@gzl10/nexus-backend 0.19.0 → 0.20.0

package/dist/index.js

@@ -14,7 +14,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "@gzl10/nexus-backend",
-      version: "0.19.0",
+      version: "0.20.0",
       description: "Backend as a Service (BaaS) with Express 5, Knex and CASL",
       type: "module",
       main: "./dist/index.js",
@@ -9287,18 +9287,20 @@ function createSystemController(ctx) {
     /**
      * GET /system/capabilities
      * Public endpoint — no authentication required.
-     * Returns backend version and registered plugin codes.
+     * Resolves all registered capabilities (core + plugin-contributed).
      */
-    getCapabilities(_req, res) {
-      res.set("Cache-Control", "public, max-age=300");
-      const manifest = engine.getCoreManifest();
-      const plugins = engine.getPlugins();
-      const body = {
-        version: manifest.version,
-        plugins: plugins.map((p) => p.code),
-        locales: ctx.locales
-      };
-      res.json(body);
+    async getCapabilities(_req, res) {
+      try {
+        res.set("Cache-Control", "public, max-age=300");
+        const body = await ctx.capabilities.resolve();
+        res.json(body);
+      } catch (err) {
+        ctx.core.logger.error({ err }, "Failed to resolve capabilities");
+        res.set("Cache-Control", "no-cache");
+        res.status(500).json({
+          error: { code: "INTERNAL_ERROR", message: "Failed to resolve capabilities" }
+        });
+      }
     }
   };
   function toManifestDTO(manifest, req) {
@@ -9871,8 +9873,8 @@ function registerCoreVars(registry2) {
   registry2.register("auth", "core", [
     {
       name: "AUTH_SECRET",
-      description: { en: "JWT signing secret. Must be at least 32 characters. Use a cryptographically random string in production", es: "Clave de firma JWT. M\xEDnimo 32 caracteres. Usar una cadena criptogr\xE1ficamente aleatoria en producci\xF3n" },
-      required: true,
+      description: { en: "JWT signing secret (optional). If not set, auto-generated and persisted in database. Must be at least 32 characters. Set explicitly for multi-instance deployments", es: "Clave de firma JWT (opcional). Si no se establece, se genera autom\xE1ticamente y se persiste en la base de datos. M\xEDnimo 32 caracteres. Establecer expl\xEDcitamente para despliegues multi-instancia" },
+      required: false,
       sensitive: true
     },
     {
@@ -10389,96 +10391,70 @@ var init_system = __esm({
   }
 });
 
-// src/modules/ui-settings/ui-branding.entity.ts
-import { useTextField as useTextField7, useImageField } from "@gzl10/nexus-sdk/fields";
-var uiBrandingEntity;
-var init_ui_branding_entity = __esm({
-  "src/modules/ui-settings/ui-branding.entity.ts"() {
+// src/modules/ui-settings/ui-style-guide.entity.ts
+import { useTextField as useTextField7, useImageField, useSelectField as useSelectField6, useColorField, useNumberField as useNumberField4, useSwitchField as useSwitchField2 } from "@gzl10/nexus-sdk/fields";
+var uiStyleGuideEntity;
+var init_ui_style_guide_entity = __esm({
+  "src/modules/ui-settings/ui-style-guide.entity.ts"() {
     "use strict";
-    uiBrandingEntity = {
+    uiStyleGuideEntity = {
       type: "single",
       realtime: "sync",
-      key: "ui_branding",
-      label: { en: "Branding", es: "Identidad Corporativa" },
-      icon: "mdi:palette-swatch-outline",
+      key: "ui_style_guide",
+      label: { en: "Style Guide", es: "Gu\xEDa de Estilos" },
+      icon: "mdi:palette-outline",
       public: true,
-      routePrefix: "/ui-branding",
+      routePrefix: "/ui-style-guide",
       defaults: {
         appName: "Nexus",
         logo: null,
         logoDark: null,
-        favicon: null
+        favicon: null,
+        primaryColor: "#3B82F6",
+        font: "space-grotesk",
+        typographyScale: "default",
+        borderRadius: 8,
+        glassEffect: true,
+        theme: "system",
+        loginLayout: "centered"
       },
       fields: {
         appName: useTextField7({
           label: { en: "App Name", es: "Nombre de la App" },
-          hint: { en: "Displayed in the header, browser tab and emails", es: "Se muestra en el header, pesta\xF1a del navegador y emails" },
+          hint: { en: "Displayed in header, browser tab and emails", es: "Se muestra en header, pesta\xF1a del navegador y emails" },
           size: 100,
           required: true
         }),
         logo: useImageField({
           label: { en: "Logo (Light Theme)", es: "Logo (Tema Claro)" },
-          hint: { en: "Recommended: SVG or PNG with transparent background, max 200px height", es: "Recomendado: SVG o PNG con fondo transparente, m\xE1x 200px de alto" },
+          hint: { en: "SVG or PNG with transparent background, max 200px height", es: "SVG o PNG con fondo transparente, m\xE1x 200px de alto" },
           folder: "branding",
           isPublic: true,
           dedupe: true
         }),
         logoDark: useImageField({
           label: { en: "Logo (Dark Theme)", es: "Logo (Tema Oscuro)" },
-          hint: { en: "Optional: Use a lighter version for dark backgrounds", es: "Opcional: Usa una versi\xF3n m\xE1s clara para fondos oscuros" },
+          hint: { en: "Lighter version for dark backgrounds", es: "Versi\xF3n m\xE1s clara para fondos oscuros" },
           folder: "branding",
           isPublic: true,
           dedupe: true
         }),
         favicon: useImageField({
           label: { en: "Favicon", es: "Favicon" },
-          hint: { en: "Browser tab icon. Recommended: 32x32 or 64x64 PNG/ICO", es: "Icono de pesta\xF1a del navegador. Recomendado: 32x32 o 64x64 PNG/ICO" },
+          hint: { en: "32x32 or 64x64 PNG/ICO", es: "32x32 o 64x64 PNG/ICO" },
           accept: "image/x-icon,image/png,image/svg+xml",
           maxSize: "256KB",
           folder: "branding",
           isPublic: true,
           dedupe: true
-        })
-      },
-      casl: {
-        subject: "UiBranding",
-        permissions: {
-          ADMIN: { actions: ["read", "update"] }
-        }
-      }
-    };
-  }
-});
-
-// src/modules/ui-settings/ui-theme.entity.ts
-import { useSelectField as useSelectField6, useColorField } from "@gzl10/nexus-sdk/fields";
-var uiThemeEntity;
-var init_ui_theme_entity = __esm({
-  "src/modules/ui-settings/ui-theme.entity.ts"() {
-    "use strict";
-    uiThemeEntity = {
-      type: "single",
-      realtime: "sync",
-      key: "ui_theme",
-      label: { en: "Theme & Colors", es: "Tema y Colores" },
-      icon: "mdi:palette",
-      public: true,
-      routePrefix: "/ui-theme",
-      defaults: {
-        // Typography
-        font: "space-grotesk",
-        // Theme & Colors
-        theme: "system",
-        primaryColor: "#3B82F6",
-        dopamineTheme: "none",
-        // Layout
-        loginLayout: "centered"
-      },
-      fields: {
-        // === Typography ===
+        }),
+        primaryColor: useColorField({
+          label: { en: "Primary Color", es: "Color Principal" },
+          hint: { en: "Accent color for buttons, links and highlights", es: "Color de acento para botones, enlaces y resaltados" }
+        }),
         font: useSelectField6({
           label: { en: "Font", es: "Fuente" },
-          hint: { en: "Primary font for headings and UI elements", es: "Fuente principal para t\xEDtulos y elementos de interfaz" },
+          hint: { en: "Primary font for headings and UI", es: "Fuente principal para t\xEDtulos e interfaz" },
           options: [
             { value: "space-grotesk", label: "Space Grotesk" },
             { value: "inter", label: "Inter" },
@@ -10488,37 +10464,38 @@ var init_ui_theme_entity = __esm({
             { value: "system", label: { en: "System Default", es: "Sistema" } }
           ]
         }),
-        // === Theme & Colors ===
+        typographyScale: useSelectField6({
+          label: { en: "Typography Scale", es: "Escala Tipogr\xE1fica" },
+          hint: { en: "Font size scaling (WCAG 1.4.4)", es: "Escala de tama\xF1os de fuente (WCAG 1.4.4)" },
+          options: [
+            { value: "compact", label: { en: "Compact", es: "Compacta" } },
+            { value: "default", label: { en: "Default", es: "Por defecto" } },
+            { value: "relaxed", label: { en: "Relaxed", es: "Relajada" } }
+          ]
+        }),
+        borderRadius: useNumberField4({
+          label: { en: "Border Radius", es: "Radio de Bordes" },
+          hint: { en: "Corner roundness in pixels (0 = sharp, 16 = very round)", es: "Redondeo de esquinas en p\xEDxeles (0 = cuadrado, 16 = muy redondo)" },
+          defaultValue: 8,
+          validation: { min: 0, max: 16 }
+        }),
+        glassEffect: useSwitchField2({
+          label: { en: "Glass Effect", es: "Efecto Glass" },
+          hint: { en: "Glassmorphism blur on cards and modals", es: "Desenfoque glassmorphism en cards y modales" },
+          defaultValue: true
+        }),
         theme: useSelectField6({
           label: { en: "Theme", es: "Tema" },
-          hint: { en: "System follows your device preferences", es: "Sistema sigue las preferencias de tu dispositivo" },
+          hint: { en: "System follows device preferences", es: "Sistema sigue las preferencias del dispositivo" },
           options: [
             { value: "light", label: { en: "Light", es: "Claro" } },
             { value: "dark", label: { en: "Dark", es: "Oscuro" } },
             { value: "system", label: { en: "System", es: "Sistema" } }
           ]
         }),
-        dopamineTheme: useSelectField6({
-          label: { en: "Dopamine Theme", es: "Tema Dopamina" },
-          hint: { en: "Vibrant color presets optimized for light and dark modes (2025/2026 trends)", es: "Presets de colores vibrantes optimizados para modo claro y oscuro (tendencias 2025/2026)" },
-          options: [
-            { value: "none", label: { en: "None (Custom Color)", es: "Ninguno (Color personalizado)" } },
-            { value: "electric", label: { en: "Electric (Cobalt Blue)", es: "El\xE9ctrico (Azul Cobalto)" } },
-            { value: "sunset", label: { en: "Sunset (Coral Red)", es: "Atardecer (Rojo Coral)" } },
-            { value: "ocean", label: { en: "Ocean (Teal)", es: "Oc\xE9ano (Verde Azulado)" } },
-            { value: "forest", label: { en: "Forest (Mint)", es: "Bosque (Menta)" } },
-            { value: "lavender", label: { en: "Lavender (Violet)", es: "Lavanda (Violeta)" } },
-            { value: "cherry", label: { en: "Cherry (Fuchsia)", es: "Cereza (Fucsia)" } },
-            { value: "amber", label: { en: "Amber (Golden)", es: "\xC1mbar (Dorado)" } },
-            { value: "tangerine", label: { en: "Tangerine (Orange)", es: "Mandarina (Naranja)" } },
-            { value: "slate", label: { en: "Slate (Cool Gray)", es: "Pizarra (Gris Fr\xEDo)" } },
-            { value: "bronze", label: { en: "Bronze (Earth)", es: "Bronce (Tierra)" } }
-          ]
-        }),
-        // === Login Layout ===
         loginLayout: useSelectField6({
           label: { en: "Login Layout", es: "Dise\xF1o de Login" },
-          hint: { en: "Visual layout for authentication pages", es: "Dise\xF1o visual para p\xE1ginas de autenticaci\xF3n" },
+          hint: { en: "Auth page visual layout", es: "Dise\xF1o visual de p\xE1ginas de autenticaci\xF3n" },
           options: [
             { value: "centered", label: { en: "Centered", es: "Centrado" } },
             { value: "split", label: { en: "Split", es: "Dividido" } },
@@ -10526,140 +10503,10 @@ var init_ui_theme_entity = __esm({
             { value: "floating", label: { en: "Floating", es: "Flotante" } },
             { value: "minimal", label: { en: "Minimal", es: "Minimalista" } }
           ]
-        }),
-        primaryColor: {
-          ...useColorField({
-            label: { en: "Primary Color", es: "Color Principal" },
-            hint: { en: "Custom accent color for buttons, links and highlights", es: "Color de acento personalizado para botones, enlaces y resaltados" }
-          }),
-          // Hide when a dopamine theme is active (show only if 'none')
-          hidden: { field: "dopamineTheme", $ne: "none" }
-        }
-      },
-      casl: {
-        subject: "UiTheme",
-        permissions: {
-          ADMIN: { actions: ["read", "update"] }
-        }
-      }
-    };
-  }
-});
-
-// src/modules/ui-settings/ui-effects.entity.ts
-import { useSelectField as useSelectField7, useSwitchField as useSwitchField2 } from "@gzl10/nexus-sdk/fields";
-var uiEffectsEntity;
-var init_ui_effects_entity = __esm({
-  "src/modules/ui-settings/ui-effects.entity.ts"() {
-    "use strict";
-    uiEffectsEntity = {
-      type: "single",
-      realtime: "sync",
-      key: "ui_effects",
-      label: { en: "Visual Effects", es: "Efectos Visuales" },
-      icon: "mdi:shimmer",
-      public: true,
-      routePrefix: "/ui-effects",
-      defaults: {
-        glassIntensity: "medium",
-        borderStyle: "rounded",
-        enableAnimations: true,
-        enableOrganicShapes: false
-      },
-      fields: {
-        glassIntensity: useSelectField7({
-          label: { en: "Glass Intensity", es: "Intensidad Glass" },
-          hint: { en: "Glassmorphism blur effect on cards and modals", es: "Efecto de desenfoque glassmorphism en cards y modales" },
-          options: [
-            { value: "none", label: { en: "None", es: "Ninguno" } },
-            { value: "low", label: { en: "Low", es: "Baja" } },
-            { value: "medium", label: { en: "Medium", es: "Media" } },
-            { value: "high", label: { en: "High", es: "Alta" } }
-          ]
-        }),
-        borderStyle: useSelectField7({
-          label: { en: "Border Style", es: "Estilo de Bordes" },
-          hint: { en: "Corner radius for buttons, cards and inputs", es: "Radio de esquinas para botones, cards e inputs" },
-          options: [
-            { value: "sharp", label: { en: "Sharp", es: "Cuadrados" } },
-            { value: "rounded", label: { en: "Rounded", es: "Redondeados" } },
-            { value: "organic", label: { en: "Organic", es: "Org\xE1nicos" } }
-          ]
-        }),
-        enableAnimations: useSwitchField2({
-          label: { en: "Enable Animations", es: "Habilitar Animaciones" },
-          hint: { en: "Micro-interactions and transitions (hover, focus, page changes)", es: "Micro-interacciones y transiciones (hover, focus, cambios de p\xE1gina)" },
-          defaultValue: true,
-          meta: { sortable: true }
-        }),
-        enableOrganicShapes: useSwitchField2({
-          label: { en: "Enable Organic Shapes", es: "Habilitar Formas Org\xE1nicas" },
-          hint: { en: "Asymmetric border-radius for a more natural, playful look", es: "Border-radius asim\xE9trico para un aspecto m\xE1s natural y divertido" },
-          defaultValue: false,
-          meta: { sortable: true },
-          hidden: { field: "borderStyle", $ne: "organic" }
         })
       },
       casl: {
-        subject: "UiEffects",
-        permissions: {
-          ADMIN: { actions: ["read", "update"] }
-        }
-      }
-    };
-  }
-});
-
-// src/modules/ui-settings/ui-accessibility.entity.ts
-import { useSelectField as useSelectField8, useSwitchField as useSwitchField3 } from "@gzl10/nexus-sdk/fields";
-var uiAccessibilityEntity;
-var init_ui_accessibility_entity = __esm({
-  "src/modules/ui-settings/ui-accessibility.entity.ts"() {
-    "use strict";
-    uiAccessibilityEntity = {
-      type: "single",
-      realtime: "sync",
-      key: "ui_accessibility",
-      label: { en: "Accessibility", es: "Accesibilidad" },
-      icon: "mdi:human",
-      public: true,
-      routePrefix: "/ui-accessibility",
-      defaults: {
-        typographyScale: "default",
-        reducedMotion: false,
-        highContrast: false
-      },
-      fields: {
-        typographyScale: useSelectField8({
-          label: { en: "Typography Scale", es: "Escala Tipogr\xE1fica" },
-          hint: { en: "Adjusts font sizes for better readability (WCAG 1.4.4)", es: "Ajusta tama\xF1os de fuente para mejor legibilidad (WCAG 1.4.4)" },
-          options: [
-            { value: "compact", label: { en: "Compact (smaller)", es: "Compacta (m\xE1s peque\xF1a)" } },
-            { value: "default", label: { en: "Default", es: "Por defecto" } },
-            { value: "relaxed", label: { en: "Relaxed (larger)", es: "Relajada (m\xE1s grande)" } }
-          ]
-        }),
-        reducedMotion: useSwitchField3({
-          label: { en: "Reduced Motion", es: "Movimiento Reducido" },
-          defaultValue: false,
-          meta: { sortable: true },
-          hint: {
-            en: "Minimizes animations for users sensitive to motion (WCAG 2.1)",
-            es: "Minimiza animaciones para usuarios sensibles al movimiento (WCAG 2.1)"
-          }
-        }),
-        highContrast: useSwitchField3({
-          label: { en: "High Contrast", es: "Alto Contraste" },
-          defaultValue: false,
-          meta: { sortable: true },
-          hint: {
-            en: "Increases text contrast for better readability (WCAG AAA)",
-            es: "Aumenta el contraste del texto para mejor legibilidad (WCAG AAA)"
-          }
-        })
-      },
-      casl: {
-        subject: "UiAccessibility",
+        subject: "UiStyleGuide",
         permissions: {
           ADMIN: { actions: ["read", "update"] }
         }
@@ -10669,44 +10516,62 @@ var init_ui_accessibility_entity = __esm({
 });
 
