@typicalday/firegraph 0.1.0 → 0.2.0

package/dist/index.cjs

@@ -31,6 +31,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var index_exports = {};
 __export(index_exports, {
   BOOTSTRAP_ENTRIES: () => BOOTSTRAP_ENTRIES,
+  DEFAULT_QUERY_LIMIT: () => DEFAULT_QUERY_LIMIT,
   DiscoveryError: () => DiscoveryError,
   DynamicRegistryError: () => DynamicRegistryError,
   EDGE_TYPE_SCHEMA: () => EDGE_TYPE_SCHEMA,
@@ -43,9 +44,12 @@ __export(index_exports, {
   NodeNotFoundError: () => NodeNotFoundError,
   QueryClient: () => QueryClient,
   QueryClientError: () => QueryClientError,
+  QuerySafetyError: () => QuerySafetyError,
+  RegistryScopeError: () => RegistryScopeError,
   RegistryViolationError: () => RegistryViolationError,
   TraversalError: () => TraversalError,
   ValidationError: () => ValidationError,
+  analyzeQuerySafety: () => analyzeQuerySafety,
   buildEdgeQueryPlan: () => buildEdgeQueryPlan,
   buildEdgeRecord: () => buildEdgeRecord,
   buildNodeQueryPlan: () => buildNodeQueryPlan,
@@ -63,8 +67,11 @@ __export(index_exports, {
   discoverEntities: () => discoverEntities,
   generateDeterministicUid: () => generateDeterministicUid,
   generateId: () => generateId,
+  generateIndexConfig: () => generateIndexConfig,
   generateTypes: () => generateTypes,
   jsonSchemaToFieldMeta: () => jsonSchemaToFieldMeta,
+  matchScope: () => matchScope,
+  matchScopeAny: () => matchScopeAny,
   resolveView: () => resolveView
 });
 module.exports = __toCommonJS(index_exports);
@@ -77,6 +84,16 @@ var import_node_crypto = require("crypto");
 
 // src/internal/constants.ts
 var NODE_RELATION = "is";
+var DEFAULT_QUERY_LIMIT = 500;
+var BUILTIN_FIELDS = /* @__PURE__ */ new Set([
+  "aType",
+  "aUid",
+  "axbType",
+  "bType",
+  "bUid",
+  "createdAt",
+  "updatedAt"
+]);
 var SHARD_SEPARATOR = ":";
 
 // src/docid.ts
@@ -173,6 +190,21 @@ var DynamicRegistryError = class extends FiregraphError {
     this.name = "DynamicRegistryError";
   }
 };
+var QuerySafetyError = class extends FiregraphError {
+  constructor(message) {
+    super(message, "QUERY_SAFETY");
+    this.name = "QuerySafetyError";
+  }
+};
+var RegistryScopeError = class extends FiregraphError {
+  constructor(aType, axbType, bType, scopePath, allowedIn) {
+    super(
+      `Type (${aType}) -[${axbType}]-> (${bType}) is not allowed at scope "${scopePath || "root"}". Allowed in: [${allowedIn.join(", ")}]`,
+      "REGISTRY_SCOPE"
+    );
+    this.name = "RegistryScopeError";
+  }
+};
 
 // src/query.ts
 function buildEdgeQueryPlan(params) {
@@ -186,27 +218,32 @@ function buildEdgeQueryPlan(params) {
   if (axbType) filters.push({ field: "axbType", op: "==", value: axbType });
   if (bType) filters.push({ field: "bType", op: "==", value: bType });
   if (bUid) filters.push({ field: "bUid", op: "==", value: bUid });
-  const builtinFields = ["aType", "aUid", "axbType", "bType", "bUid", "createdAt", "updatedAt"];
   if (params.where) {
     for (const clause of params.where) {
