@dyrected/core 2.5.13 → 2.5.16

package/dist/chunk-3FZEUK36.js

@@ -0,0 +1,2470 @@
+// src/utils/config.ts
+var AUDIT_COLLECTION_SLUG = "__audit";
+var SYSTEM_FIELDS = [
+  {
+    name: "createdAt",
+    type: "date",
+    label: "Created At",
+    admin: { readOnly: true, hidden: true }
+  },
+  {
+    name: "updatedAt",
+    type: "date",
+    label: "Updated At",
+    admin: { readOnly: true, hidden: true }
+  },
+  {
+    name: "createdBy",
+    type: "text",
+    label: "Created By",
+    admin: { readOnly: true, hidden: true }
+  },
+  {
+    name: "updatedBy",
+    type: "text",
+    label: "Updated By",
+    admin: { readOnly: true, hidden: true }
+  }
+];
+var AUDIT_COLLECTION = {
+  slug: AUDIT_COLLECTION_SLUG,
+  labels: { singular: "Audit Log", plural: "Audit Logs" },
+  fields: [
+    { name: "collection", type: "text", label: "Collection", required: true },
+    { name: "documentId", type: "text", label: "Document ID" },
+    { name: "operation", type: "select", label: "Operation", options: ["create", "update", "delete"], required: true },
+    { name: "user", type: "text", label: "User ID" },
+    { name: "timestamp", type: "date", label: "Timestamp", required: true },
+    { name: "changes", type: "json", label: "Changes" }
+  ],
+  admin: { hidden: true }
+};
+function normalizeConfig(config) {
+  const collections = config?.collections || [];
+  const globals = config?.globals || [];
+  const needsAudit = collections.some((col) => col.audit);
+  const normalizedCollections = collections.map((col) => {
+    let fields = col.fields || [];
+    const existingFieldNames = new Set(fields.map((f) => f.name));
+    if (col.auth) {
+      if (!existingFieldNames.has("email")) {
+        fields = [
+          ...fields,
+          {
+            name: "email",
+            type: "email",
+            label: "Email",
+            required: true,
+            unique: true,
+            promoted: true,
+            access: {
+              update: "!id"
+            }
+          }
+        ];
+      }
+      if (!existingFieldNames.has("password")) {
+        fields = [
+          ...fields,
+          {
+            name: "password",
+            type: "text",
+            label: "Password",
+            required: true,
+            access: {
+              update: "!id || user.id == id"
+            }
+          }
+        ];
+      }
+      if (!existingFieldNames.has("roles")) {
+        fields = [
+          ...fields,
+          {
+            name: "roles",
+            type: "select",
+            label: "Roles",
+            defaultValue: [],
+            options: [
+              { value: "admin", label: "Admin" },
+              { value: "editor", label: "Editor" },
+              { value: "viewer", label: "Viewer" }
+            ],
+            access: {
+              update: "user.roles && 'admin' in user.roles"
+            }
+          }
+        ];
+      }
+      fields = fields.map((field) => {
+        if (field.name === "email") {
+          return {
+            ...field,
+            access: {
+              ...field.access || {},
+              update: "!id"
+            }
+          };
+        }
+        if (field.name === "password") {
+          return {
+            ...field,
+            admin: { ...field.admin || {} },
+            access: {
+              ...field.access || {},
+              update: "!id || user.id == id"
+            }
+          };
+        }
+        if (field.name === "roles") {
+          return {
+            ...field,
+            access: {
+              ...field.access || {},
+              // Must be an admin; cannot edit own roles (no self-elevation).
+              update: "user.roles && 'admin' in user.roles && user.id != id"
+            }
+          };
+        }
+        return field;
+      });
+    }
+    const updatedFieldNames = new Set(fields.map((f) => f.name));
+    const fieldsToInject = SYSTEM_FIELDS.filter((f) => !updatedFieldNames.has(f.name));
+    return {
+      ...col,
+      fields: [...fields, ...fieldsToInject]
+    };
+  });
+  const hasAuditCollection = normalizedCollections.some((col) => col.slug === AUDIT_COLLECTION_SLUG);
+  return {
+    ...config,
+    collections: [...normalizedCollections, ...needsAudit && !hasAuditCollection ? [AUDIT_COLLECTION] : []],
+    globals
+  };
+}
+
+// src/utils/hooks.ts
+async function runCollectionHooks(hooks, args) {
+  if (!hooks || hooks.length === 0) {
+    return args.data ?? args.doc ?? void 0;
+  }
+  let currentPayload = args.data ?? args.doc ?? void 0;
+  for (const hook of hooks) {
+    const result = await hook({
+      ...args,
+      data: args.data !== void 0 ? currentPayload : void 0,
+      doc: args.doc !== void 0 ? currentPayload : void 0
+    });
+    if (result !== void 0) {
+      currentPayload = result;
+    }
+  }
+  return currentPayload;
+}
+async function executeFieldBeforeChange(fields, data, originalDoc, user) {
+  if (!data || typeof data !== "object") return data;
+  const result = { ...data };
+  for (const field of fields) {
+    if (!field.name) continue;
+    const value = result[field.name];
+    const origValue = originalDoc?.[field.name];
+    let updatedValue = value;
+    if (field.hooks?.beforeChange) {
+      for (const hook of field.hooks.beforeChange) {
+        updatedValue = await hook({
+          value: updatedValue,
+          originalDoc,
+          data: result,
+          user
+        });
+      }
+      result[field.name] = updatedValue;
+    }
+    if (updatedValue !== void 0 && updatedValue !== null) {
+      if (field.type === "object" && field.fields) {
+        result[field.name] = await executeFieldBeforeChange(
+          field.fields,
+          updatedValue,
+          origValue,
+          user
+        );
+      } else if (field.type === "array" && field.fields && Array.isArray(updatedValue)) {
+        const arrayResult = [];
+        for (let i = 0; i < updatedValue.length; i++) {
+          const item = updatedValue[i];
+          const origItem = Array.isArray(origValue) ? origValue[i] : void 0;
+          const processedItem = await executeFieldBeforeChange(
+            field.fields,
+            item,
+            origItem,
+            user
+          );
+          arrayResult.push(processedItem);
+        }
+        result[field.name] = arrayResult;
+      } else if (field.type === "blocks" && field.blocks && Array.isArray(updatedValue)) {
+        const blocksResult = [];
+        for (let i = 0; i < updatedValue.length; i++) {
+          const blockData = updatedValue[i];
+          const origBlock = Array.isArray(origValue) ? origValue[i] : void 0;
+          const blockConfig = field.blocks.find((b) => b.slug === blockData.blockType);
+          if (blockConfig) {
+            const processedBlock = await executeFieldBeforeChange(
+              blockConfig.fields,
+              blockData,
+              origBlock,
+              user
+            );
+            blocksResult.push(processedBlock);
+          } else {
+            blocksResult.push(blockData);
+          }
+        }
+        result[field.name] = blocksResult;
+      }
+    }
+  }
+  return result;
+}
+async function executeFieldAfterRead(fields, doc, user) {
+  if (!doc || typeof doc !== "object") return doc;
+  const result = { ...doc };
+  for (const field of fields) {
+    if (!field.name) continue;
+    const value = result[field.name];
+    let updatedValue = value;
+    if (field.hooks?.afterRead) {
+      for (const hook of field.hooks.afterRead) {
+        updatedValue = await hook({
+          value: updatedValue,
+          doc: result,
+          user
+        });
+      }
+      result[field.name] = updatedValue;
+    }
+    if (updatedValue !== void 0 && updatedValue !== null) {
+      if (field.type === "object" && field.fields) {
+        result[field.name] = await executeFieldAfterRead(
+          field.fields,
+          updatedValue,
+          user
+        );
+      } else if (field.type === "array" && field.fields && Array.isArray(updatedValue)) {
+        const arrayResult = [];
+        for (const item of updatedValue) {
+          const processedItem = await executeFieldAfterRead(
+            field.fields,
+            item,
+            user
+          );
+          arrayResult.push(processedItem);
+        }
+        result[field.name] = arrayResult;
+      } else if (field.type === "blocks" && field.blocks && Array.isArray(updatedValue)) {
+        const blocksResult = [];
+        for (const blockData of updatedValue) {
+          const blockConfig = field.blocks.find((b) => b.slug === blockData.blockType);
+          if (blockConfig) {
+            const processedBlock = await executeFieldAfterRead(
+              blockConfig.fields,
+              blockData,
+              user
+            );
+            blocksResult.push(processedBlock);
+          } else {
+            blocksResult.push(blockData);
+          }
+        }
+        result[field.name] = blocksResult;
+      }
+    }
+  }
+  return result;
+}
+
+// src/services/defaults.service.ts
+var DefaultsService = class {
+  /**
+   * Recursively apply default values to a data object based on field definitions.
+   */
+  static apply(fields, data = {}) {
+    const result = { ...data || {} };
+    fields.forEach((field) => {
+      if (field.type === "join") return;
+      if (field.type === "row" && field.fields) {
+        Object.assign(result, this.apply(field.fields, data));
+        return;
+      }
+      if (!field.name) return;
+      let value = result[field.name];
+      if ((value === void 0 || value === null) && field.renameTo) {
+        const legacyValue = result[field.renameTo];
+        if (legacyValue !== void 0 && legacyValue !== null) {
+          value = legacyValue;
+          result[field.name] = legacyValue;
+        }
+      }
+      if (value === void 0 || value === null) {
+        if (field.defaultValue !== void 0) {
+          result[field.name] = field.defaultValue;
+        } else {
+          if (field.type === "boolean") result[field.name] = false;
+          else if (field.type === "array") result[field.name] = [];
+          else if (field.type === "multiSelect") result[field.name] = [];
+          else if (field.type === "object") {
+            result[field.name] = this.apply(field.fields || [], {});
+          }
+        }
+      } else if (field.type === "object" && field.fields) {
+        result[field.name] = this.apply(field.fields, value);
+      } else if (field.type === "array" && field.fields && Array.isArray(value)) {
+        result[field.name] = value.map((item) => this.apply(field.fields, item));
+      }
+    });
+    return result;
+  }
+};
+
+// src/services/population.service.ts
+var PopulationService = class {
+  db;
+  collections;
+  constructor(db, collections) {
+    this.db = db;
+    this.collections = collections;
+  }
+  /**
+   * Recursively populate relationship fields in a document or array of documents.
