@momentumcms/server-express 0.5.9 → 0.5.11

package/index.cjs

@@ -175,7 +175,7 @@ function s3StorageAdapter(options) {
     baseUrl,
     forcePathStyle = false,
     acl = "private",
-    presignedUrlExpiry = 3600
+    presignedUrlExpiry = 900
   } = options;
   let client = null;
   async function getClient() {
@@ -569,14 +569,14 @@ var init_strip_artifacts = __esm({
 
 // libs/email/src/lib/render/render-types.ts
 function injectEmailData() {
-  return (0, import_core12.inject)(EMAIL_DATA);
+  return (0, import_core13.inject)(EMAIL_DATA);
 }
-var import_core12, EMAIL_DATA;
+var import_core13, EMAIL_DATA;
 var init_render_types = __esm({
   "libs/email/src/lib/render/render-types.ts"() {
     "use strict";
-    import_core12 = require("@angular/core");
-    EMAIL_DATA = new import_core12.InjectionToken("EMAIL_DATA");
+    import_core13 = require("@angular/core");
+    EMAIL_DATA = new import_core13.InjectionToken("EMAIL_DATA");
   }
 });
 
@@ -588,7 +588,7 @@ async function renderEmail(component, data, options) {
   const shouldInlineCss = options?.inlineCss ?? true;
   const shouldStripArtifacts = options?.stripArtifacts ?? true;
   const extraProviders = options?.providers ?? [];
-  const mirror = (0, import_core13.reflectComponentType)(component);
+  const mirror = (0, import_core14.reflectComponentType)(component);
   if (!mirror) {
     throw new Error(
       `Cannot reflect component type: ${component.name}. Ensure it has a @Component decorator.`
@@ -610,12 +610,12 @@ async function renderEmail(component, data, options) {
   }
   return html;
 }
-var import_compiler, import_core13, import_platform_server, import_platform_browser;
+var import_compiler, import_core14, import_platform_server, import_platform_browser;
 var init_render_email = __esm({
   "libs/email/src/lib/render/render-email.ts"() {
     "use strict";
     import_compiler = require("@angular/compiler");
-    import_core13 = require("@angular/core");
+    import_core14 = require("@angular/core");
     import_platform_server = require("@angular/platform-server");
     import_platform_browser = require("@angular/platform-browser");
     init_css_inliner();
@@ -1048,26 +1048,26 @@ var init_default_templates = __esm({
 });
 
 // libs/email/src/lib/components/eml-body.component.ts
-var import_core14, EmlBody;
+var import_core15, EmlBody;
 var init_eml_body_component = __esm({
   "libs/email/src/lib/components/eml-body.component.ts"() {
     "use strict";
-    import_core14 = require("@angular/core");
+    import_core15 = require("@angular/core");
     EmlBody = class {
       constructor() {
-        this.backgroundColor = (0, import_core14.input)("#f4f4f5");
-        this.fontFamily = (0, import_core14.input)(
+        this.backgroundColor = (0, import_core15.input)("#f4f4f5");
+        this.fontFamily = (0, import_core15.input)(
           "-apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif"
         );
-        this.padding = (0, import_core14.input)("40px 20px");
-        this.tableStyle = (0, import_core14.computed)(
+        this.padding = (0, import_core15.input)("40px 20px");
+        this.tableStyle = (0, import_core15.computed)(
           () => `background-color: ${this.backgroundColor()}; font-family: ${this.fontFamily()}; line-height: 1.6; margin: 0; padding: 0;`
         );
-        this.cellStyle = (0, import_core14.computed)(() => `padding: ${this.padding()};`);
+        this.cellStyle = (0, import_core15.computed)(() => `padding: ${this.padding()};`);
       }
     };
     EmlBody = __decorateClass([
-      (0, import_core14.Component)({
+      (0, import_core15.Component)({
         selector: "eml-body",
         template: `
 		<table
@@ -1084,33 +1084,33 @@ var init_eml_body_component = __esm({
 			</tr>
 		</table>
 	`,
-        changeDetection: import_core14.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core15.ChangeDetectionStrategy.OnPush
       })
     ], EmlBody);
   }
 });
 
 // libs/email/src/lib/components/eml-container.component.ts
-var import_core15, EmlContainer;
+var import_core16, EmlContainer;
 var init_eml_container_component = __esm({
   "libs/email/src/lib/components/eml-container.component.ts"() {
     "use strict";
-    import_core15 = require("@angular/core");
+    import_core16 = require("@angular/core");
     EmlContainer = class {
       constructor() {
-        this.maxWidth = (0, import_core15.input)("480px");
-        this.backgroundColor = (0, import_core15.input)("#ffffff");
-        this.borderRadius = (0, import_core15.input)("8px");
-        this.padding = (0, import_core15.input)("40px");
-        this.shadow = (0, import_core15.input)("0 1px 3px rgba(0,0,0,0.1)");
-        this.tableStyle = (0, import_core15.computed)(
+        this.maxWidth = (0, import_core16.input)("480px");
+        this.backgroundColor = (0, import_core16.input)("#ffffff");
+        this.borderRadius = (0, import_core16.input)("8px");
+        this.padding = (0, import_core16.input)("40px");
+        this.shadow = (0, import_core16.input)("0 1px 3px rgba(0,0,0,0.1)");
+        this.tableStyle = (0, import_core16.computed)(
           () => `max-width: ${this.maxWidth()}; margin: 0 auto; background-color: ${this.backgroundColor()}; border-radius: ${this.borderRadius()}; box-shadow: ${this.shadow()};`
         );
-        this.cellStyle = (0, import_core15.computed)(() => `padding: ${this.padding()};`);
+        this.cellStyle = (0, import_core16.computed)(() => `padding: ${this.padding()};`);
       }
     };
     EmlContainer = __decorateClass([
-      (0, import_core15.Component)({
+      (0, import_core16.Component)({
         selector: "eml-container",
         template: `
 		<table
@@ -1127,26 +1127,26 @@ var init_eml_container_component = __esm({
 			</tr>
 		</table>
 	`,
-        changeDetection: import_core15.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core16.ChangeDetectionStrategy.OnPush
       })
     ], EmlContainer);
   }
 });
 
 // libs/email/src/lib/components/eml-section.component.ts
-var import_core16, EmlSection;
+var import_core17, EmlSection;
 var init_eml_section_component = __esm({
   "libs/email/src/lib/components/eml-section.component.ts"() {
     "use strict";
-    import_core16 = require("@angular/core");
+    import_core17 = require("@angular/core");
     EmlSection = class {
       constructor() {
-        this.padding = (0, import_core16.input)("0");
-        this.cellStyle = (0, import_core16.computed)(() => `padding: ${this.padding()};`);
+        this.padding = (0, import_core17.input)("0");
+        this.cellStyle = (0, import_core17.computed)(() => `padding: ${this.padding()};`);
       }
     };
     EmlSection = __decorateClass([
-      (0, import_core16.Component)({
+      (0, import_core17.Component)({
         selector: "eml-section",
         template: `
 		<table role="presentation" width="100%" cellspacing="0" cellpadding="0">
@@ -1157,22 +1157,22 @@ var init_eml_section_component = __esm({
 			</tr>
 		</table>
 	`,
-        changeDetection: import_core16.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core17.ChangeDetectionStrategy.OnPush
       })
     ], EmlSection);
   }
 });
 
 // libs/email/src/lib/components/eml-row.component.ts
-var import_core17, EmlRow;
+var import_core18, EmlRow;
 var init_eml_row_component = __esm({
   "libs/email/src/lib/components/eml-row.component.ts"() {
     "use strict";
-    import_core17 = require("@angular/core");
+    import_core18 = require("@angular/core");
     EmlRow = class {
     };
     EmlRow = __decorateClass([
-      (0, import_core17.Component)({
+      (0, import_core18.Component)({
         selector: "eml-row",
         template: `
 		<table role="presentation" width="100%" cellspacing="0" cellpadding="0">
@@ -1181,130 +1181,130 @@ var init_eml_row_component = __esm({
 			</tr>
 		</table>
 	`,
-        changeDetection: import_core17.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core18.ChangeDetectionStrategy.OnPush
       })
     ], EmlRow);
   }
 });
 
