@opensaas/stack-core 0.20.0 → 0.21.0

package/dist/context/write-pipeline.js

@@ -0,0 +1,306 @@
+import { checkAccess, mergeFilters, filterReadableFields, filterWritableFields, } from '../access/index.js';
+import { executeValidate, executeBeforeOperation, executeAfterOperation, executeFieldValidateHooks, executeFieldBeforeOperationHooks, executeFieldAfterOperationHooks, ValidationError, } from '../hooks/index.js';
+import { hookPipeline } from './hook-pipeline.js';
+import { processNestedOperations } from './nested-operations.js';
+import { getDbKey } from '../lib/case-utils.js';
+/**
+ * Resolve the dynamic Prisma model for a list. Model names are generated at
+ * runtime from list keys, which is the one place a cast is unavoidable — it is
+ * kept localized here (mirroring the existing pattern in `context/index.ts`).
+ */
+function getModel(prisma, listName) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- model names are generated at runtime
+    return prisma[getDbKey(listName)];
+}
+/**
+ * Check if a list is configured as a singleton.
+ */
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+function isSingletonList(listConfig) {
+    return !!listConfig.isSingleton;
+}
+/**
+ * Run the canonical secured write sequence once.
+ *
+ * Phase order (owned here, in one place):
+ *   resolve target + operation-level access
+ *     → list/field `resolveInput`
+ *     → list/field `validate`
+ *     → built-in field rules (`validateFieldRules`)
+ *     → filter writable fields
+ *     → nested operations
+ *     → list/field `beforeOperation`
+ *     → DB
+ *     → list/field `afterOperation`
+ *     → `filterReadableFields` (Field Visibility)
+ *
+ * Contract preserved exactly:
+ *   - missing target / access denied / filter non-match → `null` (silent),
+ *     BEFORE the DB call and BEFORE `beforeOperation`.
+ *   - validation failure → THROW `ValidationError` (never silent).
+ *   - sudo mode skips access checks and writable-field filtering (the strategy
+ *     and `filterWritableFields` both honour `context._isSudo`).
+ *   - `afterOperation` receives `originalItem` for update/delete (undefined for
+ *     create).
+ *   - delete returns the deleted row as-is (no Field Visibility pass), matching
+ *     current behaviour.
+ */
+export async function runWritePipeline(args) {
+    const { listName, listConfig, prisma, context, config, inputData, strategy } = args;
+    const { operation } = strategy;
+    const model = getModel(prisma, listName);
+    // ── Phase 1: resolve target + operation-level access ──────────────────────
+    // Short-circuits to `null` (silent failure) for missing target, denied
+    // access, or filter non-match — before any hook side effects or the DB call.
+    const resolution = await strategy.resolveTarget(model);
+    if (resolution.status === 'denied') {
+        return null;
+    }
+    const originalItem = resolution.originalItem;
+    // ── Delete path: skip input phases, run only validate/field-validate ────────
+    // (matches current delete behaviour exactly).
+    if (!strategy.runInputPhases) {
+        return runDeletePath({ listName, listConfig, context, originalItem, model, strategy });
+    }
+    // Only create/update reach here (delete short-circuited above). Narrow the
+    // operation so the field-hook helpers receive a 'create' | 'update' value.
+    const writeOp = operation === 'create' ? 'create' : 'update';
+    // `inputData` is always present for create/update (the operations that run
+    // input phases). Default to {} only as a defensive measure.
+    const input = inputData ?? {};
+    // ── Phases 2–4: transform + validate span (Hook Pipeline) ──────────────────
+    // The Hook Pipeline owns the list/field `resolveInput` → list/field `validate`
+    // → built-in field rules span and the `resolvedData` threading through it. It
+    // THROWS `ValidationError` on any validation failure (never silent).
