionsService } from "./revisions.js";
-import { ForbiddenError, InvalidPayloadError, UnprocessableContentError } from "@directus/errors";
+import { ForbiddenError, InvalidPayloadError, UnprocessableContentError, VersionHashMismatchError } from "@directus/errors";
 import { deepMapWithSchema } from "@directus/utils";
-import { assign, get, isEqual, isPlainObject, pick } from "lodash-es";
-import { Action } from "@directus/constants";
+import { assign, get, isEqual, isNil, isPlainObject, pick } from "lodash-es";
+import { Action, VERSION_KEY_DRAFT, isPublishedVersionKey } from "@directus/constants";
 import hash from "object-hash";
 import Joi from "joi";
 
@@ -21,16 +22,23 @@ var VersionsService = class VersionsService extends ItemsService {
 		super("directus_versions", options);
 	}
 	async validateCreateData(data) {
-		const { error } = Joi.object({
+		const versionCreateSchema = Joi.object({
 			key: Joi.string().required(),
 			name: Joi.string().allow(null),
 			collection: Joi.string().required(),
-			item: Joi.string().required()
-		}).validate(data);
+			item: Joi.string().allow(null)
+		});
+		const itemLess = isNil(data["item"]);
+		const { error } = versionCreateSchema.validate(data);
 		if (error) throw new InvalidPayloadError({ reason: error.message });
-		if (data["key"] === "main") throw new InvalidPayloadError({ reason: `"main" is a reserved version key` });
+		if (isPublishedVersionKey(data["key"])) throw new InvalidPayloadError({ reason: `"${data["key"]}" is a reserved version key` });
+		if (itemLess && data["key"] !== VERSION_KEY_DRAFT) throw new InvalidPayloadError({ reason: `"key" must be "${VERSION_KEY_DRAFT}" for versions not linked to an item` });
 		if (this.accountability) try {
-			await validateAccess({
+			await validateAccess(itemLess ? {
+				accountability: this.accountability,
+				action: "read",
+				collection: data["collection"]
+			} : {
 				accountability: this.accountability,
 				action: "read",
 				collection: data["collection"],
@@ -47,6 +55,7 @@ var VersionsService = class VersionsService extends ItemsService {
 			knex: this.knex,
 			schema: this.schema
 		}).readOne(data["collection"])).meta?.versioning) throw new UnprocessableContentError({ reason: `Content Versioning is not enabled for collection "${data["collection"]}"` });
+		if (itemLess) return;
 		if ((await new VersionsService({
 			knex: this.knex,
 			schema: this.schema
@@ -73,18 +82,27 @@ var VersionsService = class VersionsService extends ItemsService {
 			mainHash
 		};
 	}
-	async getVersionSave(key, collection, item, mapDelta = true) {
-		const version = (await this.readByQuery({ filter: {
-			key: { _eq: key },
-			collection: { _eq: collection },
-			item: { _eq: item }
-		} }))[0];
-		if (mapDelta && version?.delta) version.delta = this.mapDelta(version);
-		return version;
+	async getVersionSaves(key, collection, item, mapDelta = true) {
+		let itemFilter = {};
+		if (item) itemFilter = { item: { _eq: item } };
+		let versions = await this.readByQuery({
+			filter: {
+				key: { _eq: key },
+				collection: { _eq: collection },
+				...itemFilter
+			},
+			limit: -1
+		});
+		if (mapDelta) versions = versions.map((version) => {
+			if (version.delta) version.delta = this.mapDelta(version);
+			return version;
+		});
+		return versions;
 	}
 	async createOne(data, opts) {
 		await this.validateCreateData(data);
-		data["hash"] = hash(await this.getMainItem(data["collection"], data["item"]));
+		if (data["item"]) data["hash"] = hash(await this.getMainItem(data["collection"], data["item"]));
+		else data["hash"] = null;
 		return super.createOne(data, opts);
 	}
 	async readOne(key, query = {}, opts) {
@@ -105,66 +123,105 @@ var VersionsService = class VersionsService extends ItemsService {
 	async updateMany(keys, data, opts) {
 		const { error } = Joi.object({
 			key: Joi.string(),
-			name: Joi.string().allow(null)
+			name: Joi.string().allow(null),
+			item: Joi.string().allow(null)
 		}).validate(data);
 		if (error) throw new InvalidPayloadError({ reason: error.message });