 // src/modules/ui-settings/index.ts
+import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
+import { join as join6 } from "path";
 var uiSettingsModule;
 var init_ui_settings = __esm({
   "src/modules/ui-settings/index.ts"() {
     "use strict";
-    init_ui_branding_entity();
-    init_ui_theme_entity();
-    init_ui_effects_entity();
-    init_ui_accessibility_entity();
-    init_ui_branding_entity();
-    init_ui_theme_entity();
-    init_ui_effects_entity();
-    init_ui_accessibility_entity();
+    init_ui_style_guide_entity();
+    init_ui_style_guide_entity();
     uiSettingsModule = {
       name: "ui-settings",
-      label: { en: "UI Settings", es: "Configuraci\xF3n de UI" },
+      label: { en: "Style Guide", es: "Gu\xEDa de Estilos" },
       icon: "mdi:palette-outline",
       description: {
-        en: "User interface configuration: branding, themes, visual effects, and accessibility",
-        es: "Configuraci\xF3n de interfaz de usuario: marca, temas, efectos visuales y accesibilidad"
+        en: "Brand identity and visual style configuration",
+        es: "Configuraci\xF3n de identidad de marca y estilo visual"
       },
       type: "core",
       category: "settings",
       dependencies: ["logger"],
-      definitions: [
-        uiBrandingEntity,
-        uiThemeEntity,
-        uiEffectsEntity,
-        uiAccessibilityEntity
-      ],
-      routePrefix: "/ui-settings"
+      definitions: [uiStyleGuideEntity],
+      routePrefix: "/ui-settings",
+      /**
+       * Seed style guide from data/seeds/ui-style-guide.json if it exists.
+       * Idempotent: only inserts if no record exists yet.
+       *
+       * Workflow:
+       * 1. Configure style guide in dev via admin UI
+       * 2. Export: GET /api/v1/ui-settings/ui-style-guide → save to data/seeds/ui-style-guide.json
+       * 3. Commit the seed file
+       * 4. On other environments, seed runs automatically on startup
+       */
+      seed: async (ctx) => {
+        const db2 = ctx.db.knex;
+        const existing = await db2("single_records").where("key", "ui_style_guide").first();
+        if (existing) return;
+        const seedPath = join6(process.cwd(), "data", "seeds", "ui-style-guide.json");
+        if (!existsSync5(seedPath)) return;
+        try {
+          const seedData = JSON.parse(readFileSync4(seedPath, "utf-8"));
+          await db2("single_records").insert({
+            key: "ui_style_guide",
+            value: JSON.stringify(seedData)
+          });
+          ctx.core.logger.info("Seeded ui_style_guide from data/seeds/ui-style-guide.json");
+        } catch {
+          ctx.core.logger.warn("Failed to parse data/seeds/ui-style-guide.json, skipping seed");
+        }
+      }
     };
   }
 });
 
 // src/modules/storage/drivers/filesystem.driver.ts
-import { createReadStream, createWriteStream, existsSync as existsSync5, unlinkSync, mkdirSync as mkdirSync2 } from "fs";
+import { createReadStream, createWriteStream, existsSync as existsSync6, unlinkSync, mkdirSync as mkdirSync2 } from "fs";
 import { readFile, readdir, stat, copyFile, rename, mkdir } from "fs/promises";
-import { join as join6, dirname as dirname4, extname, basename } from "path";
+import { join as join7, dirname as dirname4, extname, basename } from "path";
 import { createHash } from "crypto";
 var FilesystemDriver;
 var init_filesystem_driver = __esm({
@@ -10720,7 +10585,7 @@ var init_filesystem_driver = __esm({
         this.basePath = config3.basePath;
         this.baseUrl = config3.baseUrl;
         this.generateId = config3.generateId;
-        if (!existsSync5(this.basePath)) {
+        if (!existsSync6(this.basePath)) {
           mkdirSync2(this.basePath, { recursive: true });
         }
       }
@@ -10730,9 +10595,9 @@ var init_filesystem_driver = __esm({
         const diskFilename = `${id}${ext}`;
         const folder = options?.folder || "";
         const relativePath = folder ? `${folder}/${diskFilename}` : diskFilename;
-        const fullPath = join6(this.basePath, relativePath);
+        const fullPath = join7(this.basePath, relativePath);
         const dir = dirname4(fullPath);
-        if (!existsSync5(dir)) {
+        if (!existsSync6(dir)) {
           mkdirSync2(dir, { recursive: true });
         }
         const hash = createHash("sha256").update(buffer).digest("hex");
@@ -10756,25 +10621,25 @@ var init_filesystem_driver = __esm({
         };
       }
       async get(path4) {
-        const fullPath = join6(this.basePath, path4);
-        if (!existsSync5(fullPath)) {
+        const fullPath = join7(this.basePath, path4);
+        if (!existsSync6(fullPath)) {
           throw new Error(`File not found: ${path4}`);
         }
         return createReadStream(fullPath);
       }
       async getBuffer(path4) {
-        const fullPath = join6(this.basePath, path4);
+        const fullPath = join7(this.basePath, path4);
         return readFile(fullPath);
       }
       async delete(path4) {
-        const fullPath = join6(this.basePath, path4);
-        if (existsSync5(fullPath)) {
+        const fullPath = join7(this.basePath, path4);
+        if (existsSync6(fullPath)) {
           unlinkSync(fullPath);
         }
       }
       async exists(path4) {
-        const fullPath = join6(this.basePath, path4);
-        return existsSync5(fullPath);
+        const fullPath = join7(this.basePath, path4);
+        return existsSync6(fullPath);
       }
       getUrl(path4) {
         if (!this.baseUrl) return null;
@@ -10784,14 +10649,14 @@ var init_filesystem_driver = __esm({
       // EXTENDED METHODS
       // ============================================================================
       async list(folder) {
-        const targetPath = folder ? join6(this.basePath, folder) : this.basePath;
-        if (!existsSync5(targetPath)) {
+        const targetPath = folder ? join7(this.basePath, folder) : this.basePath;
+        if (!existsSync6(targetPath)) {
           return [];
         }
         const entries = await readdir(targetPath, { withFileTypes: true });
         const results = [];
         for (const entry of entries) {
-          const entryPath = join6(targetPath, entry.name);
+          const entryPath = join7(targetPath, entry.name);
           const relativePath = folder ? `${folder}/${entry.name}` : entry.name;
           const stats = await stat(entryPath);
           results.push({
@@ -10805,10 +10670,10 @@ var init_filesystem_driver = __esm({
         return results;
       }
       async copy(src, dst) {
-        const srcPath = join6(this.basePath, src);
-        const dstPath = join6(this.basePath, dst);
+        const srcPath = join7(this.basePath, src);
+        const dstPath = join7(this.basePath, dst);
         const dstDir = dirname4(dstPath);
-        if (!existsSync5(dstDir)) {
+        if (!existsSync6(dstDir)) {
           await mkdir(dstDir, { recursive: true });
         }
         await copyFile(srcPath, dstPath);
@@ -10831,10 +10696,10 @@ var init_filesystem_driver = __esm({
         };
       }
       async move(src, dst) {
-        const srcPath = join6(this.basePath, src);
-        const dstPath = join6(this.basePath, dst);
+        const srcPath = join7(this.basePath, src);
+        const dstPath = join7(this.basePath, dst);
         const dstDir = dirname4(dstPath);
-        if (!existsSync5(dstDir)) {
+        if (!existsSync6(dstDir)) {
           await mkdir(dstDir, { recursive: true });
         }
         await rename(srcPath, dstPath);
@@ -10857,7 +10722,7 @@ var init_filesystem_driver = __esm({
         };
       }
       async getMetadata(path4) {
-        const fullPath = join6(this.basePath, path4);
+        const fullPath = join7(this.basePath, path4);
         const stats = await stat(fullPath);
         return {
           path: path4,
@@ -10871,8 +10736,8 @@ var init_filesystem_driver = __esm({
         throw new Error("Signed URLs are not supported by the filesystem driver");
       }
       async createFolder(path4) {
-        const fullPath = join6(this.basePath, path4);
-        if (!existsSync5(fullPath)) {
+        const fullPath = join7(this.basePath, path4);
+        if (!existsSync6(fullPath)) {
           await mkdir(fullPath, { recursive: true });
         }
       }
@@ -11103,8 +10968,8 @@ var init_s3_driver = __esm({
 });
 
