@vertz/server 0.2.17 → 0.2.18

package/dist/index.d.ts

@@ -4,6 +4,46 @@ import { ModelEntry } from "@vertz/db";
 import { AuthError, Result } from "@vertz/errors";
 import { Infer, ObjectSchema, StringSchema } from "@vertz/schema";
 /**
+* InMemoryClosureStore — closure table for resource hierarchy.
+*
+* Stores ancestor/descendant relationships with depth tracking.
+* Self-reference rows (depth 0) are created for every resource.
+* Hierarchy depth is capped at 4 levels.
+*/
+interface ClosureRow {
+	ancestorType: string;
+	ancestorId: string;
+	descendantType: string;
+	descendantId: string;
+	depth: number;
+}
+interface ClosureEntry {
+	type: string;
+	id: string;
+	depth: number;
+}
+interface ParentRef {
+	parentType: string;
+	parentId: string;
+}
+interface ClosureStore {
+	addResource(type: string, id: string, parent?: ParentRef): Promise<void>;
+	removeResource(type: string, id: string): Promise<void>;
+	getAncestors(type: string, id: string): Promise<ClosureEntry[]>;
+	getDescendants(type: string, id: string): Promise<ClosureEntry[]>;
+	hasPath(ancestorType: string, ancestorId: string, descendantType: string, descendantId: string): Promise<boolean>;
+	dispose(): void;
+}
+declare class InMemoryClosureStore implements ClosureStore {
+	private rows;
+	addResource(type: string, id: string, parent?: ParentRef): Promise<void>;
+	removeResource(type: string, id: string): Promise<void>;
+	getAncestors(type: string, id: string): Promise<ClosureEntry[]>;
+	getDescendants(type: string, id: string): Promise<ClosureEntry[]>;
+	hasPath(ancestorType: string, ancestorId: string, descendantType: string, descendantId: string): Promise<boolean>;
+	dispose(): void;
+}
+/**
 * rules.* builders — declarative access rule data structures.
 *
 * These are pure data structures with no evaluation logic.
@@ -207,43 +247,102 @@ interface AccessDefinition {
 }
 declare function defineAccess(input: DefineAccessInput): AccessDefinition;
 /**
-* InMemoryClosureStore — closure table for resource hierarchy.
+* Feature Flag Store — per-tenant boolean feature flags.
 *
-* Stores ancestor/descendant relationships with depth tracking.
-* Self-reference rows (depth 0) are created for every resource.
-* Hierarchy depth is capped at 4 levels.
+* Pluggable interface with in-memory default.
+* Used by Layer 1 of access context to gate entitlements on feature flags.
 */
-interface ClosureRow {
-	ancestorType: string;
-	ancestorId: string;
-	descendantType: string;
-	descendantId: string;
-	depth: number;
+interface FlagStore {
+	setFlag(tenantId: string, flag: string, enabled: boolean): void;
+	getFlag(tenantId: string, flag: string): boolean;
+	getFlags(tenantId: string): Record<string, boolean>;
 }
-interface ClosureEntry {
-	type: string;
-	id: string;
-	depth: number;
+declare class InMemoryFlagStore implements FlagStore {
+	private flags;
+	setFlag(tenantId: string, flag: string, enabled: boolean): void;
+	getFlag(tenantId: string, flag: string): boolean;
+	getFlags(tenantId: string): Record<string, boolean>;
 }
-interface ParentRef {
-	parentType: string;
-	parentId: string;
+/** Limit override: add (additive) or max (hard cap) */
+interface LimitOverrideDef {
+	add?: number;
+	max?: number;
 }
-interface ClosureStore {
-	addResource(type: string, id: string, parent?: ParentRef): Promise<void>;
-	removeResource(type: string, id: string): Promise<void>;
-	getAncestors(type: string, id: string): Promise<ClosureEntry[]>;
-	getDescendants(type: string, id: string): Promise<ClosureEntry[]>;
-	hasPath(ancestorType: string, ancestorId: string, descendantType: string, descendantId: string): Promise<boolean>;
+/** Per-tenant overrides */
+interface TenantOverrides {
+	features?: string[];
+	limits?: Record<string, LimitOverrideDef>;
+}
+interface OverrideStore {
+	set(tenantId: string, overrides: TenantOverrides): Promise<void>;
+	remove(tenantId: string, keys: {
+		features?: string[];
+		limits?: string[];
+	}): Promise<void>;
+	get(tenantId: string): Promise<TenantOverrides | null>;
 	dispose(): void;
 }
-declare class InMemoryClosureStore implements ClosureStore {
-	private rows;
-	addResource(type: string, id: string, parent?: ParentRef): Promise<void>;
-	removeResource(type: string, id: string): Promise<void>;
-	getAncestors(type: string, id: string): Promise<ClosureEntry[]>;
-	getDescendants(type: string, id: string): Promise<ClosureEntry[]>;
-	hasPath(ancestorType: string, ancestorId: string, descendantType: string, descendantId: string): Promise<boolean>;
+declare class InMemoryOverrideStore implements OverrideStore {
+	private overrides;
+	set(tenantId: string, overrides: TenantOverrides): Promise<void>;
+	remove(tenantId: string, keys: {
+		features?: string[];
+		limits?: string[];
+	}): Promise<void>;
+	get(tenantId: string): Promise<TenantOverrides | null>;
+	dispose(): void;
+}
+/**
+* Validate tenant overrides against the access definition.
