@adminforge/core 0.3.1

package/dist/next.cjs

@@ -0,0 +1,839 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/api/security/agent-auth.ts
+var agent_auth_exports = {};
+__export(agent_auth_exports, {
+  assertScope: () => assertScope,
+  generateAgentToken: () => generateAgentToken,
+  verifyAgentToken: () => verifyAgentToken
+});
+function getSecret() {
+  const secret = process.env.ADMINFORGE_SECRET;
+  if (!secret) {
+    throw new Error("ADMINFORGE_SECRET env var is required. Generate one with: openssl rand -hex 32");
+  }
+  return secret;
+}
+function normalizeScope(scope) {
+  const normalized = scope.trim().toLowerCase();
+  if (!/^[a-z0-9_-]+:[a-z]+$/.test(normalized)) {
+    throw new Error(`Malformed scope format: ${scope}`);
+  }
+  return normalized;
+}
+function assertValidAction(action) {
+  const validActions = ["create", "read", "update", "delete"];
+  if (!validActions.includes(action)) {
+    throw new Error(`Invalid action: ${action}`);
+  }
+  return action;
+}
+function assertValidCollection(collection2) {
+  if (!/^[a-z0-9_-]+$/.test(collection2)) {
+    throw new Error(`Invalid collection name: ${collection2}`);
+  }
+  return collection2;
+}
+function generateAgentToken(userId, role, scopes, expiresInSeconds = 600) {
+  const normalizedScopes = scopes.map(normalizeScope);
+  return import_jsonwebtoken.default.sign(
+    {
+      sub: userId,
+      role,
+      scope: normalizedScopes,
+      sessionId: import_crypto.default.randomUUID()
+    },
+    getSecret(),
+    {
+      expiresIn: expiresInSeconds,
+      issuer: "adminforge",
+      audience: "agent"
+    }
+  );
+}
+function isRevoked(sessionId) {
+  return false;
+}
+function verifyAgentToken(token) {
+  try {
+    const payload = import_jsonwebtoken.default.verify(token, getSecret(), {
+      issuer: "adminforge",
+      audience: "agent"
+    });
+    if (!payload.sub) throw new Error("Missing userId (sub)");
+    if (!payload.role) throw new Error("Missing role");
+    if (!Array.isArray(payload.scope)) throw new Error("Invalid scope format");
+    if (isRevoked(payload.sessionId)) {
+      throw new Error("Session revoked");
+    }
+    payload.scope = payload.scope.map(normalizeScope);
+    return payload;
+  } catch (error) {
+    throw new Error(`Unauthorized: ${error.message}`);
+  }
+}
+function assertScope(agent, collection2, action) {
+  const validColl = assertValidCollection(collection2);
+  const validAction = assertValidAction(action);
+  const key = `${validColl}:${validAction}`.toLowerCase();
+  if (!agent.scope.includes(key)) {
+    throw new Error(`Forbidden: Missing scope ${key}`);
+  }
+}
+var import_jsonwebtoken, import_crypto;
+var init_agent_auth = __esm({
+  "src/api/security/agent-auth.ts"() {
+    "use strict";
+    import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
+    import_crypto = __toESM(require("crypto"), 1);
+  }
+});
+
+// src/core/schema/config.ts
+function defineConfig(config) {
+  return {
+    collections: config.collections,
+    auth: config.auth ?? { enabled: false }
+  };
+}
+var init_config = __esm({
+  "src/core/schema/config.ts"() {
+    "use strict";
+  }
+});
+
+// src/core/schema/collection.ts
+function collection(input) {
+  return {
+    name: input.name,
+    label: input.label ?? input.name.charAt(0).toUpperCase() + input.name.slice(1),
+    icon: input.icon,
+    fields: input.fields,
+    hooks: input.hooks,
+    access: input.access
+  };
+}
+var init_collection = __esm({
+  "src/core/schema/collection.ts"() {
+    "use strict";
+  }
+});
+
+// src/core/schema/normalize.ts
+function normalize(config) {
+  return {
+    collections: config.collections.map((c) => ({
+      ...c,
+      label: c.label ?? c.name.charAt(0).toUpperCase() + c.name.slice(1)
+    })),
+    auth: config.auth ?? { enabled: false }
+  };
+}
+function serializeConfig(config) {
+  return {
+    ...config,
+    collections: config.collections.map((c) => ({
+      ...c,
+      fields: Object.fromEntries(
+        Object.entries(c.fields).map(([name, field]) => {
+          const { validation, ...rest } = field;
