npm - @dyrected/core - Versions diffs - 2.5.16 → 2.5.18 - Mend

@dyrected/core 2.5.16 → 2.5.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/app-BElen1tP.d.cts +1690 -0
package/dist/app-BElen1tP.d.ts +1690 -0
package/dist/app-D0ffogDd.d.cts +1690 -0
package/dist/app-D0ffogDd.d.ts +1690 -0
package/dist/app-D2uR47gK.d.cts +1690 -0
package/dist/app-D2uR47gK.d.ts +1690 -0
package/dist/chunk-ALNQINX7.js +2496 -0
package/dist/chunk-B6KDKYXB.js +2502 -0
package/dist/chunk-EXXOPW3I.js +2483 -0
package/dist/chunk-TUUHGLB5.js +2609 -0
package/dist/chunk-YNJ3YC4N.js +2483 -0
package/dist/index.cjs +170 -36
package/dist/index.d.cts +9 -2
package/dist/index.d.ts +9 -2
package/dist/index.js +1 -1
package/dist/server.cjs +170 -36
package/dist/server.d.cts +10 -10
package/dist/server.d.ts +10 -10
package/dist/server.js +1 -1
package/package.json +1 -1

package/dist/chunk-B6KDKYXB.js ADDED Viewed

@@ -0,0 +1,2502 @@
+// src/utils/config.ts
+var AUDIT_COLLECTION_SLUG = "__audit";
+var SYSTEM_FIELDS = [
+  {
+    name: "createdAt",
+    type: "date",
+    label: "Created At",
+    admin: { readOnly: true, hidden: true }
+  },
+  {
+    name: "updatedAt",
+    type: "date",
+    label: "Updated At",
+    admin: { readOnly: true, hidden: true }
+  },
+  {
+    name: "createdBy",
+    type: "text",
+    label: "Created By",
+    admin: { readOnly: true, hidden: true }
+  },
+  {
+    name: "updatedBy",
+    type: "text",
+    label: "Updated By",
+    admin: { readOnly: true, hidden: true }
+  }
+];
+var AUDIT_COLLECTION = {
+  slug: AUDIT_COLLECTION_SLUG,
+  labels: { singular: "Audit Log", plural: "Audit Logs" },
+  fields: [
+    { name: "collection", type: "text", label: "Collection", required: true },
+    { name: "documentId", type: "text", label: "Document ID" },
+    { name: "operation", type: "select", label: "Operation", options: ["create", "update", "delete"], required: true },
+    { name: "user", type: "text", label: "User ID" },
+    { name: "timestamp", type: "date", label: "Timestamp", required: true },
+    { name: "changes", type: "json", label: "Changes" }
+  ],
+  admin: { hidden: true }
+};
+function normalizeConfig(config) {
+  const collections = config?.collections || [];
+  const globals = config?.globals || [];
+  const needsAudit = collections.some((col) => col.audit);
+  const normalizedCollections = collections.map((col) => {
+    let fields = col.fields || [];
+    const existingFieldNames = new Set(fields.map((f) => f.name));
+    if (col.auth) {
+      if (!existingFieldNames.has("email")) {
+        fields = [
+          ...fields,
+          {
+            name: "email",
+            type: "email",
+            label: "Email",
+            required: true,
+            unique: true,
+            promoted: true,
+            access: {
+              update: "!id"
+            }
+          }
+        ];
+      }
+      if (!existingFieldNames.has("password")) {
+        fields = [
+          ...fields,
+          {
+            name: "password",
+            type: "text",
+            label: "Password",
+            required: true,
+            access: {
+              update: "!id || user.id == id"
+            }
+          }
+        ];
+      }
+      if (!existingFieldNames.has("roles")) {
+        fields = [
+          ...fields,
+          {
+            name: "roles",
+            type: "select",
+            label: "Roles",
+            defaultValue: [],
+            options: [
+              { value: "admin", label: "Admin" },
+              { value: "editor", label: "Editor" },
+              { value: "viewer", label: "Viewer" }
+            ],
+            access: {
+              update: "user.roles && 'admin' in user.roles"
+            }
+          }
+        ];
+      }
+      fields = fields.map((field) => {
+        if (field.name === "email") {
+          return {
+            ...field,
+            access: {
+              ...field.access || {},
+              update: "!id"
+            }
+          };
+        }
+        if (field.name === "password") {
+          return {
+            ...field,
+            admin: { ...field.admin || {} },
+            access: {
+              ...field.access || {},
+              update: "!id || user.id == id"
+            }
+          };
+        }
+        if (field.name === "roles") {
+          return {
+            ...field,
+            access: {
+              ...field.access || {},
+              // Must be an admin; cannot edit own roles (no self-elevation).
+              update: "user.roles && 'admin' in user.roles && user.id != id"
+            }
+          };
+        }
+        return field;
+      });
+    }
+    const updatedFieldNames = new Set(fields.map((f) => f.name));
+    const fieldsToInject = SYSTEM_FIELDS.filter((f) => !updatedFieldNames.has(f.name));
+    return {
+      ...col,
+      fields: [...fields, ...fieldsToInject]
+    };
+  });
+  const hasAuditCollection = normalizedCollections.some((col) => col.slug === AUDIT_COLLECTION_SLUG);
+  return {
+    ...config,
+    collections: [...normalizedCollections, ...needsAudit && !hasAuditCollection ? [AUDIT_COLLECTION] : []],
+    globals
+  };
+}
+// src/utils/hooks.ts
+async function runCollectionHooks(hooks, args, options = {}) {
+  if (!hooks || hooks.length === 0) {
+    return args.data ?? args.doc ?? void 0;
+  }
+  let currentPayload = args.data ?? args.doc ?? void 0;
+  for (const hook of hooks) {
+    try {
+      const result = await hook({
+        ...args,
+        data: args.data !== void 0 ? currentPayload : void 0,
+        doc: args.doc !== void 0 ? currentPayload : void 0
+      });
+      if (result !== void 0) {
+        currentPayload = result;
+      }
+    } catch (err) {
+      if (options.isolated) {
+        console.error("[dyrected/core] Side-effect hook failed (error isolated \u2014 DB write was successful):", err);
+      } else {
+        throw err;
+      }
+    }
+  }
+  return currentPayload;
+}
+async function executeFieldBeforeChange(fields, data, originalDoc, user) {
+  if (!data || typeof data !== "object") return data;
+  const result = { ...data };
+  for (const field of fields) {
+    if (!field.name) continue;
+    const value = result[field.name];
+    const origValue = originalDoc?.[field.name];
+    let updatedValue = value;
+    if (field.hooks?.beforeChange) {
+      for (const hook of field.hooks.beforeChange) {
+        updatedValue = await hook({
+          value: updatedValue,
+          originalDoc: originalDoc ?? void 0,
+          data: result,
+          user
+        });
+      }
+      result[field.name] = updatedValue;
+    }
+    if (updatedValue !== void 0 && updatedValue !== null) {
+      if (field.type === "object" && field.fields) {
+        result[field.name] = await executeFieldBeforeChange(
+          field.fields,
+          updatedValue,
+          origValue,
+          user
+        );
+      } else if (field.type === "array" && field.fields && Array.isArray(updatedValue)) {
+        const arrayResult = [];
+        for (let i = 0; i < updatedValue.length; i++) {
+          const item = updatedValue[i];
+          const origItem = Array.isArray(origValue) ? origValue[i] : null;
+          arrayResult.push(
+            await executeFieldBeforeChange(field.fields, item, origItem, user)
+          );
+        }
+        result[field.name] = arrayResult;
+      } else if (field.type === "blocks" && field.blocks && Array.isArray(updatedValue)) {
+        const blocksResult = [];
+        for (let i = 0; i < updatedValue.length; i++) {
+          const blockData = updatedValue[i];
+          const origBlock = Array.isArray(origValue) ? origValue[i] : null;
+          const blockConfig = field.blocks.find(
+            (b) => b.slug === blockData.blockType
+          );
+          if (blockConfig) {
+            blocksResult.push(
+              await executeFieldBeforeChange(
+                blockConfig.fields,
+                blockData,
+                origBlock,
+                user
+              )
+            );
+          } else {
+            blocksResult.push(blockData);
+          }
+        }
+        result[field.name] = blocksResult;
+      }
+    }
+  }
+  return result;
+}
+async function executeFieldAfterRead(fields, doc, user) {
+  if (!doc || typeof doc !== "object") return doc;
+  const result = { ...doc };
+  for (const field of fields) {
+    if (!field.name) continue;
+    const value = result[field.name];
+    let updatedValue = value;
+    if (field.hooks?.afterRead) {
+      for (const hook of field.hooks.afterRead) {
+        updatedValue = await hook({
+          value: updatedValue,
+          doc: result,
+          user
+        });
+      }
+      result[field.name] = updatedValue;
+    }
+    if (updatedValue !== void 0 && updatedValue !== null) {
+      if (field.type === "object" && field.fields) {
+        result[field.name] = await executeFieldAfterRead(
+          field.fields,
+          updatedValue,
+          user
+        );
+      } else if (field.type === "array" && field.fields && Array.isArray(updatedValue)) {
+        const arrayResult = [];
+        for (const item of updatedValue) {
+          arrayResult.push(
+            await executeFieldAfterRead(
+              field.fields,
+              item,
+              user
+            )
+          );
+        }
+        result[field.name] = arrayResult;
+      } else if (field.type === "blocks" && field.blocks && Array.isArray(updatedValue)) {
+        const blocksResult = [];
+        for (const blockData of updatedValue) {
+          const typedBlock = blockData;
+          const blockConfig = field.blocks.find(
+            (b) => b.slug === typedBlock.blockType
+          );
+          if (blockConfig) {
+            blocksResult.push(
+              await executeFieldAfterRead(
+                blockConfig.fields,
+                typedBlock,
+                user
+              )
+            );
+          } else {
+            blocksResult.push(blockData);
+          }
+        }
+        result[field.name] = blocksResult;
+      }
+    }
+  }
+  return result;
+}
+// src/services/defaults.service.ts
+var DefaultsService = class {
+  /**
+   * Recursively apply default values to a data object based on field definitions.