-      const field = builtinFields.includes(clause.field) ? clause.field : clause.field.startsWith("data.") ? clause.field : `data.${clause.field}`;
+      const field = BUILTIN_FIELDS.has(clause.field) ? clause.field : clause.field.startsWith("data.") ? clause.field : `data.${clause.field}`;
       filters.push({ field, op: clause.op, value: clause.value });
     }
   }
   if (filters.length === 0) {
     throw new InvalidQueryError("findEdges requires at least one filter parameter");
   }
-  const options = limit !== void 0 || orderBy ? { limit, orderBy } : void 0;
-  return { strategy: "query", filters, options };
+  const effectiveLimit = limit === void 0 ? DEFAULT_QUERY_LIMIT : limit || void 0;
+  return { strategy: "query", filters, options: { limit: effectiveLimit, orderBy } };
 }
 function buildNodeQueryPlan(params) {
-  return {
-    strategy: "query",
-    filters: [
-      { field: "aType", op: "==", value: params.aType },
-      { field: "axbType", op: "==", value: NODE_RELATION }
-    ]
-  };
+  const { aType, limit, orderBy } = params;
+  const filters = [
+    { field: "aType", op: "==", value: aType },
+    { field: "axbType", op: "==", value: NODE_RELATION }
+  ];
+  if (params.where) {
+    for (const clause of params.where) {
+      const field = BUILTIN_FIELDS.has(clause.field) ? clause.field : clause.field.startsWith("data.") ? clause.field : `data.${clause.field}`;
+      filters.push({ field, op: clause.op, value: clause.value });
+    }
+  }
+  const effectiveLimit = limit === void 0 ? DEFAULT_QUERY_LIMIT : limit || void 0;
+  return { strategy: "query", filters, options: { limit: effectiveLimit, orderBy } };
 }
 
 // src/internal/firestore-adapter.ts
@@ -359,10 +396,62 @@ function createPipelineQueryAdapter(db, collectionPath) {
 
 // src/transaction.ts
 var import_firestore2 = require("@google-cloud/firestore");
+
+// src/query-safety.ts
+var SAFE_INDEX_PATTERNS = [
+  /* @__PURE__ */ new Set(["aUid", "axbType"]),
+  /* @__PURE__ */ new Set(["axbType", "bUid"]),
+  /* @__PURE__ */ new Set(["aType", "axbType"]),
+  /* @__PURE__ */ new Set(["axbType", "bType"])
+];
+function analyzeQuerySafety(filters) {
+  const builtinFieldsPresent = /* @__PURE__ */ new Set();
+  let hasDataFilters = false;
+  for (const f of filters) {
+    if (BUILTIN_FIELDS.has(f.field)) {
+      builtinFieldsPresent.add(f.field);
+    } else {
+      hasDataFilters = true;
+    }
+  }
+  for (const pattern of SAFE_INDEX_PATTERNS) {
+    let matched = true;
+    for (const field of pattern) {
+      if (!builtinFieldsPresent.has(field)) {
+        matched = false;
+        break;
+      }
+    }
+    if (matched) {
+      return { safe: true };
+    }
+  }
+  const presentFields = [...builtinFieldsPresent];
+  if (presentFields.length === 0 && hasDataFilters) {
+    return {
+      safe: false,
+      reason: "Query filters only use data.* fields with no builtin field constraints. This requires a full collection scan. Add aType, aUid, axbType, bType, or bUid filters, or set allowCollectionScan: true."
