@donotdev/functions 0.0.12 → 0.0.13

package/src/supabase/baseFunction.ts

@@ -103,7 +103,8 @@ export function createSupabaseHandler<TReq, TRes>(
           headers: {
             'Access-Control-Allow-Origin': allowedOrigin,
             'Access-Control-Allow-Methods': 'POST, OPTIONS',
-            'Access-Control-Allow-Headers': 'authorization, content-type, x-client-info, apikey',
+            'Access-Control-Allow-Headers':
+              'authorization, content-type, x-client-info, apikey',
           },
         });
       }
@@ -116,23 +117,32 @@ export function createSupabaseHandler<TReq, TRes>(
       // Extract and verify auth token
       const authHeader = req.headers.get('authorization');
       if (!authHeader?.startsWith('Bearer ')) {
-        return respond({ error: 'Missing or invalid authorization header' }, 401);
+        return respond(
+          { error: 'Missing or invalid authorization header' },
+          401
+        );
       }
       const token = authHeader.slice(7);
 
       // Create admin client
       const supabaseUrl = getEnvOrThrow('SUPABASE_URL');
       // Try new env var first, fall back to legacy name
-      const secretKey = getEnv('SUPABASE_SECRET_KEY') || getEnv('SUPABASE_SERVICE_ROLE_KEY');
+      const secretKey =
+        getEnv('SUPABASE_SECRET_KEY') || getEnv('SUPABASE_SERVICE_ROLE_KEY');
       if (!secretKey) {
-        throw new Error('Missing environment variable: SUPABASE_SECRET_KEY or SUPABASE_SERVICE_ROLE_KEY');
+        throw new Error(
+          'Missing environment variable: SUPABASE_SECRET_KEY or SUPABASE_SERVICE_ROLE_KEY'
+        );
       }
       const supabaseAdmin = createClient(supabaseUrl, secretKey, {
         auth: { autoRefreshToken: false, persistSession: false },
       });
 
       // Verify JWT and extract user
-      const { data: { user }, error: authError } = await supabaseAdmin.auth.getUser(token);
+      const {
+        data: { user },
+        error: authError,
+      } = await supabaseAdmin.auth.getUser(token);
       if (authError || !user) {
         return respond({ error: 'Invalid or expired token' }, 401);
       }
@@ -148,7 +158,9 @@ export function createSupabaseHandler<TReq, TRes>(
         // Non-guest access: verify user has required role level
         if (!hasRoleAccess(userRole, requiredRole)) {
           return respond(
-            { error: `Access denied. Required role: ${requiredRole}, your role: ${userRole}` },
+            {
+              error: `Access denied. Required role: ${requiredRole}, your role: ${userRole}`,
+            },
             403
           );
         }
@@ -164,8 +176,9 @@ export function createSupabaseHandler<TReq, TRes>(
             : `uid_${user.id}`;
         const rateLimitKey = `${operationName}_${rateLimitIdentifier}`;
         const rateLimitConfig: RateLimitConfig =
-          (DEFAULT_RATE_LIMITS as Record<string, RateLimitConfig>)[operationName] ||
-          DEFAULT_RATE_LIMITS.api;
+          (DEFAULT_RATE_LIMITS as Record<string, RateLimitConfig>)[
+            operationName
+          ] || DEFAULT_RATE_LIMITS.api;
 
         const rateLimitResult = await checkRateLimitWithPostgres(
           supabaseAdmin,
@@ -210,7 +223,10 @@ export function createSupabaseHandler<TReq, TRes>(
           supabaseAdmin,
         });
       } catch (handlerError) {
-        error = handlerError instanceof Error ? handlerError : new Error(String(handlerError));
+        error =
+          handlerError instanceof Error
+            ? handlerError
+            : new Error(String(handlerError));
         throw handlerError;
       } finally {
         // Record metrics if enabled
@@ -233,7 +249,8 @@ export function createSupabaseHandler<TReq, TRes>(
       return respond(result, 200);
     } catch (error) {
       console.error(`[${operationName}] Error:`, error);
-      const message = error instanceof Error ? error.message : 'Internal server error';
+      const message =
+        error instanceof Error ? error.message : 'Internal server error';
       const status = getErrorStatus(message);
       // allowedOrigin may not be set if error occurred before that line; fall back to '*'
       const origin = getEnv('ALLOWED_ORIGIN', '*');
@@ -246,7 +263,11 @@ export function createSupabaseHandler<TReq, TRes>(
 // Helpers
 // =============================================================================
 
