@revealui/core 0.2.0 → 0.3.0

package/dist/collections/operations/find.js

@@ -6,29 +6,138 @@
 import { afterRead } from '../../fields/hooks/afterRead/index.js';
 import { buildWhereClause } from '../../queries/queryBuilder.js';
 import { deserializeJsonFields } from '../../utils/json-parsing.js';
+import { countDocumentsQuery, escapeIdentifier, listDocumentsQuery } from './sqlAdapter.js';
+/**
+ * Evaluate a collection's access.read function.
+ * Returns true (allow all), false (deny all), or a WhereClause to merge into the query.
+ */
+async function evaluateReadAccess(config, options) {
+    // If overrideAccess is explicitly set, skip access checks (caller already validated permission)
+    if (options.overrideAccess)
+        return true;
+    const accessConfig = config
+        .access;
+    const readAccess = accessConfig?.read;
+    // No access rule defined = allow all (backward compatible)
+    if (!readAccess)
+        return true;
+    const req = options.req;
+    if (!req)
+        return false; // No request context = deny (safe default)
+    const result = await readAccess({ req });
+    if (typeof result === 'boolean')
+        return result;
+    // WhereClause returned = row-level filtering (e.g. { author: { equals: user.id } })
+    return result;
+}
 export async function find(config, db, options) {
     const { where, limit = 10, page = 1, sort, depth = 0, req, populate: populateOption } = options;
     // Validate depth
     if (depth < 0 || depth > 3) {
         throw new Error(`Depth must be between 0 and 3, got ${depth}`);
     }
+    // --- Access control enforcement ---
+    const accessResult = await evaluateReadAccess(config, options);
+    if (accessResult === false) {
+        // Deny: return empty result set (same shape as a normal response)
+        return {
+            docs: [],
+            totalDocs: 0,
+            limit,
+            totalPages: 0,
+            page,
+            pagingCounter: 0,
+            hasPrevPage: false,
+            hasNextPage: false,
+            prevPage: null,
+            nextPage: null,
+        };
+    }
+    // Merge access-control WhereClause with user-provided where filter
+    const mergedWhere = accessResult === true ? where : where ? { and: [where, accessResult] } : accessResult;
+    // Replace where in options for downstream use.
+    // When access returned a WhereClause (not just boolean true), set overrideAccess: true
+    // to prevent infinite recursion if collectionStorage.find re-invokes this function.
+    const accessOptions = accessResult === true
+        ? { ...options, where: mergedWhere }
+        : { ...options, where: mergedWhere, overrideAccess: true };
+    if (db?.collectionStorage?.find) {
+        const result = await db.collectionStorage.find(config, accessOptions);
+        if (result !== undefined) {
+            if (req && depth > 0) {
+                const sanitizedConfig = {
+                    ...config,
+                    fields: config.fields,
+                    flattenedFields: config.fields,
+                    endpoints: config.endpoints === false ? undefined : config.endpoints,
+                };
+                const docs = await Promise.all(result.docs.map(async (doc) => {
+                    return await afterRead({
+                        collection: sanitizedConfig,
+                        context: req.context || {},
+                        currentDepth: 1,
+                        depth,
+                        doc,
+                        draft: false,
+                        fallbackLocale: req.fallbackLocale || 'en',
+                        findMany: true,
+                        flattenLocales: true,
+                        global: null,
+                        locale: req.locale || 'en',
+                        overrideAccess: false,
+                        populate: populateOption,