+    };
+  }
+  if (hasDataFilters) {
+    return {
+      safe: false,
+      reason: `Query filters on [${presentFields.join(", ")}] do not match any indexed pattern. data.* filters without an indexed base require a full collection scan. Safe patterns: (aUid + axbType), (axbType + bUid), (aType + axbType), (axbType + bType). Set allowCollectionScan: true to override.`
+    };
+  }
+  return {
+    safe: false,
+    reason: `Query filters on [${presentFields.join(", ")}] do not match any indexed pattern. This may cause a full collection scan on Firestore Enterprise. Safe patterns: (aUid + axbType), (axbType + bUid), (aType + axbType), (axbType + bType). Set allowCollectionScan: true to override.`
+  };
+}
+
+// src/transaction.ts
 var GraphTransactionImpl = class {
-  constructor(adapter, registry) {
+  constructor(adapter, registry, scanProtection = "error", scopePath = "") {
     this.adapter = adapter;
     this.registry = registry;
+    this.scanProtection = scanProtection;
+    this.scopePath = scopePath;
   }
   async getNode(uid) {
     const docId = computeNodeDocId(uid);
@@ -376,12 +465,22 @@ var GraphTransactionImpl = class {
     const record = await this.getEdge(aUid, axbType, bUid);
     return record !== null;
   }
+  checkQuerySafety(filters, allowCollectionScan) {
+    if (allowCollectionScan || this.scanProtection === "off") return;
+    const result = analyzeQuerySafety(filters);
+    if (result.safe) return;
+    if (this.scanProtection === "error") {
+      throw new QuerySafetyError(result.reason);
+    }
+    console.warn(`[firegraph] Query safety warning: ${result.reason}`);
+  }
   async findEdges(params) {
     const plan = buildEdgeQueryPlan(params);
     if (plan.strategy === "get") {
       const record = await this.adapter.getDoc(plan.docId);
       return record ? [record] : [];
     }
+    this.checkQuerySafety(plan.filters, params.allowCollectionScan);
     return this.adapter.query(plan.filters, plan.options);
   }
   async findNodes(params) {
@@ -390,11 +489,12 @@ var GraphTransactionImpl = class {
       const record = await this.adapter.getDoc(plan.docId);
       return record ? [record] : [];
     }
+    this.checkQuerySafety(plan.filters, params.allowCollectionScan);
     return this.adapter.query(plan.filters, plan.options);
   }
   async putNode(aType, uid, data) {
     if (this.registry) {
-      this.registry.validate(aType, NODE_RELATION, aType, data);
+      this.registry.validate(aType, NODE_RELATION, aType, data, this.scopePath);
     }
     const docId = computeNodeDocId(uid);
     const record = buildNodeRecord(aType, uid, data);
@@ -402,7 +502,7 @@ var GraphTransactionImpl = class {
   }
   async putEdge(aType, aUid, axbType, bType, bUid, data) {
     if (this.registry) {
-      this.registry.validate(aType, axbType, bType, data);
+      this.registry.validate(aType, axbType, bType, data, this.scopePath);
     }
     const docId = computeEdgeDocId(aUid, axbType, bUid);
     const record = buildEdgeRecord(aType, aUid, axbType, bType, bUid, data);
@@ -428,13 +528,14 @@ var GraphTransactionImpl = class {
 // src/batch.ts
 var import_firestore3 = require("@google-cloud/firestore");
 var GraphBatchImpl = class {
-  constructor(adapter, registry) {
+  constructor(adapter, registry, scopePath = "") {
     this.adapter = adapter;
     this.registry = registry;
+    this.scopePath = scopePath;
   }
   async putNode(aType, uid, data) {
     if (this.registry) {
-      this.registry.validate(aType, NODE_RELATION, aType, data);
+      this.registry.validate(aType, NODE_RELATION, aType, data, this.scopePath);
     }
     const docId = computeNodeDocId(uid);
     const record = buildNodeRecord(aType, uid, data);
@@ -442,7 +543,7 @@ var GraphBatchImpl = class {
   }
   async putEdge(aType, aUid, axbType, bType, bUid, data) {
     if (this.registry) {
-      this.registry.validate(aType, axbType, bType, data);
