@datrix/api 0.1.0

package/dist/index.js

@@ -0,0 +1,3354 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ApiPlugin: () => ApiPlugin,
+  ContextBuildError: () => ContextBuildError,
+  DatrixApiError: () => DatrixApiError,
+  MemorySessionStore: () => MemorySessionStore,
+  authenticate: () => authenticate,
+  buildRequestContext: () => buildRequestContext,
+  checkFieldsForWrite: () => checkFieldsForWrite,
+  checkSchemaPermission: () => checkSchemaPermission,
+  createAuthHandlers: () => createAuthHandlers,
+  createUnifiedAuthHandler: () => createUnifiedAuthHandler,
+  datrixErrorResponse: () => datrixErrorResponse,
+  evaluatePermissionValue: () => evaluatePermissionValue,
+  filterFieldsForRead: () => filterFieldsForRead,
+  filterRecordsForRead: () => filterRecordsForRead,
+  handleCrudRequest: () => handleCrudRequest,
+  handleRequest: () => handleRequest,
+  handlerError: () => handlerError,
+  jsonResponse: () => jsonResponse,
+  methodToAction: () => methodToAction,
+  parseFields: () => parseFields,
+  parsePopulate: () => parsePopulate,
+  parseQuery: () => parseQuery,
+  parseWhere: () => parseWhere,
+  queryToParams: () => queryToParams,
+  serializeQuery: () => serializeQuery
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/api.ts
+var import_core18 = require("@datrix/core");
+var import_core19 = require("@datrix/core");
+var import_core20 = require("@datrix/core");
+
+// src/auth/password.ts
+var import_node_crypto = require("crypto");
+
+// src/auth/error-helper.ts
+var import_core = require("@datrix/core");
+function throwJwtSignError(cause) {
+  throw new import_core.DatrixAuthError("Failed to sign JWT token", {
+    code: "JWT_SIGN_ERROR",
+    strategy: "jwt",
+    cause,
+    suggestion: "Check your JWT configuration and secret key"
+  });
+}
+function throwJwtVerifyError(cause) {
+  throw new import_core.DatrixAuthError("Failed to verify JWT token", {
+    code: "JWT_VERIFY_ERROR",
+    strategy: "jwt",
+    cause,
+    suggestion: "Ensure the token is valid and not tampered with"
+  });
+}
+function throwJwtDecodeError(cause) {
+  throw new import_core.DatrixAuthError("Failed to decode JWT token", {
+    code: "JWT_DECODE_ERROR",
+    strategy: "jwt",
+    cause,
+    suggestion: "Ensure the token format is correct"
+  });
+}
+function throwJwtInvalidFormat() {
+  throw new import_core.DatrixAuthError("Invalid JWT format", {
+    code: "JWT_INVALID_FORMAT",
+    strategy: "jwt",
+    suggestion: "JWT must be in format: header.payload.signature",
+    expected: "three dot-separated base64url strings"
+  });
+}
+function throwJwtInvalidHeader() {
+  throw new import_core.DatrixAuthError("Invalid JWT header", {
+    code: "JWT_INVALID_HEADER",
+    strategy: "jwt",
+    suggestion: "Ensure the JWT header has correct algorithm and type",
+    expected: 'header with typ: "JWT" and matching algorithm'
+  });
+}
+function throwJwtInvalidPayload() {
+  throw new import_core.DatrixAuthError("Invalid JWT payload", {
+    code: "JWT_INVALID_PAYLOAD",
+    strategy: "jwt",
+    suggestion: "JWT payload must contain userId, role, iat, and exp fields",
+    expected: "valid JWT payload with required fields"
+  });
+}
+function throwJwtInvalidSignature() {
+  throw new import_core.DatrixAuthError("Invalid JWT signature", {
+    code: "JWT_INVALID_SIGNATURE",
+    strategy: "jwt",
+    suggestion: "Token may have been tampered with or signed with wrong secret",
+    expected: "valid HMAC signature"
+  });
+}
+function throwJwtExpired(exp, now) {
+  throw new import_core.DatrixAuthError("JWT token expired", {
+    code: "JWT_EXPIRED",
+    strategy: "jwt",
+    context: { exp, now },
+    suggestion: "Refresh your token or login again",
+    expected: "token with exp > current time"
+  });
+}
+function throwJwtInvalidIat() {
+  throw new import_core.DatrixAuthError("JWT token issued in the future", {
+    code: "JWT_INVALID_IAT",
+    strategy: "jwt",
+    suggestion: "Check your server time synchronization",
+    expected: "token with iat <= current time (allowing 60s skew)"
+  });
+}
+function throwJwtInvalidIssuer(expected, received) {
+  throw new import_core.DatrixAuthError("JWT issuer mismatch", {
+    code: "JWT_INVALID_ISSUER",
+    strategy: "jwt",
+    expected,
+    received,
+    suggestion: `Token must be issued by: ${expected}`
+  });
+}
+function throwJwtInvalidAudience(expected, received) {
+  throw new import_core.DatrixAuthError("JWT audience mismatch", {
+    code: "JWT_INVALID_AUDIENCE",
+    strategy: "jwt",
+    expected,
+    received,
+    suggestion: `Token must be for audience: ${expected}`
+  });
+}
+function throwSessionCreateError(cause) {
+  throw new import_core.DatrixAuthError("Failed to create session", {
+    code: "SESSION_CREATE_ERROR",
+    strategy: "session",
+    cause,
+    suggestion: "Check your session store configuration"
+  });
+}
+function throwSessionNotFound(sessionId) {
+  throw new import_core.DatrixAuthError("Session not found", {
+    code: "AUTH_SESSION_NOT_FOUND",
+    strategy: "session",
+    context: { sessionId },
+    suggestion: "Login again to create a new session"
+  });
+}
+function throwSessionExpired(sessionId) {
+  throw new import_core.DatrixAuthError("Session expired", {
+    code: "AUTH_SESSION_EXPIRED",
+    strategy: "session",
+    context: { sessionId },
+    suggestion: "Login again to create a new session"
+  });
+}
+function throwSessionNotConfigured() {
+  throw new import_core.DatrixAuthError("Session strategy not configured", {
+    code: "SESSION_NOT_CONFIGURED",
+    strategy: "session",
+    suggestion: "Add session configuration to your auth config",
+    expected: "AuthConfig.session to be defined"
+  });
+}
+function throwPasswordTooShort(minLength, actualLength) {
+  throw new import_core.DatrixAuthError(
+    `Password must be at least ${minLength} characters`,
+    {
+      code: "PASSWORD_TOO_SHORT",
+      strategy: "password",
+      context: { minLength, actualLength },
+      suggestion: `Use a password with at least ${minLength} characters`,
+      expected: `password length >= ${minLength}`,
+      received: actualLength
+    }
+  );
+}
+function throwPasswordHashError(cause) {
+  throw new import_core.DatrixAuthError("Failed to hash password", {
+    code: "PASSWORD_HASH_ERROR",
+    strategy: "password",
+    cause,
+    suggestion: "Check your password hashing configuration"
+  });
+}
+function throwPasswordVerifyError(cause) {
+  throw new import_core.DatrixAuthError("Failed to verify password", {
+    code: "PASSWORD_VERIFY_ERROR",
+    strategy: "password",
+    cause,
+    suggestion: "Ensure the password hash and salt are valid"
+  });
+}
+
+// src/auth/password.ts
+var DEFAULT_CONFIG = {
+  iterations: 1e5,
+  keyLength: 64,
+  minLength: 8
+};
+var PasswordManager = class {
+  iterations;
+  keyLength;
+  minLength;
+  constructor(config = {}) {
+    this.iterations = config.iterations ?? DEFAULT_CONFIG.iterations;
+    this.keyLength = config.keyLength ?? DEFAULT_CONFIG.keyLength;
+    this.minLength = config.minLength ?? DEFAULT_CONFIG.minLength;
+  }
+  /**
+   * Hash password using PBKDF2
+   */
+  async hash(password) {
+    if (!password || password.length < this.minLength) {
+      throwPasswordTooShort(this.minLength, password?.length ?? 0);
+    }
+    try {
+      const salt = (0, import_node_crypto.randomBytes)(32).toString("hex");
+      const hash = (0, import_node_crypto.pbkdf2Sync)(
+        password,
+        salt,
+        this.iterations,
+        this.keyLength,
+        "sha512"
+      ).toString("hex");
+      return { hash, salt };
+    } catch (error) {
+      throwPasswordHashError(error instanceof Error ? error : void 0);
+    }
+  }
+  /**
+   * Verify password against hash
+   */
+  async verify(password, hash, salt) {
+    try {
+      const computedHash = (0, import_node_crypto.pbkdf2Sync)(
+        password,
+        salt,
+        this.iterations,
+        this.keyLength,
+        "sha512"
+      ).toString("hex");
+      const isValid = this.constantTimeCompare(computedHash, hash);
+      return isValid;
+    } catch (error) {
+      throwPasswordVerifyError(error instanceof Error ? error : void 0);
+    }
+  }
+  /**
+   * Constant-time string comparison (prevent timing attacks)
+   */
+  constantTimeCompare(a, b) {
+    if (a.length !== b.length) {
+      return false;
+    }
+    try {
+      const bufA = Buffer.from(a);
+      const bufB = Buffer.from(b);
+      return (0, import_node_crypto.timingSafeEqual)(bufA, bufB);
+    } catch {
+      let result = 0;
+      for (let i = 0; i < a.length; i++) {
+        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+      }
+      return result === 0;
+    }
+  }
+};
+
+// src/auth/jwt.ts
+var import_node_crypto2 = require("crypto");
+var import_core2 = require("@datrix/core");
+
+// src/auth/types.ts
+function isJwtPayload(value) {
+  if (typeof value !== "object" || value === null) {
+    return false;
+  }
+  const obj = value;
+  return "userId" in obj && "role" in obj && "iat" in obj && "exp" in obj && typeof obj["userId"] === "number" && typeof obj["role"] === "string" && typeof obj["iat"] === "number" && typeof obj["exp"] === "number";
+}
+
+// src/auth/jwt.ts
+var JwtStrategy = class {
+  secret;
+  expiresIn;
+  // in seconds
+  algorithm;
+  issuer;
+  audience;
+  constructor(config) {
+    this.secret = config.secret;
+    this.expiresIn = this.parseExpiry(
+      config.expiresIn ?? import_core2.DEFAULT_API_AUTH_CONFIG.jwt.expiresIn
+    );
+    this.algorithm = config.algorithm ?? "HS256";
+    this.issuer = config.issuer;
+    this.audience = config.audience;
+  }
+  /**
+   * Sign a JWT token
+   */
+  sign(payload) {
+    try {
+      const now = Math.floor(Date.now() / 1e3);
+      const exp = now + this.expiresIn;
+      const basePayload = payload;
+      const fullPayload = {
+        userId: basePayload["userId"],
+        role: basePayload["role"],
+        iat: now,
+        exp,
+        ...this.issuer && { iss: this.issuer },
+        ...this.audience && { aud: this.audience },
+        ...basePayload
+      };
+      const token = this.createToken(fullPayload);
+      return token;
+    } catch (error) {
+      throwJwtSignError(error instanceof Error ? error : void 0);
+    }
+  }
+  /**
+   * Verify a JWT token
+   */
+  verify(token) {
+    try {
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        throwJwtInvalidFormat();
+      }
+      const encodedHeader = parts[0];
+      const encodedPayload = parts[1];
+      const signature = parts[2];
+      if (!encodedHeader || !encodedPayload || !signature) {
+        throwJwtInvalidFormat();
+      }
+      const expectedSignature = this.signData(
+        `${encodedHeader}.${encodedPayload}`
+      );
+      if (!this.constantTimeCompare(signature, expectedSignature)) {
+        throwJwtInvalidSignature();
+      }
+      const header = this.decodeBase64Url(encodedHeader);
+      if (!header || header.typ !== "JWT" || header.alg !== this.algorithm) {
+        throwJwtInvalidHeader();
+      }
+      const payload = this.decodeBase64Url(encodedPayload);
+      if (!payload || !isJwtPayload(payload)) {
+        throwJwtInvalidPayload();
+      }
+      const now = Math.floor(Date.now() / 1e3);
+      if (payload.exp < now) {
+        throwJwtExpired(payload.exp, now);
+      }
+      if (payload.iat > now + 60) {
+        throwJwtInvalidIat();
+      }
+      if (this.issuer !== void 0 && payload.iss !== this.issuer) {
+        throwJwtInvalidIssuer(this.issuer, payload.iss);
+      }
+      if (this.audience !== void 0 && payload.aud !== this.audience) {
+        throwJwtInvalidAudience(this.audience, payload.aud);
+      }
+      return payload;
+    } catch (error) {
+      if (error instanceof Error && error.name === "DatrixAuthError") {
+        throw error;
+      }
+      throwJwtVerifyError(error instanceof Error ? error : void 0);
+    }
+  }
+  /**
+   * Refresh a JWT token
+   *
+   * Creates a new token with updated expiration
+   */
+  refresh(token) {
+    const payload = this.verify(token);
+    const { userId, role, ...rest } = payload;
+    const { iat: _iat, exp: _exp, iss: _iss, aud: _aud, ...custom } = rest;
+    return this.sign({ userId, role, ...custom });
+  }
+  /**
+   * Decode token without verification (for debugging)
+   */
+  decode(token) {
+    try {
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        throwJwtInvalidFormat();
+      }
+      const encodedPayload = parts[1];
+      if (!encodedPayload) {
+        throwJwtInvalidFormat();
+      }
+      const payload = this.decodeBase64Url(encodedPayload);
+      if (!payload || !isJwtPayload(payload)) {
+        throwJwtInvalidPayload();
+      }
+      return payload;
+    } catch (error) {
