@flowerforce/flowerbase 1.8.4-beta.2 → 1.8.4-beta.4

package/dist/features/functions/interface.d.ts

@@ -10,6 +10,7 @@ export interface FunctionConfig {
 }
 export type Function = Omit<FunctionConfig, 'name'> & {
     code: string;
+    sourcePath?: string;
 };
 export type Functions = Record<string, Function>;
 export type RegisterFunctionsParams = {

package/dist/features/functions/interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"interface.d.ts","sourceRoot":"","sources":["../../../src/features/functions/interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAClC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oCAAoC,CAAA;AACzE,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAA;AAE1C,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,aAAa,CAAC,EAAE,OAAO,CAAA;IACvB,gBAAgB,CAAC,EAAE,OAAO,CAAA;CAC3B;AAED,MAAM,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,GAAG;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,CAAA;AAEtE,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;AAEhD,MAAM,MAAM,uBAAuB,GAAG;IACpC,GAAG,EAAE,eAAe,CAAA;IACpB,aAAa,EAAE,SAAS,CAAA;IACxB,SAAS,EAAE,KAAK,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,aAAa,EAAE,UAAU,CAAC,oBAAoB,CAAC,CAAC,MAAM,UAAU,CAAC,oBAAoB,CAAC,CAAC,CAAA;IACvF,KAAK,EAAE,UAAU,CAAC,oBAAoB,CAAC,CAAA;IACvC,MAAM,EAAE,QAAQ,CAAA;IAChB,MAAM,CAAC,EAAE,QAAQ,CAAA;IACjB,UAAU,CAAC,EAAE,QAAQ,CAAA;IACrB,OAAO,CAAC,EAAE,QAAQ,CAAA;IAClB,iBAAiB,CAAC,EAAE,OAAO,CAAA;IAC3B,QAAQ,EAAE,QAAQ,CAAA;IAClB,SAAS,EAAE,QAAQ,EAAE,CAAA;IACrB,QAAQ,EAAE,QAAQ,EAAE,CAAA;IACpB,QAAQ,CAAC,EAAE,OAAO,CAAA;CACnB,CAAA;AAED,KAAK,0BAA0B,GAAG;IAChC,aAAa,EAAE,SAAS,CAAA;IACxB,KAAK,EAAE,KAAK,CAAA;CACb,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,CAC/B,GAAG,EAAE,eAAe,EACpB,EAAE,aAAa,EAAE,KAAK,EAAE,EAAE,0BAA0B,KACjD,OAAO,CAAC,IAAI,CAAC,CAAA"}
+{"version":3,"file":"interface.d.ts","sourceRoot":"","sources":["../../../src/features/functions/interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAA;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAClC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oCAAoC,CAAA;AACzE,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAA;AAE1C,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,aAAa,CAAC,EAAE,OAAO,CAAA;IACvB,gBAAgB,CAAC,EAAE,OAAO,CAAA;CAC3B;AAED,MAAM,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,GAAG;IACpD,IAAI,EAAE,MAAM,CAAA;IACZ,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;AAEhD,MAAM,MAAM,uBAAuB,GAAG;IACpC,GAAG,EAAE,eAAe,CAAA;IACpB,aAAa,EAAE,SAAS,CAAA;IACxB,SAAS,EAAE,KAAK,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,aAAa,EAAE,UAAU,CAAC,oBAAoB,CAAC,CAAC,MAAM,UAAU,CAAC,oBAAoB,CAAC,CAAC,CAAA;IACvF,KAAK,EAAE,UAAU,CAAC,oBAAoB,CAAC,CAAA;IACvC,MAAM,EAAE,QAAQ,CAAA;IAChB,MAAM,CAAC,EAAE,QAAQ,CAAA;IACjB,UAAU,CAAC,EAAE,QAAQ,CAAA;IACrB,OAAO,CAAC,EAAE,QAAQ,CAAA;IAClB,iBAAiB,CAAC,EAAE,OAAO,CAAA;IAC3B,QAAQ,EAAE,QAAQ,CAAA;IAClB,SAAS,EAAE,QAAQ,EAAE,CAAA;IACrB,QAAQ,EAAE,QAAQ,EAAE,CAAA;IACpB,QAAQ,CAAC,EAAE,OAAO,CAAA;CACnB,CAAA;AAED,KAAK,0BAA0B,GAAG;IAChC,aAAa,EAAE,SAAS,CAAA;IACxB,KAAK,EAAE,KAAK,CAAA;CACb,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,CAC/B,GAAG,EAAE,eAAe,EACpB,EAAE,aAAa,EAAE,KAAK,EAAE,EAAE,0BAA0B,KACjD,OAAO,CAAC,IAAI,CAAC,CAAA"}

package/dist/features/functions/utils.js

@@ -46,7 +46,7 @@ const loadFunctions = (...args_1) => __awaiter(void 0, [...args_1], void 0, func
             throw new Error(`File ${name}.js or ${name}.ts not found`);
         }
         code = fs_1.default.readFileSync(fnPath, 'utf-8');
-        acc[name] = Object.assign({ code }, opts);
+        acc[name] = Object.assign({ code, sourcePath: fnPath }, opts);
         return acc;
     }, {});
     return functions;

package/dist/services/mongodb-atlas/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/services/mongodb-atlas/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAIL,QAAQ,EAQT,MAAM,SAAS,CAAA;AAOhB,OAAO,EAGL,oBAAoB,EAErB,MAAM,SAAS,CAAA;AA6JhB,eAAO,MAAM,kBAAkB,GAAI,OAAO,OAAO,KAAG,OA0BnD,CAAA;AA8BD,eAAO,MAAM,2BAA2B,GAAI,UAAU,QAAQ,EAAE,YAK5D,CAAA;AAwzCJ,QAAA,MAAM,YAAY,EAAE,oBAwBlB,CAAA;AAEF,eAAe,YAAY,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/services/mongodb-atlas/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAIL,QAAQ,EAQT,MAAM,SAAS,CAAA;AAOhB,OAAO,EAGL,oBAAoB,EAErB,MAAM,SAAS,CAAA;AA8JhB,eAAO,MAAM,kBAAkB,GAAI,OAAO,OAAO,KAAG,OA0BnD,CAAA;AA8BD,eAAO,MAAM,2BAA2B,GAAI,UAAU,QAAQ,EAAE,YAK5D,CAAA;AA80CJ,QAAA,MAAM,YAAY,EAAE,oBAwBlB,CAAA;AAEF,eAAe,YAAY,CAAA"}

