reject _id mutations in callback-based updates

Object-based updates reject _id via #toSetFields, but callback-based
updates (update, updateAll, updateCount, upsert) bypassed that check.
Add _id validation in #resolveUpdateDoc and the upsert callback path
so u._id.set() throws the same error as object mutations.

Author: wmadden

packages/2-mongo-family/5-query-builders/orm/src/collection.ts

@@ -460,6 +460,10 @@ class MongoCollectionImpl<
     if (typeof input.update === 'function') {
       const accessor = createFieldAccessor<TContract, ModelName>();
       const ops = input.update(accessor);
+      const idOp = ops.find((op) => op.field === '_id');
+      if (idOp) {
+        throw new Error('Mutation payloads cannot modify `_id`');
+      }
       const dotPathOp = ops.find((op) => op.field.includes('.'));
       if (dotPathOp) {
         throw new Error(
@@ -646,6 +650,10 @@ class MongoCollectionImpl<
     if (typeof dataOrCallback === 'function') {
       const accessor = createFieldAccessor<TContract, ModelName>();
       const ops = dataOrCallback(accessor);
+      const idOp = ops.find((op) => op.field === '_id');
+      if (idOp) {
+        throw new Error('Mutation payloads cannot modify `_id`');
+      }
       return compileFieldOperations(ops, (field, value, operator) =>
         this.#wrapFieldOpValue(field, value, operator),
       );

packages/2-mongo-family/5-query-builders/orm/test/collection.test.ts

@@ -1066,6 +1066,38 @@ describe('MongoCollection write methods', () => {
         }),
       ).rejects.toThrow('_id');
     });
+
+    it('update() with callback throws when _id is targeted', async () => {
+      const executor = createMockExecutor();
+      const col = createMongoCollection(contract, 'User', executor);
+      await expect(
+        col.where(MongoFieldFilter.eq('_id', 'id-1')).update((u) => [u._id.set('new-id')]),
+      ).rejects.toThrow('_id');
+    });
+
+    it('updateAll() with callback throws when _id is targeted', async () => {
+      const executor = createMockExecutor([{ _id: 'id-1' }]);
+      const col = createMongoCollection(contract, 'User', executor);
+      const result = col
+        .where(MongoFieldFilter.eq('_id', 'id-1'))
+        .updateAll((u: FieldAccessor<Contract, 'User'>) => [u._id.set('new-id')]);
+      await expect(async () => {
+        for await (const _ of result) {
+          /* drain */
+        }
+      }).rejects.toThrow('_id');
+    });
+
+    it('upsert() with callback throws when _id is targeted', async () => {
+      const executor = createMockExecutor();
+      const col = createMongoCollection(contract, 'User', executor);
+      await expect(
+        col.where(MongoFieldFilter.eq('email', 'a@b.c')).upsert({
+          create: defaultUserData,
+          update: (u) => [u._id.set('new-id')],
+        }),
+      ).rejects.toThrow('_id');
+    });
   });
 
   describe('immutability', () => {