@directus/api 36.0.0-rc.0 → 36.0.0

package/dist/ai/chat/lib/create-ui-stream.js

@@ -6,6 +6,7 @@ import "../../providers/index.js";
 import { getAITelemetryConfig } from "../../telemetry/index.js";
 import { SYSTEM_PROMPT } from "../constants/system-prompt.js";
 import { formatContextForSystemPrompt } from "../utils/format-context.js";
+import { applyAnthropicConversationCaching, buildCacheAwareSystemPrompt, formatUsageWithCacheTokens, sortToolsByName } from "../utils/prompt-caching.js";
 import { transformFilePartsForProvider } from "./transform-file-parts.js";
 import { ServiceUnavailableError } from "@directus/errors";
 import { convertToModelMessages, stepCountIs, streamText, wrapLanguageModel } from "ai";
@@ -27,35 +28,25 @@ const createUiStream = async (messages, { provider, model, tools, aiSettings, sy
 		model: languageModel,
 		middleware: devToolsMiddleware
 	});
-	const fullSystemPrompt = contextBlock ? baseSystemPrompt + contextBlock : baseSystemPrompt;
-	const finalTools = applyAnthropicToolSearch(provider, model, tools);
+	const streamSystemPrompt = buildCacheAwareSystemPrompt(provider, provider === "anthropic" || !contextBlock ? baseSystemPrompt : baseSystemPrompt + contextBlock);
+	const finalTools = sortToolsByName(applyAnthropicToolSearch(provider, model, tools));
 	const telemetryConfig = getAITelemetryConfig({
 		provider,
 		model,
 		userId,
 		role
 	});
+	const streamMessages = applyAnthropicConversationCaching(provider, await convertToModelMessages(transformFilePartsForProvider(messages)), contextBlock);
 	return streamText({
-		system: baseSystemPrompt,
+		system: streamSystemPrompt,
 		model: languageModel,
-		messages: await convertToModelMessages(transformFilePartsForProvider(messages)),
+		messages: streamMessages,
 		stopWhen: [stepCountIs(10)],
 		providerOptions,
 		tools: finalTools,
 		...telemetryConfig ? { experimental_telemetry: telemetryConfig } : {},
-		prepareStep: () => {
-			if (contextBlock) return { system: fullSystemPrompt };
-			return {};
-		},
-		onFinish({ usage }) {
-			if (onUsage) {
-				const { inputTokens, outputTokens, totalTokens } = usage;
-				onUsage({
-					inputTokens,
-					outputTokens,
-					totalTokens
-				});
-			}
+		onFinish(result) {
+			if (onUsage) onUsage(formatUsageWithCacheTokens(result));
 		}
 	});
 };

package/dist/ai/chat/utils/format-context.js

@@ -70,8 +70,6 @@ ${promptBlocks}
 </custom_instructions>`);
 	}
 	const sections = [];
-	const now = /* @__PURE__ */ new Date();
-	sections.push(`## Current Date\n${now.toISOString().split("T")[0]}`);
 	if (context.page) {
 		const page = context.page;
 		const pageLines = [`Path: ${escapeAngleBrackets(String(page.path))}`];
@@ -89,6 +87,8 @@ Use the items tool to fetch additional fields or update items when asked.
 
 ${itemLines}`);
 	}
+	const now = /* @__PURE__ */ new Date();
+	sections.push(`## Current Date\n${now.toISOString().split("T")[0]}`);
 	if (sections.length > 0) parts.push(`<user_context>\n${sections.join("\n\n")}\n</user_context>`);
 	if (groups.visualElements.length > 0) {
 		const elementLines = groups.visualElements.map(formatVisualElement).join("\n\n");

package/dist/ai/chat/utils/prompt-caching.js

@@ -0,0 +1,85 @@
+//#region src/ai/chat/utils/prompt-caching.ts
+function buildCacheAwareSystemPrompt(provider, content) {
+	if (provider !== "anthropic") return content;
+	return {
+		role: "system",
+		content,
+		providerOptions: { anthropic: { cacheControl: { type: "ephemeral" } } }
+	};
+}
+/**
+* For Anthropic, place a cache breakpoint on the last existing message so the conversation
+* prefix (tools + system + history) caches as it grows, and append the per-request page
+* context as a new user message after the breakpoint so it stays out of the cached prefix.
+*
+* Context is only appended after a real user turn. On multi-step continuations the last
+* message is an assistant or tool result; appending a user message there would make the
+* model respond to the context instead of synthesizing the tool output. The model still
+* sees context from the originating user turn earlier in the conversation.
+*
+* Other providers either auto-cache (Google/OpenAI) or don't support this, so we keep the
+* context inside the system prompt for them (handled upstream).
+*/
+function applyAnthropicConversationCaching(provider, messages, contextBlock) {
+	if (provider !== "anthropic" || messages.length === 0) return messages;
+	const lastIndex = messages.length - 1;
+	const messagesWithCache = messages.map((message, index) => index === lastIndex ? {
+		...message,
+		providerOptions: {
+			...message.providerOptions,
+			anthropic: {
+				...message.providerOptions?.["anthropic"],
+				cacheControl: { type: "ephemeral" }
+			}
+		}
+	} : message);
+	if (!contextBlock || messages[lastIndex]?.role !== "user") return messagesWithCache;
+	return [...messagesWithCache, {
+		role: "user",
+		content: contextBlock
+	}];
+}
+function sortToolsByName(tools) {
+	return Object.fromEntries(Object.entries(tools).sort(([a], [b]) => {
+		if (a < b) return -1;
+		if (a > b) return 1;
+		return 0;
+	}));
+}
+function formatUsageWithCacheTokens(result) {
+	const usage = result.totalUsage ?? result.usage;
+	const providerMetadata = result.steps?.map((step) => step.providerMetadata) ?? [result.providerMetadata];
+	const { inputTokens, outputTokens, totalTokens } = usage;
+	return {
+		inputTokens,
+		outputTokens,
+		totalTokens,
+		...getCacheTokenUsage(usage, providerMetadata)
+	};
+}
+function getCacheTokenUsage(usage, providerMetadata) {
+	const cacheReadTokens = usage.inputTokenDetails?.cacheReadTokens ?? usage.cachedInputTokens ?? sumNumbers([...providerMetadata.map((metadata) => getProviderMetadataNumber(metadata, "anthropic", "cacheReadInputTokens")), ...providerMetadata.map(getGoogleCachedContentTokenCount)]);
+	const cacheCreationTokens = usage.inputTokenDetails?.cacheWriteTokens ?? sumNumbers(providerMetadata.map((metadata) => getProviderMetadataNumber(metadata, "anthropic", "cacheCreationInputTokens")));
+	return {
+		...cacheReadTokens !== void 0 ? { cacheReadTokens } : {},
+		...cacheCreationTokens !== void 0 ? { cacheCreationTokens } : {}
+	};
+}
+function getProviderMetadataNumber(providerMetadata, providerName, fieldName) {
+	const value = providerMetadata?.[providerName]?.[fieldName];
+	return typeof value === "number" ? value : void 0;
+}
+function getGoogleCachedContentTokenCount(providerMetadata) {
+	const usageMetadata = providerMetadata?.["google"]?.["usageMetadata"];
+	if (!usageMetadata || typeof usageMetadata !== "object" || Array.isArray(usageMetadata)) return;
+	const cachedContentTokenCount = usageMetadata["cachedContentTokenCount"];
+	return typeof cachedContentTokenCount === "number" ? cachedContentTokenCount : void 0;
+}
+function sumNumbers(values) {
+	const definedValues = values.filter((value) => typeof value === "number");
+	if (definedValues.length === 0) return;
+	return definedValues.reduce((sum, value) => sum + value, 0);
+}
+
+//#endregion
+export { applyAnthropicConversationCaching, buildCacheAwareSystemPrompt, formatUsageWithCacheTokens, sortToolsByName };

