@gzl10/nexus-backend 0.13.0 → 0.13.1

package/dist/cli.js

@@ -6403,7 +6403,9 @@ function getAuthConfig() {
     // convert to ms
     cookieDomain: authEnv.AUTH_COOKIE_DOMAIN,
     challengeThreshold: authEnv.AUTH_CHALLENGE_THRESHOLD,
-    skipRegisterOtp: authEnv.AUTH_SKIP_REGISTER_OTP
+    skipRegisterOtp: authEnv.AUTH_SKIP_REGISTER_OTP,
+    disableRegistration: authEnv.AUTH_DISABLE_REGISTRATION,
+    disableAutoCreate: authEnv.AUTH_DISABLE_AUTO_CREATE
   };
 }
 var authEnvSchema, _authEnv;
@@ -6424,7 +6426,11 @@ var init_auth_config = __esm({
       // Challenge threshold: failed attempts before requiring OTP (default: 2)
       AUTH_CHALLENGE_THRESHOLD: z5.coerce.number().default(2),
       // Skip OTP verification for registration (DEVELOPMENT ONLY - rejected in production)
-      AUTH_SKIP_REGISTER_OTP: z5.coerce.boolean().default(false)
+      AUTH_SKIP_REGISTER_OTP: z5.coerce.boolean().default(false),
+      // Disable self-registration via POST /auth/register (default: false)
+      AUTH_DISABLE_REGISTRATION: z5.coerce.boolean().default(false),
+      // Disable auto-creation of users on first OIDC login (default: false)
+      AUTH_DISABLE_AUTO_CREATE: z5.coerce.boolean().default(false)
     });
   }
 });
@@ -6544,6 +6550,7 @@ var providersAction;
 var init_providers_action = __esm({
   "src/modules/auth/actions/providers.action.ts"() {
     "use strict";
+    init_auth_config();
     providersAction = {
       type: "action",
       key: "providers",
@@ -6563,7 +6570,12 @@ var init_providers_action = __esm({
             }
           })
         );
-        return results.filter((info) => info !== null);
+        const providers = results.filter((info) => info !== null);
+        const config3 = getAuthConfig();
+        return {
+          providers,
+          registrationEnabled: !config3.disableRegistration
+        };
       }
     };
   }
@@ -6666,6 +6678,7 @@ var registerAction;
 var init_register_action = __esm({
   "src/modules/auth/actions/register.action.ts"() {
     "use strict";
+    init_auth_config();
     init_helpers2();
     registerAction = {
       type: "action",
@@ -6685,6 +6698,9 @@ var init_register_action = __esm({
         deviceName: { input: "text", label: { en: "Device Name", es: "Nombre del dispositivo" }, validation: { max: 100 } }
       },
       handler: async (ctx, input, req, res) => {
+        if (getAuthConfig().disableRegistration) {
+          throw new ctx.core.errors.ForbiddenError("AUTH_REGISTRATION_DISABLED", "Registration is disabled");
+        }
         const body = input;
         const authService = ctx.services.get("auth");
         const result = await authService.register(body, getRequestInfo(req, { deviceId: body.deviceId, deviceName: body.deviceName }));
@@ -7229,7 +7245,7 @@ function createAuthService(ctx) {
   const { errors, abilities, crypto: crypto2 } = ctx.core;
   const { generateId: generateId4 } = ctx.core;
   const { nowTimestamp: nowTimestamp2 } = ctx.db;
-  const { verifyPassword: verifyPassword2, DUMMY_HASH: _DUMMY_HASH } = crypto2;
+  const { verifyPassword: verifyPassword2, DUMMY_HASH: DUMMY_HASH2 } = crypto2;
   const events = ctx.core.events;
   const { defineAbilityFor: defineAbilityFor2, packRules: packRules2 } = abilities;
   const ErrorCodes2 = errors.codes;
@@ -7291,6 +7307,7 @@ function createAuthService(ctx) {
     const ipKey = `login_attempts:ip:${requestInfo?.ip ?? "unknown"}`;
     const user = await db2(USERS3).where({ email }).first();
     if (!user) {
+      await verifyPassword2(password, DUMMY_HASH2);
