@infuro/cms-core 1.0.15 → 1.0.18

package/dist/api.cjs

@@ -428,9 +428,11 @@ __export(api_exports, {
   createCrudByIdHandler: () => createCrudByIdHandler,
   createCrudHandler: () => createCrudHandler,
   createDashboardStatsHandler: () => createDashboardStatsHandler,
+  createEcommerceAnalyticsHandler: () => createEcommerceAnalyticsHandler,
   createForgotPasswordHandler: () => createForgotPasswordHandler,
   createFormBySlugHandler: () => createFormBySlugHandler,
   createInviteAcceptHandler: () => createInviteAcceptHandler,
+  createMediaZipExtractHandler: () => createMediaZipExtractHandler,
   createSetPasswordHandler: () => createSetPasswordHandler,
   createSettingsApiHandlers: () => createSettingsApiHandlers,
   createStorefrontApiHandler: () => createStorefrontApiHandler,
@@ -567,6 +569,28 @@ function buildSearchWhereClause(repo, search) {
   if (ors.length === 0) return {};
   return ors.length === 1 ? ors[0] : ors;
 }
+function entityHasSoftDelete(repo) {
+  return repo.metadata.columns.some((c) => c.propertyName === "deleted");
+}
+function mergeDeletedFalseWhere(repo, where) {
+  if (!entityHasSoftDelete(repo)) return where;
+  const d = { deleted: false };
+  if (Array.isArray(where)) {
+    if (where.length === 0) return [d];
+    return where.map((w) => ({ ...w, ...d }));
+  }
+  return Object.keys(where).length > 0 ? { ...where, ...d } : d;
+}
+function buildSoftDeletePayload(meta, deletedBy) {
+  const payload = { deleted: true };
+  if (meta.columns.some((c) => c.propertyName === "deletedAt")) {
+    payload.deletedAt = /* @__PURE__ */ new Date();
+  }
+  if (deletedBy != null && meta.columns.some((c) => c.propertyName === "deletedBy")) {
+    payload.deletedBy = deletedBy;
+  }
+  return payload;
+}
 function makeContactErpSync(dataSource, entityMap, getCms) {
   return async function syncContactRowToErp(row) {
     if (!getCms) return;
@@ -591,10 +615,11 @@ function createCrudHandler(dataSource, entityMap, options) {
   async function authz(req, resource, action) {
     const authError = await requireAuth(req);
     if (authError) return authError;
-    if (reqPerm) {
-      const pe = await reqPerm(req, resource, action);
-      if (pe) return pe;
+    if (!reqPerm) {
+      return json({ error: "Forbidden", reason: "entity_rbac_required", entity: resource, action }, { status: 403 });
     }
+    const pe = await reqPerm(req, resource, action);
+    if (pe) return pe;
     return null;
   }
   return {
@@ -630,7 +655,7 @@ function createCrudHandler(dataSource, entityMap, options) {
             return json({ total: 0, page, limit, totalPages: 0, data: [] });
           }
         }
-        const qb = repo2.createQueryBuilder("order").leftJoinAndSelect("order.contact", "contact").leftJoinAndSelect("order.items", "items").leftJoinAndSelect("items.product", "product").leftJoinAndSelect("product.collection", "collection").orderBy(`order.${sortField2}`, sortOrderOrders).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("order").leftJoinAndSelect("order.contact", "contact").leftJoinAndSelect("order.items", "items").leftJoinAndSelect("items.product", "product").leftJoinAndSelect("product.collection", "collection").andWhere("order.deleted = :orderDel", { orderDel: false }).orderBy(`order.${sortField2}`, sortOrderOrders).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere(
@@ -668,7 +693,7 @@ function createCrudHandler(dataSource, entityMap, options) {
         const dateTo = searchParams.get("dateTo")?.trim();
         const methodFilter = searchParams.get("method")?.trim();
         const orderNumberParam = searchParams.get("orderNumber")?.trim();
-        const qb = repo2.createQueryBuilder("payment").leftJoinAndSelect("payment.order", "ord").leftJoinAndSelect("ord.contact", "orderContact").leftJoinAndSelect("payment.contact", "contact").orderBy(`payment.${sortField2}`, sortOrderPayments).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("payment").leftJoinAndSelect("payment.order", "ord").leftJoinAndSelect("ord.contact", "orderContact").leftJoinAndSelect("payment.contact", "contact").andWhere("payment.deleted = :payDel", { payDel: false }).orderBy(`payment.${sortField2}`, sortOrderPayments).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere(
@@ -699,7 +724,7 @@ function createCrudHandler(dataSource, entityMap, options) {
         const repo2 = dataSource.getRepository(entity);
         const statusFilter = searchParams.get("status")?.trim();
         const inventory = searchParams.get("inventory")?.trim();
-        const productWhere = {};
+        const productWhere = { deleted: false };
         if (statusFilter) productWhere.status = statusFilter;
         if (inventory === "in_stock") productWhere.quantity = (0, import_typeorm.MoreThan)(0);
         if (inventory === "out_of_stock") productWhere.quantity = 0;
@@ -722,7 +747,7 @@ function createCrudHandler(dataSource, entityMap, options) {
         const typeFilter2 = searchParams.get("type")?.trim();
         const orderIdParam = searchParams.get("orderId")?.trim();
         const includeSummary = searchParams.get("includeSummary") === "1";
-        const qb = repo2.createQueryBuilder("contact").orderBy(`contact.${sortField2}`, sortOrderContacts).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("contact").andWhere("contact.deleted = :contactDel", { contactDel: false }).orderBy(`contact.${sortField2}`, sortOrderContacts).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere("(contact.name ILIKE :term OR contact.email ILIKE :term OR contact.phone ILIKE :term)", { term });
@@ -757,14 +782,38 @@ function createCrudHandler(dataSource, entityMap, options) {
       const repo = dataSource.getRepository(entity);
       const typeFilter = searchParams.get("type");
       const columnNames = new Set(repo.metadata.columns.map((c) => c.propertyName));
+      if (resource === "media") {
+        const qb = repo.createQueryBuilder("m");
+        const parentIdParam = searchParams.get("parentId");
+        if (parentIdParam != null && parentIdParam !== "") {
+          const n = Number(parentIdParam);
+          if (!Number.isFinite(n)) return json({ error: "Invalid parentId" }, { status: 400 });
+          qb.where("m.deleted = :mediaDel AND m.parentId = :pid", { mediaDel: false, pid: n });
+        } else {
+          qb.where("m.deleted = :mediaDel AND m.parentId IS NULL", { mediaDel: false });
+        }
+        if (search && typeof search === "string" && search.trim()) {
+          qb.andWhere("m.filename ILIKE :search", { search: `%${search.trim()}%` });
+        }
+        if (typeFilter) {
+          qb.andWhere(
+            new import_typeorm.Brackets((sq) => {
+              sq.where("m.kind = :folderKind", { folderKind: "folder" }).orWhere("m.mimeType LIKE :mtp", {
+                mtp: `${typeFilter}/%`
+              });
+            })
+          );
+        }
+        const allowedSort = ["filename", "createdAt", "id"];
+        const sf = allowedSort.includes(sortFieldRaw) ? sortFieldRaw : "filename";
+        const so = sortOrder === "DESC" ? "DESC" : "ASC";
+        qb.orderBy("CASE WHEN m.kind = :fk THEN 0 ELSE 1 END", "ASC").addOrderBy(`m.${sf}`, so).setParameter("fk", "folder").skip(skip).take(limit);
