@opensaas/stack-core 0.24.0 → 0.25.0

package/.turbo/turbo-build.log

@@ -1,4 +1,4 @@
 
-> @opensaas/stack-core@0.24.0 build /home/runner/work/stack/stack/packages/core
+> @opensaas/stack-core@0.25.0 build /home/runner/work/stack/stack/packages/core
 > tsc
 

package/CHANGELOG.md

@@ -1,5 +1,228 @@
 # @opensaas/stack-core
 
+## 0.25.0
+
+### Minor Changes
+
+- [#602](https://github.com/OpenSaasAU/stack/pull/602) [`44ec937`](https://github.com/OpenSaasAU/stack/commit/44ec9375baa4dacab4e34b03cbefb27c8aec07c9) Thanks [@borisno2](https://github.com/borisno2)! - Make `calendarDay` a `YYYY-MM-DD` string end-to-end (Keystone's CalendarDay scalar)
+
+  `calendarDay` is now a `YYYY-MM-DD` **string** at the `context.db` boundary in
+  both directions, so its type, validation, and runtime value finally agree.
+  Previously the field validated a `YYYY-MM-DD` string but its TypeScript type was
+  `Date`, so a typed caller passing `new Date(...)` hit a runtime `ValidationError`.
+  - The field/read type and the generated `CreateInput`/`UpdateInput` input types
+    are now `string`.
+  - Writes accept only a `YYYY-MM-DD` string; a malformed string or a `Date` is
+    rejected at runtime by validation (a `ValidationError`).
+  - Storage is unchanged: `DateTime @db.Date` on Postgres/MySQL, the SQLite TEXT
+    fallback as before.
+
+  **Behavioral change (reads):** reading a `calendarDay` now returns a
+  `YYYY-MM-DD` string instead of a `Date`. A field `resolveOutput` transform
+  normalises the value Prisma returns from the `@db.Date` column, using UTC
+  components to avoid timezone off-by-one. Consumers that previously relied on a
+  `Date` on read should update to the string form:
+
+  ```typescript
+  const event = await context.db.event.findUnique({ where: { id } })
+  event?.startDate // => '2025-01-15' (string, not Date)
+
+  // Writes: pass YYYY-MM-DD strings, not Date objects
+  await context.db.event.create({ data: { startDate: '2025-01-15' } })
+  ```
+
+- [#593](https://github.com/OpenSaasAU/stack/pull/593) [`fadd9db`](https://github.com/OpenSaasAU/stack/commit/fadd9dbd17085f4dd15899371a054ec46f943ce4) Thanks [@{](https://github.com/{)! - Nested relation writes now run the full hook pipeline inside one transaction ([#569](https://github.com/OpenSaasAU/stack/issues/569))
+
+  A record written via a nested `create`, `update`, or `delete` now fires the SAME
+  list- and field-level `beforeOperation`/`afterOperation` hooks as the equivalent
+  top-level write — so side effects (workflows, notifications, billing) are
+  identical whether a record is written nested or top-level. Previously nested
+  writes ran only `resolveInput`/`validate`/field-rules and silently skipped the
+  before/after side-effect hooks.
+  - Nested **create** runs `beforeOperation` (create) → persist → `afterOperation`
+    receiving the created `item`.
+  - Nested **update** runs `afterOperation` receiving both `originalItem` (the row
+    before) and the updated `item`.
+  - Nested **delete** runs `beforeOperation`/`afterOperation` receiving the
+    `originalItem`.
+
+  Existing access control, validation, silent-failure, sudo-bypass, and the [#578](https://github.com/OpenSaasAU/stack/issues/578)
+  nested-`connect`/`connectOrCreate` read-access + DB-reachability behavior are
+  unchanged. Pass-through nested kinds (`disconnect`/`set`/`updateMany`/
+  `deleteMany`) are out of scope and behave as before. See ADR-0010.
+
+  For to-many nested creates (`create: [{A},{B}]`), each created record's
+  `afterOperation` now fires exactly once against its OWN distinct row, recovered
+  by id-diff against the rows that existed before the write — so a pre-existing
+  sibling is never passed as the "created" item, and multiple creates no longer
+  collapse to a single row.
+
+  BEHAVIOR CHANGE — every write is now transactional, and a throwing
+  `beforeOperation`/`afterOperation` (or validation) rolls the whole write back.
+  The entire operation (parent + all nested writes) now runs inside one
+  `prisma.$transaction`, so it is atomic. Previously an `afterOperation` that threw
+  left the row committed; now it rolls back with the transaction (more
+  Keystone-correct). If you relied on a thrown `afterOperation` leaving the row
+  persisted, move that work to run after the write returns.
+
+  Inside a `beforeOperation`/`afterOperation` hook, `context.db` (and
+  `context.prisma`) are now bound to the write's transaction, so any `context.db`
+  write a hook performs participates in — and rolls back with — the same
+  transaction. Externally-visible side effects that must survive a rollback should
+  not use `context.db` from within these hooks (transaction-boundary hooks for
+  that are deferred — see [#590](https://github.com/OpenSaasAU/stack/issues/590)).
+
+  ```ts
+  // Nested create now fires the related list's beforeOperation/afterOperation,
+  // atomically with the parent — a throw anywhere rolls the whole write back.
+  await context.db.post.update({
+    where: { id },
+    data: {
+      title: 'Updated',
+   create: { name: 'New Author' } }, // User hooks fire; atomic
+    },
+  })
+  ```
+
+- [#594](https://github.com/OpenSaasAU/stack/pull/594) [`4f0d407`](https://github.com/OpenSaasAU/stack/commit/4f0d40721feff1a3109647a81fcbe47db5970026) Thanks [@borisno2](https://github.com/borisno2)! - Add an opt-in **Node build** of the generated `.opensaas/` bundle (ADR-0011, [#579](https://github.com/OpenSaasAU/stack/issues/579)).
+
+  Setting `output: { buildTarget: 'node' }` in `opensaas.config.ts` makes `opensaas generate` additionally compile the bundle to a plain-Node-loadable ESM form under `.opensaas/dist/` — `.js` + `.d.ts` with a `{"type":"module"}` marker — alongside the default `.ts` bundler form. The compiled entry is `.opensaas/dist/context.js`, with the Prisma client subtree at `.opensaas/dist/prisma-client/**` and the project config compiled in as a sibling, so a live module (e.g. better-auth's Prisma adapter) can be imported in a bundler-less runtime — plain Node, a Playwright e2e helper, or a build-time script — that the default `.ts` form cannot execute.
+
+  The Node build is purely additive: with `output.buildTarget` absent (the default), generation behaves exactly as before and no `.opensaas/dist/` is emitted.
+
+  ```typescript
+  // opensaas.config.ts
+  export default config({
+    output: { buildTarget: 'node' },
+    // ...
+  })
+
+  // then, from a plain-Node consumer (no bundler, no tsx):
+  import { createAuth } from '@opensaas/stack-auth/server'
+  import { config, rawOpensaasContext } from './.opensaas/dist/context.js'
+
+  const auth = createAuth(config, rawOpensaasContext)
+  await auth.api.signUpEmail({ body: { email, password, name } })
+  ```
+
+  The compile runs via the TypeScript compiler API with `rewriteRelativeImportExtensions` (turning the bundle's `.ts`-extension imports into runnable `.js` specifiers), `declaration`, `skipLibCheck`, and `noEmitOnError: false`, so it reuses the bundle's type-clean guarantee without adding a build dependency. `'node'` is the only `buildTarget` today; the field is a string-literal union so future compiled targets can be added without a breaking change.
+
+- [#592](https://github.com/OpenSaasAU/stack/pull/592) [`e355c05`](https://github.com/OpenSaasAU/stack/commit/e355c05a0787980b997609c4571271ab5c250f36) Thanks [@borisno2](https://github.com/borisno2)! - Make the generated `.opensaas/prisma-client` subtree statically resolvable by default and add a `db.prismaGeneratorOptions` passthrough.
+
+  The generated `generator client { ... }` block now emits `importFileExtension = "ts"` and `moduleFormat = "esm"` by default, so the prisma-client subtree uses explicit `.ts` import extensions and matches the extension style the rest of the `.opensaas` bundle already uses — the whole import graph is statically resolvable by a bundler out of the box, no post-generation surgery required.
+
+  A new optional `db.prismaGeneratorOptions` lets you override these values when you need a different module/extension story (e.g. emitting `.js` extensions for a plain-Node consumer). Any value you supply wins; omitted keys fall back to the `ts`/`esm` defaults. The existing `previewFeatures = ["multiSchema"]` emission (when `db.schemas` is set) is preserved and coexists with the new options.
+
+  ```typescript
+  export default config({
+    db: {
+      provider: 'postgresql',
+      prismaGeneratorOptions: {
+        importFileExtension: 'js',
+        moduleFormat: 'commonjs',
+      },
+      // ... rest of config
+    },
+    // ...
+  })
+  ```
+
+- [#600](https://github.com/OpenSaasAU/stack/pull/600) [`a93cebb`](https://github.com/OpenSaasAU/stack/commit/a93cebb5a6ba6550d8cdbb94f010c902ad7e29f1) Thanks [@relationship({](https://github.com/relationship({)! - Gate nested `connect` by the owning relationship field's field-level access
