@powerhousedao/reactor-api 6.0.0-dev.6 → 6.0.0-dev.60

package/dist/src/graphql/document-model-subgraph.d.ts

@@ -1,51 +1,36 @@
-import { type IDocumentDriveServer } from "document-drive";
 import { type DocumentModelModule } from "document-model";
 import { BaseSubgraph } from "./base-subgraph.js";
 import type { SubgraphArgs } from "./types.js";
-export declare function generateDocumentModelResolversLegacy(documentModel: DocumentModelModule, reactor: IDocumentDriveServer): {
-    Query: {
-        [x: string]: () => {
-            getDocument: (args: {
-                docId: string;
-                driveId: string;
-            }) => Promise<{
-                __typename?: string;
-                id: string;
-                name: string;
-                documentType: string;
-                revision: number;
-                createdAtUtcIso: string;
-                lastModifiedAtUtcIso: string;
-                operations: import("./types.js").GqlOperation[];
-                stateJSON: JSON;
-                state: unknown;
-                initialState: unknown;
-                driveId: string;
-            }>;
-            getDocuments: (args: {
-                driveId: string;
-            }) => Promise<{
-                __typename?: string;
-                id: string;
-                name: string;
-                documentType: string;
-                revision: number;
-                createdAtUtcIso: string;
-                lastModifiedAtUtcIso: string;
-                operations: import("./types.js").GqlOperation[];
-                stateJSON: JSON;
-                state: unknown;
-                initialState: unknown;
-                driveId: string;
-            }[]>;
-        };
-    };
-    Mutation: {
-        [x: string]: any;
-    };
-};
+/**
+ * New document model subgraph that uses reactorClient instead of legacy reactor.
+ * This class auto-generates GraphQL queries and mutations for a document model.
+ */
+export declare class DocumentModelSubgraph extends BaseSubgraph {
+    private documentModel;
+    constructor(documentModel: DocumentModelModule, args: SubgraphArgs);
+    /**
+     * Generate __resolveType functions for union types found in the document model schema.
+     * Parses the state schema to find union definitions and their member types,
+     * then uses unique field presence to discriminate between member types at runtime.
+     */
+    private generateUnionResolvers;
+    /**
+     * Generate resolvers for this document model using reactorClient
+     * Uses flat queries (not nested) consistent with ReactorSubgraph patterns
+     */
+    private generateResolvers;
+}
+/**
+ * @deprecated Use `DocumentModelSubgraph` instead. This class uses the legacy `reactor` (IDocumentDriveServer)
+ * interface. The new `DocumentModelSubgraph` class uses `reactorClient` (IReactorClient) which provides
+ * better patterns and more capabilities. Enable via `useNewDocumentModelSubgraph: true` in GraphQLManager.
+ */
 export declare class DocumentModelSubgraphLegacy extends BaseSubgraph {
     private documentModel;
     constructor(documentModel: DocumentModelModule, args: SubgraphArgs);
+    /**
+     * Generate resolvers for this document model with permission checks
+     */
+    private generateResolvers;
 }
 //# sourceMappingURL=document-model-subgraph.d.ts.map