+        const [data2, total2] = await qb.getManyAndCount();
+        return json({ total: total2, page, limit, totalPages: Math.ceil(total2 / limit), data: data2 });
+      }
       const sortField = columnNames.has(sortFieldRaw) ? sortFieldRaw : "createdAt";
       let where = {};
-      if (resource === "media") {
-        const mediaWhere = {};
-        if (search) mediaWhere.filename = (0, import_typeorm.ILike)(`%${search}%`);
-        if (typeFilter) mediaWhere.mimeType = (0, import_typeorm.Like)(`${typeFilter}/%`);
-        where = Object.keys(mediaWhere).length > 0 ? mediaWhere : {};
-      } else if (search) {
+      if (search) {
         where = buildSearchWhereClause(repo, search);
       }
       const intFilterKeys = ["productId", "attributeId", "taxId"];
@@ -785,6 +834,7 @@ function createCrudHandler(dataSource, entityMap, options) {
           where = extraWhere;
         }
       }
+      where = mergeDeletedFalseWhere(repo, where);
       const [data, total] = await repo.findAndCount({
         skip,
         take: limit,
@@ -804,6 +854,38 @@ function createCrudHandler(dataSource, entityMap, options) {
       if (!body || typeof body !== "object" || Object.keys(body).length === 0) {
         return json({ error: "Invalid request payload" }, { status: 400 });
       }
+      if (resource === "media") {
+        const b = body;
+        const kind = b.kind === "folder" ? "folder" : "file";
+        b.kind = kind;
+        const fn = String(b.filename ?? "").trim().slice(0, 255);
+        if (!fn) return json({ error: "filename required" }, { status: 400 });
+        b.filename = fn;
+        let pid = null;
+        if (b.parentId != null && b.parentId !== "") {
+          const n = Number(b.parentId);
+          if (!Number.isFinite(n)) return json({ error: "Invalid parentId" }, { status: 400 });
+          pid = n;
+        }
+        b.parentId = pid;
+        const mediaRepo = dataSource.getRepository(entityMap.media);
+        if (pid != null) {
+          const parent = await mediaRepo.findOne({ where: { id: pid } });
+          if (!parent || parent.kind !== "folder") {
+            return json({ error: "parent must be a folder" }, { status: 400 });
+          }
+        }
+        if (kind === "folder") {
+          b.url = null;
+          b.mimeType = "inode/directory";
+          b.size = 0;
+        } else {
+          if (!b.url || typeof b.url !== "string") return json({ error: "url required for files" }, { status: 400 });
+          if (!b.mimeType || typeof b.mimeType !== "string") {
+            b.mimeType = "application/octet-stream";
+          }
+        }
+      }
       const repo = dataSource.getRepository(entity);
       sanitizeBodyForEntity(repo, body);
       const created = await repo.save(repo.create(body));
@@ -920,15 +1002,16 @@ function createCrudHandler(dataSource, entityMap, options) {
   };
 }
 function createCrudByIdHandler(dataSource, entityMap, options) {
-  const { requireAuth, json, requireEntityPermission: reqPerm, getCms } = options;
+  const { requireAuth, json, requireEntityPermission: reqPerm, getCms, getDeletedByUserId } = options;
   const syncContactRowToErp = makeContactErpSync(dataSource, entityMap, getCms);
   async function authz(req, resource, action) {
     const authError = await requireAuth(req);
     if (authError) return authError;
-    if (reqPerm) {
-      const pe = await reqPerm(req, resource, action);
-      if (pe) return pe;
+    if (!reqPerm) {
+      return json({ error: "Forbidden", reason: "entity_rbac_required", entity: resource, action }, { status: 403 });
     }
+    const pe = await reqPerm(req, resource, action);
+    if (pe) return pe;
     return null;
   }
   return {
@@ -940,7 +1023,7 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       const repo = dataSource.getRepository(entity);
       if (resource === "orders") {
         const order = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["contact", "billingAddress", "shippingAddress", "items", "items.product", "items.product.collection", "payments"]
         });
         if (!order) return json({ message: "Not found" }, { status: 404 });
@@ -952,7 +1035,7 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       }
       if (resource === "contacts") {
         const contact = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["form_submissions", "form_submissions.form", "orders", "payments", "addresses"]
         });
         if (!contact) return json({ message: "Not found" }, { status: 404 });
@@ -974,7 +1057,7 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       }
       if (resource === "payments") {
         const payment = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["order", "order.contact", "contact"]
         });
         if (!payment) return json({ message: "Not found" }, { status: 404 });
@@ -982,12 +1065,13 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       }
       if (resource === "blogs") {
         const blog = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["category", "seo", "tags"]
         });
         return blog ? json(blog) : json({ message: "Not found" }, { status: 404 });
       }
-      const item = await repo.findOne({ where: { id: Number(id) } });
+      const idWhere = entityHasSoftDelete(repo) ? { id: Number(id), deleted: false } : { id: Number(id) };
+      const item = await repo.findOne({ where: idWhere });
       return item ? json(item) : json({ message: "Not found" }, { status: 404 });
     },
     async PUT(req, resource, id) {
@@ -999,7 +1083,9 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       const repo = dataSource.getRepository(entity);
       const numericId = Number(id);
       if (resource === "blogs" && rawBody && typeof rawBody === "object" && entityMap.categories && entityMap.seos && entityMap.tags) {
-        const existing = await repo.findOne({ where: { id: numericId } });
+        const existing = await repo.findOne({
+          where: { id: numericId, deleted: false }
+        });
         if (!existing) return json({ message: "Not found" }, { status: 404 });
         const updatePayload2 = pickColumnUpdates(repo, rawBody);
         if ("category" in rawBody) {
@@ -1075,7 +1161,18 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
         });
         return updated2 ? json(updated2) : json({ message: "Not found" }, { status: 404 });
       }
+      if (entityHasSoftDelete(repo)) {
+        const cur = await repo.findOne({
+          where: { id: numericId, deleted: false }
+        });
+        if (!cur) return json({ message: "Not found" }, { status: 404 });
+      }
       const updatePayload = rawBody && typeof rawBody === "object" ? pickColumnUpdates(repo, rawBody) : {};
+      if (resource === "media") {
+        const u = updatePayload;
+        delete u.parentId;
+        delete u.kind;
+      }
       if (Object.keys(updatePayload).length > 0) {
         sanitizeBodyForEntity(repo, updatePayload);
         await repo.update(numericId, updatePayload);
@@ -1096,7 +1193,24 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       const entity = entityMap[resource];