+    const { resolvedData } = await hookPipeline.run({
+        operation: writeOp,
+        listName,
+        listConfig,
+        inputData: input,
+        item: originalItem,
+        context,
+    });
+    // ── Phase 5: filter writable fields (field-level access, skip if sudo) ──────
+    const filteredData = await filterWritableFields(resolvedData, listConfig.fields, writeOp, {
+        session: context.session,
+        item: originalItem,
+        context: { ...context, _isSudo: context._isSudo },
+        inputData: input,
+    });
+    // ── Phase 5.5: process nested relationship operations ───────────────────────
+    const data = await processNestedOperations(filteredData, listConfig.fields, config, { ...context, prisma }, writeOp);
+    // ── Phase 6: field-level beforeOperation (side effects only) ────────────────
+    await executeFieldBeforeOperationHooks(input, resolvedData, listConfig.fields, writeOp, context, listName, originalItem);
+    // ── Phase 7: list-level beforeOperation ─────────────────────────────────────
+    await executeBeforeOperation(listConfig.hooks, operation === 'create'
+        ? {
+            listKey: listName,
+            operation: 'create',
+            inputData: input,
+            resolvedData,
+            context,
+        }
+        : {
+            listKey: listName,
+            operation: 'update',
+            inputData: input,
+            item: originalItem,
+            resolvedData,
+            context,
+        });
+    // ── Phase 8: DB write ───────────────────────────────────────────────────────
+    const item = await strategy.persist(model, data);
+    // ── Phase 9: list-level afterOperation ──────────────────────────────────────
+    await executeAfterOperation(listConfig.hooks, operation === 'create'
+        ? {
+            listKey: listName,
+            operation: 'create',
+            inputData: input,
+            item,
+            resolvedData,
+            context,
+        }
+        : {
+            listKey: listName,
+            operation: 'update',
+            inputData: input,
+            // originalItem is the row before the update
+            originalItem: originalItem,
+            item,
+            resolvedData,
+            context,
+        });
+    // ── Phase 10: field-level afterOperation (side effects only) ────────────────
+    await executeFieldAfterOperationHooks(item, input, resolvedData, listConfig.fields, writeOp, context, listName, originalItem);
+    // ── Phase 11: Field Visibility (filter readable fields + resolveOutput) ─────
+    return filterReadableFields(item, listConfig.fields, {
+        session: context.session,
+        context: { ...context, _isSudo: context._isSudo },
+    }, config, 0, listName);
+}
+/**
+ * The delete tail of the pipeline: skips the input-shaping phases and runs only
+ * validate/field-validate before the DB delete, then the after-hooks. Returns
+ * the deleted row as-is (no Field Visibility pass) — matching current delete
+ * behaviour exactly.
+ */
+async function runDeletePath(args) {
+    const { listName, listConfig, context, originalItem, model, strategy } = args;
+    const item = originalItem;
+    // ── Phase 3: list-level validate (delete) ──────────────────────────────────
+    await executeValidate(listConfig.hooks, {
+        listKey: listName,
+        operation: 'delete',
+        item,
+        context,
+    });
+    // ── Phase 3.5: field-level validate (delete) ────────────────────────────────
+    await executeFieldValidateHooks(undefined, undefined, listConfig.fields, 'delete', context, listName, item);
+    // ── Phase 6: field-level beforeOperation (delete) ───────────────────────────
+    await executeFieldBeforeOperationHooks({}, {}, listConfig.fields, 'delete', context, listName, item);
+    // ── Phase 7: list-level beforeOperation (delete) ────────────────────────────
+    await executeBeforeOperation(listConfig.hooks, {
+        listKey: listName,
+        operation: 'delete',
+        item,
+        context,
+    });
+    // ── Phase 8: DB delete ──────────────────────────────────────────────────────
+    const deleted = await strategy.persist(model, {});
+    // ── Phase 9: list-level afterOperation (delete) ─────────────────────────────
+    await executeAfterOperation(listConfig.hooks, {
+        listKey: listName,
+        operation: 'delete',
+        originalItem: item,
+        context,
+    });
+    // ── Phase 10: field-level afterOperation (delete) ───────────────────────────
+    await executeFieldAfterOperationHooks(deleted, undefined, undefined, listConfig.fields, 'delete', context, listName, item);
+    return deleted;
+}
+// ── Per-operation strategies ──────────────────────────────────────────────────
+/**
+ * Create strategy.
+ *
+ * Axis 1: checks `create` access with NO existing row. Enforces the
+ * singleton-create constraint even under sudo. On create, an access result of
+ * `true` OR a filter object both proceed — there is no filter re-check.
+ * Axis 2: runs all input phases.
+ * Axis 3: `model.create({ data })`, prepending `id: 1` for singleton lists.
+ */
+export function createWriteStrategy(listName, 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+listConfig, context) {
+    const singleton = isSingletonList(listConfig);
+    return {
+        operation: 'create',
+        runInputPhases: true,
+        async resolveTarget(model) {
+            // Singleton constraint is enforced even under sudo.
+            if (singleton) {
+                const existingCount = await model.count();
+                if (existingCount > 0) {
+                    throw new ValidationError([`Cannot create: ${listName} is a singleton list with an existing record`], {});
+                }
+            }
+            if (!context._isSudo) {
+                const accessResult = await checkAccess(listConfig.access?.operation?.create, {
+                    session: context.session,
+                    context,
+                });
+                if (accessResult === false) {
+                    return { status: 'denied' };
+                }
+            }
+            return { status: 'ok', originalItem: undefined };
+        },
+        async persist(model, data) {
+            // Singleton lists use Int @id with value always 1 (matching Keystone 6).
+            const createData = singleton ? { id: 1, ...data } : data;
+            return model.create({ data: createData });
+        },
+    };
+}
+/**
+ * Build the shared target resolution for update/delete: fetch the row (missing
+ * → denied), check operation-level access (false → denied), and if access
+ * returns a filter, re-check via `findFirst(mergeFilters(where, filter))`
+ * (no match → denied). An access result of `true` proceeds with no re-check.