+
+  Nested `connect` (and the connect branch of `connectOrCreate`) is now gated by
+  the owning relationship field's create/update field-level access, in addition to
+  the target list's read/query access and DB-reachability check. This completes
+  the Keystone-parity rule that a connect requires both read access on the target
+  AND write access on the owning relationship field. `sudo` bypasses the check.
+
+  ```typescript
+  Post: list({
+    fields: {
+      // A non-sudo caller can only connect an author when this field's
+      // update access permits it (and the target User is readable/reachable).
+
+        ref: 'User.posts',
+        access: { update: ({ session }) => session?.role === 'editor' },
+      }),
+    },
+  })
+  ```
+
+- [#584](https://github.com/OpenSaasAU/stack/pull/584) [`b17ec45`](https://github.com/OpenSaasAU/stack/commit/b17ec45127fe55f02437892e9fd389c67373635a) Thanks [@borisno2](https://github.com/borisno2)! - Add `findFirst` to access-controlled `context.db.<list>` delegates
+
+  `findFirst` is sugar over the existing access-filtered `findMany` (`take: 1`), so
+  it introduces no new access surface: it applies the exact same query-access checks
+  and access-controlled include building as `findMany`, then returns the first
+  matching row or `null`. It honours the read-side silent-failure contract — an
+  access-denied query yields `null` rather than throwing.
+
+  ```ts
+  // Non-unique single-row lookup
+  const account = await context.db.account.findFirst({
+    where: { userId: '123' },
+    orderBy: { createdAt: 'desc' },
+  })
+
+  // Narrow the single result with a query fragment
+  const post = await context.db.post.findFirst({
+    where: { published: true },
+    query: postFragment,
+  })
+  // post: ResultOf<typeof postFragment> | null
+  ```
+
+  The CLI type generator now emits a `findFirst` method (and `<List>FindFirstArgs`
+  type) for each list in the generated `.opensaas/types.ts`, so migrated apps that
+  reach for the familiar Prisma `findFirst` pattern get full type support.
+
+- [#601](https://github.com/OpenSaasAU/stack/pull/601) [`8f98e25`](https://github.com/OpenSaasAU/stack/commit/8f98e25fbef4ec0fc3ff0cba456ff7f2f7ba2ea8) Thanks [@borisno2](https://github.com/borisno2)! - Add `beforeTransaction` / `afterTransaction` transaction-boundary hooks (list- and field-level)
+
+  These run OUTSIDE the write's database transaction (in addition to the in-transaction `beforeOperation`/`afterOperation`), for non-transactional side effects like external API calls that must not hold a transaction open and cannot be rolled back. They fire per `(list, operation)` involved in the write (the top-level list plus each nested create/update/delete list) and form a symmetric compensation bracket: `afterTransaction` always runs when its paired `beforeTransaction` ran, receiving the outcome (`status: 'committed' | 'rolled-back'` plus `error` on rollback). On commit it gets the persisted `item` (and `originalItem` for update/delete) **only for the top-level record** — for nested lists these are `undefined`, since the per-record persisted row is not recoverable outside the transaction; use the in-transaction `afterOperation` for per-record nested compensation. On rollback it gets no `item` so it can undo what `beforeTransaction` did. `connectOrCreate` is enumerated as a best-effort create involvement (a resolve-to-connect still fires the bracket with no write), so compensators should be idempotent.
+
+  ```typescript
+  list({
+    fields: { name: text() },
+    hooks: {
+      // Runs before the transaction opens.
+      beforeTransaction: async ({ operation, inputData }) => {
+        await billing.reserveSeat(inputData.seatId)
+      },
+      // Always runs after the transaction settles.
+      afterTransaction: async (args) => {
+        if (args.status === 'rolled-back') {
+          // The write did not persist (args.error explains why) — compensate.
+          await billing.releaseSeat(args.inputData.seatId)
+        } else {
+          await billing.confirmSeat(args.item.seatId)
+        }
+      },
+    },
+  })
+  ```
+
+  A throwing `beforeTransaction` aborts the write (the transaction never opens) and fires `afterTransaction` (`rolled-back`) only for lists whose `beforeTransaction` already ran. A throwing `afterTransaction` does not stop the other compensators; errors are surfaced afterward. Sudo does not affect these hooks. This is an additive, non-Keystone extension and does not change the existing `beforeOperation`/`afterOperation` semantics.
+
+### Patch Changes
+
+- [#603](https://github.com/OpenSaasAU/stack/pull/603) [`be9a896`](https://github.com/OpenSaasAU/stack/commit/be9a8965ad6338c279e99cfe3bf24162e63ffb92) Thanks [@borisno2](https://github.com/borisno2)! - Enforce required json fields on create: an omitted key is now rejected while any
+  present value (object, array, primitive, or null) is still accepted.
+
+- [#583](https://github.com/OpenSaasAU/stack/pull/583) [`e39d6e9`](https://github.com/OpenSaasAU/stack/commit/e39d6e9e37be2337c8cf1979053e76877f14296c) Thanks [@borisno2](https://github.com/borisno2)! - Make non-sudo writes fail loud in `filterWritableFields` (Keystone parity).
+
+  Undeclared `data` keys on create/update now throw instead of passing through unchecked ([#564](https://github.com/OpenSaasAU/stack/issues/564)), and fields denied by field-level access now throw instead of being silently stripped ([#568](https://github.com/OpenSaasAU/stack/issues/568)). `sudo` remains the single trusted bypass; system fields and relationship foreign keys still pass through. Raw multi-column split columns (e.g. `media_url`/`media_size` from an `image()`/`file()` field) are now gated by their owning field's write access — supplying them directly under non-sudo when that field denies the write throws, instead of bypassing the field's `access.create`/`access.update`.
+
+  Behavioural narrowing: a list-level `resolveInput` hook that adds keys to `resolvedData` which are not declared fields will now be rejected by the undeclared-key throw. No production hook does this today.
+
+- [#605](https://github.com/OpenSaasAU/stack/pull/605) [`ca4973b`](https://github.com/OpenSaasAU/stack/commit/ca4973b504eadb123d179e8f4d16d6ec8c9f8fc1) Thanks [@borisno2](https://github.com/borisno2)! - Required json fields now reject a present `null` during validation rather than failing later as a DB NOT NULL violation. Omitted keys on update are still allowed; the Prisma column nullability is unchanged.
+
+- [#602](https://github.com/OpenSaasAU/stack/pull/602) [`44ec937`](https://github.com/OpenSaasAU/stack/commit/44ec9375baa4dacab4e34b03cbefb27c8aec07c9) Thanks [@borisno2](https://github.com/borisno2)! - Fix update validation rejecting omitted required fields under zod 4.4 by using key-optionality (`.optional()`) instead of `z.union([schema, z.undefined()])`. Partial updates that omit a required-on-create field now validate; present values still enforce their rules.
+
+- [#587](https://github.com/OpenSaasAU/stack/pull/587) [`ecbf834`](https://github.com/OpenSaasAU/stack/commit/ecbf834059a072c428b0739d6ebcf4c74be8c893) Thanks [@borisno2](https://github.com/borisno2)! - Fix false denial of nested `connect` (and `connectOrCreate`'s connect branch): connect now requires read/query access on the target and evaluates filter results via DB reachability (`findFirst({ where: { AND: [connection, accessFilter] } })`), so nested-relation and `AND`/`OR`/`some`/`none`/`not` filters no longer always fail.
+
+- [#589](https://github.com/OpenSaasAU/stack/pull/589) [`481d6e0`](https://github.com/OpenSaasAU/stack/commit/481d6e00be90b1159b0b30eff015e5079c840158) Thanks [@borisno2](https://github.com/borisno2)! - Fix row-level access bypass when an explicit `include` is passed to non-sudo `findUnique`/`findMany`. The caller's `include` is now merged with (not replaced by) the access-controlled include: denied relations are dropped, each relation's access `where` is AND-combined with any caller nested `where`, and nested includes are filtered at every level. Sudo and query-fragment paths are unchanged. When no access-controlled include is computed (inside a `resolveOutput`/virtual-field context, at max include depth, or for a list with no relationships), the caller's `include` is passed through unchanged rather than dropped — avoiding fail-closed data loss.
+
+- [#586](https://github.com/OpenSaasAU/stack/pull/586) [`4622b5f`](https://github.com/OpenSaasAU/stack/commit/4622b5fa8fc731e2c8995011f1be0cfe341578da) Thanks [@borisno2](https://github.com/borisno2)! - Enforce unique-`where` for `context.db.<list>.findUnique` — a non-unique `where` now throws a clear error instead of silently returning a nondeterministic row. Use `findFirst` for non-unique single-row lookups.
+
 ## 0.24.0
 