package/dist/app.js

@@ -11,8 +11,6 @@ import { getFlowManager } from "./flows.js";
 import { getExtensionManager } from "./extensions/index.js";
 import { registerAuthProviders } from "./auth.js";
 import { ensureDeploymentWebhooks, registerDeploymentDrivers } from "./deployment.js";
-import rate_limiter_global_default from "./middleware/rate-limiter-global.js";
-import rate_limiter_ip_default from "./middleware/rate-limiter-ip.js";
 import { getLicenseManager } from "./license/manager.js";
 import "./license/index.js";
 import { aiRouter } from "./ai/chat/router.js";
@@ -63,6 +61,8 @@ import cors_default from "./middleware/cors.js";
 import { errorHandler } from "./middleware/error-handler.js";
 import extract_token_default from "./middleware/extract-token.js";
 import mcp_oauth_guard_default from "./middleware/mcp-oauth-guard.js";
+import rate_limiter_global_default from "./middleware/rate-limiter-global.js";
+import rate_limiter_ip_default from "./middleware/rate-limiter-ip.js";
 import request_counter_default from "./middleware/request-counter.js";
 import sanitize_query_default from "./middleware/sanitize-query.js";
 import schema_default$1 from "./middleware/schema.js";

package/dist/controllers/server.js

@@ -8,6 +8,7 @@ import { getLicenseManager } from "../license/manager.js";
 import { createAdmin } from "../utils/create-admin.js";
 import { useEnv } from "@directus/env";
 import { ErrorCode, ForbiddenError, InvalidPayloadError, RouteNotFoundError, isDirectusError } from "@directus/errors";
+import { toBoolean } from "@directus/utils";
 import { Router } from "express";
 import { fromZodError } from "zod-validation-error";
 import z from "zod";
@@ -49,7 +50,7 @@ router.get("/info", async_handler_default(async (req, res, next) => {
 	res.locals["payload"] = { data };
 	return next();
 }), respond);
-router.get("/health", async_handler_default(async (req, res, next) => {
+if (toBoolean(env["HEALTHCHECK_ENABLED"]) !== false) router.get("/health", async_handler_default(async (req, res, next) => {
 	const data = await new ServerService({
 		accountability: req.accountability,
 		schema: req.schema
@@ -85,6 +86,7 @@ router.post("/setup", async_handler_default(async (req, _res, next) => {
 	if (error) throw new InvalidPayloadError({ reason: fromZodError(error).message });
 	const licenseManager = getLicenseManager();
 	try {
+		if (data.license_key) await licenseManager.activate(data.license_key);
 		await createAdmin(req.schema, {
 			email: data.admin.email,
 			password: data.admin.password,
@@ -92,9 +94,6 @@ router.post("/setup", async_handler_default(async (req, _res, next) => {
 			last_name: data.admin.last_name
 		});
 		const settingsService = new SettingsService({ schema: req.schema });
-		if (data.license_key) try {
-			await licenseManager.activate(data.license_key);
-		} catch {}
 		if (data.owner) settingsService.setOwner(data.owner);
 	} catch (error$1) {
 		if (isDirectusError(error$1, ErrorCode.Forbidden)) return next();

package/dist/database/errors/dialects/postgres.js

@@ -34,7 +34,8 @@ function extractError(error, data) {
 		const matches = error.message.match(/"(.*?)"/g);
 		if (!matches) return error;
 		const collection = matches[0].slice(1, -1);
-		const field = matches[1]?.slice(1, -1) ?? null;
+		const fields = Object.keys(data);
+		const field = fields.length === 1 ? fields[0] : null;
 		return new ValueOutOfRangeError({
 			collection,
 			field,

