npm - @gzl10/nexus-backend - Versions diffs - 0.1.4 - Mend

@gzl10/nexus-backend 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,2267 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+// src/modules/system/system.controller.ts
+function toModuleDTO(mod) {
+  return {
+    name: mod.name,
+    code: mod.code,
+    label: mod.label,
+    icon: mod.icon,
+    description: mod.description,
+    version: mod.version,
+    type: mod.type ?? "core",
+    category: mod.category ?? "",
+    dependencies: mod.dependencies ?? [],
+    routePrefix: mod.routePrefix ?? `/${mod.name}`,
+    subjects: mod.subjects ?? [],
+    entities: mod.entities ?? [],
+    hasRoutes: !!mod.routes,
+    hasMigrate: !!mod.migrate,
+    hasSeed: !!mod.seed,
+    hasInit: !!mod.init
+  };
+}
+function createSystemController(ctx) {
+  const { errors } = ctx;
+  return {
+    /**
+     * GET /system/modules
+     * Lista todos los módulos registrados
+     */
+    listModules(_req, res) {
+      const modules2 = getModules().map(toModuleDTO);
+      res.json({ data: modules2, total: modules2.length });
+    },
+    /**
+     * GET /system/modules/:code
+     * Obtiene un módulo por código
+     */
+    getModule(req, res) {
+      const { code } = req.params;
+      const mod = getModules().find((m) => m.code === code.toUpperCase());
+      if (!mod) {
+        throw new errors.NotFoundError("M\xF3dulo no encontrado");
+      }
+      res.json({ data: toModuleDTO(mod) });
+    }
+  };
+}
+var init_system_controller = __esm({
+  "src/modules/system/system.controller.ts"() {
+    "use strict";
+    init_modules();
+  }
+});
+// src/modules/system/system.routes.ts
+function createSystemRoutes(ctx) {
+  const router = ctx.createRouter();
+  const controller = createSystemController(ctx);
+  router.get("/modules", controller.listModules);
+  router.get("/modules/:code", controller.getModule);
+  return router;
+}
+var init_system_routes = __esm({
+  "src/modules/system/system.routes.ts"() {
+    "use strict";
+    init_system_controller();
+  }
+});
+// src/modules/system/index.ts
+var systemModule;
+var init_system = __esm({
+  "src/modules/system/index.ts"() {
+    "use strict";
+    init_system_routes();
+    systemModule = {
+      name: "system",
+      code: "SYS",
+      label: "System",
+      icon: "mdi:cog-outline",
+      description: "System configuration, module registry, and platform metadata",
+      type: "core",
+      dependencies: [],
+      routes: createSystemRoutes,
+      routePrefix: "/system",
+      subjects: []
+    };
+  }
+});
+// src/modules/roles/roles.migrate.ts
+async function migrate(ctx) {
+  const { db: db2, logger: logger2, helpers } = ctx;
+  const { addTimestamps: addTimestamps2, addAuditFieldsIfMissing: addAuditFieldsIfMissing2 } = helpers;
+  if (!await db2.schema.hasTable("rol_roles")) {
+    await db2.schema.createTable("rol_roles", (table) => {
+      table.string("id").primary();
+      table.string("name", 50).unique().notNullable();
+      table.string("description", 255);
+      table.boolean("is_system").defaultTo(false);
+      addTimestamps2(table, db2);
+    });
+    logger2.info("Created table: rol_roles");
+  }
+  if (!await db2.schema.hasTable("rol_role_permissions")) {
+    await db2.schema.createTable("rol_role_permissions", (table) => {
+      table.string("id").primary();
+      table.string("role_id").notNullable().references("id").inTable("rol_roles").onDelete("CASCADE");
+      table.string("action", 20).notNullable();
+      table.string("subject", 50).notNullable();
+      table.json("conditions");
+      table.json("fields");
+      table.boolean("inverted").defaultTo(false);
+      addTimestamps2(table, db2);
+      table.unique(["role_id", "action", "subject"]);
+    });
+    logger2.info("Created table: rol_role_permissions");
+  }
+  await addAuditFieldsIfMissing2(db2, "rol_roles");
+  await addAuditFieldsIfMissing2(db2, "rol_role_permissions");
+}
+var init_roles_migrate = __esm({
+  "src/modules/roles/roles.migrate.ts"() {
+    "use strict";
+  }
+});
+// src/modules/roles/roles.seed.ts
+async function seed(ctx) {
+  const { db: db2, logger: logger2, generateId: generateId2 } = ctx;
+  const existingRoles = await db2("rol_roles").count("* as count").first();
+  if (Number(existingRoles?.count ?? 0) > 0) return;
+  const systemRoles = [
+    { id: generateId2(), name: "ADMIN", description: "Administrador con control total", is_system: true },
+    { id: generateId2(), name: "EDITOR", description: "Puede crear y editar contenido propio", is_system: true },
+    { id: generateId2(), name: "VIEWER", description: "Solo lectura", is_system: true }
+  ];
+  await db2("rol_roles").insert(systemRoles);
+  logger2.info("Inserted system roles: ADMIN, EDITOR, VIEWER");
+  const roles = await db2("rol_roles").select("id", "name");
+  const roleMap = Object.fromEntries(roles.map((r) => [r.name, r.id]));
+  const permissions = [
+    // ADMIN: manage all
+    { id: generateId2(), role_id: roleMap["ADMIN"], action: "manage", subject: "all", conditions: null, inverted: false },
+    // EDITOR: read users, CRUD posts (own for update/delete)
+    { id: generateId2(), role_id: roleMap["EDITOR"], action: "read", subject: "UsrUser", conditions: null, inverted: false },
+    { id: generateId2(), role_id: roleMap["EDITOR"], action: "create", subject: "PstPost", conditions: null, inverted: false },
+    { id: generateId2(), role_id: roleMap["EDITOR"], action: "read", subject: "PstPost", conditions: null, inverted: false },
+    { id: generateId2(), role_id: roleMap["EDITOR"], action: "update", subject: "PstPost", conditions: JSON.stringify({ author_id: "${user.id}" }), inverted: false },
+    { id: generateId2(), role_id: roleMap["EDITOR"], action: "delete", subject: "PstPost", conditions: JSON.stringify({ author_id: "${user.id}" }), inverted: false },
+    // VIEWER: read published posts, read own profile
+    { id: generateId2(), role_id: roleMap["VIEWER"], action: "read", subject: "PstPost", conditions: JSON.stringify({ status: "PUBLISHED" }), inverted: false },
+    { id: generateId2(), role_id: roleMap["VIEWER"], action: "read", subject: "UsrUser", conditions: JSON.stringify({ id: "${user.id}" }), inverted: false }
+  ];
+  await db2("rol_role_permissions").insert(permissions);
+  logger2.info("Inserted permissions for system roles");
+}
+var init_roles_seed = __esm({
+  "src/modules/roles/roles.seed.ts"() {
+    "use strict";
+  }
+});
+// src/modules/roles/roles.service.ts
+function createRolesService(ctx) {
+  const { db: db2, errors, generateId: generateId2 } = ctx;
+  return {
+    async findAllPermissions(query) {
+      const { page, limit } = query;
+      const offset = (page - 1) * limit;
+      const baseQuery = db2("rol_role_permissions").select(
+        "rol_role_permissions.*",
+        "rol_roles.name as role_name"
+      ).leftJoin("rol_roles", "rol_role_permissions.role_id", "rol_roles.id");
+      const [permissions, countResult] = await Promise.all([
+        baseQuery.clone().orderBy("rol_roles.name", "asc").orderBy("subject", "asc").limit(limit).offset(offset),
+        db2("rol_role_permissions").count("* as count").first()
+      ]);
+      const total = Number(countResult?.count ?? 0);
+      const items = permissions.map((p) => ({
+        ...p,
+        conditions: typeof p.conditions === "string" ? JSON.parse(p.conditions) : p.conditions,
+        fields: typeof p.fields === "string" ? JSON.parse(p.fields) : p.fields,
+        role: { name: p.role_name }
+      }));
+      const totalPages = Math.ceil(total / limit);
+      return {
+        items,
+        total,
+        page,
+        limit,
+        totalPages,
+        hasNext: page < totalPages
+      };
+    },
+    async findAll(query) {
+      const { page, limit } = query;
+      const offset = (page - 1) * limit;
+      const permissionsCountSubquery = db2("rol_role_permissions").count("*").whereRaw("rol_role_permissions.role_id = rol_roles.id").as("permissions_count");
+      const usersCountSubquery = db2("usr_users").count("*").whereRaw("usr_users.role_id = rol_roles.id").as("users_count");
+      const baseQuery = db2("rol_roles").select("rol_roles.*", permissionsCountSubquery, usersCountSubquery);
+      const [roles, countResult] = await Promise.all([
+        baseQuery.clone().orderBy("name", "asc").limit(limit).offset(offset),
+        baseQuery.clone().count("* as count").first()
+      ]);
+      const total = Number(countResult?.count ?? 0);
+      const items = roles.map((role) => ({
+        ...role,
+        permissions_count: Number(role.permissions_count ?? 0),
+        users_count: Number(role.users_count ?? 0)
+      }));
+      const totalPages = Math.ceil(total / limit);
+      return {
+        items,
+        total,
+        page,
+        limit,
+        totalPages,
+        hasNext: page < totalPages
+      };
+    },
+    async findById(id) {
+      const role = await db2("rol_roles").where({ id }).first();
+      if (!role) throw new errors.NotFoundError("Rol");
+      const permissions = await db2("rol_role_permissions").where({ role_id: id }).orderBy("subject", "asc").orderBy("action", "asc");
+      const parsedPermissions = permissions.map((p) => ({
+        ...p,
+        conditions: typeof p.conditions === "string" ? JSON.parse(p.conditions) : p.conditions,
+        fields: typeof p.fields === "string" ? JSON.parse(p.fields) : p.fields
+      }));
+      return { ...role, permissions: parsedPermissions };
+    },
+    async findByName(name) {
+      return db2("rol_roles").where({ name }).first();
+    },
+    async getPermissionsByRoleId(roleId) {
