@strapi/core 5.36.1 → 5.37.0

package/dist/package.json.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var name = "@strapi/core";
-var version = "5.36.1";
+var version = "5.37.0";
 var description = "Core of Strapi";
 var homepage = "https://strapi.io";
 var bugs = {
@@ -61,20 +61,20 @@ var dependencies = {
     "@koa/cors": "5.0.0",
     "@koa/router": "12.0.2",
     "@paralleldrive/cuid2": "2.2.2",
-    "@strapi/admin": "5.36.1",
-    "@strapi/database": "5.36.1",
-    "@strapi/generators": "5.36.1",
-    "@strapi/logger": "5.36.1",
-    "@strapi/permissions": "5.36.1",
-    "@strapi/types": "5.36.1",
-    "@strapi/typescript-utils": "5.36.1",
-    "@strapi/utils": "5.36.1",
+    "@strapi/admin": "5.37.0",
+    "@strapi/database": "5.37.0",
+    "@strapi/generators": "5.37.0",
+    "@strapi/logger": "5.37.0",
+    "@strapi/permissions": "5.37.0",
+    "@strapi/types": "5.37.0",
+    "@strapi/typescript-utils": "5.37.0",
+    "@strapi/utils": "5.37.0",
     "@vercel/stega": "0.1.2",
     bcryptjs: "2.4.3",
     boxen: "5.1.2",
     chalk: "4.1.2",
     "ci-info": "4.0.0",
-    "cli-table3": "0.6.2",
+    "cli-table3": "0.6.5",
     commander: "8.3.0",
     configstore: "5.0.1",
     copyfiles: "2.4.1",
@@ -99,7 +99,7 @@ var dependencies = {
     "koa-ip": "^2.1.3",
     "koa-session": "6.4.0",
     "koa-static": "5.0.0",
-    lodash: "4.17.21",
+    lodash: "4.17.23",
     "mime-types": "2.1.35",
     "node-schedule": "2.1.1",
     open: "8.4.0",
@@ -136,11 +136,11 @@ var devDependencies = {
     "@types/node": "24.10.0",
     "@types/node-schedule": "2.1.7",
     "@types/statuses": "2.0.1",
-    "eslint-config-custom": "5.36.1",
+    "eslint-config-custom": "5.37.0",
     supertest: "6.3.3",
-    tsconfig: "5.36.1",
+    tsconfig: "5.37.0",
     vitest: "4.0.18",
-    "vitest-config": "5.34.1"
+    "vitest-config": "5.37.0"
 };
 var engines = {
     node: ">=20.0.0 <=24.x.x",

package/dist/package.json.mjs

@@ -1,5 +1,5 @@
 var name = "@strapi/core";
-var version = "5.36.1";
+var version = "5.37.0";
 var description = "Core of Strapi";
 var homepage = "https://strapi.io";
 var bugs = {
@@ -57,20 +57,20 @@ var dependencies = {
     "@koa/cors": "5.0.0",
     "@koa/router": "12.0.2",
     "@paralleldrive/cuid2": "2.2.2",
-    "@strapi/admin": "5.36.1",
-    "@strapi/database": "5.36.1",
-    "@strapi/generators": "5.36.1",
-    "@strapi/logger": "5.36.1",
-    "@strapi/permissions": "5.36.1",
-    "@strapi/types": "5.36.1",
-    "@strapi/typescript-utils": "5.36.1",
-    "@strapi/utils": "5.36.1",
+    "@strapi/admin": "5.37.0",
+    "@strapi/database": "5.37.0",
+    "@strapi/generators": "5.37.0",
+    "@strapi/logger": "5.37.0",
+    "@strapi/permissions": "5.37.0",
+    "@strapi/types": "5.37.0",
+    "@strapi/typescript-utils": "5.37.0",
+    "@strapi/utils": "5.37.0",
     "@vercel/stega": "0.1.2",
     bcryptjs: "2.4.3",
     boxen: "5.1.2",
     chalk: "4.1.2",
     "ci-info": "4.0.0",
-    "cli-table3": "0.6.2",
+    "cli-table3": "0.6.5",
     commander: "8.3.0",
     configstore: "5.0.1",
     copyfiles: "2.4.1",
@@ -95,7 +95,7 @@ var dependencies = {
     "koa-ip": "^2.1.3",
     "koa-session": "6.4.0",
     "koa-static": "5.0.0",
-    lodash: "4.17.21",
+    lodash: "4.17.23",
     "mime-types": "2.1.35",
     "node-schedule": "2.1.1",
     open: "8.4.0",
@@ -132,11 +132,11 @@ var devDependencies = {
     "@types/node": "24.10.0",
     "@types/node-schedule": "2.1.7",
     "@types/statuses": "2.0.1",
-    "eslint-config-custom": "5.36.1",
+    "eslint-config-custom": "5.37.0",
     supertest: "6.3.3",
-    tsconfig: "5.36.1",
+    tsconfig: "5.37.0",
     vitest: "4.0.18",
-    "vitest-config": "5.34.1"
+    "vitest-config": "5.37.0"
 };
 var engines = {
     node: ">=20.0.0 <=24.x.x",

package/dist/services/content-api/index.d.ts

@@ -1,5 +1,5 @@
 import { sanitize, validate } from '@strapi/utils';
-import type { Core } from '@strapi/types';
+import type { Core, Modules } from '@strapi/types';
 /**
  * Create a content API container that holds logic, tools and utils. (eg: permissions, ...)
  */
@@ -51,7 +51,7 @@ declare const createContentAPI: (strapi: Core.Strapi) => {
     sanitize: {
         input: sanitize.SanitizeFunc;
         output: sanitize.SanitizeFunc;
-        query: (query: Record<string, unknown>, schema: import("@strapi/utils/dist/types").Model, { auth }?: sanitize.Options | undefined) => Promise<Record<string, unknown>>;
+        query: (query: Record<string, unknown>, schema: import("@strapi/utils/dist/types").Model, { auth, strictParams, route }?: sanitize.Options | undefined) => Promise<Record<string, unknown>>;
         filters: sanitize.SanitizeFunc;
         sort: sanitize.SanitizeFunc;
         fields: sanitize.SanitizeFunc;
@@ -59,12 +59,15 @@ declare const createContentAPI: (strapi: Core.Strapi) => {
     };
     validate: {
         input: validate.ValidateFunc;
-        query: (query: Record<string, unknown>, schema: import("@strapi/utils/dist/types").Model, { auth }?: validate.Options | undefined) => Promise<void>;
+        query: (query: Record<string, unknown>, schema: import("@strapi/utils/dist/types").Model, { auth, strictParams, route }?: validate.Options | undefined) => Promise<void>;
         filters: validate.ValidateFunc;
         sort: validate.ValidateFunc;
         fields: validate.ValidateFunc;
         populate: validate.ValidateFunc;
     };
+    addQueryParams: (options: Modules.ContentAPI.AddQueryParamsOptions) => void;
+    addInputParams: (options: Modules.ContentAPI.AddInputParamsOptions) => void;
+    applyExtraParamsToRoutes: (routes: Core.Route[]) => void;
 };
 export default createContentAPI;
 //# sourceMappingURL=index.d.ts.map

package/dist/services/content-api/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/services/content-api/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAqC,MAAM,eAAe,CAAC;AAEtF,OAAO,KAAK,EAAE,IAAI,EAAO,MAAM,eAAe,CAAC;AAgB/C;;GAEG;AACH,QAAA,MAAM,gBAAgB,WAAY,KAAK,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgF5C,CAAC;AAEF,eAAe,gBAAgB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/services/content-api/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,QAAQ,EACR,QAAQ,EAIT,MAAM,eAAe,CAAC;AAGvB,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAO,MAAM,eAAe,CAAC;AAiHxD;;GAEG;AACH,QAAA,MAAM,gBAAgB,WAAY,KAAK,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;8BA0CV,QAAQ,UAAU,CAAC,qBAAqB;8BAQxC,QAAQ,UAAU,CAAC,qBAAqB;uCAK/B,KAAK,KAAK,EAAE,KAAG,IAAI;CA2F9D,CAAC;AAEF,eAAe,gBAAgB,CAAC"}

package/dist/services/content-api/index.js

@@ -2,8 +2,28 @@
 
 var _ = require('lodash');
 var strapiUtils = require('@strapi/utils');
+var z = require('zod/v4');
 var index = require('./permissions/index.js');
 
+function _interopNamespaceDefault(e) {
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var z__namespace = /*#__PURE__*/_interopNamespaceDefault(z);
+
 const transformRoutePrefixFor = (pluginName)=>(route)=>{
         const prefix = route.config && route.config.prefix;
         const path = prefix !== undefined ? `${prefix}${route.path}` : `/${pluginName}${route.path}`;
@@ -13,9 +33,150 @@ const transformRoutePrefixFor = (pluginName)=>(route)=>{
         };
     };
 const filterContentAPI = (route)=>route.info.type === 'content-api';
+/**
+ * Runtime check for addQueryParams: we only allow scalar or array-of-scalar schemas (no nested objects).