+          return [name, rest];
+        })
+      )
+    }))
+  };
+}
+var init_normalize = __esm({
+  "src/core/schema/normalize.ts"() {
+    "use strict";
+  }
+});
+
+// src/core/fields/index.ts
+function fieldMeta(options = {}) {
+  return {
+    required: Boolean(options.required),
+    unique: Boolean(options.unique),
+    default: options.default,
+    label: options.label,
+    hidden: options.hidden,
+    readOnly: options.readOnly,
+    description: options.description
+  };
+}
+function text(options = {}) {
+  return {
+    type: "text",
+    db: { type: "String", nullable: !options.required, unique: options.unique, default: options.default },
+    access: options.access,
+    ui: { component: "text", props: { label: options.label, hidden: options.hidden, readOnly: options.readOnly } },
+    validation: options.required ? import_zod2.z.string().min(1) : import_zod2.z.string().optional(),
+    meta: fieldMeta(options)
+  };
+}
+function boolean(options = {}) {
+  return {
+    type: "boolean",
+    db: { type: "Boolean", nullable: !options.required, default: options.default ?? false },
+    access: options.access,
+    ui: { component: "boolean", props: { label: options.label, hidden: options.hidden, readOnly: options.readOnly } },
+    validation: options.required ? import_zod2.z.boolean() : import_zod2.z.boolean().optional(),
+    meta: fieldMeta(options)
+  };
+}
+function richText(options = {}) {
+  return {
+    type: "richText",
+    db: { type: "String", nullable: !options.required },
+    access: options.access,
+    ui: { component: "richText", props: { label: options.label, hidden: options.hidden, readOnly: options.readOnly } },
+    validation: options.required ? import_zod2.z.string().min(1) : import_zod2.z.string().optional(),
+    meta: fieldMeta(options)
+  };
+}
+function slug(options) {
+  return {
+    type: "slug",
+    db: { type: "String", nullable: !options.required, unique: options.unique ?? true },
+    access: options.access,
+    ui: { component: "slug", props: { from: options.from, label: options.label, hidden: options.hidden, readOnly: options.readOnly } },
+    validation: options.required ? import_zod2.z.string().regex(/^[a-z0-9-]+$/) : import_zod2.z.string().regex(/^[a-z0-9-]+$/).optional(),
+    hooks: { beforeSave: (value) => {
+      if (typeof value === "string") return value.toLowerCase().replace(/\s+/g, "-").replace(/[^a-z0-9-]/g, "");
+      return value;
+    } },
+    meta: { ...fieldMeta(options), unique: options.unique ?? true }
+  };
+}
+function relation(options) {
+  const isMulti = options.type === "many-to-many" || options.type === "one-to-many";
+  return {
+    type: "relation",
+    db: { type: "String", nullable: !options.required, references: { model: options.to, field: "id" }, relationType: options.type },
+    access: options.access,
+    ui: { component: "relation", props: { to: options.to, relationType: options.type, label: options.label, hidden: options.hidden, readOnly: options.readOnly } },
+    validation: isMulti ? options.required ? import_zod2.z.array(import_zod2.z.string()).min(1) : import_zod2.z.array(import_zod2.z.string()).optional() : options.required ? import_zod2.z.string().min(1) : import_zod2.z.string().optional(),
+    meta: fieldMeta(options)
+  };
+}
+function date(options = {}) {
+  return {
+    type: "date",
+    db: { type: "DateTime", nullable: !options.required },
+    access: options.access,
+    ui: { component: "date", props: { label: options.label, hidden: options.hidden, readOnly: options.readOnly } },
+    validation: options.required ? import_zod2.z.string().datetime() : import_zod2.z.string().datetime().optional(),
+    hooks: { beforeSave: (value) => {
+      if (options.autoCreate && !value) return (/* @__PURE__ */ new Date()).toISOString();
+      return value;
+    } },
+    meta: fieldMeta(options)
+  };
+}
+function image(options = {}) {
+  return {
+    type: "image",
+    db: { type: "String", nullable: true },
+    access: options.access,
+    ui: { component: "image", props: { label: options.label, hidden: options.hidden, readOnly: options.readOnly } },
