npm - @infuro/cms-core - Versions diffs - 1.0.16 → 1.0.19 - Mend

@infuro/cms-core 1.0.16 → 1.0.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/README.md +739 -724
package/dist/admin.cjs +1 -1
package/dist/admin.cjs.map +1 -1
package/dist/admin.js +1 -1
package/dist/admin.js.map +1 -1
package/dist/api.cjs +132 -57
package/dist/api.cjs.map +1 -1
package/dist/api.d.cts +1 -1
package/dist/api.d.ts +1 -1
package/dist/api.js +132 -57
package/dist/api.js.map +1 -1
package/dist/auth.cjs.map +1 -1
package/dist/auth.js.map +1 -1
package/dist/cli.cjs +21 -6
package/dist/cli.cjs.map +1 -1
package/dist/cli.js +21 -6
package/dist/cli.js.map +1 -1
package/dist/hooks.cjs.map +1 -1
package/dist/hooks.js.map +1 -1
package/dist/{index-h42MoUNq.d.cts → index-D2C1O9b4.d.cts} +8 -1
package/dist/{index-C85X7cc7.d.ts → index-GMn7-9PX.d.ts} +8 -1
package/dist/index.cjs +139 -57
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +3 -2
package/dist/index.d.ts +3 -2
package/dist/index.js +139 -57
package/dist/index.js.map +1 -1
package/dist/migrations/1772178563554-InitialSchema.ts +304 -304
package/dist/migrations/1772178563555-ChatAndKnowledgeBase.ts +55 -55
package/dist/migrations/1772178563556-KnowledgeBaseVector.ts +16 -16
package/dist/migrations/1774300000000-RbacSeedGroupsAndPermissionUnique.ts +24 -24
package/dist/migrations/1774300000001-SeedAdministratorUsersPermission.ts +35 -35
package/dist/migrations/1774400000000-CustomerAdminAccessContactUser.ts +37 -37
package/dist/migrations/1774400000001-StorefrontCartWishlist.ts +100 -100
package/dist/migrations/1774400000002-WishlistGuestId.ts +29 -29
package/dist/migrations/1774500000000-ProductCollectionHsn.ts +15 -15
package/dist/migrations/1774600000000-OrderKindParentOrderNumber.ts +36 -36
package/dist/migrations/1774700000000-CollectionVariants.ts +13 -0
package/dist/migrations/1774800000000-OtpChallengesUserPhone.ts +41 -41
package/dist/migrations/1774900000000-MessageTemplates.ts +39 -39
package/dist/migrations/1775000000000-ProductUomTypeOrderItemSnapshots.ts +29 -29
package/dist/migrations/1775200000000-MediaDriveFolders.ts +38 -38
package/dist/migrations/README.md +3 -3
package/dist/theme.cjs.map +1 -1
package/dist/theme.js.map +1 -1
package/package.json +13 -6
package/src/admin/admin.css +72 -72

package/dist/index.d.cts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { C as CompanyDetails, T as TemplateContext, E as EmailTemplateResult, a as EmailTemplateName, O as OrderPlacedLineItem, S as StorageService, b as EntityMap$2 } from './index-h42MoUNq.cjs';
-export { A as AnalyticsHandlerConfig, c as AuthHandlersConfig, B as BlogBySlugConfig, d as ChangePasswordConfig, e as CmsApiHandlerConfig, f as CmsGetter, g as CrudHandlerOptions, D as DashboardStatsConfig, h as EcommerceAnalyticsConfig, F as ForgotPasswordConfig, i as FormBySlugConfig, G as GetPublicSettingsGroupConfig, j as GetPublicSettingsGroupDataSource, I as InviteAcceptConfig, k as SetPasswordConfig, l as SettingsApiConfig, m as SocialLinkItem, n as StorefrontApiConfig, o as StorefrontOtpFlags, U as UploadHandlerConfig, p as UserAuthApiConfig, q as UserAvatarConfig, r as UserProfileConfig, s as UsersApiConfig, t as createAnalyticsHandlers, u as createBlogBySlugHandler, v as createChangePasswordHandler, w as createCmsApiHandler, x as createCrudByIdHandler, y as createCrudHandler, z as createDashboardStatsHandler, H as createEcommerceAnalyticsHandler, J as createForgotPasswordHandler, K as createFormBySlugHandler, L as createInviteAcceptHandler, M as createMediaZipExtractHandler, N as createSetPasswordHandler, P as createSettingsApiHandlers, Q as createStorefrontApiHandler, R as createUploadHandler, V as createUserAuthApiRouter, W as createUserAvatarHandler, X as createUserProfileHandler, Y as createUsersApiHandlers, Z as getCompanyDetailsFromSettings, _ as getPublicSettingsGroup, $ as mergeEmailLayoutCompanyDetails } from './index-h42MoUNq.cjs';