+                        req,
+                        select: undefined,
+                        showHiddenFields: false,
+                    });
+                }));
+                return {
+                    ...result,
+                    docs,
+                };
+            }
+            return result;
+        }
+    }
     // Build query based on database adapter
     if (db?.query) {
+        // Dynamic collection storage is quarantined in sqlAdapter.ts until this
+        // layer is redesigned around typed tables that Drizzle can model directly.
         const offset = (page - 1) * limit;
         const tableName = config.slug;
-        // Build WHERE clause using query builder
+        // Build WHERE clause using query builder (uses access-merged where)
         const params = [];
-        const whereClause = buildWhereClause(where, params, {
+        const whereClause = buildWhereClause(mergedWhere, params, {
             parameterStyle: 'postgres',
             includeWhereKeyword: false,
             quoteFields: true,
         });
-        // Build ORDER BY clause
+        // Build ORDER BY clause with field name validation
         let orderByClause = '';
         if (sort) {
+            // Build allowlist from collection fields + common system columns
+            const allowedFields = new Set([
+                'id',
+                'createdAt',
+                'updatedAt',
+                'created_at',
+                'updated_at',
+                '_json',
+            ]);
+            if (config.fields) {
+                for (const field of config.fields) {
+                    if (field.name)
+                        allowedFields.add(field.name);
+                }
+            }
             const sortConditions = [];
             Object.entries(sort).forEach(([key, direction]) => {
-                sortConditions.push(`"${key}" ${direction === '-1' ? 'DESC' : 'ASC'}`);
+                if (!allowedFields.has(key)) {
+                    throw new Error(`Invalid sort field: "${key}". Must be a defined field on the "${tableName}" collection.`);
+                }
+                // Escape embedded double quotes in identifier to prevent SQL injection
+                const escaped = escapeIdentifier(key);
+                sortConditions.push(`"${escaped}" ${direction === '-1' ? 'DESC' : 'ASC'}`);
             });
             orderByClause = sortConditions.length > 0 ? `ORDER BY ${sortConditions.join(', ')}` : '';
         }
@@ -38,9 +147,7 @@ export async function find(config, db, options) {
         if (whereClause?.trim().toUpperCase().startsWith('WHERE')) {
             throw new Error(`WHERE clause unexpectedly starts with "WHERE" keyword. This indicates a bug in buildWhereClause. Clause: ${whereClause}`);
         }
-        const countQuery = whereClause
-            ? `SELECT COUNT(*) as total FROM "${tableName}" WHERE ${whereClause}`
-            : `SELECT COUNT(*) as total FROM "${tableName}"`;
+        const countQuery = countDocumentsQuery(tableName, whereClause);
         const countResult = await db.query(countQuery, params);
         const totalDocs = Number(countResult.rows[0]?.total) || 0;
         // Execute data query (PostgreSQL uses $1, $2 for parameters)
@@ -59,7 +166,7 @@ export async function find(config, db, options) {
         }
         const limitParam = params.length + 1;
         const offsetParam = params.length + 2;
-        const dataQuery = `SELECT * FROM "${tableName}" ${whereClause ? `WHERE ${whereClause}` : ''} ${orderByClause} LIMIT $${limitParam} OFFSET $${offsetParam}`;
+        const dataQuery = listDocumentsQuery(tableName, whereClause, orderByClause, limitParam, offsetParam);
         const docsResult = await db.query(dataQuery, [...params, limit, offset]);
         let docs = docsResult.rows.map((row) => {
             return deserializeJsonFields(row, tableName);