+   */
+  async populate(args) {
+    const { data, fields, currentDepth = 0, maxDepth = 10 } = args;
+    if (currentDepth >= maxDepth || !data) {
+      return data;
+    }
+    if (Array.isArray(data)) {
+      return Promise.all(data.map((item) => this.populate({ ...args, data: item })));
+    }
+    const populatedDoc = { ...data };
+    for (const field of fields) {
+      if (field.type === "join") continue;
+      if (field.type === "row" && field.fields) {
+        const rowPopulated = await this.populate({ data, fields: field.fields, currentDepth, maxDepth });
+        Object.assign(populatedDoc, rowPopulated);
+        continue;
+      }
+      if (!field.name) continue;
+      const value = populatedDoc[field.name];
+      if (field.type === "relationship" && field.relationTo && value) {
+        const relatedCollection = this.collections.find((c) => c.slug === field.relationTo);
+        if (!relatedCollection) continue;
+        if (Array.isArray(value)) {
+          populatedDoc[field.name] = await Promise.all(
+            value.map(async (id) => {
+              if (!id) return id;
+              let doc = id;
+              if (typeof id === "string") {
+                doc = await this.db.findOne({ collection: field.relationTo, id });
+              }
+              if (!doc || typeof doc !== "object") return id;
+              const docWithDefaults = DefaultsService.apply(relatedCollection.fields, doc);
+              return this.populate({
+                data: docWithDefaults,
+                fields: relatedCollection.fields,
+                currentDepth: currentDepth + 1,
+                maxDepth
+              });
+            })
+          );
+        } else if (value) {
+          let doc = value;
+          if (typeof value === "string") {
+            doc = await this.db.findOne({ collection: field.relationTo, id: value });
+          }
+          if (doc && typeof doc === "object") {
+            const docWithDefaults = DefaultsService.apply(relatedCollection.fields, doc);
+            populatedDoc[field.name] = await this.populate({
+              data: docWithDefaults,
+              fields: relatedCollection.fields,
+              currentDepth: currentDepth + 1,
+              maxDepth
+            });
+          }
+        }
+      }
+      if (field.type === "url" && value && typeof value === "object" && value.type === "internal" && value.relationTo && value.value) {
+        const relatedCollection = this.collections.find((c) => c.slug === value.relationTo);
+        if (relatedCollection) {
+          const doc = await this.db.findOne({ collection: value.relationTo, id: value.value });
+          if (doc && typeof doc === "object") {
+            const docWithDefaults = DefaultsService.apply(relatedCollection.fields, doc);
+            const populatedDocValue = await this.populate({
+              data: docWithDefaults,
+              fields: relatedCollection.fields,
+              currentDepth: currentDepth + 1,
+              maxDepth
+            });
+            const identifier = docWithDefaults.slug || docWithDefaults.id;
+            const resolvedUrl = `/collections/${value.relationTo}/${identifier}`;
+            populatedDoc[field.name] = {
+              ...value,
+              url: resolvedUrl,
+              doc: populatedDocValue
+            };
+          }
+        }
+      }
+      if ((field.type === "array" || field.type === "object") && field.fields && value) {
+        populatedDoc[field.name] = await this.populate({
+          data: value,
+          fields: field.fields,
+          currentDepth,
+          // Nested fields don't consume depth, only relationships do
+          maxDepth
+        });
+      }
+      if (field.type === "blocks" && field.blocks && Array.isArray(value)) {
+        populatedDoc[field.name] = await Promise.all(
+          value.map(async (blockData) => {
+            const blockConfig = field.blocks.find((b) => b.slug === blockData.blockType);
+            if (!blockConfig) return blockData;
+            return this.populate({
+              data: blockData,
+              fields: blockConfig.fields,
+              currentDepth,
+              maxDepth
+            });
+          })
+        );
+      }
+    }
+    return populatedDoc;
+  }
+  /**
+   * Helper to populate a PaginatedResult
+   */
+  async populateResult(result, fields, maxDepth) {
+    if (maxDepth <= 0) return result;
+    const populatedDocs = await this.populate({
+      data: result.docs,
+      fields,
+      currentDepth: 0,
+      maxDepth
+    });
+    return {
+      ...result,
+      docs: populatedDocs
+    };
+  }
+};
+
+// src/services/audit.service.ts
+var AuditService = class {
+  /**
+   * Writes a single entry to the __audit collection.
+   * Called without await — runs asynchronously and never blocks the primary operation.
+   */
+  static async log(db, args) {
+    try {
+      await db.create({
+        collection: "__audit",
+        data: {
+          collection: args.collection,
+          documentId: args.documentId ?? null,
+          operation: args.operation,
+          user: args.user?.id ?? null,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          changes: JSON.stringify({
+            before: args.before ?? null,
+            after: args.after ?? null
+          })
+        }
+      });
+    } catch (err) {
+      console.error("[dyrected/audit] Failed to write audit log:", err);
+    }
+  }
+};
+
+// src/auth/password.ts
+import { promisify } from "util";
+import { scrypt, randomBytes, timingSafeEqual } from "crypto";
+var scryptAsync = promisify(scrypt);
+var SALT_LEN = 16;
+var KEY_LEN = 64;
+async function hashPassword(plain) {
+  const salt = randomBytes(SALT_LEN).toString("hex");
+  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
+  return `${salt}:${derivedKey.toString("hex")}`;
+}
+async function verifyPassword(plain, stored) {
+  const [salt, storedHash] = stored.split(":");
+  if (!salt || !storedHash) return false;
+  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
+  const storedBuffer = Buffer.from(storedHash, "hex");
+  if (derivedKey.length !== storedBuffer.length) return false;
+  return timingSafeEqual(derivedKey, storedBuffer);
+}
+
+// src/controllers/collection.controller.ts
+var CollectionController = class {
+  collection;
+  constructor(collection) {
+    this.collection = collection;
+  }
+  async find(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const limit = Number(c.req.query("limit")) || 10;
+    const page = Number(c.req.query("page")) || 1;
+    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 2;
+    const sort = c.req.query("sort") || void 0;
+    const user = c.get("user");
+    let where = void 0;
+    const whereRaw = c.req.query("where");
+    if (whereRaw) {
+      try {
+        where = JSON.parse(decodeURIComponent(whereRaw));
+      } catch {
+      }
+    }
+    const beforeReadResult = await runCollectionHooks(this.collection.hooks?.beforeRead, {
+      req: c.req,
+      query: where,
+      user
+    });
+    if (beforeReadResult !== void 0) {
+      where = beforeReadResult;
+    }
+    let result = await db.find({
+      collection: this.collection.slug,
+      limit,
+      page,
+      sort,
+      where
+    });
+    if (result.total === 0 && this.collection.initialData && !where && page === 1) {
+      console.log(`[dyrected/core] Auto-seeding collection "${this.collection.slug}" from config.initialData`);
+      for (const data of this.collection.initialData) {
+        await db.create({ collection: this.collection.slug, data });
+      }
+      result = await db.find({
+        collection: this.collection.slug,
+        limit,
+        page,
+        sort,
+        where
+      });
+    }
+    result.docs = result.docs.map((doc) => DefaultsService.apply(this.collection.fields, doc));
+    const processedDocs = [];
+    for (const doc of result.docs) {
+      const docWithCollectionHooks = await runCollectionHooks(this.collection.hooks?.afterRead, {
+        doc,
+        req: c.req,
+        user
+      });
+      const docWithFieldHooks = await executeFieldAfterRead(this.collection.fields, docWithCollectionHooks, user);
+      processedDocs.push(docWithFieldHooks);
+    }
+    result.docs = processedDocs;
+    if (depth > 0) {
+      const populationService = new PopulationService(db, config.collections);
+      result = await populationService.populateResult(result, this.collection.fields, depth);
+    }
+    return c.json(result);
+  }
+  async findOne(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 10;
+    const user = c.get("user");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const doc = await db.findOne({ collection: this.collection.slug, id });
+    if (!doc) return c.json({ message: "Not Found" }, 404);
+    const docWithDefaults = DefaultsService.apply(this.collection.fields, doc);
+    const docWithCollectionHooks = await runCollectionHooks(this.collection.hooks?.afterRead, {
+      doc: docWithDefaults,
+      req: c.req,
+      user
+    });
+    const docWithFieldHooks = await executeFieldAfterRead(this.collection.fields, docWithCollectionHooks, user);
+    if (depth > 0 && docWithFieldHooks) {
+      const populationService = new PopulationService(db, config.collections);
+      const populatedDoc = await populationService.populate({
+        data: docWithFieldHooks,
+        fields: this.collection.fields,
+        currentDepth: 0,
+        maxDepth: depth
+      });
+      return c.json(populatedDoc);
+    }
+    return c.json(docWithFieldHooks);
+  }
+  async create(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const contentType = c.req.header("Content-Type") || "";