+ * We keep this in addition to the ZodQueryParamSchema type because: (1) TypeScript can be bypassed (JS,
+ * any, or schema from another Zod instance); (2) it gives a clear, immediate error at registration
+ * time instead of a later failure in validate/sanitize. This list is intentionally tied to Zod v4
+ * constructor names; if Zod changes internals, this may need updating.
+ * Compatibility: Zod 3 and Zod 4 Classic (zod/v4) both use these constructor names and
+ * expose ._def with .innerType / .element for Optional/Default/Array. Zod 4 Core/Mini use
+ * ._zod.def instead; we only accept schemas from the same zod/v4 instance used here.
+ */ const ALLOWED_QUERY_SCHEMA_NAMES = new Set([
+    'ZodString',
+    'ZodNumber',
+    'ZodBoolean',
+    'ZodEnum',
+    'ZodOptional',
+    'ZodDefault',
+    'ZodArray'
+]);
+function assertQueryParamSchema(schema, param) {
+    const name = schema?.constructor?.name ?? '';
+    if (!ALLOWED_QUERY_SCHEMA_NAMES.has(name)) {
+        throw new Error(`contentAPI.addQueryParams: param "${param}" schema must be a scalar (string, number, boolean, enum) or array of scalars; got ${name}. Use addInputParams for nested objects.`);
+    }
+    if (name === 'ZodOptional' || name === 'ZodDefault') {
+        const inner = schema?._def?.innerType;
+        if (inner) assertQueryParamSchema(inner, param);
+        return;
+    }
+    if (name === 'ZodArray') {
+        const element = schema?._def?.element;
+        if (element) assertQueryParamSchema(element, param);
+    }
+}
+function resolveSchema(schemaOrFactory) {
+    if (typeof schemaOrFactory === 'function') {
+        return schemaOrFactory(z__namespace);
+    }
+    return schemaOrFactory;
+}
+const mergeOneQueryParamIntoRoute = (route, param, schema, matchRoute)=>{
+    if (matchRoute && !matchRoute(route)) return;
+    const query = {
+        ...route.request?.query ?? {}
+    };
+    if (param in query) {
+        throw new Error(`contentAPI.addQueryParams: param "${param}" already exists on route ${route.method} ${route.path}`);
+    }
+    route.request = {
+        ...route.request,
+        query: {
+            ...query,
+            [param]: schema
+        }
+    };
+};
+const mergeOneInputParamIntoRoute = (route, param, schema, matchRoute)=>{
+    if (matchRoute && !matchRoute(route)) return;
+    const jsonKey = 'application/json';
+    const body = route.request?.body ? {
+        ...route.request.body
+    } : {};
+    const existing = body[jsonKey];
+    const base = existing && typeof existing === 'object' && 'shape' in existing ? existing.shape : {};
+    if (param in base) {
+        throw new Error(`contentAPI.addInputParams: param "${param}" already exists on route ${route.method} ${route.path}`);
+    }
+    body[jsonKey] = z__namespace.object({
+        ...base,
+        [param]: schema
+    });
+    route.request = {
+        ...route.request,
+        body
+    };
+};
 /**
  * Create a content API container that holds logic, tools and utils. (eg: permissions, ...)
  */ const createContentAPI = (strapi)=>{
+    const extraQueryParams = [];
+    const extraInputParams = [];
+    const addQueryParam = (options)=>{
+        const { param, schema: schemaOrFactory, matchRoute } = options;
+        const schema = resolveSchema(schemaOrFactory);
+        assertQueryParamSchema(schema, param);
+        if (strapiUtils.ALLOWED_QUERY_PARAM_KEYS.includes(param)) {
+            throw new Error(`contentAPI.addQueryParams: param "${param}" is reserved by Strapi; use a different name`);
+        }
+        if (extraQueryParams.some((o)=>o.param === param)) {
+            throw new Error(`contentAPI.addQueryParams: param "${param}" has already been added`);
+        }
+        extraQueryParams.push({
+            param,
+            schema,
+            matchRoute
+        });
+    // Params are merged into routes when initRouting() runs (applyExtraParamsToRoutes).
+    // We do not merge here: at register() time routes may not exist yet (lazy creation), and
+    // merging here would cause double-merge when initRouting runs and 400 "invalid param" or
+    // "param already exists" errors.
+    };
+    const addInputParam = (options)=>{
+        const { param, schema: schemaOrFactory, matchRoute } = options;
+        const schema = resolveSchema(schemaOrFactory);
+        if (strapiUtils.RESERVED_INPUT_PARAM_KEYS.includes(param)) {
+            throw new Error(`contentAPI.addInputParams: param "${param}" is reserved by Strapi; use a different name`);
+        }
+        if (extraInputParams.some((o)=>o.param === param)) {
+            throw new Error(`contentAPI.addInputParams: param "${param}" has already been added`);
+        }
+        extraInputParams.push({
+            param,
+            schema,
+            matchRoute
+        });
+    // Params are merged into routes when initRouting() runs (applyExtraParamsToRoutes).
+    };
+    /**
+   * Register extra query params. Keys = param names; values = { schema, matchRoute? }.
+   * Schemas must be Zod scalar or array-of-scalars (enforced at runtime via assertQueryParamSchema).
+   */ const addQueryParams = (options)=>{
+        Object.entries(options).forEach(([param, rest])=>addQueryParam({
+                param,
+                ...rest
+            }));
+    };
+    /**
+   * Register extra input params (root-level body.data). Keys = param names; values = { schema, matchRoute? }.
+   * Any Zod type allowed; enforced at registration time.