 // libs/email/src/lib/components/eml-column.component.ts
-var import_core18, EmlColumn;
+var import_core19, EmlColumn;
 var init_eml_column_component = __esm({
   "libs/email/src/lib/components/eml-column.component.ts"() {
     "use strict";
-    import_core18 = require("@angular/core");
+    import_core19 = require("@angular/core");
     EmlColumn = class {
       constructor() {
-        this.width = (0, import_core18.input)(void 0);
-        this.padding = (0, import_core18.input)("0");
-        this.verticalAlign = (0, import_core18.input)("top");
-        this.cellStyle = (0, import_core18.computed)(
+        this.width = (0, import_core19.input)(void 0);
+        this.padding = (0, import_core19.input)("0");
+        this.verticalAlign = (0, import_core19.input)("top");
+        this.cellStyle = (0, import_core19.computed)(
           () => `padding: ${this.padding()}; vertical-align: ${this.verticalAlign()};`
         );
       }
     };
     EmlColumn = __decorateClass([
-      (0, import_core18.Component)({
+      (0, import_core19.Component)({
         selector: "eml-column",
         template: `
 		<td [attr.style]="cellStyle()" [attr.width]="width()" valign="top">
 			<ng-content />
 		</td>
 	`,
-        changeDetection: import_core18.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core19.ChangeDetectionStrategy.OnPush
       })
     ], EmlColumn);
   }
 });
 
 // libs/email/src/lib/components/eml-text.component.ts
-var import_core19, EmlText;
+var import_core20, EmlText;
 var init_eml_text_component = __esm({
   "libs/email/src/lib/components/eml-text.component.ts"() {
     "use strict";
-    import_core19 = require("@angular/core");
+    import_core20 = require("@angular/core");
     EmlText = class {
       constructor() {
-        this.color = (0, import_core19.input)("#3f3f46");
-        this.fontSize = (0, import_core19.input)("16px");
-        this.lineHeight = (0, import_core19.input)("1.6");
-        this.margin = (0, import_core19.input)("0 0 16px");
-        this.textAlign = (0, import_core19.input)("left");
-        this.pStyle = (0, import_core19.computed)(
+        this.color = (0, import_core20.input)("#3f3f46");
+        this.fontSize = (0, import_core20.input)("16px");
+        this.lineHeight = (0, import_core20.input)("1.6");
+        this.margin = (0, import_core20.input)("0 0 16px");
+        this.textAlign = (0, import_core20.input)("left");
+        this.pStyle = (0, import_core20.computed)(
           () => `margin: ${this.margin()}; color: ${this.color()}; font-size: ${this.fontSize()}; line-height: ${this.lineHeight()}; text-align: ${this.textAlign()};`
         );
       }
     };
     EmlText = __decorateClass([
-      (0, import_core19.Component)({
+      (0, import_core20.Component)({
         selector: "eml-text",
         template: `
 		<p [attr.style]="pStyle()">
 			<ng-content />
 		</p>
 	`,
-        changeDetection: import_core19.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core20.ChangeDetectionStrategy.OnPush
       })
     ], EmlText);
   }
 });
 
 // libs/email/src/lib/components/eml-heading.component.ts
-var import_core20, EmlHeading;
+var import_core21, EmlHeading;
 var init_eml_heading_component = __esm({
   "libs/email/src/lib/components/eml-heading.component.ts"() {
     "use strict";
-    import_core20 = require("@angular/core");
+    import_core21 = require("@angular/core");
     EmlHeading = class {
       constructor() {
-        this.level = (0, import_core20.input)(1);
-        this.color = (0, import_core20.input)("#18181b");
-        this.margin = (0, import_core20.input)("0 0 24px");
-        this.textAlign = (0, import_core20.input)("left");
+        this.level = (0, import_core21.input)(1);
+        this.color = (0, import_core21.input)("#18181b");
+        this.margin = (0, import_core21.input)("0 0 24px");
+        this.textAlign = (0, import_core21.input)("left");
         this.fontSizeMap = {
           1: "24px",
           2: "20px",
           3: "16px"
         };
-        this.headingStyle = (0, import_core20.computed)(
+        this.headingStyle = (0, import_core21.computed)(
           () => `margin: ${this.margin()}; font-size: ${this.fontSizeMap[this.level()] ?? "24px"}; font-weight: 600; color: ${this.color()}; text-align: ${this.textAlign()};`
         );
       }
     };
     EmlHeading = __decorateClass([
-      (0, import_core20.Component)({
+      (0, import_core21.Component)({
         selector: "eml-heading",
         template: `<div [attr.style]="headingStyle()" [attr.role]="'heading'" [attr.aria-level]="level()">
 		<ng-content />
 	</div>`,
-        changeDetection: import_core20.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core21.ChangeDetectionStrategy.OnPush
       })
     ], EmlHeading);
   }
 });
 
 // libs/email/src/lib/components/eml-button.component.ts
-var import_core21, EmlButton;
+var import_core22, EmlButton;
 var init_eml_button_component = __esm({
   "libs/email/src/lib/components/eml-button.component.ts"() {
     "use strict";
-    import_core21 = require("@angular/core");
+    import_core22 = require("@angular/core");
     EmlButton = class {
       constructor() {
-        this.href = (0, import_core21.input)("");
-        this.backgroundColor = (0, import_core21.input)("#18181b");
-        this.color = (0, import_core21.input)("#ffffff");
-        this.borderRadius = (0, import_core21.input)("6px");
-        this.padding = (0, import_core21.input)("12px 24px");
-        this.textAlign = (0, import_core21.input)("left");
-        this.alignStyle = (0, import_core21.computed)(() => `padding: 0; text-align: ${this.textAlign()};`);
-        this.linkStyle = (0, import_core21.computed)(
+        this.href = (0, import_core22.input)("");
+        this.backgroundColor = (0, import_core22.input)("#18181b");
+        this.color = (0, import_core22.input)("#ffffff");
+        this.borderRadius = (0, import_core22.input)("6px");
+        this.padding = (0, import_core22.input)("12px 24px");
+        this.textAlign = (0, import_core22.input)("left");
+        this.alignStyle = (0, import_core22.computed)(() => `padding: 0; text-align: ${this.textAlign()};`);
+        this.linkStyle = (0, import_core22.computed)(
           () => `display: inline-block; padding: ${this.padding()}; background-color: ${this.backgroundColor()}; color: ${this.color()}; text-decoration: none; border-radius: ${this.borderRadius()}; font-weight: 500;`
         );
       }
     };
     EmlButton = __decorateClass([
-      (0, import_core21.Component)({
+      (0, import_core22.Component)({
         selector: "eml-button",
         template: `
 		<table role="presentation" width="100%" cellspacing="0" cellpadding="0">
@@ -1317,62 +1317,62 @@ var init_eml_button_component = __esm({
 			</tr>
 		</table>
 	`,
-        changeDetection: import_core21.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core22.ChangeDetectionStrategy.OnPush
       })
     ], EmlButton);
   }
 });
 