 // src/modules/storage/storage.config.ts
-import { join as join7, isAbsolute } from "path";
-import { existsSync as existsSync6, mkdirSync as mkdirSync3 } from "fs";
+import { join as join8, isAbsolute } from "path";
+import { existsSync as existsSync7, mkdirSync as mkdirSync3 } from "fs";
 function getDefaultScope(driver) {
   return driver === "s3" ? DEFAULT_S3_SCOPE : DEFAULT_FILESYSTEM_SCOPE;
 }
@@ -11119,7 +10984,7 @@ function resolveStoragePath(path4, projPath) {
     return path4;
   }
   const cleanPath = path4.startsWith("./") ? path4.slice(2) : path4;
-  return join7(projPath, "data", cleanPath);
+  return join8(projPath, "data", cleanPath);
 }
 async function getConfigByScope(db2, scope) {
   if (!generateIdFn) {
@@ -11150,7 +11015,7 @@ function buildConfigFromRow(row) {
   if (row.driver === "filesystem") {
     const fsMeta = metadata;
     config3.basePath = resolveStoragePath(fsMeta.basePath || "./storage", projectPath);
-    if (!existsSync6(config3.basePath)) {
+    if (!existsSync7(config3.basePath)) {
       mkdirSync3(config3.basePath, { recursive: true });
     }
   } else if (row.driver === "s3") {
@@ -11182,7 +11047,7 @@ function buildConfigFromEnv(driver) {
   if (driver === "filesystem") {
     const rawPath = process.env["STORAGE_PATH"] || "./storage";
     config3.basePath = resolveStoragePath(rawPath, projectPath);
-    if (!existsSync6(config3.basePath)) {
+    if (!existsSync7(config3.basePath)) {
       mkdirSync3(config3.basePath, { recursive: true });
     }
   } else if (driver === "s3") {
@@ -11621,7 +11486,7 @@ var init_storage_service = __esm({
 });
 
 // src/modules/storage/storage.entity.ts
-import { useIdField as useIdField3, useTextField as useTextField8, useSelectField as useSelectField9, useUrlField, useNumberField as useNumberField4, useCheckboxField as useCheckboxField3, useJsonField as useJsonField2, useMetadataField, usePublicField } from "@gzl10/nexus-sdk/fields";
+import { useIdField as useIdField3, useTextField as useTextField8, useSelectField as useSelectField7, useUrlField, useNumberField as useNumberField5, useCheckboxField as useCheckboxField3, useJsonField as useJsonField2, useMetadataField, usePublicField } from "@gzl10/nexus-sdk/fields";
 var DEFAULT_MAX_SIZE2, storageConfigEntity, storageFilesEntity;
 var init_storage_entity = __esm({
   "src/modules/storage/storage.entity.ts"() {
@@ -11656,7 +11521,7 @@ var init_storage_entity = __esm({
           hint: { en: "Unique identifier (e.g. default_filesystem, default_s3)", es: "Identificador \xFAnico (ej: default_filesystem, default_s3)" }
         }),
         driver: {
-          ...useSelectField9({
+          ...useSelectField7({
             label: { en: "Driver", es: "Controlador" },
             required: true,
             hint: { en: "Storage backend", es: "Backend de almacenamiento" },
@@ -11673,7 +11538,7 @@ var init_storage_entity = __esm({
           size: 500,
           nullable: true
         }),
-        max_file_size: useNumberField4({
+        max_file_size: useNumberField5({
           label: { en: "Max File Size (bytes)", es: "Tama\xF1o m\xE1ximo de archivo (bytes)" },
           hint: { en: "Maximum size in bytes (default: 10MB = 10485760)", es: "Tama\xF1o m\xE1ximo en bytes (default: 10MB = 10485760)" },
           nullable: false,
@@ -11866,7 +11731,7 @@ var init_storage_entity = __esm({
           index: true,
           meta: { sortable: true, searchable: true }
         }),
-        size: useNumberField4({
+        size: useNumberField5({
           label: { en: "Size", es: "Tama\xF1o" },
           required: true,
           nullable: false,
@@ -12408,7 +12273,7 @@ var init_storage = __esm({
 });
 
 // src/modules/users/users.entity.ts
-import { useIdField as useIdField4, useSelectField as useSelectField10, useEmailField, usePasswordField, useTextField as useTextField9, useDatetimeField as useDatetimeField3, useCheckboxField as useCheckboxField4, useImageField as useImageField2, useNameField as useNameField2, useMetadataField as useMetadataField2, useDescriptionField as useDescriptionField2 } from "@gzl10/nexus-sdk/fields";
+import { useIdField as useIdField4, useSelectField as useSelectField8, useEmailField, usePasswordField, useTextField as useTextField9, useDatetimeField as useDatetimeField3, useCheckboxField as useCheckboxField4, useImageField as useImageField2, useNameField as useNameField2, useMetadataField as useMetadataField2, useDescriptionField as useDescriptionField2 } from "@gzl10/nexus-sdk/fields";
 import { z as z2 } from "zod";
 var userEntity, roleEntity, userRoleEntity;
 var init_users_entity = __esm({
@@ -12482,7 +12347,7 @@ var init_users_entity = __esm({
           label: { en: "Marketing Opt-in", es: "Aceptar marketing" },
           meta: { exportable: true, showInForm: false, showInDisplay: false }
         }),
-        locale: useSelectField10({
+        locale: useSelectField8({
           label: { en: "Language", es: "Idioma" },
           options: [
             { value: "es", label: { en: "Spanish", es: "Espa\xF1ol" } },
@@ -12492,13 +12357,13 @@ var init_users_entity = __esm({
           meta: { sortable: true },
           defaultValue: "en"
         }),
-        timezone: useSelectField10({
+        timezone: useSelectField8({
           label: { en: "Timezone", es: "Zona horaria" },
           master: "timezones",
           meta: { sortable: true },
           defaultValue: "timezones:Europe/Madrid"
         }),
-        type: useSelectField10({
+        type: useSelectField8({
           label: { en: "Type", es: "Tipo" },
           defaultValue: "human",
           options: [
@@ -12667,7 +12532,7 @@ var init_users_entity = __esm({
       expose: false,
       fields: {
         id: useIdField4(),
-        user_id: useSelectField10({
+        user_id: useSelectField8({
           label: { en: "User", es: "Usuario" },
           required: true,
           table: "users",
@@ -12678,7 +12543,7 @@ var init_users_entity = __esm({
           labelField: "name",
           meta: { searchable: true }
         }),
-        role_id: useSelectField10({
+        role_id: useSelectField8({
           label: { en: "Role", es: "Rol" },
           required: true,
           table: "roles",
@@ -13622,7 +13487,7 @@ var init_users = __esm({
 });
 
 // src/modules/auth/auth.entity.ts
-import { useIdField as useIdField5, useTextField as useTextField10, useSelectField as useSelectField11, useDatetimeField as useDatetimeField4, useEmailField as useEmailField2, useMetadataField as useMetadataField3, useExpiresAtField } from "@gzl10/nexus-sdk/fields";
+import { useIdField as useIdField5, useTextField as useTextField10, useSelectField as useSelectField9, useDatetimeField as useDatetimeField4, useEmailField as useEmailField2, useMetadataField as useMetadataField3, useExpiresAtField } from "@gzl10/nexus-sdk/fields";
 var refreshTokenEntity, authIdentitiesEntity;
 var init_auth_entity = __esm({
   "src/modules/auth/auth.entity.ts"() {
@@ -13703,7 +13568,7 @@ var init_auth_entity = __esm({
       order: 5,
       fields: {
         id: useIdField5(),
-        user_id: useSelectField11({
+        user_id: useSelectField9({
           label: { en: "User", es: "Usuario" },
           table: "users",
           column: "id",
@@ -13787,8 +13652,327 @@ var init_auth_routes = __esm({
   }
 });
 