+      const permissions = await db2("rol_role_permissions").where({ role_id: roleId });
+      return permissions.map((p) => ({
+        ...p,
+        conditions: typeof p.conditions === "string" ? JSON.parse(p.conditions) : p.conditions,
+        fields: typeof p.fields === "string" ? JSON.parse(p.fields) : p.fields
+      }));
+    },
+    async create(input, userId) {
+      return db2.transaction(async (trx) => {
+        const existing = await trx("rol_roles").where({ name: input.name }).first();
+        if (existing) {
+          throw new errors.ConflictError("Ya existe un rol con ese nombre");
+        }
+        const id = generateId2();
+        await trx("rol_roles").insert({
+          id,
+          name: input.name,
+          description: input.description || null,
+          is_system: false,
+          created_by: userId ?? null
+        });
+        const role = await trx("rol_roles").where({ id }).first();
+        return role;
+      });
+    },
+    async update(id, input, userId) {
+      return db2.transaction(async (trx) => {
+        const role = await trx("rol_roles").where({ id }).first();
+        if (!role) throw new errors.NotFoundError("Rol");
+        if (role.is_system) {
+          throw new errors.ForbiddenError("No se pueden modificar roles del sistema");
+        }
+        if (input.name && input.name !== role.name) {
+          const existing = await trx("rol_roles").where({ name: input.name }).first();
+          if (existing) {
+            throw new errors.ConflictError("Ya existe un rol con ese nombre");
+          }
+        }
+        await trx("rol_roles").where({ id }).update({
+          ...input,
+          updated_at: /* @__PURE__ */ new Date(),
+          updated_by: userId ?? null
+        });
+        const updated = await trx("rol_roles").where({ id }).first();
+        return updated;
+      });
+    },
+    async delete(id) {
+      const role = await db2("rol_roles").where({ id }).first();
+      if (!role) throw new errors.NotFoundError("Rol");
+      if (role.is_system) {
+        throw new errors.ForbiddenError("No se pueden eliminar roles del sistema");
+      }
+      const usersCount = await db2("usr_users").where({ role_id: id }).count("* as count").first();
+      if (Number(usersCount?.count ?? 0) > 0) {
+        throw new errors.ConflictError("No se puede eliminar un rol con usuarios asignados");
+      }
+      await db2("rol_roles").where({ id }).delete();
+    },
+    async updatePermissions(id, permissions, userId) {
+      return db2.transaction(async (trx) => {
+        const role = await trx("rol_roles").where({ id }).first();
+        if (!role) throw new errors.NotFoundError("Rol");
+        if (role.is_system && role.name === "ADMIN") {
+          throw new errors.ForbiddenError("No se pueden modificar los permisos del rol ADMIN");
+        }
+        await trx("rol_role_permissions").where({ role_id: id }).delete();
+        if (permissions.length > 0) {
+          const permissionsData = permissions.map((p) => ({
+            id: generateId2(),
+            role_id: id,
+            action: p.action,
+            subject: p.subject,
+            conditions: p.conditions ? JSON.stringify(p.conditions) : null,
+            fields: p.fields ? JSON.stringify(p.fields) : null,
+            inverted: p.inverted,
+            created_by: userId ?? null
+          }));
+          await trx("rol_role_permissions").insert(permissionsData);
+        }
+        await trx("rol_roles").where({ id }).update({
+          updated_at: /* @__PURE__ */ new Date(),
+          updated_by: userId ?? null
+        });
+        const updatedRole = await trx("rol_roles").where({ id }).first();
+        const updatedPermissions = await trx("rol_role_permissions").where({ role_id: id }).orderBy("subject", "asc").orderBy("action", "asc");
+        const parsedPermissions = updatedPermissions.map((p) => ({
+          ...p,
+          conditions: typeof p.conditions === "string" ? JSON.parse(p.conditions) : p.conditions,
+          fields: typeof p.fields === "string" ? JSON.parse(p.fields) : p.fields
+        }));
+        return { ...updatedRole, permissions: parsedPermissions };
+      });
+    }
+  };
+}
+var init_roles_service = __esm({
+  "src/modules/roles/roles.service.ts"() {
+    "use strict";
+  }
+});
+// src/modules/roles/roles.controller.ts
+function createRolesController(ctx) {
+  const { ForbiddenError: CASLForbiddenError3 } = ctx.abilities;
+  const rolesService = createRolesService(ctx);
+  return {
+    async findAllPermissions(req, res) {
+      const authReq = req;
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("read", "RolRolePermission");
+      const result = await rolesService.findAllPermissions(req.validated?.query);
+      res.json({ success: true, data: result });
+    },
+    async findAll(req, res) {
+      const authReq = req;
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("read", "RolRole");
+      const result = await rolesService.findAll(req.validated?.query);
+      res.json({ success: true, data: result });
+    },
+    async findById(req, res) {
+      const authReq = req;
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("read", "RolRole");
+      const { id } = req.validated?.params;
+      const role = await rolesService.findById(id);
+      res.json({ success: true, data: role });
+    },
+    async create(req, res) {
+      const authReq = req;
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("create", "RolRole");
+      const role = await rolesService.create(req.body, authReq.user.id);
+      res.status(201).json({ success: true, data: role });
+    },
+    async update(req, res) {
+      const authReq = req;
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("update", "RolRole");
+      const { id } = req.validated?.params;
+      const role = await rolesService.update(id, req.body, authReq.user.id);
+      res.json({ success: true, data: role });
+    },
+    async delete(req, res) {
+      const authReq = req;
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("delete", "RolRole");
+      const { id } = req.validated?.params;
+      await rolesService.delete(id);
+      res.json({ success: true, message: "Rol eliminado" });
+    },
+    async updatePermissions(req, res) {
+      const authReq = req;
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("update", "RolRole");
+      const { id } = req.validated?.params;
+      const { permissions } = req.body;
+      const role = await rolesService.updatePermissions(id, permissions, authReq.user.id);
+      res.json({ success: true, data: role });
+    }
+  };
+}
+var init_roles_controller = __esm({
+  "src/modules/roles/roles.controller.ts"() {
+    "use strict";
+    init_roles_service();
+  }
+});
+// src/modules/roles/roles.schemas.ts
+import { z } from "zod";
+var createRoleSchema, updateRoleSchema, permissionSchema, updatePermissionsSchema, roleParamsSchema, roleQuerySchema;
+var init_roles_schemas = __esm({
+  "src/modules/roles/roles.schemas.ts"() {
+    "use strict";
+    createRoleSchema = z.object({
+      name: z.string().min(2, "Nombre m\xEDnimo 2 caracteres").max(50, "Nombre m\xE1ximo 50 caracteres").regex(/^[A-Z_]+$/, "Solo may\xFAsculas y guion bajo"),
+      description: z.string().max(255).optional()
+    });
+    updateRoleSchema = z.object({
+      name: z.string().min(2, "Nombre m\xEDnimo 2 caracteres").max(50, "Nombre m\xE1ximo 50 caracteres").regex(/^[A-Z_]+$/, "Solo may\xFAsculas y guion bajo").optional(),
+      description: z.string().max(255).optional()
+    });
+    permissionSchema = z.object({
+      action: z.enum(["manage", "create", "read", "update", "delete"]),
+      subject: z.enum(["UsrUser", "PstPost", "RolRole", "RolRolePermission", "all"]),
+      conditions: z.record(z.unknown()).optional(),
+      fields: z.array(z.string()).optional(),
+      inverted: z.boolean().default(false)
+    });
+    updatePermissionsSchema = z.object({
+      permissions: z.array(permissionSchema)
+    });
+    roleParamsSchema = z.object({
+      id: z.string().min(1)
+    });
+    roleQuerySchema = z.object({
+      page: z.coerce.number().min(1).default(1),
+      limit: z.coerce.number().min(1).max(100).default(10)
+    });
+  }
+});
+// src/modules/roles/roles.routes.ts
+function createRolesRoutes(ctx) {
+  const router = ctx.createRouter();
+  const { validate: validate2, auth } = ctx.middleware;
+  const controller = createRolesController(ctx);
+  router.use(auth);
+  router.get("/", validate2({ query: roleQuerySchema }), controller.findAll);
+  router.get("/permissions", validate2({ query: roleQuerySchema }), controller.findAllPermissions);
+  router.get("/:id", validate2({ params: roleParamsSchema }), controller.findById);
+  router.post("/", validate2({ body: createRoleSchema }), controller.create);
+  router.put("/:id", validate2({ params: roleParamsSchema, body: updateRoleSchema }), controller.update);
+  router.delete("/:id", validate2({ params: roleParamsSchema }), controller.delete);
+  router.put("/:id/permissions", validate2({ params: roleParamsSchema, body: updatePermissionsSchema }), controller.updatePermissions);
+  return router;
+}
+var init_roles_routes = __esm({
+  "src/modules/roles/roles.routes.ts"() {
+    "use strict";
+    init_roles_controller();
+    init_roles_schemas();
+  }
+});
+// src/modules/roles/index.ts
+var rolesModule;
+var init_roles = __esm({
+  "src/modules/roles/index.ts"() {
+    "use strict";
+    init_roles_migrate();
+    init_roles_seed();
+    init_roles_routes();
+    rolesModule = {
+      name: "roles",
+      code: "ROL",