 ### Minor Changes

package/dist/access/access-filter.d.ts

@@ -26,4 +26,43 @@ export declare function buildIncludeWithAccessControl(fieldConfigs: Record<strin
     where?: PrismaFilter;
     include?: Record<string, boolean | /*elided*/ any>;
 }> | undefined>;
+/**
+ * Merge a caller-supplied `include` with the access-controlled include — phase-1
+ * row/relation scoping for explicit caller selections.
+ *
+ * The caller's `include` decides WHICH relations to fetch; access control decides
+ * WHETHER each relation may be fetched and WITH WHAT filter. Replacing the
+ * access-controlled include with the caller's wholesale (the bug in #566) drops
+ * every per-relation access `where` and denied-relation exclusion, silently
+ * bypassing row-level access on any non-sudo read that passes `include`.
+ *
+ * For each relation the caller asks to include:
+ * - If the relation is a config-declared relationship but is ABSENT from the
+ *   access-controlled include, its `query` access returned `false` → it is DROPPED
+ *   (not fetched).
+ * - If it is present (allowed, possibly with a filter), the access entry is used
+ *   as the base: the access `where` is AND-combined with any caller-supplied
+ *   nested `where`, and nested includes are recursively merged using the related
+ *   list's field configs (so deeply-nested selections are filtered at every
+ *   level). A bare caller `true` becomes the access-controlled shape (filter +
+ *   nested filtered include), never bare `true`.
+ * - If the caller names a key that is NOT a config-declared relationship, it is
+ *   passed through unchanged (access control does not govern it).
+ *
+ * The access-controlled include is recursive to `MAX_DEPTH` (see
+ * `buildIncludeWithAccessControl`); beyond that depth no auto-include exists, so
+ * deeper caller selections pass through unscoped — consistent with the existing
+ * auto-include behaviour.
+ *
+ * `accessControlledInclude` being `undefined` is NOT "every relation denied". It
+ * means no access-controlled include was computed at all — a non-denial outcome
+ * that `buildIncludeWithAccessControl` returns when inside a `resolveOutput`/
+ * virtual-field context, at `MAX_DEPTH`, or when the list has no relationships.
+ * In every one of those cases there is nothing to merge against, so the caller's
+ * `include` is passed through unchanged (matching the prior `args.include || …`
+ * fallback). This is distinct from an `undefined` ENTRY inside a defined access
+ * include, which DOES mean the relation was denied and must be dropped (see the
+ * per-relation loop below). Only the whole-object `undefined` is a passthrough.
+ */
+export declare function mergeIncludeWithAccessControl(callerInclude: Record<string, unknown>, accessControlledInclude: Record<string, unknown> | undefined, fieldConfigs: Record<string, FieldConfig>, config: OpenSaasConfig): Record<string, unknown>;
 //# sourceMappingURL=access-filter.d.ts.map