-function jsonResponse(data: unknown, status: number, allowedOrigin = '*'): Response {
+function jsonResponse(
+  data: unknown,
+  status: number,
+  allowedOrigin = '*'
+): Response {
   return new Response(JSON.stringify(data), {
     status,
     headers: {
@@ -257,13 +278,19 @@ function jsonResponse(data: unknown, status: number, allowedOrigin = '*'): Respo
 }
 
 function getEnvOrThrow(key: string): string {
-  const value = (typeof Deno !== 'undefined' ? Deno.env.get(key) : process.env[key]) as string | undefined;
+  const value = (
+    typeof Deno !== 'undefined' ? Deno.env.get(key) : process.env[key]
+  ) as string | undefined;
   if (!value) throw new Error(`Missing environment variable: ${key}`);
   return value;
 }
 
 function getEnv(key: string, defaultValue: string = ''): string {
-  return (typeof Deno !== 'undefined' ? Deno.env.get(key) : process.env[key]) as string | undefined || defaultValue;
+  return (
+    ((typeof Deno !== 'undefined' ? Deno.env.get(key) : process.env[key]) as
+      | string
+      | undefined) || defaultValue
+  );
 }
 
 function getClientIp(req: Request): string {
@@ -273,7 +300,10 @@ function getClientIp(req: Request): string {
     // W19: Take the rightmost (last) IP — the leftmost entry is client-supplied
     // and trivially spoofable. The last entry is appended by the nearest trusted
     // reverse proxy and is the most reliable.
-    const ips = forwardedFor.split(',').map((ip) => ip.trim()).filter(Boolean);
+    const ips = forwardedFor
+      .split(',')
+      .map((ip) => ip.trim())
+      .filter(Boolean);
     const lastIp = ips[ips.length - 1];
     if (lastIp) return lastIp;
   }
@@ -287,20 +317,45 @@ function getClientIp(req: Request): string {
 
 function getErrorCode(message: string): string {
   if (message.includes('Rate limit')) return 'rate-limit-exceeded';
-  if (message.includes('not found') || message.includes('No active')) return 'not-found';
-  if (message.includes('permission') || message.includes('denied') || message.includes('Forbidden')) return 'permission-denied';
-  if (message.includes('mismatch') || message.includes('Invalid') || message.includes('Missing')) return 'invalid-argument';
-  if (message.includes('already-exists') || message.includes('Duplicate')) return 'already-exists';
+  if (message.includes('not found') || message.includes('No active'))
+    return 'not-found';
+  if (
+    message.includes('permission') ||
+    message.includes('denied') ||
+    message.includes('Forbidden')
+  )
+    return 'permission-denied';
+  if (
+    message.includes('mismatch') ||
+    message.includes('Invalid') ||
+    message.includes('Missing')
+  )
+    return 'invalid-argument';
+  if (message.includes('already-exists') || message.includes('Duplicate'))
+    return 'already-exists';
   return 'internal';
 }
 
 function getErrorStatus(message: string): number {
   if (message.includes('Rate limit')) return 429;
-  if (message.includes('not found') || message.includes('No active')) return 404;
-  if (message.includes('permission') || message.includes('denied') || message.includes('Forbidden')) return 403;
-  if (message.includes('mismatch') || message.includes('Invalid') || message.includes('Missing')) return 400;
+  if (message.includes('not found') || message.includes('No active'))
+    return 404;
+  if (
+    message.includes('permission') ||
+    message.includes('denied') ||
+    message.includes('Forbidden')
+  )
+    return 403;
+  if (
+    message.includes('mismatch') ||
+    message.includes('Invalid') ||
+    message.includes('Missing')
+  )
+    return 400;
   return 500;
 }
 
