@directus/api 35.2.0 → 36.0.0-rc.1

package/dist/services/mcp-oauth/types/error.js

@@ -0,0 +1,22 @@
+//#region src/services/mcp-oauth/types/error.ts
+/**
+* RFC 6749/7591 error with structured code for JSON serialization.
+*
+* `code` maps to the OAuth `error` field. `redirectable` controls whether
+* the controller can redirect the error back to the client's redirect_uri
+* (only safe after redirect_uri is validated against registered URIs).
+*/
+var OAuthError = class extends Error {
+	constructor(status, code, description, redirectable = false, headers = {}) {
+		super(description);
+		this.status = status;
+		this.code = code;
+		this.description = description;
+		this.redirectable = redirectable;
+		this.headers = headers;
+		this.name = "OAuthError";
+	}
+};
+
+//#endregion
+export { OAuthError };

package/dist/services/mcp-oauth/utils/cimd-egress.js

@@ -0,0 +1,182 @@
+import { IpBlocklist } from "@directus/utils/node";
+import { isIP } from "node:net";
+import { resolve4, resolve6 } from "node:dns/promises";
+
+//#region src/services/mcp-oauth/utils/cimd-egress.ts
+const DEFAULT_DNS_DEADLINE_MS = 1e3;
+const IPV4_SPECIAL_USE_CIDRS = [
+	"0.0.0.0/8",
+	"0.0.0.0/32",
+	"10.0.0.0/8",
+	"100.64.0.0/10",
+	"127.0.0.0/8",
+	"169.254.0.0/16",
+	"172.16.0.0/12",
+	"192.0.0.0/24",
+	"192.0.0.0/29",
+	"192.0.0.8/32",
+	"192.0.0.9/32",
+	"192.0.0.10/32",
+	"192.0.0.170/32",
+	"192.0.0.171/32",
+	"192.0.2.0/24",
+	"192.31.196.0/24",
+	"192.52.193.0/24",
+	"192.88.99.2/32",
+	"192.168.0.0/16",
+	"192.175.48.0/24",
+	"198.18.0.0/15",
+	"198.51.100.0/24",
+	"203.0.113.0/24",
+	"240.0.0.0/4",
+	"255.255.255.255/32"
+];
+const IPV6_SPECIAL_USE_CIDRS = [
+	"::/128",
+	"::1/128",
+	"::ffff:0:0/96",
+	"64:ff9b::/96",
+	"64:ff9b:1::/48",
+	"100::/64",
+	"100:0:0:1::/64",
+	"2001::/23",
+	"2001::/32",
+	"2001:1::1/128",
+	"2001:1::2/128",
+	"2001:1::3/128",
+	"2001:2::/48",
+	"2001:3::/32",
+	"2001:4:112::/48",
+	"2001:20::/28",
+	"2001:30::/28",
+	"2001:db8::/32",
+	"2002::/16",
+	"2620:4f:8000::/48",
+	"3fff::/20",
+	"5f00::/16",
+	"fc00::/7",
+	"fe80::/10"
+];
+const specialUseIpv4Blocklist = new IpBlocklist();
+const specialUseIpv6Blocklist = new IpBlocklist();
+for (const cidr of IPV4_SPECIAL_USE_CIDRS) specialUseIpv4Blocklist.parseSubnet(cidr);
+for (const cidr of IPV6_SPECIAL_USE_CIDRS) specialUseIpv6Blocklist.parseSubnet(cidr);
+var CimdEgressError = class extends Error {
+	reason;
+	constructor(reason, options) {
+		super(reason, options);
+		this.name = "CimdEgressError";
+		this.reason = reason;
+	}
+};
+const defaultResolver = {
+	resolve4,
+	resolve6
+};
+/** Fail-closed IP classifier for the CIMD egress policy. */
+function isSpecialUseIp(ip) {
+	const family = isIP(ip);
+	if (family === 0) return true;
+	try {
+		return family === 4 ? specialUseIpv4Blocklist.check(ip, "ipv4") : specialUseIpv6Blocklist.check(ip, "ipv6");
+	} catch {
+		return true;
+	}
+}
+function createCimdLookup(options) {
+	return (hostname, optionsOrCallback, callback) => {
+		const lookupOptions = normalizeLookupOptions(optionsOrCallback);
+		let settled = false;
+		const settleOnce = (settle) => {
+			if (settled) return;
+			settled = true;
+			settle();
+		};
+		const validationOptions = { deadlineAt: options.deadlineAt };
+		if (options.resolver) validationOptions.resolver = options.resolver;