       events.emitEvent("auth.failed", { email, reason: "user_not_found" });
       await persistAuditEvent("failed", { email, requestInfo, details: { reason: "user_not_found" } });
       throw new errors.UnauthorizedError(ErrorCodes2["AUTH_INVALID_CREDENTIALS"], "Invalid credentials");
@@ -7411,7 +7428,7 @@ function createAuthService(ctx) {
       };
     },
     async refresh(refreshToken, requestInfo) {
-      const result = await db2.transaction(async (trx) => {
+      const validated = await db2.transaction(async (trx) => {
         let query = trx(REFRESH_TOKENS).where({ token: refreshToken });
         const client = db2.client.config.client;
         if (!client.includes("sqlite")) {
@@ -7431,27 +7448,29 @@ function createAuthService(ctx) {
         }
         return { user, storedToken };
       });
-      const roleIds = await usersService.getRoleIds(result.user.id);
-      const roleNames = await usersService.getRoleNames(result.user.id);
+      const roleIds = await usersService.getRoleIds(validated.user.id);
+      const roleNames = await usersService.getRoleNames(validated.user.id);
       const tokens = generateTokenPair({
-        userId: result.user.id,
-        email: result.user.email,
+        userId: validated.user.id,
+        email: validated.user.email,
         roleIds,
         roleNames
       });
-      await db2(REFRESH_TOKENS).where({ id: result.storedToken.id }).delete();
-      await db2(REFRESH_TOKENS).insert({
-        id: generateId4(),
-        token: tokens.refreshToken,
-        user_id: result.user.id,
-        expires_at: getRefreshTokenExpiration(),
-        device_id: result.storedToken.device_id ?? null,
-        device_name: result.storedToken.device_name ?? null
+      await db2.transaction(async (trx) => {
+        await trx(REFRESH_TOKENS).where({ id: validated.storedToken.id }).delete();
+        await trx(REFRESH_TOKENS).insert({
+          id: generateId4(),
+          token: tokens.refreshToken,
+          user_id: validated.user.id,
+          expires_at: getRefreshTokenExpiration(),
+          device_id: validated.storedToken.device_id ?? null,
+          device_name: validated.storedToken.device_name ?? null
+        });
       });
-      const ability = await defineAbilityFor2(result.user, roleNames);
-      events.emitEvent("auth.refresh", { userId: result.user.id });
+      const ability = await defineAbilityFor2(validated.user, roleNames);
+      events.emitEvent("auth.refresh", { userId: validated.user.id });
       await persistAuditEvent("refresh", {
-        userId: result.user.id,
+        userId: validated.user.id,
         requestInfo
       });
       return {
@@ -7691,6 +7710,9 @@ function createAuthService(ctx) {
     },
     /** Create a new user without password (for auth plugins using external providers) */
     async createUser(data) {
+      if (getAuthConfig().disableAutoCreate) {
+        throw new errors.ForbiddenError("AUTH_AUTO_CREATE_DISABLED", "Auto-creation of users is disabled");
+      }
       const user = await usersService.create({
         email: data.email,
         password: null,
@@ -9140,6 +9162,7 @@ var init_notifications = __esm({
 });
 
 // src/modules/schedules/schedules.executor.ts
+import { resolve as dnsResolve } from "dns/promises";
 function registerFunction(key, fn) {
   functionRegistry.set(key, fn);
 }
@@ -9149,6 +9172,62 @@ function unregisterFunction(key) {
 function listRegisteredFunctions() {
   return Array.from(functionRegistry.keys());
 }
+function assertSafeInternalPath(path3) {
+  if (!path3.startsWith("/")) {
