@aphexcms/cms-core 0.1.16 → 0.2.1

package/dist/local-api/collection-api.js

@@ -124,7 +124,7 @@ export class CollectionAPI {
      *
      * @example
      * ```typescript
-     * const page = await api.collections.pages.create(
+     * const result = await api.collections.pages.create(
      *   { organizationId: 'org_123', user },
      *   {
      *     title: 'New Page',
@@ -132,15 +132,18 @@ export class CollectionAPI {
      *     content: []
      *   }
      * );
+     * // result.document - the created document
+     * // result.validation - validation results
      * ```
      */
     async create(context, data, options) {
         // Permission check (unless overrideAccess)
         await this.permissions.canWrite(context, this.collectionName);
-        // Validate data if publishing immediately
+        // Validate and normalize data (dates converted to ISO)
+        const validationResult = await validateDocumentData(this._schema, data, data);
         if (options?.publish) {
             await this.permissions.canPublish(context, this.collectionName);
-            const validationResult = await validateDocumentData(this._schema, data, data);
+            // Block publish if validation fails
             if (!validationResult.isValid) {
                 const errorMessage = validationResult.errors
                     .map((e) => `${e.field}: ${e.errors.join(', ')}`)
@@ -148,48 +151,73 @@ export class CollectionAPI {
                 throw new Error(`Cannot publish: validation errors - ${errorMessage}`);
             }
         }
-        // Create document with draft data
+        // Create document with normalized data (dates in ISO format)
         const document = await this.databaseAdapter.createDocument({
             organizationId: context.organizationId,
             type: this.collectionName,
-            draftData: data,
+            draftData: validationResult.normalizedData,
             createdBy: context.user?.id
         });
         // Publish immediately if requested (validation already done above)
         if (options?.publish) {
             const published = await this.databaseAdapter.publishDoc(context.organizationId, document.id);
             if (published) {
-                return transformDocument(published, 'published');
+                return {
+                    document: transformDocument(published, 'published'),
+                    validation: validationResult
+                };
             }
         }
-        return transformDocument(document, 'draft');
+        return {
+            document: transformDocument(document, 'draft'),
+            validation: validationResult
+        };
     }
     /**
      * Update an existing document
      *
      * @example
      * ```typescript
-     * const updated = await api.collections.pages.update(
+     * const result = await api.collections.pages.update(
      *   { organizationId: 'org_123', user },
      *   'doc_123',
      *   { title: 'Updated Title' },
      *   { publish: true }
      * );
+     * // result.document - the updated document
+     * // result.validation - validation results
      * ```
      */
     async update(context, id, data, options) {
         // Permission check (unless overrideAccess)
         await this.permissions.canWrite(context, this.collectionName);
-        // Update draft data
-        const document = await this.databaseAdapter.updateDocDraft(context.organizationId, id, data, context.user?.id);
+        // Get existing document to merge with updates
+        const existingDoc = await this.databaseAdapter.findByDocIdAdvanced(context.organizationId, id);
+        if (!existingDoc) {
+            return null;
+        }
+        // Merge existing data with updates, but only keep fields defined in schema
+        // This prevents orphaned fields from persisting when schema changes
+        const schemaFieldNames = new Set(this._schema.fields.map((f) => f.name));
+        const cleanedExisting = {};
+        // Only copy fields from existing doc that are still in the schema