 // libs/email/src/lib/components/eml-link.component.ts
-var import_core22, EmlLink;
+var import_core23, EmlLink;
 var init_eml_link_component = __esm({
   "libs/email/src/lib/components/eml-link.component.ts"() {
     "use strict";
-    import_core22 = require("@angular/core");
+    import_core23 = require("@angular/core");
     EmlLink = class {
       constructor() {
-        this.href = (0, import_core22.input)("");
-        this.color = (0, import_core22.input)("#18181b");
-        this.textDecoration = (0, import_core22.input)("underline");
-        this.linkStyle = (0, import_core22.computed)(
+        this.href = (0, import_core23.input)("");
+        this.color = (0, import_core23.input)("#18181b");
+        this.textDecoration = (0, import_core23.input)("underline");
+        this.linkStyle = (0, import_core23.computed)(
           () => `color: ${this.color()}; text-decoration: ${this.textDecoration()};`
         );
       }
     };
     EmlLink = __decorateClass([
-      (0, import_core22.Component)({
+      (0, import_core23.Component)({
         selector: "eml-link",
         template: `
 		<a [attr.href]="href()" [attr.style]="linkStyle()" target="_blank">
 			<ng-content />
 		</a>
 	`,
-        changeDetection: import_core22.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core23.ChangeDetectionStrategy.OnPush
       })
     ], EmlLink);
   }
 });
 
 // libs/email/src/lib/components/eml-image.component.ts
-var import_core23, EmlImage;
+var import_core24, EmlImage;
 var init_eml_image_component = __esm({
   "libs/email/src/lib/components/eml-image.component.ts"() {
     "use strict";
-    import_core23 = require("@angular/core");
+    import_core24 = require("@angular/core");
     EmlImage = class {
       constructor() {
-        this.src = (0, import_core23.input)("");
-        this.alt = (0, import_core23.input)("");
-        this.width = (0, import_core23.input)(void 0);
-        this.height = (0, import_core23.input)(void 0);
-        this.borderRadius = (0, import_core23.input)("0");
-        this.imgStyle = (0, import_core23.computed)(
+        this.src = (0, import_core24.input)("");
+        this.alt = (0, import_core24.input)("");
+        this.width = (0, import_core24.input)(void 0);
+        this.height = (0, import_core24.input)(void 0);
+        this.borderRadius = (0, import_core24.input)("0");
+        this.imgStyle = (0, import_core24.computed)(
           () => `display: block; max-width: 100%; border: 0; outline: none; border-radius: ${this.borderRadius()};`
         );
       }
     };
     EmlImage = __decorateClass([
-      (0, import_core23.Component)({
+      (0, import_core24.Component)({
         selector: "eml-image",
         template: `
 		<img
@@ -1383,104 +1383,104 @@ var init_eml_image_component = __esm({
 			[attr.style]="imgStyle()"
 		/>
 	`,
-        changeDetection: import_core23.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core24.ChangeDetectionStrategy.OnPush
       })
     ], EmlImage);
   }
 });
 
 // libs/email/src/lib/components/eml-divider.component.ts
-var import_core24, EmlDivider;
+var import_core25, EmlDivider;
 var init_eml_divider_component = __esm({
   "libs/email/src/lib/components/eml-divider.component.ts"() {
     "use strict";
-    import_core24 = require("@angular/core");
+    import_core25 = require("@angular/core");
     EmlDivider = class {
       constructor() {
-        this.color = (0, import_core24.input)("#e4e4e7");
-        this.margin = (0, import_core24.input)("24px 0");
-        this.hrStyle = (0, import_core24.computed)(
+        this.color = (0, import_core25.input)("#e4e4e7");
+        this.margin = (0, import_core25.input)("24px 0");
+        this.hrStyle = (0, import_core25.computed)(
           () => `border: none; border-top: 1px solid ${this.color()}; margin: ${this.margin()};`
         );
       }
     };
     EmlDivider = __decorateClass([
-      (0, import_core24.Component)({
+      (0, import_core25.Component)({
         selector: "eml-divider",
         template: `<hr [attr.style]="hrStyle()" />`,
-        changeDetection: import_core24.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core25.ChangeDetectionStrategy.OnPush
       })
     ], EmlDivider);
   }
 });
 
 // libs/email/src/lib/components/eml-preview.component.ts
-var import_core25, EmlPreview;
+var import_core26, EmlPreview;
 var init_eml_preview_component = __esm({
   "libs/email/src/lib/components/eml-preview.component.ts"() {
     "use strict";
-    import_core25 = require("@angular/core");
+    import_core26 = require("@angular/core");
     EmlPreview = class {
     };
     EmlPreview = __decorateClass([
-      (0, import_core25.Component)({
+      (0, import_core26.Component)({
         selector: "eml-preview",
         template: `
 		<div style="display: none; max-height: 0; overflow: hidden; mso-hide: all;">
 			<ng-content />
 		</div>
 	`,
-        changeDetection: import_core25.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core26.ChangeDetectionStrategy.OnPush
       })
     ], EmlPreview);
   }
 });
 
 // libs/email/src/lib/components/eml-spacer.component.ts
-var import_core26, EmlSpacer;
+var import_core27, EmlSpacer;
 var init_eml_spacer_component = __esm({
   "libs/email/src/lib/components/eml-spacer.component.ts"() {
     "use strict";
-    import_core26 = require("@angular/core");
+    import_core27 = require("@angular/core");
     EmlSpacer = class {
       constructor() {
-        this.height = (0, import_core26.input)("24px");
-        this.spacerStyle = (0, import_core26.computed)(
+        this.height = (0, import_core27.input)("24px");
+        this.spacerStyle = (0, import_core27.computed)(
           () => `height: ${this.height()}; line-height: ${this.height()}; font-size: 1px;`
         );
       }
     };
     EmlSpacer = __decorateClass([
-      (0, import_core26.Component)({
+      (0, import_core27.Component)({
         selector: "eml-spacer",
         template: `<div [attr.style]="spacerStyle()"></div>`,
-        changeDetection: import_core26.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core27.ChangeDetectionStrategy.OnPush
       })
     ], EmlSpacer);
   }
 });
 
 // libs/email/src/lib/components/eml-footer.component.ts
-var import_core27, EmlFooter;
+var import_core28, EmlFooter;
 var init_eml_footer_component = __esm({
   "libs/email/src/lib/components/eml-footer.component.ts"() {
     "use strict";
-    import_core27 = require("@angular/core");
+    import_core28 = require("@angular/core");
     EmlFooter = class {
       constructor() {
-        this.maxWidth = (0, import_core27.input)("480px");
-        this.color = (0, import_core27.input)("#71717a");
-        this.fontSize = (0, import_core27.input)("12px");
-        this.textAlign = (0, import_core27.input)("center");
-        this.padding = (0, import_core27.input)("20px 0 0");
-        this.tableStyle = (0, import_core27.computed)(() => `max-width: ${this.maxWidth()}; margin: 0 auto;`);
-        this.cellStyle = (0, import_core27.computed)(
+        this.maxWidth = (0, import_core28.input)("480px");
+        this.color = (0, import_core28.input)("#71717a");
+        this.fontSize = (0, import_core28.input)("12px");
+        this.textAlign = (0, import_core28.input)("center");
+        this.padding = (0, import_core28.input)("20px 0 0");
+        this.tableStyle = (0, import_core28.computed)(() => `max-width: ${this.maxWidth()}; margin: 0 auto;`);
+        this.cellStyle = (0, import_core28.computed)(
           () => `text-align: ${this.textAlign()}; color: ${this.color()}; font-size: ${this.fontSize()}; padding: ${this.padding()};`
         );
       }
     };
     EmlFooter = __decorateClass([
-      (0, import_core27.Component)({
+      (0, import_core28.Component)({
         selector: "eml-footer",
         template: `
 		<table
@@ -1497,7 +1497,7 @@ var init_eml_footer_component = __esm({
 			</tr>
 		</table>
 	`,
-        changeDetection: import_core27.ChangeDetectionStrategy.OnPush
+        changeDetection: import_core28.ChangeDetectionStrategy.OnPush
       })
     ], EmlFooter);
   }
@@ -1658,6 +1658,7 @@ __export(src_exports3, {
   createMomentumServer: () => createMomentumServer,
   createOpenAPIMiddleware: () => createOpenAPIMiddleware,
   createProtectMiddleware: () => createProtectMiddleware,
+  createRateLimitMiddleware: () => createRateLimitMiddleware,
   createSessionResolverMiddleware: () => createSessionResolverMiddleware,
   createSetupMiddleware: () => createSetupMiddleware,
   getPluginMiddleware: () => getPluginMiddleware,
@@ -2789,6 +2790,21 @@ var VersionOperationsImpl = class {
         });
       }
     }
+    if (!this.context.overrideAccess && hasFieldAccessControl(this.collectionConfig.fields)) {
+      for (let i = 0; i < docs.length; i++) {
+        const version = docs[i].version;
+        if (version && typeof version === "object") {
+          const versionRecord = version;
+          const filtered = await filterReadableFields(
+            this.collectionConfig.fields,
+            versionRecord,
+            this.buildRequestContext()
+          );
+          const filteredAsT = filtered;
+          docs[i] = { ...docs[i], version: filteredAsT };
+        }
+      }
+    }
     const countOptions = {
       includeAutosave: options?.includeAutosave,
       status: options?.status
@@ -2818,9 +2834,21 @@ var VersionOperationsImpl = class {
     if (parsedVersion === null) {
       return null;
     }
+    let filteredVersion = parsedVersion;
+    if (!this.context.overrideAccess && hasFieldAccessControl(this.collectionConfig.fields)) {
+      if (filteredVersion && typeof filteredVersion === "object") {
+        const versionRecord = filteredVersion;
+        const filtered = await filterReadableFields(
+          this.collectionConfig.fields,
+          versionRecord,
+          this.buildRequestContext()
+        );
+        filteredVersion = filtered;
+      }
+    }
     return {
       ...version,
-      version: parsedVersion
+      version: filteredVersion
     };
   }
   async restore(options) {
@@ -3042,6 +3070,415 @@ var VersionOperationsImpl = class {
   }
 };
 