+    throw new Error(`Invalid internal path: must start with /`);
+  }
+  if (path3.includes("..") || path3.includes("//")) {
+    throw new Error(`Invalid internal path: path traversal detected`);
+  }
+  if (!SAFE_PATH_RE.test(path3)) {
+    throw new Error(`Invalid internal path: contains unsafe characters`);
+  }
+}
+function isPrivateIP(ip) {
+  if (/^127\./.test(ip)) return true;
+  if (/^10\./.test(ip)) return true;
+  if (/^172\.(1[6-9]|2\d|3[01])\./.test(ip)) return true;
+  if (/^192\.168\./.test(ip)) return true;
+  if (/^169\.254\./.test(ip)) return true;
+  if (/^0\./.test(ip)) return true;
+  if (ip === "255.255.255.255") return true;
+  if (ip === "::1" || ip === "::") return true;
+  if (/^fe80:/i.test(ip)) return true;
+  if (/^f[cd]/i.test(ip)) return true;
+  return false;
+}
+async function assertSafeExternalUrl(urlStr) {
+  let parsed;
+  try {
+    parsed = new URL(urlStr);
+  } catch {
+    throw new Error(`Invalid URL: ${urlStr}`);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error(`Invalid URL protocol: ${parsed.protocol} (only http/https allowed)`);
+  }
+  const hostname2 = parsed.hostname;
+  if (hostname2 === "169.254.169.254" || hostname2 === "metadata.google.internal") {
+    throw new Error("Access to cloud metadata endpoints is blocked");
+  }
+  const lowerHost = hostname2.toLowerCase();
+  if (lowerHost === "localhost" || lowerHost === "ip6-localhost" || lowerHost === "ip6-loopback") {
+    throw new Error("Access to localhost is blocked");
+  }
+  if (isPrivateIP(hostname2)) {
+    throw new Error(`Access to private IP ${hostname2} is blocked`);
+  }
+  try {
+    const addresses = await dnsResolve(hostname2);
+    for (const addr of addresses) {
+      if (isPrivateIP(addr)) {
+        throw new Error(`URL resolves to private IP ${addr} \u2014 blocked to prevent SSRF`);
+      }
+    }
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("blocked")) throw err;
+  }
+}
 async function executeServiceAction(ctx, config3) {
   const { service, action, input, recordId } = config3;
   const targetService = ctx.services.get(service);
@@ -9160,15 +9239,21 @@ async function executeServiceAction(ctx, config3) {
 }
 async function executeHttpInternal(_ctx, config3) {
   const { method, path: path3, body, headers } = config3;
+  assertSafeInternalPath(path3);
   const port = process.env["PORT"] ?? 3e3;
   const baseUrl = `http://127.0.0.1:${port}`;
   const url = `${baseUrl}${path3}`;
+  const reqHeaders = {
+    "Content-Type": "application/json",
+    ...headers
+  };
+  const internalToken = process.env["SCHEDULE_INTERNAL_TOKEN"];
+  if (internalToken && !reqHeaders["Authorization"]) {
+    reqHeaders["Authorization"] = `Bearer ${internalToken}`;
+  }
   const response = await fetch(url, {
     method,
-    headers: {
-      "Content-Type": "application/json",
-      ...headers
-    },
+    headers: reqHeaders,
     body: body ? JSON.stringify(body) : void 0
   });
   if (!response.ok) {
@@ -9183,6 +9268,7 @@ async function executeHttpInternal(_ctx, config3) {
 }
 async function executeHttpExternal(config3) {
   const { method, url, body, headers, timeout = 3e4 } = config3;
+  await assertSafeExternalUrl(url);
   const controller = new AbortController();
   const timeoutId = setTimeout(() => controller.abort(), timeout);
   try {
@@ -9249,11 +9335,12 @@ async function executeTarget(ctx, schedule) {
     };
   }
 }
-var functionRegistry;
+var functionRegistry, SAFE_PATH_RE;
 var init_schedules_executor = __esm({
   "src/modules/schedules/schedules.executor.ts"() {