+    validation: import_zod2.z.string().optional(),
+    meta: fieldMeta(options)
+  };
+}
+var import_zod2, fields;
+var init_fields = __esm({
+  "src/core/fields/index.ts"() {
+    "use strict";
+    import_zod2 = require("zod");
+    fields = {
+      text,
+      boolean,
+      richText,
+      slug,
+      relation,
+      date,
+      image
+    };
+  }
+});
+
+// src/core/registry/index.ts
+function registerField(name, definition) {
+  if (fieldRegistry.has(name)) {
+    throw new Error(`Field "${name}" is already registered`);
+  }
+  fieldRegistry.set(name, definition);
+}
+function getField(name) {
+  return fieldRegistry.get(name);
+}
+function getRegisteredFields() {
+  return new Map(fieldRegistry);
+}
+function clearRegistry() {
+  fieldRegistry.clear();
+}
+var fieldRegistry;
+var init_registry = __esm({
+  "src/core/registry/index.ts"() {
+    "use strict";
+    fieldRegistry = /* @__PURE__ */ new Map();
+  }
+});
+
+// src/core/hooks/index.ts
+async function executeBeforeCreate(hooks, data) {
+  if (hooks?.beforeCreate) {
+    return await hooks.beforeCreate({ data });
+  }
+  return data;
+}
+async function executeAfterCreate(hooks, data, id) {
+  if (hooks?.afterCreate) {
+    await hooks.afterCreate({ data, id });
+  }
+}
+async function executeBeforeUpdate(hooks, data, id) {
+  if (hooks?.beforeUpdate) {
+    return await hooks.beforeUpdate({ data, id });
+  }
+  return data;
+}
+async function executeAfterUpdate(hooks, data, id) {
+  if (hooks?.afterUpdate) {
+    await hooks.afterUpdate({ data, id });
+  }
+}
+async function executeBeforeDelete(hooks, id) {
+  if (hooks?.beforeDelete) {
+    await hooks.beforeDelete({ id });
+  }
+}
+async function executeAfterDelete(hooks, id) {
+  if (hooks?.afterDelete) {
+    await hooks.afterDelete({ id });
+  }
+}
+var init_hooks = __esm({
+  "src/core/hooks/index.ts"() {
+    "use strict";
+  }
+});
+
+// src/core/index.ts
+var core_exports = {};
+__export(core_exports, {
+  clearRegistry: () => clearRegistry,
+  collection: () => collection,
+  defineConfig: () => defineConfig,
+  executeAfterCreate: () => executeAfterCreate,
+  executeAfterDelete: () => executeAfterDelete,
+  executeAfterUpdate: () => executeAfterUpdate,
+  executeBeforeCreate: () => executeBeforeCreate,
+  executeBeforeDelete: () => executeBeforeDelete,
+  executeBeforeUpdate: () => executeBeforeUpdate,
+  fields: () => fields,
+  getField: () => getField,
+  getRegisteredFields: () => getRegisteredFields,
+  normalize: () => normalize,
+  registerField: () => registerField,
+  serializeConfig: () => serializeConfig
+});
+var init_core = __esm({
+  "src/core/index.ts"() {
+    "use strict";
+    init_config();
+    init_collection();
+    init_normalize();
+    init_fields();
+    init_registry();
+    init_hooks();
+  }
+});
+
+// src/next.ts
+var next_exports = {};
+__export(next_exports, {
+  adminMiddleware: () => adminMiddleware,
+  assertScope: () => assertScope,
+  auth: () => auth,
+  createAdminForgeApi: () => createAdminForgeApi,
+  createAuthConfig: () => createAuthConfig,
+  createController: () => createController,
+  createRouteHandlers: () => createRouteHandlers,
+  generateAgentToken: () => generateAgentToken,
+  verifyAgentToken: () => verifyAgentToken
+});
+module.exports = __toCommonJS(next_exports);
+
+// src/api/controller.ts
+var import_zod = require("zod");
+init_agent_auth();
+function buildValidationSchema(collection2) {
+  const shape = {};
+  for (const [name, field] of Object.entries(collection2.fields)) {
+    shape[name] = field.validation;
+  }
+  return import_zod.z.object(shape);
+}
+function hasAccess(access, operation, role) {
+  if (!access) return true;
+  const allowed = access[operation];
+  if (!allowed || !Array.isArray(allowed)) return true;
+  if (!role) return false;
+  return allowed.includes(role);
+}
+function createController(collection2, db, session) {
+  const validationSchema = buildValidationSchema(collection2);
+  const role = session?.user?.role || session?.agent?.role;
+  const actorId = session?.user?.id || session?.agent?.sub;