package/dist/services/mongodb-atlas/index.js

@@ -459,13 +459,17 @@ const getOperators = (mongo, { rules, dbName, collName, user, run_as_system, mon
             var _a;
             try {
                 const { projection, options: normalizedOptions } = resolveFindArgs(projectionOrOptions, options);
-                const resolvedOptions = projection || normalizedOptions
-                    ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (projection ? { projection } : {})) : undefined;
                 const resolvedQuery = query !== null && query !== void 0 ? query : {};
                 if (!run_as_system) {
                     (0, utils_3.checkDenyOperation)(normalizedRules, collection.collectionName, model_1.CRUD_OPERATIONS.READ);
                     // Apply access control filters to the query
                     const formattedQuery = (0, utils_3.getFormattedQuery)(filters, resolvedQuery, user);
+                    // Rules-level projection has priority over client-provided projection.
+                    // The merged projection is passed natively to MongoDB.
+                    const rulesProjection = (0, utils_3.getFormattedProjection)(filters, user);
+                    const finalProjection = (0, utils_3.mergeProjections)(projection, rulesProjection);
+                    const resolvedOptions = finalProjection || normalizedOptions
+                        ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (finalProjection ? { projection: finalProjection } : {})) : undefined;
                     logDebug('update formattedQuery', {
                         collection: collName,
                         query,
@@ -509,8 +513,10 @@ const getOperators = (mongo, { rules, dbName, collName, user, run_as_system, mon
                     emitMongoEvent('findOne');
                     return Promise.resolve(response);
                 }
-                // System mode: no validation applied
-                const response = yield collection.findOne(resolvedQuery, resolvedOptions);
+                // System mode: no validation applied, only client-provided projection/options.
+                const systemOptions = projection || normalizedOptions
+                    ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (projection ? { projection } : {})) : undefined;
+                const response = yield collection.findOne(resolvedQuery, systemOptions);
                 emitMongoEvent('findOne');
                 return response;
             }
@@ -825,13 +831,17 @@ const getOperators = (mongo, { rules, dbName, collName, user, run_as_system, mon
         find: (query = {}, projectionOrOptions, options) => {
             try {
                 const { projection, options: normalizedOptions } = resolveFindArgs(projectionOrOptions, options);
-                const resolvedOptions = projection || normalizedOptions
-                    ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (projection ? { projection } : {})) : undefined;
                 if (!run_as_system) {
                     (0, utils_3.checkDenyOperation)(normalizedRules, collection.collectionName, model_1.CRUD_OPERATIONS.READ);
                     // Pre-query filtering based on access control rules
                     const formattedQuery = (0, utils_3.getFormattedQuery)(filters, query, user);
                     const currentQuery = formattedQuery.length ? { $and: formattedQuery } : {};
+                    // Rules-level projection has priority over client-provided projection.
+                    // The merged projection is passed natively to MongoDB.
+                    const rulesProjection = (0, utils_3.getFormattedProjection)(filters, user);
+                    const finalProjection = (0, utils_3.mergeProjections)(projection, rulesProjection);
+                    const resolvedOptions = finalProjection || normalizedOptions
+                        ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (finalProjection ? { projection: finalProjection } : {})) : undefined;
                     // aggiunto filter per evitare questo errore: $and argument's entries must be objects
                     const cursor = collection.find(currentQuery, resolvedOptions);
                     const originalToArray = cursor.toArray.bind(cursor);
@@ -866,8 +876,10 @@ const getOperators = (mongo, { rules, dbName, collName, user, run_as_system, mon
                     emitMongoEvent('find');
                     return cursor;
                 }
-                // System mode: return original unfiltered cursor
-                const cursor = collection.find(query, resolvedOptions);
+                // System mode: return original unfiltered cursor (only client projection/options).
+                const systemOptions = projection || normalizedOptions
+                    ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (projection ? { projection } : {})) : undefined;
+                const cursor = collection.find(query, systemOptions);
                 emitMongoEvent('find');
                 return cursor;
             }
@@ -1041,7 +1053,7 @@ const getOperators = (mongo, { rules, dbName, collName, user, run_as_system, mon
                     formattedQuery,
                     pipeline
                 });
-                const projection = (0, utils_3.getFormattedProjection)(filters);
+                const projection = (0, utils_3.getFormattedProjection)(filters, user);
                 const hiddenFields = (0, utils_3.getHiddenFieldsFromRulesConfig)(rulesConfig);
                 const sanitizedPipeline = (0, utils_3.applyAccessControlToPipeline)(pipeline, normalizedRules, user, collName, { isClientPipeline: true });
                 logDebug('aggregate sanitizedPipeline', {

package/dist/services/mongodb-atlas/utils.d.ts

@@ -7,6 +7,21 @@ import { CRUD_OPERATIONS, GetValidRuleParams } from './model';
 export declare const getValidRule: <T extends Role | Filter>({ filters, user, record }: GetValidRuleParams<T>) => T[];
 export declare const getFormattedQuery: (filters?: Filter[], query?: Parameters<Collection<Document>["findOne"]>[0], user?: User) => FilterMongoDB<Document>[];
 export declare const getFormattedProjection: (filters?: Filter[], user?: User) => Projection | null;
+/**
+ * Merges a client-provided projection with the one computed from rules filters.
+ *
+ * Rules have higher priority over the client:
+ * - If rules exclude a top-level field (e.g. `{ instock: 0 }`), every client
+ *   reference to that field — including dotted sub-paths such as
+ *   `"instock.qty": 1` — is dropped from the final projection.
+ * - If rules include a field (value `1`), it is always part of the final
+ *   projection and overrides any conflicting client value.
+ * - The returned projection is always a valid MongoDB projection (no mixing of
+ *   inclusion and exclusion on non-`_id` keys), so it can be passed as-is to
+ *   native MongoDB methods.
+ * - Returns `undefined` when neither side provided a meaningful projection.
+ */
+export declare const mergeProjections: (clientProjection: Projection | Document | undefined, rulesProjection: Projection | null | undefined) => Projection | Document | undefined;
 export declare const applyAccessControlToPipeline: (pipeline: AggregationPipeline, rules: Record<string, {
     filters?: Filter[];
     roles?: Role[];

