src/Appwrite/Utopia/Database/Validator/Queries/Base.php (1)

63-89: Internal attributes inclusion is good; minor naming/duplication nit.

Including $id, $createdAt, $updatedAt, $sequence in both lists is right so they’re orderable/filterable/selectable. Currently, $attributes and $allAttributes end up identical. Consider renaming $allAttributes to $selectableAttributes or deriving one from the other to reduce duplication and make intent clearer.

tests/e2e/Services/Functions/FunctionsCustomServerTest.php (1)

724-735: Good coverage for positive projection; consider adding a negative case.

The assertions verify that status is included and heavy fields like sourceSize are excluded. As a follow-up, add a negative test with an invalid field in select() (e.g., Query::select(['unknown'])) to assert a 400, which will guard the validator contract.

         $deployments = $this->listDeployments($functionId, [
             'queries' => [
                 Query::select(['status'])->toString(),
             ],
         ]);
@@
         $this->assertArrayNotHasKey('sourceSize', $deployments['body']['deployments'][1]);

+        // Negative: invalid select field should fail
+        $invalid = $this->listDeployments($functionId, [
+            'queries' => [
+                Query::select(['__notAField__'])->toString(),
+            ],
+        ]);
+        $this->assertEquals(400, $invalid['headers']['status-code']);

tests/e2e/Services/Sites/SitesCustomServerTest.php (1)

1055-1066: Nice projection assertions; mirror the Functions negative case here too.

The new block validates inclusion/exclusion as intended. Please also add an invalid select field check (expect 400) to catch regressions at the Sites deployments endpoint.

         $deployments = $this->listDeployments($siteId, [
             'queries' => [
                 Query::select(['status'])->toString(),
             ],
         ]);
@@
         $this->assertArrayNotHasKey('sourceSize', $deployments['body']['deployments'][1]);

+        // Negative: invalid select field should fail
+        $invalid = $this->listDeployments($siteId, [
+            'queries' => [
+                Query::select(['__notAField__'])->toString(),
+            ],
+        ]);
+        $this->assertEquals(400, $invalid['headers']['status-code']);

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

src/Appwrite/Utopia/Database/Validator/Queries/Base.php (1)

106-109: Defaulting isSelectQueryAllowed() to false avoids accidental global surface increase.

Thanks for flipping this to false—matches prior feedback and keeps Select strictly opt-in.

tests/e2e/Services/Users/UsersBase.php (1)

448-460: Good negative guard for non-opted-in endpoints; add minimal error-shape assertions.

This verifies /users rejects Query::select() as intended while Select is opt-in. To make the failure mode more robust (and future-proof messaging changes), add a couple of light assertions on the response body.

Apply this diff to harden the check:

         $response = $this->client->call(Client::METHOD_GET, '/users', array_merge([
             'content-type' => 'application/json',
             'x-appwrite-project' => $this->getProject()['$id'],
         ], $this->getHeaders()), [
             'queries' => [
                 Query::select(['name'])->toString()
             ]
         ]);
-        $this->assertEquals($response['headers']['status-code'], 400);
+        $this->assertEquals(400, $response['headers']['status-code']);
+        $this->assertIsArray($response['body']);
+        $this->assertEquals(400, $response['body']['code'] ?? null);

Optionally, consider moving this “select not supported” check into a small shared negative test to reuse across a couple of other endpoints, so we catch accidental global enablement. I can help wire that if useful.

src/Appwrite/Utopia/Database/Validator/Queries/Base.php (2)

44-61: Clarify intent: $allAttributes currently equals $attributes; consider building true “all attributes” for Select.

Right now, both $attributes and $allAttributes are populated only from $allowedAttributes (plus internals later), making them identical. If the intent is to let Select project over any collection attribute (while Filter/Order remain limited to $allowedAttributes), populate $allAttributes from the full collection, and $attributes from the allowed subset.

This also matches the earlier note that $attributes are “allowed for filter queries,” while $allAttributes should “get it all.”