+   */ const addInputParams = (options)=>{
+        Object.entries(options).forEach(([param, rest])=>addInputParam({
+                param,
+                ...rest
+            }));
+    };
+    /** Merge all registered extra params into the given routes (mutates in place). Called at route registration. Throws if a param key already exists. */ const applyExtraParamsToRoutes = (routes)=>{
+        routes.forEach((route)=>{
+            for (const { param, schema, matchRoute } of extraQueryParams){
+                mergeOneQueryParamIntoRoute(route, param, schema, matchRoute);
+            }
+            for (const { param, schema, matchRoute } of extraInputParams){
+                mergeOneInputParamIntoRoute(route, param, schema, matchRoute);
+            }
+        });
+    };
     const getRoutesMap = async ()=>{
         const routesMap = {};
         _.forEach(strapi.apis, (api, apiName)=>{
@@ -55,7 +216,6 @@ const filterContentAPI = (route)=>route.info.type === 'content-api';
         getModel (uid) {
             return strapi.getModel(uid);
         },
-        // NOTE: use lazy access to allow registration of sanitizers after the creation of the container
         get sanitizers () {
             return {
                 input: strapi.sanitizers.get('content-api.input'),
@@ -67,7 +227,6 @@ const filterContentAPI = (route)=>route.info.type === 'content-api';
         getModel (uid) {
             return strapi.getModel(uid);
         },
-        // NOTE: use lazy access to allow registration of validators after the creation of the container
         get validators () {
             return {
                 input: strapi.validators.get('content-api.input')
@@ -78,7 +237,10 @@ const filterContentAPI = (route)=>route.info.type === 'content-api';
         permissions: index(strapi),
         getRoutesMap,
         sanitize: sanitizer,
-        validate: validator
+        validate: validator,
+        addQueryParams,
+        addInputParams,
+        applyExtraParamsToRoutes
     };
 };
 

package/dist/services/content-api/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sources":["../../../src/services/content-api/index.ts"],"sourcesContent":["import _ from 'lodash';\nimport { sanitize, validate, sanitizeRoutesMapForSerialization } from '@strapi/utils';\n\nimport type { Core, UID } from '@strapi/types';\n\nimport instantiatePermissionsUtilities from './permissions';\n\nconst transformRoutePrefixFor = (pluginName: string) => (route: Core.Route) => {\n  const prefix = route.config && route.config.prefix;\n  const path = prefix !== undefined ? `${prefix}${route.path}` : `/${pluginName}${route.path}`;\n\n  return {\n    ...route,\n    path,\n  };\n};\n\nconst filterContentAPI = (route: Core.Route) => route.info.type === 'content-api';\n\n/**\n * Create a content API container that holds logic, tools and utils. (eg: permissions, ...)\n */\nconst createContentAPI = (strapi: Core.Strapi) => {\n  const getRoutesMap = async () => {\n    const routesMap: Record<string, Core.Route[]> = {};\n\n    _.forEach(strapi.apis, (api, apiName) => {\n      const routes = _.flatMap(api.routes, (route) => {\n        if ('routes' in route) {\n          return route.routes;\n        }\n\n        return route;\n      }).filter(filterContentAPI);\n\n      if (routes.length === 0) {\n        return;\n      }\n\n      const apiPrefix = strapi.config.get('api.rest.prefix');\n      routesMap[`api::${apiName}`] = routes.map((route) => ({\n        ...route,\n        path: `${apiPrefix}${route.path}`,\n      }));\n    });\n\n    _.forEach(strapi.plugins, (plugin, pluginName) => {\n      const transformPrefix = transformRoutePrefixFor(pluginName);\n\n      if (Array.isArray(plugin.routes)) {\n        return plugin.routes.map(transformPrefix).filter(filterContentAPI);\n      }\n\n      const routes = _.flatMap(plugin.routes, (route) => route.routes.map(transformPrefix)).filter(\n        filterContentAPI\n      );\n\n      if (routes.length === 0) {\n        return;\n      }\n\n      const apiPrefix = strapi.config.get('api.rest.prefix');\n      routesMap[`plugin::${pluginName}`] = routes.map((route) => ({\n        ...route,\n        path: `${apiPrefix}${route.path}`,\n      }));\n    });\n\n    return sanitizeRoutesMapForSerialization(routesMap);\n  };\n\n  const sanitizer = sanitize.createAPISanitizers({\n    getModel(uid: string) {\n      return strapi.getModel(uid as UID.Schema);\n    },\n    // NOTE: use lazy access to allow registration of sanitizers after the creation of the container\n    get sanitizers() {\n      return {\n        input: strapi.sanitizers.get('content-api.input'),\n        output: strapi.sanitizers.get('content-api.output'),\n      };\n    },\n  });\n\n  const validator = validate.createAPIValidators({\n    getModel(uid: string) {\n      return strapi.getModel(uid as UID.Schema);\n    },\n    // NOTE: use lazy access to allow registration of validators after the creation of the container\n    get validators() {\n      return {\n        input: strapi.validators.get('content-api.input'),\n      };\n    },\n  });\n\n  return {\n    permissions: instantiatePermissionsUtilities(strapi),\n    getRoutesMap,\n    sanitize: sanitizer,\n    validate: validator,\n  };\n};\n\nexport default