+   */
+  static apply(fields, data = {}) {
+    const result = { ...data || {} };
+    fields.forEach((field) => {
+      if (field.type === "join") return;
+      if (field.type === "row" && field.fields) {
+        Object.assign(result, this.apply(field.fields, data));
+        return;
+      }
+      if (!field.name) return;
+      let value = result[field.name];
+      if ((value === void 0 || value === null) && field.renameTo) {
+        const legacyValue = result[field.renameTo];
+        if (legacyValue !== void 0 && legacyValue !== null) {
+          value = legacyValue;
+          result[field.name] = legacyValue;
+        }
+      }
+      if (value === void 0 || value === null) {
+        if (field.defaultValue !== void 0) {
+          result[field.name] = field.defaultValue;
+        } else {
+          if (field.type === "boolean") result[field.name] = false;
+          else if (field.type === "array") result[field.name] = [];
+          else if (field.type === "multiSelect") result[field.name] = [];
+          else if (field.type === "object") {
+            result[field.name] = this.apply(field.fields || [], {});
+          }
+        }
+      } else if (field.type === "object" && field.fields) {
+        result[field.name] = this.apply(field.fields, value);
+      } else if (field.type === "array" && field.fields && Array.isArray(value)) {
+        result[field.name] = value.map((item) => this.apply(field.fields, item));
+      }
+    });
+    return result;
+  }
+};
+// src/services/population.service.ts
+var PopulationService = class {
+  db;
+  collections;
+  constructor(db, collections) {
+    this.db = db;
+    this.collections = collections;
+  }
+  /**
+   * Recursively populate relationship fields in a document or array of documents.
+   */
+  async populate(args) {
+    const { data, fields, currentDepth = 0, maxDepth = 10 } = args;
+    if (currentDepth >= maxDepth || !data) {
+      return data;
+    }
+    if (Array.isArray(data)) {
+      return Promise.all(data.map((item) => this.populate({ ...args, data: item })));
+    }
+    const populatedDoc = { ...data };
+    for (const field of fields) {
+      if (field.type === "join") continue;
+      if (field.type === "row" && field.fields) {
+        const rowPopulated = await this.populate({ data, fields: field.fields, currentDepth, maxDepth });
+        Object.assign(populatedDoc, rowPopulated);
+        continue;
+      }
+      if (!field.name) continue;
+      const value = populatedDoc[field.name];
+      if (field.type === "relationship" && field.relationTo && value) {
+        const relatedCollection = this.collections.find((c) => c.slug === field.relationTo);
+        if (!relatedCollection) continue;
+        if (Array.isArray(value)) {
+          populatedDoc[field.name] = await Promise.all(
+            value.map(async (id) => {
+              if (!id) return id;
+              let doc = id;
+              if (typeof id === "string") {
+                doc = await this.db.findOne({ collection: field.relationTo, id });
+              }
+              if (!doc || typeof doc !== "object") return id;
+              const docWithDefaults = DefaultsService.apply(relatedCollection.fields, doc);
+              return this.populate({
+                data: docWithDefaults,
+                fields: relatedCollection.fields,
+                currentDepth: currentDepth + 1,
+                maxDepth
+              });
+            })
+          );
+        } else if (value) {
+          let doc = value;
+          if (typeof value === "string") {
+            doc = await this.db.findOne({ collection: field.relationTo, id: value });
+          }
+          if (doc && typeof doc === "object") {
+            const docWithDefaults = DefaultsService.apply(relatedCollection.fields, doc);
+            populatedDoc[field.name] = await this.populate({
+              data: docWithDefaults,
+              fields: relatedCollection.fields,
+              currentDepth: currentDepth + 1,
+              maxDepth
+            });
+          }
+        }
+      }
+      if (field.type === "url" && value && typeof value === "object" && value.type === "internal" && value.relationTo && value.value) {
+        const relatedCollection = this.collections.find((c) => c.slug === value.relationTo);
+        if (relatedCollection) {
+          const doc = await this.db.findOne({ collection: value.relationTo, id: value.value });
+          if (doc && typeof doc === "object") {
+            const docWithDefaults = DefaultsService.apply(relatedCollection.fields, doc);
+            const populatedDocValue = await this.populate({
+              data: docWithDefaults,
+              fields: relatedCollection.fields,
+              currentDepth: currentDepth + 1,
+              maxDepth
+            });
+            const identifier = docWithDefaults.slug || docWithDefaults.id;
+            const resolvedUrl = `/collections/${value.relationTo}/${identifier}`;
+            populatedDoc[field.name] = {
+              ...value,
+              url: resolvedUrl,
+              doc: populatedDocValue
+            };
+          }
+        }
+      }
+      if ((field.type === "array" || field.type === "object") && field.fields && value) {
+        populatedDoc[field.name] = await this.populate({
+          data: value,
+          fields: field.fields,
+          currentDepth,
+          // Nested fields don't consume depth, only relationships do
+          maxDepth
+        });
+      }
+      if (field.type === "blocks" && field.blocks && Array.isArray(value)) {
+        populatedDoc[field.name] = await Promise.all(
+          value.map(async (blockData) => {
+            const blockConfig = field.blocks.find((b) => b.slug === blockData.blockType);
+            if (!blockConfig) return blockData;
+            return this.populate({
+              data: blockData,
+              fields: blockConfig.fields,
+              currentDepth,
+              maxDepth
+            });
+          })
+        );
+      }
+    }
+    return populatedDoc;
+  }
+  /**
+   * Helper to populate a PaginatedResult
+   */
+  async populateResult(result, fields, maxDepth) {
+    if (maxDepth <= 0) return result;
+    const populatedDocs = await this.populate({
+      data: result.docs,
+      fields,
+      currentDepth: 0,
+      maxDepth
+    });
+    return {
+      ...result,
+      docs: populatedDocs
+    };
+  }
+};
+// src/services/audit.service.ts
+var AuditService = class {
+  /**
+   * Writes a single entry to the __audit collection.
+   * Called without await — runs asynchronously and never blocks the primary operation.
+   */
+  static async log(db, args) {
+    try {
+      await db.create({
+        collection: "__audit",
+        data: {
+          collection: args.collection,
+          documentId: args.documentId ?? null,
+          operation: args.operation,
+          user: args.user?.id ?? null,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          changes: JSON.stringify({
+            before: args.before ?? null,
+            after: args.after ?? null
+          })
+        }
+      });
+    } catch (err) {
+      console.error("[dyrected/audit] Failed to write audit log:", err);
+    }
+  }
+};
+// src/auth/password.ts
+import { promisify } from "util";
+import { scrypt, randomBytes, timingSafeEqual } from "crypto";
+var scryptAsync = promisify(scrypt);
+var SALT_LEN = 16;
+var KEY_LEN = 64;
+async function hashPassword(plain) {
+  const salt = randomBytes(SALT_LEN).toString("hex");
+  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
+  return `${salt}:${derivedKey.toString("hex")}`;
+}
+async function verifyPassword(plain, stored) {
+  const [salt, storedHash] = stored.split(":");
+  if (!salt || !storedHash) return false;
+  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
+  const storedBuffer = Buffer.from(storedHash, "hex");
+  if (derivedKey.length !== storedBuffer.length) return false;
+  return timingSafeEqual(derivedKey, storedBuffer);
+}
+// src/controllers/collection.controller.ts
+var CollectionController = class {
+  collection;
+  constructor(collection) {
+    this.collection = collection;
+  }
+  async find(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const limit = Number(c.req.query("limit")) || 10;
+    const page = Number(c.req.query("page")) || 1;
+    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 2;
+    const sort = c.req.query("sort") || void 0;
+    const user = c.get("user");
+    let where = void 0;
+    const whereRaw = c.req.query("where");
+    if (whereRaw) {
+      try {
+        where = JSON.parse(decodeURIComponent(whereRaw));
+      } catch {
+      }
+    }
+    const beforeReadResult = await runCollectionHooks(this.collection.hooks?.beforeRead, {
+      req: c.req,
+      query: where,
+      user
+    });
+    if (beforeReadResult !== void 0) {
+      where = beforeReadResult;
+    }
+    let result = await db.find({
+      collection: this.collection.slug,
+      limit,
+      page,
+      sort,
+      where
+    });
+    if (result.total === 0 && this.collection.initialData && !where && page === 1) {
+      console.log(`[dyrected/core] Auto-seeding collection "${this.collection.slug}" from config.initialData`);
+      for (const data of this.collection.initialData) {
+        await db.create({ collection: this.collection.slug, data });
+      }
+      result = await db.find({
+        collection: this.collection.slug,
+        limit,
+        page,
+        sort,
+        where
+      });
+    }
+    result.docs = result.docs.map((doc) => DefaultsService.apply(this.collection.fields, doc));
+    const processedDocs = [];
+    for (const doc of result.docs) {
+      const docWithCollectionHooks = await runCollectionHooks(this.collection.hooks?.afterRead, {
+        doc,
+        req: c.req,
+        user
+      });
+      const docWithFieldHooks = await executeFieldAfterRead(this.collection.fields, docWithCollectionHooks, user);
+      processedDocs.push(docWithFieldHooks);
+    }
+    result.docs = processedDocs;
+    if (depth > 0) {
+      const populationService = new PopulationService(db, config.collections);
+      result = await populationService.populateResult(result, this.collection.fields, depth);
+    }
+    return c.json(result);
+  }
+  async findOne(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 10;