package/dist/database/run-ast/utils/merge-with-parent-items.js

@@ -9,13 +9,13 @@ function mergeWithParentItems(schema, nestedItem, parentItem, nestedNode, fieldA
 	const parentItems = clone(toArray(parentItem));
 	if (nestedNode.type === "m2o") {
 		const parentsByForeignKey = /* @__PURE__ */ new Map();
+		const nestedPrimaryKeyField = schema.collections[nestedNode.relation.related_collection].primary;
 		for (const parentItem$1 of parentItems) {
-			const relationKey = parentItem$1[nestedNode.relation.field];
+			const relationKey = parentItem$1[nestedNode.relation.field]?.[nestedPrimaryKeyField] ?? parentItem$1[nestedNode.relation.field];
 			if (!parentsByForeignKey.has(relationKey)) parentsByForeignKey.set(relationKey, []);
 			parentItem$1[nestedNode.fieldKey] = null;
 			parentsByForeignKey.get(relationKey).push(parentItem$1);
 		}
-		const nestedPrimaryKeyField = schema.collections[nestedNode.relation.related_collection].primary;
 		for (const nestedItem$1 of nestedItems) {
 			const nestedPK = nestedItem$1[nestedPrimaryKeyField];
 			if (nestedPK === null) continue;
@@ -84,8 +84,10 @@ function mergeWithParentItems(schema, nestedItem, parentItem, nestedNode, fieldA
 			parentItem$1[nestedNode.fieldKey] = null;
 			continue;
 		}
+		const relatedPrimaryKeyField = schema.collections[relatedCollection].primary;
+		const foreignKey = parentItem$1[nestedNode.relation.field]?.[relatedPrimaryKeyField] ?? parentItem$1[nestedNode.relation.field];
 		const itemChild = nestedItem[relatedCollection].find((nestedItem$1) => {
-			return nestedItem$1[nestedNode.relatedKey[relatedCollection]] == parentItem$1[nestedNode.fieldKey];
+			return nestedItem$1[nestedNode.relatedKey[relatedCollection]] == foreignKey;
 		});
 		parentItem$1[nestedNode.fieldKey] = itemChild || null;
 	}

package/dist/license/entitlements/lib/custom-permission-rules-enabled.js

@@ -3,7 +3,7 @@ import { ItemsService } from "../../../services/items.js";
 import { getSchema } from "../../../utils/get-schema.js";
 import "../../../services/index.js";
 import { isEqual } from "lodash-es";
-import { appAccessMinimalPermissions, appRecommendedPermissions } from "@directus/system-data";
+import { appRecommendedPermissions } from "@directus/system-data";
 
 //#region src/license/entitlements/lib/custom-permission-rules-enabled.ts
 function hasCustomRule(permission) {
@@ -16,11 +16,6 @@ function isRecommendedAppPermission(permission) {
 	if (!foundPermission) return false;
 	return isEqual(foundPermission.fields ?? null, permission.fields ?? null) && isEqual(foundPermission.permissions ?? null, permission.permissions ?? null);
 }
-function isMinimumAppPermission(permission) {
-	const foundPermission = appAccessMinimalPermissions.find((p) => p.action === permission.action && p.collection === permission.collection);
-	if (!foundPermission) return false;
-	return isEqual(foundPermission.fields ?? null, permission.fields ?? null) && isEqual(foundPermission.permissions ?? null, permission.permissions ?? null) && isEqual(foundPermission.validation ?? null, permission.validation ?? null) && isEqual(foundPermission.presets ?? null, permission.presets ?? null);
-}
 async function checkCustomPermissionRules(opts) {
 	const knex = opts?.knex ?? database_default();
 	return (await new ItemsService("directus_permissions", {
@@ -38,4 +33,4 @@ async function checkCustomPermissionRules(opts) {
 }
 
 //#endregion
-export { checkCustomPermissionRules, hasCustomRule, isMinimumAppPermission, isRecommendedAppPermission };
+export { checkCustomPermissionRules, hasCustomRule, isRecommendedAppPermission };

package/dist/license/entitlements/lib/seats.js

@@ -8,10 +8,49 @@ import { toBoolean } from "@directus/utils";
 import { USER_INACTIVE_LICENSE_STATUS } from "@directus/constants";
 
 //#region src/license/entitlements/lib/seats.ts
+/**
+* Group access rows to the admin/app users and roles that occupy a seat.
+*/
+function getSeatUsersAndRoles(accessRows) {
+	const adminRoles = /* @__PURE__ */ new Set();
+	const appRoles = /* @__PURE__ */ new Set();
+	const adminUsers = /* @__PURE__ */ new Set();
+	const appUsers = /* @__PURE__ */ new Set();
+	const appUsersByRole = /* @__PURE__ */ new Map();
+	for (const accessRow of accessRows) {
+		const { admin_access, app_access } = accessRow["policy"] || {};
+		const isAdmin = toBoolean(admin_access);
+		const isApp = !isAdmin && toBoolean(app_access);
+		if (!isAdmin && !isApp) continue;
+		if (accessRow["user"] && accessRow["user"].status === "active") {
+			const { id, role } = accessRow["user"];
+			if (isAdmin) {
+				adminUsers.add(id);
+				appUsers.delete(id);
+			} else if (adminUsers.has(id) === false && (!role || adminRoles.has(role) === false)) {
+				appUsers.add(id);
+				if (role) {
+					const roleUsers = appUsersByRole.get(role) ?? /* @__PURE__ */ new Set();
+					appUsersByRole.set(role, roleUsers.add(id));
+				}
+			}
+		}
+		if (accessRow["role"]) if (isAdmin) {
+			adminRoles.add(accessRow["role"]);
+			for (const id of appUsersByRole.get(accessRow["role"]) ?? []) appUsers.delete(id);
+		} else appRoles.add(accessRow["role"]);
+	}
+	return {
+		adminUsers,
+		appUsers,
+		adminRoles,
+		appRoles
+	};
+}
 async function getActiveSeats(opts) {
 	const knex = opts?.knex ?? database_default();
 	const schema = await getSchema({ database: knex });
-	const accessRows = await new AccessService({
+	const { adminUsers, appUsers, adminRoles, appRoles } = getSeatUsersAndRoles(await new AccessService({
 		schema,
 		knex
 	}).readByQuery({
@@ -24,22 +63,7 @@ async function getActiveSeats(opts) {
 			"policy.admin_access"
 		],
 		limit: -1
-	});
-	const adminRoles = /* @__PURE__ */ new Set();
-	const appRoles = /* @__PURE__ */ new Set();
-	const adminUsers = /* @__PURE__ */ new Set();
-	const appUsers = /* @__PURE__ */ new Set();
-	for (const accessRow of accessRows) {
-		const isAdmin = toBoolean(accessRow["policy"]?.["admin_access"]);
-		const isApp = !isAdmin && toBoolean(accessRow["policy"]?.["app_access"]);
-		if (!isAdmin && !isApp) continue;
-		if (accessRow["user"] && accessRow["user"].status === "active") {
-			if (isAdmin) adminUsers.add(accessRow["user"].id);
-			else if (adminUsers.has(accessRow["user"].id) === false && adminRoles.has(accessRow["user"]?.role) === false) appUsers.add(accessRow["user"].id);
-		}
-		if (accessRow["role"]) if (isAdmin) adminRoles.add(accessRow["role"]);
-		else appRoles.add(accessRow["role"]);
-	}
+	}));
 	const { adminRoles: allAdminRoles, appRoles: allAppRoles } = await fetchAccessRoles({
 		adminRoles,
 		appRoles
@@ -100,4 +124,4 @@ async function resolveSeats(seats, ctx) {
 }
 