+* Throws on invalid limit keys, invalid feature names, or invalid max values.
+*/
+declare function validateOverrides(accessDef: AccessDefinition, overrides: TenantOverrides): void;
+/**
+* Plan Version Store — tracks versioned snapshots of plan configurations.
+*
+* When a plan's config changes (hash differs), a new version is created
+* with a snapshot of the plan's features, limits, and price at that point.
+*/
+interface PlanSnapshot {
+	features: readonly string[] | string[];
+	limits: Record<string, unknown>;
+	price: {
+		amount: number;
+		interval: string;
+	} | null;
+}
+interface PlanVersionInfo {
+	planId: string;
+	version: number;
+	hash: string;
+	snapshot: PlanSnapshot;
+	createdAt: Date;
+}
+interface PlanVersionStore {
+	/** Create a new version for a plan. Returns the version number. */
+	createVersion(planId: string, hash: string, snapshot: PlanSnapshot): Promise<number>;
+	/** Get the current (latest) version number for a plan. Returns null if no versions exist. */
+	getCurrentVersion(planId: string): Promise<number | null>;
+	/** Get a specific version's info. Returns null if not found. */
+	getVersion(planId: string, version: number): Promise<PlanVersionInfo | null>;
+	/** Get the version number a tenant is on for a given plan. Returns null if not set. */
+	getTenantVersion(tenantId: string, planId: string): Promise<number | null>;
+	/** Set the version number a tenant is on for a given plan. */
+	setTenantVersion(tenantId: string, planId: string, version: number): Promise<void>;
+	/** Get the hash of the current (latest) version for a plan. Returns null if no versions. */
+	getCurrentHash(planId: string): Promise<string | null>;
+	/** Clean up resources. */
+	dispose(): void;
+}
+declare class InMemoryPlanVersionStore implements PlanVersionStore {
+	private versions;
+	private tenantVersions;
+	createVersion(planId: string, hash: string, snapshot: PlanSnapshot): Promise<number>;
+	getCurrentVersion(planId: string): Promise<number | null>;
+	getVersion(planId: string, version: number): Promise<PlanVersionInfo | null>;
+	getTenantVersion(tenantId: string, planId: string): Promise<number | null>;
+	setTenantVersion(tenantId: string, planId: string, version: number): Promise<void>;
+	getCurrentHash(planId: string): Promise<string | null>;
 	dispose(): void;
 }
 interface RoleAssignment {
@@ -274,23 +373,6 @@ declare class InMemoryRoleAssignmentStore implements RoleAssignmentStore {
 	getEffectiveRole(userId: string, resourceType: string, resourceId: string, accessDef: AccessDefinition, closureStore: ClosureStore): Promise<string | null>;
 	dispose(): void;
 }
-/**
-* Feature Flag Store — per-tenant boolean feature flags.
-*
-* Pluggable interface with in-memory default.
-* Used by Layer 1 of access context to gate entitlements on feature flags.