+ */
+function resolveExistingTarget(
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+listConfig, context, where, access) {
+    return async (model) => {
+        const item = await model.findUnique({ where });
+        if (!item) {
+            return { status: 'denied' };
+        }
+        if (!context._isSudo) {
+            const accessResult = await checkAccess(listConfig.access?.operation?.[access], {
+                session: context.session,
+                item,
+                context,
+            });
+            if (accessResult === false) {
+                return { status: 'denied' };
+            }
+            // A filter result must additionally match the target row.
+            if (typeof accessResult === 'object') {
+                const matchesFilter = await model.findFirst({
+                    where: mergeFilters(where, accessResult) ?? {},
+                });
+                if (!matchesFilter) {
+                    return { status: 'denied' };
+                }
+            }
+        }
+        return { status: 'ok', originalItem: item };
+    };
+}
+/**
+ * Update strategy.
+ *
+ * Axis 1: fetch row, check `update` access, re-check filter results.
+ * Axis 2: runs all input phases.
+ * Axis 3: `model.update({ where, data })`; afterOperation gets `originalItem`.
+ */
+export function updateWriteStrategy(
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+listConfig, context, where) {
+    return {
+        operation: 'update',
+        runInputPhases: true,
+        resolveTarget: resolveExistingTarget(listConfig, context, where, 'update'),
+        async persist(model, data) {
+            return model.update({ where, data });
+        },
+    };
+}
+/**
+ * Delete strategy.
+ *
+ * Axis 1: enforce singleton constraint (even under sudo), fetch row, check
+ * `delete` access, re-check filter results.
+ * Axis 2: SKIPS input phases (runs only validate/field-validate).
+ * Axis 3: `model.delete({ where })`; afterOperation gets `originalItem`.
+ */
+export function deleteWriteStrategy(listName, 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+listConfig, context, where) {
+    const resolveTarget = resolveExistingTarget(listConfig, context, where, 'delete');
+    return {
+        operation: 'delete',
+        runInputPhases: false,
+        async resolveTarget(model) {
+            // Singleton lists may not be deleted (enforced even under sudo).
+            if (isSingletonList(listConfig)) {
+                throw new ValidationError([`Cannot delete: ${listName} is a singleton list`], {});
+            }
+            return resolveTarget(model);
+        },
+        async persist(model) {
+            return model.delete({ where });
+        },
+    };
+}
+//# sourceMappingURL=write-pipeline.js.map

package/dist/context/write-pipeline.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"write-pipeline.js","sourceRoot":"","sources":["../../src/context/write-pipeline.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,WAAW,EACX,YAAY,EACZ,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EACL,eAAe,EACf,sBAAsB,EACtB,qBAAqB,EACrB,yBAAyB,EACzB,gCAAgC,EAChC,+BAA+B,EAC/B,eAAe,GAChB,MAAM,mBAAmB,CAAA;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAA;AAChE,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AAkF/C;;;;GAIG;AACH,SAAS,QAAQ,CACf,MAAe,EACf,QAAgB;IAEhB,sGAAsG;IACtG,OAAQ,MAAc,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAgB,CAAA;AAC3D,CAAC;AAED;;GAEG;AACH,qGAAqG;AACrG,SAAS,eAAe,CAAC,UAA2B;IAClD,OAAO,CAAC,CAAC,UAAU,CAAC,WAAW,CAAA;AACjC,CAAC;AAkBD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAgC;IAEhC,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAA;IACnF,MAAM,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAA;IAC9B,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