     "use strict";
     functionRegistry = /* @__PURE__ */ new Map();
+    SAFE_PATH_RE = /^\/[a-zA-Z0-9/_\-.~%]+$/;
   }
 });
 
@@ -11675,6 +11762,11 @@ var init_filter_helpers = __esm({
 });
 
 // src/modules/charts/charts.service.ts
+function assertSafeIdentifier(name, label) {
+  if (!SAFE_IDENTIFIER_RE.test(name)) {
+    throw new Error(`Invalid ${label}: "${name}" is not a valid column name`);
+  }
+}
 function createChartService(ctx) {
   const { db: db2 } = ctx;
   async function getChartData(request) {
@@ -11688,18 +11780,24 @@ function createChartService(ctx) {
       limit = 100,
       sort = "asc"
     } = request;
+    if (!VALID_AGGREGATIONS.has(aggregation)) {
+      throw new Error(`Invalid aggregation: "${aggregation}"`);
+    }
+    assertSafeIdentifier(xAxis, "xAxis");
+    assertSafeIdentifier(yAxis, "yAxis");
+    if (groupBy) assertSafeIdentifier(groupBy, "groupBy");
+    const aggFn = AGGREGATION_SQL[aggregation];
     const knex2 = db2.knex;
     let query = knex2(entity);
     if (Object.keys(filters).length > 0) {
       const { applyFilters: applyFilters2 } = await Promise.resolve().then(() => (init_filter_helpers(), filter_helpers_exports));
       query = applyFilters2(query, filters);
     }
+    const clampedLimit = Math.min(Math.max(limit, 1), 5e3);
     if (groupBy) {
-      const aggFn = getAggregationFunction(aggregation);
-      query = query.select(xAxis).select(groupBy).select(knex2.raw(`${aggFn}(${yAxis}) as value`)).groupBy(xAxis, groupBy).orderBy(xAxis, sort).limit(limit);
+      query = query.select(xAxis, groupBy).select(knex2.raw(`${aggFn}(??) as ??`, [yAxis, "value"])).groupBy(xAxis, groupBy).orderBy(xAxis, sort).limit(clampedLimit);
     } else {
-      const aggFn = getAggregationFunction(aggregation);
-      query = query.select(xAxis).select(knex2.raw(`${aggFn}(${yAxis}) as value`)).groupBy(xAxis).orderBy(xAxis, sort).limit(limit);
+      query = query.select(xAxis).select(knex2.raw(`${aggFn}(??) as ??`, [yAxis, "value"])).groupBy(xAxis).orderBy(xAxis, sort).limit(clampedLimit);
     }
     const rows = await query;
     const data = rows.map((row) => ({
@@ -11716,7 +11814,11 @@ function createChartService(ctx) {
     };
   }
   async function getRawData(entity, fields, filters = {}, limit = 1e3) {
-    let query = db2.knex(entity).select(fields).limit(limit);
+    for (const field of fields) {
+      assertSafeIdentifier(field, "field");
+    }
+    const knex2 = db2.knex;
+    let query = knex2(entity).select(fields).limit(Math.min(Math.max(limit, 1), 5e3));
     if (Object.keys(filters).length > 0) {
       const { applyFilters: applyFilters2 } = await Promise.resolve().then(() => (init_filter_helpers(), filter_helpers_exports));
       query = applyFilters2(query, filters);
@@ -11728,25 +11830,19 @@ function createChartService(ctx) {
     getRawData
   };
 }
-function getAggregationFunction(type2) {
-  switch (type2) {
-    case "sum":
-      return "SUM";
-    case "avg":
-      return "AVG";
-    case "count":
-      return "COUNT";
-    case "min":
-      return "MIN";
-    case "max":
-      return "MAX";
-    default:
-      return "SUM";
-  }
-}
+var VALID_AGGREGATIONS, AGGREGATION_SQL, SAFE_IDENTIFIER_RE;
 var init_charts_service = __esm({
   "src/modules/charts/charts.service.ts"() {
     "use strict";
+    VALID_AGGREGATIONS = /* @__PURE__ */ new Set(["sum", "avg", "count", "min", "max"]);
+    AGGREGATION_SQL = {
+      sum: "SUM",
+      avg: "AVG",
+      count: "COUNT",
+      min: "MIN",
+      max: "MAX"
+    };