+// libs/server-core/src/lib/where-clause.ts
+var OPERATOR_MAP = {
+  equals: "$eq",
+  gt: "$gt",
+  gte: "$gte",
+  lt: "$lt",
+  lte: "$lte",
+  not_equals: "$ne",
+  like: "$like",
+  contains: "$contains",
+  in: "$in",
+  not_in: "$nin",
+  exists: "$exists"
+};
+var MAX_WHERE_CONDITIONS = 20;
+var MAX_JOINS = 5;
+var MAX_WHERE_NESTING_DEPTH = 5;
+var MAX_PAGE_LIMIT = 1e3;
+var MAX_PAGE = 1e6;
+var VALID_OPERATORS = new Set(Object.keys(OPERATOR_MAP));
+function countWhereConditions(where, depth = 0) {
+  if (depth > MAX_WHERE_NESTING_DEPTH) {
+    throw new ValidationError([
+      {
+        field: "where",
+        message: `Where clause nesting depth exceeds maximum of ${MAX_WHERE_NESTING_DEPTH} levels.`
+      }
+    ]);
+  }
+  let count = 0;
+  for (const [key, value] of Object.entries(where)) {
+    if ((key === "and" || key === "or") && Array.isArray(value)) {
+      for (const sub of value) {
+        if (typeof sub === "object" && sub !== null) {
+          count += countWhereConditions(sub, depth + 1);
+        }
+      }
+    } else {
+      count++;
+    }
+  }
+  return count;
+}
+function flattenWhereClause(where) {
+  if (!where)
+    return {};
+  const fieldCount = countWhereConditions(where);
+  if (fieldCount > MAX_WHERE_CONDITIONS) {
+    throw new ValidationError([
+      {
+        field: "where",
+        message: `Where clause exceeds maximum of ${MAX_WHERE_CONDITIONS} conditions (got ${fieldCount}).`
+      }
+    ]);
+  }
+  return flattenWhereRecursive(where, 0);
+}
+function flattenWhereRecursive(where, depth) {
+  if (depth > MAX_WHERE_NESTING_DEPTH) {
+    throw new ValidationError([
+      {
+        field: "where",
+        message: `Where clause nesting depth exceeds maximum of ${MAX_WHERE_NESTING_DEPTH} levels.`
+      }
+    ]);
+  }
+  const result = {};
+  for (const [field, condition] of Object.entries(where)) {
+    if (field === "and" || field === "or") {
+      if (!Array.isArray(condition)) {
+        throw new ValidationError([
+          {
+            field,
+            message: `The "${field}" operator requires an array of conditions.`
+          }
+        ]);
+      }
+      const internalKey = field === "and" ? "$and" : "$or";
+      result[internalKey] = condition.filter((sub) => typeof sub === "object" && sub !== null).map((sub) => {
+        if ("$join" in sub)
+          return sub;
+        return flattenWhereRecursive(sub, depth + 1);
+      });
+      continue;
+    }
+    if (typeof condition !== "object" || condition === null) {
+      result[field] = condition;
+      continue;
+    }
+    const condObj = condition;
+    const ops = {};
+    let hasOp = false;
+    for (const [userOp, internalOp] of Object.entries(OPERATOR_MAP)) {
+      if (userOp in condObj) {
+        let value = condObj[userOp];
+        if (internalOp === "$exists" && typeof value === "string") {
+          value = value === "true";
+        }
+        if (typeof value === "string") {
+          value = value.replace(/\0/g, "");
+        }
+        if (Array.isArray(value)) {
+          value = value.map(
+            (item) => typeof item === "string" ? item.replace(/\0/g, "") : item
+          );
+        }
+        ops[internalOp] = value;
+        hasOp = true;
+      }
+    }
+    for (const key of Object.keys(condObj)) {
+      if (!VALID_OPERATORS.has(key)) {
+        throw new ValidationError([
+          {
+            field,
+            message: `Unknown operator "${key}". Valid operators: ${[...VALID_OPERATORS].sort().join(", ")}`
+          }
+        ]);
+      }
+    }
+    if (hasOp) {
+      result[field] = ops;
+    } else {
+      result[field] = condition;
+    }
+  }
+  return result;
+}
+function extractRelationshipJoins(where, fields, allCollections) {
+  if (!where)
+    return { cleanedWhere: void 0, joins: [], allJoins: [] };
+  const dataFields = flattenDataFields(fields);
+  const fieldMap = new Map(dataFields.map((f) => [f.name, f]));
+  const joins = [];
+  const allJoins = [];
+  const cleanedWhere = {};
+  for (const [key, condition] of Object.entries(where)) {
+    if (key === "and" || key === "or") {
+      if (Array.isArray(condition)) {
+        const cleanedArray = [];
+        for (const sub of condition) {
+          if (typeof sub === "object" && sub !== null) {
+            const {
+              cleanedWhere: subCleaned,
+              joins: subTopJoins,
+              allJoins: subAllJoins
+            } = extractRelationshipJoins(
+              // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- WhereClause sub-object
+              sub,
+              fields,
+              allCollections
+            );
+            if (subCleaned)
+              cleanedArray.push(subCleaned);
+            for (const join2 of subTopJoins) {
+              cleanedArray.push({ ["$join"]: join2 });
+            }
+            allJoins.push(...subAllJoins);
+          }
+        }
+        if (cleanedArray.length > 0) {
+          cleanedWhere[key] = cleanedArray;
+        }
+      }
+      continue;
+    }
+    let field = fieldMap.get(key);
+    if (!field && key.includes(".")) {
+      const [rootKey, ...subPath] = key.split(".");
+      const rootField = fieldMap.get(rootKey);
+      if (rootField && rootField.type === "relationship" && subPath.length > 0 && condition !== null) {
+        let nested = condition;
+        for (let i = subPath.length - 1; i >= 0; i--) {
+          nested = { [subPath[i]]: nested };
+        }
+        field = rootField;
+        const {
+          cleanedWhere: subCleaned,
+          joins: subJoins,
+          allJoins: subAllJoins
+        } = extractRelationshipJoins(
+          // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- reconstructed nested where
+          { [rootKey]: nested },
+          fields,
+          allCollections
+        );
+        if (subCleaned)
+          Object.assign(cleanedWhere, subCleaned);
+        joins.push(...subJoins);
+        allJoins.push(...subAllJoins);
+        continue;
+      }
+    }
+    if (!field || field.type !== "relationship" || typeof condition !== "object" || condition === null) {
+      cleanedWhere[key] = condition;
+      continue;
+    }
+    const condObj = condition;
+    const condKeys = Object.keys(condObj);
+    const hasOperatorKeys = condKeys.some((k) => VALID_OPERATORS.has(k));
+    const hasNonOperatorKeys = condKeys.some((k) => !VALID_OPERATORS.has(k));
+    if (hasOperatorKeys && hasNonOperatorKeys) {
+      throw new ValidationError([
+        {
+          field: key,
+          message: `Cannot mix operators and sub-field references on relationship field "${key}". Use either operators (e.g. { equals: 'id' }) or sub-field queries (e.g. { name: { equals: 'value' } }), not both.`
+        }
+      ]);
+    }
+    if (!hasNonOperatorKeys) {
+      cleanedWhere[key] = condition;
+      continue;
+    }
+    const relField = field;
+    let targetSlug;
+    try {
+      const targetConfig = relField.collection();
+      if (targetConfig && typeof targetConfig === "object" && "slug" in targetConfig) {
+        targetSlug = targetConfig.slug;
+      }
+    } catch {
+    }
+    if (!targetSlug) {
+      throw new ValidationError([
+        {
+          field: key,
+          message: `Cannot resolve target collection for relationship field "${key}".`
+        }
+      ]);
+    }
+    const targetCollection = allCollections.find((c) => c.slug === targetSlug);
+    if (!targetCollection) {
+      throw new ValidationError([
+        {
+          field: key,
+          message: `Target collection "${targetSlug}" not found for relationship field "${key}".`
+        }
+      ]);
+    }
+    const subWhere = condition;
+    const flattenedConditions = flattenWhereClause(subWhere);
+    const targetTable = targetCollection.dbName ?? targetCollection.slug;
+    const joinSpec = {
+      targetTable,
+      localField: key,
+      targetField: "id",
+      conditions: flattenedConditions,
+      rawWhere: subWhere
+    };
+    joins.push(joinSpec);
+    allJoins.push(joinSpec);
+  }
+  return {
+    cleanedWhere: Object.keys(cleanedWhere).length > 0 ? cleanedWhere : void 0,
+    joins,
+    allJoins
+  };
+}
+var SYSTEM_QUERYABLE_FIELDS = /* @__PURE__ */ new Set(["id", "createdAt", "updatedAt", "_status"]);
+async function validateWhereFields(where, fields, req) {
+  if (!where)
+    return;
+  const dataFields = flattenDataFields(fields);