package/dist/access/access-filter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"access-filter.d.ts","sourceRoot":"","sources":["../../src/access/access-filter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AACtE,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAGrE;;;;;;;;;;;;;;GAcG;AAEH;;;GAGG;AACH,wBAAsB,6BAA6B,CACjD,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,EACzC,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,OAAO,EAAE,aAAa,CAAA;CACvB,EACD,MAAM,EAAE,cAAc,EACtB,KAAK,GAAE,MAAU;YAeuB,YAAY;cAAY,MAAM,CAAC,MAAM,2BAAe;gBAkD7F"}
+{"version":3,"file":"access-filter.d.ts","sourceRoot":"","sources":["../../src/access/access-filter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AACtE,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAGrE;;;;;;;;;;;;;;GAcG;AAEH;;;GAGG;AACH,wBAAsB,6BAA6B,CACjD,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,EACzC,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,OAAO,EAAE,aAAa,CAAA;CACvB,EACD,MAAM,EAAE,cAAc,EACtB,KAAK,GAAE,MAAU;YAeuB,YAAY;cAAY,MAAM,CAAC,MAAM,2BAAe;gBAkD7F;AAiDD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,wBAAgB,6BAA6B,CAC3C,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACtC,uBAAuB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,EAC5D,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,EACzC,MAAM,EAAE,cAAc,GACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgEzB"}

package/dist/access/access-filter.js

@@ -65,4 +65,125 @@ export async function buildIncludeWithAccessControl(fieldConfigs, args, config,
     }
     return hasRelationships ? include : undefined;
 }
+/**
+ * Narrow an unknown include value to the structured object form (vs bare `true`
+ * or any other primitive). Caller-supplied includes arrive untyped at the
+ * runtime boundary, so we validate the shape here rather than casting.
+ */
+function asEntryObject(value) {
+    if (value && typeof value === 'object') {
+        const obj = value;
+        const where = obj.where;
+        const include = obj.include;
+        const entry = {};
+        if (where && typeof where === 'object')
+            entry.where = where;
+        if (include && typeof include === 'object')
+            entry.include = include;
+        return entry;
+    }
+    return null;
+}
+/**
+ * AND-combine an access `where` with a caller-supplied nested `where`.
+ *
+ * The access filter is authoritative: the caller's filter may only NARROW the
+ * result further, never widen past what access permits. We therefore wrap both
+ * in a Prisma `AND` so neither can override the other. If only one side is
+ * present, it is returned as-is; if neither is present, the result is undefined.
+ */
+function andWhere(accessWhere, callerWhere) {
+    if (accessWhere && callerWhere) {
+        return { AND: [accessWhere, callerWhere] };
+    }
+    return accessWhere ?? callerWhere;
+}
+/**
+ * Merge a caller-supplied `include` with the access-controlled include — phase-1
+ * row/relation scoping for explicit caller selections.
+ *
+ * The caller's `include` decides WHICH relations to fetch; access control decides
+ * WHETHER each relation may be fetched and WITH WHAT filter. Replacing the
+ * access-controlled include with the caller's wholesale (the bug in #566) drops
+ * every per-relation access `where` and denied-relation exclusion, silently
+ * bypassing row-level access on any non-sudo read that passes `include`.
+ *
+ * For each relation the caller asks to include:
+ * - If the relation is a config-declared relationship but is ABSENT from the
+ *   access-controlled include, its `query` access returned `false` → it is DROPPED
+ *   (not fetched).
+ * - If it is present (allowed, possibly with a filter), the access entry is used
+ *   as the base: the access `where` is AND-combined with any caller-supplied
+ *   nested `where`, and nested includes are recursively merged using the related
+ *   list's field configs (so deeply-nested selections are filtered at every
+ *   level). A bare caller `true` becomes the access-controlled shape (filter +
+ *   nested filtered include), never bare `true`.
+ * - If the caller names a key that is NOT a config-declared relationship, it is
+ *   passed through unchanged (access control does not govern it).
+ *
+ * The access-controlled include is recursive to `MAX_DEPTH` (see
+ * `buildIncludeWithAccessControl`); beyond that depth no auto-include exists, so
+ * deeper caller selections pass through unscoped — consistent with the existing
+ * auto-include behaviour.
+ *
+ * `accessControlledInclude` being `undefined` is NOT "every relation denied". It
+ * means no access-controlled include was computed at all — a non-denial outcome
+ * that `buildIncludeWithAccessControl` returns when inside a `resolveOutput`/
+ * virtual-field context, at `MAX_DEPTH`, or when the list has no relationships.
+ * In every one of those cases there is nothing to merge against, so the caller's
+ * `include` is passed through unchanged (matching the prior `args.include || …`
+ * fallback). This is distinct from an `undefined` ENTRY inside a defined access
+ * include, which DOES mean the relation was denied and must be dropped (see the
+ * per-relation loop below). Only the whole-object `undefined` is a passthrough.
+ */
+export function mergeIncludeWithAccessControl(callerInclude, accessControlledInclude, fieldConfigs, config) {
+    // No access-controlled include was computed (resolveOutput/virtual context,
+    // MAX_DEPTH, or a list with no relationships) → nothing to scope against, so
+    // pass the caller's include through unchanged. Dropping relations here would be
+    // fail-closed data loss, not a denial. Denied relations are dropped only when a
+    // defined access include OMITS them (handled per-relation below).
+    if (accessControlledInclude === undefined) {
+        return callerInclude;
+    }
+    const merged = {};
+    const accessInclude = accessControlledInclude;
+    for (const [relationName, callerValue] of Object.entries(callerInclude)) {
+        const fieldConfig = fieldConfigs[relationName];
+        const isDeclaredRelationship = fieldConfig?.type === 'relationship' && 'ref' in fieldConfig && !!fieldConfig.ref;
+        // Not a config-declared relationship → access control does not govern it; pass through unchanged.
+        if (!isDeclaredRelationship) {
+            merged[relationName] = callerValue;
+            continue;
+        }
+        const accessValue = accessInclude[relationName];
+        // Declared relationship absent from the access include → query access denied → drop it.
+        if (accessValue === undefined) {
+            continue;
+        }
+        const accessEntry = asEntryObject(accessValue);
+        const callerEntry = asEntryObject(callerValue);
+        // Resolve the related list's field configs so nested includes merge recursively.
+        const relatedConfig = getRelatedListConfig(fieldConfig.ref, config);
+        const relatedFields = relatedConfig?.listConfig.fields;
+        const mergedWhere = andWhere(accessEntry?.where, callerEntry?.where);
+        let mergedNested;
+        if (callerEntry?.include && relatedFields) {
+            // Recurse: scope the caller's nested selection against the nested access include.
+            mergedNested = mergeIncludeWithAccessControl(callerEntry.include, accessEntry?.include, relatedFields, config);
+        }
+        else if (accessEntry?.include) {
+            // Caller selected the relation bare (no nested include); keep the
+            // access-controlled nested include so deeper relations stay filtered.
+            mergedNested = accessEntry.include;
+        }
+        const entry = {};
+        if (mergedWhere)
+            entry.where = mergedWhere;
+        if (mergedNested && Object.keys(mergedNested).length > 0)
+            entry.include = mergedNested;
+        // A bare-`true` relation with no access filter and no nested include stays `true`.
+        merged[relationName] = Object.keys(entry).length > 0 ? entry : true;
+    }
+    return merged;
+}
 //# sourceMappingURL=access-filter.js.map

