@flowerforce/flowerbase 1.8.4-beta.3 → 1.8.4-beta.5

package/dist/services/mongodb-atlas/utils.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getCollectionsFromPipeline = exports.checkDenyOperation = exports.applyAccessControlToPipeline = exports.getFormattedProjection = exports.getFormattedQuery = exports.getValidRule = void 0;
+exports.getCollectionsFromPipeline = exports.checkDenyOperation = exports.applyAccessControlToPipeline = exports.mergeProjections = exports.getFormattedProjection = exports.getFormattedQuery = exports.getValidRule = void 0;
 exports.normalizeQuery = normalizeQuery;
 exports.ensureClientPipelineStages = ensureClientPipelineStages;
 exports.getHiddenFieldsFromRulesConfig = getHiddenFieldsFromRulesConfig;
@@ -48,21 +48,83 @@ const getFormattedQuery = (filters = [], query, user) => {
 };
 exports.getFormattedQuery = getFormattedQuery;
 const getFormattedProjection = (filters = [], user) => {
-    const projections = filters
-        .filter((filter) => {
-        if (filter.projection) {
-            const preFilter = (0, exports.getValidRule)({ filters, user });
-            const isValidPreFilter = !!(preFilter === null || preFilter === void 0 ? void 0 : preFilter.length);
-            return isValidPreFilter;
-        }
-        return false;
-    })
+    const projections = (0, exports.getValidRule)({ filters, user })
+        .filter((f) => !!f.projection)
         .map((f) => f.projection);
     if (!projections.length)
         return null;
     return Object.assign({}, ...projections);
 };
 exports.getFormattedProjection = getFormattedProjection;
+/**
+ * Merges a client-provided projection with the one computed from rules filters.
+ *
+ * Rules have higher priority over the client:
+ * - If rules exclude a top-level field (e.g. `{ instock: 0 }`), every client
+ *   reference to that field — including dotted sub-paths such as
+ *   `"instock.qty": 1` — is dropped from the final projection.
+ * - If rules include a field (value `1`), it is always part of the final
+ *   projection and overrides any conflicting client value.
+ * - The returned projection is always a valid MongoDB projection (no mixing of
+ *   inclusion and exclusion on non-`_id` keys), so it can be passed as-is to
+ *   native MongoDB methods.
+ * - Returns `undefined` when neither side provided a meaningful projection.
+ */
+const mergeProjections = (clientProjection, rulesProjection) => {
+    const hasClient = !!clientProjection && Object.keys(clientProjection).length > 0;
+    const hasRules = !!rulesProjection && Object.keys(rulesProjection).length > 0;
+    if (!hasClient && !hasRules)
+        return undefined;
+    const client = (hasClient ? clientProjection : {});
+    const rules = (hasRules ? rulesProjection : {});
+    const getTopLevel = (key) => key.split('.')[0];
+    const rulesEntries = Object.entries(rules);
+    const rulesIncludeKeys = rulesEntries
+        .filter(([, value]) => value === 1)
+        .map(([key]) => key);
+    const rulesExcludeKeys = rulesEntries
+        .filter(([, value]) => value === 0)
+        .map(([key]) => key);
+    // Top-level fields excluded by rules (excluding `_id` which has special
+    // MongoDB semantics and is allowed alongside inclusion projections).