Apply this diff to make the intent explicit:

-        foreach ($collection['attributes'] as $attribute) {
-            $key = $attribute['$id'];
-
-            if (!isset($allowedAttributesLookup[$key])) {
-                continue;
-            }
-
-            $attributeDocument = new Document([
-                'key' => $key,
-                'type' => $attribute['type'],
-                'array' => $attribute['array'],
-            ]);
-
-            $attributes[] = $attributeDocument;
-            $allAttributes[] = $attributeDocument;
-        }
+        foreach ($collection['attributes'] as $attribute) {
+            $key = $attribute['$id'];
+
+            // Always maintain a full list for Select()
+            $attributeDocument = new Document([
+                'key' => $key,
+                'type' => $attribute['type'],
+                'array' => $attribute['array'],
+            ]);
+            $allAttributes[] = $attributeDocument;
+
+            // Restrict Filter/Order to allowed attributes only
+            if (isset($allowedAttributesLookup[$key])) {
+                $attributes[] = $attributeDocument;
+            }
+        }

If the current behavior (Select limited to allowed attributes) is intentional for security or DX reasons, feel free to ignore—then it would help to add a short inline comment stating that Select is intentionally constrained to allowed attributes.

---

99-109: Confirm Select Opt-In Only for Deployments

• ✅ Verified that only Deployments overrides isSelectQueryAllowed(): bool to return true (src/Appwrite/Utopia/Database/Validator/Queries/Deployments.php:26–29).
• ✅ Base class remains false by default (src/Appwrite/Utopia/Database/Validator/Queries/Base.php:106–108). No other overrides found.
• ⚠️ I did not find any existing tests invoking select() or isSelectQueryAllowed().

To prevent regressions, please add unit tests that:

• Assert that Deployments queries allow select().
• Assert that other query validators (inheriting from Base) reject or block select().

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

src/Appwrite/SDK/Method.php (1)

106-108: Cache or inject a single Swoole Request/Response in validateResponseModel

Repeatedly instantiating new Request(new HttpRequest()) and new Response(new HttpResponse(), $request) inside validateResponseModel can incur unnecessary overhead and makes testing fragile when the Swoole extension (or stubs) isn’t present. Consider creating or injecting a single pair of Request/Response instances and reusing them.

• Location: src/Appwrite/SDK/Method.php, method validateResponseModel
• Recommended approach:
– Add private properties on Method to hold a cached Request and Response (initialized once in the constructor or via a factory).
– Update validateResponseModel to reuse those instances instead of constructing new ones each call.

Example refactor:

 class Method
 {
+    private Request  $cachedRequest;
+    private Response $cachedResponse;
 
     public function __construct(…)
     {
         // existing validation…
+        // Initialize a single Request/Response pair for model validation
+        $this->cachedRequest  = new Request(new HttpRequest());
+        $this->cachedResponse = new Response(new HttpResponse(), $this->cachedRequest);
     }

     protected function validateResponseModel(string|array $responseModel): void
     {
-        $request  = new Request(new HttpRequest());
-        $response = new Response(new HttpResponse(), $request);
+        $response = $this->cachedResponse;

         if (!\is_array($responseModel)) {
             $responseModel = [$responseModel];
         }

         foreach ($responseModel as $model) {
             try {
                 $response->getModel($model);
             } catch (\Exception $e) {
                 self::$errors[] = "Error with {$this->getRouteName()} method: Invalid response model, make sure the model has been defined in Response.php";
             }
         }
     }
 }

This change reduces per-call instantiation and makes it easier to substitute mocks or stubs in tests.

src/Appwrite/Utopia/Response/Model/ResourceToken.php (1)

63-91: Silence PHPMD for intentionally unused $request.

The new signature matches the framework, but $request isn’t used. Suppress the warning locally.

Apply:

-    public function filter(Document $document, Request $request): Document
+    /**
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function filter(Document $document, Request $request): Document
     {

src/Appwrite/Utopia/Response/Model/Team.php (1)

59-70: Silence PHPMD for intentionally unused $request.

Same pattern as other models; suppress the unused parameter warning.

Apply:

-    public function filter(Document $document, Request $request): Document
+    /**
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function filter(Document $document, Request $request): Document
     {

src/Appwrite/Utopia/Response/Model/Project.php (1)

344-417: Use $request to apply select projections (also clears PHPMD unused-parameter warnings)

Call applySelectQueries at the end so projection applies on the final shape. Safe since isSelectQueryAllowed() defaults to false here.

Apply:

-        return $document;
+        // Apply query.select() when allowed for this model
+        $this->applySelectQueries($document, $request);
+        return $document;

src/Appwrite/Utopia/Response/Model/User.php (1)

151-162: Leverage Request for optional select-based projection

Aligns with Deployment model and removes PHPMD UnusedFormalParameter warning.

