@opensaas/stack-core 0.24.0 → 0.25.0

package/src/context/nested-operations.ts

@@ -1,15 +1,70 @@
 import type { OpenSaasConfig, ListConfig, FieldConfig } from '../config/types.js'
-import type { AccessContext } from '../access/types.js'
+import type { AccessContext, FieldAccess } from '../access/types.js'
 import { checkAccess, filterWritableFields, getRelatedListConfig } from '../access/index.js'
+import { checkFieldAccess } from '../access/field-access.js'
 import {
   executeResolveInput,
   executeValidate,
   executeFieldResolveInputHooks,
+  executeBeforeOperation,
+  executeAfterOperation,
+  executeFieldBeforeOperationHooks,
+  executeFieldAfterOperationHooks,
+  executeFieldValidateHooks,
   validateFieldRules,
   ValidationError,
 } from '../hooks/index.js'
 import { getDbKey } from '../lib/case-utils.js'
 
+/**
+ * Nested writes (#569 / ADR-0010).
+ *
+ * Nested `create`/`update`/`delete` must fire the SAME list- and field-level
+ * `beforeOperation`/`afterOperation` as the equivalent top-level write, so a
+ * record's side effects are identical whether it was written nested or
+ * top-level. Persistence itself is still performed by Prisma's single nested
+ * write (so Prisma keeps owning FK ordering and intra-statement atomicity); we
+ * run the nested records' `beforeOperation` BEFORE that persist and their
+ * `afterOperation` AFTER it, all inside the one interactive transaction the
+ * Write Pipeline opens.
+ *
+ * Mechanism (per ADR-0010, "hooks around a single nested persist"):
+ *   - `processNestedOperations` runs nested resolveInput/validate/field-rules
+ *     (as before) AND nested `beforeOperation`, and returns the transformed
+ *     payload together with a list of deferred {@link AfterTask}s.
+ *   - The Write Pipeline persists the parent (with the nested relations
+ *     `include`d so the persisted nested rows come back), then calls
+ *     {@link runAfterTasks} so each nested record's `afterOperation` fires with
+ *     a real persisted `item` and (for update/delete) its `originalItem`.
+ *   - Everything runs inside the transaction, so a throwing `beforeOperation`/
+ *     `afterOperation` rolls back the whole write.
+ */
+
+/**
+ * A deferred nested `afterOperation` task, run after the parent has persisted.
+ * It receives the persisted parent row (with nested relations included) so it
+ * can recover the persisted nested `item`.
+ */
+export interface AfterTask {
+  /** Field name on the parent linking to the related list (for include lookup). */
+  fieldName: string
+  run(parentResult: Record<string, unknown>): Promise<void>
+}
+
+/**
+ * Result of processing nested operations: the transformed write payload plus
+ * the deferred `afterOperation` tasks and the relation fields the parent write
+ * must `include` so those tasks can recover their persisted `item`.
+ */
+export interface NestedOpsResult {
+  /** The transformed write payload handed to Prisma. */
+  data: Record<string, unknown>
+  /** Deferred `afterOperation` tasks to run after the parent persist. */
+  afterTasks: AfterTask[]
+  /** Relationship field names to `include` in the parent write result. */
+  includeFields: Set<string>
+}
+
 /**
  * Check if a field config is a relationship field
  */
@@ -18,20 +73,173 @@ function isRelationshipField(fieldConfig: FieldConfig | undefined): boolean {
 }
 
