statezero 0.1.0b11__tar.gz → 0.1.0b22__tar.gz

{statezero-0.1.0b11 → statezero-0.1.0b22}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: statezero
-Version: 0.1.0b11
+Version: 0.1.0b22
 Summary: Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity.
 Author-email: Robert <robert.herring@statezero.dev>
 Project-URL: homepage, https://www.statezero.dev

{statezero-0.1.0b11 → statezero-0.1.0b22}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "statezero"
-version = "0.1.0b11"
+version = "0.1.0b22"
 description = "Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity."
 readme = "README.md"
 license = { file = "LICENSE" }

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/adaptors/django/actions.py

@@ -48,6 +48,13 @@ class DjangoActionSchemaGenerator:
                 action_config["response_serializer"]
             )
 
+            # Serialize display metadata if present
+            display_data = None
+            if action_config.get("display"):
+                display_data = DjangoActionSchemaGenerator._serialize_display_metadata(
+                    action_config["display"]
+                )
+
             schema_info = {
                 "action_name": action_name,
                 "app": app_name,
@@ -62,6 +69,7 @@ class DjangoActionSchemaGenerator:
                 "permissions": [
                     perm.__name__ for perm in action_config.get("permissions", [])
                 ],
+                "display": display_data,
             }
             actions_schema[action_name] = schema_info
 
@@ -117,6 +125,14 @@ class DjangoActionSchemaGenerator:
                 return "string"
             return "integer"
 
+        # Handle nested serializers (many=True creates a ListSerializer)
+        if isinstance(field, serializers.ListSerializer):
+            return "array"
+
+        # Handle nested serializers (single nested serializer)
+        if isinstance(field, serializers.Serializer):
+            return "object"
+
         type_mapping = {
             fields.BooleanField: "boolean",
             fields.CharField: "string",
@@ -212,4 +228,21 @@ class DjangoActionSchemaGenerator:
                 "class_name": model.__name__,
                 "primary_key_field": model._meta.pk.name,
             }
+        return None
+
+    @staticmethod
+    def _serialize_display_metadata(display):
+        """Convert DisplayMetadata dataclass to dict for JSON serialization"""
+        from dataclasses import asdict, is_dataclass
+
+        if display is None:
+            return None
+
+        if is_dataclass(display):
+            return asdict(display)
+
+        # If it's already a dict, return as-is
+        if isinstance(display, dict):
+            return display
+
         return None

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/adaptors/django/extensions/custom_field_serializers/money_field.py

@@ -15,6 +15,14 @@ class MoneyFieldSerializer(serializers.Field):
         self.decimal_places = kwargs.pop("decimal_places", 2)
         super().__init__(**kwargs)
 
+    @classmethod
+    def get_prefetch_db_fields(cls, field_name: str):
+        """
+        Return all database fields required for this field to serialize.
+        MoneyField creates two database columns: field_name and field_name_currency.
+        """
+        return [field_name, f"{field_name}_currency"]
+
     def to_representation(self, value):
         djmoney_field = MoneyField(
             max_digits=self.max_digits, decimal_places=self.decimal_places

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/adaptors/django/orm.py

@@ -258,6 +258,26 @@ class DjangoORMAdapter(AbstractORMProvider):
             fields_map=fields_map,
         )
 
+    def bulk_create(
+        self,
+        model: Type[models.Model],
+        data_list: List[Dict[str, Any]],
+        serializer,
+        req,
+        fields_map,
+    ) -> List[models.Model]:
+        """Create multiple model instances using Django's bulk_create."""
+        # Create instances without saving to DB yet
+        instances = [model(**data) for data in data_list]
+
+        # Use Django's bulk_create for efficiency
+        created_instances = model.objects.bulk_create(instances)
+
+        # Emit bulk create event for cache invalidation and frontend notification
+        config.event_bus.emit_bulk_event(ActionType.BULK_CREATE, created_instances)
+
+        return created_instances
+
     def update_instance(
         self,
         model: Type[models.Model],
@@ -750,19 +770,15 @@ class DjangoORMAdapter(AbstractORMProvider):
         req: RequestType,
         model: Type,
         initial_ast: Dict[str, Any],
-        custom_querysets: Dict[str, Type[AbstractCustomQueryset]],
         registered_permissions: List[Type[AbstractPermission]],
     ) -> Any:
         """Assemble and return the base QuerySet for the given model."""
-        custom_name = initial_ast.get("custom_queryset")
-        if custom_name and custom_name in custom_querysets:
-            custom_queryset_class = custom_querysets[custom_name]
-            return custom_queryset_class().get_queryset(req)
         return model.objects.all()
 
     def get_fields(self, model: models.Model) -> Set[str]:
         """
         Return a set of the model fields.
+        Includes both database fields and additional_fields (computed fields).
         """
         model_config = registry.get_config(model)
         if model_config.fields and "__all__" != model_config.fields:
@@ -775,6 +791,14 @@ class DjangoORMAdapter(AbstractORMProvider):
             resolved_fields = resolved_fields.union(additional_fields)
         return resolved_fields
 
