@momentumcms/server-analog 0.5.9 → 0.5.11

package/index.js

@@ -145,7 +145,7 @@ function s3StorageAdapter(options) {
     baseUrl,
     forcePathStyle = false,
     acl = "private",
-    presignedUrlExpiry = 3600
+    presignedUrlExpiry = 900
   } = options;
   let client = null;
   async function getClient() {
@@ -1854,6 +1854,21 @@ var VersionOperationsImpl = class {
         });
       }
     }
+    if (!this.context.overrideAccess && hasFieldAccessControl(this.collectionConfig.fields)) {
+      for (let i = 0; i < docs.length; i++) {
+        const version = docs[i].version;
+        if (version && typeof version === "object") {
+          const versionRecord = version;
+          const filtered = await filterReadableFields(
+            this.collectionConfig.fields,
+            versionRecord,
+            this.buildRequestContext()
+          );
+          const filteredAsT = filtered;
+          docs[i] = { ...docs[i], version: filteredAsT };
+        }
+      }
+    }
     const countOptions = {
       includeAutosave: options?.includeAutosave,
       status: options?.status
@@ -1883,9 +1898,21 @@ var VersionOperationsImpl = class {
     if (parsedVersion === null) {
       return null;
     }
+    let filteredVersion = parsedVersion;
+    if (!this.context.overrideAccess && hasFieldAccessControl(this.collectionConfig.fields)) {
+      if (filteredVersion && typeof filteredVersion === "object") {
+        const versionRecord = filteredVersion;
+        const filtered = await filterReadableFields(
+          this.collectionConfig.fields,
+          versionRecord,
+          this.buildRequestContext()
+        );
+        filteredVersion = filtered;
+      }
+    }
     return {
       ...version,
-      version: parsedVersion
+      version: filteredVersion
     };
   }
   async restore(options) {
@@ -2107,6 +2134,415 @@ var VersionOperationsImpl = class {
   }
 };
 
+// libs/server-core/src/lib/where-clause.ts
+var OPERATOR_MAP = {
+  equals: "$eq",
+  gt: "$gt",
+  gte: "$gte",
+  lt: "$lt",
+  lte: "$lte",
+  not_equals: "$ne",
+  like: "$like",
+  contains: "$contains",
+  in: "$in",
+  not_in: "$nin",
+  exists: "$exists"
+};
+var MAX_WHERE_CONDITIONS = 20;
+var MAX_JOINS = 5;
+var MAX_WHERE_NESTING_DEPTH = 5;
+var MAX_PAGE_LIMIT = 1e3;
+var MAX_PAGE = 1e6;
+var VALID_OPERATORS = new Set(Object.keys(OPERATOR_MAP));
+function countWhereConditions(where, depth = 0) {
+  if (depth > MAX_WHERE_NESTING_DEPTH) {
+    throw new ValidationError([
+      {
+        field: "where",
+        message: `Where clause nesting depth exceeds maximum of ${MAX_WHERE_NESTING_DEPTH} levels.`
+      }
+    ]);
+  }
+  let count = 0;
+  for (const [key, value] of Object.entries(where)) {
+    if ((key === "and" || key === "or") && Array.isArray(value)) {
+      for (const sub of value) {
+        if (typeof sub === "object" && sub !== null) {
+          count += countWhereConditions(sub, depth + 1);
+        }
+      }
+    } else {
+      count++;
+    }
+  }
+  return count;
+}
+function flattenWhereClause(where) {
+  if (!where)
+    return {};
+  const fieldCount = countWhereConditions(where);
+  if (fieldCount > MAX_WHERE_CONDITIONS) {
+    throw new ValidationError([
+      {
+        field: "where",
+        message: `Where clause exceeds maximum of ${MAX_WHERE_CONDITIONS} conditions (got ${fieldCount}).`
+      }
+    ]);
+  }
+  return flattenWhereRecursive(where, 0);
+}
+function flattenWhereRecursive(where, depth) {
+  if (depth > MAX_WHERE_NESTING_DEPTH) {
+    throw new ValidationError([
+      {
+        field: "where",
+        message: `Where clause nesting depth exceeds maximum of ${MAX_WHERE_NESTING_DEPTH} levels.`
+      }
+    ]);
+  }
+  const result = {};
+  for (const [field, condition] of Object.entries(where)) {