 /**
- * Process nested create operations
- * Applies hooks and access control to each item being created
+ * Resolve the related list name for a related list config (config object identity).
+ */
+function findListName(
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+  relatedListConfig: ListConfig<any>,
+  config: OpenSaasConfig,
+): string {
+  for (const [listKey, listCfg] of Object.entries(config.lists)) {
+    if (listCfg === relatedListConfig) {
+      return listKey
+    }
+  }
+  return ''
+}
+
+/**
+ * Read the rows of a parent's included relation as an array.
+ *
+ * A to-one relation comes back as a single row (or `null`); a to-many relation
+ * comes back as an array. This normalises both to an array so callers can apply
+ * a uniform id-diff.
+ */
+function includedRows(
+  parentResult: Record<string, unknown>,
+  fieldName: string,
+): Array<Record<string, unknown>> {
+  const included = parentResult[fieldName]
+  if (included == null) return []
+  if (Array.isArray(included)) return included as Array<Record<string, unknown>>
+  return [included as Record<string, unknown>]
+}
+
+/**
+ * Recover an UPDATED nested row from the parent result by its known id.
+ *
+ * The updated row's id is known up front (it was fetched for access as
+ * `originalItem`), so the persisted row is the included row with that id.
+ */
+function recoverUpdatedRow(
+  parentResult: Record<string, unknown>,
+  fieldName: string,
+  knownId: string | undefined,
+): Record<string, unknown> | undefined {
+  if (knownId === undefined) return undefined
+  return includedRows(parentResult, fieldName).find((r) => r.id === knownId)
+}
+
+/**
+ * Recover the CREATED nested rows from the parent result by id-diff.
+ *
+ * Created rows have no known id before the write, so they are identified as the
+ * included rows whose ids are NOT in `preExistingIds` (the set of related-row
+ * ids captured before the persist). Returned in include order, which the create
+ * handler pairs to its create-payload entries by position (see
+ * {@link CreatedRowRecovery}).
+ */
+function recoverCreatedRows(
+  parentResult: Record<string, unknown>,
+  fieldName: string,
+  preExistingIds: Set<string>,
+): Array<Record<string, unknown>> {
+  return includedRows(parentResult, fieldName).filter(
+    (r) => typeof r.id === 'string' && !preExistingIds.has(r.id as string),
+  )
+}
+
+/**
+ * Shared, memoised recovery of the rows created for ONE nested `create` payload
+ * on ONE relation field.
+ *
+ * A to-many `create: [{A},{B}]` produces several rows that must each fire their
+ * own `afterOperation` against their OWN row. We cannot tell which included row
+ * corresponds to which payload entry by content alone, so we identify the set of
+ * NEW rows by id-diff against the ids that existed before the persist, then pair
+ * them to the create-payload entries by POSITION (Prisma preserves create-array
+ * order in the included result). The id-diff is computed once per parent result
+ * and cached so every entry's task shares it.
+ *
+ * `inputData`↔row pairing is therefore positional and best-effort; `item`
+ * correctness (each task gets a genuinely-created, distinct row) is guaranteed:
+ * a pre-existing row can never be returned because it is excluded by the diff.
+ */
+interface CreatedRowRecovery {
+  /** Recover the created row for the create-payload entry at `index`. */
+  rowAt(parentResult: Record<string, unknown>, index: number): Record<string, unknown> | undefined
+}
+
+function createCreatedRowRecovery(
+  fieldName: string,
+  preExistingIds: Set<string>,
+): CreatedRowRecovery {
+  let cache: { source: Record<string, unknown>; rows: Array<Record<string, unknown>> } | undefined
+  return {
+    rowAt(parentResult, index) {
+      if (!cache || cache.source !== parentResult) {
+        cache = {
+          source: parentResult,
+          rows: recoverCreatedRows(parentResult, fieldName, preExistingIds),
+        }
+      }
+      return cache.rows[index]
+    },
+  }
+}
+
+/**
+ * Capture the ids of the rows currently linked to the parent via `fieldName`,
+ * BEFORE the parent persists. Used to identify which included rows are NEW
+ * (created by this write) afterwards.
+ *
+ * - For a parent CREATE there are no pre-existing related rows (the parent does
+ *   not exist yet), so the set is empty.
+ * - For a parent UPDATE we read the parent row's current relation and collect
+ *   its ids. The same `tx` client is used so the read participates in the
+ *   transaction and sees a consistent snapshot.
+ */
+async function capturePreExistingIds(
+  parentListName: string,
+  parentOriginalItem: Record<string, unknown> | undefined,
+  fieldName: string,
+  prisma: unknown,
+): Promise<Set<string>> {
+  const ids = new Set<string>()
+  const parentId = parentOriginalItem?.id
+  if (typeof parentId !== 'string') {
+    // Parent create (no existing row) — nothing pre-exists.
+    return ids
+  }
+
+  // Access Prisma model dynamically - required because model names are generated at runtime
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const parentModel = (prisma as any)[getDbKey(parentListName)]
+  if (!parentModel?.findUnique) return ids
+
+  const current = await parentModel.findUnique({
+    where: { id: parentId },
+    include: { [fieldName]: true },
+  })
+  for (const row of includedRows((current ?? {}) as Record<string, unknown>, fieldName)) {
+    if (typeof row.id === 'string') ids.add(row.id)
+  }
+  return ids
+}
+
+/**
+ * Process nested create operations.
+ *
+ * Runs the target list's full input pipeline (resolveInput → validate →
+ * field-rules → filter-writable → recurse) AND its `beforeOperation`, then
+ * registers an `afterOperation` task keyed to the parent's included relation.
  */
 async function processNestedCreate(
   items: Record<string, unknown> | Array<Record<string, unknown>>,
+  fieldName: string,
+  relatedListName: string,
   // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
   relatedListConfig: ListConfig<any>,
   context: AccessContext,
   config: OpenSaasConfig,
+  prisma: unknown,
+  afterTasks: AfterTask[],
+  recovery: CreatedRowRecovery,
 ): Promise<Record<string, unknown> | Array<Record<string, unknown>>> {
   const itemsArray = Array.isArray(items) ? items : [items]
 
   const processedItems = await Promise.all(
-    itemsArray.map(async (item) => {
+    itemsArray.map(async (item, index) => {
       // 1. Check create access (skip if sudo mode)
       if (!context._isSudo) {
         const createAccess = relatedListConfig.access?.operation?.create
@@ -45,16 +253,7 @@ async function processNestedCreate(
         }
       }
 
-      // 2. Get the list name for this related config
-      let relatedListName = ''
-      for (const [listKey, listCfg] of Object.entries(config.lists)) {
-        if (listCfg === relatedListConfig) {
-          relatedListName = listKey
-          break
-        }
-      }
-
-      // 3. Execute list-level resolveInput hook
+      // 2. Execute list-level resolveInput hook
       let resolvedData = await executeResolveInput(relatedListConfig.hooks, {
         listKey: relatedListName,
         operation: 'create',
@@ -64,7 +263,7 @@ async function processNestedCreate(
         context,
       })
 
-      // 4. Execute field-level resolveInput hooks
+      // 3. Execute field-level resolveInput hooks
       resolvedData = await executeFieldResolveInputHooks(
         item,
         resolvedData,
@@ -74,7 +273,7 @@ async function processNestedCreate(
         relatedListName,
       )
 
-      // 5. Execute validate hook
+      // 4. Execute validate hook
       await executeValidate(relatedListConfig.hooks, {
         listKey: relatedListName,
         operation: 'create',
@@ -84,13 +283,23 @@ async function processNestedCreate(
         context,
       })
 
-      // 4. Field validation
+      // 4.5 Field-level validate hooks
+      await executeFieldValidateHooks(
+        item,
+        resolvedData,
+        relatedListConfig.fields,
+        'create',
+        context,
+        relatedListName,
+      )
+
+      // 5. Field validation (built-in rules)
       const validation = validateFieldRules(resolvedData, relatedListConfig.fields, 'create')
       if (validation.errors.length > 0) {
         throw new ValidationError(validation.errors, validation.fieldErrors)
       }
 
-      // 5. Filter writable fields
+      // 6. Filter writable fields
       const filtered = await filterWritableFields(
         resolvedData,
         relatedListConfig.fields,
@@ -102,14 +311,89 @@ async function processNestedCreate(
         },
       )
 