+    const user = c.get("user");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const doc = await db.findOne({ collection: this.collection.slug, id });
+    if (!doc) return c.json({ message: "Not Found" }, 404);
+    const docWithDefaults = DefaultsService.apply(this.collection.fields, doc);
+    const docWithCollectionHooks = await runCollectionHooks(this.collection.hooks?.afterRead, {
+      doc: docWithDefaults,
+      req: c.req,
+      user
+    });
+    const docWithFieldHooks = await executeFieldAfterRead(this.collection.fields, docWithCollectionHooks, user);
+    if (depth > 0 && docWithFieldHooks) {
+      const populationService = new PopulationService(db, config.collections);
+      const populatedDoc = await populationService.populate({
+        data: docWithFieldHooks,
+        fields: this.collection.fields,
+        currentDepth: 0,
+        maxDepth: depth
+      });
+      return c.json(populatedDoc);
+    }
+    return c.json(docWithFieldHooks);
+  }
+  async create(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const contentType = c.req.header("Content-Type") || "";
+    if (contentType.toLowerCase().includes("multipart/form-data")) {
+      return this.upload(c);
+    }
+    const body = await c.req.json();
+    const user = c.get("user");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    let data = {
+      ...body,
+      createdAt: now,
+      updatedAt: now,
+      createdBy: user?.sub ?? null,
+      updatedBy: user?.sub ?? null
+    };
+    if (this.collection.auth && data.password) {
+      data.password = await hashPassword(data.password);
+    }
+    data = await executeFieldBeforeChange(this.collection.fields, data, null, user);
+    data = await runCollectionHooks(this.collection.hooks?.beforeChange, {
+      data,
+      req: c.req,
+      user,
+      operation: "create"
+    });
+    const doc = await db.create({ collection: this.collection.slug, data });
+    if (this.collection.audit && db) {
+      AuditService.log(db, {
+        operation: "create",
+        collection: this.collection.slug,
+        documentId: doc.id,
+        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+        before: null,
+        after: doc
+      });
+    }
+    await runCollectionHooks(this.collection.hooks?.afterChange, {
+      doc,
+      user,
+      req: c.req,
+      operation: "create"
+    }, { isolated: true });
+    const readDoc = await runCollectionHooks(this.collection.hooks?.afterRead, {
+      doc,
+      req: c.req,
+      user
+    });
+    const finalDoc = await executeFieldAfterRead(this.collection.fields, readDoc, user);
+    return c.json(finalDoc, 201);
+  }
+  async upload(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    if (!storage) return c.json({ message: "Storage not configured" }, 500);
+    const formData = await c.req.formData();
+    const file = formData.get("file");
+    if (!file) return c.json({ message: "No file uploaded" }, 400);
+    const buffer = new Uint8Array(await file.arrayBuffer());
+    const siteId = c.get("siteId");
+    const workspaceId = c.get("workspaceId");
+    const prefix = workspaceId ? `${workspaceId}/${siteId}` : siteId;
+    const fileData = await storage.upload({
+      filename: file.name,
+      buffer,
+      mimeType: file.type,
+      prefix
+    });
+    const otherData = {};
+    formData.forEach((value, key) => {
+      if (key !== "file" && typeof value === "string") {
+        otherData[key] = value;
+      }
+    });
+    const user = c.get("user");
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    let data = {
+      ...otherData,
+      ...fileData,
+      createdAt: now,
+      updatedAt: now,
+      createdBy: user?.sub ?? null,
+      updatedBy: user?.sub ?? null
+    };
+    data = await executeFieldBeforeChange(this.collection.fields, data, null, user);
+    data = await runCollectionHooks(this.collection.hooks?.beforeChange, {
+      data,
+      req: c.req,
+      user,
+      operation: "create"
+    });
+    const doc = await config.db.create({
+      collection: this.collection.slug,
+      data
+    });
+    await runCollectionHooks(this.collection.hooks?.afterChange, {
+      doc,
+      user,
+      req: c.req,
+      operation: "create"
+    }, { isolated: true });
+    const readDoc = await runCollectionHooks(this.collection.hooks?.afterRead, {
+      doc,
+      req: c.req,
+      user
+    });
+    const finalDoc = await executeFieldAfterRead(this.collection.fields, readDoc, user);
+    return c.json(finalDoc, 201);
+  }
+  async update(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const body = await c.req.json();
+    const user = c.get("user");
+    let data = { ...body };
+    if (this.collection.auth) {
+      delete data.password;
+      delete data.oldPassword;
+      delete data.confirmPassword;
+    }
+    Object.assign(data, {
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      updatedBy: user?.sub ?? null
+    });
+    const originalDoc = await db.findOne({ collection: this.collection.slug, id });
+    if (!originalDoc) return c.json({ message: "Not Found" }, 404);
+    let before = null;
+    if (this.collection.audit) {
+      before = originalDoc;
+    }
+    data = await executeFieldBeforeChange(this.collection.fields, data, originalDoc, user);
+    data = await runCollectionHooks(this.collection.hooks?.beforeChange, {
+      data,
+      doc: originalDoc,
+      req: c.req,
+      user,
+      operation: "update"
+    });
+    const doc = await db.update({ collection: this.collection.slug, id, data });
+    if (this.collection.audit && db) {
+      AuditService.log(db, {
+        operation: "update",
+        collection: this.collection.slug,
+        documentId: id,
+        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+        before,
+        after: doc
+      });
+    }
+    await runCollectionHooks(this.collection.hooks?.afterChange, {
+      doc,
+      previousDoc: originalDoc,
+      user,
+      req: c.req,
+      operation: "update"
+    }, { isolated: true });
+    const readDoc = await runCollectionHooks(this.collection.hooks?.afterRead, {
+      doc,
+      req: c.req,
+      user
+    });
+    const finalDoc = await executeFieldAfterRead(this.collection.fields, readDoc, user);
+    return c.json(finalDoc);
+  }
+  /**
+   * POST /api/collections/:slug/:id/change-password
+   *
+   * Dedicated endpoint for password changes. Requires the caller to supply:
+   *   { oldPassword, newPassword, confirmPassword }
+   *
+   * Rules:
+   *  - Only the account owner or an admin may change the password.
+   *  - Non-admin callers MUST provide a valid oldPassword.
+   *  - newPassword and confirmPassword must match.
+   */
+  async changePassword(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    if (!this.collection.auth) {
+      return c.json({ message: "This collection does not support authentication" }, 400);
+    }
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const user = c.get("user");
+    if (!user) return c.json({ message: "Authentication required" }, 401);
+    const body = await c.req.json().catch(() => null);
+    const { oldPassword, newPassword, confirmPassword } = body ?? {};
+    if (!newPassword) {
+      return c.json({ message: "newPassword is required" }, 400);
+    }
+    if (newPassword !== confirmPassword) {
+      return c.json({ message: "Passwords do not match" }, 400);
+    }
+    if (newPassword.length < 8) {
+      return c.json({ message: "Password must be at least 8 characters" }, 400);
+    }
+    const isAdmin = Array.isArray(user.roles) && user.roles.includes("admin");
+    const isSelf = user.sub === id;
+    if (!isAdmin && !isSelf) {
+      return c.json({ message: "You are not authorised to change this password" }, 403);
+    }
+    if (!isAdmin) {
+      if (!oldPassword) {
+        return c.json({ message: "Current password is required" }, 400);
+      }
+      const existing = await db.findOne({ collection: this.collection.slug, id });
+      if (!existing) return c.json({ message: "User not found" }, 404);
+      const valid = await verifyPassword(oldPassword, existing.password);
+      if (!valid) {
+        return c.json({ message: "Invalid current password" }, 400);
+      }
+    }
+    const hashed = await hashPassword(newPassword);
+    const doc = await db.update({
+      collection: this.collection.slug,
+      id,
+      data: {
+        password: hashed,
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        updatedBy: user.sub
+      }
+    });
+    if (this.collection.audit) {
+      AuditService.log(db, {
+        operation: "update",
+        collection: this.collection.slug,
+        documentId: id,
+        user: { id: user.sub, collection: user.collection, email: user.email },
+        before: null,
+        after: { id }
+      });
+    }
+    return c.json({ success: true, message: "Password updated successfully" });
+  }
+  async delete(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const user = c.get("user");
+    const doc = await db.findOne({ collection: this.collection.slug, id });
+    if (!doc) return c.json({ message: "Not Found" }, 404);
+    let before = null;
+    if (this.collection.audit) {
+      before = doc;
+    }
+    await runCollectionHooks(this.collection.hooks?.beforeDelete, {
+      id,
+      doc,
+      user,
+      req: c.req
+    });
+    await db.delete({ collection: this.collection.slug, id });
+    if (this.collection.audit && db) {
+      AuditService.log(db, {
+        operation: "delete",
+        collection: this.collection.slug,
+        documentId: id,
+        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+        before,
+        after: null
+      });
+    }
+    await runCollectionHooks(this.collection.hooks?.afterDelete, {
+      id,
+      doc,
+      user,
+      req: c.req
+    }, { isolated: true });
+    return c.json({ message: "Deleted" });
+  }
+  async deleteMany(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const user = c.get("user");
+    let ids = [];
+    try {
+      const body = await c.req.json().catch(() => null);
+      if (body?.ids && Array.isArray(body.ids)) {
+        ids = body.ids;
+      }
+    } catch {
+    }
+    if (!ids.length) {
+      const raw = c.req.queries("ids") ?? c.req.queries("ids[]") ?? [];
+      ids = raw.filter(Boolean);
+    }
+    if (!ids.length) return c.json({ message: "No IDs provided" }, 400);
+    const deleted = [];