+    def get_db_fields(self, model: models.Model) -> Set[str]:
+        """
+        Return only actual database fields for the model.
+        Excludes read-only additional_fields (computed fields).
+        Used for deserialization - hooks can write to any DB field.
+        """
+        return set(field.name for field in model._meta.get_fields())
+
     def build_model_graph(
         self, model: Type[models.Model], model_graph: nx.DiGraph = None
     ) -> nx.DiGraph:

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/adaptors/django/permissions.py

@@ -25,6 +25,7 @@ class AllowAllPermission(AbstractPermission):
             ActionType.DELETE,
             ActionType.READ,
             ActionType.UPDATE,
+            ActionType.BULK_CREATE,
         }
 
     def allowed_object_actions(self, request, obj, model: Type[ORMModel]) -> Set[ActionType]:  # type: ignore
@@ -33,6 +34,7 @@ class AllowAllPermission(AbstractPermission):
             ActionType.DELETE,
             ActionType.READ,
             ActionType.UPDATE,
+            ActionType.BULK_CREATE,
         }
     
     def _get_user_fields(self) -> Set[str]:
@@ -74,6 +76,7 @@ class IsAuthenticatedPermission(AbstractPermission):
             ActionType.DELETE,
             ActionType.READ,
             ActionType.UPDATE,
+            ActionType.BULK_CREATE,
         }
 
     def allowed_object_actions(
@@ -86,6 +89,7 @@ class IsAuthenticatedPermission(AbstractPermission):
             ActionType.DELETE,
             ActionType.READ,
             ActionType.UPDATE,
+            ActionType.BULK_CREATE,
         }
     
     def _get_user_fields(self) -> Set[str]:
@@ -134,6 +138,7 @@ class IsStaffPermission(AbstractPermission):
             ActionType.DELETE,
             ActionType.READ,
             ActionType.UPDATE,
+            ActionType.BULK_CREATE,
         }
 
     def allowed_object_actions(
@@ -146,6 +151,7 @@ class IsStaffPermission(AbstractPermission):
             ActionType.DELETE,
             ActionType.READ,
             ActionType.UPDATE,
+            ActionType.BULK_CREATE,
         }
     
     def _get_user_fields(self) -> Set[str]:

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/adaptors/django/query_optimizer.py

@@ -477,7 +477,34 @@ def optimize_query(queryset, fields=None, fields_map=None, depth=0, use_only=Tru
             related_fields_to_fetch = set()
 
             if fields_map and related_model_name in fields_map:
-                related_fields_to_fetch.update(fields_map[related_model_name])
+                # Process each field, checking for custom serializers
+                from statezero.adaptors.django.serializers import get_custom_serializer
+                related_meta = _get_model_meta(related_model)
+                for field_name in fields_map[related_model_name]:
+                    try:
+                        field_obj = related_meta.get_field(field_name)
+                        if not field_obj.is_relation:
+                            # Check if this field has a custom serializer with explicit DB field requirements
+                            custom_serializer = get_custom_serializer(field_obj.__class__)
+                            if custom_serializer and hasattr(custom_serializer, 'get_prefetch_db_fields'):
+                                # Use the explicit list from the custom serializer
+                                db_fields = custom_serializer.get_prefetch_db_fields(field_name)
+                                for db_field in db_fields:
+                                    related_fields_to_fetch.add(db_field)
+                                logger.debug(f"Using custom DB fields {db_fields} for field '{field_name}' in {related_model_name}")
+                            else:
+                                # No custom serializer, just add the field itself
+                                related_fields_to_fetch.add(field_name)
+                        else:
+                            # Relation field, add as-is
+                            related_fields_to_fetch.add(field_name)
+                    except FieldDoesNotExist:
+                        # Field doesn't exist, add it anyway (might be computed)
+                        related_fields_to_fetch.add(field_name)
+                    except Exception as e:
+                        logger.error(f"Error checking custom serializer for field '{field_name}' in {related_model_name}: {e}")
+                        # On error, add the field anyway to be safe
+                        related_fields_to_fetch.add(field_name)
             else:
                 # If no field restrictions are provided, get all fields
                 all_fields = [f.name for f in related_model._meta.get_fields() if f.concrete]
@@ -531,7 +558,18 @@ def optimize_query(queryset, fields=None, fields_map=None, depth=0, use_only=Tru
                     try:
                         field_obj = root_meta.get_field(field_name)
                         if not field_obj.is_relation:
-                           root_fields_to_fetch.add(field_name)
+                           # Check if this field has a custom serializer with explicit DB field requirements
+                           from statezero.adaptors.django.serializers import get_custom_serializer
+                           custom_serializer = get_custom_serializer(field_obj.__class__)
+                           if custom_serializer and hasattr(custom_serializer, 'get_prefetch_db_fields'):
+                               # Use the explicit list from the custom serializer
+                               db_fields = custom_serializer.get_prefetch_db_fields(field_name)
+                               for db_field in db_fields:
+                                   root_fields_to_fetch.add(db_field)
+                               logger.debug(f"Using custom DB fields {db_fields} for field '{field_name}'")
+                           else:
+                               # No custom serializer, just add the field itself
+                               root_fields_to_fetch.add(field_name)
                         elif isinstance(field_obj, (ForeignKey, OneToOneField)):
                              # If FK/O2O itself is requested directly, include its id field
                              root_fields_to_fetch.add(field_obj.attname)