+      this.registry.validate(aType, axbType, bType, data, this.scopePath);
     }
     const docId = computeEdgeDocId(aUid, axbType, bUid);
     const record = buildEdgeRecord(aType, aUid, axbType, bType, bUid, data);
@@ -534,14 +635,39 @@ async function bulkDeleteDocIds(db, collectionPath, docIds, options) {
   return { deleted, batches: completedBatches, errors };
 }
 async function bulkRemoveEdges(db, collectionPath, reader, params, options) {
-  const edges = await reader.findEdges(params);
+  const effectiveParams = params.limit !== void 0 ? { ...params, allowCollectionScan: params.allowCollectionScan ?? true } : { ...params, limit: 0, allowCollectionScan: params.allowCollectionScan ?? true };
+  const edges = await reader.findEdges(effectiveParams);
   const docIds = edges.map((e) => computeEdgeDocId(e.aUid, e.axbType, e.bUid));
   return bulkDeleteDocIds(db, collectionPath, docIds, options);
 }
+async function deleteSubcollectionsRecursive(db, collectionPath, docId, options) {
+  const docRef = db.collection(collectionPath).doc(docId);
+  const subcollections = await docRef.listCollections();
+  if (subcollections.length === 0) return { deleted: 0, errors: [] };
+  let totalDeleted = 0;
+  const allErrors = [];
+  const subOptions = options ? { batchSize: options.batchSize, maxRetries: options.maxRetries } : void 0;
+  for (const subCollRef of subcollections) {
+    const subCollPath = subCollRef.path;
+    const snapshot = await subCollRef.select().get();
+    const subDocIds = snapshot.docs.map((d) => d.id);
+    for (const subDocId of subDocIds) {
+      const subResult = await deleteSubcollectionsRecursive(db, subCollPath, subDocId, subOptions);
+      totalDeleted += subResult.deleted;
+      allErrors.push(...subResult.errors);
+    }
+    if (subDocIds.length > 0) {
+      const result = await bulkDeleteDocIds(db, subCollPath, subDocIds, subOptions);
+      totalDeleted += result.deleted;
+      allErrors.push(...result.errors);
+    }
+  }
+  return { deleted: totalDeleted, errors: allErrors };
+}
 async function removeNodeCascade(db, collectionPath, reader, uid, options) {
   const [outgoingRaw, incomingRaw] = await Promise.all([
-    reader.findEdges({ aUid: uid }),
-    reader.findEdges({ bUid: uid })
+    reader.findEdges({ aUid: uid, allowCollectionScan: true, limit: 0 }),
+    reader.findEdges({ bUid: uid, allowCollectionScan: true, limit: 0 })
   ]);
   const outgoing = outgoingRaw.filter((e) => e.axbType !== NODE_RELATION);
   const incoming = incomingRaw.filter((e) => e.axbType !== NODE_RELATION);
@@ -554,8 +680,18 @@ async function removeNodeCascade(db, collectionPath, reader, uid, options) {
       allEdges.push(edge);
     }
   }
-  const edgeDocIds = allEdges.map((e) => computeEdgeDocId(e.aUid, e.axbType, e.bUid));
+  const shouldDeleteSubcollections = options?.deleteSubcollections !== false;
   const nodeDocId = computeNodeDocId(uid);
+  let subcollectionResult = { deleted: 0, errors: [] };
+  if (shouldDeleteSubcollections) {
+    subcollectionResult = await deleteSubcollectionsRecursive(
+      db,
+      collectionPath,
+      nodeDocId,
+      options
+    );
+  }
+  const edgeDocIds = allEdges.map((e) => computeEdgeDocId(e.aUid, e.axbType, e.bUid));
   const allDocIds = [...edgeDocIds, nodeDocId];
   const batchSize = Math.min(options?.batchSize ?? MAX_BATCH_SIZE, MAX_BATCH_SIZE);
   const result = await bulkDeleteDocIds(db, collectionPath, allDocIds, {
@@ -565,9 +701,12 @@ async function removeNodeCascade(db, collectionPath, reader, uid, options) {
   const totalChunks = Math.ceil(allDocIds.length / batchSize);
   const nodeChunkIndex = totalChunks - 1;
   const nodeDeleted = !result.errors.some((e) => e.batchIndex === nodeChunkIndex);
+  const topLevelEdgesDeleted = nodeDeleted ? result.deleted - 1 : result.deleted;
   return {
-    ...result,
-    edgesDeleted: nodeDeleted ? result.deleted - 1 : result.deleted,