+    const failed = [];
+    for (const id of ids) {
+      try {
+        const doc = await db.findOne({ collection: this.collection.slug, id });
+        if (!doc) {
+          failed.push({ id, error: "Not Found" });
+          continue;
+        }
+        let before = null;
+        if (this.collection.audit) {
+          before = doc;
+        }
+        await runCollectionHooks(this.collection.hooks?.beforeDelete, {
+          id,
+          doc,
+          user,
+          req: c.req
+        });
+        await db.delete({ collection: this.collection.slug, id });
+        deleted.push(id);
+        if (this.collection.audit) {
+          AuditService.log(db, {
+            operation: "delete",
+            collection: this.collection.slug,
+            documentId: id,
+            user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
+            before,
+            after: null
+          });
+        }
+        await runCollectionHooks(this.collection.hooks?.afterDelete, {
+          id,
+          doc,
+          user,
+          req: c.req
+        }, { isolated: true });
+      } catch (err) {
+        failed.push({ id, error: err?.message ?? "Unknown error" });
+      }
+    }
+    return c.json({
+      message: `Deleted ${deleted.length} document(s)`,
+      deleted,
+      ...failed.length ? { failed } : {}
+    });
+  }
+  async seed(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json();
+    const initialData = body.data;
+    if (!initialData || !Array.isArray(initialData)) {
+      return c.json({ message: "Invalid initial data" }, 400);
+    }
+    const result = await db.find({ collection: this.collection.slug, limit: 1 });
+    if (result.total > 0) {
+      return c.json({ message: "Collection is not empty, skipping seed" });
+    }
+    console.log(`[dyrected/core] Auto-seeding collection: ${this.collection.slug}`);
+    const createdDocs = [];
+    for (const data of initialData) {
+      const doc = await db.create({ collection: this.collection.slug, data });
+      createdDocs.push(doc);
+    }
+    return c.json({ message: "Seed successful", count: createdDocs.length }, 201);
+  }
+};
+// src/controllers/global.controller.ts
+var GlobalController = class {
+  global;
+  constructor(global) {
+    this.global = global;
+  }
+  async get(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 10;
+    const user = c.get("user");
+    let query = void 0;
+    const beforeReadResult = await runCollectionHooks(this.global.hooks?.beforeRead, {
+      req: c.req,
+      query,
+      user
+    });
+    if (beforeReadResult !== void 0) {
+      query = beforeReadResult;
+    }
+    let data = await db.getGlobal({ slug: this.global.slug });
+    const isEmpty = !data || Object.keys(data).length === 0;
+    if (isEmpty && this.global.initialData) {
+      console.log(`[dyrected/core] Auto-seeding global "${this.global.slug}" from config.initialData`);
+      await db.updateGlobal({ slug: this.global.slug, data: this.global.initialData });
+      data = this.global.initialData;
+    }
+    const dataWithDefaults = DefaultsService.apply(this.global.fields, data);
+    const docWithCollectionHooks = await runCollectionHooks(this.global.hooks?.afterRead, {
+      doc: dataWithDefaults,
+      req: c.req,
+      user
+    });
+    const docWithFieldHooks = await executeFieldAfterRead(this.global.fields, docWithCollectionHooks, user);
+    if (depth > 0 && docWithFieldHooks) {
+      const populationService = new PopulationService(db, config.collections);
+      const populatedData = await populationService.populate({
+        data: docWithFieldHooks,
+        fields: this.global.fields,
+        currentDepth: 0,
+        maxDepth: depth
+      });
+      return c.json(populatedData);
+    }
+    return c.json(docWithFieldHooks);
+  }
+  async update(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json();
+    const user = c.get("user");
+    const originalDoc = await db.getGlobal({ slug: this.global.slug }) || {};
+    let data = await executeFieldBeforeChange(this.global.fields, body, originalDoc, user);
+    data = await runCollectionHooks(this.global.hooks?.beforeChange, {
+      data,
+      doc: originalDoc,
+      req: c.req,
+      user,
+      operation: "update"
+    });
+    const updated = await db.updateGlobal({ slug: this.global.slug, data });
+    await runCollectionHooks(this.global.hooks?.afterChange, {
+      doc: updated,
+      previousDoc: originalDoc,
+      user,
+      req: c.req,
+      operation: "update"
+    }, { isolated: true });
+    const readDoc = await runCollectionHooks(this.global.hooks?.afterRead, {
+      doc: updated,
+      req: c.req,
+      user
+    });
+    const finalDoc = await executeFieldAfterRead(this.global.fields, readDoc, user);
+    return c.json(finalDoc);
+  }
+  async seed(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json();
+    const initialData = body.data;
+    if (!initialData) {
+      return c.json({ message: "Invalid initial data" }, 400);
+    }
+    const existing = await db.getGlobal({ slug: this.global.slug });
+    if (existing && Object.keys(existing).length > 0) {
+      return c.json({ message: "Global is not empty, skipping seed" });
+    }
+    console.log(`[dyrected/core] Auto-seeding global: ${this.global.slug}`);
+    await db.updateGlobal({ slug: this.global.slug, data: initialData });
+    return c.json({ message: "Seed successful", data: initialData }, 201);
+  }
+};
+// src/controllers/media.controller.ts
+var MediaController = class {
+  collection;
+  constructor(collection = "media") {
+    this.collection = collection;
+  }
+  async upload(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    const imageService = config.image;
+    if (!storage) {
+      return c.json({ message: "Storage not configured" }, 500);
+    }
+    const body = await c.req.parseBody();
+    const file = body["file"];
+    const focalPointStr = body["focalPoint"];
+    const focalPoint = focalPointStr ? JSON.parse(focalPointStr) : void 0;
+    if (!file) {
+      return c.json({ message: "No file uploaded" }, 400);
+    }
+    const buffer = new Uint8Array(await file.arrayBuffer());
+    const siteId = c.get("siteId");
+    const workspaceId = c.get("workspaceId");
+    const prefix = workspaceId ? `${workspaceId}/${siteId}` : siteId || "default";
+    let imageMetadata = {};
+    let imageSizes = {};
+    if (imageService && file.type.startsWith("image/")) {
+      let colConfig = config.collections.find((col) => col.slug === this.collection);
+      if (!colConfig && config.onSchemaFetch && siteId) {
+        const dynamic = await config.onSchemaFetch(siteId);
+        colConfig = dynamic.collections?.find((col) => col.slug === this.collection);
+      }
+      try {
+        const processed = await imageService.process({
+          buffer,
+          mimeType: file.type,
+          config: colConfig?.upload,
+          focalPoint
+        });
+        imageMetadata = processed.metadata;
+        imageSizes = processed.sizes;
+      } catch (err) {
+        console.error("[MediaController] Image processing failed:", err);
+      }
+    }
+    const fileData = await storage.upload({
+      filename: file.name,
+      buffer,
+      mimeType: file.type,
+      prefix
+    });
+    const finalFileData = {
+      ...fileData,
+      ...imageMetadata,
+      focalPoint,
+      sizes: {}
+    };
+    if (imageSizes) {
+      for (const [sizeName, sizeData] of Object.entries(imageSizes)) {
+        const ext = file.name.split(".").pop();
+        const baseName = file.name.substring(0, file.name.lastIndexOf("."));
+        const sizeFilename = `${baseName}-${sizeName}.${ext}`;
+        try {
+          const sizeFileData = await storage.upload({
+            filename: sizeFilename,
+            buffer: sizeData.buffer,
+            mimeType: file.type,
+            prefix
+          });
+          finalFileData.sizes[sizeName] = {
+            ...sizeFileData,
+            width: sizeData.width,
+            height: sizeData.height
+          };
+        } catch (err) {
+          console.error(`[MediaController] Failed to upload size ${sizeName}:`, err);
+        }
+      }
+    }
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const doc = await db.create({
+      collection: this.collection,
+      data: finalFileData
+    });
+    return c.json(doc, 201);
+  }
+  async find(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const limit = Number(c.req.query("limit")) || 10;
+    const page = Number(c.req.query("page")) || 1;
+    const result = await db.find({
+      collection: this.collection,
+      limit,
+      page
+    });
+    return c.json(result);
+  }
+  async delete(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const id = c.req.param("id");
+    if (!id) return c.json({ message: "Missing ID" }, 400);
+    const doc = await db.findOne({ collection: this.collection, id });
+    if (!doc) return c.json({ message: "Not Found" }, 404);
+    if (storage) {
+      await storage.delete({ filename: doc.filename });
+      if (doc.sizes) {
+        for (const size of Object.values(doc.sizes)) {
+          if (size.filename) {
+            await storage.delete({ filename: size.filename });
+          }
+        }
+      }
+    }
+    await db.delete({ collection: this.collection, id });
+    return c.json({ message: "Deleted" });
+  }
+  async serve(c) {
+    const config = c.get("config");
+    const storage = config.storage;
+    if (!storage || !storage.resolve) {
+      return c.json({ message: "Storage not configured for serving" }, 404);
+    }
+    const filename = c.req.param("filename");
+    if (!filename) return c.json({ message: "Missing filename" }, 400);
+    let res = await storage.resolve({ filename });
+    if (!res && !filename.includes("/")) {
+      res = await storage.resolve({ filename: `default/${filename}` });
+    }
+    if (!res) return c.json({ message: "Not Found" }, 404);
+    c.header("Content-Type", res.mimeType);
+    return c.body(res.buffer);
+  }
+};
+// src/auth/token.ts
+import { SignJWT, jwtVerify, decodeJwt } from "jose";
+import { TextEncoder } from "util";
+function getSecret() {
+  const secret = process.env.DYRECTED_JWT_SECRET || process.env.JWT_SECRET;
+  if (!secret) {
+    throw new Error(
+      "[dyrected/core] DYRECTED_JWT_SECRET is not set. Add it to your environment variables to enable auth collections."