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/adaptors/django/schemas.py

@@ -127,6 +127,11 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
         if hasattr(model._meta, "ordering") and model._meta.ordering:
             default_ordering = list(model._meta.ordering)
 
+        # Serialize display metadata if present
+        display_data = None
+        if model_config.display:
+            display_data = self._serialize_display_metadata(model_config.display)
+
         schema_meta = ModelSchemaMetadata(
             model_name=config.orm_provider.get_model_name(model),
             title=model._meta.verbose_name.title(),
@@ -153,6 +158,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
             time_format=getattr(settings, "REST_FRAMEWORK", {}).get(
                 "TIME_FORMAT", "iso-8601"
             ),
+            display=display_data,
         )
         return schema_meta
 
@@ -172,6 +178,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
                 nullable=False,
                 format=FieldFormat.ID,
                 description=description,
+                read_only=True,
             )
         elif isinstance(field, models.UUIDField):
             return SchemaFieldMetadata(
@@ -181,6 +188,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
                 nullable=False,
                 format=FieldFormat.UUID,
                 description=description,
+                read_only=True,
             )
         elif isinstance(field, models.CharField):
             return SchemaFieldMetadata(
@@ -191,6 +199,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
                 format=FieldFormat.ID,
                 max_length=field.max_length,
                 description=description,
+                read_only=True,
             )
         else:
             return SchemaFieldMetadata(
@@ -200,6 +209,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
                 nullable=False,
                 format=FieldFormat.ID,
                 description=description,
+                read_only=True,
             )
 
     def get_field_metadata(
@@ -250,6 +260,9 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
         elif isinstance(field, models.DateField):
             field_type = FieldType.STRING
             field_format = FieldFormat.DATE
+        elif isinstance(field, models.TimeField):
+            field_type = FieldType.STRING
+            field_format = FieldFormat.TIME
         elif isinstance(field, (models.ForeignKey, models.OneToOneField)):
             field_type = self.get_pk_type(field)
             field_format = self.get_relation_type(field)
@@ -280,6 +293,12 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
         elif callable(default):
             default = default()
 
+        # Check if field should be read-only (auto_now or auto_now_add)
+        read_only = False
+        if isinstance(field, (models.DateTimeField, models.DateField, models.TimeField)):
+            if getattr(field, "auto_now", False) or getattr(field, "auto_now_add", False):
+                read_only = True
+
         return SchemaFieldMetadata(
             type=field_type,
             title=title,
@@ -293,6 +312,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
             max_digits=max_digits,
             decimal_places=decimal_places,
             description=description,
+            read_only=read_only,
         )
 
     def get_field_title(self, field: models.Field) -> str:
@@ -303,8 +323,7 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
     @staticmethod
     def is_field_required(field: models.Field) -> bool:
         return (
-            not field.blank
-            and not field.null
+            not field.null
             and field.default == models.fields.NOT_PROVIDED
         )
 
@@ -322,3 +341,20 @@ class DjangoSchemaGenerator(AbstractSchemaGenerator):
         if isinstance(target_field, (models.UUIDField, models.CharField)):
             return FieldType.STRING
         return FieldType.INTEGER
+
+    @staticmethod
+    def _serialize_display_metadata(display) -> Dict[str, Any]:
+        """Convert DisplayMetadata dataclass to dict for JSON serialization"""
+        from dataclasses import asdict, is_dataclass
+
+        if display is None:
+            return None
+
+        if is_dataclass(display):
+            return asdict(display)
+
+        # If it's already a dict, return as-is
+        if isinstance(display, dict):
+            return display
+
+        return None