package/dist/access/access-filter.js.map

@@ -1 +1 @@
-{"version":3,"file":"access-filter.js","sourceRoot":"","sources":["../../src/access/access-filter.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AAE/D;;;;;;;;;;;;;;GAcG;AAEH;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,YAAyC,EACzC,IAGC,EACD,MAAsB,EACtB,QAAgB,CAAC;IAEjB,MAAM,SAAS,GAAG,CAAC,CAAA;IACnB,IAAI,KAAK,IAAI,SAAS,EAAE,CAAC;QACvB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,qEAAqE;IACrE,uEAAuE;IACvE,gFAAgF;IAChF,0EAA0E;IAC1E,IAAI,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;QACjD,OAAO,SAAS,CAAA;IAClB,CAAC;IAID,MAAM,OAAO,GAAiC,EAAE,CAAA;IAChD,IAAI,gBAAgB,GAAG,KAAK,CAAA;IAE5B,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACpE,IAAI,WAAW,EAAE,IAAI,KAAK,cAAc,IAAI,KAAK,IAAI,WAAW,IAAI,WAAW,CAAC,GAAG,EAAE,CAAC;YACpF,gBAAgB,GAAG,IAAI,CAAA;YACvB,MAAM,aAAa,GAAG,oBAAoB,CAAC,WAAW,CAAC,GAAa,EAAE,MAAM,CAAC,CAAA;YAE7E,IAAI,aAAa,EAAE,CAAC;gBAClB,0CAA0C;gBAC1C,MAAM,WAAW,GAAG,aAAa,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,CAAA;gBACrE,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,WAAW,EAAE;oBAClD,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,OAAO,EAAE,IAAI,CAAC,OAAO;iBACtB,CAAC,CAAA;gBAEF,4DAA4D;gBAC5D,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;oBAC3B,SAAQ;gBACV,CAAC;gBAED,0BAA0B;gBAC1B,MAAM,YAAY,GAA4B,EAAE,CAAA;gBAEhD,yDAAyD;gBACzD,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;oBACrC,YAAY,CAAC,KAAK,GAAG,YAAY,CAAA;gBACnC,CAAC;gBAED,oCAAoC;gBACpC,MAAM,aAAa,GAAG,MAAM,6BAA6B,CACvD,aAAa,CAAC,UAAU,CAAC,MAAM,EAC/B,IAAI,EACJ,MAAM,EACN,KAAK,GAAG,CAAC,CACV,CAAA;gBAED,IAAI,aAAa,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3D,YAAY,CAAC,OAAO,GAAG,aAAa,CAAA;gBACtC,CAAC;gBAED,wBAAwB;gBACxB,OAAO,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAA;YACjF,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;AAC/C,CAAC"}
+{"version":3,"file":"access-filter.js","sourceRoot":"","sources":["../../src/access/access-filter.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AAE/D;;;;;;;;;;;;;;GAcG;AAEH;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,YAAyC,EACzC,IAGC,EACD,MAAsB,EACtB,QAAgB,CAAC;IAEjB,MAAM,SAAS,GAAG,CAAC,CAAA;IACnB,IAAI,KAAK,IAAI,SAAS,EAAE,CAAC;QACvB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,qEAAqE;IACrE,uEAAuE;IACvE,gFAAgF;IAChF,0EAA0E;IAC1E,IAAI,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;QACjD,OAAO,SAAS,CAAA;IAClB,CAAC;IAID,MAAM,OAAO,GAAiC,EAAE,CAAA;IAChD,IAAI,gBAAgB,GAAG,KAAK,CAAA;IAE5B,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACpE,IAAI,WAAW,EAAE,IAAI,KAAK,cAAc,IAAI,KAAK,IAAI,WAAW,IAAI,WAAW,CAAC,GAAG,EAAE,CAAC;YACpF,gBAAgB,GAAG,IAAI,CAAA;YACvB,MAAM,aAAa,GAAG,oBAAoB,CAAC,WAAW,CAAC,GAAa,EAAE,MAAM,CAAC,CAAA;YAE7E,IAAI,aAAa,EAAE,CAAC;gBAClB,0CAA0C;gBAC1C,MAAM,WAAW,GAAG,aAAa,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,CAAA;gBACrE,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,WAAW,EAAE;oBAClD,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,OAAO,EAAE,IAAI,CAAC,OAAO;iBACtB,CAAC,CAAA;gBAEF,4DAA4D;gBAC5D,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;oBAC3B,SAAQ;gBACV,CAAC;gBAED,0BAA0B;gBAC1B,MAAM,YAAY,GAA4B,EAAE,CAAA;gBAEhD,yDAAyD;gBACzD,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;oBACrC,YAAY,CAAC,KAAK,GAAG,YAAY,CAAA;gBACnC,CAAC;gBAED,oCAAoC;gBACpC,MAAM,aAAa,GAAG,MAAM,6BAA6B,CACvD,aAAa,CAAC,UAAU,CAAC,MAAM,EAC/B,IAAI,EACJ,MAAM,EACN,KAAK,GAAG,CAAC,CACV,CAAA;gBAED,IAAI,aAAa,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3D,YAAY,CAAC,OAAO,GAAG,aAAa,CAAA;gBACtC,CAAC;gBAED,wBAAwB;gBACxB,OAAO,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAA;YACjF,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;AAC/C,CAAC;AAaD;;;;GAIG;AACH,SAAS,aAAa,CAAC,KAAc;IACnC,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,KAAgC,CAAA;QAC5C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAA;QACvB,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAA;QAC3B,MAAM,KAAK,GAAuB,EAAE,CAAA;QACpC,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,KAAK,CAAC,KAAK,GAAG,KAAqB,CAAA;QAC3E,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,KAAK,CAAC,OAAO,GAAG,OAAwB,CAAA;QACpF,OAAO,KAAK,CAAA;IACd,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,QAAQ,CACf,WAAqC,EACrC,WAAqC;IAErC,IAAI,WAAW,IAAI,WAAW,EAAE,CAAC;QAC/B,OAAO,EAAE,GAAG,EAAE,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,CAAA;IAC5C,CAAC;IACD,OAAO,WAAW,IAAI,WAAW,CAAA;AACnC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,MAAM,UAAU,6BAA6B,CAC3C,aAAsC,EACtC,uBAA4D,EAC5D,YAAyC,EACzC,MAAsB;IAEtB,4EAA4E;IAC5E,6EAA6E;IAC7E,gFAAgF;IAChF,gFAAgF;IAChF,kEAAkE;IAClE,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,aAAa,CAAA;IACtB,CAAC;IAED,MAAM,MAAM,GAA4B,EAAE,CAAA;IAC1C,MAAM,aAAa,GAAG,uBAAuB,CAAA;IAE7C,KAAK,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;QACxE,MAAM,WAAW,GAAG,YAAY,CAAC,YAAY,CAAC,CAAA;QAC9C,MAAM,sBAAsB,GAC1B,WAAW,EAAE,IAAI,KAAK,cAAc,IAAI,KAAK,IAAI,WAAW,IAAI,CAAC,CAAC,WAAW,CAAC,GAAG,CAAA;QAEnF,kGAAkG;QAClG,IAAI,CAAC,sBAAsB,EAAE,CAAC;YAC5B,MAAM,CAAC,YAAY,CAAC,GAAG,WAAW,CAAA;YAClC,SAAQ;QACV,CAAC;QAED,MAAM,WAAW,GAAG,aAAa,CAAC,YAAY,CAAC,CAAA;QAE/C,wFAAwF;QACxF,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,SAAQ;QACV,CAAC;QAED,MAAM,WAAW,GAAG,aAAa,CAAC,WAAW,CAAC,CAAA;QAC9C,MAAM,WAAW,GAAG,aAAa,CAAC,WAAW,CAAC,CAAA;QAE9C,iFAAiF;QACjF,MAAM,aAAa,GAAG,oBAAoB,CAAC,WAAW,CAAC,GAAa,EAAE,MAAM,CAAC,CAAA;QAC7E,MAAM,aAAa,GAAG,aAAa,EAAE,UAAU,CAAC,MAAM,CAAA;QAEtD,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,CAAC,CAAA;QAEpE,IAAI,YAAiD,CAAA;QACrD,IAAI,WAAW,EAAE,OAAO,IAAI,aAAa,EAAE,CAAC;YAC1C,kFAAkF;YAClF,YAAY,GAAG,6BAA6B,CAC1C,WAAW,CAAC,OAAO,EACnB,WAAW,EAAE,OAAO,EACpB,aAAa,EACb,MAAM,CACP,CAAA;QACH,CAAC;aAAM,IAAI,WAAW,EAAE,OAAO,EAAE,CAAC;YAChC,kEAAkE;YAClE,sEAAsE;YACtE,YAAY,GAAG,WAAW,CAAC,OAAO,CAAA;QACpC,CAAC;QAED,MAAM,KAAK,GAAgE,EAAE,CAAA;QAC7E,IAAI,WAAW;YAAE,KAAK,CAAC,KAAK,GAAG,WAAW,CAAA;QAC1C,IAAI,YAAY,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC;YAAE,KAAK,CAAC,OAAO,GAAG,YAAY,CAAA;QAEtF,mFAAmF;QACnF,MAAM,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAA;IACrE,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/access/field-access.d.ts