-*/
-interface FlagStore {
-	setFlag(tenantId: string, flag: string, enabled: boolean): void;
-	getFlag(tenantId: string, flag: string): boolean;
-	getFlags(tenantId: string): Record<string, boolean>;
-}
-declare class InMemoryFlagStore implements FlagStore {
-	private flags;
-	setFlag(tenantId: string, flag: string, enabled: boolean): void;
-	getFlag(tenantId: string, flag: string): boolean;
-	getFlags(tenantId: string): Record<string, boolean>;
-}
 /** Per-tenant limit override. Only affects the cap, not the billing period. */
 interface LimitOverride {
 	max: number;
@@ -377,88 +459,6 @@ declare class InMemoryWalletStore implements WalletStore {
 	getConsumption(tenantId: string, entitlement: string, periodStart: Date, _periodEnd: Date): Promise<number>;
 	dispose(): void;
 }
-/** Limit override: add (additive) or max (hard cap) */
-interface LimitOverrideDef {
-	add?: number;
-	max?: number;
-}
-/** Per-tenant overrides */
-interface TenantOverrides {
-	features?: string[];
-	limits?: Record<string, LimitOverrideDef>;
-}
-interface OverrideStore {
-	set(tenantId: string, overrides: TenantOverrides): Promise<void>;
-	remove(tenantId: string, keys: {
-		features?: string[];
-		limits?: string[];
-	}): Promise<void>;
-	get(tenantId: string): Promise<TenantOverrides | null>;
-	dispose(): void;
-}
-declare class InMemoryOverrideStore implements OverrideStore {
-	private overrides;
-	set(tenantId: string, overrides: TenantOverrides): Promise<void>;
-	remove(tenantId: string, keys: {
-		features?: string[];
-		limits?: string[];
-	}): Promise<void>;
-	get(tenantId: string): Promise<TenantOverrides | null>;
-	dispose(): void;
-}
-/**
-* Validate tenant overrides against the access definition.
-* Throws on invalid limit keys, invalid feature names, or invalid max values.
-*/
-declare function validateOverrides(accessDef: AccessDefinition, overrides: TenantOverrides): void;
-/**
-* Plan Version Store — tracks versioned snapshots of plan configurations.
-*
-* When a plan's config changes (hash differs), a new version is created
-* with a snapshot of the plan's features, limits, and price at that point.
-*/
-interface PlanSnapshot {
-	features: readonly string[] | string[];
-	limits: Record<string, unknown>;
-	price: {
-		amount: number;
-		interval: string;
-	} | null;
-}
-interface PlanVersionInfo {
-	planId: string;
-	version: number;
-	hash: string;
-	snapshot: PlanSnapshot;
-	createdAt: Date;
-}
-interface PlanVersionStore {
-	/** Create a new version for a plan. Returns the version number. */
-	createVersion(planId: string, hash: string, snapshot: PlanSnapshot): Promise<number>;
-	/** Get the current (latest) version number for a plan. Returns null if no versions exist. */
-	getCurrentVersion(planId: string): Promise<number | null>;
-	/** Get a specific version's info. Returns null if not found. */
-	getVersion(planId: string, version: number): Promise<PlanVersionInfo | null>;
-	/** Get the version number a tenant is on for a given plan. Returns null if not set. */
-	getTenantVersion(tenantId: string, planId: string): Promise<number | null>;
-	/** Set the version number a tenant is on for a given plan. */
-	setTenantVersion(tenantId: string, planId: string, version: number): Promise<void>;
-	/** Get the hash of the current (latest) version for a plan. Returns null if no versions. */
-	getCurrentHash(planId: string): Promise<string | null>;
-	/** Clean up resources. */
-	dispose(): void;
-}
-declare class InMemoryPlanVersionStore implements PlanVersionStore {
-	private versions;
-	private tenantVersions;
-	createVersion(planId: string, hash: string, snapshot: PlanSnapshot): Promise<number>;
-	getCurrentVersion(planId: string): Promise<number | null>;
-	getVersion(planId: string, version: number): Promise<PlanVersionInfo | null>;
-	getTenantVersion(tenantId: string, planId: string): Promise<number | null>;
-	setTenantVersion(tenantId: string, planId: string, version: number): Promise<void>;
-	getCurrentHash(planId: string): Promise<string | null>;
-	dispose(): void;
-}
 interface ResourceRef {
 	type: string;
 	id: string;
@@ -963,11 +963,15 @@ interface AuthInstance {
 	*/
 	resolveSessionForSSR: (request: Request) => Promise<{