+        for (const [key, value] of Object.entries(existingDoc.draftData || {})) {
+            if (schemaFieldNames.has(key)) {
+                cleanedExisting[key] = value;
+            }
+        }
+        // Merge cleaned existing data with new updates
+        const mergedData = { ...cleanedExisting, ...data };
+        // Validate and normalize the merged data
+        const validationResult = await validateDocumentData(this._schema, mergedData, mergedData);
+        // Update draft with normalized data (dates in ISO format)
+        const document = await this.databaseAdapter.updateDocDraft(context.organizationId, id, validationResult.normalizedData, context.user?.id);
         if (!document) {
             return null;
         }
-        // Validate and publish immediately if requested
         if (options?.publish) {
             await this.permissions.canPublish(context, this.collectionName);
-            // Validate the updated draft data
-            const validationResult = await validateDocumentData(this._schema, document.draftData, document.draftData);
+            // Block publish if validation fails
             if (!validationResult.isValid) {
                 const errorMessage = validationResult.errors
                     .map((e) => `${e.field}: ${e.errors.join(', ')}`)
@@ -198,10 +226,16 @@ export class CollectionAPI {
             }
             const published = await this.databaseAdapter.publishDoc(context.organizationId, document.id);
             if (published) {
-                return transformDocument(published, 'published');
+                return {
+                    document: transformDocument(published, 'published'),
+                    validation: validationResult
+                };
             }
         }
-        return transformDocument(document, 'draft');
+        return {
+            document: transformDocument(document, 'draft'),
+            validation: validationResult
+        };
     }
     /**
      * Delete a document
@@ -234,11 +268,11 @@ export class CollectionAPI {
         // Permission check (unless overrideAccess)
         await this.permissions.canPublish(context, this.collectionName);
         // Get the document to access draft data for validation
-        const document = await this.databaseAdapter.findByDocId(context.organizationId, id);
+        const document = await this.databaseAdapter.findByDocIdAdvanced(context.organizationId, id);
         if (!document || !document.draftData) {
             throw new Error('Document not found or has no draft content to publish');
         }
-        // Validate draft data before publishing
+        // Validate draft data (dates already in ISO, will be converted for validation)
         const validationResult = await validateDocumentData(this._schema, document.draftData, document.draftData);
         if (!validationResult.isValid) {
             const errorMessage = validationResult.errors

package/dist/local-api/index.d.ts

@@ -101,7 +101,7 @@ export declare function createLocalAPI(config: CMSConfig, userAdapter: DatabaseA
  * ```
  */
 export declare function getLocalAPI(): LocalAPI;
-export { CollectionAPI } from './collection-api.js';
+export { CollectionAPI, type DocumentResult } from './collection-api.js';
 export { PermissionChecker, PermissionError } from './permissions.js';
 export type { LocalAPIContext, CreateOptions, UpdateOptions } from './types.js';
 export { authToContext, requireAuth, systemContext } from './auth-helpers.js';