+      if (error instanceof Error && error.name === "DatrixAuthError") {
+        throw error;
+      }
+      throwJwtDecodeError(error instanceof Error ? error : void 0);
+    }
+  }
+  /**
+   * Create a JWT token from payload
+   */
+  createToken(payload) {
+    const header = {
+      alg: this.algorithm,
+      typ: "JWT"
+    };
+    const encodedHeader = this.encodeBase64Url(JSON.stringify(header));
+    const encodedPayload = this.encodeBase64Url(JSON.stringify(payload));
+    const signature = this.signData(`${encodedHeader}.${encodedPayload}`);
+    return `${encodedHeader}.${encodedPayload}.${signature}`;
+  }
+  /**
+   * Sign data using HMAC
+   */
+  signData(data) {
+    const algorithm = this.algorithm === "HS256" ? "sha256" : "sha512";
+    const hmac = (0, import_node_crypto2.createHmac)(algorithm, this.secret);
+    hmac.update(data);
+    return this.encodeBase64Url(hmac.digest("base64"));
+  }
+  /**
+   * Base64 URL encode
+   */
+  encodeBase64Url(str) {
+    return Buffer.from(str).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  }
+  /**
+   * Base64 URL decode
+   */
+  decodeBase64Url(str) {
+    try {
+      let padded = str;
+      while (padded.length % 4 !== 0) {
+        padded += "=";
+      }
+      const base64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+      const decoded = Buffer.from(base64, "base64").toString("utf8");
+      return JSON.parse(decoded);
+    } catch {
+      return void 0;
+    }
+  }
+  /**
+   * Constant-time string comparison (prevent timing attacks)
+   */
+  constantTimeCompare(a, b) {
+    if (a.length !== b.length) {
+      return false;
+    }
+    try {
+      const bufferA = Buffer.from(a);
+      const bufferB = Buffer.from(b);
+      return (0, import_node_crypto2.timingSafeEqual)(bufferA, bufferB);
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Parse expiry string or number to seconds
+   */
+  parseExpiry(expiry) {
+    if (typeof expiry === "number") {
+      return expiry;
+    }
+    const match = expiry.match(/^(\d+)([smhd])$/);
+    if (!match) {
+      return 3600;
+    }
+    const [, num, unit] = match;
+    const value = parseInt(num, 10);
+    const multipliers = {
+      s: 1,
+      m: 60,
+      h: 3600,
+      d: 86400
+    };
+    return value * multipliers[unit];
+  }
+};
+
+// src/auth/session.ts
+var import_node_crypto3 = require("crypto");
+var import_core3 = require("@datrix/core");
+var import_core4 = require("@datrix/core");
+var SessionStrategy = class {
+  store;
+  maxAge;
+  // in seconds
+  checkPeriod;
+  // cleanup interval in seconds
+  cleanupTimer;
+  constructor(config) {
+    this.maxAge = config.maxAge ?? 86400;
+    this.checkPeriod = config.checkPeriod ?? 3600;
+    if (config.store && typeof config.store !== "string") {
+      this.store = config.store;
+    } else {
+      this.store = new MemorySessionStore(config.prefix);
+    }
+  }
+  /**
+   * Create a new session
+   */
+  async create(userId, role, data) {
+    try {
+      const sessionId = this.generateSessionId();
+      const now = /* @__PURE__ */ new Date();
+      const expiresAt = new Date(now.getTime() + this.maxAge * 1e3);
+      const sessionData = {
+        id: sessionId,
+        userId,
+        role,
+        createdAt: now,
+        expiresAt,
+        lastAccessedAt: now,
+        ...data
+      };
+      await this.store.set(sessionId, sessionData);
+      return sessionData;
+    } catch (error) {
+      if (error instanceof Error && error.name === "DatrixAuthError") {
+        throw error;
+      }
+      throwSessionCreateError(error instanceof Error ? error : void 0);
+    }
+  }
+  /**
+   * Get session by ID
+   */
+  async get(sessionId) {
+    const session = await this.store.get(sessionId);
+    if (session === void 0) {
+      throwSessionNotFound(sessionId);
+    }
+    const now = /* @__PURE__ */ new Date();
+    if (session.expiresAt < now) {
+      await this.store.delete(sessionId);
+      throwSessionExpired(sessionId);
+    }
+    const updatedSession = {
+      ...session,
+      lastAccessedAt: now
+    };
+    await this.store.set(sessionId, updatedSession);
+    return updatedSession;
+  }
+  /**
+   * Update session data
+   */
+  async update(sessionId, data) {
+    const session = await this.get(sessionId);
+    const updatedSession = {
+      ...session,
+      ...data,
+      id: session.id,
+      // Preserve ID
+      createdAt: session.createdAt
+      // Preserve creation time
+    };
+    await this.store.set(sessionId, updatedSession);
+    return updatedSession;
+  }
+  /**
+   * Delete session
+   */
+  async delete(sessionId) {
+    await this.store.delete(sessionId);
+  }
+  /**
+   * Refresh session (extend expiration)
+   */
+  async refresh(sessionId) {
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + this.maxAge * 1e3);
+    return this.update(sessionId, { expiresAt, lastAccessedAt: now });
+  }
+  /**
+   * Validate session (check if exists and not expired)
+   */
+  async validate(sessionId) {
+    try {
+      await this.get(sessionId);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Start cleanup timer
+   */
+  startCleanup() {
+    if (this.cleanupTimer !== void 0) {
+      return;
+    }
+    this.cleanupTimer = setInterval(() => {
+      void this.store.cleanup();
+    }, this.checkPeriod * 1e3);
+    this.cleanupTimer.unref();
+  }
+  /**
+   * Stop cleanup timer
+   */
+  stopCleanup() {
+    if (this.cleanupTimer !== void 0) {
+      clearInterval(this.cleanupTimer);
+      this.cleanupTimer = void 0;
+    }
+  }
+  /**
+   * Clear all sessions
+   */
+  async clear() {
+    await this.store.clear();
+  }
+  /**
+   * Generate secure session ID
+   */
+  generateSessionId() {
+    return (0, import_node_crypto3.randomBytes)(32).toString("hex");
+  }
+};
+var MemorySessionStore = class {
+  name = "memory";
+  sessions = /* @__PURE__ */ new Map();
+  prefix;
+  constructor(prefix = import_core3.DEFAULT_API_AUTH_CONFIG.session.prefix) {
+    this.prefix = prefix;
+  }
+  async get(sessionId) {
+    try {
+      const key = this.getKey(sessionId);
+      const session = this.sessions.get(key);
+      return session;
+    } catch (error) {
+      throw new import_core4.DatrixAuthError("Failed to get session from store", {
+        code: "SESSION_CREATE_ERROR",
+        strategy: "session",
+        cause: error instanceof Error ? error : void 0
+      });
+    }
+  }
+  async set(sessionId, data) {
+    const key = this.getKey(sessionId);
+    this.sessions.set(key, data);
+  }
+  async delete(sessionId) {
+    const key = this.getKey(sessionId);
+    this.sessions.delete(key);
+  }
+  async cleanup() {
+    const now = /* @__PURE__ */ new Date();
+    let deletedCount = 0;
+    for (const [key, session] of this.sessions.entries()) {
+      if (session.expiresAt < now) {
+        this.sessions.delete(key);
+        deletedCount++;
+      }
+    }
+    return deletedCount;
+  }
+  async clear() {
+    this.sessions.clear();
+  }
+  getKey(sessionId) {
+    return `${this.prefix}${sessionId}`;
+  }
+};
+
+// src/auth/manager.ts
+var AuthManager = class {
+  passwordManager;
+  jwtStrategy;
+  sessionStrategy;
+  config;
+  get authConfig() {
+    return this.config;
+  }
+  constructor(config) {
+    this.config = config;
+    this.passwordManager = new PasswordManager(config.password);
+    if (config.jwt) {
+      this.jwtStrategy = new JwtStrategy(config.jwt);
+    }
+    if (config.session) {
+      this.sessionStrategy = new SessionStrategy(config.session);
+      this.sessionStrategy.startCleanup();
+    }
+  }
+  /**
+   * Hash password
+   */
+  async hashPassword(password) {
+    return this.passwordManager.hash(password);
+  }
+  /**
+   * Verify password
+   */
+  async verifyPassword(password, hash, salt) {
+    return this.passwordManager.verify(password, hash, salt);
+  }
+  /**
+   * Login user and create token/session
+   */
+  async login(user, options = {}) {
+    const { createToken = true, createSession = true } = options;
+    let token = void 0;
+    let sessionId = void 0;
+    if (this.jwtStrategy && createToken) {
+      token = this.jwtStrategy.sign({
+        userId: user.id,
+        role: user.role
+      });
+    }
+    if (this.sessionStrategy && createSession) {
+      const sessionData = await this.sessionStrategy.create(user.id, user.role);
+      sessionId = sessionData.id;
+    }
+    const result = {
+      user,
+      ...token !== void 0 && { token },
+      ...sessionId !== void 0 && { sessionId }
+    };
+    return result;
+  }
+  /**
+   * Logout user (destroy session)
+   */
+  async logout(sessionId) {
+    if (!this.sessionStrategy) {
+      throwSessionNotConfigured();
+    }
+    await this.sessionStrategy.delete(sessionId);
+  }
+  /**
+   * Authenticate request (extract and verify token/session)
+   */
+  async authenticate(request) {
+    const token = this.extractToken(request);
+    if (token && this.jwtStrategy) {
+      try {
+        const payload = this.jwtStrategy.verify(token);
+        return {
+          user: {
+            id: payload.userId,
+            email: "",
+            // Will be fetched from DB if needed
+            role: payload.role
+          },
+          token
+        };
+      } catch {
+      }
+    }
+    const sessionId = this.extractSessionId(request);
+    if (sessionId && this.sessionStrategy) {
+      try {
+        const session = await this.sessionStrategy.get(sessionId);
+        return {
+          user: {
+            id: session.userId,
+            email: "",
+            role: session.role
+          },
+          sessionId
+        };
+      } catch {
+      }
+    }
+    return null;
+  }
+  /**
+   * Extract JWT token from request headers
+   */
+  extractToken(request) {
+    const authHeader = request.headers.get("authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      return null;
+    }
+    return authHeader.slice(7);
+  }
+  /**
+   * Extract session ID from request cookies
+   */
+  extractSessionId(request) {
+    const cookieHeader = request.headers.get("cookie");
+    if (!cookieHeader) {
+      return null;
+    }
+    const cookies = cookieHeader.split(";").reduce(
+      (acc, cookie) => {
+        const [key, value] = cookie.trim().split("=");
+        if (key && value) {
+          acc[key] = value;
+        }
+        return acc;
+      },
+      {}
+    );
+    return cookies["sessionId"] ?? null;
+  }
+  /**
+   * Get JWT strategy (for advanced usage)
+   */
+  getJwtStrategy() {
+    return this.jwtStrategy;
+  }
+  /**
+   * Get session strategy (for advanced usage)
+   */
+  getSessionStrategy() {
+    return this.sessionStrategy;
+  }
+  /**
+   * Cleanup resources
+   */
+  async destroy() {
+    if (this.sessionStrategy) {
+      this.sessionStrategy.stopCleanup();
+    }
+    if (this.sessionStrategy) {
+      await this.sessionStrategy.clear();
+    }
+  }
+};
+
+// src/handler/auth-handler.ts
+var import_core7 = require("@datrix/core");
+
+// src/handler/utils.ts
+var import_core6 = require("@datrix/core");
+
+// src/errors/api-error.ts
+var import_core5 = require("@datrix/core");
+var DatrixApiError = class extends import_core5.DatrixError {
+  /** HTTP status code associated with this error */
+  status;
+  constructor(message, options) {
+    super(message, {
+      code: options.code,
+      operation: options.operation || "api:handler",
+      ...options.context && { context: options.context },
+      ...options.suggestion && { suggestion: options.suggestion },
+      ...options.expected && { expected: options.expected },
+      ...options.received !== void 0 && { received: options.received },
+      ...options.cause && { cause: options.cause }
+    });
+    this.status = options.status || 500;
+  }
+  /**
+   * Override toJSON to include status
+   */
+  toJSON() {
+    return {
+      ...super.toJSON(),
+      status: this.status
+    };
+  }
+};
+var handlerError = {
+  schemaNotFound(tableName, availableModels) {
+    return new DatrixApiError(`Model not found for table: ${tableName}`, {
+      code: "SCHEMA_NOT_FOUND",
+      status: 404,
+      context: { tableName, availableModels },
+      suggestion: "Check if the table name is correct and the schema is properly defined."
+    });
+  },
+  modelNotSpecified() {
+    return new DatrixApiError("Model not specified in the request URL", {
+      code: "MODEL_NOT_SPECIFIED",
+      status: 400,
+      suggestion: "Ensure the URL includes the model name (e.g., /api/users)."
+    });
+  },
+  recordNotFound(modelName, id) {
+    return new DatrixApiError(`${modelName} record not found with ID: ${id}`, {
+      code: "NOT_FOUND",
+      status: 404,
+      context: { modelName, id },
+      suggestion: "Verify the ID is correct or if the record has been deleted."