 		session: {
-			user: Record<string, unknown>;
+			user: {
+				id: string;
+				email: string;
+				role: string;
+				[key: string]: unknown;
+			};
 			expiresAt: number;
 		};
-		/** AccessSet | null at runtime; typed as unknown to avoid cross-package dependency on @vertz/ui */
-		accessSet?: unknown;
+		accessSet?: AccessSet | null;
 	} | null>;
 }
 interface AuthContext {

package/dist/index.js

@@ -6236,6 +6236,260 @@ import {
   err as err4,
   ok as ok4
 } from "@vertz/errors";
+
+// src/entity/vertzql-parser.ts
+function extractAllowKeys(allow) {
+  if (!allow)
+    return [];
+  if (Array.isArray(allow))
+    return allow;
+  return Object.keys(allow);
+}
+var MAX_CURSOR_LENGTH = 512;
+var MAX_LIMIT = 1000;
+var MAX_Q_BASE64_LENGTH = 10240;
+var ALLOWED_Q_KEYS = new Set(["select", "include", "where", "orderBy", "limit"]);
+function parseVertzQL(query) {
+  const result = {};
+  for (const [key, value] of Object.entries(query)) {
+    const whereMatch = key.match(/^where\[([^\]]+)\](?:\[([^\]]+)\])?$/);
+    if (whereMatch) {
+      if (!result.where)
+        result.where = {};
+      const field = whereMatch[1];
+      const op = whereMatch[2];
+      const existing = result.where[field];
+      if (op) {
+        const base = existing && typeof existing === "object" ? existing : existing !== undefined ? { eq: existing } : {};
+        result.where[field] = { ...base, [op]: value };
+      } else {
+        if (existing && typeof existing === "object") {
+          result.where[field] = { ...existing, eq: value };
+        } else {
+          result.where[field] = value;
+        }
+      }
+      continue;
+    }
+    if (key === "limit") {
+      const parsed = Number.parseInt(value, 10);
+      if (!Number.isNaN(parsed)) {
+        result.limit = Math.max(0, Math.min(parsed, MAX_LIMIT));
+      }
+      continue;
+    }
+    if (key === "after") {
+      if (value && value.length <= MAX_CURSOR_LENGTH) {
+        result.after = value;
+      }
+      continue;
+    }
+    if (key === "orderBy") {
+      const [field, dir] = value.split(":");
+      if (field) {
+        if (!result.orderBy)
+          result.orderBy = {};
+        result.orderBy[field] = dir === "desc" ? "desc" : "asc";
+      }
+      continue;
+    }
+    if (key === "q") {
+      try {
+        const urlDecoded = decodeURIComponent(value);
+        if (urlDecoded.length > MAX_Q_BASE64_LENGTH) {
+          result._qError = "q= parameter exceeds maximum allowed size";
+          continue;
+        }
+        const b64 = urlDecoded.replace(/-/g, "+").replace(/_/g, "/");
+        const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
+        const decoded = JSON.parse(atob(padded));
+        for (const k of Object.keys(decoded)) {
+          if (!ALLOWED_Q_KEYS.has(k)) {
+            delete decoded[k];
+          }
+        }
+        if (decoded.select && typeof decoded.select === "object") {
+          result.select = decoded.select;
+        }
+        if (decoded.include && typeof decoded.include === "object") {
+          result.include = decoded.include;
+        }
+        if (decoded.where && typeof decoded.where === "object" && !Array.isArray(decoded.where)) {
+          result.where = { ...result.where, ...decoded.where };
+        }
+        if (decoded.orderBy && typeof decoded.orderBy === "object" && !Array.isArray(decoded.orderBy)) {
+          const orderByObj = decoded.orderBy;
+          const sanitized = {};
+          for (const [field, dir] of Object.entries(orderByObj)) {
+            sanitized[field] = dir === "desc" ? "desc" : "asc";
+          }
+          result.orderBy = { ...result.orderBy, ...sanitized };
+        }
+        if (decoded.limit !== undefined) {
+          const parsed = typeof decoded.limit === "number" ? decoded.limit : Number(decoded.limit);
+          if (!Number.isNaN(parsed)) {
+            result.limit = Math.max(0, Math.min(parsed, MAX_LIMIT));
+          }
+        }
+      } catch {
+        result._qError = "Invalid q= parameter: not valid base64 or JSON";
+      }
+    }
+  }
+  return result;
+}
+function getHiddenColumns(table) {
+  const hidden = new Set;