package/dist/local-api/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/local-api/index.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAIjD;;;GAGG;AACH,MAAM,WAAW,WAAW;IAE3B,CAAC,cAAc,EAAE,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;CAGjD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,qBAAa,QAAQ;IAQnB,OAAO,CAAC,MAAM;IAPR,WAAW,EAAE,WAAW,CAAM;IACrC,OAAO,CAAC,WAAW,CAAkB;IACrC,OAAO,CAAC,aAAa,CAAyB;IAC9C,OAAO,CAAC,WAAW,CAAoB;IACvC,OAAO,CAAC,OAAO,CAA0B;gBAGhC,MAAM,EAAE,SAAS,EACzB,WAAW,EAAE,eAAe,EAC5B,aAAa,CAAC,EAAE,eAAe;IAmBhC;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAqC7B;;;OAGG;IACH,OAAO,CAAC,UAAU;IAOlB;;OAEG;IACH,kBAAkB,IAAI,MAAM,EAAE;IAI9B;;OAEG;IACH,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIpC;;OAEG;IACH,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;CAGzD;AAKD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,cAAc,CAC7B,MAAM,EAAE,SAAS,EACjB,WAAW,EAAE,eAAe,EAC5B,aAAa,CAAC,EAAE,eAAe,GAC7B,QAAQ,CAGV;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,IAAI,QAAQ,CAKtC;AAGD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACnE,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/local-api/index.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAIjD;;;GAGG;AACH,MAAM,WAAW,WAAW;IAE3B,CAAC,cAAc,EAAE,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;CAGjD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,qBAAa,QAAQ;IAQnB,OAAO,CAAC,MAAM;IAPR,WAAW,EAAE,WAAW,CAAM;IACrC,OAAO,CAAC,WAAW,CAAkB;IACrC,OAAO,CAAC,aAAa,CAAyB;IAC9C,OAAO,CAAC,WAAW,CAAoB;IACvC,OAAO,CAAC,OAAO,CAA0B;gBAGhC,MAAM,EAAE,SAAS,EACzB,WAAW,EAAE,eAAe,EAC5B,aAAa,CAAC,EAAE,eAAe;IAmBhC;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAgC7B;;;OAGG;IACH,OAAO,CAAC,UAAU;IAOlB;;OAEG;IACH,kBAAkB,IAAI,MAAM,EAAE;IAI9B;;OAEG;IACH,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIpC;;OAEG;IACH,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;CAGzD;AAKD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,cAAc,CAC7B,MAAM,EAAE,SAAS,EACjB,WAAW,EAAE,eAAe,EAC5B,aAAa,CAAC,EAAE,eAAe,GAC7B,QAAQ,CAGV;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,IAAI,QAAQ,CAKtC;AAGD,OAAO,EAAE,aAAa,EAAE,KAAK,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACtE,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AACnE,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/routes/assets-cdn.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"assets-cdn.d.ts","sourceRoot":"","sources":["../../src/lib/routes/assets-cdn.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,eAAO,MAAM,GAAG,EAAE,cAsLjB,CAAC"}
+{"version":3,"file":"assets-cdn.d.ts","sourceRoot":"","sources":["../../src/lib/routes/assets-cdn.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,eAAO,MAAM,GAAG,EAAE,cAqMjB,CAAC"}

package/dist/routes/assets-cdn.js

@@ -97,14 +97,21 @@ export const GET = async ({ params, locals, setHeaders, request }) => {
             console.warn('[Asset CDN] Private asset accessed without auth - DENIED');
             return new Response('Unauthorized - This asset is private', { status: 401 });
         }
-        // If asset is private, verify org matches
-        if (isPrivate && organizationId && organizationId !== asset.organizationId) {
-            console.warn('[Asset CDN] Org mismatch for private asset - FORBIDDEN');
-            return new Response('Forbidden', { status: 403 });
-        }
-        // Log the decision
+        // If asset is private, verify user has access to the asset's org
+        // This includes exact match OR parent org accessing child org asset (hierarchy)
         if (isPrivate && organizationId) {
-            console.log('[Asset CDN] Private asset access ALLOWED - user has auth and org matches');
+            let hasAccess = organizationId === asset.organizationId; // Same org
+            // If not same org, check if asset's org is a child of user's org (hierarchy)
+            if (!hasAccess && databaseAdapter.getChildOrganizations) {
+                const childOrgs = await databaseAdapter.getChildOrganizations(organizationId);
+                hasAccess = childOrgs.includes(asset.organizationId);
+                console.log(`[Asset CDN] Checking hierarchy: user org ${organizationId} has ${childOrgs.length} children, asset org ${asset.organizationId} is child? ${hasAccess}`);
+            }
+            if (!hasAccess) {
+                console.warn(`[Asset CDN] Org ${organizationId} cannot access asset from org ${asset.organizationId} - FORBIDDEN`);
+                return new Response('Forbidden', { status: 403 });
+            }