+import { C as CompanyDetails, T as TemplateContext, E as EmailTemplateResult, a as EmailTemplateName, O as OrderPlacedLineItem, S as StorageService, b as EntityMap$2 } from './index-D2C1O9b4.cjs';
+export { A as AnalyticsHandlerConfig, c as AuthHandlersConfig, B as BlogBySlugConfig, d as ChangePasswordConfig, e as CmsApiHandlerConfig, f as CmsGetter, g as CrudHandlerOptions, D as DashboardStatsConfig, h as EcommerceAnalyticsConfig, F as ForgotPasswordConfig, i as FormBySlugConfig, G as GetPublicSettingsGroupConfig, j as GetPublicSettingsGroupDataSource, I as InviteAcceptConfig, k as SetPasswordConfig, l as SettingsApiConfig, m as SocialLinkItem, n as StorefrontApiConfig, o as StorefrontOtpFlags, U as UploadHandlerConfig, p as UserAuthApiConfig, q as UserAvatarConfig, r as UserProfileConfig, s as UsersApiConfig, t as createAnalyticsHandlers, u as createBlogBySlugHandler, v as createChangePasswordHandler, w as createCmsApiHandler, x as createCrudByIdHandler, y as createCrudHandler, z as createDashboardStatsHandler, H as createEcommerceAnalyticsHandler, J as createForgotPasswordHandler, K as createFormBySlugHandler, L as createInviteAcceptHandler, M as createMediaZipExtractHandler, N as createSetPasswordHandler, P as createSettingsApiHandlers, Q as createStorefrontApiHandler, R as createUploadHandler, V as createUserAuthApiRouter, W as createUserAvatarHandler, X as createUserProfileHandler, Y as createUsersApiHandlers, Z as getCompanyDetailsFromSettings, _ as getPublicSettingsGroup, $ as mergeEmailLayoutCompanyDetails } from './index-D2C1O9b4.cjs';
 import { ClassValue } from 'clsx';
 import * as typeorm from 'typeorm';
 import { DataSource, EntityTarget, ObjectLiteral } from 'typeorm';
@@ -1048,6 +1048,7 @@ declare class Collection {
     description: string | null;
     image: string | null;
     metadata: Record<string, unknown> | null;
+    variants: Array<Record<string, unknown>> | null;
     active: boolean;
     sortOrder: number;
     createdAt: Date;

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { C as CompanyDetails, T as TemplateContext, E as EmailTemplateResult, a as EmailTemplateName, O as OrderPlacedLineItem, S as StorageService, b as EntityMap$2 } from './index-C85X7cc7.js';
-export { A as AnalyticsHandlerConfig, c as AuthHandlersConfig, B as BlogBySlugConfig, d as ChangePasswordConfig, e as CmsApiHandlerConfig, f as CmsGetter, g as CrudHandlerOptions, D as DashboardStatsConfig, h as EcommerceAnalyticsConfig, F as ForgotPasswordConfig, i as FormBySlugConfig, G as GetPublicSettingsGroupConfig, j as GetPublicSettingsGroupDataSource, I as InviteAcceptConfig, k as SetPasswordConfig, l as SettingsApiConfig, m as SocialLinkItem, n as StorefrontApiConfig, o as StorefrontOtpFlags, U as UploadHandlerConfig, p as UserAuthApiConfig, q as UserAvatarConfig, r as UserProfileConfig, s as UsersApiConfig, t as createAnalyticsHandlers, u as createBlogBySlugHandler, v as createChangePasswordHandler, w as createCmsApiHandler, x as createCrudByIdHandler, y as createCrudHandler, z as createDashboardStatsHandler, H as createEcommerceAnalyticsHandler, J as createForgotPasswordHandler, K as createFormBySlugHandler, L as createInviteAcceptHandler, M as createMediaZipExtractHandler, N as createSetPasswordHandler, P as createSettingsApiHandlers, Q as createStorefrontApiHandler, R as createUploadHandler, V as createUserAuthApiRouter, W as createUserAvatarHandler, X as createUserProfileHandler, Y as createUsersApiHandlers, Z as getCompanyDetailsFromSettings, _ as getPublicSettingsGroup, $ as mergeEmailLayoutCompanyDetails } from './index-C85X7cc7.js';
+import { C as CompanyDetails, T as TemplateContext, E as EmailTemplateResult, a as EmailTemplateName, O as OrderPlacedLineItem, S as StorageService, b as EntityMap$2 } from './index-GMn7-9PX.js';