+  function requireAccess(operation) {
+    console.error(`[ACL] Operation: ${operation}, Collection: ${collection2.name}, Role: ${role}, Source: ${session?.source}`);
+    if (session?.agent) {
+      assertScope(session.agent, collection2.name, operation);
+    }
+    if (!hasAccess(collection2.access, operation, role)) {
+      console.warn(`[ACL] DENIED: ${role} not allowed to ${operation} on ${collection2.name}. Allowed:`, collection2.access?.[operation]);
+      throw new Error(`Access denied: ${operation} on ${collection2.name}`);
+    }
+    console.error(JSON.stringify({
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      type: "mutation_attempt",
+      source: session?.source || "unknown",
+      userId: actorId || "anonymous",
+      role: role || "none",
+      collection: collection2.name,
+      action: operation,
+      sessionId: session?.agent?.sessionId
+    }));
+  }
+  function buildSearchWhere(search) {
+    if (!search) return void 0;
+    const searchFields = Object.entries(collection2.fields).filter(([_, field]) => field.type === "text" || field.type === "slug" || field.type === "richText").map(([name]) => name);
+    if (searchFields.length === 0) return void 0;
+    return {
+      OR: searchFields.map((field) => ({
+        [field]: { contains: search, mode: "insensitive" }
+      }))
+    };
+  }
+  function filterFields(fields2) {
+    const filtered = {};
+    for (const [key, value] of Object.entries(fields2)) {
+      const field = collection2.fields[key];
+      if (hasAccess(field?.access, "read", role)) {
+        filtered[key] = value;
+      }
+    }
+    return filtered;
+  }
+  function filterWritableFields(fields2, operation) {
+    const filtered = {};
+    for (const [key, value] of Object.entries(fields2)) {
+      const field = collection2.fields[key];
+      if (field && hasAccess(field.access, operation, role)) {
+        filtered[key] = value;
+      }
+    }
+    return filtered;
+  }
+  function applyFieldHooks(fields2, hookName) {
+    const next = { ...fields2 };
+    for (const [key, value] of Object.entries(next)) {
+      const hook = collection2.fields[key]?.hooks?.[hookName];
+      if (hook) {
+        next[key] = hook(value);
+      }
+    }
+    return next;
+  }
+  function applyDerivedFields(fields2) {
+    const next = { ...fields2 };
+    for (const [name, field] of Object.entries(collection2.fields)) {
+      if (field.type !== "slug") continue;
+      const current = next[name];
+      if (typeof current === "string" && current.trim().length > 0) continue;
+      const from = field.ui.props?.from;
+      if (typeof from !== "string") continue;
+      const source = next[from];
+      if (typeof source !== "string" || source.trim().length === 0) continue;
+      const slugified = source.toLowerCase().normalize("NFD").replace(/[\u0300-\u036f]/g, "").replace(/\s+/g, "-").replace(/[^a-z0-9-]/g, "").replace(/-+/g, "-").replace(/^-+|-+$/g, "");
+      next[name] = slugified;
+    }
+    return next;
+  }
+  return {
+    async list(args = {}) {
+      requireAccess("read");
+      const { where, orderBy, page = 1, pageSize = 50, search } = args;
+      const searchWhere = buildSearchWhere(search);
+      const combinedWhere = searchWhere ? { ...where, ...searchWhere } : where;
+      const skip = (page - 1) * pageSize;
+      const effectiveOrderBy = orderBy || (collection2.fields.createdAt ? { createdAt: "desc" } : { id: "desc" });
+      const [raw, total] = await Promise.all([
+        db.findMany(collection2.name, { where: combinedWhere, orderBy: effectiveOrderBy, skip, take: pageSize }),
+        db.count(collection2.name, { where: combinedWhere })
+      ]);
+      const data = raw.map(filterFields);
+      return { data, total, page, pageSize };
+    },
+    async get(id) {
+      requireAccess("read");
+      const raw = await db.findUnique(collection2.name, id);
+      if (!raw) return null;
+      return filterFields(raw);
+    },
+    async create(data) {
+      requireAccess("create");
+      const allowed = filterWritableFields(data, "create");
