@dyrected/core 2.0.0 → 2.4.0

package/dist/index.cjs

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,16 +17,28 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  createDyrectedApp: () => createDyrectedApp,
   defineCollection: () => defineCollection,
   defineConfig: () => defineConfig,
   defineGlobal: () => defineGlobal,
   generateAIPrompt: () => generateAIPrompt,
-  normalizeConfig: () => normalizeConfig
+  generateFreshSetupPrompt: () => generateFreshSetupPrompt,
+  normalizeConfig: () => normalizeConfig,
+  parseMongoWhere: () => parseMongoWhere,
+  parseSqlWhere: () => parseSqlWhere
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -36,41 +50,75 @@ function buildEnvironmentSection(frameworkLabel, isSelfHosted, config) {
 \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
 1. ENVIRONMENT
 \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
-- Framework : ${frameworkLabel}
+- Framework : ${frameworkLabel || "Detect it"}
 - Host Type : ${isSelfHosted ? "Self-Hosted (Local/Private Server)" : "Managed (Dyrected Cloud)"}
 - API Base  : ${config.baseUrl || "http://localhost:3000"}
 ${credentialLines}`;
 }
-function buildDiagnosticSection(existingSite) {
-  if (existingSite) {
-    return `
+function buildDiagnosticSection() {
+  return `
 \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
-2. PHASE 0 \u2014 DIAGNOSTIC (EXISTING SITE)
+2. PHASE 0 \u2014 DISCOVERY
 \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
-Before writing any code, scan the existing codebase and report:
-- All hardcoded text strings that should be CMS-managed
-- All repeated data structures that should become collections
-- All static pages that marketing will want to edit independently
-- Any existing fetch or API calls that overlap with Dyrected
+Before writing any code, you MUST ask the user these questions.
+Write them exactly as shown below \u2014 in plain language with examples.
+Wait for the user to answer ALL of them before proceeding.
 
-Then propose a backup plan: extract all current content into a
-migration/ folder as structured .md or .json files BEFORE
-modifying any code.
+\u2500\u2500\u2500 QUESTION 1 \u2500\u2500\u2500
+Ask:
+"Do you already have a website built, or are we starting fresh?
 
-Do NOT write any implementation code until you have reported
-your findings and the user has confirmed the content plan.`;
-  }
-  return `
-\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
-2. PHASE 0 \u2014 DISCOVERY (NEW SITE)
-\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
-This is a new project. Before designing the content model, ask:
-- "What are your core content types? (e.g. Services, Team, Blog, Projects)"
-- "Which pages should marketing manage independently with blocks?"
-- "Are there any pages that must remain static and never become CMS-managed?"
-- "What is the primary goal of the site \u2014 marketing, e-commerce, portfolio, SaaS?"
+  \u2192 Already built: share your project or describe what pages you have
+    (e.g. Home, About, Services, Contact)
+  \u2192 Starting fresh: just say 'new site' and describe what the site is for"
+
+\u2500\u2500\u2500 QUESTION 2 \u2500\u2500\u2500
+Ask:
+"What kind of content will your client need to update regularly?
+
+  Here are some examples to help you think:
+  \u2192 Blog posts or news articles
+  \u2192 Team member profiles (name, photo, bio)
+  \u2192 Services or product descriptions
+  \u2192 Testimonials or reviews
+  \u2192 Event listings
+  \u2192 FAQs
+  \u2192 Homepage text (headline, hero image, call-to-action button)
+
+  Just list the ones that apply. You can say things like:
+  'They need to update blog posts and team members'"
+
+\u2500\u2500\u2500 QUESTION 3 \u2500\u2500\u2500
+Ask:
+"Are there any pages on the site that should NEVER change \u2014 like a
+  custom-coded page you want to leave exactly as it is?
 
-Do NOT write any code until the user has answered these questions.`;
+  Example answer: 'The homepage has a custom animation, leave that alone.
+  Everything else can be managed from the CMS.'
+
+  If everything should be manageable, just say 'all pages'"
+
+\u2500\u2500\u2500 QUESTION 4 \u2500\u2500\u2500
+Ask:
+"What is this website for? Pick the closest description:
+
+  A) A business or agency marketing site (show services, get leads)
+  B) A blog or content site (publish articles regularly)
+  C) A SaaS or product site (landing page, pricing, features)
+  D) A portfolio (show work, case studies)
+  E) An e-commerce or product catalogue
+  F) Something else \u2014 describe it in one sentence"
+
+\u2500\u2500\u2500 IF EXISTING SITE \u2500\u2500\u2500
+If the user confirms they have an existing site, also:
+- Scan the codebase for all hardcoded text that should be CMS-managed
+- Identify repeated data structures that should become collections
+- Propose saving current content to a migration/ folder as .json files
+  BEFORE touching any code
+- Report your findings to the user and get confirmation before proceeding
+
+Do NOT write any implementation code until all questions are answered
+and the user has confirmed the content plan.`;
 }
 function buildConstraintsSection() {
   return `
@@ -90,7 +138,10 @@ function buildConstraintsSection() {
 - RESILIENCE         : If Dyrected backend is unreachable, fall back to
                        initialData and show stale content \u2014 never an error page.
                        All relationship fields must handle null gracefully.
-                       Every block renderer must have a default fallback case.`;
+                       Every block renderer must have a default fallback case.
+- AUTO-SEEDING        : Use initialData: [...] in CollectionConfig or GlobalConfig
+                        to automatically populate the database on first run.
+                        This is great for demo content or default settings.`;
 }
 function buildSchemaRulesSection() {
   return `
@@ -99,8 +150,10 @@ function buildSchemaRulesSection() {
 \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
 - Never drop existing fields from the schema. Mark unused fields as deprecated only.
 - All new fields must have a defaultValue.
-- Never rename a field slug \u2014 add a new field and migrate data separately.
-- Run npx @dyrected/cli sync:schema after every config change.`;
+- Use renameTo: 'oldName' to lazily migrate data when renaming fields.
+- Use promoted: true for fields that need high-performance SQL indexing or unique constraints.
+- For Cloud deployments, run npx @dyrected/cli sync:schema after every config change. Self-hosted deployments sync automatically on startup.
+`;
 }
 function buildDoNotSection() {
   return `
@@ -111,7 +164,7 @@ function buildDoNotSection() {
 - Do NOT add custom auth middleware to the admin route.
   Dyrected handles admin authentication internally. Do not wrap,
   protect, or redirect the admin route yourself.
-- Do NOT use renderAdminUI in a Nuxt project. Use the DyrectedAdmin
+- Do NOT use renderAdminUI in a Nuxt.js project. Use the DyrectedAdmin
   component which is auto-imported by @dyrected/nuxt.
 - Do NOT modify or overwrite existing pages without first preserving their data.
 - Do NOT drop, rename, or remove fields from an existing schema.
@@ -126,24 +179,29 @@ function buildTechnicalReferenceSection() {
 Use defineCollection, defineGlobal, and defineConfig from '@dyrected/core'.
 
 FIELD TYPES:
-- Primitive  : text | textarea | richText | number | boolean | date | email | url | json
+- Primitive  : text | textarea | richText | number | boolean | date | email | url | json | image
 - Choice     : select | multiSelect           (requires options: [{ label, value }])
 - Structural : array | object                 (requires nested fields: [...])
-- Relation   : relationship                   (requires collection: '<slug>')
+- Relation   : relationship                   (requires relationTo: '<slug>')
 - Media      : relationship to an upload collection (e.g. 'media')
 - Blocks     : blocks                         (requires blocks: [{ slug, labels, fields }])
 
 COLLECTION OPTIONS:
 - upload: true       \u2014 media library with file upload support
 - auth: true         \u2014 adds login/me endpoints; password field is auto-managed
+- audit: true        \u2014 enables activity logging
 - admin.useAsTitle   \u2014 field used as display title in admin list view
 - admin.group        \u2014 groups collection under a sidebar heading
 - admin.hidden       \u2014 hides collection from the sidebar (internal/system use)
 
 FIELD OPTIONS:
+- label              \u2014 user-friendly display name (REQUIRED for all fields)
 - required           \u2014 validation
 - unique             \u2014 database-level uniqueness constraint
+- hasMany            \u2014 allow multiple values (for relationship, select, image)
 - defaultValue       \u2014 fallback value (required on all new fields added to existing schemas)
+- promoted           \u2014 extracts field to a real SQL column for native indexing (SQL adapters only)
+- renameTo           \u2014 name of the old field key to migrate data from (lazy migration)
 - admin.condition    \u2014 Jexl expression string to conditionally show/hide field
                        e.g. "status == \\"published\\""
 - admin.readOnly     \u2014 display only, not editable
@@ -164,14 +222,13 @@ Always include a default case in your switch for unknown block types.
 COMPLETE SCHEMA EXAMPLE:
 \`\`\`ts
 import { defineCollection, defineGlobal, defineConfig } from '@dyrected/core'
-import { MongoAdapter } from '@dyrected/db-mongodb'
-import { S3StorageAdapter } from '@dyrected/storage-s3'
+import { SqliteAdapter } from '@dyrected/db-sqlite'
 
 const media = defineCollection({
   slug: 'media',
   upload: true,
   fields: [
-    { name: 'alt', type: 'text', label: 'Alt Text' },
+    { name: 'alt', label: 'Alt Text', type: 'text' },
   ],
 })
 
@@ -179,44 +236,45 @@ const pages = defineCollection({
   slug: 'pages',
   admin: { useAsTitle: 'title', group: 'Content' },
   fields: [
-    { name: 'title', type: 'text', required: true },
-    { name: 'slug',  type: 'text', required: true, unique: true },
-    { name: 'seo', type: 'object', fields: [
-      { name: 'metaTitle',       type: 'text' },
-      { name: 'metaDescription', type: 'textarea' },
-      { name: 'ogImage',         type: 'relationship', collection: 'media' },
+    { name: 'title', label: 'Title', type: 'text', required: true },
+    { name: 'slug',  label: 'URL Slug', type: 'text', required: true, unique: true },
+    { name: 'seo', label: 'SEO Metadata', type: 'object', fields: [
+      { name: 'metaTitle',       label: 'Meta Title',       type: 'text' },
+      { name: 'metaDescription', label: 'Meta Description', type: 'textarea' },
+      { name: 'ogImage',         label: 'OG Image',         type: 'relationship', relationTo: 'media' },
     ]},
     {
       name: 'layout',
+      label: 'Page Layout',
       type: 'blocks',
       blocks: [
         {
           slug: 'hero',
           labels: { singular: 'Hero', plural: 'Heroes' },
           fields: [
-            { name: 'heading',    type: 'text',         required: true },
-            { name: 'subheading', type: 'textarea' },
-            { name: 'image',      type: 'relationship', collection: 'media' },
-            { name: 'ctaLabel',   type: 'text' },
-            { name: 'ctaLink',    type: 'url' },
+            { name: 'heading',    label: 'Heading',    type: 'text',         required: true },
+            { name: 'subheading', label: 'Subheading', type: 'textarea' },
+            { name: 'image',      label: 'Hero Image', type: 'relationship', relationTo: 'media' },
+            { name: 'ctaLabel',   label: 'Button Label', type: 'text' },
+            { name: 'ctaLink',    label: 'Button Link',  type: 'url' },
           ],
         },
         {
           slug: 'richContent',
           labels: { singular: 'Rich Content', plural: 'Rich Content Blocks' },
           fields: [
-            { name: 'content', type: 'richText', required: true },
+            { name: 'content', label: 'Content', type: 'richText', required: true },
           ],
         },
         {
           slug: 'callToAction',
           labels: { singular: 'Call to Action', plural: 'Calls to Action' },
           fields: [
-            { name: 'heading',     type: 'text', required: true },
-            { name: 'description', type: 'textarea' },
-            { name: 'buttonLabel', type: 'text' },
-            { name: 'buttonLink',  type: 'url' },
-            { name: 'theme', type: 'select', options: [
+            { name: 'heading',     label: 'Heading',     type: 'text', required: true },
+            { name: 'description', label: 'Description', type: 'textarea' },
+            { name: 'buttonLabel', label: 'Button Text', type: 'text' },
+            { name: 'buttonLink',  label: 'Button Link',  type: 'url' },
+            { name: 'theme', label: 'Theme', type: 'select', options: [
               { label: 'Primary',   value: 'primary' },
               { label: 'Secondary', value: 'secondary' },
               { label: 'Dark',      value: 'dark' },
@@ -232,28 +290,18 @@ const settings = defineGlobal({
   slug: 'settings',
   label: 'Site Settings',
   fields: [
-    { name: 'siteName',   type: 'text' },
-    { name: 'tagline',    type: 'text' },
-    { name: 'logo',       type: 'relationship', collection: 'media' },
-    { name: 'footerText', type: 'textarea' },
+    { name: 'siteName',   label: 'Site Name',    type: 'text' },
+    { name: 'tagline',    label: 'Site Tagline', type: 'text' },
+    { name: 'logo',       label: 'Site Logo',    type: 'relationship', relationTo: 'media' },
+    { name: 'footerText', label: 'Footer Text',  type: 'textarea' },
   ],
 })
 