 // Deno global type declaration for env access
-declare const Deno: { env: { get(key: string): string | undefined } } | undefined;
+declare const Deno:
+  | { env: { get(key: string): string | undefined } }
+  | undefined;

package/src/supabase/billing/cancelSubscription.ts

@@ -44,14 +44,20 @@ export function createCancelSubscription() {
       initStripe(getStripeKey());
       const authProvider = createSupabaseAuthProvider(ctx.supabaseAdmin);
       return cancelUserSubscription(data.userId, authProvider);
-    },
+    }
   );
 }
 
 function getStripeKey(): string {
-  const key = (typeof Deno !== 'undefined' ? Deno.env.get('STRIPE_SECRET_KEY') : process.env.STRIPE_SECRET_KEY) as string | undefined;
+  const key = (
+    typeof Deno !== 'undefined'
+      ? Deno.env.get('STRIPE_SECRET_KEY')
+      : process.env.STRIPE_SECRET_KEY
+  ) as string | undefined;
   if (!key) throw new Error('Missing STRIPE_SECRET_KEY environment variable');
   return key;
 }
 
-declare const Deno: { env: { get(key: string): string | undefined } } | undefined;
+declare const Deno:
+  | { env: { get(key: string): string | undefined } }
+  | undefined;

package/src/supabase/billing/changePlan.ts

@@ -25,7 +25,10 @@ import { createSupabaseAuthProvider } from '../helpers/authProvider.js';
 const changePlanSchema = v.object({
   userId: v.pipe(v.string(), v.minLength(1, 'User ID is required')),
   newPriceId: v.pipe(v.string(), v.minLength(1, 'Price ID is required')),
-  billingConfigKey: v.pipe(v.string(), v.minLength(1, 'Billing config key is required')),
+  billingConfigKey: v.pipe(
+    v.string(),
+    v.minLength(1, 'Billing config key is required')
+  ),
 });
 
 // =============================================================================
@@ -48,15 +51,27 @@ export function createChangePlan(billingConfig: StripeBackConfig) {
     async (data, ctx) => {
       initStripe(getStripeKey());
       const authProvider = createSupabaseAuthProvider(ctx.supabaseAdmin);
-      return changeUserPlan(data.userId, data.newPriceId, data.billingConfigKey, billingConfig, authProvider);
-    },
+      return changeUserPlan(
+        data.userId,
+        data.newPriceId,
+        data.billingConfigKey,
+        billingConfig,
+        authProvider
+      );
+    }
   );
 }
 
 function getStripeKey(): string {
-  const key = (typeof Deno !== 'undefined' ? Deno.env.get('STRIPE_SECRET_KEY') : process.env.STRIPE_SECRET_KEY) as string | undefined;
+  const key = (
+    typeof Deno !== 'undefined'
+      ? Deno.env.get('STRIPE_SECRET_KEY')
+      : process.env.STRIPE_SECRET_KEY
+  ) as string | undefined;
   if (!key) throw new Error('Missing STRIPE_SECRET_KEY environment variable');
   return key;
 }
 
-declare const Deno: { env: { get(key: string): string | undefined } } | undefined;
+declare const Deno:
+  | { env: { get(key: string): string | undefined } }
+  | undefined;

package/src/supabase/billing/createCheckoutSession.ts

@@ -13,7 +13,11 @@ import type { StripeBackConfig } from '@donotdev/core/server';
 import { CreateCheckoutSessionRequestSchema } from '@donotdev/core/server';
 
 import { createCheckoutAlgorithm } from '../../shared/billing/createCheckout.js';
-import { initStripe, stripe, validateStripeEnvironment } from '../../shared/utils.js';
+import {
+  initStripe,
+  stripe,
+  validateStripeEnvironment,
+} from '../../shared/utils.js';
 import { createSupabaseHandler } from '../baseFunction.js';
 import { createSupabaseAuthProvider } from '../helpers/authProvider.js';
 
@@ -68,15 +72,26 @@ export function createCheckoutSession(billingConfig: StripeBackConfig) {
         },
       };
 
-      return createCheckoutAlgorithm(data, stripeProvider, authProvider, billingConfig);
-    },
+      return createCheckoutAlgorithm(
+        data,
+        stripeProvider,
+        authProvider,
+        billingConfig
+      );
+    }
   );
 }
 
 function getStripeKey(): string {
-  const key = (typeof Deno !== 'undefined' ? Deno.env.get('STRIPE_SECRET_KEY') : process.env.STRIPE_SECRET_KEY) as string | undefined;
+  const key = (
+    typeof Deno !== 'undefined'
+      ? Deno.env.get('STRIPE_SECRET_KEY')
+      : process.env.STRIPE_SECRET_KEY
+  ) as string | undefined;
   if (!key) throw new Error('Missing STRIPE_SECRET_KEY environment variable');
   return key;
 }
 