-// src/modules/auth/auth.config.ts
+// src/config/env.ts
 import { z as z4 } from "zod";
+function resolveConfig() {
+  env = envSchema.parse(process.env);
+  process.env["TZ"] = env.TZ;
+  resolvedConfig = {
+    nodeEnv: env.NODE_ENV,
+    port: env.PORT,
+    host: "0.0.0.0",
+    ui: {
+      enabled: env.NEXUS_UI_ENABLED,
+      base: env.NEXUS_UI_BASE,
+      path: env.NEXUS_UI_PATH
+    },
+    corsOrigin: env.CORS_ORIGIN,
+    databaseUrl: env.DATABASE_URL,
+    adminEmail: env.ADMIN_EMAIL,
+    adminPassword: env.ADMIN_PASSWORD,
+    timezone: env.TZ
+  };
+  return resolvedConfig;
+}
+function getConfig() {
+  if (!resolvedConfig) {
+    return resolveConfig();
+  }
+  return resolvedConfig;
+}
+function resetConfig() {
+  resolvedConfig = null;
+}
+var envSchema, env, resolvedConfig;
+var init_env = __esm({
+  "src/config/env.ts"() {
+    "use strict";
+    envSchema = z4.object({
+      NODE_ENV: z4.enum(["development", "production", "test"]).default("development"),
+      PORT: z4.coerce.number().default(3e3),
+      CORS_ORIGIN: z4.string().default("*"),
+      BACKEND_URL: z4.string().optional(),
+      DATABASE_URL: z4.string().default("file:./dev.db"),
+      REDIS_URL: z4.string().url().optional(),
+      REDIS_PREFIX: z4.string().default("nexus"),
+      ADMIN_EMAIL: z4.string().email().optional(),
+      ADMIN_PASSWORD: z4.string().min(6).optional(),
+      COOKIE_DOMAIN: z4.string().optional(),
+      TZ: z4.string().default("UTC"),
+      TRUST_PROXY: z4.coerce.boolean().default(false),
+      NEXUS_UI_ENABLED: z4.coerce.boolean().default(true),
+      NEXUS_UI_BASE: z4.string().default("/"),
+      NEXUS_UI_PATH: z4.string().default("../ui/dist"),
+      NEXUS_CHECK_DRIFT: z4.coerce.boolean().optional(),
+      NEXUS_FAIL_ON_DRIFT: z4.coerce.boolean().optional(),
+      FRPC_SERVER: z4.string().optional(),
+      FRPC_SERVER_PORT: z4.coerce.number().default(7e3),
+      FRPC_TOKEN: z4.string().optional(),
+      FRPC_SUBDOMAIN: z4.string().optional()
+    });
+    env = envSchema.parse(process.env);
+    process.env["TZ"] = env.TZ;
+    resolvedConfig = null;
+  }
+});
+
+// src/db/sql-utils.ts
+function extractTableFromSql(sql, type2) {
+  const match = sql.match(SQL_PATTERNS[type2]);
+  return match?.[1];
+}
+function extractTableFromSelect(sql) {
+  return extractTableFromSql(sql, "select");
+}
+function extractTableFromInsert(sql) {
+  return extractTableFromSql(sql, "insert");
+}
+function extractTableFromUpdate(sql) {
+  return extractTableFromSql(sql, "update");
+}
+function extractTableFromDelete(sql) {
+  return extractTableFromSql(sql, "delete");
+}
+var SQL_PATTERNS;
+var init_sql_utils = __esm({
+  "src/db/sql-utils.ts"() {
+    "use strict";
+    SQL_PATTERNS = {
+      select: /from\s+["'`]?(\w+)["'`]?/i,
+      insert: /insert into\s+["'`]?(\w+)["'`]?/i,
+      update: /update\s+["'`]?(\w+)["'`]?/i,
+      delete: /delete from\s+["'`]?(\w+)["'`]?/i
+    };
+  }
+});
+
+// src/db/sqlite-compat.ts
+function createSqliteBooleanProcessor() {
+  const booleanColumns = /* @__PURE__ */ new Map();
+  function registerBooleanColumn2(table, column) {
+    if (!booleanColumns.has(table)) {
+      booleanColumns.set(table, /* @__PURE__ */ new Set());
+    }
+    booleanColumns.get(table).add(column);
+  }
+  function convertBooleans2(table, row) {
+    const columns = booleanColumns.get(table);
+    if (!columns || columns.size === 0) return row;
+    const result = { ...row };
+    for (const column of columns) {
+      if (column in result) {
+        const value = result[column];
+        if (value === 0 || value === 1) {
+          result[column] = value === 1;
+        }
+      }
+    }
+    return result;
+  }
+  function postProcess(result, queryContext) {
+    const sql = queryContext?.sql?.toLowerCase() ?? "";
+    if (!sql.startsWith("select")) return result;
+    const table = extractTableFromSelect(sql);
+    if (!table) return result;
+    if (Array.isArray(result)) {
+      return result.map(
+        (row) => typeof row === "object" && row !== null ? convertBooleans2(table, row) : row
+      );
+    }
+    if (typeof result === "object" && result !== null) {
+      return convertBooleans2(table, result);
+    }
+    return result;
+  }
+  function clear() {
+    booleanColumns.clear();
+  }
+  return { registerBooleanColumn: registerBooleanColumn2, convertBooleans: convertBooleans2, postProcess, clear };
+}
+var defaultProcessor, registerBooleanColumn, convertBooleans, sqlitePostProcess;
+var init_sqlite_compat = __esm({
+  "src/db/sqlite-compat.ts"() {
+    "use strict";
+    init_sql_utils();
+    defaultProcessor = createSqliteBooleanProcessor();
+    registerBooleanColumn = defaultProcessor.registerBooleanColumn;
+    convertBooleans = defaultProcessor.convertBooleans;
+    sqlitePostProcess = defaultProcessor.postProcess;
+  }
+});
+
+// src/config/database.ts
+import { join as join9, dirname as dirname6, isAbsolute as isAbsolute2 } from "path";
+import { mkdirSync as mkdirSync4 } from "fs";
+function getDatabaseConfig() {
+  const url = getConfig().databaseUrl;
+  if (IN_MEMORY_RE.test(url)) {
+    return {
+      client: "better-sqlite3",
+      connection: { filename: ":memory:" },
+      useNullAsDefault: true,
+      postProcessResponse: sqlitePostProcess,
+      pool: { min: 0, max: 1 }
+    };
+  }
+  if (url.startsWith("file:") || url.startsWith("sqlite:")) {
+    let filename = url.replace(/^(file:|sqlite:)/, "");
+    if (!isAbsolute2(filename)) {
+      filename = join9(getProjectPath(), "data", filename);
+    }
+    mkdirSync4(dirname6(filename), { recursive: true });
+    return {
+      client: "better-sqlite3",
+      connection: { filename },
+      useNullAsDefault: true,
+      postProcessResponse: sqlitePostProcess
+    };
+  }
+  if (url.startsWith("postgresql://") || url.startsWith("postgres://")) {
+    return {
+      client: "pg",
+      connection: url,
+      pool: { min: 2, max: 10 }
+    };
+  }
+  if (url.startsWith("mysql://")) {
+    const offsetMinutes = (/* @__PURE__ */ new Date()).getTimezoneOffset();
+    const offsetHours = Math.abs(Math.floor(offsetMinutes / 60));
+    const offsetMins = Math.abs(offsetMinutes % 60);
+    const sign = offsetMinutes <= 0 ? "+" : "-";
+    const tzOffset = `${sign}${String(offsetHours).padStart(2, "0")}:${String(offsetMins).padStart(2, "0")}`;
+    return {
+      client: "mysql2",
+      connection: {
+        uri: url,
+        timezone: tzOffset
+        // mysql2 requiere formato "+HH:MM"
+      },
+      pool: { min: 2, max: 10 }
+    };
+  }
+  throw new Error(`Unsupported database URL: ${url}`);
+}
+function getDatabaseType() {
+  const url = getConfig().databaseUrl;
+  if (IN_MEMORY_RE.test(url) || url.startsWith("file:") || url.startsWith("sqlite:")) return "sqlite";
+  if (url.startsWith("postgresql://") || url.startsWith("postgres://")) return "postgresql";
+  if (url.startsWith("mysql://")) return "mysql";
+  return "sqlite";
+}
+function getDatabasePath() {
+  const url = getConfig().databaseUrl;
+  if (IN_MEMORY_RE.test(url)) return ":memory:";
+  if (url.startsWith("file:") || url.startsWith("sqlite:")) {
+    let filename = url.replace(/^(file:|sqlite:)/, "");
+    if (!isAbsolute2(filename)) {
+      filename = join9(getProjectPath(), "data", filename);
+    }
+    return filename;
+  }
+  try {
+    const parsed = new URL(url);
+    parsed.password = "***";
+    return parsed.toString();
+  } catch {
+    return url.replace(/:\/\/[^@]+@/, "://***@");
+  }
+}
+var IN_MEMORY_RE;
+var init_database = __esm({
+  "src/config/database.ts"() {
+    "use strict";
+    init_env();
+    init_paths();
+    init_sqlite_compat();
+    IN_MEMORY_RE = /^((file:|sqlite:)?:memory:?)$/;
+  }
+});
+
+// src/core/crypto/secret-resolver.ts
+import { randomBytes } from "crypto";
+function setSecretResolverDb(db2) {
+  _db = db2;
+}
+function _resetSecretResolver() {
+  _secret = null;
+  _db = null;
+}
+async function initAuthSecret(logger2) {
+  const envSecret = process.env["AUTH_SECRET"];
+  if (envSecret) {
+    if (envSecret.length < 32) {
+      throw new Error(`AUTH_SECRET must be at least 32 characters (current: ${envSecret.length})`);
+    }
+    _secret = envSecret;
+    return;
+  }
+  if (!_db) {
+    throw new Error("Secret resolver: database not initialized. Call setSecretResolverDb() first.");
+  }
+  const existing = await _db(SINGLE_RECORDS).where("key", SECRET_KEY).first();
+  if (existing?.value) {
+    const parsed2 = typeof existing.value === "string" ? JSON.parse(existing.value) : existing.value;
+    if (parsed2.secret) {
+      _secret = parsed2.secret;
+      logger2.info("AUTH_SECRET loaded from database");
+      warnIfProduction(logger2);
+      return;
+    }
+  }
+  const generated = randomBytes(SECRET_LENGTH).toString("base64url");
+  const value = JSON.stringify({ secret: generated });
+  const id = randomBytes(13).toString("base64url");
+  const now = /* @__PURE__ */ new Date();
+  const dialect = getDatabaseType();
+  if (dialect === "postgresql") {
+    await _db.raw(
+      `INSERT INTO ${SINGLE_RECORDS} (id, key, value, created_at, updated_at) VALUES (?, ?, ?, ?, ?) ON CONFLICT (key) DO NOTHING`,
+      [id, SECRET_KEY, value, now, now]
+    );
+  } else if (dialect === "mysql") {
+    await _db.raw(
+      "INSERT IGNORE INTO `single_records` (id, `key`, value, created_at, updated_at) VALUES (?, ?, ?, ?, ?)",
+      [id, SECRET_KEY, value, now, now]
+    );
+  } else {
+    await _db.raw(
+      `INSERT OR IGNORE INTO ${SINGLE_RECORDS} (id, key, value, created_at, updated_at) VALUES (?, ?, ?, ?, ?)`,
+      [id, SECRET_KEY, value, now, now]
+    );
+  }
+  const persisted = await _db(SINGLE_RECORDS).where("key", SECRET_KEY).first();
+  const parsed = typeof persisted.value === "string" ? JSON.parse(persisted.value) : persisted.value;
+  _secret = parsed.secret;
+  logger2.info("AUTH_SECRET auto-generated and persisted in database");
+  warnIfProduction(logger2);
+}
+function warnIfProduction(logger2) {
+  if (process.env["NODE_ENV"] === "production") {
+    logger2.warn("AUTH_SECRET not set via environment. Using auto-generated secret from database. For multi-instance deployments, set AUTH_SECRET explicitly.");
+  }
+}
+function getAuthSecret() {
+  if (_secret) return _secret;
+  const envSecret = process.env["AUTH_SECRET"];
+  if (envSecret) return envSecret;
+  throw new Error("AUTH_SECRET not initialized. Call initAuthSecret() during startup.");
+}
+var SINGLE_RECORDS, SECRET_KEY, SECRET_LENGTH, _secret, _db;
+var init_secret_resolver = __esm({
+  "src/core/crypto/secret-resolver.ts"() {
+    "use strict";
+    init_database();
+    SINGLE_RECORDS = "single_records";
+    SECRET_KEY = "nexus_auth_secret";
+    SECRET_LENGTH = 48;
+    _secret = null;
+    _db = null;
+  }
+});
+
+// src/modules/auth/auth.config.ts
+import { z as z5 } from "zod";
 function configError(module, errors) {
   console.error(`
 ${"\u2550".repeat(60)}`);
@@ -13803,12 +13987,6 @@ function parseAuthEnv() {
   if (!result.success) {
     const errors = result.error.issues.map((issue) => {
       const path4 = issue.path.join(".");
-      if (path4 === "AUTH_SECRET" && issue.code === "invalid_type") {
-        return "AUTH_SECRET is required. Set it in your .env file or environment.";
-      }
-      if (path4 === "AUTH_SECRET" && issue.code === "too_small") {
-        return `AUTH_SECRET must be at least 32 characters (current: ${String(process.env["AUTH_SECRET"]).length})`;
-      }
       return `${path4}: ${issue.message}`;
     });
     configError("auth", errors);
@@ -13827,7 +14005,7 @@ function getAuthEnv() {
 function getAuthConfig() {
   const authEnv = getAuthEnv();
   return {
-    secret: authEnv.AUTH_SECRET,
+    secret: getAuthSecret(),
     accessExpires: authEnv.AUTH_ACCESS_EXPIRES,
     refreshExpires: authEnv.AUTH_REFRESH_EXPIRES,
     rateLimitMax: authEnv.AUTH_RATE_LIMIT_MAX,
@@ -13844,24 +14022,24 @@ var authEnvSchema, _authEnv;
 var init_auth_config = __esm({
   "src/modules/auth/auth.config.ts"() {
     "use strict";
-    authEnvSchema = z4.object({
-      AUTH_SECRET: z4.string().min(32, "AUTH_SECRET must be at least 32 characters"),
-      AUTH_ACCESS_EXPIRES: z4.string().default("15m"),
-      AUTH_REFRESH_EXPIRES: z4.string().default("7d"),
+    init_secret_resolver();
+    authEnvSchema = z5.object({
+      AUTH_ACCESS_EXPIRES: z5.string().default("15m"),
+      AUTH_REFRESH_EXPIRES: z5.string().default("7d"),
       // Rate limiting (default: 5 requests per 15 minutes)
-      AUTH_RATE_LIMIT_MAX: z4.coerce.number().default(5),
-      AUTH_RATE_LIMIT_WINDOW: z4.coerce.number().default(900),
+      AUTH_RATE_LIMIT_MAX: z5.coerce.number().default(5),
+      AUTH_RATE_LIMIT_WINDOW: z5.coerce.number().default(900),
       // seconds
       // Cookie domain for SSO across subdomains (e.g., '.example.com')
-      AUTH_COOKIE_DOMAIN: z4.string().optional(),
+      AUTH_COOKIE_DOMAIN: z5.string().optional(),
       // Challenge threshold: failed attempts before requiring OTP (default: 2)
-      AUTH_CHALLENGE_THRESHOLD: z4.coerce.number().default(2),
+      AUTH_CHALLENGE_THRESHOLD: z5.coerce.number().default(2),
       // Skip OTP verification for registration (DEVELOPMENT ONLY - rejected in production)
-      AUTH_SKIP_REGISTER_OTP: z4.coerce.boolean().default(false),
+      AUTH_SKIP_REGISTER_OTP: z5.coerce.boolean().default(false),
       // Disable self-registration via POST /auth/register (default: false)
-      AUTH_DISABLE_REGISTRATION: z4.coerce.boolean().default(false),
+      AUTH_DISABLE_REGISTRATION: z5.coerce.boolean().default(false),
       // Disable auto-creation of users on first OIDC login (default: false)
-      AUTH_DISABLE_AUTO_CREATE: z4.coerce.boolean().default(false)
+      AUTH_DISABLE_AUTO_CREATE: z5.coerce.boolean().default(false)
     });
   }
 });
@@ -14019,7 +14197,7 @@ var init_auth_middleware = __esm({
 });
 