package/dist/src/graphql/document-model-subgraph.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"document-model-subgraph.d.ts","sourceRoot":"","sources":["../../../src/graphql/document-model-subgraph.ts"],"names":[],"mappings":"AACA,OAAO,EAAW,KAAK,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AACpE,OAAO,EAAW,KAAK,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAKnE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,wBAAgB,oCAAoC,CAClD,aAAa,EAAE,mBAAmB,EAClC,OAAO,EAAE,oBAAoB;;;gCAiBK;gBAAE,KAAK,EAAE,MAAM,CAAC;gBAAC,OAAO,EAAE,MAAM,CAAA;aAAE;;;;;;;;;;;;;;iCA4BjC;gBAAE,OAAO,EAAE,MAAM,CAAA;aAAE;;;;;;;;;;;;;;;;;;;EA+EvD;AAED,qBAAa,2BAA4B,SAAQ,YAAY;IAC3D,OAAO,CAAC,aAAa,CAAsB;gBAE/B,aAAa,EAAE,mBAAmB,EAAE,IAAI,EAAE,YAAY;CAYnE"}
+{"version":3,"file":"document-model-subgraph.d.ts","sourceRoot":"","sources":["../../../src/graphql/document-model-subgraph.ts"],"names":[],"mappings":"AAEA,OAAO,EAAW,KAAK,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAMnE,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AASlD,OAAO,KAAK,EAAW,YAAY,EAAE,MAAM,YAAY,CAAC;AAGxD;;;GAGG;AACH,qBAAa,qBAAsB,SAAQ,YAAY;IACrD,OAAO,CAAC,aAAa,CAAsB;gBAE/B,aAAa,EAAE,mBAAmB,EAAE,IAAI,EAAE,YAAY;IAWlE;;;;OAIG;IACH,OAAO,CAAC,sBAAsB;IAuE9B;;;OAGG;IACH,OAAO,CAAC,iBAAiB;CA0V1B;AAED;;;;GAIG;AACH,qBAAa,2BAA4B,SAAQ,YAAY;IAC3D,OAAO,CAAC,aAAa,CAAsB;gBAE/B,aAAa,EAAE,mBAAmB,EAAE,IAAI,EAAE,YAAY;IAUlE;;OAEG;IACH,OAAO,CAAC,iBAAiB;CA2L1B"}

package/dist/src/graphql/document-model-subgraph.js

@@ -1,104 +1,446 @@
 import { camelCase, kebabCase } from "change-case";
 import { addFile } from "document-drive";
 import { setName } from "document-model";
-import { generateDocumentModelSchemaLegacy, getDocumentModelSchemaName, } from "../utils/create-schema.js";
+import { GraphQLError, Kind, parse } from "graphql";
+import { generateDocumentModelSchema, getDocumentModelSchemaName, } from "../utils/create-schema.js";
 import { BaseSubgraph } from "./base-subgraph.js";
+import { toGqlPhDocument } from "./reactor/adapters.js";
+import { createEmptyDocument as createEmptyDocumentResolver, documentChildren as documentChildrenResolver, documentParents as documentParentsResolver, document as documentResolver, findDocuments as findDocumentsResolver, } from "./reactor/resolvers.js";
 import { buildGraphQlDocument } from "./utils.js";
-export function generateDocumentModelResolversLegacy(documentModel, reactor) {
-    const documentType = documentModel.documentModel.global.id;
-    const documentName = getDocumentModelSchemaName(documentModel.documentModel.global);
-    const operations = documentModel.documentModel.global.specifications
-        .at(-1)
-        ?.modules.flatMap((module) => module.operations.filter((op) => op.name)) ?? [];
-    return {
-        Query: {
-            [documentName]: () => {
-                return {
-                    getDocument: async (args) => {
-                        const { docId, driveId } = args;
-                        if (!docId) {
-                            throw new Error("Document id is required");
-                        }
-                        if (driveId) {
-                            const docIds = await reactor.getDocuments(driveId);
-                            if (!docIds.includes(docId)) {
-                                throw new Error(`Document with id ${docId} is not part of ${driveId}`);
-                            }
+/**
+ * New document model subgraph that uses reactorClient instead of legacy reactor.
+ * This class auto-generates GraphQL queries and mutations for a document model.
+ */
+export class DocumentModelSubgraph extends BaseSubgraph {
+    documentModel;
+    constructor(documentModel, args) {
+        super(args);
+        this.documentModel = documentModel;
+        this.name = kebabCase(documentModel.documentModel.global.name);
+        this.typeDefs = generateDocumentModelSchema(this.documentModel.documentModel.global, { useNewApi: true });
+        this.resolvers = this.generateResolvers();
+    }
+    /**
+     * Generate __resolveType functions for union types found in the document model schema.
