@momentumcms/server-analog 0.5.3 → 0.5.5

package/CHANGELOG.md

@@ -1,3 +1,37 @@
+## 0.5.5 (2026-03-09)
+
+### 🚀 Features
+
+- extract syncDatabaseSchema + fix findById breaking change ([#52](https://github.com/DonaldMurillo/momentum-cms/pull/52))
+- swappable admin pages & layout slots with security hardening ([#51](https://github.com/DonaldMurillo/momentum-cms/pull/51))
+- NestJS server adapter + E2E stabilization (0.5.2) ([#48](https://github.com/DonaldMurillo/momentum-cms/pull/48))
+- S3, auth plugin wiring, redirects, and E2E tooling ([#41](https://github.com/DonaldMurillo/momentum-cms/pull/41))
+- client-side page view tracking and content performance improvements ([#39](https://github.com/DonaldMurillo/momentum-cms/pull/39))
+- blocks showcase with articles, pages, and UI fixes ([#36](https://github.com/DonaldMurillo/momentum-cms/pull/36))
+- add named tabs support with nested data grouping and UI improvements ([#30](https://github.com/DonaldMurillo/momentum-cms/pull/30))
+- Implement admin UI with API integration and SSR hydration ([9ed7b2bd](https://github.com/DonaldMurillo/momentum-cms/commit/9ed7b2bd))
+- Initialize Momentum CMS foundation ([f64f5817](https://github.com/DonaldMurillo/momentum-cms/commit/f64f5817))
+
+### 🩹 Fixes
+
+- Analog versioning access control + E2E improvements ([#54](https://github.com/DonaldMurillo/momentum-cms/pull/54))
+- add public access to form-builder npm publish config ([#46](https://github.com/DonaldMurillo/momentum-cms/pull/46))
+- Resolve non-null assertion bugs and CLAUDE.md violations ([#44](https://github.com/DonaldMurillo/momentum-cms/pull/44))
+- **create-momentum-app:** add shell option to execFileSync for Windows ([#28](https://github.com/DonaldMurillo/momentum-cms/pull/28))
+- correct repository URLs and add GitHub link to CLI ([#26](https://github.com/DonaldMurillo/momentum-cms/pull/26))
+- resolve CUD toast interceptor issues ([#17](https://github.com/DonaldMurillo/momentum-cms/pull/17), [#1](https://github.com/DonaldMurillo/momentum-cms/issues/1), [#2](https://github.com/DonaldMurillo/momentum-cms/issues/2), [#3](https://github.com/DonaldMurillo/momentum-cms/issues/3), [#4](https://github.com/DonaldMurillo/momentum-cms/issues/4))
+
+### ❤️ Thank You
+
+- Claude Haiku 4.5
+- Claude Opus 4.5
+- Claude Opus 4.6
+- Donald Murillo @DonaldMurillo
+
+## 0.5.4 (2026-03-07)
+
+This was a version bump only for server-analog to align it with other projects, there were no code changes.
+
 ## 0.5.0 (2026-02-23)
 
 This was a version bump only for server-analog to align it with other projects, there were no code changes.