+    if (field === "and" || field === "or") {
+      if (!Array.isArray(condition)) {
+        throw new ValidationError([
+          {
+            field,
+            message: `The "${field}" operator requires an array of conditions.`
+          }
+        ]);
+      }
+      const internalKey = field === "and" ? "$and" : "$or";
+      result[internalKey] = condition.filter((sub) => typeof sub === "object" && sub !== null).map((sub) => {
+        if ("$join" in sub)
+          return sub;
+        return flattenWhereRecursive(sub, depth + 1);
+      });
+      continue;
+    }
+    if (typeof condition !== "object" || condition === null) {
+      result[field] = condition;
+      continue;
+    }
+    const condObj = condition;
+    const ops = {};
+    let hasOp = false;
+    for (const [userOp, internalOp] of Object.entries(OPERATOR_MAP)) {
+      if (userOp in condObj) {
+        let value = condObj[userOp];
+        if (internalOp === "$exists" && typeof value === "string") {
+          value = value === "true";
+        }
+        if (typeof value === "string") {
+          value = value.replace(/\0/g, "");
+        }
+        if (Array.isArray(value)) {
+          value = value.map(
+            (item) => typeof item === "string" ? item.replace(/\0/g, "") : item
+          );
+        }
+        ops[internalOp] = value;
+        hasOp = true;
+      }
+    }
+    for (const key of Object.keys(condObj)) {
+      if (!VALID_OPERATORS.has(key)) {
+        throw new ValidationError([
+          {
+            field,
+            message: `Unknown operator "${key}". Valid operators: ${[...VALID_OPERATORS].sort().join(", ")}`
+          }
+        ]);
+      }
+    }
+    if (hasOp) {
+      result[field] = ops;
+    } else {
+      result[field] = condition;
+    }
+  }
+  return result;
+}
+function extractRelationshipJoins(where, fields, allCollections) {
+  if (!where)
+    return { cleanedWhere: void 0, joins: [], allJoins: [] };
+  const dataFields = flattenDataFields(fields);
+  const fieldMap = new Map(dataFields.map((f) => [f.name, f]));
+  const joins = [];
+  const allJoins = [];
+  const cleanedWhere = {};
+  for (const [key, condition] of Object.entries(where)) {
+    if (key === "and" || key === "or") {
+      if (Array.isArray(condition)) {
+        const cleanedArray = [];
+        for (const sub of condition) {
+          if (typeof sub === "object" && sub !== null) {
+            const {
+              cleanedWhere: subCleaned,
+              joins: subTopJoins,
+              allJoins: subAllJoins
+            } = extractRelationshipJoins(
+              // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- WhereClause sub-object
+              sub,
+              fields,
+              allCollections
+            );
+            if (subCleaned)
+              cleanedArray.push(subCleaned);
+            for (const join2 of subTopJoins) {
+              cleanedArray.push({ ["$join"]: join2 });
+            }
+            allJoins.push(...subAllJoins);
+          }
+        }
+        if (cleanedArray.length > 0) {
+          cleanedWhere[key] = cleanedArray;
+        }
+      }
+      continue;
+    }
+    let field = fieldMap.get(key);
+    if (!field && key.includes(".")) {
+      const [rootKey, ...subPath] = key.split(".");
+      const rootField = fieldMap.get(rootKey);
+      if (rootField && rootField.type === "relationship" && subPath.length > 0 && condition !== null) {
+        let nested = condition;
+        for (let i = subPath.length - 1; i >= 0; i--) {
+          nested = { [subPath[i]]: nested };
+        }
+        field = rootField;
+        const {
+          cleanedWhere: subCleaned,
+          joins: subJoins,
+          allJoins: subAllJoins