 //#endregion
-export { countActiveSeats, getActiveSeats, resolveSeats };
+export { countActiveSeats, getActiveSeats, getSeatUsersAndRoles, resolveSeats };

package/dist/license/entitlements/lib/sso-enabled.js

@@ -3,6 +3,7 @@ import database_default from "../../../database/index.js";
 import { getSchema } from "../../../utils/get-schema.js";
 import { UsersService } from "../../../services/users.js";
 import "../../../services/index.js";
+import { isObject } from "@directus/utils";
 import { USER_INACTIVE_LICENSE_STATUS } from "@directus/constants";
 
 //#region src/license/entitlements/lib/sso-enabled.ts
@@ -33,7 +34,7 @@ async function resolveSSOUsers(resolution, ctx) {
 		_neq: DEFAULT_AUTH_PROVIDER,
 		_nnull: true
 	} }, { id: { _neq: adminId } }] } }, { status: USER_INACTIVE_LICENSE_STATUS });
-	if (typeof resolution === "object" && Object.keys(resolution.admin).length) {
+	if (isObject(resolution) && Object.keys(resolution.admin ?? {}).length) {
 		const payload = { provider: DEFAULT_AUTH_PROVIDER };
 		if (resolution.admin.email?.length) payload["email"] = resolution.admin.email;
 		if (resolution.admin.password?.length) payload["password"] = resolution.admin.password;

package/dist/services/graphql/resolvers/system.js

@@ -160,17 +160,17 @@ function injectSystemResolvers(gql, schemaComposer, { CreateCollectionTypes, Rea
 					schema: gql.schema
 				}).serverInfo();
 			}, "server_info")
-		},
-		server_health: {
-			type: GraphQLJSON,
-			resolve: dedupeResolver(async () => {
-				return await new ServerService({
-					accountability: gql.accountability,
-					schema: gql.schema
-				}).health();
-			}, "server_health")
 		}
 	});
+	if (toBoolean(env["HEALTHCHECK_ENABLED"]) !== false) schemaComposer.Query.addFields({ server_health: {
+		type: GraphQLJSON,
+		resolve: dedupeResolver(async () => {
+			return await new ServerService({
+				accountability: gql.accountability,
+				schema: gql.schema
+			}).health();
+		}, "server_health")
+	} });
 	if ("directus_collections" in schema.read.collections) {
 		const Collection = getCollectionType(schemaComposer, schema, "read");
 		schemaComposer.Query.addFields({

package/dist/services/graphql/schema/get-types.js

@@ -119,26 +119,26 @@ function getTypes(schemaComposer, scope, schema, inconsistentFields, action) {
 		CollectionTypes[relation.collection]?.addFields({ [relation.field]: {
 			type: CollectionTypes[relation.related_collection],
 			resolve: (obj, _, __, info) => {
-				return obj[info?.path?.key ?? relation.field];
+				return obj[info?.path?.key] ?? obj[info?.fieldName ?? relation.field];
 			}
 		} });
 		VersionTypes[relation.collection]?.addFields({ [relation.field]: {
 			type: GraphQLJSON,
 			resolve: (obj, _, __, info) => {
-				return obj[info?.path?.key ?? relation.field];
+				return obj[info?.path?.key] ?? obj[info?.fieldName ?? relation.field];
 			}
 		} });
 		if (relation.meta?.one_field) {
 			CollectionTypes[relation.related_collection]?.addFields({ [relation.meta.one_field]: {
 				type: [CollectionTypes[relation.collection]],
 				resolve: (obj, _, __, info) => {
-					return obj[info?.path?.key ?? relation.meta.one_field];
+					return obj[info?.path?.key] ?? obj[info?.fieldName ?? relation.meta.one_field];
 				}
 			} });
 			if (scope === "items") VersionTypes[relation.related_collection]?.addFields({ [relation.meta.one_field]: {
 				type: GraphQLJSON,
 				resolve: (obj, _, __, info) => {
-					return obj[info?.path?.key ?? relation.meta.one_field];
+					return obj[info?.path?.key] ?? obj[info?.fieldName ?? relation.meta.one_field];
 				}
 			} });
 		}
@@ -160,7 +160,7 @@ function getTypes(schemaComposer, scope, schema, inconsistentFields, action) {
 			}
 		}),
 		resolve: (obj, _, __, info) => {
-			return obj[info?.path?.key ?? relation.field];
+			return obj[info?.path?.key] ?? obj[info?.fieldName ?? relation.field];
 		}
 	} });
 	return {

package/dist/services/permissions.js

@@ -41,13 +41,13 @@ var PermissionsService = class extends ItemsService {
 		return withAppMinimalPermissions(this.accountability, mappedPermissions, query.filter);
 	}
 	async createOne(data, opts) {
-		if (hasCustomRule(data) && !isRecommendedAppPermission(data)) await getEntitlementManager().assert("custom_permission_rules_enabled", { knex: this.knex });
+		if (!getEntitlementManager().isEntitled("custom_permission_rules_enabled") && hasCustomRule(data) && !isRecommendedAppPermission(data)) throw new ResourceRestrictedError({ category: "custom_permission_rules_enabled" });
 		const res = await super.createOne(data, opts);
 		await this.clearCaches(opts);
 		return res;
 	}
 	async updateMany(keys, data, opts) {
-		if (hasCustomRule(data) && !isRecommendedAppPermission(data)) await getEntitlementManager().assert("custom_permission_rules_enabled", { knex: this.knex });
+		if (!getEntitlementManager().isEntitled("custom_permission_rules_enabled") && hasCustomRule(data) && !isRecommendedAppPermission(data)) throw new ResourceRestrictedError({ category: "custom_permission_rules_enabled" });
 		const res = await super.updateMany(keys, data, opts);
 		await this.clearCaches(opts);
 		return res;