+  const fieldMap = new Map(dataFields.map((f) => [f.name, f]));
+  for (const fieldName of Object.keys(where)) {
+    if (fieldName === "and" || fieldName === "or") {
+      const subs = where[fieldName];
+      if (Array.isArray(subs)) {
+        for (const sub of subs) {
+          if (typeof sub === "object" && sub !== null) {
+            await validateWhereFields(sub, fields, req);
+          }
+        }
+      }
+      continue;
+    }
+    const baseName = fieldName.includes(".") ? fieldName.split(".")[0] : fieldName;
+    if (SYSTEM_QUERYABLE_FIELDS.has(baseName))
+      continue;
+    const field = fieldMap.get(baseName);
+    if (!field) {
+      throw new ValidationError([{ field: fieldName, message: `Unknown field: ${baseName}` }]);
+    }
+    if (!field.access?.read)
+      continue;
+    const allowed = await Promise.resolve(field.access.read({ req }));
+    if (!allowed) {
+      throw new AccessDeniedError("read", baseName);
+    }
+  }
+}
+async function validateSortField(sort, fields, req) {
+  if (!sort)
+    return;
+  const fieldName = sort.startsWith("-") ? sort.slice(1) : sort;
+  const baseName = fieldName.includes(".") ? fieldName.split(".")[0] : fieldName;
+  const dataFields = flattenDataFields(fields);
+  const field = dataFields.find((f) => f.name === baseName);
+  if (!field?.access?.read)
+    return;
+  const allowed = await Promise.resolve(field.access.read({ req }));
+  if (!allowed) {
+    throw new AccessDeniedError("read", baseName);
+  }
+}
+
+// libs/server-core/src/lib/api-utils.ts
+function deepEqual(a, b) {
+  if (a === b)
+    return true;
+  if (a == null || b == null)
+    return false;
+  if (typeof a !== "object" || typeof b !== "object")
+    return false;
+  if (Array.isArray(a)) {
+    if (!Array.isArray(b) || a.length !== b.length)
+      return false;
+    return a.every((item, i) => deepEqual(item, b[i]));
+  }
+  if (Array.isArray(b))
+    return false;
+  const aKeys = Object.keys(a);
+  const bKeys = Object.keys(b);
+  if (aKeys.length !== bKeys.length)
+    return false;
+  const aRec = a;
+  const bRec = b;
+  return aKeys.every(
+    (key) => Object.prototype.hasOwnProperty.call(bRec, key) && deepEqual(aRec[key], bRec[key])
+  );
+}
+function stripTransientKeys(data) {
+  const result = {};
+  for (const [key, value] of Object.entries(data)) {
+    if (!key.startsWith("_")) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+
+// libs/server-core/src/lib/collection-access.ts
+async function checkSingleCollectionAdminAccess(collection, user) {
+  const adminFn = collection.access?.admin;
+  if (!adminFn) {
+    return !!user;
+  }
+  const accessArgs = {
+    req: { user }
+  };
+  return Promise.resolve(adminFn(accessArgs));
+}
+async function checkAccessFunction(accessFn, user, defaultIfUndefined) {
+  if (!accessFn) {
+    return defaultIfUndefined;
+  }
+  const accessArgs = {
+    req: { user }
+  };
+  return Promise.resolve(accessFn(accessArgs));
+}
+async function getCollectionPermissions(config, user) {
+  const results = await Promise.all(
+    config.collections.map(async (collection) => {
+      const isManaged = collection.managed === true;
+      const [canAccess, canCreate, canRead, canUpdate, canDelete] = await Promise.all([
+        checkSingleCollectionAdminAccess(collection, user),
+        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.create, user, !!user),
+        checkAccessFunction(collection.access?.read, user, true),
+        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.update, user, !!user),
+        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.delete, user, !!user)
+      ]);
+      return {
+        slug: collection.slug,
+        canAccess,
+        canCreate,
+        canRead,
+        canUpdate,
+        canDelete,
+        ...isManaged ? { managed: true } : {}
+      };
+    })
+  );
+  return results;
+}
+var ACCESS_OPS = ["read", "create", "update", "delete"];
+var ACCESS_DEFAULTS = {
+  read: "public (anyone)",
+  create: "any authenticated user",
+  update: "any authenticated user",
+  delete: "any authenticated user"
+};
+function warnInsecureDefaults(collections) {
+  const logger = createLogger("Security");
+  const warnings = [];
+  for (const collection of collections) {
+    if (collection.managed)
+      continue;
+    const missing = ACCESS_OPS.filter((op) => !collection.access?.[op]);
+    if (missing.length > 0) {
+      const details = missing.map((op) => `${op} (${ACCESS_DEFAULTS[op]})`).join(", ");
+      const msg = `Collection "${collection.slug}" has no explicit access control for: ${details}. Define access functions to restrict.`;
+      logger.warn(msg);
+      warnings.push(msg);
+    }
+  }
+  return warnings;
+}
+
 // libs/server-core/src/lib/momentum-api.ts
 var momentumApiInstance = null;
 function initializeMomentumAPI(config) {
@@ -3049,6 +3486,7 @@ function initializeMomentumAPI(config) {
     createLogger("API").warn("Already initialized, returning existing instance");
     return momentumApiInstance;
   }
+  warnInsecureDefaults(config.collections);
   momentumApiInstance = new MomentumAPIImpl(config);
   return momentumApiInstance;
 }
@@ -3106,70 +3544,6 @@ var MomentumAPIImpl = class _MomentumAPIImpl {
     return { ...this.context };
   }
 };
-function deepEqual(a, b) {
-  if (a === b)
-    return true;
-  if (a == null || b == null)
-    return false;
-  if (typeof a !== "object" || typeof b !== "object")
-    return false;
-  if (Array.isArray(a)) {
-    if (!Array.isArray(b) || a.length !== b.length)
-      return false;
-    return a.every((item, i) => deepEqual(item, b[i]));
-  }
-  if (Array.isArray(b))
-    return false;
-  const aKeys = Object.keys(a);
-  const bKeys = Object.keys(b);
-  if (aKeys.length !== bKeys.length)
-    return false;
-  const aRec = a;
-  const bRec = b;
-  return aKeys.every(
-    (key) => Object.prototype.hasOwnProperty.call(bRec, key) && deepEqual(aRec[key], bRec[key])
-  );
-}
-function stripTransientKeys(data) {
-  const result = {};
-  for (const [key, value] of Object.entries(data)) {
-    if (!key.startsWith("_")) {
-      result[key] = value;
-    }
-  }
-  return result;
-}
-var COMPARISON_OPS = ["gt", "gte", "lt", "lte"];
-function flattenWhereClause(where) {
-  if (!where)
-    return {};
-  const result = {};
-  for (const [field, condition] of Object.entries(where)) {
-    if (typeof condition !== "object" || condition === null) {
-      result[field] = condition;
-      continue;
-    }
-    const condObj = condition;
-    if ("equals" in condObj) {
-      result[field] = condObj["equals"];
-      continue;
-    }
-    const ops = {};
-    let hasComparisonOp = false;
-    for (const op of COMPARISON_OPS) {
-      if (op in condObj) {
-        ops[`$${op}`] = condObj[op];
-        hasComparisonOp = true;
-      }
-    }
-    if (hasComparisonOp) {
-      result[field] = ops;
-    } else {
-      result[field] = condition;
-    }
-  }
-  return result;
-}
 var CollectionOperationsImpl = class _CollectionOperationsImpl {
   constructor(slug2, collectionConfig, adapter, context, allCollections = []) {
     this.slug = slug2;
@@ -3180,11 +3554,37 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
   }
   async find(options = {}) {
     await this.checkAccess("read");
+    if (!this.context.overrideAccess) {
+      await validateWhereFields(
+        options.where,
+        this.collectionConfig.fields,
+        this.buildRequestContext()
+      );
+      await validateSortField(
+        options.sort,
+        this.collectionConfig.fields,
+        this.buildRequestContext()
+      );
+    }
     await this.runBeforeReadHooks();
-    const limit = options.limit ?? 10;
-    const page = options.page ?? 1;
+    const rawLimit = options.limit ?? 10;
+    const rawPage = options.page ?? 1;
+    const limit = Math.max(
+      1,
+      Math.min(Number.isFinite(rawLimit) ? Math.floor(rawLimit) : 10, MAX_PAGE_LIMIT)
+    );
+    const page = Math.max(
+      1,
+      Math.min(Number.isFinite(rawPage) ? Math.floor(rawPage) : 1, MAX_PAGE)
+    );
     const { depth: _depth, where, withDeleted: _wd, onlyDeleted: _od, ...queryOptions } = options;
-    const whereParams = flattenWhereClause(where);
+    const { cleanedWhere, joins, allJoins } = extractRelationshipJoins(
+      where,
+      this.collectionConfig.fields,
+      this.allCollections
+    );
+    await this.enforceWhereLimits(cleanedWhere, allJoins);
+    const whereParams = flattenWhereClause(cleanedWhere);