package/index.cjs

@@ -1452,6 +1452,14 @@ var MediaCollection = defineCollection({
   }
 });
 
+// libs/core/src/lib/versions/version.types.ts
+function hasVersionDrafts(collection) {
+  const v = collection.versions;
+  if (!v || typeof v === "boolean")
+    return false;
+  return !!v.drafts;
+}
+
 // libs/server-core/src/lib/field-access.ts
 function hasFieldAccessControl(fields) {
   for (const field of fields) {
@@ -1806,6 +1814,12 @@ var DocumentNotFoundError = class extends Error {
     this.name = "DocumentNotFoundError";
   }
 };
+var DraftNotVisibleError = class extends Error {
+  constructor(collection, id) {
+    super(`Draft "${id}" in collection "${collection}" is not visible to the current user`);
+    this.name = "DraftNotVisibleError";
+  }
+};
 var AccessDeniedError = class extends Error {
   constructor(operation, collection) {
     super(`Access denied for ${operation} on collection "${collection}"`);
@@ -2038,13 +2052,18 @@ var VersionOperationsImpl = class {
     }
     return "draft";
   }
-  async compare(versionId1, versionId2) {
+  async compare(versionId1, versionId2, parentId) {
     await this.checkAccess("readVersions");
     const version1 = await this.findVersionById(versionId1);
     const version2 = await this.findVersionById(versionId2);
     if (!version1 || !version2) {
       throw new Error("One or both versions not found");
     }
+    if (parentId) {
+      if (version1.parent !== parentId || version2.parent !== parentId) {
+        throw new Error("Version does not belong to the specified document");
+      }
+    }
     const data1 = version1.version;
     const data2 = version2.version;
     if (!isRecord(data1) || !isRecord(data2)) {
@@ -2099,6 +2118,9 @@ var VersionOperationsImpl = class {
   // Private Helpers
   // ============================================
   async checkAccess(operation) {
+    if (this.context.overrideAccess) {
+      return;
+    }
     const accessFn = this.collectionConfig.access?.[operation];
     if (!accessFn) {
       return;
@@ -2215,13 +2237,31 @@ function stripTransientKeys(data) {
   }
   return result;
 }
+var COMPARISON_OPS = ["gt", "gte", "lt", "lte"];
 function flattenWhereClause(where) {
   if (!where)
     return {};
   const result = {};
   for (const [field, condition] of Object.entries(where)) {
-    if (typeof condition === "object" && condition !== null && "equals" in condition) {
-      result[field] = condition["equals"];
+    if (typeof condition !== "object" || condition === null) {
+      result[field] = condition;
+      continue;
+    }
+    const condObj = condition;
+    if ("equals" in condObj) {
+      result[field] = condObj["equals"];
+      continue;
+    }
+    const ops = {};
+    let hasComparisonOp = false;
+    for (const op of COMPARISON_OPS) {
+      if (op in condObj) {
+        ops[`$${op}`] = condObj[op];
+        hasComparisonOp = true;
+      }
+    }
+    if (hasComparisonOp) {
+      result[field] = ops;
     } else {
       result[field] = condition;
     }
@@ -2255,6 +2295,12 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
         Object.assign(whereParams, constraints);
       }
     }
+    if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
+      const canSeeDrafts = await this.canReadDrafts();
+      if (!canSeeDrafts) {
+        whereParams["_status"] = "published";
+      }
+    }
     const query = {
       ...queryOptions,
       ...whereParams,
@@ -2310,15 +2356,24 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     await this.runBeforeReadHooks();
     const doc = await this.adapter.findById(this.slug, id);
     if (!doc) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
     }
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && !options?.withDeleted && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- T is compatible with Record<string, unknown>
     doc[softDeleteField]) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
+    }
+    if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
+      const canSeeDrafts = await this.canReadDrafts();
+      if (!canSeeDrafts) {
+        const record = doc;
+        if (record["_status"] !== "published") {
+          throw new DraftNotVisibleError(this.slug, id);
+        }
+      }
     }
     if (!this.matchesDefaultWhereConstraints(doc)) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
     }
     const [processed] = await this.processAfterReadHooks([doc]);
     const MAX_RELATIONSHIP_DEPTH = 10;
@@ -2402,6 +2457,15 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     if (!this.matchesDefaultWhereConstraints(originalDoc)) {
       throw new DocumentNotFoundError(this.slug, id);
     }
+    if (hasVersionDrafts(this.collectionConfig) && this.adapter.createVersion) {
+      const status = originalDoc["_status"] ?? "draft";
+      await this.adapter.createVersion(this.slug, id, originalDoc, { status });
+      const versionsConfig = this.collectionConfig.versions;
+      const maxPerDoc = typeof versionsConfig === "object" && versionsConfig !== null ? versionsConfig.maxPerDoc : void 0;
+      if (maxPerDoc && this.adapter.deleteVersions) {
+        await this.adapter.deleteVersions(this.slug, id, maxPerDoc);
+      }
+    }
     let processedData = data;
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && softDeleteField in processedData) {
@@ -2733,6 +2797,30 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       throw new AccessDeniedError(operation, this.slug);
     }
   }
+  /**
+   * Check if the current user can see draft documents (non-throwing).
+   * Uses `access.readDrafts` if configured, otherwise falls back to `access.update`.