+        } = extractRelationshipJoins(
+          // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- reconstructed nested where
+          { [rootKey]: nested },
+          fields,
+          allCollections
+        );
+        if (subCleaned)
+          Object.assign(cleanedWhere, subCleaned);
+        joins.push(...subJoins);
+        allJoins.push(...subAllJoins);
+        continue;
+      }
+    }
+    if (!field || field.type !== "relationship" || typeof condition !== "object" || condition === null) {
+      cleanedWhere[key] = condition;
+      continue;
+    }
+    const condObj = condition;
+    const condKeys = Object.keys(condObj);
+    const hasOperatorKeys = condKeys.some((k) => VALID_OPERATORS.has(k));
+    const hasNonOperatorKeys = condKeys.some((k) => !VALID_OPERATORS.has(k));
+    if (hasOperatorKeys && hasNonOperatorKeys) {
+      throw new ValidationError([
+        {
+          field: key,
+          message: `Cannot mix operators and sub-field references on relationship field "${key}". Use either operators (e.g. { equals: 'id' }) or sub-field queries (e.g. { name: { equals: 'value' } }), not both.`
+        }
+      ]);
+    }
+    if (!hasNonOperatorKeys) {
+      cleanedWhere[key] = condition;
+      continue;
+    }
+    const relField = field;
+    let targetSlug;
+    try {
+      const targetConfig = relField.collection();
+      if (targetConfig && typeof targetConfig === "object" && "slug" in targetConfig) {
+        targetSlug = targetConfig.slug;
+      }
+    } catch {
+    }
+    if (!targetSlug) {
+      throw new ValidationError([
+        {
+          field: key,
+          message: `Cannot resolve target collection for relationship field "${key}".`
+        }
+      ]);
+    }
+    const targetCollection = allCollections.find((c) => c.slug === targetSlug);
+    if (!targetCollection) {
+      throw new ValidationError([
+        {
+          field: key,
+          message: `Target collection "${targetSlug}" not found for relationship field "${key}".`
+        }
+      ]);
+    }
+    const subWhere = condition;
+    const flattenedConditions = flattenWhereClause(subWhere);
+    const targetTable = targetCollection.dbName ?? targetCollection.slug;
+    const joinSpec = {
+      targetTable,
+      localField: key,
+      targetField: "id",
+      conditions: flattenedConditions,
+      rawWhere: subWhere
+    };
+    joins.push(joinSpec);
+    allJoins.push(joinSpec);
+  }
+  return {
+    cleanedWhere: Object.keys(cleanedWhere).length > 0 ? cleanedWhere : void 0,
+    joins,
+    allJoins
+  };
+}
+var SYSTEM_QUERYABLE_FIELDS = /* @__PURE__ */ new Set(["id", "createdAt", "updatedAt", "_status"]);
+async function validateWhereFields(where, fields, req) {
+  if (!where)
+    return;
+  const dataFields = flattenDataFields(fields);
+  const fieldMap = new Map(dataFields.map((f) => [f.name, f]));
+  for (const fieldName of Object.keys(where)) {
+    if (fieldName === "and" || fieldName === "or") {
+      const subs = where[fieldName];
+      if (Array.isArray(subs)) {
+        for (const sub of subs) {
+          if (typeof sub === "object" && sub !== null) {
+            await validateWhereFields(sub, fields, req);
+          }
+        }
+      }
+      continue;
+    }
+    const baseName = fieldName.includes(".") ? fieldName.split(".")[0] : fieldName;
+    if (SYSTEM_QUERYABLE_FIELDS.has(baseName))
+      continue;
+    const field = fieldMap.get(baseName);
+    if (!field) {
+      throw new ValidationError([{ field: fieldName, message: `Unknown field: ${baseName}` }]);
+    }
+    if (!field.access?.read)
+      continue;
+    const allowed = await Promise.resolve(field.access.read({ req }));
+    if (!allowed) {
+      throw new AccessDeniedError("read", baseName);
