@dyrected/core 2.5.25 → 2.5.27

package/dist/index.cjs

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -17,20 +15,11 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
-  createDyrectedApp: () => createDyrectedApp,
   defineCollection: () => defineCollection,
   defineConfig: () => defineConfig,
   defineGlobal: () => defineGlobal,
@@ -1040,10 +1029,10 @@ function parseSqlWhere(where, getJsonField, placeholder = "?") {
   function buildSingleOp(c, op, operand) {
     switch (op) {
       case "equals":
-        params.push(operand);
+        params.push(typeof operand === "boolean" ? String(operand) : operand);
         return `${c} = ${next()}`;
       case "not_equals":
-        params.push(operand);
+        params.push(typeof operand === "boolean" ? String(operand) : operand);
         return `${c} != ${next()}`;
       case "in": {
         const vals = Array.isArray(operand) ? operand : [operand];
@@ -1328,2388 +1317,6 @@ async function executeFieldAfterRead(fields, doc, user, db) {
   return result;
 }
 
-// src/app.ts
-var import_hono = require("hono");
-var import_cors = require("hono/cors");
-var import_request_id = require("hono/request-id");
-
-// src/services/defaults.service.ts
-var DefaultsService = class {
-  /**
-   * Recursively apply default values to a data object based on field definitions.
-   */
-  static apply(fields, data = {}) {
-    const result = { ...data || {} };
-    fields.forEach((field) => {
-      if (field.type === "join") return;
-      if (field.type === "row" && field.fields) {
-        Object.assign(result, this.apply(field.fields, data));
-        return;
-      }
-      if (!field.name) return;
-      let value = result[field.name];
-      if ((value === void 0 || value === null) && field.renameTo) {
-        const legacyValue = result[field.renameTo];
-        if (legacyValue !== void 0 && legacyValue !== null) {
-          value = legacyValue;
-          result[field.name] = legacyValue;
-        }
-      }
-      if (value === void 0 || value === null) {
-        if (field.defaultValue !== void 0) {
-          result[field.name] = field.defaultValue;
-        } else {
-          if (field.type === "boolean") result[field.name] = false;
-          else if (field.type === "array") result[field.name] = [];
-          else if (field.type === "multiSelect") result[field.name] = [];
-          else if (field.type === "object") {
-            result[field.name] = this.apply(field.fields || [], {});
-          }
-        }
-      } else if (field.type === "object" && field.fields) {
-        result[field.name] = this.apply(field.fields, value);
-      } else if (field.type === "array" && field.fields && Array.isArray(value)) {
-        result[field.name] = value.map((item) => this.apply(field.fields, item));
-      }
-    });
-    return result;
-  }
-};
-
-// src/services/population.service.ts
-var PopulationService = class {
-  db;
-  collections;
-  constructor(db, collections) {
-    this.db = db;
-    this.collections = collections;
-  }
-  /**
-   * Recursively populate relationship fields in a document or array of documents.
-   */
-  async populate(args) {
-    const { data, fields, currentDepth = 0, maxDepth = 10 } = args;
-    if (currentDepth >= maxDepth || !data) {
-      return data;
-    }
-    if (Array.isArray(data)) {
-      return Promise.all(data.map((item) => this.populate({ ...args, data: item })));
-    }
-    const populatedDoc = { ...data };
-    for (const field of fields) {
-      if (field.type === "join" && field.collection && field.on && currentDepth === 0) {
-        const targetCollection = this.collections.find((c) => c.slug === field.collection);
-        if (targetCollection) {
-          const docId = populatedDoc.id;
-          if (docId) {
-            const where = { [field.on]: { equals: docId } };
-            const joinLimit = field.limit ?? 10;
-            const result = await this.db.find({
-              collection: field.collection,
-              where,
-              limit: joinLimit
-            });
-            const populatedDocs = await this.populate({
-              data: result.docs.map((doc) => DefaultsService.apply(targetCollection.fields, doc)),
-              fields: targetCollection.fields,
-              currentDepth: 1,
-              maxDepth
-            });
-            populatedDoc[field.name] = {
-              docs: populatedDocs,
-              hasNextPage: result.page * result.limit < result.total,
-              totalDocs: result.total
-            };
-          }
-        }
-        continue;
-      }
-      if (field.type === "row" && field.fields) {
-        const rowPopulated = await this.populate({ data, fields: field.fields, currentDepth, maxDepth });
-        Object.assign(populatedDoc, rowPopulated);
-        continue;
-      }
-      if (!field.name) continue;
-      const value = populatedDoc[field.name];
-      if (field.type === "relationship" && field.relationTo && value) {
-        const relatedCollection = this.collections.find((c) => c.slug === field.relationTo);
-        if (!relatedCollection) continue;
-        if (Array.isArray(value)) {
-          populatedDoc[field.name] = await Promise.all(
-            value.map(async (id) => {
-              if (!id) return id;
-              let doc = id;
-              if (typeof id === "string") {
-                doc = await this.db.findOne({ collection: field.relationTo, id });
-              }
-              if (!doc || typeof doc !== "object") return id;
-              const docWithDefaults = DefaultsService.apply(relatedCollection.fields, doc);
-              return this.populate({
-                data: docWithDefaults,
-                fields: relatedCollection.fields,
-                currentDepth: currentDepth + 1,
-                maxDepth
-              });
-            })
-          );
-        } else if (value) {
-          let doc = value;
-          if (typeof value === "string") {
-            doc = await this.db.findOne({ collection: field.relationTo, id: value });
-          }
-          if (doc && typeof doc === "object") {
-            const docWithDefaults = DefaultsService.apply(relatedCollection.fields, doc);
-            populatedDoc[field.name] = await this.populate({
-              data: docWithDefaults,
-              fields: relatedCollection.fields,
-              currentDepth: currentDepth + 1,
-              maxDepth
-            });
-          }
-        }
-      }
-      if (field.type === "url" && value && typeof value === "object" && value.type === "internal" && value.relationTo && value.value) {
-        const relatedCollection = this.collections.find((c) => c.slug === value.relationTo);
-        if (relatedCollection) {
-          const doc = await this.db.findOne({ collection: value.relationTo, id: value.value });
-          if (doc && typeof doc === "object") {
-            const docWithDefaults = DefaultsService.apply(relatedCollection.fields, doc);
-            const populatedDocValue = await this.populate({
-              data: docWithDefaults,
-              fields: relatedCollection.fields,
-              currentDepth: currentDepth + 1,
-              maxDepth
-            });
-            const identifier = docWithDefaults.slug || docWithDefaults.id;
-            const resolvedUrl = `/collections/${value.relationTo}/${identifier}`;
-            populatedDoc[field.name] = {
-              ...value,
-              url: resolvedUrl,
-              doc: populatedDocValue
-            };
-          }
-        }
-      }
-      if ((field.type === "array" || field.type === "object") && field.fields && value) {
-        populatedDoc[field.name] = await this.populate({
-          data: value,
-          fields: field.fields,
-          currentDepth,
-          // Nested fields don't consume depth, only relationships do
-          maxDepth
-        });
-      }
-      if (field.type === "blocks" && field.blocks && Array.isArray(value)) {
-        populatedDoc[field.name] = await Promise.all(
-          value.map(async (blockData) => {
-            const blockConfig = field.blocks.find((b) => b.slug === blockData.blockType);
-            if (!blockConfig) return blockData;
-            return this.populate({
-              data: blockData,
-              fields: blockConfig.fields,
-              currentDepth,
-              maxDepth
-            });
-          })
-        );
-      }
-    }
-    return populatedDoc;
-  }
-  /**
-   * Helper to populate a PaginatedResult
-   */
-  async populateResult(result, fields, maxDepth) {
-    if (maxDepth <= 0) return result;
-    const populatedDocs = await this.populate({
-      data: result.docs,
-      fields,
-      currentDepth: 0,
-      maxDepth
-    });
-    return {
-      ...result,
-      docs: populatedDocs
-    };
-  }
-};
-
-// src/services/audit.service.ts
-var AuditService = class {
-  /**
-   * Writes a single entry to the __audit collection.
-   * Called without await — runs asynchronously and never blocks the primary operation.