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/adaptors/django/serializers.py

@@ -6,7 +6,8 @@ from rest_framework import serializers
 import contextvars
 from contextlib import contextmanager
 import logging
-from cytoolz import pluck
+from cytoolz import pluck, keyfilter
+from cytoolz.functoolz import thread_first
 from zen_queries import queries_disabled
 
 from statezero.adaptors.django.config import config, registry
@@ -476,41 +477,78 @@ class DRFDynamicSerializer(AbstractDataSerializer):
     def deserialize(
         self,
         model: Type[models.Model],
-        data: Dict[str, Any],
+        data: Union[Dict[str, Any], List[Dict[str, Any]]],
         fields_map: Optional[Dict[str, Set[str]]],
         partial: bool = False,
         request: Optional[RequestType] = None,
-    ) -> Dict[str, Any]:
+        many: bool = False,
+    ) -> Union[Dict[str, Any], List[Dict[str, Any]]]:
         # Serious security issue if fields_map is None
         assert fields_map is not None, "fields_map is required and cannot be None"
 
-        # Use the context manager for the duration of deserialization
-        with fields_map_context(fields_map):
-            # Create serializer class
-            serializer_class = DynamicModelSerializer.for_model(model)
-            available_fields = set(serializer_class().fields.keys())
+        # Get model name and allowed fields from fields_map
+        model_name = config.orm_provider.get_model_name(model)
+        allowed_fields = fields_map.get(model_name, set())
 
-            try:
-                model_config = registry.get_config(model)
-                if model_config.pre_hooks:
-                    for hook in model_config.pre_hooks:
-                        hook_result = hook(data, request=request)
-                        if settings.DEBUG:
-                            data = _check_pre_hook_result(
-                                original_data=data,
-                                result_data=hook_result,
-                                model=model,
-                                serializer_fields=available_fields
-                            )
-                        else:
-                            data = hook_result or data
-            except ValueError:
-                # No model config available
-                model_config = None
+        # Filter user input to only allowed fields (security boundary)
+        if many:
+            data = [dict(keyfilter(lambda k: k in allowed_fields, item)) for item in data]
+        else:
+            data = dict(keyfilter(lambda k: k in allowed_fields, data))
+
+        try:
+            model_config = registry.get_config(model)
+        except ValueError:
+            # No model config available
+            model_config = None
+
+        # Run pre-hooks on filtered data (hooks can add any DB fields)
+        if model_config and model_config.pre_hooks:
+            # Wrap hooks with validation in DEBUG mode
+            if settings.DEBUG:
+                # Get all DB fields for validation
+                all_db_fields = config.orm_provider.get_db_fields(model)
+
+                def make_validated_pre_hook(hook):
+                    def validated_hook(data, request=None):
+                        original_data = data
+                        result = hook(data, request=request)
+                        return _check_pre_hook_result(
+                            original_data=original_data,
+                            result_data=result,
+                            model=model,
+                            serializer_fields=all_db_fields
+                        )
+                    return validated_hook
+                hook_funcs = [(make_validated_pre_hook(hook), request) for hook in model_config.pre_hooks]
+            else:
+                hook_funcs = [(hook, request) for hook in model_config.pre_hooks]
+
+            if many:
+                data = [thread_first(item, *hook_funcs) for item in data]
+            else:
+                data = thread_first(data, *hook_funcs)
+
+        # Expand fields_map to include fields that hooks may have added
+        # For partial updates, only include allowed_fields + any fields in the data
+        # This prevents validation errors on required fields that were filtered out
+        if partial:
+            # For partial updates: only include fields that are either allowed or in the data
+            expanded_fields = allowed_fields | set(data.keys())
+        else:
+            # For creates: include all DB fields to allow hooks to add any field
+            expanded_fields = config.orm_provider.get_db_fields(model)
+        expanded_fields_map = {model_name: expanded_fields}
+
+        # Use the context manager with expanded fields map
+        with fields_map_context(expanded_fields_map):
+            # Create serializer class with all DB fields available
+            serializer_class = DynamicModelSerializer.for_model(model)
 