+    });
+  },
+  invalidBody(reason) {
+    return new DatrixApiError(
+      reason ? `Invalid request body: ${reason}` : "Invalid request body",
+      {
+        code: "INVALID_BODY",
+        status: 400,
+        context: { reason },
+        suggestion: "Ensure the request body is a valid JSON object and contains all required fields."
+      }
+    );
+  },
+  missingId(operation) {
+    return new DatrixApiError(`ID is required for ${operation}`, {
+      code: "MISSING_ID",
+      status: 400,
+      suggestion: `Provide a valid ID in the URL for the ${operation} operation.`
+    });
+  },
+  methodNotAllowed(method) {
+    return new DatrixApiError(
+      `HTTP Method ${method} is not allowed for this route`,
+      {
+        code: "METHOD_NOT_ALLOWED",
+        status: 405,
+        context: { method },
+        suggestion: "Check the API documentation for supported methods on this endpoint."
+      }
+    );
+  },
+  permissionDenied(reason, context) {
+    return new DatrixApiError("Permission denied", {
+      code: "FORBIDDEN",
+      status: 403,
+      context: { reason, ...context },
+      suggestion: "Check your permissions or contact an administrator."
+    });
+  },
+  unauthorized(reason) {
+    return new DatrixApiError("Unauthorized access", {
+      code: "UNAUTHORIZED",
+      status: 401,
+      context: { reason },
+      suggestion: "Provide valid authentication credentials."
+    });
+  },
+  internalError(message, cause) {
+    return new DatrixApiError(message, {
+      code: "INTERNAL_ERROR",
+      status: 500,
+      ...cause && { cause }
+    });
+  },
+  conflict(reason, context) {
+    return new DatrixApiError(reason, {
+      code: "CONFLICT",
+      status: 409,
+      ...context && { context },
+      suggestion: "Ensure the resource you are trying to create does not already exist."
+    });
+  }
+};
+
+// src/handler/utils.ts
+function jsonResponse(data, status = 200) {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function datrixErrorResponse(error) {
+  let status = 400;
+  if (error instanceof DatrixApiError) {
+    status = error.status;
+  } else if (error instanceof import_core6.DatrixValidationError) {
+    status = 400;
+  }
+  const serialized = error.toJSON();
+  return jsonResponse(
+    {
+      error: {
+        ...serialized,
+        type: error.name
+      }
+    },
+    status
+  );
+}
+function extractSessionId(request) {
+  const cookieHeader = request.headers.get("cookie");
+  if (!cookieHeader) return null;
+  const match = cookieHeader.match(/sessionId=([^;]+)/);
+  return match ? match[1] : null;
+}
+
+// src/errors/auth-error.ts
+var authError = {
+  invalidCredentials() {
+    return new DatrixApiError("Invalid email or password", {
+      code: "INVALID_CREDENTIALS",
+      status: 401,
+      suggestion: "Please check your email and password and try again."
+    });
+  },
+  invalidToken(reason) {
+    return new DatrixApiError("Invalid or expired authentication token", {
+      code: "INVALID_TOKEN",
+      status: 401,
+      context: { reason },
+      suggestion: "Please log in again to obtain a new session."
+    });
+  },
+  missingToken() {
+    return new DatrixApiError("Authentication token is missing", {
+      code: "MISSING_TOKEN",
+      status: 401,
+      suggestion: "Include an Authorization header or a session cookie in your request."
+    });
+  },
+  sessionExpired() {
+    return new DatrixApiError("Your session has expired", {
+      code: "SESSION_EXPIRED",
+      status: 401,
+      suggestion: "Log in again to continue using the application."
+    });
+  },
+  accountLocked(reason) {
+    return new DatrixApiError("This account has been locked", {
+      code: "ACCOUNT_LOCKED",
+      status: 403,
+      context: { reason },
+      suggestion: "Contact support to unlock your account."
+    });
+  }
+};
+
+// src/handler/auth-handler.ts
+var import_core8 = require("@datrix/core");
+function createAuthHandlers(config) {
+  const { datrix, authManager, authConfig } = config;
+  const userSchemaName = authConfig.userSchema?.name ?? "user";
+  const authSchemaName = authConfig.authSchemaName ?? "authentication";
+  const userEmailField = authConfig.userSchema?.email ?? "email";
+  const defaultRole = authConfig.defaultRole;
+  async function register(request) {
+    try {
+      if (authConfig.endpoints?.disableRegister) {
+        throw handlerError.permissionDenied("Registration is disabled");
+      }
+      const body = await request.json();
+      const { email, password, ...extraData } = body;
+      if (!email || typeof email !== "string") {
+        throw handlerError.invalidBody("Email is required");
+      }
+      if (!password || typeof password !== "string") {
+        throw handlerError.invalidBody("Password is required");
+      }
+      const existingAuth = await datrix.raw.findOne(
+        authSchemaName,
+        { email }
+      );
+      if (existingAuth) {
+        throw handlerError.conflict("User with this email already exists");
+      }
+      const { hash, salt } = await authManager.hashPassword(password);
+      const userData = {
+        [userEmailField]: email,
+        ...extraData
+      };
+      let user;
+      try {
+        const createdUser = await datrix.raw.create(userSchemaName, userData);
+        if (!createdUser) {
+          throw handlerError.internalError("Failed to create user record");
+        }
+        user = createdUser;
+      } catch (error) {
+        if (error instanceof import_core8.DatrixError) {
+          throw error;
+        }
+        const message = error instanceof Error ? error.message : "Failed to create user";
+        throw handlerError.invalidBody(message);
+      }
+      const authData = {
+        user: { set: [{ id: user.id }] },
+        email,
+        password: hash,
+        passwordSalt: salt,
+        role: defaultRole
+      };
+      const authRecord = await datrix.raw.create(
+        authSchemaName,
+        authData
+      );
+      if (!authRecord) {
+        await datrix.raw.delete(userSchemaName, user.id);
+        throw handlerError.internalError(
+          "Failed to create authentication record"
+        );
+      }
+      const authUser = {
+        id: authRecord.id,
+        email: authRecord.email,
+        role: authRecord.role
+      };
+      const loginResult = await authManager.login(authUser);
+      const responseBody = {
+        data: {
+          user: authUser,
+          token: loginResult.token,
+          sessionId: loginResult.sessionId
+        }
+      };
+      if (loginResult.sessionId) {
+        return new Response(JSON.stringify(responseBody), {
+          status: 201,
+          headers: {
+            "Content-Type": "application/json",
+            "Set-Cookie": `sessionId=${loginResult.sessionId}; HttpOnly; Path=/; Max-Age=86400; SameSite=Strict`
+          }
+        });
+      }
+      return jsonResponse(responseBody, 201);
+    } catch (error) {
+      if (error instanceof import_core8.DatrixError) {
+        return datrixErrorResponse(error);
+      }
+      const message = error instanceof Error ? error.message : "Internal server error";
+      return datrixErrorResponse(
+        handlerError.internalError(
+          message,
+          error instanceof Error ? error : void 0
+        )
+      );
+    }
+  }
+  async function login(request) {
+    try {
+      const body = await request.json();
+      const { email, password } = body;
+      if (!email || typeof email !== "string") {
+        throw handlerError.invalidBody("Email is required");
+      }
+      if (!password || typeof password !== "string") {
+        throw handlerError.invalidBody("Password is required");
+      }
+      const authRecord = await datrix.raw.findOne(
+        authSchemaName,
+        { email }
+      );
+      if (!authRecord) {
+        throw authError.invalidCredentials();
+      }
+      const isValid = await authManager.verifyPassword(
+        password,
+        authRecord.password,
+        authRecord.passwordSalt
+      );
+      if (!isValid) {
+        throw authError.invalidCredentials();
+      }
+      const authUser = {
+        id: authRecord.id,
+        email: authRecord.email,
+        role: authRecord.role
+      };
+      const loginResult = await authManager.login(authUser);
+      const responseBody = {
+        data: {
+          user: authUser,
+          token: loginResult.token,
+          sessionId: loginResult.sessionId
+        }
+      };
+      if (loginResult.sessionId) {
+        return new Response(JSON.stringify(responseBody), {
+          status: 200,
+          headers: {
+            "Content-Type": "application/json",
+            "Set-Cookie": `sessionId=${loginResult.sessionId}; HttpOnly; Path=/; Max-Age=86400; SameSite=Strict`
+          }
+        });
+      }
+      return jsonResponse(responseBody);
+    } catch (error) {
+      if (error instanceof import_core8.DatrixError) {
+        return datrixErrorResponse(error);
+      }
+      const message = error instanceof Error ? error.message : "Internal server error";
+      return datrixErrorResponse(
+        handlerError.internalError(
+          message,
+          error instanceof Error ? error : void 0
+        )
+      );
+    }
+  }
+  async function logout(request) {
+    try {
+      const sessionId = extractSessionId(request);
+      if (!sessionId) {
+        throw handlerError.invalidBody("No session found");
+      }
+      await authManager.logout(sessionId);
+      return new Response(JSON.stringify({ data: { success: true } }), {
+        status: 200,
+        headers: {
+          "Content-Type": "application/json",
+          "Set-Cookie": "sessionId=; HttpOnly; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Strict"
+        }
+      });
+    } catch (error) {
+      if (error instanceof import_core8.DatrixError) {
+        return datrixErrorResponse(error);
+      }
+      const message = error instanceof Error ? error.message : "Internal server error";
+      return datrixErrorResponse(
+        handlerError.internalError(
+          message,
+          error instanceof Error ? error : void 0
+        )
+      );
+    }
+  }
+  async function me(request) {
+    try {
+      const authContext = await authManager.authenticate(request);
+      if (!authContext || !authContext.user) {
+        throw authError.invalidToken();
+      }
+      const authenticatedUser = await datrix.raw.findById(
+        authSchemaName,
+        authContext.user.id,
+        { populate: { user: "*" } }
+      );
+      if (!authenticatedUser) {
+        throw handlerError.recordNotFound(
+          userSchemaName,
+          String(authContext.user.id)
+        );
+      }
+      return jsonResponse({ data: authenticatedUser });
+    } catch (error) {
+      if (error instanceof import_core8.DatrixError) {
+        return datrixErrorResponse(error);
+      }
+      const message = error instanceof Error ? error.message : "Internal server error";
+      return datrixErrorResponse(
+        handlerError.internalError(
+          message,
+          error instanceof Error ? error : void 0
+        )
+      );
+    }
+  }
+  return { register, login, logout, me };
+}
+function createUnifiedAuthHandler(config, apiPrefix = "/api") {
+  const handlers = createAuthHandlers(config);
+  const { authConfig } = config;
+  const endpoints = {
+    register: authConfig.endpoints?.register ?? import_core7.DEFAULT_API_AUTH_CONFIG.endpoints.register,
+    login: authConfig.endpoints?.login ?? import_core7.DEFAULT_API_AUTH_CONFIG.endpoints.login,
+    logout: authConfig.endpoints?.logout ?? import_core7.DEFAULT_API_AUTH_CONFIG.endpoints.logout,
+    me: authConfig.endpoints?.me ?? import_core7.DEFAULT_API_AUTH_CONFIG.endpoints.me
+  };
+  return async function authHandler(request) {
+    const url = new URL(request.url);
+    const path = url.pathname.slice(apiPrefix.length);
+    const method = request.method;
+    if (path === endpoints.register && method === "POST") {
+      return handlers.register(request);
+    }
+    if (path === endpoints.login && method === "POST") {
+      return handlers.login(request);
+    }
+    if (path === endpoints.logout && method === "POST") {
+      return handlers.logout(request);
+    }
+    if (path === endpoints.me && method === "GET") {
+      return handlers.me(request);
+    }
+    return datrixErrorResponse(
+      handlerError.recordNotFound("Auth Route", url.pathname)
+    );
+  };
+}
+
+// src/middleware/permission.ts
+var import_core9 = require("@datrix/core");
+function buildPermCtx(ctx) {
+  const permCtx = {
+    user: ctx.user ?? void 0,
+    id: ctx.id,
+    action: ctx.action,
+    datrix: ctx.datrix
+  };
+  if (ctx.body) {
+    permCtx.input = ctx.body;
+  }
+  return permCtx;
+}
+async function evaluatePermissionValue(value, ctx) {
+  if (value === void 0) {
+    return true;
+  }
+  if (typeof value === "boolean") {
+    return value;
+  }
+  if ((0, import_core9.isPermissionFn)(value)) {
+    const permCtx = buildPermCtx(ctx);
+    return await value(permCtx);
+  }
+  if (Array.isArray(value)) {
+    if (!ctx.user) {
+      for (const item of value) {
