Guide

Field visibility

Remove hidden and context-sensitive fields from every engine result.

Visibility controls serialization, not storage. Validators, hooks and the database adapter still receive complete entities; callers receive filtered ones.

Always hidden

{
  name: 'password',
  columnName: 'password',
  type: 'string',
  nullable: false,
  primaryKey: false,
  unique: false,
  hidden: true,
  validators: []
}

hidden fields are removed from findMany, findOne, findPage, create, updateOne and updateMany. They are also removed inside populated relations. Type inference excludes them from returned entities.

Contextual visibility

{
  name: 'salary',
  // ...
  visibility({ user, entity, tenantId }) {
    return canViewSalary(user, entity, tenantId)
  }
}

Pass the visibility context on reads:

const employee = await engine.findOne('employees', {
  where: byId(id),
  context: { user: actor, tenantId, requestId }
})

Resolvers run per entity and may be asynchronous. Dynamically visible fields are optional in the inferred result because their presence depends on context.

Visibility is not write authorization. A hidden field can still be written. Use hooks or a dedicated authorization layer to control mutations.