             # Create serializer
             serializer = serializer_class(
-                data=data, 
+                data=data,
+                many=many,
                 partial=partial,
                 request=request
             )
@@ -518,16 +556,26 @@ class DRFDynamicSerializer(AbstractDataSerializer):
             validated_data = serializer.validated_data
 
             if model_config and model_config.post_hooks:
-                for hook in model_config.post_hooks:
-                    hook_result = hook(validated_data, request=request)
-                    if settings.DEBUG:
-                        validated_data = _check_post_hook_result(
-                            original_data=validated_data,
-                            result_data=hook_result,
-                            model=model
-                        )
-                    else:
-                        validated_data = hook_result or validated_data
+                # Wrap hooks with validation in DEBUG mode
+                if settings.DEBUG:
+                    def make_validated_hook(hook):
+                        def validated_hook(data, request=None):
+                            original_data = data
+                            result = hook(data, request=request)
+                            return _check_post_hook_result(
+                                original_data=original_data,
+                                result_data=result,
+                                model=model
+                            )
+                        return validated_hook
+                    hook_funcs = [(make_validated_hook(hook), request) for hook in model_config.post_hooks]
+                else:
+                    hook_funcs = [(hook, request) for hook in model_config.post_hooks]
+
+                if many:
+                    validated_data = [thread_first(item, *hook_funcs) for item in validated_data]
+                else:
+                    validated_data = thread_first(validated_data, *hook_funcs)
 
             return validated_data
 

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/adaptors/django/urls.py

@@ -1,6 +1,6 @@
 from django.urls import path
 
-from .views import EventsAuthView, ModelListView, ModelView, SchemaView, FileUploadView, FastUploadView, ActionSchemaView, ActionView, ValidateView
+from .views import EventsAuthView, ModelListView, ModelView, SchemaView, FileUploadView, FastUploadView, ActionSchemaView, ActionView, ValidateView, FieldPermissionsView
 
 app_name = "statezero"
 
@@ -12,6 +12,7 @@ urlpatterns = [
     path("actions/<str:action_name>/", ActionView.as_view(), name="action"),
     path("actions-schema/", ActionSchemaView.as_view(), name="actions_schema"),
     path("<str:model_name>/validate/", ValidateView.as_view(), name="validate"),
+    path("<str:model_name>/field-permissions/", FieldPermissionsView.as_view(), name="field_permissions"),
     path("<str:model_name>/get-schema/", SchemaView.as_view(), name="schema_view"),
     path("<str:model_name>/", ModelView.as_view(), name="model_view"),
 ]

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/adaptors/django/views.py

@@ -485,3 +485,104 @@ class ValidateView(APIView):
         except Exception as original_exception:
             # Let StateZero's exception handler deal with ValidationError, PermissionDenied, etc.
             return explicit_exception_handler(original_exception)
+
+
+class FieldPermissionsView(APIView):
+    """
+    Returns user-specific field permissions for a given model.
+    Used by frontend forms to determine which fields to show/enable at runtime.
+    """
+
+    permission_classes = [permission_class]
+
+    def get(self, request, model_name):
+        """Get field permissions for the current user."""
+        try:
+            # Create processor following the same pattern as other views
+            processor = RequestProcessor(config=config, registry=registry)
+
+            # Get model using the processor's ORM provider
+            try:
+                model = processor.orm_provider.get_model_by_name(model_name)
+            except (LookupError, ValueError):
+                return Response({"error": f"Model {model_name} not found"}, status=404)
+
+            if not model:
+                return Response({"error": f"Model {model_name} not found"}, status=404)
+
+            try:
+                model_config = processor.registry.get_config(model)
+            except ValueError:
+                return Response(
+                    {"error": f"Model {model_name} not registered"}, status=404
+                )
+
+            # Compute field permissions using the same logic as ASTParser._get_operation_fields
+            all_fields = processor.orm_provider.get_fields(model)
+
+            visible_fields = self._compute_operation_fields(
+                model, model_config, all_fields, request, "read"
+            )
+            creatable_fields = self._compute_operation_fields(
+                model, model_config, all_fields, request, "create"
+            )
+            editable_fields = self._compute_operation_fields(
+                model, model_config, all_fields, request, "update"
+            )
+
+            return Response(
+                {
+                    "visible_fields": list(visible_fields),
+                    "creatable_fields": list(creatable_fields),
+                    "editable_fields": list(editable_fields),
+                },
+                status=200,
+            )
+
+        except Exception as original_exception:
+            # Let StateZero's exception handler deal with errors
+            return explicit_exception_handler(original_exception)
+
+    def _compute_operation_fields(self, model, model_config, all_fields, request, operation_type):
+        """
+        Compute allowed fields for a specific operation type.
+        Replicates the logic from ASTParser._get_operation_fields.
+        """
+        from typing import Union, Set, Literal
+
+        allowed_fields = set()
+
+        for permission_cls in model_config.permissions:
+            permission = permission_cls()
+
+            # Get the appropriate field set based on operation
+            if operation_type == "read":
+                fields = permission.visible_fields(request, model)
+            elif operation_type == "create":
+                fields = permission.create_fields(request, model)
+            elif operation_type == "update":
+                fields = permission.editable_fields(request, model)
+            else:
+                fields = set()
+
+            # If any permission allows all fields
+            if fields == "__all__":
+                # For read operations, default "__all__" to frontend_fields
+                if operation_type == "read":
+                    # If frontend_fields is also "__all__", then return all fields
+                    if model_config.fields == "__all__":
+                        return all_fields
+                    # Otherwise, use frontend_fields as the default for "__all__"
+                    else:
+                        fields = model_config.fields
+                        fields &= all_fields  # Ensure fields actually exist
+                        allowed_fields |= fields
+                else:
+                    # For create/update operations, "__all__" means truly all fields
+                    return all_fields
+            else:
+                # Add allowed fields from this permission
+                fields &= all_fields  # Ensure fields actually exist
+                allowed_fields |= fields
+
+        return allowed_fields