+        if ((0, import_core9.isPermissionFn)(item)) {
+          const permCtx = buildPermCtx(ctx);
+          const result = await item(permCtx);
+          if (result) return true;
+        }
+      }
+      return false;
+    }
+    for (const item of value) {
+      if (typeof item === "string") {
+        if (ctx.user.role === item) {
+          return true;
+        }
+      } else if ((0, import_core9.isPermissionFn)(item)) {
+        const permCtx = buildPermCtx(ctx);
+        const result = await item(permCtx);
+        if (result) return true;
+      }
+    }
+    return false;
+  }
+  return false;
+}
+async function checkSchemaPermission(schema, ctx, defaultPermission) {
+  const { action } = ctx;
+  const schemaPermission = schema.permission;
+  let permissionValue;
+  if (schemaPermission && schemaPermission[action] !== void 0) {
+    permissionValue = schemaPermission[action];
+  } else if (defaultPermission && defaultPermission[action] !== void 0) {
+    permissionValue = defaultPermission[action];
+  }
+  const allowed = await evaluatePermissionValue(permissionValue, ctx);
+  return {
+    allowed,
+    reason: allowed ? void 0 : `Permission denied for ${action} on ${schema.name}`
+  };
+}
+async function filterFieldsForRead(schema, record, ctx) {
+  const deniedFields = [];
+  const filtered = {};
+  for (const [fieldName, fieldValue] of Object.entries(record)) {
+    const fieldDef = schema.fields[fieldName];
+    if (!fieldDef) {
+      filtered[fieldName] = fieldValue;
+      continue;
+    }
+    const fieldPermission = fieldDef.permission;
+    if (!fieldPermission || fieldPermission.read === void 0) {
+      filtered[fieldName] = fieldValue;
+      continue;
+    }
+    const allowed = await evaluatePermissionValue(fieldPermission.read, ctx);
+    if (allowed) {
+      filtered[fieldName] = fieldValue;
+    } else {
+      deniedFields.push(fieldName);
+    }
+  }
+  return { data: filtered, deniedFields };
+}
+async function checkFieldsForWrite(schema, ctx) {
+  const deniedFields = [];
+  const input = ctx.body ?? {};
+  for (const fieldName of Object.keys(input)) {
+    const fieldDef = schema.fields[fieldName];
+    if (!fieldDef) {
+      continue;
+    }
+    const fieldPermission = fieldDef.permission;
+    if (!fieldPermission || fieldPermission.write === void 0) {
+      continue;
+    }
+    const allowed = await evaluatePermissionValue(fieldPermission.write, ctx);
+    if (!allowed) {
+      deniedFields.push(fieldName);
+    }
+  }
+  return {
+    allowed: deniedFields.length === 0,
+    deniedFields: deniedFields.length > 0 ? deniedFields : void 0
+  };
+}
+function methodToAction(method) {
+  switch (method.toUpperCase()) {
+    case "GET":
+      return "read";
+    case "POST":
+      return "create";
+    case "PATCH":
+    case "PUT":
+      return "update";
+    case "DELETE":
+      return "delete";
+    default:
+      return "read";
+  }
+}
+async function filterRecordsForRead(schema, records, ctx) {
+  const filtered = [];
+  for (const record of records) {
+    const { data } = await filterFieldsForRead(schema, record, ctx);
+    filtered.push(data);
+  }
+  return filtered;
+}
+
+// src/parser/query-parser.ts
+var import_core15 = require("@datrix/core");
+var import_core16 = require("@datrix/core");
+
+// src/parser/fields-parser.ts
+var import_core12 = require("@datrix/core");
+
+// src/parser/errors.ts
+var import_core10 = require("@datrix/core");
+var import_core11 = require("@datrix/core");
+var whereError = {
+  invalidOperator(operator, path, context) {
+    throw new import_core10.ParserError(`Invalid WHERE operator: ${operator}`, {
+      code: "INVALID_OPERATOR",
+      parser: "where",
+      location: (0, import_core10.buildErrorLocation)(["where", ...path], {
+        queryParam: context?.operatorPath
+      }),
+      received: operator,
+      expected: "One of: $eq, $ne, $gt, $gte, $lt, $lte, $in, $nin, $contains, $startsWith, $endsWith, $like, $ilike, $null, $notNull, $and, $or, $not",
+      suggestion: "Use a valid WHERE operator. See documentation for full list.",
+      context: {
+        operator,
+        ...context
+      }
+    });
+  },
+  invalidFieldName(fieldName, path, context) {
+    const reasonDetail = context?.fieldValidationReason ? ` (Reason: ${context.fieldValidationReason})` : "";
+    throw new import_core10.ParserError(
+      `Invalid field name in WHERE clause: ${fieldName}${reasonDetail}`,
+      {
+        code: "INVALID_FIELD_NAME",
+        parser: "where",
+        location: (0, import_core10.buildErrorLocation)(["where", ...path]),
+        received: fieldName,
+        expected: "Field name must start with letter/underscore and contain only alphanumeric characters, underscores, and dots",
+        suggestion: "Use valid field names (e.g., 'name', 'user_id', 'profile.age')",
+        context: {
+          operator: fieldName,
+          ...context
+        }
+      }
+    );
+  },
+  invalidArrayIndex(index, operator, path, context) {
+    throw new import_core10.ParserError(
+      `Array index [${index}] can only follow array operators ($or, $and, $not, $in, $nin), found after: ${context?.previousOperator || "unknown"}`,
+      {
+        code: "ARRAY_INDEX_ERROR",
+        parser: "where",
+        location: (0, import_core10.buildErrorLocation)(["where", ...path], {
+          index: parseInt(index, 10),
+          queryParam: context?.operatorPath
+        }),
+        received: index,
+        expected: "Array index after $or, $and, $not, $in, or $nin",
+        suggestion: "Array indices can only be used with array operators",
+        context: {
+          operator,
+          arrayIndex: parseInt(index, 10),
+          ...context
+        }
+      }
+    );
+  },
+  arrayIndexAtStart(index, _path) {
+    throw new import_core10.ParserError(
+      "Array index cannot appear at the beginning of WHERE clause",
+      {
+        code: "ARRAY_INDEX_ERROR",
+        parser: "where",
+        location: (0, import_core10.buildErrorLocation)(["where"], {
+          index: parseInt(index, 10)
+        }),
+        received: index,
+        expected: "Field name or operator before array index",
+        suggestion: "WHERE clause must start with a field name, not an array index",
+        context: {
+          arrayIndex: parseInt(index, 10)
+        }
+      }
+    );
+  },
+  invalidArrayIndexFormat(index, operator, path) {
+    throw new import_core10.ParserError(
+      `Invalid array index in ${operator}: ${index} (must be non-negative integer)`,
+      {
+        code: "ARRAY_INDEX_ERROR",
+        parser: "where",
+        location: (0, import_core10.buildErrorLocation)(["where", ...path]),
+        received: index,
+        expected: "Non-negative integer (0, 1, 2, ...)",
+        suggestion: "Use valid array indices starting from 0",
+        context: {
+          operator,
+          arrayIndex: NaN
+        }
+      }
+    );
+  },
+  arrayIndexNotStartingFromZero(firstIndex, operator, path) {
+    throw new import_core10.ParserError(
+      `Array indices for ${operator} must start from 0, found: ${firstIndex}`,
+      {
+        code: "CONSECUTIVE_INDEX_ERROR",
+        parser: "where",
+        location: (0, import_core10.buildErrorLocation)(["where", ...path], {
+          index: firstIndex
+        }),
+        received: firstIndex,
+        expected: "Array indices starting from 0",
+        suggestion: "Start array indices at 0: use [0], [1], [2], etc.",
+        context: {
+          operator,
+          arrayIndex: firstIndex
+        }
+      }
+    );
+  },
+  arrayIndexNotConsecutive(missingIndex, operator, path, foundIndices) {
+    const indicesStr = foundIndices ? `. Found: [${foundIndices.join(", ")}]` : "";
+    throw new import_core10.ParserError(
+      `Array indices for ${operator} must be consecutive. Missing index: ${missingIndex}${indicesStr}`,
+      {
+        code: "CONSECUTIVE_INDEX_ERROR",
+        parser: "where",
+        location: (0, import_core10.buildErrorLocation)(["where", ...path], {
+          index: missingIndex
+        }),
+        received: foundIndices ? `Indices: [${foundIndices.join(", ")}]` : `Gap at index ${missingIndex}`,
+        expected: "Consecutive indices: [0, 1, 2, ...]",
+        suggestion: `Add ${operator}[${missingIndex}] to fix the gap`,
+        context: {
+          operator,
+          missingIndex,
+          foundIndices
+        }
+      }
+    );
+  },
+  maxValueLength(actualLength, path) {
+    throw new import_core10.ParserError(
+      `WHERE value exceeds maximum length of ${import_core11.MAX_WHERE_VALUE_LENGTH} characters`,
+      {
+        code: "MAX_LENGTH_EXCEEDED",
+        parser: "where",
+        location: (0, import_core10.buildErrorLocation)(["where", ...path]),
+        received: `${actualLength} characters`,
+        expected: `Maximum ${import_core11.MAX_WHERE_VALUE_LENGTH} characters`,
+        suggestion: "Reduce the length of your query value or use a different approach",
+        context: {
+          operator: "value_length"
+        }
+      }
+    );
+  },
+  maxDepthExceeded(depth, path) {
+    const pathStr = path.length > 0 ? ` at path: ${path.join(".")}` : "";
+    throw new import_core10.ParserError(
+      `WHERE clause nesting depth exceeds maximum of ${import_core11.MAX_LOGICAL_NESTING_DEPTH}${pathStr}`,
+      {
+        code: "MAX_DEPTH_EXCEEDED",
+        parser: "where",
+        location: (0, import_core10.buildErrorLocation)(["where", ...path], {
+          depth
+        }),
+        received: `Depth: ${depth}${pathStr}`,
+        expected: `Maximum depth: ${import_core11.MAX_LOGICAL_NESTING_DEPTH}`,
+        suggestion: "Simplify query structure or split into multiple requests",
+        context: {
+          operator: "nesting_depth",
+          currentPath: path.join("."),
+          depth
+        }
+      }
+    );
+  },
+  emptyLogicalOperator(operator, path) {
+    throw new import_core10.ParserError(
+      `Logical operator ${operator} requires at least one condition`,
+      {
+        code: "EMPTY_VALUE",
+        parser: "where",
+        location: (0, import_core10.buildErrorLocation)(["where", ...path]),
+        received: "empty array",
+        expected: "At least one condition",
+        suggestion: `Add at least one condition to ${operator} operator`,
+        context: {
+          operator
+        }
+      }
+    );
+  },
+  emptyArrayOperator(operator, path) {
+    throw new import_core10.ParserError(`Operator ${operator} requires a non-empty array`, {
+      code: "EMPTY_VALUE",
+      parser: "where",
+      location: (0, import_core10.buildErrorLocation)(["where", ...path]),
+      received: "empty array",
+      expected: "Non-empty array",
+      suggestion: `Provide at least one value for ${operator} operator`,
+      context: {
+        operator
+      }
+    });
+  },
+  invalidOperatorValue(operator, valueType, path, receivedValue) {
+    const valuePreview = receivedValue !== void 0 ? `: ${JSON.stringify(receivedValue).slice(0, 50)}` : "";
+    throw new import_core10.ParserError(
+      `Operator ${operator} requires array but received ${valueType}${valuePreview}`,
+      {
+        code: "INVALID_VALUE_TYPE",
+        parser: "where",
+        location: (0, import_core10.buildErrorLocation)(["where", ...path]),
+        received: `${valueType}${valuePreview}`,
+        expected: "array (e.g., [1, 2, 3])",
+        suggestion: `Use array format: where[field][${operator}][0]=value1&where[field][${operator}][1]=value2`,
+        context: {
+          operator,
+          receivedType: valueType
+        }
+      }
+    );
+  }
+};
+var populateError = {
+  invalidRelation(relation, path, context) {
+    throw new import_core10.ParserError(`Invalid relation name: ${relation}`, {
+      code: "INVALID_FIELD_NAME",
+      parser: "populate",
+      location: (0, import_core10.buildErrorLocation)(["populate", ...path], {
+        depth: context?.currentDepth
+      }),
+      received: relation,
+      expected: "Relation name must start with letter/underscore and contain only alphanumeric characters and underscores",
+      suggestion: "Use valid relation names (e.g., 'author', 'user_profile')",
+      context: {
+        relation,
+        ...context
+      }
+    });
+  },
+  maxDepthExceeded(depth, maxDepth, path, context) {
+    throw new import_core10.ParserError("Maximum populate depth exceeded", {
+      code: "MAX_DEPTH_EXCEEDED",
+      parser: "populate",
+      location: (0, import_core10.buildErrorLocation)(["populate", ...path], {
+        depth
+      }),
+      received: depth,
+      expected: `Maximum depth: ${maxDepth}`,
+      suggestion: "Reduce nesting level or increase maxPopulateDepth in parser options",
+      context: {
+        currentDepth: depth,
+        maxDepth,
+        relationPath: path.join("."),
+        ...context
+      }
+    });
+  },
+  emptyValue(path) {
+    throw new import_core10.ParserError("Populate value cannot be empty", {
+      code: "EMPTY_VALUE",
+      parser: "populate",
+      location: (0, import_core10.buildErrorLocation)(["populate", ...path]),
+      received: "empty string",
+      expected: "Relation name or wildcard (*)",