package/dist/services/server.js

@@ -1,20 +1,25 @@
+import { useRedis } from "../redis/lib/use-redis.js";
+import { redisConfigAvailable } from "../redis/utils/redis-config-available.js";
+import "../redis/index.js";
 import { useLogger } from "../logger/index.js";
+import { getMilliseconds } from "../utils/get-milliseconds.js";
 import { FILE_UPLOADS, RESUMABLE_UPLOADS } from "../constants.js";
-import { getCache } from "../cache.js";
 import { getStorage } from "../storage/index.js";
 import database_default, { hasDatabaseConnection } from "../database/index.js";
+import { useStore } from "../utils/store.js";
 import getMailer from "../mailer.js";
 import { getEntitlementManager } from "../license/entitlements/manager.js";
 import { SettingsService } from "./settings.js";
-import { rateLimiterGlobal } from "../middleware/rate-limiter-global.js";
-import { rateLimiter } from "../middleware/rate-limiter-ip.js";
 import { getAllowedLogLevels } from "../utils/get-allowed-log-levels.js";
 import { SERVER_ONLINE } from "../server.js";
+import { isUnauthenticated } from "../utils/is-unauthenticated.js";
 import { getLicenseManager } from "../license/manager.js";
 import "../license/index.js";
 import { useEnv } from "@directus/env";
+import { ForbiddenError } from "@directus/errors";
 import { toArray, toBoolean } from "@directus/utils";
 import { merge } from "lodash-es";
+import { createKv } from "@directus/memory";
 import { performance } from "perf_hooks";
 import { Readable } from "node:stream";
 import { version } from "directus/version";
@@ -22,6 +27,8 @@ import { version } from "directus/version";
 //#region src/services/server.ts
 const env = useEnv();
 const logger = useLogger();
+const HEALTHCHECK_CACHE_TTL = getMilliseconds(env["HEALTHCHECK_CACHE_TTL"], 3e5);
+const store = useStore(env["HEALTHCHECK_NAMESPACE"] ?? "directus:healthcheck", { ttl: HEALTHCHECK_CACHE_TTL });
 var ServerService = class {
 	knex;
 	accountability;
@@ -121,17 +128,25 @@ var ServerService = class {
 		return info;
 	}
 	async health() {
+		if (isUnauthenticated(this.accountability)) throw new ForbiddenError();
+		const healthResult = await store(async (store$1) => {
+			try {
+				return await store$1.get("health");
+			} catch (err) {
+				logger.warn(err, "Failed to read health check cache");
+			}
+		});
+		if (healthResult) return this.accountability?.admin === true ? healthResult : { status: healthResult["status"] };
 		const { nanoid } = await import("nanoid");
 		const checkID = nanoid(5);
+		const enabledServices = toArray(env["HEALTHCHECK_SERVICES"]);
 		const data = {
 			status: "ok",
 			releaseId: version,
 			serviceId: env["PUBLIC_URL"],
 			checks: merge(...await Promise.all([
 				testDatabase(),
-				testCache(),
-				testRateLimiter(),
-				testRateLimiterGlobal(),
+				testRedis(),
 				testStorage(),
 				testEmail()
 			]))
@@ -152,9 +167,14 @@ var ServerService = class {
 			}
 			if (data.status === "error") break;
 		}
-		if (this.accountability?.admin !== true) return { status: data.status };
-		else return data;
+		await store(async (store$1) => {
+			await store$1.set("health", data).catch((err) => {
+				logger.warn(err, "Failed to write health check cache");
+			});
+		});
+		return this.accountability?.admin === true ? data : { status: data.status };
 		async function testDatabase() {
+			if (enabledServices.includes("database") === false) return {};
 			const database = database_default();
 			const client = env["DB_CLIENT"];
 			const checks = {};
@@ -186,10 +206,15 @@ var ServerService = class {
 			}];
 			return checks;
 		}
-		async function testCache() {
-			if (env["CACHE_ENABLED"] !== true) return {};
-			const { cache } = getCache();
-			const checks = { "cache:responseTime": [{
+		async function testRedis() {
+			if (enabledServices.includes("redis") === false || redisConfigAvailable() !== true) return {};
+			const redis = createKv({
+				type: "redis",
+				redis: useRedis(),
+				namespace: env["HEALTHCHECK_NAMESPACE"] ?? "directus:healthcheck",
+				ttl: HEALTHCHECK_CACHE_TTL
+			});
+			const checks = { "redis:responseTime": [{
 				status: "ok",
 				componentType: "cache",
 				observedValue: 0,
@@ -198,65 +223,20 @@ var ServerService = class {
 			}] };
 			const startTime = performance.now();
 			try {
-				await cache.set(`directus-health-${checkID}`, true, 5);
-				await cache.delete(`directus-health-${checkID}`);
-			} catch (err) {
-				checks["cache:responseTime"][0].status = "error";
-				checks["cache:responseTime"][0].output = err;
-			} finally {
-				const endTime = performance.now();
-				checks["cache:responseTime"][0].observedValue = +(endTime - startTime).toFixed(3);
-				if (checks["cache:responseTime"][0].observedValue > checks["cache:responseTime"][0].threshold && checks["cache:responseTime"][0].status !== "error") checks["cache:responseTime"][0].status = "warn";
-			}
-			return checks;
-		}
-		async function testRateLimiter() {
-			if (env["RATE_LIMITER_ENABLED"] !== true) return {};
-			const checks = { "rateLimiter:responseTime": [{
-				status: "ok",
-				componentType: "ratelimiter",
-				observedValue: 0,
-				observedUnit: "ms",
-				threshold: env["RATE_LIMITER_HEALTHCHECK_THRESHOLD"] ? +env["RATE_LIMITER_HEALTHCHECK_THRESHOLD"] : 150
-			}] };
-			const startTime = performance.now();
-			try {
-				await rateLimiter.consume(`directus-health-${checkID}`, 1);
-				await rateLimiter.delete(`directus-health-${checkID}`);
-			} catch (err) {
-				checks["rateLimiter:responseTime"][0].status = "error";
-				checks["rateLimiter:responseTime"][0].output = err;
-			} finally {
-				const endTime = performance.now();
-				checks["rateLimiter:responseTime"][0].observedValue = +(endTime - startTime).toFixed(3);
-				if (checks["rateLimiter:responseTime"][0].observedValue > checks["rateLimiter:responseTime"][0].threshold && checks["rateLimiter:responseTime"][0].status !== "error") checks["rateLimiter:responseTime"][0].status = "warn";
-			}
-			return checks;
-		}
-		async function testRateLimiterGlobal() {
-			if (env["RATE_LIMITER_GLOBAL_ENABLED"] !== true) return {};
-			const checks = { "rateLimiterGlobal:responseTime": [{
-				status: "ok",
-				componentType: "ratelimiter",
-				observedValue: 0,
-				observedUnit: "ms",
-				threshold: env["RATE_LIMITER_GLOBAL_HEALTHCHECK_THRESHOLD"] ? +env["RATE_LIMITER_GLOBAL_HEALTHCHECK_THRESHOLD"] : 150
-			}] };
-			const startTime = performance.now();
-			try {
-				await rateLimiterGlobal.consume(`directus-health-${checkID}`, 1);
-				await rateLimiterGlobal.delete(`directus-health-${checkID}`);
+				await redis.set(`directus-health-${checkID}`, 1);
+				await redis.delete(`directus-health-${checkID}`);
 			} catch (err) {
-				checks["rateLimiterGlobal:responseTime"][0].status = "error";
-				checks["rateLimiterGlobal:responseTime"][0].output = err;
+				checks["redis:responseTime"][0].status = "error";
+				checks["redis:responseTime"][0].output = err;
 			} finally {
 				const endTime = performance.now();
-				checks["rateLimiterGlobal:responseTime"][0].observedValue = +(endTime - startTime).toFixed(3);
-				if (checks["rateLimiterGlobal:responseTime"][0].observedValue > checks["rateLimiterGlobal:responseTime"][0].threshold && checks["rateLimiterGlobal:responseTime"][0].status !== "error") checks["rateLimiterGlobal:responseTime"][0].status = "warn";
+				checks["redis:responseTime"][0].observedValue = +(endTime - startTime).toFixed(3);
+				if (checks["redis:responseTime"][0].observedValue > checks["redis:responseTime"][0].threshold && checks["redis:responseTime"][0].status !== "error") checks["redis:responseTime"][0].status = "warn";
 			}
 			return checks;
 		}
 		async function testStorage() {
+			if (enabledServices.includes("storage") === false) return {};
 			const storage = await getStorage();
 			const checks = {};
 			for (const location of toArray(env["STORAGE_LOCATIONS"])) {
@@ -284,6 +264,7 @@ var ServerService = class {
 			return checks;
 		}
 		async function testEmail() {
+			if (enabledServices.includes("email") === false || toBoolean(env["EMAIL_VERIFY_SETUP"]) === false) return {};
 			const checks = { "email:connection": [{
 				status: "ok",
 				componentType: "email"

