@gzl10/nexus-backend 0.16.8 → 0.18.0

package/dist/main.js

@@ -106,7 +106,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "@gzl10/nexus-backend",
-      version: "0.16.8",
+      version: "0.18.0",
       description: "Backend as a Service (BaaS) with Express 5, Knex and CASL",
       type: "module",
       main: "./dist/index.js",
@@ -162,7 +162,7 @@ var init_package = __esm({
         "jwt"
       ],
       scripts: {
-        dev: "tsx watch src/main.ts",
+        dev: "node --watch-path=./src --import tsx/esm src/main.ts",
         build: "tsup",
         start: "node dist/main.js",
         nexus: "tsx src/cli.ts",
@@ -218,22 +218,6 @@ var init_package = __esm({
         zod: "^3.24.0"
       },
       devDependencies: {
-        "@gzl10/nexus-plugin-ai": "workspace:^",
-        "@gzl10/nexus-plugin-auth-providers": "workspace:^",
-        "@gzl10/nexus-plugin-charts": "workspace:^",
-        "@gzl10/nexus-plugin-cms": "workspace:^",
-        "@gzl10/nexus-plugin-compliance": "workspace:^",
-        "@gzl10/nexus-plugin-docker": "workspace:^",
-        "@gzl10/nexus-plugin-links": "workspace:*",
-        "@gzl10/nexus-plugin-notifications": "workspace:*",
-        "@gzl10/nexus-plugin-oidc-server": "workspace:^",
-        "@gzl10/nexus-plugin-plane": "workspace:^",
-        "@gzl10/nexus-plugin-prisma": "workspace:^",
-        "@gzl10/nexus-plugin-remote": "workspace:*",
-        "@gzl10/nexus-plugin-schedules": "workspace:*",
-        "@gzl10/nexus-plugin-scim": "workspace:^",
-        "@gzl10/nexus-plugin-tags": "workspace:*",
-        "@gzl10/nexus-plugin-webhooks": "workspace:*",
         "@types/bcryptjs": "^2.4.0",
         "@types/compression": "^1.8.1",
         "@types/cookie-parser": "^1.4.10",
@@ -246,7 +230,16 @@ var init_package = __esm({
         "pino-pretty": "^13.1.3",
         "socket.io-client": "^4.8.3",
         supertest: "^7.2.2",
-        tsx: "^4.21.0"
+        tsx: "^4.21.0",
+        vite: "^8.0.3"
+      },
+      peerDependencies: {
+        vite: ">=6.0.0"
+      },
+      peerDependenciesMeta: {
+        vite: {
+          optional: true
+        }
       },
       publishConfig: {
         access: "public",
@@ -1147,15 +1140,17 @@ async function isWorkspacePackage(name) {
   }
 }
 async function installPlugin(name, opts) {
+  const isWorkspace = await isWorkspacePackage(name);
   let pkg2;
   if (opts?.version) {
     pkg2 = `${name}@${opts.version}`;
-  } else if (await isWorkspacePackage(name)) {
+  } else if (isWorkspace) {
     pkg2 = `${name}@workspace:*`;
   } else {
     pkg2 = name;
   }
-  await execAsync(`pnpm add -D ${pkg2}`);
+  const flag = isWorkspace ? "-D " : "";
+  await execAsync(`pnpm add ${flag}${pkg2}`);
   const filePath = getPluginsFilePath(opts?.projectPath);
   const plugins = readPluginsFile(filePath);
   plugins[name] = { enabled: true };
@@ -1246,7 +1241,7 @@ var init_table_prefix = __esm({
   }
 });
 
-// src/engine/store.ts
+// src/engine/module-store.ts
 function resetStore() {
   moduleStore.modules.length = 0;
   moduleStore.plugins.clear();
@@ -1257,8 +1252,8 @@ function resetStore() {
   moduleStore.tableToSubject.clear();
 }
 var moduleStore;
-var init_store = __esm({
-  "src/engine/store.ts"() {
+var init_module_store = __esm({
+  "src/engine/module-store.ts"() {
     "use strict";
     moduleStore = {
       /** Registered modules with source metadata */
@@ -1311,7 +1306,7 @@ var init_id = __esm({
   }
 });
 
-// src/engine/extractors.ts
+// src/engine/definition-extractors.ts
 function getTableAndSubject(def) {
   const caslSubject = def.casl?.subject;
   if (!TYPES_WITH_TABLE.has(def.type)) {
@@ -1379,8 +1374,8 @@ function validateModuleDependencies(modules) {
   }
 }
 var TYPES_WITH_TABLE;
-var init_extractors = __esm({
-  "src/engine/extractors.ts"() {
+var init_definition_extractors = __esm({
+  "src/engine/definition-extractors.ts"() {
     "use strict";
     TYPES_WITH_TABLE = /* @__PURE__ */ new Set(["collection", "reference", "event", "config", "temp", "view", void 0]);
   }
@@ -1500,9 +1495,9 @@ var init_registry = __esm({
     "use strict";
     init_plugin_ops();
     init_table_prefix();
-    init_store();
+    init_module_store();
     init_id();
-    init_extractors();
+    init_definition_extractors();
   }
 });
 
@@ -1554,7 +1549,28 @@ var init_paths = __esm({
   }
 });
 
-// src/engine/queries.ts
+// src/engine/module-queries.ts
+var module_queries_exports = {};
+__export(module_queries_exports, {
+  getCoreManifest: () => getCoreManifest,
+  getCoreModules: () => getCoreModules,
+  getModule: () => getModule,
+  getModules: () => getModules,
+  getOrderedModules: () => getOrderedModules,
+  getOrderedModulesInternal: () => getOrderedModulesInternal,
+  getPlugin: () => getPlugin,
+  getPluginByCode: () => getPluginByCode,
+  getPlugins: () => getPlugins,
+  getRegisteredSubjects: () => getRegisteredSubjects,
+  getSubjectForTable: () => getSubjectForTable,
+  getUserManifest: () => getUserManifest,
+  getUserModules: () => getUserModules,
+  hasModule: () => hasModule,
+  hasPlugin: () => hasPlugin,
+  hasPluginByCode: () => hasPluginByCode,
+  hasUserApp: () => hasUserApp,
+  isValidSubject: () => isValidSubject
+});
 import { join as join4 } from "path";
 import { readFileSync as readFileSync3 } from "fs";
 function readPackageJson(dir) {
@@ -1588,12 +1604,22 @@ function getOrderedModulesInternal() {
   moduleStore.modules.forEach(visit);
   return sorted;
 }
+function getModule(name) {
+  const mod = moduleStore.modules.find((m) => m.name === name);
+  return mod ? toModuleManifest(mod) : void 0;
+}
+function getPlugin(name) {
+  return moduleStore.plugins.get(name);
+}
 function getPlugins() {
   return [...moduleStore.plugins.values()];
 }
 function getRegisteredSubjects() {
   return [...moduleStore.subjects];
 }
+function isValidSubject(subject2) {
+  return moduleStore.subjects.has(subject2);
+}
 function getSubjectForTable(table) {
   return moduleStore.tableToSubject.get(table);
 }
@@ -1640,10 +1666,10 @@ function getPluginByCode(code) {
 function hasPluginByCode(code) {
   return moduleStore.pluginsByCode.has(code);
 }
-var init_queries = __esm({
-  "src/engine/queries.ts"() {
+var init_module_queries = __esm({
+  "src/engine/module-queries.ts"() {
     "use strict";
-    init_store();
+    init_module_store();
     init_paths();
   }
 });
@@ -2127,12 +2153,16 @@ var init_definitions = __esm({
       labelPlural: { en: "Masters", es: "Maestros" },
       labelField: "label",
       timestamps: true,
+      availableDisplayModes: ["board"],
+      groupBy: "type",
+      groupableFields: ["type"],
+      //columnDragFields: ['is_active'],
       fields: {
         id: useTextField2({
           label: { en: "ID", es: "ID" },
           required: true,
           size: 100,
-          hint: { en: "Format: type:code (e.g. countries:ES)", es: "Formato: type:code (ej. countries:ES)" },
+          hidden: true,
           meta: { sortable: true }
         }),
         type: useTextField2({
@@ -2153,9 +2183,20 @@ var init_definitions = __esm({
         is_active: isActiveField,
         metadata: useJsonField({
           label: { en: "Metadata", es: "Metadatos" },
-          hint: { en: "Type-specific fields (symbol, flag, etc.)", es: "Campos espec\xEDficos del tipo" }
+          hint: {
+            en: "Type-specific fields (symbol, flag, etc.)",
+            es: "Campos espec\xEDficos del tipo"
+          }
         })
       },
+      hooks: () => ({
+        beforeCreate: async (data) => {
+          if (data["type"] && data["code"] && !data["id"]) {
+            data["id"] = `${data["type"]}:${data["code"]}`;
+          }
+          return data;
+        }
+      }),
       defaultSort: { field: "order", order: "asc" },
       indexes: [{ columns: ["type", "code"], unique: true }],
       casl: { subject: "Master", permissions: masterCaslPermissions }
@@ -2164,6 +2205,10 @@ var init_definitions = __esm({
 });
 