@@ -33,6 +33,7 @@ export declare function checkFieldAccess(fieldAccess: FieldAccess | undefined, o
 export declare function filterWritableFields<T extends Record<string, unknown>>(data: T, fieldConfigs: Record<string, {
     access?: FieldAccess;
     type?: string;
+    getColumnNames?: (fieldName: string) => string[];
 }>, operation: 'create' | 'update', args: {
     session: Session | null;
     item?: Record<string, unknown>;

package/dist/access/field-access.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"field-access.d.ts","sourceRoot":"","sources":["../../src/access/field-access.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AACxD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAE7C;;;;;;;;;GASG;AAEH;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,WAAW,GAAG,SAAS,EACpC,SAAS,EAAE,MAAM,GAAG,QAAQ,GAAG,QAAQ,EACvC,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC9B,OAAO,EAAE,aAAa,GAAG;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,CAAA;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACpC,GACA,OAAO,CAAC,OAAO,CAAC,CAmClB;AA8BD;;GAEG;AACH,wBAAsB,oBAAoB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1E,IAAI,EAAE,CAAC,EACP,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE;IAAE,MAAM,CAAC,EAAE,WAAW,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,EACrE,SAAS,EAAE,QAAQ,GAAG,QAAQ,EAC9B,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC9B,OAAO,EAAE,aAAa,GAAG;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,CAAA;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACpC,GACA,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAgDrB"}
+{"version":3,"file":"field-access.d.ts","sourceRoot":"","sources":["../../src/access/field-access.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AACxD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAM7C;;;;;;;;;GASG;AAEH;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,WAAW,GAAG,SAAS,EACpC,SAAS,EAAE,MAAM,GAAG,QAAQ,GAAG,QAAQ,EACvC,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC9B,OAAO,EAAE,aAAa,GAAG;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,CAAA;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACpC,GACA,OAAO,CAAC,OAAO,CAAC,CAmClB;AA8BD;;GAEG;AACH,wBAAsB,oBAAoB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1E,IAAI,EAAE,CAAC,EACP,YAAY,EAAE,MAAM,CAClB,MAAM,EACN;IACE,MAAM,CAAC,EAAE,WAAW,CAAA;IACpB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,cAAc,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,MAAM,EAAE,CAAA;CACjD,CACF,EACD,SAAS,EAAE,QAAQ,GAAG,QAAQ,EAC9B,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC9B,OAAO,EAAE,aAAa,GAAG;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,CAAA;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACpC,GACA,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CA2HrB"}