package/dist/services/users.js

@@ -117,6 +117,12 @@ var UsersService = class UsersService extends ItemsService {
 		}
 	}
 	/**
+	* Block setting a non-default auth provider when the current license isn't entitled to SSO
+	*/
+	checkProviderEntitlement(input) {
+		if ((Array.isArray(input) ? input : [input]).some((provider) => provider && provider !== DEFAULT_AUTH_PROVIDER) && !getEntitlementManager().isEntitled("sso_enabled")) throw new InvalidPayloadError({ reason: `Setting a custom "provider" isn't included in the current license` });
+	}
+	/**
 	* Create a new user
 	*/
 	async createOne(data, opts = {}) {
@@ -126,6 +132,7 @@ var UsersService = class UsersService extends ItemsService {
 				await this.checkUniqueEmails([data["email"]]);
 			}
 			if ("password" in data) await this.checkPasswordPolicy([data["password"]]);
+			if ("provider" in data) this.checkProviderEntitlement(data["provider"]);
 		} catch (err) {
 			opts.preMutationError = err;
 		}
@@ -141,6 +148,7 @@ var UsersService = class UsersService extends ItemsService {
 	async createMany(data, opts = {}) {
 		const emails = data.map((payload) => payload["email"]).filter((email) => email);
 		const passwords = data.map((payload) => payload["password"]).filter((password) => password);
+		const providers = data.map((payload) => payload["provider"]).filter((provider) => provider);
 		const someActive = data.some((payload) => !("status" in payload) || payload["status"] === "active");
 		try {
 			if (emails.length) {
@@ -148,6 +156,7 @@ var UsersService = class UsersService extends ItemsService {
 				await this.checkUniqueEmails(emails);
 			}
 			if (passwords.length) await this.checkPasswordPolicy(passwords);
+			if (providers.length) this.checkProviderEntitlement(providers);
 		} catch (err) {
 			opts.preMutationError = err;
 		}
@@ -179,6 +188,7 @@ var UsersService = class UsersService extends ItemsService {
 			if (data["tfa_secret"] !== void 0) throw new InvalidPayloadError({ reason: `You can't change the "tfa_secret" value manually` });
 			if (data["provider"] !== void 0) {
 				if (this.accountability && this.accountability.admin !== true) throw new InvalidPayloadError({ reason: `You can't change the "provider" value manually` });
+				this.checkProviderEntitlement(data["provider"]);
 				data["auth_data"] = null;
 			}
 			if (data["external_identifier"] !== void 0) {