 // src/modules/auth/auth.pat.entity.ts
-import { useIdField as useIdField6, useTextField as useTextField11, useSelectField as useSelectField12, useDatetimeField as useDatetimeField5, useExpiresAtField as useExpiresAtField2 } from "@gzl10/nexus-sdk/fields";
+import { useIdField as useIdField6, useTextField as useTextField11, useSelectField as useSelectField10, useDatetimeField as useDatetimeField5, useExpiresAtField as useExpiresAtField2 } from "@gzl10/nexus-sdk/fields";
 var personalTokenEntity;
 var init_auth_pat_entity = __esm({
   "src/modules/auth/auth.pat.entity.ts"() {
@@ -14036,7 +14214,7 @@ var init_auth_pat_entity = __esm({
       routePrefix: "/personal-tokens",
       fields: {
         id: useIdField6(),
-        user_id: useSelectField12({
+        user_id: useSelectField10({
           label: { en: "User", es: "Usuario" },
           table: "users",
           column: "id",
@@ -14071,7 +14249,7 @@ var init_auth_pat_entity = __esm({
           unique: true,
           meta: { exportable: false }
         }),
-        scope: useSelectField12({
+        scope: useSelectField10({
           label: { en: "Permission", es: "Permiso" },
           required: true,
           options: [
@@ -14096,44 +14274,8 @@ var init_auth_pat_entity = __esm({
         permissions: {
           "*": [
             { actions: ["read", "delete"], conditions: { user_id: "${user.id}" } }
-          ]
-        }
-      }
-    };
-  }
-});
-
-// src/modules/auth/actions/providers.action.ts
-var providersAction;
-var init_providers_action = __esm({
-  "src/modules/auth/actions/providers.action.ts"() {
-    "use strict";
-    init_auth_config();
-    providersAction = {
-      key: "providers",
-      label: { en: "Get Auth Providers", es: "Obtener proveedores de autenticaci\xF3n" },
-      icon: "mdi:account-key",
-      scope: "module",
-      hidden: true,
-      method: "GET",
-      skipAuth: true,
-      handler: async (ctx) => {
-        const providerServices = ctx.services.getBySuffix(".provider");
-        const results = await Promise.all(
-          providerServices.map(async ({ service }) => {
-            try {
-              return await service.getInfo();
-            } catch {
-              return null;
-            }
-          })
-        );
-        const providers = results.filter((info) => info !== null);
-        const config3 = getAuthConfig();
-        return {
-          providers,
-          registrationEnabled: !config3.disableRegistration
-        };
+          ]
+        }
       }
     };
   }
@@ -14695,7 +14837,6 @@ var authActions;
 var init_actions2 = __esm({
   "src/modules/auth/actions/index.ts"() {
     "use strict";
-    init_providers_action();
     init_login_action();
     init_register_action();
     init_forgot_password_action();
@@ -14711,7 +14852,6 @@ var init_actions2 = __esm({
     init_list_tokens_action();
     init_revoke_token_action();
     init_impersonate_action();
-    init_providers_action();
     init_login_action();
     init_register_action();
     init_forgot_password_action();
@@ -14727,7 +14867,6 @@ var init_actions2 = __esm({
     init_list_tokens_action();
     init_revoke_token_action();
     authActions = [
-      providersAction,
       loginAction,
       registerAction,
       forgotPasswordAction,
@@ -14946,7 +15085,7 @@ var init_otp_manager = __esm({
 });
 
 // src/modules/auth/auth.service.ts
-import { createHash as createHash4, randomBytes } from "crypto";
+import { createHash as createHash4, randomBytes as randomBytes2 } from "crypto";
 function createAuthService(ctx) {
   const { errors, abilities, crypto: crypto3 } = ctx.core;
   const { generateId: generateId4 } = ctx.core;
@@ -15363,7 +15502,7 @@ function createAuthService(ctx) {
     },
     // === Personal Access Tokens ===
     async createPersonalToken(userId, input, requestInfo) {
-      const rawToken = "nxs_" + randomBytes(32).toString("hex");
+      const rawToken = "nxs_" + randomBytes2(32).toString("hex");
       const tokenHash = createHash4("sha256").update(rawToken).digest("hex");
       const tokenPrefix = "nxs_..." + rawToken.slice(-6);
       const id = generateId4();
@@ -15529,38 +15668,38 @@ var init_auth_service = __esm({
 });
 
 // src/modules/auth/auth.types.ts
-import { z as z5 } from "zod";
+import { z as z6 } from "zod";
 var loginSchema, registerSchema, forgotPasswordSchema, resetPasswordSchema, createPersonalTokenSchema;
 var init_auth_types = __esm({
   "src/modules/auth/auth.types.ts"() {
     "use strict";
-    loginSchema = z5.object({
-      email: z5.string().email("Invalid email"),
-      password: z5.string().min(1, "Password required"),
-      otp: z5.string().length(6).optional(),
-      deviceId: z5.string().max(64).optional(),
-      deviceName: z5.string().max(100).optional()
+    loginSchema = z6.object({
+      email: z6.string().email("Invalid email"),
+      password: z6.string().min(1, "Password required"),
+      otp: z6.string().length(6).optional(),
+      deviceId: z6.string().max(64).optional(),
+      deviceName: z6.string().max(100).optional()
     });
-    registerSchema = z5.object({
-      email: z5.string().email("Invalid email"),
-      password: z5.string().min(8, "Password must be at least 8 characters"),
-      name: z5.string().min(2, "Name must be at least 2 characters"),
-      otp: z5.string().length(6).optional(),
-      deviceId: z5.string().max(64).optional(),
-      deviceName: z5.string().max(100).optional()
+    registerSchema = z6.object({
+      email: z6.string().email("Invalid email"),
+      password: z6.string().min(8, "Password must be at least 8 characters"),
+      name: z6.string().min(2, "Name must be at least 2 characters"),
+      otp: z6.string().length(6).optional(),
+      deviceId: z6.string().max(64).optional(),
+      deviceName: z6.string().max(100).optional()
     });
-    forgotPasswordSchema = z5.object({
-      email: z5.string().email("Invalid email")
+    forgotPasswordSchema = z6.object({
+      email: z6.string().email("Invalid email")
     });
-    resetPasswordSchema = z5.object({
-      email: z5.string().email("Invalid email"),
-      otp: z5.string().length(6, "OTP must be 6 digits"),
-      newPassword: z5.string().min(8, "Password must be at least 8 characters")
+    resetPasswordSchema = z6.object({
+      email: z6.string().email("Invalid email"),
+      otp: z6.string().length(6, "OTP must be 6 digits"),
+      newPassword: z6.string().min(8, "Password must be at least 8 characters")
     });
-    createPersonalTokenSchema = z5.object({
-      name: z5.string().min(1).max(100),
-      scope: z5.enum(["readonly", "readwrite"]),
-      expires_at: z5.string().datetime().optional()
+    createPersonalTokenSchema = z6.object({
+      name: z6.string().min(1).max(100),
+      scope: z6.enum(["readonly", "readwrite"]),
+      expires_at: z6.string().datetime().optional()
     });
   }
 });
@@ -15574,12 +15713,12 @@ async function seed3(ctx) {
   const db2 = ctx.db.knex;
   const { logger: logger2, generateId: generateId4 } = ctx.core;
   const { nowTimestamp: nowTimestamp2 } = ctx.db;
-  const hasTable = await db2.schema.hasTable(SINGLE_RECORDS);
+  const hasTable = await db2.schema.hasTable(SINGLE_RECORDS2);
   if (!hasTable) {
     logger2.debug("single_records table not found, skipping auth seed");
     return;
   }
-  const existing = await db2(SINGLE_RECORDS).where({ key: AUTH_CONFIG_KEY }).first();
+  const existing = await db2(SINGLE_RECORDS2).where({ key: AUTH_CONFIG_KEY }).first();
   if (existing) {
     logger2.debug("Auth config already seeded");
     return;
@@ -15592,7 +15731,7 @@ async function seed3(ctx) {
     rate_limit_window: parseInt(process.env["AUTH_RATE_LIMIT_WINDOW"] || "") || 900,
     cookie_domain: process.env["AUTH_COOKIE_DOMAIN"] || null
   };
-  await db2(SINGLE_RECORDS).insert({
+  await db2(SINGLE_RECORDS2).insert({
     id: generateId4(),
     key: AUTH_CONFIG_KEY,
     value: JSON.stringify(defaults),
@@ -15601,11 +15740,11 @@ async function seed3(ctx) {
   });
   logger2.info("Auth config seeded from environment variables");
 }
-var SINGLE_RECORDS, AUTH_CONFIG_KEY;
+var SINGLE_RECORDS2, AUTH_CONFIG_KEY;
 var init_auth_seed = __esm({
   "src/modules/auth/auth.seed.ts"() {
     "use strict";
-    SINGLE_RECORDS = "single_records";
+    SINGLE_RECORDS2 = "single_records";
     AUTH_CONFIG_KEY = "auth_config";
   }
 });
@@ -15671,7 +15810,7 @@ var init_auth = __esm({
 });
 
 // src/modules/mail/mail.config.ts
-import { z as z6 } from "zod";
+import { z as z7 } from "zod";
 function getMailConfig() {
   return {
     host: mailEnv.SMTP_HOST,
@@ -15685,13 +15824,13 @@ var mailEnvSchema, mailEnv;
 var init_mail_config = __esm({
   "src/modules/mail/mail.config.ts"() {
     "use strict";
-    mailEnvSchema = z6.object({
-      SMTP_HOST: z6.string().default("localhost"),
-      SMTP_PORT: z6.coerce.number().default(1025),
-      SMTP_SECURE: z6.string().default("false").transform((v) => v === "true" || v === "1"),
-      SMTP_USER: z6.string().optional(),
-      SMTP_PASS: z6.string().optional(),
-      SMTP_FROM: z6.string().default("noreply@nexus.local")
+    mailEnvSchema = z7.object({
+      SMTP_HOST: z7.string().default("localhost"),
+      SMTP_PORT: z7.coerce.number().default(1025),
+      SMTP_SECURE: z7.string().default("false").transform((v) => v === "true" || v === "1"),
+      SMTP_USER: z7.string().optional(),
+      SMTP_PASS: z7.string().optional(),
+      SMTP_FROM: z7.string().default("noreply@nexus.local")
     });
     mailEnv = mailEnvSchema.parse(process.env);
   }
@@ -15699,8 +15838,8 @@ var init_mail_config = __esm({
 
 // src/modules/mail/mail.service.ts
 import nodemailer from "nodemailer";
-import { readFileSync as readFileSync4, existsSync as existsSync7 } from "fs";
-import { join as join8 } from "path";
+import { readFileSync as readFileSync5, existsSync as existsSync8 } from "fs";
+import { join as join10 } from "path";
 function getMailService() {
   if (!mailServiceInstance) {
     throw new Error("MailService not initialized. Call initMailService() first.");
@@ -15717,8 +15856,8 @@ var init_mail_service = __esm({
   "src/modules/mail/mail.service.ts"() {
     "use strict";
     init_mail_config();
-    TEMPLATE_REL_PATH = join8("public", "mail", "base.html");
-    LOGO_REL_PATH = join8("public", "nexus", "nexus-light-512.png");
+    TEMPLATE_REL_PATH = join10("public", "mail", "base.html");
+    LOGO_REL_PATH = join10("public", "nexus", "nexus-light-512.png");
     mailServiceInstance = null;
     MailService = class {
       transporter;
@@ -15732,10 +15871,10 @@ var init_mail_service = __esm({
         this.logger = logger2.child({ service: "mail" });
         this.loggerService = loggerService;
         const libPath = options?.libPath ?? process.cwd();
-        this.template = readFileSync4(join8(libPath, TEMPLATE_REL_PATH), "utf-8");
-        const logoPath = join8(libPath, LOGO_REL_PATH);
-        if (existsSync7(logoPath)) {
-          const logoBase64 = readFileSync4(logoPath).toString("base64");
+        this.template = readFileSync5(join10(libPath, TEMPLATE_REL_PATH), "utf-8");
+        const logoPath = join10(libPath, LOGO_REL_PATH);
+        if (existsSync8(logoPath)) {
+          const logoBase64 = readFileSync5(logoPath).toString("base64");
           this.defaultLogoUrl = `data:image/png;base64,${logoBase64}`;
         } else {
           this.defaultLogoUrl = "";
@@ -15827,7 +15966,7 @@ var init_mail_service = __esm({
 });
 
 // src/modules/mail/mail.entity.ts
-import { useIdField as useIdField7, useTextField as useTextField12, useSelectField as useSelectField13, useNumberField as useNumberField5, useSwitchField as useSwitchField4, useEmailField as useEmailField3, usePasswordField as usePasswordField2, useTextareaField as useTextareaField3, useTagsField as useTagsField2, useDatetimeField as useDatetimeField6 } from "@gzl10/nexus-sdk/fields";
+import { useIdField as useIdField7, useTextField as useTextField12, useSelectField as useSelectField11, useNumberField as useNumberField6, useSwitchField as useSwitchField3, useEmailField as useEmailField3, usePasswordField as usePasswordField2, useTextareaField as useTextareaField3, useTagsField as useTagsField2, useDatetimeField as useDatetimeField6 } from "@gzl10/nexus-sdk/fields";
 import nodemailer2 from "nodemailer";
 async function getMailConfigFromDB(ctx) {
   const configService = ctx.services["config"];
@@ -15896,12 +16035,12 @@ var init_mail_entity = __esm({
           nullable: false,
           hint: { en: "Default: SMTP_HOST env var", es: "Por defecto: variable SMTP_HOST" }
         }),
-        port: useNumberField5({
+        port: useNumberField6({
           label: { en: "Port", es: "Puerto" },
           nullable: false,
           hint: { en: "Default: SMTP_PORT env var", es: "Por defecto: variable SMTP_PORT" }
         }),
-        secure: useSwitchField4({
+        secure: useSwitchField3({
           label: { en: "TLS/SSL", es: "TLS/SSL" },
           hint: { en: "Default: SMTP_SECURE env var", es: "Por defecto: variable SMTP_SECURE" }
         }),
@@ -16104,7 +16243,7 @@ var init_mail_entity = __esm({
           meta: { searchable: true, sortable: true }
         }),
         status: {
-          ...useSelectField13({
+          ...useSelectField11({
             label: { en: "Status", es: "Estado" },
             options: [
               { value: "pending", label: { en: "Pending", es: "Pendiente" } },
@@ -16128,7 +16267,7 @@ var init_mail_entity = __esm({
           label: { en: "Error", es: "Error" },
           nullable: true
         }),
-        sent_by: useSelectField13({
+        sent_by: useSelectField11({
           label: { en: "Sent by", es: "Enviado por" },
           table: "users",
           column: "id",
@@ -16337,7 +16476,7 @@ var init_observability_service = __esm({
 });
 