+    }
+  }
+}
+async function validateSortField(sort, fields, req) {
+  if (!sort)
+    return;
+  const fieldName = sort.startsWith("-") ? sort.slice(1) : sort;
+  const baseName = fieldName.includes(".") ? fieldName.split(".")[0] : fieldName;
+  const dataFields = flattenDataFields(fields);
+  const field = dataFields.find((f) => f.name === baseName);
+  if (!field?.access?.read)
+    return;
+  const allowed = await Promise.resolve(field.access.read({ req }));
+  if (!allowed) {
+    throw new AccessDeniedError("read", baseName);
+  }
+}
+
+// libs/server-core/src/lib/api-utils.ts
+function deepEqual(a, b) {
+  if (a === b)
+    return true;
+  if (a == null || b == null)
+    return false;
+  if (typeof a !== "object" || typeof b !== "object")
+    return false;
+  if (Array.isArray(a)) {
+    if (!Array.isArray(b) || a.length !== b.length)
+      return false;
+    return a.every((item, i) => deepEqual(item, b[i]));
+  }
+  if (Array.isArray(b))
+    return false;
+  const aKeys = Object.keys(a);
+  const bKeys = Object.keys(b);
+  if (aKeys.length !== bKeys.length)
+    return false;
+  const aRec = a;
+  const bRec = b;
+  return aKeys.every(
+    (key) => Object.prototype.hasOwnProperty.call(bRec, key) && deepEqual(aRec[key], bRec[key])
+  );
+}
+function stripTransientKeys(data) {
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (!key.startsWith("_")) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+
+// libs/server-core/src/lib/collection-access.ts
+async function checkSingleCollectionAdminAccess(collection, user) {
+  const adminFn = collection.access?.admin;
+  if (!adminFn) {
+    return !!user;
+  }
+  const accessArgs = {
+    req: { user }
+  };
+  return Promise.resolve(adminFn(accessArgs));
+}
+async function checkAccessFunction(accessFn, user, defaultIfUndefined) {
+  if (!accessFn) {
+    return defaultIfUndefined;
+  }
+  const accessArgs = {
+    req: { user }
+  };
+  return Promise.resolve(accessFn(accessArgs));
+}
+async function getCollectionPermissions(config, user) {
+  const results = await Promise.all(
+    config.collections.map(async (collection) => {
+      const isManaged = collection.managed === true;
+      const [canAccess, canCreate, canRead, canUpdate, canDelete] = await Promise.all([
+        checkSingleCollectionAdminAccess(collection, user),
+        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.create, user, !!user),
+        checkAccessFunction(collection.access?.read, user, true),
+        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.update, user, !!user),
+        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.delete, user, !!user)
+      ]);
+      return {
+        slug: collection.slug,
+        canAccess,
+        canCreate,
+        canRead,
+        canUpdate,
+        canDelete,
+        ...isManaged ? { managed: true } : {}
+      };
+    })
+  );
+  return results;
+}
+var ACCESS_OPS = ["read", "create", "update", "delete"];
+var ACCESS_DEFAULTS = {
+  read: "public (anyone)",
+  create: "any authenticated user",
+  update: "any authenticated user",
+  delete: "any authenticated user"
+};
+function warnInsecureDefaults(collections) {
+  const logger = createLogger("Security");
+  const warnings = [];
+  for (const collection of collections) {
+    if (collection.managed)
+      continue;
+    const missing = ACCESS_OPS.filter((op) => !collection.access?.[op]);
+    if (missing.length > 0) {
+      const details = missing.map((op) => `${op} (${ACCESS_DEFAULTS[op]})`).join(", ");
+      const msg = `Collection "${collection.slug}" has no explicit access control for: ${details}. Define access functions to restrict.`;
+      logger.warn(msg);
+      warnings.push(msg);
+    }
+  }
+  return warnings;
+}
+
 // libs/server-core/src/lib/momentum-api.ts