+   */
+  async canReadDrafts() {
+    if (!this.context.user)
+      return false;
+    const readDraftsFn = this.collectionConfig.access?.readDrafts;
+    if (readDraftsFn) {
+      try {
+        return !!await Promise.resolve(readDraftsFn({ req: this.buildRequestContext() }));
+      } catch {
+        return false;
+      }
+    }
+    const updateFn = this.collectionConfig.access?.update;
+    if (!updateFn)
+      return true;
+    try {
+      return !!await Promise.resolve(updateFn({ req: this.buildRequestContext() }));
+    } catch {
+      return false;
+    }
+  }
   buildRequestContext() {
     return {
       user: this.context.user
@@ -3156,9 +3244,6 @@ function createMomentumHandlers(config) {
       const depth = typeof request.query?.["depth"] === "number" ? request.query["depth"] : void 0;
       const withDeleted = request.query?.["withDeleted"] === true;
       const doc = await api.collection(request.collectionSlug).findById(request.id, { depth, withDeleted });
-      if (!doc) {
-        return { error: "Document not found", status: 404 };
-      }
       return { doc };
     } catch (error) {
       return handleError(error);
@@ -3275,6 +3360,9 @@ function handleError(error) {
   if (error instanceof DocumentNotFoundError) {
     return { error: error.message, status: 404 };
   }
+  if (error instanceof DraftNotVisibleError) {
+    return { doc: null };
+  }
   if (error instanceof AccessDeniedError) {
     return { error: error.message, status: 403 };
   }
@@ -3412,8 +3500,9 @@ function buildGraphQLSchema(collections) {
   }
   function getOrCreateEnum(field, parentName) {
     const key = `${parentName}_${field.name}`;
-    if (enumCache.has(key)) {
-      return enumCache.get(key);
+    const cached = enumCache.get(key);
+    if (cached) {
+      return cached;
     }
     const values = {};
     for (const opt of field.options) {
@@ -3524,8 +3613,9 @@ function buildGraphQLSchema(collections) {
     }
   }
   function getOrCreateObjectType(fields, typeName) {
-    if (typeCache.has(typeName)) {
-      return typeCache.get(typeName);
+    const cachedType = typeCache.get(typeName);
+    if (cachedType) {
+      return cachedType;
     }
     const objType = new import_graphql2.GraphQLObjectType({
       name: typeName,
@@ -3546,8 +3636,9 @@ function buildGraphQLSchema(collections) {
   }
   function getOrCreateInputType(fields, typeName) {
     const inputName = `${typeName}Input`;
-    if (inputCache.has(inputName)) {
-      return inputCache.get(inputName);
+    const cachedInput = inputCache.get(inputName);
+    if (cachedInput) {
+      return cachedInput;
     }
     const inputType = new import_graphql2.GraphQLInputObjectType({
       name: inputName,
@@ -3668,7 +3759,14 @@ function buildGraphQLSchema(collections) {
           const api = getMomentumAPI();
           const ctx = buildAPIContext(context);
           const contextApi = Object.keys(ctx).length > 0 ? api.setContext(ctx) : api;
-          return contextApi.collection(col.slug).findById(args.id);
+          try {
+            return await contextApi.collection(col.slug).findById(args.id);
+          } catch (err) {
+            if (err instanceof Error && err.name === "DocumentNotFoundError") {
+              return null;
+            }
+            throw err;
+          }
         }
       };
       queryFields[plural.charAt(0).toLowerCase() + plural.slice(1)] = {
@@ -5299,7 +5397,13 @@ function createComprehensiveMomentumHandler(config) {
         return { docs: r.docs, totalDocs: r.totalDocs };
       },
       findById: async (slug2, id) => {
-        return await contextApi.collection(slug2).findById(id);
+        try {
+          return await contextApi.collection(slug2).findById(id);
+        } catch (err) {
+          if (err instanceof Error && err.name === "DocumentNotFoundError")
+            return null;
+          throw err;
+        }
       },
       count: (slug2) => contextApi.collection(slug2).count(),
       create: async (slug2, data) => {
@@ -5664,6 +5768,10 @@ function createComprehensiveMomentumHandler(config) {
           });
           return { doc: restored, message: "Version restored successfully" };
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           const message = sanitizeErrorMessage(error, "Unknown error");
           if (error instanceof Error && error.message.includes("mismatch")) {
             utils.setResponseStatus(event, 400);
@@ -5704,6 +5812,10 @@ function createComprehensiveMomentumHandler(config) {
           );
           return { differences };
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to compare versions",
@@ -5731,6 +5843,10 @@ function createComprehensiveMomentumHandler(config) {