;IAExC,6EAA6E;IAC7E,uEAAuE;IACvE,6EAA6E;IAC7E,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,CAAA;IACtD,IAAI,UAAU,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACnC,OAAO,IAAI,CAAA;IACb,CAAC;IACD,MAAM,YAAY,GAAG,UAAU,CAAC,YAAY,CAAA;IAE5C,+EAA+E;IAC/E,8CAA8C;IAC9C,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7B,OAAO,aAAa,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAA;IACxF,CAAC;IAED,2EAA2E;IAC3E,2EAA2E;IAC3E,MAAM,OAAO,GAAwB,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAA;IAEjF,2EAA2E;IAC3E,4DAA4D;IAC5D,MAAM,KAAK,GAAG,SAAS,IAAI,EAAE,CAAA;IAE7B,8EAA8E;IAC9E,+EAA+E;IAC/E,8EAA8E;IAC9E,qEAAqE;IACrE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC;QAC9C,SAAS,EAAE,OAAO;QAClB,QAAQ;QACR,UAAU;QACV,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,YAAY;QAClB,OAAO;KACR,CAAC,CAAA;IAEF,+EAA+E;IAC/E,MAAM,YAAY,GAAG,MAAM,oBAAoB,CAAC,YAAY,EAAE,UAAU,CAAC,MAAM,EAAE,OAAO,EAAE;QACxF,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,EAAE,GAAG,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE;QACjD,SAAS,EAAE,KAAK;KACjB,CAAC,CAAA;IAEF,+EAA+E;IAC/E,MAAM,IAAI,GAAG,MAAM,uBAAuB,CACxC,YAAY,EACZ,UAAU,CAAC,MAAM,EACjB,MAAM,EACN,EAAE,GAAG,OAAO,EAAE,MAAM,EAAE,EACtB,OAAO,CACR,CAAA;IAED,+EAA+E;IAC/E,MAAM,gCAAgC,CACpC,KAAK,EACL,YAAY,EACZ,UAAU,CAAC,MAAM,EACjB,OAAO,EACP,OAAO,EACP,QAAQ,EACR,YAAY,CACb,CAAA;IAED,+EAA+E;IAC/E,MAAM,sBAAsB,CAC1B,UAAU,CAAC,KAAK,EAChB,SAAS,KAAK,QAAQ;QACpB,CAAC,CAAC;YACE,OAAO,EAAE,QAAQ;YACjB,SAAS,EAAE,QAAQ;YACnB,SAAS,EAAE,KAAK;YAChB,YAAY;YACZ,OAAO;SACR;QACH,CAAC,CAAC;YACE,OAAO,EAAE,QAAQ;YACjB,SAAS,EAAE,QAAQ;YACnB,SAAS,EAAE,KAAK;YAChB,IAAI,EAAE,YAAY;YAClB,YAAY;YACZ,OAAO;SACR,CACN,CAAA;IAED,+EAA+E;IAC/E,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;IAEhD,+EAA+E;IAC/E,MAAM,qBAAqB,CACzB,UAAU,CAAC,KAAK,EAChB,SAAS,KAAK,QAAQ;QACpB,CAAC,CAAC;YACE,OAAO,EAAE,QAAQ;YACjB,SAAS,EAAE,QAAQ;YACnB,SAAS,EAAE,KAAK;YAChB,IAAI;YACJ,YAAY;YACZ,OAAO;SACR;QACH,CAAC,CAAC;YACE,OAAO,EAAE,QAAQ;YACjB,SAAS,EAAE,QAAQ;YACnB,SAAS,EAAE,KAAK;YAChB,4CAA4C;YAC5C,YAAY,EAAE,YAAuC;YACrD,IAAI;YACJ,YAAY;YACZ,OAAO;SACR,CACN,CAAA;IAED,+EAA+E;IAC/E,MAAM,+BAA+B,CACnC,IAAI,EACJ,KAAK,EACL,YAAY,EACZ,UAAU,CAAC,MAAM,EACjB,OAAO,EACP,OAAO,EACP,QAAQ,EACR,YAAY,CACb,CAAA;IAED,+EAA+E;IAC/E,OAAO,oBAAoB,CACzB,IAAI,EACJ,UAAU,CAAC,MAAM,EACjB;QACE,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,OAAO,EAAE,EAAE,GAAG,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE;KAClD,EACD,MAAM,EACN,CAAC,EACD,QAAQ,CACT,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,aAAa,CAAC,IAQ5B;IACC,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAA;IAC7E,MAAM,IAAI,GAAG,YAAuC,CAAA;IAEpD,8EAA8E;IAC9E,MAAM,eAAe,CAAC,UAAU,CAAC,KAAK,EAAE;QACtC,OAAO,EAAE,QAAQ;QACjB,SAAS,EAAE,QAAQ;QACnB,IAAI;QACJ,OAAO;KACR,CAAC,CAAA;IAEF,+EAA+E;IAC/E,MAAM,yBAAyB,CAC7B,SAAS,EACT,SAAS,EACT,UAAU,CAAC,MAAM,EACjB,QAAQ,EACR,OAAO,EACP,QAAQ,EACR,IAAI,CACL,CAAA;IAED,+EAA+E;IAC/E,MAAM,gCAAgC,CACpC,EAAE,EACF,EAAE,EACF,UAAU,CAAC,MAAM,EACjB,QAAQ,EACR,OAAO,EACP,QAAQ,EACR,IAAI,CACL,CAAA;IAED,+EAA+E;IAC/E,MAAM,sBAAsB,CAAC,UAAU,CAAC,KAAK,EAAE;QAC7C,OAAO,EAAE,QAAQ;QACjB,SAAS,EAAE,QAAQ;QACnB,IAAI;QACJ,OAAO;KACR,CAAC,CAAA;IAEF,+EAA+E;IAC/E,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;IAEjD,+EAA+E;IAC/E,MAAM,qBAAqB,CAAC,UAAU,CAAC,KAAK,EAAE;QAC5C,OAAO,EAAE,QAAQ;QACjB,SAAS,EAAE,QAAQ;QACnB,YAAY,EAAE,IAAI;QAClB,OAAO;KACR,CAAC,CAAA;IAEF,+EAA+E;IAC/E,MAAM,+BAA+B,CACnC,OAAO,EACP,SAAS,EACT,SAAS,EACT,UAAU,CAAC,MAAM,EACjB,QAAQ,EACR,OAAO,EACP,QAAQ,EACR,IAAI,CACL,CAAA;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;GAQG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAgB;AAChB,qGAAqG;AACrG,UAA2B,EAC3B,OAAsB;IAEtB,MAAM,SAAS,GAAG,eAAe,CAAC,UAAU,CAAC,CAAA;IAC7C,OAAO;QACL,SAAS,EAAE,QAAQ;QACnB,cAAc,EAAE,IAAI;QACpB,KAAK,CAAC,aAAa,CAAC,KAAK;YACvB,oDAAoD;YACpD,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