+            console.log(`[Asset CDN] Private asset access ALLOWED - user org ${organizationId} has access to asset org ${asset.organizationId}`);
         }
         else if (!isPrivate) {
             console.log('[Asset CDN] Public asset access ALLOWED');

package/dist/routes/assets.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"assets.d.ts","sourceRoot":"","sources":["../../src/lib/routes/assets.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,eAAO,MAAM,IAAI,EAAE,cAiElB,CAAC;AAEF,eAAO,MAAM,GAAG,EAAE,cA4CjB,CAAC"}
+{"version":3,"file":"assets.d.ts","sourceRoot":"","sources":["../../src/lib/routes/assets.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,eAAO,MAAM,IAAI,EAAE,cAuElB,CAAC;AAEF,eAAO,MAAM,GAAG,EAAE,cA4CjB,CAAC"}

package/dist/routes/assets.js

@@ -23,8 +23,12 @@ export const POST = async ({ request, locals }) => {
         // Get field metadata for privacy checking
         const schemaType = formData.get('schemaType') || undefined;
         const fieldPath = formData.get('fieldPath') || undefined;
+        // Get target organization (document's org takes precedence)
+        // This allows assets to belong to the document's org, not the uploader's org
+        const targetOrganizationId = formData.get('organizationId') || auth.organizationId;
         // Create asset upload data
         const uploadData = {
+            organizationId: targetOrganizationId, // Asset belongs to document's org
             buffer,
             originalFilename: file.name,
             mimeType: file.type,
@@ -40,7 +44,8 @@ export const POST = async ({ request, locals }) => {
             }
         };
         // Upload asset using the service
-        const asset = await assetService.uploadAsset(auth.organizationId, uploadData);
+        // The adapter will validate hierarchy access via withOrgContext
+        const asset = await assetService.uploadAsset(targetOrganizationId, uploadData);
         return json({
             success: true,
             data: asset

package/dist/routes/documents-by-id.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"documents-by-id.d.ts","sourceRoot":"","sources":["../../src/lib/routes/documents-by-id.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAKpD,eAAO,MAAM,GAAG,EAAE,cAuEjB,CAAC;AAGF,eAAO,MAAM,GAAG,EAAE,cAqEjB,CAAC;AAGF,eAAO,MAAM,MAAM,EAAE,cA+DpB,CAAC"}
+{"version":3,"file":"documents-by-id.d.ts","sourceRoot":"","sources":["../../src/lib/routes/documents-by-id.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAMpD,eAAO,MAAM,GAAG,EAAE,cAuEjB,CAAC;AAIF,eAAO,MAAM,GAAG,EAAE,cAkFjB,CAAC;AAGF,eAAO,MAAM,MAAM,EAAE,cA+DpB,CAAC"}

package/dist/routes/documents-by-id.js

@@ -3,6 +3,7 @@ import { json } from '@sveltejs/kit';
 import { authToContext } from '../local-api/auth-helpers.js';
 import { PermissionError } from '../local-api/permissions.js';
 // GET /api/documents/[id] - Get document by ID
+// TODO ENABLE CHILDREN ORG ACCESS BY DEFAULT - BECAUSE IF A PARENT ORG IS TRYING TO ACCESS A CHILD ORG. It should already have access to said id.
 export const GET = async ({ params, url, locals }) => {
     try {
         const { localAPI, databaseAdapter } = locals.aphexCMS;
@@ -16,7 +17,7 @@ export const GET = async ({ params, url, locals }) => {
         const depth = depthParam ? Math.max(0, Math.min(parseInt(depthParam), 5)) : 0;
         const perspective = url.searchParams.get('perspective') || 'draft';
         // First, fetch document to get its type (need this for collection-specific API)
-        const rawDoc = await databaseAdapter.findByDocId(context.organizationId, id, 0);
+        const rawDoc = await databaseAdapter.findByDocIdAdvanced(context.organizationId, id);
         if (!rawDoc) {
             return json({ success: false, error: 'Document not found' }, { status: 404 });
         }
@@ -59,6 +60,7 @@ export const GET = async ({ params, url, locals }) => {
     }
 };
 // PUT /api/documents/[id] - Update document
+// TODO ENABLE CHILDREN ORG ACCESS BY DEFAULT - BECAUSE IF A PARENT ORG IS TRYING TO ACCESS A CHILD ORG. It should already have access to said id.