createContentAPI;\n"],"names":["transformRoutePrefixFor","pluginName","route","prefix","config","path","undefined","filterContentAPI","info","type","createContentAPI","strapi","getRoutesMap","routesMap","_","forEach","apis","api","apiName","routes","flatMap","filter","length","apiPrefix","get","map","plugins","plugin","transformPrefix","Array","isArray","sanitizeRoutesMapForSerialization","sanitizer","sanitize","createAPISanitizers","getModel","uid","sanitizers","input","output","validator","validate","createAPIValidators","validators","permissions","instantiatePermissionsUtilities"],"mappings":";;;;;;AAOA,MAAMA,uBAAAA,GAA0B,CAACC,UAAAA,GAAuB,CAACC,KAAAA,GAAAA;AACvD,QAAA,MAAMC,SAASD,KAAME,CAAAA,MAAM,IAAIF,KAAME,CAAAA,MAAM,CAACD,MAAM;AAClD,QAAA,MAAME,IAAOF,GAAAA,MAAAA,KAAWG,SAAY,GAAA,CAAA,EAAGH,SAASD,KAAMG,CAAAA,IAAI,CAAE,CAAA,GAAG,CAAC,CAAC,EAAEJ,UAAaC,CAAAA,EAAAA,KAAAA,CAAMG,IAAI,CAAE,CAAA;QAE5F,OAAO;AACL,YAAA,GAAGH,KAAK;AACRG,YAAAA;AACF,SAAA;AACF,KAAA;AAEA,MAAME,mBAAmB,CAACL,KAAAA,GAAsBA,MAAMM,IAAI,CAACC,IAAI,KAAK,aAAA;AAEpE;;IAGA,MAAMC,mBAAmB,CAACC,MAAAA,GAAAA;AACxB,IAAA,MAAMC,YAAe,GAAA,UAAA;AACnB,QAAA,MAAMC,YAA0C,EAAC;AAEjDC,QAAAA,CAAAA,CAAEC,OAAO,CAACJ,MAAAA,CAAOK,IAAI,EAAE,CAACC,GAAKC,EAAAA,OAAAA,GAAAA;AAC3B,YAAA,MAAMC,SAASL,CAAEM,CAAAA,OAAO,CAACH,GAAIE,CAAAA,MAAM,EAAE,CAACjB,KAAAA,GAAAA;AACpC,gBAAA,IAAI,YAAYA,KAAO,EAAA;AACrB,oBAAA,OAAOA,MAAMiB,MAAM;AACrB;gBAEA,OAAOjB,KAAAA;AACT,aAAA,CAAA,CAAGmB,MAAM,CAACd,gBAAAA,CAAAA;YAEV,IAAIY,MAAAA,CAAOG,MAAM,KAAK,CAAG,EAAA;AACvB,gBAAA;AACF;AAEA,YAAA,MAAMC,SAAYZ,GAAAA,MAAAA,CAAOP,MAAM,CAACoB,GAAG,CAAC,iBAAA,CAAA;AACpCX,YAAAA,SAAS,CAAC,CAAC,KAAK,EAAEK,OAAS,CAAA,CAAA,CAAC,GAAGC,MAAAA,CAAOM,GAAG,CAAC,CAACvB,KAAAA,IAAW;AACpD,oBAAA,GAAGA,KAAK;AACRG,oBAAAA,IAAAA,EAAM,CAAGkB,EAAAA,SAAAA,CAAAA,EAAYrB,KAAMG,CAAAA,IAAI,CAAE;iBACnC,CAAA,CAAA;AACF,SAAA,CAAA;AAEAS,QAAAA,CAAAA,CAAEC,OAAO,CAACJ,MAAAA,CAAOe,OAAO,EAAE,CAACC,MAAQ1B,EAAAA,UAAAA,GAAAA;AACjC,YAAA,MAAM2B,kBAAkB5B,uBAAwBC,CAAAA,UAAAA,CAAAA;AAEhD,YAAA,IAAI4B,KAAMC,CAAAA,OAAO,CAACH,MAAAA,CAAOR,MAAM,CAAG,EAAA;AAChC,gBAAA,OAAOQ,OAAOR,MAAM,CAACM,GAAG,CAACG,eAAAA,CAAAA,CAAiBP,MAAM,CAACd,gBAAAA,CAAAA;AACnD;AAEA,YAAA,MAAMY,SAASL,CAAEM,CAAAA,OAAO,CAACO,MAAAA,CAAOR,MAAM,EAAE,CAACjB,KAAUA,GAAAA,KAAAA,CAAMiB,MAAM,CAACM,GAAG,CAACG,eAAAA,CAAAA,CAAAA,CAAkBP,MAAM,CAC1Fd,gBAAAA,CAAAA;YAGF,IAAIY,MAAAA,CAAOG,MAAM,KAAK,CAAG,EAAA;AACvB,gBAAA;AACF;AAEA,YAAA,MAAMC,SAAYZ,GAAAA,MAAAA,CAAOP,MAAM,CAACoB,GAAG,CAAC,iBAAA,CAAA;AACpCX,YAAAA,SAAS,CAAC,CAAC,QAAQ,EAAEZ,UAAY,CAAA,CAAA,CAAC,GAAGkB,MAAAA,CAAOM,GAAG,CAAC,CAACvB,KAAAA,IAAW;AAC1D,oBAAA,GAAGA,KAAK;AACRG,oBAAAA,IAAAA,EAAM,CAAGkB,EAAAA,SAAAA,CAAAA,EAAYrB,KAAMG,CAAAA,IAAI,CAAE;iBACnC,CAAA,CAAA;AACF,SAAA,CAAA;AAEA,QAAA,OAAO0B,6CAAkClB,CAAAA,SAAAA,CAAAA;AAC3C,KAAA;IAEA,MAAMmB,SAAAA,GAAYC,oBAASC,CAAAA,mBAAmB,CAAC;AAC7CC,QAAAA,QAAAA,CAAAA,CAASC,GAAW,EAAA;YAClB,OAAOzB,MAAAA,CAAOwB,QAAQ,CAACC,GAAAA,CAAAA;AACzB,SAAA;;AAEA,QAAA,IAAIC,UAAa,CAAA,GAAA;YACf,OAAO;AACLC,gBAAAA,KAAAA,EAAO3B,MAAO0B,CAAAA,UAAU,CAACb,GAAG,CAAC,mBAAA,CAAA;AAC7Be,gBAAAA,MAAAA,EAAQ5B,MAAO0B,CAAAA,UAAU,CAACb,GAAG,CAAC,oBAAA;AAChC,aAAA;AACF;AACF,KAAA,CAAA;IAEA,MAAMgB,SAAAA,GAAYC,oBAASC,CAAAA,mBAAmB,CAAC;AAC7CP,QAAAA,QAAAA,CAAAA,CAASC,GAAW,EAAA;YAClB,OAAOzB,MAAAA,CAAOwB,QAAQ,CAACC,GAAAA,CAAAA;AACzB,SAAA;;AAEA,QAAA,IAAIO,UAAa,CAAA,GAAA;YACf,OAAO;AACLL,gBAAAA,KAAAA,EAAO3B,MAAOgC,CAAAA,UAAU,CAACnB,GAAG,CAAC,mBAAA;AAC/B,aAAA;AACF;AACF,KAAA,CAAA;IAEA,OAAO;AACLoB,QAAAA,WAAAA,EAAaC,KAAgClC,CAAAA,MAAAA,CAAAA;AAC7CC,QAAAA,YAAAA;QACAqB,QAAUD,EAAAA,SAAAA;QACVS,QAAUD,EAAAA;AACZ,KAAA;AACF;;;;"}
+{"version":3,"file":"index.js","sources":["../../../src/services/content-api/index.ts"],"sourcesContent":["import _ from 'lodash';\nimport {\n  sanitize,\n  validate,\n  sanitizeRoutesMapForSerialization,\n  ALLOWED_QUERY_PARAM_KEYS,\n  RESERVED_INPUT_PARAM_KEYS,\n} from '@strapi/utils';\nimport * as z from 'zod/v4';\n\nimport type { Core, Modules, UID } from '@strapi/types';\n\nimport instantiatePermissionsUtilities from './permissions';\n\nconst transformRoutePrefixFor = (pluginName: string) => (route: Core.Route) => {\n  const prefix = route.config && route.config.prefix;\n  const path = prefix !== undefined ? `${prefix}${route.path}` : `/${pluginName}${route.path}`;\n\n  return {\n    ...route,\n    path,\n  };\n};\n\nconst filterContentAPI = (route: Core.Route) => route.info.type === 'content-api';\n\n/**\n * Runtime check for addQueryParams: we only allow scalar or array-of-scalar schemas (no nested objects).\n * We keep this in addition to the ZodQueryParamSchema type because: (1) TypeScript can be bypassed (JS,\n * any, or schema from another Zod instance); (2) it gives a clear, immediate error at registration\n * time instead of a later failure in validate/sanitize. This list is intentionally tied to Zod v4\n * constructor names; if Zod changes internals, this may need updating.\n * Compatibility: Zod 3 and Zod 4 Classic (zod/v4) both use these constructor names and\n * expose ._def with .innerType / .element for Optional/Default/Array. Zod 4 Core/Mini use\n * ._zod.def instead; we only accept schemas from the same zod/v4 instance used here.\n */\nconst ALLOWED_QUERY_SCHEMA_NAMES = new Set([\n  'ZodString',\n  'ZodNumber',\n  'ZodBoolean',\n  'ZodEnum',\n  'ZodOptional',\n  'ZodDefault',\n  'ZodArray',\n]);\n\nfunction assertQueryParamSchema(schema: unknown, param: string): void {\n  const name = (schema as { constructor?: { name?: string } })?.constructor?.name ?? '';\n  if (!ALLOWED_QUERY_SCHEMA_NAMES.has(name)) {\n    throw new Error(\n      `contentAPI.addQueryParams: param \"${param}\" schema must be a scalar (string, number, boolean, enum) or array of scalars; got ${name}. Use addInputParams for nested objects.