npm - @directus/api - Versions diffs - 35.2.0 → 36.0.0-rc.0 - Mend

@directus/api 35.2.0 → 36.0.0-rc.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (188) hide show

package/dist/ai/chat/models/chat-request.js +48 -48
package/dist/ai/chat/models/object-request.js +6 -6
package/dist/ai/chat/models/providers.js +14 -14
package/dist/ai/chat/utils/parse-json-schema-7.js +22 -22
package/dist/ai/mcp/server.js +44 -6
package/dist/ai/mcp/utils.js +31 -0
package/dist/ai/tools/assets/index.js +3 -3
package/dist/ai/tools/collections/index.js +18 -18
package/dist/ai/tools/fields/index.js +18 -18
package/dist/ai/tools/files/index.js +18 -18
package/dist/ai/tools/flows/index.js +16 -16
package/dist/ai/tools/folders/index.js +18 -18
package/dist/ai/tools/items/index.js +17 -17
package/dist/ai/tools/operations/index.js +16 -16
package/dist/ai/tools/relations/index.js +22 -22
package/dist/ai/tools/schema/index.js +3 -3
package/dist/ai/tools/schema.js +159 -159
package/dist/ai/tools/system/index.js +3 -3
package/dist/ai/tools/trigger-flow/index.js +3 -3
package/dist/app.js +33 -9
package/dist/auth/drivers/ldap.js +3 -1
package/dist/auth/drivers/local.js +2 -0
package/dist/auth/drivers/oauth2.js +3 -1
package/dist/auth/drivers/openid.js +3 -1
package/dist/auth/drivers/saml.js +2 -0
package/dist/auth/utils/check-local-disabled.js +16 -0
package/dist/auth/utils/check-sso-enabled.js +14 -0
package/dist/auth.js +8 -5
package/dist/cli/commands/bootstrap/index.js +3 -0
package/dist/cli/commands/cache/clear.js +6 -1
package/dist/cli/commands/roles/create.js +4 -1
package/dist/cli/commands/users/create.js +3 -0
package/dist/constants.js +8 -1
package/dist/controllers/access.js +1 -1
package/dist/controllers/activity.js +2 -1
package/dist/controllers/assets.js +2 -0
package/dist/controllers/auth.js +13 -5
package/dist/controllers/collections.js +1 -1
package/dist/controllers/comments.js +1 -1
package/dist/controllers/dashboards.js +1 -1
package/dist/controllers/fields.js +1 -1
package/dist/controllers/files.js +3 -1
package/dist/controllers/flows.js +6 -5
package/dist/controllers/folders.js +1 -1
package/dist/controllers/graphql.js +2 -0
package/dist/controllers/items.js +3 -1
package/dist/controllers/license.js +119 -0
package/dist/controllers/mcp/index.js +38 -0
package/dist/controllers/mcp/oauth-clients.js +68 -0
package/dist/controllers/mcp/oauth-consent-page.js +316 -0
package/dist/controllers/mcp/oauth.js +381 -0
package/dist/controllers/mcp/templates/oauth-consent.liquid +62 -0
package/dist/controllers/mcp/templates/oauth-error.liquid +28 -0
package/dist/controllers/notifications.js +1 -1
package/dist/controllers/operations.js +1 -1
package/dist/controllers/panels.js +1 -1
package/dist/controllers/permissions.js +1 -1
package/dist/controllers/policies.js +1 -1
package/dist/controllers/presets.js +1 -1
package/dist/controllers/revisions.js +3 -2
package/dist/controllers/roles.js +1 -1
package/dist/controllers/server.js +38 -9
package/dist/controllers/shares.js +1 -1
package/dist/controllers/translations.js +1 -1
package/dist/controllers/users.js +1 -1
package/dist/controllers/utils.js +2 -2
package/dist/controllers/versions.js +12 -5
package/dist/database/get-ast-from-query/lib/convert-wildcards.js +10 -1
package/dist/database/get-ast-from-query/lib/parse-fields.js +2 -1
package/dist/database/helpers/fn/dialects/mysql.js +7 -12
package/dist/database/helpers/fn/dialects/oracle.js +3 -4
package/dist/database/helpers/fn/dialects/postgres.js +4 -26
package/dist/database/helpers/fn/json/mysql-json-path.js +22 -0
package/dist/database/helpers/fn/json/parse-function.js +14 -6
package/dist/database/helpers/fn/json/postgres-json-path.js +54 -0
package/dist/database/migrations/20260110A-add-ai-provider-settings.js +4 -4
package/dist/database/migrations/20260217A-null-item-versions.js +14 -0
package/dist/database/migrations/20260312A-add-ai-translation-settings.js +18 -0
package/dist/database/migrations/20260507A-add-licensing.js +22 -0
package/dist/database/migrations/20260512A-add-autosave-revision-interval.js +14 -0
package/dist/database/migrations/20260512B-add-mcp-oauth.js +87 -0
package/dist/database/run-ast/lib/apply-query/filter/operator.js +116 -33
package/dist/database/run-ast/lib/apply-query/index.js +4 -1
package/dist/database/run-ast/lib/apply-query/sort.js +17 -7
package/dist/database/run-ast/lib/get-db-query.js +21 -9
package/dist/database/run-ast/lib/parse-current-level.js +2 -1
package/dist/database/run-ast/run-ast.js +2 -1
package/dist/database/run-ast/utils/get-column.js +2 -1
package/dist/extensions/lib/installation/manager.js +1 -1
package/dist/extensions/lib/sandbox/register/operation.js +1 -1
package/dist/extensions/lib/sync/sync.js +1 -1