 // src/modules/masters/registry.ts
+var registry_exports = {};
+__export(registry_exports, {
+  createMasterRegistry: () => createMasterRegistry
+});
 function createMasterRegistry() {
   const registrations = [];
   return {
@@ -8842,15 +8887,18 @@ function toEntityDefinitionDTO(def, _engine, moduleName) {
     const meta = field["meta"];
     return meta?.["sortable"] === true && !field["hidden"];
   });
+  const explicitGroupable = def["groupableFields"];
   const groupableInputTypes = ["select", "switch", "checkbox", "radio", "tags"];
-  const groupableFields = fieldEntries.filter(([, f]) => {
+  const autoGroupableFields = fieldEntries.filter(([, f]) => {
     const field = f;
     const inputType = field["input"];
     return groupableInputTypes.includes(inputType ?? "") && !field["hidden"];
   });
+  const resolvedGroupableFields = explicitGroupable ?? (autoGroupableFields.length > 0 ? autoGroupableFields.map(([name]) => name) : void 0);
   const entityType = def["type"] ?? "collection";
   const explicitDisplayMode = def["displayMode"];
-  const defaultDisplayMode = explicitDisplayMode ?? (["tree", "dag"].includes(entityType) ? "tree" : "table");
+  const explicitAvailableModes = def["availableDisplayModes"];
+  const defaultDisplayMode = explicitDisplayMode ?? (explicitAvailableModes?.length === 1 ? explicitAvailableModes[0] : void 0) ?? (["tree", "dag"].includes(entityType) ? "tree" : "table");
   const entityIdent = def["table"] ?? def["key"];
   return {
     id: def._id,
@@ -8870,9 +8918,11 @@ function toEntityDefinitionDTO(def, _engine, moduleName) {
     displayMode: explicitDisplayMode,
     defaultDisplayMode,
     availableDisplayModes: (() => {
+      const explicit = def["availableDisplayModes"];
+      if (explicit?.length) return explicit;
       const modes = ["table", "list", "masonry"];
       if (["tree", "dag"].includes(entityType)) modes.push("tree");
-      if (groupableFields.length > 0) modes.push("board");
+      if ((resolvedGroupableFields?.length ?? 0) > 0) modes.push("board");
       if (def["calendarFrom"]) modes.push("calendar");
       return modes;
     })(),
@@ -8882,10 +8932,8 @@ function toEntityDefinitionDTO(def, _engine, moduleName) {
       value: name,
       label: f["label"]
     })),
-    groupableFields: groupableFields.length > 0 ? groupableFields.map(([name, f]) => ({
-      value: name,
-      label: f["label"]
-    })) : void 0,
+    groupableFields: resolvedGroupableFields,
+    columnDragFields: def["columnDragFields"],
     groupBy: def["groupBy"],
     subgroupBy: def["subgroupBy"],
     calendarFrom: def["calendarFrom"],
@@ -8915,7 +8963,7 @@ function toModuleDTO(mod, ctx) {
     dependencies: mod.dependencies ?? [],
     routePrefix: mod.routePrefix ?? `/${mod.name}`,
     subjects: ctx.engine.getModuleSubjects(mod),
-    definitions: (mod.definitions ?? []).map(
+    definitions: (mod.definitions ?? []).filter((def) => ("expose" in def ? def.expose : true) !== false).map(
       (def) => toEntityDefinitionDTO(def, ctx.engine, mod.name)
     ),
     actions: (mod.actions ?? []).length > 0 ? (mod.actions ?? []).filter((a) => !a.hidden).map((a) => toActionDTO(a)) : void 0,
@@ -8925,21 +8973,6 @@ function toModuleDTO(mod, ctx) {
     hasInit: !!mod.init
   };
 }
-function getOrderedModulesViaContext(ctx) {
-  return ctx.engine.getModules();
-}
-async function runModuleSeedViaContext(mod, ctx) {
-  if (!mod.seed) {
-    return false;
-  }
-  try {
-    await mod.seed(ctx);
-    return true;
-  } catch (err) {
-    ctx.core.logger.error({ module: mod.name, err }, "Seed failed");
-    return false;
-  }
-}
 var init_system_helpers = __esm({
   "src/modules/system/system.helpers.ts"() {
     "use strict";
@@ -9174,7 +9207,8 @@ function createSystemController(ctx) {
       const plugins = engine.getPlugins();
       const body = {
         version: manifest.version,
-        plugins: plugins.map((p) => p.code)
+        plugins: plugins.map((p) => p.code),
+        locales: ctx.locales
       };
       res.json(body);
     }
@@ -10061,7 +10095,6 @@ var SYSTEM_TABLES, factoryResetAction;
 var init_factory_reset_action = __esm({
   "src/modules/system/actions/factory-reset.action.ts"() {
     "use strict";
-    init_system_helpers();
     SYSTEM_TABLES = /* @__PURE__ */ new Set([
       "_nexus_migrations",
       "_nexus_migration_lock",
@@ -10104,8 +10137,8 @@ var init_factory_reset_action = __esm({
           source: "core:system",
           action: "factory_reset",
           actorId: authReq.user?.id,
-          ip: req.ip,
-          userAgent: req.headers["user-agent"]
+          ip: req?.ip,
+          userAgent: req?.headers["user-agent"]
         });
         await new Promise((resolve2) => setImmediate(resolve2));
         const allTables = await getAllTables(knex3);
@@ -10143,11 +10176,11 @@ var init_factory_reset_action = __esm({
         } catch {
         }
         ctx.core.logger.info({ tables: dataTables.length }, "All data tables cleared");
-        const modules = getOrderedModulesViaContext(ctx);
+        const modules = ctx.engine.getModules();
         let modulesSeeded = 0;
         for (const mod of modules) {
           try {
-            const seeded = await runModuleSeedViaContext(mod, ctx);
+            const seeded = await ctx.db.seedModule(mod);
             if (seeded) modulesSeeded++;
           } catch (err) {
             ctx.core.logger.error({ module: mod.name, err }, "Seed failed during factory reset");
@@ -10201,8 +10234,8 @@ var init_restart_server_action = __esm({
           source: "core:system",
           action: "server_restart",
           actorId: authReq.user?.id,
-          ip: req.ip,
-          userAgent: req.headers["user-agent"]
+          ip: req?.ip,
+          userAgent: req?.headers["user-agent"]
         });
         setTimeout(() => process.exit(0), 500);
         return { success: true, message: "Server is restarting..." };
@@ -11824,7 +11857,7 @@ function createUploadMiddleware(ctx, options) {
   const rateLimit2 = ctx.core.middleware.rateLimit({
     windowMs: 60 * 1e3,
     max: 20,
-    message: "Demasiados uploads, intenta en 1 minuto"
+    message: "Too many uploads, try again in 1 minute"
   });
   const upload = multer({
     storage: multer.memoryStorage(),
@@ -12071,7 +12104,7 @@ function createStorageRoutes(ctx) {
     }
     res.status(201).json(results);
   };
-  const uploadRateLimit = ctx.core.middleware.rateLimit({ windowMs: 60 * 1e3, max: 20, message: "Demasiados uploads, intenta en 1 minuto" });
+  const uploadRateLimit = ctx.core.middleware.rateLimit({ windowMs: 60 * 1e3, max: 20, message: "Too many uploads, try again in 1 minute" });
   if (auth) {
     router.post("/upload/multiple", uploadRateLimit, auth, upload.array("files", 10), uploadMultiple);
   } else {
@@ -12105,7 +12138,7 @@ function createStorageRoutes(ctx) {
   delete filesController.create;
   delete filesController.update;
   filesController.delete = async (req, res) => {
-    const id = req.params["id"];
+    const id = String(req.params["id"] ?? "");
     if (!id) throw new ValidationError2("VALIDATION_ERROR");
     const storageService = getStorageService();
     const file = await storageService.getById(id);
@@ -12369,7 +12402,7 @@ var init_users_entity = __esm({
           ],
           nullable: true,
           meta: { sortable: true },
-          defaultValue: "es"
+          defaultValue: "en"
         }),
         timezone: useSelectField9({
           label: { en: "Timezone", es: "Zona horaria" },
@@ -12447,7 +12480,7 @@ var init_users_entity = __esm({
           middleware: (ctx) => ctx.core.middleware.rateLimit({
             windowMs: 15 * 60 * 1e3,
             max: 5,
-            message: "Demasiados intentos, intenta en 15 minutos"
+            message: "Too many attempts, try again in 15 minutes"
           }),
           handler: async (ctx, input) => {
             const {
@@ -12541,9 +12574,9 @@ var init_users_entity = __esm({
       labelField: "role_id",
       timestamps: true,
       order: 15,
-      routePrefix: "/user-roles",
       hidden: true,
       // Pivot table - managed via Users UI
+      expose: false,
       fields: {
         id: useIdField4(),
         user_id: useSelectField9({
@@ -12596,7 +12629,7 @@ function createUsersRoutes(ctx) {
   if (originalUsersDelete) {
     usersController.delete = async (req, res) => {
       const authReq = req;
-      const id = req.params["id"] ?? "";
+      const id = String(req.params["id"] ?? "");
       if (authReq.user?.id === id) {
         throw new ctx.core.errors.ForbiddenError("No puedes eliminarte a ti mismo");
       }
@@ -12671,7 +12704,7 @@ function createUsersRoutes(ctx) {
     "/:userId/roles",
     auth,
     async (req, res) => {
-      const roles = await usersService.getUserRoles(req.params["userId"]);
+      const roles = await usersService.getUserRoles(String(req.params["userId"] ?? ""));
       res.json(roles);
     }
   );
@@ -12681,18 +12714,19 @@ function createUsersRoutes(ctx) {
     validate2({ body: z4.object({ roleId: z4.string().min(1) }) }),
     async (req, res) => {
       const { roleId } = req.body;
-      await usersService.assignRole(req.params["userId"], roleId);
+      const userId = String(req.params["userId"] ?? "");
+      await usersService.assignRole(userId, roleId);
       ctx.events.notify("audit.log", {
         source: "core:users",
         action: "role_assigned",
         actorId: req.user?.id,
         resourceType: "user",
-        resourceId: req.params["userId"],
+        resourceId: userId,
         ip: req.ip,
         userAgent: req.headers["user-agent"],
         metadata: { roleId }
       });
-      const roles = await usersService.getUserRoles(req.params["userId"]);
+      const roles = await usersService.getUserRoles(userId);
       res.json(roles);
     }
   );
@@ -12702,18 +12736,19 @@ function createUsersRoutes(ctx) {
     validate2({ body: z4.object({ roleIds: z4.array(z4.string()) }) }),
     async (req, res) => {
       const { roleIds } = req.body;
-      await usersService.setRoles(req.params["userId"], roleIds);
+      const userId = String(req.params["userId"] ?? "");
+      await usersService.setRoles(userId, roleIds);
       ctx.events.notify("audit.log", {
         source: "core:users",
         action: "roles_replaced",
         actorId: req.user?.id,
         resourceType: "user",
-        resourceId: req.params["userId"],
+        resourceId: userId,
         ip: req.ip,
         userAgent: req.headers["user-agent"],
         metadata: { roleIds }
       });
-      const roles = await usersService.getUserRoles(req.params["userId"]);
+      const roles = await usersService.getUserRoles(userId);
       res.json(roles);
     }
   );
@@ -12721,16 +12756,18 @@ function createUsersRoutes(ctx) {
     "/:userId/roles/:roleId",
     auth,
     async (req, res) => {
-      await usersService.removeRole(req.params["userId"], req.params["roleId"]);
+      const userId = String(req.params["userId"] ?? "");
+      const roleId = String(req.params["roleId"] ?? "");
+      await usersService.removeRole(userId, roleId);
       ctx.events.notify("audit.log", {
         source: "core:users",
         action: "role_removed",
         actorId: req.user?.id,
         resourceType: "user",
-        resourceId: req.params["userId"],
+        resourceId: userId,
         ip: req.ip,
         userAgent: req.headers["user-agent"],
-        metadata: { roleId: req.params["roleId"] }
+        metadata: { roleId }
       });
       res.json({ success: true });
     }
@@ -13508,8 +13545,8 @@ var init_auth_entity = __esm({
       label: { en: "Refresh Token", es: "Token de refresco" },
       labelPlural: { en: "Refresh Tokens", es: "Tokens de refresco" },
       labelField: "id",
-      routePrefix: "/tokens",
       retention: { days: 7, expiresField: "expires_at" },
+      expose: false,
       fields: {
         id: useIdField5(),
         token: useTextField9({
@@ -13574,8 +13611,8 @@ var init_auth_entity = __esm({
       labelField: "provider",
       timestamps: true,
       hidden: true,
+      expose: false,
       order: 5,
-      routePrefix: "/identities",
       fields: {
         id: useIdField5(),
         user_id: useSelectField10({
@@ -16625,7 +16662,7 @@ var init_plugins_entity = __esm({
       label: "Plugins",
       icon: "mdi:puzzle",
       labelField: "code",
-      routePrefix: "/plugins",
+      routePrefix: "/",
       defaultSort: { field: "name", order: "asc" },
       fields: {
         name: useTextField12({
@@ -17038,12 +17075,12 @@ var init_loader = __esm({
   "src/engine/loader.ts"() {
     "use strict";
     init_registry();
-    init_extractors();
+    init_definition_extractors();
     init_modules();
   }
 });
 