 var momentumApiInstance = null;
 function initializeMomentumAPI(config) {
@@ -2114,6 +2550,7 @@ function initializeMomentumAPI(config) {
     createLogger("API").warn("Already initialized, returning existing instance");
     return momentumApiInstance;
   }
+  warnInsecureDefaults(config.collections);
   momentumApiInstance = new MomentumAPIImpl(config);
   return momentumApiInstance;
 }
@@ -2171,70 +2608,6 @@ var MomentumAPIImpl = class _MomentumAPIImpl {
     return { ...this.context };
   }
 };
-function deepEqual(a, b) {
-  if (a === b)
-    return true;
-  if (a == null || b == null)
-    return false;
-  if (typeof a !== "object" || typeof b !== "object")
-    return false;
-  if (Array.isArray(a)) {
-    if (!Array.isArray(b) || a.length !== b.length)
-      return false;
-    return a.every((item, i) => deepEqual(item, b[i]));
-  }
-  if (Array.isArray(b))
-    return false;
-  const aKeys = Object.keys(a);
-  const bKeys = Object.keys(b);
-  if (aKeys.length !== bKeys.length)
-    return false;
-  const aRec = a;
-  const bRec = b;
-  return aKeys.every(
-    (key) => Object.prototype.hasOwnProperty.call(bRec, key) && deepEqual(aRec[key], bRec[key])
-  );
-}
-function stripTransientKeys(data) {
-  const result = {};
-  for (const [key, value] of Object.entries(data)) {
-    if (!key.startsWith("_")) {
-      result[key] = value;
-    }
-  }
-  return result;
-}
-var COMPARISON_OPS = ["gt", "gte", "lt", "lte"];
-function flattenWhereClause(where) {
-  if (!where)
-    return {};
-  const result = {};
-  for (const [field, condition] of Object.entries(where)) {
-    if (typeof condition !== "object" || condition === null) {
-      result[field] = condition;
-      continue;
-    }
-    const condObj = condition;
-    if ("equals" in condObj) {
-      result[field] = condObj["equals"];
-      continue;
-    }
-    const ops = {};
-    let hasComparisonOp = false;
-    for (const op of COMPARISON_OPS) {
-      if (op in condObj) {
-        ops[`$${op}`] = condObj[op];
-        hasComparisonOp = true;
-      }
-    }
-    if (hasComparisonOp) {
-      result[field] = ops;
-    } else {
-      result[field] = condition;
-    }
-  }
-  return result;
-}
 var CollectionOperationsImpl = class _CollectionOperationsImpl {
   constructor(slug2, collectionConfig, adapter, context, allCollections = []) {
     this.slug = slug2;
@@ -2245,11 +2618,37 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
   }
   async find(options = {}) {
     await this.checkAccess("read");
+    if (!this.context.overrideAccess) {
+      await validateWhereFields(
+        options.where,
+        this.collectionConfig.fields,
+        this.buildRequestContext()
+      );
+      await validateSortField(
+        options.sort,
+        this.collectionConfig.fields,
+        this.buildRequestContext()
+      );
+    }
     await this.runBeforeReadHooks();
-    const limit = options.limit ?? 10;
-    const page = options.page ?? 1;
+    const rawLimit = options.limit ?? 10;
+    const rawPage = options.page ?? 1;
+    const limit = Math.max(
+      1,
+      Math.min(Number.isFinite(rawLimit) ? Math.floor(rawLimit) : 10, MAX_PAGE_LIMIT)
+    );
+    const page = Math.max(
+      1,
+      Math.min(Number.isFinite(rawPage) ? Math.floor(rawPage) : 1, MAX_PAGE)
+    );
     const { depth: _depth, where, withDeleted: _wd, onlyDeleted: _od, ...queryOptions } = options;
-    const whereParams = flattenWhereClause(where);
+    const { cleanedWhere, joins, allJoins } = extractRelationshipJoins(
+      where,
+      this.collectionConfig.fields,
+      this.allCollections
+    );
+    await this.enforceWhereLimits(cleanedWhere, allJoins);
+    const whereParams = flattenWhereClause(cleanedWhere);