 // src/modules/observability/observability.config.ts
-import { z as z7 } from "zod";
+import { z as z8 } from "zod";
 function getOtelConfig() {
   if (cachedConfig) return cachedConfig;
   const env2 = otelEnvSchema.parse(process.env);
@@ -16354,12 +16493,12 @@ var otelEnvSchema, cachedConfig;
 var init_observability_config = __esm({
   "src/modules/observability/observability.config.ts"() {
     "use strict";
-    otelEnvSchema = z7.object({
-      OTEL_ENABLED: z7.coerce.boolean().default(false),
-      OTEL_SERVICE_NAME: z7.string().default("nexus"),
-      OTEL_PROMETHEUS_PORT: z7.coerce.number().int().min(0).max(65535).default(9464),
-      OTEL_EXPORTER_OTLP_ENDPOINT: z7.string().url().optional(),
-      OTEL_TRACE_SAMPLE_RATE: z7.coerce.number().min(0).max(1).default(1)
+    otelEnvSchema = z8.object({
+      OTEL_ENABLED: z8.coerce.boolean().default(false),
+      OTEL_SERVICE_NAME: z8.string().default("nexus"),
+      OTEL_PROMETHEUS_PORT: z8.coerce.number().int().min(0).max(65535).default(9464),
+      OTEL_EXPORTER_OTLP_ENDPOINT: z8.string().url().optional(),
+      OTEL_TRACE_SAMPLE_RATE: z8.coerce.number().min(0).max(1).default(1)
     });
     cachedConfig = null;
   }
@@ -16763,7 +16902,7 @@ var init_toggle_plugin_action = __esm({
 });
 
 // src/modules/plugins/plugins.entity.ts
-import { useTextField as useTextField13, useSelectField as useSelectField14, useCheckboxField as useCheckboxField5 } from "@gzl10/nexus-sdk/fields";
+import { useTextField as useTextField13, useSelectField as useSelectField12, useCheckboxField as useCheckboxField5 } from "@gzl10/nexus-sdk/fields";
 import { OFFICIAL_PLUGINS } from "@gzl10/nexus-sdk";
 var allowPluginManagement, pluginsEntity;
 var init_plugins_entity = __esm({
@@ -16805,7 +16944,7 @@ var init_plugins_entity = __esm({
           size: 20,
           nullable: false
         }),
-        category: useSelectField14({
+        category: useSelectField12({
           label: { en: "Category", es: "Categor\xEDa" },
           options: [
             { value: "content", label: { en: "Content", es: "Contenido" } },
@@ -16884,7 +17023,7 @@ var init_plugins_entity = __esm({
 
 // src/modules/plugins/plugins.routes.ts
 import { Router } from "express";
-import { existsSync as existsSync8 } from "fs";
+import { existsSync as existsSync9 } from "fs";
 function createPluginRoutes(ctx) {
   const router = Router();
   let imageMap = null;
@@ -16892,7 +17031,7 @@ function createPluginRoutes(ctx) {
     if (!imageMap) {
       const discovered = await ctx.core.plugins.discover();
       imageMap = new Map(
-        discovered.filter((p) => p.image && existsSync8(p.image)).map((p) => [p.code, p.image])
+        discovered.filter((p) => p.image && existsSync9(p.image)).map((p) => [p.code, p.image])
       );
     }
     return imageMap;
@@ -16947,7 +17086,7 @@ var init_plugins = __esm({
 import {
   useIdField as useIdField8,
   useTextField as useTextField14,
-  useSelectField as useSelectField15,
+  useSelectField as useSelectField13,
   useTextareaField as useTextareaField4,
   useJsonField as useJsonField3,
   useDatetimeField as useDatetimeField7,
@@ -16989,7 +17128,7 @@ var init_audit_entity = __esm({
           }),
           validation: { min: 1, max: 100 }
         },
-        actor_id: useSelectField15({
+        actor_id: useSelectField13({
           label: { en: "Actor", es: "Actor" },
           table: "users",
           column: "id",
@@ -17276,7 +17415,11 @@ import { Server as SocketServer } from "socket.io";
 import jwt3 from "jsonwebtoken";
 import { DEFAULT_TENANT_ID, entityRoom } from "@gzl10/nexus-sdk";
 function initSocketIO(httpServer, options) {
-  jwtSecret = options?.jwtSecret ?? process.env["AUTH_SECRET"] ?? null;
+  try {
+    jwtSecret = options?.jwtSecret ?? getAuthSecret();
+  } catch {
+    jwtSecret = null;
+  }
   if (!jwtSecret) {
     logger.warn("Socket.IO authentication disabled: AUTH_SECRET not configured. All connections will be treated as guests.");
   }
@@ -17521,6 +17664,7 @@ var init_socket = __esm({
     "use strict";
     init_emitter();
     init_logger();
+    init_secret_resolver();
     io = null;
     jwtSecret = null;
     userSockets = /* @__PURE__ */ new Map();
@@ -18072,70 +18216,6 @@ var init_validate_middleware = __esm({
   }
 });
 
-// src/config/env.ts
-import { z as z8 } from "zod";
-function resolveConfig() {
-  env = envSchema.parse(process.env);
-  process.env["TZ"] = env.TZ;
-  resolvedConfig = {
-    nodeEnv: env.NODE_ENV,
-    port: env.PORT,
-    host: "0.0.0.0",
-    ui: {
-      enabled: env.NEXUS_UI_ENABLED,
-      base: env.NEXUS_UI_BASE,
-      path: env.NEXUS_UI_PATH
-    },
-    corsOrigin: env.CORS_ORIGIN,
-    databaseUrl: env.DATABASE_URL,
-    adminEmail: env.ADMIN_EMAIL,
-    adminPassword: env.ADMIN_PASSWORD,
-    timezone: env.TZ
-  };
-  return resolvedConfig;
-}
-function getConfig() {
-  if (!resolvedConfig) {
-    return resolveConfig();
-  }
-  return resolvedConfig;
-}
-function resetConfig() {
-  resolvedConfig = null;
-}
-var envSchema, env, resolvedConfig;
-var init_env = __esm({
-  "src/config/env.ts"() {
-    "use strict";
-    envSchema = z8.object({
-      NODE_ENV: z8.enum(["development", "production", "test"]).default("development"),
-      PORT: z8.coerce.number().default(3e3),
-      CORS_ORIGIN: z8.string().default("*"),
-      BACKEND_URL: z8.string().optional(),
-      DATABASE_URL: z8.string().default("file:./dev.db"),
-      REDIS_URL: z8.string().url().optional(),
-      REDIS_PREFIX: z8.string().default("nexus"),
-      ADMIN_EMAIL: z8.string().email().optional(),
-      ADMIN_PASSWORD: z8.string().min(6).optional(),
-      COOKIE_DOMAIN: z8.string().optional(),
-      TZ: z8.string().default("UTC"),
-      TRUST_PROXY: z8.coerce.boolean().default(false),
-      NEXUS_UI_ENABLED: z8.coerce.boolean().default(true),
-      NEXUS_UI_BASE: z8.string().default("/"),
-      NEXUS_UI_PATH: z8.string().default("../ui/dist"),
-      NEXUS_CHECK_DRIFT: z8.coerce.boolean().optional(),
-      NEXUS_FAIL_ON_DRIFT: z8.coerce.boolean().optional(),
-      FRPC_SERVER: z8.string().optional(),
-      FRPC_SERVER_PORT: z8.coerce.number().default(7e3),
-      FRPC_TOKEN: z8.string().optional(),
-      FRPC_SUBDOMAIN: z8.string().optional()
-    });
-    env = envSchema.parse(process.env);
-    process.env["TZ"] = env.TZ;
-    resolvedConfig = null;
-  }
-});
-
 // src/core/middleware/error.middleware.ts
 import { ZodError } from "zod";
 import { ForbiddenError as CASLForbiddenError2 } from "@casl/ability";
@@ -18313,20 +18393,17 @@ var init_hash = __esm({
 });
 
 // src/core/crypto/symmetric.ts
-import { createCipheriv, createDecipheriv, randomBytes as randomBytes2, hkdfSync } from "crypto";
+import { createCipheriv, createDecipheriv, randomBytes as randomBytes3, hkdfSync } from "crypto";
 function getKey() {
   if (derivedKey) return derivedKey;
-  const secret = process.env["AUTH_SECRET"];
-  if (!secret) {
-    throw new Error("AUTH_SECRET not configured. Required for symmetric encryption.");
-  }
+  const secret = getAuthSecret();
   const keyBytes = hkdfSync("sha256", secret, "", HKDF_INFO, KEY_LENGTH);
   derivedKey = Buffer.from(keyBytes);
   return derivedKey;
 }
 function encrypt(plaintext) {
   const key = getKey();
-  const iv = randomBytes2(IV_LENGTH);
+  const iv = randomBytes3(IV_LENGTH);
   const cipher = createCipheriv(ALGORITHM, key, iv);
   const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
   const authTag = cipher.getAuthTag();
@@ -18350,6 +18427,7 @@ var ALGORITHM, IV_LENGTH, KEY_LENGTH, HKDF_INFO, derivedKey;
 var init_symmetric = __esm({
   "src/core/crypto/symmetric.ts"() {
     "use strict";
+    init_secret_resolver();
     ALGORITHM = "aes-256-gcm";
     IV_LENGTH = 12;
     KEY_LENGTH = 32;
@@ -18575,8 +18653,8 @@ var init_safe_json = __esm({
 
 // src/core/spa-handler.ts
 import express from "express";
-import { resolve, join as join9 } from "path";
-import { existsSync as existsSync9, readFileSync as readFileSync5 } from "fs";
+import { resolve, join as join11 } from "path";
+import { existsSync as existsSync10, readFileSync as readFileSync6 } from "fs";
 function createServeSPA(app, httpServer) {
   return async (endpoint, distPath, options = {}) => {
     const {
@@ -18598,7 +18676,7 @@ function createServeSPA(app, httpServer) {
     registeredEndpoints.add(endpoint);
     if (env.NODE_ENV === "development" && viteSrc) {
       const srcPath = resolve(getProjectPath(), viteSrc);
-      if (!existsSync9(srcPath)) {
+      if (!existsSync10(srcPath)) {
         logger.warn({ endpoint, viteSrc, resolved: srcPath }, "Vite source not found \u2014 falling back to static");
       } else {
         const mounted = await mountViteDevMiddleware(app, endpoint, srcPath, httpServer);
@@ -18612,6 +18690,7 @@ async function mountViteDevMiddleware(app, endpoint, srcPath, httpServer) {
   try {
     const vite = await import("vite");
     const apiUrl = env.BACKEND_URL ? `${env.BACKEND_URL}/api/v1` : "/api/v1";
+    const singletonDeps = ["vue", "vue-router", "pinia", "naive-ui"];
     const server2 = await vite.createServer({
       root: srcPath,
       server: {
@@ -18619,6 +18698,12 @@ async function mountViteDevMiddleware(app, endpoint, srcPath, httpServer) {
         allowedHosts: true,
         hmr: httpServer ? { server: httpServer } : true
       },
+      resolve: {
+        dedupe: singletonDeps
+      },
+      optimizeDeps: {
+        include: singletonDeps
+      },
       plugins: [{
         name: "nexus-config-inject",
         transformIndexHtml(html) {
@@ -18654,24 +18739,24 @@ function mountStaticSPA(app, endpoint, distPath, options) {
     resolvedPath = distPath;
   } else {
     const projectPath2 = resolve(getProjectPath(), distPath);
-    if (existsSync9(projectPath2)) {
+    if (existsSync10(projectPath2)) {
       resolvedPath = projectPath2;
     } else {
       resolvedPath = resolve(getLibPath(), distPath);
     }
   }
-  if (!existsSync9(resolvedPath)) {
+  if (!existsSync10(resolvedPath)) {
     logger.warn({ endpoint, distPath, hint: "Build the frontend first" }, `SPA directory not found: ${resolvedPath}`);
     return;
   }
-  const indexPath = join9(resolvedPath, index);
-  if (!existsSync9(indexPath)) {
+  const indexPath = join11(resolvedPath, index);
+  if (!existsSync10(indexPath)) {
     logger.warn({ endpoint, index }, `Index file not found: ${indexPath}`);
   }
   app.use(endpoint, express.static(resolvedPath, { maxAge, etag, immutable }));
   let injectedHtml = "";
-  if (existsSync9(indexPath)) {
-    const rawHtml = readFileSync5(indexPath, "utf-8");
+  if (existsSync10(indexPath)) {
+    const rawHtml = readFileSync6(indexPath, "utf-8");
     const apiUrl = env.BACKEND_URL ? `${env.BACKEND_URL}/api/v1` : "/api/v1";
     const nexusConfig = JSON.stringify({ apiUrl });
     injectedHtml = rawHtml.replace(
@@ -19246,11 +19331,7 @@ var init_cache = __esm({
 // src/core/jwt/index.ts
 import jwt4 from "jsonwebtoken";
 function getSecret() {
-  const secret = process.env["AUTH_SECRET"];
-  if (!secret) {
-    throw new Error("AUTH_SECRET not configured. Set AUTH_SECRET env var.");
-  }
-  return secret;
+  return getAuthSecret();
 }
 function verifyAccessToken(token) {
   return jwt4.verify(token, getSecret());
@@ -19258,6 +19339,7 @@ function verifyAccessToken(token) {
 var init_jwt = __esm({
   "src/core/jwt/index.ts"() {
     "use strict";
+    init_secret_resolver();
   }
 });
 