,KAAK,EAAE,CAAA;gBACzC,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;oBACtB,MAAM,IAAI,eAAe,CACvB,CAAC,kBAAkB,QAAQ,8CAA8C,CAAC,EAC1E,EAAE,CACH,CAAA;gBACH,CAAC;YACH,CAAC;YAED,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;gBACrB,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE;oBAC3E,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,OAAO;iBACR,CAAC,CAAA;gBACF,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;oBAC3B,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAA;gBAC7B,CAAC;YACH,CAAC;YAED,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,CAAA;QAClD,CAAC;QACD,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI;YACvB,yEAAyE;YACzE,MAAM,UAAU,GAAG,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAA;YACxD,OAAO,KAAK,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAA;QAC3C,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,qBAAqB;AAC5B,qGAAqG;AACrG,UAA2B,EAC3B,OAAsB,EACtB,KAAqB,EACrB,MAA2B;IAE3B,OAAO,KAAK,EAAE,KAAK,EAAE,EAAE;QACrB,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC,CAAA;QAC9C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAA;QAC7B,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YACrB,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE;gBAC7E,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,IAAI;gBACJ,OAAO;aACR,CAAC,CAAA;YAEF,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;gBAC3B,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAA;YAC7B,CAAC;YAED,0DAA0D;YAC1D,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;gBACrC,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC;oBAC1C,KAAK,EAAE,YAAY,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE;iBAC/C,CAAC,CAAA;gBACF,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAA;gBAC7B,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAA;IAC7C,CAAC,CAAA;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB;AACjC,qGAAqG;AACrG,UAA2B,EAC3B,OAAsB,EACtB,KAAqB;IAErB,OAAO;QACL,SAAS,EAAE,QAAQ;QACnB,cAAc,EAAE,IAAI;QACpB,aAAa,EAAE,qBAAqB,CAAC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC;QAC1E,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI;YACvB,OAAO,KAAK,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;QACtC,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAgB;AAChB,qGAAqG;AACrG,UAA2B,EAC3B,OAAsB,EACtB,KAAqB;IAErB,MAAM,aAAa,GAAG,qBAAqB,CAAC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAA;IACjF,OAAO;QACL,SAAS,EAAE,QAAQ;QACnB,cAAc,EAAE,KAAK;QACrB,KAAK,CAAC,aAAa,CAAC,KAAK;YACvB,iEAAiE;YACjE,IAAI,eAAe,CAAC,UAAU,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,eAAe,CAAC,CAAC,kBAAkB,QAAQ,sBAAsB,CAAC,EAAE,EAAE,CAAC,CAAA;YACnF,CAAC;YACD,OAAO,aAAa,CAAC,KAAK,CAAC,CAAA;QAC7B,CAAC;QACD,KAAK,CAAC,OAAO,CAAC,KAAK;YACjB,OAAO,KAAK,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAA;QAChC,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/extend.d.ts

@@ -0,0 +1,3 @@
+export type { Plugin, PluginContext, GeneratedFiles } from './config/index.js';
+export type { BaseFieldConfig, TypeInfo, TypeDescriptor } from './config/index.js';
+//# sourceMappingURL=extend.d.ts.map

package/dist/extend.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"extend.d.ts","sourceRoot":"","sources":["../src/extend.ts"],"names":[],"mappings":"AAUA,YAAY,EAAE,MAAM,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAG9E,YAAY,EAAE,eAAe,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA"}

package/dist/extend.js

@@ -0,0 +1,10 @@
+// ───────────────────────────────────────────────────────────────
+// @opensaas/stack-core/extend
+//
+// Authoring contracts for extending the stack: implement these when
+// you build a plugin or a third-party field package. Stable, public
+// API — distinct from the everyday consumer surface on the root entry
+// point and from the unstable plumbing on `/internal`.