package/dist/access/field-access.js

@@ -1,3 +1,7 @@
+// `ValidationError` is referenced only inside function bodies (call-time), never
+// at module-evaluation time, so the field-access ⇄ hooks import cycle is safe
+// under ESM live bindings.
+import { ValidationError } from '../hooks/index.js';
 /**
  * Shared field-level access evaluation.
  *
@@ -84,6 +88,23 @@ export async function filterWritableFields(data, fieldConfigs, operation, args)
     // Build a set of foreign key field names to exclude
     // Foreign keys should not be in the data when using Prisma's relation syntax
     const foreignKeyFields = new Set();
+    // Map each raw per-part column name contributed by a multi-column field
+    // (e.g. storage image()/file() in Keystone-parity mode) back to its OWNING
+    // declared field. These columns are injected into the write payload by the
+    // field's `splitColumns` AFTER resolveInput and are intentionally NOT declared
+    // as their own entries in `fieldConfigs`, so without this map they would trip
+    // the #564 undeclared-key reject below.
+    //
+    // SECURITY (#568): a raw column must NOT be blanket-passed through. The hooks
+    // layer (`executeFieldResolveInputHooks`) only gates the owning field when the
+    // LOGICAL key (e.g. `media`) is present, because it iterates declared fields,
+    // not data keys. A non-sudo caller who supplies the raw columns DIRECTLY
+    // (`data: { media_url, media_size }`) never produces that logical key, so that
+    // gate never fires. We therefore gate each raw column HERE by its owning
+    // field's write access — denied (non-sudo) throws, allowed (or sudo) passes
+    // through — so the legitimate multi-column write path is preserved while the
+    // direct-raw-column bypass is closed.
+    const splitColumnOwners = new Map();
     for (const [fieldName, fieldConfig] of Object.entries(fieldConfigs)) {
         if (fieldConfig.type === 'relationship') {
             // For non-many relationships, Prisma creates a foreign key field named `${fieldName}Id`
@@ -92,7 +113,13 @@ export async function filterWritableFields(data, fieldConfigs, operation, args)
                 foreignKeyFields.add(`${fieldName}Id`);
             }
         }
+        if (typeof fieldConfig.getColumnNames === 'function') {
+            for (const column of fieldConfig.getColumnNames(fieldName)) {
+                splitColumnOwners.set(column, { fieldName, access: fieldConfig.access });
+            }
+        }
     }
+    const isSudo = args.context._isSudo === true;
     for (const [fieldName, value] of Object.entries(data)) {
         const fieldConfig = fieldConfigs[fieldName];
         // Skip system fields
@@ -109,14 +136,62 @@ export async function filterWritableFields(data, fieldConfigs, operation, args)
         if (foreignKeyFields.has(fieldName)) {
             continue;
         }
-        // Check field access (checkFieldAccess already handles sudo mode)
-        const canWrite = await checkFieldAccess(fieldConfig?.access, operation, {
+        // Raw per-part columns produced by a multi-column field's `splitColumns`.
+        // They are undeclared by design, so they must not trip the #564 reject — but
+        // they must NOT be blanket-passed through either: gate each one by its
+        // OWNING field's write access (see the SECURITY note where the map is built).
+        // This is the real gate for callers who supply the raw columns directly,
+        // because the logical-key gate in `executeFieldResolveInputHooks` never fires
+        // for them. Denied (non-sudo) throws — same fail-loud behaviour as a denied
+        // declared field (#568); allowed (or sudo, via `checkFieldAccess`) passes
+        // through, preserving the legitimate multi-column write path.
+        const splitColumnOwner = splitColumnOwners.get(fieldName);
+        if (splitColumnOwner) {
+            const canWrite = await checkFieldAccess(splitColumnOwner.access, operation, {
+                ...args,
+                inputData: args.inputData,
+            });
+            if (!canWrite) {
+                throw new ValidationError([
+                    `Cannot ${operation} "${splitColumnOwner.fieldName}" (via column "${fieldName}"): ` +
+                        `field-level access denied.`,
+                ]);
+            }
+            filtered[fieldName] = value;
+            continue;
+        }
+        // #564 — undeclared data keys must fail CLOSED.
+        // A key with no entry in `fieldConfigs` is not a field the list config
+        // exposes. The generated Prisma model has MORE fields than the config
+        // declares (e.g. back-relations like `from_Enrolment_student`), so allowing
+        // an undeclared key to pass through lets a non-sudo caller drive ungated
+        // nested writes on undeclared back-relations. Mirror Keystone's
+        // GraphQL-schema behaviour and reject it. `sudo` is the single trusted
+        // bypass, so undeclared keys still pass through under sudo.
+        if (!fieldConfig) {
+            if (isSudo) {
+                filtered[fieldName] = value;
+                continue;
+            }
+            throw new ValidationError([
+                `Cannot ${operation} "${fieldName}": it is not a field of this list. ` +
+                    `Undeclared data keys are rejected (use sudo to bypass).`,
+            ]);
+        }
+        // #568 — fields denied by field-level access must THROW, not be silently
+        // dropped. Keystone threw a GraphQL access error for the same situation;
+        // silently stripping the field lets a write "succeed" while doing less than
+        // asked (and skips any hook side effects gated on that field).
+        // `checkFieldAccess` already returns `true` under sudo, so sudo writes never
+        // reach the throw below — no parallel sudo path is needed here.
+        const canWrite = await checkFieldAccess(fieldConfig.access, operation, {
             ...args,
             inputData: args.inputData,
         });
-        if (canWrite) {
-            filtered[fieldName] = value;
+        if (!canWrite) {
+            throw new ValidationError([`Cannot ${operation} "${fieldName}": field-level access denied.`]);
         }
+        filtered[fieldName] = value;
     }
     return filtered;
 }