-declare const Deno: { env: { get(key: string): string | undefined } } | undefined;
+declare const Deno:
+  | { env: { get(key: string): string | undefined } }
+  | undefined;

package/src/supabase/billing/createCustomerPortal.ts

@@ -44,15 +44,25 @@ export function createCustomerPortal() {
     async (data, ctx) => {
       initStripe(getStripeKey());
       const authProvider = createSupabaseAuthProvider(ctx.supabaseAdmin);
-      return createCustomerPortalSession(data.userId, authProvider, data.returnUrl);
-    },
+      return createCustomerPortalSession(
+        data.userId,
+        authProvider,
+        data.returnUrl
+      );
+    }
   );
 }
 
 function getStripeKey(): string {
-  const key = (typeof Deno !== 'undefined' ? Deno.env.get('STRIPE_SECRET_KEY') : process.env.STRIPE_SECRET_KEY) as string | undefined;
+  const key = (
+    typeof Deno !== 'undefined'
+      ? Deno.env.get('STRIPE_SECRET_KEY')
+      : process.env.STRIPE_SECRET_KEY
+  ) as string | undefined;
   if (!key) throw new Error('Missing STRIPE_SECRET_KEY environment variable');
   return key;
 }
 
-declare const Deno: { env: { get(key: string): string | undefined } } | undefined;
+declare const Deno:
+  | { env: { get(key: string): string | undefined } }
+  | undefined;

package/src/supabase/billing/refreshSubscriptionStatus.ts

@@ -12,7 +12,11 @@
 import Stripe from 'stripe';
 import * as v from 'valibot';
 
-import { initStripe, stripe, validateStripeEnvironment } from '../../shared/utils.js';
+import {
+  initStripe,
+  stripe,
+  validateStripeEnvironment,
+} from '../../shared/utils.js';
 import { createSupabaseHandler } from '../baseFunction.js';
 import { createSupabaseAuthProvider } from '../helpers/authProvider.js';
 
@@ -48,12 +52,16 @@ export function createRefreshSubscriptionStatus() {
       const user = await authProvider.getUser(data.userId);
       const currentClaims = user.customClaims || {};
 
-      const subscriptionId = (currentClaims.subscription as { subscriptionId?: string } | undefined)?.subscriptionId;
+      const subscriptionId = (
+        currentClaims.subscription as { subscriptionId?: string } | undefined
+      )?.subscriptionId;
       if (!subscriptionId) {
         throw new Error('No active subscription found');
       }
 
-      const subscription = await stripe.subscriptions.retrieve(subscriptionId) as Stripe.Subscription;
+      const subscription = (await stripe.subscriptions.retrieve(
+        subscriptionId
+      )) as Stripe.Subscription;
 
       // Update claims via auth provider
       const updatedClaims = {
@@ -61,8 +69,12 @@ export function createRefreshSubscriptionStatus() {
         subscription: {
           ...(currentClaims.subscription as Record<string, unknown>),
           status: subscription.status,
-          currentPeriodStart: new Date((subscription as any).current_period_start * 1000).toISOString(),
-          currentPeriodEnd: new Date((subscription as any).current_period_end * 1000).toISOString(),
+          currentPeriodStart: new Date(
+            (subscription as any).current_period_start * 1000
+          ).toISOString(),
+          currentPeriodEnd: new Date(
+            (subscription as any).current_period_end * 1000
+          ).toISOString(),
           cancelAtPeriodEnd: (subscription as any).cancel_at_period_end,
         },
       };
@@ -73,17 +85,25 @@ export function createRefreshSubscriptionStatus() {
         success: true,
         userId: data.userId,
         status: subscription.status,
-        currentPeriodEnd: new Date((subscription as any).current_period_end * 1000).toISOString(),
+        currentPeriodEnd: new Date(
+          (subscription as any).current_period_end * 1000
+        ).toISOString(),
         cancelAtPeriodEnd: (subscription as any).cancel_at_period_end,
       };
-    },
+    }
   );
 }
 
 function getStripeKey(): string {
-  const key = (typeof Deno !== 'undefined' ? Deno.env.get('STRIPE_SECRET_KEY') : process.env.STRIPE_SECRET_KEY) as string | undefined;
+  const key = (
+    typeof Deno !== 'undefined'
+      ? Deno.env.get('STRIPE_SECRET_KEY')
+      : process.env.STRIPE_SECRET_KEY
+  ) as string | undefined;
   if (!key) throw new Error('Missing STRIPE_SECRET_KEY environment variable');
   return key;
 }
 