Apply:

-        return $document;
+        $this->applySelectQueries($document, $request);
+        return $document;

src/Appwrite/Utopia/Response/Model/Migration.php (1)

113-136: Apply select projection using the provided Request

Keeps behavior consistent across models; no effect unless select is allowed.

Apply:

-        // errors now only have code and message.
-        $document->setAttribute('errors', $errors);
-
-        return $document;
+        // errors now only have code and message.
+        $document->setAttribute('errors', $errors);
+
+        $this->applySelectQueries($document, $request);
+        return $document;

src/Appwrite/Utopia/Response/Model/ColumnIndex.php (1)

97-106: Consume $request to support future select queries and silence PHPMD

Call applySelectQueries before returning.

Apply:

-        return $document;
+        $this->applySelectQueries($document, $request);
+        return $document;

tests/unit/Utopia/ResponseTest.php (1)

5-10: Centralize SwooleRequest/Response creation for more resilient tests

Tests are currently instantiating real Swoole objects directly (e.g. new SwooleRequest(), new SwooleResponse()), but no factory or stub helper exists. If the Swoole extension isn’t available in CI or on a contributor’s machine, these tests will fatal. To keep things robust, add a small helper—e.g. Tests\Support\SwooleFactory::emptyRequest() and ::emptyResponse()—and use that everywhere.

• tests/unit/Utopia/RequestTest.php
Replace

$this->request = new Request(new SwooleRequest());

with

$this->request = new Request(Tests\Support\SwooleFactory::emptyRequest());

• tests/unit/Utopia/ResponseTest.php
Replace

$request  = new Request(new SwooleRequest());
$response = new Response(new SwooleResponse(), $request);

with

$request  = new Request(Tests\Support\SwooleFactory::emptyRequest());
$response = new Response(Tests\Support\SwooleFactory::emptyResponse(), $request);

• tests/unit/GraphQL/BuilderTest.php
Likewise swap both new SwooleRequest() and new SwooleResponse() for factory calls.

You can implement the factory stub under tests/Support/SwooleFactory.php:

<?php
namespace Tests\Support;

use Swoole\Http\Request as SwooleRequest;
use Swoole\Http\Response as SwooleResponse;

class SwooleFactory
{
    public static function emptyRequest(): SwooleRequest
    {
        return new SwooleRequest(); // or a minimal stub if Swoole isn’t installed
    }

    public static function emptyResponse(): SwooleResponse
    {
        return new SwooleResponse();
    }
}

This keeps your tests decoupled from the real extension and easy to stub or polyfill later.

src/Appwrite/Utopia/Response/Model/AttributeRelationship.php (1)

84-96: Silence PHPMD for unused $request param

Method must match the base signature; parameter is intentionally unused. Add a suppression to keep CI green.

     /**
      * Process Document before returning it to the client
      *
      * @return Document
      */
-    public function filter(Document $document, Request $request): Document
+    /**
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function filter(Document $document, Request $request): Document
     {

src/Appwrite/Utopia/Response/Model/Table.php (1)

115-139: Silence PHPMD for unused $request param; terminology looks consistent

Parameter is required by the interface but unused here. Add suppression. Also, good job keeping “table/row” terminology consistent with prior guidance.

     /**
      * Process Document before returning it to the client for backwards compatibility!
      */
-    public function filter(Document $document, Request $request): Document
+    /**
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function filter(Document $document, Request $request): Document
     {

src/Appwrite/Utopia/Response/Model/Execution.php (1)

160-166: Silence PHPMD for unused $request param

Execution::filter matches the new signature but doesn’t use the Request. Suppress PHPMD to avoid noise.

-    public function filter(Document $document, Request $request): Document
+    /**
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function filter(Document $document, Request $request): Document
     {

src/Appwrite/Utopia/Response/Model/Variable.php (2)

27-32: Fix description typo for $updatedAt.

Change "creation" to "update" to match the field’s meaning.

-            ->addRule('$updatedAt', [
-                'type' => self::TYPE_DATETIME,
-                'description' => 'Variable creation date in ISO 8601 format.',
+            ->addRule('$updatedAt', [
+                'type' => self::TYPE_DATETIME,
+                'description' => 'Variable update date in ISO 8601 format.',

---

67-74: Docblock and PHPMD alignment for new Request param.