       if (!entity) return json({ error: "Invalid resource" }, { status: 400 });
       const repo = dataSource.getRepository(entity);
-      const result = await repo.delete(Number(id));
+      const numericId = Number(id);
+      if (entityHasSoftDelete(repo)) {
+        const existing = await repo.findOne({
+          where: { id: numericId, deleted: false }
+        });
+        if (!existing) return json({ message: "Not found" }, { status: 404 });
+        let deletedBy = null;
+        if (getDeletedByUserId) {
+          try {
+            deletedBy = await getDeletedByUserId(req);
+          } catch {
+            deletedBy = null;
+          }
+        }
+        await repo.update(numericId, buildSoftDeletePayload(repo.metadata, deletedBy));
+        return json({ message: "Deleted successfully" }, { status: 200 });
+      }
+      const result = await repo.delete(numericId);
       if (result.affected === 0) return json({ message: "Not found" }, { status: 404 });
       return json({ message: "Deleted successfully" }, { status: 200 });
     }
@@ -1250,7 +1364,7 @@ function createUserAuthApiRouter(config) {
 }
 
 // src/api/cms-handlers.ts
-var import_typeorm3 = require("typeorm");
+var import_typeorm4 = require("typeorm");
 init_email_queue();
 init_erp_queue();
 
@@ -1270,6 +1384,194 @@ async function assertCaptchaOk(getCms, body, req, json) {
   return json({ error: result.message }, { status: result.status });
 }
 
+// src/lib/media-folder-path.ts
+function sanitizeMediaFolderPath(input) {
+  if (input == null) return "";
+  if (typeof input !== "string") return "";
+  const segments = input.replace(/\\/g, "/").split("/").map((s) => s.trim()).filter(Boolean).filter((s) => s !== ".." && s !== ".");
+  const joined = segments.join("/");
+  return joined.length > 512 ? joined.slice(0, 512) : joined;
+}
+function sanitizeStorageSegment(name) {
+  const s = name.replace(/[/\\]/g, "-").trim().slice(0, 255);
+  return s || "item";
+}
+
+// src/lib/media-parent-path.ts
+async function relativePathFromMediaParentId(dataSource, entityMap, parentId) {
+  if (parentId == null) return "";
+  const repo = dataSource.getRepository(entityMap.media);
+  const segments = [];
+  let id = parentId;
+  for (let d = 0; d < 64 && id != null; d++) {
+    const row = await repo.findOne({ where: { id } });
+    if (!row) break;
+    const m = row;
+    if (m.kind !== "folder") break;
+    segments.unshift(sanitizeStorageSegment(m.filename));
+    id = m.parentId ?? null;
+  }
+  return segments.join("/");
+}
+
+// src/lib/media-zip-extract.ts
+var import_typeorm3 = require("typeorm");
+var ZIP_MIME_TYPES = /* @__PURE__ */ new Set(["application/zip", "application/x-zip-compressed"]);
+var MAX_ENTRIES = 2e3;
+var MAX_TOTAL_UNCOMPRESSED = 80 * 1024 * 1024;
+function isZipMedia(mime, filename) {
+  if (mime && ZIP_MIME_TYPES.has(mime)) return true;
+  return filename.toLowerCase().endsWith(".zip");
+}
+async function readBufferFromPublicUrl(url) {
+  if (url.startsWith("http://") || url.startsWith("https://")) {
+    const r = await fetch(url);
+    if (!r.ok) throw new Error("Failed to download file");
+    return Buffer.from(await r.arrayBuffer());
+  }
+  if (url.startsWith("/")) {
+    const { readFile } = await import("fs/promises");
+    const { join } = await import("path");
+    const rel = url.replace(/^\/+/, "");
+    return readFile(join(process.cwd(), "public", rel));
+  }
+  throw new Error("Unsupported media URL");
+}
+function sanitizeZipPath(entryName) {
+  const norm = entryName.replace(/\\/g, "/").split("/").filter(Boolean);
+  for (const seg of norm) {
+    if (seg === ".." || seg === ".") return null;
+  }
+  return norm;
+}
+function shouldSkipEntry(parts) {
+  if (parts[0] === "__MACOSX") return true;
+  const last = parts[parts.length - 1];
+  if (last === ".DS_Store") return true;
+  return false;
+}
+function guessMimeType(fileName) {
+  const lower = fileName.toLowerCase();
+  if (lower.endsWith(".png")) return "image/png";
+  if (lower.endsWith(".jpg") || lower.endsWith(".jpeg")) return "image/jpeg";
+  if (lower.endsWith(".gif")) return "image/gif";
+  if (lower.endsWith(".webp")) return "image/webp";
+  if (lower.endsWith(".svg")) return "image/svg+xml";
+  if (lower.endsWith(".pdf")) return "application/pdf";
+  if (lower.endsWith(".txt")) return "text/plain";
+  if (lower.endsWith(".json")) return "application/json";
+  if (lower.endsWith(".zip")) return "application/zip";
+  return "application/octet-stream";
+}
+async function findOrCreateFolder(dataSource, entityMap, parentId, name) {
+  const safe = sanitizeStorageSegment(name);
+  const repo = dataSource.getRepository(entityMap.media);
+  const where = parentId == null ? { kind: "folder", filename: safe, parentId: (0, import_typeorm3.IsNull)() } : { kind: "folder", filename: safe, parentId };
+  const existing = await repo.findOne({ where });
+  if (existing) return existing.id;
+  const row = await repo.save(
+    repo.create({
+      kind: "folder",
+      parentId,
+      filename: safe,
+      url: null,
+      mimeType: "inode/directory",
+      size: 0,
+      alt: null,
+      isPublic: false,
+      deleted: false
+    })
+  );
+  return row.id;
+}
+async function ensureFolderChain(dataSource, entityMap, rootParentId, pathSegments) {
+  let pid = rootParentId;
+  for (const seg of pathSegments) {
+    if (!seg) continue;
+    pid = await findOrCreateFolder(dataSource, entityMap, pid, seg);
+  }
+  return pid;
+}
+async function extractZipMediaIntoParentTree(opts) {
+  const { dataSource, entityMap, zipMediaRow } = opts;
+  const row = zipMediaRow;
+  if (row.kind !== "file" || !row.url) throw new Error("Not a file");
+  if (!isZipMedia(row.mimeType, row.filename)) throw new Error("Not a zip archive");
+  const buffer = await readBufferFromPublicUrl(row.url);
+  const { default: AdmZip } = await import("adm-zip");
+  const zip = new AdmZip(buffer);
+  const entries = zip.getEntries();
+  if (entries.length > MAX_ENTRIES) throw new Error(`Too many zip entries (max ${MAX_ENTRIES})`);
+  const rootParentId = row.parentId;
+  const items = [];
+  let totalUncompressed = 0;
+  for (const e of entries) {
+    const raw = e.entryName;
+    const parts = sanitizeZipPath(raw);
+    if (!parts || shouldSkipEntry(parts)) continue;
+    const isDir = e.isDirectory || /\/$/.test(raw);
+    let data = null;
+    if (!isDir) {
+      data = e.getData();
+      totalUncompressed += data.length;
+      if (totalUncompressed > MAX_TOTAL_UNCOMPRESSED) {
+        throw new Error(`Uncompressed content exceeds limit (${MAX_TOTAL_UNCOMPRESSED} bytes)`);
+      }
+    }
+    items.push({ parts, isDir, data });
+  }
+  items.sort((a, b) => {
+    const da = a.parts.length;
+    const db = b.parts.length;
+    if (da !== db) return da - db;
+    return a.parts.join("/").localeCompare(b.parts.join("/"));
+  });
+  let files = 0;
+  let folderEntries = 0;
+  const repo = dataSource.getRepository(entityMap.media);
+  for (const it of items) {
+    if (it.isDir) {
+      await ensureFolderChain(dataSource, entityMap, rootParentId, it.parts);