           }
           return version;
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to fetch version",
@@ -5755,6 +5871,10 @@ function createComprehensiveMomentumHandler(config) {
           });
           return result;
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to fetch versions",
@@ -5795,12 +5915,7 @@ function createComprehensiveMomentumHandler(config) {
           }
         } else {
           const contextApi = getContextualAPI(user);
-          const doc = await contextApi.collection(collectionSlug2).findById(docId);
-          if (!doc) {
-            utils.setResponseStatus(event, 404);
-            return { error: "Document not found" };
-          }
-          docRecord = doc;
+          docRecord = await contextApi.collection(collectionSlug2).findById(docId);
         }
         const emailField = getEmailBuilderFieldName(collectionConfig);
         const html = emailField ? await renderEmailPreviewHTML(docRecord, emailField) : renderPreviewHTML({ doc: docRecord, collection: collectionConfig });
@@ -5869,6 +5984,10 @@ function createComprehensiveMomentumHandler(config) {
             return { message: "Scheduled publish cancelled" };
           }
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: `Failed to ${action.replace(/-/g, " ")}`,
@@ -5910,6 +6029,10 @@ function createComprehensiveMomentumHandler(config) {
         const status = await versionOps.getStatus(docId);
         return { status };
       } catch (error) {
+        if (error instanceof Error && error.name === "AccessDeniedError") {
+          utils.setResponseStatus(event, 403);
+          return { error: "Access denied" };
+        }
         utils.setResponseStatus(event, 500);
         return {
           error: "Failed to get status",

package/index.js

@@ -1419,6 +1419,14 @@ var MediaCollection = defineCollection({
   }
 });
 
+// libs/core/src/lib/versions/version.types.ts
+function hasVersionDrafts(collection) {
+  const v = collection.versions;
+  if (!v || typeof v === "boolean")
+    return false;
+  return !!v.drafts;
+}
+
 // libs/server-core/src/lib/field-access.ts
 function hasFieldAccessControl(fields) {
   for (const field of fields) {
@@ -1773,6 +1781,12 @@ var DocumentNotFoundError = class extends Error {
     this.name = "DocumentNotFoundError";
   }
 };
+var DraftNotVisibleError = class extends Error {
+  constructor(collection, id) {
+    super(`Draft "${id}" in collection "${collection}" is not visible to the current user`);
+    this.name = "DraftNotVisibleError";
+  }
+};
 var AccessDeniedError = class extends Error {
   constructor(operation, collection) {
     super(`Access denied for ${operation} on collection "${collection}"`);
@@ -2005,13 +2019,18 @@ var VersionOperationsImpl = class {
     }
     return "draft";
   }
-  async compare(versionId1, versionId2) {
+  async compare(versionId1, versionId2, parentId) {
     await this.checkAccess("readVersions");
     const version1 = await this.findVersionById(versionId1);
     const version2 = await this.findVersionById(versionId2);
     if (!version1 || !version2) {
       throw new Error("One or both versions not found");
     }
+    if (parentId) {
+      if (version1.parent !== parentId || version2.parent !== parentId) {
+        throw new Error("Version does not belong to the specified document");
+      }
+    }
     const data1 = version1.version;
     const data2 = version2.version;
     if (!isRecord(data1) || !isRecord(data2)) {
@@ -2066,6 +2085,9 @@ var VersionOperationsImpl = class {
   // Private Helpers
   // ============================================
   async checkAccess(operation) {
+    if (this.context.overrideAccess) {
+      return;
+    }
     const accessFn = this.collectionConfig.access?.[operation];
     if (!accessFn) {
       return;
@@ -2182,13 +2204,31 @@ function stripTransientKeys(data) {
   }
   return result;
 }
+var COMPARISON_OPS = ["gt", "gte", "lt", "lte"];
 function flattenWhereClause(where) {
   if (!where)
     return {};
   const result = {};
   for (const [field, condition] of Object.entries(where)) {
-    if (typeof condition === "object" && condition !== null && "equals" in condition) {
-      result[field] = condition["equals"];
+    if (typeof condition !== "object" || condition === null) {
+      result[field] = condition;
+      continue;
+    }
+    const condObj = condition;
+    if ("equals" in condObj) {
+      result[field] = condObj["equals"];
+      continue;
+    }
+    const ops = {};
+    let hasComparisonOp = false;
+    for (const op of COMPARISON_OPS) {
+      if (op in condObj) {
+        ops[`$${op}`] = condObj[op];
+        hasComparisonOp = true;
+      }
+    }
+    if (hasComparisonOp) {