Update the docblock to include the Request parameter and suppress the UnusedFormalParameter warning (the param is intentionally unused here).

     /**
      * Filter
      *
-     * @param Document $document
+     * @param Document $document
+     * @param Request  $request
      * @return Document
      */
-    public function filter(Document $document, Request $request): Document
+    /**
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function filter(Document $document, Request $request): Document

src/Appwrite/Utopia/Response/Model/ColumnRelationship.php (1)

79-86: Docblock and PHPMD alignment for new Request param.

Add the Request param to the docblock and suppress UnusedFormalParameter to satisfy PHPMD.

     /**
      * Process Document before returning it to the client
      *
      * @return Document
      */
-    public function filter(Document $document, Request $request): Document
+    /**
+     * @param Document $document
+     * @param Request  $request
+     * @return Document
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function filter(Document $document, Request $request): Document

src/Appwrite/Utopia/Response/Model/Row.php (1)

79-97: Cast $sequence to int for parity with Document::filter.

Document::filter normalizes $sequence to int; Row::filter should mirror this to avoid type inconsistencies.

     public function filter(DatabaseDocument $document, Request $request): DatabaseDocument
     {
         $document->removeAttribute('$collection');
         $document->removeAttribute('$tenant');
+        $document->setAttribute('$sequence', (int)$document->getAttribute('$sequence', 0));
 
         foreach ($document->getAttributes() as $column) {

src/Appwrite/Utopia/Response/Model.php (2)

204-232: Tighten up to satisfy PHPMD and small robustness tweaks.

• $document param in applySelectQueries is unused; $rule is unused; also guard when queries is a string.

Apply:

-    public function applySelectQueries(Document $document, Request $request): void
+    /**
+     * @SuppressWarnings("UnusedFormalParameter")
+     */
+    public function applySelectQueries(Document $_document, Request $request): void
     {
-        $queries = $request->getParam('queries', []);
+        $queries = $request->getParam('queries', []);
+        if (!\is_array($queries)) {
+            $queries = [$queries];
+        }
 
         $queries = Query::parseQueries($queries);
         $selectQueries = Query::groupByType($queries)['selections'] ?? [];
@@
-        foreach ($this->getRules() as $ruleName => $rule) {
+        foreach (\array_keys($this->getRules()) as $ruleName) {
             if (\str_starts_with($ruleName, '$')) {
                 continue;
             }
 
             if (!\in_array($ruleName, $attributes)) {
                 $this->removeRule($ruleName);
             }
         }
     }

---

54-57: Suppress PHPMD for unused $request in base filter().

Base implementation is intentionally a no-op; silence the warning.

Apply:

-    public function filter(Document $document, Request $request): Document
+    /**
+     * @SuppressWarnings("UnusedFormalParameter")
+     */
+    public function filter(Document $document, Request $request): Document
     {
         return $document;
     }

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

Learnt from: ItzNotABug
PR: appwrite/appwrite#9693
File: src/Appwrite/Platform/Modules/Databases/Http/Databases/Tables/Update.php:57-59
Timestamp: 2025-06-19T09:20:03.312Z
Learning: In table-related endpoints (such as `src/Appwrite/Platform/Modules/Databases/Http/Databases/Tables/Update.php`), parameter descriptions should use "table" and "row" terminology instead of "collection" and "document" for clarity and consistency.

Learnt from: abnegate
PR: appwrite/appwrite#9743
File: src/Appwrite/Utopia/Request.php:0-0
Timestamp: 2025-05-12T06:07:51.470Z
Learning: In Appwrite's request handling architecture, the Request::getParams() method selects which SDK method to use based on parameter matching, but does not validate required parameters. The action execution flow handles parameter validation separately. This separation of concerns allows for more flexible handling of multi-method routes.

tests/e2e/Services/Functions/FunctionsCustomServerTest.php (2)

724-735: Harden select(['status']) assertions and reduce flakiness

Add minimal guards and verify system fields are retained while non-selected heavy fields are excluded.