+    SAFE_IDENTIFIER_RE = /^[a-zA-Z_][a-zA-Z0-9_]{0,63}$/;
   }
 });
 
@@ -16609,6 +16705,8 @@ var init_error_codes = __esm({
       AUTH_SESSION_NOT_FOUND: "AUTH_SESSION_NOT_FOUND",
       AUTH_SESSION_SELF_REVOKE: "AUTH_SESSION_SELF_REVOKE",
       AUTH_VERIFICATION_CODE_INVALID: "AUTH_VERIFICATION_CODE_INVALID",
+      AUTH_REGISTRATION_DISABLED: "AUTH_REGISTRATION_DISABLED",
+      AUTH_AUTO_CREATE_DISABLED: "AUTH_AUTO_CREATE_DISABLED",
       // User
       USER_NOT_FOUND: "USER_NOT_FOUND",
       USER_EMAIL_EXISTS: "USER_EMAIL_EXISTS",
@@ -17917,7 +18015,8 @@ async function generateMigrationForSource(name, scope = "all", targetDir, prefix
     return "";
   }
   const currentSchema = await readDatabaseSchema(knex2);
-  const changes = computeSchemaDiff(allEntities, currentSchema);
+  const ownedTables = collectOwnedTables(allEntities);
+  const changes = computeSchemaDiff(allEntities, currentSchema, { ownedTables });
   if (isEmptyDiff(changes)) {
     logger.info("No schema changes detected");
     console.log("\n\u2705 No schema changes detected\n");
@@ -17989,24 +18088,25 @@ async function devMigration(name, scope) {
   if (effectiveScope !== "project") {
     logger.info({ scope: effectiveScope }, "Auto-detected plugin scope");
   }
-  const filepath = await generateMigrationForSource(migrationName, effectiveScope);
   const { runMigrations: runMigrations2, loadAllMigrationFiles: loadAllMigrationFiles2 } = await Promise.resolve().then(() => (init_migration_runner(), migration_runner_exports));
   const { getDb: getDb2 } = await Promise.resolve().then(() => (init_connection(), connection_exports));
   const db2 = getDb2();
   const migrationFiles = await loadAllMigrationFiles2();
   const executed = await db2("_nexus_migrations").where({ status: "completed" }).select("name").then((rows) => new Set(rows.map((r) => r.name)));
-  const pending = migrationFiles.filter((m) => !executed.has(m.name));
-  if (pending.length > 0) {
-    if (!filepath) {
-      console.log(`
-No schema changes for scope "${effectiveScope}", but ${pending.length} pending migration(s) found.
+  const pendingBefore = migrationFiles.filter((m) => !executed.has(m.name));
+  if (pendingBefore.length > 0) {
+    console.log(`
+Applying ${pendingBefore.length} pending migration(s)...
 `);
-    } else {
-      console.log("Applying migration...\n");
-    }
+    await runMigrations2();
+    console.log("\u2705 Pending migrations applied\n");
+  }
+  const filepath = await generateMigrationForSource(migrationName, effectiveScope);
+  if (filepath) {
+    console.log("Applying new migration...\n");
     await runMigrations2();
     console.log("\n\u2705 Migration applied successfully\n");
-  } else if (!filepath) {
+  } else if (pendingBefore.length === 0) {
     logger.info({ scope: effectiveScope }, "No changes detected and no pending migrations");
   }
 }
@@ -18017,7 +18117,8 @@ async function detectSchemaDrift(knexInstance) {
     return null;
   }
   const currentSchema = await readDatabaseSchema(knex2);
-  const diff = computeSchemaDiff(entities, currentSchema);
+  const ownedTables = collectOwnedTables(entities);
+  const diff = computeSchemaDiff(entities, currentSchema, { ownedTables });
   return isEmptyDiff(diff) ? null : diff;
 }
 function getAllPersistentEntities() {
@@ -18051,13 +18152,24 @@ function extractEntitiesFromModules(modules) {
   }
   return entities;
 }
-function computeSchemaDiff(entities, currentSchema) {
+function collectOwnedTables(entities) {
+  const tables = /* @__PURE__ */ new Set();
+  for (const entity of entities) {