-// src/engine/subjectExtractor.ts
+// src/engine/subject-extractor.ts
 function getModuleSubjects(mod) {
   const subjects = /* @__PURE__ */ new Set();
   for (const def of mod.definitions ?? []) {
@@ -17052,10 +17089,10 @@ function getModuleSubjects(mod) {
   }
   return [...subjects];
 }
-var init_subjectExtractor = __esm({
-  "src/engine/subjectExtractor.ts"() {
+var init_subject_extractor = __esm({
+  "src/engine/subject-extractor.ts"() {
     "use strict";
-    init_extractors();
+    init_definition_extractors();
   }
 });
 
@@ -17133,7 +17170,7 @@ function initSocketIO(httpServer, options) {
     maxHttpBufferSize: 1e6
     // 1MB - match Express json body limit
   });
-  logger.info({ maxHttpBufferSize: 1e6, cors: corsOrigin }, "Socket.IO initialized");
+  logger.info({ cors: corsOrigin }, "Socket.IO initialized");
   io.use((socket, next) => {
     const token = socket.handshake.auth?.["token"] || socket.handshake.query?.["token"];
     if (token && typeof token === "string" && jwtSecret) {
@@ -17156,7 +17193,6 @@ function initSocketIO(httpServer, options) {
     logger.warn({ code: err.code, message: err.message }, "Socket.IO connection error");
   });
   io.on("connection", handleConnection);
-  logger.info("Socket.IO initialized");
   nexusEvents.emitEvent("socket.initialized");
   return io;
 }
@@ -17737,6 +17773,12 @@ var init_app_error = __esm({
 
 // src/core/abilities/ability.factory.ts
 import { AbilityBuilder, createMongoAbility } from "@casl/ability";
+function setSeedPermissions(perms) {
+  seedPermissions = perms;
+}
+function clearSeedPermissions() {
+  seedPermissions = null;
+}
 function setCustomCaslRules(fn) {
   customCaslRules = fn;
 }
@@ -17794,16 +17836,28 @@ async function defineAbilityFor(user, roleNames) {
   if (customCaslRules) {
     await customCaslRules(user, { can, cannot });
   }
+  if (seedPermissions && !isSuperuser) {
+    for (const roleName of roleNames) {
+      const rolePerms = seedPermissions.get(roleName);
+      if (!rolePerms) continue;
+      for (const [subject2, actions] of rolePerms) {
+        for (const action of actions) {
+          can(action, subject2);
+        }
+      }
+    }
+  }
   return build();
 }
 function packRules(ability) {
   return ability.rules;
 }
-var customCaslRules, entityDefinitionsRegistry, SUPERUSER_ROLES;
+var customCaslRules, seedPermissions, entityDefinitionsRegistry, SUPERUSER_ROLES;
 var init_ability_factory = __esm({
   "src/core/abilities/ability.factory.ts"() {
     "use strict";
     init_logger();
+    seedPermissions = null;
     entityDefinitionsRegistry = null;
     SUPERUSER_ROLES = ["ADMIN", "OWNER"];
   }
@@ -17874,7 +17928,7 @@ var init_validate_middleware = __esm({
 import { z as z8 } from "zod";
 function resolveConfig() {
   env = envSchema.parse(process.env);
-  process.env.TZ = env.TZ;
+  process.env["TZ"] = env.TZ;
   resolvedConfig = {
     nodeEnv: env.NODE_ENV,
     port: env.PORT,
@@ -17929,7 +17983,7 @@ var init_env = __esm({
       FRPC_SUBDOMAIN: z8.string().optional()
     });
     env = envSchema.parse(process.env);
-    process.env.TZ = env.TZ;
+    process.env["TZ"] = env.TZ;
     resolvedConfig = null;
   }
 });
@@ -18356,7 +18410,7 @@ var init_sequence = __esm({
   }
 });
 