-   */
-  static async log(db, args) {
-    try {
-      await db.create({
-        collection: "__audit",
-        data: {
-          collection: args.collection,
-          documentId: args.documentId ?? null,
-          operation: args.operation,
-          user: args.user?.id ?? null,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-          changes: JSON.stringify({
-            before: args.before ?? null,
-            after: args.after ?? null
-          })
-        }
-      });
-    } catch (err) {
-      console.error("[dyrected/audit] Failed to write audit log:", err);
-    }
-  }
-};
-
-// src/auth/password.ts
-var import_node_util = require("util");
-var import_node_crypto = require("crypto");
-var scryptAsync = (0, import_node_util.promisify)(import_node_crypto.scrypt);
-var SALT_LEN = 16;
-var KEY_LEN = 64;
-async function hashPassword(plain) {
-  const salt = (0, import_node_crypto.randomBytes)(SALT_LEN).toString("hex");
-  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
-  return `${salt}:${derivedKey.toString("hex")}`;
-}
-async function verifyPassword(plain, stored) {
-  const [salt, storedHash] = stored.split(":");
-  if (!salt || !storedHash) return false;
-  const derivedKey = await scryptAsync(plain, salt, KEY_LEN);
-  const storedBuffer = Buffer.from(storedHash, "hex");
-  if (derivedKey.length !== storedBuffer.length) return false;
-  return (0, import_node_crypto.timingSafeEqual)(derivedKey, storedBuffer);
-}
-
-// src/utils/readonly-db.ts
-var WRITE_METHODS = ["create", "update", "delete", "updateGlobal", "execute"];
-function createReadonlyDb(db) {
-  return new Proxy(db, {
-    get(target, prop) {
-      if (WRITE_METHODS.includes(prop)) {
-        return () => {
-          throw new Error(
-            `[dyrected] Write operation "${String(prop)}" is not allowed in this hook phase. Use afterChange/afterDelete hooks for write operations.`
-          );
-        };
-      }
-      return Reflect.get(target, prop);
-    }
-  });
-}
-
-// src/controllers/collection.controller.ts
-var CollectionController = class {
-  collection;
-  constructor(collection) {
-    this.collection = collection;
-  }
-  async find(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const readonlyDb = createReadonlyDb(db);
-    const limit = Number(c.req.query("limit")) || 10;
-    const page = Number(c.req.query("page")) || 1;
-    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 2;
-    const sort = c.req.query("sort") || void 0;
-    const user = c.get("user");
-    let where = void 0;
-    const whereRaw = c.req.query("where");
-    if (whereRaw) {
-      try {
-        where = JSON.parse(decodeURIComponent(whereRaw));
-      } catch {
-      }
-    }
-    const beforeReadResult = await runCollectionHooks(this.collection.hooks?.beforeRead, {
-      req: c.req,
-      query: where,
-      user,
-      db: readonlyDb
-    });
-    if (beforeReadResult !== void 0) {
-      where = beforeReadResult;
-    }
-    let result = await db.find({
-      collection: this.collection.slug,
-      limit,
-      page,
-      sort,
-      where
-    });
-    if (result.total === 0 && this.collection.initialData && !where && page === 1) {
-      console.log(`[dyrected/core] Auto-seeding collection "${this.collection.slug}" from config.initialData`);
-      for (const data of this.collection.initialData) {
-        await db.create({ collection: this.collection.slug, data });
-      }
-      result = await db.find({
-        collection: this.collection.slug,
-        limit,
-        page,
-        sort,
-        where
-      });
-    }
-    result.docs = result.docs.map((doc) => DefaultsService.apply(this.collection.fields, doc));
-    const processedDocs = [];
-    for (const doc of result.docs) {
-      const docWithCollectionHooks = await runCollectionHooks(this.collection.hooks?.afterRead, {
-        doc,
-        req: c.req,
-        user,
-        db: readonlyDb
-      });
-      const docWithFieldHooks = await executeFieldAfterRead(this.collection.fields, docWithCollectionHooks, user, readonlyDb);
-      processedDocs.push(docWithFieldHooks);
-    }
-    result.docs = processedDocs;
-    if (depth > 0) {
-      const populationService = new PopulationService(db, config.collections);
-      result = await populationService.populateResult(result, this.collection.fields, depth);
-    }
-    return c.json(result);
-  }
-  async findOne(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const readonlyDb = createReadonlyDb(db);
-    const id = c.req.param("id");
-    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 10;
-    const user = c.get("user");
-    if (!id) return c.json({ message: "Missing ID" }, 400);
-    const doc = await db.findOne({ collection: this.collection.slug, id });
-    if (!doc) return c.json({ message: "Not Found" }, 404);
-    const docWithDefaults = DefaultsService.apply(this.collection.fields, doc);
-    const docWithCollectionHooks = await runCollectionHooks(this.collection.hooks?.afterRead, {
-      doc: docWithDefaults,
-      req: c.req,
-      user,
-      db: readonlyDb
-    });
-    const docWithFieldHooks = await executeFieldAfterRead(this.collection.fields, docWithCollectionHooks, user, readonlyDb);
-    if (depth > 0 && docWithFieldHooks) {
-      const populationService = new PopulationService(db, config.collections);
-      const populatedDoc = await populationService.populate({
-        data: docWithFieldHooks,
-        fields: this.collection.fields,
-        currentDepth: 0,
-        maxDepth: depth
-      });
-      return c.json(populatedDoc);
-    }
-    return c.json(docWithFieldHooks);
-  }
-  async create(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const readonlyDb = createReadonlyDb(db);
-    const contentType = c.req.header("Content-Type") || "";
-    if (contentType.toLowerCase().includes("multipart/form-data")) {
-      return this.upload(c);
-    }
-    const body = await c.req.json();
-    const user = c.get("user");
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    let data = {
-      ...body,
-      createdAt: now,
-      updatedAt: now,
-      createdBy: user?.sub ?? null,
-      updatedBy: user?.sub ?? null
-    };
-    if (this.collection.auth && data.password) {
-      data.password = await hashPassword(data.password);
-    }
-    data = await executeFieldBeforeChange(this.collection.fields, data, null, user, readonlyDb);
-    data = await runCollectionHooks(this.collection.hooks?.beforeChange, {
-      data,
-      req: c.req,
-      user,
-      operation: "create",
-      db: readonlyDb
-    });
-    const doc = await db.create({ collection: this.collection.slug, data });
-    if (this.collection.audit && db) {
-      AuditService.log(db, {
-        operation: "create",
-        collection: this.collection.slug,
-        documentId: doc.id,
-        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
-        before: null,
-        after: doc
-      });
-    }
-    await runCollectionHooks(this.collection.hooks?.afterChange, {
-      doc,
-      user,
-      req: c.req,
-      operation: "create",
-      db
-    }, { isolated: true });
-    const readDoc = await runCollectionHooks(this.collection.hooks?.afterRead, {
-      doc,
-      req: c.req,
-      user,
-      db: readonlyDb
-    });
-    const finalDoc = await executeFieldAfterRead(this.collection.fields, readDoc, user, readonlyDb);
-    return c.json(finalDoc, 201);
-  }
-  async upload(c) {
-    const config = c.get("config");
-    const storage = config.storage;
-    if (!storage) return c.json({ message: "Storage not configured" }, 500);
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const readonlyDb = createReadonlyDb(db);
-    const formData = await c.req.formData();
-    const file = formData.get("file");
-    if (!file) return c.json({ message: "No file uploaded" }, 400);
-    const buffer = new Uint8Array(await file.arrayBuffer());
-    const siteId = c.get("siteId");
-    const workspaceId = c.get("workspaceId");
-    const prefix = workspaceId ? `${workspaceId}/${siteId}` : siteId;
-    const fileData = await storage.upload({
-      filename: file.name,
-      buffer,
-      mimeType: file.type,
-      prefix
-    });
-    const otherData = {};
-    formData.forEach((value, key) => {
-      if (key !== "file" && typeof value === "string") {
-        otherData[key] = value;
-      }
-    });
-    const user = c.get("user");
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    let data = {
-      ...otherData,
-      ...fileData,
-      createdAt: now,
-      updatedAt: now,
-      createdBy: user?.sub ?? null,
-      updatedBy: user?.sub ?? null
-    };
-    data = await executeFieldBeforeChange(this.collection.fields, data, null, user, readonlyDb);
-    data = await runCollectionHooks(this.collection.hooks?.beforeChange, {
-      data,
-      req: c.req,
-      user,
-      operation: "create",
-      db: readonlyDb
-    });
-    const doc = await db.create({
-      collection: this.collection.slug,
-      data
-    });
-    await runCollectionHooks(this.collection.hooks?.afterChange, {
-      doc,
-      user,
-      req: c.req,
-      operation: "create",
-      db
-    }, { isolated: true });
-    const readDoc = await runCollectionHooks(this.collection.hooks?.afterRead, {
-      doc,
-      req: c.req,
-      user,
-      db: readonlyDb
-    });
-    const finalDoc = await executeFieldAfterRead(this.collection.fields, readDoc, user, readonlyDb);
-    return c.json(finalDoc, 201);
-  }
-  async update(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const readonlyDb = createReadonlyDb(db);
-    const id = c.req.param("id");
-    if (!id) return c.json({ message: "Missing ID" }, 400);
-    const body = await c.req.json();
-    const user = c.get("user");
-    let data = { ...body };
-    if (this.collection.auth) {
-      delete data.password;
-      delete data.oldPassword;
-      delete data.confirmPassword;
-    }
-    Object.assign(data, {
-      updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
-      updatedBy: user?.sub ?? null
-    });
-    const originalDoc = await db.findOne({ collection: this.collection.slug, id });
-    if (!originalDoc) return c.json({ message: "Not Found" }, 404);
-    let before = null;
-    if (this.collection.audit) {
-      before = originalDoc;
-    }
-    data = await executeFieldBeforeChange(this.collection.fields, data, originalDoc, user, readonlyDb);
-    data = await runCollectionHooks(this.collection.hooks?.beforeChange, {
-      data,
-      doc: originalDoc,
-      req: c.req,
-      user,
-      operation: "update",
-      db: readonlyDb
-    });
-    const doc = await db.update({ collection: this.collection.slug, id, data });
-    if (this.collection.audit && db) {
-      AuditService.log(db, {
-        operation: "update",
-        collection: this.collection.slug,
-        documentId: id,
-        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
-        before,
-        after: doc
-      });
-    }
-    await runCollectionHooks(this.collection.hooks?.afterChange, {
-      doc,
-      previousDoc: originalDoc,
-      user,
-      req: c.req,
-      operation: "update",
-      db
-    }, { isolated: true });
-    const readDoc = await runCollectionHooks(this.collection.hooks?.afterRead, {
-      doc,
-      req: c.req,
-      user,
-      db: readonlyDb
-    });
-    const finalDoc = await executeFieldAfterRead(this.collection.fields, readDoc, user, readonlyDb);
-    return c.json(finalDoc);
-  }
-  /**
-   * POST /api/collections/:slug/:id/change-password
-   *
-   * Dedicated endpoint for password changes. Requires the caller to supply:
-   *   { oldPassword, newPassword, confirmPassword }
-   *
-   * Rules:
-   *  - Only the account owner or an admin may change the password.
-   *  - Non-admin callers MUST provide a valid oldPassword.
-   *  - newPassword and confirmPassword must match.