-      // 6. Recursively process nested operations in this item
-      return await processNestedOperations(
+      // 7. Recursively process nested operations in this item. This nested row
+      // is itself being CREATED, so its own relations have no pre-existing rows
+      // (parent originalItem is undefined → empty pre-existing set).
+      const { data: nestedData, afterTasks: childAfterTasks } = await processNestedOperations(
         filtered,
         relatedListConfig.fields,
         config,
-        context,
+        { ...context, prisma },
+        'create',
+        relatedListName,
+        undefined,
+        // This nested row is being CREATED, so its enclosing inputData is its own
+        // create payload (passed to the connect-site owning-field gate, #588).
+        item,
+      )
+
+      // 8. Field-level beforeOperation (side effects) for this nested create
+      await executeFieldBeforeOperationHooks(
+        item,
+        resolvedData,
+        relatedListConfig.fields,
         'create',
+        context,
+        relatedListName,
       )
+
+      // 9. List-level beforeOperation for this nested create
+      await executeBeforeOperation(relatedListConfig.hooks, {
+        listKey: relatedListName,
+        operation: 'create',
+        inputData: item,
+        resolvedData,
+        context,
+      })
+
+      // 10. Register afterOperation: fires once the parent (and thus this nested
+      // row) has persisted. The created row is recovered by id-diff and paired
+      // to THIS create-payload entry by position (see CreatedRowRecovery), so a
+      // to-many `create: [{A},{B}]` fires once per row, each against its OWN
+      // distinct row, and never against a pre-existing sibling.
+      afterTasks.push({
+        fieldName,
+        run: async (parentResult) => {
+          const createdItem = recovery.rowAt(parentResult, index)
+          if (!createdItem) {
+            // The created row could not be identified by id-diff — the parent
+            // write did not return this nested relation (e.g. the underlying
+            // client does not echo `include`d relations). We must NOT hand an
+            // id-less `{}` to a hook as if it were the persisted row (finding 4:
+            // that would fire `afterOperation` against a fabricated item). The
+            // before-persist hooks have already run; we deliberately SKIP this
+            // record's create `afterOperation` rather than fire it with a bogus
+            // item. Real Prisma always echoes the `include`d relation, so this
+            // skip is reached only by clients/mocks that omit it. `item`
+            // correctness is the must-have; a missing row is never fabricated.
+            return
+          }
+
+          await executeAfterOperation(relatedListConfig.hooks, {
+            listKey: relatedListName,
+            operation: 'create',
+            inputData: item,
+            item: createdItem,
+            resolvedData,
+            context,
+          })
+
+          await executeFieldAfterOperationHooks(
+            createdItem,
+            item,
+            resolvedData,
+            relatedListConfig.fields,
+            'create',
+            context,
+            relatedListName,
+          )
+
+          // Run any deeper nested afterOperation tasks, scoped to the persisted row.
+          await runAfterTasks(childAfterTasks, createdItem)
+        },
+      })
+
+      return nestedData
     }),
   )
 
@@ -117,8 +401,106 @@ async function processNestedCreate(
 }
 
 /**
- * Process nested connect operations
- * Verifies update access to the items being connected
+ * Verify that a single connection target is reachable for the caller.
+ *
+ * Connecting an existing row references it; it does not modify the row's own
+ * data. Mirroring Keystone, this requires **read/query** access on the target
+ * list (not `update`). When query access returns a filter object, the filter is
+ * evaluated in the DATABASE (not in memory) via
+ * `findFirst({ where: { AND: [connection, accessFilter] } })`. The connect is
+ * allowed iff that query returns a row, which correctly handles arbitrary
+ * nested-relation predicates and boolean combinators (`AND`/`OR`/`some`/
+ * `none`/`not`). The existence check is folded into the reachability query so a
+ * non-existent id is still denied.
+ *
+ * In ADDITION to the target read/reachability check (#578), the OWNING
+ * relationship field's field-level access (its `create`/`update` access on the
+ * list being written, e.g. `Post.author`) must permit the connect (#588). This
+ * is the other half Keystone required: a connect needs read access on the
+ * target AND write access on the owning relationship field. If the owning
+ * field's field-level access denies, the connect is denied even when the target
+ * row is readable/reachable.
+ *
+ * Sudo bypasses the entire check (handled by the caller).
+ */
+async function verifyConnectReachable(
+  connection: Record<string, unknown>,
+  relatedListName: string,
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+  relatedListConfig: ListConfig<any>,
+  context: AccessContext,
+  prisma: unknown,
+  owningFieldAccess: FieldAccess | undefined,
+  enclosingOperation: 'create' | 'update',
+  enclosingItem: Record<string, unknown> | undefined,
+  enclosingInputData: Record<string, unknown> | undefined,
+): Promise<void> {
+  // Access Prisma model dynamically - required because model names are generated at runtime
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const model = (prisma as any)[getDbKey(relatedListName)]
+
+  // #588 — gate the connect by the OWNING relationship field's field-level
+  // access (evaluated for the enclosing write's operation). This runs in
+  // addition to the target read/reachability check below; a deny here denies
+  // the connect even if the target row is readable. `checkFieldAccess` returns
+  // `true` under sudo, but the caller already skips this whole function for
+  // sudo, so the gate never fires for trusted writes.
+  //
+  // `item`/`inputData` are the ENCLOSING write's `originalItem`/`inputData` —
+  // the SAME values the canonical Phase-5 `filterWritableFields` call passes for
+  // this field — so a field-access rule that depends on `item` or `inputData`
+  // (e.g. `({ item }) => item.status === 'draft'`) evaluates identically here and
+  // at Phase 5, and the two gates cannot diverge into a spurious connect denial.
+  const owningFieldAllowed = await checkFieldAccess(owningFieldAccess, enclosingOperation, {
+    session: context.session,
+    item: enclosingItem,
+    inputData: enclosingInputData,
+    context,
+  })
+  if (!owningFieldAllowed) {
+    throw new Error('Access denied: Cannot connect to this item')
+  }
+
+  // Connecting references an existing row; it requires READ (query) access on
+  // the target, not update access.
+  const queryAccess = relatedListConfig.access?.operation?.query
+  const accessResult = await checkAccess(queryAccess, {
+    session: context.session,
+    context,
+  })
+
+  // Explicit denial.
+  if (accessResult === false) {
+    throw new Error('Access denied: Cannot connect to this item')
+  }
+
+  // Full access: still verify the row exists (keep "Item not found" behaviour).
+  if (accessResult === true) {
+    const item = await model.findUnique({ where: connection })
+    if (!item) {
+      throw new Error(`Cannot connect: Item not found`)
+    }
+    return
+  }
+
+  // Filter result: confirm the row is reachable under the access filter by
+  // AND-combining the connection identifier with the filter and querying the DB.
+  // A non-existent id and an unreachable row both yield no row → denied. This
+  // correctly evaluates arbitrary nested-relation predicates and boolean
+  // combinators because the database does the matching, not an in-memory walk.
+  const reachable = await model.findFirst({
+    where: { AND: [connection, accessResult] },
+  })
+
+  if (!reachable) {
+    throw new Error('Access denied: Cannot connect to this item')
+  }
+}
+
+/**
+ * Process nested connect operations.
+ * Verifies read (query) access to the items being connected via DB reachability
+ * AND the owning relationship field's field-level access (#588).
  */
 async function processNestedConnect(
   connections: Record<string, unknown> | Array<Record<string, unknown>>,
@@ -127,50 +509,27 @@ async function processNestedConnect(
   relatedListConfig: ListConfig<any>,
   context: AccessContext,
   prisma: unknown,
+  owningFieldAccess: FieldAccess | undefined,
+  enclosingOperation: 'create' | 'update',
+  enclosingItem: Record<string, unknown> | undefined,
+  enclosingInputData: Record<string, unknown> | undefined,
 ): Promise<Record<string, unknown> | Array<Record<string, unknown>>> {
   const connectionsArray = Array.isArray(connections) ? connections : [connections]
 