package/dist/services/mongodb-atlas/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/services/mongodb-atlas/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAElC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,IAAI,aAAa,EAAE,MAAM,SAAS,CAAA;AACvE,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AACtC,OAAO,EACL,mBAAmB,EAEnB,MAAM,EAEN,UAAU,EACV,KAAK,EAGN,MAAM,gCAAgC,CAAA;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,6BAA6B,CAAA;AAGlD,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAA;AAE7D,eAAO,MAAM,YAAY,GAAI,CAAC,SAAS,IAAI,GAAG,MAAM,EAAE,2BAInD,kBAAkB,CAAC,CAAC,CAAC,QA8BvB,CAAA;AAED,eAAO,MAAM,iBAAiB,GAC5B,UAAS,MAAM,EAAO,EACtB,QAAQ,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,EACtD,OAAO,IAAI,8BAcZ,CAAA;AAED,eAAO,MAAM,sBAAsB,GACjC,UAAS,MAAM,EAAO,EACtB,OAAO,IAAI,KACV,UAAU,GAAG,IAaf,CAAA;AAED,eAAO,MAAM,4BAA4B,GACvC,UAAU,mBAAmB,EAC7B,OAAO,MAAM,CACX,MAAM,EACN;IACE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,KAAK,CAAC,EAAE,IAAI,EAAE,CAAA;CACf,CACF,EACD,MAAM,IAAI,EACV,gBAAgB,MAAM,EACtB,UAAU;IACR,gBAAgB,CAAC,EAAE,OAAO,CAAA;CAC3B,KACA,mBA6GF,CAAA;AAED,eAAO,MAAM,kBAAkB,GAC7B,OAAO,KAAK,EACZ,gBAAgB,MAAM,EACtB,WAAW,eAAe,SAM3B,CAAA;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,CAAC,QAAQ,CAAC,EAAE;;;;;;;;iBA0I8iqS,CAAC;sBAAgC,CAAC;2BAAsC,CAAC;;;;IAlIrrqS;AAED,eAAO,MAAM,0BAA0B,GAAI,UAAU,QAAQ,EAAE,aAgC9D,CAAA;AAYD,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,mBAAmB,QA+BvE;AAED,wBAAgB,8BAA8B,CAAC,WAAW,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,IAAI,EAAE,CAAA;CAAE,YAK9E;AAwCD,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,EAAE,uBAKtF"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/services/mongodb-atlas/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAElC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,IAAI,aAAa,EAAE,MAAM,SAAS,CAAA;AACvE,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AACtC,OAAO,EACL,mBAAmB,EAEnB,MAAM,EAEN,UAAU,EACV,KAAK,EAGN,MAAM,gCAAgC,CAAA;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,6BAA6B,CAAA;AAGlD,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAA;AAE7D,eAAO,MAAM,YAAY,GAAI,CAAC,SAAS,IAAI,GAAG,MAAM,EAAE,2BAInD,kBAAkB,CAAC,CAAC,CAAC,QA8BvB,CAAA;AAED,eAAO,MAAM,iBAAiB,GAC5B,UAAS,MAAM,EAAO,EACtB,QAAQ,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,EACtD,OAAO,IAAI,8BAcZ,CAAA;AAED,eAAO,MAAM,sBAAsB,GACjC,UAAS,MAAM,EAAO,EACtB,OAAO,IAAI,KACV,UAAU,GAAG,IAMf,CAAA;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gBAAgB,GAC3B,kBAAkB,UAAU,GAAG,QAAQ,GAAG,SAAS,EACnD,iBAAiB,UAAU,GAAG,IAAI,GAAG,SAAS,KAC7C,UAAU,GAAG,QAAQ,GAAG,SAyD1B,CAAA;AAED,eAAO,MAAM,4BAA4B,GACvC,UAAU,mBAAmB,EAC7B,OAAO,MAAM,CACX,MAAM,EACN;IACE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,KAAK,CAAC,EAAE,IAAI,EAAE,CAAA;CACf,CACF,EACD,MAAM,IAAI,EACV,gBAAgB,MAAM,EACtB,UAAU;IACR,gBAAgB,CAAC,EAAE,OAAO,CAAA;CAC3B,KACA,mBA6GF,CAAA;AAED,eAAO,MAAM,kBAAkB,GAC7B,OAAO,KAAK,EACZ,gBAAgB,MAAM,EACtB,WAAW,eAAe,SAM3B,CAAA;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,CAAC,QAAQ,CAAC,EAAE;;;;;;;;iBA0I2jkS,CAAC;sBAAgC,CAAC;2BAAsC,CAAC;;;;IAlIlskS;AAED,eAAO,MAAM,0BAA0B,GAAI,UAAU,QAAQ,EAAE,aAgC9D,CAAA;AAYD,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,mBAAmB,QA+BvE;AAED,wBAAgB,8BAA8B,CAAC,WAAW,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,IAAI,EAAE,CAAA;CAAE,YAK9E;AAwCD,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,EAAE,uBAKtF"}

package/dist/services/mongodb-atlas/utils.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getCollectionsFromPipeline = exports.checkDenyOperation = exports.applyAccessControlToPipeline = exports.getFormattedProjection = exports.getFormattedQuery = exports.getValidRule = void 0;
+exports.getCollectionsFromPipeline = exports.checkDenyOperation = exports.applyAccessControlToPipeline = exports.mergeProjections = exports.getFormattedProjection = exports.getFormattedQuery = exports.getValidRule = void 0;
 exports.normalizeQuery = normalizeQuery;
 exports.ensureClientPipelineStages = ensureClientPipelineStages;
 exports.getHiddenFieldsFromRulesConfig = getHiddenFieldsFromRulesConfig;
@@ -48,21 +48,83 @@ const getFormattedQuery = (filters = [], query, user) => {
 };
 exports.getFormattedQuery = getFormattedQuery;
 const getFormattedProjection = (filters = [], user) => {
-    const projections = filters
-        .filter((filter) => {
-        if (filter.projection) {
-            const preFilter = (0, exports.getValidRule)({ filters, user });
-            const isValidPreFilter = !!(preFilter === null || preFilter === void 0 ? void 0 : preFilter.length);
-            return isValidPreFilter;
-        }
-        return false;
-    })
+    const projections = (0, exports.getValidRule)({ filters, user })
+        .filter((f) => !!f.projection)
         .map((f) => f.projection);
     if (!projections.length)
         return null;
     return Object.assign({}, ...projections);
 };
 exports.getFormattedProjection = getFormattedProjection;
+/**
+ * Merges a client-provided projection with the one computed from rules filters.
+ *
+ * Rules have higher priority over the client:
+ * - If rules exclude a top-level field (e.g. `{ instock: 0 }`), every client
+ *   reference to that field — including dotted sub-paths such as
+ *   `"instock.qty": 1` — is dropped from the final projection.
+ * - If rules include a field (value `1`), it is always part of the final
+ *   projection and overrides any conflicting client value.
+ * - The returned projection is always a valid MongoDB projection (no mixing of
+ *   inclusion and exclusion on non-`_id` keys), so it can be passed as-is to
+ *   native MongoDB methods.
+ * - Returns `undefined` when neither side provided a meaningful projection.
+ */
+const mergeProjections = (clientProjection, rulesProjection) => {
+    const hasClient = !!clientProjection && Object.keys(clientProjection).length > 0;
+    const hasRules = !!rulesProjection && Object.keys(rulesProjection).length > 0;
+    if (!hasClient && !hasRules)
+        return undefined;
+    const client = (hasClient ? clientProjection : {});
+    const rules = (hasRules ? rulesProjection : {});
+    const getTopLevel = (key) => key.split('.')[0];
+    const rulesEntries = Object.entries(rules);
+    const rulesIncludeKeys = rulesEntries
+        .filter(([, value]) => value === 1)
+        .map(([key]) => key);
+    const rulesExcludeKeys = rulesEntries
+        .filter(([, value]) => value === 0)
+        .map(([key]) => key);
+    // Top-level fields excluded by rules (excluding `_id` which has special
+    // MongoDB semantics and is allowed alongside inclusion projections).
+    const excludedTopLevel = new Set(rulesExcludeKeys.map(getTopLevel).filter((key) => key !== '_id'));
+    const filteredClient = {};
+    for (const [key, value] of Object.entries(client)) {
+        if (excludedTopLevel.has(getTopLevel(key)))
+            continue;
+        filteredClient[key] = value;
+    }
+    const hasInclusion = rulesIncludeKeys.some((key) => key !== '_id') ||
+        Object.entries(filteredClient).some(([key, value]) => value === 1 && key !== '_id');
+    const merged = {};
+    if (hasInclusion) {
+        // Inclusion mode: keep only client inclusions, then overlay rules inclusions.
+        // Client exclusions (other than `_id: 0`) are incompatible with inclusion
+        // mode and are dropped; not-included fields are implicitly excluded anyway.
+        for (const [key, value] of Object.entries(filteredClient)) {
+            if (value === 1 || key === '_id')
+                merged[key] = value;
+        }
+        for (const key of rulesIncludeKeys)
+            merged[key] = 1;
+        // Allow `_id: 0` to be forced by rules in inclusion mode.
+        for (const key of rulesExcludeKeys) {
+            if (key === '_id')
+                merged[key] = 0;
+        }
+    }
+    else {
+        // Pure exclusion mode: combine all exclusions from both sides.
+        for (const [key, value] of Object.entries(filteredClient)) {
+            if (value === 0)
+                merged[key] = 0;
+        }
+        for (const key of rulesExcludeKeys)
+            merged[key] = 0;
+    }
+    return Object.keys(merged).length > 0 ? merged : undefined;
+};
+exports.mergeProjections = mergeProjections;
 const applyAccessControlToPipeline = (pipeline, rules, user, collectionName, options) => {
     const { isClientPipeline = false } = options || {};
     const hiddenFieldsForCollection = isClientPipeline
@@ -77,7 +139,7 @@ const applyAccessControlToPipeline = (pipeline, rules, user, collectionName, opt
             (0, exports.checkDenyOperation)(rules, currentCollection, model_1.CRUD_OPERATIONS.READ);
             const lookupRules = rules[currentCollection] || {};
             const formattedQuery = (0, exports.getFormattedQuery)(lookupRules.filters, {}, user);
-            const projection = (0, exports.getFormattedProjection)(lookupRules.filters);
+            const projection = (0, exports.getFormattedProjection)(lookupRules.filters, user);
             const nestedPipeline = (0, exports.applyAccessControlToPipeline)(lookUpStage.pipeline || [], rules, user, currentCollection, { isClientPipeline });
             const lookupPipeline = [
                 ...(formattedQuery.length ? [{ $match: { $and: formattedQuery } }] : []),
@@ -98,7 +160,7 @@ const applyAccessControlToPipeline = (pipeline, rules, user, collectionName, opt
             (0, exports.checkDenyOperation)(rules, currentCollection, model_1.CRUD_OPERATIONS.READ);
             const unionRules = rules[currentCollection] || {};
             const formattedQuery = (0, exports.getFormattedQuery)(unionRules.filters, {}, user);
-            const projection = (0, exports.getFormattedProjection)(unionRules.filters);
+            const projection = (0, exports.getFormattedProjection)(unionRules.filters, user);
             if (isSimpleStage) {
                 return stage;
             }