-		if ("key" in data) {
-			if (data["key"] === "main") throw new InvalidPayloadError({ reason: `"main" is a reserved version key` });
-			const keyCombos = /* @__PURE__ */ new Set();
-			for (const pk of keys) {
-				const { collection, item } = await this.readOne(pk, { fields: ["collection", "item"] });
-				const keyCombo = `${data["key"]}-${collection}-${item}`;
-				if (keyCombos.has(keyCombo)) throw new UnprocessableContentError({ reason: `Cannot update multiple versions on "${item}" in collection "${collection}" to the same key "${data["key"]}"` });
-				keyCombos.add(keyCombo);
-				if ((await super.readByQuery({
-					aggregate: { count: ["*"] },
-					filter: {
-						id: { _neq: pk },
-						key: { _eq: data["key"] },
-						collection: { _eq: collection },
-						item: { _eq: item }
-					}
-				}))[0]["count"] > 0) throw new UnprocessableContentError({ reason: `Version "${data["key"]}" already exists for item "${item}" in collection "${collection}"` });
-			}
+		if (isPublishedVersionKey(data["key"])) throw new InvalidPayloadError({ reason: `"${data["key"]}" is a reserved version key` });
+		const keyCombos = /* @__PURE__ */ new Set();
+		for (const pk of keys) {
+			const existingVersion = await this.readOne(pk, { fields: [
+				"collection",
+				"item",
+				"key"
+			] });
+			const collection = existingVersion.collection;
+			const item = "item" in data ? data["item"] : existingVersion.item;
+			const key = "key" in data ? data["key"] : existingVersion.key;
+			if (key !== VERSION_KEY_DRAFT && item === null) throw new InvalidPayloadError({ reason: `"key" must be "${VERSION_KEY_DRAFT}" for versions not linked to an item` });
+			if (item === null) continue;
+			const keyCombo = `${key}-${collection}-${item}`;
+			if (keyCombos.has(keyCombo)) throw new UnprocessableContentError({ reason: `Cannot update multiple versions on "${item}" in collection "${collection}" to the same key "${key}"` });
+			keyCombos.add(keyCombo);
+			if ((await super.readByQuery({
+				aggregate: { count: ["*"] },
+				filter: {
+					id: { _neq: pk },
+					key: { _eq: key },
+					collection: { _eq: collection },
+					item: { _eq: item }
+				}
+			}))[0]["count"] > 0) throw new UnprocessableContentError({ reason: `Version "${key}" already exists for item "${item}" in collection "${collection}"` });
 		}
 		return super.updateMany(keys, data, opts);
 	}
-	async save(key, delta) {
+	async save(key, delta, opts) {
 		const version = await super.readOne(key);
 		const payloadService = new PayloadService(this.collection, {
 			accountability: this.accountability,
 			knex: this.knex,
 			schema: this.schema
 		});
-		const activityService = new ActivityService({
-			knex: this.knex,
-			schema: this.schema
-		});
-		const revisionsService = new RevisionsService({
-			knex: this.knex,
-			schema: this.schema
-		});
 		const { item, collection, delta: existingDelta } = version;
-		const activity = await activityService.createOne({
-			action: Action.VERSION_SAVE,
-			user: this.accountability?.user ?? null,
-			collection,
-			ip: this.accountability?.ip ?? null,
-			user_agent: this.accountability?.userAgent ?? null,
-			origin: this.accountability?.origin ?? null,
-			item
-		});
-		const helpers = getHelpers(this.knex);
 		let revisionDelta = await payloadService.prepareDelta(delta);
-		await revisionsService.createOne({
-			activity,
-			version: key,
-			collection,
-			item,
-			data: revisionDelta,
-			delta: revisionDelta
-		});
+		if (item) {
+			const trackingAccountability = this.schema.collections[collection]?.accountability ?? null;
+			if (trackingAccountability !== null) {
+				const revisionsService = new RevisionsService({
+					knex: this.knex,
+					schema: this.schema
+				});
+				let patchedExistingRevision = false;
+				if (opts?.patchRevision && trackingAccountability === "all") {
+					const [latestRevision] = await revisionsService.readByQuery({
+						filter: { version: { _eq: key } },
+						sort: ["-activity.timestamp"],
+						limit: 1,