-  // Check update access for each item being connected (skip if sudo mode)
+  // Check read access for each item being connected (skip if sudo mode)
   if (!context._isSudo) {
     for (const connection of connectionsArray) {
-      // Access Prisma model dynamically - required because model names are generated at runtime
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const model = (prisma as any)[getDbKey(relatedListName)]
-
-      // Fetch the item to check access
-      const item = await model.findUnique({
-        where: connection,
-      })
-
-      if (!item) {
-        throw new Error(`Cannot connect: Item not found`)
-      }
-
-      // Check update access (connecting modifies the relationship)
-      const updateAccess = relatedListConfig.access?.operation?.update
-      const accessResult = await checkAccess(updateAccess, {
-        session: context.session,
-        item,
+      await verifyConnectReachable(
+        connection,
+        relatedListName,
+        relatedListConfig,
         context,
-      })
-
-      if (accessResult === false) {
-        throw new Error('Access denied: Cannot connect to this item')
-      }
-
-      // If access returns a filter, check if item matches
-      if (typeof accessResult === 'object') {
-        // Simple field matching
-        for (const [key, value] of Object.entries(accessResult)) {
-          if (typeof value === 'object' && value !== null && 'equals' in value) {
-            if (item[key] !== (value as Record<string, unknown>).equals) {
-              throw new Error('Access denied: Cannot connect to this item')
-            }
-          } else if (item[key] !== value) {
-            throw new Error('Access denied: Cannot connect to this item')
-          }
-        }
-      }
+        prisma,
+        owningFieldAccess,
+        enclosingOperation,
+        enclosingItem,
+        enclosingInputData,
+      )
     }
   }
 
@@ -178,17 +537,22 @@ async function processNestedConnect(
 }
 
 /**
- * Process nested update operations
- * Applies hooks and access control to updates
+ * Process nested update operations.
+ *
+ * Runs the target list's full update input pipeline AND its `beforeOperation`,
+ * then registers an `afterOperation` task receiving `originalItem` (the row
+ * fetched before the write) and the persisted updated `item`.
  */
 async function processNestedUpdate(
   updates: Record<string, unknown> | Array<Record<string, unknown>>,
+  fieldName: string,
   relatedListName: string,
   // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
   relatedListConfig: ListConfig<any>,
   context: AccessContext,
   config: OpenSaasConfig,
   prisma: unknown,
+  afterTasks: AfterTask[],
 ): Promise<Record<string, unknown> | Array<Record<string, unknown>>> {
   const updatesArray = Array.isArray(updates) ? updates : [updates]
 
@@ -198,21 +562,25 @@ async function processNestedUpdate(
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       const model = (prisma as any)[getDbKey(relatedListName)]
 
-      // Fetch the existing item
-      const item = await model.findUnique({
-        where: (update as Record<string, unknown>).where,
-      })
+      const where = (update as Record<string, unknown>).where as Record<string, unknown>
+
+      // Fetch the existing item — reused as `originalItem` for afterOperation.
+      const originalItem = await model.findUnique({ where })
 
-      if (!item) {
+      if (!originalItem) {
         throw new Error('Cannot update: Item not found')
       }
 
+      // The updated row's id is known up front, so the included-result read-back
+      // finds this row directly by id.
+      const knownId = typeof originalItem.id === 'string' ? (originalItem.id as string) : undefined
+
       // Check update access (skip if sudo mode)
       if (!context._isSudo) {
         const updateAccess = relatedListConfig.access?.operation?.update
         const accessResult = await checkAccess(updateAccess, {
           session: context.session,
-          item,
+          item: originalItem,
           context,
         })
 
@@ -228,7 +596,7 @@ async function processNestedUpdate(
         operation: 'update',
         inputData: updateData,
         resolvedData: updateData,
-        item,
+        item: originalItem,
         context,
       })
 
@@ -240,7 +608,7 @@ async function processNestedUpdate(
         'update',
         context,
         relatedListName,
-        item,
+        originalItem,
       )
 
       // Execute validate hook
@@ -249,11 +617,22 @@ async function processNestedUpdate(
         operation: 'update',
         inputData: updateData,
         resolvedData,
-        item,
+        item: originalItem,
         context,
       })
 
-      // Field validation
+      // Field-level validate hooks
+      await executeFieldValidateHooks(
+        updateData,
+        resolvedData,
+        relatedListConfig.fields,
+        'update',
+        context,
+        relatedListName,
+        originalItem,
+      )
+
+      // Field validation (built-in rules)
       const validation = validateFieldRules(resolvedData, relatedListConfig.fields, 'update')
       if (validation.errors.length > 0) {
         throw new ValidationError(validation.errors, validation.fieldErrors)
@@ -266,24 +645,84 @@ async function processNestedUpdate(
         'update',
         {
           session: context.session,
-          item,
+          item: originalItem,
           context,
           inputData: updateData,
         },
       )
 
-      // Recursively process nested operations
-      const processedData = await processNestedOperations(
+      // Recursively process nested operations. This nested row is being UPDATED,
+      // so its own relations' pre-existing rows are captured from `originalItem`.
+      const { data: nestedData, afterTasks: childAfterTasks } = await processNestedOperations(
         filtered,
         relatedListConfig.fields,
         config,
-        context,
+        { ...context, prisma },
+        'update',
+        relatedListName,
+        originalItem,
+        // This nested row is being UPDATED, so its enclosing inputData is its own
+        // update payload (passed to the connect-site owning-field gate, #588).
+        updateData,
+      )
+
+      // Field-level beforeOperation (side effects)
+      await executeFieldBeforeOperationHooks(
+        updateData,
+        resolvedData,
+        relatedListConfig.fields,
         'update',
+        context,
+        relatedListName,
+        originalItem,
       )
 