+export { A as AnalyticsHandlerConfig, c as AuthHandlersConfig, B as BlogBySlugConfig, d as ChangePasswordConfig, e as CmsApiHandlerConfig, f as CmsGetter, g as CrudHandlerOptions, D as DashboardStatsConfig, h as EcommerceAnalyticsConfig, F as ForgotPasswordConfig, i as FormBySlugConfig, G as GetPublicSettingsGroupConfig, j as GetPublicSettingsGroupDataSource, I as InviteAcceptConfig, k as SetPasswordConfig, l as SettingsApiConfig, m as SocialLinkItem, n as StorefrontApiConfig, o as StorefrontOtpFlags, U as UploadHandlerConfig, p as UserAuthApiConfig, q as UserAvatarConfig, r as UserProfileConfig, s as UsersApiConfig, t as createAnalyticsHandlers, u as createBlogBySlugHandler, v as createChangePasswordHandler, w as createCmsApiHandler, x as createCrudByIdHandler, y as createCrudHandler, z as createDashboardStatsHandler, H as createEcommerceAnalyticsHandler, J as createForgotPasswordHandler, K as createFormBySlugHandler, L as createInviteAcceptHandler, M as createMediaZipExtractHandler, N as createSetPasswordHandler, P as createSettingsApiHandlers, Q as createStorefrontApiHandler, R as createUploadHandler, V as createUserAuthApiRouter, W as createUserAvatarHandler, X as createUserProfileHandler, Y as createUsersApiHandlers, Z as getCompanyDetailsFromSettings, _ as getPublicSettingsGroup, $ as mergeEmailLayoutCompanyDetails } from './index-GMn7-9PX.js';
 import { ClassValue } from 'clsx';
 import * as typeorm from 'typeorm';
 import { DataSource, EntityTarget, ObjectLiteral } from 'typeorm';
@@ -1048,6 +1048,7 @@ declare class Collection {
     description: string | null;
     image: string | null;
     metadata: Record<string, unknown> | null;
+    variants: Array<Record<string, unknown>> | null;
     active: boolean;
     sortOrder: number;
     createdAt: Date;

package/dist/index.js CHANGED Viewed

@@ -4371,7 +4371,7 @@ function createFormSubmissionHandler(config) {
   };
 }
 function createUsersApiHandlers(config) {
-  const { dataSource, entityMap, json, requireAuth, requireEntityPermission, baseUrl, getCms, getCompanyDetails } = config;
+  const { dataSource, entityMap, json, requireAuth, requireEntityPermission, baseUrl, getCms, getCompanyDetails, getSessionUser } = config;
   async function trySendInviteEmail(toEmail, inviteLink, inviteeName) {
     if (!getCms) return;
     try {
@@ -4407,7 +4407,10 @@ function createUsersApiHandlers(config) {
         const sortField = url.searchParams.get("sortField") || "createdAt";
         const sortOrder = url.searchParams.get("sortOrder") === "desc" ? "DESC" : "ASC";
         const search = url.searchParams.get("search");
-        const where = search ? [{ name: ILike(`%${search}%`) }, { email: ILike(`%${search}%`) }] : {};
+        const where = search ? [
+          { name: ILike(`%${search}%`), deleted: false },
+          { email: ILike(`%${search}%`), deleted: false }
+        ] : { deleted: false };
         const [data, total] = await userRepo().findAndCount({
           skip,
           take: limit,
@@ -4472,7 +4475,7 @@ function createUsersApiHandlers(config) {
       }
       try {
         const user = await userRepo().findOne({
-          where: { id: parseInt(id, 10) },
+          where: { id: parseInt(id, 10), deleted: false },
           relations: ["group"],
           select: ["id", "name", "email", "blocked", "createdAt", "updatedAt", "groupId"]
         });
@@ -4490,11 +4493,14 @@ function createUsersApiHandlers(config) {
         if (pe) return pe;
       }
       try {
+        const uid = parseInt(id, 10);
+        const existing = await userRepo().findOne({ where: { id: uid, deleted: false } });
+        if (!existing) return json({ error: "Not found" }, { status: 404 });
         const body = await req.json();
         const { password: _p, ...safe } = body;
-        await userRepo().update(parseInt(id, 10), safe);
+        await userRepo().update(uid, safe);
         const updated = await userRepo().findOne({
-          where: { id: parseInt(id, 10) },
+          where: { id: uid, deleted: false },
           relations: ["group"],
           select: ["id", "name", "email", "blocked", "createdAt", "updatedAt", "groupId"]
         });