+    const tableName = entity.table;
+    if (tableName) tables.add(tableName);
+    if (entity.type === "dag") {
+      const parentsTable = entity.parentsTable ?? `${tableName}_parents`;
+      tables.add(parentsTable);
+    }
+  }
+  return tables;
+}
+function computeSchemaDiff(entities, currentSchema, options) {
   const changes = {
     newTables: [],
     droppedTables: [],
     alteredTables: []
   };
-  const _entityMap = new Map(entities.map((e) => [e.table, e]));
   for (const entity of entities) {
     const tableName = entity.table;
     const currentTable = currentSchema.tables.get(tableName);
@@ -18072,16 +18184,18 @@ function computeSchemaDiff(entities, currentSchema) {
       }
     }
   }
-  const entityTables = new Set(entities.map((e) => e.table));
-  for (const entity of entities) {
-    if (entity.type === "dag") {
-      const parentsTable = entity.parentsTable ?? `${entity.table}_parents`;
-      entityTables.add(parentsTable);
+  if (options?.ownedTables && options.ownedTables.size > 0) {
+    const entityTables = new Set(entities.map((e) => e.table));
+    for (const entity of entities) {
+      if (entity.type === "dag") {
+        const parentsTable = entity.parentsTable ?? `${entity.table}_parents`;
+        entityTables.add(parentsTable);
+      }
     }
-  }
-  for (const [tableName] of currentSchema.tables) {
-    if (!entityTables.has(tableName) && !isSystemTable(tableName)) {
-      changes.droppedTables.push(tableName);
+    for (const tableName of options.ownedTables) {
+      if (!entityTables.has(tableName) && currentSchema.tables.has(tableName) && !isSystemTable(tableName)) {
+        changes.droppedTables.push(tableName);
+      }
     }
   }
   return changes;
@@ -18149,7 +18263,8 @@ function compareTable(entity, currentTable) {
   const systemFields = /* @__PURE__ */ new Set(["id", "created_at", "updated_at", "created_by", "updated_by", "deleted_at", "parent_id"]);
   for (const columnName of currentColumnNames) {
     if (!expectedColumns.has(columnName) && !systemFields.has(columnName)) {
-      result.droppedColumns.push(columnName);
+      const col = currentTable.columns.get(columnName);
+      result.droppedColumns.push({ name: columnName, type: col.type });
     }
   }
   return result;
@@ -18178,6 +18293,39 @@ function normalizeColumnType(type2) {
   };
   return typeMap[normalized] || normalized;
 }
+function mapDbTypeToKnex(dbType, colName) {
+  const name = colName ? `'${colName}'` : `'column'`;
+  const upper = dbType.replace(/\(.*\)/, "").trim().toUpperCase();
+  const sizeMatch = dbType.match(/\((\d+)\)/);
+  const size = sizeMatch ? sizeMatch[1] : null;
+  const mapping = {
+    "VARCHAR": size ? `table.string(${name}, ${size}).nullable()` : `table.string(${name}).nullable()`,
+    "CHARACTER VARYING": size ? `table.string(${name}, ${size}).nullable()` : `table.string(${name}).nullable()`,
+    "CHAR": size ? `table.string(${name}, ${size}).nullable()` : `table.string(${name}).nullable()`,
+    "TEXT": `table.text(${name}).nullable()`,
+    "INT": `table.integer(${name}).nullable()`,
+    "INTEGER": `table.integer(${name}).nullable()`,
+    "BIGINT": `table.bigInteger(${name}).nullable()`,
+    "FLOAT": `table.float(${name}).nullable()`,
+    "DOUBLE": `table.float(${name}).nullable()`,
+    "DOUBLE PRECISION": `table.float(${name}).nullable()`,
+    "DECIMAL": `table.decimal(${name}).nullable()`,
+    "NUMERIC": `table.decimal(${name}).nullable()`,
+    "BOOLEAN": `table.boolean(${name}).nullable()`,
+    "BOOL": `table.boolean(${name}).nullable()`,