+      label: "Roles",
+      icon: "mdi:shield-outline",
+      description: "Role definitions and CASL-based permission rules for access control",
+      type: "core",
+      dependencies: [],
+      migrate,
+      seed,
+      routes: createRolesRoutes,
+      routePrefix: "/roles",
+      subjects: ["RolRole", "RolRolePermission"],
+      entities: [
+        {
+          name: "RolRole",
+          label: "Roles",
+          listType: "list",
+          listFields: {
+            name: "Name",
+            description: "Description"
+          },
+          formFields: {
+            name: {
+              label: "Name",
+              type: "text",
+              required: true,
+              placeholder: "ADMIN_ROLE",
+              validation: {
+                minLength: 2,
+                maxLength: 50,
+                pattern: "^[A-Z][A-Z0-9_]*$",
+                errorMessage: "Use UPPER_SNAKE_CASE (e.g., ADMIN_ROLE)"
+              }
+            },
+            description: {
+              label: "Description",
+              type: "textarea",
+              placeholder: "Role description...",
+              validation: {
+                maxLength: 500
+              }
+            }
+          },
+          labelField: "name"
+        },
+        {
+          name: "RolRolePermission",
+          label: "Permissions",
+          routePrefix: "/roles/permissions",
+          listFields: {
+            action: "Action",
+            subject: "Subject",
+            "role.name": "Role"
+          },
+          labelField: "action"
+        }
+      ]
+    };
+  }
+});
+// src/modules/users/users.migrate.ts
+async function migrate2(ctx) {
+  const { db: db2, logger: logger2, helpers } = ctx;
+  const { addTimestamps: addTimestamps2, addAuditFieldsIfMissing: addAuditFieldsIfMissing2, addColumnIfMissing: addColumnIfMissing2 } = helpers;
+  if (!await db2.schema.hasTable("usr_users")) {
+    await db2.schema.createTable("usr_users", (table) => {
+      table.string("id").primary();
+      table.string("email").unique().notNullable();
+      table.string("password").notNullable();
+      table.string("name").notNullable();
+      table.string("role_id").notNullable().references("id").inTable("rol_roles");
+      addTimestamps2(table, db2);
+    });
+    logger2.info("Created table: usr_users");
+  }
+  await migrateLegacyRoleColumn(ctx);
+  await addColumnIfMissing2(db2, "usr_users", "metadata", (table) => {
+    table.json("metadata").nullable();
+  });
+  await addAuditFieldsIfMissing2(db2, "usr_users");
+}
+async function migrateLegacyRoleColumn(ctx) {
+  const { db: db2, logger: logger2, dbType } = ctx;
+  const hasRoleColumn = await db2.schema.hasColumn("usr_users", "role");
+  const hasRoleIdColumn = await db2.schema.hasColumn("usr_users", "role_id");
+  if (!hasRoleColumn || hasRoleIdColumn) return;
+  logger2.info("Migrating usr_users.role to usr_users.role_id...");
+  const roles = await db2("rol_roles").select("id", "name");
+  const roleMap = Object.fromEntries(roles.map((r) => [r.name, r.id]));
+  await db2.schema.alterTable("usr_users", (table) => {
+    table.string("role_id").references("id").inTable("rol_roles");
+  });
+  for (const [roleName, roleId] of Object.entries(roleMap)) {
+    await db2("usr_users").where("role", roleName).update({ role_id: roleId });
+  }
+  if (dbType === "sqlite") {
+    await db2.raw(`
+      CREATE TABLE usr_users_new (
+        id TEXT PRIMARY KEY,
+        email TEXT UNIQUE NOT NULL,
+        password TEXT NOT NULL,
+        name TEXT NOT NULL,
+        role_id TEXT NOT NULL REFERENCES rol_roles(id),
+        created_at TEXT DEFAULT CURRENT_TIMESTAMP,
+        updated_at TEXT DEFAULT CURRENT_TIMESTAMP
+      )
+    `);
+    await db2.raw(`
+      INSERT INTO usr_users_new (id, email, password, name, role_id, created_at, updated_at)
+      SELECT id, email, password, name, role_id, created_at, updated_at FROM usr_users
+    `);
+    await db2.raw("DROP TABLE usr_users");
+    await db2.raw("ALTER TABLE usr_users_new RENAME TO usr_users");
+  } else {
+    await db2.schema.alterTable("usr_users", (table) => {
+      table.dropColumn("role");
+    });
+  }
+  logger2.info("Migration completed: usr_users.role -> usr_users.role_id");
+}
+var init_users_migrate = __esm({
+  "src/modules/users/users.migrate.ts"() {
+    "use strict";
+  }
+});
+// src/modules/auth/auth.utils.ts
+import bcrypt from "bcryptjs";
+function hashPassword(password) {
+  return bcrypt.hash(password, SALT_ROUNDS);
+}
+function verifyPassword(password, hash) {
+  return bcrypt.compare(password, hash);
+}
+var SALT_ROUNDS, DUMMY_HASH;
+var init_auth_utils = __esm({
+  "src/modules/auth/auth.utils.ts"() {
+    "use strict";
+    SALT_ROUNDS = 10;
+    DUMMY_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeUv9rT7dRVqTMtKYzOYQVxZi1qU2cFaW";
+  }
+});
+// src/modules/users/users.seed.ts
+async function seed2(ctx) {
+  const { db: db2, logger: logger2, generateId: generateId2 } = ctx;
+  const email = process.env["ADMIN_EMAIL"] || "admin@example.com";
+  const password = process.env["ADMIN_PASSWORD"] || "admin123";
+  const existing = await db2("usr_users").where({ email }).first();
+  if (existing) {
+    logger2.info({ email }, "Admin user already exists");
+    return;
+  }
+  const adminRole = await db2("rol_roles").where({ name: "ADMIN" }).first();
+  if (!adminRole) {
+    logger2.error("ADMIN role not found. Run migrations first.");
+    throw new Error("ADMIN role not found");
+  }
+  const hashedPassword = await hashPassword(password);
+  await db2("usr_users").insert({
+    id: generateId2(),
+    email,
+    password: hashedPassword,
+    name: "Administrador",
+    role_id: adminRole.id
+  });
+  logger2.info({ email }, "Admin user created");
+}
+var init_users_seed = __esm({
+  "src/modules/users/users.seed.ts"() {
+    "use strict";
+    init_auth_utils();
+  }
+});
+// src/modules/users/users.service.ts
+function excludePassword(user) {
+  const { password: _, ...rest } = user;
+  return rest;
+}
+function buildUserWithRole(row) {
+  const {
+    password: _,
+    role_name,
+    role_description,
+    role_is_system,
+    role_created_at,
+    role_updated_at,
+    ...user
+  } = row;
+  return {
+    ...user,
+    role: user.role_id ? {
+      id: user.role_id,
+      name: role_name,
+      description: role_description,
+      is_system: role_is_system,
+      created_at: role_created_at,
+      updated_at: role_updated_at
+    } : null
+  };
+}
+function createUsersService(ctx) {
+  const { db: db2, errors, generateId: generateId2 } = ctx;
+  return {
+    async findAll(query) {
+      const { page, limit, role_id } = query;
+      const offset = (page - 1) * limit;
+      let baseQuery = db2("usr_users").select(...USER_WITH_ROLE_COLUMNS).leftJoin("rol_roles", "usr_users.role_id", "rol_roles.id");
+      if (role_id) {
+        baseQuery = baseQuery.where("usr_users.role_id", role_id);
+      }
+      const [users, countResult] = await Promise.all([
+        baseQuery.clone().orderBy("usr_users.created_at", "desc").limit(limit).offset(offset),
+        baseQuery.clone().count("* as count").first()
+      ]);
+      const total = Number(countResult?.count ?? 0);
+      const items = users.map(buildUserWithRole);
+      const totalPages = Math.ceil(total / limit);
+      return {
+        items,
+        total,
+        page,
+        limit,
+        totalPages,
+        hasNext: page < totalPages
+      };
+    },
+    async findById(id) {
+      const user = await db2("usr_users").where({ id }).first();
+      if (!user) throw new errors.NotFoundError("Usuario");
+      return excludePassword(user);
+    },
+    async findByIdWithRole(id) {
+      const row = await db2("usr_users").select(...USER_WITH_ROLE_COLUMNS).leftJoin("rol_roles", "usr_users.role_id", "rol_roles.id").where("usr_users.id", id).first();
+      if (!row) throw new errors.NotFoundError("Usuario");
+      return buildUserWithRole(row);
+    },
+    async findByIdWithPassword(id) {
+      const user = await db2("usr_users").where({ id }).first();
+      if (!user) throw new errors.NotFoundError("Usuario");
+      return user;
+    },
+    async create(input, userId) {
+      const existing = await db2("usr_users").where({ email: input.email }).first();
+      if (existing) {
+        throw new errors.ConflictError("El email ya est\xE1 en uso");
+      }
+      const role = await db2("rol_roles").where({ id: input.role_id }).first();
+      if (!role) {
+        throw new errors.NotFoundError("Rol");
+      }
+      const hashedPassword = await hashPassword(input.password);
+      const id = generateId2();
+      await db2("usr_users").insert({
+        id,
+        email: input.email,
+        password: hashedPassword,
+        name: input.name,
+        role_id: input.role_id,
+        created_by: userId ?? null
+      });
+      const user = await db2("usr_users").where({ id }).first();
+      return excludePassword(user);
+    },
+    async update(id, input, userId) {
+      const currentUser = await db2("usr_users").where({ id }).first();
+      if (!currentUser) throw new errors.NotFoundError("Usuario");
+      return db2.transaction(async (trx) => {
+        if (input.email && input.email !== currentUser.email) {
+          const existing = await trx("usr_users").where({ email: input.email }).whereNot({ id }).first();
+          if (existing) {
+            throw new errors.ConflictError("El email ya est\xE1 en uso");
+          }
+        }
+        if (input.role_id) {
+          const role = await trx("rol_roles").where({ id: input.role_id }).first();
