@momentumcms/server-analog 0.5.4 → 0.5.5

package/CHANGELOG.md

@@ -1,3 +1,33 @@
+## 0.5.5 (2026-03-09)
+
+### 🚀 Features
+
+- extract syncDatabaseSchema + fix findById breaking change ([#52](https://github.com/DonaldMurillo/momentum-cms/pull/52))
+- swappable admin pages & layout slots with security hardening ([#51](https://github.com/DonaldMurillo/momentum-cms/pull/51))
+- NestJS server adapter + E2E stabilization (0.5.2) ([#48](https://github.com/DonaldMurillo/momentum-cms/pull/48))
+- S3, auth plugin wiring, redirects, and E2E tooling ([#41](https://github.com/DonaldMurillo/momentum-cms/pull/41))
+- client-side page view tracking and content performance improvements ([#39](https://github.com/DonaldMurillo/momentum-cms/pull/39))
+- blocks showcase with articles, pages, and UI fixes ([#36](https://github.com/DonaldMurillo/momentum-cms/pull/36))
+- add named tabs support with nested data grouping and UI improvements ([#30](https://github.com/DonaldMurillo/momentum-cms/pull/30))
+- Implement admin UI with API integration and SSR hydration ([9ed7b2bd](https://github.com/DonaldMurillo/momentum-cms/commit/9ed7b2bd))
+- Initialize Momentum CMS foundation ([f64f5817](https://github.com/DonaldMurillo/momentum-cms/commit/f64f5817))
+
+### 🩹 Fixes
+
+- Analog versioning access control + E2E improvements ([#54](https://github.com/DonaldMurillo/momentum-cms/pull/54))
+- add public access to form-builder npm publish config ([#46](https://github.com/DonaldMurillo/momentum-cms/pull/46))
+- Resolve non-null assertion bugs and CLAUDE.md violations ([#44](https://github.com/DonaldMurillo/momentum-cms/pull/44))
+- **create-momentum-app:** add shell option to execFileSync for Windows ([#28](https://github.com/DonaldMurillo/momentum-cms/pull/28))
+- correct repository URLs and add GitHub link to CLI ([#26](https://github.com/DonaldMurillo/momentum-cms/pull/26))
+- resolve CUD toast interceptor issues ([#17](https://github.com/DonaldMurillo/momentum-cms/pull/17), [#1](https://github.com/DonaldMurillo/momentum-cms/issues/1), [#2](https://github.com/DonaldMurillo/momentum-cms/issues/2), [#3](https://github.com/DonaldMurillo/momentum-cms/issues/3), [#4](https://github.com/DonaldMurillo/momentum-cms/issues/4))
+
+### ❤️ Thank You
+
+- Claude Haiku 4.5
+- Claude Opus 4.5
+- Claude Opus 4.6
+- Donald Murillo @DonaldMurillo
+
 ## 0.5.4 (2026-03-07)
 
 This was a version bump only for server-analog to align it with other projects, there were no code changes.

