velocious 1.0.452 → 1.0.453

package/README.md

@@ -447,6 +447,7 @@ Frontend-model `where(...)` supports nested relationship descriptors (for exampl
 Frontend-model `joins(...)` supports relationship-object descriptors only (for example `Task.joins({project: {creatingUser: true}})`) and rejects raw SQL join strings.
 Frontend-model `distinct(...)` only accepts booleans (`true` by default) and is applied server-side through the backend query API.
 Frontend-model `pluck(...)` validates attribute/path descriptors against configured model metadata and does not accept SQL fragments.
+Frontend-model query fields are limited to attributes exposed by the backend resource. Use `{name: "attributeName", selectedByDefault: false}` for fields that may be selected or filtered explicitly but should stay out of default payloads.
 
 When backend payloads include `__preloadedRelationships`, nested frontend-model relationships are hydrated recursively. Relationship methods can use `getRelationshipByName("relationship").loaded()` and will throw when a relationship was not preloaded.
 
@@ -546,11 +547,14 @@ For frontend models, configure `resourceConfig().attachments` and use:
 await frontendTask.update({descriptionFile: file})
 const descriptionFile = await frontendTask.descriptionFile().download()
 const descriptionFileUrl = await frontendTask.descriptionFile().url()
+const descriptionFileMetadata = await frontendTask.descriptionFile().first()
+const filesMetadata = await frontendTask.files().toArray()
 await frontendTask.attach(file)
 ```
 
 Frontend model attachment input does not support `{path: ...}`.
 Use `File`/`Blob`/bytes/`contentBase64` payloads instead.
+Attachment metadata is exposed through the built-in `VelociousAttachment` frontend model with safe fields only: `id`, `recordType`, `recordId`, `name`, `position`, `filename`, `contentType`, `byteSize`, `createdAt`, and `updatedAt`. Storage internals such as `driver`, `storageKey`, and `contentBase64` remain hidden and non-queryable. Direct metadata queries require owner filters: `recordType`, `recordId`, and `name`.
 
 When your frontend app calls a backend on another host/port (or under a path prefix), configure transport once:
 
@@ -1002,6 +1006,8 @@ npx velocious g:migration create-tasks
 ```
 
 ## Write a migration
+Implicit `id` primary keys and `references(...)` columns use UUIDs by default. Use an explicit numeric `id` or reference `type` only for legacy schemas or external compatibility.
+
 ```js
 import Migration from "velocious/build/src/database/migration/index.js"
 
@@ -1011,9 +1017,9 @@ export default class CreateEvents extends Migration {
       t.timestamps()
     })
 
-    // UUID primary key
-    await this.createTable("uuid_items", {id: {type: "uuid"}}, (t) => {
-      t.string("title", {null: false})
+    // Legacy numeric primary key
+    await this.createTable("legacy_events", {id: {type: "bigint"}}, (t) => {
+      t.references("task", {type: "bigint"})
       t.timestamps()
     })
 

package/build/database/drivers/mssql/index.js

@@ -203,7 +203,7 @@ export default class VelociousDatabaseDriversMssql extends Base{
    * Runs primary key type.
    * @returns {string} - The primary key type.
    */
-  primaryKeyType() { return "bigint" }
+  primaryKeyType() { return "uuid" }
 
   /**
    * Runs query actual.

package/build/database/drivers/mysql/index.js

@@ -211,7 +211,7 @@ export default class VelociousDatabaseDriversMysql extends Base{
    * Runs primary key type.
    * @returns {string} - The primary key type.
    */
-  primaryKeyType() { return "bigint" }
+  primaryKeyType() { return "uuid" }
 
   /**
    * Runs retryable database error.

package/build/database/drivers/pgsql/index.js

@@ -177,7 +177,7 @@ export default class VelociousDatabaseDriversPgsql extends Base{
   }
 
   getType() { return "pgsql" }
-  primaryKeyType() { return "bigint" }
+  primaryKeyType() { return "uuid" }
 
   /**
    * Runs query actual.