+    );
+  }
+  return new TextEncoder().encode(secret);
+}
+var DEFAULT_EXPIRY = "7d";
+async function signCollectionToken(payload, expiresIn = DEFAULT_EXPIRY) {
+  return new SignJWT({ ...payload }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(expiresIn).sign(getSecret());
+}
+async function verifyCollectionToken(token) {
+  const { payload } = await jwtVerify(token, getSecret());
+  return payload;
+}
+// src/services/email.service.ts
+var _devSend = null;
+var _devSendPromise = null;
+async function getDevSend() {
+  if (_devSend) return _devSend;
+  if (_devSendPromise) return _devSendPromise;
+  _devSendPromise = (async () => {
+    try {
+      const nodemailer = await import("nodemailer");
+      const account = await nodemailer.default.createTestAccount();
+      const transport = nodemailer.default.createTransport({
+        host: "smtp.ethereal.email",
+        port: 587,
+        auth: { user: account.user, pass: account.pass }
+      });
+      console.log("[dyrected/core] No email config \u2014 using Ethereal for dev email preview.");
+      console.log(`[dyrected/core] Ethereal login: https://ethereal.email  user: ${account.user}  pass: ${account.pass}`);
+      _devSend = async ({ to, subject, html }) => {
+        const info = await transport.sendMail({ from: '"Dyrected Dev" <dev@dyrected.local>', to, subject, html });
+        console.log(`[dyrected/core] Email preview URL: ${nodemailer.default.getTestMessageUrl(info)}`);
+      };
+      return _devSend;
+    } catch {
+      console.warn("[dyrected/core] nodemailer not available \u2014 emails will not be sent in dev.");
+      return null;
+    }
+  })();
+  return _devSendPromise;
+}
+async function sendEmail(config, payload) {
+  if (config.email) {
+    await config.email.send(payload);
+    return;
+  }
+  if (process.env.NODE_ENV !== "production") {
+    const devSend = await getDevSend();
+    await devSend?.(payload);
+  }
+}
+function buildWelcomeEmail(config, args) {
+  const custom = config.email?.templates?.welcome?.(args);
+  return {
+    subject: custom?.subject ?? "Welcome \u2014 your account is ready",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto">
+        <h2>Welcome!</h2>
+        <p>Your account has been created. You can now log in with:</p>
+        <p><strong>${args.email}</strong></p>
+      </div>`
+  };
+}
+function buildInviteEmail(config, args) {
+  const custom = config.email?.templates?.invite?.(args);
+  return {
+    subject: custom?.subject ?? "You've been invited",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto">
+        <h2>You've been invited</h2>
+        ${args.invitedByEmail ? `<p>Invited by <strong>${args.invitedByEmail}</strong>.</p>` : ""}
+        <p>Use the token below to accept your invitation. It expires in 7 days.</p>
+        <pre style="background:#f4f4f4;padding:12px;border-radius:4px;word-break:break-all">${args.token}</pre>
+      </div>`
+  };
+}
+function buildResetPasswordEmail(config, args) {
+  const custom = config.email?.templates?.resetPassword?.(args);
+  const resetLink = args.url;
+  return {
+    subject: custom?.subject ?? "Reset your password",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto;padding:20px;border:1px solid #e5e7eb;border-radius:12px;background-color:#ffffff">
+        <h2 style="font-size:20px;font-weight:600;color:#111827;margin-bottom:16px">Reset your password</h2>
+        <p style="font-size:14px;color:#4b5563;line-height:1.5;margin-bottom:24px">
+          We received a request to reset your password. Use the button below to set a new password. It will expire in 1 hour.
+        </p>
+        ${resetLink ? `
+        <div style="margin-bottom:28px">
+          <a href="${resetLink}" style="display:inline-block;background-color:#111827;color:#ffffff;font-size:14px;font-weight:500;padding:10px 24px;text-decoration:none;border-radius:6px">
+            Reset Password
+          </a>
+        </div>
+        ` : ""}
+        <p style="font-size:12px;color:#9ca3af;margin-bottom:8px">Or copy and paste this token manually in the admin dashboard:</p>
+        <table cellpadding="0" cellspacing="0" border="0" style="width:100%;background-color:#f3f4f6;border-radius:6px;margin:0;table-layout:fixed">
+          <tr>
+            <td style="padding:12px;font-family:monospace;font-size:12px;color:#374151;word-break:break-all;white-space:normal;line-height:1.4">
+              ${args.token}
+            </td>
+          </tr>
+        </table>
+      </div>`
+  };
+}
+function buildPasswordChangedEmail(config, args) {
+  const custom = config.email?.templates?.passwordChanged?.(args);
+  return {
+    subject: custom?.subject ?? "Your password has been changed",
+    html: custom?.html ?? `
+      <div style="font-family:sans-serif;max-width:600px;margin:0 auto">
+        <h2>Password changed</h2>
+        <p>The password for <strong>${args.email}</strong> was just changed.</p>
+        <p>If you did not make this change, please contact support immediately.</p>
+      </div>`
+  };
+}
+// src/controllers/auth.controller.ts
+var AuthController = class {
+  collection;
+  constructor(collection) {
+    this.collection = collection;
+  }
+  // ---------------------------------------------------------------------------
+  // GET /init
+  // Checks if the first user needs to be created.
+  // ---------------------------------------------------------------------------
+  async init(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const result = await db.find({
+      collection: this.collection.slug,
+      limit: 1
+    });
+    return c.json({
+      initialized: result.total > 0
+    });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /first-user
+  // Creates the first user if none exist.
+  // ---------------------------------------------------------------------------
+  async registerFirstUser(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const check = await db.find({
+      collection: this.collection.slug,
+      limit: 1
+    });
+    if (check.total > 0) {
+      return c.json({ error: true, message: "Initial user already exists." }, 403);
+    }
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email || !body?.password) {
+      return c.json({ error: true, message: "email and password are required." }, 400);
+    }
+    const hashedPassword = await hashPassword(body.password);
+    const user = await db.create({
+      collection: this.collection.slug,
+      data: {
+        ...body,
+        password: hashedPassword,
+        roles: ["admin"]
+        // Default first user to admin
+      }
+    });
+    const token = await signCollectionToken({
+      sub: user.id,
+      email: user.email,
+      collection: this.collection.slug
+    });
+    const { subject, html } = buildWelcomeEmail(config, { email: body.email });
+    sendEmail(config, { to: body.email, subject, html }).catch(
+      (err) => console.error("[dyrected/core] Failed to send welcome email:", err)
+    );
+    const { password: _, ...safeUser } = user;
+    return c.json({ token, user: safeUser });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /login
+  // ---------------------------------------------------------------------------
+  async login(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email || !body?.password) {
+      return c.json({ error: true, message: "email and password are required." }, 400);
+    }
+    const result = await db.find({
+      collection: this.collection.slug,
+      where: { email: body.email },
+      limit: 1
+    });
+    const user = result.docs[0];
+    if (!user) {
+      return c.json({ error: true, message: "Invalid email or password." }, 401);
+    }
+    const valid = await verifyPassword(body.password, user.password);
+    if (!valid) {
+      return c.json({ error: true, message: "Invalid email or password." }, 401);
+    }
+    const token = await signCollectionToken({
+      sub: user.id,
+      email: user.email,
+      collection: this.collection.slug
+    });
+    const { password: _, ...safeUser } = user;
+    return c.json({ token, user: safeUser });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /logout
+  // Auth collections use stateless JWTs — logout is handled client-side.
+  // This endpoint exists so clients have a consistent API surface.
+  // ---------------------------------------------------------------------------
+  async logout(c) {
+    return c.json({ success: true, message: "Logged out. Discard your token." });
+  }
+  // ---------------------------------------------------------------------------
+  // GET /me
+  // ---------------------------------------------------------------------------
+  async me(c) {
+    const db = c.get("config").db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const requestUser = c.get("user");
+    if (!requestUser) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    const user = await db.findOne({ collection: this.collection.slug, id: requestUser.sub });
+    if (!user) {
+      return c.json({ error: true, message: "User not found." }, 404);
+    }
+    const { password: _, ...safeUser } = user;
+    return c.json(safeUser);
+  }
+  // ---------------------------------------------------------------------------
+  // POST /refresh-token
+  // ---------------------------------------------------------------------------
+  async refreshToken(c) {
+    const requestUser = c.get("user");
+    if (!requestUser) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    const token = await signCollectionToken({
+      sub: requestUser.sub,
+      email: requestUser.email,
+      collection: this.collection.slug
+    });
+    return c.json({ token });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /forgot-password
+  // Requires config.email to be set. Silently succeeds if email not found
+  // to prevent email enumeration.
+  // ---------------------------------------------------------------------------
+  async forgotPassword(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email) {
+      return c.json({ error: true, message: "email is required." }, 400);
+    }
+    const result = await db.find({
+      collection: this.collection.slug,
+      where: { email: body.email },
+      limit: 1
+    });
+    const user = result.docs[0];
+    if (user) {
+      const resetToken = await signCollectionToken(
+        { sub: user.id, email: user.email, collection: this.collection.slug, purpose: "reset" },
+        "1h"
+      );
+      const resetUrl = body?.resetUrl;
+      const url = resetUrl ? `${resetUrl}${resetUrl.includes("?") ? "&" : "?"}token=${encodeURIComponent(resetToken)}` : void 0;
+      try {
+        const { subject, html } = buildResetPasswordEmail(config, { token: resetToken, url });
+        await sendEmail(config, { to: user.email, subject, html });
+      } catch (err) {
+        console.error("[dyrected/core] Failed to send password reset email:", err);
+      }
+    }
+    return c.json({
+      success: true,
+      message: "If an account with that email exists, a reset link has been sent."
+    });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /reset-password
+  // Expects { token: string, password: string } in body.
+  // The token is the reset JWT issued by /forgot-password.
+  // ---------------------------------------------------------------------------
+  async resetPassword(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.token || !body?.password) {
+      return c.json({ error: true, message: "token and password are required." }, 400);
+    }
+    let payload;
+    try {
+      payload = await verifyCollectionToken(body.token);
+    } catch {
+      return c.json({ error: true, message: "Reset token is invalid or has expired." }, 400);
+    }
+    if (payload.collection !== this.collection.slug || payload.purpose !== "reset") {
+      return c.json({ error: true, message: "Reset token is invalid or has expired." }, 400);
+    }
+    const hashedPassword = await hashPassword(body.password);
+    await db.update({
+      collection: this.collection.slug,
+      id: payload.sub,
+      data: { password: hashedPassword }
+    });
+    const { subject, html } = buildPasswordChangedEmail(config, { email: payload.email });
+    sendEmail(config, { to: payload.email, subject, html }).catch(
+      (err) => console.error("[dyrected/core] Failed to send password-changed email:", err)
+    );
+    return c.json({ success: true, message: "Password has been reset. You can now log in." });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /invite
+  // Requires auth. Issues a signed invite token and emails it to the invitee.