+      suggestion: "Provide a relation name or use * to populate all relations",
+      context: {}
+    });
+  },
+  invalidType(type, path) {
+    throw new import_core10.ParserError("Populate value must be a string or array", {
+      code: "INVALID_VALUE_TYPE",
+      parser: "populate",
+      location: (0, import_core10.buildErrorLocation)(["populate", ...path]),
+      received: type,
+      expected: "string or array",
+      suggestion: "Use a string (e.g., 'author') or array format",
+      context: {}
+    });
+  },
+  invalidFieldName(fieldName, path, context) {
+    const reasonDetail = context?.fieldValidationReason ? ` (Reason: ${context.fieldValidationReason})` : "";
+    throw new import_core10.ParserError(
+      `Invalid field name in populate: ${fieldName}${reasonDetail}`,
+      {
+        code: "INVALID_FIELD_NAME",
+        parser: "populate",
+        location: (0, import_core10.buildErrorLocation)(["populate", ...path]),
+        received: fieldName,
+        expected: "Field name must start with letter/underscore and contain only alphanumeric characters, underscores, and dots",
+        suggestion: "Use valid field names (e.g., 'name', 'user_id', 'profile.age')",
+        context: {
+          fieldName,
+          ...context
+        }
+      }
+    );
+  }
+};
+var fieldsError = {
+  invalidFieldNames(invalidFields, path, context) {
+    const reasonDetail = context?.validationReasons && context.validationReasons.length > 0 ? ` (Reasons: ${context.validationReasons.join(", ")})` : "";
+    throw new import_core10.ParserError(
+      `Invalid field names: ${invalidFields.join(", ")}${reasonDetail}`,
+      {
+        code: "INVALID_FIELD_NAME",
+        parser: "fields",
+        location: (0, import_core10.buildErrorLocation)(["fields", ...path]),
+        received: invalidFields,
+        expected: "Field names must start with letter/underscore and contain only alphanumeric characters, underscores, and dots",
+        suggestion: "Use valid field names (e.g., 'name', 'user_id', 'profile.age')",
+        context: {
+          invalidFields,
+          ...context
+        }
+      }
+    );
+  },
+  emptyValue(path) {
+    throw new import_core10.ParserError(
+      "Fields parameter is empty or contains only whitespace",
+      {
+        code: "EMPTY_VALUE",
+        parser: "fields",
+        location: (0, import_core10.buildErrorLocation)(["fields", ...path]),
+        received: "empty string",
+        expected: "Field name(s) or wildcard (*)",
+        suggestion: "Provide field names (e.g., 'name,email') or use * for all fields",
+        context: {}
+      }
+    );
+  },
+  suspiciousParams(params, path) {
+    throw new import_core10.ParserError(`Unknown fields parameters: ${params.join(", ")}`, {
+      code: "UNKNOWN_PARAMETER",
+      parser: "fields",
+      location: (0, import_core10.buildErrorLocation)(["fields", ...path]),
+      received: params,
+      expected: "fields or fields[N] format",
+      suggestion: "Use 'fields=name,email' or 'fields[0]=name&fields[1]=email' format",
+      context: {
+        suspiciousParams: params
+      }
+    });
+  },
+  invalidFormat(path) {
+    throw new import_core10.ParserError("Invalid fields format", {
+      code: "INVALID_SYNTAX",
+      parser: "fields",
+      location: (0, import_core10.buildErrorLocation)(["fields", ...path]),
+      received: "unknown format",
+      expected: "string or array",
+      suggestion: "Use 'fields=name,email' or 'fields[0]=name' format",
+      context: {}
+    });
+  }
+};
+var paginationError = {
+  invalidLimit(value, path, context) {
+    throw new import_core10.ParserError(`Invalid limit value: "${value}"`, {
+      code: "INVALID_PAGINATION",
+      parser: "pagination",
+      location: (0, import_core10.buildErrorLocation)(["pagination", ...path]),
+      received: value,
+      expected: "Positive integer",
+      suggestion: "Provide a positive integer for limit (e.g., limit=10)",
+      context: {
+        parameter: "limit",
+        ...context
+      }
+    });
+  },
+  invalidOffset(value, path, context) {
+    throw new import_core10.ParserError(`Invalid offset value: "${value}"`, {
+      code: "INVALID_PAGINATION",
+      parser: "pagination",
+      location: (0, import_core10.buildErrorLocation)(["pagination", ...path]),
+      received: value,
+      expected: "Non-negative integer",
+      suggestion: "Provide a non-negative integer for offset (e.g., offset=0)",
+      context: {
+        parameter: "offset",
+        ...context
+      }
+    });
+  },
+  invalidPage(value, path, context) {
+    throw new import_core10.ParserError(`Invalid page value: "${value}" (must be >= 1)`, {
+      code: "INVALID_PAGINATION",
+      parser: "pagination",
+      location: (0, import_core10.buildErrorLocation)(["pagination", ...path]),
+      received: value,
+      expected: "Integer >= 1",
+      suggestion: "Provide a positive integer for page (e.g., page=1)",
+      context: {
+        parameter: "page",
+        minValue: 1,
+        ...context
+      }
+    });
+  },
+  invalidPageSize(value, path, context) {
+    throw new import_core10.ParserError(`Invalid pageSize value: "${value}" (must be >= 1)`, {
+      code: "INVALID_PAGINATION",
+      parser: "pagination",
+      location: (0, import_core10.buildErrorLocation)(["pagination", ...path]),
+      received: value,
+      expected: "Integer >= 1",
+      suggestion: "Provide a positive integer for pageSize (e.g., pageSize=25)",
+      context: {
+        parameter: "pageSize",
+        minValue: 1,
+        ...context
+      }
+    });
+  },
+  maxPageSizeExceeded(value, max, path) {
+    throw new import_core10.ParserError(`Page size exceeds maximum (${max})`, {
+      code: "MAX_VALUE_VIOLATION",
+      parser: "pagination",
+      location: (0, import_core10.buildErrorLocation)(["pagination", ...path]),
+      received: value,
+      expected: `Maximum: ${max}`,
+      suggestion: `Reduce pageSize to ${max} or less`,
+      context: {
+        parameter: "pageSize",
+        maxValue: max
+      }
+    });
+  },
+  maxLimitExceeded(value, max, path) {
+    throw new import_core10.ParserError(`Limit exceeds maximum page size (${max})`, {
+      code: "MAX_VALUE_VIOLATION",
+      parser: "pagination",
+      location: (0, import_core10.buildErrorLocation)(["pagination", ...path]),
+      received: value,
+      expected: `Maximum: ${max}`,
+      suggestion: `Reduce limit to ${max} or less`,
+      context: {
+        parameter: "limit",
+        maxValue: max
+      }
+    });
+  },
+  maxPageNumberExceeded(value, max, path) {
+    throw new import_core10.ParserError(`Page number exceeds maximum (${max})`, {
+      code: "PAGE_OUT_OF_RANGE",
+      parser: "pagination",
+      location: (0, import_core10.buildErrorLocation)(["pagination", ...path]),
+      received: value,
+      expected: `Maximum: ${max}`,
+      suggestion: `Use page number ${max} or less`,
+      context: {
+        parameter: "page",
+        maxValue: max
+      }
+    });
+  }
+};
+var sortError = {
+  emptyValue(path) {
+    throw new import_core10.ParserError("Sort value cannot be empty", {
+      code: "EMPTY_VALUE",
+      parser: "sort",
+      location: (0, import_core10.buildErrorLocation)(["sort", ...path]),
+      received: "empty string",
+      expected: "Field name(s) with optional direction",
+      suggestion: "Provide field names (e.g., 'name' or '-createdAt' for descending)",
+      context: {}
+    });
+  },
+  invalidFieldName(field, path, context) {
+    const reasonDetail = context?.fieldValidationReason ? ` (Reason: ${context.fieldValidationReason})` : "";
+    throw new import_core10.ParserError(`Invalid sort field: ${field}${reasonDetail}`, {
+      code: "INVALID_FIELD_NAME",
+      parser: "sort",
+      location: (0, import_core10.buildErrorLocation)(["sort", ...path]),
+      received: field,
+      expected: "Field name must start with letter/underscore and contain only alphanumeric characters, underscores, and dots. Use '-' prefix for descending order.",
+      suggestion: "Use valid field names (e.g., 'name', '-createdAt', 'user.age')",
+      context: {
+        sortField: field,
+        parameter: "sort",
+        ...context
+      }
+    });
+  }
+};
+
+// src/parser/fields-parser.ts
+function parseFields(params) {
+  const suspiciousParams = Object.keys(params).filter(
+    (key) => key.startsWith("fields") && key !== "fields" && !key.match(/^fields\[\d+\]$/)
+    // Allow fields[0], fields[1], etc.
+  );
+  if (suspiciousParams.length > 0) {
+    fieldsError.suspiciousParams(suspiciousParams, []);
+  }
+  const arrayFields = extractArrayFields(params);
+  if (arrayFields.length > 0) {
+    return validateAndReturn(arrayFields);
+  }
+  const fieldsParam = params["fields"];
+  if (fieldsParam === void 0) {
+    return "*";
+  }
+  if (fieldsParam === "*") {
+    return "*";
+  }
+  if (typeof fieldsParam === "string") {
+    const fields = fieldsParam.split(",").map((f) => f.trim()).filter(Boolean);
+    if (fields.length === 0) {
+      fieldsError.emptyValue([]);
+    }
+    return validateAndReturn(fields);
+  }
+  if (Array.isArray(fieldsParam)) {
+    const fields = fieldsParam.map((f) => String(f).trim()).filter(Boolean);
+    if (fields.length === 0) {
+      fieldsError.emptyValue([]);
+    }
+    return validateAndReturn(fields);
+  }
+  fieldsError.invalidFormat([]);
+  return void 0;
+}
+function extractArrayFields(params) {
+  const fields = [];
+  for (const key in params) {
+    const match = key.match(/^fields\[(\d+)\]$/);
+    if (!match) continue;
+    const index = parseInt(match[1], 10);
+    if (index >= import_core12.MAX_ARRAY_INDEX) {
+      continue;
+    }
+    const value = params[key];
+    if (typeof value === "string") {
+      fields.push(value.trim());
+    } else if (Array.isArray(value)) {
+      fields.push(...value.map((v) => String(v).trim()));
+    }
+  }
+  return fields;
+}
+function validateAndReturn(fields) {
+  if (fields.length === 0) {
+    return "*";
+  }
+  const invalidFieldsWithReasons = [];
+  for (const field of fields) {
+    const validation = (0, import_core12.validateFieldName)(field);
+    if (!validation.valid) {
+      invalidFieldsWithReasons.push({ field, reason: validation.reason });
+    }
+  }
+  if (invalidFieldsWithReasons.length > 0) {
+    const invalidFields = invalidFieldsWithReasons.map((item) => item.field);
+    const reasons = invalidFieldsWithReasons.map((item) => item.reason);
+    fieldsError.invalidFieldNames(invalidFields, [], {
+      validationReasons: reasons
+    });
+  }
+  return fields;
+}
+
+// src/parser/where-parser.ts
+var import_core13 = require("@datrix/core");
+function parseWhere(params) {
+  const whereClause = {};
+  for (const [key, value] of Object.entries(params)) {
+    if (!key.startsWith("where[")) {
+      continue;
+    }
+    const parts = key.slice(5).split("]").filter((p) => p.startsWith("[")).map((p) => p.slice(1));
+    if (parts.length === 0) continue;
+    for (let i = 0; i < parts.length; i++) {
+      const part = parts[i];
+      if (part.startsWith("$")) {
+        if (!(0, import_core13.isValidWhereOperator)(part)) {
+          whereError.invalidOperator(part, parts.slice(0, i), {
+            operatorPath: key
+          });
+        }
+        if (i === 0 && !(0, import_core13.isLogicalOperator)(part)) {
+          whereError.invalidFieldName(part, [], {
+            fieldValidationReason: "INVALID_FORMAT"
+          });
+        }
+      } else if (/^\d+$/.test(part)) {
+        if (i === 0) {
+          whereError.arrayIndexAtStart(part, []);
+        }
+        const previousPart = parts[i - 1];
+        if (!["$or", "$and", "$in", "$nin"].includes(previousPart)) {
+          whereError.invalidArrayIndex(part, previousPart, parts.slice(0, i), {
+            previousOperator: previousPart,
+            operatorPath: key
+          });
+        }
+      } else {
+        const validation = (0, import_core13.validateFieldName)(part);
+        if (!validation.valid) {
+          whereError.invalidFieldName(part, parts.slice(0, i), {
+            fieldValidationReason: validation.reason
+          });
+        }
+      }
+    }
+    let current = whereClause;
+    const pathParts = [...parts];
+    for (let i = 0; i < pathParts.length; i++) {
+      const part = pathParts[i];
+      const isLast = i === pathParts.length - 1;
+      if (isLast) {
+        let operatorContext;
+        const isArrayIndex = /^\d+$/.test(part);
+        if (part.startsWith("$")) {
+          const expectedType = (0, import_core13.getOperatorValueType)(part);
+          if (expectedType === "string") {
+            operatorContext = part;
+          }
+        }
+        const parsedValue = parseValue(value, operatorContext);
+        if (part.startsWith("$") && !isArrayIndex) {
+          validateOperatorValue(part, parsedValue, pathParts);
+        }
+        current[part] = parsedValue;
+      } else {
+        if (current[part] === void 0) {
+          current[part] = {};
+        }
+        current = current[part];
+      }
+    }
+  }
+  const transformResult = transformToFinalWhere(whereClause);