+  for (const key of Object.keys(table._columns)) {
+    const col = table._columns[key];
+    if (col?._meta._annotations.hidden) {
+      hidden.add(key);
+    }
+  }
+  return hidden;
+}
+function validateVertzQL(options, table, relationsConfig, exposeConfig, evaluatedExpose) {
+  if (options._qError) {
+    return { ok: false, error: options._qError };
+  }
+  const hiddenColumns = getHiddenColumns(table);
+  if (options.where) {
+    const allowWhereSet = evaluatedExpose ? evaluatedExpose.allowedWhereFields : null;
+    const allowWhereKeys = !evaluatedExpose && exposeConfig ? extractAllowKeys(exposeConfig.allowWhere) : null;
+    for (const field of Object.keys(options.where)) {
+      if (hiddenColumns.has(field)) {
+        return { ok: false, error: `Field "${field}" is not filterable` };
+      }
+      if (allowWhereSet !== null && !allowWhereSet.has(field)) {
+        return { ok: false, error: `Field "${field}" is not filterable` };
+      }
+      if (allowWhereKeys !== null && !allowWhereKeys.includes(field)) {
+        return { ok: false, error: `Field "${field}" is not filterable` };
+      }
+    }
+  }
+  if (options.orderBy) {
+    const allowOrderBySet = evaluatedExpose ? evaluatedExpose.allowedOrderByFields : null;
+    const allowOrderByKeys = !evaluatedExpose && exposeConfig ? extractAllowKeys(exposeConfig.allowOrderBy) : null;
+    for (const field of Object.keys(options.orderBy)) {
+      if (hiddenColumns.has(field)) {
+        return { ok: false, error: `Field "${field}" is not sortable` };
+      }
+      if (allowOrderBySet !== null && !allowOrderBySet.has(field)) {
+        return { ok: false, error: `Field "${field}" is not sortable` };
+      }
+      if (allowOrderByKeys !== null && !allowOrderByKeys.includes(field)) {
+        return { ok: false, error: `Field "${field}" is not sortable` };
+      }
+    }
+  }
+  if (options.select) {
+    const exposeSelectKeys = exposeConfig ? extractAllowKeys(exposeConfig.select) : null;
+    for (const field of Object.keys(options.select)) {
+      if (hiddenColumns.has(field)) {
+        return { ok: false, error: `Field "${field}" is not selectable` };
+      }
+      if (exposeSelectKeys !== null && exposeSelectKeys.length > 0 && !exposeSelectKeys.includes(field)) {
+        return { ok: false, error: `Field "${field}" is not selectable` };
+      }
+    }
+  }
+  if (options.include && relationsConfig) {
+    const includeResult = validateInclude(options.include, relationsConfig, "");
+    if (!includeResult.ok)
+      return includeResult;
+  }
+  return { ok: true };
+}
+function validateInclude(include, relationsConfig, pathPrefix) {
+  for (const [relation, requested] of Object.entries(include)) {
+    const entityConfig = relationsConfig[relation];
+    const relationPath = pathPrefix ? `${pathPrefix}.${relation}` : relation;
+    if (entityConfig === undefined || entityConfig === false) {
+      return { ok: false, error: `Relation "${relationPath}" is not exposed` };
+    }
+    if (requested === true)
+      continue;
+    const configObj = typeof entityConfig === "object" ? entityConfig : undefined;
+    if (requested.where) {
+      const allowWhereKeys = extractAllowKeys(configObj?.allowWhere);
+      if (!configObj || allowWhereKeys.length === 0) {
+        return {
+          ok: false,
+          error: `Filtering is not enabled on relation '${relationPath}'. ` + "Add 'allowWhere' to the entity relations config."
+        };
+      }
+      const allowedSet = new Set(allowWhereKeys);
+      for (const field of Object.keys(requested.where)) {
+        if (!allowedSet.has(field)) {
+          return {
+            ok: false,
+            error: `Field '${field}' is not filterable on relation '${relationPath}'. ` + `Allowed: ${allowWhereKeys.join(", ")}`
+          };
+        }
+      }
+    }
+    if (requested.orderBy) {
+      const allowOrderByKeys = extractAllowKeys(configObj?.allowOrderBy);
+      if (!configObj || allowOrderByKeys.length === 0) {
+        return {
+          ok: false,
+          error: `Sorting is not enabled on relation '${relationPath}'. ` + "Add 'allowOrderBy' to the entity relations config."