+    if (contentType.toLowerCase().includes("multipart/form-data")) {
+      return this.upload(c);
+    }
+    const body = await c.req.json();
+    const user = c.get("user");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    let data = {
+      ...body,
+      createdAt: now,
+      updatedAt: now,
+      createdBy: user?.sub ?? null,
+      updatedBy: user?.sub ?? null
+    };
+    if (this.collection.auth && data.password) {
+      data.password = await hashPassword(data.password);
+    }
+    data = await executeFieldBeforeChange(this.collection.fields, data, null, user);
+    data = await runCollectionHooks(this.collection.hooks?.beforeChange, {
+      data,
+      req: c.req,
+      user,
+      operation: "create"
+    });
+    const doc = await db.create({ collection: this.collection.slug, data });
+    if (this.collection.audit && db) {
+      AuditService.log(db, {
+        operation: "create",
+        collection: this.collection.slug,
+        documentId: doc.id,
+        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+        before: null,
+        after: doc
+      });
+    }
+    await runCollectionHooks(this.collection.hooks?.afterChange, {
+      doc,
+      user,
+      req: c.req,
+      operation: "create"
+    });
+    const readDoc = await runCollectionHooks(this.collection.hooks?.afterRead, {
+      doc,
+      req: c.req,
+      user
+    });
+    const finalDoc = await executeFieldAfterRead(this.collection.fields, readDoc, user);
+    return c.json(finalDoc, 201);
+  }
+  async upload(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    if (!storage) return c.json({ message: "Storage not configured" }, 500);
+    const formData = await c.req.formData();
+    const file = formData.get("file");
+    if (!file) return c.json({ message: "No file uploaded" }, 400);
+    const buffer = new Uint8Array(await file.arrayBuffer());
+    const siteId = c.get("siteId");
+    const workspaceId = c.get("workspaceId");
+    const prefix = workspaceId ? `${workspaceId}/${siteId}` : siteId;
+    const fileData = await storage.upload({
+      filename: file.name,
+      buffer,
+      mimeType: file.type,
+      prefix
+    });
+    const otherData = {};
+    formData.forEach((value, key) => {
+      if (key !== "file" && typeof value === "string") {
+        otherData[key] = value;
+      }
+    });
+    const user = c.get("user");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    let data = {
+      ...otherData,
+      ...fileData,
+      createdAt: now,
+      updatedAt: now,
+      createdBy: user?.sub ?? null,
+      updatedBy: user?.sub ?? null
+    };
+    data = await executeFieldBeforeChange(this.collection.fields, data, null, user);
+    data = await runCollectionHooks(this.collection.hooks?.beforeChange, {
+      data,
+      req: c.req,
+      user,
+      operation: "create"
+    });
+    const doc = await config.db.create({
+      collection: this.collection.slug,
+      data
+    });
+    await runCollectionHooks(this.collection.hooks?.afterChange, {
+      doc,
+      user,
+      req: c.req,
+      operation: "create"
+    });
+    const readDoc = await runCollectionHooks(this.collection.hooks?.afterRead, {
+      doc,
+      req: c.req,
+      user
+    });
+    const finalDoc = await executeFieldAfterRead(this.collection.fields, readDoc, user);
+    return c.json(finalDoc, 201);
+  }
+  async update(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const body = await c.req.json();
+    const user = c.get("user");
+    let data = { ...body };
+    if (this.collection.auth) {
+      delete data.password;
+      delete data.oldPassword;
+      delete data.confirmPassword;
+    }
+    Object.assign(data, {
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      updatedBy: user?.sub ?? null
+    });
+    const originalDoc = await db.findOne({ collection: this.collection.slug, id });
+    if (!originalDoc) return c.json({ message: "Not Found" }, 404);
+    let before = null;
+    if (this.collection.audit) {
+      before = originalDoc;
+    }
+    data = await executeFieldBeforeChange(this.collection.fields, data, originalDoc, user);
+    data = await runCollectionHooks(this.collection.hooks?.beforeChange, {
+      data,
+      doc: originalDoc,
+      req: c.req,
+      user,
+      operation: "update"
+    });
+    const doc = await db.update({ collection: this.collection.slug, id, data });
+    if (this.collection.audit && db) {
+      AuditService.log(db, {
+        operation: "update",
+        collection: this.collection.slug,
+        documentId: id,
+        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+        before,
+        after: doc
+      });
+    }
+    await runCollectionHooks(this.collection.hooks?.afterChange, {
+      doc,
+      previousDoc: originalDoc,
+      user,
+      req: c.req,
+      operation: "update"
+    });
+    const readDoc = await runCollectionHooks(this.collection.hooks?.afterRead, {
+      doc,
+      req: c.req,
+      user
+    });
+    const finalDoc = await executeFieldAfterRead(this.collection.fields, readDoc, user);
+    return c.json(finalDoc);
+  }
+  /**
+   * POST /api/collections/:slug/:id/change-password
+   *
+   * Dedicated endpoint for password changes. Requires the caller to supply:
+   *   { oldPassword, newPassword, confirmPassword }
+   *
+   * Rules:
+   *  - Only the account owner or an admin may change the password.
+   *  - Non-admin callers MUST provide a valid oldPassword.
+   *  - newPassword and confirmPassword must match.
+   */
+  async changePassword(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    if (!this.collection.auth) {
+      return c.json({ message: "This collection does not support authentication" }, 400);
+    }
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const user = c.get("user");
+    if (!user) return c.json({ message: "Authentication required" }, 401);
+    const body = await c.req.json().catch(() => null);
+    const { oldPassword, newPassword, confirmPassword } = body ?? {};
+    if (!newPassword) {
+      return c.json({ message: "newPassword is required" }, 400);
+    }
+    if (newPassword !== confirmPassword) {
+      return c.json({ message: "Passwords do not match" }, 400);
+    }
+    if (newPassword.length < 8) {
+      return c.json({ message: "Password must be at least 8 characters" }, 400);
+    }
+    const isAdmin = Array.isArray(user.roles) && user.roles.includes("admin");
+    const isSelf = user.sub === id;
+    if (!isAdmin && !isSelf) {
+      return c.json({ message: "You are not authorised to change this password" }, 403);
+    }
+    if (!isAdmin) {
+      if (!oldPassword) {
+        return c.json({ message: "Current password is required" }, 400);
+      }
+      const existing = await db.findOne({ collection: this.collection.slug, id });
+      if (!existing) return c.json({ message: "User not found" }, 404);
+      const valid = await verifyPassword(oldPassword, existing.password);
+      if (!valid) {
+        return c.json({ message: "Invalid current password" }, 400);
+      }
+    }
+    const hashed = await hashPassword(newPassword);
+    const doc = await db.update({
+      collection: this.collection.slug,
+      id,
+      data: {
+        password: hashed,
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        updatedBy: user.sub
+      }
+    });
+    if (this.collection.audit) {
+      AuditService.log(db, {
+        operation: "update",
+        collection: this.collection.slug,
+        documentId: id,
+        user: { id: user.sub, collection: user.collection, email: user.email },
+        before: null,
+        after: { id }
+      });
+    }
+    return c.json({ success: true, message: "Password updated successfully" });
+  }
+  async delete(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const user = c.get("user");
+    const doc = await db.findOne({ collection: this.collection.slug, id });
+    if (!doc) return c.json({ message: "Not Found" }, 404);
+    let before = null;
+    if (this.collection.audit) {
+      before = doc;
+    }
+    await runCollectionHooks(this.collection.hooks?.beforeDelete, {
+      id,
+      doc,
+      user,
+      req: c.req
+    });
+    await db.delete({ collection: this.collection.slug, id });
+    if (this.collection.audit && db) {
+      AuditService.log(db, {
+        operation: "delete",
+        collection: this.collection.slug,
+        documentId: id,
+        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+        before,
+        after: null
+      });
+    }
+    await runCollectionHooks(this.collection.hooks?.afterDelete, {
+      id,
+      doc,
+      user,
+      req: c.req
+    });
+    return c.json({ message: "Deleted" });
+  }
+  async deleteMany(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const user = c.get("user");
+    let ids = [];
+    try {
+      const body = await c.req.json().catch(() => null);
+      if (body?.ids && Array.isArray(body.ids)) {
+        ids = body.ids;
+      }
+    } catch {
+    }
+    if (!ids.length) {
+      const raw = c.req.queries("ids") ?? c.req.queries("ids[]") ?? [];
+      ids = raw.filter(Boolean);
+    }
+    if (!ids.length) return c.json({ message: "No IDs provided" }, 400);
+    const deleted = [];
+    const failed = [];
+    for (const id of ids) {
+      try {
+        const doc = await db.findOne({ collection: this.collection.slug, id });
+        if (!doc) {
+          failed.push({ id, error: "Not Found" });
+          continue;
+        }
+        let before = null;
+        if (this.collection.audit) {
+          before = doc;
+        }
+        await runCollectionHooks(this.collection.hooks?.beforeDelete, {
+          id,
+          doc,
+          user,
+          req: c.req
+        });