+  const finalClause = transformResult;
+  if (Object.keys(finalClause).length === 0) {
+    return void 0;
+  }
+  validateNestingDepth(finalClause);
+  return finalClause;
+}
+function transformToFinalWhere(obj) {
+  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
+    return obj;
+  }
+  const typedObj = obj;
+  const result = {};
+  for (const [key, value] of Object.entries(typedObj)) {
+    const arrayOperators = ["$or", "$and", "$in", "$nin"];
+    if (arrayOperators.includes(key)) {
+      if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+        const valueObj = value;
+        const keys = Object.keys(valueObj);
+        const numericKeys = [];
+        for (const k of keys) {
+          const num = Number(k);
+          if (isNaN(num) || !Number.isInteger(num) || num < 0) {
+            whereError.invalidArrayIndexFormat(k, key, [key]);
+          }
+          numericKeys.push(num);
+        }
+        const sortedKeys = numericKeys.sort((a, b) => a - b);
+        if (sortedKeys.length > 0 && sortedKeys[0] !== 0) {
+          whereError.arrayIndexNotStartingFromZero(sortedKeys[0], key, [key]);
+        }
+        for (let i = 0; i < sortedKeys.length; i++) {
+          if (sortedKeys[i] !== i) {
+            whereError.arrayIndexNotConsecutive(i, key, [key], sortedKeys);
+          }
+        }
+        if (["$in", "$nin"].includes(key)) {
+          result[key] = sortedKeys.map((idx) => valueObj[String(idx)]);
+        } else {
+          const transformed = [];
+          for (const idx of sortedKeys) {
+            const transformResult = transformToFinalWhere(
+              valueObj[String(idx)]
+            );
+            transformed.push(transformResult);
+          }
+          result[key] = transformed;
+        }
+      } else {
+        const transformResult = transformToFinalWhere(value);
+        result[key] = transformResult;
+      }
+    } else {
+      const transformResult = transformToFinalWhere(value);
+      result[key] = transformResult;
+    }
+  }
+  return result;
+}
+function parseValue(value, operator) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (Array.isArray(value)) {
+    const parsed = [];
+    for (const v of value) {
+      if (typeof v === "string") {
+        const result = parseSingleValue(v, operator);
+        parsed.push(result);
+      } else {
+        parsed.push(v);
+      }
+    }
+    return parsed;
+  }
+  if (typeof value === "string") {
+    return parseSingleValue(value, operator);
+  }
+  return value;
+}
+function parseSingleValue(value, operator) {
+  const MAX_WHERE_VALUE_LENGTH2 = 1e3;
+  if (value.length > MAX_WHERE_VALUE_LENGTH2) {
+    whereError.maxValueLength(value.length, []);
+  }
+  if (operator) {
+    const expectedType = (0, import_core13.getOperatorValueType)(operator);
+    if (expectedType === "string") {
+      return value;
+    }
+  }
+  if (value === "null") {
+    return null;
+  }
+  if (value === "true") {
+    return true;
+  }
+  if (value === "false") {
+    return false;
+  }
+  return value;
+}
+function validateOperatorValue(operator, value, path) {
+  const expectedType = (0, import_core13.getOperatorValueType)(operator);
+  if (!expectedType) {
+    return;
+  }
+  if (expectedType === "array") {
+    if (!Array.isArray(value)) {
+      whereError.invalidOperatorValue(operator, typeof value, path, value);
+    }
+    if (value.length === 0) {
+      whereError.emptyArrayOperator(operator, path);
+    }
+  }
+}
+function validateNestingDepth(clause, depth = 0, path = []) {
+  const MAX_LOGICAL_NESTING_DEPTH2 = 10;
+  if (depth > MAX_LOGICAL_NESTING_DEPTH2) {
+    whereError.maxDepthExceeded(depth, path);
+  }
+  for (const [key, value] of Object.entries(clause)) {
+    if ((0, import_core13.isLogicalOperator)(key) && Array.isArray(value)) {
+      if (value.length === 0) {
+        whereError.emptyLogicalOperator(key, [...path, key]);
+      }
+      for (const condition of value) {
+        if (typeof condition === "object" && condition !== null) {
+          validateNestingDepth(condition, depth + 1, [
+            ...path,
+            key
+          ]);
+        }
+      }
+    } else if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+      validateNestingDepth(value, depth, [...path, key]);
+    }
+  }
+}
+
+// src/parser/populate-parser.ts
+var import_core14 = require("@datrix/core");
+var DEFAULT_MAX_DEPTH = 5;
+function parsePopulate(params, maxDepth = DEFAULT_MAX_DEPTH) {
+  if (maxDepth <= 0) {
+    populateError.maxDepthExceeded(maxDepth, maxDepth, ["config"], {
+      maxDepth
+    });
+  }
+  const populateClause = {};
+  const mainPopulate = params["populate"];
+  if (mainPopulate !== void 0) {
+    if (mainPopulate === "*") {
+      return "*";
+    }
+    if (mainPopulate === "true") {
+      return true;
+    }
+    if (typeof mainPopulate === "string") {
+      const trimmed = mainPopulate.trim();
+      if (trimmed === "") {
+        populateError.emptyValue([]);
+      }
+      const validation = (0, import_core14.validateFieldName)(trimmed);
+      if (!validation.valid) {
+        populateError.invalidRelation(trimmed, [trimmed], {
+          fieldValidationReason: validation.reason
+        });
+      }
+      populateClause[trimmed] = "*";
+    } else if (Array.isArray(mainPopulate)) {
+      for (const rel of mainPopulate) {
+        if (rel && typeof rel === "string") {
+          const trimmed = rel.trim();
+          const validation = (0, import_core14.validateFieldName)(trimmed);
+          if (!validation.valid) {
+            populateError.invalidRelation(trimmed, [trimmed], {
+              fieldValidationReason: validation.reason
+            });
+          }
+          populateClause[trimmed] = "*";
+        }
+      }
+    } else {
+      populateError.invalidType(typeof mainPopulate, []);
+    }
+  }
+  const populateParams = extractPopulateParams(params);
+  const indexedArrayRelations = [];
+  for (const [key, value] of Object.entries(params)) {
+    const indexMatch = key.match(/^populate\[(\d+)\]$/);
+    if (indexMatch && typeof value === "string") {
+      const index = Number(indexMatch[1]);
+      const relationName = value.trim();
+      const validation = (0, import_core14.validateFieldName)(relationName);
+      if (!validation.valid) {
+        populateError.invalidRelation(relationName, [relationName], {
+          fieldValidationReason: validation.reason
+        });
+      }
+      indexedArrayRelations[index] = relationName;
+    }
+  }
+  if (indexedArrayRelations.length > 0) {
+    return indexedArrayRelations.filter(
+      Boolean
+    );
+  }
+  for (const [relation, relationParams] of Object.entries(populateParams)) {
+    const parseResult = parseRelation(relation, relationParams, 1, maxDepth);
+    populateClause[relation] = parseResult;
+  }
+  if (Object.keys(populateClause).length === 0) {
+    return void 0;
+  }
+  return populateClause;
+}
+function extractPopulateParams(params) {
+  const relations = {};
+  for (const [key, value] of Object.entries(params)) {
+    if (!key.startsWith("populate[")) {
+      continue;
+    }
+    const parts = key.match(/populate\[([^\]]+)\](.*)$/);
+    if (!parts) {
+      continue;
+    }
+    const relation = parts[1];
+    const rest = parts[2];
+    if (!relation) {
+      continue;
+    }
+    if (relations[relation] === void 0) {
+      relations[relation] = {};
+    }
+    if (rest === "" && value === "*") {
+      relations[relation]["isWildcard"] = true;
+      continue;
+    }
+    if (rest !== void 0) {
+      parseRelationPath(relations[relation], rest, value);
+    }
+  }
+  return relations;
+}
+function parseRelationPath(relationData, path, value) {
+  if (path === "") {
+    return;
+  }
+  const match = path.match(/^\[([^\]]+)\](.*)$/);
+  if (!match) {
+    return;
+  }
+  const key = match[1];
+  const rest = match[2];
+  if (key === "fields") {
+    if (relationData["fields"] === void 0) {
+      relationData["fields"] = [];
+    }
+    const fieldsArray = Array.isArray(relationData["fields"]) ? relationData["fields"] : [];
+    if (rest === "") {
+      if (value === "*") {
+        relationData["fields"] = "*";
+      } else if (typeof value === "string") {
+        const fields = value.split(",").map((f) => f.trim());
+        for (const field of fields) {
+          const validation = (0, import_core14.validateFieldName)(field);
+          if (!validation.valid) {
+            populateError.invalidFieldName(field, ["fields"], {
+              fieldValidationReason: validation.reason
+            });
+          }
+        }
+        fieldsArray.push(...fields);
+      }
+    } else if (rest !== void 0) {
+      const indexMatch = rest.match(/^\[(\d+)\]$/);
+      if (indexMatch && typeof value === "string") {
+        const field = value.trim();
+        const validation = (0, import_core14.validateFieldName)(field);
+        if (!validation.valid) {
+          populateError.invalidFieldName(field, ["fields"], {
+            fieldValidationReason: validation.reason
+          });
+        }
+        fieldsArray.push(field);
+      }
+    }
+  } else if (key === "populate") {
+    if (relationData["populate"] === void 0) {
+      relationData["populate"] = {};
+    }
+    const populateObj = typeof relationData["populate"] === "object" && !Array.isArray(relationData["populate"]) ? relationData["populate"] : {};
+    relationData["populate"] = populateObj;
+    if (rest === "") {
+      if (value === "*") {
+        relationData["isWildcard"] = true;
+      } else if (typeof value === "string") {
+        const relations = value.split(",").map((r) => r.trim()).filter(Boolean);
+        for (const rel of relations) {
+          if (rel === "*") {
+            relationData["isWildcard"] = true;
+          } else if (populateObj[rel] === void 0) {
+            populateObj[rel] = { isWildcard: true };
+          }
+        }
+      }
+    } else if (rest !== void 0) {
+      const nestedMatch = rest.match(/^\[([^\]]+)\](.*)$/);
+      if (nestedMatch) {
+        const nestedRelation = nestedMatch[1];
+        const nestedRest = nestedMatch[2];
+        if (nestedRelation) {
+          if (populateObj[nestedRelation] === void 0) {
+            populateObj[nestedRelation] = {};
+          }
+          if (nestedRest === "" && value === "*") {
+            populateObj[nestedRelation]["isWildcard"] = true;
+          } else if (nestedRest !== void 0) {
+            parseRelationPath(populateObj[nestedRelation], nestedRest, value);
+          }
+        }
+      }
+    }
+  }
+}
+function parseRelation(relation, params, currentDepth, maxDepth, path = []) {
+  const validation = (0, import_core14.validateFieldName)(relation);
+  if (!validation.valid) {
+    populateError.invalidRelation(relation, [...path, relation], {
+      relationPath: [...path, relation].join("."),
+      fieldValidationReason: validation.reason
+    });
+  }
+  if (currentDepth > maxDepth) {
+    populateError.maxDepthExceeded(
+      currentDepth,
+      maxDepth,
+      [...path, relation],
+      {
+        relation,
+        relationPath: [...path, relation].join("."),
+        currentDepth,
+        nestedRelations: [...path, relation]
+      }
+    );
+  }
+  if (params.isWildcard) {
+    return "*";
+  }
+  const options = {};
+  if (params.fields !== void 0) {
+    if (typeof params.fields === "string" && params.fields === "*") {
+      options["select"] = "*";
+    } else if (Array.isArray(params.fields) && params.fields.length > 0) {
+      options["select"] = params.fields;
+    }
+  }
+  if (params.populate !== void 0) {
+    const nestedPopulate = {};
+    for (const [nestedRelation, nestedParams] of Object.entries(
+      params.populate
+    )) {
+      nestedPopulate[nestedRelation] = parseRelation(
+        nestedRelation,
+        nestedParams,
+        currentDepth + 1,
+        maxDepth,
+        [...path, relation]
+      );
+    }
+    if (Object.keys(nestedPopulate).length > 0) {
+      options["populate"] = nestedPopulate;
+    }
+  }
+  if (Object.keys(options).length === 0) {
+    return "*";
+  }
+  return options;
+}
+
+// src/parser/query-parser.ts
+var DEFAULT_OPTIONS = {
+  maxPageSize: 100,
+  defaultPageSize: 25,
+  maxPopulateDepth: 5,
+  allowedOperators: [],
+  strictMode: false
+};
+function parseQuery(params, options) {
+  const opts = {
+    ...DEFAULT_OPTIONS,
+    ...options
+  };
+  const fields = parseFields(params);
+  const where = parseWhere(params);
+  const populate = parsePopulate(params, opts.maxPopulateDepth);
+  const pagination = parsePagination(params, opts);
+  const sort = parseSort(params);
+  const unknownParams = detectUnknownParams(params);
+  if (unknownParams.length > 0) {
+    throw new import_core15.ParserError(
+      `Unknown query parameters: ${unknownParams.join(", ")}`,
+      {
+        code: "UNKNOWN_PARAMETER",
+        parser: "query",
+        location: (0, import_core15.buildErrorLocation)(unknownParams),
+        received: unknownParams,
+        expected: "Known parameters: fields, where, populate, page, pageSize, sort",
+        suggestion: "Check for typos. Common mistake: use 'where' instead of 'filters'."