package/dist/extensions/manager.js +3 -3
package/dist/flows.js +5 -5
package/dist/license/entitlements/lib/collections.js +37 -0
package/dist/license/entitlements/lib/custom-llms-enabled.js +18 -0
package/dist/license/entitlements/lib/custom-permission-rules-enabled.js +41 -0
package/dist/license/entitlements/lib/flows.js +29 -0
package/dist/license/entitlements/lib/seats.js +103 -0
package/dist/license/entitlements/lib/sso-enabled.js +45 -0
package/dist/license/entitlements/manager.js +256 -0
package/dist/license/index.js +4 -0
package/dist/license/manager.js +505 -0
package/dist/license/utils/compute-license-status.js +27 -0
package/dist/license/utils/get-core-grace-expires-at.js +38 -0
package/dist/license/utils/get-license-key.js +23 -0
package/dist/license/utils/get-license-token.js +23 -0
package/dist/license/utils/handle-license-error.js +41 -0
package/dist/license/utils/is-in-core-grace-period.js +11 -0
package/dist/license/utils/is-sso-bypass-allowed.js +21 -0
package/dist/license/utils/use-rpc.js +33 -0
package/dist/middleware/cache.js +4 -1
package/dist/middleware/error-handler.js +11 -0
package/dist/middleware/extract-token.js +11 -2
package/dist/middleware/is-admin.js +16 -0
package/dist/middleware/is-locked.js +16 -0
package/dist/middleware/mcp-oauth-guard.js +23 -0
package/dist/middleware/request-counter.js +5 -2
package/dist/packages/types/dist/index.js +117 -122
package/dist/permissions/modules/process-ast/utils/extract-paths-from-query.js +10 -1
package/dist/permissions/utils/get-unaliased-field-key.js +2 -1
package/dist/request/is-denied-ip.js +2 -0
package/dist/schedules/license.js +31 -0
package/dist/schedules/oauth-cleanup.js +26 -0
package/dist/schedules/retention.js +1 -1
package/dist/schedules/telemetry.js +4 -1
package/dist/schedules/tus.js +1 -1
package/dist/schedules/utils/duration-to-cron.js +36 -0
package/dist/services/activity.js +15 -0
package/dist/services/authentication.js +12 -5
package/dist/services/collections.js +40 -10
package/dist/services/fields.js +6 -6
package/dist/services/flows.js +12 -0
package/dist/services/graphql/resolvers/system-admin.js +2 -2
package/dist/services/graphql/resolvers/system-global.js +1 -1
package/dist/services/graphql/resolvers/system.js +34 -18
package/dist/services/graphql/schema/get-types.js +23 -2
package/dist/services/graphql/schema/parse-query.js +8 -0
package/dist/services/graphql/schema/read.js +12 -0
package/dist/services/graphql/types/json-filter.js +30 -0
package/dist/services/index.js +6 -6
package/dist/services/items.js +32 -14
package/dist/services/mcp-oauth/cimd.js +307 -0
package/dist/services/mcp-oauth/index.js +1185 -0
package/dist/services/mcp-oauth/types/error.js +22 -0
package/dist/services/mcp-oauth/utils/cimd-egress.js +182 -0
package/dist/services/mcp-oauth/utils/domain.js +21 -0
package/dist/services/mcp-oauth/utils/loopback.js +11 -0
package/dist/services/mcp-oauth/utils/redirect.js +84 -0
package/dist/services/mcp-oauth/utils/registration-debug.js +131 -0
package/dist/services/payload.js +2 -1
package/dist/services/permissions.js +31 -9
package/dist/services/revisions.js +15 -0
package/dist/services/server.js +21 -4
package/dist/services/settings.js +37 -3
package/dist/services/users.js +13 -6
package/dist/services/utils.js +6 -1
package/dist/services/versions.js +137 -69
package/dist/utils/calculate-field-depth.js +1 -0
package/dist/utils/deep-freeze.js +24 -0
package/dist/utils/extract-function-name.js +13 -0
package/dist/utils/generate-translations.js +5 -5
package/dist/utils/get-accountability-for-token.js +13 -1
package/dist/utils/get-cache-key.js +1 -1
package/dist/utils/get-history-filter-query.js +22 -0
package/dist/utils/get-schema.js +2 -2
package/dist/utils/get-service.js +3 -3
package/dist/utils/is-admin.js +9 -0
package/dist/utils/parse-oauth-scope.js +12 -0
package/dist/utils/sanitize-query.js +1 -1
package/dist/utils/split-field-path.js +29 -0
package/dist/utils/transaction.js +2 -2
package/dist/utils/translations-validation.js +2 -2
package/dist/utils/validate-query.js +35 -4
package/dist/utils/validate-user-count-integrity.js +28 -5
package/dist/utils/verify-session-jwt.js +5 -2
package/dist/utils/versioning/handle-version.js +130 -48
package/dist/utils/versioning/remove-circular.js +17 -0
package/dist/websocket/authenticate.js +2 -1
package/dist/websocket/collab/collab.js +1 -1
package/dist/websocket/collab/room.js +1 -1
package/dist/websocket/controllers/base.js +12 -0
package/dist/websocket/controllers/graphql.js +1 -1
package/dist/websocket/handlers/subscribe.js +1 -1
package/dist/websocket/messages.js +64 -64
package/dist/websocket/utils/items.js +2 -2
package/license +90 -80
package/package.json +33 -32
package/dist/controllers/mcp.js +0 -31