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && !options.withDeleted && !options.onlyDeleted) {
       whereParams[softDeleteField] = null;
@@ -2274,6 +2673,9 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       limit,
       page
     };
+    if (joins.length > 0) {
+      query["$joins"] = joins.map(({ rawWhere: _rw, ...rest }) => rest);
+    }
     const docs = await this.adapter.find(this.slug, query);
     let afterHookDocs = await this.processAfterReadHooks(docs);
     const MAX_RELATIONSHIP_DEPTH = 10;
@@ -2297,14 +2699,15 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       );
     }
     const countQuery = { ...queryOptions, ...whereParams };
+    if (joins.length > 0) {
+      countQuery["$joins"] = joins.map(({ rawWhere: _rw, ...rest }) => rest);
+    }
     delete countQuery["limit"];
     delete countQuery["page"];
-    const allDocs = await this.adapter.find(this.slug, {
-      ...countQuery,
-      limit: 0
-      // Signal to adapter: count-only (returns all if not supported)
-    });
-    const totalDocs = allDocs.length;
+    const totalDocs = this.adapter.count ? await this.adapter.count(this.slug, countQuery) : (
+      // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- Adapter returns Record<string, unknown>[], safe cast to T[]
+      (await this.adapter.find(this.slug, { ...countQuery, limit: 0 })).length
+    );
     const totalPages = Math.ceil(totalDocs / limit) || 1;
     return {
       docs: afterHookDocs,
@@ -2541,7 +2944,12 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
   async restore(id) {
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (!softDeleteField) {
-      throw new Error(`Collection "${this.slug}" does not have soft delete enabled`);
+      throw new ValidationError([
+        {
+          field: "_softDelete",
+          message: `Collection "${this.slug}" does not have soft delete enabled`
+        }
+      ]);
     }
     const restoreAccessFn = this.collectionConfig.access?.restore;
     if (restoreAccessFn) {
@@ -2599,20 +3007,43 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     if (softDeleteField) {
       softDeleteFilter[softDeleteField] = null;
     }
+    const defaultWhereFilter = {};
+    if (this.collectionConfig.defaultWhere) {
+      const constraints = this.collectionConfig.defaultWhere(this.buildRequestContext());
+      if (constraints) {
+        Object.assign(defaultWhereFilter, constraints);
+      }
+    }
     let docs;
     if (this.adapter.search) {
       docs = await this.adapter.search(this.slug, query, searchFields, { limit, page });
       if (softDeleteField) {
         docs = docs.filter((doc) => !doc[softDeleteField]);
       }
+      if (Object.keys(defaultWhereFilter).length > 0) {
+        docs = docs.filter((doc) => {
+          return Object.entries(defaultWhereFilter).every(([key, value]) => {
+            if (value && typeof value === "object" && !Array.isArray(value)) {
+              return JSON.stringify(doc[key]) === JSON.stringify(value);
+            }
+            return doc[key] === value;
+          });
+        });
+      }
     } else {
-      docs = await this.adapter.find(this.slug, { ...softDeleteFilter, limit, page });
+      docs = await this.adapter.find(this.slug, {
+        ...softDeleteFilter,
+        ...defaultWhereFilter,
+        limit,
+        page
+      });
     }
     const resolvedDocs = docs;
-    const totalDocs = resolvedDocs.length;
+    const afterHookDocs = await this.processAfterReadHooks(resolvedDocs);
+    const totalDocs = afterHookDocs.length;
     const totalPages = Math.max(1, Math.ceil(totalDocs / limit));
     return {
-      docs: resolvedDocs,
+      docs: afterHookDocs,
       totalDocs,
       totalPages,
       page,
@@ -2625,13 +3056,40 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