+        await db.delete({ collection: this.collection.slug, id });
+        deleted.push(id);
+        if (this.collection.audit) {
+          AuditService.log(db, {
+            operation: "delete",
+            collection: this.collection.slug,
+            documentId: id,
+            user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+            before,
+            after: null
+          });
+        }
+        await runCollectionHooks(this.collection.hooks?.afterDelete, {
+          id,
+          doc,
+          user,
+          req: c.req
+        });
+      } catch (err) {
+        failed.push({ id, error: err?.message ?? "Unknown error" });
+      }
+    }
+    return c.json({
+      message: `Deleted ${deleted.length} document(s)`,
+      deleted,
+      ...failed.length ? { failed } : {}
+    });
+  }
+  async seed(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json();
+    const initialData = body.data;
+    if (!initialData || !Array.isArray(initialData)) {
+      return c.json({ message: "Invalid initial data" }, 400);
+    }
+    const result = await db.find({ collection: this.collection.slug, limit: 1 });
+    if (result.total > 0) {
+      return c.json({ message: "Collection is not empty, skipping seed" });
+    }
+    console.log(`[dyrected/core] Auto-seeding collection: ${this.collection.slug}`);
+    const createdDocs = [];
+    for (const data of initialData) {
+      const doc = await db.create({ collection: this.collection.slug, data });
+      createdDocs.push(doc);
+    }
+    return c.json({ message: "Seed successful", count: createdDocs.length }, 201);
+  }
+};
+
+// src/controllers/global.controller.ts
+var GlobalController = class {
+  global;
+  constructor(global) {
+    this.global = global;
+  }
+  async get(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 10;
+    const user = c.get("user");
+    let query = void 0;
+    const beforeReadResult = await runCollectionHooks(this.global.hooks?.beforeRead, {
+      req: c.req,
+      query,
+      user
+    });
+    if (beforeReadResult !== void 0) {
+      query = beforeReadResult;
+    }
+    let data = await db.getGlobal({ slug: this.global.slug });
+    const isEmpty = !data || Object.keys(data).length === 0;
+    if (isEmpty && this.global.initialData) {
+      console.log(`[dyrected/core] Auto-seeding global "${this.global.slug}" from config.initialData`);
+      await db.updateGlobal({ slug: this.global.slug, data: this.global.initialData });
+      data = this.global.initialData;
+    }
+    const dataWithDefaults = DefaultsService.apply(this.global.fields, data);
+    const docWithCollectionHooks = await runCollectionHooks(this.global.hooks?.afterRead, {
+      doc: dataWithDefaults,
+      req: c.req,
+      user
+    });
+    const docWithFieldHooks = await executeFieldAfterRead(this.global.fields, docWithCollectionHooks, user);
+    if (depth > 0 && docWithFieldHooks) {
+      const populationService = new PopulationService(db, config.collections);
+      const populatedData = await populationService.populate({
+        data: docWithFieldHooks,
+        fields: this.global.fields,
+        currentDepth: 0,
+        maxDepth: depth
+      });
+      return c.json(populatedData);
+    }
+    return c.json(docWithFieldHooks);
+  }
+  async update(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json();
+    const user = c.get("user");
+    const originalDoc = await db.getGlobal({ slug: this.global.slug }) || {};
+    let data = await executeFieldBeforeChange(this.global.fields, body, originalDoc, user);
+    data = await runCollectionHooks(this.global.hooks?.beforeChange, {
+      data,
+      doc: originalDoc,
+      req: c.req,
+      user,
+      operation: "update"
+    });
+    const updated = await db.updateGlobal({ slug: this.global.slug, data });
+    await runCollectionHooks(this.global.hooks?.afterChange, {
+      doc: updated,
+      previousDoc: originalDoc,
+      user,
+      req: c.req,
+      operation: "update"
+    });
+    const readDoc = await runCollectionHooks(this.global.hooks?.afterRead, {
+      doc: updated,
+      req: c.req,
+      user
+    });
+    const finalDoc = await executeFieldAfterRead(this.global.fields, readDoc, user);
+    return c.json(finalDoc);
+  }
+  async seed(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json();
+    const initialData = body.data;
+    if (!initialData) {
+      return c.json({ message: "Invalid initial data" }, 400);
+    }
+    const existing = await db.getGlobal({ slug: this.global.slug });
+    if (existing && Object.keys(existing).length > 0) {
+      return c.json({ message: "Global is not empty, skipping seed" });
+    }
+    console.log(`[dyrected/core] Auto-seeding global: ${this.global.slug}`);
+    await db.updateGlobal({ slug: this.global.slug, data: initialData });
+    return c.json({ message: "Seed successful", data: initialData }, 201);
+  }
+};
+
+// src/controllers/media.controller.ts
+var MediaController = class {
+  collection;
+  constructor(collection = "media") {
+    this.collection = collection;
+  }
+  async upload(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    const imageService = config.image;
+    if (!storage) {
+      return c.json({ message: "Storage not configured" }, 500);
+    }
+    const body = await c.req.parseBody();
+    const file = body["file"];
+    const focalPointStr = body["focalPoint"];
+    const focalPoint = focalPointStr ? JSON.parse(focalPointStr) : void 0;
+    if (!file) {
+      return c.json({ message: "No file uploaded" }, 400);
+    }
+    const buffer = new Uint8Array(await file.arrayBuffer());
+    const siteId = c.get("siteId");
+    const workspaceId = c.get("workspaceId");
+    const prefix = workspaceId ? `${workspaceId}/${siteId}` : siteId || "default";
+    let imageMetadata = {};
+    let imageSizes = {};
+    if (imageService && file.type.startsWith("image/")) {
+      let colConfig = config.collections.find((col) => col.slug === this.collection);
+      if (!colConfig && config.onSchemaFetch && siteId) {
+        const dynamic = await config.onSchemaFetch(siteId);
+        colConfig = dynamic.collections?.find((col) => col.slug === this.collection);
+      }
+      try {
+        const processed = await imageService.process({
+          buffer,
+          mimeType: file.type,
+          config: colConfig?.upload,
+          focalPoint
+        });
+        imageMetadata = processed.metadata;
+        imageSizes = processed.sizes;
+      } catch (err) {
+        console.error("[MediaController] Image processing failed:", err);
+      }
+    }
+    const fileData = await storage.upload({
+      filename: file.name,
+      buffer,
+      mimeType: file.type,
+      prefix
+    });
+    const finalFileData = {
+      ...fileData,
+      ...imageMetadata,
+      focalPoint,
+      sizes: {}
+    };
+    if (imageSizes) {
+      for (const [sizeName, sizeData] of Object.entries(imageSizes)) {
+        const ext = file.name.split(".").pop();
+        const baseName = file.name.substring(0, file.name.lastIndexOf("."));
+        const sizeFilename = `${baseName}-${sizeName}.${ext}`;
+        try {
+          const sizeFileData = await storage.upload({
+            filename: sizeFilename,
+            buffer: sizeData.buffer,
+            mimeType: file.type,
+            prefix
+          });
+          finalFileData.sizes[sizeName] = {
+            ...sizeFileData,
+            width: sizeData.width,
+            height: sizeData.height
+          };
+        } catch (err) {
+          console.error(`[MediaController] Failed to upload size ${sizeName}:`, err);
+        }
+      }
+    }
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const doc = await db.create({
+      collection: this.collection,
+      data: finalFileData
+    });
+    return c.json(doc, 201);
+  }
+  async find(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const limit = Number(c.req.query("limit")) || 10;
+    const page = Number(c.req.query("page")) || 1;
+    const result = await db.find({
+      collection: this.collection,
+      limit,
+      page
+    });
+    return c.json(result);
+  }
+  async delete(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const doc = await db.findOne({ collection: this.collection, id });
+    if (!doc) return c.json({ message: "Not Found" }, 404);
+    if (storage) {
+      await storage.delete({ filename: doc.filename });
+      if (doc.sizes) {
+        for (const size of Object.values(doc.sizes)) {
+          if (size.filename) {
+            await storage.delete({ filename: size.filename });
+          }
+        }
+      }
+    }
+    await db.delete({ collection: this.collection, id });
+    return c.json({ message: "Deleted" });
+  }
+  async serve(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    if (!storage || !storage.resolve) {
+      return c.json({ message: "Storage not configured for serving" }, 404);
+    }
+    const filename = c.req.param("filename");
+    if (!filename) return c.json({ message: "Missing filename" }, 400);
+    let res = await storage.resolve({ filename });
+    if (!res && !filename.includes("/")) {
+      res = await storage.resolve({ filename: `default/${filename}` });
+    }
+    if (!res) return c.json({ message: "Not Found" }, 404);
+    c.header("Content-Type", res.mimeType);
+    return c.body(res.buffer);
+  }
+};
+
+// src/auth/token.ts
+import { SignJWT, jwtVerify, decodeJwt } from "jose";
+import { TextEncoder } from "util";
+function getSecret() {
+  const secret = process.env.DYRECTED_JWT_SECRET || process.env.JWT_SECRET;
+  if (!secret) {
+    throw new Error(
+      "[dyrected/core] DYRECTED_JWT_SECRET is not set. Add it to your environment variables to enable auth collections."