 export default defineConfig({
   collections: [media, pages],
-  globals: [settings],
-  db: new MongoAdapter({
-    url: process.env.DATABASE_URL!,
-    dbName: 'dyrected_cms',
-  }),
-  storage: new S3StorageAdapter({
-    bucket: process.env.S3_BUCKET!,
-    region: process.env.S3_REGION!,
-    credentials: {
-      accessKeyId: process.env.S3_ACCESS_KEY_ID!,
-      secretAccessKey: process.env.S3_SECRET_ACCESS_KEY!,
-    },
-  }),
+  globals:     [settings],
+  // Use SqliteAdapter for local, PostgresAdapter or MySqlAdapter for production
+  db: new SqliteAdapter({ filename: './dyrected.db' }),
 })
 \`\`\``;
 }
@@ -272,7 +320,8 @@ Return your response in exactly this order. Do not combine steps. Do not skip st
 6. Migration/fallback strategy \u2014 numbered steps
 7. Schema sync command
 
-API Reference: https://docs.dyrected.com`;
+API Reference: https://docs.dyrected.com
+If you are unsure about any syntax or property, refer to the documentation above.`;
 }
 function buildFrameworkSection(activeTab, isSelfHosted, config) {
   const envPrefix = activeTab === "next" ? "NEXT_PUBLIC_" : activeTab === "nuxt" ? "NUXT_PUBLIC_" : "";
@@ -294,14 +343,14 @@ export const dyrected = createClient({
 })
 \`\`\`
 
-2. Admin Route (app/admin/[[...slug]]/page.tsx):
+2. Admin Route (app/cms/page.tsx):
 \`\`\`tsx
 import { DyrectedAdmin } from '@dyrected/next/admin'
 
 export default function AdminPage() {
   // DyrectedAdmin handles routing, auth, and CSS automatically.
   // Do NOT wrap this in custom auth middleware.
-  return <DyrectedAdmin basename="/admin" />
+  return <DyrectedAdmin basename="/cms" />
 }
 \`\`\`
 
@@ -326,9 +375,9 @@ export default async function CmsPage({ params }: { params: { slug: string[] } }
 \`\`\``,
     nuxt: `
 \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
-8. IMPLEMENTATION \u2014 Nuxt
+8. IMPLEMENTATION \u2014 Nuxt.js
 \u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
-1. Nuxt Config (nuxt.config.ts):
+1. Nuxt.js Config (nuxt.config.ts):
 \`\`\`ts
 export default defineNuxtConfig({
   modules: ['@dyrected/nuxt'],
@@ -340,7 +389,7 @@ export default defineNuxtConfig({
 })
 \`\`\`
 
-2. Admin Route (pages/admin.vue):
+2. Admin Route (pages/cms/index.vue):
 \`\`\`vue
 <script setup lang="ts">
 // DyrectedAdmin is auto-imported by @dyrected/nuxt.
@@ -352,7 +401,7 @@ definePageMeta({ layout: false })
 
 <template>
   <ClientOnly>
-    <DyrectedAdmin basename="/admin" />
+    <DyrectedAdmin basename="/cms" />
   </ClientOnly>
 </template>
 \`\`\`
@@ -399,7 +448,7 @@ export const dyrected = createClient({
 })
 \`\`\`
 
-2. Admin Route (pages/admin.tsx):
+2. Admin Route (pages/cms.tsx):
 \`\`\`tsx
 import { AdminUI } from '@dyrected/admin'
 import '@dyrected/admin/styles'
@@ -431,7 +480,7 @@ export const dyrected = createClient({
 })
 \`\`\`
 