@@ -4511,8 +4517,23 @@ function createUsersApiHandlers(config) {
         if (pe) return pe;
       }
       try {
-        const r = await userRepo().delete(parseInt(id, 10));
-        if (r.affected === 0) return json({ error: "User not found" }, { status: 404 });
+        const uid = parseInt(id, 10);
+        const existing = await userRepo().findOne({ where: { id: uid, deleted: false } });
+        if (!existing) return json({ error: "User not found" }, { status: 404 });
+        let deletedBy = null;
+        if (getSessionUser) {
+          try {
+            const u = await getSessionUser();
+            if (u?.id) {
+              const n = Number(u.id);
+              if (Number.isFinite(n)) deletedBy = n;
+            }
+          } catch {
+          }
+        }
+        const payload = { deleted: true, deletedAt: /* @__PURE__ */ new Date() };
+        if (deletedBy != null) payload.deletedBy = deletedBy;
+        await userRepo().update(uid, payload);
         return json({ message: "User deleted successfully" });
       } catch {
         return json({ error: "Server Error" }, { status: 500 });
@@ -4526,7 +4547,10 @@ function createUsersApiHandlers(config) {
         if (pe) return pe;
       }
       try {
-        const user = await userRepo().findOne({ where: { id: parseInt(id, 10) }, select: ["email", "name"] });
+        const user = await userRepo().findOne({
+          where: { id: parseInt(id, 10), deleted: false },
+          select: ["email", "name"]
+        });
         if (!user) return json({ error: "User not found" }, { status: 404 });
         const emailToken = Buffer.from(user.email).toString("base64");
         const inviteLink = `${baseUrl}/admin/invite?token=${emailToken}`;
@@ -6581,6 +6605,7 @@ var Collection = class {
   description;
   image;
   metadata;
+  variants;
   active;
   sortOrder;
   createdAt;
@@ -6623,6 +6648,9 @@ __decorateClass([
 __decorateClass([
   Column26("jsonb", { nullable: true })
 ], Collection.prototype, "metadata", 2);
+__decorateClass([
+  Column26("jsonb", { nullable: true })
+], Collection.prototype, "variants", 2);
 __decorateClass([
   Column26("boolean", { default: true })
 ], Collection.prototype, "active", 2);
@@ -7781,6 +7809,28 @@ function buildSearchWhereClause(repo, search) {
   if (ors.length === 0) return {};
   return ors.length === 1 ? ors[0] : ors;
 }
+function entityHasSoftDelete(repo) {
+  return repo.metadata.columns.some((c) => c.propertyName === "deleted");
+}
+function mergeDeletedFalseWhere(repo, where) {
+  if (!entityHasSoftDelete(repo)) return where;
+  const d = { deleted: false };
+  if (Array.isArray(where)) {
+    if (where.length === 0) return [d];
+    return where.map((w) => ({ ...w, ...d }));
+  }
+  return Object.keys(where).length > 0 ? { ...where, ...d } : d;
+}
+function buildSoftDeletePayload(meta, deletedBy) {
+  const payload = { deleted: true };
+  if (meta.columns.some((c) => c.propertyName === "deletedAt")) {
+    payload.deletedAt = /* @__PURE__ */ new Date();
+  }
+  if (deletedBy != null && meta.columns.some((c) => c.propertyName === "deletedBy")) {
+    payload.deletedBy = deletedBy;
+  }
+  return payload;
+}
 function makeContactErpSync(dataSource, entityMap, getCms) {
   return async function syncContactRowToErp(row) {
     if (!getCms) return;
@@ -7805,10 +7855,11 @@ function createCrudHandler(dataSource, entityMap, options) {
   async function authz(req, resource, action) {
     const authError = await requireAuth(req);
     if (authError) return authError;
-    if (reqPerm) {
-      const pe = await reqPerm(req, resource, action);
-      if (pe) return pe;
+    if (!reqPerm) {
+      return json({ error: "Forbidden", reason: "entity_rbac_required", entity: resource, action }, { status: 403 });
     }
+    const pe = await reqPerm(req, resource, action);
+    if (pe) return pe;
     return null;
   }
   return {
@@ -7844,7 +7895,7 @@ function createCrudHandler(dataSource, entityMap, options) {