`\n    );\n  }\n  if (name === 'ZodOptional' || name === 'ZodDefault') {\n    const inner = (schema as { _def?: { innerType?: unknown } })?._def?.innerType;\n    if (inner) assertQueryParamSchema(inner, param);\n    return;\n  }\n  if (name === 'ZodArray') {\n    const element = (schema as { _def?: { element?: unknown } })?._def?.element;\n    if (element) assertQueryParamSchema(element, param);\n  }\n}\n\nfunction resolveSchema<T>(schemaOrFactory: T | ((zInstance: typeof z) => T)): T {\n  if (typeof schemaOrFactory === 'function') {\n    return (schemaOrFactory as (zInstance: typeof z) => T)(z);\n  }\n  return schemaOrFactory;\n}\n\nconst mergeOneQueryParamIntoRoute = (\n  route: Core.Route,\n  param: string,\n  schema: z.ZodType,\n  matchRoute?: (route: Core.Route) => boolean\n): void => {\n  if (matchRoute && !matchRoute(route)) return;\n  const query = { ...(route.request?.query ?? {}) };\n  if (param in query) {\n    throw new Error(\n      `contentAPI.addQueryParams: param \"${param}\" already exists on route ${route.method} ${route.path}`\n    );\n  }\n  route.request = { ...route.request, query: { ...query, [param]: schema } };\n};\n\nconst mergeOneInputParamIntoRoute = (\n  route: Core.Route,\n  param: string,\n  schema: z.ZodType,\n  matchRoute?: (route: Core.Route) => boolean\n): void => {\n  if (matchRoute && !matchRoute(route)) return;\n  const jsonKey = 'application/json';\n  type RouteBody = NonNullable<NonNullable<Core.Route['request']>['body']>;\n  const body: RouteBody = route.request?.body ? { ...route.request.body } : ({} as RouteBody);\n  const existing = body[jsonKey];\n  const base =\n    existing && typeof existing === 'object' && 'shape' in existing\n      ? (existing as { shape: Record<string, z.ZodType> }).shape\n      : {};\n  if (param in base) {\n    throw new Error(\n      `contentAPI.addInputParams: param \"${param}\" already exists on route ${route.method} ${route.path}`\n    );\n  }\n  body[jsonKey] = z.object({ ...base, [param]: schema }) as RouteBody[keyof RouteBody];\n  route.request = { ...route.request, body };\n};\n\n/** Stored options with schema always resolved (never a function). */\ntype ResolvedQueryParamEntry = {\n  param: string;\n  schema: z.ZodType;\n  matchRoute?: (route: Core.Route) => boolean;\n};\ntype ResolvedInputParamEntry = {\n  param: string;\n  schema: z.ZodType;\n  matchRoute?: (route: Core.Route) => boolean;\n};\n\n/**\n * Create a content API container that holds logic, tools and utils. (eg: permissions, ...)\n */\nconst createContentAPI = (strapi: Core.Strapi) => {\n  const extraQueryParams: ResolvedQueryParamEntry[] = [];\n  const extraInputParams: ResolvedInputParamEntry[] = [];\n\n  const addQueryParam = (options: Modules.ContentAPI.QueryParamEntry & { param: string }) => {\n    const { param, schema: schemaOrFactory, matchRoute } = options;\n    const schema = resolveSchema(schemaOrFactory);\n    assertQueryParamSchema(schema, param);\n    if ((ALLOWED_QUERY_PARAM_KEYS as readonly string[]).includes(param)) {\n      throw new Error(\n        `contentAPI.addQueryParams: param \"${param}\" is reserved by Strapi; use a different name`\n      );\n    }\n    if (extraQueryParams.some((o) => o.param === param)) {\n      throw new Error(`contentAPI.addQueryParams: param \"${param}\" has already been added`);\n    }\n    extraQueryParams.push({ param, schema, matchRoute });\n    // Params are merged into routes when initRouting() runs (applyExtraParamsToRoutes).\n    // We do not merge here: at register() time routes may not exist yet (lazy creation), and\n    // merging here would cause double-merge when initRouting runs and 400 \"invalid param\" or\n    // \"param already exists\" errors.\n  };\n\n  const addInputParam = (options: Modules.ContentAPI.InputParamEntry & { param: string }) => {\n    const { param, schema: schemaOrFactory, matchRoute } = options;\n    const schema = resolveSchema(schemaOrFactory);\n    if ((RESERVED_INPUT_PARAM_KEYS as readonly string[]).includes(param)) {\n      throw new Error(\n        `contentAPI.addInputParams: param \"${param}\" is reserved by Strapi; use a different name`\n      );\n    }\n    if (extraInputParams.some((o) => o.param === param)) {\n      throw new Error(`contentAPI.addInputParams: param \"${param}\" has already been added`);\n    }\n    extraInputParams.push({ param, schema, matchRoute });\n    // Params are merged into routes when initRouting() runs (applyExtraParamsToRoutes).\n  };\n\n  /**\n   * Register extra query params. Keys = param names; values = { schema, matchRoute? }.\n   * Schemas must be Zod scalar or array-of-scalars (enforced at runtime via assertQueryParamSchema).\n   */\n  const addQueryParams = (options: Modules.ContentAPI.AddQueryParamsOptions) => {\n    Object.entries(options).forEach(([param, rest]) => addQueryParam({ param, ...rest }));\n  };\n\n  /**\n   * Register extra input params (root-level body.data). Keys = param names; values = { schema, matchRoute? }.\n   * Any Zod type allowed; enforced at registration time.\n   */\n  const addInputParams = (options: Modules.ContentAPI.AddInputParamsOptions) => {\n    Object.entries(options).forEach(([param, rest]) => addInputParam({ param, ...rest }));\n  };\n\n  /** Merge all registered extra params into the given routes (mutates in place). Called at route registration. Throws if a param key already exists. */\n  const applyExtraParamsToRoutes = (routes: Core.Route[]): void => {\n    routes.forEach((route) => {\n      for (const { param, schema, matchRoute } of extraQueryParams) {\n        mergeOneQueryParamIntoRoute(route, param, schema, matchRoute);\n      }\n      for (const { param, schema, matchRoute } of extraInputParams) {\n        mergeOneInputParamIntoRoute(route, param, schema, matchRoute);\n      }\n    });\n  };\n\n  const getRoutesMap = async () => {\n    const routesMap: Record<string, Core.Route[]> = {};\n\n    _.forEach(strapi.apis, (api, apiName) => {\n      const routes = _.flatMap(api.routes, (route) => {\n        if ('routes' in route) {\n          