         $deployments = $this->listDeployments($functionId, [
             'queries' => [
                 Query::select(['status'])->toString(),
             ],
         ]);

         $this->assertEquals($deployments['headers']['status-code'], 200);
+        $this->assertIsArray($deployments['body']['deployments']);
+        $this->assertGreaterThanOrEqual(2, \count($deployments['body']['deployments']));
         $this->assertArrayHasKey('status', $deployments['body']['deployments'][0]);
         $this->assertArrayHasKey('status', $deployments['body']['deployments'][1]);
         $this->assertArrayNotHasKey('sourceSize', $deployments['body']['deployments'][0]);
         $this->assertArrayNotHasKey('sourceSize', $deployments['body']['deployments'][1]);
+        // Internal/system attributes should remain available with select()
+        $this->assertArrayHasKey('$id', $deployments['body']['deployments'][0]);
+        // Non-selected heavy fields should be omitted
+        $this->assertArrayNotHasKey('buildSize', $deployments['body']['deployments'][0]);
+        $this->assertArrayNotHasKey('buildLogs', $deployments['body']['deployments'][0]);

---

736-747: Broaden coverage: type checks, multi-field select, and invalid-field error path

Validate payload shape, ensure multi-attribute projections work, and assert validator behavior for unknown fields.

         // Extra select query check, for attribute not allowed by filter queries
         $deployments = $this->listDeployments($functionId, [
             'queries' => [
                 Query::select(['buildLogs'])->toString(),
             ],
         ]);
         $this->assertEquals($deployments['headers']['status-code'], 200);
+        $this->assertIsArray($deployments['body']['deployments']);
+        $this->assertGreaterThanOrEqual(2, \count($deployments['body']['deployments']));
         $this->assertArrayHasKey('buildLogs', $deployments['body']['deployments'][0]);
         $this->assertArrayHasKey('buildLogs', $deployments['body']['deployments'][1]);
+        $this->assertIsString($deployments['body']['deployments'][0]['buildLogs']);
         $this->assertArrayNotHasKey('sourceSize', $deployments['body']['deployments'][0]);
         $this->assertArrayNotHasKey('sourceSize', $deployments['body']['deployments'][1]);
+
+        // Multi-field projection
+        $deployments = $this->listDeployments($functionId, [
+            'queries' => [
+                Query::select(['status', 'buildLogs'])->toString(),
+            ],
+        ]);
+        $this->assertEquals(200, $deployments['headers']['status-code']);
+        $this->assertArrayHasKey('status', $deployments['body']['deployments'][0]);
+        $this->assertArrayHasKey('buildLogs', $deployments['body']['deployments'][0]);
+        $this->assertArrayNotHasKey('sourceSize', $deployments['body']['deployments'][0]);
+
+        // Invalid attribute should be rejected by validator
+        $invalid = $this->listDeployments($functionId, [
+            'queries' => [
+                Query::select(['__nonExisting__'])->toString(),
+            ],
+        ]);
+        $this->assertEquals(400, $invalid['headers']['status-code']);

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

src/Appwrite/Utopia/Response/Model/Deployment.php (1)

5-7: Optional: duplicate rules for providerBranch elsewhere in this model.

There are two addRule('providerBranch', ...) blocks in this class (Lines 134–139 and 170–175). While unchanged in this PR, duplicates can cause confusion or unintended overrides.

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

src/Appwrite/Platform/Modules/Compute/Base.php (2)

24-35: Fix docblock to match signature and intent

The docblock mentions Document but the method accepts Response and model key. Update annotations and tighten the summary.

-    /**
-     * Helper to apply select queries
-     *
-     * Method to respect request select queries in response format,
-     * to prevent default rule values from being applied on not-selected attributes
-     *
-     * @param Request $request
-     * @param Document $document
-     * @return void
-     */
+    /**
+     * Helper to apply select queries.
+     *
+     * Respects select([...]) in the request and prunes non-selected attributes
+     * from the given response model to avoid defaulting removed fields.
+     *
+     * @param Request  $request
+     * @param Response $response
+     * @param string   $model   Response::<MODEL_*>
+     * @return void
+     */

---

53-62: Remove unused $rule and prefer strict lookup

PHPMD flags $rule as unused. Iterate over keys only and use strict in_array to avoid surprises.

-        foreach ($responseModel->getRules() as $ruleName => $rule) {
+        foreach (\array_keys($responseModel->getRules()) as $ruleName) {
             if (\str_starts_with($ruleName, '$')) {
                 continue;
             }
 
-            if (!\in_array($ruleName, $attributes)) {
+            if (!\in_array($ruleName, $attributes, true)) {
                 $responseModel->removeRule($ruleName);
             }
         }

src/Appwrite/Platform/Modules/Functions/Http/Deployments/XList.php (1)

58-58: Surface select support in the SDK param description

Clarify that projections are supported to set correct expectations for clients.