-   */
-  async changePassword(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    if (!this.collection.auth) {
-      return c.json({ message: "This collection does not support authentication" }, 400);
-    }
-    const id = c.req.param("id");
-    if (!id) return c.json({ message: "Missing ID" }, 400);
-    const user = c.get("user");
-    if (!user) return c.json({ message: "Authentication required" }, 401);
-    const body = await c.req.json().catch(() => null);
-    const { oldPassword, newPassword, confirmPassword } = body ?? {};
-    if (!newPassword) {
-      return c.json({ message: "newPassword is required" }, 400);
-    }
-    if (newPassword !== confirmPassword) {
-      return c.json({ message: "Passwords do not match" }, 400);
-    }
-    if (newPassword.length < 8) {
-      return c.json({ message: "Password must be at least 8 characters" }, 400);
-    }
-    const isAdmin = Array.isArray(user.roles) && user.roles.includes("admin");
-    const isSelf = user.sub === id;
-    if (!isAdmin && !isSelf) {
-      return c.json({ message: "You are not authorised to change this password" }, 403);
-    }
-    if (!isAdmin) {
-      if (!oldPassword) {
-        return c.json({ message: "Current password is required" }, 400);
-      }
-      const existing = await db.findOne({ collection: this.collection.slug, id });
-      if (!existing) return c.json({ message: "User not found" }, 404);
-      const valid = await verifyPassword(oldPassword, existing.password);
-      if (!valid) {
-        return c.json({ message: "Invalid current password" }, 400);
-      }
-    }
-    const hashed = await hashPassword(newPassword);
-    const doc = await db.update({
-      collection: this.collection.slug,
-      id,
-      data: {
-        password: hashed,
-        updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
-        updatedBy: user.sub
-      }
-    });
-    if (this.collection.audit) {
-      AuditService.log(db, {
-        operation: "update",
-        collection: this.collection.slug,
-        documentId: id,
-        user: { id: user.sub, collection: user.collection, email: user.email },
-        before: null,
-        after: { id }
-      });
-    }
-    return c.json({ success: true, message: "Password updated successfully" });
-  }
-  async delete(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const readonlyDb = createReadonlyDb(db);
-    const id = c.req.param("id");
-    if (!id) return c.json({ message: "Missing ID" }, 400);
-    const user = c.get("user");
-    const doc = await db.findOne({ collection: this.collection.slug, id });
-    if (!doc) return c.json({ message: "Not Found" }, 404);
-    let before = null;
-    if (this.collection.audit) {
-      before = doc;
-    }
-    await runCollectionHooks(this.collection.hooks?.beforeDelete, {
-      id,
-      doc,
-      user,
-      req: c.req,
-      db: readonlyDb
-    });
-    await db.delete({ collection: this.collection.slug, id });
-    if (this.collection.audit && db) {
-      AuditService.log(db, {
-        operation: "delete",
-        collection: this.collection.slug,
-        documentId: id,
-        user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
-        before,
-        after: null
-      });
-    }
-    await runCollectionHooks(this.collection.hooks?.afterDelete, {
-      id,
-      doc,
-      user,
-      req: c.req,
-      db
-    }, { isolated: true });
-    return c.json({ message: "Deleted" });
-  }
-  async deleteMany(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const readonlyDb = createReadonlyDb(db);
-    const user = c.get("user");
-    let ids = [];
-    try {
-      const body = await c.req.json().catch(() => null);
-      if (body?.ids && Array.isArray(body.ids)) {
-        ids = body.ids;
-      }
-    } catch {
-    }
-    if (!ids.length) {
-      const raw = c.req.queries("ids") ?? c.req.queries("ids[]") ?? [];
-      ids = raw.filter(Boolean);
-    }
-    if (!ids.length) return c.json({ message: "No IDs provided" }, 400);
-    const deleted = [];
-    const failed = [];
-    for (const id of ids) {
-      try {
-        const doc = await db.findOne({ collection: this.collection.slug, id });
-        if (!doc) {
-          failed.push({ id, error: "Not Found" });
-          continue;
-        }
-        let before = null;
-        if (this.collection.audit) {
-          before = doc;
-        }
-        await runCollectionHooks(this.collection.hooks?.beforeDelete, {
-          id,
-          doc,
-          user,
-          req: c.req,
-          db: readonlyDb
-        });
-        await db.delete({ collection: this.collection.slug, id });
-        deleted.push(id);
-        if (this.collection.audit) {
-          AuditService.log(db, {
-            operation: "delete",
-            collection: this.collection.slug,
-            documentId: id,
-            user: user ? { id: user.sub, collection: user.collection, email: user.email } : void 0,
-            before,
-            after: null
-          });
-        }
-        await runCollectionHooks(this.collection.hooks?.afterDelete, {
-          id,
-          doc,
-          user,
-          req: c.req,
-          db
-        }, { isolated: true });
-      } catch (err) {
-        failed.push({ id, error: err?.message ?? "Unknown error" });
-      }
-    }
-    return c.json({
-      message: `Deleted ${deleted.length} document(s)`,
-      deleted,
-      ...failed.length ? { failed } : {}
-    });
-  }
-  async seed(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const body = await c.req.json();
-    const initialData = body.data;
-    if (!initialData || !Array.isArray(initialData)) {
-      return c.json({ message: "Invalid initial data" }, 400);
-    }
-    const result = await db.find({ collection: this.collection.slug, limit: 1 });
-    if (result.total > 0) {
-      return c.json({ message: "Collection is not empty, skipping seed" });
-    }
-    console.log(`[dyrected/core] Auto-seeding collection: ${this.collection.slug}`);
-    const createdDocs = [];
-    for (const data of initialData) {
-      const doc = await db.create({ collection: this.collection.slug, data });
-      createdDocs.push(doc);
-    }
-    return c.json({ message: "Seed successful", count: createdDocs.length }, 201);
-  }
-};
-
-// src/controllers/global.controller.ts
-var GlobalController = class {
-  global;
-  constructor(global) {
-    this.global = global;
-  }
-  async get(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const readonlyDb = createReadonlyDb(db);
-    const depth = c.req.query("depth") !== void 0 ? Number(c.req.query("depth")) : 10;
-    const user = c.get("user");
-    let query = void 0;
-    const beforeReadResult = await runCollectionHooks(this.global.hooks?.beforeRead, {
-      req: c.req,
-      query,
-      user,
-      db: readonlyDb
-    });
-    if (beforeReadResult !== void 0) {
-      query = beforeReadResult;
-    }
-    let data = await db.getGlobal({ slug: this.global.slug });
-    const isEmpty = !data || Object.keys(data).length === 0;
-    if (isEmpty && this.global.initialData) {
-      console.log(`[dyrected/core] Auto-seeding global "${this.global.slug}" from config.initialData`);
-      await db.updateGlobal({ slug: this.global.slug, data: this.global.initialData });
-      data = this.global.initialData;
-    }
-    const dataWithDefaults = DefaultsService.apply(this.global.fields, data);
-    const docWithCollectionHooks = await runCollectionHooks(this.global.hooks?.afterRead, {
-      doc: dataWithDefaults,
-      req: c.req,
-      user,
-      db: readonlyDb
-    });
-    const docWithFieldHooks = await executeFieldAfterRead(this.global.fields, docWithCollectionHooks, user, readonlyDb);
-    if (depth > 0 && docWithFieldHooks) {
-      const populationService = new PopulationService(db, config.collections);
-      const populatedData = await populationService.populate({
-        data: docWithFieldHooks,
-        fields: this.global.fields,
-        currentDepth: 0,
-        maxDepth: depth
-      });
-      return c.json(populatedData);
-    }
-    return c.json(docWithFieldHooks);
-  }
-  async update(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const readonlyDb = createReadonlyDb(db);
-    const body = await c.req.json();
-    const user = c.get("user");
-    const originalDoc = await db.getGlobal({ slug: this.global.slug }) || {};
-    let data = await executeFieldBeforeChange(this.global.fields, body, originalDoc, user, readonlyDb);
-    data = await runCollectionHooks(this.global.hooks?.beforeChange, {
-      data,
-      doc: originalDoc,
-      req: c.req,
-      user,
-      operation: "update",
-      db: readonlyDb
-    });
-    const updated = await db.updateGlobal({ slug: this.global.slug, data });
-    await runCollectionHooks(this.global.hooks?.afterChange, {
-      doc: updated,
-      previousDoc: originalDoc,
-      user,
-      req: c.req,
-      operation: "update",
-      db
-    }, { isolated: true });
-    const readDoc = await runCollectionHooks(this.global.hooks?.afterRead, {
-      doc: updated,
-      req: c.req,
-      user,
-      db: readonlyDb
-    });
-    const finalDoc = await executeFieldAfterRead(this.global.fields, readDoc, user, readonlyDb);
-    return c.json(finalDoc);
-  }
-  async seed(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const body = await c.req.json();
-    const initialData = body.data;
-    if (!initialData) {
-      return c.json({ message: "Invalid initial data" }, 400);
-    }
-    const existing = await db.getGlobal({ slug: this.global.slug });
-    if (existing && Object.keys(existing).length > 0) {
-      return c.json({ message: "Global is not empty, skipping seed" });
-    }
-    console.log(`[dyrected/core] Auto-seeding global: ${this.global.slug}`);
-    await db.updateGlobal({ slug: this.global.slug, data: initialData });
-    return c.json({ message: "Seed successful", data: initialData }, 201);
-  }
-};
-
-// src/controllers/media.controller.ts
-var MediaController = class {
-  collection;
-  constructor(collection = "media") {
-    this.collection = collection;
-  }
-  async upload(c) {
-    const config = c.get("config");
-    const storage = config.storage;
-    const imageService = config.image;
-    if (!storage) {
-      return c.json({ message: "Storage not configured" }, 500);
-    }
-    const body = await c.req.parseBody();
-    const file = body["file"];
-    const focalPointStr = body["focalPoint"];
-    const focalPoint = focalPointStr ? JSON.parse(focalPointStr) : void 0;
-    if (!file) {
-      return c.json({ message: "No file uploaded" }, 400);
-    }
-    const buffer = new Uint8Array(await file.arrayBuffer());
-    const siteId = c.get("siteId");
-    const workspaceId = c.get("workspaceId");
-    const prefix = workspaceId ? `${workspaceId}/${siteId}` : siteId || "default";
-    let imageMetadata = {};
-    let imageSizes = {};
-    if (imageService && file.type.startsWith("image/")) {
-      let colConfig = config.collections.find((col) => col.slug === this.collection);
-      if (!colConfig && config.onSchemaFetch && siteId) {
-        const dynamic = await config.onSchemaFetch(siteId);
-        colConfig = dynamic.collections?.find((col) => col.slug === this.collection);
-      }
-      try {
-        const processed = await imageService.process({
-          buffer,
-          mimeType: file.type,
-          config: colConfig?.upload,
-          focalPoint
-        });
-        imageMetadata = processed.metadata;
-        imageSizes = processed.sizes;
-      } catch (err) {
-        console.error("[MediaController] Image processing failed:", err);
-      }
-    }
-    const fileData = await storage.upload({
-      filename: file.name,
-      buffer,
-      mimeType: file.type,
-      prefix
-    });
-    const finalFileData = {
-      ...fileData,
-      ...imageMetadata,
-      focalPoint,
-      sizes: {}
-    };
-    if (imageSizes) {
-      for (const [sizeName, sizeData] of Object.entries(imageSizes)) {
-        const ext = file.name.split(".").pop();
-        const baseName = file.name.substring(0, file.name.lastIndexOf("."));
-        const sizeFilename = `${baseName}-${sizeName}.${ext}`;
-        try {
-          const sizeFileData = await storage.upload({
-            filename: sizeFilename,
-            buffer: sizeData.buffer,
-            mimeType: file.type,
-            prefix
-          });
-          finalFileData.sizes[sizeName] = {
-            ...sizeFileData,
-            width: sizeData.width,
-            height: sizeData.height
-          };
-        } catch (err) {
-          console.error(`[MediaController] Failed to upload size ${sizeName}:`, err);
-        }
-      }
-    }
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const doc = await db.create({
-      collection: this.collection,
-      data: finalFileData
-    });
-    return c.json(doc, 201);
-  }
-  async find(c) {
-    const db = c.get("config").db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const limit = Number(c.req.query("limit")) || 10;
-    const page = Number(c.req.query("page")) || 1;
-    const result = await db.find({
-      collection: this.collection,
-      limit,
-      page
-    });
-    return c.json(result);
-  }
-  async delete(c) {
-    const config = c.get("config");
-    const storage = config.storage;
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const id = c.req.param("id");
-    if (!id) return c.json({ message: "Missing ID" }, 400);
-    const doc = await db.findOne({ collection: this.collection, id });
-    if (!doc) return c.json({ message: "Not Found" }, 404);
-    if (storage) {
-      await storage.delete({ filename: doc.filename });
-      if (doc.sizes) {
-        for (const size of Object.values(doc.sizes)) {
-          if (size.filename) {
-            await storage.delete({ filename: size.filename });
-          }
-        }
-      }
-    }
-    await db.delete({ collection: this.collection, id });
-    return c.json({ message: "Deleted" });
-  }
-  async serve(c) {
-    const config = c.get("config");
-    const storage = config.storage;
-    if (!storage || !storage.resolve) {
-      return c.json({ message: "Storage not configured for serving" }, 404);
-    }
-    const filename = c.req.param("filename");
-    if (!filename) return c.json({ message: "Missing filename" }, 400);
-    let res = await storage.resolve({ filename });
-    if (!res && !filename.includes("/")) {
-      res = await storage.resolve({ filename: `default/${filename}` });
-    }
-    if (!res) return c.json({ message: "Not Found" }, 404);
-    c.header("Content-Type", res.mimeType);
-    return c.body(res.buffer);
-  }
-};
-
-// src/auth/token.ts
-var import_jose = require("jose");
-var import_node_util2 = require("util");
-function getSecret() {
-  const secret = process.env.DYRECTED_JWT_SECRET || process.env.JWT_SECRET;
-  if (!secret) {
-    throw new Error(
-      "[dyrected/core] DYRECTED_JWT_SECRET is not set. Add it to your environment variables to enable auth collections."