+          if (!role) {
+            throw new errors.NotFoundError("Rol");
+          }
+        }
+        const data = {
+          ...input,
+          updated_at: /* @__PURE__ */ new Date(),
+          updated_by: userId ?? null
+        };
+        if (input.password) {
+          data["password"] = await hashPassword(input.password);
+        }
+        await trx("usr_users").where({ id }).update(data);
+        const user = await trx("usr_users").where({ id }).first();
+        return excludePassword(user);
+      });
+    },
+    async delete(id) {
+      const user = await db2("usr_users").where({ id }).first();
+      if (!user) throw new errors.NotFoundError("Usuario");
+      await db2("usr_users").where({ id }).delete();
+    }
+  };
+}
+var USER_WITH_ROLE_COLUMNS;
+var init_users_service = __esm({
+  "src/modules/users/users.service.ts"() {
+    "use strict";
+    init_auth_utils();
+    USER_WITH_ROLE_COLUMNS = [
+      "usr_users.*",
+      "rol_roles.name as role_name",
+      "rol_roles.description as role_description",
+      "rol_roles.is_system as role_is_system",
+      "rol_roles.created_at as role_created_at",
+      "rol_roles.updated_at as role_updated_at"
+    ];
+  }
+});
+// src/modules/users/users.controller.ts
+function createUsersController(ctx) {
+  const { errors, abilities } = ctx;
+  const { subject: subject2, ForbiddenError: CASLForbiddenError3 } = abilities;
+  const usersService = createUsersService(ctx);
+  return {
+    async findAll(req, res) {
+      const authReq = req;
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("read", "UsrUser");
+      const result = await usersService.findAll(req.validated?.query);
+      res.json({ success: true, data: result });
+    },
+    async findById(req, res) {
+      const authReq = req;
+      const { id } = req.validated?.params;
+      const user = await usersService.findById(id);
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("read", subject2("UsrUser", user));
+      res.json({ success: true, data: user });
+    },
+    async create(req, res) {
+      const authReq = req;
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("create", "UsrUser");
+      const user = await usersService.create(req.body, authReq.user.id);
+      res.status(201).json({ success: true, data: user });
+    },
+    async update(req, res) {
+      const authReq = req;
+      const { id } = req.validated?.params;
+      const input = req.body;
+      const user = await usersService.findById(id);
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("update", subject2("UsrUser", user));
+      if (input.role_id && !authReq.ability.can("manage", "UsrUser")) {
+        throw new errors.ForbiddenError("No tienes permiso para cambiar roles");
+      }
+      const updated = await usersService.update(id, input, authReq.user.id);
+      res.json({ success: true, data: updated });
+    },
+    async delete(req, res) {
+      const authReq = req;
+      const { id } = req.validated?.params;
+      const user = await usersService.findById(id);
+      CASLForbiddenError3.from(authReq.ability).throwUnlessCan("delete", subject2("UsrUser", user));
+      if (authReq.user.id === id) {
+        throw new errors.ForbiddenError("No puedes eliminarte a ti mismo");
+      }
+      await usersService.delete(id);
+      res.json({ success: true, message: "Usuario eliminado" });
+    }
+  };
+}
+var init_users_controller = __esm({
+  "src/modules/users/users.controller.ts"() {
+    "use strict";
+    init_users_service();
+  }
+});
+// src/modules/users/users.schemas.ts
+import { z as z2 } from "zod";
+var createUserSchema, updateUserSchema, userParamsSchema, userQuerySchema;
+var init_users_schemas = __esm({
+  "src/modules/users/users.schemas.ts"() {
+    "use strict";
+    createUserSchema = z2.object({
+      email: z2.string().email("Email inv\xE1lido"),
+      password: z2.string().min(6, "Password m\xEDnimo 6 caracteres"),
+      name: z2.string().min(1, "Nombre requerido"),
+      role_id: z2.string().min(1, "Rol requerido"),
+      metadata: z2.record(z2.unknown()).nullable().optional()
+    });
+    updateUserSchema = z2.object({
+      email: z2.string().email("Email inv\xE1lido").optional(),
+      password: z2.string().min(6, "Password m\xEDnimo 6 caracteres").optional(),
+      name: z2.string().min(1, "Nombre requerido").optional(),
+      role_id: z2.string().min(1).optional(),
+      metadata: z2.record(z2.unknown()).nullable().optional()
+    });
+    userParamsSchema = z2.object({
+      id: z2.string().min(1)
+    });
+    userQuerySchema = z2.object({
+      page: z2.coerce.number().min(1).default(1),
+      limit: z2.coerce.number().min(1).max(100).default(10),
+      role_id: z2.string().optional()
+    });
+  }
+});
+// src/modules/users/users.routes.ts
+function createUsersRoutes(ctx) {
+  const router = ctx.createRouter();
+  const { validate: validate2, auth } = ctx.middleware;
+  const controller = createUsersController(ctx);
+  router.use(auth);
+  router.get("/", validate2({ query: userQuerySchema }), controller.findAll);
+  router.get("/:id", validate2({ params: userParamsSchema }), controller.findById);
+  router.post("/", validate2({ body: createUserSchema }), controller.create);
+  router.put("/:id", validate2({ params: userParamsSchema, body: updateUserSchema }), controller.update);
+  router.delete("/:id", validate2({ params: userParamsSchema }), controller.delete);
+  return router;
+}
+var init_users_routes = __esm({
+  "src/modules/users/users.routes.ts"() {
+    "use strict";
+    init_users_controller();
+    init_users_schemas();
+  }
+});
+// src/modules/users/index.ts
+var usersModule;
+var init_users = __esm({
+  "src/modules/users/index.ts"() {
+    "use strict";
+    init_users_migrate();
+    init_users_seed();
+    init_users_routes();
+    usersModule = {
+      name: "users",
+      code: "USR",
+      label: "Users",
+      icon: "mdi:account-group-outline",
+      description: "User accounts, authentication profiles, and role assignments",
+      type: "core",
+      dependencies: ["roles"],
+      migrate: migrate2,
+      seed: seed2,
+      routes: createUsersRoutes,
+      routePrefix: "/users",
+      subjects: ["UsrUser"],
+      entities: [
+        {
+          name: "UsrUser",
+          label: "Users",
+          listFields: {
+            name: "Name",
+            email: "Email",
+            "role.name": "Role"
+          },
+          formFields: {
+            name: { label: "Name", type: "text", required: true },
+            email: { label: "Email", type: "email", required: true },
+            password: { label: "Password", type: "password", required: true, createOnly: true },
+            role_id: {
+              label: "Role",
+              type: "select",
+              required: true,
+              optionsEndpoint: "/roles",
+              optionValue: "id",
+              optionLabel: "name"
+            }
+          },
+          labelField: "name"
+        }
+      ]
+    };
+  }
+});
+// src/modules/auth/auth.migrate.ts
+async function migrate3(ctx) {
+  const { db: db2, logger: logger2 } = ctx;
+  if (!await db2.schema.hasTable("auth_refresh_tokens")) {
+    await db2.schema.createTable("auth_refresh_tokens", (table) => {
+      table.string("id").primary();
+      table.string("token").unique().notNullable();
+      table.string("user_id").notNullable().references("id").inTable("usr_users").onDelete("CASCADE");
+      table.timestamp("expires_at").notNullable();
+      table.timestamp("created_at").defaultTo(db2.fn.now());
+      table.index("user_id");
+      table.index("expires_at");
+    });
+    logger2.info("Created table: auth_refresh_tokens");
+  }
+}
+var init_auth_migrate = __esm({
+  "src/modules/auth/auth.migrate.ts"() {
+    "use strict";
+  }
+});
+// src/config/env.ts
+import { z as z3 } from "zod";
+function resolveConfig(config) {
+  const jwtSecret = config?.jwt?.secret ?? env.JWT_SECRET;
+  if (!jwtSecret || jwtSecret.length < 32) {
+    throw new Error("JWT_SECRET must be at least 32 characters. Provide via config.jwt.secret or JWT_SECRET env var.");
+  }
+  resolvedConfig = {
+    nodeEnv: env.NODE_ENV,
+    port: config?.port ?? env.PORT,
+    host: config?.host ?? "0.0.0.0",
+    homePath: config?.homePath ?? env.HOME_PATH,
+    corsOrigin: (Array.isArray(config?.cors?.origin) ? config.cors.origin[0] : config?.cors?.origin) ?? env.CORS_ORIGIN,
+    databaseUrl: config?.database?.url ?? env.DATABASE_URL,
+    jwtSecret,
+    jwtAccessExpires: config?.jwt?.accessExpires ?? env.JWT_ACCESS_EXPIRES,
+    jwtRefreshExpires: config?.jwt?.refreshExpires ?? env.JWT_REFRESH_EXPIRES,
+    adminEmail: config?.admin?.email ?? env.ADMIN_EMAIL,
+    adminPassword: config?.admin?.password ?? env.ADMIN_PASSWORD,
+    smtp: {
+      host: config?.smtp?.host ?? env.SMTP_HOST,
+      port: config?.smtp?.port ?? env.SMTP_PORT,
+      secure: config?.smtp?.secure ?? env.SMTP_SECURE,
+      auth: config?.smtp?.auth ?? env.SMTP_USER ? { user: config?.smtp?.auth?.user ?? env.SMTP_USER, pass: config?.smtp?.auth?.pass ?? env.SMTP_PASS } : void 0,
+      from: config?.smtp?.from ?? env.SMTP_FROM
+    }
+  };
+  return resolvedConfig;
+}
+function getConfig() {
+  if (!resolvedConfig) {
+    return resolveConfig();
+  }
+  return resolvedConfig;
+}
+function resetConfig() {
+  resolvedConfig = null;
+}
+var envSchema, env, resolvedConfig;
+var init_env = __esm({
+  "src/config/env.ts"() {
+    "use strict";
+    envSchema = z3.object({
+      NODE_ENV: z3.enum(["development", "production", "test"]).default("development"),
+      PORT: z3.coerce.number().default(3e3),