   }
   async count(where, options) {
     await this.checkAccess("read");
-    const whereParams = flattenWhereClause(where);
+    if (!this.context.overrideAccess) {
+      await validateWhereFields(where, this.collectionConfig.fields, this.buildRequestContext());
+    }
+    const { cleanedWhere, joins, allJoins } = extractRelationshipJoins(
+      where,
+      this.collectionConfig.fields,
+      this.allCollections
+    );
+    await this.enforceWhereLimits(cleanedWhere, allJoins);
+    const whereParams = flattenWhereClause(cleanedWhere);
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && !options?.withDeleted) {
       whereParams[softDeleteField] = null;
     }
-    const query = { ...whereParams, limit: 0 };
-    const docs = await this.adapter.find(this.slug, query);
+    if (this.collectionConfig.defaultWhere) {
+      const constraints = this.collectionConfig.defaultWhere(this.buildRequestContext());
+      if (constraints) {
+        Object.assign(whereParams, constraints);
+      }
+    }
+    if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
+      const canSeeDrafts = await this.canReadDrafts();
+      if (!canSeeDrafts) {
+        whereParams["_status"] = "published";
+      }
+    }
+    const query = { ...whereParams };
+    if (joins.length > 0) {
+      query["$joins"] = joins.map(({ rawWhere: _rw, ...rest }) => rest);
+    }
+    if (this.adapter.count) {
+      return this.adapter.count(this.slug, query);
+    }
+    const docs = await this.adapter.find(this.slug, { ...query, limit: 0 });
     return docs.length;
   }
   async batchCreate(items) {
@@ -2791,6 +3249,46 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       return false;
     }
   }
+  async enforceWhereLimits(cleanedWhere, joins) {
+    if (joins.length > MAX_JOINS) {
+      throw new ValidationError([
+        {
+          field: "where",
+          message: `Number of relationship joins (${joins.length}) exceeds maximum of ${MAX_JOINS}.`
+        }
+      ]);
+    }
+    const mainCount = cleanedWhere ? countWhereConditions(cleanedWhere) : 0;
+    const joinCount = joins.reduce((sum, j) => sum + countWhereConditions(j.rawWhere), 0);
+    const totalConditions = mainCount + joinCount;
+    if (totalConditions > MAX_WHERE_CONDITIONS) {
+      throw new ValidationError([
+        {
+          field: "where",
+          message: `Where clause exceeds maximum of ${MAX_WHERE_CONDITIONS} conditions (got ${totalConditions} across main query and ${joins.length} join(s)).`
+        }
+      ]);
+    }
+    if (!this.context.overrideAccess) {
+      for (const join2 of joins) {
+        const targetCol = this.allCollections.find(
+          (c) => (c.dbName ?? c.slug) === join2.targetTable
+        );
+        if (targetCol) {
+          const collectionAccessFn = targetCol.access?.read;
+          if (collectionAccessFn) {
+            const allowed = await Promise.resolve(
+              collectionAccessFn({ req: this.buildRequestContext() })
+            );
+            if (!allowed) {
+              throw new AccessDeniedError("read", targetCol.slug);
+            }
+          }
+          await validateWhereFields(join2.rawWhere, targetCol.fields, this.buildRequestContext());
+        }
+      }
+    }
+  }
   buildRequestContext() {
     return {
       user: this.context.user
@@ -3199,7 +3697,14 @@ function createMomentumHandlers(config) {
       });
       return {
         docs: result.docs,
-        totalDocs: result.totalDocs
+        totalDocs: result.totalDocs,
+        totalPages: result.totalPages,
+        page: result.page,
+        limit: result.limit,
+        hasNextPage: result.hasNextPage,
+        hasPrevPage: result.hasPrevPage,
+        nextPage: result.nextPage,