+      folderEntries++;
+      continue;
+    }
+    const fileName = it.parts[it.parts.length - 1];
+    const dirParts = it.parts.slice(0, -1);
+    const parentFolderId = await ensureFolderChain(dataSource, entityMap, rootParentId, dirParts);
+    const buf = it.data;
+    const relBase = await relativePathFromMediaParentId(dataSource, entityMap, parentFolderId);
+    const relativeUnderUploads = relBase ? `${relBase}/${fileName}` : fileName;
+    const contentType = guessMimeType(fileName);
+    let publicUrl;
+    if (opts.storage) {
+      publicUrl = await opts.storage.upload(buf, `uploads/${relativeUnderUploads}`, contentType);
+    } else {
+      const fs = await import("fs/promises");
+      const pathMod = await import("path");
+      const dir = pathMod.join(process.cwd(), opts.localUploadDir);
+      const filePath = pathMod.join(dir, relativeUnderUploads);
+      await fs.mkdir(pathMod.dirname(filePath), { recursive: true });
+      await fs.writeFile(filePath, buf);
+      publicUrl = `/${opts.localUploadDir.replace(/^\/+/, "").replace(/\\/g, "/")}/${relativeUnderUploads.replace(/\\/g, "/")}`;
+    }
+    await repo.save(
+      repo.create({
+        kind: "file",
+        parentId: parentFolderId,
+        filename: fileName,
+        url: publicUrl,
+        mimeType: contentType,
+        size: buf.length,
+        alt: null,
+        isPublic: false,
+        deleted: false
+      })
+    );
+    files++;
+  }
+  return { files, folderEntries };
+}
+
 // src/api/cms-handlers.ts
 function createDashboardStatsHandler(config) {
   const { dataSource, entityMap, json, requireAuth, requirePermission, requireEntityPermission } = config;
@@ -1287,26 +1589,209 @@ function createDashboardStatsHandler(config) {
     try {
       const sevenDaysAgo = new Date(Date.now() - 7 * 24 * 60 * 60 * 1e3);
       const repo = (name) => entityMap[name] ? dataSource.getRepository(entityMap[name]) : void 0;
-      const [contactsCount, formsCount, formSubmissionsCount, usersCount, blogsCount, recentContacts, recentSubmissions] = await Promise.all([
+      const [contactsCount, formsCount, formSubmissionsCount, usersCount, blogsCount, recentContacts, recentSubmissions, contactTypeRows] = await Promise.all([
         repo("contacts")?.count() ?? 0,
         repo("forms")?.count({ where: { deleted: false } }) ?? 0,
         repo("form_submissions")?.count() ?? 0,
         repo("users")?.count({ where: { deleted: false } }) ?? 0,
         repo("blogs")?.count({ where: { deleted: false } }) ?? 0,
-        repo("contacts")?.count({ where: { createdAt: (0, import_typeorm3.MoreThanOrEqual)(sevenDaysAgo) } }) ?? 0,
-        repo("form_submissions")?.count({ where: { createdAt: (0, import_typeorm3.MoreThanOrEqual)(sevenDaysAgo) } }) ?? 0
+        repo("contacts")?.count({ where: { createdAt: (0, import_typeorm4.MoreThanOrEqual)(sevenDaysAgo) } }) ?? 0,
+        repo("form_submissions")?.count({ where: { createdAt: (0, import_typeorm4.MoreThanOrEqual)(sevenDaysAgo) } }) ?? 0,
+        repo("contacts")?.createQueryBuilder("c").select("COALESCE(NULLIF(TRIM(c.type), ''), 'unknown')", "type").addSelect("COUNT(*)", "count").where("c.deleted = :deleted", { deleted: false }).groupBy("COALESCE(NULLIF(TRIM(c.type), ''), 'unknown')").getRawMany() ?? []
       ]);
       return json({
         contacts: { total: contactsCount, recent: recentContacts },
         forms: { total: formsCount, submissions: formSubmissionsCount, recentSubmissions },
         users: usersCount,
-        blogs: blogsCount
+        blogs: blogsCount,
+        contactTypes: (contactTypeRows ?? []).map((row) => ({
+          type: row.type || "unknown",
+          count: Number(row.count || 0)
+        }))
       });
     } catch (err) {
       return json({ error: "Failed to fetch dashboard stats" }, { status: 500 });
     }
   };
 }
+function toNum(v) {
+  const n = typeof v === "number" ? v : Number(v ?? 0);
+  return Number.isFinite(n) ? n : 0;
+}
+function toIsoDate(d) {
+  return d.toISOString().slice(0, 10);
+}
+function createEcommerceAnalyticsHandler(config) {
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission } = config;
+  return async function GET(req) {
+    const authErr = await requireAuth(req);
+    if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(req, "analytics", "read");
+      if (pe) return pe;
+    }
+    if (!entityMap.orders || !entityMap.order_items || !entityMap.payments || !entityMap.products) {
+      return json({ error: "Store analytics unavailable" }, { status: 404 });
+    }
+    try {
+      const url = new URL(req.url);
+      const rawDays = parseInt(url.searchParams.get("days") || "30", 10);
+      const days = Number.isFinite(rawDays) ? Math.min(365, Math.max(7, rawDays)) : 30;
+      const end = /* @__PURE__ */ new Date();
+      const start = new Date(end.getTime() - days * 24 * 60 * 60 * 1e3);
+      const orderRepo = dataSource.getRepository(entityMap.orders);
+      const paymentRepo = dataSource.getRepository(entityMap.payments);
+      const itemRepo = dataSource.getRepository(entityMap.order_items);
+      const productRepo = dataSource.getRepository(entityMap.products);
+      const [salesOrders, returnOrders, replacementOrders, payments, products] = await Promise.all([
+        orderRepo.find({
+          where: { deleted: false, createdAt: (0, import_typeorm4.MoreThanOrEqual)(start), orderKind: "sale", status: (0, import_typeorm4.In)(["confirmed", "processing", "completed"]) },
+          select: ["id", "contactId", "createdAt", "subtotal", "discount", "tax", "total", "status"]
+        }),
+        orderRepo.find({
+          where: { deleted: false, createdAt: (0, import_typeorm4.MoreThanOrEqual)(start), orderKind: "return" },
+          select: ["id", "createdAt", "total"]
+        }),
+        orderRepo.find({
+          where: { deleted: false, createdAt: (0, import_typeorm4.MoreThanOrEqual)(start), orderKind: "replacement" },
+          select: ["id", "createdAt", "total"]
+        }),
+        paymentRepo.find({
+          where: { deleted: false, createdAt: (0, import_typeorm4.MoreThanOrEqual)(start) },
+          select: ["id", "status", "method", "amount", "createdAt"]
+        }),
+        productRepo.find({
+          where: { deleted: false },
+          select: ["id", "name", "quantity"]
+        })
+      ]);
+      const saleOrderIds = salesOrders.map((o) => o.id);
+      const orderItems = saleOrderIds.length ? await itemRepo.find({
+        where: { orderId: (0, import_typeorm4.In)(saleOrderIds) },
+        select: ["id", "orderId", "productId", "quantity", "total"]
+      }) : [];
+      const grossSales = salesOrders.reduce((sum, o) => sum + toNum(o.subtotal), 0);
+      const discounts = salesOrders.reduce((sum, o) => sum + toNum(o.discount), 0);
+      const taxes = salesOrders.reduce((sum, o) => sum + toNum(o.tax), 0);
+      const returnsValue = returnOrders.reduce((sum, o) => sum + toNum(o.total), 0);
+      const replacementsValue = replacementOrders.reduce((sum, o) => sum + toNum(o.total), 0);
+      const netSales = grossSales - discounts - returnsValue;
+      const ordersCount = salesOrders.length;