+      const withDerived = applyDerivedFields(allowed);
+      const beforeValidate = applyFieldHooks(withDerived, "beforeValidate");
+      const parsed = validationSchema.parse(beforeValidate);
+      const beforeSave = applyFieldHooks(parsed, "beforeSave");
+      const transformed = transformRelations(beforeSave, false);
+      return db.create(collection2.name, transformed);
+    },
+    async update(id, data) {
+      requireAccess("update");
+      const allowed = filterWritableFields(data, "update");
+      const beforeValidate = applyFieldHooks(allowed, "beforeValidate");
+      const parsed = validationSchema.partial().parse(beforeValidate);
+      const beforeSave = applyFieldHooks(parsed, "beforeSave");
+      const transformed = transformRelations(beforeSave, true);
+      return db.update(collection2.name, id, transformed);
+    },
+    async delete(id) {
+      requireAccess("delete");
+      return db.delete(collection2.name, id);
+    }
+  };
+  function transformRelations(data, isUpdate) {
+    const transformed = { ...data };
+    for (const [key, value] of Object.entries(transformed)) {
+      const field = collection2.fields[key];
+      if (field?.type === "relation") {
+        const relationType = field.db.relationType ?? "many-to-one";
+        const isMulti = relationType === "many-to-many" || relationType === "one-to-many";
+        if (Array.isArray(value)) {
+          const ids = value.filter((id) => typeof id === "string" && id.length > 0);
+          transformed[key] = isUpdate ? { set: ids.map((id) => ({ id })) } : { connect: ids.map((id) => ({ id })) };
+        } else if (!isMulti && typeof value === "string" && value.length > 0) {
+          transformed[key] = { connect: { id: value } };
+        } else if ((value === null || value === "") && isUpdate) {
+          transformed[key] = { disconnect: true };
+        } else if (value === null || value === "") {
+          delete transformed[key];
+        }
+      }
+    }
+    return transformed;
+  }
+}
+
+// src/api/index.ts
+init_agent_auth();
+
+// src/api/next.ts
+init_agent_auth();
+function jsonResponse(data, status = 200) {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function getBody(request) {
+  return request.json().catch(() => ({}));
+}
+function createRouteHandlers({ config, db, auth: auth2 }) {
+  const getSecurity = async (request) => {
+    const authHeader = request.headers.get("authorization");
+    if (authHeader?.startsWith("Bearer ")) {
+      const token = authHeader.split(" ")[1];
+      try {
+        const agent = verifyAgentToken(token);
+        return {
+          source: "agent",
+          agent,
+          user: { id: agent.sub, role: agent.role }
+        };
+      } catch (e) {
+        console.error(`[Auth] Agent Verification Failed: ${e.message}`);
+      }
+    }
+    if (auth2) {
+      try {
+        const session = await auth2();
+        if (session?.user) {
+          return {
+            source: "user",
+            user: {
+              id: session.user.id || session.user.email,
+              role: session.role || "user"
+            }
+          };
+        }
+      } catch (e) {
+        console.error(`[Auth] Session Retrieval Failed: ${e.message}`);
+      }
+    }
+    return { source: "user" };
+  };
+  function generateHandlers(collectionName) {
+    const collection2 = config.collections.find((c) => c.name === collectionName);
+    if (!collection2) {
+      throw new Error(`Collection "${collectionName}" not found in config`);
+    }
+    return {
+      GET: async (request, context) => {
+        const security = await getSecurity(request);
+        const controller = createController(collection2, db, security);
+        const params = await context.params;
+        if (params.id) {
+          const result2 = await controller.get(params.id);
+          if (!result2) return jsonResponse({ error: "Not found" }, 404);
+          return jsonResponse(result2);
+        }
+        const url = new URL(request.url);
+        const page = parseInt(url.searchParams.get("page") ?? "1");