             return json({ total: 0, page, limit, totalPages: 0, data: [] });
           }
         }
-        const qb = repo2.createQueryBuilder("order").leftJoinAndSelect("order.contact", "contact").leftJoinAndSelect("order.items", "items").leftJoinAndSelect("items.product", "product").leftJoinAndSelect("product.collection", "collection").orderBy(`order.${sortField2}`, sortOrderOrders).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("order").leftJoinAndSelect("order.contact", "contact").leftJoinAndSelect("order.items", "items").leftJoinAndSelect("items.product", "product").leftJoinAndSelect("product.collection", "collection").andWhere("order.deleted = :orderDel", { orderDel: false }).orderBy(`order.${sortField2}`, sortOrderOrders).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere(
@@ -7882,7 +7933,7 @@ function createCrudHandler(dataSource, entityMap, options) {
         const dateTo = searchParams.get("dateTo")?.trim();
         const methodFilter = searchParams.get("method")?.trim();
         const orderNumberParam = searchParams.get("orderNumber")?.trim();
-        const qb = repo2.createQueryBuilder("payment").leftJoinAndSelect("payment.order", "ord").leftJoinAndSelect("ord.contact", "orderContact").leftJoinAndSelect("payment.contact", "contact").orderBy(`payment.${sortField2}`, sortOrderPayments).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("payment").leftJoinAndSelect("payment.order", "ord").leftJoinAndSelect("ord.contact", "orderContact").leftJoinAndSelect("payment.contact", "contact").andWhere("payment.deleted = :payDel", { payDel: false }).orderBy(`payment.${sortField2}`, sortOrderPayments).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere(
@@ -7913,7 +7964,7 @@ function createCrudHandler(dataSource, entityMap, options) {
         const repo2 = dataSource.getRepository(entity);
         const statusFilter = searchParams.get("status")?.trim();
         const inventory = searchParams.get("inventory")?.trim();
-        const productWhere = {};
+        const productWhere = { deleted: false };
         if (statusFilter) productWhere.status = statusFilter;
         if (inventory === "in_stock") productWhere.quantity = MoreThan2(0);
         if (inventory === "out_of_stock") productWhere.quantity = 0;
@@ -7936,7 +7987,7 @@ function createCrudHandler(dataSource, entityMap, options) {
         const typeFilter2 = searchParams.get("type")?.trim();
         const orderIdParam = searchParams.get("orderId")?.trim();
         const includeSummary = searchParams.get("includeSummary") === "1";
-        const qb = repo2.createQueryBuilder("contact").orderBy(`contact.${sortField2}`, sortOrderContacts).skip(skip).take(limit);
+        const qb = repo2.createQueryBuilder("contact").andWhere("contact.deleted = :contactDel", { contactDel: false }).orderBy(`contact.${sortField2}`, sortOrderContacts).skip(skip).take(limit);
         if (search && typeof search === "string" && search.trim()) {
           const term = `%${search.trim()}%`;
           qb.andWhere("(contact.name ILIKE :term OR contact.email ILIKE :term OR contact.phone ILIKE :term)", { term });
@@ -7977,9 +8028,9 @@ function createCrudHandler(dataSource, entityMap, options) {
         if (parentIdParam != null && parentIdParam !== "") {
           const n = Number(parentIdParam);
           if (!Number.isFinite(n)) return json({ error: "Invalid parentId" }, { status: 400 });
-          qb.where("m.parentId = :pid", { pid: n });
+          qb.where("m.deleted = :mediaDel AND m.parentId = :pid", { mediaDel: false, pid: n });
         } else {
-          qb.where("m.parentId IS NULL");
+          qb.where("m.deleted = :mediaDel AND m.parentId IS NULL", { mediaDel: false });
         }
         if (search && typeof search === "string" && search.trim()) {
           qb.andWhere("m.filename ILIKE :search", { search: `%${search.trim()}%` });
@@ -8023,6 +8074,7 @@ function createCrudHandler(dataSource, entityMap, options) {