 export const PUT = async ({ params, request, locals }) => {
     try {
         const { localAPI, databaseAdapter } = locals.aphexCMS;
@@ -71,7 +73,7 @@ export const PUT = async ({ params, request, locals }) => {
         const documentData = body.draftData || body.data;
         const shouldPublish = body.publish || false;
         // Fetch document to get its type
-        const rawDoc = await databaseAdapter.findByDocId(context.organizationId, id, 0);
+        const rawDoc = await databaseAdapter.findByDocIdAdvanced(context.organizationId, id);
         if (!rawDoc) {
             return json({ success: false, error: 'Document not found' }, { status: 404 });
         }
@@ -84,16 +86,17 @@ export const PUT = async ({ params, request, locals }) => {
                 message: `Collection '${rawDoc.type}' not found`
             }, { status: 400 });
         }
-        // Update via LocalAPI (permission checks happen inside)
-        const updatedDocument = await collection.update(context, id, documentData, {
+        // Update via LocalAPI (permission checks and validation happen inside)
+        const result = await collection.update(context, id, documentData, {
             publish: shouldPublish
         });
-        if (!updatedDocument) {
+        if (!result) {
             return json({ success: false, error: 'Document not found' }, { status: 404 });
         }
         return json({
             success: true,
-            data: updatedDocument
+            data: result.document,
+            validation: result.validation
         });
     }
     catch (error) {
@@ -105,6 +108,14 @@ export const PUT = async ({ params, request, locals }) => {
                 message: error.message
             }, { status: 403 });
         }
+        // Validation errors from publish attempts
+        if (error instanceof Error && error.message.includes('validation errors')) {
+            return json({
+                success: false,
+                error: 'Validation failed',
+                message: error.message
+            }, { status: 400 });
+        }
         return json({
             success: false,
             error: 'Failed to update document',
@@ -122,7 +133,7 @@ export const DELETE = async ({ params, locals }) => {
             return json({ success: false, error: 'Document ID is required' }, { status: 400 });
         }
         // Fetch document to get its type
-        const rawDoc = await databaseAdapter.findByDocId(context.organizationId, id, 0);
+        const rawDoc = await databaseAdapter.findByDocIdAdvanced(context.organizationId, id);
         if (!rawDoc) {
             return json({ success: false, error: 'Document not found' }, { status: 404 });
         }

package/dist/routes/documents-publish.js

@@ -16,7 +16,7 @@ export const POST = async ({ params, locals }) => {
             }, { status: 400 });
         }
         // Fetch document to get its type
-        const rawDoc = await databaseAdapter.findByDocId(context.organizationId, id, 0);
+        const rawDoc = await databaseAdapter.findByDocIdAdvanced(context.organizationId, id);
         if (!rawDoc) {
             return json({
                 success: false,
@@ -86,7 +86,7 @@ export const DELETE = async ({ params, locals }) => {
             }, { status: 400 });
         }
         // Fetch document to get its type
-        const rawDoc = await databaseAdapter.findByDocId(context.organizationId, id, 0);
+        const rawDoc = await databaseAdapter.findByDocIdAdvanced(context.organizationId, id);
         if (!rawDoc) {
             return json({
                 success: false,

package/dist/routes/documents-query.d.ts

@@ -17,7 +17,9 @@ import type { RequestHandler } from '@sveltejs/kit';
  *   "page": 1,
  *   "sort": ["-publishedAt", "title"],
  *   "depth": 1,
- *   "perspective": "published"
+ *   "perspective": "published",
+ *   "filterOrganizationIds": ["org_child1", "org_child2"],
+ *   "includeChildOrganizations": false
  * }
  */
 export declare const POST: RequestHandler;

package/dist/routes/documents-query.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"documents-query.d.ts","sourceRoot":"","sources":["../../src/lib/routes/documents-query.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AASpD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,IAAI,EAAE,cAqFlB,CAAC"}