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/core/actions.py

@@ -20,8 +20,9 @@ class ActionRegistry:
             List[AbstractActionPermission], AbstractActionPermission, None
         ] = None,
         name: Optional[str] = None,
+        display: Optional[Any] = None,
     ):
-        """Register an action function with an optional, explicit docstring."""
+        """Register an action function with an optional, explicit docstring and display metadata."""
 
         def decorator(func: Callable):
             action_name = name or func.__name__
@@ -47,6 +48,7 @@ class ActionRegistry:
                 "name": action_name,
                 "module": func.__module__,
                 "docstring": final_docstring,  # Store the determined docstring
+                "display": display,  # Store display metadata
             }
             return func
 
@@ -76,8 +78,9 @@ def action(
         List[AbstractActionPermission], AbstractActionPermission, None
     ] = None,
     name: Optional[str] = None,
+    display: Optional[Any] = None,
 ):
-    """Framework-agnostic decorator to register an action."""
+    """Framework-agnostic decorator to register an action with optional display metadata."""
     return action_registry.register(
         func,
         docstring=docstring,
@@ -85,4 +88,5 @@ def action(
         response_serializer=response_serializer,
         permissions=permissions,
         name=name,
+        display=display,
     )

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/core/ast_parser.py

@@ -5,6 +5,7 @@ import networkx as nx
 
 
 from statezero.core.config import AppConfig, Registry
+from statezero.core.exceptions import PermissionDenied
 from statezero.core.interfaces import (
     AbstractDataSerializer,
     AbstractPermission,
@@ -86,6 +87,7 @@ class ASTParser:
         # Lookup table mapping AST op types to handler methods.
         self.handlers: Dict[str, Callable[[Dict[str, Any]], Dict[str, Any]]] = {
             "create": self._handle_create,
+            "bulk_create": self._handle_bulk_create,
             "update": self._handle_update,
             "delete": self._handle_delete,
             "get": self._handle_get,
@@ -525,6 +527,46 @@ class ASTParser:
             "metadata": {"created": True, "response_type": ResponseType.INSTANCE.value},
         }
 
+    def _handle_bulk_create(self, ast: Dict[str, Any]) -> Dict[str, Any]:
+        """ Handle bulk create operation."""
+        data_list = ast.get("data", [])
+
+        # Check model-level CREATE permission
+        if not self._has_operation_permission(self.model, operation_type="create"):
+            raise PermissionDenied("Create not allowed")
+
+        # Validate all data items using many=True
+        validated_data_list = self.serializer.deserialize(
+            model=self.model,
+            data=data_list,
+            partial=False,
+            request=self.request,
+            fields_map=self.create_fields_map,
+            many=True,
+        )
+
+        # Bulk create all records
+        records = self.engine.bulk_create(
+            self.model,
+            validated_data_list,
+            self.serializer,
+            self.request,
+            self.create_fields_map,
+        )
+
+        # Serialize the created records
+        serialized = self.serializer.serialize(
+            records,
+            self.model,
+            many=True,
+            depth=self.depth,
+            fields_map=self.read_fields_map,
+        )
+        return {
+            "data": serialized,
+            "metadata": {"created": True, "response_type": ResponseType.QUERYSET.value},
+        }
+
     def _handle_update(self, ast: Dict[str, Any]) -> Dict[str, Any]:
         """ Pass current queryset to update method."""
         data = ast.get("data", {})
@@ -942,6 +984,7 @@ class ASTParser:
         all_ops = ASTParser._extract_all_operations(ast)
         OPERATION_MAPPING = {
             "create": ActionType.CREATE,
+            "bulk_create": ActionType.BULK_CREATE,
             "update": ActionType.UPDATE,
             "update_or_create": ActionType.UPDATE,
             "delete": ActionType.DELETE,