-declare const Deno: { env: { get(key: string): string | undefined } } | undefined;
+declare const Deno:
+  | { env: { get(key: string): string | undefined } }
+  | undefined;

package/src/supabase/crud/aggregate.ts

@@ -92,11 +92,18 @@ export function createSupabaseAggregateEntities(
       let query = supabaseAdmin.from(collection);
 
       for (const [field, operator, value] of where) {
-        query = applyOperator(query, mapper.toBackendField(field), operator, value);
+        query = applyOperator(
+          query,
+          mapper.toBackendField(field),
+          operator,
+          value
+        );
       }
 
       if (groupBy && groupBy.length > 0) {
-        const groupByColumns = groupBy.map((f) => mapper.toBackendField(f)).join(', ');
+        const groupByColumns = groupBy
+          .map((f) => mapper.toBackendField(f))
+          .join(', ');
         const selectFields = `${groupByColumns}, ${aggregate.operation}(${aggregateColumn})`;
         query = query.select(selectFields);
         for (const field of groupBy) {
@@ -114,7 +121,10 @@ export function createSupabaseAggregateEntities(
       const { data: rows, error, count } = await query;
 
       if (error) {
-        throw new DoNotDevError(`Failed to aggregate entities: ${error.message}`, 'internal');
+        throw new DoNotDevError(
+          `Failed to aggregate entities: ${error.message}`,
+          'internal'
+        );
       }
 
       // Process results
@@ -133,7 +143,7 @@ export function createSupabaseAggregateEntities(
           return { value: count ?? 0 };
         } else {
           // Calculate aggregate from rows
-          const values = (rows || [] as any[])
+          const values = (rows || ([] as any[]))
             .map((row) => row[aggregateColumn])
             .filter((v) => v != null && !isNaN(Number(v)))
             .map((v) => Number(v));

package/src/supabase/crud/create.ts

@@ -19,10 +19,7 @@ import { defaultFieldMapper } from '@donotdev/supabase';
 import { createMetadata } from '../../shared/index.js';
 import { DoNotDevError, validateDocument } from '../../shared/utils.js';
 import { createSupabaseHandler } from '../baseFunction.js';
-import {
-  checkIdempotency,
-  storeIdempotency,
-} from '../utils/idempotency.js';
+import { checkIdempotency, storeIdempotency } from '../utils/idempotency.js';
 
 const mapper = defaultFieldMapper;
 
@@ -68,7 +65,10 @@ async function checkUniqueKeys(
   uniqueKeys: UniqueKeyDefinition[],
   isDraft: boolean,
   supabaseAdmin: any
-): Promise<{ found: false } | { found: true; existingDoc: Record<string, any>; findOrCreate: boolean }> {
+): Promise<
+  | { found: false }
+  | { found: true; existingDoc: Record<string, any>; findOrCreate: boolean }
+> {
   for (const uniqueKey of uniqueKeys) {
     // Skip validation for drafts only if explicitly opted in
     if (isDraft && uniqueKey.skipForDrafts === true) continue;
@@ -81,13 +81,19 @@ async function checkUniqueKeys(
 
     let query = supabaseAdmin.from(collection).select('*');
     for (const field of uniqueKey.fields) {
-      query = query.eq(mapper.toBackendField(field), normalizeValue(payload[field]));
+      query = query.eq(
+        mapper.toBackendField(field),
+        normalizeValue(payload[field])
+      );
     }
 
     const { data: existing, error } = await query.limit(1);
 
     if (!error && existing && existing.length > 0) {
-      const existingDoc = mapper.fromBackendRow(existing[0]) as Record<string, any>;
+      const existingDoc = mapper.fromBackendRow(existing[0]) as Record<
+        string,
+        any
+      >;
 
       if (uniqueKey.findOrCreate) {
         return { found: true, existingDoc, findOrCreate: true };
@@ -185,9 +191,17 @@ export function createSupabaseCreateEntity(
       }
 
       const metadata = createMetadata(uid);
-      const snakeMetadata = mapper.toBackendKeys(metadata as Record<string, unknown>);
+      const snakeMetadata = mapper.toBackendKeys(
+        metadata as Record<string, unknown>
+      );
 