+        };
+      }
+      const allowedSet = new Set(allowOrderByKeys);
+      for (const [field, dir] of Object.entries(requested.orderBy)) {
+        if (!allowedSet.has(field)) {
+          return {
+            ok: false,
+            error: `Field '${field}' is not sortable on relation '${relationPath}'. ` + `Allowed: ${allowOrderByKeys.join(", ")}`
+          };
+        }
+        if (dir !== "asc" && dir !== "desc") {
+          return {
+            ok: false,
+            error: `Invalid orderBy direction '${String(dir)}' for field '${field}' on relation '${relationPath}'. Must be 'asc' or 'desc'.`
+          };
+        }
+      }
+    }
+    if (requested.limit !== undefined) {
+      if (typeof requested.limit !== "number" || !Number.isFinite(requested.limit)) {
+        return {
+          ok: false,
+          error: `Invalid limit on relation '${relationPath}': must be a finite number`
+        };
+      }
+      if (requested.limit < 0) {
+        requested.limit = 0;
+      }
+      if (configObj?.maxLimit !== undefined && requested.limit > configObj.maxLimit) {
+        requested.limit = configObj.maxLimit;
+      }
+    }
+    if (requested.select && configObj?.select) {
+      for (const field of Object.keys(requested.select)) {
+        if (!(field in configObj.select)) {
+          return {
+            ok: false,
+            error: `Field "${field}" is not exposed on relation "${relationPath}"`
+          };
+        }
+      }
+    }
+    if (requested.include) {
+      if (entityConfig === true) {
+        return {
+          ok: false,
+          error: `Nested includes are not supported on relation '${relationPath}' ` + "without a structured relations config."
+        };
+      }
+    }
+  }
+  return { ok: true };
+}
+
+// src/entity/crud-pipeline.ts
 function resolvePrimaryKeyColumn(table) {
   for (const key of Object.keys(table._columns)) {
     const col = table._columns[key];
@@ -6320,7 +6574,7 @@ function createCrudHandlers(def, db, options) {
       const indirectWhere = await resolveIndirectTenantWhere(ctx);
       const where = indirectWhere ? { ...directWhere, ...indirectWhere } : directWhere;
       const limit = Math.max(0, options2?.limit ?? 20);
-      const after = options2?.after && options2.after.length <= 512 ? options2.after : undefined;
+      const after = options2?.after && options2.after.length <= MAX_CURSOR_LENGTH ? options2.after : undefined;
       const orderBy = options2?.orderBy;
       const include = options2?.include;
       const { data: rows, total } = await db.list({ where, orderBy, limit, after, include });
@@ -6593,240 +6847,6 @@ async function evaluateExposeDescriptors(expose, ctx, options = {}) {
   };
 }
 
-// src/entity/vertzql-parser.ts
-function extractAllowKeys(allow) {
-  if (!allow)
-    return [];
-  if (Array.isArray(allow))
-    return allow;
-  return Object.keys(allow);
-}
-var MAX_LIMIT = 1000;
-var MAX_Q_BASE64_LENGTH = 10240;
-var ALLOWED_Q_KEYS = new Set(["select", "include", "where", "orderBy", "limit", "offset"]);
-function parseVertzQL(query) {
-  const result = {};
-  for (const [key, value] of Object.entries(query)) {
-    const whereMatch = key.match(/^where\[([^\]]+)\](?:\[([^\]]+)\])?$/);
-    if (whereMatch) {
-      if (!result.where)
-        result.where = {};
-      const field = whereMatch[1];
-      const op = whereMatch[2];
-      const existing = result.where[field];
-      if (op) {
-        const base = existing && typeof existing === "object" ? existing : existing !== undefined ? { eq: existing } : {};
-        result.where[field] = { ...base, [op]: value };
-      } else {
-        if (existing && typeof existing === "object") {
-          result.where[field] = { ...existing, eq: value };
-        } else {
-          result.where[field] = value;
-        }
-      }
-      continue;
-    }
-    if (key === "limit") {
-      const parsed = Number.parseInt(value, 10);
-      if (!Number.isNaN(parsed)) {
-        result.limit = Math.max(0, Math.min(parsed, MAX_LIMIT));
-      }
-      continue;
-    }
-    if (key === "after") {
-      if (value) {
-        result.after = value;
-      }
-      continue;
-    }
-    if (key === "orderBy") {
-      const [field, dir] = value.split(":");
-      if (field) {
-        if (!result.orderBy)
-          result.orderBy = {};
-        result.orderBy[field] = dir === "desc" ? "desc" : "asc";
-      }
-      continue;
-    }
-    if (key === "q") {