@@ -19367,91 +19449,6 @@ var init_schema_helpers = __esm({
   }
 });
 
-// src/db/sql-utils.ts
-function extractTableFromSql(sql, type2) {
-  const match = sql.match(SQL_PATTERNS[type2]);
-  return match?.[1];
-}
-function extractTableFromSelect(sql) {
-  return extractTableFromSql(sql, "select");
-}
-function extractTableFromInsert(sql) {
-  return extractTableFromSql(sql, "insert");
-}
-function extractTableFromUpdate(sql) {
-  return extractTableFromSql(sql, "update");
-}
-function extractTableFromDelete(sql) {
-  return extractTableFromSql(sql, "delete");
-}
-var SQL_PATTERNS;
-var init_sql_utils = __esm({
-  "src/db/sql-utils.ts"() {
-    "use strict";
-    SQL_PATTERNS = {
-      select: /from\s+["'`]?(\w+)["'`]?/i,
-      insert: /insert into\s+["'`]?(\w+)["'`]?/i,
-      update: /update\s+["'`]?(\w+)["'`]?/i,
-      delete: /delete from\s+["'`]?(\w+)["'`]?/i
-    };
-  }
-});
-
-// src/db/sqlite-compat.ts
-function createSqliteBooleanProcessor() {
-  const booleanColumns = /* @__PURE__ */ new Map();
-  function registerBooleanColumn2(table, column) {
-    if (!booleanColumns.has(table)) {
-      booleanColumns.set(table, /* @__PURE__ */ new Set());
-    }
-    booleanColumns.get(table).add(column);
-  }
-  function convertBooleans2(table, row) {
-    const columns = booleanColumns.get(table);
-    if (!columns || columns.size === 0) return row;
-    const result = { ...row };
-    for (const column of columns) {
-      if (column in result) {
-        const value = result[column];
-        if (value === 0 || value === 1) {
-          result[column] = value === 1;
-        }
-      }
-    }
-    return result;
-  }
-  function postProcess(result, queryContext) {
-    const sql = queryContext?.sql?.toLowerCase() ?? "";
-    if (!sql.startsWith("select")) return result;
-    const table = extractTableFromSelect(sql);
-    if (!table) return result;
-    if (Array.isArray(result)) {
-      return result.map(
-        (row) => typeof row === "object" && row !== null ? convertBooleans2(table, row) : row
-      );
-    }
-    if (typeof result === "object" && result !== null) {
-      return convertBooleans2(table, result);
-    }
-    return result;
-  }
-  function clear() {
-    booleanColumns.clear();
-  }
-  return { registerBooleanColumn: registerBooleanColumn2, convertBooleans: convertBooleans2, postProcess, clear };
-}
-var defaultProcessor, registerBooleanColumn, convertBooleans, sqlitePostProcess;
-var init_sqlite_compat = __esm({
-  "src/db/sqlite-compat.ts"() {
-    "use strict";
-    init_sql_utils();
-    defaultProcessor = createSqliteBooleanProcessor();
-    registerBooleanColumn = defaultProcessor.registerBooleanColumn;
-    convertBooleans = defaultProcessor.convertBooleans;
-    sqlitePostProcess = defaultProcessor.postProcess;
-  }
-});
-
 // src/runtime/types.ts
 var init_types = __esm({
   "src/runtime/types.ts"() {
@@ -23737,8 +23734,8 @@ var init_runtime = __esm({
 });
 
 // src/db/seed-runner.ts
-import { existsSync as existsSync10 } from "fs";
-import { join as join10 } from "path";
+import { existsSync as existsSync11 } from "fs";
+import { join as join12 } from "path";
 import { pathToFileURL } from "url";
 async function runModuleSeed(mod, ctx) {
   let seeded = false;
@@ -23746,8 +23743,8 @@ async function runModuleSeed(mod, ctx) {
     await mod.seed(ctx);
     seeded = true;
   } else {
-    const seedPath = join10(getLibPath(), "dist", "modules", mod.name, `${mod.name}.seed.js`);
-    if (existsSync10(seedPath)) {
+    const seedPath = join12(getLibPath(), "dist", "modules", mod.name, `${mod.name}.seed.js`);
+    if (existsSync11(seedPath)) {
       const seedModule = await import(pathToFileURL(seedPath).href);
       if (typeof seedModule.seed === "function") {
         await seedModule.seed(ctx);
@@ -23901,94 +23898,6 @@ var init_migration_sources = __esm({
   }
 });
 
-// src/config/database.ts
-import { join as join11, dirname as dirname6, isAbsolute as isAbsolute2 } from "path";
-import { mkdirSync as mkdirSync4 } from "fs";
-function getDatabaseConfig() {
-  const url = getConfig().databaseUrl;
-  if (IN_MEMORY_RE.test(url)) {
-    return {
-      client: "better-sqlite3",
-      connection: { filename: ":memory:" },
-      useNullAsDefault: true,
-      postProcessResponse: sqlitePostProcess,
-      pool: { min: 0, max: 1 }
-    };
-  }
-  if (url.startsWith("file:") || url.startsWith("sqlite:")) {
-    let filename = url.replace(/^(file:|sqlite:)/, "");
-    if (!isAbsolute2(filename)) {
-      filename = join11(getProjectPath(), "data", filename);
-    }
-    mkdirSync4(dirname6(filename), { recursive: true });
-    return {
-      client: "better-sqlite3",
-      connection: { filename },
-      useNullAsDefault: true,
-      postProcessResponse: sqlitePostProcess
-    };
-  }
-  if (url.startsWith("postgresql://") || url.startsWith("postgres://")) {
-    return {
-      client: "pg",
-      connection: url,
-      pool: { min: 2, max: 10 }
-    };
-  }
-  if (url.startsWith("mysql://")) {
-    const offsetMinutes = (/* @__PURE__ */ new Date()).getTimezoneOffset();
-    const offsetHours = Math.abs(Math.floor(offsetMinutes / 60));
-    const offsetMins = Math.abs(offsetMinutes % 60);
-    const sign = offsetMinutes <= 0 ? "+" : "-";
-    const tzOffset = `${sign}${String(offsetHours).padStart(2, "0")}:${String(offsetMins).padStart(2, "0")}`;
-    return {
-      client: "mysql2",
-      connection: {
-        uri: url,
-        timezone: tzOffset
-        // mysql2 requiere formato "+HH:MM"
-      },
-      pool: { min: 2, max: 10 }
-    };
-  }
-  throw new Error(`Unsupported database URL: ${url}`);
-}
-function getDatabaseType() {
-  const url = getConfig().databaseUrl;
-  if (IN_MEMORY_RE.test(url) || url.startsWith("file:") || url.startsWith("sqlite:")) return "sqlite";
-  if (url.startsWith("postgresql://") || url.startsWith("postgres://")) return "postgresql";
-  if (url.startsWith("mysql://")) return "mysql";
-  return "sqlite";
-}
-function getDatabasePath() {
-  const url = getConfig().databaseUrl;
-  if (IN_MEMORY_RE.test(url)) return ":memory:";
-  if (url.startsWith("file:") || url.startsWith("sqlite:")) {
-    let filename = url.replace(/^(file:|sqlite:)/, "");
-    if (!isAbsolute2(filename)) {
-      filename = join11(getProjectPath(), "data", filename);
-    }
-    return filename;
-  }
-  try {
-    const parsed = new URL(url);
-    parsed.password = "***";
-    return parsed.toString();
-  } catch {
-    return url.replace(/:\/\/[^@]+@/, "://***@");
-  }
-}
-var IN_MEMORY_RE;
-var init_database = __esm({
-  "src/config/database.ts"() {
-    "use strict";
-    init_env();
-    init_paths();
-    init_sqlite_compat();
-    IN_MEMORY_RE = /^((file:|sqlite:)?:memory:?)$/;
-  }
-});
-
 // src/db/query-interceptor.ts
 function setupQueryInterceptor(knexInstance) {
   const queryTimings = /* @__PURE__ */ new Map();
@@ -24629,7 +24538,7 @@ var init_migration_helpers = __esm({
 // src/db/migration-generator.ts
 import path2 from "path";
 import fs2 from "fs/promises";
-import { readFileSync as readFileSync6, mkdirSync as mkdirSync5, realpathSync } from "fs";
+import { readFileSync as readFileSync7, mkdirSync as mkdirSync5, realpathSync } from "fs";
 function getColumnIndexBytes(field) {
   if (!field?.db) return 255 * MYSQL_BYTES_PER_CHAR;
   const size = field.db.size ?? 255;
@@ -26543,8 +26452,8 @@ var init_db = __esm({
 });
 
 // src/config/load-config.ts
-import { join as join12 } from "path";
-import { existsSync as existsSync11, readFileSync as readFileSync7, readdirSync, statSync } from "fs";
+import { join as join13 } from "path";
+import { existsSync as existsSync12, readFileSync as readFileSync8, readdirSync, statSync } from "fs";
 import { pathToFileURL as pathToFileURL2 } from "url";
 function isPluginManifest(value) {
   if (!value || typeof value !== "object" || typeof value === "function") return false;
@@ -26560,25 +26469,25 @@ function extractPluginManifest(mod) {
   return null;
 }
 function resolvePluginEntry(projectPath2, pkgName) {
-  const pkgDir = join12(projectPath2, "node_modules", pkgName);
-  const pkgJsonPath = join12(pkgDir, "package.json");
-  if (!existsSync11(pkgJsonPath)) return null;
+  const pkgDir = join13(projectPath2, "node_modules", pkgName);
+  const pkgJsonPath = join13(pkgDir, "package.json");
+  if (!existsSync12(pkgJsonPath)) return null;
   try {
-    const pluginPkg = JSON.parse(readFileSync7(pkgJsonPath, "utf-8"));
+    const pluginPkg = JSON.parse(readFileSync8(pkgJsonPath, "utf-8"));
     const exports = pluginPkg.exports;
     const importEntry = exports?.["."]?.import;
     const entry = (typeof importEntry === "string" ? importEntry : importEntry?.default) ?? (typeof exports === "string" ? exports : null) ?? pluginPkg.main ?? pluginPkg.module ?? "index.js";
-    const entryPath = join12(pkgDir, entry);
-    return existsSync11(entryPath) ? entryPath : null;
+    const entryPath = join13(pkgDir, entry);
+    return existsSync12(entryPath) ? entryPath : null;
   } catch {
     return null;
   }
 }
 async function discoverPlugins(projectPath2) {
-  const pkgPath = join12(projectPath2, "package.json");
+  const pkgPath = join13(projectPath2, "package.json");
   let pkg2;
   try {
-    pkg2 = JSON.parse(readFileSync7(pkgPath, "utf-8"));
+    pkg2 = JSON.parse(readFileSync8(pkgPath, "utf-8"));
   } catch {
     return [];
   }
@@ -26600,21 +26509,21 @@ async function discoverPlugins(projectPath2) {
       const manifest = extractPluginManifest(mod);
       if (manifest) {
         if (!manifest.migrationsDir) {
-          const defaultMigrationsDir = join12(projectPath2, "node_modules", pkgName, "migrations");
-          if (existsSync11(defaultMigrationsDir)) {
+          const defaultMigrationsDir = join13(projectPath2, "node_modules", pkgName, "migrations");
+          if (existsSync12(defaultMigrationsDir)) {
             manifest.migrationsDir = defaultMigrationsDir;
           }
         }
         if (!manifest.image) {
-          const imagePath = join12(projectPath2, "node_modules", pkgName, "image.png");
-          if (existsSync11(imagePath)) {
+          const imagePath = join13(projectPath2, "node_modules", pkgName, "image.png");
+          if (existsSync12(imagePath)) {
             manifest.image = imagePath;
           }
         }
         if (!manifest.llms) {
-          const llmsPath = join12(projectPath2, "node_modules", pkgName, "llms.txt");
-          if (existsSync11(llmsPath)) {
-            manifest.llms = readFileSync7(llmsPath, "utf-8");
+          const llmsPath = join13(projectPath2, "node_modules", pkgName, "llms.txt");
+          if (existsSync12(llmsPath)) {
+            manifest.llms = readFileSync8(llmsPath, "utf-8");
           }
         }
         discovered.push(manifest);
@@ -26650,8 +26559,8 @@ function extractModuleManifests(mod) {
   return manifests;
 }
 async function discoverModules(projectPath2) {
-  const modulesDir = process.env["MODULES_DIR"] || join12(projectPath2, "src", "modules");
-  if (!existsSync11(modulesDir)) return [];
+  const modulesDir = process.env["MODULES_DIR"] || join13(projectPath2, "src", "modules");
+  if (!existsSync12(modulesDir)) return [];
   let entries;
   try {
     entries = readdirSync(modulesDir);
@@ -26660,7 +26569,7 @@ async function discoverModules(projectPath2) {
   }
   const discovered = [];
   for (const entry of entries) {
-    const entryPath = join12(modulesDir, entry);
+    const entryPath = join13(modulesDir, entry);
     try {
       if (!statSync(entryPath).isDirectory()) continue;
     } catch {
@@ -26668,8 +26577,8 @@ async function discoverModules(projectPath2) {
     }
     let indexPath = null;
     for (const ext of ["index.js", "index.ts"]) {
-      const candidate = join12(entryPath, ext);
-      if (existsSync11(candidate)) {
+      const candidate = join13(entryPath, ext);
+      if (existsSync12(candidate)) {
         indexPath = candidate;
         break;
       }
@@ -26783,6 +26692,49 @@ var init_events_api = __esm({
   }
 });
 