+    deleted: result.deleted + subcollectionResult.deleted,
+    batches: result.batches,
+    errors: [...result.errors, ...subcollectionResult.errors],
+    edgesDeleted: topLevelEdgesDeleted,
     nodeDeleted
   };
 }
@@ -667,6 +806,39 @@ function propertyToFieldMeta(name, prop, required) {
   return { name, type: "unknown", required, description: prop.description };
 }
 
+// src/scope.ts
+function matchScope(scopePath, pattern) {
+  if (pattern === "root") return scopePath === "";
+  if (pattern === "**") return true;
+  const pathSegments = scopePath === "" ? [] : scopePath.split("/");
+  const patternSegments = pattern.split("/");
+  return matchSegments(pathSegments, 0, patternSegments, 0);
+}
+function matchScopeAny(scopePath, patterns) {
+  if (!patterns || patterns.length === 0) return true;
+  return patterns.some((p) => matchScope(scopePath, p));
+}
+function matchSegments(path, pi, pattern, qi) {
+  if (pi === path.length && qi === pattern.length) return true;
+  if (qi === pattern.length) return false;
+  const seg = pattern[qi];
+  if (seg === "**") {
+    if (qi === pattern.length - 1) return true;
+    for (let skip = 0; skip <= path.length - pi; skip++) {
+      if (matchSegments(path, pi + skip, pattern, qi + 1)) return true;
+    }
+    return false;
+  }
+  if (pi === path.length) return false;
+  if (seg === "*") {
+    return matchSegments(path, pi + 1, pattern, qi + 1);
+  }
+  if (path[pi] === seg) {
+    return matchSegments(path, pi + 1, pattern, qi + 1);
+  }
+  return false;
+}
+
 // src/registry.ts
 function tripleKey(aType, axbType, bType) {
   return `${aType}:${axbType}:${bType}`;
@@ -689,11 +861,16 @@ function createRegistry(input) {
     lookup(aType, axbType, bType) {
       return map.get(tripleKey(aType, axbType, bType))?.entry;
     },
-    validate(aType, axbType, bType, data) {
+    validate(aType, axbType, bType, data, scopePath) {
       const rec = map.get(tripleKey(aType, axbType, bType));
       if (!rec) {
         throw new RegistryViolationError(aType, axbType, bType);
       }
+      if (scopePath !== void 0 && rec.entry.allowedIn && rec.entry.allowedIn.length > 0) {
+        if (!matchScopeAny(scopePath, rec.entry.allowedIn)) {
+          throw new RegistryScopeError(aType, axbType, bType, scopePath, rec.entry.allowedIn);
+        }
+      }
       if (rec.validate) {
         try {
           rec.validate(data);
@@ -721,7 +898,8 @@ function discoveryToEntries(discovery) {
       jsonSchema: entity.schema,
       description: entity.description,
       titleField: entity.titleField,
-      subtitleField: entity.subtitleField
+      subtitleField: entity.subtitleField,
+      allowedIn: entity.allowedIn
     });
   }
   for (const [axbType, entity] of discovery.edges) {
@@ -739,7 +917,8 @@ function discoveryToEntries(discovery) {
           description: entity.description,
           inverseLabel: topology.inverseLabel,
           titleField: entity.titleField,
-          subtitleField: entity.subtitleField
+          subtitleField: entity.subtitleField,
+          allowedIn: entity.allowedIn
         });
       }
     }
@@ -760,7 +939,8 @@ var NODE_TYPE_SCHEMA = {
     titleField: { type: "string" },
     subtitleField: { type: "string" },
     viewTemplate: { type: "string" },
-    viewCss: { type: "string" }
+    viewCss: { type: "string" },
+    allowedIn: { type: "array", items: { type: "string", minLength: 1 } }
   },
   additionalProperties: false
 };
@@ -787,7 +967,8 @@ var EDGE_TYPE_SCHEMA = {
     titleField: { type: "string" },
     subtitleField: { type: "string" },
     viewTemplate: { type: "string" },
-    viewCss: { type: "string" }
+    viewCss: { type: "string" },
+    allowedIn: { type: "array", items: { type: "string", minLength: 1 } }
   },
   additionalProperties: false
 };
@@ -829,7 +1010,8 @@ async function createRegistryFromGraph(reader) {