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && !options.withDeleted && !options.onlyDeleted) {
       whereParams[softDeleteField] = null;
@@ -3209,6 +3609,9 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       limit,
       page
     };
+    if (joins.length > 0) {
+      query["$joins"] = joins.map(({ rawWhere: _rw, ...rest }) => rest);
+    }
     const docs = await this.adapter.find(this.slug, query);
     let afterHookDocs = await this.processAfterReadHooks(docs);
     const MAX_RELATIONSHIP_DEPTH = 10;
@@ -3232,14 +3635,15 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       );
     }
     const countQuery = { ...queryOptions, ...whereParams };
+    if (joins.length > 0) {
+      countQuery["$joins"] = joins.map(({ rawWhere: _rw, ...rest }) => rest);
+    }
     delete countQuery["limit"];
     delete countQuery["page"];
-    const allDocs = await this.adapter.find(this.slug, {
-      ...countQuery,
-      limit: 0
-      // Signal to adapter: count-only (returns all if not supported)
-    });
-    const totalDocs = allDocs.length;
+    const totalDocs = this.adapter.count ? await this.adapter.count(this.slug, countQuery) : (
+      // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- Adapter returns Record<string, unknown>[], safe cast to T[]
+      (await this.adapter.find(this.slug, { ...countQuery, limit: 0 })).length
+    );
     const totalPages = Math.ceil(totalDocs / limit) || 1;
     return {
       docs: afterHookDocs,
@@ -3476,7 +3880,12 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
   async restore(id) {
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (!softDeleteField) {
-      throw new Error(`Collection "${this.slug}" does not have soft delete enabled`);
+      throw new ValidationError([
+        {
+          field: "_softDelete",
+          message: `Collection "${this.slug}" does not have soft delete enabled`
+        }
+      ]);
     }
     const restoreAccessFn = this.collectionConfig.access?.restore;
     if (restoreAccessFn) {
@@ -3534,20 +3943,43 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
     if (softDeleteField) {
       softDeleteFilter[softDeleteField] = null;
     }
+    const defaultWhereFilter = {};
+    if (this.collectionConfig.defaultWhere) {
+      const constraints = this.collectionConfig.defaultWhere(this.buildRequestContext());
+      if (constraints) {
+        Object.assign(defaultWhereFilter, constraints);
+      }
+    }
     let docs;
     if (this.adapter.search) {
       docs = await this.adapter.search(this.slug, query, searchFields, { limit, page });
       if (softDeleteField) {
         docs = docs.filter((doc) => !doc[softDeleteField]);
       }
+      if (Object.keys(defaultWhereFilter).length > 0) {
+        docs = docs.filter((doc) => {
+          return Object.entries(defaultWhereFilter).every(([key, value]) => {
+            if (value && typeof value === "object" && !Array.isArray(value)) {
+              return JSON.stringify(doc[key]) === JSON.stringify(value);
+            }
+            return doc[key] === value;
+          });
+        });
+      }
     } else {
-      docs = await this.adapter.find(this.slug, { ...softDeleteFilter, limit, page });
+      docs = await this.adapter.find(this.slug, {
+        ...softDeleteFilter,
+        ...defaultWhereFilter,
+        limit,
+        page
+      });
     }
     const resolvedDocs = docs;
-    const totalDocs = resolvedDocs.length;
+    const afterHookDocs = await this.processAfterReadHooks(resolvedDocs);
+    const totalDocs = afterHookDocs.length;
     const totalPages = Math.max(1, Math.ceil(totalDocs / limit));
     return {
-      docs: resolvedDocs,
+      docs: afterHookDocs,
       totalDocs,
       totalPages,
       page,
@@ -3560,13 +3992,40 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
   }
   async count(where, options) {
     await this.checkAccess("read");
-    const whereParams = flattenWhereClause(where);
+    if (!this.context.overrideAccess) {
+      await validateWhereFields(where, this.collectionConfig.fields, this.buildRequestContext());
+    }
+    const { cleanedWhere, joins, allJoins } = extractRelationshipJoins(
+      where,
+      this.collectionConfig.fields,
+      this.allCollections
+    );
+    await this.enforceWhereLimits(cleanedWhere, allJoins);
+    const whereParams = flattenWhereClause(cleanedWhere);
     const softDeleteField = getSoftDeleteField(this.collectionConfig);
     if (softDeleteField && !options?.withDeleted) {
       whereParams[softDeleteField] = null;
     }
-    const query = { ...whereParams, limit: 0 };
-    const docs = await this.adapter.find(this.slug, query);
+    if (this.collectionConfig.defaultWhere) {
+      const constraints = this.collectionConfig.defaultWhere(this.buildRequestContext());
+      if (constraints) {
+        Object.assign(whereParams, constraints);
+      }
+    }
+    if (hasVersionDrafts(this.collectionConfig) && !this.context.overrideAccess) {
+      const canSeeDrafts = await this.canReadDrafts();
+      if (!canSeeDrafts) {
+        whereParams["_status"] = "published";
+      }
+    }
+    const query = { ...whereParams };
+    if (joins.length > 0) {
+      query["$joins"] = joins.map(({ rawWhere: _rw, ...rest }) => rest);
+    }
+    if (this.adapter.count) {
+      return this.adapter.count(this.slug, query);
+    }
+    const docs = await this.adapter.find(this.slug, { ...query, limit: 0 });
     return docs.length;
   }
   async batchCreate(items) {
@@ -3726,6 +4185,46 @@ var CollectionOperationsImpl = class _CollectionOperationsImpl {
       return false;
     }
   }
+  async enforceWhereLimits(cleanedWhere, joins) {
+    if (joins.length > MAX_JOINS) {
+      throw new ValidationError([
+        {
+          field: "where",
+          message: `Number of relationship joins (${joins.length}) exceeds maximum of ${MAX_JOINS}.`
+        }
+      ]);
+    }
+    const mainCount = cleanedWhere ? countWhereConditions(cleanedWhere) : 0;
+    const joinCount = joins.reduce((sum, j) => sum + countWhereConditions(j.rawWhere), 0);
+    const totalConditions = mainCount + joinCount;
+    if (totalConditions > MAX_WHERE_CONDITIONS) {
+      throw new ValidationError([
+        {
+          field: "where",
+          message: `Where clause exceeds maximum of ${MAX_WHERE_CONDITIONS} conditions (got ${totalConditions} across main query and ${joins.length} join(s)).`
+        }
+      ]);
+    }
+    if (!this.context.overrideAccess) {
+      for (const join2 of joins) {
+        const targetCol = this.allCollections.find(
+          (c) => (c.dbName ?? c.slug) === join2.targetTable
+        );
+        if (targetCol) {
+          const collectionAccessFn = targetCol.access?.read;
+          if (collectionAccessFn) {
+            const allowed = await Promise.resolve(
+              collectionAccessFn({ req: this.buildRequestContext() })
+            );
+            if (!allowed) {
+              throw new AccessDeniedError("read", targetCol.slug);
+            }
+          }
+          await validateWhereFields(join2.rawWhere, targetCol.fields, this.buildRequestContext());
+        }
+      }
+    }
+  }
   buildRequestContext() {
     return {
       user: this.context.user
@@ -4134,7 +4633,14 @@ function createMomentumHandlers(config) {
       });
       return {
         docs: result.docs,
-        totalDocs: result.totalDocs
+        totalDocs: result.totalDocs,
+        totalPages: result.totalPages,
+        page: result.page,
+        limit: result.limit,
+        hasNextPage: result.hasNextPage,
+        hasPrevPage: result.hasPrevPage,
+        nextPage: result.nextPage,
+        prevPage: result.prevPage
       };
     } catch (error) {
       return handleError(error);
@@ -4222,7 +4728,14 @@ function createMomentumHandlers(config) {
       const result = await api.collection(request.collectionSlug).search(q, { fields, limit, page });
       return {
         docs: result.docs,
-        totalDocs: result.totalDocs
+        totalDocs: result.totalDocs,
+        totalPages: result.totalPages,
+        page: result.page,
+        limit: result.limit,
+        hasNextPage: result.hasNextPage,
+        hasPrevPage: result.hasPrevPage,
+        nextPage: result.nextPage,
+        prevPage: result.prevPage
       };
     } catch (error) {
       return handleError(error);
@@ -4287,51 +4800,6 @@ function handleError(error) {
   return { error: "Unknown error", status: 500 };
 }
 