+      const aov = ordersCount > 0 ? netSales / ordersCount : 0;
+      const returnRate = ordersCount > 0 ? returnOrders.length / ordersCount * 100 : 0;
+      const salesByDate = /* @__PURE__ */ new Map();
+      const returnsByDate = /* @__PURE__ */ new Map();
+      for (const o of salesOrders) {
+        const key = toIsoDate(new Date(o.createdAt));
+        const row = salesByDate.get(key) ?? { value: 0, orders: 0 };
+        row.value += toNum(o.total);
+        row.orders += 1;
+        salesByDate.set(key, row);
+      }
+      for (const o of returnOrders) {
+        const key = toIsoDate(new Date(o.createdAt));
+        const row = returnsByDate.get(key) ?? { value: 0, count: 0 };
+        row.value += toNum(o.total);
+        row.count += 1;
+        returnsByDate.set(key, row);
+      }
+      const salesOverTime = [];
+      const returnsTrend = [];
+      for (let i = days - 1; i >= 0; i--) {
+        const d = new Date(end.getTime() - i * 24 * 60 * 60 * 1e3);
+        const key = toIsoDate(d);
+        const sales = salesByDate.get(key) ?? { value: 0, orders: 0 };
+        const returns = returnsByDate.get(key) ?? { value: 0, count: 0 };
+        salesOverTime.push({ date: key, value: Number(sales.value.toFixed(2)), orders: sales.orders });
+        returnsTrend.push({ date: key, value: Number(returns.value.toFixed(2)), count: returns.count });
+      }
+      const productNameMap = /* @__PURE__ */ new Map();
+      for (const p of products) productNameMap.set(Number(p.id), (p.name || `Product #${p.id}`).trim());
+      const productAgg = /* @__PURE__ */ new Map();
+      for (const item of orderItems) {
+        const productId = Number(item.productId);
+        const productName = productNameMap.get(productId) || `Product #${productId}`;
+        const row = productAgg.get(productId) ?? { name: productName, units: 0, sales: 0 };
+        row.units += toNum(item.quantity);
+        row.sales += toNum(item.total);
+        productAgg.set(productId, row);
+      }
+      const topProducts = Array.from(productAgg.values()).sort((a, b) => b.sales - a.sales).slice(0, 5).map((p) => ({ ...p, sales: Number(p.sales.toFixed(2)) }));
+      const allSaleOrderContactIds = Array.from(new Set(salesOrders.map((o) => Number(o.contactId)).filter((n) => Number.isInteger(n) && n > 0)));
+      const allTimeCounts = allSaleOrderContactIds.length ? await orderRepo.createQueryBuilder("o").select("o.contactId", "contactId").addSelect("COUNT(*)", "total").where("o.deleted = :deleted", { deleted: false }).andWhere("o.orderKind = :orderKind", { orderKind: "sale" }).andWhere("o.contactId IN (:...contactIds)", { contactIds: allSaleOrderContactIds }).groupBy("o.contactId").getRawMany() : [];
+      const countMap = /* @__PURE__ */ new Map();
+      for (const c of allTimeCounts) countMap.set(Number(c.contactId), Number(c.total));
+      const purchasingCustomers = allSaleOrderContactIds.length;
+      const returningCustomers = allSaleOrderContactIds.filter((id) => (countMap.get(id) ?? 0) > 1).length;
+      const newCustomers = Math.max(0, purchasingCustomers - returningCustomers);
+      const returningCustomerRate = purchasingCustomers > 0 ? returningCustomers / purchasingCustomers * 100 : 0;
+      const totalPayments = payments.length;
+      const completedPayments = payments.filter((p) => p.status === "completed").length;
+      const failedPayments = payments.filter((p) => p.status === "failed").length;
+      const paymentSuccessRate = totalPayments > 0 ? completedPayments / totalPayments * 100 : 0;
+      const paymentMethodMap = /* @__PURE__ */ new Map();
+      for (const p of payments) {
+        const method = (p.method || "unknown").toLowerCase();
+        const row = paymentMethodMap.get(method) ?? { method, count: 0, amount: 0 };
+        row.count += 1;
+        row.amount += toNum(p.amount);
+        paymentMethodMap.set(method, row);
+      }
+      const paymentMethods = Array.from(paymentMethodMap.values()).sort((a, b) => b.count - a.count).map((p) => ({ ...p, amount: Number(p.amount.toFixed(2)) }));
+      const totalInventory = products.reduce((sum, p) => sum + toNum(p.quantity), 0);
+      const outOfStockCount = products.filter((p) => toNum(p.quantity) <= 0).length;
+      const lowStockCount = products.filter((p) => toNum(p.quantity) > 0 && toNum(p.quantity) <= 5).length;
+      const inventoryRisk = {
+        outOfStockCount,
+        lowStockCount,
+        totalInventory
+      };
+      return json({
+        rangeDays: days,
+        kpis: {
+          netSales: Number(netSales.toFixed(2)),
+          grossSales: Number(grossSales.toFixed(2)),
+          ordersPlaced: ordersCount,
+          averageOrderValue: Number(aov.toFixed(2)),
+          returningCustomerRate: Number(returningCustomerRate.toFixed(2)),
+          returnRate: Number(returnRate.toFixed(2)),
+          returnValue: Number(returnsValue.toFixed(2)),
+          discounts: Number(discounts.toFixed(2)),
+          taxes: Number(taxes.toFixed(2)),
+          paymentSuccessRate: Number(paymentSuccessRate.toFixed(2))
+        },
+        salesOverTime,
+        topProducts,
+        customerMix: {
+          newCustomers,
+          returningCustomers,
+          repeatPurchaseRate: Number(returningCustomerRate.toFixed(2))
+        },
+        returnsTrend,
+        paymentPerformance: {
+          successCount: completedPayments,
+          failedCount: failedPayments,
+          successRate: Number(paymentSuccessRate.toFixed(2)),
+          methods: paymentMethods
+        },
+        conversionProxy: {
+          sessions: 0,
+          checkoutStarted: 0,
+          ordersPlaced: ordersCount
+        },
+        salesBreakdown: {
+          sales: { count: ordersCount, value: Number(grossSales.toFixed(2)) },
+          returns: { count: returnOrders.length, value: Number(returnsValue.toFixed(2)) },
+          replacements: { count: replacementOrders.length, value: Number(replacementsValue.toFixed(2)) }
+        },
+        geoPerformance: [],
+        inventoryRisk
+      });
+    } catch {
+      return json({ error: "Failed to fetch ecommerce analytics" }, { status: 500 });
+    }
+  };
+}
 function createAnalyticsHandlers(config) {
   const { json, getAnalyticsData, getPropertyId, getPermissions } = config;
   return {
@@ -1338,8 +1823,27 @@ function createAnalyticsHandlers(config) {
   };
 }
 function createUploadHandler(config) {
-  const { json, requireAuth, requireEntityPermission, storage, localUploadDir = "public/uploads", allowedTypes, maxSizeBytes = 10 * 1024 * 1024 } = config;
-  const allowed = allowedTypes ?? ["image/jpeg", "image/png", "image/gif", "image/webp", "application/pdf", "text/plain"];
+  const {
+    json,
+    requireAuth,
+    requireEntityPermission,
+    storage,
+    localUploadDir = "public/uploads",
+    allowedTypes,
+    maxSizeBytes = 10 * 1024 * 1024,
+    dataSource,
+    entityMap
+  } = config;
+  const allowed = allowedTypes ?? [
+    "image/jpeg",
+    "image/png",
+    "image/gif",
+    "image/webp",
+    "application/pdf",
+    "text/plain",
+    "application/zip",
+    "application/x-zip-compressed"
+  ];