+     * Parses the state schema to find union definitions and their member types,
+     * then uses unique field presence to discriminate between member types at runtime.
+     */
+    generateUnionResolvers() {
+        const documentName = getDocumentModelSchemaName(this.documentModel.documentModel.global);
+        const specification = this.documentModel.documentModel.global.specifications.at(-1);
+        if (!specification)
+            return {};
+        const globalSchema = specification.state.global.schema ?? "";
+        const localSchema = specification.state.local.schema ?? "";
+        const fullSchema = `${globalSchema}\n${localSchema}`;
+        if (!fullSchema.trim())
+            return {};
+        let ast;
+        try {
+            ast = parse(fullSchema);
+        }
+        catch {
+            return {};
+        }
+        // Build map: object type name -> field names
+        const objectFieldsMap = new Map();
+        for (const def of ast.definitions) {
+            if (def.kind === Kind.OBJECT_TYPE_DEFINITION) {
+                objectFieldsMap.set(def.name.value, def.fields?.map((f) => f.name.value) ?? []);
+            }
+        }
+        const resolvers = {};
+        for (const def of ast.definitions) {
+            if (def.kind !== Kind.UNION_TYPE_DEFINITION)
+                continue;
+            const unionName = def.name.value;
+            const memberTypes = def.types?.map((t) => t.name.value) ?? [];
+            if (memberTypes.length === 0)
+                continue;
+            // Compute unique fields per member type
+            const uniqueFields = {};
+            for (const memberType of memberTypes) {
+                const ownFields = objectFieldsMap.get(memberType) ?? [];
+                const otherFields = new Set(memberTypes
+                    .filter((t) => t !== memberType)
+                    .flatMap((t) => objectFieldsMap.get(t) ?? []));
+                uniqueFields[memberType] = ownFields.filter((f) => !otherFields.has(f));
+            }
+            const prefixedUnionName = `${documentName}_${unionName}`;
+            resolvers[prefixedUnionName] = {
+                __resolveType: (obj) => {
+                    for (const memberType of memberTypes) {
+                        const fields = uniqueFields[memberType] ?? [];
+                        if (fields.length > 0 && fields.some((f) => f in obj)) {
+                            return `${documentName}_${memberType}`;
                         }
-                        const doc = await reactor.getDocument(docId);
-                        if (doc.header.documentType !== documentType) {
-                            throw new Error(`Document with id ${docId} is not of type ${documentType}`);
+                    }
+                    return `${documentName}_${memberTypes[0]}`;
+                },
+            };
+        }
+        return resolvers;
+    }
+    /**
+     * Generate resolvers for this document model using reactorClient
+     * Uses flat queries (not nested) consistent with ReactorSubgraph patterns
+     */
+    generateResolvers() {
+        const documentType = this.documentModel.documentModel.global.id;
+        const documentName = getDocumentModelSchemaName(this.documentModel.documentModel.global);
+        const operations = this.documentModel.documentModel.global.specifications
+            .at(-1)
+            ?.modules.flatMap((module) => module.operations.filter((op) => op.name)) ?? [];
+        return {
+            ...this.generateUnionResolvers(),
+            Query: {
+                // Flat query: Get a specific document by identifier
+                // Uses shared documentResolver from reactor/resolvers.ts
+                [`${documentName}_document`]: async (_, args, ctx) => {
+                    const { identifier, view } = args;
+                    if (!identifier) {
+                        throw new GraphQLError("Document identifier is required");
+                    }
+                    // Use shared resolver function
+                    const result = await documentResolver(this.reactorClient, {
+                        identifier,
+                        view,
+                    });
+                    // Validate document type
+                    if (result.document.documentType !== documentType) {
+                        throw new GraphQLError(`Document with id ${identifier} is not of type ${documentType}`);
+                    }
+                    // Check permissions
+                    await this.assertCanRead(result.document.id, ctx);
+                    // Return shared resolver result directly (matches PHDocument format)
+                    return result;
+                },
+                // Flat query: Find documents by search criteria (type is built-in)
+                // Uses shared findDocumentsResolver from reactor/resolvers.ts
+                [`${documentName}_findDocuments`]: async (_, args, ctx) => {
+                    const { search, view, paging } = args;
+                    // Use shared resolver function with built-in type filter
+                    const result = await findDocumentsResolver(this.reactorClient, {