+    const excludedTopLevel = new Set(rulesExcludeKeys.map(getTopLevel).filter((key) => key !== '_id'));
+    const filteredClient = {};
+    for (const [key, value] of Object.entries(client)) {
+        if (excludedTopLevel.has(getTopLevel(key)))
+            continue;
+        filteredClient[key] = value;
+    }
+    const hasInclusion = rulesIncludeKeys.some((key) => key !== '_id') ||
+        Object.entries(filteredClient).some(([key, value]) => value === 1 && key !== '_id');
+    const merged = {};
+    if (hasInclusion) {
+        // Inclusion mode: keep only client inclusions, then overlay rules inclusions.
+        // Client exclusions (other than `_id: 0`) are incompatible with inclusion
+        // mode and are dropped; not-included fields are implicitly excluded anyway.
+        for (const [key, value] of Object.entries(filteredClient)) {
+            if (value === 1 || key === '_id')
+                merged[key] = value;
+        }
+        for (const key of rulesIncludeKeys)
+            merged[key] = 1;
+        // Allow `_id: 0` to be forced by rules in inclusion mode.
+        for (const key of rulesExcludeKeys) {
+            if (key === '_id')
+                merged[key] = 0;
+        }
+    }
+    else {
+        // Pure exclusion mode: combine all exclusions from both sides.
+        for (const [key, value] of Object.entries(filteredClient)) {
+            if (value === 0)
+                merged[key] = 0;
+        }
+        for (const key of rulesExcludeKeys)
+            merged[key] = 0;
+    }
+    return Object.keys(merged).length > 0 ? merged : undefined;
+};
+exports.mergeProjections = mergeProjections;
 const applyAccessControlToPipeline = (pipeline, rules, user, collectionName, options) => {
     const { isClientPipeline = false } = options || {};
     const hiddenFieldsForCollection = isClientPipeline
@@ -77,7 +139,7 @@ const applyAccessControlToPipeline = (pipeline, rules, user, collectionName, opt
             (0, exports.checkDenyOperation)(rules, currentCollection, model_1.CRUD_OPERATIONS.READ);
             const lookupRules = rules[currentCollection] || {};
             const formattedQuery = (0, exports.getFormattedQuery)(lookupRules.filters, {}, user);
-            const projection = (0, exports.getFormattedProjection)(lookupRules.filters);
+            const projection = (0, exports.getFormattedProjection)(lookupRules.filters, user);
             const nestedPipeline = (0, exports.applyAccessControlToPipeline)(lookUpStage.pipeline || [], rules, user, currentCollection, { isClientPipeline });
             const lookupPipeline = [
                 ...(formattedQuery.length ? [{ $match: { $and: formattedQuery } }] : []),
@@ -98,7 +160,7 @@ const applyAccessControlToPipeline = (pipeline, rules, user, collectionName, opt
             (0, exports.checkDenyOperation)(rules, currentCollection, model_1.CRUD_OPERATIONS.READ);
             const unionRules = rules[currentCollection] || {};
             const formattedQuery = (0, exports.getFormattedQuery)(unionRules.filters, {}, user);
-            const projection = (0, exports.getFormattedProjection)(unionRules.filters);
+            const projection = (0, exports.getFormattedProjection)(unionRules.filters, user);
             if (isSimpleStage) {
                 return stage;
             }