   return async function POST(req) {
     const authErr = await requireAuth(req);
     if (authErr) return authErr;
@@ -1352,28 +1856,92 @@ function createUploadHandler(config) {
       const file = formData.get("file");
       if (!file) return json({ error: "No file uploaded" }, { status: 400 });
       if (!allowed.includes(file.type)) return json({ error: "File type not allowed" }, { status: 400 });
-      if (file.size > maxSizeBytes) return json({ error: "File size exceeds limit" }, { status: 400 });
+      const defaultMax = 10 * 1024 * 1024;
+      const maxZipBytes = 80 * 1024 * 1024;
+      const baseMax = maxSizeBytes ?? defaultMax;
+      const effectiveMax = file.type === "application/zip" || file.type === "application/x-zip-compressed" ? Math.max(baseMax, maxZipBytes) : baseMax;
+      if (file.size > effectiveMax) return json({ error: "File size exceeds limit" }, { status: 400 });
+      const parentRaw = formData.get("parentId");
+      let parentId = null;
+      if (parentRaw != null && String(parentRaw).trim() !== "") {
+        const n = Number(parentRaw);
+        if (!Number.isFinite(n)) return json({ error: "Invalid parentId" }, { status: 400 });
+        parentId = n;
+      }
+      let folder = "";
+      if (parentId != null) {
+        if (!dataSource || !entityMap?.media) {
+          return json({ error: "Upload handler needs dataSource and entityMap for folder uploads" }, { status: 400 });
+        }
+        const repo = dataSource.getRepository(entityMap.media);
+        const p = await repo.findOne({ where: { id: parentId } });
+        if (!p || p.kind !== "folder") {
+          return json({ error: "parent must be a folder" }, { status: 400 });
+        }
+        folder = await relativePathFromMediaParentId(dataSource, entityMap, parentId);
+      } else {
+        const folderRawLegacy = formData.get("folder") ?? formData.get("folderPath");
+        if (folderRawLegacy && typeof folderRawLegacy === "string" && folderRawLegacy.trim()) {
+          folder = sanitizeMediaFolderPath(folderRawLegacy);
+        }
+      }
       const buffer = Buffer.from(await file.arrayBuffer());
       const fileName = `${Date.now()}-${file.name}`;
       const contentType = file.type || "application/octet-stream";
+      const relativeUnderUploads = folder ? `${folder}/${fileName}` : fileName;
       const raw = typeof storage === "function" ? storage() : storage;
       const storageService = raw instanceof Promise ? await raw : raw;
       if (storageService) {
-        const fileUrl = await storageService.upload(buffer, `uploads/${fileName}`, contentType);
-        return json({ filePath: fileUrl });
+        const fileUrl = await storageService.upload(buffer, `uploads/${relativeUnderUploads}`, contentType);
+        return json({ filePath: fileUrl, parentId });
       }
       const fs = await import("fs/promises");
       const path = await import("path");
       const dir = path.join(process.cwd(), localUploadDir);
-      await fs.mkdir(dir, { recursive: true });
-      const filePath = path.join(dir, fileName);
+      const filePath = path.join(dir, relativeUnderUploads);
+      await fs.mkdir(path.dirname(filePath), { recursive: true });
       await fs.writeFile(filePath, buffer);
-      return json({ filePath: `/${localUploadDir.replace(/^\/+/, "").replace(/\\/g, "/")}/${fileName}` });
+      const urlRel = `${localUploadDir.replace(/^\/+/, "").replace(/\\/g, "/")}/${relativeUnderUploads.replace(/\\/g, "/")}`;
+      return json({ filePath: `/${urlRel}`, parentId });
     } catch (err) {
       return json({ error: "File upload failed" }, { status: 500 });
     }
   };
 }
+function createMediaZipExtractHandler(config) {
+  const { json, requireAuth, requireEntityPermission, storage, localUploadDir = "public/uploads", dataSource, entityMap } = config;
+  return async function POST(_req, zipMediaId) {
+    const authErr = await requireAuth(_req);
+    if (authErr) return authErr;
+    if (requireEntityPermission) {
+      const pe = await requireEntityPermission(_req, "media", "create");
+      if (pe) return pe;
+    }
+    if (!dataSource || !entityMap?.media) {
+      return json({ error: "Media extract requires dataSource and entityMap" }, { status: 500 });
+    }
+    const id = Number(zipMediaId);
+    if (!Number.isFinite(id)) return json({ error: "Invalid id" }, { status: 400 });
+    const repo = dataSource.getRepository(entityMap.media);
+    const row = await repo.findOne({ where: { id } });
+    if (!row) return json({ error: "Not found" }, { status: 404 });
+    try {
+      const raw = typeof storage === "function" ? storage() : storage;
+      const storageService = raw instanceof Promise ? await raw : raw;
+      const result = await extractZipMediaIntoParentTree({
+        dataSource,
+        entityMap,
+        zipMediaRow: row,
+        storage: storageService,
+        localUploadDir
+      });
+      return json({ ok: true, ...result });
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : "Extract failed";
+      return json({ error: msg }, { status: 400 });
+    }
+  };
+}
 function createBlogBySlugHandler(config) {
   const { dataSource, entityMap, json } = config;
   return async function GET(_req, slug) {
@@ -1750,7 +2318,7 @@ function createFormSubmissionHandler(config) {
   };
 }
 function createUsersApiHandlers(config) {
-  const { dataSource, entityMap, json, requireAuth, requireEntityPermission, baseUrl, getCms, getCompanyDetails } = config;
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission, baseUrl, getCms, getCompanyDetails, getSessionUser } = config;
   async function trySendInviteEmail(toEmail, inviteLink, inviteeName) {
     if (!getCms) return;
     try {
@@ -1786,7 +2354,10 @@ function createUsersApiHandlers(config) {
         const sortField = url.searchParams.get("sortField") || "createdAt";
         const sortOrder = url.searchParams.get("sortOrder") === "desc" ? "DESC" : "ASC";
         const search = url.searchParams.get("search");
-        const where = search ? [{ name: (0, import_typeorm3.ILike)(`%${search}%`) }, { email: (0, import_typeorm3.ILike)(`%${search}%`) }] : {};
+        const where = search ? [
+          { name: (0, import_typeorm4.ILike)(`%${search}%`), deleted: false },
+          { email: (0, import_typeorm4.ILike)(`%${search}%`), deleted: false }
+        ] : { deleted: false };
         const [data, total] = await userRepo().findAndCount({
           skip,
           take: limit,
@@ -1851,7 +2422,7 @@ function createUsersApiHandlers(config) {
       }
       try {
         const user = await userRepo().findOne({
-          where: { id: parseInt(id, 10) },
+          where: { id: parseInt(id, 10), deleted: false },
           relations: ["group"],
           select: ["id", "name", "email", "blocked", "createdAt", "updatedAt", "groupId"]
         });
@@ -1869,11 +2440,14 @@ function createUsersApiHandlers(config) {
         if (pe) return pe;
       }
       try {
+        const uid = parseInt(id, 10);
+        const existing = await userRepo().findOne({ where: { id: uid, deleted: false } });
+        if (!existing) return json({ error: "Not found" }, { status: 404 });
