  1. Documentation
  2. DOCS-15305

[Server] Investigate changes in SERVER-64911: Ban comparisons to encrypted fields in collection validator and partialFilterExpression

      Original Downstream Change Summary

      This patch affects the create and collMod commands, which can contain validators, and the createIndexes command, which can contain partialFilterExpressions for each index.

      The limitations on partialFilterExpressions are pretty straightforward, but the limitations on validators need a few special cases: validators can be used to designate encrypted fields in a collection when using FLE 1 with JSON schemas, but $jsonSchema is not supported in query analysis.

      For FLE 1, any validator provided that includes $jsonSchema must match the schema in the schema map exactly. This means that running collMod with a validator cannot extend the schema to add new encrypted fields, or new unencrypted fields.

      For FLE 2, a $jsonSchema that references an encrypted field will always result in a query analysis error because $jsonSchema is not supported in query analysis. Server-side behavior that adds validation for the binData of encrypted fields still works, because query analysis does not run on the server side.

      Since the server codebase does not contain driver code but instead makes use of implicit encryption in the legacy shell in integration tests, drivers should make sure to write an integration test to confirm that schemas in the schemaMap are properly sent to query analysis along with create, collMod, and createIndexes commands. This has some implications for collMod with FLE 1 specifically, for the reason mentioned above.

      Description of Linked Ticket

      Both the collection creation command and the createIndex command bypass query analysis; however, they contain match expressions which may refer to encrypted fields.
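
The restrictions in the change summary, modelled as a client-side pre-flight check for FLE 1. This is an added example, not code from the server or the drivers: the function names, the sample schema and the placeholder key id are constructed. It assumes that a reference to a parent or child path of an encrypted field also counts as a comparison, and it only walks plain field predicates and logical operators.

```javascript
// Simplified model of the rules in the summary above; not MongoDB's
// query-analysis code. Every function name here is hypothetical.

// Dotted paths of fields marked with the FLE 1 `encrypt` schema keyword.
function encryptedPaths(schema, prefix = "") {
  return Object.entries(schema.properties || {}).flatMap(([name, sub]) =>
    sub.encrypt ? [prefix + name] : encryptedPaths(sub, prefix + name + "."));
}

// Field paths named by a match expression. Recurses through operators such
// as $and/$or only; $elemMatch and $expr are out of scope for this sketch.
function referencedPaths(expr, out = []) {
  if (Array.isArray(expr)) expr.forEach((e) => referencedPaths(e, out));
  else if (expr && typeof expr === "object")
    for (const [k, v] of Object.entries(expr)) {
      if (k === "$jsonSchema") continue;
      if (k.startsWith("$")) referencedPaths(v, out);
      else out.push(k);
    }
  return out;
}

// Key-order-insensitive serialization, used for the "match exactly" check
// (assumption: key order is not significant for this comparison).
const canon = (v) => JSON.stringify(v, (_, x) =>
  x && typeof x === "object" && !Array.isArray(x)
    ? Object.fromEntries(Object.entries(x).sort(([a], [b]) => (a < b ? -1 : 1)))
    : x);

// kind: "validator" (create/collMod) or "partialFilterExpression" (createIndexes).
function lintExpression(kind, expr, schema) {
  const enc = encryptedPaths(schema);
  const overlaps = (r, p) => r === p || r.startsWith(p + ".") || p.startsWith(r + ".");
  const problems = referencedPaths(expr)
    .filter((r) => enc.some((p) => overlaps(r, p)))
    .map((r) => `${kind} compares encrypted field '${r}'`);
  if (kind === "validator" && expr.$jsonSchema && canon(expr.$jsonSchema) !== canon(schema))
    problems.push("validator $jsonSchema differs from the schemaMap entry");
  return problems;
}

// Constructed FLE 1 schemaMap entry; the keyId is a placeholder string.
const sampleSchema = { bsonType: "object", properties: {
  name: { bsonType: "string" },
  ssn: { encrypt: { bsonType: "string", keyId: ["<placeholder-key-id>"],
    algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic" } } } };
```

A driver integration test can use the same cases: a partialFilterExpression or validator that names `ssn` should be rejected, and a collMod validator whose `$jsonSchema` adds a field to the schemaMap entry should be rejected as well.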

            Assignee:
            nick.villahermosa@mongodb.com Nick Villahermosa
            Reporter:
            backlog-server-pm Backlog - Core Eng Program Management Team