+		validateCimdHostnameEgress(hostname, validationOptions).then((addresses) => {
+			const family = lookupOptions.family;
+			const selected = selectAddresses(addresses, family);
+			if (selected.length === 0) {
+				settleOnce(() => callback(new CimdEgressError("cimd_dns_empty_result"), ""));
+				return;
+			}
+			if (lookupOptions.all) {
+				settleOnce(() => callback(null, selected));
+				return;
+			}
+			const first = selected[0];
+			settleOnce(() => callback(null, first.address, first.family));
+		}).catch((error) => {
+			settleOnce(() => callback(error, ""));
+		});
+	};
+}
+async function validateCimdHostnameEgress(hostname, options = {}) {
+	if (isIP(hostname.replace(/^\[|\]$/g, ""))) throw new CimdEgressError("cimd_dns_ip_literal");
+	const deadlineAt = options.deadlineAt ?? performance.now() + DEFAULT_DNS_DEADLINE_MS;
+	const resolver = options.resolver ?? defaultResolver;
+	if (deadlineAt - performance.now() <= 0) throw new CimdEgressError("cimd_dns_timeout");
+	return withDeadline(resolveAndValidate(hostname, resolver), deadlineAt);
+}
+async function resolveAndValidate(hostname, resolver) {
+	const [addresses4, addresses6] = await Promise.all([resolveFamily(() => resolver.resolve4(hostname)), resolveFamily(() => resolver.resolve6(hostname))]);
+	if (addresses4.length === 0 && addresses6.length === 0) throw new CimdEgressError("cimd_dns_empty_result");
+	for (const address of [...addresses4, ...addresses6]) if (isSpecialUseIp(address)) throw new CimdEgressError("cimd_dns_special_use_ip");
+	return {
+		addresses4,
+		addresses6
+	};
+}
+async function resolveFamily(resolve) {
+	try {
+		return await resolve();
+	} catch (error) {
+		if (isEmptyDnsResult(error)) return [];
+		throw new CimdEgressError("cimd_dns_error", { cause: error });
+	}
+}
+function isEmptyDnsResult(error) {
+	return typeof error === "object" && error !== null && "code" in error && (error.code === "ENODATA" || error.code === "ENOTFOUND");
+}
+async function withDeadline(promise, deadlineAt) {
+	const remainingMs = Math.min(DEFAULT_DNS_DEADLINE_MS, deadlineAt - performance.now());
+	if (remainingMs <= 0) throw new CimdEgressError("cimd_dns_timeout");
+	let timeoutId;
+	const timeout = new Promise((_, reject) => {
+		timeoutId = setTimeout(() => reject(new CimdEgressError("cimd_dns_timeout")), Math.ceil(remainingMs));
+	});
+	try {
+		return await Promise.race([promise, timeout]);
+	} finally {
+		if (timeoutId) clearTimeout(timeoutId);
+	}
+}
+function normalizeLookupOptions(options) {
+	const lookupOptions = options;
+	return {
+		all: lookupOptions.all === true,
+		family: normalizeFamily(lookupOptions.family)
+	};
+}
+function normalizeFamily(family) {
+	if (family === 4 || family === "IPv4") return 4;
+	if (family === 6 || family === "IPv6") return 6;
+	return 0;
+}
+function selectAddresses(addresses, family) {
+	const addresses4 = addresses.addresses4.map((address) => ({
+		address,
+		family: 4
+	}));
+	const addresses6 = addresses.addresses6.map((address) => ({
+		address,
+		family: 6
+	}));
+	if (family === 4) return addresses4;
+	if (family === 6) return addresses6;
+	return [...addresses4, ...addresses6];
+}
+
+//#endregion
+export { CimdEgressError, createCimdLookup, isSpecialUseIp, validateCimdHostnameEgress };