         const body = await req.json();
         const { password: _p, ...safe } = body;
-        await userRepo().update(parseInt(id, 10), safe);
+        await userRepo().update(uid, safe);
         const updated = await userRepo().findOne({
-          where: { id: parseInt(id, 10) },
+          where: { id: uid, deleted: false },
           relations: ["group"],
           select: ["id", "name", "email", "blocked", "createdAt", "updatedAt", "groupId"]
         });
@@ -1890,8 +2464,23 @@ function createUsersApiHandlers(config) {
         if (pe) return pe;
       }
       try {
-        const r = await userRepo().delete(parseInt(id, 10));
-        if (r.affected === 0) return json({ error: "User not found" }, { status: 404 });
+        const uid = parseInt(id, 10);
+        const existing = await userRepo().findOne({ where: { id: uid, deleted: false } });
+        if (!existing) return json({ error: "User not found" }, { status: 404 });
+        let deletedBy = null;
+        if (getSessionUser) {
+          try {
+            const u = await getSessionUser();
+            if (u?.id) {
+              const n = Number(u.id);
+              if (Number.isFinite(n)) deletedBy = n;
+            }
+          } catch {
+          }
+        }
+        const payload = { deleted: true, deletedAt: /* @__PURE__ */ new Date() };
+        if (deletedBy != null) payload.deletedBy = deletedBy;
+        await userRepo().update(uid, payload);
         return json({ message: "User deleted successfully" });
       } catch {
         return json({ error: "Server Error" }, { status: 500 });
@@ -1905,7 +2494,10 @@ function createUsersApiHandlers(config) {
         if (pe) return pe;
       }
       try {
-        const user = await userRepo().findOne({ where: { id: parseInt(id, 10) }, select: ["email", "name"] });
+        const user = await userRepo().findOne({
+          where: { id: parseInt(id, 10), deleted: false },
+          select: ["email", "name"]
+        });
         if (!user) return json({ error: "User not found" }, { status: 404 });
         const emailToken = Buffer.from(user.email).toString("base64");
         const inviteLink = `${baseUrl}/admin/invite?token=${emailToken}`;
@@ -2146,7 +2738,7 @@ function createChatHandlers(config) {
         if (contextParts.length === 0) {
           const terms = getQueryTerms(message);
           if (terms.length > 0) {
-            const conditions = terms.map((t) => ({ content: (0, import_typeorm3.ILike)(`%${t}%`) }));
+            const conditions = terms.map((t) => ({ content: (0, import_typeorm4.ILike)(`%${t}%`) }));
             const chunks = await chunkRepo().find({
               where: conditions,
               take: KB_CHUNK_LIMIT,
@@ -2515,6 +3107,7 @@ function createCmsApiHandler(config) {
     getCms,
     userAuth: userAuthConfig,
     dashboard,
+    ecommerceAnalytics,
     analytics: analyticsConfig,
     upload,
     blogBySlug,
@@ -2527,9 +3120,10 @@ function createCmsApiHandler(config) {
     userProfile,
     settings: settingsConfig,
     chat: chatConfig,
-    requireEntityPermission: reqEntityPerm,
+    requireEntityPermission: userRequireEntityPermission,
     getSessionUser
   } = config;
+  const requireEntityPermissionEffective = userRequireEntityPermission ?? (async (_req, entity, action) => config.json({ error: "Forbidden", reason: "entity_rbac_required", entity, action }, { status: 403 }));
   const analytics = analyticsConfig ?? (getCms ? {
     json: config.json,
     requireAuth: async () => null,
@@ -2567,12 +3161,20 @@ function createCmsApiHandler(config) {
   const crudOpts = {
     requireAuth: config.requireAuth,
     json: config.json,
-    requireEntityPermission: reqEntityPerm,
-    getCms
+    requireEntityPermission: requireEntityPermissionEffective,
+    getCms,
+    ...getSessionUser ? {
+      getDeletedByUserId: async () => {
+        const u = await getSessionUser();
+        if (!u?.id) return null;
+        const n = Number(u.id);
+        return Number.isFinite(n) ? n : null;
+      }
+    } : {}
   };
   const crud = createCrudHandler(dataSource, entityMap, crudOpts);
   const crudById = createCrudByIdHandler(dataSource, entityMap, crudOpts);
-  const mergePerm = (c) => !c ? void 0 : reqEntityPerm ? { ...c, requireEntityPermission: reqEntityPerm } : c;
+  const mergePerm = (c) => !c ? void 0 : { ...c, requireEntityPermission: requireEntityPermissionEffective };
   const adminRoles = getSessionUser && createAdminRolesHandlers({
     dataSource,
     entityMap,
@@ -2581,8 +3183,23 @@ function createCmsApiHandler(config) {
   });
   const userAuthRouter = userAuth ? createUserAuthApiRouter(userAuth) : null;
   const dashboardGet = dashboard ? createDashboardStatsHandler(mergePerm(dashboard) ?? dashboard) : null;
+  const ecommerceAnalyticsResolved = mergePerm(
+    ecommerceAnalytics ?? {
+      dataSource,
+      entityMap,
+      json: config.json,
+      requireAuth: config.requireAuth
+    }
+  );
+  const ecommerceAnalyticsGet = createEcommerceAnalyticsHandler(ecommerceAnalyticsResolved);
   const analyticsHandlers = analytics ? createAnalyticsHandlers(analytics) : null;
-  const uploadPost = upload ? createUploadHandler(mergePerm(upload) ?? upload) : null;
+  const uploadMerged = upload ? {
+    ...mergePerm(upload) ?? upload,
+    dataSource: upload.dataSource ?? dataSource,
+    entityMap: upload.entityMap ?? entityMap
+  } : null;
+  const uploadPost = uploadMerged ? createUploadHandler(uploadMerged) : null;
+  const zipExtractPost = uploadMerged ? createMediaZipExtractHandler(uploadMerged) : null;
   const blogBySlugGet = blogBySlug ? createBlogBySlugHandler(blogBySlug) : null;
   const formBySlugGet = formBySlug ? createFormBySlugHandler(formBySlug) : null;
   const formSaveHandlers = formSaveConfig ? createFormSaveHandlers(mergePerm(formSaveConfig) ?? formSaveConfig) : null;
@@ -2592,7 +3209,11 @@ function createCmsApiHandler(config) {
   const usersApiMerged = usersApi && getCms ? {
     ...usersApi,
     getCms: usersApi.getCms ?? getCms,
-    getCompanyDetails: usersApi.getCompanyDetails ?? config.getCompanyDetails
+    getCompanyDetails: usersApi.getCompanyDetails ?? config.getCompanyDetails,
+    ...getSessionUser ? { getSessionUser: usersApi.getSessionUser ?? getSessionUser } : {}
+  } : usersApi ? {
+    ...usersApi,
+    ...getSessionUser ? { getSessionUser: usersApi.getSessionUser ?? getSessionUser } : {}
   } : usersApi;
   const usersHandlers = usersApiMerged ? createUsersApiHandlers(mergePerm(usersApiMerged) ?? usersApiMerged) : null;
   const avatarPost = userAvatar ? createUserAvatarHandler(userAvatar) : null;
@@ -2603,7 +3224,7 @@ function createCmsApiHandler(config) {
     entityMap,
     json: config.json,
     requireAuth: config.requireAuth,
-    requireEntityPermission: reqEntityPerm
+    requireEntityPermission: requireEntityPermissionEffective
   });
   const chatHandlers = chatConfig ? createChatHandlers(chatConfig) : null;
   function resolveResource(segment) {
@@ -2612,12 +3233,10 @@ function createCmsApiHandler(config) {
   }
   return {
     async handle(method, path, req) {
-      const perm = reqEntityPerm;