package/index.cjs

@@ -1814,6 +1814,12 @@ var DocumentNotFoundError = class extends Error {
     this.name = "DocumentNotFoundError";
   }
 };
+var DraftNotVisibleError = class extends Error {
+  constructor(collection, id) {
+    super(`Draft "${id}" in collection "${collection}" is not visible to the current user`);
+    this.name = "DraftNotVisibleError";
+  }
+};
 var AccessDeniedError = class extends Error {
   constructor(operation, collection) {
     super(`Access denied for ${operation} on collection "${collection}"`);
@@ -2231,13 +2237,31 @@ function stripTransientKeys(data) {
   }
   return result;
 }
+var COMPARISON_OPS = ["gt", "gte", "lt", "lte"];
 function flattenWhereClause(where) {
   if (!where)
     return {};
   const result = {};
   for (const [field, condition] of Object.entries(where)) {
-    if (typeof condition === "object" && condition !== null && "equals" in condition) {
-      result[field] = condition["equals"];
+    if (typeof condition !== "object" || condition === null) {
+      result[field] = condition;
+      continue;
+    }
+    const condObj = condition;
+    if ("equals" in condObj) {
+      result[field] = condObj["equals"];
+      continue;
+    }
+    const ops = {};
+    let hasComparisonOp = false;
+    for (const op of COMPARISON_OPS) {
+      if (op in condObj) {
+        ops[`$${op}`] = condObj[op];
+        hasComparisonOp = true;
+      }
+    }
+    if (hasComparisonOp) {
+      result[field] = ops;
     } else {
       result[field] = condition;
     }
@@ -2332,24 +2356,24 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     await this.runBeforeReadHooks();
     const doc = await this.adapter.findById(this.slug, id);
     if (!doc) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
     }
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && !options?.withDeleted && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- T is compatible with Record<string, unknown>
     doc[softDeleteField]) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
     }
     if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
       const canSeeDrafts = await this.canReadDrafts();
       if (!canSeeDrafts) {
         const record = doc;
         if (record["_status"] !== "published") {
-          return null;
+          throw new DraftNotVisibleError(this.slug, id);
         }
       }
     }
     if (!this.matchesDefaultWhereConstraints(doc)) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
     }
     const [processed] = await this.processAfterReadHooks([doc]);
     const MAX_RELATIONSHIP_DEPTH = 10;
@@ -3220,9 +3244,6 @@ function createMomentumHandlers(config) {
       const depth = typeof request.query?.["depth"] === "number" ? request.query["depth"] : void 0;
       const withDeleted = request.query?.["withDeleted"] === true;
       const doc = await api.collection(request.collectionSlug).findById(request.id, { depth, withDeleted });
-      if (!doc) {
-        return { error: "Document not found", status: 404 };
-      }
       return { doc };
     } catch (error) {
       return handleError(error);
@@ -3339,6 +3360,9 @@ function handleError(error) {
   if (error instanceof DocumentNotFoundError) {
     return { error: error.message, status: 404 };
   }
+  if (error instanceof DraftNotVisibleError) {
+    return { doc: null };
+  }
   if (error instanceof AccessDeniedError) {
     return { error: error.message, status: 403 };
   }
@@ -3735,7 +3759,14 @@ function buildGraphQLSchema(collections) {
           const api = getMomentumAPI();
           const ctx = buildAPIContext(context);
           const contextApi = Object.keys(ctx).length > 0 ? api.setContext(ctx) : api;
-          return contextApi.collection(col.slug).findById(args.id);
+          try {
+            return await contextApi.collection(col.slug).findById(args.id);
+          } catch (err) {
+            if (err instanceof Error && err.name === "DocumentNotFoundError") {
+              return null;
+            }
+            throw err;
+          }
         }
       };
       queryFields[plural.charAt(0).toLowerCase() + plural.slice(1)] = {
@@ -5366,7 +5397,13 @@ function createComprehensiveMomentumHandler(config) {
         return { docs: r.docs, totalDocs: r.totalDocs };
       },
       findById: async (slug2, id) => {
-        return await contextApi.collection(slug2).findById(id);
+        try {
+          return await contextApi.collection(slug2).findById(id);
+        } catch (err) {
+          if (err instanceof Error && err.name === "DocumentNotFoundError")
+            return null;
+          throw err;
+        }
       },
       count: (slug2) => contextApi.collection(slug2).count(),
       create: async (slug2, data) => {
@@ -5731,6 +5768,10 @@ function createComprehensiveMomentumHandler(config) {
           });
           return { doc: restored, message: "Version restored successfully" };
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           const message = sanitizeErrorMessage(error, "Unknown error");
           if (error instanceof Error && error.message.includes("mismatch")) {
             utils.setResponseStatus(event, 400);
@@ -5771,6 +5812,10 @@ function createComprehensiveMomentumHandler(config) {
           );
           return { differences };
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to compare versions",
@@ -5798,6 +5843,10 @@ function createComprehensiveMomentumHandler(config) {
           }
           return version;
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to fetch version",
@@ -5822,6 +5871,10 @@ function createComprehensiveMomentumHandler(config) {
           });
           return result;
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to fetch versions",
@@ -5862,12 +5915,7 @@ function createComprehensiveMomentumHandler(config) {
           }
         } else {
           const contextApi = getContextualAPI(user);
-          const doc = await contextApi.collection(collectionSlug2).findById(docId);
-          if (!doc) {
-            utils.setResponseStatus(event, 404);
-            return { error: "Document not found" };
-          }
-          docRecord = doc;
+          docRecord = await contextApi.collection(collectionSlug2).findById(docId);
         }
         const emailField = getEmailBuilderFieldName(collectionConfig);
         const html = emailField ? await renderEmailPreviewHTML(docRecord, emailField) : renderPreviewHTML({ doc: docRecord, collection: collectionConfig });
@@ -5936,6 +5984,10 @@ function createComprehensiveMomentumHandler(config) {
             return { message: "Scheduled publish cancelled" };
           }
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: `Failed to ${action.replace(/-/g, " ")}`,
@@ -5977,6 +6029,10 @@ function createComprehensiveMomentumHandler(config) {
         const status = await versionOps.getStatus(docId);
         return { status };
       } catch (error) {
+        if (error instanceof Error && error.name === "AccessDeniedError") {
+          utils.setResponseStatus(event, 403);
+          return { error: "Access denied" };
+        }
         utils.setResponseStatus(event, 500);
         return {
           error: "Failed to get status",