package/dist/services/mcp-oauth/utils/domain.js

@@ -0,0 +1,21 @@
+//#region src/services/mcp-oauth/utils/domain.ts
+/**
+* Check if a hostname matches any of the provided domain patterns.
+* Supports exact match and `*.example.com` wildcard prefix (matches subdomains, not base).
+* Case-insensitive. Whitespace in patterns is trimmed.
+*/
+function isDomainAllowed(hostname, patterns) {
+	const lower = hostname.toLowerCase();
+	for (const pattern of patterns) {
+		const p = pattern.toLowerCase().trim();
+		if (!p) continue;
+		if (p.startsWith("*.")) {
+			const suffix = p.slice(1);
+			if (lower.endsWith(suffix) && lower.length > suffix.length) return true;
+		} else if (lower === p) return true;
+	}
+	return false;
+}
+
+//#endregion
+export { isDomainAllowed };

package/dist/services/mcp-oauth/utils/loopback.js

@@ -0,0 +1,11 @@
+//#region src/services/mcp-oauth/utils/loopback.ts
+/**
+* Check if a URL hostname is a loopback address (localhost, 127.0.0.1, [::1]).
+* URL.hostname returns '[::1]' with brackets for IPv6 on Node 22+.
+*/
+function isLoopbackHost(hostname) {
+	return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
+}
+
+//#endregion
+export { isLoopbackHost };

package/dist/services/mcp-oauth/utils/redirect.js

@@ -0,0 +1,84 @@
+import { OAuthError } from "../types/error.js";
+import { isDomainAllowed } from "./domain.js";
+import { isLoopbackHost } from "./loopback.js";
+import { useEnv } from "@directus/env";
+
+//#region src/services/mcp-oauth/utils/redirect.ts
+const MAX_REDIRECT_URI_LENGTH = 255;
+function parseAllowedCustomRedirect(value) {
+	let parsed;
+	try {
+		parsed = new URL(value);
+	} catch {
+		return null;
+	}
+	if (parsed.protocol === "http:" || parsed.protocol === "https:") return null;
+	if (!parsed.hostname || parsed.port || parsed.username || parsed.password || parsed.search || parsed.hash) return null;
+	if (parsed.pathname && parsed.pathname !== "/") return null;
+	return {
+		protocol: parsed.protocol,
+		hostname: parsed.hostname.toLowerCase()
+	};
+}
+function getAllowedCustomRedirects() {
+	return (useEnv()["MCP_OAUTH_ALLOWED_CUSTOM_REDIRECTS"] ?? []).flatMap((value) => {
+		const redirect = parseAllowedCustomRedirect(value);
+		return redirect ? [redirect] : [];
+	});
+}
+function getAllowedCustomRedirectSchemes() {
+	return [...new Set(getAllowedCustomRedirects().map(({ protocol }) => protocol))];
+}
+function isAllowedCustomRedirectUri(parsed) {
+	if (parsed.port) return false;
+	return getAllowedCustomRedirects().some(({ protocol, hostname }) => parsed.protocol === protocol && parsed.hostname.toLowerCase() === hostname);
+}
+/**
+* Validate a redirect URI per RFC 6749 Section 3.1.2 + OAuth 2.1 policy (HTTPS, no fragment, no userinfo).
+* RFC 8252 Section 7.3: HTTP is allowed for loopback addresses (localhost, 127.0.0.1, [::1]).
+* Compatibility: MCP_OAUTH_ALLOWED_CUSTOM_REDIRECTS configures known custom-scheme desktop redirects.
+* Optional MCP_OAUTH_ALLOWED_REDIRECT_DOMAINS env var enforces a server-wide domain allowlist
+* (loopback and known desktop redirects bypass the allowlist to keep native OAuth clients working).
+*/
+function validateRedirectUri(uri) {
+	if (typeof uri !== "string") throw new OAuthError(400, "invalid_redirect_uri", "redirect_uri must be a string");
+	if (uri.length > MAX_REDIRECT_URI_LENGTH) throw new OAuthError(400, "invalid_redirect_uri", `redirect_uri must not exceed ${MAX_REDIRECT_URI_LENGTH} characters`);
+	let parsed;
+	try {
+		parsed = new URL(uri);
+	} catch {
+		throw new OAuthError(400, "invalid_redirect_uri", `Invalid redirect URI: ${uri}`);
+	}
+	if (parsed.hash) throw new OAuthError(400, "invalid_redirect_uri", "redirect_uri must not contain a fragment");
+	if (parsed.username || parsed.password) throw new OAuthError(400, "invalid_redirect_uri", "redirect_uri must not contain userinfo");
+	if (isAllowedCustomRedirectUri(parsed)) return;
+	if (parsed.protocol !== "https:" && !(parsed.protocol === "http:" && isLoopbackHost(parsed.hostname))) throw new OAuthError(400, "invalid_redirect_uri", "redirect_uri must use HTTPS (except for localhost)");
+	const allowedDomains = useEnv()["MCP_OAUTH_ALLOWED_REDIRECT_DOMAINS"] ?? [];
+	if (allowedDomains.length > 0 && !isLoopbackHost(parsed.hostname) && !isDomainAllowed(parsed.hostname, allowedDomains)) throw new OAuthError(400, "invalid_redirect_uri", "redirect_uri domain is not in the allowlist");
+}
+/**
+* Check if a requested redirect_uri matches any registered URI.
+* RFC 6749 Section 3.1.2: exact string match for non-loopback.
+* RFC 8252 Section 7.3: loopback redirect URIs (localhost, 127.0.0.1, [::1]) MUST allow any port
+* at request time, since native apps bind to ephemeral ports.
+*/
+function matchRedirectUri(requested, registered) {
+	let reqUrl;
+	try {
+		reqUrl = new URL(requested);
+	} catch {
+		return false;
+	}
+	if (reqUrl.username || reqUrl.password || reqUrl.hash) return false;
+	return registered.some((reg) => {
+		if (reg === requested) return true;
+		try {
+			const regUrl = new URL(reg);
+			if (isLoopbackHost(regUrl.hostname) && isLoopbackHost(reqUrl.hostname)) return regUrl.protocol === reqUrl.protocol && regUrl.username === reqUrl.username && regUrl.password === reqUrl.password && regUrl.hostname === reqUrl.hostname && regUrl.pathname === reqUrl.pathname && regUrl.search === reqUrl.search && regUrl.hash === reqUrl.hash;
+		} catch {}
+		return false;
+	});
+}
+
+//#endregion
+export { getAllowedCustomRedirectSchemes, matchRedirectUri, validateRedirectUri };