package/dist/collections/operations/findById.d.ts

@@ -3,13 +3,12 @@
  *
  * Finds a single document by ID with optional relationship population.
  */
-import type { DatabaseResult, PopulateType, RevealCollectionConfig, RevealDocument, RevealRequest } from '../../types/index.js';
-export declare function findByID(config: RevealCollectionConfig, db: {
-    query: (query: string, values?: unknown[]) => Promise<DatabaseResult>;
-} | null, options: {
+import type { PopulateType, QueryableDatabaseAdapter, RevealCollectionConfig, RevealDocument, RevealRequest } from '../../types/index.js';
+export declare function findByID(config: RevealCollectionConfig, db: QueryableDatabaseAdapter | null, options: {
     id: string | number;
     depth?: number;
     req?: RevealRequest;
     populate?: PopulateType;
+    overrideAccess?: boolean;
 }): Promise<RevealDocument | null>;
 //# sourceMappingURL=findById.d.ts.map

package/dist/collections/operations/findById.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"findById.d.ts","sourceRoot":"","sources":["../../../src/collections/operations/findById.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EACV,cAAc,EACd,YAAY,EACZ,sBAAsB,EACtB,cAAc,EACd,aAAa,EAEd,MAAM,sBAAsB,CAAA;AAG7B,wBAAsB,QAAQ,CAC5B,MAAM,EAAE,sBAAsB,EAC9B,EAAE,EAAE;IACF,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,cAAc,CAAC,CAAA;CACtE,GAAG,IAAI,EACR,OAAO,EAAE;IACP,EAAE,EAAE,MAAM,GAAG,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,GAAG,CAAC,EAAE,aAAa,CAAA;IACnB,QAAQ,CAAC,EAAE,YAAY,CAAA;CACxB,GACA,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CA2DhC"}
+{"version":3,"file":"findById.d.ts","sourceRoot":"","sources":["../../../src/collections/operations/findById.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EACV,YAAY,EACZ,wBAAwB,EACxB,sBAAsB,EACtB,cAAc,EACd,aAAa,EAEd,MAAM,sBAAsB,CAAC;AAI9B,wBAAsB,QAAQ,CAC5B,MAAM,EAAE,sBAAsB,EAC9B,EAAE,EAAE,wBAAwB,GAAG,IAAI,EACnC,OAAO,EAAE;IACP,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,aAAa,CAAC;IACpB,QAAQ,CAAC,EAAE,YAAY,CAAC;IACxB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B,GACA,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAwHhC"}

package/dist/collections/operations/findById.js

@@ -5,17 +5,69 @@
  */
 import { afterRead } from '../../fields/hooks/afterRead/index.js';
 import { deserializeJsonFields } from '../../utils/json-parsing.js';
+import { selectByIdQuery } from './sqlAdapter.js';
 export async function findByID(config, db, options) {
     const { id, depth = 0, req, populate: populateOption } = options;
     // Validate depth
     if (depth < 0 || depth > 3) {
         throw new Error(`Depth must be between 0 and 3, got ${depth}`);
     }
+    // --- Access control enforcement ---
+    if (!options.overrideAccess) {
+        const accessConfig = config.access;
+        const readAccess = accessConfig?.read;
+        if (readAccess) {
+            if (!req)
+                return null; // No request context = deny
+            const result = await readAccess({ req, id });
+            if (result === false)
+                return null;
+            // If result is a WhereClause (row-level filter), we fetch the doc first then verify.
+            // For findByID, we check after fetch whether the doc matches the access filter.
+            // Boolean true = allow, WhereClause = post-fetch filter (handled below after query).
+        }
+    }
+    if (db?.collectionStorage?.findByID) {
+        const doc = await db.collectionStorage.findByID(config, { id });
+        if (doc !== undefined) {
+            if (!doc)
+                return null;
+            if (req && depth > 0) {
+                const sanitizedConfig = {
+                    ...config,
+                    fields: config.fields,
+                    flattenedFields: config.fields,
+                    endpoints: config.endpoints === false ? undefined : config.endpoints,
+                };
+                return await afterRead({
+                    collection: sanitizedConfig,
+                    context: req.context || {},
+                    currentDepth: 1,
+                    depth,
+                    doc,
+                    draft: false,
+                    fallbackLocale: req.fallbackLocale || 'en',
+                    findMany: false,
+                    flattenLocales: true,
+                    global: null,
+                    locale: req.locale || 'en',
+                    overrideAccess: false,
+                    populate: populateOption,
+                    req,
+                    select: undefined,
+                    showHiddenFields: false,
+                });
+            }
+            return doc;
+        }
+    }
     if (db?.query) {
+        // Dynamic collection storage is quarantined in sqlAdapter.ts until this
+        // layer is redesigned around typed tables that Drizzle can model directly.
         const tableName = config.slug;
         // Ensure id is a string for consistent comparison
         const idString = String(id);
-        const query = `SELECT * FROM "${tableName}" WHERE id = $1 LIMIT 1`;
+        const query = selectByIdQuery(tableName);
         const result = await db.query(query, [idString]);
         const rawDoc = result.rows[0];
         if (!rawDoc) {