package/index.js

@@ -1781,6 +1781,12 @@ var DocumentNotFoundError = class extends Error {
     this.name = "DocumentNotFoundError";
   }
 };
+var DraftNotVisibleError = class extends Error {
+  constructor(collection, id) {
+    super(`Draft "${id}" in collection "${collection}" is not visible to the current user`);
+    this.name = "DraftNotVisibleError";
+  }
+};
 var AccessDeniedError = class extends Error {
   constructor(operation, collection) {
     super(`Access denied for ${operation} on collection "${collection}"`);
@@ -2198,13 +2204,31 @@ function stripTransientKeys(data) {
   }
   return result;
 }
+var COMPARISON_OPS = ["gt", "gte", "lt", "lte"];
 function flattenWhereClause(where) {
   if (!where)
     return {};
   const result = {};
   for (const [field, condition] of Object.entries(where)) {
-    if (typeof condition === "object" && condition !== null && "equals" in condition) {
-      result[field] = condition["equals"];
+    if (typeof condition !== "object" || condition === null) {
+      result[field] = condition;
+      continue;
+    }
+    const condObj = condition;
+    if ("equals" in condObj) {
+      result[field] = condObj["equals"];
+      continue;
+    }
+    const ops = {};
+    let hasComparisonOp = false;
+    for (const op of COMPARISON_OPS) {
+      if (op in condObj) {
+        ops[`$${op}`] = condObj[op];
+        hasComparisonOp = true;
+      }
+    }
+    if (hasComparisonOp) {
+      result[field] = ops;
     } else {
       result[field] = condition;
     }
@@ -2299,24 +2323,24 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     await this.runBeforeReadHooks();
     const doc = await this.adapter.findById(this.slug, id);
     if (!doc) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
     }
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && !options?.withDeleted && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- T is compatible with Record<string, unknown>
     doc[softDeleteField]) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
     }
     if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
       const canSeeDrafts = await this.canReadDrafts();
       if (!canSeeDrafts) {
         const record = doc;
         if (record["_status"] !== "published") {
-          return null;
+          throw new DraftNotVisibleError(this.slug, id);
         }
       }
     }
     if (!this.matchesDefaultWhereConstraints(doc)) {
-      return null;
+      throw new DocumentNotFoundError(this.slug, id);
     }
     const [processed] = await this.processAfterReadHooks([doc]);
     const MAX_RELATIONSHIP_DEPTH = 10;
@@ -3187,9 +3211,6 @@ function createMomentumHandlers(config) {
       const depth = typeof request.query?.["depth"] === "number" ? request.query["depth"] : void 0;
       const withDeleted = request.query?.["withDeleted"] === true;
       const doc = await api.collection(request.collectionSlug).findById(request.id, { depth, withDeleted });
-      if (!doc) {
-        return { error: "Document not found", status: 404 };
-      }
       return { doc };
     } catch (error) {
       return handleError(error);
@@ -3306,6 +3327,9 @@ function handleError(error) {
   if (error instanceof DocumentNotFoundError) {
     return { error: error.message, status: 404 };
   }
+  if (error instanceof DraftNotVisibleError) {
+    return { doc: null };
+  }
   if (error instanceof AccessDeniedError) {
     return { error: error.message, status: 403 };
   }
@@ -3715,7 +3739,14 @@ function buildGraphQLSchema(collections) {
           const api = getMomentumAPI();
           const ctx = buildAPIContext(context);
           const contextApi = Object.keys(ctx).length > 0 ? api.setContext(ctx) : api;
-          return contextApi.collection(col.slug).findById(args.id);
+          try {
+            return await contextApi.collection(col.slug).findById(args.id);