+  // ---------------------------------------------------------------------------
+  async invite(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const requestUser = c.get("user");
+    if (!requestUser) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    const body = await c.req.json().catch(() => null);
+    if (!body?.email) {
+      return c.json({ error: true, message: "email is required." }, 400);
+    }
+    const existing = await db.find({
+      collection: this.collection.slug,
+      where: { email: body.email },
+      limit: 1
+    });
+    if (existing.total > 0) {
+      return c.json({ error: true, message: "An account with that email already exists." }, 409);
+    }
+    const inviteToken = await signCollectionToken(
+      { sub: body.email, email: body.email, collection: this.collection.slug, purpose: "invite" },
+      "7d"
+    );
+    try {
+      const { subject, html } = buildInviteEmail(config, {
+        token: inviteToken,
+        invitedByEmail: requestUser.email
+      });
+      await sendEmail(config, { to: body.email, subject, html });
+    } catch (err) {
+      console.error("[dyrected/core] Failed to send invite email:", err);
+    }
+    return c.json({ success: true, message: `Invite sent to ${body.email}.` });
+  }
+  // ---------------------------------------------------------------------------
+  // POST /accept-invite
+  // Public. Validates the invite token and creates the user account.
+  // Body: { token, password, ...extraFields }
+  // ---------------------------------------------------------------------------
+  async acceptInvite(c) {
+    const config = c.get("config");
+    const db = config.db;
+    if (!db) return c.json({ message: "Database not configured" }, 500);
+    const body = await c.req.json().catch(() => null);
+    if (!body?.token || !body?.password) {
+      return c.json({ error: true, message: "token and password are required." }, 400);
+    }
+    let payload;
+    try {
+      payload = await verifyCollectionToken(body.token);
+    } catch {
+      return c.json({ error: true, message: "Invite token is invalid or has expired." }, 400);
+    }
+    if (payload.collection !== this.collection.slug || payload.purpose !== "invite") {
+      return c.json({ error: true, message: "Invite token is invalid or has expired." }, 400);
+    }
+    const inviteeEmail = payload.sub;
+    const existing = await db.find({
+      collection: this.collection.slug,
+      where: { email: inviteeEmail },
+      limit: 1
+    });
+    if (existing.total > 0) {
+      return c.json({ error: true, message: "An account with that email already exists." }, 409);
+    }
+    const { token: _t, password: _p, ...extraFields } = body;
+    const hashedPassword = await hashPassword(body.password);
+    const user = await db.create({
+      collection: this.collection.slug,
+      data: { ...extraFields, email: inviteeEmail, password: hashedPassword }
+    });
+    const sessionToken = await signCollectionToken({
+      sub: user.id,
+      email: inviteeEmail,
+      collection: this.collection.slug
+    });
+    const { subject, html } = buildWelcomeEmail(config, { email: inviteeEmail });
+    sendEmail(config, { to: inviteeEmail, subject, html }).catch(
+      (err) => console.error("[dyrected/core] Failed to send welcome email:", err)
+    );
+    const { password: _, ...safeUser } = user;
+    return c.json({ token: sessionToken, user: safeUser }, 201);
+  }
+};
+// src/controllers/preview.controller.ts
+import { SignJWT as SignJWT2, jwtVerify as jwtVerify2 } from "jose";
+import { TextEncoder as TextEncoder2 } from "util";
+var PreviewController = class {
+  getSecret() {
+    const secret = process.env.DYRECTED_JWT_SECRET || process.env.JWT_SECRET || "dyrected-preview-secret-change-me";
+    return new TextEncoder2().encode(secret);
+  }
+  /**
+   * POST /api/preview-token
+   * Generates a short-lived token for previewing unsaved data.
+   */
+  async createToken(c) {
+    const body = await c.req.json().catch(() => null);
+    if (!body?.collectionSlug || !body?.data) {
+      return c.json({ error: true, message: "collectionSlug and data are required." }, 400);
+    }
+    const token = await new SignJWT2({
+      collectionSlug: body.collectionSlug,
+      documentId: body.documentId,
+      data: body.data
+    }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime("15m").sign(this.getSecret());
+    const expiresAt = new Date(Date.now() + 15 * 60 * 1e3).toISOString();
+    return c.json({ token, expiresAt });
+  }
+  /**
+   * GET /api/preview-data?token=<jwt>
+   * Returns the data stored in the preview token.
+   */
+  async getData(c) {
+    const token = c.req.query("token");
+    if (!token) {
+      return c.json({ error: true, message: "token query parameter is required." }, 400);
+    }
+    try {
+      const { payload } = await jwtVerify2(token, this.getSecret());
+      return c.json(payload);
+    } catch (err) {
+      return c.json({ error: true, message: "Invalid or expired preview token." }, 401);
+    }
+  }
+};
+// src/middleware/auth.ts
+function requireAuth() {
+  return async (c, next) => {
+    const authHeader = c.req.header("Authorization");
+    const token = authHeader?.replace(/^Bearer\s+/i, "");
+    if (!token) {
+      return c.json({ error: true, message: "Authentication required." }, 401);
+    }
+    try {
+      const user = await verifyCollectionToken(token);
+      c.set("user", user);
+      await next();
+    } catch {
+      return c.json({ error: true, message: "Invalid or expired token." }, 401);
+    }
+  };
+}
+function optionalAuth() {
+  return async (c, next) => {
+    const authHeader = c.req.header("Authorization");
+    const token = authHeader?.replace(/^Bearer\s+/i, "");
+    if (token) {
+      try {
+        const user = await verifyCollectionToken(token);
+        c.set("user", user);
+      } catch {
+      }
+    }
+    await next();
+  };
+}
+// src/utils/openapi.ts
+function generateOpenApi(config) {
+  const spec = {
+    openapi: "3.0.0",
+    info: {
+      title: "Dyrected API",
+      version: "1.0.0",
+      description: "Automatically generated OpenAPI specification for the Dyrected project."
+    },
+    components: {
+      schemas: {},
+      securitySchemes: {
+        ApiKeyAuth: {
+          type: "apiKey",
+          in: "header",
+          name: "x-api-key"
+        }
+      }
+    },
+    paths: {},
+    security: [{ ApiKeyAuth: [] }]
+  };
+  for (const collection of config.collections) {
+    spec.components.schemas[collection.slug] = collectionToSchema(collection);
+  }
+  for (const global of config.globals) {
+    spec.components.schemas[global.slug] = globalToSchema(global);
+  }
+  for (const collection of config.collections) {
+    const slug = collection.slug;
+    const path = `/api/collections/${slug}`;
+    const labels = collection.labels || { singular: slug, plural: `${slug}s` };
+    spec.paths[path] = {
+      get: {
+        tags: ["Collections"],
+        summary: `Find ${labels.plural}`,
+        parameters: [
+          { name: "limit", in: "query", schema: { type: "integer", default: 10 } },
+          { name: "page", in: "query", schema: { type: "integer", default: 1 } },
+          { name: "where", in: "query", schema: { type: "string" }, description: "JSON filter" },
+          { name: "sort", in: "query", schema: { type: "string" }, description: "Sort field (e.g. -createdAt)" }
+        ],
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: {
+                  type: "object",
+                  properties: {
+                    docs: { type: "array", items: { $ref: `#/components/schemas/${slug}` } },
+                    total: { type: "integer" },
+                    limit: { type: "integer" },
+                    page: { type: "integer" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      post: {
+        tags: ["Collections"],
+        summary: `Create ${labels.singular}`,
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: { $ref: `#/components/schemas/${slug}` }
+            }
+          }
+        },
+        responses: {
+          201: {
+            description: "Created",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      }
+    };
+    spec.paths[`${path}/{id}`] = {
+      get: {
+        tags: ["Collections"],
+        summary: `Get a single ${labels.singular}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      },
+      patch: {
+        tags: ["Collections"],
+        summary: `Update ${labels.singular}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: { $ref: `#/components/schemas/${slug}` }
+            }
+          }
+        },
+        responses: {
+          200: {
+            description: "Updated",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      },
+      delete: {
+        tags: ["Collections"],
+        summary: `Delete ${labels.singular}`,
+        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
+        responses: {
+          204: { description: "Deleted" }
+        }
+      }
+    };
+  }
+  for (const global of config.globals) {
+    const slug = global.slug;
+    const path = `/api/globals/${slug}`;
+    spec.paths[path] = {
+      get: {
+        tags: ["Globals"],
+        summary: `Get ${global.label || slug}`,
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      },
+      patch: {
+        tags: ["Globals"],
+        summary: `Update ${global.label || slug}`,
+        requestBody: {
+          required: true,
+          content: {
+            "application/json": {
+              schema: { $ref: `#/components/schemas/${slug}` }
+            }
+          }
+        },
+        responses: {
+          200: {
+            description: "Updated",
+            content: {
+              "application/json": {
+                schema: { $ref: `#/components/schemas/${slug}` }
+              }
+            }
+          }
+        }
+      }
+    };
+  }
+  if (config.storage) {
+    spec.paths["/api/media"] = {
+      get: {
+        tags: ["Media"],
+        summary: "List Media",
+        responses: {
+          200: {
+            description: "Success",
+            content: {
+              "application/json": {
+                schema: {
+                  type: "object",
+                  properties: {
+                    docs: { type: "array", items: { type: "object", additionalProperties: true } }
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      post: {
+        tags: ["Media"],
+        summary: "Upload Media",
+        requestBody: {
+          content: {
+            "multipart/form-data": {
+              schema: {
+                type: "object",
+                properties: {
+                  file: { type: "string", format: "binary" }
+                }
+              }
+            }