+      HOME_PATH: z3.string().default("/ui"),
+      CORS_ORIGIN: z3.string().default("http://localhost:3001"),
+      BACKEND_URL: z3.string().optional(),
+      DATABASE_URL: z3.string().default("file:./dev.db"),
+      JWT_SECRET: z3.string().min(32).optional(),
+      JWT_ACCESS_EXPIRES: z3.string().default("15m"),
+      JWT_REFRESH_EXPIRES: z3.string().default("7d"),
+      ADMIN_EMAIL: z3.string().email().optional(),
+      ADMIN_PASSWORD: z3.string().min(6).optional(),
+      COOKIE_DOMAIN: z3.string().optional(),
+      // SMTP
+      SMTP_HOST: z3.string().default("kendra.server.arpa"),
+      SMTP_PORT: z3.coerce.number().default(1025),
+      SMTP_SECURE: z3.coerce.boolean().default(false),
+      SMTP_USER: z3.string().optional(),
+      SMTP_PASS: z3.string().optional(),
+      SMTP_FROM: z3.string().default("noreply@nexus.local")
+    });
+    env = envSchema.parse(process.env);
+    resolvedConfig = null;
+  }
+});
+// src/modules/auth/jwt.utils.ts
+import jwt from "jsonwebtoken";
+import crypto from "crypto";
+function parseExpiration(exp) {
+  const match = exp.match(/^(\d+)([smhd])$/);
+  if (!match) return 900;
+  const value = parseInt(match[1], 10);
+  const unit = match[2];
+  switch (unit) {
+    case "s":
+      return value;
+    case "m":
+      return value * 60;
+    case "h":
+      return value * 60 * 60;
+    case "d":
+      return value * 60 * 60 * 24;
+    default:
+      return 900;
+  }
+}
+function generateAccessToken(payload) {
+  const config = getConfig();
+  return jwt.sign(payload, config.jwtSecret, {
+    expiresIn: config.jwtAccessExpires
+  });
+}
+function generateRefreshToken() {
+  return crypto.randomBytes(64).toString("hex");
+}
+function getRefreshTokenExpiration() {
+  const seconds = parseExpiration(getConfig().jwtRefreshExpires);
+  return new Date(Date.now() + seconds * 1e3);
+}
+function generateTokenPair(payload) {
+  return {
+    accessToken: generateAccessToken(payload),
+    refreshToken: generateRefreshToken()
+  };
+}
+var init_jwt_utils = __esm({
+  "src/modules/auth/jwt.utils.ts"() {
+    "use strict";
+    init_env();
+  }
+});
+// src/modules/auth/auth.service.ts
+function createAuthService(ctx) {
+  const { db: db2, errors, generateId: generateId2, abilities, events } = ctx;
+  const { defineAbilityFor: defineAbilityFor2, packRules: packRules2 } = abilities;
+  const rolesService = createRolesService(ctx);
+  async function getUserWithRole(userId) {
+    const user = await db2("usr_users").leftJoin("rol_roles", "usr_users.role_id", "rol_roles.id").where("usr_users.id", userId).select(
+      "usr_users.*",
+      "rol_roles.name as role_name",
+      "rol_roles.description as role_description",
+      "rol_roles.is_system as role_is_system"
+    ).first();
+    if (!user) return null;
+    const { role_name, role_description, role_is_system, password: _, ...userWithoutPassword } = user;
+    return {
+      ...userWithoutPassword,
+      role: {
+        id: user.role_id,
+        name: role_name,
+        description: role_description,
+        is_system: role_is_system
+      }
+    };
+  }
+  return {
+    async login(input) {
+      const user = await db2("usr_users").where({ email: input.email }).first();
+      const hashToCheck = user?.password ?? DUMMY_HASH;
+      const validPassword = await verifyPassword(input.password, hashToCheck);
+      if (!user || !validPassword) {
+        events.emitEvent("auth.failed", {
+          email: input.email,
+          reason: user ? "invalid_password" : "user_not_found"
+        });
+        throw new errors.UnauthorizedError("Credenciales inv\xE1lidas");
+      }
+      const tokens = generateTokenPair({
+        userId: user.id,
+        email: user.email,
+        roleId: user.role_id
+      });
+      await db2("auth_refresh_tokens").insert({
+        id: generateId2(),
+        token: tokens.refreshToken,
+        user_id: user.id,
+        expires_at: getRefreshTokenExpiration()
+      });
+      const permissions = await rolesService.getPermissionsByRoleId(user.role_id);
+      const ability = defineAbilityFor2(user, permissions);
+      const userWithRole = await getUserWithRole(user.id);
+      events.emitEvent("auth.login", { userId: user.id, email: user.email });
+      return {
+        user: userWithRole,
+        accessToken: tokens.accessToken,
+        refreshToken: tokens.refreshToken,
+        abilities: packRules2(ability)
+      };
+    },
+    async refresh(refreshToken) {
+      const result = await db2.transaction(async (trx) => {
+        let query = trx("auth_refresh_tokens").where({ token: refreshToken });
+        if (ctx.dbType !== "sqlite") {
+          query = query.forUpdate();
+        }
+        const storedToken = await query.first();
+        if (!storedToken) {
+          throw new errors.UnauthorizedError("Refresh token inv\xE1lido");
+        }
+        if (new Date(storedToken.expires_at) < /* @__PURE__ */ new Date()) {
+          await trx("auth_refresh_tokens").where({ id: storedToken.id }).delete();
+          throw new errors.UnauthorizedError("Refresh token expirado");
+        }
+        const user = await trx("usr_users").where({ id: storedToken.user_id }).first();
+        if (!user) {
+          throw new errors.UnauthorizedError("Usuario no encontrado");
+        }
+        const tokens = generateTokenPair({
+          userId: user.id,
+          email: user.email,
+          roleId: user.role_id
+        });
+        await trx("auth_refresh_tokens").where({ id: storedToken.id }).delete();
+        await trx("auth_refresh_tokens").insert({
+          id: generateId2(),
+          token: tokens.refreshToken,
+          user_id: user.id,
+          expires_at: getRefreshTokenExpiration()
+        });
+        return { user, tokens };
+      });
+      const permissions = await rolesService.getPermissionsByRoleId(result.user.role_id);
+      const ability = defineAbilityFor2(result.user, permissions);
+      events.emitEvent("auth.refresh", { userId: result.user.id });
+      return {
+        accessToken: result.tokens.accessToken,
+        refreshToken: result.tokens.refreshToken,
+        abilities: packRules2(ability)
+      };
+    },
+    async logout(refreshToken, userId) {
+      const deleted = await db2("auth_refresh_tokens").where({ token: refreshToken }).delete();
+      if (deleted > 0 && userId) {
+        events.emitEvent("auth.logout", { userId });
+      }
+      return deleted > 0;
+    },
+    async me(userId) {
+      const userWithRole = await getUserWithRole(userId);
+      if (!userWithRole) {
+        throw new errors.NotFoundError("Usuario");
+      }
+      const permissions = await rolesService.getPermissionsByRoleId(userWithRole.role_id);
+      const ability = defineAbilityFor2(userWithRole, permissions);
+      return {
+        user: userWithRole,
+        abilities: packRules2(ability)
+      };
+    },
+    async cleanupExpiredTokens() {
+      const deleted = await db2("auth_refresh_tokens").where("expires_at", "<", /* @__PURE__ */ new Date()).delete();
+      return deleted;
+    }
+  };
+}
+var init_auth_service = __esm({
+  "src/modules/auth/auth.service.ts"() {
+    "use strict";
+    init_roles_service();
+    init_jwt_utils();
+    init_auth_utils();
+  }
+});
+// src/modules/auth/auth.controller.ts
+function createAuthController(ctx) {
+  const { errors } = ctx;
+  const authService = createAuthService(ctx);
+  function getCookieOptions(req) {
+    const isSecure = req.secure || req.get("x-forwarded-proto") === "https";
+    return {
+      httpOnly: true,
+      secure: isSecure,
+      sameSite: isSecure ? "strict" : "lax",
+      path: "/api/v1",
+      maxAge: 7 * 24 * 60 * 60 * 1e3
+      // 7 days
+    };
+  }
+  return {
+    async login(req, res) {
+      const result = await authService.login(req.body);
+      res.cookie("refreshToken", result.refreshToken, getCookieOptions(req));
+      res.json({
+        success: true,
+        data: {
+          user: result.user,
+          accessToken: result.accessToken,
+          abilities: result.abilities
+        }
+      });
+    },
+    async refresh(req, res) {
+      const refreshToken = req.cookies?.["refreshToken"];
+      if (!refreshToken) {
+        throw new errors.UnauthorizedError("Refresh token required");
+      }
+      const result = await authService.refresh(refreshToken);
+      res.cookie("refreshToken", result.refreshToken, getCookieOptions(req));
+      res.json({
+        success: true,
+        data: {
+          accessToken: result.accessToken,
+          abilities: result.abilities
+        }
+      });
+    },
+    async logout(req, res) {
+      const refreshToken = req.cookies?.["refreshToken"];
+      const authReq = req;
+      if (refreshToken) {
+        await authService.logout(refreshToken, authReq.user?.id);
+      }
+      res.clearCookie("refreshToken", { path: "/api/v1" });
+      res.json({ success: true, message: "Session closed" });
+    },
+    async me(req, res) {
+      const authReq = req;
+      const result = await authService.me(authReq.user.id);
+      res.json({ success: true, data: result });
+    }
+  };
+}
+var init_auth_controller = __esm({
+  "src/modules/auth/auth.controller.ts"() {
+    "use strict";
+    init_auth_service();
+  }
+});
+// src/modules/auth/auth.schemas.ts
+import { z as z4 } from "zod";
+var loginSchema;
+var init_auth_schemas = __esm({
+  "src/modules/auth/auth.schemas.ts"() {
+    "use strict";
+    loginSchema = z4.object({
+      email: z4.string().email("Email inv\xE1lido"),
+      password: z4.string().min(1, "Password requerido")