+{"version":3,"file":"documents-query.d.ts","sourceRoot":"","sources":["../../src/lib/routes/documents-query.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AASpD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,IAAI,EAAE,cAuFlB,CAAC"}

package/dist/routes/documents-query.js

@@ -23,7 +23,9 @@ const DEFAULT_PAGE = 1;
  *   "page": 1,
  *   "sort": ["-publishedAt", "title"],
  *   "depth": 1,
- *   "perspective": "published"
+ *   "perspective": "published",
+ *   "filterOrganizationIds": ["org_child1", "org_child2"],
+ *   "includeChildOrganizations": false
  * }
  */
 export const POST = async ({ request, locals }) => {
@@ -60,7 +62,9 @@ export const POST = async ({ request, locals }) => {
             sort: body.sort,
             depth: body.depth !== undefined ? Math.max(0, Math.min(body.depth, 5)) : 0,
             select: body.select,
-            perspective: body.perspective || 'draft'
+            perspective: body.perspective || 'draft',
+            includeChildOrganizations: body.includeChildOrganizations,
+            filterOrganizationIds: body.filterOrganizationIds
         };
         // Query via LocalAPI
         const result = await localAPI.collections[documentType].find(context, findOptions);

package/dist/routes/documents.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"documents.d.ts","sourceRoot":"","sources":["../../src/lib/routes/documents.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AASpD,eAAO,MAAM,GAAG,EAAE,cAiGjB,CAAC;AAGF,eAAO,MAAM,IAAI,EAAE,cAsElB,CAAC"}
+{"version":3,"file":"documents.d.ts","sourceRoot":"","sources":["../../src/lib/routes/documents.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AASpD,eAAO,MAAM,GAAG,EAAE,cAwGjB,CAAC;AAGF,eAAO,MAAM,IAAI,EAAE,cAmFlB,CAAC"}

package/dist/routes/documents.js

@@ -18,6 +18,11 @@ export const GET = async ({ url, locals }) => {
         const depthParam = url.searchParams.get('depth');
         const sortParam = url.searchParams.get('sort');
         const perspective = url.searchParams.get('perspective') || 'draft';
+        const includeChildOrganizations = url.searchParams.get('includeChildOrganizations') === 'true';
+        const filterOrganizationIds = url.searchParams
+            .get('filterOrganizationIds')
+            ?.split(',')
+            .filter(Boolean);
         // Parse pagination
         const page = pageParam ? Math.max(1, parseInt(pageParam)) : DEFAULT_PAGE;
         const pageSize = pageSizeParam ? parseInt(pageSizeParam) : DEFAULT_PAGE_SIZE;
@@ -52,7 +57,9 @@ export const GET = async ({ url, locals }) => {
             offset: offset,
             depth: depth,
             sort: sortParam || undefined,
-            perspective
+            perspective,
+            includeChildOrganizations,
+            filterOrganizationIds
         });
         return json({
             success: true,
@@ -109,13 +116,14 @@ export const POST = async ({ request, locals }) => {
                 message: `Collection '${documentType}' not found. Available: ${localAPI.getCollectionNames().join(', ')}`
             }, { status: 400 });
         }
-        // Create via LocalAPI (permission checks happen inside)
-        const newDocument = await collection.create(context, documentData, {
+        // Create via LocalAPI (permission checks and validation happen inside)
+        const result = await collection.create(context, documentData, {
             publish: shouldPublish
         });
         return json({
             success: true,
-            data: newDocument
+            data: result.document,
+            validation: result.validation
         }, { status: 201 });
     }
     catch (error) {
@@ -127,6 +135,14 @@ export const POST = async ({ request, locals }) => {
                 message: error.message
             }, { status: 403 });
         }
+        // Validation errors from publish attempts
+        if (error instanceof Error && error.message.includes('validation errors')) {
+            return json({
+                success: false,
+                error: 'Validation failed',
+                message: error.message
+            }, { status: 400 });
+        }
         return json({
             success: false,
             error: 'Failed to create document',

package/dist/routes/index.d.ts

@@ -5,4 +5,5 @@ export * as documentsPublish from './documents-publish.js';
 export * as assets from './assets.js';