+        prevPage: result.prevPage
       };
     } catch (error) {
       return handleError(error);
@@ -3287,7 +3792,14 @@ function createMomentumHandlers(config) {
       const result = await api.collection(request.collectionSlug).search(q, { fields, limit, page });
       return {
         docs: result.docs,
-        totalDocs: result.totalDocs
+        totalDocs: result.totalDocs,
+        totalPages: result.totalPages,
+        page: result.page,
+        limit: result.limit,
+        hasNextPage: result.hasNextPage,
+        hasPrevPage: result.hasPrevPage,
+        nextPage: result.nextPage,
+        prevPage: result.prevPage
       };
     } catch (error) {
       return handleError(error);
@@ -3352,51 +3864,6 @@ function handleError(error) {
   return { error: "Unknown error", status: 500 };
 }
 
-// libs/server-core/src/lib/collection-access.ts
-async function checkSingleCollectionAdminAccess(collection, user) {
-  const adminFn = collection.access?.admin;
-  if (!adminFn) {
-    return !!user;
-  }
-  const accessArgs = {
-    req: { user }
-  };
-  return Promise.resolve(adminFn(accessArgs));
-}
-async function checkAccessFunction(accessFn, user, defaultIfUndefined) {
-  if (!accessFn) {
-    return defaultIfUndefined;
-  }
-  const accessArgs = {
-    req: { user }
-  };
-  return Promise.resolve(accessFn(accessArgs));
-}
-async function getCollectionPermissions(config, user) {
-  const results = await Promise.all(
-    config.collections.map(async (collection) => {
-      const isManaged = collection.managed === true;
-      const [canAccess, canCreate, canRead, canUpdate, canDelete] = await Promise.all([
-        checkSingleCollectionAdminAccess(collection, user),
-        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.create, user, !!user),
-        checkAccessFunction(collection.access?.read, user, true),
-        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.update, user, !!user),
-        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.delete, user, !!user)
-      ]);
-      return {
-        slug: collection.slug,
-        canAccess,
-        canCreate,
-        canRead,
-        canUpdate,
-        canDelete,
-        ...isManaged ? { managed: true } : {}
-      };
-    })
-  );
-  return results;
-}
-
 // libs/server-core/src/lib/webhooks.ts
 var webhookLogger = createLogger("Webhook");
 
@@ -3875,7 +4342,7 @@ function checkDepth(node, currentDepth, maxDepth, context) {
     }
   }
 }
-async function executeGraphQL(schema, requestBody, context) {
+async function executeGraphQL(schema, requestBody, context, options) {
   if (!requestBody.query) {
     return {
       status: 400,
@@ -3891,6 +4358,17 @@ async function executeGraphQL(schema, requestBody, context) {
       body: { errors: [{ message: "Query parsing failed" }] }
     };
   }
+  if (options?.readOnly) {
+    const hasMutation = document.definitions.some(
+      (def) => def.kind === "OperationDefinition" && def.operation === "mutation"
+    );
+    if (hasMutation) {
+      return {
+        status: 405,
+        body: { errors: [{ message: "Mutations are not allowed via GET requests" }] }
+      };
+    }
+  }
   const depthErrors = validate(schema, document, [depthLimitRule(MAX_QUERY_DEPTH)]);
   if (depthErrors.length > 0) {
     return {
@@ -5555,8 +6033,8 @@ function createComprehensiveMomentumHandler(config) {
             return { error: "API key not found" };
           }
           if (existingKey.createdBy !== String(user.id)) {
-            utils.setResponseStatus(event, 403);
-            return { error: "You can only delete your own API keys" };
+            utils.setResponseStatus(event, 404);
+            return { error: "API key not found" };
           }
         }
         try {