return route.routes;\n        }\n\n        return route;\n      }).filter(filterContentAPI);\n\n      if (routes.length === 0) {\n        return;\n      }\n\n      const apiPrefix = strapi.config.get('api.rest.prefix');\n      routesMap[`api::${apiName}`] = routes.map((route) => ({\n        ...route,\n        path: `${apiPrefix}${route.path}`,\n      }));\n    });\n\n    _.forEach(strapi.plugins, (plugin, pluginName) => {\n      const transformPrefix = transformRoutePrefixFor(pluginName);\n\n      if (Array.isArray(plugin.routes)) {\n        return plugin.routes.map(transformPrefix).filter(filterContentAPI);\n      }\n\n      const routes = _.flatMap(plugin.routes, (route) => route.routes.map(transformPrefix)).filter(\n        filterContentAPI\n      );\n\n      if (routes.length === 0) {\n        return;\n      }\n\n      const apiPrefix = strapi.config.get('api.rest.prefix');\n      routesMap[`plugin::${pluginName}`] = routes.map((route) => ({\n        ...route,\n        path: `${apiPrefix}${route.path}`,\n      }));\n    });\n\n    return sanitizeRoutesMapForSerialization(routesMap);\n  };\n\n  const sanitizer = sanitize.createAPISanitizers({\n    getModel(uid: string) {\n      return strapi.getModel(uid as UID.Schema);\n    },\n    get sanitizers() {\n      return {\n        input: strapi.sanitizers.get('content-api.input'),\n        output: strapi.sanitizers.get('content-api.output'),\n      };\n    },\n  });\n\n  const validator = validate.createAPIValidators({\n    getModel(uid: string) {\n      return strapi.getModel(uid as UID.Schema);\n    },\n    get validators() {\n      return {\n        input: strapi.validators.get('content-api.input'),\n      };\n    },\n  });\n\n  return {\n    permissions: instantiatePermissionsUtilities(strapi),\n    getRoutesMap,\n    sanitize: sanitizer,\n    validate: validator,\n    addQueryParams,\n    addInputParams,\n    applyExtraParamsToRoutes,\n  };\n};\n\nexport default createContentAPI;\n"],"names":["transformRoutePrefixFor","pluginName","route","prefix","config","path","undefined","filterContentAPI","info","type","ALLOWED_QUERY_SCHEMA_NAMES","Set","assertQueryParamSchema","schema","param","name","has","Error","inner","_def","innerType","element","resolveSchema","schemaOrFactory","z","mergeOneQueryParamIntoRoute","matchRoute","query","request","method","mergeOneInputParamIntoRoute","jsonKey","body","existing","base","shape","object","createContentAPI","strapi","extraQueryParams","extraInputParams","addQueryParam","options","ALLOWED_QUERY_PARAM_KEYS","includes","some","o","push","addInputParam","RESERVED_INPUT_PARAM_KEYS","addQueryParams","Object","entries","forEach","rest","addInputParams","applyExtraParamsToRoutes","routes","getRoutesMap","routesMap","_","apis","api","apiName","flatMap","filter","length","apiPrefix","get","map","plugins","plugin","transformPrefix","Array","isArray","sanitizeRoutesMapForSerialization","sanitizer","sanitize","createAPISanitizers","getModel","uid","sanitizers","input","output","validator","validate","createAPIValidators","validators","permissions","instantiatePermissionsUtilities"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAcA,MAAMA,uBAAAA,GAA0B,CAACC,UAAAA,GAAuB,CAACC,KAAAA,GAAAA;AACvD,QAAA,MAAMC,SAASD,KAAME,CAAAA,MAAM,IAAIF,KAAME,CAAAA,MAAM,CAACD,MAAM;AAClD,QAAA,MAAME,IAAOF,GAAAA,MAAAA,KAAWG,SAAY,GAAA,CAAA,EAAGH,SAASD,KAAMG,CAAAA,IAAI,CAAE,CAAA,GAAG,CAAC,CAAC,EAAEJ,UAAaC,CAAAA,EAAAA,KAAAA,CAAMG,IAAI,CAAE,CAAA;QAE5F,OAAO;AACL,YAAA,GAAGH,KAAK;AACRG,YAAAA;AACF,SAAA;AACF,KAAA;AAEA,MAAME,mBAAmB,CAACL,KAAAA,GAAsBA,MAAMM,IAAI,CAACC,IAAI,KAAK,aAAA;AAEpE;;;;;;;;;IAUA,MAAMC,0BAA6B,GAAA,IAAIC,GAAI,CAAA;AACzC,IAAA,WAAA;AACA,IAAA,WAAA;AACA,IAAA,YAAA;AACA,IAAA,SAAA;AACA,IAAA,aAAA;AACA,IAAA,YAAA;AACA,IAAA;AACD,CAAA,CAAA;AAED,SAASC,sBAAAA,CAAuBC,MAAe,EAAEC,KAAa,EAAA;AAC5D,IAAA,MAAMC,IAAO,GAACF,MAAgD,EAAA,WAAA,EAAaE,IAAQ,IAAA,EAAA;AACnF,IAAA,IAAI,CAACL,0BAAAA,CAA2BM,GAAG,CAACD,IAAO,CAAA,EAAA;QACzC,MAAM,IAAIE,KACR,CAAA,CAAC,kCAAkC,EAAEH,MAAM,mFAAmF,EAAEC,IAAK,CAAA,wCAAwC,CAAC,CAAA;AAElL;IACA,IAAIA,IAAAA,KAAS,aAAiBA,IAAAA,IAAAA,KAAS,YAAc,EAAA;QACnD,MAAMG,KAAAA,GAASL,QAA+CM,IAAMC,EAAAA,SAAAA;QACpE,IAAIF,KAAAA,EAAON,uBAAuBM,KAAOJ,EAAAA,KAAAA,CAAAA;AACzC,QAAA;AACF;AACA,IAAA,IAAIC,SAAS,UAAY,EAAA;QACvB,MAAMM,OAAAA,GAAWR,QAA6CM,IAAME,EAAAA,OAAAA;QACpE,IAAIA,OAAAA,EAAST,uBAAuBS,OAASP,EAAAA,KAAAA,CAAAA;AAC/C;AACF;AAEA,SAASQ,cAAiBC,eAAiD,EAAA;IACzE,IAAI,OAAOA,oBAAoB,UAAY,EAAA;AACzC,QAAA,OAAO,eAAgDC,CAAAA,YAAAA,CAAAA;AACzD;IACA,OAAOD,eAAAA;AACT;AAEA,MAAME,2BAA8B,GAAA,CAClCvB,KACAY,EAAAA,KAAAA,EACAD,MACAa,EAAAA,UAAAA,GAAAA;IAEA,IAAIA,UAAAA,IAAc,CAACA,UAAAA,CAAWxB,KAAQ,CAAA,EAAA;AACtC,IAAA,MAAMyB,KAAQ,GAAA;AAAE,QAAA,GAAIzB,KAAM0B,CAAAA,OAAO,EAAED,KAAAA,IAAS;AAAI,KAAA;AAChD,IAAA,IAAIb,SAASa,KAAO,EAAA;AAClB,QAAA,MAAM,IAAIV,KAAAA,CACR,CAAC,kCAAkC,EAAEH,KAAM,CAAA,0BAA0B,EAAEZ,KAAAA,CAAM2B,MAAM,CAAC,CAAC,EAAE3B,KAAAA,CAAMG,IAAI,CAAE,CAAA,CAAA;AAEvG;AACAH,IAAAA,KAAAA,CAAM0B,OAAO,GAAG;AAAE,QAAA,GAAG1B,MAAM0B,OAAO;QAAED,KAAO,EAAA;AAAE,YAAA,GAAGA,KAAK;AAAE,YAAA,CAACb,QAAQD;AAAO;AAAE,KAAA;AAC3E,CAAA;AAEA,MAAMiB,2BAA8B,GAAA,CAClC5B,KACAY,EAAAA,KAAAA,EACAD,MACAa,EAAAA,UAAAA,GAAAA;IAEA,IAAIA,UAAAA,IAAc,CAACA,UAAAA,CAAWxB,KAAQ,CAAA,EAAA;AACtC,IAAA,MAAM6B,OAAU,GAAA,kBAAA;AAEhB,IAAA,MAAMC,IAAkB9B,GAAAA,KAAAA,CAAM0B,OAAO,EAAEI,IAAO,GAAA;QAAE,GAAG9B,KAAAA,CAAM0B,OAAO,CAACI;AAAK,KAAA,GAAK,EAAC;IAC5E,MAAMC,QAAAA,GAAWD,IAAI,CAACD,OAAQ,CAAA;IAC9B,MAAMG,IAAAA,GACJD,QAAY,IAAA,OAAOA,QAAa,KAAA,QAAA,IAAY,OAAWA,IAAAA,QAAAA,GACnD,QAACA,CAAkDE,KAAK,GACxD,EAAC;AACP,IAAA,IAAIrB,SAASoB,IAAM,EAAA;AACjB,QAAA,MAAM,IAAIjB,KAAAA,CACR,CAAC,kCAAkC,EAAEH,KAAM,CAAA,0BAA0B,EAAEZ,KAAAA,CAAM2B,MAAM,CAAC,CAAC,EAAE3B,KAAAA,CAAMG,IAAI,CAAE,CAAA,CAAA;AAEvG;AACA2B,IAAAA,IAAI,CAACD,OAAAA,CAAQ,GAAGP,YAAAA,CAAEY,MAAM,CAAC;AAAE,QAAA,GAAGF,IAAI;AAAE,QAAA,CAACpB,QAAQD;AAAO,KAAA,CAAA;AACpDX,IAAAA,KAAAA,CAAM0B,OAAO,GAAG;AAAE,QAAA,GAAG1B,MAAM0B,OAAO;AAAEI,QAAAA;AAAK,KAAA;AAC3C,CAAA;AAcA;;IAGA,MAAMK,mBAAmB,CAACC,MAAAA,GAAAA;AACxB,IAAA,MAAMC,mBAA8C,EAAE;AACtD,IAAA,MAAMC,mBAA8C,EAAE;AAEtD,IAAA,MAAMC,gBAAgB,CAACC,OAAAA,GAAAA;QACrB,MAAM,EAAE5B,KAAK,EAAED,MAAAA,EAAQU,eAAe,EAAEG,UAAU,EAAE,GAAGgB,OAAAA;AACvD,QAAA,MAAM7B,SAASS,aAAcC,CAAAA,eAAAA,CAAAA;AAC7BX,QAAAA,sBAAAA,CAAuBC,MAAQC,EAAAA,KAAAA,CAAAA;AAC/B,QAAA,IAAI6B,oCAACA,CAA+CC,QAAQ,CAAC9B,KAAQ,CAAA,EAAA;AACnE,YAAA,MAAM,IAAIG,KACR,CAAA,CAAC,kCAAkC,EAAEH,KAAAA,CAAM,6CAA6C,CAAC,CAAA;AAE7F;QACA,IAAIyB,gBAAAA,CAAiBM,IAAI,CAAC,CAACC,IAAMA,CAAEhC,CAAAA,KAAK,KAAKA,KAAQ,CAAA,EAAA;AACnD,YAAA,MAAM,IAAIG,KAAM,CAAA,CAAC,kCAAkC,EAAEH,KAAAA,CAAM,wBAAwB,CAAC,CAAA;AACtF;AACAyB,QAAAA,gBAAAA,CAAiBQ,IAAI,CAAC;AAAEjC,YAAAA,KAAAA;AAAOD,YAAAA,MAAAA;AAAQa,YAAAA;AAAW,SAAA,CAAA;;;;;AAKpD,KAAA;AAEA,IAAA,MAAMsB,gBAAgB,CAACN,OAAAA,GAAAA;QACrB,MAAM,EAAE5B,KAAK,EAAED,MAAAA,EAAQU,eAAe,EAAEG,UAAU,EAAE,GAAGgB,OAAAA;AACvD,QAAA,MAAM7B,SAASS,aAAcC,CAAAA,eAAAA,CAAAA;AAC7B,QAAA,IAAI0B,qCAACA,CAAgDL,QAAQ,CAAC9B,KAAQ,CAAA,EAAA;AACpE,YAAA,MAAM,IAAIG,KACR,CAAA,CAAC,kCAAkC,EAAEH,KAAAA,CAAM,6CAA6C,CAAC,CAAA;AAE7F;QACA,IAAI0B,gBAAAA,CAAiBK,IAAI,CAAC,CAACC,IAAMA,CAAEhC,CAAAA,KAAK,KAAKA,KAAQ,CAAA,EAAA;AACnD,YAAA,MAAM,IAAIG,KAAM,CAAA,CAAC,kCAAkC,EAAEH,KAAAA,CAAM,wBAAwB,CAAC,CAAA;AACtF;AACA0B,QAAAA,gBAAAA,CAAiBO,IAAI,CAAC;AAAEjC,YAAAA,KAAAA;AAAOD,YAAAA,MAAAA;AAAQa,YAAAA;AAAW,SAAA,CAAA;;AAEpD,KAAA;AAEA;;;MAIA,MAAMwB,iBAAiB,CAACR,OAAAA,GAAAA;QACtBS,MAAOC,CAAAA,OAAO,CAACV,OAAAA,CAAAA,CAASW,OAAO,CAAC,CAAC,CAACvC,KAAAA,EAAOwC,IAAK,CAAA,GAAKb,aAAc,CAAA;AAAE3B,gBAAAA,KAAAA;AAAO,gBAAA,GAAGwC;AAAK,aAAA,CAAA,CAAA;AACpF,KAAA;AAEA;;;MAIA,MAAMC,iBAAiB,CAACb,OAAAA,GAAAA;QACtBS,MAAOC,CAAAA,OAAO,CAACV,OAAAA,CAAAA,CAASW,OAAO,CAAC,CAAC,CAACvC,KAAAA,EAAOwC,IAAK,CAAA,GAAKN,aAAc,CAAA;AAAElC,gBAAAA,KAAAA;AAAO,gBAAA,GAAGwC;AAAK,aAAA,CAAA,CAAA;AACpF,KAAA;2JAGA,MAAME,wBAAAA,GAA2B,CAACC,MAAAA,GAAAA;QAChCA,MAAOJ,CAAAA,OAAO,CAAC,CAACnD,KAAAA,GAAAA;YACd,KAAK,MAAM,EAAEY,KAAK,EAAED,MAAM,EAAEa,UAAU,EAAE,IAAIa,gBAAkB,CAAA;gBAC5Dd,2BAA4BvB,CAAAA,KAAAA,EAAOY,OAAOD,MAAQa,EAAAA,UAAAA,CAAAA;AACpD;YACA,KAAK,MAAM,EAAEZ,KAAK,EAAED,MAAM,EAAEa,UAAU,EAAE,IAAIc,gBAAkB,CAAA;gBAC5DV,2BAA4B5B,CAAAA,KAAAA,EAAOY,OAAOD,MAAQa,EAAAA,UAAAA,CAAAA;AACpD;AACF,SAAA,CAAA;AACF,KAAA;AAEA,IAAA,MAAMgC,YAAe,GAAA,UAAA;AACnB,QAAA,MAAMC,YAA0C,EAAC;AAEjDC,QAAAA,CAAAA,CAAEP,OAAO,CAACf,MAAAA,CAAOuB,IAAI,EAAE,CAACC,GAAKC,EAAAA,OAAAA,GAAAA;AAC3B,YAAA,MAAMN,SAASG,CAAEI,CAAAA,OAAO,CAACF,GAAIL,CAAAA,MAAM,EAAE,CAACvD,KAAAA,GAAAA;AACpC,gBAAA,IAAI,YAAYA,KAAO,EAAA;AACrB,oBAAA,OAAOA,MAAMuD,MAAM;AACrB;gBAEA,OAAOvD,KAAAA;AACT,aAAA,CAAA,CAAG+D,MAAM,CAAC1D,gBAAAA,CAAAA;YAEV,IAAIkD,MAAAA,CAAOS,MAAM,KAAK,CAAG,EAAA;AACvB,gBAAA;AACF;AAEA,YAAA,MAAMC,SAAY7B,GAAAA,MAAAA,CAAOlC,MAAM,CAACgE,GAAG,CAAC,iBAAA,CAAA;AACpCT,YAAAA,SAAS,CAAC,CAAC,KAAK,EAAEI,OAAS,CAAA,CAAA,CAAC,GAAGN,MAAAA,CAAOY,GAAG,CAAC,CAACnE,KAAAA,IAAW;AACpD,oBAAA,GAAGA,KAAK;AACRG,oBAAAA,IAAAA,EAAM,CAAG8D,EAAAA,SAAAA,CAAAA,EAAYjE,KAAMG,CAAAA,IAAI,CAAE;iBACnC,CAAA,CAAA;AACF,SAAA,CAAA;AAEAuD,QAAAA,CAAAA,CAAEP,OAAO,CAACf,MAAAA,CAAOgC,OAAO,EAAE,CAACC,MAAQtE,EAAAA,UAAAA,GAAAA;AACjC,YAAA,MAAMuE,kBAAkBxE,uBAAwBC,CAAAA,UAAAA,CAAAA;AAEhD,YAAA,IAAIwE,KAAMC,CAAAA,OAAO,CAACH,MAAAA,CAAOd,MAAM,CAAG,EAAA;AAChC,gBAAA,OAAOc,OAAOd,MAAM,CAACY,GAAG,CAACG,eAAAA,CAAAA,CAAiBP,MAAM,CAAC1D,gBAAAA,CAAAA;AACnD;AAEA,YAAA,MAAMkD,SAASG,CAAEI,CAAAA,OAAO,CAACO,MAAAA,CAAOd,MAAM,EAAE,CAACvD,KAAUA,GAAAA,KAAAA,CAAMuD,MAAM,CAACY,GAAG,CAACG,eAAAA,CAAAA,CAAAA,CAAkBP,MAAM,CAC1F1D,gBAAAA,CAAAA;YAGF,IAAIkD,MAAAA,CAAOS,MAAM,KAAK,CAAG,EAAA;AACvB,gBAAA;AACF;AAEA,YAAA,MAAMC,SAAY7B,GAAAA,MAAAA,CAAOlC,MAAM,CAACgE,GAAG,CAAC,iBAAA,CAAA;AACpCT,YAAAA,SAAS,CAAC,CAAC,QAAQ,EAAE1D,UAAY,CAAA,CAAA,CAAC,GAAGwD,MAAAA,CAAOY,GAAG,CAAC,CAACnE,KAAAA,IAAW;AAC1D,oBAAA,GAAGA,KAAK;AACRG,oBAAAA,IAAAA,EAAM,CAAG8D,EAAAA,SAAAA,CAAAA,EAAYjE,KAAMG,CAAAA,IAAI,CAAE;iBACnC,CAAA,CAAA;AACF,SAAA,CAAA;AAEA,QAAA,OAAOsE,6CAAkChB,CAAAA,SAAAA,CAAAA;AAC3C,KAAA;IAEA,MAAMiB,SAAAA,GAAYC,oBAASC,CAAAA,mBAAmB,CAAC;AAC7CC,QAAAA,QAAAA,CAAAA,CAASC,GAAW,EAAA;YAClB,OAAO1C,MAAAA,CAAOyC,QAAQ,CAACC,GAAAA,CAAAA;AACzB,SAAA;AACA,QAAA,IAAIC,UAAa,CAAA,GAAA;YACf,OAAO;AACLC,gBAAAA,KAAAA,EAAO5C,MAAO2C,CAAAA,UAAU,CAACb,GAAG,CAAC,mBAAA,CAAA;AAC7Be,gBAAAA,MAAAA,EAAQ7C,MAAO2C,CAAAA,UAAU,CAACb,GAAG,CAAC,oBAAA;AAChC,aAAA;AACF;AACF,KAAA,CAAA;IAEA,MAAMgB,SAAAA,GAAYC,oBAASC,CAAAA,mBAAmB,CAAC;AAC7CP,QAAAA,QAAAA,CAAAA,CAASC,GAAW,EAAA;YAClB,OAAO1C,MAAAA,CAAOyC,QAAQ,CAACC,GAAAA,CAAAA;AACzB,SAAA;AACA,QAAA,IAAIO,UAAa,CAAA,GAAA;YACf,OAAO;AACLL,gBAAAA,KAAAA,EAAO5C,MAAOiD,CAAAA,UAAU,CAACnB,GAAG,CAAC,mBAAA;AAC/B,aAAA;AACF;AACF,KAAA,CAAA;IAEA,OAAO;AACLoB,QAAAA,WAAAA,EAAaC,KAAgCnD,CAAAA,MAAAA,CAAAA;AAC7CoB,QAAAA,YAAAA;QACAmB,QAAUD,EAAAA,SAAAA;QACVS,QAAUD,EAAAA,SAAAA;AACVlC,QAAAA,cAAAA;AACAK,QAAAA,cAAAA;AACAC,QAAAA;AACF,KAAA;AACF;;;;"}

package/dist/services/content-api/index.mjs

@@ -1,5 +1,6 @@
 import _ from 'lodash';
-import { sanitize, validate, sanitizeRoutesMapForSerialization } from '@strapi/utils';
+import { sanitize, validate, sanitizeRoutesMapForSerialization, ALLOWED_QUERY_PARAM_KEYS, RESERVED_INPUT_PARAM_KEYS } from '@strapi/utils';
+import * as z from 'zod/v4';
 import instantiatePermissionsUtilities from './permissions/index.mjs';
 
 const transformRoutePrefixFor = (pluginName)=>(route)=>{
@@ -11,9 +12,150 @@ const transformRoutePrefixFor = (pluginName)=>(route)=>{
         };
     };
 const filterContentAPI = (route)=>route.info.type === 'content-api';
+/**
+ * Runtime check for addQueryParams: we only allow scalar or array-of-scalar schemas (no nested objects).