+      // List-level beforeOperation
+      await executeBeforeOperation(relatedListConfig.hooks, {
+        listKey: relatedListName,
+        operation: 'update',
+        inputData: updateData,
+        item: originalItem,
+        resolvedData,
+        context,
+      })
+
+      // Register afterOperation: fires after the parent persist. The updated row
+      // is recovered from the parent's included relation by its known id.
+      afterTasks.push({
+        fieldName,
+        run: async (parentResult) => {
+          const persisted = recoverUpdatedRow(parentResult, fieldName, knownId)
+          const updatedItem = persisted ?? originalItem
+
+          await executeAfterOperation(relatedListConfig.hooks, {
+            listKey: relatedListName,
+            operation: 'update',
+            inputData: updateData,
+            originalItem,
+            item: updatedItem,
+            resolvedData,
+            context,
+          })
+
+          await executeFieldAfterOperationHooks(
+            updatedItem,
+            updateData,
+            resolvedData,
+            relatedListConfig.fields,
+            'update',
+            context,
+            relatedListName,
+            originalItem,
+          )
+
+          await runAfterTasks(childAfterTasks, updatedItem)
+        },
+      })
+
       return {
-        where: (update as Record<string, unknown>).where,
-        data: processedData,
+        where,
+        data: nestedData,
       }
     }),
   )
@@ -291,61 +730,237 @@ async function processNestedUpdate(
   return Array.isArray(updates) ? processedUpdates : processedUpdates[0]
 }
 
+/**
+ * Process nested delete operations.
+ *
+ * Runs the target list's delete pipeline (validate/field-validate +
+ * `beforeOperation`) before the parent persist, and registers an
+ * `afterOperation` task receiving the `originalItem` (the row before deletion).
+ * Persistence is performed by Prisma's nested write; the row no longer exists
+ * after, so `originalItem` is the authoritative record for after-hooks.
+ */
+async function processNestedDelete(
+  deletes: Record<string, unknown> | Array<Record<string, unknown>> | boolean,
+  relatedListName: string,
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
+  relatedListConfig: ListConfig<any>,
+  context: AccessContext,
+  prisma: unknown,
+  afterTasks: AfterTask[],
+): Promise<Record<string, unknown> | Array<Record<string, unknown>> | boolean> {
+  // A to-one relation delete can be a boolean (`{ delete: true }`); there is no
+  // identifying `where`, so we cannot run target-resolved hooks. Pass through.
+  if (typeof deletes === 'boolean') {
+    return deletes
+  }
+
+  const deletesArray = Array.isArray(deletes) ? deletes : [deletes]
+
+  await Promise.all(
+    deletesArray.map(async (del) => {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const model = (prisma as any)[getDbKey(relatedListName)]
+
+      // A nested delete entry is itself the unique `where` (e.g. `{ id }`).
+      const where = del as Record<string, unknown>
+
+      const originalItem = await model.findUnique({ where })
+      if (!originalItem) {
+        throw new Error('Cannot delete: Item not found')
+      }
+
+      // Check delete access (skip if sudo mode)
+      if (!context._isSudo) {
+        const deleteAccess = relatedListConfig.access?.operation?.delete
+        const accessResult = await checkAccess(deleteAccess, {
+          session: context.session,
+          item: originalItem,
+          context,
+        })
+
+        if (accessResult === false) {
+          throw new Error('Access denied: Cannot delete related item')
+        }
+      }
+
+      // List-level validate (delete)
+      await executeValidate(relatedListConfig.hooks, {
+        listKey: relatedListName,
+        operation: 'delete',
+        item: originalItem,
+        context,
+      })
+
+      // Field-level validate (delete)
+      await executeFieldValidateHooks(
+        undefined,
+        undefined,
+        relatedListConfig.fields,
+        'delete',
+        context,
+        relatedListName,
+        originalItem,
+      )
+
+      // Field-level beforeOperation (delete)
+      await executeFieldBeforeOperationHooks(
+        {},
+        {},
+        relatedListConfig.fields,
+        'delete',
+        context,
+        relatedListName,
+        originalItem,
+      )
+
+      // List-level beforeOperation (delete)
+      await executeBeforeOperation(relatedListConfig.hooks, {
+        listKey: relatedListName,
+        operation: 'delete',
+        item: originalItem,
+        context,
+      })
+
+      // Register afterOperation: the row is gone after persist, so the
+      // originalItem is the authoritative record passed to after-hooks.
+      afterTasks.push({
+        fieldName: '',
+        run: async () => {
+          await executeAfterOperation(relatedListConfig.hooks, {
+            listKey: relatedListName,
+            operation: 'delete',
+            originalItem,
+            context,
+          })
+
+          await executeFieldAfterOperationHooks(
+            originalItem,
+            undefined,
+            undefined,
+            relatedListConfig.fields,
+            'delete',
+            context,
+            relatedListName,
+            originalItem,
+          )
+        },
+      })
+    }),
+  )
+
+  return deletes
+}
+
 /**
  * Process nested connectOrCreate operations
  */
 async function processNestedConnectOrCreate(
   operations: Record<string, unknown> | Array<Record<string, unknown>>,
+  fieldName: string,
   relatedListName: string,
   // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
   relatedListConfig: ListConfig<any>,
   context: AccessContext,
   config: OpenSaasConfig,
   prisma: unknown,
+  afterTasks: AfterTask[],
+  recovery: CreatedRowRecovery,
+  owningFieldAccess: FieldAccess | undefined,
+  enclosingOperation: 'create' | 'update',
+  enclosingItem: Record<string, unknown> | undefined,
+  enclosingInputData: Record<string, unknown> | undefined,
 ): Promise<Record<string, unknown> | Array<Record<string, unknown>>> {
   const operationsArray = Array.isArray(operations) ? operations : [operations]
 
   const processedOps = await Promise.all(
     operationsArray.map(async (op) => {
-      // Process the create portion through create hooks
       const opRecord = op as Record<string, unknown>
-      const processedCreate = await processNestedCreate(
-        opRecord.create as Record<string, unknown> | Array<Record<string, unknown>>,
-        relatedListConfig,
-        context,
-        config,
-      )
 