+    });
+  }
+});
+// src/modules/auth/auth.routes.ts
+function createAuthRoutes(ctx) {
+  const router = ctx.createRouter();
+  const { validate: validate2, auth } = ctx.middleware;
+  const controller = createAuthController(ctx);
+  router.post("/login", validate2({ body: loginSchema }), controller.login);
+  router.post("/refresh", controller.refresh);
+  router.post("/logout", auth, controller.logout);
+  router.get("/me", auth, controller.me);
+  return router;
+}
+var init_auth_routes = __esm({
+  "src/modules/auth/auth.routes.ts"() {
+    "use strict";
+    init_auth_controller();
+    init_auth_schemas();
+  }
+});
+// src/modules/auth/auth.middleware.ts
+import jwt2 from "jsonwebtoken";
+function createAuthMiddleware(ctx) {
+  const { config, errors, abilities } = ctx;
+  const { defineAbilityFor: defineAbilityFor2 } = abilities;
+  const rolesService = createRolesService(ctx);
+  return async (req, _res, next) => {
+    const authHeader = req.headers.authorization;
+    if (!authHeader?.startsWith("Bearer ")) {
+      throw new errors.UnauthorizedError("Token no proporcionado");
+    }
+    const token = authHeader.slice(7);
+    try {
+      const decoded = jwt2.verify(token, config.jwtSecret);
+      const user = await ctx.db("usr_users").where({ id: decoded.userId }).first();
+      if (!user) {
+        throw new errors.UnauthorizedError("Usuario no encontrado");
+      }
+      const permissions = await rolesService.getPermissionsByRoleId(user.role_id);
+      req.user = user;
+      req.ability = defineAbilityFor2(user, permissions);
+      next();
+    } catch (error) {
+      if (error instanceof jwt2.JsonWebTokenError) {
+        throw new errors.UnauthorizedError("Token inv\xE1lido");
+      }
+      if (error instanceof jwt2.TokenExpiredError) {
+        throw new errors.UnauthorizedError("Token expirado");
+      }
+      throw error;
+    }
+  };
+}
+function createOptionalAuthMiddleware(ctx) {
+  const { config, abilities } = ctx;
+  const { defineAbilityFor: defineAbilityFor2 } = abilities;
+  const rolesService = createRolesService(ctx);
+  return async (req, _res, next) => {
+    const authHeader = req.headers.authorization;
+    if (!authHeader?.startsWith("Bearer ")) {
+      return next();
+    }
+    const token = authHeader.slice(7);
+    try {
+      const decoded = jwt2.verify(token, config.jwtSecret);
+      const user = await ctx.db("usr_users").where({ id: decoded.userId }).first();
+      if (user) {
+        const permissions = await rolesService.getPermissionsByRoleId(user.role_id);
+        req.user = user;
+        req.ability = defineAbilityFor2(user, permissions);
+      }
+    } catch {
+    }
+    next();
+  };
+}
+var init_auth_middleware = __esm({
+  "src/modules/auth/auth.middleware.ts"() {
+    "use strict";
+    init_roles_service();
+  }
+});
+// src/modules/auth/index.ts
+var authModule;
+var init_auth = __esm({
+  "src/modules/auth/index.ts"() {
+    "use strict";
+    init_auth_migrate();
+    init_auth_routes();
+    init_auth_middleware();
+    authModule = {
+      name: "auth",
+      code: "AUTH",
+      label: "Authentication",
+      icon: "mdi:lock-outline",
+      description: "JWT authentication with refresh tokens, session management, and password security",
+      type: "core",
+      dependencies: ["users"],
+      migrate: migrate3,
+      init: (ctx) => {
+        ctx.registerMiddleware("auth", createAuthMiddleware(ctx));
+        ctx.registerMiddleware("optionalAuth", createOptionalAuthMiddleware(ctx));
+      },
+      routes: createAuthRoutes,
+      routePrefix: "/auth",
+      subjects: []
+    };
+  }
+});
+// src/modules/index.ts
+function validateModuleConventions(mod) {
+  const errors = [];
+  if (!/^[A-Z]+$/.test(mod.code)) {
+    errors.push(`code debe ser UPPERCASE (recibido: '${mod.code}')`);
+  }
+  const codePrefix = mod.code.charAt(0) + mod.code.slice(1).toLowerCase();
+  for (const subject2 of mod.subjects ?? []) {
+    if (!subject2.startsWith(codePrefix)) {
+      errors.push(`subject '${subject2}' debe empezar con '${codePrefix}' (patr\xF3n: {Code}{Entity})`);
+    }
+  }
+  for (const entity of mod.entities ?? []) {
+    if (!entity.name.startsWith(codePrefix)) {
+      errors.push(`entity.name '${entity.name}' debe empezar con '${codePrefix}' (patr\xF3n: {Code}{Entity})`);
+    }
+  }
+  if (errors.length > 0) {
+    throw new Error(`M\xF3dulo '${mod.name}' viola convenciones de nombrado:
+  - ${errors.join("\n  - ")}`);
+  }
+}
+function getOrderedModules() {
+  const sorted = [];
+  const visited = /* @__PURE__ */ new Set();
+  const moduleMap = new Map(modules.map((m) => [m.name, m]));
+  function visit(mod) {
+    if (visited.has(mod.name)) return;
+    visited.add(mod.name);
+    for (const dep of mod.dependencies ?? []) {
+      const depMod = moduleMap.get(dep);
+      if (depMod) visit(depMod);
+    }
+    sorted.push(mod);
+  }
+  modules.forEach(visit);
+  return sorted;
+}
+function registerModule(mod) {
+  validateModuleConventions(mod);
+  modules.push(mod);
+}
+function getModules() {
+  return [...modules];
+}
+function getModule(name) {
+  return modules.find((m) => m.name === name);
+}
+function getRegisteredSubjects() {
+  const subjects = /* @__PURE__ */ new Set(["all"]);
+  for (const mod of modules) {
+    for (const subject2 of mod.subjects ?? []) {
+      subjects.add(subject2);
+    }
+    for (const entity of mod.entities ?? []) {
+      subjects.add(entity.name);
+    }
+  }
+  return [...subjects];
+}
+function isValidSubject(subject2) {
+  return getRegisteredSubjects().includes(subject2);
+}
+var modules;
+var init_modules = __esm({
+  "src/modules/index.ts"() {
+    "use strict";
+    init_system();
+    init_roles();
+    init_users();
+    init_auth();
+    modules = [];
+    [systemModule, rolesModule, usersModule, authModule].forEach((mod) => {
+      validateModuleConventions(mod);
+      modules.push(mod);
+    });
+  }
+});
+// src/events/emitter.ts
+import pkg from "eventemitter2";
+var EventEmitter2, TypedEventEmitter, nexusEvents;
+var init_emitter = __esm({
+  "src/events/emitter.ts"() {
+    "use strict";
+    ({ EventEmitter2 } = pkg);
+    TypedEventEmitter = class extends EventEmitter2 {
+      emitEvent(event, ...args) {
+        return this.emit(event, ...args);
+      }
+      onEvent(event, listener) {
+        this.on(event, listener);
+        return this;
+      }
+      onceEvent(event, listener) {
+        this.once(event, listener);
+        return this;
+      }
+      offEvent(event, listener) {
+        this.off(event, listener);
+        return this;
+      }
+    };
+    nexusEvents = new TypedEventEmitter({
+      wildcard: true,
+      delimiter: ".",
+      maxListeners: 20,
+      verboseMemoryLeak: true
+    });
+  }
+});
+// src/db/query-interceptor.ts
+function setupQueryInterceptor(knexInstance2) {
+  knexInstance2.on("query-response", (response, query) => {
+    const sql = query.sql?.toLowerCase() ?? "";
+    let action;
+    let table;
+    if (sql.startsWith("insert into")) {
+      action = "created";
+      table = extractTableFromInsert(sql);
+    } else if (sql.startsWith("update")) {
+      action = "updated";
+      table = extractTableFromUpdate(sql);
+    } else if (sql.startsWith("delete from")) {
+      action = "deleted";
+      table = extractTableFromDelete(sql);
+    }
+    if (action && table && !IGNORED_TABLES.has(table)) {
+      nexusEvents.emit(`db.${table}.${action}`, {
+        table,
+        action,
+        data: response,
+        timestamp: /* @__PURE__ */ new Date()
+      });
+    }
+  });
+  return knexInstance2;
+}
+function extractTableFromInsert(sql) {
+  const match = sql.match(/insert into\s+["'`]?(\w+)["'`]?/i);
+  return match?.[1];
+}
+function extractTableFromUpdate(sql) {
+  const match = sql.match(/update\s+["'`]?(\w+)["'`]?/i);
+  return match?.[1];
+}
+function extractTableFromDelete(sql) {
+  const match = sql.match(/delete from\s+["'`]?(\w+)["'`]?/i);
+  return match?.[1];
+}
+var IGNORED_TABLES;
+var init_query_interceptor = __esm({
+  "src/db/query-interceptor.ts"() {
+    "use strict";
+    init_emitter();
+    IGNORED_TABLES = /* @__PURE__ */ new Set(["refresh_tokens", "knex_migrations", "knex_migrations_lock"]);
+  }
+});
+// src/config/database.ts
+import knex from "knex";
+function getDatabaseConfig() {
+  const url = env.DATABASE_URL;
+  if (url.startsWith("file:") || url.startsWith("sqlite:")) {
+    const filename = url.replace(/^(file:|sqlite:)/, "");
+    return {
+      client: "better-sqlite3",
+      connection: { filename },
+      useNullAsDefault: true
+    };
+  }
+  if (url.startsWith("postgresql://") || url.startsWith("postgres://")) {
+    return {
+      client: "pg",
+      connection: url,
+      pool: { min: 2, max: 10 }
+    };
+  }
+  if (url.startsWith("mysql://")) {
+    return {
+      client: "mysql2",
+      connection: url,
+      pool: { min: 2, max: 10 }
+    };
+  }
+  throw new Error(`Unsupported database URL: ${url}`);
+}
+function getDatabaseType() {
+  const url = env.DATABASE_URL;
+  if (url.startsWith("file:") || url.startsWith("sqlite:")) return "sqlite";
+  if (url.startsWith("postgresql://") || url.startsWith("postgres://")) return "postgresql";
+  if (url.startsWith("mysql://")) return "mysql";
+  return "sqlite";
+}
+async function destroyDb() {
+  if (globalForKnex.db) {
+    await globalForKnex.db.destroy();
+    globalForKnex.db = void 0;
+  }
+}
+var globalForKnex, knexInstance, db;
+var init_database = __esm({
+  "src/config/database.ts"() {
+    "use strict";
+    init_env();
+    init_query_interceptor();