+// src/engine/capabilities-registry.ts
+var CapabilitiesRegistry;
+var init_capabilities_registry = __esm({
+  "src/engine/capabilities-registry.ts"() {
+    "use strict";
+    CapabilitiesRegistry = class {
+      resolvers = /* @__PURE__ */ new Map();
+      logger;
+      constructor(logger2) {
+        this.logger = logger2;
+      }
+      register(key, resolver) {
+        if (this.resolvers.has(key)) {
+          this.logger?.warn({ key }, "Capability key already registered, overwriting");
+        }
+        this.resolvers.set(key, resolver);
+      }
+      async resolve() {
+        const entries = Array.from(this.resolvers.entries());
+        const results = await Promise.allSettled(
+          entries.map(async ([key, resolver]) => {
+            const value = await resolver();
+            return [key, value];
+          })
+        );
+        const capabilities = {};
+        for (const result of results) {
+          if (result.status === "fulfilled") {
+            const [key, value] = result.value;
+            capabilities[key] = value;
+          } else {
+            this.logger?.warn(
+              { err: result.reason?.message ?? String(result.reason) },
+              "Capability resolver failed"
+            );
+          }
+        }
+        return capabilities;
+      }
+    };
+  }
+});
+
 // src/engine/context.ts
 import { ForbiddenError as CASLForbiddenError3, subject } from "@casl/ability";
 import { DEFAULT_TENANT_ID as DEFAULT_TENANT_ID2, DEFAULT_LOCALES } from "@gzl10/nexus-sdk";
@@ -27056,6 +27008,9 @@ function createModuleContext() {
       return name in adaptersRegistry;
     }
   };
+  const capabilitiesRegistry = new CapabilitiesRegistry(
+    logger.child({ service: "capabilities" })
+  );
   const ctx = {
     tenantId: DEFAULT_TENANT_ID2,
     core: coreContext,
@@ -27066,6 +27021,7 @@ function createModuleContext() {
     engine: engineContext,
     services: servicesContext,
     adapters: adaptersContext,
+    capabilities: capabilitiesRegistry,
     // Root-level shortcuts for frequently used utilities
     events: createEventsApi(nexusEvents, logger),
     createRouter: () => createRouter(),
@@ -27079,6 +27035,9 @@ function createModuleContext() {
     createEntityRouter: (controller, def) => createEntityRouter(controller, def, ctx)
   };
   ctx.db.seedModule = (mod) => runModuleSeed(mod, ctx);
+  capabilitiesRegistry.register("version", () => getCoreManifest().version);
+  capabilitiesRegistry.register("plugins", () => getPlugins().map((p) => p.code));
+  capabilitiesRegistry.register("locales", () => platformLocales);
   return ctx;
 }
 var platformLocales, sharedCacheManager, sharedTempAdapter;
@@ -27094,6 +27053,7 @@ var init_context = __esm({
     init_plugin_ops();
     init_load_config();
     init_events_api();
+    init_capabilities_registry();
     init_seed_runner();
     init_cache_manager();
     platformLocales = DEFAULT_LOCALES;
@@ -27113,6 +27073,7 @@ var init_engine = __esm({
     init_subject_extractor();
     init_definition_extractors();
     init_context();
+    init_capabilities_registry();
   }
 });
 
@@ -27855,7 +27816,7 @@ var init_port_check = __esm({
 // src/core/tunnel.ts
 import { spawn, execSync as execSync2 } from "child_process";
 import { writeFileSync as writeFileSync2, unlinkSync as unlinkSync2 } from "fs";
-import { join as join13 } from "path";
+import { join as join14 } from "path";
 import { tmpdir } from "os";
 function buildFrpcConfig(config3) {
   const lines = [
@@ -27893,7 +27854,7 @@ async function startTunnel(config3) {
     return false;
   }
   const toml = buildFrpcConfig(config3);
-  tmpConfigPath = join13(tmpdir(), `nexus-frpc-${process.pid}.toml`);
+  tmpConfigPath = join14(tmpdir(), `nexus-frpc-${process.pid}.toml`);
   writeFileSync2(tmpConfigPath, toml);
   tunnelProcess = spawn("frpc", ["-c", tmpConfigPath], {
     stdio: ["ignore", "pipe", "pipe"]
@@ -27984,22 +27945,22 @@ var init_shared = __esm({
 });
 
 // src/cli/migrate-commands.ts
-import { readFileSync as readFileSync8, existsSync as existsSync12 } from "fs";
-import { join as join14 } from "path";
+import { readFileSync as readFileSync9, existsSync as existsSync13 } from "fs";
+import { join as join15 } from "path";
 import { pathToFileURL as pathToFileURL3 } from "url";
 import Table from "cli-table3";
 import { consola as consola2 } from "consola";
 async function loadSelfPlugin() {
   const projectPath2 = getProjectPath();
-  const pkgPath = join14(projectPath2, "package.json");
-  if (!existsSync12(pkgPath)) return;
+  const pkgPath = join15(projectPath2, "package.json");
+  if (!existsSync13(pkgPath)) return;
   try {
-    const pkg2 = JSON.parse(readFileSync8(pkgPath, "utf-8"));
+    const pkg2 = JSON.parse(readFileSync9(pkgPath, "utf-8"));
     const pkgName = pkg2?.name;
     if (!pkgName || !/nexus-plugin-/.test(pkgName)) return;
-    const srcEntry = join14(projectPath2, "src", "index.ts");
-    const distEntry = join14(projectPath2, "dist", "index.js");
-    if (existsSync12(srcEntry)) {
+    const srcEntry = join15(projectPath2, "src", "index.ts");
+    const distEntry = join15(projectPath2, "dist", "index.js");
+    if (existsSync13(srcEntry)) {
       try {
         const { tsImport } = await import("tsx/esm/api");
         const mod = await tsImport(
@@ -28009,7 +27970,7 @@ async function loadSelfPlugin() {
         const manifest = extractPluginManifest(mod);
         if (manifest) {
           if (!manifest.migrationsDir) {
-            manifest.migrationsDir = join14(projectPath2, "migrations");
+            manifest.migrationsDir = join15(projectPath2, "migrations");
           }
           registerPlugin(manifest);
           return;
@@ -28018,13 +27979,13 @@ async function loadSelfPlugin() {
         console.error(`  \u26A0 Failed to load plugin src/index.ts: ${err.message}`);
       }
     }
-    if (existsSync12(distEntry)) {
+    if (existsSync13(distEntry)) {
       try {
         const mod = await import(pathToFileURL3(distEntry).href);
         const manifest = extractPluginManifest(mod);
         if (manifest) {
           if (!manifest.migrationsDir) {
-            manifest.migrationsDir = join14(projectPath2, "migrations");
+            manifest.migrationsDir = join15(projectPath2, "migrations");
           }
           registerPlugin(manifest);
           return;
@@ -28074,8 +28035,8 @@ __export(seed_commands_exports, {
   handleSeedExport: () => handleSeedExport,
   importSeedFiles: () => importSeedFiles
 });
-import { existsSync as existsSync13, mkdirSync as mkdirSync6, writeFileSync as writeFileSync3, readdirSync as readdirSync2, readFileSync as readFileSync9 } from "fs";
-import { join as join15, basename as basename4 } from "path";
+import { existsSync as existsSync14, mkdirSync as mkdirSync6, writeFileSync as writeFileSync3, readdirSync as readdirSync2, readFileSync as readFileSync10 } from "fs";
+import { join as join16, basename as basename4 } from "path";
 import { consola as consola3 } from "consola";
 function deserializeJsonFields(record, fields) {
   const result = { ...record };
@@ -28104,7 +28065,7 @@ async function handleSeedExport(entity) {
   const db2 = getDb();
   try {
     const modules = getOrderedModules();
-    const seedDir = join15(getProjectPath(), "data", "seeds");
+    const seedDir = join16(getProjectPath(), "data", "seeds");
     const seedableEntities = [];
     for (const mod of modules) {
       for (const def of mod.definitions ?? []) {
@@ -28125,7 +28086,7 @@ async function handleSeedExport(entity) {
       }
       return;
     }
-    if (!existsSync13(seedDir)) {
+    if (!existsSync14(seedDir)) {
       mkdirSync6(seedDir, { recursive: true });
     }
     for (const { module: modName, table, fields } of seedableEntities) {
@@ -28137,7 +28098,7 @@ async function handleSeedExport(entity) {
       const exported = rows.map(
         (row) => deserializeJsonFields(row, fields)
       );
-      const filePath = join15(seedDir, `${table}.json`);
+      const filePath = join16(seedDir, `${table}.json`);
       writeFileSync3(filePath, JSON.stringify(exported, null, 2) + "\n", "utf-8");
       consola3.success(`${table}: exported ${rows.length} records to data/seeds/${table}.json (module: ${modName})`);
     }
@@ -28149,8 +28110,8 @@ async function handleSeedExport(entity) {
   }
 }
 async function importSeedFiles(db2, modules, logger2) {
-  const seedDir = join15(getProjectPath(), "data", "seeds");
-  if (!existsSync13(seedDir)) return;
+  const seedDir = join16(getProjectPath(), "data", "seeds");
+  if (!existsSync14(seedDir)) return;
   const files = readdirSync2(seedDir).filter((f) => f.endsWith(".json"));
   if (files.length === 0) return;
   const seedableDefs = /* @__PURE__ */ new Map();
@@ -28171,8 +28132,8 @@ async function importSeedFiles(db2, modules, logger2) {
       logger2.debug(`data/seeds/${file}: skipped (entity "${table}" is not seedable)`);
       continue;
     }
-    const filePath = join15(seedDir, file);
-    const raw = readFileSync9(filePath, "utf-8");
+    const filePath = join16(seedDir, file);
+    const raw = readFileSync10(filePath, "utf-8");
     let records;
     try {
       records = JSON.parse(raw);
@@ -28418,6 +28379,12 @@ async function runMigrationsAndSeeds(config3) {
   loadCoreModules();
   logger.info({ type: getDatabaseType(), path: getDatabasePath() }, "Database ready");
   await ensureSystemTables(getDb());
+  setSecretResolverDb(getDb());
+  await initAuthSecret(logger);
+  const isPM2Cluster = !!(process.env["PM2_HOME"] && process.env["NODE_APP_INSTANCE"]);
+  if (isPM2Cluster && getDatabaseType() === "sqlite") {
+    logger.warn("SQLite detected with PM2 cluster mode. SQLite does not support concurrent writes reliably. Use PostgreSQL for multi-process deployments, or set PM2 instances to 1.");
+  }
   const fileConfig = await loadNexusConfig();
   const effectiveConfig = { ...config3 };
   const programmaticPluginNames = new Set((config3?.plugins ?? []).map((p) => p.name));
@@ -28672,6 +28639,7 @@ async function stop() {
     resetConfigCache();
     clearCustomCaslRules();
     clearSeedPermissions();
+    _resetSecretResolver();
     await resetServeSPA();
     return;
   }
@@ -28707,6 +28675,7 @@ async function stop() {
   resetConfigCache();
   clearCustomCaslRules();
   clearSeedPermissions();
+  _resetSecretResolver();
   await resetServeSPA();
   currentConfig = void 0;
   server = null;
@@ -28776,6 +28745,7 @@ var init_server = __esm({
     init_ensure_system_tables();
     init_load_config();
     init_tunnel();
+    init_secret_resolver();
     server = null;
     gracefulShutdownRegistered = false;
     setupGracefulShutdown();