package/dist/utils/context/helpers.d.ts

@@ -176,23 +176,23 @@ export declare const generateContextData: ({ user, services, app, rules, current
                     context: object;
                 }>;
             } | {
-                lambda: (region: string) => import("@aws-sdk/client-lambda/dist-types").Lambda & {
-                    Invoke: (params: import("@aws-sdk/client-lambda/dist-types").InvokeCommandInput) => Promise<Omit<import("@aws-sdk/client-lambda/dist-types").InvokeCommandOutput, "Payload"> & {
+                lambda: (region: string) => import("@aws-sdk/client-lambda").Lambda & {
+                    Invoke: (params: import("@aws-sdk/client-lambda").InvokeCommandInput) => Promise<Omit<import("@aws-sdk/client-lambda").InvokeCommandOutput, "Payload"> & {
                         Payload: {
                             text: () => string | undefined;
                         };
                     }>;
-                    InvokeAsync: (params: import("@aws-sdk/client-lambda/dist-types").InvokeAsyncCommandInput) => Promise<import("@aws-sdk/client-lambda/dist-types").InvokeAsyncCommandOutput>;
+                    InvokeAsync: (params: import("@aws-sdk/client-lambda").InvokeAsyncCommandInput) => Promise<import("@aws-sdk/client-lambda").InvokeAsyncCommandOutput>;
                 };
-                s3: (region: string) => import("@aws-sdk/client-s3/dist-types").S3Client & {
-                    PutObject: (params: import("@aws-sdk/client-s3/dist-types").PutObjectCommandInput) => Promise<import("@aws-sdk/client-s3/dist-types").PutObjectCommandOutput>;
-                    GetObject: (params: import("@aws-sdk/client-s3/dist-types").GetObjectCommandInput) => Promise<import("@aws-sdk/client-s3/dist-types").GetObjectCommandOutput>;
-                    getSignedUrl: (operation: "getObject" | "putObject", params: (import("@aws-sdk/client-s3/dist-types").GetObjectCommandInput | import("@aws-sdk/client-s3/dist-types").PutObjectCommandInput) & {
+                s3: (region: string) => import("@aws-sdk/client-s3").S3Client & {
+                    PutObject: (params: import("@aws-sdk/client-s3").PutObjectCommandInput) => Promise<import("@aws-sdk/client-s3").PutObjectCommandOutput>;
+                    GetObject: (params: import("@aws-sdk/client-s3").GetObjectCommandInput) => Promise<import("@aws-sdk/client-s3").GetObjectCommandOutput>;
+                    getSignedUrl: (operation: "getObject" | "putObject", params: (import("@aws-sdk/client-s3").GetObjectCommandInput | import("@aws-sdk/client-s3").PutObjectCommandInput) & {
                         Expires?: number;
                     }, options?: {
                         expiresIn?: number;
                     }) => Promise<string>;
-                    PresignURL: (params: (import("@aws-sdk/client-s3/dist-types").GetObjectCommandInput | import("@aws-sdk/client-s3/dist-types").PutObjectCommandInput) & {
+                    PresignURL: (params: (import("@aws-sdk/client-s3").GetObjectCommandInput | import("@aws-sdk/client-s3").PutObjectCommandInput) & {
                         Method?: string;
                         ExpirationMS?: number;
                         Expires?: number;
@@ -328,23 +328,23 @@ export declare const generateContextData: ({ user, services, app, rules, current
                 context: object;
             }>;
         } | {
-            lambda: (region: string) => import("@aws-sdk/client-lambda/dist-types").Lambda & {
-                Invoke: (params: import("@aws-sdk/client-lambda/dist-types").InvokeCommandInput) => Promise<Omit<import("@aws-sdk/client-lambda/dist-types").InvokeCommandOutput, "Payload"> & {
+            lambda: (region: string) => import("@aws-sdk/client-lambda").Lambda & {
+                Invoke: (params: import("@aws-sdk/client-lambda").InvokeCommandInput) => Promise<Omit<import("@aws-sdk/client-lambda").InvokeCommandOutput, "Payload"> & {
                     Payload: {
                         text: () => string | undefined;
                     };
                 }>;
-                InvokeAsync: (params: import("@aws-sdk/client-lambda/dist-types").InvokeAsyncCommandInput) => Promise<import("@aws-sdk/client-lambda/dist-types").InvokeAsyncCommandOutput>;
+                InvokeAsync: (params: import("@aws-sdk/client-lambda").InvokeAsyncCommandInput) => Promise<import("@aws-sdk/client-lambda").InvokeAsyncCommandOutput>;
             };
-            s3: (region: string) => import("@aws-sdk/client-s3/dist-types").S3Client & {
-                PutObject: (params: import("@aws-sdk/client-s3/dist-types").PutObjectCommandInput) => Promise<import("@aws-sdk/client-s3/dist-types").PutObjectCommandOutput>;