-      try {
-        const urlDecoded = decodeURIComponent(value);
-        if (urlDecoded.length > MAX_Q_BASE64_LENGTH) {
-          result._qError = "q= parameter exceeds maximum allowed size";
-          continue;
-        }
-        const b64 = urlDecoded.replace(/-/g, "+").replace(/_/g, "/");
-        const padded = b64 + "=".repeat((4 - b64.length % 4) % 4);
-        const decoded = JSON.parse(atob(padded));
-        for (const k of Object.keys(decoded)) {
-          if (!ALLOWED_Q_KEYS.has(k)) {
-            delete decoded[k];
-          }
-        }
-        if (decoded.select && typeof decoded.select === "object") {
-          result.select = decoded.select;
-        }
-        if (decoded.include && typeof decoded.include === "object") {
-          result.include = decoded.include;
-        }
-      } catch {
-        result._qError = "Invalid q= parameter: not valid base64 or JSON";
-      }
-    }
-  }
-  return result;
-}
-function getHiddenColumns(table) {
-  const hidden = new Set;
-  for (const key of Object.keys(table._columns)) {
-    const col = table._columns[key];
-    if (col?._meta._annotations.hidden) {
-      hidden.add(key);
-    }
-  }
-  return hidden;
-}
-function validateVertzQL(options, table, relationsConfig, exposeConfig, evaluatedExpose) {
-  if (options._qError) {
-    return { ok: false, error: options._qError };
-  }
-  const hiddenColumns = getHiddenColumns(table);
-  if (options.where) {
-    const allowWhereSet = evaluatedExpose ? evaluatedExpose.allowedWhereFields : null;
-    const allowWhereKeys = !evaluatedExpose && exposeConfig ? extractAllowKeys(exposeConfig.allowWhere) : null;
-    for (const field of Object.keys(options.where)) {
-      if (hiddenColumns.has(field)) {
-        return { ok: false, error: `Field "${field}" is not filterable` };
-      }
-      if (allowWhereSet !== null && !allowWhereSet.has(field)) {
-        return { ok: false, error: `Field "${field}" is not filterable` };
-      }
-      if (allowWhereKeys !== null && !allowWhereKeys.includes(field)) {
-        return { ok: false, error: `Field "${field}" is not filterable` };
-      }
-    }
-  }
-  if (options.orderBy) {
-    const allowOrderBySet = evaluatedExpose ? evaluatedExpose.allowedOrderByFields : null;
-    const allowOrderByKeys = !evaluatedExpose && exposeConfig ? extractAllowKeys(exposeConfig.allowOrderBy) : null;
-    for (const field of Object.keys(options.orderBy)) {
-      if (hiddenColumns.has(field)) {
-        return { ok: false, error: `Field "${field}" is not sortable` };
-      }
-      if (allowOrderBySet !== null && !allowOrderBySet.has(field)) {
-        return { ok: false, error: `Field "${field}" is not sortable` };
-      }
-      if (allowOrderByKeys !== null && !allowOrderByKeys.includes(field)) {
-        return { ok: false, error: `Field "${field}" is not sortable` };
-      }
-    }
-  }
-  if (options.select) {
-    const exposeSelectKeys = exposeConfig ? extractAllowKeys(exposeConfig.select) : null;
-    for (const field of Object.keys(options.select)) {
-      if (hiddenColumns.has(field)) {
-        return { ok: false, error: `Field "${field}" is not selectable` };
-      }
-      if (exposeSelectKeys !== null && exposeSelectKeys.length > 0 && !exposeSelectKeys.includes(field)) {
-        return { ok: false, error: `Field "${field}" is not selectable` };
-      }
-    }
-  }
-  if (options.include && relationsConfig) {
-    const includeResult = validateInclude(options.include, relationsConfig, "");
-    if (!includeResult.ok)
-      return includeResult;
-  }
-  return { ok: true };
-}
-function validateInclude(include, relationsConfig, pathPrefix) {
-  for (const [relation, requested] of Object.entries(include)) {
-    const entityConfig = relationsConfig[relation];
-    const relationPath = pathPrefix ? `${pathPrefix}.${relation}` : relation;
-    if (entityConfig === undefined || entityConfig === false) {
-      return { ok: false, error: `Relation "${relationPath}" is not exposed` };
-    }
-    if (requested === true)
-      continue;
-    const configObj = typeof entityConfig === "object" ? entityConfig : undefined;
-    if (requested.where) {
-      const allowWhereKeys = extractAllowKeys(configObj?.allowWhere);
-      if (!configObj || allowWhereKeys.length === 0) {
-        return {
-          ok: false,
-          error: `Filtering is not enabled on relation '${relationPath}'. ` + "Add 'allowWhere' to the entity relations config."