package/dist/license/utils/is-sso-bypass-allowed.js ADDED Viewed

@@ -0,0 +1,21 @@
+import { isInCoreGracePeriod } from "./is-in-core-grace-period.js";
+import { getLicenseManager } from "../manager.js";
+//#region src/license/utils/is-sso-bypass-allowed.ts
+/**
+* Keep SSO reachable for unentitled installs when the license is locked or in the v12 core grace
+* period, so admins can still sign in and resolve licensing.
+*
+* 'grace' only bypasses when also in the core grace period, so licensed expiry-grace doesn't qualify.
+*/
+async function isSSOBypassAllowed() {
+	const licenseManager = getLicenseManager();
+	const status = await licenseManager.getStatus();
+	const source = licenseManager.getSource();
+	if (status === "locked") return true;
+	if (status === "grace" && source === null) return isInCoreGracePeriod();
+	return false;
+}
+//#endregion
+export { isSSOBypassAllowed };

package/dist/license/utils/use-rpc.js ADDED Viewed

@@ -0,0 +1,33 @@
+import { useBus } from "../../bus/lib/use-bus.js";
+import "../../bus/index.js";
+import { randomUUID } from "crypto";
+//#region src/license/utils/use-rpc.ts
+/**
+* RPC means remote procedure call, allowing to call functions across multiple instances in a code native manner.
+*
+* Does not call the function on its OWN instance
+*/
+function useRPC(self, channel) {
+	const uid = randomUUID();
+	const messenger = useBus();
+	messenger.subscribe(channel, async ({ uid: id, method, args }) => {
+		if (uid == id) return;
+		const fn = self[method];
+		if (typeof fn === "function") try {
+			await fn.apply(self, args);
+		} catch {}
+	});
+	return new Proxy({}, { get(_, method) {
+		return async (...args) => {
+			await messenger.publish(channel, {
+				uid,
+				method,
+				args
+			});
+		};
+	} });
+}
+//#endregion
+export { useRPC };

package/dist/middleware/cache.js CHANGED Viewed

@@ -2,9 +2,11 @@ import async_handler_default from "../utils/async-handler.js";
 import { useLogger } from "../logger/index.js";
 import { getCache, getCacheValue } from "../cache.js";
 import { useBufferedCounter } from "../telemetry/counter/use-buffered-counter.js";
+import { getEntitlementManager } from "../license/entitlements/manager.js";
 import { shouldSkipCache } from "../utils/should-skip-cache.js";
 import { getCacheControlHeader } from "../utils/get-cache-headers.js";
 import { getCacheKey } from "../utils/get-cache-key.js";
+import "../license/index.js";
 import { useEnv } from "@directus/env";
 import { toBoolean } from "@directus/utils";
@@ -13,6 +15,7 @@ const checkCacheMiddleware = async_handler_default(async (req, res, next) => {
 	const env = useEnv();
 	const { cache } = getCache();
 	const logger = useLogger();
+	const entitlementManager = getEntitlementManager();
 	if (req.method.toLowerCase() !== "get" && req.originalUrl?.startsWith("/graphql") === false) return next();
 	if (env["CACHE_ENABLED"] !== true) return next();
 	if (!cache) return next();
@@ -42,7 +45,7 @@ const checkCacheMiddleware = async_handler_default(async (req, res, next) => {
 		res.setHeader("Cache-Control", getCacheControlHeader(req, cacheTTL, true, true));
 		res.setHeader("Vary", "Origin, Cache-Control");
 		if (env["CACHE_STATUS_HEADER"]) res.setHeader(`${env["CACHE_STATUS_HEADER"]}`, "HIT");
-		if (toBoolean(env["TELEMETRY"])) try {
+		if (entitlementManager.isEntitled("telemetry_required") || toBoolean(env["TELEMETRY"])) try {
 			useBufferedCounter("api-requests").increment("cached");
 		} catch (err) {
 			logger.trace(err, "Failed to increment cached request counter");