package/dist/services/versions.js

@@ -55,7 +55,9 @@ var VersionsService = class VersionsService extends ItemsService {
 			knex: this.knex,
 			schema: this.schema
 		}).readOne(data["collection"])).meta?.versioning) throw new UnprocessableContentError({ reason: `Content Versioning is not enabled for collection "${data["collection"]}"` });
-		if (itemLess) return;
+		const isSingleton = !!this.schema.collections[data["collection"]]?.singleton;
+		if (itemLess) if (isSingleton) await this.assertSingletonEmpty(data["collection"]);
+		else return;
 		if ((await new VersionsService({
 			knex: this.knex,
 			schema: this.schema
@@ -64,9 +66,9 @@ var VersionsService = class VersionsService extends ItemsService {
 			filter: {
 				key: { _eq: data["key"] },
 				collection: { _eq: data["collection"] },
-				item: { _eq: data["item"] }
+				item: itemLess ? { _null: true } : { _eq: data["item"] }
 			}
-		}))[0]["count"] > 0) throw new UnprocessableContentError({ reason: `Version "${data["key"]}" already exists for item "${data["item"]}" in collection "${data["collection"]}"` });
+		}))[0]["count"] > 0) throw new UnprocessableContentError({ reason: itemLess ? `Singleton collection "${data["collection"]}" already has an item-less version` : `Version "${data["key"]}" already exists for item "${data["item"]}" in collection "${data["collection"]}"` });
 	}
 	async getMainItem(collection, item, query) {
 		return await new ItemsService(collection, {
@@ -114,6 +116,7 @@ var VersionsService = class VersionsService extends ItemsService {
 		if (!Array.isArray(data)) throw new InvalidPayloadError({ reason: "Input should be an array of items" });
 		const keyCombos = /* @__PURE__ */ new Set();
 		for (const item of data) {
+			if (isNil(item["item"])) continue;
 			const keyCombo = `${item["key"]}-${item["collection"]}-${item["item"]}`;
 			if (keyCombos.has(keyCombo)) throw new UnprocessableContentError({ reason: `Cannot create multiple versions on "${item["item"]}" in collection "${item["collection"]}" with the same key "${item["key"]}"` });
 			keyCombos.add(keyCombo);
@@ -139,7 +142,20 @@ var VersionsService = class VersionsService extends ItemsService {
 			const item = "item" in data ? data["item"] : existingVersion.item;
 			const key = "key" in data ? data["key"] : existingVersion.key;
 			if (key !== VERSION_KEY_DRAFT && item === null) throw new InvalidPayloadError({ reason: `"key" must be "${VERSION_KEY_DRAFT}" for versions not linked to an item` });
-			if (item === null) continue;
+			if (item === null) {
+				if (this.schema.collections[collection]?.singleton) {
+					await this.assertSingletonEmpty(collection);
+					if ((await super.readByQuery({
+						aggregate: { count: ["*"] },
+						filter: {
+							id: { _neq: pk },
+							collection: { _eq: collection },
+							item: { _null: true }
+						}
+					}))[0]["count"] > 0) throw new UnprocessableContentError({ reason: `Singleton collection "${collection}" already has an item-less version` });
+				}
+				continue;
+			}
 			const keyCombo = `${key}-${collection}-${item}`;
 			if (keyCombos.has(keyCombo)) throw new UnprocessableContentError({ reason: `Cannot update multiple versions on "${item}" in collection "${collection}" to the same key "${key}"` });
 			keyCombos.add(keyCombo);
@@ -282,6 +298,7 @@ var VersionsService = class VersionsService extends ItemsService {
 		let updatedItemKey;
 		if (item) updatedItemKey = await itemsService.updateOne(item, payloadAfterHooks, { overwriteDefaults: defaultOverwrites });
 		else {
+			await this.assertSingletonEmpty(collection);
 			updatedItemKey = await itemsService.createOne(payloadAfterHooks, { overwriteDefaults: defaultOverwrites });
 			await this.updateOne(version, { item: String(updatedItemKey) });
 		}
@@ -297,6 +314,11 @@ var VersionsService = class VersionsService extends ItemsService {
 		});
 		return updatedItemKey;
 	}
+	async assertSingletonEmpty(collection) {
+		const collectionMeta = this.schema.collections[collection];
+		if (!collectionMeta?.singleton) return;
+		if (await this.knex(collection).first(collectionMeta.primary)) throw new UnprocessableContentError({ reason: `Singleton collection "${collection}" already contains an item` });
+	}
 	mapDelta(version) {
 		const delta = version.delta ?? {};
 		delta[this.schema.collections[version.collection].primary] = version.item;

package/dist/utils/create-admin.js

@@ -27,6 +27,9 @@ const defaultAdminPolicy = {
 async function createAdmin(schema, admin) {
 	const logger = useLogger();
 	const env = useEnv();
+	const adminEmail = admin?.email ?? env["ADMIN_EMAIL"];
+	const adminPassword = admin?.password ?? env["ADMIN_PASSWORD"];
+	if (!adminEmail || !adminPassword) return;
 	logger.info("Setting up first admin role...");
 	const accessService = new AccessService({ schema });
 	const policiesService = new PoliciesService({ schema });
@@ -37,9 +40,6 @@ async function createAdmin(schema, admin) {
 		role
 	});
 	const usersService = new UsersService({ schema });
-	const adminEmail = admin?.email ?? env["ADMIN_EMAIL"];
-	const adminPassword = admin?.password ?? env["ADMIN_PASSWORD"];
-	if (!adminEmail || !adminPassword) return;
 	const token = env["ADMIN_TOKEN"] ?? null;
 	logger.info("Adding first admin user...");
 	await usersService.createOne({

package/dist/utils/get-cache-key.js

@@ -34,6 +34,7 @@ async function getCacheKey(req) {
 		path,
 		query: isGraphQl ? getGraphqlQueryAndVariables(req) : req.sanitizedQuery,
 		...flowTriggerQuery && { rawQuery: flowTriggerQuery },
+		...req.accountability?.share && { share: req.accountability.share },
 		...includeIp && { ip: req.accountability.ip }
 	});
 }