+        const pageSize = parseInt(url.searchParams.get("pageSize") ?? "10");
+        const search = url.searchParams.get("search") ?? void 0;
+        const result = await controller.list({ page, pageSize, search });
+        return jsonResponse(result);
+      },
+      POST: async (request) => {
+        const security = await getSecurity(request);
+        const controller = createController(collection2, db, security);
+        const body = await getBody(request);
+        try {
+          const result = await controller.create(body);
+          return jsonResponse(result, 201);
+        } catch (err) {
+          const error = err;
+          if (error.name === "ZodError") {
+            const issues = error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join(", ");
+            return jsonResponse({ error: `Validation failed: ${issues}` }, 400);
+          }
+          return jsonResponse({ error: error.message }, 400);
+        }
+      },
+      PATCH: async (request, context) => {
+        const security = await getSecurity(request);
+        const controller = createController(collection2, db, security);
+        const params = await context.params;
+        if (!params.id) return jsonResponse({ error: "ID required" }, 400);
+        const body = await getBody(request);
+        try {
+          const result = await controller.update(params.id, body);
+          return jsonResponse(result);
+        } catch (err) {
+          const error = err;
+          if (error.name === "ZodError") {
+            const issues = error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join(", ");
+            return jsonResponse({ error: `Validation failed: ${issues}` }, 400);
+          }
+          return jsonResponse({ error: error.message }, 400);
+        }
+      },
+      DELETE: async (request, context) => {
+        const security = await getSecurity(request);
+        const controller = createController(collection2, db, security);
+        const params = await context.params;
+        if (!params.id) return jsonResponse({ error: "ID required" }, 400);
+        try {
+          const result = await controller.delete(params.id);
+          return jsonResponse(result);
+        } catch (err) {
+          const error = err;
+          return jsonResponse({ error: error.message }, 400);
+        }
+      }
+    };
+  }
+  return { generateHandlers };
+}
+function createAdminForgeApi({ config, db, auth: auth2 }) {
+  const { generateHandlers } = createRouteHandlers({ config, db, auth: auth2 });
+  const getCollectionAndId = (slug2) => {
+    const [collectionName, id] = slug2;
+    const handlers = generateHandlers(collectionName);
+    return { handlers, id };
+  };
+  return {
+    async GET(request, { params }) {
+      try {
+        const resolvedParams = await params;
+        const slug2 = resolvedParams.slug || resolvedParams.admin || Object.values(resolvedParams)[0];
+        if (slug2.includes("_config")) {
+          if (config.auth?.enabled && auth2) {
+            try {
+              const session = await auth2();
+              if (!session?.user) {
+                return jsonResponse({ error: "Unauthorized" }, 401);
+              }
+            } catch {
+              return jsonResponse({ error: "Unauthorized" }, 401);
+            }
+          }
+          const { serializeConfig: serializeConfig2 } = await Promise.resolve().then(() => (init_core(), core_exports));
+          return jsonResponse(serializeConfig2(config));
+        }
+        const { handlers, id } = getCollectionAndId(slug2);
+        return handlers.GET(request, { params: Promise.resolve({ id: id || "" }) });
+      } catch (err) {
+        return jsonResponse({ error: err.message }, 404);
+      }
+    },
+    async POST(request, { params }) {
+      try {
+        const resolvedParams = await params;
+        const slug2 = resolvedParams.slug || resolvedParams.admin || Object.values(resolvedParams)[0];
+        if (slug2[0] === "_media") {
+          const formData = await request.formData();
+          const file = formData.get("file");