-2. Admin Route (pages/admin.vue):
+2. Admin Route (pages/cms.vue):
 \`\`\`vue
 <template>
   <div ref="container" style="height: 100vh" />
@@ -459,14 +508,350 @@ onUnmounted(() => cleanup?.())
   };
   return sections[activeTab] || sections.next;
 }
+function generateFreshSetupPrompt(activeTab, config) {
+  const frameworkLabel = activeTab === "next" ? "Next.js" : activeTab === "nuxt" ? "Nuxt.js" : activeTab ? activeTab.charAt(0).toUpperCase() + activeTab.slice(1) : "the project's detected framework";
+  const isSelfHosted = config.isSelfHosted === true || !config.apiKey && !config.siteId;
+  const frameworkSetup = {
+    nuxt: `
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+3. INSTALLATION STEPS \u2014 Run these in order
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+Tell the user to follow these steps exactly. Explain each one in plain
+language before showing the command. Do not skip any step.
+
+STEP 1 \u2014 Initialize Dyrected
+Tell the user:
+"Run this command in your terminal inside your Nuxt.js project folder.
+It will set everything up for you automatically."
+
+\`\`\`bash
+npx @dyrected/cli init
+\`\`\`
+
+When it asks questions, tell the user to:
+- Choose: Nuxt.js 3
+- Choose: SQLite (easiest option, no extra setup needed)
+
+The CLI will automatically:
+- Install all required packages
+- Create a dyrected.config.ts file
+- Mount the Admin UI at pages/cms/index.vue
+- Generate a .env.example file
+
+STEP 2 \u2014 Register the module
+Tell the user to open nuxt.config.ts and add '@dyrected/nuxt' to modules:
+
+\`\`\`ts
+export default defineNuxtConfig({
+  modules: ['@dyrected/nuxt'],
+})
+\`\`\`
+
+STEP 3 \u2014 Set up environment variables
+Tell the user:
+"Find the file called .env.example in your project.
+Make a copy of it and rename the copy to .env
+Then open .env and fill in the values."
+
+STEP 4 \u2014 Start the project
+\`\`\`bash
+pnpm dev
+\`\`\`
+
+STEP 5 \u2014 Open the dashboard
+Tell the user to open their browser and go to:
+http://localhost:3000/cms
+
+If they see the Dyrected admin dashboard, the installation worked.
+Tell them: "You are ready. Now let's set up your content."`,
+    next: `
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+3. INSTALLATION STEPS \u2014 Run these in order
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+Tell the user to follow these steps exactly. Explain each one in plain
+language before showing the command. Do not skip any step.
+
+STEP 1 \u2014 Initialize Dyrected
+Tell the user:
+"Run this command in your terminal inside your Next.js project folder."
+
+\`\`\`bash
+npx @dyrected/cli init
+\`\`\`
+
+When it asks questions, tell the user to:
+- Choose: Next.js
+- Choose: SQLite (easiest option, no extra setup needed)
+
+The CLI will automatically:
+- Install all required packages
+- Create a dyrected.config.ts file
+- Mount the Admin UI at app/cms/page.tsx
+- Generate a .env.example file
+
+STEP 2 \u2014 Set up environment variables
+Tell the user:
+"Find the file called .env.example in your project.
+Make a copy of it and rename the copy to .env.local
+Then open .env.local and fill in the values."
+
+STEP 3 \u2014 Start the project
+\`\`\`bash
+pnpm dev
+\`\`\`
+
+STEP 4 \u2014 Open the dashboard
+Tell the user to open their browser and go to:
+http://localhost:3000/cms
+
+If they see the Dyrected admin dashboard, the installation worked.
+Tell them: "You are ready. Now let's set up your content."`,
+    react: `
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+3. INSTALLATION STEPS \u2014 Run these in order
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+STEP 1 \u2014 Install the SDK and admin packages
+\`\`\`bash
+npm install @dyrected/sdk @dyrected/admin
+\`\`\`
+
+STEP 2 \u2014 Set up the client (lib/dyrected.ts):
+\`\`\`ts
+import { createClient } from '@dyrected/sdk'
+
+export const dyrected = createClient({
+  baseUrl: '${config.baseUrl || "https://api.dyrected.cloud"}',${isSelfHosted ? "" : `
+  apiKey:  '${config.apiKey}',
+  siteId:  '${config.siteId}',`}
+})
+\`\`\`
+
+STEP 3 \u2014 Mount the Admin UI (pages/cms.tsx):
+\`\`\`tsx
+import { AdminUI } from '@dyrected/admin'
+import '@dyrected/admin/styles'
+
+export default function AdminPage() {
+  return (
+    <div style={{ height: '100vh' }}>
+      <AdminUI
+        baseUrl="${config.baseUrl || "https://api.dyrected.cloud"}"${isSelfHosted ? "" : `
+        apiKey="${config.apiKey}"
+        siteId="${config.siteId}"`}
+      />
+    </div>
+  )
+}
+\`\`\``,
+    vue: `
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+3. INSTALLATION STEPS \u2014 Run these in order
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+STEP 1 \u2014 Install the SDK and admin packages
+\`\`\`bash
+npm install @dyrected/sdk @dyrected/admin
+\`\`\`
+
+STEP 2 \u2014 Set up the client (lib/dyrected.ts):
+\`\`\`ts
+import { createClient } from '@dyrected/sdk'
+
+export const dyrected = createClient({
+  baseUrl: '${config.baseUrl || "https://api.dyrected.cloud"}',${isSelfHosted ? "" : `
+  apiKey:  '${config.apiKey}',
+  siteId:  '${config.siteId}',`}
+})
+\`\`\`
+
+STEP 3 \u2014 Mount the Admin UI (pages/cms.vue):
+\`\`\`vue
+<template>
+  <div ref="container" style="height: 100vh" />
+</template>
+
+<script setup>
+import { ref, onMounted, onUnmounted } from 'vue'
+import { renderAdminUI } from '@dyrected/admin'
+import '@dyrected/admin/styles'
+
+const container = ref(null)
+let cleanup
+
+onMounted(() => {
+  cleanup = renderAdminUI(container.value, {
+    baseUrl: '${config.baseUrl || "https://api.dyrected.cloud"}',${isSelfHosted ? "" : `
+    apiKey: '${config.apiKey}',
+    siteId: '${config.siteId}',`}
+  })
+})
+
+onUnmounted(() => cleanup?.())
+</script>
+\`\`\``
+  };
+  return [
+    `You are a friendly technical assistant helping someone set up Dyrected CMS for the very first time in a ${frameworkLabel} project. They have NOT installed anything yet.
+
+Your job is to:
+1. Understand who you are talking to before giving any instructions
+2. Ask simple questions about their project and content needs
+3. Walk them through setup in a way that matches their technical level
+4. Confirm each step worked before moving to the next
+5. Help them design their content so their client can manage it
+
+Speak in plain language at all times. Never assume technical knowledge.
+Never show more than one step at a time.
+Never mention the terminal, command line, or any commands until you have
+confirmed the user is comfortable running them.`,
+    `
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+1. ENVIRONMENT
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+- Framework : ${frameworkLabel}
+- Host Type : ${isSelfHosted ? "Self-Hosted" : "Dyrected Cloud"}
+- API Base  : ${config.baseUrl || "http://localhost:3000"}
+${isSelfHosted ? "" : `- Site ID  : ${config.siteId}
+- API Key  : ${config.apiKey}`}`.trim(),
+    `
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+2. PHASE 0 \u2014 UNDERSTAND THE USER FIRST
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+Ask these questions one at a time. Wait for each answer before asking the next.
+Never ask more than one question at a time.
+
+\u2500\u2500\u2500 QUESTION 1 \u2014 TECH LEVEL \u2500\u2500\u2500
+This is the most important question. Ask it first.
+
+Ask exactly this:
+"Before we dive in \u2014 how would you describe yourself?
+
+  A) I write code myself (I'm comfortable with the terminal and editing files)
+  B) I use tools like Lovable, Bolt, or v0 to build with AI \u2014 I don't write much code myself
+  C) I'm a designer or project manager \u2014 someone else usually handles the technical stuff
+  D) Something else \u2014 just describe how you work"
+
+Use their answer to decide how to guide them for the rest of the setup:
+- If A \u2192 they are TECHNICAL. You may show terminal commands and code directly.
+- If B \u2192 they are SEMI-TECHNICAL. Explain what each step does before showing
+          any code or commands. Ask before running anything in the terminal.
+          For Lovable users specifically: guide them to use the built-in
+          terminal or ask them to paste code into the right file in their editor.
+- If C \u2192 they are NON-TECHNICAL. Do not show terminal commands at all.
+          Generate all the code and config for them. Walk them through
+          copy-pasting into specific files by name. If a terminal step is
+          unavoidable, warn them first and offer to write the exact command
+          with a clear explanation of what it does and where to run it.
+- If D \u2192 ask one follow-up question to understand their workflow before
+          deciding which path above fits best.
+
+\u2500\u2500\u2500 QUESTION 2 \u2014 PROJECT STATUS \u2500\u2500\u2500
+Ask after Q1 is answered:
+
+"Do you already have a ${frameworkLabel} project open,
+or are we starting from scratch?
+
+  \u2192 Already have a project: tell me what the site is about or
+    share the folder name
+  \u2192 Starting fresh: just say 'new project' and I will help you
+    create one first"
+
+\u2500\u2500\u2500 QUESTION 3 \u2014 SITE PURPOSE \u2500\u2500\u2500
+Ask after Q2 is answered:
+
+"What kind of website is this?
+
+  A) A business or agency site (show services, get enquiries)
+  B) A blog or news site (publish articles regularly)
+  C) A SaaS or product landing page (features, pricing, sign up)
+  D) A portfolio (show work and past projects)
+  E) Something else \u2014 describe it in one sentence"
+
+\u2500\u2500\u2500 QUESTION 4 \u2014 CONTENT NEEDS \u2500\u2500\u2500
+Ask after Q3 is answered:
+
+"What will your client need to update themselves \u2014 without calling you?
+
+  Some examples to help you think:
+  \u2192 Blog posts or news articles
+  \u2192 Team member profiles (name, photo, bio)
+  \u2192 Services or product descriptions
+  \u2192 Homepage text (headline, buttons, images)
+  \u2192 Testimonials or reviews
+  \u2192 FAQs
+  \u2192 Event listings or announcements
+
+  Just list the ones that apply. Or say 'not sure yet'
+  and we will figure it out together."
+
+\u2500\u2500\u2500 AFTER ALL QUESTIONS \u2500\u2500\u2500
+Once all four questions are answered:
+1. Summarise what you understood in plain English
+2. Ask the user to confirm before touching any code
+3. Then move to the installation steps using the correct path
+   for their tech level from Question 1`,
+    frameworkSetup[activeTab] || frameworkSetup.nuxt,
+    `
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+4. AFTER INSTALLATION \u2014 CONTENT SETUP
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+Once the dashboard is confirmed working, help the user design their
+content model in dyrected.config.ts based on what they told you in
+Phase 0.
+
+RULES for this phase:
+- Use defineCollection and defineConfig from '@dyrected/core'
+- Use client.collection(slug) only \u2014 never client.collections
+- Always use initialData in all data fetches
+- Use a catch-all pages collection for marketing-managed pages
+- Use blocks for flexible page layouts
+- Use type: 'relationship', relationTo: 'collectionSlug' for relations
+- Never throw during render \u2014 fall back to initialData on errors
+- All relationship fields must handle null gracefully
+
+CONTENT SETUP DELIVERABLES \u2014 in this order:
+1. dyrected.config.ts \u2014 complete file based on their answers
+2. Catch-all page route for CMS-managed pages
+3. Block components list (names and fields only)
+4. One example fetch showing how to load content on a page
+
+After delivering the config, tell the user to sync their schema.
+For TECHNICAL users show the command directly:
+\`\`\`bash
+npx @dyrected/cli sync:schema
+\`\`\`
+For SEMI-TECHNICAL or NON-TECHNICAL users explain it first:
+"This next step tells Dyrected to read your content setup file
+and prepare the database. Here is the command to run:" then show it.
+
+Then ask: "Do you want me to help you connect this content to your
+frontend pages now?"
+
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+DO NOT
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+- Do NOT show terminal commands before confirming the user's tech level
+- Do NOT assume the user knows what a terminal, CLI, or package manager is
+- Do NOT show all steps at once \u2014 one step at a time always
+- Do NOT use client.collections \u2014 use client.collection(slug)
+- Do NOT add custom auth middleware to the admin route
+- Do NOT use renderAdminUI in a Nuxt.js project
+- Do NOT skip the confirmation after each installation step
+- Do NOT use jargon without explaining it in plain English first
+- Do NOT assume the installation worked \u2014 ask the user to confirm
+
+API Reference: https://docs.dyrected.com
+If you are unsure about any syntax, refer to the official documentation above.`
+  ].join("\n");
+}
 function generateAIPrompt(activeTab, config) {
-  const frameworkLabel = activeTab === "next" ? "Next.js" : activeTab === "nuxt" ? "Nuxt" : activeTab.charAt(0).toUpperCase() + activeTab.slice(1);
+  const frameworkLabel = activeTab === "next" ? "Next.js" : activeTab === "nuxt" ? "Nuxt.js" : activeTab ? activeTab.charAt(0).toUpperCase() + activeTab.slice(1) : "the project's detected framework";
   const isSelfHosted = config.isSelfHosted === true || !config.apiKey && !config.siteId;
   const existingSite = config.existingSite ?? false;
+  const missionText = existingSite ? `You are a Senior Content Architect. Your mission is to integrate Dyrected CMS into an EXISTING ${frameworkLabel} project. Your absolute priority is DATA PRESERVATION and MIGRATION of existing hardcoded content into a flexible, blocks-based schema that empowers marketing teams to move independently.` : `You are a Senior Content Architect. Your mission is to integrate Dyrected CMS into a NEW ${frameworkLabel} project. Your priority is DATA PRESERVATION and creating a CMS that empowers marketing teams to move independently without raising tickets to engineering.`;
   const sections = [
-    `You are a Senior Content Architect. Your mission is to integrate Dyrected CMS into a ${frameworkLabel} project. Your priority is DATA PRESERVATION and creating a CMS that empowers marketing teams to move independently without raising tickets to engineering.`,
+    missionText,
     buildEnvironmentSection(frameworkLabel, isSelfHosted, config),
-    buildDiagnosticSection(existingSite),
+    buildDiagnosticSection(),
     buildConstraintsSection(),
     buildSchemaRulesSection(),
     buildDoNotSection(),
@@ -540,6 +925,1952 @@ function normalizeConfig(config) {
   };
 }
 