+                        search: {
+                            type: documentType, // Type is built-in for this document model subgraph
+                            parentId: search.parentId,
+                        },
+                        view,
+                        paging,
+                    });
+                    // Filter by permission if needed
+                    if (!this.hasGlobalAdminAccess(ctx) &&
+                        this.documentPermissionService) {
+                        const filteredItems = [];
+                        for (const item of result.items) {
+                            const canRead = await this.canReadDocument(item.id, ctx);
+                            if (canRead) {
+                                filteredItems.push(item);
+                            }
                         }
                         return {
-                            driveId: driveId,
-                            ...buildGraphQlDocument(doc),
+                            ...result,
+                            items: filteredItems,
+                            totalCount: filteredItems.length,
                         };
-                    },
-                    getDocuments: async (args) => {
-                        const { driveId } = args;
-                        const docsIds = await reactor.getDocuments(driveId);
-                        const docs = await Promise.all(docsIds.map(async (docId) => {
-                            const doc = await reactor.getDocument(docId);
-                            return {
-                                driveId: driveId,
-                                ...buildGraphQlDocument(doc),
-                            };
-                        }));
-                        return docs.filter((doc) => doc.documentType === documentType);
-                    },
-                };
+                    }
+                    // Return shared resolver result directly (matches PHDocument format)
+                    return result;
+                },
+                // Flat query: Get children of a document (filtered by this document type)
+                // Uses shared documentChildrenResolver from reactor/resolvers.ts
+                [`${documentName}_documentChildren`]: async (_, args, ctx) => {
+                    const { parentIdentifier, view, paging } = args;
+                    await this.assertCanRead(parentIdentifier, ctx);
+                    // Use shared resolver function
+                    const result = await documentChildrenResolver(this.reactorClient, {
+                        parentIdentifier,
+                        view,
+                        paging,
+                    });
+                    // Filter children by this document type
+                    const filteredItems = result.items.filter((item) => item.documentType === documentType);
+                    return {
+                        ...result,
+                        items: filteredItems,
+                        totalCount: filteredItems.length,
+                    };
+                },
+                // Flat query: Get parents of a document
+                // Uses shared documentParentsResolver from reactor/resolvers.ts
+                [`${documentName}_documentParents`]: async (_, args, ctx) => {
+                    const { childIdentifier, view, paging } = args;
+                    await this.assertCanRead(childIdentifier, ctx);
+                    // Use shared resolver function - return directly
+                    return documentParentsResolver(this.reactorClient, {
+                        childIdentifier,
+                        view,
+                        paging,
+                    });
+                },
             },
-        },
-        Mutation: {
-            [`${documentName}_createDocument`]: async (_, args) => {
-                const { driveId, name } = args;
-                const document = await reactor.addDocument(documentType);
-                if (driveId) {
-                    await reactor.addAction(driveId, addFile({
-                        name,
-                        id: document.header.id,
-                        documentType: documentType,
-                    }));
-                }
-                if (name) {
-                    await reactor.addAction(document.header.id, setName(name));
-                }
-                return document.header.id;
+            Mutation: {
+                // Uses shared createEmptyDocumentResolver from reactor/resolvers.ts
+                [`${documentName}_createDocument`]: async (_, args, ctx) => {
+                    const { parentIdentifier, name } = args;
+                    if (parentIdentifier) {
+                        await this.assertCanWrite(parentIdentifier, ctx);
+                    }
+                    else if (this.authorizationService) {
+                        if (!ctx.user?.address) {
+                            throw new GraphQLError("Forbidden: authentication required to create documents");
+                        }
+                    }
+                    else if (!this.hasGlobalAdminAccess(ctx)) {
+                        throw new GraphQLError("Forbidden: insufficient permissions to create documents");