-      // Check access for the connect portion (try to find existing item) (skip if sudo mode)
+      // Check access for the connect portion (skip if sudo mode).
+      //
+      // connectOrCreate connects an existing row when present, otherwise
+      // creates. So when the row exists we apply the same connect semantics as
+      // processNestedConnect — READ (query) access on the target, evaluated via
+      // DB reachability for filter results, PLUS the owning relationship field's
+      // field-level access (#588). When the row does not exist we fall through to
+      // create. We must NOT swallow an access-denied error: only the genuine
+      // "row absent" case may fall back to create.
+      let rowExists = false
       if (!context._isSudo) {
-        try {
-          // Access Prisma model dynamically - required because model names are generated at runtime
-          // eslint-disable-next-line @typescript-eslint/no-explicit-any
-          const model = (prisma as any)[getDbKey(relatedListName)]
-          const existingItem = await model.findUnique({
-            where: opRecord.where,
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const model = (prisma as any)[getDbKey(relatedListName)]
+        const where = opRecord.where as Record<string, unknown>
+
+        const existingItem = await model.findUnique({ where })
+
+        // Only enforce connect access when the row actually exists; otherwise
+        // the create branch is used.
+        if (existingItem) {
+          rowExists = true
+
+          // #588 — gate the connect branch by the OWNING relationship field's
+          // field-level access, identical to processNestedConnect. A deny here
+          // denies the connect even if the target row is readable/reachable.
+          // `item`/`inputData` are the ENCLOSING write's `originalItem`/
+          // `inputData` (the same values Phase-5 `filterWritableFields` passes),
+          // so item-/inputData-dependent field rules cannot diverge between the
+          // two gates.
+          const owningFieldAllowed = await checkFieldAccess(owningFieldAccess, enclosingOperation, {
+            session: context.session,
+            item: enclosingItem,
+            inputData: enclosingInputData,
+            context,
           })
+          if (!owningFieldAllowed) {
+            throw new Error('Access denied: Cannot connect to existing item')
+          }
+
+          const queryAccess = relatedListConfig.access?.operation?.query
+          const accessResult = await checkAccess(queryAccess, {
+            session: context.session,
+            item: existingItem,
+            context,
+          })
+
+          if (accessResult === false) {
+            throw new Error('Access denied: Cannot connect to existing item')
+          }
 
-          if (existingItem) {
-            // Check update access for connection
-            const updateAccess = relatedListConfig.access?.operation?.update
-            const accessResult = await checkAccess(updateAccess, {
-              session: context.session,
-              item: existingItem,
-              context,
+          // Filter result: confirm the existing row is reachable under the
+          // access filter via DB reachability (handles nested/boolean filters).
+          if (accessResult !== true) {
+            const reachable = await model.findFirst({
+              where: { AND: [where, accessResult] },
             })
 
-            if (accessResult === false) {
+            if (!reachable) {
               throw new Error('Access denied: Cannot connect to existing item')
             }
           }
-        } catch {
-          // Item doesn't exist, will use create (already processed)
         }
       }
 
+      // Process the create portion through the full create pipeline (incl.
+      // before/afterOperation). Only register an afterOperation task when the
+      // create branch will actually run (row absent), so a pure connect does not
+      // fire create hooks. Under sudo we cannot statically know, so we let the
+      // create pipeline run its hooks (sudo bypasses access only, not hooks).
+      const runCreateHooks = context._isSudo || !rowExists
+      const createAfterTasks: AfterTask[] = runCreateHooks ? afterTasks : []
+      const processedCreate = await processNestedCreate(
+        opRecord.create as Record<string, unknown> | Array<Record<string, unknown>>,
+        fieldName,
+        relatedListName,
+        relatedListConfig,
+        context,
+        config,
+        prisma,
+        createAfterTasks,
+        recovery,
+      )
+
       return {
-        where: (op as Record<string, unknown>).where,
+        where: opRecord.where,
         create: processedCreate,
       }
     }),
@@ -356,100 +971,230 @@ async function processNestedConnectOrCreate(
 
 /**
  * Arguments passed to every nested-operation handler.
- *
- * A handler receives the raw value supplied for a single nested-op kind
- * (e.g. the contents of `value.create`) alongside everything it needs to apply
- * hooks, access control, and recursion.
  */
 interface NestedOpHandlerArgs {
   /** Raw payload supplied for this nested-op kind (e.g. the value of `value.create`). */
   value: unknown
+  /** The owning relationship field name on the parent (for include read-back). */
+  fieldName: string
   /** The list name of the related model (e.g. `'User'`). */
   relatedListName: string
   // eslint-disable-next-line @typescript-eslint/no-explicit-any -- ListConfig must accept any TypeInfo
   relatedListConfig: ListConfig<any>
+  /**
+   * Field-level `access` of the OWNING relationship field on the list being
+   * written (e.g. `Post.author`). Used by the connect/connectOrCreate handlers
+   * to gate connects by the owning field's create/update access (#588).
+   */
+  owningFieldAccess: FieldAccess | undefined
+  /**
+   * The enclosing write's operation (`create`/`update`), used as the field-access
+   * operation for the owning-field connect gate (#588).
+   */
+  enclosingOperation: 'create' | 'update'
+  /**
+   * The enclosing write's existing row (the parent `originalItem`): present for an
+   * enclosing UPDATE, `undefined` for an enclosing CREATE. Threaded into the
+   * connect-site owning-field gate so it evaluates `item` exactly like the
+   * canonical Phase-5 `filterWritableFields` call and the two cannot diverge
+   * (#588 finding).
+   */
+  enclosingItem: Record<string, unknown> | undefined
+  /**
+   * The enclosing write's input data. Threaded into the connect-site owning-field
+   * gate so it evaluates `inputData` exactly like the canonical Phase-5
+   * `filterWritableFields` call (#588 finding).
+   */
+  enclosingInputData: Record<string, unknown> | undefined
   context: AccessContext
   config: OpenSaasConfig
   /** Prisma client used for dynamic model access during access checks. */
   prisma: unknown
+  /** Collector for deferred nested `afterOperation` tasks. */
+  afterTasks: AfterTask[]
+  /**
+   * Recovery of the rows created on THIS field by id-diff (created kinds only —
+   * `create` and `connectOrCreate`'s create branch). Identifies each created row
+   * by excluding the ids that existed before the persist, and pairs them to the
+   * create-payload entries by position. Created lazily because it requires a
+   * pre-persist DB read; `undefined` for kinds that never create.
+   */
+  recovery: CreatedRowRecovery | undefined
 }
 