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/core/classes.py

@@ -71,6 +71,7 @@ class FieldFormat(str, Enum):
     TEXT = "text"
     DATE = "date"
     DATETIME = "date-time"
+    TIME = "time"
     FOREIGN_KEY = "foreign-key"
     ONE_TO_ONE = "one-to-one"
     MANY_TO_MANY = "many-to-many"
@@ -131,12 +132,15 @@ class ModelSchemaMetadata(BaseModel):
     default_ordering: Optional[List[str]] = None
     # Extra definitions (for schemas referenced via $ref) are merged in if provided.
     definitions: Dict[str, Any] = field(default_factory=dict)
-    
+
     # Date / time formatting templates
     datetime_format: Optional[str] = None
     date_format: Optional[str] = None
     time_format: Optional[str] = None
 
+    # Display customization
+    display: Optional[Dict[str, Any]] = None
+
 @dataclass
 class ModelSummaryRepresentation:
     pk: Any
@@ -165,3 +169,56 @@ class FieldNode:
     is_relation: bool
     related_model: Optional[str] = None  # The object name of the related model, if any
     type: str = "field"
+
+
+@dataclass
+class FieldDisplayConfig:
+    """
+    Configuration for customizing how a field is displayed in the frontend.
+
+    Attributes:
+        field_name: The name of the field this config applies to
+        display_component: Custom UI component name (e.g., "AddressAutocomplete", "DatePicker")
+        filter_queryset: Filter options for select/multi-select fields (dict passed to backend)
+        display_help_text: Additional help text for the field
+        extra: Additional custom metadata for framework-specific or UI-specific extensions
+    """
+    field_name: str
+    display_component: Optional[str] = None
+    filter_queryset: Optional[Dict[str, Any]] = None
+    display_help_text: Optional[str] = None
+    extra: Optional[Dict[str, Any]] = None
+
+
+@dataclass
+class FieldGroup:
+    """
+    Group related fields together for better UX.
+
+    Attributes:
+        display_title: Group heading
+        display_description: Group description
+        field_names: List of field names in this group
+    """
+    display_title: str
+    display_description: Optional[str] = None
+    field_names: Optional[List[str]] = None
+
+
+@dataclass
+class DisplayMetadata:
+    """
+    Rich display information for models and actions to customize frontend rendering.
+
+    Attributes:
+        display_title: Main heading/title override
+        display_description: Explanatory text about the model/action
+        field_groups: Logical grouping of fields (e.g., "Contact Info", "Address Details")
+        field_display_configs: Per-field customization (custom components, filters, help text)
+        extra: Additional custom metadata for framework-specific or UI-specific extensions
+    """
+    display_title: Optional[str] = None
+    display_description: Optional[str] = None
+    field_groups: Optional[List[FieldGroup]] = None
+    field_display_configs: Optional[List[FieldDisplayConfig]] = None
+    extra: Optional[Dict[str, Any]] = None

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/core/config.py

@@ -144,8 +144,6 @@ class ModelConfig:
     -----------
     model: Type
         The model class to register
-    custom_querysets: Dict[str, Type[AbstractCustomQueryset]], optional
-        Custom queryset methods for this model
     permissions: List[Type[AbstractPermission]], optional
         Permission classes that control access to this model
     pre_hooks: List[Callable], optional
@@ -162,6 +160,8 @@ class ModelConfig:
         Fields that can be used for ordering
     fields: Optional[Optional[Union[Set[str], Literal["__all__"]]]]
         Expose just a subset of the model fields
+    display: Optional[Any], optional
+        Display metadata for frontend customization (DisplayMetadata instance)
     DEBUG: bool, default=False
         Enable debug mode for this model
     """
@@ -169,8 +169,6 @@ class ModelConfig:
     def __init__(
         self,
         model: Type,
-        custom_querysets: Optional[Dict[str, Type[AbstractCustomQueryset]]] = None,
-        custom_querysets_user_scoped: Optional[Dict[str, bool]] = None,
         permissions: Optional[List[Type[AbstractPermission]]] = None,
         pre_hooks: Optional[List] = None,
         post_hooks: Optional[List] = None,
@@ -179,11 +177,10 @@ class ModelConfig:
         searchable_fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
         ordering_fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
         fields: Optional[Union[Set[str], Literal["__all__"]]] = None,
+        display: Optional[Any] = None,
         DEBUG: bool = False,
     ):
         self.model = model
-        self._custom_querysets = custom_querysets or {}
-        self._custom_querysets_user_scoped = custom_querysets_user_scoped or {}
         self._permissions = permissions or []
         self.pre_hooks = pre_hooks or []
         self.post_hooks = post_hooks or []
@@ -192,6 +189,7 @@ class ModelConfig:
         self.searchable_fields = searchable_fields or set()
         self.ordering_fields = ordering_fields or set()
         self.fields = fields or "__all__"
+        self.display = display
         self.DEBUG = DEBUG or False
 