-        };
-      }
-      const allowedSet = new Set(allowWhereKeys);
-      for (const field of Object.keys(requested.where)) {
-        if (!allowedSet.has(field)) {
-          return {
-            ok: false,
-            error: `Field '${field}' is not filterable on relation '${relationPath}'. ` + `Allowed: ${allowWhereKeys.join(", ")}`
-          };
-        }
-      }
-    }
-    if (requested.orderBy) {
-      const allowOrderByKeys = extractAllowKeys(configObj?.allowOrderBy);
-      if (!configObj || allowOrderByKeys.length === 0) {
-        return {
-          ok: false,
-          error: `Sorting is not enabled on relation '${relationPath}'. ` + "Add 'allowOrderBy' to the entity relations config."
-        };
-      }
-      const allowedSet = new Set(allowOrderByKeys);
-      for (const [field, dir] of Object.entries(requested.orderBy)) {
-        if (!allowedSet.has(field)) {
-          return {
-            ok: false,
-            error: `Field '${field}' is not sortable on relation '${relationPath}'. ` + `Allowed: ${allowOrderByKeys.join(", ")}`
-          };
-        }
-        if (dir !== "asc" && dir !== "desc") {
-          return {
-            ok: false,
-            error: `Invalid orderBy direction '${String(dir)}' for field '${field}' on relation '${relationPath}'. Must be 'asc' or 'desc'.`
-          };
-        }
-      }
-    }
-    if (requested.limit !== undefined) {
-      if (typeof requested.limit !== "number" || !Number.isFinite(requested.limit)) {
-        return {
-          ok: false,
-          error: `Invalid limit on relation '${relationPath}': must be a finite number`
-        };
-      }
-      if (requested.limit < 0) {
-        requested.limit = 0;
-      }
-      if (configObj?.maxLimit !== undefined && requested.limit > configObj.maxLimit) {
-        requested.limit = configObj.maxLimit;
-      }
-    }
-    if (requested.select && configObj?.select) {
-      for (const field of Object.keys(requested.select)) {
-        if (!(field in configObj.select)) {
-          return {
-            ok: false,
-            error: `Field "${field}" is not exposed on relation "${relationPath}"`
-          };
-        }
-      }
-    }
-    if (requested.include) {
-      if (entityConfig === true) {
-        return {
-          ok: false,
-          error: `Nested includes are not supported on relation '${relationPath}' ` + "without a structured relations config."
-        };
-      }
-    }
-  }
-  return { ok: true };
-}
-
 // src/entity/route-generator.ts
 function jsonResponse(data, status = 200) {
   return new Response(JSON.stringify(data), {
@@ -6940,6 +6960,19 @@ function generateEntityRoutes(def, registry, db, options) {
         try {
           const entityCtx = makeEntityCtx(ctx);
           const body = ctx.body ?? {};
+          if (body.after !== undefined) {
+            if (typeof body.after !== "string") {
+              return jsonResponse({ error: { code: "BadRequest", message: "cursor must be a string" } }, 400);
+            }
+            if (body.after.length > MAX_CURSOR_LENGTH) {
+              return jsonResponse({
+                error: {
+                  code: "BadRequest",
+                  message: `cursor exceeds maximum length of ${MAX_CURSOR_LENGTH}`
+                }
+              }, 400);
+            }
+          }
           const parsed = {
             where: body.where,
             orderBy: body.orderBy,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vertz/server",
-  "version": "0.2.17",
+  "version": "0.2.18",
   "type": "module",
   "license": "MIT",
   "description": "Vertz server runtime — modules, routing, and auth",
@@ -31,10 +31,10 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@vertz/core": "^0.2.16",
-    "@vertz/db": "^0.2.16",
-    "@vertz/errors": "^0.2.16",
-    "@vertz/schema": "^0.2.16",
+    "@vertz/core": "^0.2.17",
+    "@vertz/db": "^0.2.17",
+    "@vertz/errors": "^0.2.17",
+    "@vertz/schema": "^0.2.17",
     "bcryptjs": "^3.0.3",
     "jose": "^6.0.11"
   },