-    );
-  }
-  return new import_node_util2.TextEncoder().encode(secret);
-}
-var DEFAULT_EXPIRY = "7d";
-async function signCollectionToken(payload, expiresIn = DEFAULT_EXPIRY) {
-  return new import_jose.SignJWT({ ...payload }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(expiresIn).sign(getSecret());
-}
-async function verifyCollectionToken(token) {
-  const { payload } = await (0, import_jose.jwtVerify)(token, getSecret());
-  return payload;
-}
-
-// src/services/email.service.ts
-var _devSend = null;
-var _devSendPromise = null;
-async function getDevSend() {
-  if (_devSend) return _devSend;
-  if (_devSendPromise) return _devSendPromise;
-  _devSendPromise = (async () => {
-    try {
-      const nodemailer = await import("nodemailer");
-      const account = await nodemailer.default.createTestAccount();
-      const transport = nodemailer.default.createTransport({
-        host: "smtp.ethereal.email",
-        port: 587,
-        auth: { user: account.user, pass: account.pass }
-      });
-      console.log("[dyrected/core] No email config \u2014 using Ethereal for dev email preview.");
-      console.log(`[dyrected/core] Ethereal login: https://ethereal.email  user: ${account.user}  pass: ${account.pass}`);
-      _devSend = async ({ to, subject, html }) => {
-        const info = await transport.sendMail({ from: '"Dyrected Dev" <dev@dyrected.local>', to, subject, html });
-        console.log(`[dyrected/core] Email preview URL: ${nodemailer.default.getTestMessageUrl(info)}`);
-      };
-      return _devSend;
-    } catch {
-      console.warn("[dyrected/core] nodemailer not available \u2014 emails will not be sent in dev.");
-      return null;
-    }
-  })();
-  return _devSendPromise;
-}
-async function sendEmail(config, payload) {
-  if (config.email) {
-    await config.email.send(payload);
-    return;
-  }
-  if (process.env.NODE_ENV !== "production") {
-    const devSend = await getDevSend();
-    await devSend?.(payload);
-  }
-}
-function buildWelcomeEmail(config, args) {
-  const custom = config.email?.templates?.welcome?.(args);
-  return {
-    subject: custom?.subject ?? "Welcome \u2014 your account is ready",
-    html: custom?.html ?? `
-      <table cellpadding="0" cellspacing="0" border="0" style="width:100%;background-color:#f9fafb;table-layout:fixed">
-        <tr>
-          <td align="center" style="padding:40px 16px">
-            <table cellpadding="0" cellspacing="0" border="0" style="width:100%;max-width:600px;background-color:#ffffff;border-radius:12px;border:1px solid #e5e7eb;table-layout:fixed">
-              <tr>
-                <td style="padding:32px 32px 0">
-                  <p style="margin:0 0 4px;font-size:12px;font-weight:600;color:#6b7280;font-family:sans-serif;text-transform:uppercase;letter-spacing:0.05em">Dyrected</p>
-                  <h1 style="margin:0 0 24px;font-size:22px;font-weight:700;color:#111827;font-family:sans-serif">Welcome!</h1>
-                </td>
-              </tr>
-              <tr>
-                <td style="padding:0 32px">
-                  <p style="margin:0 0 12px;font-size:14px;color:#4b5563;line-height:1.6;font-family:sans-serif">Your account has been created. You can now log in with:</p>
-                  <table cellpadding="0" cellspacing="0" border="0" style="width:100%;background-color:#f3f4f6;border-radius:6px;table-layout:fixed">
-                    <tr>
-                      <td style="padding:12px 16px;font-size:14px;font-weight:600;color:#111827;font-family:sans-serif;word-break:break-all">
-                        ${args.email}
-                      </td>
-                    </tr>
-                  </table>
-                </td>
-              </tr>
-              <tr>
-                <td style="padding:32px">
-                  <p style="margin:0;font-size:12px;color:#9ca3af;font-family:sans-serif">If you didn't create this account, you can safely ignore this email.</p>
-                </td>
-              </tr>
-            </table>
-          </td>
-        </tr>
-      </table>`
-  };
-}
-function buildInviteEmail(config, args) {
-  const custom = config.email?.templates?.invite?.(args);
-  return {
-    subject: custom?.subject ?? "You've been invited",
-    html: custom?.html ?? `
-      <table cellpadding="0" cellspacing="0" border="0" style="width:100%;background-color:#f9fafb;table-layout:fixed">
-        <tr>
-          <td align="center" style="padding:40px 16px">
-            <table cellpadding="0" cellspacing="0" border="0" style="width:100%;max-width:600px;background-color:#ffffff;border-radius:12px;border:1px solid #e5e7eb;table-layout:fixed">
-              <tr>
-                <td style="padding:32px 32px 0">
-                  <p style="margin:0 0 4px;font-size:12px;font-weight:600;color:#6b7280;font-family:sans-serif;text-transform:uppercase;letter-spacing:0.05em">Dyrected</p>
-                  <h1 style="margin:0 0 24px;font-size:22px;font-weight:700;color:#111827;font-family:sans-serif">You've been invited</h1>
-                </td>
-              </tr>
-              <tr>
-                <td style="padding:0 32px">
-                  ${args.invitedByEmail ? `<p style="margin:0 0 12px;font-size:14px;color:#4b5563;line-height:1.6;font-family:sans-serif">You were invited by <strong style="color:#111827">${args.invitedByEmail}</strong>.</p>` : ""}
-                  <p style="margin:0 0 16px;font-size:14px;color:#4b5563;line-height:1.6;font-family:sans-serif">Use the token below to accept your invitation. It expires in 7 days.</p>
-                  <table cellpadding="0" cellspacing="0" border="0" style="width:100%;background-color:#f3f4f6;border-radius:6px;table-layout:fixed">
-                    <tr>
-                      <td style="padding:12px 16px;font-family:monospace;font-size:12px;color:#374151;word-break:break-all;white-space:normal;line-height:1.4">
-                        ${args.token}
-                      </td>
-                    </tr>
-                  </table>
-                </td>
-              </tr>
-              <tr>
-                <td style="padding:32px">
-                  <p style="margin:0;font-size:12px;color:#9ca3af;font-family:sans-serif">If you weren't expecting this invitation, you can safely ignore this email.</p>
-                </td>
-              </tr>
-            </table>
-          </td>
-        </tr>
-      </table>`
-  };
-}
-function buildResetPasswordEmail(config, args) {
-  const custom = config.email?.templates?.resetPassword?.(args);
-  const resetLink = args.url;
-  return {
-    subject: custom?.subject ?? "Reset your password",
-    html: custom?.html ?? `
-      <table cellpadding="0" cellspacing="0" border="0" style="width:100%;background-color:#f9fafb;table-layout:fixed">
-        <tr>
-          <td align="center" style="padding:40px 16px">
-            <table cellpadding="0" cellspacing="0" border="0" style="width:100%;max-width:600px;background-color:#ffffff;border-radius:12px;border:1px solid #e5e7eb;table-layout:fixed">
-              <tr>
-                <td style="padding:32px 32px 0">
-                  <p style="margin:0 0 4px;font-size:12px;font-weight:600;color:#6b7280;font-family:sans-serif;text-transform:uppercase;letter-spacing:0.05em">Dyrected</p>
-                  <h1 style="margin:0 0 24px;font-size:22px;font-weight:700;color:#111827;font-family:sans-serif">Reset your password</h1>
-                </td>
-              </tr>
-              <tr>
-                <td style="padding:0 32px">
-                  <p style="margin:0 0 24px;font-size:14px;color:#4b5563;line-height:1.6;font-family:sans-serif">We received a request to reset your password. Use the button below to set a new password. It will expire in 1 hour.</p>
-                  ${resetLink ? `
-                  <table cellpadding="0" cellspacing="0" border="0" style="margin-bottom:24px">
-                    <tr>
-                      <td style="border-radius:6px;background-color:#111827">
-                        <a href="${resetLink}" style="display:inline-block;padding:12px 28px;font-size:14px;font-weight:600;color:#ffffff;text-decoration:none;font-family:sans-serif;border-radius:6px">
-                          Reset Password
-                        </a>
-                      </td>
-                    </tr>
-                  </table>
-                  ` : ""}
-                  <p style="margin:0 0 8px;font-size:12px;color:#9ca3af;font-family:sans-serif">Or copy and paste this token manually in the admin dashboard:</p>
-                  <table cellpadding="0" cellspacing="0" border="0" style="width:100%;background-color:#f3f4f6;border-radius:6px;table-layout:fixed">
-                    <tr>
-                      <td style="padding:12px 16px;font-family:monospace;font-size:12px;color:#374151;word-break:break-all;white-space:normal;line-height:1.4">
-                        ${args.token}
-                      </td>
-                    </tr>
-                  </table>
-                </td>
-              </tr>
-              <tr>
-                <td style="padding:32px">
-                  <p style="margin:0;font-size:12px;color:#9ca3af;font-family:sans-serif">If you didn't request a password reset, you can safely ignore this email.</p>
-                </td>
-              </tr>
-            </table>
-          </td>
-        </tr>
-      </table>`
-  };
-}
-function buildPasswordChangedEmail(config, args) {
-  const custom = config.email?.templates?.passwordChanged?.(args);
-  return {
-    subject: custom?.subject ?? "Your password has been changed",
-    html: custom?.html ?? `
-      <table cellpadding="0" cellspacing="0" border="0" style="width:100%;background-color:#f9fafb;table-layout:fixed">
-        <tr>
-          <td align="center" style="padding:40px 16px">
-            <table cellpadding="0" cellspacing="0" border="0" style="width:100%;max-width:600px;background-color:#ffffff;border-radius:12px;border:1px solid #e5e7eb;table-layout:fixed">
-              <tr>
-                <td style="padding:32px 32px 0">
-                  <p style="margin:0 0 4px;font-size:12px;font-weight:600;color:#6b7280;font-family:sans-serif;text-transform:uppercase;letter-spacing:0.05em">Dyrected</p>
-                  <h1 style="margin:0 0 24px;font-size:22px;font-weight:700;color:#111827;font-family:sans-serif">Password changed</h1>
-                </td>
-              </tr>
-              <tr>
-                <td style="padding:0 32px">
-                  <p style="margin:0 0 12px;font-size:14px;color:#4b5563;line-height:1.6;font-family:sans-serif">The password for your account was just changed:</p>
-                  <table cellpadding="0" cellspacing="0" border="0" style="width:100%;background-color:#f3f4f6;border-radius:6px;table-layout:fixed">
-                    <tr>
-                      <td style="padding:12px 16px;font-size:14px;font-weight:600;color:#111827;font-family:sans-serif;word-break:break-all">
-                        ${args.email}
-                      </td>
-                    </tr>
-                  </table>
-                  <table cellpadding="0" cellspacing="0" border="0" style="width:100%;margin-top:16px;background-color:#fef2f2;border-radius:6px;border:1px solid #fecaca;table-layout:fixed">
-                    <tr>
-                      <td style="padding:12px 16px;font-size:13px;color:#b91c1c;line-height:1.5;font-family:sans-serif">
-                        If you did not make this change, please contact support immediately.