+      }
+    );
+  }
+  const result = {
+    ...fields !== void 0 && fields !== "*" && { select: fields },
+    ...where !== void 0 && { where },
+    ...populate !== void 0 && { populate },
+    ...pagination !== void 0 && {
+      page: pagination.page ?? 1,
+      pageSize: pagination.pageSize ?? opts.defaultPageSize
+    },
+    ...sort !== void 0 && Array.isArray(sort) && sort.length > 0 && { orderBy: sort }
+  };
+  return result;
+}
+function parsePagination(params, options) {
+  const { page, pageSize } = params;
+  const parsedPage = page !== void 0 ? parseInt(String(page), 10) : 1;
+  const parsedPageSize = pageSize !== void 0 ? parseInt(String(pageSize), 10) : options.defaultPageSize;
+  const MAX_PAGE_NUMBER = 1e6;
+  if (isNaN(parsedPage) || parsedPage < 1) {
+    paginationError.invalidPage(page ?? "", ["page"]);
+  }
+  if (parsedPage > MAX_PAGE_NUMBER) {
+    paginationError.maxPageNumberExceeded(parsedPage, MAX_PAGE_NUMBER, [
+      "page"
+    ]);
+  }
+  if (isNaN(parsedPageSize) || parsedPageSize < 1) {
+    paginationError.invalidPageSize(pageSize ?? "", ["pageSize"]);
+  }
+  if (parsedPageSize > options.maxPageSize) {
+    paginationError.maxPageSizeExceeded(parsedPageSize, options.maxPageSize, [
+      "pageSize"
+    ]);
+  }
+  return {
+    page: parsedPage,
+    pageSize: parsedPageSize
+  };
+}
+function parseSort(params) {
+  const sortParam = params["sort"];
+  if (sortParam === void 0) {
+    return void 0;
+  }
+  if (typeof sortParam === "string" && sortParam.trim() === "") {
+    sortError.emptyValue([]);
+  }
+  const sorts = [];
+  const sortStrings = typeof sortParam === "string" ? sortParam.split(",").map((s) => s.trim()) : Array.isArray(sortParam) ? sortParam.map((s) => String(s).trim()) : [String(sortParam).trim()];
+  for (const sortStr of sortStrings) {
+    if (!sortStr) {
+      continue;
+    }
+    const isDescending = sortStr.startsWith("-");
+    const field = isDescending ? sortStr.slice(1) : sortStr;
+    if (!field) {
+      sortError.invalidFieldName(sortStr, [sortStr]);
+    }
+    const validation = (0, import_core16.validateFieldName)(field);
+    if (!validation.valid) {
+      sortError.invalidFieldName(sortStr, [sortStr], {
+        fieldValidationReason: validation.reason
+      });
+    }
+    const direction = isDescending ? "desc" : "asc";
+    sorts.push({ field, direction });
+  }
+  return sorts.length > 0 ? sorts : void 0;
+}
+var KNOWN_PARAM_PREFIXES = [
+  "fields",
+  "where",
+  "populate",
+  "page",
+  "pageSize",
+  "sort"
+];
+function detectUnknownParams(params) {
+  const unknownKeys = [];
+  for (const key of Object.keys(params)) {
+    const isKnown = KNOWN_PARAM_PREFIXES.some(
+      (prefix) => key === prefix || key.startsWith(`${prefix}[`)
+    );
+    if (!isKnown) {
+      unknownKeys.push(key);
+    }
+  }
+  return unknownKeys;
+}
+
+// src/middleware/context.ts
+function extractTableNameFromPath(pathname, prefix) {
+  const segments = pathname.split("/").filter(Boolean);
+  const prefixSegments = prefix.split("/").filter(Boolean);
+  const pathSegments = segments.slice(prefixSegments.length);
+  if (pathSegments.length === 0) {
+    return null;
+  }
+  return pathSegments[0] ?? null;
+}
+function extractIdFromPath(pathname, prefix) {
+  const segments = pathname.split("/").filter(Boolean);
+  const prefixSegments = prefix.split("/").filter(Boolean);
+  const pathSegments = segments.slice(prefixSegments.length);
+  if (pathSegments.length < 2) {
+    return null;
+  }
+  const val = parseInt(pathSegments[1], 10);
+  return isNaN(val) ? null : val;
+}
+var ContextBuildError = class extends Error {
+  parserError;
+  constructor(parserError) {
+    super(parserError.message);
+    this.name = "ContextBuildError";
+    this.parserError = parserError;
+  }
+};
+async function buildRequestContext(request, datrix, api, options = {}) {
+  const apiPrefix = options.apiPrefix ?? "/api";
+  const url = new URL(request.url);
+  const method = request.method;
+  const authEnabled = api.isAuthEnabled();
+  const tableName = extractTableNameFromPath(url.pathname, apiPrefix);
+  const modelName = tableName === "upload" && api.upload ? api.upload.getModelName() : datrix.getSchemas().findModelByTableName(tableName);
+  const schema = modelName ? datrix.getSchema(modelName) ?? null : null;
+  const action = methodToAction(method);
+  const id = extractIdFromPath(url.pathname, apiPrefix);
+  let user = null;
+  if (authEnabled && api.authManager) {
+    const authResult = await api.authManager.authenticate(request);
+    user = authResult?.user ?? null;
+  }
+  let query = null;
+  const queryParams = {};
+  url.searchParams.forEach((value, key) => {
+    const existing = queryParams[key];
+    if (existing !== void 0) {
+      if (Array.isArray(existing)) {
+        existing.push(value);
+      } else {
+        queryParams[key] = [existing, value];
+      }
+    } else {
+      queryParams[key] = value;
+    }
+  });
+  if (Object.keys(queryParams).length > 0) {
+    query = parseQuery(queryParams);
+  }
+  let body = null;
+  if (["POST", "PATCH", "PUT"].includes(method)) {
+    try {
+      const contentType = request.headers.get("content-type");
+      if (contentType?.includes("application/json")) {
+        body = await request.json();
+      }
+    } catch {
+    }
+  }
+  const headers = {};
+  request.headers.forEach((value, key) => {
+    headers[key] = value;
+  });
+  return {
+    schema,
+    action,
+    id,
+    method,
+    query,
+    body,
+    headers,
+    url,
+    request,
+    user,
+    datrix,
+    api,
+    authEnabled
+  };
+}
+
+// src/handler/unified.ts
+var import_core17 = require("@datrix/core");
+async function handleGet(ctx) {
+  const { datrix, schema, authEnabled } = ctx;
+  if (!schema) {
+    throw handlerError.schemaNotFound(ctx.url.pathname);
+  }
+  const { upload } = ctx.api;
+  if (ctx.id) {
+    const result = await datrix.findById(schema.name, ctx.id, {
+      select: ctx.query?.select,
+      populate: ctx.query?.populate
+    });
+    if (!result) {
+      throw handlerError.recordNotFound(schema.name, ctx.id);
+    }
+    if (authEnabled) {
+      const { data: filteredResult } = await filterFieldsForRead(
+        schema,
+        result,
+        ctx
+      );
+      const data2 = upload ? await upload.injectUrls(filteredResult) : filteredResult;
+      return jsonResponse({ data: data2 });
+    }
+    const data = upload ? await upload.injectUrls(result) : result;
+    return jsonResponse({ data });
+  } else {
+    const page = ctx.query?.page ?? 1;
+    const pageSize = ctx.query?.pageSize ?? 25;
+    const limit = pageSize;
+    const offset = (page - 1) * pageSize;
+    const result = await datrix.findMany(schema.name, {
+      where: ctx.query?.where,
+      select: ctx.query?.select,
+      populate: ctx.query?.populate,
+      orderBy: ctx.query?.orderBy,
+      limit,
+      offset
+    });
+    const total = await datrix.count(schema.name, ctx.query?.where);
+    const totalPages = Math.ceil(total / pageSize);
+    if (authEnabled) {
+      const filteredResults = await filterRecordsForRead(schema, result, ctx);
+      const data2 = upload ? await upload.injectUrls(filteredResults) : filteredResults;
+      const response2 = {
+        data: data2,
+        meta: { total, page, pageSize, totalPages }
+      };
+      return jsonResponse(response2);
+    }
+    const data = upload ? await upload.injectUrls(result) : result;
+    const response = {
+      data,
+      meta: { total, page, pageSize, totalPages }
+    };
+    return jsonResponse(response);
+  }
+}
+async function handlePost(ctx) {
+  const { datrix, schema, authEnabled, body, query } = ctx;
+  if (!schema) {
+    throw handlerError.schemaNotFound(ctx.url.pathname);
+  }
+  if (!body || typeof body !== "object" || Array.isArray(body)) {
+    throw handlerError.invalidBody();
+  }
+  if (authEnabled) {
+    const fieldCheck = await checkFieldsForWrite(schema, ctx);
+    if (!fieldCheck.allowed) {
+      throw handlerError.permissionDenied(
+        `Permission denied for fields: ${fieldCheck.deniedFields?.join(", ")}`,
+        { deniedFields: fieldCheck.deniedFields }
+      );
+    }
+  }
+  const { upload } = ctx.api;
+  const result = await datrix.create(schema.name, body, {
+    select: query?.select,
+    populate: query?.populate
+  });
+  if (authEnabled) {
+    const { data: filteredResult } = await filterFieldsForRead(
+      schema,
+      result,
+      ctx
+    );
+    const data2 = upload ? await upload.injectUrls(filteredResult) : filteredResult;
+    return jsonResponse({ data: data2 }, 201);
+  }
+  const data = upload ? await upload.injectUrls(result) : result;
+  return jsonResponse({ data }, 201);
+}
+async function handleUpdate(ctx) {
+  const { datrix, schema, authEnabled, body, id } = ctx;
+  if (!schema) {
+    throw handlerError.schemaNotFound(ctx.url.pathname);
+  }
+  if (!id) {
+    throw handlerError.missingId("update");
+  }
+  if (!body || typeof body !== "object" || Array.isArray(body)) {
+    throw handlerError.invalidBody();
+  }
+  const existingRecord = await datrix.findById(schema.name, id);
+  if (!existingRecord) {
+    throw handlerError.recordNotFound(schema.name, id);
+  }
+  if (authEnabled) {
+    const fieldCheck = await checkFieldsForWrite(schema, ctx);
+    if (!fieldCheck.allowed) {
+      throw handlerError.permissionDenied(
+        `Permission denied for fields: ${fieldCheck.deniedFields?.join(", ")}`,
+        { deniedFields: fieldCheck.deniedFields }
+      );
+    }
+  }
+  const result = await datrix.update(schema.name, id, body, {
+    select: ctx.query?.select,
+    populate: ctx.query?.populate
+  });
+  if (!result) {
+    throw handlerError.recordNotFound(schema.name, id);
+  }
+  const { upload } = ctx.api;
+  if (authEnabled) {
+    const { data: filteredResult } = await filterFieldsForRead(
+      schema,
+      result,
+      ctx
+    );
+    const data2 = upload ? await upload.injectUrls(filteredResult) : filteredResult;
+    return jsonResponse({ data: data2 });
+  }
+  const data = upload ? await upload.injectUrls(result) : result;
+  return jsonResponse({ data });
+}
+async function handleDelete(ctx) {
+  const { datrix, schema, id } = ctx;
+  if (!schema) {
+    throw handlerError.schemaNotFound(ctx.url.pathname);
+  }
+  if (!id) {
+    throw handlerError.missingId("delete");
+  }
+  const deleted = await datrix.delete(schema.name, id);
+  if (!deleted) {
+    throw handlerError.recordNotFound(schema.name, id);
+  }
+  return jsonResponse({ data: { id, deleted: true } });
+}
+async function handleCrudRequest(request, datrix, api, options) {
+  try {
+    const ctx = await buildRequestContext(request, datrix, api, options);
+    if (!ctx.schema) {
+      throw handlerError.modelNotSpecified();
+    }
+    if (api.excludeSchemas.includes(ctx.schema.name)) {
+      throw handlerError.schemaNotFound(ctx.url.pathname);
+    }
+    if (ctx.authEnabled) {
+      const permissionResult = await checkSchemaPermission(
+        ctx.schema,
+        ctx,
+        api.authDefaultPermission
+      );
+      if (!permissionResult.allowed) {
+        throw ctx.user ? handlerError.permissionDenied("Schema scope permission denied") : handlerError.unauthorized();
+      }
+    }
+    api.setUser(ctx.user);
+    switch (ctx.method) {
+      case "GET":
+        return await handleGet(ctx);
+      case "POST":
+        return await handlePost(ctx);
+      case "PATCH":
+      case "PUT":
+        return await handleUpdate(ctx);
+      case "DELETE":
+        return await handleDelete(ctx);
+      default: {
+        throw handlerError.methodNotAllowed(ctx.method);
+      }
+    }
+  } catch (error) {
+    if (error instanceof import_core17.DatrixValidationError || error instanceof import_core17.DatrixError) {
+      return datrixErrorResponse(error);
+    }
+    console.error("Unified Handler Error:", error);
+    const message = error instanceof Error ? error.message : "Internal server error";
+    return datrixErrorResponse(
+      handlerError.internalError(
+        message,
+        error instanceof Error ? error : void 0
+      )
+    );
+  }
+}
+
+// src/api.ts
+var ApiPlugin = class extends import_core18.BasePlugin {
+  name = "api";
+  version = "1.0.0";
+  authManager;
+  user = null;
+  datrixInstance;
+  get datrix() {
+    return this.datrixInstance;
+  }
+  get upload() {
+    return this.options.upload;
+  }
+  setUser(user) {
+    this.user = user;
+  }
+  get authConfig() {
+    return this.options.auth;
+  }
+  get apiConfig() {
+    return this.options;
+  }
+  get authSchemaName() {
+    return this.authConfig?.authSchemaName ?? "authentication";
+  }
+  get userSchemaName() {
+    return this.authConfig?.userSchema?.name ?? "user";
+  }
+  get userSchemaEmailField() {
+    return this.authConfig?.userSchema?.email ?? "email";
+  }
+  get authDefaultPermission() {
+    return this.authConfig?.defaultPermission;
+  }
+  get authDefaultRole() {
+    return this.authConfig?.defaultRole;
+  }
+  get excludeSchemas() {
+    return [
+      ...this.apiConfig.excludeSchemas ?? [],
+      "_datrix",
+      "_datrix_migrations"
+    ];
+  }
+  getTableName(schemaName) {
+    const schema = this.datrix.getSchema(schemaName);