-                GetObject: (params: import("@aws-sdk/client-s3/dist-types").GetObjectCommandInput) => Promise<import("@aws-sdk/client-s3/dist-types").GetObjectCommandOutput>;
-                getSignedUrl: (operation: "getObject" | "putObject", params: (import("@aws-sdk/client-s3/dist-types").GetObjectCommandInput | import("@aws-sdk/client-s3/dist-types").PutObjectCommandInput) & {
+            s3: (region: string) => import("@aws-sdk/client-s3").S3Client & {
+                PutObject: (params: import("@aws-sdk/client-s3").PutObjectCommandInput) => Promise<import("@aws-sdk/client-s3").PutObjectCommandOutput>;
+                GetObject: (params: import("@aws-sdk/client-s3").GetObjectCommandInput) => Promise<import("@aws-sdk/client-s3").GetObjectCommandOutput>;
+                getSignedUrl: (operation: "getObject" | "putObject", params: (import("@aws-sdk/client-s3").GetObjectCommandInput | import("@aws-sdk/client-s3").PutObjectCommandInput) & {
                     Expires?: number;
                 }, options?: {
                     expiresIn?: number;
                 }) => Promise<string>;
-                PresignURL: (params: (import("@aws-sdk/client-s3/dist-types").GetObjectCommandInput | import("@aws-sdk/client-s3/dist-types").PutObjectCommandInput) & {
+                PresignURL: (params: (import("@aws-sdk/client-s3").GetObjectCommandInput | import("@aws-sdk/client-s3").PutObjectCommandInput) & {
                     Method?: string;
                     ExpirationMS?: number;
                     Expires?: number;
@@ -479,23 +479,23 @@ export declare const generateContextData: ({ user, services, app, rules, current
                 context: object;
             }>;
         } | {
-            lambda: (region: string) => import("@aws-sdk/client-lambda/dist-types").Lambda & {
-                Invoke: (params: import("@aws-sdk/client-lambda/dist-types").InvokeCommandInput) => Promise<Omit<import("@aws-sdk/client-lambda/dist-types").InvokeCommandOutput, "Payload"> & {
+            lambda: (region: string) => import("@aws-sdk/client-lambda").Lambda & {
+                Invoke: (params: import("@aws-sdk/client-lambda").InvokeCommandInput) => Promise<Omit<import("@aws-sdk/client-lambda").InvokeCommandOutput, "Payload"> & {
                     Payload: {
                         text: () => string | undefined;
                     };
                 }>;
-                InvokeAsync: (params: import("@aws-sdk/client-lambda/dist-types").InvokeAsyncCommandInput) => Promise<import("@aws-sdk/client-lambda/dist-types").InvokeAsyncCommandOutput>;
+                InvokeAsync: (params: import("@aws-sdk/client-lambda").InvokeAsyncCommandInput) => Promise<import("@aws-sdk/client-lambda").InvokeAsyncCommandOutput>;
             };
-            s3: (region: string) => import("@aws-sdk/client-s3/dist-types").S3Client & {
-                PutObject: (params: import("@aws-sdk/client-s3/dist-types").PutObjectCommandInput) => Promise<import("@aws-sdk/client-s3/dist-types").PutObjectCommandOutput>;
-                GetObject: (params: import("@aws-sdk/client-s3/dist-types").GetObjectCommandInput) => Promise<import("@aws-sdk/client-s3/dist-types").GetObjectCommandOutput>;
-                getSignedUrl: (operation: "getObject" | "putObject", params: (import("@aws-sdk/client-s3/dist-types").GetObjectCommandInput | import("@aws-sdk/client-s3/dist-types").PutObjectCommandInput) & {
+            s3: (region: string) => import("@aws-sdk/client-s3").S3Client & {
+                PutObject: (params: import("@aws-sdk/client-s3").PutObjectCommandInput) => Promise<import("@aws-sdk/client-s3").PutObjectCommandOutput>;
+                GetObject: (params: import("@aws-sdk/client-s3").GetObjectCommandInput) => Promise<import("@aws-sdk/client-s3").GetObjectCommandOutput>;
+                getSignedUrl: (operation: "getObject" | "putObject", params: (import("@aws-sdk/client-s3").GetObjectCommandInput | import("@aws-sdk/client-s3").PutObjectCommandInput) & {
                     Expires?: number;
                 }, options?: {
                     expiresIn?: number;
                 }) => Promise<string>;
-                PresignURL: (params: (import("@aws-sdk/client-s3/dist-types").GetObjectCommandInput | import("@aws-sdk/client-s3/dist-types").PutObjectCommandInput) & {
+                PresignURL: (params: (import("@aws-sdk/client-s3").GetObjectCommandInput | import("@aws-sdk/client-s3").PutObjectCommandInput) & {
                     Method?: string;
                     ExpirationMS?: number;
                     Expires?: number;