+    globalForKnex = globalThis;
+    knexInstance = globalForKnex.db ?? knex(getDatabaseConfig());
+    db = globalForKnex.db ? knexInstance : setupQueryInterceptor(knexInstance);
+    if (env.NODE_ENV !== "production") {
+      globalForKnex.db = db;
+    }
+  }
+});
+// src/shared/logger.ts
+import pino from "pino";
+var isDev, logger;
+var init_logger = __esm({
+  "src/shared/logger.ts"() {
+    "use strict";
+    isDev = process.env["NODE_ENV"] !== "production";
+    logger = pino({
+      level: process.env["LOG_LEVEL"] || "info",
+      transport: isDev ? { target: "pino-pretty", options: { colorize: true } } : void 0
+    });
+  }
+});
+// src/shared/utils/id.ts
+import crypto2 from "crypto";
+function generateId() {
+  const timestamp = Date.now().toString(36);
+  const randomPart = crypto2.randomBytes(8).toString("base64url");
+  return `${timestamp}${randomPart}`.slice(0, 25);
+}
+var init_id = __esm({
+  "src/shared/utils/id.ts"() {
+    "use strict";
+  }
+});
+// src/db/helpers.ts
+function addTimestamps(table, db2) {
+  table.timestamp("created_at").defaultTo(db2.fn.now());
+  table.timestamp("updated_at").defaultTo(db2.fn.now());
+}
+async function addAuditFieldsIfMissing(db2, tableName) {
+  if (!await db2.schema.hasColumn(tableName, "created_by")) {
+    await db2.schema.alterTable(tableName, (table) => {
+      table.string("created_by").nullable();
+      table.string("updated_by").nullable();
+    });
+    logger.info(`Added audit fields to: ${tableName}`);
+  }
+}
+async function addColumnIfMissing(db2, tableName, columnName, columnBuilder) {
+  if (!await db2.schema.hasColumn(tableName, columnName)) {
+    await db2.schema.alterTable(tableName, columnBuilder);
+    logger.info(`Added column: ${tableName}.${columnName}`);
+    return true;
+  }
+  return false;
+}
+var init_helpers = __esm({
+  "src/db/helpers.ts"() {
+    "use strict";
+    init_logger();
+  }
+});
+// src/shared/middleware/validate.middleware.ts
+function validate(schemas) {
+  return (req, _res, next) => {
+    req.validated = {};
+    if (schemas.body) {
+      req.body = schemas.body.parse(req.body);
+    }
+    if (schemas.query) {
+      req.validated.query = schemas.query.parse(req.query);
+    }
+    if (schemas.params) {
+      req.validated.params = schemas.params.parse(req.params);
+    }
+    next();
+  };
+}
+var init_validate_middleware = __esm({
+  "src/shared/middleware/validate.middleware.ts"() {
+    "use strict";
+  }
+});
+// src/shared/errors/app-error.ts
+var AppError, NotFoundError, UnauthorizedError, ForbiddenError, ConflictError;
+var init_app_error = __esm({
+  "src/shared/errors/app-error.ts"() {
+    "use strict";
+    AppError = class extends Error {
+      statusCode;
+      constructor(message, statusCode = 400) {
+        super(message);
+        this.statusCode = statusCode;
+        this.name = "AppError";
+        Error.captureStackTrace(this, this.constructor);
+      }
+    };
+    NotFoundError = class extends AppError {
+      constructor(resource = "Recurso") {
+        super(`${resource} no encontrado`, 404);
+        this.name = "NotFoundError";
+      }
+    };
+    UnauthorizedError = class extends AppError {
+      constructor(message = "No autorizado") {
+        super(message, 401);
+        this.name = "UnauthorizedError";
+      }
+    };
+    ForbiddenError = class extends AppError {
+      constructor(message = "Acceso denegado") {
+        super(message, 403);
+        this.name = "ForbiddenError";
+      }
+    };
+    ConflictError = class extends AppError {
+      constructor(message = "Conflicto") {
+        super(message, 409);
+        this.name = "ConflictError";
+      }
+    };
+  }
+});
+// src/shared/abilities/ability.factory.ts
+import { AbilityBuilder, createMongoAbility } from "@casl/ability";
+function interpolateConditions(conditions, user) {
+  const result = {};
+  for (const [key, value] of Object.entries(conditions)) {
+    if (typeof value === "string" && value.startsWith("${user.")) {
+      const prop = value.slice(7, -1);
+      result[key] = user[prop];
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function defineAbilityFor(user, permissions) {
+  const { can, cannot, build } = new AbilityBuilder(createMongoAbility);
+  for (const perm of permissions) {
+    const action = perm.action;
+    const subject2 = perm.subject;
+    const conditions = perm.conditions ? interpolateConditions(perm.conditions, user) : void 0;
+    const fields = perm.fields;
+    if (perm.inverted) {
+      if (fields?.length) {
+        cannot(action, subject2, fields, conditions);
+      } else {
+        cannot(action, subject2, conditions);
+      }
+    } else {
+      if (fields?.length) {
+        can(action, subject2, fields, conditions);
+      } else {
+        can(action, subject2, conditions);
+      }
+    }
+  }
+  return build();
+}
+function packRules(ability) {
+  return ability.rules;
+}
+function unpackRules(rules) {
+  return createMongoAbility(rules);
+}
+var init_ability_factory = __esm({
+  "src/shared/abilities/ability.factory.ts"() {
+    "use strict";
+  }
+});
+// src/shared/mail/mail.service.ts
+import nodemailer from "nodemailer";
+import { readFileSync, existsSync } from "fs";
+import { dirname, join } from "path";
+import { fileURLToPath } from "url";
+var __dirname, TEMPLATE_PATH, LOGO_PATH, MailService;
+var init_mail_service = __esm({
+  "src/shared/mail/mail.service.ts"() {
+    "use strict";
+    __dirname = dirname(fileURLToPath(import.meta.url));
+    TEMPLATE_PATH = join(__dirname, "templates", "base.html");
+    LOGO_PATH = join(__dirname, "../../../public/logo.png");
+    MailService = class {
+      transporter;
+      defaultFrom;
+      defaultLogoUrl;
+      logger;
+      template;
+      constructor(config, logger2) {
+        this.defaultFrom = config.from;
+        this.logger = logger2.child({ service: "mail" });
+        this.template = readFileSync(TEMPLATE_PATH, "utf-8");
+        if (existsSync(LOGO_PATH)) {
+          const logoBase64 = readFileSync(LOGO_PATH).toString("base64");
+          this.defaultLogoUrl = `data:image/png;base64,${logoBase64}`;
+        } else {
+          this.defaultLogoUrl = "";
+        }
+        this.transporter = nodemailer.createTransport({
+          host: config.host,
+          port: config.port,
+          secure: config.secure,
+          auth: config.auth,
+          // MailHog y servidores dev no necesitan TLS
+          ...config.auth ? {} : { ignoreTLS: true }
+        });
+      }
+      async send(options) {
+        const from = options.from ?? this.defaultFrom;
+        const to = Array.isArray(options.to) ? options.to.join(", ") : options.to;
+        const html = options.title || options.message ? this.renderTemplate(options) : options.html;
+        this.logger.info({ to, subject: options.subject }, "Sending email");
+        try {
+          const result = await this.transporter.sendMail({
+            from,
+            to,
+            subject: options.subject,
+            text: options.text,
+            html,
+            replyTo: options.replyTo,
+            attachments: options.attachments
+          });
+          this.logger.info(
+            { messageId: result.messageId, accepted: result.accepted },
+            "Email sent"
+          );
+          return {
+            messageId: result.messageId,
+            accepted: result.accepted,
+            rejected: result.rejected
+          };
+        } catch (error) {
+          this.logger.warn({ error, to, subject: options.subject }, "Failed to send email (continuing)");
+          return null;
+        }
+      }
+      renderTemplate(options) {
+        let html = this.template;
+        html = html.replace(/\{\{subject\}\}/g, options.subject);
+        html = html.replace(/\{\{logoUrl\}\}/g, options.logoUrl ?? this.defaultLogoUrl);
+        html = html.replace(/\{\{year\}\}/g, (/* @__PURE__ */ new Date()).getFullYear().toString());
+        html = this.processConditionalBlock(html, "title", options.title);
+        html = this.processConditionalBlock(html, "message", options.message);
+        if (options.actions?.length) {
+          const actionsHtml = options.actions.map(
+            (a) => `<a href="${a.url}" style="display:inline-block; background-color:#18181b; color:#ffffff; padding:12px 24px; text-decoration:none; border-radius:6px; margin:4px; font-weight:500;">${a.label}</a>`
+          ).join("");
+          html = html.replace(
+            /\{\{#if actions\}\}([\s\S]*?)\{\{\/if\}\}/g,
+            (_, content) => content.replace(/\{\{actions\}\}/g, actionsHtml)
+          );
+        } else {
+          html = html.replace(/\{\{#if actions\}\}[\s\S]*?\{\{\/if\}\}/g, "");
+        }
+        return html;
+      }
+      processConditionalBlock(html, name, value) {
+        const pattern = new RegExp(`\\{\\{#if ${name}\\}\\}([\\s\\S]*?)\\{\\{\\/if\\}\\}`, "g");
+        if (value) {
+          return html.replace(
+            pattern,
+            (_, content) => content.replace(new RegExp(`\\{\\{${name}\\}\\}`, "g"), value)
+          );
+        }
+        return html.replace(pattern, "");
+      }
+      async verify() {
+        try {
+          await this.transporter.verify();
+          this.logger.info("SMTP connection verified");
+          return true;
+        } catch (error) {
+          this.logger.warn({ error }, "SMTP connection failed (emails may not work)");
+          return false;
+        }
+      }
+    };
+  }
+});
+// src/shared/mail/index.ts
+var init_mail = __esm({
+  "src/shared/mail/index.ts"() {
+    "use strict";
+    init_mail_service();