package/dist/middleware/error-handler.js CHANGED Viewed

@@ -1,6 +1,8 @@
 import { useLogger } from "../logger/index.js";
 import database_default from "../database/index.js";
 import emitter_default from "../emitter.js";
+import { buildMcpWWWAuthenticateHeader, getMcpUrls, isMcpPath } from "../ai/mcp/utils.js";
+import { useEnv } from "@directus/env";
 import { ErrorCode, InternalServerError, isDirectusError } from "@directus/errors";
 import { isObject } from "@directus/utils";
 import { getNodeEnv } from "@directus/utils/node";
@@ -8,11 +10,20 @@ import { getNodeEnv } from "@directus/utils/node";
 //#region src/middleware/error-handler.ts
 const FALLBACK_ERROR = new InternalServerError();
 const errorHandler = asyncErrorHandler(async (err, req, res) => {
+	const env = useEnv();
 	const logger = useLogger();
 	let errors = [];
 	let status = null;
 	const receivedErrors = Array.isArray(err) ? err : [err];
 	for (const error of receivedErrors) {
+		if ((isDirectusError(error, ErrorCode.InvalidCredentials) || isDirectusError(error, ErrorCode.InvalidToken) || isDirectusError(error, ErrorCode.TokenExpired)) && isMcpPath(req.path) && env["MCP_OAUTH_ENABLED"] === true) {
+			const { metadataUrl } = getMcpUrls();
+			res.status(401).set("WWW-Authenticate", buildMcpWWWAuthenticateHeader(metadataUrl, "invalid_token")).set("Access-Control-Expose-Headers", "WWW-Authenticate").json({
+				error: "invalid_token",
+				error_description: error.message
+			});
+			return;
+		}
 		if (getNodeEnv() === "development" && error instanceof Error && error.stack) (error.extensions ??= {})["stack"] = error.stack;
 		if (isDirectusError(error)) {
 			logger.debug(error);

package/dist/middleware/extract-token.js CHANGED Viewed

@@ -14,18 +14,27 @@ import { InvalidPayloadError } from "@directus/errors";
 const extractToken = (req, _res, next) => {
 	const env = useEnv();
 	let token = null;
-	if (req.query && req.query["access_token"]) token = req.query["access_token"];
+	let tokenSource = null;
+	if (req.query && req.query["access_token"]) {
+		token = req.query["access_token"];
+		tokenSource = "query";
+	}
 	if (req.headers && req.headers.authorization) {
 		const parts = req.headers.authorization.split(" ");
 		if (parts.length === 2 && parts[0].toLowerCase() === "bearer") {
 			if (token !== null) throw new InvalidPayloadError({ reason: "The request uses more than one method for including an access token" });
 			token = parts[1];
+			tokenSource = "header";
 		}
 	}
 	if (req.cookies && req.cookies[env["SESSION_COOKIE_NAME"]]) {
-		if (token === null) token = req.cookies[env["SESSION_COOKIE_NAME"]];
+		if (token === null) {
+			token = req.cookies[env["SESSION_COOKIE_NAME"]];
+			tokenSource = "cookie";
+		}
 	}
 	req.token = token;
+	req.tokenSource = tokenSource;
 	next();
 };
 var extract_token_default = extractToken;

package/dist/middleware/is-admin.js ADDED Viewed

@@ -0,0 +1,16 @@
+import async_handler_default from "../utils/async-handler.js";
+import { isAdmin } from "../utils/is-admin.js";
+import { ForbiddenError } from "@directus/errors";
+//#region src/middleware/is-admin.ts
+/**
+* Require the request to have been  made by an admin
+*/
+const handler = async (req, _res, next) => {
+	if (!isAdmin(req.accountability)) throw new ForbiddenError();
+	return next();
+};
+var is_admin_default = async_handler_default(handler);
+//#endregion
+export { is_admin_default as default, handler };

package/dist/middleware/is-locked.js ADDED Viewed

@@ -0,0 +1,16 @@
+import async_handler_default from "../utils/async-handler.js";
+import { getLicenseManager } from "../license/manager.js";
+import { ResourceRestrictedError } from "@directus/errors";
+//#region src/middleware/is-locked.ts
+/**
+* Throws an error if the license is in a locked state
+*/
+const handler = (resource) => async_handler_default(async (_req, _res, next) => {
+	if (await getLicenseManager().isLocked()) throw new ResourceRestrictedError({ category: resource });
+	return next();
+});
+var is_locked_default = handler;
+//#endregion
+export { is_locked_default as default, handler };