package/dist/services/mcp-oauth/utils/registration-debug.js

@@ -0,0 +1,131 @@
+import { isObject } from "@directus/utils";
+
+//#region src/services/mcp-oauth/utils/registration-debug.ts
+const KNOWN_REGISTRATION_FIELDS = new Set([
+	"client_name",
+	"redirect_uris",
+	"grant_types",
+	"response_types",
+	"token_endpoint_auth_method",
+	"client_uri",
+	"logo_uri",
+	"tos_uri",
+	"policy_uri",
+	"client_secret",
+	"client_secret_expires_at"
+]);
+const OPTIONAL_URI_FIELDS = [
+	"client_uri",
+	"logo_uri",
+	"tos_uri",
+	"policy_uri"
+];
+const ALLOWED_GRANT_TYPES = new Set(["authorization_code", "refresh_token"]);
+const ALLOWED_RESPONSE_TYPES = new Set(["code"]);
+const ALLOWED_TOKEN_ENDPOINT_AUTH_METHODS = new Set([
+	"none",
+	"client_secret_basic",
+	"client_secret_post"
+]);
+function typeOf(value) {
+	if (value === null) return "null";
+	if (Array.isArray(value)) return "array";
+	return typeof value;
+}
+function summarizeEnumArray(value, allowedValues) {
+	if (!Array.isArray(value)) return { type: typeOf(value) };
+	const stringValues = value.filter((item) => typeof item === "string");
+	const recognizedValues = [...new Set(stringValues.filter((item) => allowedValues.has(item)))].sort();
+	const unknownValueCount = stringValues.filter((item) => !allowedValues.has(item)).length;
+	return {
+		type: "array",
+		count: value.length,
+		recognized_values: recognizedValues,
+		unknown_value_count: unknownValueCount
+	};
+}
+function summarizeUris(value) {
+	if (!Array.isArray(value)) return { type: typeOf(value) };
+	const uris = value.slice(0, 10).map((uri) => {
+		if (typeof uri !== "string") return { type: typeOf(uri) };
+		try {
+			const parsed = new URL(uri);
+			return {
+				scheme: parsed.protocol.replace(/:$/, ""),
+				hostname: parsed.hostname,
+				has_path: parsed.pathname !== "/",
+				has_query: parsed.search.length > 0,
+				has_fragment: parsed.hash.length > 0,
+				has_userinfo: parsed.username.length > 0 || parsed.password.length > 0
+			};
+		} catch {
+			return {
+				type: "string",
+				length: uri.length,
+				parseable: false
+			};
+		}
+	});
+	return {
+		type: "array",
+		count: value.length,
+		uris
+	};
+}
+function summarizeOptionalUri(value) {
+	if (value === void 0 || value === null) return { present: false };
+	if (typeof value !== "string") return {
+		present: true,
+		type: typeOf(value)
+	};
+	try {
+		const parsed = new URL(value);
+		return {
+			present: true,
+			scheme: parsed.protocol.replace(/:$/, ""),
+			hostname: parsed.hostname,
+			has_query: parsed.search.length > 0,
+			has_fragment: parsed.hash.length > 0,
+			has_userinfo: parsed.username.length > 0 || parsed.password.length > 0
+		};
+	} catch {
+		return {
+			present: true,
+			type: "string",
+			length: value.length,
+			parseable: false
+		};
+	}
+}
+function summarizeDcrRegistrationMetadata(body) {
+	if (!isObject(body)) return { body_type: typeOf(body) };
+	const keys = Object.keys(body).sort();
+	const clientName = body["client_name"];