+// ───────────────────────────────────────────────────────────────
+export {};
+//# sourceMappingURL=extend.js.map

package/dist/extend.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"extend.js","sourceRoot":"","sources":["../src/extend.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,8BAA8B;AAC9B,EAAE;AACF,oEAAoE;AACpE,oEAAoE;AACpE,sEAAsE;AACtE,uDAAuD;AACvD,kEAAkE"}

package/dist/fields/index.d.ts

@@ -1,4 +1,5 @@
 import type { TextField, IntegerField, DecimalField, CheckboxField, TimestampField, CalendarDayField, PasswordField, SelectField, RelationshipField, JsonField, VirtualField } from '../config/types.js';
+export type { TextField, IntegerField, DecimalField, CheckboxField, TimestampField, CalendarDayField, PasswordField, SelectField, RelationshipField, JsonField, VirtualField, PrismaRelationResult, } from '../config/types.js';
 /**
  * Text field
  */

package/dist/fields/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/fields/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,cAAc,EACd,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,iBAAiB,EACjB,SAAS,EACT,YAAY,EACb,MAAM,oBAAoB,CAAA;AAa3B;;GAEG;AACH,wBAAgB,IAAI,CAClB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC,SAAS,CAAC,CAiFpE;AAED;;GAEG;AACH,wBAAgB,OAAO,CACrB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,YAAY,CAAC,SAAS,CAAC,CA+D1E;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,wBAAgB,OAAO,CACrB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,YAAY,CAAC,SAAS,CAAC,CAuH1E;AAED;;GAEG;AACH,wBAAgB,QAAQ,CACtB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,aAAa,CAAC,SAAS,CAAC,CAuC5E;AAED;;GAEG;AACH,wBAAgB,SAAS,CACvB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,cAAc,CAAC,SAAS,CAAC,CA0D9E;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,wBAAgB,WAAW,CACzB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAiFlF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,wBAAgB,QAAQ,CAAC,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,EAC9E,OAAO,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAC/C,aAAa,CAAC,SAAS,CAAC,CAqH1B;AAOD;;GAEG;AACH,wBAAgB,MAAM,CACpB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,WAAW,CAAC,SAAS,CAAC,CAiGvE;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,EAAE,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAoCnF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,wBAAgB,IAAI,CAClB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC,SAAS,CAAC,CA0DpE;AAsDD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqEG;AACH,wBAAgB,OAAO,CAAC,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,EAC7E,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,SAAS,GAAG,YAAY,GAAG,MAAM,CAAC,GAAG;IAC1E,IAAI,EAAE,OAAO,oBAAoB,EAAE,cAAc,CAAA;CAClD,GACA,YAAY,CAAC,SAAS,CAAC,CAqCzB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/fields/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,cAAc,EACd,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,iBAAiB,EACjB,SAAS,EACT,YAAY,EAIb,MAAM,oBAAoB,CAAA;AAM3B,YAAY,EACV,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,cAAc,EACd,gBAAgB,EAChB,aAAa,EACb,WAAW,EACX,iBAAiB,EACjB,SAAS,EACT,YAAY,EACZ,oBAAoB,GACrB,MAAM,oBAAoB,CAAA;AAY3B;;GAEG;AACH,wBAAgB,IAAI,CAClB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC,SAAS,CAAC,CAiFpE;AAED;;GAEG;AACH,wBAAgB,OAAO,CACrB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,YAAY,CAAC,SAAS,CAAC,CA+D1E;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,wBAAgB,OAAO,CACrB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,YAAY,CAAC,SAAS,CAAC,CAuH1E;AAED;;GAEG;AACH,wBAAgB,QAAQ,CACtB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,aAAa,CAAC,SAAS,CAAC,CAuC5E;AAED;;GAEG;AACH,wBAAgB,SAAS,CACvB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,cAAc,CAAC,SAAS,CAAC,CA0D9E;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,wBAAgB,WAAW,CACzB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAiFlF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,wBAAgB,QAAQ,CAAC,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,EAC9E,OAAO,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAC/C,aAAa,CAAC,SAAS,CAAC,CAqH1B;AAOD;;GAEG;AACH,wBAAgB,MAAM,CACpB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,WAAW,CAAC,SAAS,CAAC,CAiGvE;AAwRD;;GAEG;AACH,wBAAgB,YAAY,CAC1B,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,EAAE,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,iBAAiB,CAAC,SAAS,CAAC,CA6CnF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AACH,wBAAgB,IAAI,CAClB,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,GAAG,OAAO,oBAAoB,EAAE,QAAQ,EAC/F,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC,SAAS,CAAC,CA0DpE;AAsDD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqEG;AACH,wBAAgB,OAAO,CAAC,SAAS,SAAS,OAAO,oBAAoB,EAAE,QAAQ,EAC7E,OAAO,EAAE,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,SAAS,GAAG,YAAY,GAAG,MAAM,CAAC,GAAG;IAC1E,IAAI,EAAE,OAAO,oBAAoB,EAAE,cAAc,CAAA;CAClD,GACA,YAAY,CAAC,SAAS,CAAC,CAqCzB"}

package/dist/fields/index.js

@@ -541,7 +541,7 @@ export function password(options) {
         type: 'password',
         ...options,
         resultExtension: {
-            outputType: "import('@opensaas/stack-core').HashedPassword",
+            outputType: "import('@opensaas/stack-core/internal').HashedPassword",
             // No compute - delegates to resolveOutput hook
         },
         ui: {
@@ -733,6 +733,215 @@ export function select(options) {
         },
     };
 }
+/**
+ * Parse a relationship ref into its target list and optional target field.