package/dist/access/field-access.js.map

@@ -1 +1 @@
-{"version":3,"file":"field-access.js","sourceRoot":"","sources":["../../src/access/field-access.ts"],"names":[],"mappings":"AAGA;;;;;;;;;GASG;AAEH;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAoC,EACpC,SAAuC,EACvC,IAKC;IAED,iCAAiC;IACjC,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,IAAI,CAAA,CAAC,8BAA8B;IAC5C,CAAC;IAED,MAAM,aAAa,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IAC5C,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,IAAI,CAAA,CAAC,yCAAyC;IACvD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;QACjC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS;KAC6B,CAAC,CAAA;IAEzC,kCAAkC;IAClC,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,kCAAkC;IAClC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,mDAAmD;IACnD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,IAA6B,EAAE,MAA+B;IACnF,KAAK,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACtD,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACxD,kDAAkD;YAClD,IAAI,QAAQ,IAAI,SAAS,EAAE,CAAC;gBAC1B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,MAAM,EAAE,CAAC;oBACnC,OAAO,KAAK,CAAA;gBACd,CAAC;YACH,CAAC;iBAAM,IAAI,KAAK,IAAI,SAAS,EAAE,CAAC;gBAC9B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;oBAChC,OAAO,KAAK,CAAA;gBACd,CAAC;YACH,CAAC;YACD,qCAAqC;QACvC,CAAC;aAAM,CAAC;YACN,wBAAwB;YACxB,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;gBAC5B,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAO,EACP,YAAqE,EACrE,SAA8B,EAC9B,IAKC;IAED,MAAM,QAAQ,GAA4B,EAAE,CAAA;IAE5C,oDAAoD;IACpD,6EAA6E;IAC7E,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAA;IAC1C,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACpE,IAAI,WAAW,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YACxC,wFAAwF;YACxF,MAAM,SAAS,GAAG,WAAiC,CAAA;YACnD,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;gBACpB,gBAAgB,CAAC,GAAG,CAAC,GAAG,SAAS,IAAI,CAAC,CAAA;YACxC,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACtD,MAAM,WAAW,GAAG,YAAY,CAAC,SAAS,CAAC,CAAA;QAE3C,qBAAqB;QACrB,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACzD,SAAQ;QACV,CAAC;QAED,qDAAqD;QACrD,wEAAwE;QACxE,IAAI,WAAW,IAAI,SAAS,IAAI,WAAW,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACnE,SAAQ;QACV,CAAC;QAED,8FAA8F;QAC9F,kGAAkG;QAClG,IAAI,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,SAAQ;QACV,CAAC;QAED,kEAAkE;QAClE,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE;YACtE,GAAG,IAAI;YACP,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAA;QAEF,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,CAAC,SAAS,CAAC,GAAG,KAAK,CAAA;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,QAAsB,CAAA;AAC/B,CAAC"}
+{"version":3,"file":"field-access.js","sourceRoot":"","sources":["../../src/access/field-access.ts"],"names":[],"mappings":"AAEA,iFAAiF;AACjF,8EAA8E;AAC9E,2BAA2B;AAC3B,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAEnD;;;;;;;;;GASG;AAEH;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAoC,EACpC,SAAuC,EACvC,IAKC;IAED,iCAAiC;IACjC,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,IAAI,CAAA,CAAC,8BAA8B;IAC5C,CAAC;IAED,MAAM,aAAa,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IAC5C,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,IAAI,CAAA,CAAC,yCAAyC;IACvD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;QACjC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS;KAC6B,CAAC,CAAA;IAEzC,kCAAkC;IAClC,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,kCAAkC;IAClC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,mDAAmD;IACnD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,IAA6B,EAAE,MAA+B;IACnF,KAAK,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACtD,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACxD,kDAAkD;YAClD,IAAI,QAAQ,IAAI,SAAS,EAAE,CAAC;gBAC1B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,MAAM,EAAE,CAAC;oBACnC,OAAO,KAAK,CAAA;gBACd,CAAC;YACH,CAAC;iBAAM,IAAI,KAAK,IAAI,SAAS,EAAE,CAAC;gBAC9B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;oBAChC,OAAO,KAAK,CAAA;gBACd,CAAC;YACH,CAAC;YACD,qCAAqC;QACvC,CAAC;aAAM,CAAC;YACN,wBAAwB;YACxB,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;gBAC5B,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAO,EACP,YAOC,EACD,SAA8B,EAC9B,IAKC;IAED,MAAM,QAAQ,GAA4B,EAAE,CAAA;IAE5C,oDAAoD;IACpD,6EAA6E;IAC7E,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAA;IAC1C,wEAAwE;IACxE,2EAA2E;IAC3E,2EAA2E;IAC3E,+EAA+E;IAC/E,8EAA8E;IAC9E,wCAAwC;IACxC,EAAE;IACF,8EAA8E;IAC9E,+EAA+E;IAC/E,8EAA8E;IAC9E,yEAAyE;IACzE,+EAA+E;IAC/E,yEAAyE;IACzE,4EAA4E;IAC5E,6EAA6E;IAC7E,sCAAsC;IACtC,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAuD,CAAA;IACxF,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACpE,IAAI,WAAW,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YACxC,wFAAwF;YACxF,MAAM,SAAS,GAAG,WAAiC,CAAA;YACnD,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;gBACpB,gBAAgB,CAAC,GAAG,CAAC,GAAG,SAAS,IAAI,CAAC,CAAA;YACxC,CAAC;QACH,CAAC;QACD,IAAI,OAAO,WAAW,CAAC,cAAc,KAAK,UAAU,EAAE,CAAC;YACrD,KAAK,MAAM,MAAM,IAAI,WAAW,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC3D,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC,CAAA;YAC1E,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,KAAK,IAAI,CAAA;IAE5C,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACtD,MAAM,WAAW,GAAG,YAAY,CAAC,SAAS,CAAC,CAAA;QAE3C,qBAAqB;QACrB,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACzD,SAAQ;QACV,CAAC;QAED,qDAAqD;QACrD,wEAAwE;QACxE,IAAI,WAAW,IAAI,SAAS,IAAI,WAAW,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACnE,SAAQ;QACV,CAAC;QAED,8FAA8F;QAC9F,kGAAkG;QAClG,IAAI,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,SAAQ;QACV,CAAC;QAED,0EAA0E;QAC1E,6EAA6E;QAC7E,uEAAuE;QACvE,8EAA8E;QAC9E,yEAAyE;QACzE,8EAA8E;QAC9E,4EAA4E;QAC5E,0EAA0E;QAC1E,8DAA8D;QAC9D,MAAM,gBAAgB,GAAG,iBAAiB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;QACzD,IAAI,gBAAgB,EAAE,CAAC;YACrB,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,gBAAgB,CAAC,MAAM,EAAE,SAAS,EAAE;gBAC1E,GAAG,IAAI;gBACP,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAA;YACF,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,eAAe,CAAC;oBACxB,UAAU,SAAS,KAAK,gBAAgB,CAAC,SAAS,kBAAkB,SAAS,MAAM;wBACjF,4BAA4B;iBAC/B,CAAC,CAAA;YACJ,CAAC;YACD,QAAQ,CAAC,SAAS,CAAC,GAAG,KAAK,CAAA;YAC3B,SAAQ;QACV,CAAC;QAED,gDAAgD;QAChD,uEAAuE;QACvE,sEAAsE;QACtE,4EAA4E;QAC5E,yEAAyE;QACzE,gEAAgE;QAChE,uEAAuE;QACvE,4DAA4D;QAC5D,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,IAAI,MAAM,EAAE,CAAC;gBACX,QAAQ,CAAC,SAAS,CAAC,GAAG,KAAK,CAAA;gBAC3B,SAAQ;YACV,CAAC;YACD,MAAM,IAAI,eAAe,CAAC;gBACxB,UAAU,SAAS,KAAK,SAAS,qCAAqC;oBACpE,yDAAyD;aAC5D,CAAC,CAAA;QACJ,CAAC;QAED,yEAAyE;QACzE,yEAAyE;QACzE,4EAA4E;QAC5E,+DAA+D;QAC/D,6EAA6E;QAC7E,gEAAgE;QAChE,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,WAAW,CAAC,MAAM,EAAE,SAAS,EAAE;YACrE,GAAG,IAAI;YACP,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,eAAe,CAAC,CAAC,UAAU,SAAS,KAAK,SAAS,+BAA+B,CAAC,CAAC,CAAA;QAC/F,CAAC;QAED,QAAQ,CAAC,SAAS,CAAC,GAAG,KAAK,CAAA;IAC7B,CAAC;IAED,OAAO,QAAsB,CAAA;AAC/B,CAAC"}