+                    }
+                    // Use shared resolver function - returns PHDocument format
+                    const createdDoc = await createEmptyDocumentResolver(this.reactorClient, {
+                        documentType,
+                        parentIdentifier,
+                    });
+                    // Auto-ownership: set creator as document owner
+                    if (this.authorizationService &&
+                        ctx.user?.address &&
+                        createdDoc?.id) {
+                        await this.documentPermissionService?.initializeDocumentProtection(createdDoc.id, ctx.user.address, this.authorizationService.config.defaultProtection);
+                    }
+                    if (name) {
+                        const updatedDoc = await this.reactorClient.execute(createdDoc.id, "main", [setName(name)]);
+                        // Use toGqlPhDocument for PHDocument format with revisionsList
+                        return toGqlPhDocument(updatedDoc);
+                    }
+                    // Return directly - already in PHDocument format
+                    return createdDoc;
+                },
+                // Uses shared createEmptyDocumentResolver from reactor/resolvers.ts
+                [`${documentName}_createEmptyDocument`]: async (_, args, ctx) => {
+                    const { parentIdentifier } = args;
+                    if (parentIdentifier) {
+                        await this.assertCanWrite(parentIdentifier, ctx);
+                    }
+                    else if (this.authorizationService) {
+                        if (!ctx.user?.address) {
+                            throw new GraphQLError("Forbidden: authentication required to create documents");
+                        }
+                    }
+                    else if (!this.hasGlobalAdminAccess(ctx)) {
+                        throw new GraphQLError("Forbidden: insufficient permissions to create documents");
+                    }
+                    // Use shared resolver function - returns PHDocument format directly
+                    const result = await createEmptyDocumentResolver(this.reactorClient, {
+                        documentType,
+                        parentIdentifier,
+                    });
+                    // Auto-ownership: set creator as document owner
+                    if (this.authorizationService && ctx.user?.address && result?.id) {
+                        await this.documentPermissionService?.initializeDocumentProtection(result.id, ctx.user.address, this.authorizationService.config.defaultProtection);
+                    }
+                    return result;
+                },
+                // Generate sync and async mutations for each operation
+                ...operations.reduce((mutations, op) => {
+                    // Sync mutation
+                    mutations[`${documentName}_${camelCase(op.name)}`] = async (_, args, ctx) => {
+                        const { docId, input } = args;
+                        // assertCanExecuteOperation uses canMutate (write + operation) when
+                        // authorizationService is available. Legacy fallback needs separate write check.
+                        if (!this.authorizationService) {
+                            await this.assertCanWrite(docId, ctx);
+                        }
+                        await this.assertCanExecuteOperation(docId, op.name, ctx);
+                        const doc = await this.reactorClient.get(docId);
+                        if (doc.header.documentType !== documentType) {
+                            throw new GraphQLError(`Document with id ${docId} is not of type ${documentType}`);
+                        }
+                        const action = this.documentModel.actions[camelCase(op.name)];
+                        if (!action) {
+                            throw new GraphQLError(`Action ${op.name} not found`);
+                        }
+                        try {
+                            const updatedDoc = await this.reactorClient.execute(docId, "main", [action(input)]);
+                            // Use toGqlPhDocument for PHDocument format with revisionsList
+                            return toGqlPhDocument(updatedDoc);
+                        }
+                        catch (error) {
+                            throw new GraphQLError(error instanceof Error
+                                ? error.message
+                                : `Failed to ${op.name}`);
+                        }
+                    };
+                    // Async mutation - returns job ID
+                    mutations[`${documentName}_${camelCase(op.name)}Async`] = async (_, args, ctx) => {
+                        const { docId, input } = args;
+                        if (!this.authorizationService) {
+                            await this.assertCanWrite(docId, ctx);
+                        }
+                        await this.assertCanExecuteOperation(docId, op.name, ctx);
+                        const doc = await this.reactorClient.get(docId);
+                        if (doc.header.documentType !== documentType) {