+    );
+  }
+  return new TextEncoder().encode(secret);
+}
+var DEFAULT_EXPIRY = "7d";
+async function signCollectionToken(payload, expiresIn = DEFAULT_EXPIRY) {
+  return new SignJWT({ ...payload }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(expiresIn).sign(getSecret());
+}
+async function verifyCollectionToken(token) {
+  const { payload } = await jwtVerify(token, getSecret());
+  return payload;
+}
+
+// src/services/email.service.ts
+var _devSend = null;
+var _devSendPromise = null;
+async function getDevSend() {
+  if (_devSend) return _devSend;
+  if (_devSendPromise) return _devSendPromise;
+  _devSendPromise = (async () => {
+    try {
+      const nodemailer = await import("nodemailer");
+      const account = await nodemailer.default.createTestAccount();
+      const transport = nodemailer.default.createTransport({
+        host: "smtp.ethereal.email",
+        port: 587,
+        auth: { user: account.user, pass: account.pass }
+      });
+      console.log("[dyrected/core] No email config \u2014 using Ethereal for dev email preview.");
+      console.log(`[dyrected/core] Ethereal login: https://ethereal.email  user: ${account.user}  pass: ${account.pass}`);
+      _devSend = async ({ to, subject, html }) => {
+        const info = await transport.sendMail({ from: '"Dyrected Dev" <dev@dyrected.local>', to, subject, html });
+        console.log(`[dyrected/core] Email preview URL: ${nodemailer.default.getTestMessageUrl(info)}`);
+      };
+      return _devSend;
+    } catch {
+      console.warn("[dyrected/core] nodemailer not available \u2014 emails will not be sent in dev.");
+      return null;
+    }
+  })();
+  return _devSendPromise;
+}
+async function sendEmail(config, payload) {
+  if (config.email) {
+    await config.email.send(payload);
+    return;
+  }
+  if (process.env.NODE_ENV !== "production") {
+    const devSend = await getDevSend();
+    await devSend?.(payload);
+  }
+}
+function buildWelcomeEmail(config, args) {
+  const custom = config.email?.templates?.welcome?.(args);
+  return {
+    subject: custom?.subject ?? "Welcome \u2014 your account is ready",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto">
+        <h2>Welcome!</h2>
+        <p>Your account has been created. You can now log in with:</p>
+        <p><strong>${args.email}</strong></p>
+      </div>`
+  };
+}
+function buildInviteEmail(config, args) {
+  const custom = config.email?.templates?.invite?.(args);
+  return {
+    subject: custom?.subject ?? "You've been invited",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto">
+        <h2>You've been invited</h2>
+        ${args.invitedByEmail ? `<p>Invited by <strong>${args.invitedByEmail}</strong>.</p>` : ""}
+        <p>Use the token below to accept your invitation. It expires in 7 days.</p>
+        <pre style="background:#f4f4f4;padding:12px;border-radius:4px;word-break:break-all">${args.token}</pre>
+      </div>`
+  };
+}
+function buildResetPasswordEmail(config, args) {
+  const custom = config.email?.templates?.resetPassword?.(args);
+  return {
+    subject: custom?.subject ?? "Reset your password",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto">
+        <h2>Reset your password</h2>
+        <p>Use the token below to reset your password. It expires in 1 hour.</p>
+        <pre style="background:#f4f4f4;padding:12px;border-radius:4px;word-break:break-all">${args.token}</pre>
+      </div>`
+  };
+}
+function buildPasswordChangedEmail(config, args) {
+  const custom = config.email?.templates?.passwordChanged?.(args);
+  return {
+    subject: custom?.subject ?? "Your password has been changed",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto">
+        <h2>Password changed</h2>
+        <p>The password for <strong>${args.email}</strong> was just changed.</p>
+        <p>If you did not make this change, please contact support immediately.</p>
+      </div>`
+  };
+}
+
+// src/controllers/auth.controller.ts
+var AuthController = class {
+  collection;
+  constructor(collection) {
+    this.collection = collection;
+  }
+  // ---------------------------------------------------------------------------
+  // GET /init
+  // Checks if the first user needs to be created.
+  // ---------------------------------------------------------------------------
+  async init(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const result = await db.find({
+      collection: this.collection.slug,
+      limit: 1
+    });
+    return c.json({
+      initialized: result.total > 0
+    });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /first-user
+  // Creates the first user if none exist.
+  // ---------------------------------------------------------------------------
+  async registerFirstUser(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const check = await db.find({
+      collection: this.collection.slug,
+      limit: 1
+    });
+    if (check.total > 0) {
+      return c.json({ error: true, message: "Initial user already exists." }, 403);
+    }
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email || !body?.password) {
+      return c.json({ error: true, message: "email and password are required." }, 400);
+    }
+    const hashedPassword = await hashPassword(body.password);
+    const user = await db.create({
+      collection: this.collection.slug,
+      data: {
+        ...body,
+        password: hashedPassword,
+        roles: ["admin"]
+        // Default first user to admin
+      }
+    });
+    const token = await signCollectionToken({
+      sub: user.id,
+      email: user.email,
+      collection: this.collection.slug
+    });
+    const { subject, html } = buildWelcomeEmail(config, { email: body.email });
+    sendEmail(config, { to: body.email, subject, html }).catch(
+      (err) => console.error("[dyrected/core] Failed to send welcome email:", err)
+    );
+    const { password: _, ...safeUser } = user;
+    return c.json({ token, user: safeUser });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /login
+  // ---------------------------------------------------------------------------
+  async login(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email || !body?.password) {
+      return c.json({ error: true, message: "email and password are required." }, 400);
+    }
+    const result = await db.find({
+      collection: this.collection.slug,
+      where: { email: body.email },
+      limit: 1
+    });
+    const user = result.docs[0];
+    if (!user) {
+      return c.json({ error: true, message: "Invalid email or password." }, 401);
+    }
+    const valid = await verifyPassword(body.password, user.password);
+    if (!valid) {
+      return c.json({ error: true, message: "Invalid email or password." }, 401);
+    }
+    const token = await signCollectionToken({
+      sub: user.id,
+      email: user.email,
+      collection: this.collection.slug
+    });
+    const { password: _, ...safeUser } = user;
+    return c.json({ token, user: safeUser });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /logout
+  // Auth collections use stateless JWTs — logout is handled client-side.
+  // This endpoint exists so clients have a consistent API surface.
+  // ---------------------------------------------------------------------------
+  async logout(c) {
+    return c.json({ success: true, message: "Logged out. Discard your token." });
+  }
+  // ---------------------------------------------------------------------------
+  // GET /me
+  // ---------------------------------------------------------------------------
+  async me(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const requestUser = c.get("user");
+    if (!requestUser) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    const user = await db.findOne({ collection: this.collection.slug, id: requestUser.sub });
+    if (!user) {
+      return c.json({ error: true, message: "User not found." }, 404);
+    }
+    const { password: _, ...safeUser } = user;
+    return c.json(safeUser);
+  }
+  // ---------------------------------------------------------------------------
+  // POST /refresh-token
+  // ---------------------------------------------------------------------------
+  async refreshToken(c) {
+    const requestUser = c.get("user");
+    if (!requestUser) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    const token = await signCollectionToken({
+      sub: requestUser.sub,
+      email: requestUser.email,
+      collection: this.collection.slug
+    });
+    return c.json({ token });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /forgot-password
+  // Requires config.email to be set. Silently succeeds if email not found
+  // to prevent email enumeration.
+  // ---------------------------------------------------------------------------
+  async forgotPassword(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email) {
+      return c.json({ error: true, message: "email is required." }, 400);
+    }
+    const result = await db.find({
+      collection: this.collection.slug,
+      where: { email: body.email },
+      limit: 1
+    });
+    const user = result.docs[0];
+    if (user) {
+      const resetToken = await signCollectionToken(
+        { sub: user.id, email: user.email, collection: this.collection.slug, purpose: "reset" },
+        "1h"
+      );
+      try {
+        const { subject, html } = buildResetPasswordEmail(config, { token: resetToken });
+        await sendEmail(config, { to: user.email, subject, html });
+      } catch (err) {
+        console.error("[dyrected/core] Failed to send password reset email:", err);
+      }
+    }
+    return c.json({
+      success: true,
+      message: "If an account with that email exists, a reset link has been sent."
+    });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /reset-password
+  // Expects { token: string, password: string } in body.
+  // The token is the reset JWT issued by /forgot-password.
+  // ---------------------------------------------------------------------------
+  async resetPassword(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.token || !body?.password) {
+      return c.json({ error: true, message: "token and password are required." }, 400);
+    }
+    let payload;
+    try {
+      payload = await verifyCollectionToken(body.token);
+    } catch {
+      return c.json({ error: true, message: "Reset token is invalid or has expired." }, 400);
+    }
+    if (payload.collection !== this.collection.slug || payload.purpose !== "reset") {
+      return c.json({ error: true, message: "Reset token is invalid or has expired." }, 400);
+    }
+    const hashedPassword = await hashPassword(body.password);
+    await db.update({
+      collection: this.collection.slug,
+      id: payload.sub,
+      data: { password: hashedPassword }
+    });
+    const { subject, html } = buildPasswordChangedEmail(config, { email: payload.email });
+    sendEmail(config, { to: payload.email, subject, html }).catch(
+      (err) => console.error("[dyrected/core] Failed to send password-changed email:", err)
+    );
+    return c.json({ success: true, message: "Password has been reset. You can now log in." });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /invite
+  // Requires auth. Issues a signed invite token and emails it to the invitee.
+  // ---------------------------------------------------------------------------
+  async invite(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const requestUser = c.get("user");
+    if (!requestUser) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email) {
+      return c.json({ error: true, message: "email is required." }, 400);
+    }
+    const existing = await db.find({
+      collection: this.collection.slug,
+      where: { email: body.email },
+      limit: 1
+    });
+    if (existing.total > 0) {
+      return c.json({ error: true, message: "An account with that email already exists." }, 409);
+    }
+    const inviteToken = await signCollectionToken(
+      { sub: body.email, email: body.email, collection: this.collection.slug, purpose: "invite" },
+      "7d"
+    );
+    try {
+      const { subject, html } = buildInviteEmail(config, {
+        token: inviteToken,
+        invitedByEmail: requestUser.email
+      });
+      await sendEmail(config, { to: body.email, subject, html });
+    } catch (err) {
+      console.error("[dyrected/core] Failed to send invite email:", err);
+    }
+    return c.json({ success: true, message: `Invite sent to ${body.email}.` });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /accept-invite
+  // Public. Validates the invite token and creates the user account.