+          if (!file) return jsonResponse({ error: "No file uploaded" }, 400);
+          const bytes = await file.arrayBuffer();
+          const buffer = Buffer.from(bytes);
+          const path = await import("path");
+          const fs = await import("fs/promises");
+          const uploadDir = path.join(process.cwd(), "public", "uploads");
+          try {
+            await fs.mkdir(uploadDir, { recursive: true });
+          } catch {
+          }
+          const filename = `${Date.now()}-${file.name.replace(/\s+/g, "-")}`;
+          const filePath = path.join(uploadDir, filename);
+          await fs.writeFile(filePath, buffer);
+          return jsonResponse({
+            url: `/uploads/${filename}`,
+            filename
+          }, 201);
+        }
+        if (slug2[0] === "_tokens") {
+          const { generateAgentToken: generateAgentToken2 } = await Promise.resolve().then(() => (init_agent_auth(), agent_auth_exports));
+          const body = await request.json();
+          const { scope, expiresIn = 600 } = body;
+          if (!Array.isArray(scope)) {
+            return jsonResponse({ error: "Scope must be an array" }, 400);
+          }
+          for (const s of scope) {
+            const [collection2, action] = s.split(":");
+            const exists = config.collections.find((c) => c.name === collection2);
+            if (!exists) return jsonResponse({ error: `Invalid collection: ${collection2}` }, 400);
+            if (!["create", "read", "update", "delete"].includes(action)) {
+              return jsonResponse({ error: `Invalid action: ${action}` }, 400);
+            }
+          }
+          let userId = "admin";
+          let role = "admin";
+          if (auth2) {
+            const session = await auth2();
+            if (session?.user) {
+              userId = session.user.id || session.user.email;
+              role = session.role || "admin";
+            }
+          }
+          const token = generateAgentToken2(userId, role, scope, expiresIn);
+          return jsonResponse({ token });
+        }
+        const { handlers } = getCollectionAndId(slug2);
+        return handlers.POST(request);
+      } catch (err) {
+        return jsonResponse({ error: err.message }, 404);
+      }
+    },
+    async PATCH(request, { params }) {
+      try {
+        const resolvedParams = await params;
+        const slug2 = resolvedParams.slug || resolvedParams.admin || Object.values(resolvedParams)[0];
+        const { handlers, id } = getCollectionAndId(slug2);
+        return handlers.PATCH(request, { params: Promise.resolve({ id: id || "" }) });
+      } catch (err) {
+        return jsonResponse({ error: err.message }, 404);
+      }
+    },
+    async DELETE(request, { params }) {
+      try {
+        const resolvedParams = await params;
+        const slug2 = resolvedParams.slug || resolvedParams.admin || Object.values(resolvedParams)[0];
+        const { handlers, id } = getCollectionAndId(slug2);
+        return handlers.DELETE(request, { params: Promise.resolve({ id: id || "" }) });
+      } catch (err) {
+        return jsonResponse({ error: err.message }, 404);
+      }
+    }
+  };
+}
+
+// src/auth/config.ts
+function createAuthConfig(options) {
+  return {
+    ...options,
+    providers: ["credentials"]
+  };
+}
+var auth = {
+  providers: {
+    credentials: {
+      id: "credentials",
+      name: "Credentials"
+    }
+  }
+};
+
+// src/auth/middleware.ts
+function adminMiddleware(handler) {
+  return async (request) => {
+    const sessionCookie = request.headers.get("cookie") ?? "";
+    const hasSession = sessionCookie.includes("next-auth.session-token");
+    if (!hasSession) {
+      return new Response(JSON.stringify({ error: "Unauthorized" }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+    return handler(request);
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  adminMiddleware,
+  assertScope,
+  auth,
+  createAdminForgeApi,
+  createAuthConfig,
+  createController,
+  createRouteHandlers,
+  generateAgentToken,
+  verifyAgentToken
+});
+//# sourceMappingURL=next.cjs.map