+                            throw new GraphQLError(`Document with id ${docId} is not of type ${documentType}`);
+                        }
+                        const action = this.documentModel.actions[camelCase(op.name)];
+                        if (!action) {
+                            throw new GraphQLError(`Action ${op.name} not found`);
+                        }
+                        try {
+                            const jobInfo = await this.reactorClient.executeAsync(docId, "main", [action(input)]);
+                            return jobInfo.id;
+                        }
+                        catch (error) {
+                            throw new GraphQLError(error instanceof Error
+                                ? error.message
+                                : `Failed to ${op.name}`);
+                        }
+                    };
+                    return mutations;
+                }, {}),
             },
-            ...operations.reduce((mutations, op) => {
-                mutations[`${documentName}_${camelCase(op.name)}`] = async (_, args) => {
-                    const { docId, input } = args;
-                    const doc = await reactor.getDocument(docId);
-                    if (!doc) {
-                        throw new Error("Document not found");
-                    }
-                    const action = documentModel.actions[camelCase(op.name)];
-                    if (!action) {
-                        throw new Error(`Action ${op.name} not found`);
-                    }
-                    const result = await reactor.addAction(docId, action(input));
-                    if (result.status !== "SUCCESS") {
-                        throw new Error(result.error?.message ?? `Failed to ${op.name}`);
-                    }
-                    const errorOp = result.operations.find((op) => op.error);
-                    if (errorOp) {
-                        throw new Error(errorOp.error);
-                    }
-                    return result.operations.at(-1)?.index ?? -1;
-                };
-                return mutations;
-            }, {}),
-        },
-    };
+        };
+    }
 }
+/**
+ * @deprecated Use `DocumentModelSubgraph` instead. This class uses the legacy `reactor` (IDocumentDriveServer)
+ * interface. The new `DocumentModelSubgraph` class uses `reactorClient` (IReactorClient) which provides
+ * better patterns and more capabilities. Enable via `useNewDocumentModelSubgraph: true` in GraphQLManager.
+ */
 export class DocumentModelSubgraphLegacy extends BaseSubgraph {
     documentModel;
     constructor(documentModel, args) {
         super(args);
         this.documentModel = documentModel;
         this.name = kebabCase(documentModel.documentModel.global.name);
-        this.typeDefs = generateDocumentModelSchemaLegacy(this.documentModel.documentModel.global);
-        this.resolvers = generateDocumentModelResolversLegacy(this.documentModel, args.reactor);
+        this.typeDefs = generateDocumentModelSchema(this.documentModel.documentModel.global);
+        this.resolvers = this.generateResolvers();
+    }
+    /**
+     * Generate resolvers for this document model with permission checks
+     */
+    generateResolvers() {
+        const documentType = this.documentModel.documentModel.global.id;
+        const documentName = getDocumentModelSchemaName(this.documentModel.documentModel.global);
+        const operations = this.documentModel.documentModel.global.specifications
+            .at(-1)
+            ?.modules.flatMap((module) => module.operations.filter((op) => op.name)) ?? [];
+        return {
+            Query: {
+                [documentName]: (_, __, ctx) => {
+                    return {
+                        getDocument: async (args) => {
+                            const { docId, driveId } = args;
+                            if (!docId) {
+                                throw new Error("Document id is required");
+                            }
+                            // Check read permission before accessing document
+                            await this.assertCanRead(docId, ctx);
+                            if (driveId) {
+                                const docIds = await this.reactor.getDocuments(driveId);
+                                if (!docIds.includes(docId)) {
+                                    throw new Error(`Document with id ${docId} is not part of ${driveId}`);
+                                }
+                            }
+                            const doc = await this.reactor.getDocument(docId);
+                            if (doc.header.documentType !== documentType) {
+                                throw new Error(`Document with id ${docId} is not of type ${documentType}`);
+                            }
+                            return {
+                                driveId: driveId,
+                                ...buildGraphQlDocument(doc),
+                            };
+                        },
+                        getDocuments: async (args) => {
+                            const { driveId } = args;