package/dist/utils/roles/machines/read/D/validators.d.ts

@@ -1,4 +1,4 @@
 import { MachineContext } from '../../interface';
 export declare const checkAdditionalFieldsFn: ({ role }: MachineContext) => boolean;
-export declare const checkIsValidFieldNameFn: (context: MachineContext) => Promise<import("bson/bson").Document>;
+export declare const checkIsValidFieldNameFn: (context: MachineContext) => Promise<import("bson").Document>;
 //# sourceMappingURL=validators.d.ts.map

package/dist/utils/roles/machines/read/D/validators.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../../../../../src/utils/roles/machines/read/D/validators.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAEhD,eAAO,MAAM,uBAAuB,GAAI,UAAU,cAAc,YAE/D,CAAA;AAED,eAAO,MAAM,uBAAuB,GAAU,SAAS,cAAc,0CAOpE,CAAA"}
+{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../../../../../src/utils/roles/machines/read/D/validators.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAEhD,eAAO,MAAM,uBAAuB,GAAI,UAAU,cAAc,YAE/D,CAAA;AAED,eAAO,MAAM,uBAAuB,GAAU,SAAS,cAAc,qCAOpE,CAAA"}

package/dist/utils/roles/machines/write/C/validators.d.ts

@@ -1,4 +1,4 @@
 import { MachineContext } from '../../interface';
 export declare const checkAdditionalFieldsFn: ({ role }: MachineContext) => boolean;
-export declare const checkIsValidFieldNameFn: (context: MachineContext) => Promise<import("bson/bson").Document>;
+export declare const checkIsValidFieldNameFn: (context: MachineContext) => Promise<import("bson").Document>;
 //# sourceMappingURL=validators.d.ts.map

package/dist/utils/roles/machines/write/C/validators.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../../../../../src/utils/roles/machines/write/C/validators.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAEhD,eAAO,MAAM,uBAAuB,GAAI,UAAU,cAAc,YAE/D,CAAA;AAED,eAAO,MAAM,uBAAuB,GAAU,SAAS,cAAc,0CAIpE,CAAA"}
+{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../../../../../src/utils/roles/machines/write/C/validators.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAEhD,eAAO,MAAM,uBAAuB,GAAI,UAAU,cAAc,YAE/D,CAAA;AAED,eAAO,MAAM,uBAAuB,GAAU,SAAS,cAAc,qCAIpE,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flowerforce/flowerbase",
-  "version": "1.8.4-beta.3",
+  "version": "1.8.4-beta.5",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/features/functions/__tests__/controller.test.ts

@@ -1,4 +1,5 @@
 import Fastify, { FastifyInstance, FastifyReply, FastifyRequest } from 'fastify'
+import { services } from '../../../services'
 import { GenerateContext } from '../../../utils/context'
 import { functionsController } from '../controller'
 
@@ -8,18 +9,19 @@ jest.mock('../../../utils/context', () => ({
 
 describe('functionsController', () => {
   let app: FastifyInstance
+  const originalMongoService = services['mongodb-atlas']
 
   beforeEach(async () => {
     app = Fastify()
 
     app.decorate('jwtAuthentication', async (request: FastifyRequest, _reply: FastifyReply) => {
-      ;(request as any).user = {
+      ; (request as any).user = {
         id: '507f191e810c19729de860ea',
         typ: 'access'
       }
     })
 