-                      </td>
-                    </tr>
-                  </table>
-                </td>
-              </tr>
-              <tr>
-                <td style="padding:32px">
-                  <p style="margin:0;font-size:12px;color:#9ca3af;font-family:sans-serif">This is an automated security notification.</p>
-                </td>
-              </tr>
-            </table>
-          </td>
-        </tr>
-      </table>`
-  };
-}
-
-// src/controllers/auth.controller.ts
-var AuthController = class {
-  collection;
-  constructor(collection) {
-    this.collection = collection;
-  }
-  // ---------------------------------------------------------------------------
-  // GET /init
-  // Checks if the first user needs to be created.
-  // ---------------------------------------------------------------------------
-  async init(c) {
-    const db = c.get("config").db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const result = await db.find({
-      collection: this.collection.slug,
-      limit: 1
-    });
-    return c.json({
-      initialized: result.total > 0
-    });
-  }
-  // ---------------------------------------------------------------------------
-  // POST /first-user
-  // Creates the first user if none exist.
-  // ---------------------------------------------------------------------------
-  async registerFirstUser(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const check = await db.find({
-      collection: this.collection.slug,
-      limit: 1
-    });
-    if (check.total > 0) {
-      return c.json({ error: true, message: "Initial user already exists." }, 403);
-    }
-    const body = await c.req.json().catch(() => null);
-    if (!body?.email || !body?.password) {
-      return c.json({ error: true, message: "email and password are required." }, 400);
-    }
-    const hashedPassword = await hashPassword(body.password);
-    const user = await db.create({
-      collection: this.collection.slug,
-      data: {
-        ...body,
-        password: hashedPassword,
-        roles: ["admin"]
-        // Default first user to admin
-      }
-    });
-    const token = await signCollectionToken({
-      sub: user.id,
-      email: user.email,
-      collection: this.collection.slug
-    });
-    const { subject, html } = buildWelcomeEmail(config, { email: body.email });
-    sendEmail(config, { to: body.email, subject, html }).catch(
-      (err) => console.error("[dyrected/core] Failed to send welcome email:", err)
-    );
-    const { password: _, ...safeUser } = user;
-    return c.json({ token, user: safeUser });
-  }
-  // ---------------------------------------------------------------------------
-  // POST /login
-  // ---------------------------------------------------------------------------
-  async login(c) {
-    const db = c.get("config").db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const body = await c.req.json().catch(() => null);
-    if (!body?.email || !body?.password) {
-      return c.json({ error: true, message: "email and password are required." }, 400);
-    }
-    const result = await db.find({
-      collection: this.collection.slug,
-      where: { email: body.email },
-      limit: 1
-    });
-    const user = result.docs[0];
-    if (!user) {
-      return c.json({ error: true, message: "Invalid email or password." }, 401);
-    }
-    const valid = await verifyPassword(body.password, user.password);
-    if (!valid) {
-      return c.json({ error: true, message: "Invalid email or password." }, 401);
-    }
-    const token = await signCollectionToken({
-      sub: user.id,
-      email: user.email,
-      collection: this.collection.slug
-    });
-    const { password: _, ...safeUser } = user;
-    return c.json({ token, user: safeUser });
-  }
-  // ---------------------------------------------------------------------------
-  // POST /logout
-  // Auth collections use stateless JWTs — logout is handled client-side.
-  // This endpoint exists so clients have a consistent API surface.
-  // ---------------------------------------------------------------------------
-  async logout(c) {
-    return c.json({ success: true, message: "Logged out. Discard your token." });
-  }
-  // ---------------------------------------------------------------------------
-  // GET /me
-  // ---------------------------------------------------------------------------
-  async me(c) {
-    const db = c.get("config").db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const requestUser = c.get("user");
-    if (!requestUser) {
-      return c.json({ error: true, message: "Authentication required." }, 401);
-    }
-    const user = await db.findOne({ collection: this.collection.slug, id: requestUser.sub });
-    if (!user) {
-      return c.json({ error: true, message: "User not found." }, 404);
-    }
-    const { password: _, ...safeUser } = user;
-    return c.json(safeUser);
-  }
-  // ---------------------------------------------------------------------------
-  // POST /refresh-token
-  // ---------------------------------------------------------------------------
-  async refreshToken(c) {
-    const requestUser = c.get("user");
-    if (!requestUser) {
-      return c.json({ error: true, message: "Authentication required." }, 401);
-    }
-    const token = await signCollectionToken({
-      sub: requestUser.sub,
-      email: requestUser.email,
-      collection: this.collection.slug
-    });
-    return c.json({ token });
-  }
-  // ---------------------------------------------------------------------------
-  // POST /forgot-password
-  // Requires config.email to be set. Silently succeeds if email not found
-  // to prevent email enumeration.
-  // ---------------------------------------------------------------------------
-  async forgotPassword(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const body = await c.req.json().catch(() => null);
-    if (!body?.email) {
-      return c.json({ error: true, message: "email is required." }, 400);
-    }
-    const result = await db.find({
-      collection: this.collection.slug,
-      where: { email: body.email },
-      limit: 1
-    });
-    const user = result.docs[0];
-    if (user) {
-      const resetToken = await signCollectionToken(
-        { sub: user.id, email: user.email, collection: this.collection.slug, purpose: "reset" },
-        "1h"
-      );
-      const resetUrl = body?.resetUrl;
-      const url = resetUrl ? `${resetUrl}${resetUrl.includes("?") ? "&" : "?"}token=${encodeURIComponent(resetToken)}` : void 0;
-      try {
-        const { subject, html } = buildResetPasswordEmail(config, { token: resetToken, url });
-        await sendEmail(config, { to: user.email, subject, html });
-      } catch (err) {
-        console.error("[dyrected/core] Failed to send password reset email:", err);
-      }
-    }
-    return c.json({
-      success: true,
-      message: "If an account with that email exists, a reset link has been sent."
-    });
-  }
-  // ---------------------------------------------------------------------------
-  // POST /reset-password
-  // Expects { token: string, password: string } in body.
-  // The token is the reset JWT issued by /forgot-password.
-  // ---------------------------------------------------------------------------
-  async resetPassword(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const body = await c.req.json().catch(() => null);
-    if (!body?.token || !body?.password) {
-      return c.json({ error: true, message: "token and password are required." }, 400);
-    }
-    let payload;
-    try {
-      payload = await verifyCollectionToken(body.token);
-    } catch {
-      return c.json({ error: true, message: "Reset token is invalid or has expired." }, 400);
-    }
-    if (payload.collection !== this.collection.slug || payload.purpose !== "reset") {
-      return c.json({ error: true, message: "Reset token is invalid or has expired." }, 400);
-    }
-    const hashedPassword = await hashPassword(body.password);
-    await db.update({
-      collection: this.collection.slug,
-      id: payload.sub,
-      data: { password: hashedPassword }
-    });
-    const { subject, html } = buildPasswordChangedEmail(config, { email: payload.email });
-    sendEmail(config, { to: payload.email, subject, html }).catch(
-      (err) => console.error("[dyrected/core] Failed to send password-changed email:", err)
-    );
-    return c.json({ success: true, message: "Password has been reset. You can now log in." });
-  }
-  // ---------------------------------------------------------------------------
-  // POST /invite
-  // Requires auth. Issues a signed invite token and emails it to the invitee.