           where = extraWhere;
         }
       }
+      where = mergeDeletedFalseWhere(repo, where);
       const [data, total] = await repo.findAndCount({
         skip,
         take: limit,
@@ -8190,15 +8242,16 @@ function createCrudHandler(dataSource, entityMap, options) {
   };
 }
 function createCrudByIdHandler(dataSource, entityMap, options) {
-  const { requireAuth, json, requireEntityPermission: reqPerm, getCms } = options;
+  const { requireAuth, json, requireEntityPermission: reqPerm, getCms, getDeletedByUserId } = options;
   const syncContactRowToErp = makeContactErpSync(dataSource, entityMap, getCms);
   async function authz(req, resource, action) {
     const authError = await requireAuth(req);
     if (authError) return authError;
-    if (reqPerm) {
-      const pe = await reqPerm(req, resource, action);
-      if (pe) return pe;
+    if (!reqPerm) {
+      return json({ error: "Forbidden", reason: "entity_rbac_required", entity: resource, action }, { status: 403 });
     }
+    const pe = await reqPerm(req, resource, action);
+    if (pe) return pe;
     return null;
   }
   return {
@@ -8210,7 +8263,7 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       const repo = dataSource.getRepository(entity);
       if (resource === "orders") {
         const order = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["contact", "billingAddress", "shippingAddress", "items", "items.product", "items.product.collection", "payments"]
         });
         if (!order) return json({ message: "Not found" }, { status: 404 });
@@ -8222,7 +8275,7 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       }
       if (resource === "contacts") {
         const contact = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["form_submissions", "form_submissions.form", "orders", "payments", "addresses"]
         });
         if (!contact) return json({ message: "Not found" }, { status: 404 });
@@ -8244,7 +8297,7 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       }
       if (resource === "payments") {
         const payment = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["order", "order.contact", "contact"]
         });
         if (!payment) return json({ message: "Not found" }, { status: 404 });
@@ -8252,12 +8305,13 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       }
       if (resource === "blogs") {
         const blog = await repo.findOne({
-          where: { id: Number(id) },
+          where: { id: Number(id), deleted: false },
           relations: ["category", "seo", "tags"]
         });
         return blog ? json(blog) : json({ message: "Not found" }, { status: 404 });
       }
-      const item = await repo.findOne({ where: { id: Number(id) } });
+      const idWhere = entityHasSoftDelete(repo) ? { id: Number(id), deleted: false } : { id: Number(id) };
+      const item = await repo.findOne({ where: idWhere });
       return item ? json(item) : json({ message: "Not found" }, { status: 404 });
     },
     async PUT(req, resource, id) {
@@ -8269,7 +8323,9 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       const repo = dataSource.getRepository(entity);
       const numericId = Number(id);
       if (resource === "blogs" && rawBody && typeof rawBody === "object" && entityMap.categories && entityMap.seos && entityMap.tags) {
-        const existing = await repo.findOne({ where: { id: numericId } });
+        const existing = await repo.findOne({
+          where: { id: numericId, deleted: false }
+        });
         if (!existing) return json({ message: "Not found" }, { status: 404 });
         const updatePayload2 = pickColumnUpdates(repo, rawBody);
         if ("category" in rawBody) {
@@ -8345,6 +8401,12 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
         });
         return updated2 ? json(updated2) : json({ message: "Not found" }, { status: 404 });
       }
+      if (entityHasSoftDelete(repo)) {
+        const cur = await repo.findOne({