package/dist/utils/context/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/utils/context/index.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AA4JnD;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CAAC,EACpC,IAAI,EACJ,GAAG,EACH,KAAK,EACL,IAAI,EACJ,eAAe,EACf,aAAa,EACb,QAAQ,EACR,YAAY,EACZ,WAAW,EACX,eAAsB,EACtB,OAAO,EACP,OAAO,EACR,EAAE,qBAAqB,GAAG,OAAO,CAAC,OAAO,CAAC,CA2G1C;AAED,wBAAgB,mBAAmB,CAAC,EAClC,IAAI,EACJ,GAAG,EACH,KAAK,EACL,IAAI,EACJ,eAAe,EACf,aAAa,EACb,QAAQ,EACR,YAAY,EACZ,WAAW,EACX,eAAsB,EACtB,OAAO,EACR,EAAE,qBAAqB,GAAG,OAAO,CA6BjC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/utils/context/index.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AA8RnD;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CAAC,EACpC,IAAI,EACJ,GAAG,EACH,KAAK,EACL,IAAI,EACJ,eAAe,EACf,aAAa,EACb,QAAQ,EACR,YAAY,EACZ,WAAW,EACX,eAAsB,EACtB,OAAO,EACP,OAAO,EACR,EAAE,qBAAqB,GAAG,OAAO,CAAC,OAAO,CAAC,CA2G1C;AAED,wBAAgB,mBAAmB,CAAC,EAClC,IAAI,EACJ,GAAG,EACH,KAAK,EACL,IAAI,EACJ,eAAe,EACf,aAAa,EACb,QAAQ,EACR,YAAY,EACZ,WAAW,EACX,eAAsB,EACtB,OAAO,EACR,EAAE,qBAAqB,GAAG,OAAO,CA0BjC"}