+						fields: [
+							"id",
+							"data",
+							"delta",
+							"activity.user"
+						]
+					});
+					const currentUser = this.accountability?.user ?? null;
+					const latestRevisionUser = (latestRevision?.["activity"])?.user ?? null;
+					if (latestRevision && latestRevisionUser === currentUser) {
+						const mergedRevisionData = assign({}, latestRevision["data"], revisionDelta);
+						const mergedRevisionDelta = assign({}, latestRevision["delta"], revisionDelta);
+						await revisionsService.updateOne(latestRevision["id"], {
+							data: mergedRevisionData,
+							delta: mergedRevisionDelta
+						});
+						patchedExistingRevision = true;
+					}
+				}
+				if (!patchedExistingRevision) {
+					const activity = await new ActivityService({
+						knex: this.knex,
+						schema: this.schema
+					}).createOne({
+						action: Action.VERSION_SAVE,
+						user: this.accountability?.user ?? null,
+						collection,
+						ip: this.accountability?.ip ?? null,
+						user_agent: this.accountability?.userAgent ?? null,
+						origin: this.accountability?.origin ?? null,
+						item
+					});
+					if (trackingAccountability === "all") await revisionsService.createOne({
+						activity,
+						version: key,
+						collection,
+						item,
+						data: revisionDelta,
+						delta: revisionDelta
+					});
+				}
+			}
+		}
 		revisionDelta = revisionDelta ? revisionDelta : null;
+		const helpers = getHelpers(this.knex);
 		const date = new Date(helpers.date.writeTimestamp((/* @__PURE__ */ new Date()).toISOString()));
 		deepMapObjects(revisionDelta, (object, path) => {
 			const existing = get(existingDelta, path);
@@ -185,22 +242,29 @@ var VersionsService = class VersionsService extends ItemsService {
 		if (shouldClearCache(cache, void 0, collection)) cache.clear();
 		return finalVersionDelta;
 	}
-	async promote(version, mainHash, fields) {
+	async promote(version, opts) {
 		const { collection, item, delta } = await super.readOne(version);
-		if (this.accountability) await validateAccess({
+		if (item && typeof opts?.mainHash !== "string") throw new InvalidPayloadError({ reason: `"mainHash" field is required` });
+		if (this.accountability) await validateAccess(item ? {
 			accountability: this.accountability,
 			action: "update",
 			collection,
 			primaryKeys: [item]
+		} : {
+			accountability: this.accountability,
+			action: "create",
+			collection
 		}, {
 			schema: this.schema,
 			knex: this.knex
 		});
 		if (!delta) throw new UnprocessableContentError({ reason: `No changes to promote` });
-		const { outdated } = await this.verifyHash(collection, item, mainHash);
-		if (outdated) throw new UnprocessableContentError({ reason: `Main item has changed since this version was last updated` });
+		if (item) {
+			const { outdated, mainHash } = await this.verifyHash(collection, item, opts?.mainHash);
+			if (outdated) throw new VersionHashMismatchError({ mainHash });
+		}
 		const { rawDelta, defaultOverwrites } = splitRecursive(delta);
-		const payloadToUpdate = fields ? pick(rawDelta, fields) : rawDelta;
+		const payloadToUpdate = opts?.fields ? pick(rawDelta, opts.fields) : rawDelta;
 		const itemsService = new ItemsService(collection, {
 			accountability: this.accountability,
 			knex: this.knex,
@@ -215,7 +279,12 @@ var VersionsService = class VersionsService extends ItemsService {
 			schema: this.schema,
 			accountability: this.accountability
 		});
-		const updatedItemKey = await itemsService.updateOne(item, payloadAfterHooks, { overwriteDefaults: defaultOverwrites });
+		let updatedItemKey;
+		if (item) updatedItemKey = await itemsService.updateOne(item, payloadAfterHooks, { overwriteDefaults: defaultOverwrites });
+		else {
+			updatedItemKey = await itemsService.createOne(payloadAfterHooks, { overwriteDefaults: defaultOverwrites });
+			await this.updateOne(version, { item: String(updatedItemKey) });
+		}
 		emitter_default.emitAction(["items.promote", `${collection}.items.promote`], {
 			payload: payloadAfterHooks,
 			collection,