package/dist/middleware/mcp-oauth-guard.js ADDED Viewed

@@ -0,0 +1,23 @@
+import { isMcpPath } from "../ai/mcp/utils.js";
+import { ForbiddenError } from "@directus/errors";
+//#region src/middleware/mcp-oauth-guard.ts
+/**
+* OAuth session route guard. If `accountability.oauth` is set, restrict to MCP endpoints only.
+* All other Directus API routes are forbidden. Regular sessions pass through untouched.
+*/
+function handler(req, _res, next) {
+	if (!req.accountability?.oauth) {
+		next();
+		return;
+	}
+	if (!isMcpPath(req.path) || req.method !== "GET" && req.method !== "POST") {
+		next(new ForbiddenError());
+		return;
+	}
+	next();
+}
+var mcp_oauth_guard_default = handler;
+//#endregion
+export { mcp_oauth_guard_default as default, handler };

package/dist/middleware/request-counter.js CHANGED Viewed

@@ -1,13 +1,16 @@
 import { useLogger } from "../logger/index.js";
 import { useBufferedCounter } from "../telemetry/counter/use-buffered-counter.js";
 import { TRACKED_METHODS } from "../telemetry/utils/format-api-request-counts.js";
+import { getEntitlementManager } from "../license/entitlements/manager.js";
+import "../license/index.js";
 import { useEnv } from "@directus/env";
 import { toBoolean } from "@directus/utils";
 //#region src/middleware/request-counter.ts
 const TRACKED_METHODS_UPPER = new Set(TRACKED_METHODS.map((m) => m.toUpperCase()));
-let requestCounterMiddleware = (_req, _res, next) => next();
-if (toBoolean(useEnv()["TELEMETRY"])) requestCounterMiddleware = (req, _res, next) => {
+const env = useEnv();
+const requestCounterMiddleware = (req, _res, next) => {
+	if (!getEntitlementManager().isEntitled("telemetry_required") && toBoolean(env["TELEMETRY"]) === false) return next();
 	if (TRACKED_METHODS_UPPER.has(req.method)) try {
 		useBufferedCounter("api-requests").increment(req.method.toLowerCase());
 	} catch (err) {