package/build/database/drivers/sqlite/base.js

@@ -269,7 +269,7 @@ export default class VelociousDatabaseDriversSqliteBase extends Base {
    * Runs primary key type.
    * @returns {string} - The type of the primary key for this driver.
    */
-  primaryKeyType() { return "integer" } // Because bigint on SQLite doesn't support auto increment
+  primaryKeyType() { return "uuid" }
 
   /**
    * Runs query to sql.

package/build/database/record/attachments/attachment-record.js

@@ -0,0 +1,121 @@
+// @ts-check
+
+import DatabaseRecord from "../index.js"
+import RecordAttachmentsStore from "./store.js"
+
+const INTEGER_STRING_PATTERN = /^-?\d+$/
+
+/** Frontend-readable metadata row for `velocious_attachments`. */
+export default class VelociousAttachment extends DatabaseRecord {
+  /**
+   * Returns the backing attachment table name.
+   * @returns {string} - Backing attachment table name.
+   */
+  static tableName() {
+    return "velocious_attachments"
+  }
+
+  /**
+   * Ensures the framework-owned attachment table exists before loading metadata.
+   * @param {object} args - Options object.
+   * @param {import("../../../configuration.js").default} args.configuration - Configuration instance.
+   * @returns {Promise<void>} - Resolves when complete.
+   */
+  static async initializeRecord({configuration}) {
+    const store = new RecordAttachmentsStore({
+      configuration,
+      databaseIdentifier: this.getConfiguredDatabaseIdentifier()
+    })
+
+    await store.ensureReady()
+    await super.initializeRecord({configuration})
+  }
+
+  /**
+   * Returns the attachment id.
+   * @returns {string} - Attachment id.
+   */
+  id() { return this.readAttribute("id") }
+
+  /**
+   * Returns the owner model name.
+   * @returns {string} - Owner model name.
+   */
+  recordType() { return this.readAttribute("recordType") }
+
+  /**
+   * Returns the owner record id.
+   * @returns {string} - Owner record id.
+   */
+  recordId() { return this.readAttribute("recordId") }
+
+  /**
+   * Returns the attachment name on the owner model.
+   * @returns {string} - Attachment name on the owner model.
+   */
+  name() { return this.readAttribute("name") }
+
+  /**
+   * Returns the attachment position.
+   * @returns {number} - Attachment position.
+   */
+  position() { return this.readAttribute("position") }
+
+  /**
+   * Returns the attachment filename.
+   * @returns {string} - Attachment filename.
+   */
+  filename() { return this.readAttribute("filename") }
+
+  /**
+   * Returns the attachment content type.
+   * @returns {string | null} - Attachment content type.
+   */
+  contentType() { return this.readAttribute("contentType") }
+
+  /**
+   * Returns the attachment byte size.
+   * @returns {number} - Attachment byte size.
+   */
+  byteSize() { return this.safeIntegerAttribute({attributeName: "byteSize", expectedDescription: "attachment byte size"}) }
+
+  /**
+   * Returns the created-at timestamp in milliseconds.
+   * @returns {number} - Created-at timestamp in milliseconds.
+   */
+  createdAtMs() { return this.safeIntegerAttribute({attributeName: "createdAtMs", expectedDescription: "safe millisecond timestamp"}) }
+
+  /**
+   * Returns the updated-at timestamp in milliseconds.
+   * @returns {number} - Updated-at timestamp in milliseconds.
+   */
+  updatedAtMs() { return this.safeIntegerAttribute({attributeName: "updatedAtMs", expectedDescription: "safe millisecond timestamp"}) }
+
+  /**
+   * Returns a checked integer attribute value.
+   * @param {object} args - Options object.
+   * @param {"byteSize" | "createdAtMs" | "updatedAtMs"} args.attributeName - Integer attribute name.
+   * @param {string} args.expectedDescription - Description for error messages.
+   * @returns {number} - Safe integer value.