-// src/core/utils/error-handler.ts
+// src/core/utils/safe-json.ts
 function safeJsonParse(logger2, jsonString, fallback, context) {
   try {
     return JSON.parse(jsonString);
@@ -18365,8 +18419,8 @@ function safeJsonParse(logger2, jsonString, fallback, context) {
     return fallback;
   }
 }
-var init_error_handler = __esm({
-  "src/core/utils/error-handler.ts"() {
+var init_safe_json = __esm({
+  "src/core/utils/safe-json.ts"() {
     "use strict";
   }
 });
@@ -18375,14 +18429,15 @@ var init_error_handler = __esm({
 import express from "express";
 import { resolve, join as join9 } from "path";
 import { existsSync as existsSync9, readFileSync as readFileSync5 } from "fs";
-function createServeSPA(app) {
-  return (endpoint, distPath, options = {}) => {
+function createServeSPA(app, httpServer) {
+  return async (endpoint, distPath, options = {}) => {
     const {
       maxAge = "1d",
       etag = true,
       immutable = false,
       index = "index.html",
-      absolute = false
+      absolute = false,
+      viteSrc
     } = options;
     if (endpoint === "/api" || endpoint.startsWith("/api/")) {
       logger.error(`Cannot mount SPA on ${endpoint} - reserved for API routes`);
@@ -18393,58 +18448,117 @@ function createServeSPA(app) {
       return;
     }
     registeredEndpoints.add(endpoint);
-    let resolvedPath;
-    if (absolute) {
-      resolvedPath = distPath;
-    } else {
-      const projectPath2 = resolve(getProjectPath(), distPath);
-      if (existsSync9(projectPath2)) {
-        resolvedPath = projectPath2;
+    if (env.NODE_ENV === "development" && viteSrc) {
+      const srcPath = resolve(getProjectPath(), viteSrc);
+      if (!existsSync9(srcPath)) {
+        logger.warn({ endpoint, viteSrc, resolved: srcPath }, "Vite source not found \u2014 falling back to static");
       } else {
-        resolvedPath = resolve(getLibPath(), distPath);
+        const mounted = await mountViteDevMiddleware(app, endpoint, srcPath, httpServer);
+        if (mounted) return;
       }
     }
-    if (!existsSync9(resolvedPath)) {
-      logger.warn({ endpoint, distPath, hint: "Build the frontend first" }, `SPA directory not found: ${resolvedPath}`);
-      return;
+    mountStaticSPA(app, endpoint, distPath, { maxAge, etag, immutable, index, absolute });
+  };
+}
+async function mountViteDevMiddleware(app, endpoint, srcPath, httpServer) {
+  try {
+    const vite = await import("vite");
+    const apiUrl = env.BACKEND_URL ? `${env.BACKEND_URL}/api/v1` : "/api/v1";
+    const server2 = await vite.createServer({
+      root: srcPath,
+      server: {
+        middlewareMode: true,
+        allowedHosts: true,
+        hmr: httpServer ? { server: httpServer } : true
+      },
+      plugins: [{
+        name: "nexus-config-inject",
+        transformIndexHtml(html) {
+          const config3 = JSON.stringify({ apiUrl });
+          return html.replace("</head>", `<script>window.__NEXUS__=${config3}</script>
+</head>`);
+        }
+      }],
+      appType: "spa",
+      clearScreen: false
+    });
+    viteServers.push(server2);
+    if (endpoint === "/") {
+      app.use(server2.middlewares);
+    } else {
+      app.use(endpoint, server2.middlewares);
     }
-    const indexPath = join9(resolvedPath, index);
-    if (!existsSync9(indexPath)) {
-      logger.warn({ endpoint, index }, `Index file not found: ${indexPath}`);
-    }
-    app.use(endpoint, express.static(resolvedPath, { maxAge, etag, immutable }));
-    let injectedHtml = "";
-    if (existsSync9(indexPath)) {
-      const rawHtml = readFileSync5(indexPath, "utf-8");
-      const apiUrl = env.BACKEND_URL ? `${env.BACKEND_URL}/api/v1` : "/api/v1";
-      const nexusConfig = JSON.stringify({ apiUrl });
-      injectedHtml = rawHtml.replace(
-        "</head>",
-        `<script>window.__NEXUS__=${nexusConfig}</script>
-</head>`
-      );
+    logger.info({ path: srcPath }, `Vite dev server mounted at ${endpoint} (HMR enabled)`);
+    return true;
+  } catch (err) {
+    if (err.code === "ERR_MODULE_NOT_FOUND" || err.code === "MODULE_NOT_FOUND") {
+      logger.warn(`vite not installed \u2014 falling back to static serving for ${endpoint}`);
+      return false;
     }
-    const fallbackHandler = (_req, res) => {
-      if (!injectedHtml) {
-        res.status(404).send("index.html not found");
-        return;
-      }
-      res.set("Cache-Control", "no-cache, no-store, must-revalidate");
-      res.type("html").send(injectedHtml);
-    };
-    if (endpoint === "/") {
-      app.get("{*splat}", fallbackHandler);
+    logger.error({ err }, `Failed to mount Vite dev server at ${endpoint}`);
+    return false;
+  }
+}
+function mountStaticSPA(app, endpoint, distPath, options) {
+  const { maxAge, etag, immutable, index, absolute } = options;
+  let resolvedPath;
+  if (absolute) {
+    resolvedPath = distPath;
+  } else {
+    const projectPath2 = resolve(getProjectPath(), distPath);
+    if (existsSync9(projectPath2)) {
+      resolvedPath = projectPath2;
     } else {
-      app.get(endpoint, fallbackHandler);
-      app.get(`${endpoint}/{*splat}`, fallbackHandler);
+      resolvedPath = resolve(getLibPath(), distPath);
     }
-    logger.info({ path: resolvedPath }, `SPA mounted at ${endpoint}`);
+  }
+  if (!existsSync9(resolvedPath)) {
+    logger.warn({ endpoint, distPath, hint: "Build the frontend first" }, `SPA directory not found: ${resolvedPath}`);
+    return;
+  }
+  const indexPath = join9(resolvedPath, index);
+  if (!existsSync9(indexPath)) {
+    logger.warn({ endpoint, index }, `Index file not found: ${indexPath}`);
+  }
+  app.use(endpoint, express.static(resolvedPath, { maxAge, etag, immutable }));
+  let injectedHtml = "";
+  if (existsSync9(indexPath)) {
+    const rawHtml = readFileSync5(indexPath, "utf-8");
+    const apiUrl = env.BACKEND_URL ? `${env.BACKEND_URL}/api/v1` : "/api/v1";
+    const nexusConfig = JSON.stringify({ apiUrl });
+    injectedHtml = rawHtml.replace(
+      "</head>",
+      `<script>window.__NEXUS__=${nexusConfig}</script>
+</head>`
+    );
+  }
+  const fallbackHandler = (_req, res) => {
+    if (!injectedHtml) {
+      res.status(404).send("index.html not found");
+      return;
+    }
+    res.set("Cache-Control", "no-cache, no-store, must-revalidate");
+    res.type("html").send(injectedHtml);
   };
+  if (endpoint === "/") {
+    app.get("{*splat}", fallbackHandler);
+  } else {
+    app.get(endpoint, fallbackHandler);
+    app.get(`${endpoint}/{*splat}`, fallbackHandler);
+  }
+  logger.info({ path: resolvedPath }, `SPA mounted at ${endpoint}`);
 }
-function resetServeSPAEndpoints() {
+async function resetServeSPA() {
+  for (const server2 of viteServers) {
+    try {
+      await server2.close();
+    } catch {
+    }
+  }
+  viteServers.length = 0;
   registeredEndpoints.clear();
 }
-var registeredEndpoints;
+var registeredEndpoints, viteServers;
 var init_spa_handler = __esm({
   "src/core/spa-handler.ts"() {
     "use strict";
@@ -18452,6 +18566,7 @@ var init_spa_handler = __esm({
     init_logger();
     init_env();
     registeredEndpoints = /* @__PURE__ */ new Set();
+    viteServers = [];
   }
 });
 