-    ;(GenerateContext as jest.Mock).mockResolvedValue({ ok: true })
+      ; (GenerateContext as jest.Mock).mockResolvedValue({ ok: true })
 
     await app.register(functionsController, {
       functionsList: {
@@ -33,6 +35,7 @@ describe('functionsController', () => {
   })
 
   afterEach(async () => {
+    services['mongodb-atlas'] = originalMongoService
     await app.close()
     jest.clearAllMocks()
   })
@@ -57,4 +60,41 @@ describe('functionsController', () => {
       })
     )
   })
+
+  it('passes mongodb-atlas distinct service arguments through POST /call', async () => {
+    const distinct = jest.fn().mockResolvedValue(['open'])
+    services['mongodb-atlas'] = jest.fn(() => ({
+      db: jest.fn().mockReturnValue({
+        collection: jest.fn().mockReturnValue({
+          distinct
+        })
+      })
+    })) as any
+
+    const response = await app.inject({
+      method: 'POST',
+      url: '/call',
+      payload: {
+        service: 'mongodb-atlas',
+        name: 'distinct',
+        arguments: [
+          {
+            database: 'app',
+            collection: 'todos',
+            key: 'status',
+            query: { archived: false },
+            options: { maxTimeMS: 250 }
+          }
+        ]
+      }
+    })
+
+    expect(response.statusCode).toBe(200)
+    expect(JSON.parse(response.body)).toEqual(['open'])
+    expect(distinct).toHaveBeenCalledWith(
+      'status',
+      { archived: false },
+      { maxTimeMS: 250 }
+    )
+  })
 })

package/src/features/functions/__tests__/utils.test.ts

@@ -30,4 +30,48 @@ describe('executeQuery', () => {
       { upsert: true }
     )
   })
+
+  it('passes distinct arguments through to the service method', async () => {
+    const currentMethod = jest.fn().mockResolvedValue(['open'])
+
+    const operators = await executeQuery({
+      currentMethod,
+      key: 'status',
+      query: { archived: false },
+      update: {},
+      options: { maxTimeMS: 500 }
+    } as any)
+
+    await operators.distinct()
+
+    expect(currentMethod).toHaveBeenCalledWith(
+      'status',
+      { archived: false },
+      { maxTimeMS: 500 }
+    )
+  })
+
+  it('passes bulkWrite operations through to the service method', async () => {
+    const currentMethod = jest.fn().mockResolvedValue({ acknowledged: true })
+    const operations = [
+      {
+        updateOne: {
+          filter: { archived: false },
+          update: { $set: { archived: true } }
+        }
+      }
+    ]
+
+    const operators = await executeQuery({
+      currentMethod,
+      query: {},
+      update: {},
+      operations,
+      options: { ordered: false }
+    } as any)
+
+    await operators.bulkWrite()
+
+    expect(currentMethod).toHaveBeenCalledWith(operations, { ordered: false })
+  })
 })

package/src/features/functions/controller.ts

@@ -9,6 +9,29 @@ import { Base64Function, FunctionCallBase64Dto, FunctionCallDto } from './dtos'
 import { FunctionController } from './interface'
 import { executeQuery } from './utils'
 
+const SUPPORTED_QUERY_METHODS = [
+  'find',
+  'findOne',
+  'count',
+  'countDocuments',
+  'distinct',
+  'deleteOne',
+  'insertOne',
+  'updateOne',
+  'findOneAndUpdate',
+  'aggregate',
+  'insertMany',
+  'bulkWrite',
+  'updateMany',
+  'deleteMany'
+] as const
+
+type SupportedQueryMethod = (typeof SUPPORTED_QUERY_METHODS)[number]
+
+const isSupportedQueryMethod = (value: unknown): value is SupportedQueryMethod =>
+  typeof value === 'string' &&
+  (SUPPORTED_QUERY_METHODS as readonly string[]).includes(value)
+
 const normalizeUser = (payload: Record<string, any> | undefined) => {
   if (!payload) return undefined
   const nestedUser =
@@ -352,6 +375,7 @@ export const functionsController: FunctionController = async (
       const [{
         database,
         collection,
+        key,
         query,
         filter,
         update,
@@ -360,9 +384,14 @@ export const functionsController: FunctionController = async (
         returnNewDocument,
         document,
         documents,
+        operations,
         pipeline = []
       }] = args
 