     @property
@@ -210,37 +208,6 @@ class ModelConfig:
                 resolved.append(perm)
         return resolved
 
-    @property
-    def custom_querysets(self):
-        """Resolve queryset class strings to actual classes on each access"""
-        resolved = {}
-        for key, queryset in self._custom_querysets.items():
-            if isinstance(queryset, str):
-                from django.utils.module_loading import import_string
-                try:
-                    qs_class = import_string(queryset)
-                    resolved[key] = qs_class
-                except ImportError:
-                    raise ImportError(f"Could not import queryset class: {queryset}")
-            else:
-                resolved[key] = queryset
-        return resolved
-    
-    @property
-    def custom_querysets_user_scoped(self):
-        """Resolve queryset class strings to actual classes on each access"""
-        resolved = {}
-        for key, queryset in self._custom_querysets_user_scoped.items():
-            if isinstance(queryset, str):
-                from django.utils.module_loading import import_string
-                try:
-                    qs_class = import_string(queryset)
-                    resolved[key] = qs_class
-                except ImportError:
-                    raise ImportError(f"Could not import queryset class: {queryset}")
-            else:
-                resolved[key] = queryset
-        return resolved
 
 class Registry:
     """

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/core/interfaces.py

@@ -70,6 +70,16 @@ class AbstractORMProvider(ABC):
     def get_fields(self, model: ORMModel) -> Set[str]:
         """
         Get all of the model fields - doesn't apply permissions check.
+        Includes both database fields and additional_fields (computed fields).
+        """
+        pass
+
+    @abstractmethod
+    def get_db_fields(self, model: ORMModel) -> Set[str]:
+        """
+        Get only the actual database fields for a model.
+        Excludes read-only additional_fields (computed fields).
+        Used for deserialization - hooks can write to any DB field.
         """
         pass
 
@@ -207,6 +217,20 @@ class AbstractORMProvider(ABC):
         """Create a new record using the model class."""
         pass
 
+    @abstractmethod
+    def bulk_create(
+        self,
+        model: Type[ORMModel],
+        data_list: List[Dict[str, Any]],
+        *args,
+        **kwargs
+    ) -> List[Any]:
+        """
+        Create multiple records using the model class.
+        Returns a list of created instances.
+        """
+        pass
+
     @abstractmethod
     def update(
         self,
@@ -315,13 +339,12 @@ class AbstractORMProvider(ABC):
         request: RequestType,
         model: ORMModel,  # type:ignore
         initial_ast: Dict[str, Any],
-        custom_querysets: Dict[str, Type],
         registered_permissions: List[Type],
     ) -> Any:
         """
         Assemble and return the base QuerySet (or equivalent) for the given model.
         This method considers the request context, initial AST (filters, sorting, etc.),
-        custom query sets, and any model-specific permission restrictions.
+        and any model-specific permission restrictions.
         """
         pass
 
@@ -406,13 +429,15 @@ class AbstractDataSerializer(ABC):
     def deserialize(
         self,
         model: ORMModel,  # type:ignore
-        data: dict,
+        data: Union[dict, List[dict]],
         allowed_fields: Optional[Dict[str, Set[str]]] = None,
         request: Optional[Any] = None,
-    ) -> dict:
+        many: bool = False,
+    ) -> Union[dict, List[dict]]:
         """
         Deserialize the input data into validated Python types for the specified model.
         - `allowed_fields`: a mapping (by model name) of fields the user is allowed to edit.
+        - `many`: if True, expects data to be a list of dicts and returns a list of validated dicts.
 
         Only keys that appear in the allowed set will be processed.
         """

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/core/process_request.py

@@ -113,7 +113,6 @@ class RequestProcessor:
             req=req,
             model=model,
             initial_ast=initial_query_ast,
-            custom_querysets=model_config.custom_querysets,
             registered_permissions=model_config.permissions,
         )
 

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero/core/types.py

@@ -22,6 +22,7 @@ class ActionType(Enum):
     READ = "read"
     UPDATE = "update"
     DELETE = "delete"
+    BULK_CREATE = "bulk_create"
     BULK_UPDATE = "bulk_update"
     BULK_DELETE = "bulk_delete"
     # new pre-operation types

{statezero-0.1.0b11 → statezero-0.1.0b22}/statezero.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: statezero
-Version: 0.1.0b11
+Version: 0.1.0b22
 Summary: Connect your Python backend to a modern JavaScript SPA frontend with 90% less complexity.
 Author-email: Robert <robert.herring@statezero.dev>
 Project-URL: homepage, https://www.statezero.dev