+ * Supports both 'ListName.fieldName' (bidirectional) and 'ListName' (list-only) formats.
+ */
+function parseRelationshipRef(ref) {
+    const parts = ref.split('.');
+    if (parts.length === 1) {
+        const list = parts[0];
+        if (!list) {
+            throw new Error(`Invalid relationship ref: ${ref}`);
+        }
+        return { list };
+    }
+    else if (parts.length === 2) {
+        const [list, field] = parts;
+        if (!list || !field) {
+            throw new Error(`Invalid relationship ref: ${ref}`);
+        }
+        return { list, field };
+    }
+    else {
+        throw new Error(`Invalid relationship ref: ${ref}`);
+    }
+}
+/**
+ * Check if a relationship is one-to-one (bidirectional with both sides having many: false).
+ */
+function isOneToOneRelationship(fieldName, field, config) {
+    const { list: targetList, field: targetField } = parseRelationshipRef(field.ref);
+    if (!targetField) {
+        return false;
+    }
+    if (field.many) {
+        return false;
+    }
+    const targetListConfig = config.lists[targetList];
+    if (!targetListConfig) {
+        throw new Error(`Referenced list "${targetList}" not found in config`);
+    }
+    const targetFieldConfig = targetListConfig.fields[targetField];
+    if (!targetFieldConfig) {
+        throw new Error(`Referenced field "${targetList}.${targetField}" not found. If you want a one-sided relationship, use ref: "${targetList}" instead of ref: "${targetList}.${targetField}"`);
+    }
+    if (targetFieldConfig.type !== 'relationship') {
+        throw new Error(`Referenced field "${targetList}.${targetField}" is not a relationship field`);
+    }
+    return !targetFieldConfig.many;
+}
+/**
+ * Determine if this side of a relationship should store the foreign key.
+ * For one-to-one relationships, only one side stores the foreign key.
+ */
+function shouldHaveForeignKey(listKey, fieldName, field, config) {
+    const { list: targetList, field: targetField } = parseRelationshipRef(field.ref);
+    if (!targetField) {
+        return true;
+    }
+    if (field.many) {
+        return false;
+    }
+    const isOneToOne = isOneToOneRelationship(fieldName, field, config);
+    if (!isOneToOne) {
+        return true;
+    }
+    const targetListConfig = config.lists[targetList];
+    const targetFieldConfig = targetListConfig.fields[targetField];
+    const thisSideExplicit = field.db?.foreignKey;
+    const otherSideExplicit = targetFieldConfig.db?.foreignKey;
+    if (thisSideExplicit === true && otherSideExplicit === true) {
+        throw new Error(`Invalid one-to-one relationship: both "${listKey}.${fieldName}" and "${targetList}.${targetField}" have db.foreignKey set to true. Only one side can store the foreign key.`);
+    }
+    if (thisSideExplicit === true) {
+        return true;
+    }
+    if (otherSideExplicit === true) {
+        return false;
+    }
+    // Default: the alphabetically "smaller" list name gets the foreign key
+    const comparison = listKey.localeCompare(targetList);
+    if (comparison !== 0) {
+        return comparison < 0;
+    }
+    // Self-referential: use field name ordering
+    return fieldName.localeCompare(targetField) < 0;
+}
+/**
+ * Check whether a many relationship is a true many-to-many (both sides many).
+ */
+function isManyToMany(fieldName, field, config) {
+    if (!field.many) {
+        return false;
+    }
+    const { list: targetList, field: targetField } = parseRelationshipRef(field.ref);
+    // List-only ref with many: true is implicitly many-to-many
+    if (!targetField) {
+        return true;
+    }
+    const targetFieldConfig = config.lists[targetList]?.fields[targetField];
+    if (!targetFieldConfig || targetFieldConfig.type !== 'relationship') {
+        return false;
+    }
+    return !!targetFieldConfig.many;
+}
+/**
+ * Compute the explicit relation name for a bidirectional many-to-many relationship,
+ * or `undefined` when Prisma's default naming should be used.
+ *
+ * Honours per-field `db.relationName` (which must match on both sides) and the
+ * global `db.joinTableNaming: 'keystone'` setting, picking a deterministic owner
+ * for bidirectional relationships so both sides resolve to the same name.