@@ -19022,7 +19137,7 @@ var init_core = __esm({
     init_id();
     init_sequence();
     init_paths();
-    init_error_handler();
+    init_safe_json();
     init_spa_handler();
     init_cache();
     init_jwt();
@@ -19737,7 +19852,9 @@ var init_base_service = __esm({
         const countResult = await qb.clone().count("* as count").first();
         const total = Number(countResult?.count ?? 0);
         qb = this.applySortingWithDefaults(qb, query);
-        qb = qb.limit(limit).offset(offset);
+        if (limit > 0) {
+          qb = qb.limit(limit).offset(offset);
+        }
         const rawItems = await qb;
         const items = this.parseJsonFieldsFromArray(rawItems);
         const processedItems = await this.afterFindAll(items);
@@ -19822,7 +19939,7 @@ var init_base_service = __esm({
           });
         }
         const total = result.length;
-        const paginatedItems = result.slice(offset, offset + limit);
+        const paginatedItems = limit === 0 ? result : result.slice(offset, offset + limit);
         return this.buildPaginatedResult(paginatedItems, total, page, limit);
       }
       /**
@@ -20077,14 +20194,14 @@ var init_base_service = __esm({
        * Build paginated result from items and count
        */
       buildPaginatedResult(items, total, page, limit) {
-        const totalPages = Math.ceil(total / limit);
+        const totalPages = limit === 0 ? 1 : Math.ceil(total / limit);
         return {
           items,
           total,
-          page,
-          limit,
+          page: limit === 0 ? 1 : page,
+          limit: limit === 0 ? total : limit,
           totalPages,
-          hasNext: page < totalPages
+          hasNext: limit === 0 ? false : page < totalPages
         };
       }
       /**
@@ -20093,8 +20210,8 @@ var init_base_service = __esm({
       getPagination(query) {
         const maxLimit = query?.maxLimit ?? 100;
         const page = Math.max(1, query?.page ?? 1);
-        const limit = Math.min(maxLimit, Math.max(1, query?.limit ?? 20));
-        const offset = (page - 1) * limit;
+        const limit = query?.limit === 0 ? 0 : Math.min(maxLimit, Math.max(1, query?.limit ?? 20));
+        const offset = limit === 0 ? 0 : (page - 1) * limit;
         return { page, limit, offset };
       }
       /**
@@ -21741,7 +21858,8 @@ function createEntityController(service, definition, ctx) {
     async list(req, res) {
       checkPermission(req, "read");
       const page = Math.max(1, parseInt(req.query["page"]) || 1);
-      const limit = Math.min(100, Math.max(1, parseInt(req.query["limit"]) || 20));
+      const rawLimit = parseInt(req.query["limit"]);
+      const limit = rawLimit === 0 ? 0 : Math.min(100, Math.max(1, rawLimit || 20));
       let filters;
       if (req.query["filters"]) {
         filters = parseFilters(req.query["filters"], ctx.core.errors);
@@ -21784,7 +21902,7 @@ function createEntityController(service, definition, ctx) {
      * Get single entity
      */
     async get(req, res) {
-      const id = req.params["id"] ?? "";
+      const id = String(req.params["id"] ?? "");
       const entity = await service.findById(id);
       if (!entity) {
         throw new ctx.core.errors.NotFoundError(`${resolveLocalized6(definition.label, "en")} not found`);
@@ -21835,7 +21953,7 @@ function createEntityController(service, definition, ctx) {
       if (!service.update) {
         throw new ctx.core.errors.ForbiddenError(`${resolveLocalized6(definition.label, "en")} does not support update`);
       }
-      const id = req.params["id"] ?? "";
+      const id = String(req.params["id"] ?? "");
       const existing = await service.findById(id);
       if (!existing) {
         throw new ctx.core.errors.NotFoundError(`${resolveLocalized6(definition.label, "en")} not found`);
@@ -21867,7 +21985,7 @@ function createEntityController(service, definition, ctx) {
       if (!service.delete) {
         throw new ctx.core.errors.ForbiddenError(`${resolveLocalized6(definition.label, "en")} does not support delete`);
       }
-      const id = req.params["id"] ?? "";
+      const id = String(req.params["id"] ?? "");
       const existing = await service.findById(id);
       if (!existing) {
         throw new ctx.core.errors.NotFoundError(`${resolveLocalized6(definition.label, "en")} not found`);
@@ -22066,7 +22184,7 @@ function createActionHandler(action, definition, ctx, scope = "row") {
   const caslSubject = (action.casl && "subject" in action.casl ? action.casl.subject : void 0) ?? definition.casl?.subject ?? capitalizeFirst(entityName ?? "Entity");
   const hasCasl = !action.skipAuth && (!!definition.casl || !!action.casl);
   return async (req, res) => {
-    const recordId = scope === "row" ? req.params["id"] : void 0;
+    const recordId = scope === "row" ? String(req.params["id"] ?? "") : void 0;
     const authReq = req;
     if (hasCasl && !authReq.ability) {
       ctx.core.logger.warn({ action: "execute", subject: caslSubject, actionKey: action.key, reqId: req.requestId, decision: "deny", reason: "unauthenticated" }, "authz:deny");
@@ -22140,6 +22258,8 @@ var init_entity_controller = __esm({
 // src/runtime/routes/entity.routes.ts
 function createEntityRouter(controller, definition, ctx, service) {
   const router = ctx.createRouter();
+  const expose = "expose" in definition ? definition.expose : true;
+  if (expose === false) return router;
   const type2 = definition.type ?? "collection";
   const isSingleton = (type2 === "single" || type2 === "config") && !("scopeField" in definition && definition.scopeField);
   const entityDef = definition;
@@ -22234,44 +22354,44 @@ function createEntityRouter(controller, definition, ctx, service) {
       res.json(await treeSvc.findRoots());
     }));
     router.post("/:id/move", ...entityMiddleware, ...authMiddleware, asyncHandler(async (req, res) => {
-      const id = req.params["id"] ?? "";
+      const id = String(req.params["id"] ?? "");
       const { parentId } = req.body;
       res.json(await treeSvc.move(id, parentId ?? null));
     }));
     router.get("/:id/ancestors", ...entityMiddleware, ...authMiddleware, asyncHandler(async (req, res) => {
-      const id = req.params["id"] ?? "";
+      const id = String(req.params["id"] ?? "");
       res.json(await treeSvc.getAncestors(id));
     }));
     router.get("/:id/descendants", ...entityMiddleware, ...authMiddleware, asyncHandler(async (req, res) => {
-      const id = req.params["id"] ?? "";
+      const id = String(req.params["id"] ?? "");
       res.json(await treeSvc.getDescendants(id));
     }));
     router.get("/:id/children", ...entityMiddleware, ...authMiddleware, asyncHandler(async (req, res) => {
-      const id = req.params["id"] ?? "";
+      const id = String(req.params["id"] ?? "");
       res.json(await treeSvc.findChildren(id));
     }));
   }
   if (type2 === "dag" && service) {
     const dagSvc = service;
     router.get("/:id/parents", ...entityMiddleware, ...authMiddleware, asyncHandler(async (req, res) => {
-      const id = req.params["id"] ?? "";
+      const id = String(req.params["id"] ?? "");
       res.json(await dagSvc.getParents(id));
     }));
     router.put("/:id/parents", ...entityMiddleware, ...authMiddleware, asyncHandler(async (req, res) => {
-      const id = req.params["id"] ?? "";
+      const id = String(req.params["id"] ?? "");
       const { parentIds } = req.body;
       await dagSvc.setParents(id, parentIds);
       res.status(204).send();
     }));
     router.post("/:id/parents", ...entityMiddleware, ...authMiddleware, asyncHandler(async (req, res) => {
-      const id = req.params["id"] ?? "";
+      const id = String(req.params["id"] ?? "");
       const { parentId } = req.body;
       await dagSvc.addParent(id, parentId);
       res.status(204).send();
     }));
     router.delete("/:id/parents/:parentId", ...entityMiddleware, ...authMiddleware, asyncHandler(async (req, res) => {
-      const id = req.params["id"] ?? "";
-      const parentId = req.params["parentId"] ?? "";
+      const id = String(req.params["id"] ?? "");
+      const parentId = String(req.params["parentId"] ?? "");
       await dagSvc.removeParent(id, parentId);
       res.status(204).send();
     }));
@@ -23205,17 +23325,18 @@ async function createModuleRouters(ctx, definitions, modulePrefix) {
     const runtime = await createEntityRuntimeAsync(ctx, definition);
     const route = inferEntityRoutePath(definition);
     const entityLabel = resolveLocalized7(definition.label, "en");
-    if (modulePrefix && route === modulePrefix) {
+    const isExposed = !("expose" in definition && definition.expose === false);
+    if (isExposed && modulePrefix && route === modulePrefix) {
       ctx.core.logger.warn(
         `Entity "${entityLabel}" inferred route "${route}" duplicates module prefix \u2014 add routePrefix to the entity definition to fix`
       );
     }
-    if (routeMap.has(route)) {
+    if (isExposed && routeMap.has(route)) {
       ctx.core.logger.warn(
         `Entity "${entityLabel}" route "${route}" collides with "${routeMap.get(route)}" in the same module`
       );
     }
-    routeMap.set(route, entityLabel);
+    if (isExposed) routeMap.set(route, entityLabel);
     router.use(route, runtime.router);
     const key = getServiceKey(definition);
     if (ctx.services.has(key)) {
@@ -23431,7 +23552,7 @@ var init_runtime = __esm({
   }
 });
 