+  // Body: { token, password, ...extraFields }
+  // ---------------------------------------------------------------------------
+  async acceptInvite(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.token || !body?.password) {
+      return c.json({ error: true, message: "token and password are required." }, 400);
+    }
+    let payload;
+    try {
+      payload = await verifyCollectionToken(body.token);
+    } catch {
+      return c.json({ error: true, message: "Invite token is invalid or has expired." }, 400);
+    }
+    if (payload.collection !== this.collection.slug || payload.purpose !== "invite") {
+      return c.json({ error: true, message: "Invite token is invalid or has expired." }, 400);
+    }
+    const inviteeEmail = payload.sub;
+    const existing = await db.find({
+      collection: this.collection.slug,
+      where: { email: inviteeEmail },
+      limit: 1
+    });
+    if (existing.total > 0) {
+      return c.json({ error: true, message: "An account with that email already exists." }, 409);
+    }
+    const { token: _t, password: _p, ...extraFields } = body;
+    const hashedPassword = await hashPassword(body.password);
+    const user = await db.create({
+      collection: this.collection.slug,
+      data: { ...extraFields, email: inviteeEmail, password: hashedPassword }
+    });
+    const sessionToken = await signCollectionToken({
+      sub: user.id,
+      email: inviteeEmail,
+      collection: this.collection.slug
+    });
+    const { subject, html } = buildWelcomeEmail(config, { email: inviteeEmail });
+    sendEmail(config, { to: inviteeEmail, subject, html }).catch(
+      (err) => console.error("[dyrected/core] Failed to send welcome email:", err)
+    );
+    const { password: _, ...safeUser } = user;
+    return c.json({ token: sessionToken, user: safeUser }, 201);
+  }
+};
+
+// src/controllers/preview.controller.ts
+import { SignJWT as SignJWT2, jwtVerify as jwtVerify2 } from "jose";
+import { TextEncoder as TextEncoder2 } from "util";
+var PreviewController = class {
+  getSecret() {
+    const secret = process.env.DYRECTED_JWT_SECRET || process.env.JWT_SECRET || "dyrected-preview-secret-change-me";
+    return new TextEncoder2().encode(secret);
+  }
+  /**
+   * POST /api/preview-token
+   * Generates a short-lived token for previewing unsaved data.
+   */
+  async createToken(c) {
+    const body = await c.req.json().catch(() => null);
+    if (!body?.collectionSlug || !body?.data) {
+      return c.json({ error: true, message: "collectionSlug and data are required." }, 400);
+    }
+    const token = await new SignJWT2({
+      collectionSlug: body.collectionSlug,
+      documentId: body.documentId,
+      data: body.data
+    }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime("15m").sign(this.getSecret());
+    const expiresAt = new Date(Date.now() + 15 * 60 * 1e3).toISOString();
+    return c.json({ token, expiresAt });
+  }
+  /**
+   * GET /api/preview-data?token=<jwt>
+   * Returns the data stored in the preview token.
+   */
+  async getData(c) {
+    const token = c.req.query("token");
+    if (!token) {
+      return c.json({ error: true, message: "token query parameter is required." }, 400);
+    }
+    try {
+      const { payload } = await jwtVerify2(token, this.getSecret());
+      return c.json(payload);
+    } catch (err) {
+      return c.json({ error: true, message: "Invalid or expired preview token." }, 401);
+    }
+  }
+};
+
+// src/middleware/auth.ts
+function requireAuth() {
+  return async (c, next) => {
+    const authHeader = c.req.header("Authorization");
+    const token = authHeader?.replace(/^Bearer\s+/i, "");
+    if (!token) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    try {
+      const user = await verifyCollectionToken(token);
+      c.set("user", user);
+      await next();
+    } catch {
+      return c.json({ error: true, message: "Invalid or expired token." }, 401);
+    }
+  };
+}
+function optionalAuth() {
+  return async (c, next) => {
+    const authHeader = c.req.header("Authorization");
+    const token = authHeader?.replace(/^Bearer\s+/i, "");
+    if (token) {
+      try {
+        const user = await verifyCollectionToken(token);
+        c.set("user", user);
+      } catch {
+      }
+    }
+    await next();
+  };
+}
+
+// src/utils/openapi.ts
+function generateOpenApi(config) {
+  const spec = {
+    openapi: "3.0.0",
+    info: {
+      title: "Dyrected API",
+      version: "1.0.0",
+      description: "Automatically generated OpenAPI specification for the Dyrected project."
+    },
+    components: {
+      schemas: {},
+      securitySchemes: {
+        ApiKeyAuth: {
+          type: "apiKey",
+          in: "header",
+          name: "x-api-key"
+        }
+      }
+    },
+    paths: {},
+    security: [{ ApiKeyAuth: [] }]
+  };
+  for (const collection of config.collections) {
+    spec.components.schemas[collection.slug] = collectionToSchema(collection);
+  }
+  for (const global of config.globals) {
+    spec.components.schemas[global.slug] = globalToSchema(global);
+  }
+  for (const collection of config.collections) {
+    const slug = collection.slug;
+    const path = `/api/collections/${slug}`;
+    const labels = collection.labels || { singular: slug, plural: `${slug}s` };
+    spec.paths[path] = {
+      get: {
+        tags: ["Collections"],
+        summary: `Find ${labels.plural}`,
+        parameters: [
+          { name: "limit", in: "query", schema: { type: "integer", default: 10 } },
+          { name: "page", in: "query", schema: { type: "integer", default: 1 } },
+          { name: "where", in: "query", schema: { type: "string" }, description: "JSON filter" },
+          { name: "sort", in: "query", schema: { type: "string" }, description: "Sort field (e.g. -createdAt)" }
+        ],
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: {
+                  type: "object",
+                  properties: {
+                    docs: { type: "array", items: { $ref: `#/components/schemas/${slug}` } },
+                    total: { type: "integer" },
+                    limit: { type: "integer" },
+                    page: { type: "integer" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      post: {
+        tags: ["Collections"],
+        summary: `Create ${labels.singular}`,
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: { $ref: `#/components/schemas/${slug}` }
+            }
+          }
+        },
+        responses: {
+          201: {
+            description: "Created",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      }
+    };
+    spec.paths[`${path}/{id}`] = {
+      get: {
+        tags: ["Collections"],
+        summary: `Get a single ${labels.singular}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      },
+      patch: {
+        tags: ["Collections"],
+        summary: `Update ${labels.singular}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: { $ref: `#/components/schemas/${slug}` }
+            }
+          }
+        },
+        responses: {
+          200: {
+            description: "Updated",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      },
+      delete: {
+        tags: ["Collections"],
+        summary: `Delete ${labels.singular}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        responses: {
+          204: { description: "Deleted" }
+        }
+      }
+    };
+  }
+  for (const global of config.globals) {
+    const slug = global.slug;
+    const path = `/api/globals/${slug}`;
+    spec.paths[path] = {
+      get: {
+        tags: ["Globals"],
+        summary: `Get ${global.label || slug}`,
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      },
+      patch: {
+        tags: ["Globals"],
+        summary: `Update ${global.label || slug}`,
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: { $ref: `#/components/schemas/${slug}` }
+            }
+          }
+        },
+        responses: {
+          200: {
+            description: "Updated",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      }
+    };
+  }
+  if (config.storage) {
+    spec.paths["/api/media"] = {
+      get: {
+        tags: ["Media"],
+        summary: "List Media",
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: {
+                  type: "object",
+                  properties: {
+                    docs: { type: "array", items: { type: "object", additionalProperties: true } }
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      post: {
+        tags: ["Media"],
+        summary: "Upload Media",
+        requestBody: {
+          content: {
+            "multipart/form-data": {
+              schema: {
+                type: "object",
+                properties: {
+                  file: { type: "string", format: "binary" }
+                }
+              }
+            }
+          }
+        },
+        responses: {
+          201: { description: "Uploaded" }
+        }
+      }
+    };
+  }
+  return spec;
+}
+function collectionToSchema(collection) {
+  const { properties, required } = fieldsToProperties(collection.fields);
+  return {
+    type: "object",
+    properties: {
+      id: { type: "string" },
+      createdAt: { type: "string", format: "date-time" },
+      updatedAt: { type: "string", format: "date-time" },
+      ...properties
+    },
+    required: ["id", ...required]
+  };
+}
+function globalToSchema(global) {
+  const { properties, required } = fieldsToProperties(global.fields);
+  return {
+    type: "object",
+    properties,
+    required
+  };
+}
+function fieldsToProperties(fields) {
+  const props = {};
+  const required = [];
+  for (const field of fields) {
+    if (!field.name || field.type === "join" || field.type === "row") continue;
+    props[field.name] = fieldToSchema(field);
+    if (field.required) {
+      required.push(field.name);
+    }
+  }
+  return { properties: props, required };
+}
+function fieldToSchema(field) {
+  let schema = {};
+  switch (field.type) {
+    case "text":
+    case "textarea":
+    case "email":
+    case "url":
+      schema = { type: "string" };
+      break;
+    case "number":