package/dist/packages/types/dist/index.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import z$1, { z } from "zod";
+import z, { z as z$1 } from "zod";
 import { PERMISSION_ACTIONS } from "@directus/constants";
 //#region ../packages/types/dist/index.js
@@ -53,69 +53,67 @@ const DatabaseClients = [
 * Supported deployment provider types
 */
 const DEPLOYMENT_PROVIDER_TYPES = ["vercel", "netlify"];
-const SplitEntrypoint = z.object({
-	app: z.string(),
-	api: z.string()
+const SplitEntrypoint = z$1.object({
+	app: z$1.string(),
+	api: z$1.string()
 });
-const ExtensionSandboxRequestedScopes = z.object({
-	request: z.optional(z.object({
-		urls: z.array(z.string()),
-		methods: z.array(z.union([
-			z.literal("GET"),
-			z.literal("POST"),
-			z.literal("PATCH"),
-			z.literal("PUT"),
-			z.literal("DELETE")
+const ExtensionSandboxRequestedScopes = z$1.object({
+	request: z$1.optional(z$1.object({
+		urls: z$1.array(z$1.string()),
+		methods: z$1.array(z$1.union([
+			z$1.literal("GET"),
+			z$1.literal("POST"),
+			z$1.literal("PATCH"),
+			z$1.literal("PUT"),
+			z$1.literal("DELETE")
 		]))
 	})),
-	log: z.optional(z.object({})),
-	sleep: z.optional(z.object({}))
+	log: z$1.optional(z$1.object({})),
+	sleep: z$1.optional(z$1.object({}))
 });
-const ExtensionSandboxOptions = z.optional(z.object({
-	enabled: z.boolean(),
+const ExtensionSandboxOptions = z$1.optional(z$1.object({
+	enabled: z$1.boolean(),
 	requestedScopes: ExtensionSandboxRequestedScopes
 }));
-const Color = z.string();
-const FamilyName = z.string().meta({ $ref: "FamilyName" });
-const FontWeight = z.string().meta({ $ref: "FontWeight" });
-const Length = z.string();
-const Percentage = z.string();
-const BoxShadow = z.string();
-const Number = z.string();
-const Size = z.string();
-const LineWidth = z.union([
-	z.string(),
-	z.literal("thin"),
-	z.literal("medium"),
-	z.literal("thick")
+const Color = z$1.string();
+const FamilyName = z$1.string().meta({ $ref: "FamilyName" });
+const FontWeight = z$1.string().meta({ $ref: "FontWeight" });
+const Length = z$1.string();
+const Percentage = z$1.string();
+const BoxShadow = z$1.string();
+const Number = z$1.string();
+const Size = z$1.string();
+const LineWidth = z$1.union([
+	z$1.string(),
+	z$1.literal("thin"),
+	z$1.literal("medium"),
+	z$1.literal("thick")
 ]);
-const FormRules = z.object({
-	columnGap: z.union([Length, Percentage]).optional(),
-	rowGap: z.union([Length, Percentage]).optional(),
-	field: z.object({
-		label: z.object({
+const FormRules = z$1.object({
+	columnGap: z$1.union([Length, Percentage]).optional(),
+	rowGap: z$1.union([Length, Percentage]).optional(),
+	field: z$1.object({
+		label: z$1.object({
 			foreground: Color.optional(),
 			fontFamily: FamilyName.optional(),
 			fontWeight: FontWeight.optional()
 		}).optional(),
-		input: z.object({
+		input: z$1.object({
 			background: Color.optional(),
 			backgroundSubdued: Color.optional(),
 			foreground: Color.optional(),
 			foregroundSubdued: Color.optional(),
 			borderColor: Color.optional(),
 			borderColorHover: Color.optional(),
-			borderColorFocus: Color.optional(),
+			focusRingColor: Color.optional(),
 			boxShadow: BoxShadow.optional(),
-			boxShadowHover: BoxShadow.optional(),
-			boxShadowFocus: BoxShadow.optional(),
 			height: Size.optional(),
-			padding: z.union([Length, Percentage]).optional()
+			padding: z$1.union([Length, Percentage]).optional()
 		}).optional()
 	}).optional()
 }).optional();
-const Rules = z.object({
-	borderRadius: z.union([Length, Percentage]).optional(),
+const Rules = z$1.object({
+	borderRadius: z$1.union([Length, Percentage]).optional(),
 	borderWidth: LineWidth.optional(),
 	foreground: Color.optional(),
 	foregroundSubdued: Color.optional(),
@@ -147,41 +145,44 @@ const Rules = z.object({
 	dangerBackground: Color.optional(),
 	dangerSubdued: Color.optional(),
 	dangerAccent: Color.optional(),
-	fonts: z.object({
-		display: z.object({
+	fonts: z$1.object({
+		display: z$1.object({
 			fontFamily: FamilyName.optional(),
 			fontWeight: FontWeight.optional()
 		}).optional(),
-		sans: z.object({
+		title: z$1.object({
 			fontFamily: FamilyName.optional(),
 			fontWeight: FontWeight.optional()
 		}).optional(),
-		serif: z.object({
+		sans: z$1.object({
 			fontFamily: FamilyName.optional(),
 			fontWeight: FontWeight.optional()
 		}).optional(),
-		monospace: z.object({
+		serif: z$1.object({
+			fontFamily: FamilyName.optional(),
+			fontWeight: FontWeight.optional()
+		}).optional(),
+		monospace: z$1.object({
 			fontFamily: FamilyName.optional(),
 			fontWeight: FontWeight.optional()
 		}).optional()
 	}).optional(),
-	navigation: z.object({
+	shell: z$1.object({
 		background: Color.optional(),
 		backgroundAccent: Color.optional(),
 		borderWidth: LineWidth.optional(),
-		borderColor: Color.optional(),
-		project: z.object({
-			background: Color.optional(),
+		borderColor: Color.optional()
+	}).optional(),
+	navigation: z$1.object({
+		project: z$1.object({
 			foreground: Color.optional(),
-			fontFamily: FamilyName.optional(),
-			borderWidth: LineWidth.optional(),
-			borderColor: Color.optional()
+			fontFamily: FamilyName.optional()
 		}).optional(),
-		modules: z.object({
+		modules: z$1.object({
 			background: Color.optional(),
 			borderWidth: LineWidth.optional(),
 			borderColor: Color.optional(),
-			button: z.object({
+			button: z$1.object({
 				foreground: Color.optional(),
 				foregroundHover: Color.optional(),
 				foregroundActive: Color.optional(),
@@ -190,8 +191,8 @@ const Rules = z.object({
 				backgroundActive: Color.optional()
 			}).optional()
 		}).optional(),
-		list: z.object({
-			icon: z.object({
+		list: z$1.object({
+			icon: z$1.object({
 				foreground: Color.optional(),
 				foregroundHover: Color.optional(),
 				foregroundActive: Color.optional()
@@ -203,37 +204,33 @@ const Rules = z.object({
 			backgroundHover: Color.optional(),
 			backgroundActive: Color.optional(),
 			fontFamily: FamilyName.optional(),
-			divider: z.object({
+			divider: z$1.object({
 				borderColor: Color.optional(),
 				borderWidth: LineWidth.optional()
 			})
 		}).optional()
 	}).optional(),
-	header: z.object({
-		background: Color.optional(),
-		borderWidth: LineWidth.optional(),
-		borderColor: Color.optional(),
-		boxShadow: BoxShadow.optional(),