+   */
+  safeIntegerAttribute({attributeName, expectedDescription}) {
+    const value = this.readAttribute(attributeName)
+    let integer
+
+    if (typeof value === "number") {
+      integer = value
+    } else if (typeof value === "bigint") {
+      integer = Number(value)
+    } else if (typeof value === "string" && INTEGER_STRING_PATTERN.test(value)) {
+      integer = Number(value)
+    } else {
+      throw new Error(`Expected ${attributeName} to be a ${expectedDescription}`)
+    }
+
+    if (!Number.isSafeInteger(integer)) {
+      throw new Error(`Expected ${attributeName} to be a ${expectedDescription}`)
+    }
+
+    return integer
+  }
+}

package/build/database/record/attachments/store.js

@@ -98,6 +98,8 @@ export default class RecordAttachmentsStore {
 
     this._readyPromise = (async () => {
       await this._withDb(async (db) => {
+        db.clearSchemaCache()
+
         if (await db.tableExists(ATTACHMENTS_TABLE)) {
           await this.ensureAttachmentStoreSchema({db})
           return

package/build/database/table-data/index.js

@@ -188,7 +188,7 @@ export default class TableData {
     const referenceArgs = args || {}
     const reference = new TableReference(name, referenceArgs)
     const {index, polymorphic, ...restArgs} = referenceArgs
-    const columnArgs = Object.assign({isNewColumn: true, type: "bigint"}, restArgs)
+    const columnArgs = Object.assign({isNewColumn: true, type: "uuid"}, restArgs)
     const column = new TableColumn(columnName, columnArgs)
     const indexArgs = typeof index == "object" ? {unique: index.unique === true} : undefined
     const tableIndex = new TableIndex([column], indexArgs)

package/build/environment-handlers/node/cli/commands/generate/frontend-models.js

@@ -2,7 +2,8 @@ import BaseCommand from "../../../../../cli/base-command.js"
 import fs from "fs/promises"
 import path from "node:path"
 import * as inflection from "inflection"
-import {frontendModelResourceClassFromDefinition, frontendModelResourceConfigurationFromDefinition, frontendModelResourcesForBackendProject} from "../../../../../frontend-models/resource-definition.js"
+import {frontendModelResourceIsBuiltIn, frontendModelResourcesWithBuiltInsForBackendProject} from "../../../../../frontend-models/built-in-resources.js"
+import {frontendModelResourceClassFromDefinition, frontendModelResourceConfigurationFromDefinition} from "../../../../../frontend-models/resource-definition.js"
 
 /**
  * Attribute metadata used for generated frontend-model JSDoc.
@@ -110,6 +111,10 @@ export default class DbGenerateFrontendModels extends BaseCommand {
         this.validateModelConfig({availableFrontendModelClassNames, className, modelConfig, resourceClass})
 
         if (generatedModelNames.has(className)) {
+          if (frontendModelResourceIsBuiltIn({modelName: modelClassName, resourceDefinition: resources[modelClassName]})) {
+            continue
+          }
+
           throw new Error(`Duplicate frontend model definition for '${className}'`)
         }
 
@@ -191,7 +196,7 @@ export default class DbGenerateFrontendModels extends BaseCommand {
    * @returns {Record<string, import("../../../../../configuration-types.js").FrontendModelResourceDefinition>} - Resource definitions keyed by model class name.