-// libs/server-core/src/lib/collection-access.ts
-async function checkSingleCollectionAdminAccess(collection, user) {
-  const adminFn = collection.access?.admin;
-  if (!adminFn) {
-    return !!user;
-  }
-  const accessArgs = {
-    req: { user }
-  };
-  return Promise.resolve(adminFn(accessArgs));
-}
-async function checkAccessFunction(accessFn, user, defaultIfUndefined) {
-  if (!accessFn) {
-    return defaultIfUndefined;
-  }
-  const accessArgs = {
-    req: { user }
-  };
-  return Promise.resolve(accessFn(accessArgs));
-}
-async function getCollectionPermissions(config, user) {
-  const results = await Promise.all(
-    config.collections.map(async (collection) => {
-      const isManaged = collection.managed === true;
-      const [canAccess, canCreate, canRead, canUpdate, canDelete] = await Promise.all([
-        checkSingleCollectionAdminAccess(collection, user),
-        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.create, user, !!user),
-        checkAccessFunction(collection.access?.read, user, true),
-        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.update, user, !!user),
-        isManaged ? Promise.resolve(false) : checkAccessFunction(collection.access?.delete, user, !!user)
-      ]);
-      return {
-        slug: collection.slug,
-        canAccess,
-        canCreate,
-        canRead,
-        canUpdate,
-        canDelete,
-        ...isManaged ? { managed: true } : {}
-      };
-    })
-  );
-  return results;
-}
-
 // libs/server-core/src/lib/seeding/seed-tracker.ts
 var import_node_crypto = require("node:crypto");
 function createSeedTracker(adapter) {
@@ -5364,7 +5832,7 @@ function checkDepth(node, currentDepth, maxDepth, context) {
     }
   }
 }
-async function executeGraphQL(schema, requestBody, context) {
+async function executeGraphQL(schema, requestBody, context, options) {
   if (!requestBody.query) {
     return {
       status: 400,
@@ -5380,6 +5848,17 @@ async function executeGraphQL(schema, requestBody, context) {
       body: { errors: [{ message: "Query parsing failed" }] }
     };
   }
+  if (options?.readOnly) {
+    const hasMutation = document.definitions.some(
+      (def) => def.kind === "OperationDefinition" && def.operation === "mutation"
+    );
+    if (hasMutation) {
+      return {
+        status: 405,
+        body: { errors: [{ message: "Mutations are not allowed via GET requests" }] }
+      };
+    }
+  }
   const depthErrors = (0, import_graphql3.validate)(schema, document, [depthLimitRule(MAX_QUERY_DEPTH)]);
   if (depthErrors.length > 0) {
     return {
@@ -6799,24 +7278,29 @@ function momentumApiMiddleware(config) {
   const router = (0, import_express.Router)();
   const handlers = createMomentumHandlers(config);
   router.use((0, import_express.json)());
+  router.use((_req, res, next) => {
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "DENY");
+    res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+    res.setHeader("X-Permitted-Cross-Domain-Policies", "none");
+    next();
+  });
   router.use((req, res, next) => {
     const corsConfig = config.server?.cors ?? {};
     const origins = Array.isArray(corsConfig.origin) ? corsConfig.origin : corsConfig.origin ? [corsConfig.origin] : [];
-    let allowOrigin;
-    if (origins.length === 0) {
-      allowOrigin = "*";
+    if (origins.length === 0 || origins.includes("*")) {
+      if (process.env["NODE_ENV"] === "production") {
+        createLogger("CORS").warn(
+          'Origin is set to "*" in production. Configure explicit origins via config.server.cors.origin.'
+        );
+      }
+      res.setHeader("Access-Control-Allow-Origin", "*");
     } else {
       const requestOrigin = req.headers["origin"] ?? "";
-      allowOrigin = origins.includes(requestOrigin) ? requestOrigin : origins[0];
-    }
-    if (allowOrigin === "*" && process.env["NODE_ENV"] === "production") {
-      createLogger("CORS").warn(
-        'Origin is set to "*" in production. Configure explicit origins via config.server.cors.origin.'
-      );
-    }
-    res.setHeader("Access-Control-Allow-Origin", allowOrigin);
-    if (allowOrigin !== "*") {
       res.setHeader("Vary", "Origin");
+      if (origins.includes(requestOrigin)) {
+        res.setHeader("Access-Control-Allow-Origin", requestOrigin);
+      }
     }
     res.setHeader(
       "Access-Control-Allow-Methods",
@@ -6899,7 +7383,12 @@ function momentumApiMiddleware(config) {
       res.status(400).json({ errors: [{ message: "Query parameter required" }] });
       return;
     }
-    const result = await executeGraphQL(graphqlSchema, { query: queryParam }, { user });
+    const result = await executeGraphQL(
+      graphqlSchema,
+      { query: queryParam },
+      { user },
+      { readOnly: true }
+    );
     res.status(result.status).json(result.body);
   });
   router.get("/globals/:slug", async (req, res) => {
@@ -7232,7 +7721,14 @@ function momentumApiMiddleware(config) {
       res.json({ status });
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Unknown error");
-      res.status(500).json({ error: "Failed to get status", message });
+      let status = 500;
+      if (error instanceof Error) {
+        if (error.name === "AccessDeniedError")
+          status = 403;
+        else if (error.name === "DocumentNotFoundError")
+          status = 404;
+      }
+      res.status(status).json({ error: status === 403 ? "Access denied" : "Failed to get status", message });
     }
   });
   async function handlePreviewRequest(req, res) {
@@ -7421,8 +7917,11 @@ function momentumApiMiddleware(config) {
         return { docs, totalDocs: docs.length };
       },
       findById: (slug2, id) => txAdapter.findById(slug2, id),