+  }
+});
+// src/modules/context.ts
+import { Router } from "express";
+import { ForbiddenError as CASLForbiddenError, subject } from "@casl/ability";
+function createModuleContext() {
+  const middleware = {
+    validate
+  };
+  return {
+    db,
+    logger,
+    generateId,
+    dbType: getDatabaseType(),
+    helpers: {
+      addTimestamps,
+      addAuditFieldsIfMissing,
+      addColumnIfMissing
+    },
+    createRouter: () => Router(),
+    middleware,
+    registerMiddleware: (name, handler) => {
+      middleware[name] = handler;
+    },
+    config: getConfig(),
+    errors: {
+      AppError,
+      NotFoundError,
+      UnauthorizedError,
+      ForbiddenError,
+      ConflictError
+    },
+    abilities: {
+      defineAbilityFor,
+      packRules,
+      subject,
+      ForbiddenError: CASLForbiddenError
+    },
+    events: nexusEvents,
+    mail: new MailService(getConfig().smtp, logger)
+  };
+}
+var init_context = __esm({
+  "src/modules/context.ts"() {
+    "use strict";
+    init_database();
+    init_env();
+    init_logger();
+    init_id();
+    init_helpers();
+    init_validate_middleware();
+    init_app_error();
+    init_ability_factory();
+    init_emitter();
+    init_mail();
+  }
+});
+// src/shared/middleware/error.middleware.ts
+import { ZodError } from "zod";
+import { ForbiddenError as CASLForbiddenError2 } from "@casl/ability";
+function errorMiddleware(err, req, res, _next) {
+  if (env.NODE_ENV !== "production") {
+    logger.error({ err, url: req.url, method: req.method }, "Error en request");
+  }
+  if (err instanceof ZodError) {
+    return res.status(400).json({
+      success: false,
+      error: "Error de validaci\xF3n",
+      details: err.errors.map((e) => ({
+        path: e.path.join("."),
+        message: e.message
+      }))
+    });
+  }
+  if (err instanceof CASLForbiddenError2) {
+    return res.status(403).json({
+      success: false,
+      error: "No tienes permiso para esta acci\xF3n"
+    });
+  }
+  if (err instanceof AppError) {
+    return res.status(err.statusCode).json({
+      success: false,
+      error: err.message
+    });
+  }
+  logger.error({ err, url: req.url, method: req.method, stack: err.stack }, "Unhandled error");
+  res.status(500).json({
+    success: false,
+    error: env.NODE_ENV === "production" ? "Error interno del servidor" : err.message
+  });
+}
+var init_error_middleware = __esm({
+  "src/shared/middleware/error.middleware.ts"() {
+    "use strict";
+    init_app_error();
+    init_env();
+    init_logger();
+  }
+});
+// src/app.ts
+import express from "express";
+import cors from "cors";
+import helmet from "helmet";
+import compression from "compression";
+import cookieParser from "cookie-parser";
+import path from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import { randomUUID } from "crypto";
+function createApp() {
+  const app = express();
+  app.use(helmet({
+    contentSecurityPolicy: env.NODE_ENV === "production" ? void 0 : false
+  }));
+  app.use(cors({
+    origin: env.CORS_ORIGIN,
+    credentials: true,
+    allowedHeaders: ["Content-Type", "Authorization", "X-Correlation-ID", "X-Request-ID"],
+    exposedHeaders: ["X-Correlation-ID", "X-Request-ID"]
+  }));
+  app.use((req, res, next) => {
+    const requestId = randomUUID();
+    const correlationId = req.get("X-Correlation-ID") || req.get("X-Request-ID") || requestId;
+    res.setHeader("X-Request-ID", requestId);
+    res.setHeader("X-Correlation-ID", correlationId);
+    req.requestId = requestId;
+    req.correlationId = correlationId;
+    next();
+  });
+  const logLevel = process.env["LOG_LEVEL"];
+  if (logLevel === "debug" || logLevel === "trace") {
+    app.use((req, res, next) => {
+      const start2 = Date.now();
+      res.on("finish", () => {
+        const ms = Date.now() - start2;
+        const msg = `[${req.correlationId.slice(0, 8)}] ${req.method} ${req.originalUrl} ${res.statusCode} ${ms}ms`;
+        if (req.originalUrl.startsWith("/api/")) {
+          logger.debug(msg);
+        } else {
+          logger.trace(msg);
+        }
+      });
+      next();
+    });
+  }
+  app.use(compression());
+  app.use(express.json());
+  app.use(cookieParser());
+  const ctx = createModuleContext();
+  const modules2 = getModules();
+  for (const mod of modules2) {
+    if (mod.init) {
+      mod.init(ctx);
+    }
+  }
+  for (const mod of modules2) {
+    if (mod.routes) {
+      const prefix = mod.routePrefix ?? `/${mod.name}`;
+      app.use(`/api/v1${prefix}`, mod.routes(ctx));
+    }
+  }
+  app.get("/health", (_req, res) => {
+    res.json({ status: "ok", timestamp: (/* @__PURE__ */ new Date()).toISOString() });
+  });
+  app.get("/", (_req, res) => {
+    res.redirect(getConfig().homePath);
+  });
+  const publicPath = path.join(__dirname2, "../public");
+  app.use("/public", express.static(publicPath));
+  const uiPath = path.join(__dirname2, "../ui/dist");
+  app.use("/ui", express.static(uiPath));
+  app.get("/ui/{*splat}", (_req, res) => {
+    res.sendFile(path.join(uiPath, "index.html"));
+  });
+  app.use(errorMiddleware);
+  return app;
+}
+var __dirname2;
+var init_app = __esm({
+  "src/app.ts"() {
+    "use strict";
+    init_modules();
+    init_context();
+    init_error_middleware();
+    init_env();
+    init_logger();
+    __dirname2 = path.dirname(fileURLToPath2(import.meta.url));
+  }
+});
+// src/shared/utils/net.ts
+import net from "net";
+async function checkPortAvailable(port, host = "0.0.0.0") {
+  return new Promise((resolve, reject) => {
+    const server2 = net.createServer();
+    server2.once("error", (err) => {
+      if (err.code === "EADDRINUSE") {
+        logger.error({ port }, `Port ${port} is already in use`);
+        reject(new Error(`Port ${port} is already in use`));
+      } else {
+        reject(err);
+      }
+    });
+    server2.once("listening", () => {
+      server2.close(() => resolve());
+    });
+    server2.listen(port, host);
+  });
+}
+var init_net = __esm({
+  "src/shared/utils/net.ts"() {
+    "use strict";
+    init_logger();
+  }
+});
+// src/server.ts
+var server_exports = {};
+__export(server_exports, {
+  isRunning: () => isRunning,
+  restart: () => restart,
+  start: () => start,
+  stop: () => stop
+});
+async function runMigrationsAndSeeds() {
+  const ctx = createModuleContext();
+  const modules2 = getOrderedModules();
+  logger.info("Running migrations...");
+  for (const mod of modules2) {
+    if (mod.migrate) {
+      await mod.migrate(ctx);
+    }
+  }
+  logger.info("Running seeds...");
+  for (const mod of modules2) {
+    if (mod.seed) {
+      await mod.seed(ctx);
+    }
+  }
+  logger.info("Database ready");
+}
+async function start(config) {
+  if (server) {
+    throw new Error("Server already running. Call stop() first.");
+  }
+  const resolved = resolveConfig(config);
+  await checkPortAvailable(resolved.port, resolved.host);
+  nexusEvents.emitEvent("server.starting", { port: resolved.port, host: resolved.host });
+  await runMigrationsAndSeeds();
+  const app = createApp();
+  return new Promise((resolve) => {
+    server = app.listen(resolved.port, resolved.host, () => {
+      const baseUrl = env.BACKEND_URL || `http://localhost:${resolved.port}`;
+      logger.info({ port: resolved.port, mode: resolved.nodeEnv }, "Server started");
+      logger.info(`API: ${baseUrl}/api/v1`);
+      logger.info(`UI: ${baseUrl}/ui`);
+      nexusEvents.emitEvent("server.started", { port: resolved.port, host: resolved.host });
+      resolve(server);
+    });
+  });
+}
+async function stop() {
+  if (!server) return;
+  nexusEvents.emitEvent("server.stopping");
+  await new Promise((resolve, reject) => {
+    server.close((err) => {
+      if (err) reject(err);
+      else resolve();
+    });
+  });
+  await destroyDb();
+  nexusEvents.emitEvent("db.disconnected");
+  resetConfig();
+  server = null;
+  nexusEvents.emitEvent("server.stopped");
+  logger.info("Server stopped");
+}
+async function restart(config) {
+  nexusEvents.emitEvent("server.restarting");
+  await stop();
+  return start(config);
+}
+function isRunning() {
+  return server !== null;
+}
+function setupGracefulShutdown() {
+  let shuttingDown = false;
+  const shutdown = async (signal) => {
+    if (shuttingDown) return;
+    shuttingDown = true;
+    logger.info({ signal }, "Graceful shutdown initiated");
+    try {
+      await stop();
+      process.exit(0);
+    } catch (err) {
+      logger.error({ err }, "Error during shutdown");
+      process.exit(1);
+    }
+  };
+  process.on("SIGTERM", () => shutdown("SIGTERM"));
+  process.on("SIGINT", () => shutdown("SIGINT"));
+}
+var server;
+var init_server = __esm({
+  "src/server.ts"() {
+    "use strict";
+    init_app();
+    init_database();
+    init_env();
+    init_emitter();
+    init_logger();
+    init_net();
+    init_modules();
+    init_context();
+    server = null;
+    setupGracefulShutdown();
+  }
+});
+// src/index.ts
+init_server();
+init_app();
+init_database();
+init_env();
+init_modules();
+init_modules();
+init_ability_factory();
+init_emitter();
+import "dotenv/config";
+if (import.meta.url === `file://${process.argv[1]}`) {
+  const { start: start2 } = await Promise.resolve().then(() => (init_server(), server_exports));
+  start2();
+}
+export {
+  createApp,
+  db,
+  defineAbilityFor,
+  destroyDb,
+  getConfig,
+  getDatabaseType,
+  getModule,
+  getModules,
+  getOrderedModules,
+  getRegisteredSubjects,
+  isRunning,
+  isValidSubject,
+  nexusEvents,
+  packRules,
+  registerModule,
+  restart,
+  start,
+  stop,
+  unpackRules
+};
+//# sourceMappingURL=index.js.map