    */
   resourcesForBackendProject(backendProject) {
-    return frontendModelResourcesForBackendProject(backendProject)
+    return frontendModelResourcesWithBuiltInsForBackendProject(backendProject)
   }
 
   /**

package/build/frontend-model-controller.js

@@ -2,8 +2,10 @@
 
 import * as inflection from "inflection"
 import Controller from "./controller.js"
+import FrontendModelBaseResource from "./frontend-model-resource/base-resource.js"
 import Response from "./http-server/client/response.js"
-import {frontendModelResourceClassFromDefinition, frontendModelResourceConfigurationFromDefinition, frontendModelResourcePath, frontendModelResourcesForBackendProject} from "./frontend-models/resource-definition.js"
+import {frontendModelResourcesWithBuiltInsForBackendProject} from "./frontend-models/built-in-resources.js"
+import {frontendModelResourceClassFromDefinition, frontendModelResourceConfigurationFromDefinition, frontendModelResourcePath} from "./frontend-models/resource-definition.js"
 import {normalizeGroup as normalizeQueryGroup, normalizeJoins as normalizeQueryJoins, normalizePluck as normalizeQueryPluck, normalizePreload as normalizeQueryPreload, normalizeSearchOperator as normalizeQuerySearchOperator, normalizeSort as normalizeQuerySort} from "./frontend-models/query.js"
 import {assignSafeProperty, deserializeFrontendModelTransportValue, isBackendModelInstance, serializeFrontendModelTransportValue} from "./frontend-models/transport-serialization.js"
 import RoutesResolver from "./routes/resolver.js"
@@ -679,7 +681,7 @@ export default class FrontendModelController extends Controller {
     const backendProjects = this.getConfiguration().getBackendProjects()
 
     for (const backendProject of backendProjects) {
-      const resources = frontendModelResourcesForBackendProject(backendProject)
+      const resources = frontendModelResourcesWithBuiltInsForBackendProject(backendProject)
 
       if (modelName && modelName.length > 0 && resources[modelName]) {
         const resourceDefinition = resources[modelName]
@@ -733,7 +735,7 @@ export default class FrontendModelController extends Controller {
    * @returns {{backendProject: import("./configuration-types.js").BackendProjectConfiguration, modelName: string, resourceClass: import("./configuration-types.js").FrontendModelResourceClassType, resourceConfiguration: import("./configuration-types.js").NormalizedFrontendModelResourceConfiguration} | null} - Frontend model resource configuration for model name.
    */
   frontendModelResourceConfigurationForBackendProjectModelName({backendProject, modelName}) {
-    const resources = frontendModelResourcesForBackendProject(backendProject)
+    const resources = frontendModelResourcesWithBuiltInsForBackendProject(backendProject)
     const resourceDefinition = resources[modelName]
 
     if (!resourceDefinition) return null
@@ -1027,16 +1029,31 @@ export default class FrontendModelController extends Controller {
   }
 
   /**
-   * Runs frontend model authorized query.
+   * Runs frontend model ability authorized query.
    * @param {"index" | "find" | "create" | "update" | "destroy" | "attach" | "download" | "url"} action - Frontend action.
    * @returns {import("./database/query/model-class-query.js").default<typeof import("./database/record/index.js").default>} - Authorized query for the action.
    */
-  frontendModelAuthorizedQuery(action) {
+  frontendModelAbilityAuthorizedQuery(action) {
     const abilityAction = this.frontendModelAbilityAction(action)
 
     return this.frontendModelClass().accessibleFor(abilityAction, this.currentAbility())
   }
 
+  /**
+   * Runs frontend model authorized query.
+   * @param {"index" | "find" | "create" | "update" | "destroy" | "attach" | "download" | "url"} action - Frontend action.
+   * @returns {import("./database/query/model-class-query.js").default<typeof import("./database/record/index.js").default>} - Authorized query for the action.
+   */
+  frontendModelAuthorizedQuery(action) {
+    const resource = this.frontendModelResourceInstance()
+
+    if (resource.authorizedQuery !== FrontendModelBaseResource.prototype.authorizedQuery) {
+      return resource.authorizedQuery(action)
+    }
+
+    return this.frontendModelAbilityAuthorizedQuery(action)
+  }
+
   /**
    * Runs frontend model primary key value.
    * @param {import("./database/record/index.js").default} model - Model instance.