+// src/utils/parse-where.ts
+function assertNever(op, context) {
+  throw new Error(`[dyrected/core] Unhandled where operator "${op}" in ${context}`);
+}
+function parseSqlWhere(where, getJsonField, placeholder = "?") {
+  const params = [];
+  let pgIndex = 1;
+  function next() {
+    return placeholder === "pg" ? `$${pgIndex++}` : "?";
+  }
+  function col(field) {
+    return field === "id" ? "id" : getJsonField(field);
+  }
+  function buildOperator(field, value) {
+    const c = col(field);
+    if (typeof value !== "object" || value === null || Array.isArray(value)) {
+      params.push(value);
+      return `${c} = ${next()}`;
+    }
+    const entries = Object.entries(value);
+    if (entries.length !== 1) {
+      return entries.map(([op2, operand2]) => buildSingleOp(c, op2, operand2)).join(" AND ");
+    }
+    const [op, operand] = entries[0];
+    return buildSingleOp(c, op, operand);
+  }
+  function buildSingleOp(c, op, operand) {
+    switch (op) {
+      case "equals":
+        params.push(operand);
+        return `${c} = ${next()}`;
+      case "not_equals":
+        params.push(operand);
+        return `${c} != ${next()}`;
+      case "in": {
+        const vals = Array.isArray(operand) ? operand : [operand];
+        if (vals.length === 0) return "1=0";
+        const placeholders = vals.map((v) => {
+          params.push(v);
+          return next();
+        });
+        return `${c} IN (${placeholders.join(", ")})`;
+      }
+      case "not_in": {
+        const vals = Array.isArray(operand) ? operand : [operand];
+        if (vals.length === 0) return "1=1";
+        const placeholders = vals.map((v) => {
+          params.push(v);
+          return next();
+        });
+        return `${c} NOT IN (${placeholders.join(", ")})`;
+      }
+      case "gt":
+        params.push(operand);
+        return `${c} > ${next()}`;
+      case "gte":
+        params.push(operand);
+        return `${c} >= ${next()}`;
+      case "lt":
+        params.push(operand);
+        return `${c} < ${next()}`;
+      case "lte":
+        params.push(operand);
+        return `${c} <= ${next()}`;
+      case "contains":
+        params.push(`%${operand}%`);
+        return `${c} LIKE ${next()}`;
+      case "starts_with":
+        params.push(`${operand}%`);
+        return `${c} LIKE ${next()}`;
+      case "exists":
+        return operand ? `${c} IS NOT NULL` : `${c} IS NULL`;
+      default:
+        return assertNever(op, "parseSqlWhere");
+    }
+  }
+  function buildClause(w) {
+    const parts = [];
+    for (const [field, value] of Object.entries(w)) {
+      if (field === "OR" && Array.isArray(value)) {
+        const sub = value.map((v) => `(${buildClause(v)})`).join(" OR ");
+        parts.push(`(${sub})`);
+      } else if (field === "AND" && Array.isArray(value)) {
+        const sub = value.map((v) => `(${buildClause(v)})`).join(" AND ");
+        parts.push(`(${sub})`);
+      } else {
+        parts.push(buildOperator(field, value));
+      }
+    }
+    return parts.length ? parts.join(" AND ") : "1=1";
+  }
+  const sql = buildClause(where);
+  return { sql, params };
+}
+function parseMongoWhere(where) {
+  function buildOperator(field, value) {
+    if (typeof value !== "object" || value === null || Array.isArray(value)) {
+      return { [field]: { $eq: value } };
+    }
+    const entries = Object.entries(value);
+    if (entries.length !== 1) {
+      const merged = {};
+      for (const [op2, operand2] of entries) {
+        Object.assign(merged, buildSingleOp(field, op2, operand2)[field]);
+      }
+      return { [field]: merged };
+    }
+    const [op, operand] = entries[0];
+    return buildSingleOp(field, op, operand);
+  }
+  function buildSingleOp(field, op, operand) {
+    switch (op) {
+      case "equals":
+        return { [field]: { $eq: operand } };
+      case "not_equals":
+        return { [field]: { $ne: operand } };
+      case "in":
+        return { [field]: { $in: Array.isArray(operand) ? operand : [operand] } };
+      case "not_in":
+        return { [field]: { $nin: Array.isArray(operand) ? operand : [operand] } };
+      case "gt":
+        return { [field]: { $gt: operand } };
+      case "gte":
+        return { [field]: { $gte: operand } };
+      case "lt":
+        return { [field]: { $lt: operand } };
+      case "lte":
+        return { [field]: { $lte: operand } };
+      case "contains":
+        return { [field]: { $regex: operand, $options: "i" } };
+      case "starts_with":
+        return { [field]: { $regex: `^${operand}`, $options: "i" } };
+      case "exists":
+        return { [field]: { $exists: operand } };
+      default:
+        return assertNever(op, "parseMongoWhere");
+    }
+  }
+  function buildClause(w) {
+    const conditions = [];
+    for (const [field, value] of Object.entries(w)) {
+      if (field === "OR" && Array.isArray(value)) {
+        conditions.push({ $or: value.map(buildClause) });
+      } else if (field === "AND" && Array.isArray(value)) {
+        conditions.push({ $and: value.map(buildClause) });
+      } else {
+        conditions.push(buildOperator(field, value));
+      }
+    }
+    if (conditions.length === 0) return {};
+    if (conditions.length === 1) return conditions[0];
+    return { $and: conditions };
+  }
+  return buildClause(where);
+}
+
+// src/app.ts
+var import_hono = require("hono");
+var import_cors = require("hono/cors");
+var import_request_id = require("hono/request-id");
+
+// src/services/population.service.ts
+var PopulationService = class {
+  db;
+  collections;
+  constructor(db, collections) {
+    this.db = db;
+    this.collections = collections;
+  }
+  /**
+   * Recursively populate relationship fields in a document or array of documents.
+   */
+  async populate(args) {
+    const { data, fields, currentDepth, maxDepth } = args;
+    if (currentDepth >= maxDepth || !data) {
+      return data;
+    }
+    if (Array.isArray(data)) {
+      return Promise.all(data.map((item) => this.populate({ ...args, data: item })));
+    }
+    const populatedDoc = { ...data };
+    for (const field of fields) {
+      const value = populatedDoc[field.name];
+      if (field.type === "relationship" && field.relationTo && value) {
+        const relatedCollection = this.collections.find((c) => c.slug === field.relationTo);
+        if (!relatedCollection) continue;
+        if (Array.isArray(value)) {
+          populatedDoc[field.name] = await Promise.all(
+            value.map(async (id) => {
+              if (!id) return id;
+              let doc = id;
+              if (typeof id === "string") {
+                doc = await this.db.findOne({ collection: field.relationTo, id });
+              }
+              if (!doc || typeof doc !== "object") return id;
+              return this.populate({
+                data: doc,
+                fields: relatedCollection.fields,
+                currentDepth: currentDepth + 1,
+                maxDepth
+              });
+            })
+          );
+        } else if (value) {
+          let doc = value;
+          if (typeof value === "string") {
+            doc = await this.db.findOne({ collection: field.relationTo, id: value });
+          }
+          if (doc && typeof doc === "object") {
+            populatedDoc[field.name] = await this.populate({
+              data: doc,
+              fields: relatedCollection.fields,
+              currentDepth: currentDepth + 1,
+              maxDepth
+            });
+          }
+        }
+      }
+      if ((field.type === "array" || field.type === "object") && field.fields && value) {
+        populatedDoc[field.name] = await this.populate({
+          data: value,
+          fields: field.fields,
+          currentDepth,
+          // Nested fields don't consume depth, only relationships do
+          maxDepth
+        });
+      }
+      if (field.type === "blocks" && field.blocks && Array.isArray(value)) {
+        populatedDoc[field.name] = await Promise.all(
+          value.map(async (blockData) => {
+            const blockConfig = field.blocks.find((b) => b.slug === blockData.blockType);
+            if (!blockConfig) return blockData;
+            return this.populate({
+              data: blockData,
+              fields: blockConfig.fields,
+              currentDepth,
+              maxDepth
+            });
+          })
+        );
+      }
+    }
+    return populatedDoc;
+  }
+  /**
+   * Helper to populate a PaginatedResult
+   */
+  async populateResult(result, fields, maxDepth) {
+    if (maxDepth <= 0) return result;
+    const populatedDocs = await this.populate({
+      data: result.docs,
+      fields,
+      currentDepth: 0,
+      maxDepth
+    });
+    return {
+      ...result,
+      docs: populatedDocs
+    };
+  }
+};
+
+// src/services/defaults.service.ts
+var DefaultsService = class {
+  /**
+   * Recursively apply default values to a data object based on field definitions.
+   */
+  static apply(fields, data = {}) {
+    const result = { ...data || {} };
+    fields.forEach((field) => {
+      let value = result[field.name];
+      if ((value === void 0 || value === null) && field.renameTo) {
+        const legacyValue = result[field.renameTo];
+        if (legacyValue !== void 0 && legacyValue !== null) {
+          value = legacyValue;
+          result[field.name] = legacyValue;
+        }
+      }
+      if (value === void 0 || value === null) {
+        if (field.defaultValue !== void 0) {
+          result[field.name] = field.defaultValue;
+        } else {
+          if (field.type === "boolean") result[field.name] = false;
+          else if (field.type === "array") result[field.name] = [];
+          else if (field.type === "multiSelect") result[field.name] = [];
+          else if (field.type === "object") {
+            result[field.name] = this.apply(field.fields || [], {});
+          }
+        }
+      } else if (field.type === "object" && field.fields) {
+        result[field.name] = this.apply(field.fields, value);
+      } else if (field.type === "array" && field.fields && Array.isArray(value)) {
+        result[field.name] = value.map((item) => this.apply(field.fields, item));
+      }
+    });
+    return result;
+  }
+};
+
+// src/services/audit.service.ts
+var AuditService = class {
+  /**
+   * Writes a single entry to the __audit collection.
+   * Called without await — runs asynchronously and never blocks the primary operation.
+   */
+  static async log(db, args) {
+    try {
+      await db.create({
+        collection: "__audit",
+        data: {
+          collection: args.collection,
+          documentId: args.documentId ?? null,
+          operation: args.operation,
+          user: args.user?.id ?? null,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          changes: JSON.stringify({
+            before: args.before ?? null,
+            after: args.after ?? null
+          })
+        }
+      });
+    } catch (err) {
+      console.error("[dyrected/audit] Failed to write audit log:", err);
+    }
+  }
+};
+
+// src/controllers/collection.controller.ts
+var CollectionController = class {
+  collection;
+  constructor(collection) {
+    this.collection = collection;
+  }
+  async find(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const limit = Number(c.req.query("limit")) || 10;
+    const page = Number(c.req.query("page")) || 1;
+    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 1;
+    const sort = c.req.query("sort") || void 0;
+    let where = void 0;
+    const whereRaw = c.req.query("where");
+    if (whereRaw) {
+      try {
+        where = JSON.parse(decodeURIComponent(whereRaw));
+      } catch {
+      }
+    }
+    let result = await db.find({
+      collection: this.collection.slug,
+      limit,
+      page,
+      sort,
+      where
+    });
+    if (result.total === 0 && this.collection.initialData && !where && page === 1) {
+      console.log(`[dyrected/core] Auto-seeding collection "${this.collection.slug}" from config.initialData`);
+      for (const data of this.collection.initialData) {
+        await db.create({ collection: this.collection.slug, data });
+      }
+      result = await db.find({
+        collection: this.collection.slug,
+        limit,
+        page,
+        sort,
+        where
+      });
+    }
+    result.docs = result.docs.map((doc) => DefaultsService.apply(this.collection.fields, doc));
+    if (depth > 0) {
+      const populationService = new PopulationService(db, config.collections);
+      result = await populationService.populateResult(result, this.collection.fields, depth);
+    }
+    return c.json(result);
+  }
+  async findOne(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 1;
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const doc = await db.findOne({ collection: this.collection.slug, id });
+    if (!doc) return c.json({ message: "Not Found" }, 404);
+    const docWithDefaults = DefaultsService.apply(this.collection.fields, doc);
+    if (depth > 0 && docWithDefaults) {
+      const populationService = new PopulationService(db, config.collections);