+      if (!isSupportedQueryMethod(method)) {
+        throw new Error(`Unsupported service method "${String(method)}"`)
+      }
+
       const currentMethod = serviceFn(app, { rules, user })
         .db(database)
         .collection(collection)[method]
@@ -371,6 +400,7 @@ export const functionsController: FunctionController = async (
       const operatorsByType = await executeQuery({
         currentMethod,
         query,
+        key,
         filter,
         update,
         projection,
@@ -378,10 +408,15 @@ export const functionsController: FunctionController = async (
         returnNewDocument,
         document,
         documents,
+        operations,
         pipeline,
         isClient: true
       })
-      const serviceResult = await operatorsByType[method as keyof typeof operatorsByType]()
+      const operator = operatorsByType[method]
+      if (typeof operator !== 'function') {
+        throw new Error(`Unsupported service method "${method}"`)
+      }
+      const serviceResult = await operator()
       res.type('application/json')
       return serializeEjson(serviceResult)
     }

package/src/features/functions/dtos.ts

@@ -23,6 +23,7 @@ export type FunctionCallBase64Dto = {
 type ArgumentsData = Arguments<{
   database: string
   collection: string
+  key?: string
   filter?: Document
   query: Parameters<GetOperatorsFunction>
   update: Document
@@ -31,6 +32,7 @@ type ArgumentsData = Arguments<{
   returnNewDocument?: boolean
   document: Document
   documents: Document[]
+  operations?: Document[]
   pipeline?: Document[]
 }>
 

package/src/features/functions/interface.ts

@@ -27,12 +27,14 @@ export type ExecuteQueryParams = {
   currentMethod: ReturnType<GetOperatorsFunction>[keyof ReturnType<GetOperatorsFunction>]
   query: Parameters<GetOperatorsFunction>
   update: Document
+  key?: string
   filter?: Document
   projection?: Document
   options?: Document
   returnNewDocument?: boolean
   document: Document
   documents: Document[]
+  operations?: Document[]
   pipeline: Document[]
   isClient?: boolean
 }

package/src/features/functions/utils.ts

@@ -45,12 +45,14 @@ export const executeQuery = async ({
   currentMethod,
   query,
   update,
+  key,
   filter,
   projection,
   options,
   returnNewDocument,
   document,
   documents,
+  operations,
   pipeline,
   isClient = false
 }: ExecuteQueryParams) => {
@@ -113,6 +115,12 @@ export const executeQuery = async ({
         EJSON.deserialize(resolvedQuery),
         parsedOptions
       ),
+    distinct: () =>
+      (currentMethod as ReturnType<GetOperatorsFunction>['distinct'])(
+        key ?? '',
+        EJSON.deserialize(resolvedQuery),
+        parsedOptions
+      ),
     deleteOne: () =>
       (currentMethod as ReturnType<GetOperatorsFunction>['deleteOne'])(
         EJSON.deserialize(resolvedQuery),
@@ -144,6 +152,11 @@ export const executeQuery = async ({
       (currentMethod as ReturnType<GetOperatorsFunction>['insertMany'])(
         EJSON.deserialize(documents)
       ),
+    bulkWrite: () =>
+      (currentMethod as ReturnType<GetOperatorsFunction>['bulkWrite'])(
+        EJSON.deserialize(operations ?? []),
+        parsedOptions
+      ),
     updateMany: () =>
       (currentMethod as ReturnType<GetOperatorsFunction>['updateMany'])(
         EJSON.deserialize(resolvedQuery),

package/src/services/mongodb-atlas/__tests__/realmCompatibility.test.ts

@@ -1,3 +1,5 @@
+/// <reference types="jest" />
+
 import { ObjectId } from 'mongodb'
 import MongoDbAtlas from '..'
 import { Rules } from '../../../features/rules/interface'
@@ -178,6 +180,70 @@ describe('mongodb-atlas Realm compatibility', () => {
     )
   })
 