@@ -1638,7 +1655,11 @@ export default class FrontendModelController extends Controller {
         modelClass,
         path: pluckEntry.path
       })
-      const columnName = this.resolveFrontendModelColumnName(targetModelClass, pluckEntry.column)
+      const columnName = this.resolveFrontendModelQueryableColumnName({
+        attributeName: pluckEntry.column,
+        modelClass: targetModelClass,
+        operationName: "pluck"
+      })
 
       if (!columnName) {
         throw new Error(`Unknown pluck column "${pluckEntry.column}" for ${targetModelClass.name}`)
@@ -1717,7 +1738,11 @@ export default class FrontendModelController extends Controller {
       modelClass,
       path: search.path
     })
-    const columnName = this.resolveFrontendModelColumnName(targetModelClass, search.column)
+    const columnName = this.resolveFrontendModelQueryableColumnName({
+      attributeName: search.column,
+      modelClass: targetModelClass,
+      operationName: "search"
+    })
 
     if (!columnName) {
       throw new Error(`Unknown search column "${search.column}" for ${targetModelClass.name}`)
@@ -1895,6 +1920,110 @@ export default class FrontendModelController extends Controller {
     }
   }
 
+  /**
+   * Runs frontend model exposed attribute names for model class.
+   * @param {typeof import("./database/record/index.js").default} modelClass - Model class.
+   * @returns {Set<string> | null} - Exposed attribute names, or null when no resource metadata is available.
+   */
+  frontendModelExposedAttributeNamesForModelClass(modelClass) {
+    const frontendModelResource = this.frontendModelResourceConfigurationForModelClass(modelClass)
+    const attributes = frontendModelResource?.resourceConfiguration.attributes
+
+    if (!attributes) return null
+
+    if (Array.isArray(attributes)) {
+      const attributeNames = attributes
+        .map((entry) => {
+          if (typeof entry === "string") return entry
+          if (!entry || typeof entry !== "object") return null
+
+          const name = /**
+                        * Types the following value.
+                        * @type {Record<string, ?>} */ (entry).name
+
+          return typeof name === "string" && name.length > 0 ? name : null
+        })
+        .filter((entry) => typeof entry === "string")
+
+      return new Set(attributeNames)
+    }
+
+    if (typeof attributes === "object") {
+      return new Set(Object.keys(attributes))
+    }
+
+    return null
+  }
+
+  /**
+   * Resolves a frontend-supplied key to its canonical model attribute name.
+   * @param {typeof import("./database/record/index.js").default} modelClass - Model class.
+   * @param {string} key - Frontend key or raw column key.
+   * @returns {string | null} - Canonical attribute name.
+   */
+  frontendModelAttributeNameForKey(modelClass, key) {
+    const resolvedAttributeName = modelClass.resolveAttributeName(key)
+
+    if (resolvedAttributeName) return resolvedAttributeName
+
+    const columnAttributeName = modelClass.getColumnNameToAttributeNameMap()[key]
+
+    return columnAttributeName || null
+  }
+
+  /**
+   * Checks if a frontend-supplied attribute is exposed by the resource.
+   * @param {object} args - Args.
+   * @param {string} args.attributeName - Requested attribute name.
+   * @param {typeof import("./database/record/index.js").default} args.modelClass - Model class.
+   * @returns {boolean} - Whether the resource permits the attribute.
+   */
+  frontendModelAttributeIsExposed({attributeName, modelClass}) {
+    const exposedAttributeNames = this.frontendModelExposedAttributeNamesForModelClass(modelClass)
+
+    if (!exposedAttributeNames) return true
+
+    return exposedAttributeNames.has(attributeName)
+  }
+
+  /**
+   * Validates a selected frontend-model attribute list against resource metadata.
+   * @param {object} args - Args.
+   * @param {string[]} args.attributeNames - Selected attribute names.
+   * @param {typeof import("./database/record/index.js").default} args.modelClass - Model class.
+   * @param {"select" | "selectsExtra"} args.operationName - Selection operation.
+   * @returns {string[]} - Validated selected attribute names.
+   */
+  validateFrontendModelSelectedAttributes({attributeNames, modelClass, operationName}) {
+    for (const attributeName of attributeNames) {
+      if (this.frontendModelAttributeIsExposed({attributeName, modelClass})) continue
+
+      throw new Error(`Unknown ${operationName} attribute "${attributeName}" for ${modelClass.name}`)
+    }
+
+    return attributeNames
+  }
+
+  /**
+   * Resolves a user-queryable frontend attribute to a database column.