-// src/db/module-runner.ts
+// src/db/seed-runner.ts
 import { existsSync as existsSync10 } from "fs";
 import { join as join10 } from "path";
 import { pathToFileURL } from "url";
@@ -23499,8 +23620,8 @@ function hasSeedData(seed5) {
   if (!Array.isArray(seed5) && "source" in seed5 && seed5.source === "url") return true;
   return Array.isArray(seed5) && seed5.length > 0;
 }
-var init_module_runner = __esm({
-  "src/db/module-runner.ts"() {
+var init_seed_runner = __esm({
+  "src/db/seed-runner.ts"() {
     "use strict";
     init_runtime();
     init_paths();
@@ -23603,7 +23724,7 @@ var init_migration_sources = __esm({
     init_shared();
     init_paths();
     init_plugin_ops();
-    init_store();
+    init_module_store();
   }
 });
 
@@ -23936,7 +24057,7 @@ async function runMigrations(knexInstance, sources) {
     const executedMigrations = await knex3("_nexus_migrations").where({ status: "completed" }).select("name").then((rows) => new Set(rows.map((r) => r.name)));
     const pendingMigrations = migrationFiles.filter((m) => !executedMigrations.has(m.name));
     if (pendingMigrations.length === 0) {
-      logger.info("No pending migrations");
+      logger.debug("No pending migrations");
       return;
     }
     const batch = await getNextBatch(knex3);
@@ -24336,6 +24457,27 @@ var init_migration_helpers = __esm({
 import path2 from "path";
 import fs2 from "fs/promises";
 import { readFileSync as readFileSync6, mkdirSync as mkdirSync5, realpathSync } from "fs";
+function getColumnIndexBytes(field) {
+  if (!field?.db) return 255 * MYSQL_BYTES_PER_CHAR;
+  const size = field.db.size ?? 255;
+  if (field.db.type === "text") return 0;
+  if (field.db.type === "string") return size * MYSQL_BYTES_PER_CHAR;
+  if (field.db.type === "integer") return 4;
+  if (field.db.type === "boolean") return 1;
+  if (field.db.type === "datetime" || field.db.type === "date") return 8;
+  if (field.db.type === "uuid") return 16;
+  return size * MYSQL_BYTES_PER_CHAR;
+}
+function warnIfIndexExceedsMySQLLimit(table, columns, unique, fields) {
+  if (!fields) return;
+  const totalBytes = columns.reduce((sum, col) => sum + getColumnIndexBytes(fields[col]), 0);
+  if (totalBytes > MYSQL_MAX_INDEX_BYTES) {
+    const indexType = unique ? "UNIQUE" : "INDEX";
+    logger.warn(
+      `${indexType} on ${table}(${columns.join(", ")}) requires ${totalBytes} bytes \u2014 exceeds MySQL utf8mb4 limit of ${MYSQL_MAX_INDEX_BYTES} bytes. Reduce column sizes or restructure the index for MySQL compatibility.`
+    );
+  }
+}
 async function detectSchemaDrift(knexInstance) {
   const knex3 = knexInstance ?? getDb();
   const entities = getAllPersistentEntities();
@@ -24443,6 +24585,7 @@ function computeSchemaDiff(entities, currentSchema, options) {
     for (const idx of entityIndexes) {
       const key = normalizeKey(idx.columns, !!idx.unique);
       if (!currentKeys.has(key)) {
+        warnIfIndexExceedsMySQLLimit(tableName, idx.columns, !!idx.unique, entity.fields);
         diff.newIndexes.push({ columns: idx.columns, unique: !!idx.unique });
       }
     }
@@ -24614,7 +24757,7 @@ function formatDriftMessage(drift) {
   lines.push('Run "pnpm migrate:dev" to generate and apply migrations.');
   return lines.join("\n");
 }
-var PERSISTENT_TYPES;
+var MYSQL_MAX_INDEX_BYTES, MYSQL_BYTES_PER_CHAR, PERSISTENT_TYPES;
 var init_migration_generator = __esm({
   "src/db/migration-generator.ts"() {
     "use strict";
@@ -24623,9 +24766,11 @@ var init_migration_generator = __esm({
     init_paths();
     init_schema_reader();
     init_engine();
-    init_queries();
+    init_module_queries();
     init_migration_helpers();
-    init_store();
+    init_module_store();
+    MYSQL_MAX_INDEX_BYTES = 3072;
+    MYSQL_BYTES_PER_CHAR = 4;
     PERSISTENT_TYPES = /* @__PURE__ */ new Set([
       "collection",
       "tree",
@@ -24679,6 +24824,13 @@ async function runAllGeneratedMigrations(ctx, modules) {
         table.string("created_by", 26).nullable();
         table.string("updated_by", 26).nullable();
       }
+      const hasSoftDelete = entityDef.softDelete;
+      if (hasSoftDelete) {
+        table.timestamp("deleted_at").nullable();
+      }
+      if (entityDef.type === "tree") {
+        table.string("parent_id", 26).nullable().references(`${tableName}.id`).onDelete("SET NULL");
+      }
     });
     const entityIndexes = entityDef.indexes;
     if (entityIndexes?.length) {
@@ -24795,7 +24947,16 @@ function addColumn(table, fieldName, field, db2) {
     column.unique();
   }
   if (dbConfig.default !== void 0) {
-    column.defaultTo(dbConfig.default);
+    const isJsonColumn = dbConfig.type === "json" || dbConfig.type === "array";
+    if (isJsonColumn && typeof dbConfig.default === "string") {
+      try {
+        column.defaultTo(JSON.parse(dbConfig.default));
+      } catch {
+        column.defaultTo(dbConfig.default);
+      }
+    } else {
+      column.defaultTo(dbConfig.default);
+    }
   } else if (dbConfig.defaultFn === "now") {
     column.defaultTo(db2.fn.now());
   }
@@ -26183,7 +26344,7 @@ var init_db = __esm({
     init_schema_helpers();
     init_sql_utils();
     init_sqlite_compat();
-    init_module_runner();
+    init_seed_runner();
     init_ensure_system_tables();
     init_migration_sources();
     init_migration_runner();
@@ -26273,12 +26434,20 @@ async function discoverPlugins(projectPath2) {
             manifest.image = imagePath;
           }
         }
+        if (!manifest.llms) {
+          const llmsPath = join12(projectPath2, "node_modules", pkgName, "llms.txt");
+          if (existsSync11(llmsPath)) {
+            manifest.llms = readFileSync7(llmsPath, "utf-8");
+          }
+        }
         discovered.push(manifest);
       } else {
         logger.warn({ plugin: pkgName }, "Plugin discovery: no PluginManifest export, skipping");
       }
     } catch (err) {
-      logger.warn({ plugin: pkgName, err: err.message }, "Plugin discovery: failed to import");
+      const errorMsg = err.message;
+      logger.warn({ plugin: pkgName, err: errorMsg }, "Plugin discovery: failed to import");
+      console.error(`  \u26A0 Plugin '${pkgName}' failed to load: ${errorMsg}`);
     }
   }
   return discovered;
@@ -26346,7 +26515,9 @@ async function discoverModules(projectPath2) {
         discovered.push(...manifests);
       }
     } catch (err) {
-      logger.warn({ module: entry, err: err.message }, "Module discovery: failed to import");
+      const errorMsg = err.message;
+      logger.warn({ module: entry, err: errorMsg }, "Module discovery: failed to import");
+      console.error(`  \u26A0 Module '${entry}' failed to load: ${errorMsg}`);
     }
   }
   return discovered;
@@ -26437,8 +26608,11 @@ var init_events_api = __esm({
 