+      const populatedDoc = await populationService.populate({
+        data: docWithDefaults,
+        fields: this.collection.fields,
+        currentDepth: 0,
+        maxDepth: depth
+      });
+      return c.json(populatedDoc);
+    }
+    return c.json(docWithDefaults);
+  }
+  async create(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const contentType = c.req.header("Content-Type") || "";
+    if (contentType.toLowerCase().includes("multipart/form-data")) {
+      return this.upload(c);
+    }
+    const body = await c.req.json();
+    const user = c.get("user");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const data = {
+      ...body,
+      createdAt: now,
+      updatedAt: now,
+      createdBy: user?.sub ?? null,
+      updatedBy: user?.sub ?? null
+    };
+    const doc = await db.create({ collection: this.collection.slug, data });
+    if (this.collection.audit && db) {
+      AuditService.log(db, {
+        operation: "create",
+        collection: this.collection.slug,
+        documentId: doc.id,
+        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+        before: null,
+        after: doc
+      });
+    }
+    return c.json(doc, 201);
+  }
+  async upload(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    if (!storage) return c.json({ message: "Storage not configured" }, 500);
+    const formData = await c.req.formData();
+    const file = formData.get("file");
+    if (!file) return c.json({ message: "No file uploaded" }, 400);
+    const buffer = new Uint8Array(await file.arrayBuffer());
+    const siteId = c.get("siteId");
+    const workspaceId = c.get("workspaceId");
+    const prefix = workspaceId ? `${workspaceId}/${siteId}` : siteId;
+    const fileData = await storage.upload({
+      filename: file.name,
+      buffer,
+      mimeType: file.type,
+      prefix
+    });
+    const otherData = {};
+    formData.forEach((value, key) => {
+      if (key !== "file" && typeof value === "string") {
+        otherData[key] = value;
+      }
+    });
+    const user = c.get("user");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const doc = await config.db.create({
+      collection: this.collection.slug,
+      data: {
+        ...otherData,
+        ...fileData,
+        createdAt: now,
+        updatedAt: now,
+        createdBy: user?.sub ?? null,
+        updatedBy: user?.sub ?? null
+      }
+    });
+    return c.json(doc, 201);
+  }
+  async update(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const body = await c.req.json();
+    const user = c.get("user");
+    const data = {
+      ...body,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      updatedBy: user?.sub ?? null
+    };
+    let before = null;
+    if (this.collection.audit) {
+      before = await db.findOne({ collection: this.collection.slug, id });
+    }
+    const doc = await db.update({ collection: this.collection.slug, id, data });
+    if (this.collection.audit && db) {
+      AuditService.log(db, {
+        operation: "update",
+        collection: this.collection.slug,
+        documentId: id,
+        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+        before,
+        after: doc
+      });
+    }
+    return c.json(doc);
+  }
+  async delete(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const user = c.get("user");
+    let before = null;
+    if (this.collection.audit) {
+      before = await db.findOne({ collection: this.collection.slug, id });
+    }
+    await db.delete({ collection: this.collection.slug, id });
+    if (this.collection.audit && db) {
+      AuditService.log(db, {
+        operation: "delete",
+        collection: this.collection.slug,
+        documentId: id,
+        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+        before,
+        after: null
+      });
+    }
+    return c.json({ message: "Deleted" });
+  }
+  async deleteMany(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const user = c.get("user");
+    let ids = [];
+    try {
+      const body = await c.req.json().catch(() => null);
+      if (body?.ids && Array.isArray(body.ids)) {
+        ids = body.ids;
+      }
+    } catch {
+    }
+    if (!ids.length) {
+      const raw = c.req.queries("ids") ?? c.req.queries("ids[]") ?? [];
+      ids = raw.filter(Boolean);
+    }
+    if (!ids.length) return c.json({ message: "No IDs provided" }, 400);
+    const deleted = [];
+    const failed = [];
+    for (const id of ids) {
+      try {
+        let before = null;
+        if (this.collection.audit) {
+          before = await db.findOne({ collection: this.collection.slug, id });
+        }
+        await db.delete({ collection: this.collection.slug, id });
+        deleted.push(id);
+        if (this.collection.audit) {
+          AuditService.log(db, {
+            operation: "delete",
+            collection: this.collection.slug,
+            documentId: id,
+            user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+            before,
+            after: null
+          });
+        }
+      } catch (err) {
+        failed.push({ id, error: err?.message ?? "Unknown error" });
+      }
+    }
+    return c.json({
+      message: `Deleted ${deleted.length} document(s)`,
+      deleted,
+      ...failed.length ? { failed } : {}
+    });
+  }
+  async seed(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json();
+    const initialData = body.data;
+    if (!initialData || !Array.isArray(initialData)) {
+      return c.json({ message: "Invalid initial data" }, 400);
+    }
+    const result = await db.find({ collection: this.collection.slug, limit: 1 });
+    if (result.total > 0) {
+      return c.json({ message: "Collection is not empty, skipping seed" });
+    }
+    console.log(`[dyrected/core] Auto-seeding collection: ${this.collection.slug}`);
+    const createdDocs = [];
+    for (const data of initialData) {
+      const doc = await db.create({ collection: this.collection.slug, data });
+      createdDocs.push(doc);
+    }
+    return c.json({ message: "Seed successful", count: createdDocs.length }, 201);
+  }
+};
+
+// src/controllers/global.controller.ts
+var GlobalController = class {
+  global;
+  constructor(global) {
+    this.global = global;
+  }
+  async get(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 1;
+    let data = await db.getGlobal({ slug: this.global.slug });
+    const isEmpty = !data || Object.keys(data).length === 0;
+    if (isEmpty && this.global.initialData) {
+      console.log(`[dyrected/core] Auto-seeding global "${this.global.slug}" from config.initialData`);
+      await db.updateGlobal({ slug: this.global.slug, data: this.global.initialData });
+      data = this.global.initialData;
+    }
+    const dataWithDefaults = DefaultsService.apply(this.global.fields, data);
+    if (depth > 0 && dataWithDefaults) {
+      const populationService = new PopulationService(db, config.collections);
+      const populatedData = await populationService.populate({
+        data: dataWithDefaults,
+        fields: this.global.fields,
+        currentDepth: 1,
+        maxDepth: depth
+      });
+      return c.json(populatedData);
+    }
+    return c.json(dataWithDefaults);
+  }
+  async update(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json();
+    const data = await db.updateGlobal({ slug: this.global.slug, data: body });
+    return c.json(data);
+  }
+  async seed(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json();
+    const initialData = body.data;
+    if (!initialData) {
+      return c.json({ message: "Invalid initial data" }, 400);
+    }
+    const existing = await db.getGlobal({ slug: this.global.slug });
+    if (existing && Object.keys(existing).length > 0) {
+      return c.json({ message: "Global is not empty, skipping seed" });
+    }
+    console.log(`[dyrected/core] Auto-seeding global: ${this.global.slug}`);
+    await db.updateGlobal({ slug: this.global.slug, data: initialData });
+    return c.json({ message: "Seed successful", data: initialData }, 201);
+  }
+};
+
+// src/controllers/media.controller.ts
+var MediaController = class {
+  collection;
+  constructor(collection = "media") {
+    this.collection = collection;
+  }
+  async upload(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    const imageService = config.image;
+    if (!storage) {
+      return c.json({ message: "Storage not configured" }, 500);
+    }
+    const body = await c.req.parseBody();
+    const file = body["file"];
+    const focalPointStr = body["focalPoint"];
+    const focalPoint = focalPointStr ? JSON.parse(focalPointStr) : void 0;
+    if (!file) {
+      return c.json({ message: "No file uploaded" }, 400);
+    }
+    const buffer = new Uint8Array(await file.arrayBuffer());
+    const siteId = c.get("siteId");
+    const workspaceId = c.get("workspaceId");
+    const prefix = workspaceId ? `${workspaceId}/${siteId}` : siteId || "default";
+    let imageMetadata = {};
+    let imageSizes = {};
+    if (imageService && file.type.startsWith("image/")) {
+      let colConfig = config.collections.find((col) => col.slug === this.collection);
+      if (!colConfig && config.onSchemaFetch && siteId) {
+        const dynamic = await config.onSchemaFetch(siteId);
+        colConfig = dynamic.collections?.find((col) => col.slug === this.collection);
+      }
+      try {
+        const processed = await imageService.process({
+          buffer,
+          mimeType: file.type,
+          config: colConfig?.upload,
+          focalPoint
+        });
+        imageMetadata = processed.metadata;
+        imageSizes = processed.sizes;
+      } catch (err) {
+        console.error("[MediaController] Image processing failed:", err);
+      }
+    }
+    const fileData = await storage.upload({
+      filename: file.name,
+      buffer,
+      mimeType: file.type,
+      prefix
+    });
+    const finalFileData = {
+      ...fileData,
+      ...imageMetadata,
+      focalPoint,
+      sizes: {}
+    };
+    if (imageSizes) {
+      for (const [sizeName, sizeData] of Object.entries(imageSizes)) {
+        const ext = file.name.split(".").pop();
+        const baseName = file.name.substring(0, file.name.lastIndexOf("."));
+        const sizeFilename = `${baseName}-${sizeName}.${ext}`;
+        try {
+          const sizeFileData = await storage.upload({
+            filename: sizeFilename,
+            buffer: sizeData.buffer,
+            mimeType: file.type,
+            prefix
+          });
+          finalFileData.sizes[sizeName] = {
+            ...sizeFileData,
+            width: sizeData.width,
+            height: sizeData.height
+          };
+        } catch (err) {
+          console.error(`[MediaController] Failed to upload size ${sizeName}:`, err);
+        }
+      }
+    }
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const doc = await db.create({
+      collection: this.collection,
+      data: finalFileData
+    });
+    return c.json(doc, 201);
+  }
+  async find(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const limit = Number(c.req.query("limit")) || 10;
+    const page = Number(c.req.query("page")) || 1;
+    const result = await db.find({
+      collection: this.collection,
+      limit,
+      page
+    });
+    return c.json(result);
+  }
+  async delete(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const doc = await db.findOne({ collection: this.collection, id });
+    if (!doc) return c.json({ message: "Not Found" }, 404);
+    if (storage) {
+      await storage.delete({ filename: doc.filename });
+      if (doc.sizes) {
+        for (const size of Object.values(doc.sizes)) {
+          if (size.filename) {
+            await storage.delete({ filename: size.filename });
+          }
+        }
+      }
+    }
+    await db.delete({ collection: this.collection, id });
+    return c.json({ message: "Deleted" });
+  }
+  async serve(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    if (!storage || !storage.resolve) {
+      return c.json({ message: "Storage not configured for serving" }, 404);
+    }
+    const filename = c.req.param("filename");
+    if (!filename) return c.json({ message: "Missing filename" }, 400);
+    let res = await storage.resolve({ filename });
+    if (!res && !filename.includes("/")) {
+      res = await storage.resolve({ filename: `default/${filename}` });
+    }
+    if (!res) return c.json({ message: "Not Found" }, 404);
+    c.header("Content-Type", res.mimeType);
+    return c.body(res.buffer);
+  }
+};
+
+// src/auth/password.ts
+var import_node_util = require("util");
+var import_node_crypto = require("crypto");
+var scryptAsync = (0, import_node_util.promisify)(import_node_crypto.scrypt);
+var SALT_LEN = 16;
+var KEY_LEN = 64;
+async function hashPassword(plain) {
+  const salt = (0, import_node_crypto.randomBytes)(SALT_LEN).toString("hex");
+  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
+  return `${salt}:${derivedKey.toString("hex")}`;
+}
+async function verifyPassword(plain, stored) {
+  const [salt, storedHash] = stored.split(":");
+  if (!salt || !storedHash) return false;
+  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