       jsonSchema: data.jsonSchema,
       description: data.description,
       titleField: data.titleField,
-      subtitleField: data.subtitleField
+      subtitleField: data.subtitleField,
+      allowedIn: data.allowedIn
     });
   }
   for (const record of edgeTypes) {
@@ -846,7 +1028,8 @@ async function createRegistryFromGraph(reader) {
           description: data.description,
           inverseLabel: data.inverseLabel,
           titleField: data.titleField,
-          subtitleField: data.subtitleField
+          subtitleField: data.subtitleField,
+          allowedIn: data.allowedIn
         });
       }
     }
@@ -857,9 +1040,10 @@ async function createRegistryFromGraph(reader) {
 // src/client.ts
 var _standardModeWarned = false;
 var RESERVED_TYPE_NAMES = /* @__PURE__ */ new Set([META_NODE_TYPE, META_EDGE_TYPE]);
-var GraphClientImpl = class {
-  constructor(db, collectionPath, options) {
+var GraphClientImpl = class _GraphClientImpl {
+  constructor(db, collectionPath, options, scopePath = "") {
     this.db = db;
+    this.scopePath = scopePath;
     this.adapter = createFirestoreAdapter(db, collectionPath);
     if (options?.registry && options?.registryMode) {
       throw new DynamicRegistryError(
@@ -889,6 +1073,7 @@ var GraphClientImpl = class {
         "[firegraph] Standard query mode enabled. This is NOT recommended for production:\n  - Enterprise Firestore: data.* filters cause full collection scans (high billing)\n  - Standard Firestore: data.* filters without composite indexes will fail\n  See: https://github.com/typicalday/firegraph#query-modes"
       );
     }
+    this.scanProtection = options?.scanProtection ?? "error";
     if (this.queryMode === "pipeline") {
       this.pipelineAdapter = createPipelineQueryAdapter(db, collectionPath);
       if (this.metaAdapter) {
@@ -902,6 +1087,7 @@ var GraphClientImpl = class {
   adapter;
   pipelineAdapter;
   queryMode;
+  scanProtection;
   // Static mode
   staticRegistry;
   // Dynamic mode
@@ -910,6 +1096,8 @@ var GraphClientImpl = class {
   dynamicRegistry;
   metaAdapter;
   metaPipelineAdapter;
+  // Subgraph scope tracking
+  scopePath;
   // ---------------------------------------------------------------------------
   // Registry routing
   // ---------------------------------------------------------------------------
@@ -963,6 +1151,19 @@ var GraphClientImpl = class {
     }
     return this.adapter.query(filters, options);
   }
+  /**
+   * Check whether a query's filter set is safe (matches a known index pattern).
+   * Throws QuerySafetyError or logs a warning depending on scanProtection config.
+   */
+  checkQuerySafety(filters, allowCollectionScan) {
+    if (allowCollectionScan || this.scanProtection === "off") return;
+    const result = analyzeQuerySafety(filters);
+    if (result.safe) return;
+    if (this.scanProtection === "error") {
+      throw new QuerySafetyError(result.reason);
+    }
+    console.warn(`[firegraph] Query safety warning: ${result.reason}`);
+  }
   // ---------------------------------------------------------------------------
   // GraphReader
   // ---------------------------------------------------------------------------
@@ -984,6 +1185,7 @@ var GraphClientImpl = class {
       const record = await this.adapter.getDoc(plan.docId);
       return record ? [record] : [];
     }
+    this.checkQuerySafety(plan.filters, params.allowCollectionScan);
     return this.executeQuery(plan.filters, plan.options);
   }
   async findNodes(params) {
@@ -992,6 +1194,7 @@ var GraphClientImpl = class {
       const record = await this.adapter.getDoc(plan.docId);
       return record ? [record] : [];
     }
+    this.checkQuerySafety(plan.filters, params.allowCollectionScan);
     return this.executeQuery(plan.filters, plan.options);
   }
   // ---------------------------------------------------------------------------
@@ -1000,7 +1203,7 @@ var GraphClientImpl = class {