+      schema = { type: "number" };
+      break;
+    case "boolean":
+      schema = { type: "boolean" };
+      break;
+    case "date":
+      schema = { type: "string", format: "date-time" };
+      break;
+    case "select":
+      schema = { type: "string", enum: field.options?.map((o) => typeof o === "string" ? o : o.value) };
+      break;
+    case "multiSelect":
+      schema = {
+        type: "array",
+        items: { type: "string", enum: field.options?.map((o) => typeof o === "string" ? o : o.value) }
+      };
+      break;
+    case "relationship":
+      schema = { type: "string", description: `ID of a ${field.relationTo} record` };
+      break;
+    case "object": {
+      const { properties, required } = fieldsToProperties(field.fields || []);
+      schema = { type: "object", properties, required };
+      break;
+    }
+    case "array": {
+      const { properties, required } = fieldsToProperties(field.fields || []);
+      schema = { type: "array", items: { type: "object", properties, required } };
+      break;
+    }
+    case "json":
+    case "richText":
+      schema = { type: "object", additionalProperties: true };
+      break;
+    case "blocks":
+      schema = {
+        type: "array",
+        items: {
+          oneOf: field.blocks?.map((block) => {
+            const { properties, required } = fieldsToProperties(block.fields);
+            return {
+              type: "object",
+              properties: {
+                blockType: { type: "string", enum: [block.slug] },
+                ...properties
+              },
+              required: ["blockType", ...required]
+            };
+          })
+        }
+      };
+      break;
+    default:
+      schema = { type: "string" };
+  }
+  if (field.label) schema.description = field.label;
+  return schema;
+}
+
+// src/utils/swagger.ts
+function getSwaggerHtml(specUrl = "/api/openapi.json") {
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <meta name="description" content="SwaggerUI" />
+  <title>Dyrected API Documentation</title>
+  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui.css" />
+</head>
+<body>
+<div id="swagger-ui"></div>
+<script src="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-bundle.js" charset="UTF-8"></script>
+<script src="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-standalone-preset.js" charset="UTF-8"></script>
+<script>
+  window.onload = () => {
+    // Forward the apikey query param when loading the spec and making API calls
+    const params = new URLSearchParams(window.location.search);
+    const apiKey = params.get('apikey');
+    const specUrlWithKey = apiKey ? '${specUrl}?apikey=' + encodeURIComponent(apiKey) : '${specUrl}';
+
+    window.ui = SwaggerUIBundle({
+      url: specUrlWithKey,
+      dom_id: '#swagger-ui',
+      presets: [
+        SwaggerUIBundle.presets.apis,
+        SwaggerUIStandalonePreset
+      ],
+      layout: "BaseLayout",
+      deepLinking: true,
+      showExtensions: true,
+      showCommonExtensions: true,
+      // Inject x-api-key header on every request made from the Swagger UI
+      requestInterceptor: (request) => {
+        if (apiKey) {
+          request.headers['x-api-key'] = apiKey;
+        }
+        return request;
+      }
+    });
+  };
+</script>
+</body>
+</html>
+  `;
+}
+
+// src/auth/jexl.ts
+import jexl from "jexl";
+async function evaluateAccess(expression, context) {
+  if (expression === void 0 || expression === null) return false;
+  if (typeof expression === "boolean") return expression;
+  try {
+    const result = await jexl.eval(expression, context);
+    return !!result;
+  } catch (err) {
+    console.error("[dyrected/core] Jexl evaluation failed:", err);
+    return false;
+  }
+}
+
+// src/router.ts
+function accessGate(target, action) {
+  return async (c, next) => {
+    const user = c.get("user");
+    const accessExpr = target.access?.[action];
+    if (accessExpr === void 0 || accessExpr === null) {
+      return await next();
+    }
+    const accessArgs = { user, req: c.req, doc: null };
+    const allowed = await evaluateAccess(accessExpr, accessArgs);
+    if (!allowed) {
+      return c.json({ error: true, message: `Access denied: ${action} on ${target.slug}` }, 403);
+    }
+    await next();
+  };
+}
+async function checkAccess(access, accessArgs) {
+  if (access === void 0 || access === null) return true;
+  if (typeof access === "function") {
+    try {
+      const result = await access(accessArgs);
+      return typeof result === "boolean" ? result : !!result;
+    } catch (err) {
+      console.error("[dyrected/core] Functional access check failed:", err);
+      return false;
+    }
+  }
+  if (typeof access === "string" || typeof access === "boolean") {
+    return evaluateAccess(access, accessArgs);
+  }
+  return true;
+}
+function serializeFieldForApi(f) {
+  if (!f) return f;
+  const serialized = { ...f };
+  if (serialized.admin?.hooks) {
+    const hooks = { ...serialized.admin.hooks };
+    if (typeof hooks.onChange === "function") {
+      hooks.onChange = hooks.onChange.toString();
+    }
+    if (typeof hooks.options === "function") {
+      hooks.options = hooks.options.toString();
+    }
+    serialized.admin = { ...serialized.admin, hooks };
+  }
+  if (typeof serialized.options === "function" || serialized.options && typeof serialized.options === "object" && "resolve" in serialized.options) {
+    serialized.options = { _dynamic: true };
+  }
+  if (serialized.fields) {
+    serialized.fields = serialized.fields.map(serializeFieldForApi);
+  }
+  if (serialized.blocks) {
+    serialized.blocks = serialized.blocks.map((b) => ({
+      ...b,
+      fields: b.fields?.map(serializeFieldForApi)
+    }));
+  }
+  return serialized;
+}
+function registerRoutes(app, config) {
+  app.get("/api/schemas", optionalAuth(), async (c) => {
+    const siteId = c.req.header("X-Site-Id");
+    let collections = [...config.collections];
+    let globals = [...config.globals];
+    if (siteId && config.onSchemaFetch) {
+      const dynamic = await config.onSchemaFetch(siteId);
+      if (dynamic.collections) collections = [...collections, ...dynamic.collections];
+      if (dynamic.globals) globals = [...globals, ...dynamic.globals];
+      if (dynamic.admin) {
+        config.admin = { ...config.admin, ...dynamic.admin };
+      }
+    }
+    const user = c.get("user");
+    const accessArgs = { user, req: c.req, doc: null };
+    const serializeAccess = async (access) => {
+      if (typeof access === "string") return access;
+      if (typeof access === "boolean") return access;
+      return checkAccess(access, accessArgs);
+    };
+    const filteredCollections = await Promise.all(collections.filter((col) => !siteId || col.shared || !col.siteId || col.siteId === siteId).map(async (col) => ({
+      slug: col.slug,
+      labels: col.labels,
+      access: {
+        read: await serializeAccess(col.access?.read),
+        create: await serializeAccess(col.access?.create),
+        update: await serializeAccess(col.access?.update),
+        delete: await serializeAccess(col.access?.delete)
+      },
+      fields: await Promise.all(col.fields.map(serializeFieldForApi).map(async (f) => ({
+        name: f.name,
+        type: f.type,
+        label: f.label,
+        required: f.required,
+        defaultValue: f.defaultValue,
+        options: f.options,
+        relationTo: f.relationTo,
+        hasMany: f.hasMany,
+        fields: f.fields,
+        blocks: f.blocks,
+        admin: f.admin,
+        access: {
+          read: await serializeAccess(f.access?.read),
+          update: await serializeAccess(f.access?.update)
+        }
+      }))),
+      upload: !!col.upload,
+      auth: !!col.auth,
+      admin: col.admin
+    })));
+    const filteredGlobals = await Promise.all(globals.filter((glb) => !siteId || glb.shared || !glb.siteId || glb.siteId === siteId).map(async (glb) => ({
+      slug: glb.slug,
+      label: glb.label,
+      access: {
+        read: await serializeAccess(glb.access?.read),
+        update: await serializeAccess(glb.access?.update)
+      },
+      fields: await Promise.all(glb.fields.map(serializeFieldForApi).map(async (f) => ({
+        name: f.name,
+        type: f.type,
+        label: f.label,
+        required: f.required,
+        defaultValue: f.defaultValue,
+        options: f.options,
+        relationTo: f.relationTo,
+        hasMany: f.hasMany,
+        fields: f.fields,
+        blocks: f.blocks,
+        admin: f.admin,
+        access: {
+          read: await serializeAccess(f.access?.read),
+          update: await serializeAccess(f.access?.update)
+        }
+      }))),
+      admin: glb.admin
+    })));
+    return c.json({
+      collections: filteredCollections,
+      globals: filteredGlobals,
+      admin: config.admin || {}
+    });
+  });
+  app.get("/api/dyrected/options/:collection/:field", optionalAuth(), async (c) => {
+    const { collection: colSlug, field: fieldName } = c.req.param();
+    const siteId = c.req.header("X-Site-Id");
+    let collections = [...config.collections];
+    if (siteId && config.onSchemaFetch) {
+      const dynamic = await config.onSchemaFetch(siteId);
+      if (dynamic.collections) collections = [...collections, ...dynamic.collections];
+    }
+    const user = c.get("user");
+    let collection = collections.find((col) => col.slug === colSlug);
+    let field;
+    if (collection) {
+      const accessExpr = collection.access?.read;
+      if (accessExpr !== void 0 && accessExpr !== null) {
+        const accessArgs = { user, req: c.req, doc: null };
+        const allowed = await checkAccess(accessExpr, accessArgs);
+        if (!allowed) {
+          return c.json({ error: true, message: `Access denied: read on ${colSlug}` }, 403);
+        }
+      }
+      field = collection.fields.find((f) => f.name === fieldName);
+    } else {
+      let globals = [...config.globals];
+      if (siteId && config.onSchemaFetch) {
+        const dynamic = await config.onSchemaFetch(siteId);
+        if (dynamic.globals) globals = [...globals, ...dynamic.globals];