package/dist/utils/context/index.js

@@ -14,6 +14,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.GenerateContext = GenerateContext;
 exports.GenerateContextSync = GenerateContextSync;
+const node_fs_1 = __importDefault(require("node:fs"));
 const node_module_1 = require("node:module");
 const node_path_1 = __importDefault(require("node:path"));
 const node_url_1 = require("node:url");
@@ -89,6 +90,27 @@ const wrapEsmModule = (code) => {
     ].join('\n');
     return `${prelude}\n${code}\n${trailer}`;
 };
+const transpileSandboxModule = (code) => {
+    const exportedNames = [];
+    let transformed = code.includes('import ')
+        ? transformImportsToRequire(code)
+        : code;
+    transformed = transformed.replace(/^\s*export\s+function\s+([A-Za-z_$][\w$]*)\s*\(/gm, (_match, name) => {
+        exportedNames.push(name);
+        return `function ${name}(`;
+    });
+    transformed = transformed.replace(/^\s*export\s+(const|let|var|class)\s+([A-Za-z_$][\w$]*)/gm, (_match, kind, name) => {
+        exportedNames.push(name);
+        return `${kind} ${name}`;
+    });
+    transformed = transformed.replace(/^\s*export\s+default\s+/gm, 'module.exports = ');
+    if (exportedNames.length === 0) {
+        return transformed;
+    }
+    return `${transformed}\n${[...new Set(exportedNames)]
+        .map((name) => `exports.${name} = ${name}`)
+        .join('\n')}`;
+};
 const resolveImportTarget = (specifier, customRequire) => {
     try {
         const resolved = customRequire.resolve(specifier);
@@ -109,6 +131,53 @@ const shouldFallbackFromVmModules = (error) => {
     const code = error.code;
     return code === 'ERR_VM_MODULES_DISABLED' || code === 'ERR_VM_MODULES_NOT_SUPPORTED';
 };
+const resolveModulePath = (specifier, parentFile) => {
+    const parentDir = node_path_1.default.dirname(parentFile);
+    const basePath = node_path_1.default.resolve(parentDir, specifier);
+    const candidates = [
+        basePath,
+        `${basePath}.js`,
+        `${basePath}.ts`,
+        node_path_1.default.join(basePath, 'index.js'),
+        node_path_1.default.join(basePath, 'index.ts')
+    ];
+    return candidates.find((candidate) => {
+        try {
+            return node_fs_1.default.statSync(candidate).isFile();
+        }
+        catch (_a) {
+            return false;
+        }
+    });
+};
+const executeSandboxModule = ({ code, contextData, filePath, moduleCache }) => {
+    var _a;
+    if (moduleCache.has(filePath)) {
+        return moduleCache.get(filePath);
+    }
+    const sandboxModule = { exports: {} };
+    moduleCache.set(filePath, sandboxModule.exports);
+    const baseRequire = (0, node_module_1.createRequire)(filePath);
+    const localRequire = ((specifier) => {
+        if (specifier.startsWith('.') || specifier.startsWith('/')) {
+            const resolvedPath = resolveModulePath(specifier, filePath);
+            if (resolvedPath) {
+                return executeSandboxModule({
+                    code: node_fs_1.default.readFileSync(resolvedPath, 'utf-8'),
+                    contextData,
+                    filePath: resolvedPath,
+                    moduleCache
+                });
+            }
+        }
+        return baseRequire(specifier);
+    });
+    const vmContext = vm_1.default.createContext(Object.assign(Object.assign({}, contextData), { require: localRequire, exports: sandboxModule.exports, module: sandboxModule, __filename: filePath, __dirname: node_path_1.default.dirname(filePath), __fb_require: localRequire, __fb_filename: filePath, __fb_dirname: node_path_1.default.dirname(filePath) }));
+    vm_1.default.runInContext(transpileSandboxModule(code), vmContext, { filename: filePath });
+    sandboxModule.exports = (_a = resolveExport(vmContext)) !== null && _a !== void 0 ? _a : sandboxModule.exports;
+    moduleCache.set(filePath, sandboxModule.exports);
+    return sandboxModule.exports;
+};
 const isExportedFunction = (value) => typeof value === 'function';
 const getDefaultExport = (value) => {
     if (!value || typeof value !== 'object')
@@ -128,11 +197,25 @@ const resolveExport = (ctx) => {
         return contextExports;
     return (_e = getDefaultExport(moduleExports)) !== null && _e !== void 0 ? _e : getDefaultExport(contextExports);
 };
-const buildVmContext = (contextData) => {
-    var _a, _b;
+const buildVmContext = (contextData, currentFunction) => {
+    var _a, _b, _c;
     const sandboxModule = { exports: {} };
-    const entryFile = (_b = (_a = require.main) === null || _a === void 0 ? void 0 : _a.filename) !== null && _b !== void 0 ? _b : process.cwd();
-    const customRequire = (0, node_module_1.createRequire)(entryFile);
+    const entryFile = (_c = (_a = currentFunction === null || currentFunction === void 0 ? void 0 : currentFunction.sourcePath) !== null && _a !== void 0 ? _a : (_b = require.main) === null || _b === void 0 ? void 0 : _b.filename) !== null && _c !== void 0 ? _c : process.cwd();
+    const moduleCache = new Map();
+    const customRequire = ((specifier) => {
+        if ((specifier.startsWith('.') || specifier.startsWith('/')) && (currentFunction === null || currentFunction === void 0 ? void 0 : currentFunction.sourcePath)) {
+            const resolvedPath = resolveModulePath(specifier, currentFunction.sourcePath);
+            if (resolvedPath) {
+                return executeSandboxModule({
+                    code: node_fs_1.default.readFileSync(resolvedPath, 'utf-8'),
+                    contextData,
+                    filePath: resolvedPath,
+                    moduleCache
+                });
+            }
+        }
+        return (0, node_module_1.createRequire)(entryFile)(specifier);
+    });
     const vmContext = vm_1.default.createContext(Object.assign(Object.assign({}, contextData), { require: customRequire, exports: sandboxModule.exports, module: sandboxModule, __filename,
         __dirname, __fb_require: customRequire, __fb_filename: __filename, __fb_dirname: __dirname }));
     return { sandboxModule, entryFile, customRequire, vmContext };
@@ -169,7 +252,7 @@ function GenerateContext(_a) {
                 GenerateContextSync,
                 request
             });
-            const { sandboxModule, entryFile, customRequire, vmContext } = buildVmContext(contextData);
+            const { sandboxModule, entryFile, customRequire, vmContext } = buildVmContext(contextData, functionToRun);
             const vmModules = vm_1.default;
             const hasStaticImport = /\bimport\s+/.test(functionToRun.code);
             let usedVmModules = false;
@@ -214,10 +297,7 @@ function GenerateContext(_a) {
                 }
             }
             if (!usedVmModules) {
-                const codeToRun = functionToRun.code.includes('import ')
-                    ? transformImportsToRequire(functionToRun.code)
-                    : functionToRun.code;
-                vm_1.default.runInContext(codeToRun, vmContext);
+                vm_1.default.runInContext(transpileSandboxModule(functionToRun.code), vmContext, { filename: entryFile });
             }
             sandboxModule.exports = (_a = resolveExport(vmContext)) !== null && _a !== void 0 ? _a : sandboxModule.exports;
             if (deserializeArgs) {
@@ -247,11 +327,8 @@ function GenerateContextSync({ args, app, rules, user, currentFunction, function
         GenerateContextSync,
         request
     });
-    const { sandboxModule, vmContext } = buildVmContext(contextData);
-    const codeToRun = functionToRun.code.includes('import ')
-        ? transformImportsToRequire(functionToRun.code)
-        : functionToRun.code;
-    vm_1.default.runInContext(codeToRun, vmContext);
+    const { sandboxModule, entryFile, vmContext } = buildVmContext(contextData, functionToRun);
+    vm_1.default.runInContext(transpileSandboxModule(functionToRun.code), vmContext, { filename: entryFile });
     sandboxModule.exports = (_a = resolveExport(vmContext)) !== null && _a !== void 0 ? _a : sandboxModule.exports;
     const fn = sandboxModule.exports;
     if (deserializeArgs) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flowerforce/flowerbase",
-  "version": "1.8.4-beta.2",
+  "version": "1.8.4-beta.4",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/features/functions/interface.ts

@@ -10,7 +10,10 @@ export interface FunctionConfig {
   disable_arg_logs?: boolean
 }
 
-export type Function = Omit<FunctionConfig, 'name'> & { code: string }
+export type Function = Omit<FunctionConfig, 'name'> & {
+  code: string
+  sourcePath?: string
+}
 
 export type Functions = Record<string, Function>
 

package/src/features/functions/utils.ts

@@ -27,7 +27,7 @@ export const loadFunctions = async (rootDir = process.cwd()): Promise<Functions>
       throw new Error(`File ${name}.js or ${name}.ts not found`)
     }
     code = fs.readFileSync(fnPath, 'utf-8')
-    acc[name] = { code, ...opts }
+    acc[name] = { code, sourcePath: fnPath, ...opts }
 
     return acc
   }, {} as Functions)
@@ -74,8 +74,8 @@ export const executeQuery = async ({
     typeof projection !== 'undefined'
       ? parsedProjection
       : parsedOptions &&
-          typeof parsedOptions === 'object' &&
-          'projection' in parsedOptions
+        typeof parsedOptions === 'object' &&
+        'projection' in parsedOptions
         ? (parsedOptions as Document).projection
         : undefined
   return {

package/src/services/mongodb-atlas/__tests__/utils.test.ts

@@ -1,4 +1,4 @@
-import { ensureClientPipelineStages, getHiddenFieldsFromRulesConfig, prependUnsetStage, applyAccessControlToPipeline } from '../utils'
+import { ensureClientPipelineStages, getHiddenFieldsFromRulesConfig, prependUnsetStage, applyAccessControlToPipeline, mergeProjections } from '../utils'
 import { Role } from '../../../utils/roles/interface'
 