-      count: async (slug2) => {
-        const docs = await txAdapter.find(slug2, {});
+      count: async (slug2, where) => {
+        if (txAdapter.count) {
+          return txAdapter.count(slug2, where ?? {});
+        }
+        const docs = await txAdapter.find(slug2, where ?? {});
         return docs.length;
       },
       create: (slug2, data) => txAdapter.create(slug2, data),
@@ -7464,7 +7963,7 @@ function momentumApiMiddleware(config) {
                 throw err;
               }
             },
-            count: (slug2) => ctxApi.collection(slug2).count(),
+            count: (slug2, where) => ctxApi.collection(slug2).count(where),
             create: async (slug2, data) => {
               return await ctxApi.collection(slug2).create(data);
             },
@@ -7487,6 +7986,8 @@ function momentumApiMiddleware(config) {
             collection,
             // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- Express body is parsed JSON
             body: req.body,
+            // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- Express query params
+            params: req.query,
             query: buildQueryHelper(contextApi)
           });
           res.status(result.status).json(result.body);
@@ -7554,7 +8055,15 @@ function momentumApiMiddleware(config) {
       }
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Batch operation failed");
-      const status = error instanceof Error && error.name === "ValidationError" ? 400 : 500;
+      let status = 500;
+      if (error instanceof Error) {
+        if (error.name === "ValidationError")
+          status = 400;
+        else if (error.name === "DocumentNotFoundError")
+          status = 404;
+        else if (error.name === "AccessDeniedError")
+          status = 403;
+      }
       res.status(status).json({ error: message });
     }
   });
@@ -7613,7 +8122,16 @@ function momentumApiMiddleware(config) {
       }
     } catch (error) {
       const message = sanitizeErrorMessage(error, "Export failed");
-      res.status(500).json({ error: message });
+      let status = 500;
+      if (error instanceof Error) {
+        if (error.name === "AccessDeniedError")
+          status = 403;
+        else if (error.name === "ValidationError")
+          status = 400;
+        else if (error.name === "DocumentNotFoundError")
+          status = 404;
+      }
+      res.status(status).json({ error: message });
     }
   });
   router.post("/:collection/import", async (req, res) => {
@@ -8411,6 +8929,7 @@ function createSetupMiddleware(config) {
   const dbConfig = isLegacyConfig(config) ? { type: "sqlite", database: config.database } : config.db;
   const { auth } = config;
   const router = (0, import_express3.Router)();
+  let setupInProgress = false;
   router.get("/setup/status", async (_req, res) => {
     let hasUsers;
     if (dbConfig.type === "sqlite") {
@@ -8425,6 +8944,13 @@ function createSetupMiddleware(config) {
     res.json(status);
   });
   router.post("/setup/create-admin", async (req, res) => {
+    if (setupInProgress) {
+      res.status(409).json({
+        error: { message: "Setup is already in progress." }
+      });
+      return;
+    }
+    setupInProgress = true;
     try {
       let hasUsers;
       if (dbConfig.type === "sqlite") {
@@ -8501,9 +9027,10 @@ function createSetupMiddleware(config) {
           updatedAt: userRow.updatedAt
         }
       });
-    } catch (error) {
-      const message = error instanceof Error ? error.message : "Failed to create admin user";
-      res.status(500).json({ error: { message } });
+    } catch {
+      res.status(500).json({ error: { message: "Failed to create admin user" } });
+    } finally {
+      setupInProgress = false;
     }
   });
   return router;
@@ -8579,9 +9106,8 @@ function createApiKeyRoutes(config) {
       return;
     }
     const role = body.role ?? "user";
-    const validRoles = ["admin", "editor", "user", "viewer"];
-    if (!validRoles.includes(role)) {
-      res.status(400).json({ error: `Invalid role. Must be one of: ${validRoles.join(", ")}` });
+    if (!ROLE_HIERARCHY.includes(role)) {
+      res.status(400).json({ error: `Invalid role. Must be one of: ${ROLE_HIERARCHY.join(", ")}` });
       return;
     }
     const userRoleIndex = ROLE_HIERARCHY.indexOf(user.role ?? "viewer");
@@ -8647,7 +9173,7 @@ function createApiKeyRoutes(config) {
           return;
         }
         if (existingKey.createdBy !== user.id) {
-          res.status(403).json({ error: "You can only delete your own API keys" });
+          res.status(404).json({ error: "API key not found" });
           return;
         }
       }
@@ -8918,6 +9444,20 @@ function createHealthMiddleware(options = {}) {
   return router;
 }
 
+// libs/server-express/src/lib/rate-limit-middleware.ts
+function createRateLimitMiddleware(limiter) {
+  return (req, res, next) => {
+    const forwarded = req.headers["x-forwarded-for"];
+    const key = (forwarded ? forwarded.toString().split(",")[0].trim() : req.ip) ?? "unknown";
+    if (!limiter.isAllowed(key)) {
+      res.setHeader("Retry-After", "60");
+      res.status(429).json({ error: "Too many requests. Please try again later." });
+      return;
+    }
+    next();
+  };
+}
+
 // libs/server-express/src/lib/create-momentum-server.ts
 var import_express6 = __toESM(require("express"));
 async function createMomentumServer(options) {
@@ -9004,6 +9544,7 @@ async function createMomentumServer(options) {
   createMomentumServer,
   createOpenAPIMiddleware,
   createProtectMiddleware,
+  createRateLimitMiddleware,
   createSessionResolverMiddleware,
   createSetupMiddleware,
   getPluginMiddleware,