-            ->param('queries', [], new Deployments(), 'Array of query strings generated using the Query class provided by the SDK. [Learn more about queries](https://appwrite.io/docs/queries). Maximum of ' . APP_LIMIT_ARRAY_PARAMS_SIZE . ' queries are allowed, each ' . APP_LIMIT_ARRAY_ELEMENT_SIZE . ' characters long. You may filter on the following attributes: ' . implode(', ', Deployments::ALLOWED_ATTRIBUTES), true)
+            ->param('queries', [], new Deployments(), 'Array of query strings generated using the Query class provided by the SDK. [Learn more about queries](https://appwrite.io/docs/queries). Maximum of ' . APP_LIMIT_ARRAY_PARAMS_SIZE . ' queries are allowed, each ' . APP_LIMIT_ARRAY_ELEMENT_SIZE . ' characters long. You may filter on the following attributes: ' . implode(', ', Deployments::ALLOWED_ATTRIBUTES) . '. Field projection via Query::select([...]) is supported for deployments.', true)

src/Appwrite/Platform/Modules/Sites/Http/Deployments/XList.php (1)

58-58: Document select support in Sites endpoint as well

Aligns docs with behavior.

-            ->param('queries', [], new Deployments(), 'Array of query strings generated using the Query class provided by the SDK. [Learn more about queries](https://appwrite.io/docs/queries). Maximum of ' . APP_LIMIT_ARRAY_PARAMS_SIZE . ' queries are allowed, each ' . APP_LIMIT_ARRAY_ELEMENT_SIZE . ' characters long. You may filter on the following attributes: ' . implode(', ', Deployments::ALLOWED_ATTRIBUTES), true)
+            ->param('queries', [], new Deployments(), 'Array of query strings generated using the Query class provided by the SDK. [Learn more about queries](https://appwrite.io/docs/queries). Maximum of ' . APP_LIMIT_ARRAY_PARAMS_SIZE . ' queries are allowed, each ' . APP_LIMIT_ARRAY_ELEMENT_SIZE . ' characters long. You may filter on the following attributes: ' . implode(', ', Deployments::ALLOWED_ATTRIBUTES) . '. Field projection via Query::select([...]) is supported for deployments.', true)

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

src/Appwrite/Platform/Action.php (3)

165-171: Fix docblock typos and param annotations.

Spelling: “presnet” → “present”. Also, the second param is Response (not Document) and $model is missing from the annotations.

Apply this diff:

-    /**
-     * Helper to apply (request) select queries to response model.
-     *
-     * This prevents default values of rules to be presnet for not-selected attributes
-     *
-     * @param Request $request
-     * @param Document $document
-     * @return void
-     */
+    /**
+     * Helper to apply select() queries to a response model.
+     *
+     * Prevents default values from being present for non-selected attributes.
+     *
+     * @param Request $request
+     * @param Response $response
+     * @param string $model Response::MODEL_* key
+     * @return void
+     */

---

185-201: Use a set for lookups and address PHPMD’s unused variable.

Build a hash-set for selected attributes to get O(1) membership and remove the unused $rule flagged by PHPMD at Line 193.

-        $attributes = [];
-        foreach ($selectQueries as $query) {
-            foreach ($query->getValues() as $attribute) {
-                $attributes[] = $attribute;
-            }
-        }
+        $selected = [];
+        foreach ($selectQueries as $query) {
+            foreach ($query->getValues() as $attribute) {
+                $selected[$attribute] = true;
+            }
+        }

-        $responseModel = $response->getModel($model);
-        foreach ($responseModel->getRules() as $ruleName => $rule) {
+        $responseModel = $response->getModel($model);
+        foreach (\array_keys($responseModel->getRules()) as $ruleName) {
             if (\str_starts_with($ruleName, '$')) {
                 continue;
             }
-
-            if (!\in_array($ruleName, $attributes)) {
+            if (!isset($selected[$ruleName])) {
                 $responseModel->removeRule($ruleName);
             }
         }

---

194-196: Confirm intent: always include internal “$” fields even when not selected.

You skip pruning for keys starting with “$”. If the product expectation is “only selected” user-visible fields plus system internals, this is fine. If strict projection is desired, remove the guard or make it configurable.

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.