+   * @param {object} args - Args.
+   * @param {string} args.attributeName - Requested attribute name.
+   * @param {typeof import("./database/record/index.js").default} args.modelClass - Model class.
+   * @param {"group" | "pluck" | "search" | "sort" | "where"} args.operationName - Query operation.
+   * @returns {string | undefined} - Resolved column name.
+   */
+  resolveFrontendModelQueryableColumnName({attributeName, modelClass, operationName}) {
+    void operationName
+
+    const resolvedAttributeName = this.frontendModelAttributeNameForKey(modelClass, attributeName)
+
+    if (resolvedAttributeName && !this.frontendModelAttributeIsExposed({attributeName: resolvedAttributeName, modelClass})) {
+      return undefined
+    }
+
+    return this.resolveFrontendModelColumnName(modelClass, attributeName)
+  }
+
   /**
    * Resolves a key that may be either a camelCase attribute name or a raw DB
    * column name to its canonical column name.  Returns `undefined` when the
@@ -1925,7 +2054,11 @@ export default class FrontendModelController extends Controller {
    */
   applyFrontendModelWhereForPath({modelClass, path, query, where}) {
     for (const [attributeName, value] of Object.entries(where)) {
-      const columnName = this.resolveFrontendModelColumnName(modelClass, attributeName)
+      const columnName = this.resolveFrontendModelQueryableColumnName({
+        attributeName,
+        modelClass,
+        operationName: "where"
+      })
 
       if (columnName) {
         this.ensureFrontendModelJoinPath({path, query})
@@ -2049,7 +2182,11 @@ export default class FrontendModelController extends Controller {
       modelClass,
       path: group.path
     })
-    const columnName = this.resolveFrontendModelColumnName(targetModelClass, group.column)
+    const columnName = this.resolveFrontendModelQueryableColumnName({
+      attributeName: group.column,
+      modelClass: targetModelClass,
+      operationName: "group"
+    })
 
     if (!columnName) {
       throw new Error(`Unknown group column "${group.column}" for ${targetModelClass.name}`)
@@ -2162,7 +2299,11 @@ export default class FrontendModelController extends Controller {
     const translatedAttributeNames = Object.keys(translatedAttributesMap)
     const isTranslatedSortAttribute = translatedAttributeNames.includes(sort.column)
 
-    const columnName = this.resolveFrontendModelColumnName(targetModelClass, sort.column)
+    const columnName = this.resolveFrontendModelQueryableColumnName({
+      attributeName: sort.column,
+      modelClass: targetModelClass,
+      operationName: "sort"
+    })
     const direction = sort.direction.toUpperCase()
 
     if (isTranslatedSortAttribute) {
@@ -2239,7 +2380,15 @@ export default class FrontendModelController extends Controller {
 
     if (!select) return null
 
-    return select[modelClass.getModelName()] || null
+    const selectedAttributes = select[modelClass.getModelName()] || null
+
+    if (!selectedAttributes) return null
+
+    return this.validateFrontendModelSelectedAttributes({
+      attributeNames: selectedAttributes,
+      modelClass,
+      operationName: "select"
+    })
   }
 
   /**
@@ -2252,7 +2401,15 @@ export default class FrontendModelController extends Controller {
 
     if (!selectsExtra) return null
 
-    return selectsExtra[modelClass.getModelName()] || null
+    const extraAttributes = selectsExtra[modelClass.getModelName()] || null
+
+    if (!extraAttributes) return null
+
+    return this.validateFrontendModelSelectedAttributes({
+      attributeNames: extraAttributes,
+      modelClass,
+      operationName: "selectsExtra"
+    })
   }
 
   /**
@@ -2319,42 +2476,6 @@ export default class FrontendModelController extends Controller {
     return null
   }
 
-  /**
-   * Runs frontend model non default attributes for model class.