+    "TINYINT": `table.boolean(${name}).nullable()`,
+    "TIMESTAMP": `table.timestamp(${name}).nullable()`,
+    "DATETIME": `table.timestamp(${name}).nullable()`,
+    "TIMESTAMP WITHOUT TIME ZONE": `table.timestamp(${name}).nullable()`,
+    "TIMESTAMP WITH TIME ZONE": `table.timestamp(${name}).nullable()`,
+    "DATE": `table.date(${name}).nullable()`,
+    "TIME": `table.time(${name}).nullable()`,
+    "JSON": `table.json(${name}).nullable()`,
+    "JSONB": `table.jsonb(${name}).nullable()`,
+    "UUID": `table.uuid(${name}).nullable()`
+  };
+  return { code: mapping[upper] || `table.specificType(${name}, '${dbType}').nullable()` };
+}
 function isEmptyDiff(diff) {
   return diff.newTables.length === 0 && diff.droppedTables.length === 0 && diff.alteredTables.length === 0;
 }
@@ -18292,8 +18440,8 @@ function generateUpCode(changes) {
       lines.push(`    // Modify ${col.name}: ${col.oldType} \u2192 ${col.newType}`);
       lines.push(`    table.dropColumn('${col.name}')`);
     }
-    for (const colName of alteration.droppedColumns) {
-      lines.push(`    table.dropColumn('${colName}')`);
+    for (const col of alteration.droppedColumns) {
+      lines.push(`    table.dropColumn('${col.name}')`);
     }
     lines.push(`  })`);
     lines.push("");
@@ -18316,9 +18464,9 @@ function generateDownCode(changes) {
     const hasChanges = alteration.newColumns.length > 0 || alteration.droppedColumns.length > 0 || alteration.modifiedColumns.length > 0;
     if (!hasChanges) continue;
     lines.push(`  await knex.schema.alterTable('${alteration.table}', (table) => {`);
-    for (const colName of alteration.droppedColumns) {
-      lines.push(`    // NOTE: Cannot recreate dropped column '${colName}' without type definition`);
-      lines.push(`    // table.specificType('${colName}', 'TYPE')`);
+    for (const col of alteration.droppedColumns) {
+      const knexType = mapDbTypeToKnex(col.type, col.name);
+      lines.push(`    ${knexType.code} // was: ${col.type}`);
     }
     for (const col of alteration.modifiedColumns.slice().reverse()) {
       lines.push(`    // Revert ${col.name}: ${col.newType} \u2192 ${col.oldType}`);
@@ -20382,14 +20530,29 @@ async function loadSelfPlugin() {
     const pkg3 = JSON.parse(readFileSync7(pkgPath, "utf-8"));
     const pkgName = pkg3?.name;
     if (!pkgName || !/nexus-plugin-/.test(pkgName)) return;
-    const candidates = [
-      join13(projectPath2, "dist", "index.js"),
-      join13(projectPath2, "src", "index.ts")
-    ];
-    for (const candidate of candidates) {
-      if (!existsSync10(candidate)) continue;
+    const srcEntry = join13(projectPath2, "src", "index.ts");
+    const distEntry = join13(projectPath2, "dist", "index.js");
+    if (existsSync10(srcEntry)) {
+      try {
+        const { tsImport } = await import("tsx/esm/api");
+        const mod = await tsImport(
+          pathToFileURL3(srcEntry).href,
+          import.meta.url
+        );
+        const manifest = extractPluginManifest(mod);
+        if (manifest) {
+          if (!manifest.migrationsDir) {
+            manifest.migrationsDir = join13(projectPath2, "migrations");
+          }
+          registerPlugin(manifest);
+          return;
+        }
+      } catch {
+      }
+    }
+    if (existsSync10(distEntry)) {
       try {
-        const mod = await import(pathToFileURL3(candidate).href);
+        const mod = await import(pathToFileURL3(distEntry).href);
         const manifest = extractPluginManifest(mod);
         if (manifest) {
           if (!manifest.migrationsDir) {