+ */
+function computeManyToManyRelationName(listKey, fieldName, field, config) {
+    const { list: targetList, field: targetField } = parseRelationshipRef(field.ref);
+    const joinTableNaming = config.db.joinTableNaming || 'prisma';
+    const sourceRelationName = field.db?.relationName;
+    let targetRelationName;
+    if (targetField) {
+        const targetFieldConfig = config.lists[targetList]?.fields[targetField];
+        if (targetFieldConfig?.type === 'relationship') {
+            targetRelationName = targetFieldConfig.db?.relationName;
+        }
+    }
+    if (sourceRelationName && targetRelationName && sourceRelationName !== targetRelationName) {
+        throw new Error(`Relation name mismatch: ${listKey}.${fieldName} has relationName "${sourceRelationName}" but ${targetList}.${targetField} has "${targetRelationName}". Both sides must use the same relationName.`);
+    }
+    const explicitRelationName = sourceRelationName || targetRelationName;
+    if (explicitRelationName) {
+        return explicitRelationName;
+    }
+    if (joinTableNaming === 'keystone') {
+        if (targetField) {
+            // Pick a deterministic owner so both sides agree on the relation name
+            const sourceKey = `${listKey}.${fieldName}`;
+            const targetKey = `${targetList}.${targetField}`;
+            return sourceKey.localeCompare(targetKey) < 0
+                ? `${listKey}_${fieldName}`
+                : `${targetList}_${targetField}`;
+        }
+        return `${listKey}_${fieldName}`;
+    }
+    // Default Prisma naming - no explicit relation name needed
+    return undefined;
+}
+/**
+ * Build the Prisma schema contribution for a relationship field.
+ */
+function getPrismaRelation(field, fieldName, listKey, config) {
+    const { list: targetList, field: targetField } = parseRelationshipRef(field.ref);
+    const paddedName = fieldName.padEnd(12);
+    // Synthetic back-relation for list-only refs (Prisma requires an opposite field)
+    let backRelation;
+    if (!targetField) {
+        const syntheticFieldName = `from_${listKey}_${fieldName}`;
+        const relationName = field.db?.relationName ?? `${listKey}_${fieldName}`;
+        backRelation = {
+            targetList,
+            line: `  ${syntheticFieldName.padEnd(12)} ${listKey}[]  @relation("${relationName}")`,
+        };
+    }
+    if (field.many) {
+        let relationLine;
+        if (targetField) {
+            // Bidirectional many side: use explicit relation name only for true many-to-many
+            const m2mName = isManyToMany(fieldName, field, config)
+                ? computeManyToManyRelationName(listKey, fieldName, field, config)
+                : undefined;
+            relationLine = m2mName
+                ? `  ${paddedName} ${targetList}[]  @relation("${m2mName}")`
+                : `  ${paddedName} ${targetList}[]`;
+        }
+        else {
+            // List-only ref many side: always a named relation paired with the synthetic field
+            const relationName = field.db?.relationName ?? `${listKey}_${fieldName}`;
+            relationLine = `  ${paddedName} ${targetList}[]  @relation("${relationName}")`;
+        }
+        if (field.db?.extendPrismaSchema) {
+            relationLine = field.db.extendPrismaSchema({ relationLine }).relationLine;
+        }
+        return { modelLines: [relationLine], backRelation };
+    }
+    // Single relationship
+    if (shouldHaveForeignKey(listKey, fieldName, field, config)) {
+        const foreignKeyField = `${fieldName}Id`;
+        const fkPaddedName = foreignKeyField.padEnd(12);
+        const uniqueModifier = isOneToOneRelationship(fieldName, field, config) ? ' @unique' : '';
+        const mapModifier = typeof field.db?.foreignKey === 'object' && field.db.foreignKey.map
+            ? ` @map("${field.db.foreignKey.map}")`
+            : ` @map("${fieldName}")`;
+        let fkLine = `  ${fkPaddedName} String?${uniqueModifier}${mapModifier}`;
+        let relationLine = targetField
+            ? `  ${paddedName} ${targetList}?  @relation(fields: [${foreignKeyField}], references: [id])`
+            : `  ${paddedName} ${targetList}?  @relation("${listKey}_${fieldName}", fields: [${foreignKeyField}], references: [id])`;
+        if (field.db?.extendPrismaSchema) {
+            const extended = field.db.extendPrismaSchema({ fkLine, relationLine });
+            fkLine = extended.fkLine ?? fkLine;
+            relationLine = extended.relationLine;
+        }
+        // Default to indexing foreign keys (matching Keystone behaviour) unless disabled
+        const indexType = field.isIndexed ?? true;
+        const foreignKeyIndex = indexType !== false ? { foreignKeyField, indexType } : undefined;
+        return { modelLines: [fkLine, relationLine], foreignKeyIndex, backRelation };
+    }
+    // Non-FK side of a one-to-one relationship: just the relation field
+    let relationLine = `  ${paddedName} ${targetList}?`;
+    if (field.db?.extendPrismaSchema) {
+        relationLine = field.db.extendPrismaSchema({ relationLine }).relationLine;
+    }
+    return { modelLines: [relationLine], backRelation };
+}
 /**
  * Relationship field
  */
@@ -758,10 +967,12 @@ export function relationship(options) {
                 'List-only refs (ref: "ListName") always create foreign keys automatically.');
         }
     }
-    return {
+    const field = {
         type: 'relationship',
         ...options,
     };
+    field.getPrismaRelation = (fieldName, _allFields, listKey, config) => getPrismaRelation(field, fieldName, listKey, config);
+    return field;
 }
 /**
  * JSON field for storing arbitrary JSON data