+    return schema?.tableName || `${schemaName.toLowerCase()}s`;
+  }
+  async onCreateQueryContext(context) {
+    if (this.user) {
+      context.user = this.user;
+    }
+    return context;
+  }
+  async init(context) {
+    this.context = context;
+    if (!this.authConfig) {
+      return;
+    }
+    if (context.schemas.has("auth")) {
+      throw this.createError(
+        "Schema name 'auth' is reserved for API authentication routes",
+        "RESERVED_SCHEMA_NAME"
+      );
+    }
+    if (!context.schemas.has(this.userSchemaName)) {
+      throw this.createError(
+        `User schema '${this.userSchemaName}' not found. Create it before enabling auth.`,
+        "USER_SCHEMA_NOT_FOUND"
+      );
+    }
+    const userSchema = context.schemas.get(this.userSchemaName);
+    const emailField = this.userSchemaEmailField;
+    if (!userSchema?.fields[emailField]) {
+      throw this.createError(
+        `User schema must have an '${emailField}' field`,
+        "MISSING_EMAIL_FIELD"
+      );
+    }
+    if (this.authConfig.jwt) {
+      if (this.authConfig.jwt.secret.length < 32) {
+        throw this.createError(
+          "JWT secret must be at least 32 characters long for security",
+          "WEAK_JWT_SECRET"
+        );
+      }
+    }
+    this.authManager = new AuthManager(this.authConfig);
+  }
+  async destroy() {
+  }
+  async getSchemas() {
+    const schemas = [];
+    if (this.options.upload) {
+      const uploadSchemas = await this.options.upload.getSchemas();
+      schemas.push(...uploadSchemas);
+    }
+    if (!this.authConfig) {
+      return schemas;
+    }
+    const authSchema = (0, import_core19.defineSchema)({
+      name: this.authSchemaName,
+      fields: {
+        user: {
+          type: "relation",
+          required: true,
+          kind: "belongsTo",
+          model: this.userSchemaName
+        },
+        email: {
+          type: "string",
+          required: true
+        },
+        password: {
+          type: "string",
+          required: true
+        },
+        passwordSalt: {
+          type: "string",
+          required: true
+        },
+        role: {
+          type: "string",
+          required: true,
+          default: this.authDefaultRole ?? "user"
+        }
+      },
+      indexes: [
+        {
+          name: `${this.authSchemaName}_email_idx`,
+          fields: ["email"],
+          unique: true
+        },
+        {
+          name: `${this.authSchemaName}_userId_idx`,
+          fields: ["user"],
+          unique: true
+        }
+      ]
+    });
+    schemas.push(authSchema);
+    return schemas;
+  }
+  async onBeforeQuery(query, context) {
+    if (!this.authConfig) {
+      return query;
+    }
+    const userTable = this.getTableName(this.userSchemaName);
+    if (query.type === "insert" && query.table === userTable) {
+      context.metadata["api:createAuth"] = true;
+      context.metadata["api:userData"] = query.data[0];
+    }
+    if (query.type === "update" && query.table === userTable) {
+      const data = query.data;
+      const emailField = this.userSchemaEmailField;
+      if (data && emailField in data) {
+        context.metadata["api:syncEmail"] = query.data[emailField];
+        context.metadata["api:userId"] = query.where?.["id"];
+      }
+    }
+    return query;
+  }
+  async onAfterQuery(result, context) {
+    if (!this.authConfig) {
+      return result;
+    }
+    const pluginContext = this.getContext();
+    if (context.metadata["api:createAuth"]) {
+      const { id: userId } = Array.isArray(result) ? result[0] : result;
+      if (typeof userId === "number") {
+        const user = {
+          ...context.metadata["api:userData"],
+          userId
+        };
+        await this.createAuthenticationRecord(user, pluginContext);
+      }
+    }
+    if (context.metadata["api:syncEmail"] && context.metadata["api:userId"]) {
+      const newEmail = context.metadata["api:syncEmail"];
+      const userId = context.metadata["api:userId"];
+      await this.syncAuthenticationEmail(userId, newEmail, pluginContext);
+    }
+    return result;
+  }
+  async createAuthenticationRecord(_user, _context) {
+    const emailField = this.userSchemaEmailField;
+    const user = _user;
+    const authData = {
+      user: user["userId"],
+      email: user[emailField],
+      password: user["password"] || "",
+      passwordSalt: user["passwordSalt"] || "",
+      role: user["role"] || this.authConfig?.defaultRole || "user"
+    };
+    await this.datrixInstance.raw.create(this.authSchemaName, authData);
+  }
+  async syncAuthenticationEmail(userId, newEmail, _context) {
+    await this.datrix.raw.updateMany(
+      this.authSchemaName,
+      { user: { id: { $eq: userId } } },
+      { email: newEmail }
+    );
+  }
+  /**
+   * Handle HTTP request
+   *
+   * Main entry point for all API requests.
+   * Routes to auth handlers or CRUD handlers.
+   */
+  async handleRequest(request, datrix) {
+    if (!this.isInitialized()) {
+      return datrixErrorResponse(
+        handlerError.internalError("API plugin not initialized")
+      );
+    }
+    this.datrixInstance = datrix;
+    const url = new URL(request.url);
+    const prefix = this.apiConfig.prefix ?? "/api";
+    if (!url.pathname.startsWith(prefix)) {
+      return datrixErrorResponse(
+        handlerError.internalError("Invalid API prefix")
+      );
+    }
+    const pathAfterPrefix = url.pathname.slice(prefix.length);
+    const segments = pathAfterPrefix.split("/").filter(Boolean);
+    const model = segments[0];
+    if (this.authConfig && this.isAuthPath(pathAfterPrefix)) {
+      return this.handleAuthRequest(request, datrix);
+    }
+    if (model === "upload" && this.apiConfig.upload && request.method !== "GET") {
+      return this.apiConfig.upload.handleRequest(request, datrix);
+    }
+    return handleCrudRequest(request, datrix, this, {
+      apiPrefix: prefix
+    });
+  }
+  isAuthPath(pathname) {
+    const e = this.authConfig?.endpoints;
+    const d = import_core20.DEFAULT_API_AUTH_CONFIG.endpoints;
+    const login = e?.login ?? d.login;
+    const register = e?.register ?? d.register;
+    const logout = e?.logout ?? d.logout;
+    const me = e?.me ?? d.me;
+    const authPrefix = [login, register, logout, me].map((p) => p.split("/")[1]).find(Boolean) ?? "auth";
+    return pathname.startsWith(`/${authPrefix}/`) || pathname === `/${authPrefix}`;
+  }
+  /**
+   * Handle authentication requests
+   */
+  async handleAuthRequest(request, datrix) {
+    if (!this.authManager) {
+      return datrixErrorResponse(
+        handlerError.internalError("Authentication not configured")
+      );
+    }
+    const handler = createUnifiedAuthHandler(
+      {
+        datrix,
+        authManager: this.authManager,
+        authConfig: this.authConfig
+      },
+      this.apiConfig.prefix ?? "/api"
+    );
+    return handler(request);
+  }
+  /**
+   * Check if API is enabled
+   */
+  isEnabled() {
+    return !(this.apiConfig.disabled ?? false);
+  }
+  /**
+   * Check if authentication is enabled
+   */
+  isAuthEnabled() {
+    return this.authConfig !== void 0;
+  }
+  /**
+   * Get auth manager (for external use)
+   */
+  getAuthManager() {
+    return this.authManager;
+  }
+};
+
+// src/helper/index.ts
+var import_core21 = require("@datrix/core");
+async function handleRequest(datrix, request) {
+  try {
+    const api = datrix.getPlugin("api");
+    if (!api || !(api instanceof ApiPlugin)) {
+      const errRes = handlerError.internalError(
+        'API is not configured in datrix.config.ts. Add "api: new DatrixApi({ ... })" to your configuration.'
+      );
+      return datrixErrorResponse(errRes);
+    }
+    if (!api.isEnabled()) {
+      const errRes = handlerError.internalError(
+        'API is disabled. Remove "disabled: true" from ApiPlugin configuration.'
+      );
+      return datrixErrorResponse(errRes);
+    }
+    return await api.handleRequest(request, datrix);
+  } catch (error) {
+    if (error instanceof import_core21.DatrixError) {
+      return datrixErrorResponse(error);
+    }
+    console.error("[Datrix API] Unexpected error:", error);
+    const message = error instanceof Error ? error.message : "Internal server error";
+    const errRes = handlerError.internalError(
+      message,
+      error instanceof Error ? error : void 0
+    );
+    return datrixErrorResponse(errRes);
+  }
+}
+
+// src/middleware/auth.ts
+async function authenticate(request, authManager) {
+  if (!authManager) {
+    return null;
+  }
+  const authContext = await authManager.authenticate(request);
+  if (!authContext || !authContext.user) {
+    return null;
+  }
+  return authContext.user;
+}
+
+// src/serializer/query.ts
+function queryToParams(query) {
+  if (!query) return "";
+  const serialized = serializeQuery(query);
+  const parts = [];
+  Object.entries(serialized).forEach(([key, value]) => {
+    if (Array.isArray(value)) {
+      value.forEach((v) => {
+        parts.push(`${key}=${encodeURIComponent(String(v))}`);
+      });
+    } else if (value !== void 0) {
+      parts.push(`${key}=${encodeURIComponent(String(value))}`);
+    }
+  });
+  return parts.join("&");
+}
+function serializeQuery(query) {
+  const params = {};
+  const validKeys = [
+    "select",
+    "where",
+    "populate",
+    "orderBy",
+    "page",
+    "pageSize"
+  ];
+  const queryKeys = Object.keys(query);
+  const unknownKeys = queryKeys.filter((key) => !validKeys.includes(key));
+  if (unknownKeys.length > 0) {
+    throw new Error(
+      `Unknown query keys: ${unknownKeys.join(", ")}. Valid keys are: ${validKeys.join(", ")}`
+    );
+  }
+  if (query.select) {
+    if (query.select === "*") {
+      params["fields"] = "*";
+    } else if (Array.isArray(query.select)) {
+      params["fields"] = query.select.join(",");
+    }
+  }
+  if (query.where) {
+    serializeWhere(query.where, "where", params);
+  }
+  if (query.populate) {
+    serializePopulate(query.populate, "populate", params);
+  }
+  if (query.orderBy) {
+    if (typeof query.orderBy === "string") {
+      params["sort"] = query.orderBy;
+    } else if (Array.isArray(query.orderBy)) {
+      const sortStrings = query.orderBy.map((item) => {
+        if (typeof item === "string") {
+          return item;
+        } else {
+          return item.direction === "desc" ? `-${item.field}` : item.field;
+        }
+      });
+      if (sortStrings.length > 0) {
+        params["sort"] = sortStrings.join(",");
+      }
+    }
+  }
+  if (query.page !== void 0) params["page"] = String(query.page);
+  if (query.pageSize !== void 0) params["pageSize"] = String(query.pageSize);
+  return params;
+}
+function serializeWhere(where, prefix, params) {
+  if (where === null || typeof where !== "object") {
+    params[prefix] = String(where);
+    return;
+  }
+  for (const [key, value] of Object.entries(where)) {
+    const newPrefix = `${prefix}[${key}]`;
+    if (Array.isArray(value)) {
+      if (["$or", "$and", "$not"].includes(key)) {
+        value.forEach((item, index) => {
+          serializeWhere(item, `${newPrefix}[${index}]`, params);
+        });
+      } else {
+        value.forEach((item, index) => {
+          params[`${newPrefix}[${index}]`] = String(item);
+        });
+      }
+    } else if (value !== null && typeof value === "object") {
+      serializeWhere(value, newPrefix, params);
+    } else {
+      params[newPrefix] = String(value);
+    }
+  }
+}
+function serializePopulate(populate, prefix, params) {
+  if (populate === "*") {
+    params[prefix] = "*";
+    return;
+  }
+  if (populate === "true") {
+    params[prefix] = true;
+    return;
+  }
+  if (populate === true) {
+    params[prefix] = true;
+    return;
+  }
+  if (Array.isArray(populate)) {
+    populate.forEach((relation, index) => {
+      params[`${prefix}[${index}]`] = String(relation);
+    });
+    return;
+  }
+  if (typeof populate !== "object") return;
+  for (const [relation, options] of Object.entries(populate)) {
+    const relPrefix = `${prefix}[${relation}]`;
+    if (options === "*" || options === true) {
+      params[relPrefix] = options;
+    } else if (typeof options === "object") {
+      const opts = options;
+      if (opts.select) {
+        if (opts.select === "*") {
+          params[`${relPrefix}[fields]`] = "*";
+        } else if (Array.isArray(opts.select)) {
+          opts.select.forEach((field, index) => {
+            params[`${relPrefix}[fields][${index}]`] = field;
+          });
+        }
+      }
+      if (opts.populate) {
+        serializePopulate(opts.populate, `${relPrefix}[populate]`, params);
+      }
+    }
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ApiPlugin,
+  ContextBuildError,
+  DatrixApiError,
+  MemorySessionStore,
+  authenticate,
+  buildRequestContext,
+  checkFieldsForWrite,
+  checkSchemaPermission,
+  createAuthHandlers,
+  createUnifiedAuthHandler,
+  datrixErrorResponse,
+  evaluatePermissionValue,
+  filterFieldsForRead,
+  filterRecordsForRead,
+  handleCrudRequest,
+  handleRequest,
+  handlerError,
+  jsonResponse,
+  methodToAction,
+  parseFields,
+  parsePopulate,
+  parseQuery,
+  parseWhere,
+  queryToParams,
+  serializeQuery
+});
+//# sourceMappingURL=index.js.map