package/dist/collections/operations/sqlAdapter.d.ts

@@ -0,0 +1,23 @@
+import type { DatabaseResult } from '../../types/index.js';
+export type QueryableCollectionDb = {
+    query: (query: string, values?: unknown[]) => Promise<DatabaseResult>;
+};
+export declare function validateSlug(slug: string): void;
+export declare function validateColumnName(column: string): void;
+export declare function escapeIdentifier(identifier: string): string;
+export declare function collectionTable(configSlug: string): string;
+export declare function selectByIdQuery(configSlug: string): string;
+export declare function deleteByIdQuery(configSlug: string): string;
+export declare function countDocumentsQuery(configSlug: string, whereClause?: string): string;
+export declare function listDocumentsQuery(configSlug: string, whereClause: string, orderByClause: string, limitParam: number, offsetParam: number): string;
+export declare function insertDocumentQuery(configSlug: string, columns: string[]): string;
+export declare function selectJsonByIdQuery(configSlug: string): string;
+export declare function checkExistsByIdQuery(configSlug: string): string;
+export declare function updateByIdQuery(configSlug: string, keys: string[]): string;
+/**
+ * Version-aware UPDATE: includes `version = version + 1` in SET
+ * and `AND version = $N` in WHERE for optimistic locking.
+ * Returns the number of affected rows (0 = conflict).
+ */
+export declare function updateByIdWithVersionQuery(configSlug: string, keys: string[]): string;
+//# sourceMappingURL=sqlAdapter.d.ts.map

package/dist/collections/operations/sqlAdapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqlAdapter.d.ts","sourceRoot":"","sources":["../../../src/collections/operations/sqlAdapter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,MAAM,MAAM,qBAAqB,GAAG;IAClC,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;CACvE,CAAC;AAgBF,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAM/C;AAKD,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAMvD;AAED,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAG1D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE1D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE1D;AAED,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAIpF;AAED,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,GAClB,MAAM,CAER;AAED,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,CAKjF;AAED,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAI1E;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAKrF"}

package/dist/collections/operations/sqlAdapter.js

@@ -0,0 +1,76 @@
+/**
+ * Dynamic collections resolve table and column names at runtime from config.
+ * Drizzle is the default elsewhere in the codebase. This adapter exists only
+ * because these collection operations target runtime-selected tables/columns
+ * that do not map cleanly to Drizzle's compile-time table model yet.
+ *
+ * Treat this as a temporary quarantine boundary for dynamic SQL. Do not add
+ * inline SQL back into the collection operations; extend this adapter or
+ * redesign the collection storage layer toward typed tables instead.
+ */
+/** Only lowercase alphanumeric, hyphens, and underscores (1-63 chars, PostgreSQL identifier limit). */
+const VALID_SLUG = /^[a-z][a-z0-9_-]{0,62}$/;
+export function validateSlug(slug) {
+    if (!VALID_SLUG.test(slug)) {
+        throw new Error(`Invalid collection slug: "${slug}". Slugs must start with a lowercase letter and contain only lowercase alphanumeric characters, hyphens, and underscores (max 63 chars).`);
+    }
+}
+/** Only lowercase alphanumeric and underscores (PostgreSQL column name safe). */
+const VALID_COLUMN = /^[a-z_][a-z0-9_]{0,62}$/;
+export function validateColumnName(column) {
+    if (!VALID_COLUMN.test(column)) {
+        throw new Error(`Invalid column name: "${column}". Column names must start with a lowercase letter or underscore and contain only lowercase alphanumeric characters and underscores.`);
+    }
+}
+export function escapeIdentifier(identifier) {
+    return identifier.replace(/"/g, '""');
+}
+export function collectionTable(configSlug) {
+    validateSlug(configSlug);
+    return `"${escapeIdentifier(configSlug)}"`;
+}
+export function selectByIdQuery(configSlug) {
+    return `SELECT * FROM ${collectionTable(configSlug)} WHERE id = $1 LIMIT 1`;
+}
+export function deleteByIdQuery(configSlug) {
+    return `DELETE FROM ${collectionTable(configSlug)} WHERE id = $1`;
+}
+export function countDocumentsQuery(configSlug, whereClause) {
+    return whereClause
+        ? `SELECT COUNT(*) as total FROM ${collectionTable(configSlug)} WHERE ${whereClause}`
+        : `SELECT COUNT(*) as total FROM ${collectionTable(configSlug)}`;
+}
+export function listDocumentsQuery(configSlug, whereClause, orderByClause, limitParam, offsetParam) {
+    return `SELECT * FROM ${collectionTable(configSlug)} ${whereClause ? `WHERE ${whereClause}` : ''} ${orderByClause} LIMIT $${limitParam} OFFSET $${offsetParam}`;
+}
+export function insertDocumentQuery(configSlug, columns) {
+    for (const col of columns)
+        validateColumnName(col);
+    const escapedColumns = columns.map((column) => `"${escapeIdentifier(column)}"`).join(', ');
+    const placeholders = columns.map((_, i) => `$${i + 2}`).join(', ');
+    return `INSERT INTO ${collectionTable(configSlug)} (id, ${escapedColumns}) VALUES ($1, ${placeholders})`;
+}
+export function selectJsonByIdQuery(configSlug) {
+    return `SELECT _json FROM ${collectionTable(configSlug)} WHERE id = $1 LIMIT 1`;
+}
+export function checkExistsByIdQuery(configSlug) {
+    return `SELECT id FROM ${collectionTable(configSlug)} WHERE id = $1 LIMIT 1`;
+}
+export function updateByIdQuery(configSlug, keys) {
+    for (const key of keys)
+        validateColumnName(key);
+    const setClause = keys.map((key, i) => `"${escapeIdentifier(key)}" = $${i + 1}`).join(', ');
+    return `UPDATE ${collectionTable(configSlug)} SET ${setClause} WHERE id = $${keys.length + 1}`;
+}
+/**
+ * Version-aware UPDATE: includes `version = version + 1` in SET
+ * and `AND version = $N` in WHERE for optimistic locking.
+ * Returns the number of affected rows (0 = conflict).
+ */
+export function updateByIdWithVersionQuery(configSlug, keys) {
+    for (const key of keys)
+        validateColumnName(key);
+    const setClause = keys.map((key, i) => `"${escapeIdentifier(key)}" = $${i + 1}`).join(', ');
+    // version param is at keys.length + 1, id param is at keys.length + 2
+    return `UPDATE ${collectionTable(configSlug)} SET ${setClause}, "version" = "version" + 1 WHERE id = $${keys.length + 2} AND "version" = $${keys.length + 1}`;
+}