   async putNode(aType, uid, data) {
     const registry = this.getRegistryForType(aType);
     if (registry) {
-      registry.validate(aType, NODE_RELATION, aType, data);
+      registry.validate(aType, NODE_RELATION, aType, data, this.scopePath);
     }
     const adapter = this.getAdapterForType(aType);
     const docId = computeNodeDocId(uid);
@@ -1010,7 +1213,7 @@ var GraphClientImpl = class {
   async putEdge(aType, aUid, axbType, bType, bUid, data) {
     const registry = this.getRegistryForType(aType);
     if (registry) {
-      registry.validate(aType, axbType, bType, data);
+      registry.validate(aType, axbType, bType, data, this.scopePath);
     }
     const adapter = this.getAdapterForType(aType);
     const docId = computeEdgeDocId(aUid, axbType, bUid);
@@ -1042,13 +1245,42 @@ var GraphClientImpl = class {
         this.adapter.collectionPath,
         firestoreTx
       );
-      const graphTx = new GraphTransactionImpl(adapter, this.getCombinedRegistry());
+      const graphTx = new GraphTransactionImpl(adapter, this.getCombinedRegistry(), this.scanProtection, this.scopePath);
       return fn(graphTx);
     });
   }
   batch() {
     const adapter = createBatchAdapter(this.db, this.adapter.collectionPath);
-    return new GraphBatchImpl(adapter, this.getCombinedRegistry());
+    return new GraphBatchImpl(adapter, this.getCombinedRegistry(), this.scopePath);
+  }
+  // ---------------------------------------------------------------------------
+  // Subgraph
+  // ---------------------------------------------------------------------------
+  subgraph(parentNodeUid, name = "graph") {
+    if (!parentNodeUid || parentNodeUid.includes("/")) {
+      throw new FiregraphError(
+        `Invalid parentNodeUid for subgraph: "${parentNodeUid}". Must be a non-empty string without "/".`,
+        "INVALID_SUBGRAPH"
+      );
+    }
+    if (name.includes("/")) {
+      throw new FiregraphError(
+        `Subgraph name must not contain "/": got "${name}". Use chained .subgraph() calls for nested subgraphs.`,
+        "INVALID_SUBGRAPH"
+      );
+    }
+    const subCollectionPath = `${this.adapter.collectionPath}/${parentNodeUid}/${name}`;
+    const newScopePath = this.scopePath ? `${this.scopePath}/${name}` : name;
+    return new _GraphClientImpl(
+      this.db,
+      subCollectionPath,
+      {
+        registry: this.getCombinedRegistry(),
+        queryMode: this.queryMode === "pipeline" ? "pipeline" : "standard",
+        scanProtection: this.scanProtection
+      },
+      newScopePath
+    );
   }
   // ---------------------------------------------------------------------------
   // Bulk operations
@@ -1080,6 +1312,7 @@ var GraphClientImpl = class {
     if (options?.subtitleField !== void 0) data.subtitleField = options.subtitleField;
     if (options?.viewTemplate !== void 0) data.viewTemplate = options.viewTemplate;
     if (options?.viewCss !== void 0) data.viewCss = options.viewCss;
+    if (options?.allowedIn !== void 0) data.allowedIn = options.allowedIn;
     await this.putNode(META_NODE_TYPE, uid, data);
   }
   async defineEdgeType(name, topology, jsonSchema, description, options) {
@@ -1106,6 +1339,7 @@ var GraphClientImpl = class {
     if (options?.subtitleField !== void 0) data.subtitleField = options.subtitleField;
     if (options?.viewTemplate !== void 0) data.viewTemplate = options.viewTemplate;
     if (options?.viewCss !== void 0) data.viewCss = options.viewCss;
+    if (options?.allowedIn !== void 0) data.allowedIn = options.allowedIn;
     await this.putNode(META_EDGE_TYPE, uid, data);
   }
   async reloadRegistry() {
@@ -1264,7 +1498,9 @@ var TraversalBuilderImpl = class {
           }
           if (hop.orderBy) params.orderBy = hop.orderBy;
           const limit = hop.limit ?? DEFAULT_LIMIT;
-          if (!hop.filter) {
+          if (hop.filter) {
+            params.limit = 0;