+  const storedBuffer = Buffer.from(storedHash, "hex");
+  if (derivedKey.length !== storedBuffer.length) return false;
+  return (0, import_node_crypto.timingSafeEqual)(derivedKey, storedBuffer);
+}
+
+// src/auth/token.ts
+var import_jose = require("jose");
+var import_node_util2 = require("util");
+function getSecret() {
+  const secret = process.env.DYRECTED_JWT_SECRET || process.env.JWT_SECRET;
+  if (!secret) {
+    throw new Error(
+      "[dyrected/core] DYRECTED_JWT_SECRET is not set. Add it to your environment variables to enable auth collections."
+    );
+  }
+  return new import_node_util2.TextEncoder().encode(secret);
+}
+var DEFAULT_EXPIRY = "7d";
+async function signCollectionToken(payload, expiresIn = DEFAULT_EXPIRY) {
+  return new import_jose.SignJWT({ ...payload }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(expiresIn).sign(getSecret());
+}
+async function verifyCollectionToken(token) {
+  const { payload } = await (0, import_jose.jwtVerify)(token, getSecret());
+  return payload;
+}
+
+// src/services/email.service.ts
+var _devSend = null;
+var _devSendPromise = null;
+async function getDevSend() {
+  if (_devSend) return _devSend;
+  if (_devSendPromise) return _devSendPromise;
+  _devSendPromise = (async () => {
+    try {
+      const nodemailer = await import("nodemailer");
+      const account = await nodemailer.default.createTestAccount();
+      const transport = nodemailer.default.createTransport({
+        host: "smtp.ethereal.email",
+        port: 587,
+        auth: { user: account.user, pass: account.pass }
+      });
+      console.log("[dyrected/core] No email config \u2014 using Ethereal for dev email preview.");
+      console.log(`[dyrected/core] Ethereal login: https://ethereal.email  user: ${account.user}  pass: ${account.pass}`);
+      _devSend = async ({ to, subject, html }) => {
+        const info = await transport.sendMail({ from: '"Dyrected Dev" <dev@dyrected.local>', to, subject, html });
+        console.log(`[dyrected/core] Email preview URL: ${nodemailer.default.getTestMessageUrl(info)}`);
+      };
+      return _devSend;
+    } catch {
+      console.warn("[dyrected/core] nodemailer not available \u2014 emails will not be sent in dev.");
+      return null;
+    }
+  })();
+  return _devSendPromise;
+}
+async function sendEmail(config, payload) {
+  if (config.email) {
+    await config.email.send(payload);
+    return;
+  }
+  if (process.env.NODE_ENV !== "production") {
+    const devSend = await getDevSend();
+    await devSend?.(payload);
+  }
+}
+function buildWelcomeEmail(config, args) {
+  const custom = config.email?.templates?.welcome?.(args);
+  return {
+    subject: custom?.subject ?? "Welcome \u2014 your account is ready",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto">
+        <h2>Welcome!</h2>
+        <p>Your account has been created. You can now log in with:</p>
+        <p><strong>${args.email}</strong></p>
+      </div>`
+  };
+}
+function buildInviteEmail(config, args) {
+  const custom = config.email?.templates?.invite?.(args);
+  return {
+    subject: custom?.subject ?? "You've been invited",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto">
+        <h2>You've been invited</h2>
+        ${args.invitedByEmail ? `<p>Invited by <strong>${args.invitedByEmail}</strong>.</p>` : ""}
+        <p>Use the token below to accept your invitation. It expires in 7 days.</p>
+        <pre style="background:#f4f4f4;padding:12px;border-radius:4px;word-break:break-all">${args.token}</pre>
+      </div>`
+  };
+}
+function buildResetPasswordEmail(config, args) {
+  const custom = config.email?.templates?.resetPassword?.(args);
+  return {
+    subject: custom?.subject ?? "Reset your password",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto">
+        <h2>Reset your password</h2>
+        <p>Use the token below to reset your password. It expires in 1 hour.</p>
+        <pre style="background:#f4f4f4;padding:12px;border-radius:4px;word-break:break-all">${args.token}</pre>
+      </div>`
+  };
+}
+function buildPasswordChangedEmail(config, args) {
+  const custom = config.email?.templates?.passwordChanged?.(args);
+  return {
+    subject: custom?.subject ?? "Your password has been changed",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto">
+        <h2>Password changed</h2>
+        <p>The password for <strong>${args.email}</strong> was just changed.</p>
+        <p>If you did not make this change, please contact support immediately.</p>
+      </div>`
+  };
+}
+
+// src/controllers/auth.controller.ts
+var AuthController = class {
+  collection;
+  constructor(collection) {
+    this.collection = collection;
+  }
+  // ---------------------------------------------------------------------------
+  // GET /init
+  // Checks if the first user needs to be created.
+  // ---------------------------------------------------------------------------
+  async init(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const result = await db.find({
+      collection: this.collection.slug,
+      limit: 1
+    });
+    return c.json({
+      initialized: result.total > 0
+    });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /first-user
+  // Creates the first user if none exist.
+  // ---------------------------------------------------------------------------
+  async registerFirstUser(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const check = await db.find({
+      collection: this.collection.slug,
+      limit: 1
+    });
+    if (check.total > 0) {
+      return c.json({ error: true, message: "Initial user already exists." }, 403);
+    }
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email || !body?.password) {
+      return c.json({ error: true, message: "email and password are required." }, 400);
+    }
+    const hashedPassword = await hashPassword(body.password);
+    const user = await db.create({
+      collection: this.collection.slug,
+      data: {
+        ...body,
+        password: hashedPassword,
+        roles: ["admin"]
+        // Default first user to admin
+      }
+    });
+    const token = await signCollectionToken({
+      sub: user.id,
+      email: user.email,
+      collection: this.collection.slug
+    });
+    const { subject, html } = buildWelcomeEmail(config, { email: body.email });
+    sendEmail(config, { to: body.email, subject, html }).catch(
+      (err) => console.error("[dyrected/core] Failed to send welcome email:", err)
+    );
+    const { password: _, ...safeUser } = user;
+    return c.json({ token, user: safeUser });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /login
+  // ---------------------------------------------------------------------------
+  async login(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email || !body?.password) {
+      return c.json({ error: true, message: "email and password are required." }, 400);
+    }
+    const result = await db.find({
+      collection: this.collection.slug,
+      where: { email: body.email },
+      limit: 1
+    });
+    const user = result.docs[0];
+    if (!user) {
+      return c.json({ error: true, message: "Invalid email or password." }, 401);
+    }
+    const valid = await verifyPassword(body.password, user.password);
+    if (!valid) {
+      return c.json({ error: true, message: "Invalid email or password." }, 401);
+    }
+    const token = await signCollectionToken({
+      sub: user.id,
+      email: user.email,
+      collection: this.collection.slug
+    });
+    const { password: _, ...safeUser } = user;
+    return c.json({ token, user: safeUser });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /logout
+  // Auth collections use stateless JWTs — logout is handled client-side.
+  // This endpoint exists so clients have a consistent API surface.
+  // ---------------------------------------------------------------------------
+  async logout(c) {
+    return c.json({ success: true, message: "Logged out. Discard your token." });
+  }
+  // ---------------------------------------------------------------------------
+  // GET /me
+  // ---------------------------------------------------------------------------
+  async me(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const requestUser = c.get("user");
+    if (!requestUser) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    const user = await db.findOne({ collection: this.collection.slug, id: requestUser.sub });
+    if (!user) {
+      return c.json({ error: true, message: "User not found." }, 404);
+    }
+    const { password: _, ...safeUser } = user;
+    return c.json(safeUser);
+  }
+  // ---------------------------------------------------------------------------
+  // POST /refresh-token
+  // ---------------------------------------------------------------------------
+  async refreshToken(c) {
+    const requestUser = c.get("user");
+    if (!requestUser) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    const token = await signCollectionToken({
+      sub: requestUser.sub,
+      email: requestUser.email,
+      collection: this.collection.slug
+    });
+    return c.json({ token });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /forgot-password
+  // Requires config.email to be set. Silently succeeds if email not found
+  // to prevent email enumeration.
+  // ---------------------------------------------------------------------------
+  async forgotPassword(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email) {
+      return c.json({ error: true, message: "email is required." }, 400);
+    }
+    const result = await db.find({
+      collection: this.collection.slug,
+      where: { email: body.email },
+      limit: 1
+    });
+    const user = result.docs[0];
+    if (user) {
+      const resetToken = await signCollectionToken(
+        { sub: user.id, email: user.email, collection: this.collection.slug, purpose: "reset" },
+        "1h"
+      );
+      try {
+        const { subject, html } = buildResetPasswordEmail(config, { token: resetToken });
+        await sendEmail(config, { to: user.email, subject, html });
+      } catch (err) {
+        console.error("[dyrected/core] Failed to send password reset email:", err);
+      }
+    }
+    return c.json({
+      success: true,
+      message: "If an account with that email exists, a reset link has been sent."
+    });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /reset-password
+  // Expects { token: string, password: string } in body.
+  // The token is the reset JWT issued by /forgot-password.
+  // ---------------------------------------------------------------------------
+  async resetPassword(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.token || !body?.password) {
+      return c.json({ error: true, message: "token and password are required." }, 400);
+    }
+    let payload;
+    try {
+      payload = await verifyCollectionToken(body.token);
+    } catch {
+      return c.json({ error: true, message: "Reset token is invalid or has expired." }, 400);
+    }
+    if (payload.collection !== this.collection.slug || payload.purpose !== "reset") {
+      return c.json({ error: true, message: "Reset token is invalid or has expired." }, 400);
+    }
+    const hashedPassword = await hashPassword(body.password);
+    await db.update({
+      collection: this.collection.slug,
+      id: payload.sub,
+      data: { password: hashedPassword }
+    });
+    const { subject, html } = buildPasswordChangedEmail(config, { email: payload.email });
+    sendEmail(config, { to: payload.email, subject, html }).catch(
+      (err) => console.error("[dyrected/core] Failed to send password-changed email:", err)
+    );
+    return c.json({ success: true, message: "Password has been reset. You can now log in." });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /invite
+  // Requires auth. Issues a signed invite token and emails it to the invitee.
+  // ---------------------------------------------------------------------------
+  async invite(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const requestUser = c.get("user");
+    if (!requestUser) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email) {
+      return c.json({ error: true, message: "email is required." }, 400);
+    }
+    const existing = await db.find({
+      collection: this.collection.slug,
+      where: { email: body.email },
+      limit: 1
+    });
+    if (existing.total > 0) {
+      return c.json({ error: true, message: "An account with that email already exists." }, 409);
+    }
+    const inviteToken = await signCollectionToken(
+      { sub: body.email, email: body.email, collection: this.collection.slug, purpose: "invite" },
+      "7d"
+    );
+    try {
+      const { subject, html } = buildInviteEmail(config, {
+        token: inviteToken,
+        invitedByEmail: requestUser.email
+      });
+      await sendEmail(config, { to: body.email, subject, html });
+    } catch (err) {
+      console.error("[dyrected/core] Failed to send invite email:", err);
+    }
+    return c.json({ success: true, message: `Invite sent to ${body.email}.` });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /accept-invite