package/dist/collections/operations/update.d.ts

@@ -1,10 +1,8 @@
 /**
  * Update Operation
  *
- * Updates an existing document with validation, password hashing, and JSON field handling.
+ * Updates an existing document with access control, validation, password hashing, and JSON field handling.
  */
-import type { DatabaseResult, RevealCollectionConfig, RevealDocument, RevealUpdateOptions } from '../../types/index.js';
-export declare function update(config: RevealCollectionConfig, db: {
-    query: (query: string, values?: unknown[]) => Promise<DatabaseResult>;
-} | null, options: RevealUpdateOptions): Promise<RevealDocument>;
+import type { QueryableDatabaseAdapter, RevealCollectionConfig, RevealDocument, RevealUpdateOptions } from '../../types/index.js';
+export declare function update(config: RevealCollectionConfig, db: QueryableDatabaseAdapter | null, options: RevealUpdateOptions): Promise<RevealDocument>;
 //# sourceMappingURL=update.d.ts.map

package/dist/collections/operations/update.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"update.d.ts","sourceRoot":"","sources":["../../../src/collections/operations/update.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EACV,cAAc,EACd,sBAAsB,EACtB,cAAc,EAEd,mBAAmB,EACpB,MAAM,sBAAsB,CAAA;AAM7B,wBAAsB,MAAM,CAC1B,MAAM,EAAE,sBAAsB,EAC9B,EAAE,EAAE;IACF,KAAK,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,cAAc,CAAC,CAAA;CACtE,GAAG,IAAI,EACR,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,cAAc,CAAC,CAgJzB"}
+{"version":3,"file":"update.d.ts","sourceRoot":"","sources":["../../../src/collections/operations/update.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EACV,wBAAwB,EACxB,sBAAsB,EACtB,cAAc,EAGd,mBAAmB,EACpB,MAAM,sBAAsB,CAAC;AAiF9B,wBAAsB,MAAM,CAC1B,MAAM,EAAE,sBAAsB,EAC9B,EAAE,EAAE,wBAAwB,GAAG,IAAI,EACnC,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,cAAc,CAAC,CAkMzB"}