 describe('MongoDB Atlas aggregate helpers', () => {
@@ -165,4 +165,89 @@ describe('MongoDB Atlas aggregate helpers', () => {
       })
     })
   })
+
+  describe('mergeProjections', () => {
+    it('returns undefined when both sides are empty', () => {
+      expect(mergeProjections(undefined, undefined)).toBeUndefined()
+      expect(mergeProjections({}, null)).toBeUndefined()
+    })
+
+    it('returns the client projection when rules have none', () => {
+      expect(mergeProjections({ a: 1, b: 1 }, null)).toEqual({ a: 1, b: 1 })
+    })
+
+    it('normalizes the rules projection when client has none', () => {
+      // Mixed inclusion/exclusion rules are normalized to pure inclusion mode.
+      expect(
+        mergeProjections(undefined, { item: 1, status: 1, instock: 0 })
+      ).toEqual({ item: 1, status: 1 })
+    })
+
+    it('merges plain inclusion projections (rules wins on conflict)', () => {
+      expect(
+        mergeProjections(
+          { item: 1, price: 1 },
+          { item: 1, status: 1 }
+        )
+      ).toEqual({ item: 1, status: 1, price: 1 })
+    })
+
+    it('supports dotted client keys alongside plain rules keys', () => {
+      expect(
+        mergeProjections(
+          { price: 1 },
+          { item: 1, status: 1, 'instock.qty': 1 }
+        )
+      ).toEqual({ item: 1, status: 1, 'instock.qty': 1, price: 1 })
+    })
+
+    it('drops client dotted keys when rules exclude the top-level field', () => {
+      // Rules: include item/status, exclude the whole `instock` subtree.
+      // Client tries to read `instock.qty` — it must be stripped.
+      expect(
+        mergeProjections(
+          { item: 1, status: 1, 'instock.qty': 1 },
+          { item: 1, status: 1, instock: 0 }
+        )
+      ).toEqual({ item: 1, status: 1 })
+    })
+
+    it('drops every client inclusion whose top-level is excluded by rules', () => {
+      expect(
+        mergeProjections(
+          {
+            item: 1,
+            'instock.qty': 1,
+            'instock.warehouse': 1,
+            price: 1
+          },
+          { item: 1, instock: 0 }
+        )
+      ).toEqual({ item: 1, price: 1 })
+    })
+
+    it('produces pure exclusion output when neither side has inclusions', () => {
+      expect(
+        mergeProjections({ secretA: 0 }, { secretB: 0 })
+      ).toEqual({ secretA: 0, secretB: 0 })
+    })
+
+    it('drops non-_id client exclusions when switching to inclusion mode', () => {
+      // Can't mix `{ price: 0, item: 1 }` in MongoDB — rules force inclusion
+      // mode so the client exclusion is silently dropped (price is implicitly
+      // excluded because it is not included).
+      expect(
+        mergeProjections({ price: 0 }, { item: 1 })
+      ).toEqual({ item: 1 })
+    })
+
+    it('keeps _id: 0 alongside inclusion mode', () => {
+      expect(
+        mergeProjections({ _id: 0 }, { item: 1 })
+      ).toEqual({ _id: 0, item: 1 })
+      expect(
+        mergeProjections({ item: 1 }, { _id: 0 })
+      ).toEqual({ _id: 0, item: 1 })
+    })
+  })
 })

package/src/services/mongodb-atlas/index.ts

@@ -35,6 +35,7 @@ import {
   getFormattedProjection,
   getFormattedQuery,
   getHiddenFieldsFromRulesConfig,
+  mergeProjections,
   normalizeQuery
 } from './utils'
 
@@ -558,13 +559,6 @@ const getOperators: GetOperatorsFunction = (
           projectionOrOptions,
           options
         )
-        const resolvedOptions =
-          projection || normalizedOptions
-            ? {
-              ...(normalizedOptions ?? {}),
-              ...(projection ? { projection } : {})
-            }
-            : undefined
         const resolvedQuery = query ?? {}
         if (!run_as_system) {
           checkDenyOperation(
@@ -574,6 +568,17 @@ const getOperators: GetOperatorsFunction = (
           )
           // Apply access control filters to the query
           const formattedQuery = getFormattedQuery(filters, resolvedQuery, user)
+          // Rules-level projection has priority over client-provided projection.
+          // The merged projection is passed natively to MongoDB.
+          const rulesProjection = getFormattedProjection(filters, user)
+          const finalProjection = mergeProjections(projection, rulesProjection)
+          const resolvedOptions =
+            finalProjection || normalizedOptions
+              ? {
+                ...(normalizedOptions ?? {}),
+                ...(finalProjection ? { projection: finalProjection } : {})
+              }
+              : undefined
           logDebug('update formattedQuery', {
             collection: collName,
             query,
@@ -629,8 +634,15 @@ const getOperators: GetOperatorsFunction = (
           emitMongoEvent('findOne')
           return Promise.resolve(response)
         }
-        // System mode: no validation applied
-        const response = await collection.findOne(resolvedQuery, resolvedOptions)
+        // System mode: no validation applied, only client-provided projection/options.
+        const systemOptions =
+          projection || normalizedOptions
+            ? {
+              ...(normalizedOptions ?? {}),
+              ...(projection ? { projection } : {})
+            }
+            : undefined
+        const response = await collection.findOne(resolvedQuery, systemOptions)
         emitMongoEvent('findOne')
         return response
       } catch (error) {
@@ -1023,13 +1035,6 @@ const getOperators: GetOperatorsFunction = (
           projectionOrOptions,
           options
         )
-        const resolvedOptions =
-          projection || normalizedOptions
-            ? {
-              ...(normalizedOptions ?? {}),
-              ...(projection ? { projection } : {})
-            }
-            : undefined
         if (!run_as_system) {
           checkDenyOperation(
             normalizedRules,
@@ -1039,6 +1044,17 @@ const getOperators: GetOperatorsFunction = (
           // Pre-query filtering based on access control rules
           const formattedQuery = getFormattedQuery(filters, query, user)
           const currentQuery = formattedQuery.length ? { $and: formattedQuery } : {}
+          // Rules-level projection has priority over client-provided projection.
+          // The merged projection is passed natively to MongoDB.
+          const rulesProjection = getFormattedProjection(filters, user)
+          const finalProjection = mergeProjections(projection, rulesProjection)
+          const resolvedOptions =
+            finalProjection || normalizedOptions
+              ? {
+                ...(normalizedOptions ?? {}),
+                ...(finalProjection ? { projection: finalProjection } : {})
+              }
+              : undefined
           // aggiunto filter per evitare questo errore: $and argument's entries must be objects
           const cursor = collection.find(currentQuery, resolvedOptions)
           const originalToArray = cursor.toArray.bind(cursor)
@@ -1084,8 +1100,15 @@ const getOperators: GetOperatorsFunction = (
           emitMongoEvent('find')
           return cursor
         }
-        // System mode: return original unfiltered cursor
-        const cursor = collection.find(query, resolvedOptions)
+        // System mode: return original unfiltered cursor (only client projection/options).
+        const systemOptions =
+          projection || normalizedOptions
+            ? {
+              ...(normalizedOptions ?? {}),
+              ...(projection ? { projection } : {})
+            }
+            : undefined
+        const cursor = collection.find(query, systemOptions)
         emitMongoEvent('find')
         return cursor
       } catch (error) {
@@ -1327,7 +1350,7 @@ const getOperators: GetOperatorsFunction = (
           formattedQuery,
           pipeline
         })
-        const projection = getFormattedProjection(filters)
+        const projection = getFormattedProjection(filters, user)
         const hiddenFields = getHiddenFieldsFromRulesConfig(rulesConfig)
 
         const sanitizedPipeline = applyAccessControlToPipeline(

package/src/services/mongodb-atlas/utils.ts

@@ -76,20 +76,89 @@ export const getFormattedProjection = (
   filters: Filter[] = [],
   user?: User
 ): Projection | null => {
-  const projections = filters
-    .filter((filter) => {
-      if (filter.projection) {
-        const preFilter = getValidRule({ filters, user })
-        const isValidPreFilter = !!preFilter?.length
-        return isValidPreFilter
-      }
-      return false
-    })
-    .map((f) => f.projection)
+  const projections = getValidRule({ filters, user })
+    .filter((f) => !!f.projection)
+    .map((f) => f.projection as Projection)
   if (!projections.length) return null
   return Object.assign({}, ...projections)
 }
 