+      }
+      const glb = globals.find((g) => g.slug === colSlug);
+      if (!glb) {
+        return c.json({ error: true, message: `${colSlug} not found as collection or global` }, 404);
+      }
+      const accessExpr = glb.access?.read;
+      if (accessExpr !== void 0 && accessExpr !== null) {
+        const accessArgs = { user, req: c.req, doc: null };
+        const allowed = await checkAccess(accessExpr, accessArgs);
+        if (!allowed) {
+          return c.json({ error: true, message: `Access denied: read on global ${colSlug}` }, 403);
+        }
+      }
+      field = glb.fields.find((f) => f.name === fieldName);
+    }
+    if (!field) {
+      return c.json({ error: true, message: `Field ${fieldName} not found in ${colSlug}` }, 404);
+    }
+    let resolver;
+    if (typeof field.options === "function") {
+      resolver = field.options;
+    } else if (field.options && typeof field.options === "object" && "resolve" in field.options) {
+      resolver = field.options.resolve;
+    }
+    if (!resolver) {
+      return c.json({ error: true, message: `Field ${fieldName} in ${colSlug} is not dynamic` }, 400);
+    }
+    try {
+      const db = c.get("db") || config.db;
+      const queryParams = c.req.query();
+      const reqContext = {
+        query: queryParams,
+        headers: c.req.header(),
+        raw: c.req.raw
+      };
+      const result = await resolver({
+        db,
+        user,
+        req: reqContext
+      });
+      return c.json(result);
+    } catch (err) {
+      console.error(`[dyrected/core] Failed to resolve dynamic options for field ${fieldName}:`, err);
+      return c.json({ error: true, message: err.message || "Failed to resolve dynamic options" }, 500);
+    }
+  });
+  app.get("/api/openapi.json", (c) => {
+    return c.json(generateOpenApi(config));
+  });
+  app.get("/api/docs", (c) => {
+    return c.html(getSwaggerHtml());
+  });
+  app.get("/api/media/:filename{.+$}", async (c) => {
+    const mediaController = new MediaController("media");
+    return mediaController.serve(c);
+  });
+  app.get("/media/:filename{.+$}", async (c) => {
+    const mediaController = new MediaController("media");
+    return mediaController.serve(c);
+  });
+  if (config.storage) {
+    const uploadCollections = config.collections.filter((c) => c.upload);
+    for (const col of uploadCollections) {
+      const mediaController = new MediaController(col.slug);
+      const prefix = `/api/collections/${col.slug}`;
+      app.get(`${prefix}/media`, accessGate(col, "read"), (c) => mediaController.find(c));
+      app.get(`${prefix}/media/:filename{.+$}`, (c) => mediaController.serve(c));
+      app.post(`${prefix}/media`, accessGate(col, "create"), (c) => mediaController.upload(c));
+      app.delete(`${prefix}/media/:id`, accessGate(col, "delete"), (c) => mediaController.delete(c));
+    }
+  }
+  for (const collection of config.collections) {
+    if (!collection.auth) continue;
+    const path = `/api/collections/${collection.slug}`;
+    const authController = new AuthController(collection);
+    app.post(`${path}/login`, (c) => authController.login(c));
+    app.post(`${path}/logout`, (c) => authController.logout(c));
+    app.get(`${path}/init`, (c) => authController.init(c));
+    app.post(`${path}/first-user`, (c) => authController.registerFirstUser(c));
+    app.get(`${path}/me`, requireAuth(), (c) => authController.me(c));
+    app.post(`${path}/refresh-token`, requireAuth(), (c) => authController.refreshToken(c));
+    app.post(`${path}/forgot-password`, (c) => authController.forgotPassword(c));
+    app.post(`${path}/reset-password`, (c) => authController.resetPassword(c));
+    app.post(`${path}/invite`, requireAuth(), (c) => authController.invite(c));
+    app.post(`${path}/accept-invite`, (c) => authController.acceptInvite(c));
+  }
+  for (const collection of config.collections) {
+    const path = `/api/collections/${collection.slug}`;
+    const controller = new CollectionController(collection);
+    app.get(path, accessGate(collection, "read"), (c) => controller.find(c));
+    app.post(path, accessGate(collection, "create"), (c) => controller.create(c));
+    app.post(`${path}/media`, accessGate(collection, "create"), (c) => controller.create(c));
+    app.delete(`${path}/delete-many`, accessGate(collection, "delete"), (c) => controller.deleteMany(c));
+    app.get(`${path}/:id`, accessGate(collection, "read"), (c) => controller.findOne(c));
+    app.patch(`${path}/:id`, accessGate(collection, "update"), (c) => controller.update(c));
+    app.delete(`${path}/:id`, accessGate(collection, "delete"), (c) => controller.delete(c));
+    app.post(`${path}/seed`, (c) => controller.seed(c));
+    if (collection.auth) {
+      app.post(`${path}/:id/change-password`, requireAuth(), (c) => controller.changePassword(c));
+    }
+  }
+  for (const global of config.globals) {
+    const path = `/api/globals/${global.slug}`;
+    const controller = new GlobalController(global);
+    app.get(path, accessGate(global, "read"), (c) => controller.get(c));
+    app.patch(path, accessGate(global, "update"), (c) => controller.update(c));
+    app.post(`${path}/seed`, (c) => controller.seed(c));
+  }
+  const previewController = new PreviewController();
+  app.post("/api/preview-token", requireAuth(), (c) => previewController.createToken(c));
+  app.get("/api/preview-data", (c) => previewController.getData(c));
+  app.all("/api/collections/:slug/:id?", async (c) => {
+    const slug = c.req.param("slug");
+    const id = c.req.param("id");
+    const siteId = c.req.header("X-Site-Id") || c.get("siteId");
+    const config2 = c.get("config");
+    if (config2.collections.some((col) => col.slug === slug)) {
+      return c.json({ message: "Method Not Allowed" }, 405);
+    }
+    if (config2.onSchemaFetch && siteId) {
+      const dynamic = await config2.onSchemaFetch(siteId);
+      let collection = dynamic.collections?.find((col) => col.slug === slug);
+      if (!collection && slug === "media") {
+        collection = {
+          slug: "media",
+          labels: { singular: "Media", plural: "Media" },
+          upload: true,
+          fields: []
+        };
+      }
+      if (collection) {
+        if (collection.auth && id) {
+          const authController = new AuthController(collection);
+          const method2 = c.req.method;
+          if (method2 === "POST" && id === "login") return authController.login(c);
+          if (method2 === "POST" && id === "logout") return authController.logout(c);
+          if (method2 === "GET" && id === "me") return authController.me(c);
+          if (method2 === "POST" && id === "refresh-token") return authController.refreshToken(c);
+          if (method2 === "POST" && id === "forgot-password") return authController.forgotPassword(c);
+          if (method2 === "POST" && id === "reset-password") return authController.resetPassword(c);
+        }
+        const controller = new CollectionController(collection);
+        const method = c.req.method;
+        if (id) {
+          if (method === "GET") return controller.findOne(c);
+          if (method === "PATCH") return controller.update(c);
+          if (method === "DELETE" && id === "delete-many") return controller.deleteMany(c);
+          if (method === "DELETE") return controller.delete(c);
+          if (method === "POST" && id === "media") return controller.create(c);
+          if (method === "POST" && id === "seed") return controller.seed(c);
+        } else {
+          if (method === "GET") return controller.find(c);
+          if (method === "POST") return controller.create(c);
+        }
+      }
+    }
+    return c.json({ message: `Collection "${slug}" not found` }, 404);
+  });
+  app.all("/api/globals/:slug", async (c) => {
+    const slug = c.req.param("slug");
+    const siteId = c.req.header("X-Site-Id") || c.get("siteId");
+    const config2 = c.get("config");
+    if (config2.globals.some((glb) => glb.slug === slug)) {
+      return c.json({ message: "Method Not Allowed" }, 405);
+    }
+    if (config2.onSchemaFetch && siteId) {
+      const dynamic = await config2.onSchemaFetch(siteId);
+      const global = dynamic.globals?.find((glb) => glb.slug === slug);
+      if (global) {
+        const controller = new GlobalController(global);
+        if (c.req.method === "GET") return controller.get(c);
+        if (c.req.method === "PATCH") return controller.update(c);
+      }
+    }
+    return c.json({ message: `Global "${slug}" not found` }, 404);
+  });
+}
+
+// src/app.ts
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+import { requestId } from "hono/request-id";
+async function createDyrectedApp(rawConfig) {
+  const config = normalizeConfig(rawConfig);
+  const app = new Hono();
+  if (config.db?.sync) {
+    await config.db.sync(config.collections, config.globals);
+  }
+  app.use("*", requestId());
+  app.use("*", optionalAuth());
+  app.use("*", async (c, next) => {
+    const start = Date.now();
+    await next();
+    const ms = Date.now() - start;
+    console.log(`[dyrected/api] ${c.req.method} ${c.req.path} ${c.res.status} - ${ms}ms`);
+  });
+  app.use("*", cors());
+  app.use("*", async (c, next) => {
+    c.set("config", config);
+    if (!c.get("siteId")) {
+      c.set("siteId", "default");
+    }
+    await next();
+  });
+  app.get("/health", (c) => c.json({ status: "ok", version: "0.0.1" }));
+  app.get("/routes", (c) => {
+    const routes = app.routes.map((r) => ({ method: r.method, path: r.path }));
+    return c.json({ routes });
+  });
+  app.onError((err, c) => {
+    console.error(`[dyrected/core] Uncaught Error:`, err);
+    return c.json({
+      message: err.message || "Internal Server Error",
+      stack: process.env.NODE_ENV === "development" ? err.stack : void 0
+    }, 500);
+  });
+  registerRoutes(app, config);
+  return app;
+}
+
+export {
+  normalizeConfig,
+  runCollectionHooks,
+  executeFieldBeforeChange,
+  executeFieldAfterRead,
+  CollectionController,
+  GlobalController,
+  MediaController,
+  AuthController,
+  PreviewController,
+  registerRoutes,
+  createDyrectedApp
+};