+/**
+ * Narrow the lazily-built {@link CreatedRowRecovery} to a present value for the
+ * created kinds (`create`, `connectOrCreate`). It is always provided for these
+ * kinds by {@link processFieldNestedOps}; the guard backstops a programming
+ * error rather than a user-facing path.
+ */
+function requireRecovery(
+  recovery: CreatedRowRecovery | undefined,
+  kind: string,
+): CreatedRowRecovery {
+  if (!recovery) {
+    throw new Error(`Internal error: missing created-row recovery for nested "${kind}"`)
+  }
+  return recovery
+}
+
+/** Nested-op kinds that can create new rows and so need created-row recovery. */
+const CREATING_KINDS = new Set(['create', 'connectOrCreate'])
+
 /**
  * A nested-operation handler describes how a single nested-op kind
  * (`create`, `connect`, …) is processed before it reaches Prisma.
- *
- * Adding support for a new nested-op kind means registering a new entry in
- * {@link nestedOpRegistry}, not editing the dispatch loop.
  */
 interface NestedOpHandler {
   /** Produce the processed payload for this nested-op kind. */
   execute(args: NestedOpHandlerArgs): Promise<unknown>
+  /**
+   * Whether this kind needs the parent write to `include` the relation so its
+   * persisted row can be read back for `afterOperation` (`create`/`update`).
+   */
+  needsInclude: boolean
 }
 
 /**
  * Registry of nested-operation handlers keyed by nested-op kind.
  *
- * The dispatch loop in {@link processNestedOperations} looks handlers up here
- * instead of branching on each kind. Kinds that require hooks/access control
- * (`create`, `connect`, `connectOrCreate`, `update`) provide an `execute` that
- * applies them; pass-through kinds (`disconnect`, `delete`, `deleteMany`,
- * `set`, `updateMany`) return their value unchanged so Prisma's own
- * constraints apply.
+ * Kinds that run the full hook pipeline (`create`, `update`, `delete`, and the
+ * create branch of `connectOrCreate`) run `beforeOperation` inline and register
+ * deferred `afterOperation` tasks. `connect`/`connectOrCreate`'s connect branch
+ * enforce access only. Remaining pass-through kinds (`disconnect`, `set`,
+ * `updateMany`, `deleteMany`) return their value unchanged so Prisma's own
+ * constraints apply — they are intentionally NOT in scope for #569.
  */
 const nestedOpRegistry: Record<string, NestedOpHandler> = {
   create: {
-    execute: ({ value, relatedListConfig, context, config }) =>
+    needsInclude: true,
+    execute: ({
+      value,
+      fieldName,
+      relatedListName,
+      relatedListConfig,
+      context,
+      config,
+      prisma,
+      afterTasks,
+      recovery,
+    }) =>
       processNestedCreate(
         value as Record<string, unknown> | Array<Record<string, unknown>>,
+        fieldName,
+        relatedListName,
         relatedListConfig,
         context,
         config,
+        prisma,
+        afterTasks,
+        requireRecovery(recovery, 'create'),
       ),
   },
   connect: {
-    execute: ({ value, relatedListName, relatedListConfig, context, prisma }) =>
+    needsInclude: false,
+    execute: ({
+      value,
+      relatedListName,
+      relatedListConfig,
+      context,
+      prisma,
+      owningFieldAccess,
+      enclosingOperation,
+      enclosingItem,
+      enclosingInputData,
+    }) =>
       processNestedConnect(
         value as Record<string, unknown> | Array<Record<string, unknown>>,
         relatedListName,
         relatedListConfig,
         context,
         prisma,
+        owningFieldAccess,
+        enclosingOperation,
+        enclosingItem,
+        enclosingInputData,
       ),
   },
   connectOrCreate: {
-    execute: ({ value, relatedListName, relatedListConfig, context, config, prisma }) =>
+    needsInclude: true,
+    execute: ({
+      value,
+      fieldName,
+      relatedListName,
+      relatedListConfig,
+      context,
+      config,
+      prisma,
+      afterTasks,
+      recovery,
+      owningFieldAccess,
+      enclosingOperation,
+      enclosingItem,
+      enclosingInputData,
+    }) =>
       processNestedConnectOrCreate(
         value as Record<string, unknown> | Array<Record<string, unknown>>,
+        fieldName,
         relatedListName,
         relatedListConfig,
         context,
         config,
         prisma,
+        afterTasks,
+        requireRecovery(recovery, 'connectOrCreate'),
+        owningFieldAccess,
+        enclosingOperation,
+        enclosingItem,
+        enclosingInputData,
       ),
   },
   update: {
-    execute: ({ value, relatedListName, relatedListConfig, context, config, prisma }) =>
+    needsInclude: true,
+    execute: ({
+      value,
+      fieldName,
+      relatedListName,
+      relatedListConfig,
+      context,
+      config,
+      prisma,
+      afterTasks,
+    }) =>
       processNestedUpdate(
         value as Record<string, unknown> | Array<Record<string, unknown>>,
+        fieldName,
         relatedListName,
         relatedListConfig,
         context,
         config,
         prisma,
+        afterTasks,
+      ),
+  },
+  delete: {
+    // The row no longer exists after the parent write, so no read-back include.
+    needsInclude: false,
+    execute: ({ value, relatedListName, relatedListConfig, context, prisma, afterTasks }) =>
+      processNestedDelete(
+        value as Record<string, unknown> | Array<Record<string, unknown>> | boolean,
+        relatedListName,
+        relatedListConfig,
+        context,
+        prisma,
+        afterTasks,
       ),
   },
   // Pass-through kinds: no hooks/access control, left to Prisma's own constraints.
-  disconnect: { execute: ({ value }) => Promise.resolve(value) },
-  delete: { execute: ({ value }) => Promise.resolve(value) },
-  deleteMany: { execute: ({ value }) => Promise.resolve(value) },
-  set: { execute: ({ value }) => Promise.resolve(value) },
-  updateMany: { execute: ({ value }) => Promise.resolve(value) },
+  // (Out of scope for #569 — see the issue's "Out of scope" notes.)
+  disconnect: { needsInclude: false, execute: ({ value }) => Promise.resolve(value) },
+  deleteMany: { needsInclude: false, execute: ({ value }) => Promise.resolve(value) },
+  set: { needsInclude: false, execute: ({ value }) => Promise.resolve(value) },
+  updateMany: { needsInclude: false, execute: ({ value }) => Promise.resolve(value) },
 }
 