package/dist/utils/calculate-field-depth.js

@@ -39,6 +39,7 @@ function calculateFieldDepth(obj, dotNotationKeys = []) {
 	const keys = Object.keys(obj);
 	for (const key of keys) {
 		const nestedValue = obj[key];
+		if (key === "_json") continue;
 		if (dotNotationKeys.includes(key) && nestedValue) {
 			let sortDepth = 0;
 			for (const sortKey of nestedValue) if (sortKey) sortDepth = Math.max(sortKey.split(".").length, sortDepth);

package/dist/utils/deep-freeze.js

@@ -0,0 +1,24 @@
+import { isPlainObject } from "lodash-es";
+
+//#region src/utils/deep-freeze.ts
+/**
+* Recursively freezes arrays and plain objects so the entire structure is immutable.
+*
+* @example
+* const frozen = deepFreeze({ a: { b: 1 } });
+* frozen.a.b = 2; // throws in strict mode
+*/
+function deepFreeze(value) {
+	if (Array.isArray(value)) {
+		for (const item of value) deepFreeze(item);
+		return Object.freeze(value);
+	}
+	if (isPlainObject(value)) {
+		for (const item of Object.values(value)) deepFreeze(item);
+		return Object.freeze(value);
+	}
+	return value;
+}
+
+//#endregion
+export { deepFreeze };

package/dist/utils/extract-function-name.js

@@ -0,0 +1,13 @@
+//#region src/utils/extract-function-name.ts
+/**
+* Extracts the function name from a function call string, e.g. `year(date_created)` → `'year'`.
+* Returns null if the string is not a recognized function call.
+*/
+function extractFunctionName(str) {
+	const trimmed = str.trim();
+	if (!trimmed.includes("(") || !trimmed.endsWith(")")) return null;
+	return trimmed.split("(")[0] ?? null;
+}
+
+//#endregion
+export { extractFunctionName };

package/dist/utils/generate-translations.js

@@ -10,7 +10,7 @@ import { cloneFields, validateFieldsEligibility } from "./translations-shared.js
 import { dbSafeIdentifierSchema } from "./translations-validation.js";
 import { InvalidPayloadError } from "@directus/errors";
 import { fromZodError } from "zod-validation-error";
-import { z } from "zod";
+import { z as z$1 } from "zod";
 
 //#region src/utils/generate-translations.ts
 const logger = useLogger();
@@ -31,15 +31,15 @@ function buildTranslationsAliasField(languagesFields) {
 		}
 	};
 }
-const GenerateTranslationsInput = z.object({
+const GenerateTranslationsInput = z$1.object({
 	collection: dbSafeIdentifierSchema,
-	fields: z.array(dbSafeIdentifierSchema).min(1),
+	fields: z$1.array(dbSafeIdentifierSchema).min(1),
 	translationsCollection: dbSafeIdentifierSchema.optional(),
 	languagesCollection: dbSafeIdentifierSchema.optional(),
 	parentFkField: dbSafeIdentifierSchema.optional(),
 	languageFkField: dbSafeIdentifierSchema.optional(),
-	createLanguagesCollection: z.boolean().optional().default(true),
-	seedLanguages: z.boolean().optional().default(true)
+	createLanguagesCollection: z$1.boolean().optional().default(true),
+	seedLanguages: z$1.boolean().optional().default(true)
 });
 async function generateTranslations(input, options) {
 	const parseResult = GenerateTranslationsInput.safeParse(input);

package/dist/utils/get-accountability-for-token.js

@@ -5,6 +5,7 @@ import { getSecret } from "./get-secret.js";
 import { createDefaultAccountability } from "../permissions/utils/create-default-accountability.js";
 import { verifyAccessJWT } from "./jwt.js";
 import isDirectusJWT from "./is-directus-jwt.js";
+import { parseOAuthScope } from "./parse-oauth-scope.js";
 import { verifySessionJWT } from "./verify-session-jwt.js";
 import { InvalidCredentialsError } from "@directus/errors";
 
@@ -15,8 +16,19 @@ async function getAccountabilityForToken(token, accountability) {
 	if (token) if (isDirectusJWT(token)) {
 		const payload = verifyAccessJWT(token, getSecret());
 		if ("session" in payload) {
-			await verifySessionJWT(payload);
+			const { oauth_client } = await verifySessionJWT(payload);
 			accountability.session = payload.session;
+			if (oauth_client !== null) {
+				let aud;
+				if (Array.isArray(payload.aud)) aud = payload.aud;
+				else if (payload.aud) aud = [String(payload.aud)];
+				else aud = [];
+				accountability.oauth = {
+					client: oauth_client,
+					scopes: parseOAuthScope(payload.scope),
+					aud
+				};
+			}
 		}
 		if (payload.share) accountability.share = payload.share;
 		if (payload.id) accountability.user = payload.id;

package/dist/utils/get-cache-key.js

@@ -1,7 +1,7 @@
 import database_default from "../database/index.js";
+import { getFlowManager } from "../flows.js";
 import { fetchPoliciesIpAccess } from "../permissions/modules/fetch-policies-ip-access/fetch-policies-ip-access.js";
 import { getGraphqlQueryAndVariables } from "./get-graphql-query-and-variables.js";
-import { getFlowManager } from "../flows.js";
 import { toArray } from "@directus/utils";
 import { isEmpty, pick } from "lodash-es";
 import { ipInNetworks } from "@directus/utils/node";