 export * as schemas from './schemas.js';
 export * as schemasByType from './schemas-by-type.js';
+export * as userPreferences from './user-preferences.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/routes/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,SAAS,MAAM,aAAa,CAAC;AACzC,OAAO,KAAK,aAAa,MAAM,mBAAmB,CAAC;AACnD,OAAO,KAAK,cAAc,MAAM,mBAAmB,CAAC;AACpD,OAAO,KAAK,gBAAgB,MAAM,qBAAqB,CAAC;AAGxD,OAAO,KAAK,MAAM,MAAM,UAAU,CAAC;AAGnC,OAAO,KAAK,OAAO,MAAM,WAAW,CAAC;AACrC,OAAO,KAAK,aAAa,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/routes/index.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,SAAS,MAAM,aAAa,CAAC;AACzC,OAAO,KAAK,aAAa,MAAM,mBAAmB,CAAC;AACnD,OAAO,KAAK,cAAc,MAAM,mBAAmB,CAAC;AACpD,OAAO,KAAK,gBAAgB,MAAM,qBAAqB,CAAC;AAGxD,OAAO,KAAK,MAAM,MAAM,UAAU,CAAC;AAGnC,OAAO,KAAK,OAAO,MAAM,WAAW,CAAC;AACrC,OAAO,KAAK,aAAa,MAAM,mBAAmB,CAAC;AAGnD,OAAO,KAAK,eAAe,MAAM,oBAAoB,CAAC"}

package/dist/routes/index.js

@@ -10,3 +10,5 @@ export * as assets from './assets.js';
 // Schema information routes
 export * as schemas from './schemas.js';
 export * as schemasByType from './schemas-by-type.js';
+// User management routes
+export * as userPreferences from './user-preferences.js';

package/dist/routes/user-preferences.d.ts

@@ -0,0 +1,4 @@
+import type { RequestHandler } from '@sveltejs/kit';
+export declare const GET: RequestHandler;
+export declare const PATCH: RequestHandler;
+//# sourceMappingURL=user-preferences.d.ts.map

package/dist/routes/user-preferences.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-preferences.d.ts","sourceRoot":"","sources":["../../src/lib/routes/user-preferences.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAIpD,eAAO,MAAM,GAAG,EAAE,cAiCjB,CAAC;AAGF,eAAO,MAAM,KAAK,EAAE,cAkEnB,CAAC"}

package/dist/routes/user-preferences.js

@@ -0,0 +1,77 @@
+// Aphex CMS User Preferences API Handler
+import { json } from '@sveltejs/kit';
+// GET /api/user/preferences - Get user preferences
+export const GET = async ({ locals }) => {
+    try {
+        const { databaseAdapter } = locals.aphexCMS;
+        const auth = locals.auth;
+        if (!auth || auth.type !== 'session') {
+            return json({
+                success: false,
+                error: 'Unauthorized',
+                message: 'Session authentication required'
+            }, { status: 401 });
+        }
+        const userProfile = await databaseAdapter.findUserProfileById(auth.user.id);
+        return json({
+            success: true,
+            data: userProfile?.preferences || {}
+        });
+    }
+    catch (error) {
+        console.error('Failed to get user preferences:', error);
+        return json({
+            success: false,
+            error: 'Failed to get user preferences',
+            message: error instanceof Error ? error.message : 'Unknown error'
+        }, { status: 500 });
+    }
+};
+// PATCH /api/user/preferences - Update user preferences (partial update)
+export const PATCH = async ({ request, locals }) => {
+    try {
+        const { databaseAdapter } = locals.aphexCMS;
+        const auth = locals.auth;
+        if (!auth || auth.type !== 'session') {
+            return json({
+                success: false,
+                error: 'Unauthorized',
+                message: 'Session authentication required'
+            }, { status: 401 });
+        }
+        const body = (await request.json());
+        // Validate the preferences object
+        if (typeof body !== 'object' || body === null) {
+            return json({
+                success: false,
+                error: 'Invalid request body',
+                message: 'Expected an object with preference values'
+            }, { status: 400 });
+        }
+        // Validate individual preference types
+        if (body.includeChildOrganizations !== undefined &&
+            typeof body.includeChildOrganizations !== 'boolean') {
+            return json({
+                success: false,
+                error: 'Invalid preference value',
+                message: 'includeChildOrganizations must be a boolean'
+            }, { status: 400 });
+        }
+        // Update preferences
+        await databaseAdapter.updateUserPreferences(auth.user.id, body);
+        // Get updated profile
+        const userProfile = await databaseAdapter.findUserProfileById(auth.user.id);