-  // ---------------------------------------------------------------------------
-  async invite(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const requestUser = c.get("user");
-    if (!requestUser) {
-      return c.json({ error: true, message: "Authentication required." }, 401);
-    }
-    const body = await c.req.json().catch(() => null);
-    if (!body?.email) {
-      return c.json({ error: true, message: "email is required." }, 400);
-    }
-    const existing = await db.find({
-      collection: this.collection.slug,
-      where: { email: body.email },
-      limit: 1
-    });
-    if (existing.total > 0) {
-      return c.json({ error: true, message: "An account with that email already exists." }, 409);
-    }
-    const inviteToken = await signCollectionToken(
-      { sub: body.email, email: body.email, collection: this.collection.slug, purpose: "invite" },
-      "7d"
-    );
-    try {
-      const { subject, html } = buildInviteEmail(config, {
-        token: inviteToken,
-        invitedByEmail: requestUser.email
-      });
-      await sendEmail(config, { to: body.email, subject, html });
-    } catch (err) {
-      console.error("[dyrected/core] Failed to send invite email:", err);
-    }
-    return c.json({ success: true, message: `Invite sent to ${body.email}.` });
-  }
-  // ---------------------------------------------------------------------------
-  // POST /accept-invite
-  // Public. Validates the invite token and creates the user account.
-  // Body: { token, password, ...extraFields }
-  // ---------------------------------------------------------------------------
-  async acceptInvite(c) {
-    const config = c.get("config");
-    const db = config.db;
-    if (!db) return c.json({ message: "Database not configured" }, 500);
-    const body = await c.req.json().catch(() => null);
-    if (!body?.token || !body?.password) {
-      return c.json({ error: true, message: "token and password are required." }, 400);
-    }
-    let payload;
-    try {
-      payload = await verifyCollectionToken(body.token);
-    } catch {
-      return c.json({ error: true, message: "Invite token is invalid or has expired." }, 400);
-    }
-    if (payload.collection !== this.collection.slug || payload.purpose !== "invite") {
-      return c.json({ error: true, message: "Invite token is invalid or has expired." }, 400);
-    }
-    const inviteeEmail = payload.sub;
-    const existing = await db.find({
-      collection: this.collection.slug,
-      where: { email: inviteeEmail },
-      limit: 1
-    });
-    if (existing.total > 0) {
-      return c.json({ error: true, message: "An account with that email already exists." }, 409);
-    }
-    const { token: _t, password: _p, ...extraFields } = body;
-    const hashedPassword = await hashPassword(body.password);
-    const user = await db.create({
-      collection: this.collection.slug,
-      data: { ...extraFields, email: inviteeEmail, password: hashedPassword }
-    });
-    const sessionToken = await signCollectionToken({
-      sub: user.id,
-      email: inviteeEmail,
-      collection: this.collection.slug
-    });
-    const { subject, html } = buildWelcomeEmail(config, { email: inviteeEmail });
-    sendEmail(config, { to: inviteeEmail, subject, html }).catch(
-      (err) => console.error("[dyrected/core] Failed to send welcome email:", err)
-    );
-    const { password: _, ...safeUser } = user;
-    return c.json({ token: sessionToken, user: safeUser }, 201);
-  }
-};
-
-// src/controllers/preview.controller.ts
-var import_jose2 = require("jose");
-var import_node_util3 = require("util");
-var PreviewController = class {
-  getSecret() {
-    const secret = process.env.DYRECTED_JWT_SECRET || process.env.JWT_SECRET || "dyrected-preview-secret-change-me";
-    return new import_node_util3.TextEncoder().encode(secret);
-  }
-  /**
-   * POST /api/preview-token
-   * Generates a short-lived token for previewing unsaved data.
-   */
-  async createToken(c) {
-    const body = await c.req.json().catch(() => null);
-    if (!body?.collectionSlug || !body?.data) {
-      return c.json({ error: true, message: "collectionSlug and data are required." }, 400);
-    }
-    const token = await new import_jose2.SignJWT({
-      collectionSlug: body.collectionSlug,
-      documentId: body.documentId,
-      data: body.data
-    }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime("15m").sign(this.getSecret());
-    const expiresAt = new Date(Date.now() + 15 * 60 * 1e3).toISOString();
-    return c.json({ token, expiresAt });
-  }
-  /**
-   * GET /api/preview-data?token=<jwt>
-   * Returns the data stored in the preview token.
-   */
-  async getData(c) {
-    const token = c.req.query("token");
-    if (!token) {
-      return c.json({ error: true, message: "token query parameter is required." }, 400);
-    }
-    try {
-      const { payload } = await (0, import_jose2.jwtVerify)(token, this.getSecret());
-      return c.json(payload);
-    } catch (err) {
-      return c.json({ error: true, message: "Invalid or expired preview token." }, 401);
-    }
-  }
-};
-
-// src/middleware/auth.ts
-function requireAuth() {
-  return async (c, next) => {
-    const authHeader = c.req.header("Authorization");
-    const token = authHeader?.replace(/^Bearer\s+/i, "");
-    if (!token) {
-      return c.json({ error: true, message: "Authentication required." }, 401);
-    }
-    try {
-      const user = await verifyCollectionToken(token);
-      c.set("user", user);
-      await next();
-    } catch {
-      return c.json({ error: true, message: "Invalid or expired token." }, 401);
-    }
-  };
-}
-function optionalAuth() {
-  return async (c, next) => {
-    const authHeader = c.req.header("Authorization");
-    const token = authHeader?.replace(/^Bearer\s+/i, "");
-    if (token) {
-      try {
-        const user = await verifyCollectionToken(token);
-        c.set("user", user);
-      } catch {
-      }
-    }
-    await next();
-  };
-}
-
-// src/utils/openapi.ts
-function generateOpenApi(config) {
-  const spec = {
-    openapi: "3.0.0",
-    info: {
-      title: "Dyrected API",
-      version: "1.0.0",
-      description: "Automatically generated OpenAPI specification for the Dyrected project."
-    },
-    components: {
-      schemas: {},
-      securitySchemes: {
-        ApiKeyAuth: {
-          type: "apiKey",
-          in: "header",
-          name: "x-api-key"
-        }
-      }
-    },
-    paths: {},
-    security: [{ ApiKeyAuth: [] }]
-  };
-  for (const collection of config.collections) {
-    spec.components.schemas[collection.slug] = collectionToSchema(collection);
-  }
-  for (const global of config.globals) {
-    spec.components.schemas[global.slug] = globalToSchema(global);
-  }
-  for (const collection of config.collections) {
-    const slug = collection.slug;
-    const path = `/api/collections/${slug}`;
-    const labels = collection.labels || { singular: slug, plural: `${slug}s` };
-    spec.paths[path] = {
-      get: {
-        tags: ["Collections"],
-        summary: `Find ${labels.plural}`,
-        parameters: [
-          { name: "limit", in: "query", schema: { type: "integer", default: 10 } },
-          { name: "page", in: "query", schema: { type: "integer", default: 1 } },
-          { name: "where", in: "query", schema: { type: "string" }, description: "JSON filter" },
-          { name: "sort", in: "query", schema: { type: "string" }, description: "Sort field (e.g. -createdAt)" }
-        ],
-        responses: {
-          200: {
-            description: "Success",
-            content: {
-              "application/json": {
-                schema: {
-                  type: "object",
-                  properties: {
-                    docs: { type: "array", items: { $ref: `#/components/schemas/${slug}` } },
-                    total: { type: "integer" },
-                    limit: { type: "integer" },
-                    page: { type: "integer" }
-                  }
-                }
-              }
-            }
-          }
-        }
-      },
-      post: {
-        tags: ["Collections"],
-        summary: `Create ${labels.singular}`,
-        requestBody: {
-          required: true,
-          content: {
-            "application/json": {
-              schema: { $ref: `#/components/schemas/${slug}` }
-            }
-          }
-        },
-        responses: {
-          201: {
-            description: "Created",
-            content: {
-              "application/json": {
-                schema: { $ref: `#/components/schemas/${slug}` }
-              }
-            }
-          }
-        }
-      }
-    };
-    spec.paths[`${path}/{id}`] = {
-      get: {
-        tags: ["Collections"],
-        summary: `Get a single ${labels.singular}`,
-        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
-        responses: {
-          200: {
-            description: "Success",
-            content: {
-              "application/json": {
-                schema: { $ref: `#/components/schemas/${slug}` }
-              }
-            }
-          }
-        }
-      },
-      patch: {
-        tags: ["Collections"],
-        summary: `Update ${labels.singular}`,
-        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
-        requestBody: {
-          required: true,
-          content: {
-            "application/json": {
-              schema: { $ref: `#/components/schemas/${slug}` }
-            }
-          }
-        },
-        responses: {
-          200: {
-            description: "Updated",
-            content: {
-              "application/json": {
-                schema: { $ref: `#/components/schemas/${slug}` }
-              }
-            }
-          }
-        }
-      },
-      delete: {
-        tags: ["Collections"],
-        summary: `Delete ${labels.singular}`,
-        parameters: [{ name: "id", in: "path", required: true, schema: { type: "string" } }],
-        responses: {
-          204: { description: "Deleted" }
-        }
-      }
-    };
-  }
-  for (const global of config.globals) {
-    const slug = global.slug;
-    const path = `/api/globals/${slug}`;
-    spec.paths[path] = {
-      get: {
-        tags: ["Globals"],
-        summary: `Get ${global.label || slug}`,
-        responses: {
-          200: {
-            description: "Success",
-            content: {
-              "application/json": {
-                schema: { $ref: `#/components/schemas/${slug}` }
-              }
-            }
-          }
-        }
-      },
-      patch: {
-        tags: ["Globals"],
-        summary: `Update ${global.label || slug}`,
-        requestBody: {
-          required: true,
-          content: {
-            "application/json": {
-              schema: { $ref: `#/components/schemas/${slug}` }
-            }
-          }
-        },
-        responses: {
-          200: {
-            description: "Updated",
-            content: {
-              "application/json": {
-                schema: { $ref: `#/components/schemas/${slug}` }
-              }
-            }
-          }
-        }
-      }
-    };
-  }
-  if (config.storage) {
-    spec.paths["/api/media"] = {
-      get: {
-        tags: ["Media"],
-        summary: "List Media",
-        responses: {