-   * @param {typeof import("./database/record/index.js").default} modelClass - Model class.
-   * @returns {string[]} - Attribute names explicitly marked selectedByDefault: false.
-   */
-  frontendModelNonDefaultAttributesForModelClass(modelClass) {
-    const frontendModelResource = this.frontendModelResourceConfigurationForModelClass(modelClass)
-    const attributes = frontendModelResource?.resourceConfiguration.attributes
-
-    if (!attributes) return []
-
-    if (Array.isArray(attributes)) {
-      return attributes
-        .filter((entry) => {
-          if (typeof entry !== "object" || !entry) return false
-
-          return /** @type {Record<string, ?>} */ (entry).selectedByDefault === false
-        })
-        .map((entry) => /**
-                         * Types the following value.
-                         * @type {Record<string, ?>} */ (/**
-                                                         * Types the following value.
-                                                         * @type {?} */ (entry)).name)
-    }
-
-    if (typeof attributes === "object") {
-      return Object.entries(attributes)
-        .filter(([, config]) => typeof config === "object" && config && /**
-                                                                         * Types the following value.
-                                                                         * @type {Record<string, ?>} */ (config).selectedByDefault === false)
-        .map(([name]) => name)
-    }
-
-    return []
-  }
-
   /**
    * Runs serialize frontend model attributes.
    * @param {import("./database/record/index.js").default} model - Model instance.
@@ -2452,12 +2573,10 @@ export default class FrontendModelController extends Controller {
         return modelAttributes
       }
 
-      const excludedAttributes = this.frontendModelNonDefaultAttributesForModelClass(modelClass)
-      const serializedAttributes = {...modelAttributes}
-
-      for (const excludedName of excludedAttributes) {
-        delete serializedAttributes[excludedName]
-      }
+      /**
+       * Serialized attributes.
+       * @type {Record<string, ?>} */
+      const serializedAttributes = {}
 
       for (const attributeName of defaultAttributes) {
         if (!attributeExists(attributeName)) continue
@@ -2499,7 +2618,7 @@ export default class FrontendModelController extends Controller {
                             * @type {typeof import("./database/record/index.js").default} */ (model.constructor).getModelName()
 
     for (const backendProject of backendProjects) {
-      const resources = frontendModelResourcesForBackendProject(backendProject)
+      const resources = frontendModelResourcesWithBuiltInsForBackendProject(backendProject)
       const resourceDefinition = resources[modelClassName]
       const resourceClass = resourceDefinition ? frontendModelResourceClassFromDefinition(resourceDefinition) : null
 

package/build/frontend-model-resource/base-resource.js

@@ -14,6 +14,7 @@ import isPlainObject from "../utils/plain-object.js"
  * @typedef {import("../controller.js").default & {
  *   currentAbility: () => import("../authorization/ability.js").default | undefined,
  *   frontendModelAbilityAction: (action: FrontendModelResourceAction) => string,
+ *   frontendModelAbilityAuthorizedQuery: (action: FrontendModelResourceAction) => import("../database/query/model-class-query.js").default<typeof import("../database/record/index.js").default>,
  *   frontendModelAuthorizedQuery: (action: FrontendModelResourceAction) => import("../database/query/model-class-query.js").default<typeof import("../database/record/index.js").default>,
  *   frontendModelIndexQuery: () => import("../database/query/model-class-query.js").default<typeof import("../database/record/index.js").default>,
  *   frontendModelParams: () => import("../configuration-types.js").VelociousParams,
@@ -393,7 +394,7 @@ export default class FrontendModelBaseResource extends AuthorizationBaseResource
    */
   authorizedQuery(action) {
     // Narrows the controller query to this resource's model class.
-    return /** @type {import("../database/query/model-class-query.js").default<TModelClass>} */ (this.typedControllerInstance().frontendModelAuthorizedQuery(action))
+    return /** @type {import("../database/query/model-class-query.js").default<TModelClass>} */ (this.typedControllerInstance().frontendModelAbilityAuthorizedQuery(action))
   }