       async function analyticsGate() {
         const a = await config.requireAuth(req);
         if (a) return a;
-        if (perm) return perm(req, "analytics", "read");
-        return null;
+        return requireEntityPermissionEffective(req, "analytics", "read");
       }
       if (path[0] === "admin" && path[1] === "roles") {
         if (!adminRoles) return config.json({ error: "Not found" }, { status: 404 });
@@ -2631,6 +3250,11 @@ function createCmsApiHandler(config) {
       if (path[0] === "dashboard" && path[1] === "stats" && path.length === 2 && method === "GET" && dashboardGet) {
         return dashboardGet(req);
       }
+      if (path[0] === "dashboard" && path[1] === "ecommerce" && path.length === 2 && method === "GET" && ecommerceAnalyticsGet) {
+        const g = await analyticsGate();
+        if (g) return g;
+        return ecommerceAnalyticsGet(req);
+      }
       if (path[0] === "analytics" && analyticsHandlers) {
         if (path.length === 1 && method === "GET") {
           const g = await analyticsGate();
@@ -2649,6 +3273,9 @@ function createCmsApiHandler(config) {
         }
       }
       if (path[0] === "upload" && path.length === 1 && method === "POST" && uploadPost) return uploadPost(req);
+      if (path[0] === "media" && path[1] === "extract" && path.length === 3 && method === "POST" && zipExtractPost) {
+        return zipExtractPost(req, path[2]);
+      }
       if (path[0] === "blogs" && path[1] === "slug" && path.length === 3 && method === "GET" && blogBySlugGet) {
         return blogBySlugGet(req, path[2]);
       }
@@ -2693,19 +3320,17 @@ function createCmsApiHandler(config) {
         const group = path[1];
         const isPublic = settingsConfig?.publicGetGroups?.includes(group);
         if (method === "GET") {
-          if (!isPublic && perm) {
+          if (!isPublic) {
             const a = await config.requireAuth(req);
             if (a) return a;
-            const pe = await perm(req, "settings", "read");
+            const pe = await requireEntityPermissionEffective(req, "settings", "read");
             if (pe) return pe;
           }
           return settingsHandlers.GET(req, group);
         }
         if (method === "PUT") {
-          if (perm) {
-            const pe = await perm(req, "settings", "update");
-            if (pe) return pe;
-          }
+          const pe = await requireEntityPermissionEffective(req, "settings", "update");
+          if (pe) return pe;
           return settingsHandlers.PUT(req, group);
         }
       }
@@ -2721,10 +3346,8 @@ function createCmsApiHandler(config) {
       if (path[0] === "orders" && path.length === 3 && path[2] === "invoice" && method === "GET" && getCms) {
         const a = await config.requireAuth(req);
         if (a) return a;
-        if (perm) {
-          const pe = await perm(req, "orders", "read");
-          if (pe) return pe;
-        }
+        const pe = await requireEntityPermissionEffective(req, "orders", "read");
+        if (pe) return pe;
         const cms = await getCms();
         const { streamOrderInvoicePdf: streamOrderInvoicePdf2 } = await Promise.resolve().then(() => (init_erp_order_invoice(), erp_order_invoice_exports));
         const oid = Number(path[1]);
@@ -2734,10 +3357,8 @@ function createCmsApiHandler(config) {
       if (path[0] === "orders" && path.length === 3 && path[2] === "repost-erp" && getCms) {
         const a = await config.requireAuth(req);
         if (a) return a;
-        if (perm) {
-          const pe = await perm(req, "orders", method === "GET" ? "read" : "update");
-          if (pe) return pe;
-        }
+        const pe = await requireEntityPermissionEffective(req, "orders", method === "GET" ? "read" : "update");
+        if (pe) return pe;
         const oid = Number(path[1]);
         if (!Number.isFinite(oid)) return config.json({ error: "Invalid id" }, { status: 400 });
         const cms = await getCms();
@@ -2786,7 +3407,7 @@ function createCmsApiHandler(config) {
 }
 
 // src/api/storefront-handlers.ts
-var import_typeorm5 = require("typeorm");
+var import_typeorm6 = require("typeorm");
 
 // src/lib/is-valid-signup-email.ts
 var MAX_EMAIL = 254;
@@ -3046,7 +3667,7 @@ async function queueSms(cms, payload) {
 
 // src/lib/otp-challenge.ts
 var import_crypto = require("crypto");
-var import_typeorm4 = require("typeorm");
+var import_typeorm5 = require("typeorm");
 var OTP_TTL_MS = 10 * 60 * 1e3;
 var MAX_SENDS_PER_HOUR = 5;
 var MAX_VERIFY_ATTEMPTS = 8;
@@ -3080,7 +3701,7 @@ function normalizePhoneE164(raw, defaultCountryCode) {
 async function countRecentOtpSends(dataSource, entityMap, purpose, identifier, since) {
   const repo = dataSource.getRepository(entityMap.otp_challenges);
   return repo.count({
-    where: { purpose, identifier, createdAt: (0, import_typeorm4.MoreThan)(since) }
+    where: { purpose, identifier, createdAt: (0, import_typeorm5.MoreThan)(since) }
   });
 }
 async function createOtpChallenge(dataSource, entityMap, input) {
@@ -3094,7 +3715,7 @@ async function createOtpChallenge(dataSource, entityMap, input) {
   await repo.delete({
     purpose,
     identifier,
-    consumedAt: (0, import_typeorm4.IsNull)()
+    consumedAt: (0, import_typeorm5.IsNull)()
   });
   const expiresAt = new Date(Date.now() + OTP_TTL_MS);
   const codeHash = hashOtpCode(code, purpose, identifier, pepper);
@@ -3115,7 +3736,7 @@ async function verifyAndConsumeOtpChallenge(dataSource, entityMap, input) {
   const { purpose, identifier, code, pepper } = input;
   const repo = dataSource.getRepository(entityMap.otp_challenges);
   const row = await repo.findOne({
-    where: { purpose, identifier, consumedAt: (0, import_typeorm4.IsNull)() },
+    where: { purpose, identifier, consumedAt: (0, import_typeorm5.IsNull)() },
     order: { id: "DESC" }
   });
   if (!row) {
@@ -3349,7 +3970,7 @@ function createStorefrontApiHandler(config) {
     const u = await userRepo().findOne({ where: { id: userId } });
     if (!u) return null;
     const unclaimed = await contactRepo().findOne({
-      where: { email: u.email, userId: (0, import_typeorm5.IsNull)(), deleted: false }
+      where: { email: u.email, userId: (0, import_typeorm6.IsNull)(), deleted: false }
     });
     if (unclaimed) {
       await contactRepo().update(unclaimed.id, { userId });
@@ -4390,7 +5011,7 @@ function createStorefrontApiHandler(config) {
           const previewByOrder = {};
           if (orderIds.length) {
             const oItems = await orderItemRepo().find({
-              where: { orderId: (0, import_typeorm5.In)(orderIds) },
+              where: { orderId: (0, import_typeorm6.In)(orderIds) },
               relations: ["product"],
               order: { id: "ASC" }
             });
@@ -4523,9 +5144,11 @@ function createStorefrontApiHandler(config) {
   createCrudByIdHandler,
   createCrudHandler,
   createDashboardStatsHandler,
+  createEcommerceAnalyticsHandler,
   createForgotPasswordHandler,
   createFormBySlugHandler,
   createInviteAcceptHandler,
+  createMediaZipExtractHandler,
   createSetPasswordHandler,
   createSettingsApiHandlers,
   createStorefrontApiHandler,