+ * We keep this in addition to the ZodQueryParamSchema type because: (1) TypeScript can be bypassed (JS,
+ * any, or schema from another Zod instance); (2) it gives a clear, immediate error at registration
+ * time instead of a later failure in validate/sanitize. This list is intentionally tied to Zod v4
+ * constructor names; if Zod changes internals, this may need updating.
+ * Compatibility: Zod 3 and Zod 4 Classic (zod/v4) both use these constructor names and
+ * expose ._def with .innerType / .element for Optional/Default/Array. Zod 4 Core/Mini use
+ * ._zod.def instead; we only accept schemas from the same zod/v4 instance used here.
+ */ const ALLOWED_QUERY_SCHEMA_NAMES = new Set([
+    'ZodString',
+    'ZodNumber',
+    'ZodBoolean',
+    'ZodEnum',
+    'ZodOptional',
+    'ZodDefault',
+    'ZodArray'
+]);
+function assertQueryParamSchema(schema, param) {
+    const name = schema?.constructor?.name ?? '';
+    if (!ALLOWED_QUERY_SCHEMA_NAMES.has(name)) {
+        throw new Error(`contentAPI.addQueryParams: param "${param}" schema must be a scalar (string, number, boolean, enum) or array of scalars; got ${name}. Use addInputParams for nested objects.`);
+    }
+    if (name === 'ZodOptional' || name === 'ZodDefault') {
+        const inner = schema?._def?.innerType;
+        if (inner) assertQueryParamSchema(inner, param);
+        return;
+    }
+    if (name === 'ZodArray') {
+        const element = schema?._def?.element;
+        if (element) assertQueryParamSchema(element, param);
+    }
+}
+function resolveSchema(schemaOrFactory) {
+    if (typeof schemaOrFactory === 'function') {
+        return schemaOrFactory(z);
+    }
+    return schemaOrFactory;
+}
+const mergeOneQueryParamIntoRoute = (route, param, schema, matchRoute)=>{
+    if (matchRoute && !matchRoute(route)) return;
+    const query = {
+        ...route.request?.query ?? {}
+    };
+    if (param in query) {
+        throw new Error(`contentAPI.addQueryParams: param "${param}" already exists on route ${route.method} ${route.path}`);
+    }
+    route.request = {
+        ...route.request,
+        query: {
+            ...query,
+            [param]: schema
+        }
+    };
+};
+const mergeOneInputParamIntoRoute = (route, param, schema, matchRoute)=>{
+    if (matchRoute && !matchRoute(route)) return;
+    const jsonKey = 'application/json';
+    const body = route.request?.body ? {
+        ...route.request.body
+    } : {};
+    const existing = body[jsonKey];
+    const base = existing && typeof existing === 'object' && 'shape' in existing ? existing.shape : {};
+    if (param in base) {
+        throw new Error(`contentAPI.addInputParams: param "${param}" already exists on route ${route.method} ${route.path}`);
+    }
+    body[jsonKey] = z.object({
+        ...base,
+        [param]: schema
+    });
+    route.request = {
+        ...route.request,
+        body
+    };
+};
 /**
  * Create a content API container that holds logic, tools and utils. (eg: permissions, ...)
  */ const createContentAPI = (strapi)=>{
+    const extraQueryParams = [];
+    const extraInputParams = [];
+    const addQueryParam = (options)=>{
+        const { param, schema: schemaOrFactory, matchRoute } = options;
+        const schema = resolveSchema(schemaOrFactory);
+        assertQueryParamSchema(schema, param);
+        if (ALLOWED_QUERY_PARAM_KEYS.includes(param)) {
+            throw new Error(`contentAPI.addQueryParams: param "${param}" is reserved by Strapi; use a different name`);
+        }
+        if (extraQueryParams.some((o)=>o.param === param)) {
+            throw new Error(`contentAPI.addQueryParams: param "${param}" has already been added`);
+        }
+        extraQueryParams.push({
+            param,
+            schema,
+            matchRoute
+        });
+    // Params are merged into routes when initRouting() runs (applyExtraParamsToRoutes).
+    // We do not merge here: at register() time routes may not exist yet (lazy creation), and
+    // merging here would cause double-merge when initRouting runs and 400 "invalid param" or
+    // "param already exists" errors.
+    };
+    const addInputParam = (options)=>{
+        const { param, schema: schemaOrFactory, matchRoute } = options;
+        const schema = resolveSchema(schemaOrFactory);
+        if (RESERVED_INPUT_PARAM_KEYS.includes(param)) {
+            throw new Error(`contentAPI.addInputParams: param "${param}" is reserved by Strapi; use a different name`);
+        }
+        if (extraInputParams.some((o)=>o.param === param)) {
+            throw new Error(`contentAPI.addInputParams: param "${param}" has already been added`);
+        }
+        extraInputParams.push({
+            param,
+            schema,
+            matchRoute
+        });
+    // Params are merged into routes when initRouting() runs (applyExtraParamsToRoutes).
+    };
+    /**
+   * Register extra query params. Keys = param names; values = { schema, matchRoute? }.
+   * Schemas must be Zod scalar or array-of-scalars (enforced at runtime via assertQueryParamSchema).
+   */ const addQueryParams = (options)=>{
+        Object.entries(options).forEach(([param, rest])=>addQueryParam({
+                param,
+                ...rest
+            }));
+    };
+    /**
+   * Register extra input params (root-level body.data). Keys = param names; values = { schema, matchRoute? }.
+   * Any Zod type allowed; enforced at registration time.
+   */ const addInputParams = (options)=>{
+        Object.entries(options).forEach(([param, rest])=>addInputParam({
+                param,
+                ...rest
+            }));
+    };
+    /** Merge all registered extra params into the given routes (mutates in place). Called at route registration. Throws if a param key already exists. */ const applyExtraParamsToRoutes = (routes)=>{
+        routes.forEach((route)=>{
+            for (const { param, schema, matchRoute } of extraQueryParams){
+                mergeOneQueryParamIntoRoute(route, param, schema, matchRoute);
+            }
+            for (const { param, schema, matchRoute } of extraInputParams){
+                mergeOneInputParamIntoRoute(route, param, schema, matchRoute);
+            }
+        });
+    };
     const getRoutesMap = async ()=>{
         const routesMap = {};
         _.forEach(strapi.apis, (api, apiName)=>{
@@ -53,7 +195,6 @@ const filterContentAPI = (route)=>route.info.type === 'content-api';
         getModel (uid) {
             return strapi.getModel(uid);
         },
-        // NOTE: use lazy access to allow registration of sanitizers after the creation of the container
         get sanitizers () {
             return {
                 input: strapi.sanitizers.get('content-api.input'),
@@ -65,7 +206,6 @@ const filterContentAPI = (route)=>route.info.type === 'content-api';
         getModel (uid) {
             return strapi.getModel(uid);
         },
-        // NOTE: use lazy access to allow registration of validators after the creation of the container
         get validators () {
             return {
                 input: strapi.validators.get('content-api.input')
@@ -76,7 +216,10 @@ const filterContentAPI = (route)=>route.info.type === 'content-api';
         permissions: instantiatePermissionsUtilities(strapi),
         getRoutesMap,
         sanitize: sanitizer,
-        validate: validator
+        validate: validator,
+        addQueryParams,
+        addInputParams,
+        applyExtraParamsToRoutes
     };
 };