+	const authMethod = body["token_endpoint_auth_method"];
+	const optional_uris = {};
+	for (const field of OPTIONAL_URI_FIELDS) if (field in body) optional_uris[field] = summarizeOptionalUri(body[field]);
+	return {
+		body_type: "object",
+		body_keys: keys,
+		unknown_fields: keys.filter((key) => !KNOWN_REGISTRATION_FIELDS.has(key)),
+		client_name: {
+			type: typeOf(clientName),
+			present: typeof clientName === "string" && clientName.length > 0,
+			...typeof clientName === "string" ? { length: clientName.length } : {}
+		},
+		redirect_uris: summarizeUris(body["redirect_uris"]),
+		grant_types: summarizeEnumArray(body["grant_types"], ALLOWED_GRANT_TYPES),
+		response_types: summarizeEnumArray(body["response_types"], ALLOWED_RESPONSE_TYPES),
+		token_endpoint_auth_method: {
+			type: typeOf(authMethod),
+			...typeof authMethod === "string" && ALLOWED_TOKEN_ENDPOINT_AUTH_METHODS.has(authMethod) ? { value: authMethod } : {},
+			...typeof authMethod === "string" && !ALLOWED_TOKEN_ENDPOINT_AUTH_METHODS.has(authMethod) ? { unknown_value: true } : {}
+		},
+		optional_uris,
+		client_secret_present: body["client_secret"] !== void 0,
+		client_secret_expires_at_present: body["client_secret_expires_at"] !== void 0
+	};
+}
+
+//#endregion
+export { summarizeDcrRegistrationMetadata };

package/dist/services/payload.js

@@ -1,5 +1,6 @@
 import { useLogger } from "../logger/index.js";
 import { UserIntegrityCheckFlag } from "../packages/types/dist/index.js";
+import { extractFunctionName } from "../utils/extract-function-name.js";
 import { getFunctions, getHelpers } from "../database/helpers/index.js";
 import database_default from "../database/index.js";
 import { decrypt, encrypt } from "../utils/encrypt.js";
@@ -219,7 +220,7 @@ var PayloadService = class {
 	processJsonFunctionResults(payloads, aliasMap = {}) {
 		const fn = getFunctions(this.knex, this.schema);
 		for (const [aliasField, originalField] of Object.entries(aliasMap)) {
-			if (!originalField.startsWith("json(") || !originalField.endsWith(")")) continue;
+			if (extractFunctionName(originalField) !== "json") continue;
 			for (const payload of payloads) payload[aliasField] = fn.parseJsonResult(payload[aliasField]);
 		}
 	}

package/dist/services/permissions.js

@@ -4,8 +4,11 @@ import { fetchPolicies } from "../permissions/lib/fetch-policies.js";
 import { fetchPermissions } from "../permissions/lib/fetch-permissions.js";
 import { validateAccess } from "../permissions/modules/validate-access/validate-access.js";
 import { ItemsService } from "./items.js";
-import { ForbiddenError } from "@directus/errors";
-import { uniq } from "lodash-es";
+import { hasCustomRule, isRecommendedAppPermission } from "../license/entitlements/lib/custom-permission-rules-enabled.js";
+import { getEntitlementManager } from "../license/entitlements/manager.js";
+import "../license/index.js";
+import { ForbiddenError, ResourceRestrictedError } from "@directus/errors";
+import { omit, uniq } from "lodash-es";
 