-          200: {
-            description: "Success",
-            content: {
-              "application/json": {
-                schema: {
-                  type: "object",
-                  properties: {
-                    docs: { type: "array", items: { type: "object", additionalProperties: true } }
-                  }
-                }
-              }
-            }
-          }
-        }
-      },
-      post: {
-        tags: ["Media"],
-        summary: "Upload Media",
-        requestBody: {
-          content: {
-            "multipart/form-data": {
-              schema: {
-                type: "object",
-                properties: {
-                  file: { type: "string", format: "binary" }
-                }
-              }
-            }
-          }
-        },
-        responses: {
-          201: { description: "Uploaded" }
-        }
-      }
-    };
-  }
-  return spec;
-}
-function collectionToSchema(collection) {
-  const { properties, required } = fieldsToProperties(collection.fields);
-  return {
-    type: "object",
-    properties: {
-      id: { type: "string" },
-      createdAt: { type: "string", format: "date-time" },
-      updatedAt: { type: "string", format: "date-time" },
-      ...properties
-    },
-    required: ["id", ...required]
-  };
-}
-function globalToSchema(global) {
-  const { properties, required } = fieldsToProperties(global.fields);
-  return {
-    type: "object",
-    properties,
-    required
-  };
-}
-function fieldsToProperties(fields) {
-  const props = {};
-  const required = [];
-  for (const field of fields) {
-    if (!field.name || field.type === "join" || field.type === "row") continue;
-    props[field.name] = fieldToSchema(field);
-    if (field.required) {
-      required.push(field.name);
-    }
-  }
-  return { properties: props, required };
-}
-function fieldToSchema(field) {
-  let schema = {};
-  switch (field.type) {
-    case "text":
-    case "textarea":
-    case "email":
-    case "url":
-      schema = { type: "string" };
-      break;
-    case "number":
-      schema = { type: "number" };
-      break;
-    case "boolean":
-      schema = { type: "boolean" };
-      break;
-    case "date":
-      schema = { type: "string", format: "date-time" };
-      break;
-    case "select":
-    case "radio":
-      schema = { type: "string", enum: Array.isArray(field.options) ? field.options.map((o) => typeof o === "string" ? o : o.value) : void 0 };
-      break;
-    case "multiSelect":
-      schema = {
-        type: "array",
-        items: { type: "string", enum: Array.isArray(field.options) ? field.options.map((o) => typeof o === "string" ? o : o.value) : void 0 }
-      };
-      break;
-    case "relationship":
-      schema = { type: "string", description: `ID of a ${field.relationTo} record` };
-      break;
-    case "object": {
-      const { properties, required } = fieldsToProperties(field.fields || []);
-      schema = { type: "object", properties, required };
-      break;
-    }
-    case "array": {
-      const { properties, required } = fieldsToProperties(field.fields || []);
-      schema = { type: "array", items: { type: "object", properties, required } };
-      break;
-    }
-    case "json":
-    case "richText":
-      schema = { type: "object", additionalProperties: true };
-      break;
-    case "blocks":
-      schema = {
-        type: "array",
-        items: {
-          oneOf: field.blocks?.map((block) => {
-            const { properties, required } = fieldsToProperties(block.fields);
-            return {
-              type: "object",
-              properties: {
-                blockType: { type: "string", enum: [block.slug] },
-                ...properties
-              },
-              required: ["blockType", ...required]
-            };
-          })
-        }
-      };
-      break;
-    default:
-      schema = { type: "string" };
-  }
-  if (field.label) schema.description = field.label;
-  return schema;
-}
-
-// src/utils/swagger.ts
-function getSwaggerHtml(specUrl = "/api/openapi.json") {
-  return `
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <meta name="description" content="SwaggerUI" />
-  <title>Dyrected API Documentation</title>
-  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui.css" />
-</head>
-<body>
-<div id="swagger-ui"></div>
-<script src="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-bundle.js" charset="UTF-8"></script>
-<script src="https://unpkg.com/swagger-ui-dist@5.11.0/swagger-ui-standalone-preset.js" charset="UTF-8"></script>
-<script>
-  window.onload = () => {
-    // Forward the apikey query param when loading the spec and making API calls
-    const params = new URLSearchParams(window.location.search);
-    const apiKey = params.get('apikey');
-    const specUrlWithKey = apiKey ? '${specUrl}?apikey=' + encodeURIComponent(apiKey) : '${specUrl}';
-
-    window.ui = SwaggerUIBundle({
-      url: specUrlWithKey,
-      dom_id: '#swagger-ui',
-      presets: [
-        SwaggerUIBundle.presets.apis,
-        SwaggerUIStandalonePreset
-      ],
-      layout: "BaseLayout",
-      deepLinking: true,
-      showExtensions: true,
-      showCommonExtensions: true,
-      // Inject x-api-key header on every request made from the Swagger UI
-      requestInterceptor: (request) => {
-        if (apiKey) {
-          request.headers['x-api-key'] = apiKey;
-        }
-        return request;
-      }
-    });
-  };
-</script>
-</body>
-</html>
-  `;
-}
-
-// src/auth/jexl.ts
-var import_jexl = __toESM(require("jexl"), 1);
-async function evaluateAccess(expression, context) {
-  if (expression === void 0 || expression === null) return false;
-  if (typeof expression === "boolean") return expression;
-  try {
-    const result = await import_jexl.default.eval(expression, context);
-    return !!result;
-  } catch (err) {
-    console.error("[dyrected/core] Jexl evaluation failed:", err);
-    return false;
-  }
-}
-
-// src/router.ts
-function accessGate(target, action) {
-  return async (c, next) => {
-    const user = c.get("user");
-    const accessExpr = target.access?.[action];
-    if (accessExpr === void 0 || accessExpr === null) {
-      return await next();
-    }
-    const accessArgs = { user, req: c.req, doc: null };
-    const allowed = await evaluateAccess(accessExpr, accessArgs);
-    if (!allowed) {
-      return c.json({ error: true, message: `Access denied: ${action} on ${target.slug}` }, 403);
-    }
-    await next();
-  };
-}
-async function checkAccess(access, accessArgs) {
-  if (access === void 0 || access === null) return true;
-  if (typeof access === "function") {
-    try {
-      const result = await access(accessArgs);
-      return typeof result === "boolean" ? result : !!result;
-    } catch (err) {
-      console.error("[dyrected/core] Functional access check failed:", err);
-      return false;
-    }
-  }
-  if (typeof access === "string" || typeof access === "boolean") {
-    return evaluateAccess(access, accessArgs);
-  }
-  return true;
-}
-function serializeFieldForApi(f) {
-  if (!f) return f;
-  const serialized = { ...f };
-  if (serialized.admin?.hooks) {
-    const hooks = { ...serialized.admin.hooks };
-    if (typeof hooks.onChange === "function") {
-      hooks.onChange = hooks.onChange.toString();
-    }
-    if (typeof hooks.options === "function") {
-      hooks.options = hooks.options.toString();
-    }
-    serialized.admin = { ...serialized.admin, hooks };
-  }
-  if (typeof serialized.options === "function" || serialized.options && typeof serialized.options === "object" && "resolve" in serialized.options) {
-    serialized.options = { _dynamic: true };
-  }
-  if (serialized.fields) {
-    serialized.fields = serialized.fields.map(serializeFieldForApi);
-  }
-  if (serialized.blocks) {
-    serialized.blocks = serialized.blocks.map((b) => ({
-      ...b,
-      fields: b.fields?.map(serializeFieldForApi)
-    }));
-  }
-  return serialized;
-}
-function registerRoutes(app, config) {
-  app.get("/api/schemas", optionalAuth(), async (c) => {
-    const siteId = c.req.header("X-Site-Id");
-    let collections = [...config.collections];
-    let globals = [...config.globals];
-    if (siteId && config.onSchemaFetch) {
-      const dynamic = await config.onSchemaFetch(siteId);
-      if (dynamic.collections) collections = [...collections, ...dynamic.collections];
-      if (dynamic.globals) globals = [...globals, ...dynamic.globals];
-      if (dynamic.admin) {
-        config.admin = { ...config.admin, ...dynamic.admin };
-      }
-    }
-    const user = c.get("user");
-    const accessArgs = { user, req: c.req, doc: null };
-    const serializeAccess = async (access) => {
-      if (typeof access === "string") return access;
-      if (typeof access === "boolean") return access;
-      return checkAccess(access, accessArgs);
-    };
-    const filteredCollections = await Promise.all(collections.filter((col) => !siteId || col.shared || !col.siteId || col.siteId === siteId).map(async (col) => ({
-      slug: col.slug,
-      labels: col.labels,
-      access: {
-        read: await serializeAccess(col.access?.read),
-        create: await serializeAccess(col.access?.create),
-        update: await serializeAccess(col.access?.update),
-        delete: await serializeAccess(col.access?.delete)
-      },
-      fields: await Promise.all(col.fields.map(serializeFieldForApi).map(async (f) => ({
-        name: f.name,
-        type: f.type,
-        label: f.label,
-        required: f.required,
-        defaultValue: f.defaultValue,
-        options: f.options,
-        relationTo: f.relationTo,
-        hasMany: f.hasMany,
-        fields: f.fields,
-        blocks: f.blocks,
-        collection: f.collection,
-        on: f.on,
-        limit: f.limit,
-        admin: f.admin,
-        access: {
-          read: await serializeAccess(f.access?.read),
-          update: await serializeAccess(f.access?.update)
-        }
-      }))),
-      upload: !!col.upload,
-      auth: !!col.auth,
-      admin: col.admin
-    })));
-    const filteredGlobals = await Promise.all(globals.filter((glb) => !siteId || glb.shared || !glb.siteId || glb.siteId === siteId).map(async (glb) => ({
-      slug: glb.slug,
-      label: glb.label,
-      access: {
-        read: await serializeAccess(glb.access?.read),
-        update: await serializeAccess(glb.access?.update)
-      },
-      fields: await Promise.all(glb.fields.map(serializeFieldForApi).map(async (f) => ({
-        name: f.name,
-        type: f.type,
-        label: f.label,
-        required: f.required,
-        defaultValue: f.defaultValue,
-        options: f.options,
-        relationTo: f.relationTo,
-        hasMany: f.hasMany,
-        fields: f.fields,
-        blocks: f.blocks,
-        collection: f.collection,
-        on: f.on,
-        limit: f.limit,
-        admin: f.admin,
-        access: {
-          read: await serializeAccess(f.access?.read),
-          update: await serializeAccess(f.access?.update)
-        }
-      }))),
-      admin: glb.admin
-    })));
-    return c.json({
-      collections: filteredCollections,
-      globals: filteredGlobals,
-      admin: config.admin || {}
-    });
-  });
-  app.get("/api/dyrected/options/:collection/:field", optionalAuth(), async (c) => {