+          } else {
             params.limit = limit;
           }
           let edges = await this.reader.findEdges(params);
@@ -1515,7 +1751,8 @@ function loadNodeEntity(dir, name) {
     subtitleField: meta?.subtitleField,
     viewDefaults: meta?.viewDefaults,
     viewsPath,
-    sampleData
+    sampleData,
+    allowedIn: meta?.allowedIn
   };
 }
 function loadEdgeEntity(dir, name) {
@@ -1550,7 +1787,8 @@ function loadEdgeEntity(dir, name) {
     subtitleField: meta?.subtitleField,
     viewDefaults: meta?.viewDefaults,
     viewsPath,
-    sampleData
+    sampleData,
+    allowedIn: meta?.allowedIn
   };
 }
 function getSubdirectories(dir) {
@@ -1636,6 +1874,83 @@ async function generateTypes(discovery, options = {}) {
   return chunks.join("\n").trimEnd() + "\n";
 }
 
+// src/indexes.ts
+function baseIndexes(collection) {
+  return [
+    {
+      collectionGroup: collection,
+      queryScope: "COLLECTION",
+      fields: [
+        { fieldPath: "aUid", order: "ASCENDING" },
+        { fieldPath: "axbType", order: "ASCENDING" }
+      ]
+    },
+    {
+      collectionGroup: collection,
+      queryScope: "COLLECTION",
+      fields: [
+        { fieldPath: "axbType", order: "ASCENDING" },
+        { fieldPath: "bUid", order: "ASCENDING" }
+      ]
+    },
+    {
+      collectionGroup: collection,
+      queryScope: "COLLECTION",
+      fields: [
+        { fieldPath: "aType", order: "ASCENDING" },
+        { fieldPath: "axbType", order: "ASCENDING" }
+      ]
+    },
+    {
+      collectionGroup: collection,
+      queryScope: "COLLECTION",
+      fields: [
+        { fieldPath: "axbType", order: "ASCENDING" },
+        { fieldPath: "bType", order: "ASCENDING" }
+      ]
+    }
+  ];
+}
+function extractSchemaFields(schema) {
+  const s = schema;
+  if (s.type !== "object" || !s.properties) return [];
+  return Object.keys(s.properties);
+}
+function generateIndexConfig(collection, entities) {
+  const indexes = baseIndexes(collection);
+  if (entities) {
+    for (const [, entity] of entities.nodes) {
+      const fields = extractSchemaFields(entity.schema);
+      for (const field of fields) {
+        indexes.push({
+          collectionGroup: collection,
+          queryScope: "COLLECTION",
+          fields: [
+            { fieldPath: "aType", order: "ASCENDING" },
+            { fieldPath: "axbType", order: "ASCENDING" },
+            { fieldPath: `data.${field}`, order: "ASCENDING" }
+          ]
+        });
+      }
+    }
+    for (const [, entity] of entities.edges) {
+      const fields = extractSchemaFields(entity.schema);
+      for (const field of fields) {
+        indexes.push({
+          collectionGroup: collection,
+          queryScope: "COLLECTION",
+          fields: [
+            { fieldPath: "aUid", order: "ASCENDING" },
+            { fieldPath: "axbType", order: "ASCENDING" },
+            { fieldPath: `data.${field}`, order: "ASCENDING" }
+          ]
+        });
+      }
+    }
+  }
+  return { indexes, fieldOverrides: [] };
+}
+
 // src/query-client/client.ts
 var import_node_http = __toESM(require("http"), 1);
 
@@ -1914,6 +2229,7 @@ var QueryClient = class {
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   BOOTSTRAP_ENTRIES,
+  DEFAULT_QUERY_LIMIT,
   DiscoveryError,
   DynamicRegistryError,
   EDGE_TYPE_SCHEMA,
@@ -1926,9 +2242,12 @@ var QueryClient = class {
   NodeNotFoundError,
   QueryClient,
   QueryClientError,
+  QuerySafetyError,
+  RegistryScopeError,
   RegistryViolationError,
   TraversalError,
   ValidationError,
+  analyzeQuerySafety,
   buildEdgeQueryPlan,
   buildEdgeRecord,
   buildNodeQueryPlan,
@@ -1946,8 +2265,11 @@ var QueryClient = class {
   discoverEntities,
   generateDeterministicUid,
   generateId,
+  generateIndexConfig,
   generateTypes,
   jsonSchemaToFieldMeta,
+  matchScope,
+  matchScopeAny,
   resolveView
 });
 //# sourceMappingURL=index.cjs.map