+/**
+ * Merges a client-provided projection with the one computed from rules filters.
+ *
+ * Rules have higher priority over the client:
+ * - If rules exclude a top-level field (e.g. `{ instock: 0 }`), every client
+ *   reference to that field — including dotted sub-paths such as
+ *   `"instock.qty": 1` — is dropped from the final projection.
+ * - If rules include a field (value `1`), it is always part of the final
+ *   projection and overrides any conflicting client value.
+ * - The returned projection is always a valid MongoDB projection (no mixing of
+ *   inclusion and exclusion on non-`_id` keys), so it can be passed as-is to
+ *   native MongoDB methods.
+ * - Returns `undefined` when neither side provided a meaningful projection.
+ */
+export const mergeProjections = (
+  clientProjection: Projection | Document | undefined,
+  rulesProjection: Projection | null | undefined
+): Projection | Document | undefined => {
+  const hasClient = !!clientProjection && Object.keys(clientProjection).length > 0
+  const hasRules = !!rulesProjection && Object.keys(rulesProjection).length > 0
+  if (!hasClient && !hasRules) return undefined
+
+  const client = (hasClient ? (clientProjection as Projection) : {}) as Projection
+  const rules = (hasRules ? (rulesProjection as Projection) : {}) as Projection
+
+  const getTopLevel = (key: string) => key.split('.')[0]
+
+  const rulesEntries = Object.entries(rules)
+  const rulesIncludeKeys = rulesEntries
+    .filter(([, value]) => value === 1)
+    .map(([key]) => key)
+  const rulesExcludeKeys = rulesEntries
+    .filter(([, value]) => value === 0)
+    .map(([key]) => key)
+
+  // Top-level fields excluded by rules (excluding `_id` which has special
+  // MongoDB semantics and is allowed alongside inclusion projections).
+  const excludedTopLevel = new Set(
+    rulesExcludeKeys.map(getTopLevel).filter((key) => key !== '_id')
+  )
+
+  const filteredClient: Record<string, 0 | 1> = {}
+  for (const [key, value] of Object.entries(client)) {
+    if (excludedTopLevel.has(getTopLevel(key))) continue
+    filteredClient[key] = value as 0 | 1
+  }
+
+  const hasInclusion =
+    rulesIncludeKeys.some((key) => key !== '_id') ||
+    Object.entries(filteredClient).some(([key, value]) => value === 1 && key !== '_id')
+
+  const merged: Record<string, 0 | 1> = {}
+
+  if (hasInclusion) {
+    // Inclusion mode: keep only client inclusions, then overlay rules inclusions.
+    // Client exclusions (other than `_id: 0`) are incompatible with inclusion
+    // mode and are dropped; not-included fields are implicitly excluded anyway.
+    for (const [key, value] of Object.entries(filteredClient)) {
+      if (value === 1 || key === '_id') merged[key] = value
+    }
+    for (const key of rulesIncludeKeys) merged[key] = 1
+    // Allow `_id: 0` to be forced by rules in inclusion mode.
+    for (const key of rulesExcludeKeys) {
+      if (key === '_id') merged[key] = 0
+    }
+  } else {
+    // Pure exclusion mode: combine all exclusions from both sides.
+    for (const [key, value] of Object.entries(filteredClient)) {
+      if (value === 0) merged[key] = 0
+    }
+    for (const key of rulesExcludeKeys) merged[key] = 0
+  }
+
+  return Object.keys(merged).length > 0 ? merged : undefined
+}
+
 export const applyAccessControlToPipeline = (
   pipeline: AggregationPipeline,
   rules: Record<
@@ -120,7 +189,7 @@ export const applyAccessControlToPipeline = (
       checkDenyOperation(rules as Rules, currentCollection, CRUD_OPERATIONS.READ)
       const lookupRules = rules[currentCollection] || {}
       const formattedQuery = getFormattedQuery(lookupRules.filters, {}, user)
-      const projection = getFormattedProjection(lookupRules.filters)
+      const projection = getFormattedProjection(lookupRules.filters, user)
 
       const nestedPipeline = applyAccessControlToPipeline(
         lookUpStage.pipeline || [],
@@ -155,7 +224,7 @@ export const applyAccessControlToPipeline = (
       checkDenyOperation(rules as Rules, currentCollection, CRUD_OPERATIONS.READ)
       const unionRules = rules[currentCollection] || {}
       const formattedQuery = getFormattedQuery(unionRules.filters, {}, user)
-      const projection = getFormattedProjection(unionRules.filters)
+      const projection = getFormattedProjection(unionRules.filters, user)
 
       if (isSimpleStage) {
         return stage

package/src/utils/__tests__/contextExecuteCompatibility.test.ts

@@ -1,5 +1,8 @@
 import { GenerateContextSync } from '../context'
 import { Functions } from '../../features/functions/interface'
+import fs from 'node:fs'
+import os from 'node:os'
+import path from 'node:path'
 
 const mockServices = {
   api: jest.fn().mockReturnValue({}),
@@ -117,4 +120,41 @@ describe('context.functions.execute compatibility', () => {
 
     expect(result).toBe(true)
   })
+
+  it('loads same-directory helper modules for sandboxed functions', () => {
+    const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'flowerbase-context-'))
+    const helperPath = path.join(tempDir, 'getFreightRate.ts')
+
+    fs.writeFileSync(
+      helperPath,
+      'export function getFreightRate([address, amount, freightRateValues]) { return { address, total: amount * freightRateValues.multiplier } }'
+    )
+
+    const functionsList = {
+      caller: {
+        sourcePath: path.join(tempDir, 'caller.ts'),
+        code: `
+          import { getFreightRate } from './getFreightRate'
+
+          module.exports = function() {
+            return getFreightRate(['rome', 4, { multiplier: 2.5 }])
+          }
+        `
+      }
+    } as Functions
+
+    const result = GenerateContextSync({
+      args: [],
+      app: {} as any,
+      rules: {} as any,
+      user: {} as any,
+      currentFunction: functionsList.caller,
+      functionsList,
+      services: mockServices,
+      functionName: 'caller'
+    })
+
+    expect(result).toEqual({ address: 'rome', total: 10 })
+    fs.rmSync(tempDir, { recursive: true, force: true })
+  })
 })

package/src/utils/context/index.ts

@@ -1,9 +1,11 @@
+import fs from 'node:fs'
 import { createRequire } from 'node:module'
 import path from 'node:path'
 import { pathToFileURL } from 'node:url'
 import vm from 'vm'
 import { EJSON } from 'bson'
 import { StateManager } from '../../state'
+import { Function as AppFunction } from '../../features/functions/interface'
 import { generateContextData } from './helpers'
 import { GenerateContextParams } from './interface'
 