-		headline: z.object({
-			foreground: Color.optional(),
-			fontFamily: FamilyName.optional()
-		}).optional(),
-		title: z.object({
-			foreground: Color.optional(),
-			fontFamily: FamilyName.optional(),
-			fontWeight: FontWeight.optional()
-		}).optional()
-	}).optional(),
+	header: z$1.object({ title: z$1.object({
+		foreground: Color.optional(),
+		fontFamily: FamilyName.optional(),
+		fontWeight: FontWeight.optional()
+	}).optional() }).optional(),
 	form: FormRules,
-	sidebar: z.object({
+	sidebar: z$1.object({
 		background: Color.optional(),
 		foreground: Color.optional(),
 		fontFamily: FamilyName.optional(),
 		borderWidth: LineWidth.optional(),
 		borderColor: Color.optional(),
-		section: z.object({
-			toggle: z.object({
-				icon: z.object({
+		section: z$1.object({
+			borderWidth: LineWidth.optional(),
+			borderColor: Color.optional(),
+			active: z$1.object({
+				borderWidth: LineWidth.optional(),
+				borderColor: Color.optional()
+			}).optional(),
+			toggle: z$1.object({
+				icon: z$1.object({
 					foreground: Color.optional(),
 					foregroundHover: Color.optional(),
 					foregroundActive: Color.optional()
@@ -244,18 +241,16 @@ const Rules = z.object({
 				background: Color.optional(),
 				backgroundHover: Color.optional(),
 				backgroundActive: Color.optional(),
-				fontFamily: FamilyName.optional(),
-				borderWidth: LineWidth.optional(),
-				borderColor: Color.optional()
+				fontFamily: FamilyName.optional()
 			}).optional(),
 			form: FormRules
 		}).optional()
 	}).optional(),
-	public: z.object({
+	public: z$1.object({
 		background: Color.optional(),
 		foreground: Color.optional(),
 		foregroundAccent: Color.optional(),
-		art: z.object({
+		art: z$1.object({
 			background: Color.optional(),
 			primary: Color.optional(),
 			secondary: Color.optional(),
@@ -263,42 +258,42 @@ const Rules = z.object({
 		}).optional(),
 		form: FormRules
 	}).optional(),
-	popover: z.object({ menu: z.object({
+	popover: z$1.object({ menu: z$1.object({
 		background: Color.optional(),
-		borderRadius: z.union([Length, Percentage]).optional(),
+		borderRadius: z$1.union([Length, Percentage]).optional(),
 		boxShadow: BoxShadow.optional()
 	}).optional() }).optional(),
-	banner: z.object({
+	banner: z$1.object({
 		background: Color.optional(),
-		padding: z.union([Length, Percentage]).optional(),
-		borderRadius: z.union([Length, Percentage]).optional(),
-		avatar: z.object({
+		padding: z$1.union([Length, Percentage]).optional(),
+		borderRadius: z$1.union([Length, Percentage]).optional(),
+		avatar: z$1.object({
 			background: Color.optional(),
 			foreground: Color.optional(),
-			borderRadius: z.union([Length, Percentage]).optional()
+			borderRadius: z$1.union([Length, Percentage]).optional()
 		}).optional(),
-		headline: z.object({
+		headline: z$1.object({
 			foreground: Color.optional(),
 			fontFamily: FamilyName.optional(),
 			fontWeight: FontWeight.optional()
 		}).optional(),
-		title: z.object({
+		title: z$1.object({
 			foreground: Color.optional(),
 			fontFamily: FamilyName.optional(),
 			fontWeight: FontWeight.optional()
 		}).optional(),
-		subtitle: z.object({
+		subtitle: z$1.object({
 			foreground: Color.optional(),
 			fontFamily: FamilyName.optional(),
 			fontWeight: FontWeight.optional()
 		}).optional(),
-		art: z.object({ foreground: Color.optional() }).optional()
+		art: z$1.object({ foreground: Color.optional() }).optional()
 	}).optional()
 });
-const ThemeSchema = z.object({
-	id: z.string(),
-	name: z.string(),
-	appearance: z.union([z.literal("light"), z.literal("dark")]),
+const ThemeSchema = z$1.object({
+	id: z$1.string(),
+	name: z$1.string(),
+	appearance: z$1.union([z$1.literal("light"), z$1.literal("dark")]),
 	rules: Rules
 });
 /**
@@ -319,9 +314,9 @@ let UserIntegrityCheckFlag = /* @__PURE__ */ function(UserIntegrityCheckFlag$1)
 	UserIntegrityCheckFlag$1[UserIntegrityCheckFlag$1["All"] = 3] = "All";
 	return UserIntegrityCheckFlag$1;
 }({});
-const zodStringOrNumber = z.union([z.string(), z.number()]);
-const WebSocketMessage = z.object({
-	type: z.string(),
+const zodStringOrNumber = z$1.union([z$1.string(), z$1.number()]);
+const WebSocketMessage = z$1.object({
+	type: z$1.string(),
 	uid: zodStringOrNumber.optional()
 }).passthrough();
 const TYPE = { COLLAB: "collab" };
@@ -356,35 +351,35 @@ const ACTION = {
 		ERROR: "error"
 	}
 };
-const BaseClientMessage = z$1.object({
-	type: z$1.literal(TYPE.COLLAB),
-	room: z$1.string()
+const BaseClientMessage = z.object({
+	type: z.literal(TYPE.COLLAB),
+	room: z.string()
 });
-const ClientMessage = z$1.discriminatedUnion("action", [
-	z$1.object({
-		type: z$1.literal(TYPE.COLLAB),
-		action: z$1.literal(ACTION.CLIENT.JOIN),
-		collection: z$1.string(),
-		item: z$1.union([z$1.string(), z$1.number()]).nullable(),
-		version: z$1.string().nullable(),
-		color: z$1.enum(COLORS).nullable().optional(),
-		initialChanges: z$1.record(z$1.string(), z$1.any()).optional()
+const ClientMessage = z.discriminatedUnion("action", [
+	z.object({
+		type: z.literal(TYPE.COLLAB),
+		action: z.literal(ACTION.CLIENT.JOIN),
+		collection: z.string(),
+		item: z.union([z.string(), z.number()]).nullable(),
+		version: z.string().nullable(),
+		color: z.enum(COLORS).nullable().optional(),
+		initialChanges: z.record(z.string(), z.any()).optional()
 	}),
-	BaseClientMessage.extend({ action: z$1.literal(ACTION.CLIENT.LEAVE) }),
+	BaseClientMessage.extend({ action: z.literal(ACTION.CLIENT.LEAVE) }),
 	BaseClientMessage.extend({
-		action: z$1.literal(ACTION.CLIENT.UPDATE),
-		field: z$1.string(),
-		changes: z$1.unknown().optional()
+		action: z.literal(ACTION.CLIENT.UPDATE),
+		field: z.string(),
+		changes: z.unknown().optional()
 	}),
 	BaseClientMessage.extend({
-		action: z$1.literal(ACTION.CLIENT.UPDATE_ALL),
-		changes: z$1.record(z$1.string(), z$1.any()).optional()
+		action: z.literal(ACTION.CLIENT.UPDATE_ALL),
+		changes: z.record(z.string(), z.any()).optional()
 	}),
 	BaseClientMessage.extend({
-		action: z$1.literal(ACTION.CLIENT.FOCUS),
-		field: z$1.string().nullable()
+		action: z.literal(ACTION.CLIENT.FOCUS),
+		field: z.string().nullable()
 	}),
-	BaseClientMessage.extend({ action: z$1.literal(ACTION.CLIENT.DISCARD) })
+	BaseClientMessage.extend({ action: z.literal(ACTION.CLIENT.DISCARD) })
 ]);
 //#endregion