package/dist/collections/operations/update.js

@@ -1,7 +1,7 @@
 /**
  * Update Operation
  *
- * Updates an existing document with validation, password hashing, and JSON field handling.
+ * Updates an existing document with access control, validation, password hashing, and JSON field handling.
  */
 import bcrypt from 'bcryptjs';
 import { defaultLogger } from '../../instance/logger.js';
@@ -9,10 +9,61 @@ import { collectJsonFields, serializeValueForDatabase } from '../../utils/json-p
 import { flattenFields, isJsonFieldType } from '../../utils/type-guards.js';
 import { runBeforeFieldHooks } from './fieldHooks.js';
 import { findByID } from './findById.js';
+import { checkExistsByIdQuery, selectJsonByIdQuery, updateByIdQuery, updateByIdWithVersionQuery, } from './sqlAdapter.js';
+/**
+ * Recursively deep-merge two plain objects. Arrays, nulls, Dates, and
+ * primitives in `source` replace the corresponding key in `target`.
+ * Only plain-object vs plain-object pairs are merged recursively.
+ */
+function deepMergeJson(target, source) {
+    const result = structuredClone(target);
+    for (const key of Object.keys(source)) {
+        const sourceVal = source[key];
+        const targetVal = result[key];
+        if (sourceVal !== null &&
+            typeof sourceVal === 'object' &&
+            !Array.isArray(sourceVal) &&
+            targetVal !== null &&
+            typeof targetVal === 'object' &&
+            !Array.isArray(targetVal)) {
+            result[key] = deepMergeJson(targetVal, sourceVal);
+        }
+        else {
+            result[key] = structuredClone(sourceVal);
+        }
+    }
+    return result;
+}
+/**
+ * Evaluate a collection's access.update function.
+ * Returns true (allow) or false (deny).
+ */
+async function evaluateUpdateAccess(config, options) {
+    if (options.overrideAccess)
+        return true;
+    const accessConfig = config.access;
+    const updateAccess = accessConfig?.update;
+    // No access rule defined = allow all (backward compatible)
+    if (!updateAccess)
+        return true;
+    const req = options.req;
+    if (!req)
+        return false; // No request context = deny (safe default)
+    const result = await updateAccess({ req, id: options.id, data: options.data });
+    if (result === false)
+        return false;
+    // Any truthy result (true, WhereClause) = allowed for single-document operations
+    return !!result;
+}
 export async function update(config, db, options) {
     const { id, data } = options;
+    // --- Access control enforcement ---
+    const allowed = await evaluateUpdateAccess(config, options);
+    if (!allowed) {
+        throw new Error('Access denied: insufficient permissions to update this document');
+    }
     // Run beforeValidate field hooks before validation so they can transform values.
-    await runBeforeFieldHooks(config, data, 'update', 'beforeValidate');
+    await runBeforeFieldHooks(config, data, 'update', 'beforeValidate', undefined, options.req);
     // Validate email format if email field is being updated
     if (config.fields) {
         for (const field of config.fields) {
@@ -42,13 +93,15 @@ export async function update(config, db, options) {
         }
     }
     // Run beforeChange field hooks after validation but before the DB write.
-    await runBeforeFieldHooks(config, data, 'update', 'beforeChange');
+    await runBeforeFieldHooks(config, data, 'update', 'beforeChange', undefined, options.req);
     // Hash password if present and not already hashed (doesn't start with $2a$ or $2b$)
     if (data.password && typeof data.password === 'string' && !data.password.startsWith('$2')) {
-        const saltRounds = 10;
+        const saltRounds = 12;
         data.password = await bcrypt.hash(data.password, saltRounds);
     }
     if (db?.query) {
+        // Dynamic collection storage is quarantined in sqlAdapter.ts until this
+        // layer is redesigned around typed tables that Drizzle can model directly.
         const tableName = config.slug;
         // Build UPDATE query (PostgreSQL uses $1, $2 style)
         // Serialize complex values (objects, arrays) to JSON strings for SQLite
@@ -57,7 +110,23 @@ export async function update(config, db, options) {
             .filter((field) => isJsonFieldType(field) && field.name)
             .map((field) => field.name)
             .filter((name) => typeof name === 'string'));
-        const keys = Object.keys(data).filter((k) => k !== 'id' && !jsonFieldNames.has(k));
+        // Build allowlist from collection fields + system columns to prevent SQL injection via crafted keys
+        const allowedColumns = new Set([