-    const { collection: colSlug, field: fieldName } = c.req.param();
-    const siteId = c.req.header("X-Site-Id");
-    let collections = [...config.collections];
-    if (siteId && config.onSchemaFetch) {
-      const dynamic = await config.onSchemaFetch(siteId);
-      if (dynamic.collections) collections = [...collections, ...dynamic.collections];
-    }
-    const user = c.get("user");
-    let collection = collections.find((col) => col.slug === colSlug);
-    let field;
-    if (collection) {
-      const accessExpr = collection.access?.read;
-      if (accessExpr !== void 0 && accessExpr !== null) {
-        const accessArgs = { user, req: c.req, doc: null };
-        const allowed = await checkAccess(accessExpr, accessArgs);
-        if (!allowed) {
-          return c.json({ error: true, message: `Access denied: read on ${colSlug}` }, 403);
-        }
-      }
-      field = collection.fields.find((f) => f.name === fieldName);
-    } else {
-      let globals = [...config.globals];
-      if (siteId && config.onSchemaFetch) {
-        const dynamic = await config.onSchemaFetch(siteId);
-        if (dynamic.globals) globals = [...globals, ...dynamic.globals];
-      }
-      const glb = globals.find((g) => g.slug === colSlug);
-      if (!glb) {
-        return c.json({ error: true, message: `${colSlug} not found as collection or global` }, 404);
-      }
-      const accessExpr = glb.access?.read;
-      if (accessExpr !== void 0 && accessExpr !== null) {
-        const accessArgs = { user, req: c.req, doc: null };
-        const allowed = await checkAccess(accessExpr, accessArgs);
-        if (!allowed) {
-          return c.json({ error: true, message: `Access denied: read on global ${colSlug}` }, 403);
-        }
-      }
-      field = glb.fields.find((f) => f.name === fieldName);
-    }
-    if (!field) {
-      return c.json({ error: true, message: `Field ${fieldName} not found in ${colSlug}` }, 404);
-    }
-    let resolver;
-    if (typeof field.options === "function") {
-      resolver = field.options;
-    } else if (field.options && typeof field.options === "object" && "resolve" in field.options) {
-      resolver = field.options.resolve;
-    }
-    if (!resolver) {
-      return c.json({ error: true, message: `Field ${fieldName} in ${colSlug} is not dynamic` }, 400);
-    }
-    try {
-      const db = c.get("db") || config.db;
-      const queryParams = c.req.query();
-      const reqContext = {
-        query: queryParams,
-        headers: c.req.header(),
-        raw: c.req.raw
-      };
-      const result = await resolver({
-        db,
-        user,
-        req: reqContext
-      });
-      return c.json(result);
-    } catch (err) {
-      console.error(`[dyrected/core] Failed to resolve dynamic options for field ${fieldName}:`, err);
-      return c.json({ error: true, message: err.message || "Failed to resolve dynamic options" }, 500);
-    }
-  });
-  app.get("/api/openapi.json", (c) => {
-    return c.json(generateOpenApi(config));
-  });
-  app.get("/api/docs", (c) => {
-    return c.html(getSwaggerHtml());
-  });
-  app.get("/api/media/:filename{.+$}", async (c) => {
-    const mediaController = new MediaController("media");
-    return mediaController.serve(c);
-  });
-  app.get("/media/:filename{.+$}", async (c) => {
-    const mediaController = new MediaController("media");
-    return mediaController.serve(c);
-  });
-  if (config.storage) {
-    const uploadCollections = config.collections.filter((c) => c.upload);
-    for (const col of uploadCollections) {
-      const mediaController = new MediaController(col.slug);
-      const prefix = `/api/collections/${col.slug}`;
-      app.get(`${prefix}/media`, accessGate(col, "read"), (c) => mediaController.find(c));
-      app.get(`${prefix}/media/:filename{.+$}`, (c) => mediaController.serve(c));
-      app.post(`${prefix}/media`, accessGate(col, "create"), (c) => mediaController.upload(c));
-      app.delete(`${prefix}/media/:id`, accessGate(col, "delete"), (c) => mediaController.delete(c));
-    }
-  }
-  for (const collection of config.collections) {
-    if (!collection.auth) continue;
-    const path = `/api/collections/${collection.slug}`;
-    const authController = new AuthController(collection);
-    app.post(`${path}/login`, (c) => authController.login(c));
-    app.post(`${path}/logout`, (c) => authController.logout(c));
-    app.get(`${path}/init`, (c) => authController.init(c));
-    app.post(`${path}/first-user`, (c) => authController.registerFirstUser(c));
-    app.get(`${path}/me`, requireAuth(), (c) => authController.me(c));
-    app.post(`${path}/refresh-token`, requireAuth(), (c) => authController.refreshToken(c));
-    app.post(`${path}/forgot-password`, (c) => authController.forgotPassword(c));
-    app.post(`${path}/reset-password`, (c) => authController.resetPassword(c));
-    app.post(`${path}/invite`, requireAuth(), (c) => authController.invite(c));
-    app.post(`${path}/accept-invite`, (c) => authController.acceptInvite(c));
-  }
-  for (const collection of config.collections) {
-    const path = `/api/collections/${collection.slug}`;
-    const controller = new CollectionController(collection);
-    app.get(path, accessGate(collection, "read"), (c) => controller.find(c));
-    app.post(path, accessGate(collection, "create"), (c) => controller.create(c));
-    app.post(`${path}/media`, accessGate(collection, "create"), (c) => controller.create(c));
-    app.delete(`${path}/delete-many`, accessGate(collection, "delete"), (c) => controller.deleteMany(c));
-    app.get(`${path}/:id`, accessGate(collection, "read"), (c) => controller.findOne(c));
-    app.patch(`${path}/:id`, accessGate(collection, "update"), (c) => controller.update(c));
-    app.delete(`${path}/:id`, accessGate(collection, "delete"), (c) => controller.delete(c));
-    app.post(`${path}/seed`, (c) => controller.seed(c));
-    if (collection.auth) {
-      app.post(`${path}/:id/change-password`, requireAuth(), (c) => controller.changePassword(c));
-    }
-  }
-  for (const global of config.globals) {
-    const path = `/api/globals/${global.slug}`;
-    const controller = new GlobalController(global);
-    app.get(path, accessGate(global, "read"), (c) => controller.get(c));
-    app.patch(path, accessGate(global, "update"), (c) => controller.update(c));
-    app.post(`${path}/seed`, (c) => controller.seed(c));
-  }
-  const previewController = new PreviewController();
-  app.post("/api/preview-token", requireAuth(), (c) => previewController.createToken(c));
-  app.get("/api/preview-data", (c) => previewController.getData(c));
-  app.all("/api/collections/:slug/:id?", async (c) => {
-    const slug = c.req.param("slug");
-    const id = c.req.param("id");
-    const siteId = c.req.header("X-Site-Id") || c.get("siteId");
-    const config2 = c.get("config");
-    if (config2.collections.some((col) => col.slug === slug)) {
-      return c.json({ message: "Method Not Allowed" }, 405);
-    }
-    if (config2.onSchemaFetch && siteId) {
-      const dynamic = await config2.onSchemaFetch(siteId);
-      let collection = dynamic.collections?.find((col) => col.slug === slug);
-      if (!collection && slug === "media") {
-        collection = {
-          slug: "media",
-          labels: { singular: "Media", plural: "Media" },
-          upload: true,
-          fields: []
-        };
-      }
-      if (collection) {
-        if (collection.auth && id) {
-          const authController = new AuthController(collection);
-          const method2 = c.req.method;
-          if (method2 === "POST" && id === "login") return authController.login(c);
-          if (method2 === "POST" && id === "logout") return authController.logout(c);
-          if (method2 === "GET" && id === "me") return authController.me(c);
-          if (method2 === "POST" && id === "refresh-token") return authController.refreshToken(c);
-          if (method2 === "POST" && id === "forgot-password") return authController.forgotPassword(c);
-          if (method2 === "POST" && id === "reset-password") return authController.resetPassword(c);
-        }
-        const controller = new CollectionController(collection);
-        const method = c.req.method;
-        if (id) {
-          if (method === "GET") return controller.findOne(c);
-          if (method === "PATCH") return controller.update(c);
-          if (method === "DELETE" && id === "delete-many") return controller.deleteMany(c);
-          if (method === "DELETE") return controller.delete(c);
-          if (method === "POST" && id === "media") return controller.create(c);
-          if (method === "POST" && id === "seed") return controller.seed(c);
-        } else {
-          if (method === "GET") return controller.find(c);
-          if (method === "POST") return controller.create(c);
-        }
-      }
-    }
-    return c.json({ message: `Collection "${slug}" not found` }, 404);
-  });
-  app.all("/api/globals/:slug", async (c) => {
-    const slug = c.req.param("slug");
-    const siteId = c.req.header("X-Site-Id") || c.get("siteId");
-    const config2 = c.get("config");
-    if (config2.globals.some((glb) => glb.slug === slug)) {
-      return c.json({ message: "Method Not Allowed" }, 405);
-    }
-    if (config2.onSchemaFetch && siteId) {
-      const dynamic = await config2.onSchemaFetch(siteId);
-      const global = dynamic.globals?.find((glb) => glb.slug === slug);
-      if (global) {
-        const controller = new GlobalController(global);
-        if (c.req.method === "GET") return controller.get(c);
-        if (c.req.method === "PATCH") return controller.update(c);
-      }
-    }
-    return c.json({ message: `Global "${slug}" not found` }, 404);
-  });
-}
-
-// src/app.ts
-async function createDyrectedApp(rawConfig) {
-  const config = normalizeConfig(rawConfig);
-  const app = new import_hono.Hono();
-  if (config.db?.sync) {
-    await config.db.sync(config.collections, config.globals);
-  }
-  app.use("*", (0, import_request_id.requestId)());
-  app.use("*", optionalAuth());
-  app.use("*", async (c, next) => {
-    const start = Date.now();
-    await next();
-    const ms = Date.now() - start;
-    console.log(`[dyrected/api] ${c.req.method} ${c.req.path} ${c.res.status} - ${ms}ms`);
-  });
-  app.use("*", (0, import_cors.cors)());
-  app.use("*", async (c, next) => {
-    c.set("config", config);
-    if (!c.get("siteId")) {
-      c.set("siteId", "default");
-    }
-    await next();
-  });
-  app.get("/health", (c) => c.json({ status: "ok", version: "0.0.1" }));
-  app.get("/routes", (c) => {
-    const routes = app.routes.map((r) => ({ method: r.method, path: r.path }));
-    return c.json({ routes });
-  });
-  app.onError((err, c) => {
-    console.error(`[dyrected/core] Uncaught Error:`, err);
-    return c.json({
-      message: err.message || "Internal Server Error",
-      stack: process.env.NODE_ENV === "development" ? err.stack : void 0
-    }, 500);
-  });
-  registerRoutes(app, config);
-  return app;
-}
-
 // src/index.ts
 function defineCollection(config) {
   return config;
@@ -3722,7 +1329,6 @@ function defineConfig(config) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  createDyrectedApp,
   defineCollection,
   defineConfig,
   defineGlobal,