+  // Public. Validates the invite token and creates the user account.
+  // Body: { token, password, ...extraFields }
+  // ---------------------------------------------------------------------------
+  async acceptInvite(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.token || !body?.password) {
+      return c.json({ error: true, message: "token and password are required." }, 400);
+    }
+    let payload;
+    try {
+      payload = await verifyCollectionToken(body.token);
+    } catch {
+      return c.json({ error: true, message: "Invite token is invalid or has expired." }, 400);
+    }
+    if (payload.collection !== this.collection.slug || payload.purpose !== "invite") {
+      return c.json({ error: true, message: "Invite token is invalid or has expired." }, 400);
+    }
+    const inviteeEmail = payload.sub;
+    const existing = await db.find({
+      collection: this.collection.slug,
+      where: { email: inviteeEmail },
+      limit: 1
+    });
+    if (existing.total > 0) {
+      return c.json({ error: true, message: "An account with that email already exists." }, 409);
+    }
+    const { token: _t, password: _p, ...extraFields } = body;
+    const hashedPassword = await hashPassword(body.password);
+    const user = await db.create({
+      collection: this.collection.slug,
+      data: { ...extraFields, email: inviteeEmail, password: hashedPassword }
+    });
+    const sessionToken = await signCollectionToken({
+      sub: user.id,
+      email: inviteeEmail,
+      collection: this.collection.slug
+    });
+    const { subject, html } = buildWelcomeEmail(config, { email: inviteeEmail });
+    sendEmail(config, { to: inviteeEmail, subject, html }).catch(
+      (err) => console.error("[dyrected/core] Failed to send welcome email:", err)
+    );
+    const { password: _, ...safeUser } = user;
+    return c.json({ token: sessionToken, user: safeUser }, 201);
+  }
+};
+
+// src/controllers/preview.controller.ts
+var import_jose2 = require("jose");
+var import_node_util3 = require("util");
+var PreviewController = class {
+  getSecret() {
+    const secret = process.env.DYRECTED_JWT_SECRET || process.env.JWT_SECRET || "dyrected-preview-secret-change-me";
+    return new import_node_util3.TextEncoder().encode(secret);
+  }
+  /**
+   * POST /api/preview-token
+   * Generates a short-lived token for previewing unsaved data.
+   */
+  async createToken(c) {
+    const body = await c.req.json().catch(() => null);
+    if (!body?.collectionSlug || !body?.data) {
+      return c.json({ error: true, message: "collectionSlug and data are required." }, 400);
+    }
+    const token = await new import_jose2.SignJWT({
+      collectionSlug: body.collectionSlug,
+      documentId: body.documentId,
+      data: body.data
+    }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime("15m").sign(this.getSecret());
+    const expiresAt = new Date(Date.now() + 15 * 60 * 1e3).toISOString();
+    return c.json({ token, expiresAt });
+  }
+  /**
+   * GET /api/preview-data?token=<jwt>
+   * Returns the data stored in the preview token.
+   */
+  async getData(c) {
+    const token = c.req.query("token");
+    if (!token) {
+      return c.json({ error: true, message: "token query parameter is required." }, 400);
+    }
+    try {
+      const { payload } = await (0, import_jose2.jwtVerify)(token, this.getSecret());
+      return c.json(payload);
+    } catch (err) {
+      return c.json({ error: true, message: "Invalid or expired preview token." }, 401);
+    }
+  }
+};
+
+// src/middleware/auth.ts
+function requireAuth() {
+  return async (c, next) => {
+    const authHeader = c.req.header("Authorization");
+    const token = authHeader?.replace(/^Bearer\s+/i, "");
+    if (!token) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    try {
+      const user = await verifyCollectionToken(token);
+      c.set("user", user);
+      await next();
+    } catch {
+      return c.json({ error: true, message: "Invalid or expired token." }, 401);
+    }
+  };
+}
+function optionalAuth() {
+  return async (c, next) => {
+    const authHeader = c.req.header("Authorization");
+    const token = authHeader?.replace(/^Bearer\s+/i, "");
+    if (token) {
+      try {
+        const user = await verifyCollectionToken(token);
+        c.set("user", user);
+      } catch {
+      }
+    }
+    await next();
+  };
+}
+
+// src/utils/openapi.ts
+function generateOpenApi(config) {
+  const spec = {
+    openapi: "3.0.0",
+    info: {
+      title: "Dyrected API",
+      version: "1.0.0",
+      description: "Automatically generated OpenAPI specification for the Dyrected project."
+    },
+    components: {
+      schemas: {},
+      securitySchemes: {
+        ApiKeyAuth: {
+          type: "apiKey",
+          in: "header",
+          name: "x-api-key"
+        }
+      }
+    },
+    paths: {},
+    security: [{ ApiKeyAuth: [] }]
+  };
+  for (const collection of config.collections) {
+    spec.components.schemas[collection.slug] = collectionToSchema(collection);
+  }
+  for (const global of config.globals) {
+    spec.components.schemas[global.slug] = globalToSchema(global);
+  }
+  for (const collection of config.collections) {
+    const slug = collection.slug;
+    const path = `/api/collections/${slug}`;
+    const labels = collection.labels || { singular: slug, plural: `${slug}s` };
+    spec.paths[path] = {
+      get: {
+        tags: ["Collections"],
+        summary: `Find ${labels.plural}`,
+        parameters: [
+          { name: "limit", in: "query", schema: { type: "integer", default: 10 } },
+          { name: "page", in: "query", schema: { type: "integer", default: 1 } },
+          { name: "where", in: "query", schema: { type: "string" }, description: "JSON filter" },
+          { name: "sort", in: "query", schema: { type: "string" }, description: "Sort field (e.g. -createdAt)" }
+        ],
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: {
+                  type: "object",
+                  properties: {
+                    docs: { type: "array", items: { $ref: `#/components/schemas/${slug}` } },
+                    total: { type: "integer" },
+                    limit: { type: "integer" },
+                    page: { type: "integer" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      post: {
+        tags: ["Collections"],
+        summary: `Create ${labels.singular}`,
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: { $ref: `#/components/schemas/${slug}` }
+            }
+          }
+        },
+        responses: {
+          201: {
+            description: "Created",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      }
+    };
+    spec.paths[`${path}/{id}`] = {
+      get: {
+        tags: ["Collections"],
+        summary: `Get a single ${labels.singular}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      },
+      patch: {
+        tags: ["Collections"],
+        summary: `Update ${labels.singular}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: { $ref: `#/components/schemas/${slug}` }
+            }
+          }
+        },
+        responses: {
+          200: {
+            description: "Updated",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      },
+      delete: {
+        tags: ["Collections"],
+        summary: `Delete ${labels.singular}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        responses: {
+          204: { description: "Deleted" }
+        }
+      }
+    };
+  }
+  for (const global of config.globals) {
+    const slug = global.slug;
+    const path = `/api/globals/${slug}`;
+    spec.paths[path] = {
+      get: {
+        tags: ["Globals"],
+        summary: `Get ${global.label || slug}`,
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      },
+      patch: {
+        tags: ["Globals"],
+        summary: `Update ${global.label || slug}`,
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: { $ref: `#/components/schemas/${slug}` }
+            }
+          }
+        },
+        responses: {
+          200: {
+            description: "Updated",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      }
+    };
+  }
+  if (config.storage) {
+    spec.paths["/api/media"] = {
+      get: {
+        tags: ["Media"],
+        summary: "List Media",
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: {
+                  type: "object",
+                  properties: {
+                    docs: { type: "array", items: { type: "object", additionalProperties: true } }
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      post: {
+        tags: ["Media"],
+        summary: "Upload Media",
+        requestBody: {
+          content: {
+            "multipart/form-data": {
+              schema: {
+                type: "object",
+                properties: {
+                  file: { type: "string", format: "binary" }
+                }
+              }
+            }
+          }
+        },
+        responses: {
+          201: { description: "Uploaded" }
+        }
+      }
+    };
+  }
+  return spec;
+}
+function collectionToSchema(collection) {
+  const { properties, required } = fieldsToProperties(collection.fields);
+  return {
+    type: "object",
+    properties: {
+      id: { type: "string" },
+      createdAt: { type: "string", format: "date-time" },
+      updatedAt: { type: "string", format: "date-time" },
+      ...properties
+    },
+    required: ["id", ...required]
+  };
+}
+function globalToSchema(global) {
+  const { properties, required } = fieldsToProperties(global.fields);
+  return {
+    type: "object",
+    properties,
+    required
+  };
+}
+function fieldsToProperties(fields) {
+  const props = {};
+  const required = [];
+  for (const field of fields) {
+    props[field.name] = fieldToSchema(field);
+    if (field.required) {
+      required.push(field.name);
+    }
+  }
+  return { properties: props, required };
+}
+function fieldToSchema(field) {
+  let schema = {};
+  switch (field.type) {
+    case "text":
+    case "textarea":
+    case "email":
+    case "url":
+      schema = { type: "string" };
+      break;
+    case "number":
+      schema = { type: "number" };
+      break;
+    case "boolean":
+      schema = { type: "boolean" };
+      break;
+    case "date":
+      schema = { type: "string", format: "date-time" };
+      break;
+    case "select":
+      schema = { type: "string", enum: field.options?.map((o) => typeof o === "string" ? o : o.value) };
+      break;
+    case "multiSelect":
+      schema = {
+        type: "array",
+        items: { type: "string", enum: field.options?.map((o) => typeof o === "string" ? o : o.value) }
+      };
+      break;
+    case "relationship":
+      schema = { type: "string", description: `ID of a ${field.relationTo} record` };
+      break;
+    case "object": {
+      const { properties, required } = fieldsToProperties(field.fields || []);
+      schema = { type: "object", properties, required };
+      break;
+    }
+    case "array": {
+      const { properties, required } = fieldsToProperties(field.fields || []);
+      schema = { type: "array", items: { type: "object", properties, required } };
+      break;
+    }
+    case "json":
+    case "richText":
+      schema = { type: "object", additionalProperties: true };
+      break;
+    case "blocks":
+      schema = {
+        type: "array",
+        items: {
+          oneOf: field.blocks?.map((block) => {
+            const { properties, required } = fieldsToProperties(block.fields);
+            return {
+              type: "object",
+              properties: {
+                blockType: { type: "string", enum: [block.slug] },
+                ...properties
+              },
+              required: ["blockType", ...required]
+            };
+          })
+        }
+      };
+      break;
+    default:
+      schema = { type: "string" };
+  }
+  if (field.label) schema.description = field.label;
+  return schema;
+}
+
+// src/utils/swagger.ts
+function getSwaggerHtml(specUrl = "/api/openapi.json") {
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <meta name="description" content="SwaggerUI" />
+  <title>Dyrected API Documentation</title>
+  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui.css" />
+</head>
+<body>
+<div id="swagger-ui"></div>
+<script src="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-bundle.js" charset="UTF-8"></script>
+<script src="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-standalone-preset.js" charset="UTF-8"></script>
+<script>
+  window.onload = () => {
+    // Forward the apikey query param when loading the spec and making API calls
+    const params = new URLSearchParams(window.location.search);
+    const apiKey = params.get('apikey');
+    const specUrlWithKey = apiKey ? '${specUrl}?apikey=' + encodeURIComponent(apiKey) : '${specUrl}';
+
+    window.ui = SwaggerUIBundle({
+      url: specUrlWithKey,
+      dom_id: '#swagger-ui',
+      presets: [
+        SwaggerUIBundle.presets.apis,
+        SwaggerUIStandalonePreset
+      ],
+      layout: "BaseLayout",