@@ -92,6 +94,42 @@ const wrapEsmModule = (code: string): string => {
   return `${prelude}\n${code}\n${trailer}`
 }
 
+const transpileSandboxModule = (code: string): string => {
+  const exportedNames: string[] = []
+  let transformed = code.includes('import ')
+    ? transformImportsToRequire(code)
+    : code
+
+  transformed = transformed.replace(
+    /^\s*export\s+function\s+([A-Za-z_$][\w$]*)\s*\(/gm,
+    (_match, name: string) => {
+      exportedNames.push(name)
+      return `function ${name}(`
+    }
+  )
+
+  transformed = transformed.replace(
+    /^\s*export\s+(const|let|var|class)\s+([A-Za-z_$][\w$]*)/gm,
+    (_match, kind: string, name: string) => {
+      exportedNames.push(name)
+      return `${kind} ${name}`
+    }
+  )
+
+  transformed = transformed.replace(
+    /^\s*export\s+default\s+/gm,
+    'module.exports = '
+  )
+
+  if (exportedNames.length === 0) {
+    return transformed
+  }
+
+  return `${transformed}\n${[...new Set(exportedNames)]
+    .map((name) => `exports.${name} = ${name}`)
+    .join('\n')}`
+}
+
 const resolveImportTarget = (specifier: string, customRequire: NodeRequire): string => {
   try {
     const resolved = customRequire.resolve(specifier)
@@ -123,6 +161,82 @@ type SandboxContext = vm.Context & {
   __fb_dirname?: string
 }
 
+type SandboxExecutionContext = ReturnType<typeof generateContextData>
+
+const resolveModulePath = (specifier: string, parentFile: string): string | undefined => {
+  const parentDir = path.dirname(parentFile)
+  const basePath = path.resolve(parentDir, specifier)
+  const candidates = [
+    basePath,
+    `${basePath}.js`,
+    `${basePath}.ts`,
+    path.join(basePath, 'index.js'),
+    path.join(basePath, 'index.ts')
+  ]
+
+  return candidates.find((candidate) => {
+    try {
+      return fs.statSync(candidate).isFile()
+    } catch {
+      return false
+    }
+  })
+}
+
+const executeSandboxModule = ({
+  code,
+  contextData,
+  filePath,
+  moduleCache
+}: {
+  code: string
+  contextData: SandboxExecutionContext
+  filePath: string
+  moduleCache: Map<string, unknown>
+}): unknown => {
+  if (moduleCache.has(filePath)) {
+    return moduleCache.get(filePath)
+  }
+
+  const sandboxModule: SandboxModule = { exports: {} }
+  moduleCache.set(filePath, sandboxModule.exports)
+  const baseRequire = createRequire(filePath)
+
+  const localRequire = ((specifier: string) => {
+    if (specifier.startsWith('.') || specifier.startsWith('/')) {
+      const resolvedPath = resolveModulePath(specifier, filePath)
+      if (resolvedPath) {
+        return executeSandboxModule({
+          code: fs.readFileSync(resolvedPath, 'utf-8'),
+          contextData,
+          filePath: resolvedPath,
+          moduleCache
+        })
+      }
+    }
+
+    return baseRequire(specifier)
+  }) as NodeRequire
+
+  const vmContext = vm.createContext({
+    ...contextData,
+    require: localRequire,
+    exports: sandboxModule.exports,
+    module: sandboxModule,
+    __filename: filePath,
+    __dirname: path.dirname(filePath),
+    __fb_require: localRequire,
+    __fb_filename: filePath,
+    __fb_dirname: path.dirname(filePath)
+  }) as SandboxContext
+
+  vm.runInContext(transpileSandboxModule(code), vmContext, { filename: filePath })
+  sandboxModule.exports = resolveExport(vmContext) ?? sandboxModule.exports
+  moduleCache.set(filePath, sandboxModule.exports)
+
+  return sandboxModule.exports
+}
+
 const isExportedFunction = (value: unknown): value is ExportedFunction =>
   typeof value === 'function'
 
@@ -141,10 +255,28 @@ const resolveExport = (ctx: SandboxContext): ExportedFunction | undefined => {
   return getDefaultExport(moduleExports) ?? getDefaultExport(contextExports)
 }
 
-const buildVmContext = (contextData: ReturnType<typeof generateContextData>) => {
+const buildVmContext = (
+  contextData: ReturnType<typeof generateContextData>,
+  currentFunction?: AppFunction
+) => {
   const sandboxModule: SandboxModule = { exports: {} }
-  const entryFile = require.main?.filename ?? process.cwd()
-  const customRequire = createRequire(entryFile)
+  const entryFile = currentFunction?.sourcePath ?? require.main?.filename ?? process.cwd()
+  const moduleCache = new Map<string, unknown>()
+  const customRequire = ((specifier: string) => {
+    if ((specifier.startsWith('.') || specifier.startsWith('/')) && currentFunction?.sourcePath) {
+      const resolvedPath = resolveModulePath(specifier, currentFunction.sourcePath)
+      if (resolvedPath) {
+        return executeSandboxModule({
+          code: fs.readFileSync(resolvedPath, 'utf-8'),
+          contextData,
+          filePath: resolvedPath,
+          moduleCache
+        })
+      }
+    }
+
+    return createRequire(entryFile)(specifier)
+  }) as NodeRequire
 
   const vmContext: SandboxContext = vm.createContext({
     ...contextData,
@@ -206,7 +338,10 @@ export async function GenerateContext({
       GenerateContextSync,
       request
     })
-    const { sandboxModule, entryFile, customRequire, vmContext } = buildVmContext(contextData)
+    const { sandboxModule, entryFile, customRequire, vmContext } = buildVmContext(
+      contextData,
+      functionToRun
+    )
 
     const vmModules = vm as typeof vm & {
       SourceTextModule?: typeof vm.SourceTextModule
@@ -271,10 +406,7 @@ export async function GenerateContext({
     }
 
     if (!usedVmModules) {
-      const codeToRun = functionToRun.code.includes('import ')
-        ? transformImportsToRequire(functionToRun.code)
-        : functionToRun.code
-      vm.runInContext(codeToRun, vmContext)
+      vm.runInContext(transpileSandboxModule(functionToRun.code), vmContext, { filename: entryFile })
     }
 
     sandboxModule.exports = resolveExport(vmContext) ?? sandboxModule.exports
@@ -323,12 +455,9 @@ export function GenerateContextSync({
     GenerateContextSync,
     request
   })
-  const { sandboxModule, vmContext } = buildVmContext(contextData)
-  const codeToRun = functionToRun.code.includes('import ')
-    ? transformImportsToRequire(functionToRun.code)
-    : functionToRun.code
+  const { sandboxModule, entryFile, vmContext } = buildVmContext(contextData, functionToRun)
 
-  vm.runInContext(codeToRun, vmContext)
+  vm.runInContext(transpileSandboxModule(functionToRun.code), vmContext, { filename: entryFile })
   sandboxModule.exports = resolveExport(vmContext) ?? sandboxModule.exports
   const fn = sandboxModule.exports as ExportedFunction
   if (deserializeArgs) {