+            'id',
+            'createdAt',
+            'updatedAt',
+            'created_at',
+            'updated_at',
+            '_json',
+            'password',
+        ]);
+        if (config.fields) {
+            for (const field of config.fields) {
+                if (field.name)
+                    allowedColumns.add(field.name);
+            }
+        }
+        const keys = Object.keys(data).filter((k) => k !== 'id' && !jsonFieldNames.has(k) && allowedColumns.has(k));
         const jsonKeys = Object.keys(data).filter((k) => k !== 'id' && jsonFieldNames.has(k));
         // Collect JSON fields to update using collectJsonFields utility
         const jsonUpdates = collectJsonFields(data, jsonFieldNames);
@@ -67,7 +136,7 @@ export async function update(config, db, options) {
         let existingJson = {};
         if (jsonFieldNames.size > 0) {
             // Fetch _json to preserve existing JSON fields (even when only updating non-JSON fields)
-            const rawQuery = `SELECT _json FROM "${tableName}" WHERE id = $1 LIMIT 1`;
+            const rawQuery = selectJsonByIdQuery(tableName);
             const rawResult = await db.query(rawQuery, [String(id)]);
             if (!rawResult.rows[0]) {
                 throw new Error(`Document with id ${id} not found`);
@@ -95,7 +164,7 @@ export async function update(config, db, options) {
         }
         else if (keys.length > 0) {
             // No JSON fields in collection - just verify document exists
-            const checkQuery = `SELECT id FROM "${tableName}" WHERE id = $1 LIMIT 1`;
+            const checkQuery = checkExistsByIdQuery(tableName);
             const checkResult = await db.query(checkQuery, [String(id)]);
             if (!checkResult.rows[0]) {
                 throw new Error(`Document with id ${id} not found`);
@@ -104,13 +173,12 @@ export async function update(config, db, options) {
         // Merge existing JSON with updates (only if we have JSON fields)
         let mergedJson = {};
         if (jsonFieldNames.size > 0) {
-            mergedJson = { ...existingJson, ...jsonUpdates };
+            mergedJson = deepMergeJson(existingJson, jsonUpdates);
             // Only include _json in UPDATE if there are actual changes or existing JSON to preserve
             if (jsonKeys.length > 0 || Object.keys(existingJson).length > 0) {
                 keys.push('_json');
             }
         }
-        const setClause = keys.map((key, i) => `"${key}" = $${i + 1}`).join(', ');
         const values = keys.map((key) => {
             if (key === '_json') {
                 // Serialize merged JSON fields object to JSON string
@@ -121,8 +189,32 @@ export async function update(config, db, options) {
         });
         // Ensure id is a string for consistent comparison
         const idString = String(id);
-        const query = `UPDATE "${tableName}" SET ${setClause} WHERE id = $${keys.length + 1}`;
-        await db.query(query, [...values, idString]);
+        // Optimistic locking: if the caller provides a `version` field, use version-aware update
+        // to detect concurrent modifications. The version is stripped from the SET clause and
+        // moved to the WHERE clause; the DB auto-increments version on success.
+        const clientVersion = typeof data.version === 'number' ? data.version : undefined;
+        const updateKeys = clientVersion !== undefined ? keys.filter((k) => k !== 'version') : keys;
+        const updateValues = clientVersion !== undefined
+            ? updateKeys.map((key) => {
+                if (key === '_json')
+                    return serializeValueForDatabase(mergedJson);
+                return serializeValueForDatabase(data[key]);
+            })
+            : values;
+        if (clientVersion !== undefined) {
+            const query = updateByIdWithVersionQuery(tableName, updateKeys);
+            const result = await db.query(query, [...updateValues, clientVersion, idString]);
+            if (result.rowCount === 0) {
+                // Document exists but version mismatch — concurrent edit detected
+                const err = new Error('Document was modified by another user. Refresh and try again.');
+                err.statusCode = 409;
+                throw err;
+            }
+        }
+        else {
+            const query = updateByIdQuery(tableName, updateKeys);
+            await db.query(query, [...updateValues, idString]);
+        }
         // Return updated document (use idString for consistency)
         const updatedDoc = await findByID(config, db, { id: idString });
         if (!updatedDoc) {