 /**
  * Order in which nested-op kinds are processed for a single relationship field.
- *
- * Mirrors the historical in-place dispatch order so behaviour is preserved.
  */
 const nestedOpOrder = [
   'create',
@@ -469,11 +1214,33 @@ const nestedOpOrder = [
  * the {@link nestedOpRegistry}.
  */
 async function processFieldNestedOps(
+  fieldName: string,
   valueRecord: Record<string, unknown>,
-  args: Omit<NestedOpHandlerArgs, 'value'>,
+  args: Omit<NestedOpHandlerArgs, 'value' | 'fieldName' | 'recovery'>,
+  includeFields: Set<string>,
+  parentListName: string,
+  parentOriginalItem: Record<string, unknown> | undefined,
 ): Promise<Record<string, unknown>> {
   const nestedOp: Record<string, unknown> = {}
 
+  // Created-row recovery is only needed when this field has a creating kind
+  // (`create`/`connectOrCreate`). When present it requires a pre-persist read of
+  // the parent's current related ids, so build it once, lazily, and share it
+  // across the creating kinds on this field.
+  let recovery: CreatedRowRecovery | undefined
+  const hasCreatingKind = nestedOpOrder.some(
+    (kind) => CREATING_KINDS.has(kind) && valueRecord[kind] !== undefined,
+  )
+  if (hasCreatingKind) {
+    const preExistingIds = await capturePreExistingIds(
+      parentListName,
+      parentOriginalItem,
+      fieldName,
+      args.prisma,
+    )
+    recovery = createCreatedRowRecovery(fieldName, preExistingIds)
+  }
+
   for (const kind of nestedOpOrder) {
     const value = valueRecord[kind]
     if (value === undefined) {
@@ -481,15 +1248,27 @@ async function processFieldNestedOps(
     }
 
     const handler = nestedOpRegistry[kind]
-    nestedOp[kind] = await handler.execute({ ...args, value })
+    if (handler.needsInclude) {
+      includeFields.add(fieldName)
+    }
+    nestedOp[kind] = await handler.execute({
+      ...args,
+      value,
+      fieldName,
+      recovery,
+    })
   }
 
   return nestedOp
 }
 
 /**
- * Process all nested operations in a data payload
- * Recursively handles relationship fields with nested writes
+ * Process all nested operations in a data payload.
+ *
+ * Recursively handles relationship fields with nested writes. In addition to
+ * transforming the payload it runs each nested record's `beforeOperation` and
+ * collects deferred `afterOperation` tasks (run by the Write Pipeline after the
+ * parent persist via {@link runAfterTasks}). See ADR-0010.
  */
 export async function processNestedOperations(
   data: Record<string, unknown>,
@@ -497,12 +1276,22 @@ export async function processNestedOperations(
   config: OpenSaasConfig,
   context: AccessContext & { prisma: unknown },
   operation: 'create' | 'update',
+  parentListName: string,
+  parentOriginalItem: Record<string, unknown> | undefined,
+  // The enclosing write's input data (the SAME value Phase-5 `filterWritableFields`
+  // passes as `inputData`). Threaded into the connect-site owning-field gate (#588
+  // finding) so item-/inputData-dependent field-access rules cannot diverge between
+  // Phase 5 and the connect site. `undefined` is tolerated (defaults to `{}`).
+  parentInputData: Record<string, unknown> | undefined = undefined,
   depth: number = 0,
-): Promise<Record<string, unknown>> {
+): Promise<NestedOpsResult> {
   const MAX_DEPTH = 5
 
+  const afterTasks: AfterTask[] = []
+  const includeFields = new Set<string>()
+
   if (depth >= MAX_DEPTH) {
-    return data
+    return { data, afterTasks, includeFields }
   }
 
   const processed: Record<string, unknown> = {}
@@ -525,16 +1314,53 @@ export async function processNestedOperations(
     }
 
     const { listName: relatedListName, listConfig: relatedListConfig } = relatedConfig
+    // Sanity: ensure the resolved list name matches the config identity.
+    const resolvedListName = relatedListName || findListName(relatedListConfig, config)
 
-    // Dispatch each present nested-op kind through the handler registry.
-    processed[fieldName] = await processFieldNestedOps(value as Record<string, unknown>, {
-      relatedListName,
-      relatedListConfig,
-      context,
-      config,
-      prisma: context.prisma,
-    })
+    // #588 — the owning relationship field's field-level access (e.g. the
+    // `access` on `Post.author`). Threaded into the nested-op handlers so the
+    // connect/connectOrCreate handlers can gate connects by this field's
+    // create/update access, in addition to the target's read access.
+    const owningFieldAccess = fieldConfig.access
+
+    processed[fieldName] = await processFieldNestedOps(
+      fieldName,
+      value as Record<string, unknown>,
+      {
+        relatedListName: resolvedListName,
+        relatedListConfig,
+        owningFieldAccess,
+        enclosingOperation: operation,
+        // The enclosing write's `originalItem`/`inputData` — the SAME values the
+        // canonical Phase-5 `filterWritableFields` call passes for this field — so
+        // the connect-site owning-field gate evaluates item-/inputData-dependent
+        // rules identically and cannot diverge into a spurious connect denial (#588).
+        enclosingItem: parentOriginalItem,
+        enclosingInputData: parentInputData ?? {},
+        context,
+        config,
+        prisma: context.prisma,
+        afterTasks,
+      },
+      includeFields,
+      parentListName,
+      parentOriginalItem,
+    )
   }
 
-  return processed
+  return { data: processed, afterTasks, includeFields }
+}
+
+/**
+ * Run a set of deferred nested `afterOperation` tasks against a persisted parent
+ * row. Tasks run sequentially so a throwing after-hook aborts the rest (and, run
+ * inside the transaction by the Write Pipeline, rolls the whole write back).
+ */
+export async function runAfterTasks(
+  afterTasks: AfterTask[],
+  parentResult: Record<string, unknown>,
+): Promise<void> {
+  for (const task of afterTasks) {
+    await task.run(parentResult)
+  }
 }