+      result[field] = ops;
     } else {
       result[field] = condition;
     }
@@ -2222,6 +2262,12 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
         Object.assign(whereParams, constraints);
       }
     }
+    if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
+      const canSeeDrafts = await this.canReadDrafts();
+      if (!canSeeDrafts) {
+        whereParams["_status"] = "published";
+      }
+    }
     const query = {
       ...queryOptions,
       ...whereParams,
@@ -2277,15 +2323,24 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     await this.runBeforeReadHooks();
     const doc = await this.adapter.findById(this.slug, id);
     if (!doc) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
     }
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && !options?.withDeleted && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- T is compatible with Record<string, unknown>
     doc[softDeleteField]) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
+    }
+    if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
+      const canSeeDrafts = await this.canReadDrafts();
+      if (!canSeeDrafts) {
+        const record = doc;
+        if (record["_status"] !== "published") {
+          throw new DraftNotVisibleError(this.slug, id);
+        }
+      }
     }
     if (!this.matchesDefaultWhereConstraints(doc)) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
     }
     const [processed] = await this.processAfterReadHooks([doc]);
     const MAX_RELATIONSHIP_DEPTH = 10;
@@ -2369,6 +2424,15 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     if (!this.matchesDefaultWhereConstraints(originalDoc)) {
       throw new DocumentNotFoundError(this.slug, id);
     }
+    if (hasVersionDrafts(this.collectionConfig) && this.adapter.createVersion) {
+      const status = originalDoc["_status"] ?? "draft";
+      await this.adapter.createVersion(this.slug, id, originalDoc, { status });
+      const versionsConfig = this.collectionConfig.versions;
+      const maxPerDoc = typeof versionsConfig === "object" && versionsConfig !== null ? versionsConfig.maxPerDoc : void 0;
+      if (maxPerDoc && this.adapter.deleteVersions) {
+        await this.adapter.deleteVersions(this.slug, id, maxPerDoc);
+      }
+    }
     let processedData = data;
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && softDeleteField in processedData) {
@@ -2700,6 +2764,30 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       throw new AccessDeniedError(operation, this.slug);
     }
   }
+  /**
+   * Check if the current user can see draft documents (non-throwing).
+   * Uses `access.readDrafts` if configured, otherwise falls back to `access.update`.
+   */
+  async canReadDrafts() {
+    if (!this.context.user)
+      return false;
+    const readDraftsFn = this.collectionConfig.access?.readDrafts;
+    if (readDraftsFn) {
+      try {
+        return !!await Promise.resolve(readDraftsFn({ req: this.buildRequestContext() }));
+      } catch {
+        return false;
+      }
+    }
+    const updateFn = this.collectionConfig.access?.update;
+    if (!updateFn)
+      return true;
+    try {
+      return !!await Promise.resolve(updateFn({ req: this.buildRequestContext() }));
+    } catch {
+      return false;
+    }
+  }
   buildRequestContext() {
     return {
       user: this.context.user
@@ -3123,9 +3211,6 @@ function createMomentumHandlers(config) {
       const depth = typeof request.query?.["depth"] === "number" ? request.query["depth"] : void 0;
       const withDeleted = request.query?.["withDeleted"] === true;
       const doc = await api.collection(request.collectionSlug).findById(request.id, { depth, withDeleted });
-      if (!doc) {
-        return { error: "Document not found", status: 404 };
-      }
       return { doc };
     } catch (error) {
       return handleError(error);
@@ -3242,6 +3327,9 @@ function handleError(error) {
   if (error instanceof DocumentNotFoundError) {
     return { error: error.message, status: 404 };
   }
+  if (error instanceof DraftNotVisibleError) {
+    return { doc: null };
+  }
   if (error instanceof AccessDeniedError) {
     return { error: error.message, status: 403 };
   }
@@ -3392,8 +3480,9 @@ function buildGraphQLSchema(collections) {
   }
   function getOrCreateEnum(field, parentName) {
     const key = `${parentName}_${field.name}`;
-    if (enumCache.has(key)) {
-      return enumCache.get(key);
+    const cached = enumCache.get(key);
+    if (cached) {
+      return cached;
     }
     const values = {};
     for (const opt of field.options) {
@@ -3504,8 +3593,9 @@ function buildGraphQLSchema(collections) {
     }
   }
   function getOrCreateObjectType(fields, typeName) {