+          where: { id: numericId, deleted: false }
+        });
+        if (!cur) return json({ message: "Not found" }, { status: 404 });
+      }
       const updatePayload = rawBody && typeof rawBody === "object" ? pickColumnUpdates(repo, rawBody) : {};
       if (resource === "media") {
         const u = updatePayload;
@@ -8371,7 +8433,24 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
       const entity = entityMap[resource];
       if (!entity) return json({ error: "Invalid resource" }, { status: 400 });
       const repo = dataSource.getRepository(entity);
-      const result = await repo.delete(Number(id));
+      const numericId = Number(id);
+      if (entityHasSoftDelete(repo)) {
+        const existing = await repo.findOne({
+          where: { id: numericId, deleted: false }
+        });
+        if (!existing) return json({ message: "Not found" }, { status: 404 });
+        let deletedBy = null;
+        if (getDeletedByUserId) {
+          try {
+            deletedBy = await getDeletedByUserId(req);
+          } catch {
+            deletedBy = null;
+          }
+        }
+        await repo.update(numericId, buildSoftDeletePayload(repo.metadata, deletedBy));
+        return json({ message: "Deleted successfully" }, { status: 200 });
+      }
+      const result = await repo.delete(numericId);
       if (result.affected === 0) return json({ message: "Not found" }, { status: 404 });
       return json({ message: "Deleted successfully" }, { status: 200 });
     }
@@ -8799,9 +8878,10 @@ function createCmsApiHandler(config) {
     userProfile,
     settings: settingsConfig,
     chat: chatConfig,
-    requireEntityPermission: reqEntityPerm,
+    requireEntityPermission: userRequireEntityPermission,
     getSessionUser
   } = config;
+  const requireEntityPermissionEffective = userRequireEntityPermission ?? (async (_req, entity, action) => config.json({ error: "Forbidden", reason: "entity_rbac_required", entity, action }, { status: 403 }));
   const analytics = analyticsConfig ?? (getCms ? {
     json: config.json,
     requireAuth: async () => null,
@@ -8839,12 +8919,20 @@ function createCmsApiHandler(config) {
   const crudOpts = {
     requireAuth: config.requireAuth,
     json: config.json,
-    requireEntityPermission: reqEntityPerm,
-    getCms
+    requireEntityPermission: requireEntityPermissionEffective,
+    getCms,
+    ...getSessionUser ? {
+      getDeletedByUserId: async () => {
+        const u = await getSessionUser();
+        if (!u?.id) return null;
+        const n = Number(u.id);
+        return Number.isFinite(n) ? n : null;
+      }
+    } : {}
   };
   const crud = createCrudHandler(dataSource, entityMap, crudOpts);
   const crudById = createCrudByIdHandler(dataSource, entityMap, crudOpts);
-  const mergePerm = (c) => !c ? void 0 : reqEntityPerm ? { ...c, requireEntityPermission: reqEntityPerm } : c;
+  const mergePerm = (c) => !c ? void 0 : { ...c, requireEntityPermission: requireEntityPermissionEffective };
   const adminRoles = getSessionUser && createAdminRolesHandlers({
     dataSource,
     entityMap,
@@ -8860,12 +8948,7 @@ function createCmsApiHandler(config) {
       json: config.json,
       requireAuth: config.requireAuth
     }
-  ) ?? {
-    dataSource,
-    entityMap,
-    json: config.json,
-    requireAuth: config.requireAuth
-  };
+  );
   const ecommerceAnalyticsGet = createEcommerceAnalyticsHandler(ecommerceAnalyticsResolved);
   const analyticsHandlers = analytics ? createAnalyticsHandlers(analytics) : null;
   const uploadMerged = upload ? {
@@ -8884,7 +8967,11 @@ function createCmsApiHandler(config) {
   const usersApiMerged = usersApi && getCms ? {
     ...usersApi,
     getCms: usersApi.getCms ?? getCms,
-    getCompanyDetails: usersApi.getCompanyDetails ?? config.getCompanyDetails
+    getCompanyDetails: usersApi.getCompanyDetails ?? config.getCompanyDetails,
+    ...getSessionUser ? { getSessionUser: usersApi.getSessionUser ?? getSessionUser } : {}