package/dist/utils/is-unauthenticated.js

@@ -0,0 +1,15 @@
+//#region src/utils/is-unauthenticated.ts
+/**
+* Checks if the given accountability is unauthenticated
+*
+* @param accountability
+* @returns True if the user is unauthenticated, false otherwise.
+*/
+function isUnauthenticated(accountability) {
+	if (accountability === null) return false;
+	if (accountability === void 0) return true;
+	return accountability?.role === null && accountability?.user === null;
+}
+
+//#endregion
+export { isUnauthenticated };

package/dist/utils/sanitize-query.js

@@ -143,7 +143,7 @@ async function sanitizeDeep(deep, schema, accountability) {
 		for (const [key, value] of Object.entries(level)) {
 			if (!key) break;
 			if (key.startsWith("_")) subQuery[key.substring(1)] = value;
-			else if (isPlainObject(value)) parse(value, [...path, key]);
+			else if (isPlainObject(value)) await parse(value, [...path, key]);
 		}
 		if (Object.keys(subQuery).length > 0) {
 			const parsedSubQuery = await sanitizeQuery(subQuery, schema, accountability);

package/dist/utils/store.js

@@ -13,7 +13,7 @@ function useStore(namespace, options) {
 		namespace,
 		redis: useRedis()
 	};
-	if (config.type === "redis" && options?.ttl) config.ttl = options?.ttl;
+	if (options?.ttl) config.ttl = options?.ttl;
 	const store = createCache(config);
 	return (callback) => store.usingLock(`lock`, async () => {
 		return await callback({

package/dist/utils/versioning/handle-version.js

@@ -144,7 +144,8 @@ async function handleVersion(self, key, query, opts) {
 		return result;
 	});
 	const env = useEnv();
-	if (results.length < (query.limit ?? Number(env["QUERY_LIMIT_DEFAULT"]))) results.push(...itemlessErrors.map((errorMeta) => {
+	const effectiveLimit = query.limit ?? Number(env["QUERY_LIMIT_DEFAULT"]);
+	if (effectiveLimit === -1 || results.length < effectiveLimit) results.push(...itemlessErrors.map((errorMeta) => {
 		let item = { $meta: errorMeta };
 		if (errorMeta.error) item = Object.assign({}, defaultItem, item, pick(errorMeta.delta, requestedFields));
 		return item;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@directus/api",
-  "version": "36.0.0-rc.0",
+  "version": "36.0.0",
   "description": "Directus is a real-time API and App dashboard for managing SQL database content",
   "keywords": [
     "directus",
@@ -166,30 +166,30 @@
     "ws": "8.18.3",
     "zod": "4.1.12",
     "zod-validation-error": "4.0.2",
-    "@directus/app": "16.0.0-rc.0",
-    "@directus/env": "6.0.0-rc.0",
-    "@directus/constants": "14.4.0-rc.0",
-    "@directus/ai": "1.3.2-rc.0",
-    "@directus/extensions": "4.0.0-rc.0",
-    "@directus/extensions-registry": "4.0.0-rc.0",
-    "@directus/errors": "2.4.0-rc.0",
-    "@directus/extensions-sdk": "18.0.0-rc.0",
-    "@directus/memory": "4.0.0-rc.0",
-    "@directus/format-title": "13.0.0-rc.0",
-    "@directus/pressure": "4.0.0-rc.0",
-    "@directus/schema": "14.0.0-rc.0",
-    "@directus/storage": "13.0.0-rc.0",
-    "@directus/specs": "14.0.0-rc.0",
-    "@directus/storage-driver-azure": "13.0.0-rc.0",
-    "@directus/storage-driver-cloudinary": "13.0.0-rc.0",
-    "@directus/storage-driver-gcs": "13.0.0-rc.0",
-    "@directus/storage-driver-supabase": "4.0.0-rc.0",
-    "@directus/storage-driver-s3": "13.0.0-rc.0",
-    "@directus/storage-driver-local": "13.0.0-rc.0",
-    "@directus/utils": "13.5.0-rc.0",
-    "@directus/system-data": "4.5.0-rc.0",
-    "@directus/validation": "3.0.0-rc.0",
-    "directus": "12.0.0-rc.1"
+    "@directus/app": "16.0.0",
+    "@directus/ai": "1.3.2",
+    "@directus/env": "6.0.0",
+    "@directus/constants": "14.4.0",
+    "@directus/errors": "2.4.0",
+    "@directus/extensions-registry": "4.0.0",
+    "@directus/extensions": "4.0.0",
+    "@directus/format-title": "13.0.0",
+    "@directus/memory": "4.0.0",
+    "@directus/extensions-sdk": "18.0.0",
+    "@directus/schema": "14.0.0",
+    "@directus/pressure": "4.0.0",
+    "@directus/storage": "13.0.0",
+    "@directus/storage-driver-azure": "13.0.0",
+    "@directus/storage-driver-local": "13.0.0",
+    "@directus/storage-driver-gcs": "13.0.0",
+    "@directus/storage-driver-cloudinary": "13.0.0",
+    "@directus/specs": "14.0.0",
+    "@directus/storage-driver-s3": "13.0.0",
+    "@directus/system-data": "4.5.0",
+    "@directus/storage-driver-supabase": "4.0.0",
+    "@directus/utils": "13.5.0",
+    "@directus/validation": "3.0.0",
+    "directus": "12.0.0"
   },
   "devDependencies": {
     "@directus/tsconfig": "4.0.0",
@@ -224,15 +224,15 @@
     "@types/stream-json": "1.7.8",
     "@types/wellknown": "0.5.8",
     "@types/ws": "8.18.1",
-    "@vitest/coverage-v8": "3.2.4",
+    "@vitest/coverage-v8": "3.2.6",
     "copyfiles": "2.4.1",
     "form-data": "4.0.4",
     "get-port": "7.1.0",
     "knex-mock-client": "3.0.2",
     "typescript": "5.9.3",
-    "vitest": "3.2.4",
-    "@directus/schema-builder": "1.0.0-rc.0",
-    "@directus/types": "16.0.0-rc.0"
+    "vitest": "3.2.6",
+    "@directus/schema-builder": "1.0.0",
+    "@directus/types": "16.0.0"
   },
   "optionalDependencies": {
     "@keyv/redis": "3.0.1",