+                            // Check read permission on drive before listing documents
+                            await this.assertCanRead(driveId, ctx);
+                            const docsIds = await this.reactor.getDocuments(driveId);
+                            const docs = await Promise.all(docsIds.map(async (docId) => {
+                                const doc = await this.reactor.getDocument(docId);
+                                return {
+                                    driveId: driveId,
+                                    ...buildGraphQlDocument(doc),
+                                };
+                            }));
+                            const filteredByType = docs.filter((doc) => doc.documentType === documentType);
+                            // If user doesn't have global read access, filter by document-level permissions
+                            if (!this.hasGlobalAdminAccess(ctx) &&
+                                this.documentPermissionService) {
+                                const filteredDocs = [];
+                                for (const doc of filteredByType) {
+                                    const canRead = await this.canReadDocument(doc.id, ctx);
+                                    if (canRead) {
+                                        filteredDocs.push(doc);
+                                    }
+                                }
+                                return filteredDocs;
+                            }
+                            return filteredByType;
+                        },
+                    };
+                },
+            },
+            Mutation: {
+                [`${documentName}_createDocument`]: async (_, args, ctx) => {
+                    const { driveId, name } = args;
+                    // If creating under a drive, check write permission on drive
+                    if (driveId) {
+                        await this.assertCanWrite(driveId, ctx);
+                    }
+                    else if (this.authorizationService) {
+                        if (!ctx.user?.address) {
+                            throw new GraphQLError("Forbidden: authentication required to create documents");
+                        }
+                    }
+                    else if (!this.hasGlobalAdminAccess(ctx)) {
+                        throw new GraphQLError("Forbidden: insufficient permissions to create documents");
+                    }
+                    const document = await this.reactor.addDocument(documentType);
+                    if (driveId) {
+                        await this.reactor.addAction(driveId, addFile({
+                            name,
+                            id: document.header.id,
+                            documentType: documentType,
+                        }));
+                    }
+                    if (name) {
+                        await this.reactor.addAction(document.header.id, setName(name));
+                    }
+                    // Auto-ownership: set creator as document owner
+                    if (this.authorizationService && ctx.user?.address) {
+                        await this.documentPermissionService?.initializeDocumentProtection(document.header.id, ctx.user.address, this.authorizationService.config.defaultProtection);
+                    }
+                    return document.header.id;
+                },
+                ...operations.reduce((mutations, op) => {
+                    mutations[`${documentName}_${camelCase(op.name)}`] = async (_, args, ctx) => {
+                        const { docId, input } = args;
+                        // assertCanExecuteOperation uses canMutate (write + operation) when
+                        // authorizationService is available. Legacy fallback needs separate write check.
+                        if (!this.authorizationService) {
+                            await this.assertCanWrite(docId, ctx);
+                        }
+                        await this.assertCanExecuteOperation(docId, op.name, ctx);
+                        const doc = await this.reactor.getDocument(docId);
+                        if (!doc) {
+                            throw new Error("Document not found");
+                        }
+                        const action = this.documentModel.actions[camelCase(op.name)];
+                        if (!action) {
+                            throw new Error(`Action ${op.name} not found`);
+                        }
+                        const result = await this.reactor.addAction(docId, action(input));
+                        if (result.status !== "SUCCESS") {
+                            throw new Error(result.error?.message ?? `Failed to ${op.name}`);
+                        }
+                        const errorOp = result.operations.find((op) => op.error);
+                        if (errorOp) {
+                            throw new Error(errorOp.error);
+                        }
+                        return result.operations.at(-1)?.index ?? -1;
+                    };
+                    return mutations;
+                }, {}),
+            },
+        };
     }
 }
 //# sourceMappingURL=document-model-subgraph.js.map