+        return json({
+            success: true,
+            data: userProfile?.preferences || {}
+        });
+    }
+    catch (error) {
+        console.error('Failed to update user preferences:', error);
+        return json({
+            success: false,
+            error: 'Failed to update user preferences',
+            message: error instanceof Error ? error.message : 'Unknown error'
+        }, { status: 500 });
+    }
+};

package/dist/schema-utils/utils.d.ts

@@ -21,10 +21,14 @@ export declare function getDocumentTypes(schemas: SchemaType[]): SchemaType[];
 export declare function schemaExists(schemas: SchemaType[], name: string): boolean;
 /**
  * Get the available types for an array field
+ * Supports both schema references and inline object definitions
  */
 export declare function getArrayTypes(schemas: SchemaType[], arrayField: {
     of?: Array<{
         type: string;
+        name?: string;
+        title?: string;
+        fields?: any[];
     }>;
 }): SchemaType[];
 //# sourceMappingURL=utils.d.ts.map

package/dist/schema-utils/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/lib/schema-utils/utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD;;;GAGG;AAEH;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAEtF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,UAAU,EAAE,CAElE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,UAAU,EAAE,CAEpE;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAEzE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAC5B,OAAO,EAAE,UAAU,EAAE,EACrB,UAAU,EAAE;IAAE,EAAE,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,GAC1C,UAAU,EAAE,CAKd"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/lib/schema-utils/utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD;;;GAGG;AAEH;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAEtF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,UAAU,EAAE,CAElE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,UAAU,EAAE,CAEpE;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAEzE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC5B,OAAO,EAAE,UAAU,EAAE,EACrB,UAAU,EAAE;IAAE,EAAE,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,GAAG,EAAE,CAAA;KAAE,CAAC,CAAA;CAAE,GACzF,UAAU,EAAE,CA0Bd"}

package/dist/schema-utils/utils.js

@@ -28,10 +28,31 @@ export function schemaExists(schemas, name) {
 }
 /**
  * Get the available types for an array field
+ * Supports both schema references and inline object definitions
  */
 export function getArrayTypes(schemas, arrayField) {
     if (!arrayField.of)
         return [];
-    const typeNames = arrayField.of.map((item) => item.type);
-    return schemas.filter((schema) => typeNames.includes(schema.name));
+    const availableTypes = [];
+    arrayField.of.forEach((item) => {
+        // Check if this is an inline object definition
+        if (item.fields) {
+            // Create a temporary SchemaType from inline definition
+            const schemaName = item.name || item.type;
+            availableTypes.push({
+                type: 'object',
+                name: schemaName,
+                title: item.title || item.name || item.type,
+                fields: item.fields
+            });
+        }
+        else {
+            // Look it up in the schema registry
+            const schema = schemas.find((s) => s.name === item.type);
+            if (schema) {
+                availableTypes.push(schema);
+            }
+        }
+    });
+    return availableTypes;
 }

package/dist/schema-utils/validator.d.ts

@@ -1,4 +1,8 @@
 import type { SchemaType } from '../types/schemas.js';
+/**
+ * Check if a field name is reserved
+ */
+export declare function isReservedFieldName(fieldName: string): boolean;
 /**
  * Validate all schema references to ensure they exist
  */

package/dist/schema-utils/validator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../../src/lib/schema-utils/validator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAS,MAAM,kBAAkB,CAAC;AAE1D;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,IAAI,CAoDpE"}
+{"version":3,"file":"validator.d.ts","sourceRoot":"","sources":["../../src/lib/schema-utils/validator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAS,MAAM,kBAAkB,CAAC;AAkB1D;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAE9D;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,IAAI,CAoMpE"}