 // src/engine/context.ts
 import { ForbiddenError as CASLForbiddenError3, subject } from "@casl/ability";
-import { DEFAULT_TENANT_ID as DEFAULT_TENANT_ID2 } from "@gzl10/nexus-sdk";
+import { DEFAULT_TENANT_ID as DEFAULT_TENANT_ID2, DEFAULT_LOCALES } from "@gzl10/nexus-sdk";
 import { Redis as Redis2 } from "ioredis";
+function setLocales(locales) {
+  platformLocales = locales;
+}
 function getSharedCacheManager() {
   if (!sharedCacheManager) {
     const redisUrl = env.REDIS_URL;
@@ -26514,7 +26688,7 @@ function createModuleContext() {
   const defaultAdapter = createKnexAdapter(knex3);
   const defaultSchemaAdapter = createKnexSchemaAdapter(knex3);
   adaptersRegistry["temp"] = { data: getSharedTempAdapter() };
-  logger.debug(env.REDIS_URL ? "Temp adapter: Redis (shared)" : "Temp adapter: InMemory (shared)");
+  logger.trace(env.REDIS_URL ? "Temp adapter: Redis (shared)" : "Temp adapter: InMemory (shared)");
   const middleware = {
     validate,
     rateLimit: createRateLimit,
@@ -26622,7 +26796,9 @@ function createModuleContext() {
         throw new Error(`Knex connection for adapter "${adapter}" not found. Available: ${Object.keys(knexConnections).join(", ")}`);
       }
       return conn;
-    }
+    },
+    // Placeholder — bound after ctx construction (needs full ModuleContext)
+    seedModule: null
   };
   const configContext = {
     env,
@@ -26715,7 +26891,8 @@ function createModuleContext() {
     adapters: adaptersContext,
     // Root-level shortcuts for frequently used utilities
     events: createEventsApi(nexusEvents, logger),
-    createRouter: () => createRouter()
+    createRouter: () => createRouter(),
+    locales: platformLocales
   };
   servicesRegistry["cacheManager"] = getSharedCacheManager();
   ctx.runtime = {
@@ -26724,9 +26901,10 @@ function createModuleContext() {
     createEntityController: (service, def) => createEntityController(service, def, ctx),
     createEntityRouter: (controller, def) => createEntityRouter(controller, def, ctx)
   };
+  ctx.db.seedModule = (mod) => runModuleSeed(mod, ctx);
   return ctx;
 }
-var sharedCacheManager, sharedTempAdapter;
+var platformLocales, sharedCacheManager, sharedTempAdapter;
 var init_context = __esm({
   "src/engine/context.ts"() {
     "use strict";
@@ -26739,7 +26917,9 @@ var init_context = __esm({
     init_plugin_ops();
     init_load_config();
     init_events_api();
+    init_seed_runner();
     init_cache_manager();
+    platformLocales = DEFAULT_LOCALES;
     sharedCacheManager = null;
     sharedTempAdapter = null;
   }
@@ -26750,11 +26930,11 @@ var init_engine = __esm({
   "src/engine/index.ts"() {
     "use strict";
     init_registry();
-    init_queries();
+    init_module_queries();
     init_loader();
-    init_store();
-    init_subjectExtractor();
-    init_extractors();
+    init_module_store();
+    init_subject_extractor();
+    init_definition_extractors();
     init_context();
   }
 });
@@ -27290,7 +27470,7 @@ async function createApp(options = {}) {
     // Only accept arrays and objects
   }));
   app.use(cookieParser());
-  const serveSPA = createServeSPA(app);
+  const serveSPA = createServeSPA(app, options.httpServer);
   if (options.beforeRoutes) {
     const result = options.beforeRoutes(app, serveSPA);
     if (result instanceof Promise) {
@@ -27384,11 +27564,11 @@ async function createApp(options = {}) {
   });
   const sortedSpas = [...servedSpas].sort((a, b) => b.endpoint.length - a.endpoint.length);
   for (const spa of sortedSpas) {
-    serveSPA(spa.endpoint, spa.path, spa);
+    await serveSPA(spa.endpoint, spa.path, { ...spa, viteSrc: spa.viteSrc });
   }
   const { ui } = getConfig();
   if (ui.enabled) {
-    serveSPA(ui.base, ui.path);
+    await serveSPA(ui.base, ui.path, { viteSrc: "../ui" });
   }
   app.use(errorMiddleware);
   return app;
@@ -27414,58 +27594,32 @@ var init_app = __esm({
   }
 });
 
-// src/core/utils/net.ts
+// src/core/utils/port-check.ts
 import net from "net";
 import { execSync } from "child_process";
 function findProcessOnPort(port) {
   try {
     const output = execSync(`lsof -ti :${port} 2>/dev/null`, { encoding: "utf-8" });
     const pid = parseInt(output.trim().split("\n")[0] ?? "", 10);
-    return isNaN(pid) ? null : pid;
+    if (isNaN(pid)) return null;
+    let name = "unknown";
+    try {
+      name = execSync(`ps -o comm= -p ${pid} 2>/dev/null`, { encoding: "utf-8" }).trim();
+    } catch {
+    }
+    return { pid, name };
   } catch {
     return null;
   }
 }
-function isSameProcessGroup(pid) {
-  if (pid === process.pid || pid === process.ppid) return true;
-  try {
-    const ourPgid = execSync(`ps -o pgid= -p ${process.pid} 2>/dev/null`, { encoding: "utf-8" }).trim();
-    const targetPgid = execSync(`ps -o pgid= -p ${pid} 2>/dev/null`, { encoding: "utf-8" }).trim();
-    return ourPgid === targetPgid;
-  } catch {
-    return false;
-  }
-}
-function killProcessOnPort(port) {
-  const pid = findProcessOnPort(port);
-  if (!pid) return false;
-  if (isSameProcessGroup(pid)) {
-    logger.warn({ port, pid }, `Skipping same process group (PID ${pid}) on port ${port}`);
-    return false;
-  }
-  try {
-    process.kill(pid, "SIGTERM");
-    logger.warn({ port, pid }, `Killed process ${pid} on port ${port}`);
-    return true;
-  } catch {
-    return false;
-  }
-}
 async function checkPortAvailable(port, host = "0.0.0.0") {
   return new Promise((resolve2, reject) => {
     const server2 = net.createServer();
     server2.once("error", (err) => {
       if (err.code === "EADDRINUSE") {
-        if (process.env["NODE_ENV"] !== "production") {
-          if (killProcessOnPort(port)) {
-            setTimeout(() => {
-              checkPortAvailable(port, host).then(resolve2).catch(reject);
-            }, 500);
-            return;
-          }
-        }
-        logger.error({ port }, `Port ${port} is already in use`);
-        reject(new Error(`Port ${port} is already in use`));
+        const proc = findProcessOnPort(port);
+        const msg = proc ? `Port ${port} is already in use by "${proc.name}" (PID ${proc.pid}). Stop that process first.` : `Port ${port} is already in use`;
+        reject(new Error(msg));
       } else {
         reject(err);
       }
@@ -27476,10 +27630,9 @@ async function checkPortAvailable(port, host = "0.0.0.0") {
     server2.listen(port, host);
   });
 }
-var init_net = __esm({
-  "src/core/utils/net.ts"() {
+var init_port_check = __esm({
+  "src/core/utils/port-check.ts"() {
     "use strict";
-    init_logger();
   }
 });
 
@@ -27574,6 +27727,150 @@ var init_tunnel = __esm({
   }
 });
 