package/dist/utils/get-history-filter-query.js

@@ -0,0 +1,22 @@
+import { getEntitlementManager } from "../license/entitlements/manager.js";
+import "../license/index.js";
+import { mergeFilters } from "@directus/utils";
+
+//#region src/utils/get-history-filter-query.ts
+function getHistoryFilterQuery(query, entitlement, buildFilter) {
+	const limit = getEntitlementManager().getEntitlementLimit(entitlement);
+	if (limit === null || !Number.isFinite(limit) || limit < 0) return query;
+	if (limit === 0) return {
+		...query,
+		limit: 0
+	};
+	const filter = mergeFilters(buildFilter(/* @__PURE__ */ new Date(Date.now() - limit * 1e3)), query.filter ?? null, "and");
+	if (!filter) return query;
+	return {
+		...query,
+		filter
+	};
+}
+
+//#endregion
+export { getHistoryFilterQuery };

package/dist/utils/get-schema.js

@@ -12,7 +12,7 @@ import getDefaultValue from "./get-default-value.js";
 import { getSystemFieldRowsWithAuthProviders } from "./get-field-system-rows.js";
 import { useEnv } from "@directus/env";
 import { parseJSON, toArray, toBoolean } from "@directus/utils";
-import { mapValues } from "lodash-es";
+import { mapValues, pick } from "lodash-es";
 import { createInspector } from "@directus/schema";
 import { systemCollectionRows } from "@directus/system-data";
 
@@ -74,7 +74,7 @@ async function getDatabaseSchema(database, schemaInspector) {
 	};
 	const systemFieldRows$1 = getSystemFieldRowsWithAuthProviders();
 	const schemaOverview = await schemaInspector.overview();
-	const collections = [...await database.select("collection", "singleton", "note", "sort_field", "accountability").from("directus_collections"), ...systemCollectionRows];
+	const collections = [...(await database.select("*").from("directus_collections")).filter((c) => !("status" in c) || c["status"] === "active").map((c) => pick(c, "collection", "singleton", "note", "sort_field", "accountability")), ...systemCollectionRows];
 	for (const [collection, info] of Object.entries(schemaOverview)) {
 		if (toArray(env["DB_EXCLUDE_TABLES"]).includes(collection)) {
 			logger.trace(`Collection "${collection}" is configured to be excluded and will be ignored`);

package/dist/utils/get-service.js

@@ -1,12 +1,13 @@
 import { ItemsService } from "../services/items.js";
 import { FilesService } from "../services/files.js";
 import { FoldersService } from "../services/folders.js";
-import { ActivityService } from "../services/activity.js";
 import { AccessService } from "../services/access.js";
+import { ActivityService } from "../services/activity.js";
+import { FlowsService } from "../services/flows.js";
+import { RevisionsService } from "../services/revisions.js";
 import { SettingsService } from "../services/settings.js";
 import { UsersService } from "../services/users.js";
 import { NotificationsService } from "../services/notifications.js";
-import { RevisionsService } from "../services/revisions.js";
 import { CommentsService } from "../services/comments.js";
 import { DashboardsService } from "../services/dashboards.js";
 import { DeploymentProjectsService } from "../services/deployment-projects.js";
@@ -22,7 +23,6 @@ import { SharesService } from "../services/shares.js";
 import { TranslationsService } from "../services/translations.js";
 import { VersionsService } from "../services/versions.js";
 import "../services/index.js";
-import { FlowsService } from "../services/flows.js";
 import { ForbiddenError } from "@directus/errors";
 
 //#region src/utils/get-service.ts

package/dist/utils/is-admin.js

@@ -0,0 +1,9 @@
+//#region src/utils/is-admin.ts
+function isAdmin(accountability) {
+	if (accountability === null) return true;
+	if (accountability?.admin === true) return true;
+	return false;
+}
+
+//#endregion
+export { isAdmin };

package/dist/utils/parse-oauth-scope.js

@@ -0,0 +1,12 @@
+//#region src/utils/parse-oauth-scope.ts
+/**
+* Parse an OAuth scope string into a deduplicated array of scope tokens.
+* Per RFC 6749 Section 3.3, scope is a space-separated list of case-sensitive strings.
+*/
+function parseOAuthScope(scope) {
+	if (typeof scope !== "string" || scope.trim() === "") return [];
+	return [...new Set(scope.trim().split(/\s+/))];
+}
+
+//#endregion
+export { parseOAuthScope };