+          }
+        },
+        responses: {
+          201: { description: "Uploaded" }
+        }
+      }
+    };
+  }
+  return spec;
+}
+function collectionToSchema(collection) {
+  const { properties, required } = fieldsToProperties(collection.fields);
+  return {
+    type: "object",
+    properties: {
+      id: { type: "string" },
+      createdAt: { type: "string", format: "date-time" },
+      updatedAt: { type: "string", format: "date-time" },
+      ...properties
+    },
+    required: ["id", ...required]
+  };
+}
+function globalToSchema(global) {
+  const { properties, required } = fieldsToProperties(global.fields);
+  return {
+    type: "object",
+    properties,
+    required
+  };
+}
+function fieldsToProperties(fields) {
+  const props = {};
+  const required = [];
+  for (const field of fields) {
+    if (!field.name || field.type === "join" || field.type === "row") continue;
+    props[field.name] = fieldToSchema(field);
+    if (field.required) {
+      required.push(field.name);
+    }
+  }
+  return { properties: props, required };
+}
+function fieldToSchema(field) {
+  let schema = {};
+  switch (field.type) {
+    case "text":
+    case "textarea":
+    case "email":
+    case "url":
+      schema = { type: "string" };
+      break;
+    case "number":
+      schema = { type: "number" };
+      break;
+    case "boolean":
+      schema = { type: "boolean" };
+      break;
+    case "date":
+      schema = { type: "string", format: "date-time" };
+      break;
+    case "select":
+    case "radio":
+      schema = { type: "string", enum: Array.isArray(field.options) ? field.options.map((o) => typeof o === "string" ? o : o.value) : void 0 };
+      break;
+    case "multiSelect":
+      schema = {
+        type: "array",
+        items: { type: "string", enum: Array.isArray(field.options) ? field.options.map((o) => typeof o === "string" ? o : o.value) : void 0 }
+      };
+      break;
+    case "relationship":
+      schema = { type: "string", description: `ID of a ${field.relationTo} record` };
+      break;
+    case "object": {
+      const { properties, required } = fieldsToProperties(field.fields || []);
+      schema = { type: "object", properties, required };
+      break;
+    }
+    case "array": {
+      const { properties, required } = fieldsToProperties(field.fields || []);
+      schema = { type: "array", items: { type: "object", properties, required } };
+      break;
+    }
+    case "json":
+    case "richText":
+      schema = { type: "object", additionalProperties: true };
+      break;
+    case "blocks":
+      schema = {
+        type: "array",
+        items: {
+          oneOf: field.blocks?.map((block) => {
+            const { properties, required } = fieldsToProperties(block.fields);
+            return {
+              type: "object",
+              properties: {
+                blockType: { type: "string", enum: [block.slug] },
+                ...properties
+              },
+              required: ["blockType", ...required]
+            };
+          })
+        }
+      };
+      break;
+    default:
+      schema = { type: "string" };
+  }
+  if (field.label) schema.description = field.label;
+  return schema;
+}
+// src/utils/swagger.ts
+function getSwaggerHtml(specUrl = "/api/openapi.json") {
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <meta name="description" content="SwaggerUI" />
+  <title>Dyrected API Documentation</title>
+  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui.css" />
+</head>
+<body>
+<div id="swagger-ui"></div>
+<script src="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-bundle.js" charset="UTF-8"></script>
+<script src="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-standalone-preset.js" charset="UTF-8"></script>
+<script>
+  window.onload = () => {
+    // Forward the apikey query param when loading the spec and making API calls
+    const params = new URLSearchParams(window.location.search);
+    const apiKey = params.get('apikey');
+    const specUrlWithKey = apiKey ? '${specUrl}?apikey=' + encodeURIComponent(apiKey) : '${specUrl}';
+    window.ui = SwaggerUIBundle({
+      url: specUrlWithKey,
+      dom_id: '#swagger-ui',
+      presets: [
+        SwaggerUIBundle.presets.apis,
+        SwaggerUIStandalonePreset
+      ],
+      layout: "BaseLayout",
+      deepLinking: true,
+      showExtensions: true,
+      showCommonExtensions: true,
+      // Inject x-api-key header on every request made from the Swagger UI
+      requestInterceptor: (request) => {
+        if (apiKey) {
+          request.headers['x-api-key'] = apiKey;
+        }
+        return request;
+      }
+    });
+  };
+</script>
+</body>
+</html>
+  `;
+}
+// src/auth/jexl.ts
+import jexl from "jexl";
+async function evaluateAccess(expression, context) {
+  if (expression === void 0 || expression === null) return false;
+  if (typeof expression === "boolean") return expression;
+  try {
+    const result = await jexl.eval(expression, context);
+    return !!result;
+  } catch (err) {
+    console.error("[dyrected/core] Jexl evaluation failed:", err);
+    return false;
+  }
+}
+// src/router.ts
+function accessGate(target, action) {
+  return async (c, next) => {
+    const user = c.get("user");
+    const accessExpr = target.access?.[action];
+    if (accessExpr === void 0 || accessExpr === null) {
+      return await next();
+    }
+    const accessArgs = { user, req: c.req, doc: null };
+    const allowed = await evaluateAccess(accessExpr, accessArgs);
+    if (!allowed) {
+      return c.json({ error: true, message: `Access denied: ${action} on ${target.slug}` }, 403);
+    }
+    await next();
+  };
+}
+async function checkAccess(access, accessArgs) {
+  if (access === void 0 || access === null) return true;
+  if (typeof access === "function") {
+    try {
+      const result = await access(accessArgs);
+      return typeof result === "boolean" ? result : !!result;
+    } catch (err) {
+      console.error("[dyrected/core] Functional access check failed:", err);
+      return false;
+    }
+  }
+  if (typeof access === "string" || typeof access === "boolean") {
+    return evaluateAccess(access, accessArgs);
+  }
+  return true;
+}
+function serializeFieldForApi(f) {
+  if (!f) return f;
+  const serialized = { ...f };
+  if (serialized.admin?.hooks) {
+    const hooks = { ...serialized.admin.hooks };
+    if (typeof hooks.onChange === "function") {
+      hooks.onChange = hooks.onChange.toString();
+    }
+    if (typeof hooks.options === "function") {
+      hooks.options = hooks.options.toString();
+    }
+    serialized.admin = { ...serialized.admin, hooks };
+  }
+  if (typeof serialized.options === "function" || serialized.options && typeof serialized.options === "object" && "resolve" in serialized.options) {
+    serialized.options = { _dynamic: true };
+  }
+  if (serialized.fields) {
+    serialized.fields = serialized.fields.map(serializeFieldForApi);
+  }
+  if (serialized.blocks) {
+    serialized.blocks = serialized.blocks.map((b) => ({
+      ...b,
+      fields: b.fields?.map(serializeFieldForApi)
+    }));
+  }
+  return serialized;
+}
+function registerRoutes(app, config) {
+  app.get("/api/schemas", optionalAuth(), async (c) => {
+    const siteId = c.req.header("X-Site-Id");
+    let collections = [...config.collections];
+    let globals = [...config.globals];
+    if (siteId && config.onSchemaFetch) {
+      const dynamic = await config.onSchemaFetch(siteId);
+      if (dynamic.collections) collections = [...collections, ...dynamic.collections];
+      if (dynamic.globals) globals = [...globals, ...dynamic.globals];
+      if (dynamic.admin) {
+        config.admin = { ...config.admin, ...dynamic.admin };
+      }
+    }
+    const user = c.get("user");
+    const accessArgs = { user, req: c.req, doc: null };
+    const serializeAccess = async (access) => {
+      if (typeof access === "string") return access;
+      if (typeof access === "boolean") return access;
+      return checkAccess(access, accessArgs);
+    };
+    const filteredCollections = await Promise.all(collections.filter((col) => !siteId || col.shared || !col.siteId || col.siteId === siteId).map(async (col) => ({
+      slug: col.slug,
+      labels: col.labels,
+      access: {
+        read: await serializeAccess(col.access?.read),
+        create: await serializeAccess(col.access?.create),
+        update: await serializeAccess(col.access?.update),
+        delete: await serializeAccess(col.access?.delete)
+      },
+      fields: await Promise.all(col.fields.map(serializeFieldForApi).map(async (f) => ({
+        name: f.name,
+        type: f.type,
+        label: f.label,
+        required: f.required,
+        defaultValue: f.defaultValue,
+        options: f.options,
+        relationTo: f.relationTo,
+        hasMany: f.hasMany,
+        fields: f.fields,
+        blocks: f.blocks,
+        admin: f.admin,
+        access: {
+          read: await serializeAccess(f.access?.read),
+          update: await serializeAccess(f.access?.update)
+        }
+      }))),
+      upload: !!col.upload,
+      auth: !!col.auth,
+      admin: col.admin
+    })));
+    const filteredGlobals = await Promise.all(globals.filter((glb) => !siteId || glb.shared || !glb.siteId || glb.siteId === siteId).map(async (glb) => ({
+      slug: glb.slug,
+      label: glb.label,
+      access: {
+        read: await serializeAccess(glb.access?.read),
+        update: await serializeAccess(glb.access?.update)
+      },
+      fields: await Promise.all(glb.fields.map(serializeFieldForApi).map(async (f) => ({
+        name: f.name,
+        type: f.type,
+        label: f.label,
+        required: f.required,
+        defaultValue: f.defaultValue,
+        options: f.options,
+        relationTo: f.relationTo,
+        hasMany: f.hasMany,
+        fields: f.fields,
+        blocks: f.blocks,
+        admin: f.admin,
+        access: {
+          read: await serializeAccess(f.access?.read),
+          update: await serializeAccess(f.access?.update)
+        }
+      }))),
+      admin: glb.admin
+    })));
+    return c.json({
+      collections: filteredCollections,
+      globals: filteredGlobals,
+      admin: config.admin || {}
+    });
+  });
+  app.get("/api/dyrected/options/:collection/:field", optionalAuth(), async (c) => {
+    const { collection: colSlug, field: fieldName } = c.req.param();
+    const siteId = c.req.header("X-Site-Id");
+    let collections = [...config.collections];
+    if (siteId && config.onSchemaFetch) {
+      const dynamic = await config.onSchemaFetch(siteId);
+      if (dynamic.collections) collections = [...collections, ...dynamic.collections];
+    }
+    const user = c.get("user");
+    let collection = collections.find((col) => col.slug === colSlug);
+    let field;