 //#region src/services/permissions.ts
 var PermissionsService = class extends ItemsService {
@@ -14,17 +17,41 @@ var PermissionsService = class extends ItemsService {
 	}
 	async clearCaches(opts) {
 		await clearSystemCache({ autoPurgeCache: opts?.autoPurgeCache });
+		await getEntitlementManager().clearCache("custom_permission_rules_enabled");
 		if (this.cache && opts?.autoPurgeCache !== false) await this.cache.clear();
 	}
 	async readByQuery(query, opts) {
-		const result = await super.readByQuery(query, opts);
-		return withAppMinimalPermissions(this.accountability, result, query.filter);
+		if (getEntitlementManager().isEntitled("custom_permission_rules_enabled")) {
+			const result = await super.readByQuery(query, opts);
+			return withAppMinimalPermissions(this.accountability, result, query.filter);
+		}
+		const requiredFields = [
+			"fields",
+			"permissions",
+			"validation",
+			"presets"
+		];
+		let extraFields = [];
+		if (query.fields && !query.fields.includes("*")) {
+			extraFields = requiredFields.filter((f) => !query.fields?.includes(f));
+			query.fields = [...query.fields, ...extraFields];
+		}
+		const filteredPermissions = (await super.readByQuery(query, opts)).filter((p) => !hasCustomRule(p) || isRecommendedAppPermission(p));
+		const mappedPermissions = extraFields.length > 0 ? filteredPermissions.map((p) => omit(p, extraFields)) : filteredPermissions;
+		return withAppMinimalPermissions(this.accountability, mappedPermissions, query.filter);
 	}
 	async createOne(data, opts) {
+		if (hasCustomRule(data) && !isRecommendedAppPermission(data)) await getEntitlementManager().assert("custom_permission_rules_enabled", { knex: this.knex });
 		const res = await super.createOne(data, opts);
 		await this.clearCaches(opts);
 		return res;
 	}
+	async updateMany(keys, data, opts) {
+		if (hasCustomRule(data) && !isRecommendedAppPermission(data)) await getEntitlementManager().assert("custom_permission_rules_enabled", { knex: this.knex });
+		const res = await super.updateMany(keys, data, opts);
+		await this.clearCaches(opts);
+		return res;
+	}
 	async createMany(data, opts) {
 		const res = await super.createMany(data, opts);
 		await this.clearCaches(opts);
@@ -35,11 +62,6 @@ var PermissionsService = class extends ItemsService {
 		await this.clearCaches(opts);
 		return res;
 	}
-	async updateMany(keys, data, opts) {
-		const res = await super.updateMany(keys, data, opts);
-		await this.clearCaches(opts);
-		return res;
-	}
 	async upsertMany(payloads, opts) {
 		const res = await super.upsertMany(payloads, opts);
 		await this.clearCaches(opts);

package/dist/services/revisions.js

@@ -1,8 +1,10 @@
 import { ItemsService } from "./items.js";
+import { getHistoryFilterQuery } from "../utils/get-history-filter-query.js";
 import { ForbiddenError, InvalidPayloadError } from "@directus/errors";
 
 //#region src/services/revisions.ts
 var RevisionsService = class extends ItemsService {
+	queryCache = /* @__PURE__ */ new WeakMap();
 	constructor(options) {
 		super("directus_revisions", options);
 	}
@@ -37,6 +39,19 @@ var RevisionsService = class extends ItemsService {
 	async updateMany(keys, data, opts) {
 		return super.updateMany(keys, data, this.setDefaultOptions(opts));
 	}
+	async readByQuery(query, opts) {
+		if (this.accountability === null) return super.readByQuery(query, opts);
+		const historyQuery = this.getLimitedHistoryQuery(query);
+		return super.readByQuery(historyQuery, opts);
+	}
+	getLimitedHistoryQuery(query) {
+		let cachedQuery = this.queryCache.get(query);
+		if (!cachedQuery) {
+			cachedQuery = getHistoryFilterQuery(query, "revision_historical_timeframe", (sinceDate) => ({ activity: { timestamp: { _gte: sinceDate.toISOString() } } }));
+			this.queryCache.set(query, cachedQuery);
+		}
+		return cachedQuery;
+	}
 };
 
 //#endregion