+  it('forwards bulkWrite to the underlying collection in system mode', async () => {
+    const operations = [
+      {
+        updateOne: {
+          filter: { done: false },
+          update: { $set: { done: true } }
+        }
+      }
+    ]
+    const bulkWriteResult = {
+      acknowledged: true,
+      matchedCount: 1,
+      modifiedCount: 1,
+      insertedCount: 0,
+      deletedCount: 0,
+      upsertedCount: 0,
+      insertedIds: {},
+      upsertedIds: {}
+    }
+    const bulkWrite = jest.fn().mockResolvedValue(bulkWriteResult)
+    const collection = {
+      collectionName: 'todos',
+      bulkWrite
+    }
+
+    const operators = MongoDbAtlas(createAppWithCollection(collection) as any, {
+      run_as_system: true
+    }).db('db').collection('todos')
+
+    const result = await operators.bulkWrite(operations as any, { ordered: false } as any)
+
+    expect(result).toEqual(bulkWriteResult)
+    expect(bulkWrite).toHaveBeenCalledWith(operations, { ordered: false })
+  })
+
+  it('rejects bulkWrite outside run_as_system mode', async () => {
+    const bulkWrite = jest.fn()
+    const collection = {
+      collectionName: 'todos',
+      bulkWrite
+    }
+
+    const operators = MongoDbAtlas(createAppWithCollection(collection) as any, {
+      rules: createRules(),
+      user: { id: 'user-1' }
+    }).db('db').collection('todos')
+
+    await expect(
+      operators.bulkWrite(
+        [
+          {
+            updateOne: {
+              filter: { done: false },
+              update: { $set: { done: true } }
+            }
+          }
+        ] as any,
+        { ordered: false } as any
+      )
+    ).rejects.toThrow('bulkWrite is available only when run_as_system is enabled')
+
+    expect(bulkWrite).not.toHaveBeenCalled()
+  })
+
   it('supports operator updates in updateMany without using invalid aggregate stages', async () => {
     const id = new ObjectId()
     const find = jest.fn().mockReturnValue({
@@ -513,6 +579,56 @@ describe('mongodb-atlas Realm compatibility', () => {
     expect(result.insertedIds).toEqual([id0, id1])
   })
 
+  it('computes distinct values from readable documents only', async () => {
+    const find = jest.fn().mockReturnValue({
+      toArray: jest.fn().mockResolvedValue([
+        { _id: new ObjectId(), visible: 'A', secret: 'internal-1' },
+        { _id: new ObjectId(), visible: 'A', secret: 'internal-2' },
+        { _id: new ObjectId(), visible: 'B', secret: 'internal-1' }
+      ])
+    })
+    const collection = {
+      collectionName: 'todos',
+      find
+    }
+    const operators = MongoDbAtlas(createAppWithCollection(collection) as any, {
+      rules: createRules({
+        roles: [
+          {
+            name: 'reader',
+            apply_when: {},
+            insert: true,
+            delete: true,
+            search: true,
+            read: true,
+            write: true,
+            fields: {
+              visible: { read: true },
+              secret: { read: false, write: false }
+            }
+          } as any
+        ]
+      }),
+      user: { id: 'user-1' }
+    }).db('db').collection('todos')
+
+    const visibleResult = await operators.distinct('visible', { archived: false })
+    const secretResult = await operators.distinct('secret', { archived: false })
+
+    expect(visibleResult).toEqual(['A', 'B'])
+    expect(secretResult).toEqual([])
+    expect(find).toHaveBeenNthCalledWith(
+      1,
+      { $and: [{ archived: false }] },
+      { projection: { _id: 1, visible: 1 } }
+    )
+    expect(find).toHaveBeenNthCalledWith(
+      2,
+      { $and: [{ archived: false }] },
+      { projection: { _id: 1, secret: 1 } }
+    )
+  })
+
   it('exposes startSession and delegates to the underlying MongoClient', async () => {
     const mockSession = { withTransaction: jest.fn() }
     const startSession = jest.fn().mockReturnValue(mockSession)