+  } : usersApi ? {
+    ...usersApi,
+    ...getSessionUser ? { getSessionUser: usersApi.getSessionUser ?? getSessionUser } : {}
   } : usersApi;
   const usersHandlers = usersApiMerged ? createUsersApiHandlers(mergePerm(usersApiMerged) ?? usersApiMerged) : null;
   const avatarPost = userAvatar ? createUserAvatarHandler(userAvatar) : null;
@@ -8895,7 +8982,7 @@ function createCmsApiHandler(config) {
     entityMap,
     json: config.json,
     requireAuth: config.requireAuth,
-    requireEntityPermission: reqEntityPerm
+    requireEntityPermission: requireEntityPermissionEffective
   });
   const chatHandlers = chatConfig ? createChatHandlers(chatConfig) : null;
   function resolveResource(segment) {
@@ -8904,12 +8991,10 @@ function createCmsApiHandler(config) {
   }
   return {
     async handle(method, path, req) {
-      const perm = reqEntityPerm;
       async function analyticsGate() {
         const a = await config.requireAuth(req);
         if (a) return a;
-        if (perm) return perm(req, "analytics", "read");
-        return null;
+        return requireEntityPermissionEffective(req, "analytics", "read");
       }
       if (path[0] === "admin" && path[1] === "roles") {
         if (!adminRoles) return config.json({ error: "Not found" }, { status: 404 });
@@ -8993,19 +9078,17 @@ function createCmsApiHandler(config) {
         const group = path[1];
         const isPublic = settingsConfig?.publicGetGroups?.includes(group);
         if (method === "GET") {
-          if (!isPublic && perm) {
+          if (!isPublic) {
             const a = await config.requireAuth(req);
             if (a) return a;
-            const pe = await perm(req, "settings", "read");
+            const pe = await requireEntityPermissionEffective(req, "settings", "read");
             if (pe) return pe;
           }
           return settingsHandlers.GET(req, group);
         }
         if (method === "PUT") {
-          if (perm) {
-            const pe = await perm(req, "settings", "update");
-            if (pe) return pe;
-          }
+          const pe = await requireEntityPermissionEffective(req, "settings", "update");
+          if (pe) return pe;
           return settingsHandlers.PUT(req, group);
         }
       }
@@ -9021,10 +9104,8 @@ function createCmsApiHandler(config) {
       if (path[0] === "orders" && path.length === 3 && path[2] === "invoice" && method === "GET" && getCms) {
         const a = await config.requireAuth(req);
         if (a) return a;
-        if (perm) {
-          const pe = await perm(req, "orders", "read");
-          if (pe) return pe;
-        }
+        const pe = await requireEntityPermissionEffective(req, "orders", "read");
+        if (pe) return pe;
         const cms = await getCms();
         const { streamOrderInvoicePdf: streamOrderInvoicePdf2 } = await Promise.resolve().then(() => (init_erp_order_invoice(), erp_order_invoice_exports));
         const oid = Number(path[1]);
@@ -9034,10 +9115,8 @@ function createCmsApiHandler(config) {
       if (path[0] === "orders" && path.length === 3 && path[2] === "repost-erp" && getCms) {
         const a = await config.requireAuth(req);
         if (a) return a;
-        if (perm) {
-          const pe = await perm(req, "orders", method === "GET" ? "read" : "update");
-          if (pe) return pe;
-        }
+        const pe = await requireEntityPermissionEffective(req, "orders", method === "GET" ? "read" : "update");
+        if (pe) return pe;
         const oid = Number(path[1]);
         if (!Number.isFinite(oid)) return config.json({ error: "Invalid id" }, { status: 400 });
         const cms = await getCms();
@@ -10494,6 +10573,9 @@ var DEFAULT_ADMIN_NAV = [
   { href: "/admin/submissions", label: "Submissions" },
   { href: "/admin/pages", label: "Pages" }
 ];
+// src/index.ts
+console.log("\u{1F525} USING LOCAL CMS CORE (index.ts loaded) \u{1F525}");
 export {
   ADMIN_GROUP_NAME,
   Address,