+// src/db/seed-context.ts
+var seed_context_exports = {};
+__export(seed_context_exports, {
+  createSeedContext: () => createSeedContext
+});
+function createSeedContext(deps) {
+  const { knex: db2, generateId: generateId4, hashPassword: hashPassword2, pluginPrefixes, logger: logger2 } = deps;
+  const permissionsMap = /* @__PURE__ */ new Map();
+  const seedContext = {
+    masters: {
+      register(type2, entries, options) {
+        deps.masterRegistry.register(type2, entries, options);
+      }
+    },
+    roles: {
+      async add(role) {
+        const hasTable = await db2.schema.hasTable("roles");
+        if (!hasTable) return;
+        const existing = await db2("roles").where({ name: role.name }).first();
+        if (!existing) {
+          const description = role.description ? JSON.stringify(typeof role.description === "string" ? { en: role.description } : role.description) : null;
+          await db2("roles").insert({
+            id: generateId4(),
+            name: role.name,
+            description,
+            is_system: role.is_system ?? false
+          });
+          logger2.info({ role: role.name }, "Seeded role");
+        }
+        if (role.permissions) {
+          let rolePerms = permissionsMap.get(role.name);
+          if (!rolePerms) {
+            rolePerms = /* @__PURE__ */ new Map();
+            permissionsMap.set(role.name, rolePerms);
+          }
+          for (const [subject2, actions] of Object.entries(role.permissions)) {
+            const normalized = subject2.charAt(0).toUpperCase() + subject2.slice(1);
+            rolePerms.set(normalized, actions);
+          }
+        }
+      }
+    },
+    users: {
+      async add(user) {
+        const hasTable = await db2.schema.hasTable("users");
+        if (!hasTable) return;
+        const existing = await db2("users").where({ email: user.email }).first();
+        if (existing) return;
+        const userId = generateId4();
+        await db2("users").insert({
+          id: userId,
+          type: user.type ?? "human",
+          email: user.email,
+          password: await hashPassword2(user.password),
+          name: user.name ?? user.email
+        });
+        if (user.roles?.length) {
+          for (const roleName of user.roles) {
+            const role = await db2("roles").where({ name: roleName }).first();
+            if (role) {
+              await db2("user_roles").insert({
+                id: generateId4(),
+                user_id: userId,
+                role_id: role.id
+              });
+            } else {
+              logger2.warn({ role: roleName, user: user.email }, "Role not found, skipping assignment");
+            }
+          }
+        }
+        logger2.info({ email: user.email, roles: user.roles }, "Seeded user");
+      }
+    },
+    plugin(pluginName) {
+      return {
+        entity(entityName) {
+          return {
+            async upsert(data, options) {
+              let prefix = pluginPrefixes.get(pluginName) ?? "";
+              if (!prefix) {
+                for (const [key2, pfx] of pluginPrefixes) {
+                  if (pluginName === key2 || pluginName.endsWith(`-${key2}`)) {
+                    prefix = pfx;
+                    break;
+                  }
+                }
+              }
+              const fullTable = `${prefix}${entityName}`;
+              const hasTable = await db2.schema.hasTable(fullTable);
+              if (!hasTable) {
+                logger2.warn({ table: fullTable, plugin: pluginName }, "Table not found for plugin entity seed");
+                return 0;
+              }
+              const key = options?.key ?? "id";
+              let seeded = 0;
+              for (const row of data) {
+                const keyValue = row[key];
+                if (keyValue != null) {
+                  const existing = await db2(fullTable).where({ [key]: keyValue }).first();
+                  if (existing) continue;
+                }
+                const insertData = { ...row };
+                if (key === "id" && !insertData["id"]) {
+                  insertData["id"] = generateId4();
+                }
+                await db2(fullTable).insert(insertData);
+                seeded++;
+              }
+              if (seeded > 0) {
+                logger2.info({ table: fullTable, seeded }, "Seeded plugin entity data");
+              }
+              return seeded;
+            }
+          };
+        }
+      };
+    },
+    async raw(table, data) {
+      logger2.warn({ table }, "Using seed.raw() \u2014 prefer typed helpers when available");
+      const hasTable = await db2.schema.hasTable(table);
+      if (!hasTable) {
+        logger2.warn({ table }, "Table not found for raw seed");
+        return 0;
+      }
+      const rows = Array.isArray(data) ? data : [data];
+      await db2(table).insert(rows);
+      return rows.length;
+    }
+  };
+  return {
+    ctx: seedContext,
+    flushPermissions: () => {
+      if (permissionsMap.size > 0 && deps.onPermissionsCollected) {
+        deps.onPermissionsCollected(permissionsMap);
+      }
+    }
+  };
+}
+var init_seed_context = __esm({
+  "src/db/seed-context.ts"() {
+    "use strict";
+  }
+});
+
 // src/core/server.ts
 var server_exports = {};
 __export(server_exports, {
@@ -27582,7 +27879,9 @@ __export(server_exports, {
   start: () => start,
   stop: () => stop
 });
+import http from "http";
 import { entityRoom as entityRoom6 } from "@gzl10/nexus-sdk";
+import { DEFAULT_LOCALES as DEFAULT_LOCALES2 } from "@gzl10/nexus-sdk";
 async function runMigrationsAndSeeds(config3) {
   initLoggerService(getLoggerConfig());
   setLoggerInstance(getPinoLogger());
@@ -27635,7 +27934,7 @@ async function runMigrationsAndSeeds(config3) {
     const sources = buildMigrationSources();
     const migrationFiles = await loadAllMigrationFiles(sources);
     if (migrationFiles.length > 0) {
-      logger.info({ count: migrationFiles.length }, "Deploying pending migrations...");
+      logger.info({ sources: sources.length, files: migrationFiles.length }, "Running migration deploy...");
       try {
         await runMigrations(void 0, sources);
       } catch (err) {
@@ -27644,7 +27943,7 @@ async function runMigrationsAndSeeds(config3) {
         throw err;
       }
     }
-    logger.info("Checking schema drift...");
+    logger.debug("Checking schema drift...");
     const drift = await detectSchemaDrift();
     if (drift && (drift.newTables.length > 0 || drift.alteredTables.length > 0)) {
       const message = formatDriftMessage(drift);
@@ -27691,7 +27990,7 @@ ${dirs}`);
   }
   const allDefinitions = modules.flatMap((m) => m.definitions ?? []);
   await createMemoryTables(allDefinitions);
-  logger.info("Running seeds...");
+  logger.debug("Running seeds...");
   for (const mod of modules) {
     try {
       await runModuleSeed(mod, ctx);
@@ -27699,12 +27998,39 @@ ${dirs}`);
       logger.error({ module: mod.name, err }, "Seed failed - continuing with next module");
     }
   }
+  if (config3?.onSeed) {
+    const { getPlugins: getPlugins2 } = await Promise.resolve().then(() => (init_module_queries(), module_queries_exports));
+    const { createMasterRegistry: createMasterRegistry2 } = await Promise.resolve().then(() => (init_registry2(), registry_exports));
+    const masterRegistry = ctx.services.has("masters") ? ctx.services.get("masters") : createMasterRegistry2();
+    const pluginPrefixes = /* @__PURE__ */ new Map();
+    for (const plugin of getPlugins2()) {
+      pluginPrefixes.set(plugin.code, `${plugin.code}_`);
+      const shortName = plugin.name.replace(/^@[^/]+\/nexus-plugin-/, "");
+      if (shortName !== plugin.code) {
+        pluginPrefixes.set(shortName, `${plugin.code}_`);
+      }
+    }
+    const { createSeedContext: createSeedContext2 } = await Promise.resolve().then(() => (init_seed_context(), seed_context_exports));
+    const { ctx: seedCtx, flushPermissions } = createSeedContext2({
+      knex: ctx.db.knex,
+      generateId: ctx.core.generateId,
+      hashPassword: ctx.core.crypto.hashPassword,
+      masterRegistry,
+      pluginPrefixes,
+      logger: ctx.core.logger,
+      onPermissionsCollected: (perms) => setSeedPermissions(perms)
+    });
+    await config3.onSeed(seedCtx);
+    await masterRegistry.seed(ctx);
+    flushPermissions();
+  }
 }
 async function start(config3) {
   if (server) {
     throw new Error("Server already running. Call stop() first.");
   }
   currentConfig = config3;
+  setLocales(config3?.locales ?? DEFAULT_LOCALES2);
   if (env.NODE_ENV === "development" && env.FRPC_SERVER && env.FRPC_SUBDOMAIN && !env.BACKEND_URL) {
     process.env["BACKEND_URL"] = getTunnelUrl(env.FRPC_SUBDOMAIN, env.FRPC_SERVER);
   }
@@ -27729,13 +28055,17 @@ async function start(config3) {
   await initTelemetry2();
   await runMigrationsAndSeeds(config3);
   const effectiveCorsOrigins = buildEffectiveCorsOrigins(env.CORS_ORIGIN, config3?.spas);
+  const httpServer = http.createServer();
   const app = await createApp({
     beforeRoutes: config3?.beforeRoutes,
     afterRoutes: config3?.afterRoutes,
-    spas: config3?.spas
+    spas: config3?.spas,
+    httpServer
   });
+  httpServer.on("request", app);
   return new Promise((resolve2) => {
-    server = app.listen(resolved.port, resolved.host, async () => {
+    server = httpServer;
+    httpServer.listen(resolved.port, resolved.host, async () => {
       const timeoutMs = parseInt(process.env["REQUEST_TIMEOUT_MS"] || "30000", 10);
       if (timeoutMs > 0) {
         server.setTimeout(timeoutMs);
@@ -27771,12 +28101,10 @@ async function start(config3) {
         });
       }
       const baseUrl = env.BACKEND_URL || `http://localhost:${actualPort}`;
-      logger.info({ libPath: getLibPath(), projectPath: getProjectPath() }, "Paths");
-      logger.info(`API: ${baseUrl}/api/v1`);
-      if (resolved.ui.enabled) {
-        logger.info(`UI: ${baseUrl}`);
-      }
-      logger.info({ port: actualPort, mode: resolved.nodeEnv }, "Server started");
+      logger.debug({ libPath: getLibPath(), projectPath: getProjectPath() }, "Paths");
+      const urls = { api: `${baseUrl}/api/v1` };
+      if (resolved.ui.enabled) urls["ui"] = baseUrl;
+      logger.info({ port: actualPort, mode: resolved.nodeEnv, ...urls }, "Server started");
       nexusEvents.emitEvent("server.started", { port: actualPort, host: resolved.host });
       if (config3?.onReady) {
         try {
@@ -27802,7 +28130,8 @@ async function stop() {
     await resetSharedAdapters();
     resetConfigCache();
     clearCustomCaslRules();
-    resetServeSPAEndpoints();
+    clearSeedPermissions();
+    await resetServeSPA();
     return;
   }
   if (currentConfig?.beforeClose) {
@@ -27836,7 +28165,8 @@ async function stop() {
   await resetSharedAdapters();
   resetConfigCache();
   clearCustomCaslRules();
-  resetServeSPAEndpoints();
+  clearSeedPermissions();
+  await resetServeSPA();
   currentConfig = void 0;
   server = null;
   nexusEvents.emitEvent("server.stopped");
@@ -27896,7 +28226,7 @@ var init_server = __esm({
     init_cors();
     init_logger();
     init_error_middleware();
-    init_net();
+    init_port_check();
     init_engine();
     init_context();
     init_db();