+      deepLinking: true,
+      showExtensions: true,
+      showCommonExtensions: true,
+      // Inject x-api-key header on every request made from the Swagger UI
+      requestInterceptor: (request) => {
+        if (apiKey) {
+          request.headers['x-api-key'] = apiKey;
+        }
+        return request;
+      }
+    });
+  };
+</script>
+</body>
+</html>
+  `;
+}
+
+// src/auth/jexl.ts
+var import_jexl = __toESM(require("jexl"), 1);
+async function evaluateAccess(expression, context) {
+  if (expression === void 0 || expression === null) return false;
+  if (typeof expression === "boolean") return expression;
+  try {
+    const result = await import_jexl.default.eval(expression, context);
+    return !!result;
+  } catch (err) {
+    console.error("[dyrected/core] Jexl evaluation failed:", err);
+    return false;
+  }
+}
+
+// src/router.ts
+function accessGate(target, action) {
+  return async (c, next) => {
+    const user = c.get("user");
+    const accessExpr = target.access?.[action];
+    if (accessExpr === void 0 || accessExpr === null) {
+      return await next();
+    }
+    const accessArgs = { user, req: c.req, doc: null };
+    const allowed = await evaluateAccess(accessExpr, accessArgs);
+    if (!allowed) {
+      return c.json({ error: true, message: `Access denied: ${action} on ${target.slug}` }, 403);
+    }
+    await next();
+  };
+}
+function registerRoutes(app, config) {
+  app.get("/api/schemas", optionalAuth(), async (c) => {
+    const siteId = c.req.header("X-Site-Id");
+    let collections = [...config.collections];
+    let globals = [...config.globals];
+    if (siteId && config.onSchemaFetch) {
+      const dynamic = await config.onSchemaFetch(siteId);
+      if (dynamic.collections) collections = [...collections, ...dynamic.collections];
+      if (dynamic.globals) globals = [...globals, ...dynamic.globals];
+      if (dynamic.admin) {
+        config.admin = { ...config.admin, ...dynamic.admin };
+      }
+    }
+    const user = c.get("user");
+    const accessArgs = { user, req: c.req, doc: null };
+    const resolveAccess = async (access) => {
+      if (access === void 0 || access === null) return true;
+      if (typeof access === "function") {
+        try {
+          const result = await access(accessArgs);
+          return typeof result === "boolean" ? result : !!result;
+        } catch (err) {
+          console.error("[dyrected/core] Functional access check failed:", err);
+          return false;
+        }
+      }
+      if (typeof access === "string" || typeof access === "boolean") {
+        return evaluateAccess(access, accessArgs);
+      }
+      return true;
+    };
+    const filteredCollections = await Promise.all(collections.filter((col) => !siteId || col.shared || !col.siteId || col.siteId === siteId).map(async (col) => ({
+      slug: col.slug,
+      labels: col.labels,
+      access: {
+        read: await resolveAccess(col.access?.read),
+        create: await resolveAccess(col.access?.create),
+        update: await resolveAccess(col.access?.update),
+        delete: await resolveAccess(col.access?.delete)
+      },
+      fields: await Promise.all(col.fields.map(async (f) => ({
+        name: f.name,
+        type: f.type,
+        label: f.label,
+        required: f.required,
+        defaultValue: f.defaultValue,
+        options: f.options,
+        relationTo: f.relationTo,
+        hasMany: f.hasMany,
+        fields: f.fields,
+        blocks: f.blocks,
+        admin: f.admin,
+        access: {
+          read: await resolveAccess(f.access?.read),
+          update: await resolveAccess(f.access?.update)
+        }
+      }))),
+      upload: !!col.upload,
+      auth: !!col.auth,
+      admin: col.admin
+    })));
+    const filteredGlobals = await Promise.all(globals.filter((glb) => !siteId || glb.shared || !glb.siteId || glb.siteId === siteId).map(async (glb) => ({
+      slug: glb.slug,
+      label: glb.label,
+      access: {
+        read: await resolveAccess(glb.access?.read),
+        update: await resolveAccess(glb.access?.update)
+      },
+      fields: await Promise.all(glb.fields.map(async (f) => ({
+        name: f.name,
+        type: f.type,
+        label: f.label,
+        required: f.required,
+        defaultValue: f.defaultValue,
+        options: f.options,
+        relationTo: f.relationTo,
+        hasMany: f.hasMany,
+        fields: f.fields,
+        blocks: f.blocks,
+        admin: f.admin,
+        access: {
+          read: await resolveAccess(f.access?.read),
+          update: await resolveAccess(f.access?.update)
+        }
+      }))),
+      admin: glb.admin
+    })));
+    return c.json({
+      collections: filteredCollections,
+      globals: filteredGlobals,
+      admin: config.admin || {}
+    });
+  });
+  app.get("/api/openapi.json", (c) => {
+    return c.json(generateOpenApi(config));
+  });
+  app.get("/api/docs", (c) => {
+    return c.html(getSwaggerHtml());
+  });
+  app.get("/api/media/:filename{.+$}", async (c) => {
+    const mediaController = new MediaController("media");
+    return mediaController.serve(c);
+  });
+  app.get("/media/:filename{.+$}", async (c) => {
+    const mediaController = new MediaController("media");
+    return mediaController.serve(c);
+  });
+  if (config.storage) {
+    const uploadCollections = config.collections.filter((c) => c.upload);
+    for (const col of uploadCollections) {
+      const mediaController = new MediaController(col.slug);
+      const prefix = `/api/collections/${col.slug}`;
+      app.get(`${prefix}/media`, accessGate(col, "read"), (c) => mediaController.find(c));
+      app.get(`${prefix}/media/:filename{.+$}`, (c) => mediaController.serve(c));
+      app.post(`${prefix}/media`, accessGate(col, "create"), (c) => mediaController.upload(c));
+      app.delete(`${prefix}/media/:id`, accessGate(col, "delete"), (c) => mediaController.delete(c));
+    }
+  }
+  for (const collection of config.collections) {
+    if (!collection.auth) continue;
+    const path = `/api/collections/${collection.slug}`;
+    const authController = new AuthController(collection);
+    app.post(`${path}/login`, (c) => authController.login(c));
+    app.post(`${path}/logout`, (c) => authController.logout(c));
+    app.get(`${path}/init`, (c) => authController.init(c));
+    app.post(`${path}/first-user`, (c) => authController.registerFirstUser(c));
+    app.get(`${path}/me`, requireAuth(), (c) => authController.me(c));
+    app.post(`${path}/refresh-token`, requireAuth(), (c) => authController.refreshToken(c));
+    app.post(`${path}/forgot-password`, (c) => authController.forgotPassword(c));
+    app.post(`${path}/reset-password`, (c) => authController.resetPassword(c));
+    app.post(`${path}/invite`, requireAuth(), (c) => authController.invite(c));
+    app.post(`${path}/accept-invite`, (c) => authController.acceptInvite(c));
+  }
+  for (const collection of config.collections) {
+    const path = `/api/collections/${collection.slug}`;
+    const controller = new CollectionController(collection);
+    app.get(path, accessGate(collection, "read"), (c) => controller.find(c));
+    app.post(path, accessGate(collection, "create"), (c) => controller.create(c));
+    app.post(`${path}/media`, accessGate(collection, "create"), (c) => controller.create(c));
+    app.delete(`${path}/delete-many`, accessGate(collection, "delete"), (c) => controller.deleteMany(c));
+    app.get(`${path}/:id`, accessGate(collection, "read"), (c) => controller.findOne(c));
+    app.patch(`${path}/:id`, accessGate(collection, "update"), (c) => controller.update(c));
+    app.delete(`${path}/:id`, accessGate(collection, "delete"), (c) => controller.delete(c));
+    app.post(`${path}/seed`, (c) => controller.seed(c));
+  }
+  for (const global of config.globals) {
+    const path = `/api/globals/${global.slug}`;
+    const controller = new GlobalController(global);
+    app.get(path, accessGate(global, "read"), (c) => controller.get(c));
+    app.patch(path, accessGate(global, "update"), (c) => controller.update(c));
+    app.post(`${path}/seed`, (c) => controller.seed(c));
+  }
+  const previewController = new PreviewController();
+  app.post("/api/preview-token", requireAuth(), (c) => previewController.createToken(c));
+  app.get("/api/preview-data", (c) => previewController.getData(c));
+  app.all("/api/collections/:slug/:id?", async (c) => {
+    const slug = c.req.param("slug");
+    const id = c.req.param("id");
+    const siteId = c.req.header("X-Site-Id") || c.get("siteId");
+    const config2 = c.get("config");
+    if (config2.collections.some((col) => col.slug === slug)) {
+      return c.json({ message: "Method Not Allowed" }, 405);
+    }
+    if (config2.onSchemaFetch && siteId) {
+      const dynamic = await config2.onSchemaFetch(siteId);
+      let collection = dynamic.collections?.find((col) => col.slug === slug);
+      if (!collection && slug === "media") {
+        collection = {
+          slug: "media",
+          labels: { singular: "Media", plural: "Media" },
+          upload: true,
+          fields: []
+        };
+      }
+      if (collection) {
+        if (collection.auth && id) {
+          const authController = new AuthController(collection);
+          const method2 = c.req.method;
+          if (method2 === "POST" && id === "login") return authController.login(c);
+          if (method2 === "POST" && id === "logout") return authController.logout(c);
+          if (method2 === "GET" && id === "me") return authController.me(c);
+          if (method2 === "POST" && id === "refresh-token") return authController.refreshToken(c);
+          if (method2 === "POST" && id === "forgot-password") return authController.forgotPassword(c);
+          if (method2 === "POST" && id === "reset-password") return authController.resetPassword(c);
+        }
+        const controller = new CollectionController(collection);
+        const method = c.req.method;
+        if (id) {
+          if (method === "GET") return controller.findOne(c);
+          if (method === "PATCH") return controller.update(c);
+          if (method === "DELETE" && id === "delete-many") return controller.deleteMany(c);
+          if (method === "DELETE") return controller.delete(c);
+          if (method === "POST" && id === "media") return controller.create(c);
+          if (method === "POST" && id === "seed") return controller.seed(c);
+        } else {
+          if (method === "GET") return controller.find(c);
+          if (method === "POST") return controller.create(c);
+        }
+      }
+    }
+    return c.json({ message: `Collection "${slug}" not found` }, 404);
+  });
+  app.all("/api/globals/:slug", async (c) => {
+    const slug = c.req.param("slug");
+    const siteId = c.req.header("X-Site-Id") || c.get("siteId");
+    const config2 = c.get("config");
+    if (config2.globals.some((glb) => glb.slug === slug)) {
+      return c.json({ message: "Method Not Allowed" }, 405);
+    }
+    if (config2.onSchemaFetch && siteId) {
+      const dynamic = await config2.onSchemaFetch(siteId);
+      const global = dynamic.globals?.find((glb) => glb.slug === slug);
+      if (global) {
+        const controller = new GlobalController(global);
+        if (c.req.method === "GET") return controller.get(c);
+        if (c.req.method === "PATCH") return controller.update(c);
+      }
+    }
+    return c.json({ message: `Global "${slug}" not found` }, 404);
+  });
+}
+
+// src/app.ts
+async function createDyrectedApp(rawConfig) {
+  const config = normalizeConfig(rawConfig);
+  const app = new import_hono.Hono();
+  if (config.db?.sync) {
+    await config.db.sync(config.collections, config.globals);
+  }
+  app.use("*", (0, import_request_id.requestId)());
+  app.use("*", optionalAuth());
+  app.use("*", async (c, next) => {
+    const start = Date.now();
+    await next();
+    const ms = Date.now() - start;
+    console.log(`[dyrected/api] ${c.req.method} ${c.req.path} ${c.res.status} - ${ms}ms`);
+  });
+  app.use("*", (0, import_cors.cors)());
+  app.use("*", async (c, next) => {
+    c.set("config", config);
+    if (!c.get("siteId")) {
+      c.set("siteId", "default");
+    }
+    await next();
+  });
+  app.get("/health", (c) => c.json({ status: "ok", version: "0.0.1" }));
+  app.get("/routes", (c) => {
+    const routes = app.routes.map((r) => ({ method: r.method, path: r.path }));
+    return c.json({ routes });
+  });
+  app.onError((err, c) => {
+    console.error(`[dyrected/core] Uncaught Error:`, err);
+    return c.json({
+      message: err.message || "Internal Server Error",
+      stack: process.env.NODE_ENV === "development" ? err.stack : void 0
+    }, 500);
+  });
+  registerRoutes(app, config);
+  return app;
+}
+
 // src/index.ts
 function defineCollection(config) {
   return config;
@@ -552,9 +2883,13 @@ function defineConfig(config) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  createDyrectedApp,
   defineCollection,
   defineConfig,
   defineGlobal,
   generateAIPrompt,
-  normalizeConfig
+  generateFreshSetupPrompt,
+  normalizeConfig,
+  parseMongoWhere,
+  parseSqlWhere
 });