package/dist/collections/operations/updateMany.d.ts

@@ -0,0 +1,11 @@
+/**
+ * updateMany Operation
+ *
+ * Updates multiple documents in a single transaction. All-or-nothing: if any
+ * update fails, the entire batch is rolled back.
+ *
+ * Documents without a db adapter fall back to in-memory objects (no transaction).
+ */
+import type { BatchResult, BatchUpdateOptions, QueryableDatabaseAdapter, RevealCollectionConfig, RevealDocument } from '../../types/index.js';
+export declare function updateMany(config: RevealCollectionConfig, db: QueryableDatabaseAdapter | null, options: BatchUpdateOptions): Promise<BatchResult<RevealDocument>>;
+//# sourceMappingURL=updateMany.d.ts.map

package/dist/collections/operations/updateMany.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"updateMany.d.ts","sourceRoot":"","sources":["../../../src/collections/operations/updateMany.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,kBAAkB,EAClB,wBAAwB,EACxB,sBAAsB,EACtB,cAAc,EACf,MAAM,sBAAsB,CAAC;AAG9B,wBAAsB,UAAU,CAC9B,MAAM,EAAE,sBAAsB,EAC9B,EAAE,EAAE,wBAAwB,GAAG,IAAI,EACnC,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC,CA2CtC"}

package/dist/collections/operations/updateMany.js

@@ -0,0 +1,52 @@
+/**
+ * updateMany Operation
+ *
+ * Updates multiple documents in a single transaction. All-or-nothing: if any
+ * update fails, the entire batch is rolled back.
+ *
+ * Documents without a db adapter fall back to in-memory objects (no transaction).
+ */
+import { update } from './update.js';
+export async function updateMany(config, db, options) {
+    const results = [];
+    const errors = [];
+    if (!db?.query || options.updates.length === 0) {
+        // No DB or empty batch: run each update independently (no transaction available).
+        for (const [i, item] of options.updates.entries()) {
+            try {
+                const doc = await update(config, db, {
+                    id: item.id,
+                    data: item.data,
+                    req: options.req,
+                    overrideAccess: options.overrideAccess,
+                });
+                results.push(doc);
+            }
+            catch (error) {
+                errors.push({ index: i, error: error instanceof Error ? error.message : String(error) });
+            }
+        }
+        return { results, errors };
+    }
+    // Wrap all updates in a transaction: stop on first error, rollback on failure.
+    await db.query('BEGIN');
+    try {
+        for (const item of options.updates) {
+            const doc = await update(config, db, {
+                id: item.id,
+                data: item.data,
+                req: options.req,
+                overrideAccess: options.overrideAccess,
+            });
+            results.push(doc);
+        }
+        await db.query('COMMIT');
+    }
+    catch (error) {
+        await db.query('ROLLBACK');
+        const index = results.length; // Index of the failing item
+        errors.push({ index, error: error instanceof Error ? error.message : String(error) });
+        return { results: [], errors };
+    }
+    return { results, errors };
+}

package/dist/collections/registry.d.ts

@@ -0,0 +1,12 @@
+import type { RevealCollectionConfig } from '../types/index.js';
+export type CollectionStorageMode = 'dynamic' | 'typed-candidate';
+export interface CollectionStorageDescriptor {
+    slug: string;
+    tableName: string;
+    storageMode: CollectionStorageMode;
+    allowedColumns: string[];
+    jsonFieldNames: string[];
+}
+export declare function buildCollectionStorageDescriptor(collection: RevealCollectionConfig): CollectionStorageDescriptor;
+export declare function buildCollectionStorageRegistry(collections: RevealCollectionConfig[] | undefined): Record<string, CollectionStorageDescriptor>;
+//# sourceMappingURL=registry.d.ts.map

package/dist/collections/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/collections/registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAiB,MAAM,mBAAmB,CAAC;AAG/E,MAAM,MAAM,qBAAqB,GAAG,SAAS,GAAG,iBAAiB,CAAC;AAElE,MAAM,WAAW,2BAA2B;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,qBAAqB,CAAC;IACnC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAID,wBAAgB,gCAAgC,CAC9C,UAAU,EAAE,sBAAsB,GACjC,2BAA2B,CA6B7B;AAED,wBAAgB,8BAA8B,CAC5C,WAAW,EAAE,sBAAsB,EAAE,GAAG,SAAS,GAChD,MAAM,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAM7C"}