+    if (collection) {
+      const accessExpr = collection.access?.read;
+      if (accessExpr !== void 0 && accessExpr !== null) {
+        const accessArgs = { user, req: c.req, doc: null };
+        const allowed = await checkAccess(accessExpr, accessArgs);
+        if (!allowed) {
+          return c.json({ error: true, message: `Access denied: read on ${colSlug}` }, 403);
+        }
+      }
+      field = collection.fields.find((f) => f.name === fieldName);
+    } else {
+      let globals = [...config.globals];
+      if (siteId && config.onSchemaFetch) {
+        const dynamic = await config.onSchemaFetch(siteId);
+        if (dynamic.globals) globals = [...globals, ...dynamic.globals];
+      }
+      const glb = globals.find((g) => g.slug === colSlug);
+      if (!glb) {
+        return c.json({ error: true, message: `${colSlug} not found as collection or global` }, 404);
+      }
+      const accessExpr = glb.access?.read;
+      if (accessExpr !== void 0 && accessExpr !== null) {
+        const accessArgs = { user, req: c.req, doc: null };
+        const allowed = await checkAccess(accessExpr, accessArgs);
+        if (!allowed) {
+          return c.json({ error: true, message: `Access denied: read on global ${colSlug}` }, 403);
+        }
+      }
+      field = glb.fields.find((f) => f.name === fieldName);
+    }
+    if (!field) {
+      return c.json({ error: true, message: `Field ${fieldName} not found in ${colSlug}` }, 404);
+    }
+    let resolver;
+    if (typeof field.options === "function") {
+      resolver = field.options;
+    } else if (field.options && typeof field.options === "object" && "resolve" in field.options) {
+      resolver = field.options.resolve;
+    }
+    if (!resolver) {
+      return c.json({ error: true, message: `Field ${fieldName} in ${colSlug} is not dynamic` }, 400);
+    }
+    try {
+      const db = c.get("db") || config.db;
+      const queryParams = c.req.query();
+      const reqContext = {
+        query: queryParams,
+        headers: c.req.header(),
+        raw: c.req.raw
+      };
+      const result = await resolver({
+        db,
+        user,
+        req: reqContext
+      });
+      return c.json(result);
+    } catch (err) {
+      console.error(`[dyrected/core] Failed to resolve dynamic options for field ${fieldName}:`, err);
+      return c.json({ error: true, message: err.message || "Failed to resolve dynamic options" }, 500);
+    }
+  });
+  app.get("/api/openapi.json", (c) => {
+    return c.json(generateOpenApi(config));
+  });
+  app.get("/api/docs", (c) => {
+    return c.html(getSwaggerHtml());
+  });
+  app.get("/api/media/:filename{.+$}", async (c) => {
+    const mediaController = new MediaController("media");
+    return mediaController.serve(c);
+  });
+  app.get("/media/:filename{.+$}", async (c) => {
+    const mediaController = new MediaController("media");
+    return mediaController.serve(c);
+  });
+  if (config.storage) {
+    const uploadCollections = config.collections.filter((c) => c.upload);
+    for (const col of uploadCollections) {
+      const mediaController = new MediaController(col.slug);
+      const prefix = `/api/collections/${col.slug}`;
+      app.get(`${prefix}/media`, accessGate(col, "read"), (c) => mediaController.find(c));
+      app.get(`${prefix}/media/:filename{.+$}`, (c) => mediaController.serve(c));
+      app.post(`${prefix}/media`, accessGate(col, "create"), (c) => mediaController.upload(c));
+      app.delete(`${prefix}/media/:id`, accessGate(col, "delete"), (c) => mediaController.delete(c));
+    }
+  }
+  for (const collection of config.collections) {
+    if (!collection.auth) continue;
+    const path = `/api/collections/${collection.slug}`;
+    const authController = new AuthController(collection);
+    app.post(`${path}/login`, (c) => authController.login(c));
+    app.post(`${path}/logout`, (c) => authController.logout(c));
+    app.get(`${path}/init`, (c) => authController.init(c));
+    app.post(`${path}/first-user`, (c) => authController.registerFirstUser(c));
+    app.get(`${path}/me`, requireAuth(), (c) => authController.me(c));
+    app.post(`${path}/refresh-token`, requireAuth(), (c) => authController.refreshToken(c));
+    app.post(`${path}/forgot-password`, (c) => authController.forgotPassword(c));
+    app.post(`${path}/reset-password`, (c) => authController.resetPassword(c));
+    app.post(`${path}/invite`, requireAuth(), (c) => authController.invite(c));
+    app.post(`${path}/accept-invite`, (c) => authController.acceptInvite(c));
+  }
+  for (const collection of config.collections) {
+    const path = `/api/collections/${collection.slug}`;
+    const controller = new CollectionController(collection);
+    app.get(path, accessGate(collection, "read"), (c) => controller.find(c));
+    app.post(path, accessGate(collection, "create"), (c) => controller.create(c));
+    app.post(`${path}/media`, accessGate(collection, "create"), (c) => controller.create(c));
+    app.delete(`${path}/delete-many`, accessGate(collection, "delete"), (c) => controller.deleteMany(c));
+    app.get(`${path}/:id`, accessGate(collection, "read"), (c) => controller.findOne(c));
+    app.patch(`${path}/:id`, accessGate(collection, "update"), (c) => controller.update(c));
+    app.delete(`${path}/:id`, accessGate(collection, "delete"), (c) => controller.delete(c));
+    app.post(`${path}/seed`, (c) => controller.seed(c));
+    if (collection.auth) {
+      app.post(`${path}/:id/change-password`, requireAuth(), (c) => controller.changePassword(c));
+    }
+  }
+  for (const global of config.globals) {
+    const path = `/api/globals/${global.slug}`;
+    const controller = new GlobalController(global);
+    app.get(path, accessGate(global, "read"), (c) => controller.get(c));
+    app.patch(path, accessGate(global, "update"), (c) => controller.update(c));
+    app.post(`${path}/seed`, (c) => controller.seed(c));
+  }
+  const previewController = new PreviewController();
+  app.post("/api/preview-token", requireAuth(), (c) => previewController.createToken(c));
+  app.get("/api/preview-data", (c) => previewController.getData(c));
+  app.all("/api/collections/:slug/:id?", async (c) => {
+    const slug = c.req.param("slug");
+    const id = c.req.param("id");
+    const siteId = c.req.header("X-Site-Id") || c.get("siteId");
+    const config2 = c.get("config");
+    if (config2.collections.some((col) => col.slug === slug)) {
+      return c.json({ message: "Method Not Allowed" }, 405);
+    }
+    if (config2.onSchemaFetch && siteId) {
+      const dynamic = await config2.onSchemaFetch(siteId);
+      let collection = dynamic.collections?.find((col) => col.slug === slug);
+      if (!collection && slug === "media") {
+        collection = {
+          slug: "media",
+          labels: { singular: "Media", plural: "Media" },
+          upload: true,
+          fields: []
+        };
+      }
+      if (collection) {
+        if (collection.auth && id) {
+          const authController = new AuthController(collection);
+          const method2 = c.req.method;
+          if (method2 === "POST" && id === "login") return authController.login(c);
+          if (method2 === "POST" && id === "logout") return authController.logout(c);
+          if (method2 === "GET" && id === "me") return authController.me(c);
+          if (method2 === "POST" && id === "refresh-token") return authController.refreshToken(c);
+          if (method2 === "POST" && id === "forgot-password") return authController.forgotPassword(c);
+          if (method2 === "POST" && id === "reset-password") return authController.resetPassword(c);
+        }
+        const controller = new CollectionController(collection);
+        const method = c.req.method;
+        if (id) {
+          if (method === "GET") return controller.findOne(c);
+          if (method === "PATCH") return controller.update(c);
+          if (method === "DELETE" && id === "delete-many") return controller.deleteMany(c);
+          if (method === "DELETE") return controller.delete(c);
+          if (method === "POST" && id === "media") return controller.create(c);
+          if (method === "POST" && id === "seed") return controller.seed(c);
+        } else {
+          if (method === "GET") return controller.find(c);
+          if (method === "POST") return controller.create(c);
+        }
+      }
+    }
+    return c.json({ message: `Collection "${slug}" not found` }, 404);
+  });
+  app.all("/api/globals/:slug", async (c) => {
+    const slug = c.req.param("slug");
+    const siteId = c.req.header("X-Site-Id") || c.get("siteId");
+    const config2 = c.get("config");
+    if (config2.globals.some((glb) => glb.slug === slug)) {
+      return c.json({ message: "Method Not Allowed" }, 405);
+    }
+    if (config2.onSchemaFetch && siteId) {
+      const dynamic = await config2.onSchemaFetch(siteId);
+      const global = dynamic.globals?.find((glb) => glb.slug === slug);
+      if (global) {
+        const controller = new GlobalController(global);
+        if (c.req.method === "GET") return controller.get(c);
+        if (c.req.method === "PATCH") return controller.update(c);
+      }
+    }
+    return c.json({ message: `Global "${slug}" not found` }, 404);
+  });
+}
+// src/app.ts
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+import { requestId } from "hono/request-id";
+async function createDyrectedApp(rawConfig) {
+  const config = normalizeConfig(rawConfig);
+  const app = new Hono();
+  if (config.db?.sync) {
+    await config.db.sync(config.collections, config.globals);
+  }
+  app.use("*", requestId());
+  app.use("*", optionalAuth());
+  app.use("*", async (c, next) => {
+    const start = Date.now();
+    await next();
+    const ms = Date.now() - start;
+    console.log(`[dyrected/api] ${c.req.method} ${c.req.path} ${c.res.status} - ${ms}ms`);
+  });
+  app.use("*", cors());
+  app.use("*", async (c, next) => {
+    c.set("config", config);
+    if (!c.get("siteId")) {
+      c.set("siteId", "default");
+    }
+    await next();
+  });
+  app.get("/health", (c) => c.json({ status: "ok", version: "0.0.1" }));
+  app.get("/routes", (c) => {
+    const routes = app.routes.map((r) => ({ method: r.method, path: r.path }));
+    return c.json({ routes });
+  });
+  app.onError((err, c) => {
+    console.error(`[dyrected/core] Uncaught Error:`, err);
+    return c.json({
+      message: err.message || "Internal Server Error",
+      stack: process.env.NODE_ENV === "development" ? err.stack : void 0
+    }, 500);
+  });
+  registerRoutes(app, config);
+  return app;
+}
+export {
+  normalizeConfig,
+  runCollectionHooks,
+  executeFieldBeforeChange,
+  executeFieldAfterRead,
+  CollectionController,
+  GlobalController,
+  MediaController,
+  AuthController,
+  PreviewController,
+  registerRoutes,
+  createDyrectedApp
+};