-    if (typeCache.has(typeName)) {
-      return typeCache.get(typeName);
+    const cachedType = typeCache.get(typeName);
+    if (cachedType) {
+      return cachedType;
     }
     const objType = new GraphQLObjectType({
       name: typeName,
@@ -3526,8 +3616,9 @@ function buildGraphQLSchema(collections) {
   }
   function getOrCreateInputType(fields, typeName) {
     const inputName = `${typeName}Input`;
-    if (inputCache.has(inputName)) {
-      return inputCache.get(inputName);
+    const cachedInput = inputCache.get(inputName);
+    if (cachedInput) {
+      return cachedInput;
     }
     const inputType = new GraphQLInputObjectType({
       name: inputName,
@@ -3648,7 +3739,14 @@ function buildGraphQLSchema(collections) {
           const api = getMomentumAPI();
           const ctx = buildAPIContext(context);
           const contextApi = Object.keys(ctx).length > 0 ? api.setContext(ctx) : api;
-          return contextApi.collection(col.slug).findById(args.id);
+          try {
+            return await contextApi.collection(col.slug).findById(args.id);
+          } catch (err) {
+            if (err instanceof Error && err.name === "DocumentNotFoundError") {
+              return null;
+            }
+            throw err;
+          }
         }
       };
       queryFields[plural.charAt(0).toLowerCase() + plural.slice(1)] = {
@@ -5279,7 +5377,13 @@ function createComprehensiveMomentumHandler(config) {
         return { docs: r.docs, totalDocs: r.totalDocs };
       },
       findById: async (slug2, id) => {
-        return await contextApi.collection(slug2).findById(id);
+        try {
+          return await contextApi.collection(slug2).findById(id);
+        } catch (err) {
+          if (err instanceof Error && err.name === "DocumentNotFoundError")
+            return null;
+          throw err;
+        }
       },
       count: (slug2) => contextApi.collection(slug2).count(),
       create: async (slug2, data) => {
@@ -5644,6 +5748,10 @@ function createComprehensiveMomentumHandler(config) {
           });
           return { doc: restored, message: "Version restored successfully" };
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           const message = sanitizeErrorMessage(error, "Unknown error");
           if (error instanceof Error && error.message.includes("mismatch")) {
             utils.setResponseStatus(event, 400);
@@ -5684,6 +5792,10 @@ function createComprehensiveMomentumHandler(config) {
           );
           return { differences };
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to compare versions",
@@ -5711,6 +5823,10 @@ function createComprehensiveMomentumHandler(config) {
           }
           return version;
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to fetch version",
@@ -5735,6 +5851,10 @@ function createComprehensiveMomentumHandler(config) {
           });
           return result;
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to fetch versions",
@@ -5775,12 +5895,7 @@ function createComprehensiveMomentumHandler(config) {
           }
         } else {
           const contextApi = getContextualAPI(user);
-          const doc = await contextApi.collection(collectionSlug2).findById(docId);
-          if (!doc) {
-            utils.setResponseStatus(event, 404);
-            return { error: "Document not found" };
-          }
-          docRecord = doc;
+          docRecord = await contextApi.collection(collectionSlug2).findById(docId);
         }
         const emailField = getEmailBuilderFieldName(collectionConfig);
         const html = emailField ? await renderEmailPreviewHTML(docRecord, emailField) : renderPreviewHTML({ doc: docRecord, collection: collectionConfig });
@@ -5849,6 +5964,10 @@ function createComprehensiveMomentumHandler(config) {
             return { message: "Scheduled publish cancelled" };
           }
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: `Failed to ${action.replace(/-/g, " ")}`,
@@ -5890,6 +6009,10 @@ function createComprehensiveMomentumHandler(config) {
         const status = await versionOps.getStatus(docId);
         return { status };
       } catch (error) {
+        if (error instanceof Error && error.name === "AccessDeniedError") {
+          utils.setResponseStatus(event, 403);
+          return { error: "Access denied" };
+        }
         utils.setResponseStatus(event, 500);
         return {
           error: "Failed to get status",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@momentumcms/server-analog",
-  "version": "0.5.3",
+  "version": "0.5.5",
   "description": "Nitro/h3 adapter for Momentum CMS with Analog.js support",
   "license": "MIT",
   "author": "Momentum CMS Contributors",