package/dist/permissions/modules/process-ast/utils/extract-paths-from-query.js CHANGED Viewed

@@ -1,3 +1,5 @@
+import { parseJsonFunction } from "../../../../database/helpers/fn/json/parse-function.js";
+import { extractFunctionName } from "../../../../utils/extract-function-name.js";
 import { flattenFilter } from "./flatten-filter.js";
 import { isEqual, uniqWith } from "lodash-es";
@@ -21,7 +23,14 @@ function extractPathsFromQuery(query) {
 	const readOnlyPaths = [];
 	if (query.filter) flattenFilter(readOnlyPaths, query.filter);
 	if (query.sort) for (const field of query.sort) {
-		const parts = field.split(".").map((field$1) => field$1.startsWith("-") ? field$1.substring(1) : field$1);
+		const stripped = field.startsWith("-") ? field.substring(1) : field;
+		const resolved = query.alias?.[stripped] ?? stripped;
+		if (extractFunctionName(resolved) === "json") {
+			const { field: jsonField } = parseJsonFunction(resolved);
+			readOnlyPaths.push([jsonField]);
+			continue;
+		}
+		const parts = resolved.split(".");
 		if (query.aggregate && parts.length > 0 && parts[0] in query.aggregate) continue;
 		readOnlyPaths.push(parts);
 	}

package/dist/permissions/utils/get-unaliased-field-key.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { parseJsonFunction } from "../../database/helpers/fn/json/parse-function.js";
+import { extractFunctionName } from "../../utils/extract-function-name.js";
 import { parseFilterKey } from "../../utils/parse-filter-key.js";
 //#region src/permissions/utils/get-unaliased-field-key.ts
@@ -11,7 +12,7 @@ function getUnaliasedFieldKey(node) {
 		case "a2o":
 		case "m2o": return node.relation.field;
 		case "field": return parseFilterKey(node.name).fieldName;
-		case "functionField": if (node.name.startsWith("json")) return parseJsonFunction(node.name).field;
+		case "functionField": if (extractFunctionName(node.name) === "json") return parseJsonFunction(node.name).field;
 		else return parseFilterKey(node.name).fieldName;
 	}
 }

package/dist/request/is-denied-ip.js CHANGED Viewed

@@ -15,6 +15,8 @@ function isDeniedIp(ip) {
 			const blockNetwork = blockNetworkRaw.trim();
 			if (blockNetwork === "0.0.0.0") {
 				blockNetworkInterfaces = true;
+				blockList.parseSubnet("0.0.0.0/8");
+				blockList.parseAddress("::");
 				continue;
 			}
 			if (blockNetwork.includes("-")) {