+          } catch (err) {
+            if (err instanceof Error && err.name === "DocumentNotFoundError") {
+              return null;
+            }
+            throw err;
+          }
         }
       };
       queryFields[plural.charAt(0).toLowerCase() + plural.slice(1)] = {
@@ -5346,7 +5377,13 @@ function createComprehensiveMomentumHandler(config) {
         return { docs: r.docs, totalDocs: r.totalDocs };
       },
       findById: async (slug2, id) => {
-        return await contextApi.collection(slug2).findById(id);
+        try {
+          return await contextApi.collection(slug2).findById(id);
+        } catch (err) {
+          if (err instanceof Error && err.name === "DocumentNotFoundError")
+            return null;
+          throw err;
+        }
       },
       count: (slug2) => contextApi.collection(slug2).count(),
       create: async (slug2, data) => {
@@ -5711,6 +5748,10 @@ function createComprehensiveMomentumHandler(config) {
           });
           return { doc: restored, message: "Version restored successfully" };
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           const message = sanitizeErrorMessage(error, "Unknown error");
           if (error instanceof Error && error.message.includes("mismatch")) {
             utils.setResponseStatus(event, 400);
@@ -5751,6 +5792,10 @@ function createComprehensiveMomentumHandler(config) {
           );
           return { differences };
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to compare versions",
@@ -5778,6 +5823,10 @@ function createComprehensiveMomentumHandler(config) {
           }
           return version;
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to fetch version",
@@ -5802,6 +5851,10 @@ function createComprehensiveMomentumHandler(config) {
           });
           return result;
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: "Failed to fetch versions",
@@ -5842,12 +5895,7 @@ function createComprehensiveMomentumHandler(config) {
           }
         } else {
           const contextApi = getContextualAPI(user);
-          const doc = await contextApi.collection(collectionSlug2).findById(docId);
-          if (!doc) {
-            utils.setResponseStatus(event, 404);
-            return { error: "Document not found" };
-          }
-          docRecord = doc;
+          docRecord = await contextApi.collection(collectionSlug2).findById(docId);
         }
         const emailField = getEmailBuilderFieldName(collectionConfig);
         const html = emailField ? await renderEmailPreviewHTML(docRecord, emailField) : renderPreviewHTML({ doc: docRecord, collection: collectionConfig });
@@ -5916,6 +5964,10 @@ function createComprehensiveMomentumHandler(config) {
             return { message: "Scheduled publish cancelled" };
           }
         } catch (error) {
+          if (error instanceof Error && error.name === "AccessDeniedError") {
+            utils.setResponseStatus(event, 403);
+            return { error: "Access denied" };
+          }
           utils.setResponseStatus(event, 500);
           return {
             error: `Failed to ${action.replace(/-/g, " ")}`,
@@ -5957,6 +6009,10 @@ function createComprehensiveMomentumHandler(config) {
         const status = await versionOps.getStatus(docId);
         return { status };
       } catch (error) {
+        if (error instanceof Error && error.name === "AccessDeniedError") {
+          utils.setResponseStatus(event, 403);
+          return { error: "Access denied" };
+        }
         utils.setResponseStatus(event, 500);
         return {
           error: "Failed to get status",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@momentumcms/server-analog",
-  "version": "0.5.4",
+  "version": "0.5.5",
   "description": "Nitro/h3 adapter for Momentum CMS with Analog.js support",
   "license": "MIT",
   "author": "Momentum CMS Contributors",