-      const { createdAt, updatedAt, created_at, updated_at, ...payloadWithoutTimestamps } = normalizedPayload;
+      const {
+        createdAt,
+        updatedAt,
+        created_at,
+        updated_at,
+        ...payloadWithoutTimestamps
+      } = normalizedPayload;
       const snakePayload = mapper.toBackendKeys(payloadWithoutTimestamps);
 
       // Insert document (DB sets created_at/updated_at via triggers)
@@ -202,10 +216,15 @@ export function createSupabaseCreateEntity(
         .single();
 
       if (error) {
-        throw new DoNotDevError(`Failed to create entity: ${error.message}`, 'internal');
+        throw new DoNotDevError(
+          `Failed to create entity: ${error.message}`,
+          'internal'
+        );
       }
 
-      const result = mapper.fromBackendRow(inserted as Record<string, unknown>) as Record<string, any>;
+      const result = mapper.fromBackendRow(
+        inserted as Record<string, unknown>
+      ) as Record<string, any>;
 
       // Store result for idempotency if key provided
       if (idempotencyKey) {

package/src/supabase/crud/delete.ts

@@ -51,7 +51,11 @@ async function findReferences(
   docId: string,
   referenceMetadata?: ReferenceMetadata
 ): Promise<Array<{ collection: string; field: string; count: number }>> {
-  const references: Array<{ collection: string; field: string; count: number }> = [];
+  const references: Array<{
+    collection: string;
+    field: string;
+    count: number;
+  }> = [];
 
   if (!referenceMetadata) {
     return references;
@@ -120,7 +124,8 @@ export function createSupabaseDeleteEntity(
       // Prevent deletion if required references exist
       const requiredReferences = references.filter((ref) => {
         const metadata = referenceMetadata?.incoming?.find(
-          (r) => r.sourceCollection === ref.collection && r.sourceField === ref.field
+          (r) =>
+            r.sourceCollection === ref.collection && r.sourceField === ref.field
         );
         return metadata?.required === true;
       });
@@ -144,7 +149,10 @@ export function createSupabaseDeleteEntity(
         .eq('id', id);
 
       if (error) {
-        throw new DoNotDevError(`Failed to delete entity: ${error.message}`, 'internal');
+        throw new DoNotDevError(
+          `Failed to delete entity: ${error.message}`,
+          'internal'
+        );
       }
 
       return { success: true };

package/src/supabase/crud/get.ts

@@ -18,6 +18,12 @@ import {
 } from '@donotdev/core/server';
 import type { EntityOwnershipConfig, UserRole } from '@donotdev/core/server';
 
+import {
+  createEntityAwareMapper,
+  defaultFieldMapper,
+  getEntityFieldNames,
+} from '@donotdev/supabase';
+
 import { DoNotDevError } from '../../shared/utils.js';
 import { createSupabaseHandler } from '../baseFunction.js';
 
@@ -63,16 +69,32 @@ export function createSupabaseGetEntity(
       const isAdmin = hasRoleAccess(userRole, 'admin');
 
       // Hide drafts/deleted from non-admin users (security: hidden statuses never reach public)
-      if (!isAdmin && (HIDDEN_STATUSES as readonly string[]).includes(row.status)) {
+      if (
+        !isAdmin &&
+        (HIDDEN_STATUSES as readonly string[]).includes(row.status)
+      ) {
         throw new DoNotDevError('Entity not found', 'not-found');
       }
 
+      // Normalize DB row to entity field names before filtering.
+      const entityFieldNames = getEntityFieldNames(documentSchema);
+      const entityMapper =
+        entityFieldNames.length > 0
+          ? createEntityAwareMapper(entityFieldNames)
+          : defaultFieldMapper;
+      const normalized = entityMapper.fromBackendRow(row) as Record<
+        string,
+        any
+      >;
+
       const visibilityOptions =
-        ownership && uid ? { documentData: row, uid, ownership } : undefined;
+        ownership && uid
+          ? { documentData: normalized, uid, ownership }
+          : undefined;
 
       // Filter fields based on visibility and user role (and ownership for visibility: 'owner')
       const filteredData = filterVisibleFields(
-        row,
+        normalized,
         documentSchema,
         userRole,
         visibilityOptions