@infuro/cms-core 1.0.23 → 1.0.25

package/dist/index.cjs

@@ -38,10 +38,52 @@ var __decorateClass = (decorators, target, key, kind) => {
   return result;
 };
 
+// src/plugins/erp/erp-log.ts
+function logErp(event, detail) {
+  if (detail && Object.keys(detail).length) console.info(ERP_LOG, event, detail);
+  else console.info(ERP_LOG, event);
+}
+function warnErp(event, detail) {
+  console.warn(ERP_LOG, event, detail);
+}
+function errorErp(event, detail) {
+  console.error(ERP_LOG, event, detail);
+}
+function erpSafeWebhookUrl(url) {
+  try {
+    const u = new URL(url);
+    return `${u.origin}${u.pathname}`;
+  } catch {
+    return "(invalid webhook URL)";
+  }
+}
+var ERP_LOG;
+var init_erp_log = __esm({
+  "src/plugins/erp/erp-log.ts"() {
+    "use strict";
+    ERP_LOG = "[webcore:erp]";
+  }
+});
+
 // src/plugins/erp/erp-queue.ts
+function queuePayloadSummary(payload) {
+  if (payload.kind === "order") {
+    const o = payload.order;
+    return {
+      kind: payload.kind,
+      platformOrderId: o.platformOrderId ?? o.platformOrderNumber,
+      itemCount: Array.isArray(o.items) ? o.items.length : 0
+    };
+  }
+  return { kind: payload.kind };
+}
 async function queueErp(cms, payload) {
   const queue = cms.getPlugin("queue");
-  if (!queue) return;
+  if (!queue) {
+    warnErp("queue:add_skipped", { reason: "queue_plugin_missing", ...queuePayloadSummary(payload) });
+    return;
+  }
+  logErp("queue:add", { job: ERP_QUEUE_NAME, ...queuePayloadSummary(payload) });
   await queue.add(ERP_QUEUE_NAME, payload);
 }
 function registerErpQueueProcessor(cms) {
@@ -49,18 +91,31 @@ function registerErpQueueProcessor(cms) {
   if (!queue) return;
   queue.registerProcessor(ERP_QUEUE_NAME, async (data) => {
     const erp = cms.getPlugin("erp");
-    if (!erp) return;
+    if (!erp) {
+      warnErp("queue:processor_skip", { reason: "erp_plugin_missing" });
+      return;
+    }
     const payload = data;
-    if (payload.kind === "lead") {
-      await erp.submission.submitContact(payload.contact);
-    } else if (payload.kind === "formOpportunity") {
-      await erp.submission.submitFormOpportunity(payload.contact);
-    } else if (payload.kind === "createContact") {
-      await erp.submission.submitCreateContact(payload.contact);
-    } else if (payload.kind === "order") {
-      await erp.submission.submitOrder(payload.order);
-    } else if (payload.kind === "productUpsert") {
-      await erp.submission.submitProductUpsert(payload.product);
+    logErp("queue:job_start", queuePayloadSummary(payload));
+    try {
+      if (payload.kind === "lead") {
+        await erp.submission.submitContact(payload.contact);
+      } else if (payload.kind === "formOpportunity") {
+        await erp.submission.submitFormOpportunity(payload.contact);
+      } else if (payload.kind === "createContact") {
+        await erp.submission.submitCreateContact(payload.contact);
+      } else if (payload.kind === "order") {
+        await erp.submission.submitOrder(payload.order);
+      } else if (payload.kind === "productUpsert") {
+        await erp.submission.submitProductUpsert(payload.product);
+      }
+      logErp("queue:job_done", queuePayloadSummary(payload));
+    } catch (e) {
+      errorErp("queue:job_failed", {
+        ...queuePayloadSummary(payload),
+        message: e instanceof Error ? e.message : String(e)
+      });
+      throw e;
     }
   });
 }
@@ -68,6 +123,7 @@ var ERP_QUEUE_NAME;
 var init_erp_queue = __esm({
   "src/plugins/erp/erp-queue.ts"() {
     "use strict";
+    init_erp_log();
     ERP_QUEUE_NAME = "erp";
   }
 });
@@ -119,21 +175,36 @@ async function queueErpPaidOrderForOrderId(cms, dataSource, entityMap, orderId)
     const cfgRows = await configRepo.find({ where: { settings: "erp", deleted: false } });
     for (const row of cfgRows) {
       const r = row;
-      if (r.key === "enabled" && r.value === "false") return;
+      if (r.key === "enabled" && r.value === "false") {
+        logErp("paid-order:skip", { orderId, reason: "erp_config_disabled" });
+        return;
+      }
+    }
+    if (!cms.getPlugin("erp")) {
+      logErp("paid-order:skip", { orderId, reason: "erp_plugin_missing" });
+      return;
     }
-    if (!cms.getPlugin("erp")) return;
     const orderRepo = dataSource.getRepository(entityMap.orders);
     const ord = await orderRepo.findOne({
       where: { id: orderId },
       relations: ["items", "items.product", "contact", "billingAddress", "shippingAddress", "payments"]
     });
-    if (!ord) return;
+    if (!ord) {
+      logErp("paid-order:skip", { orderId, reason: "order_not_found" });
+      return;
+    }
     const o = ord;
     const okKind = o.orderKind === void 0 || o.orderKind === null || o.orderKind === "sale";
-    if (!okKind) return;
+    if (!okKind) {
+      logErp("paid-order:skip", { orderId, reason: "order_kind_not_sale", orderKind: o.orderKind });
+      return;
+    }
     const rawPayments = o.payments ?? [];
     const completedPayments = rawPayments.filter((pay) => pay.status === "completed" && pay.deleted !== true);
-    if (!completedPayments.length) return;
+    if (!completedPayments.length) {
+      logErp("paid-order:skip", { orderId, reason: "no_completed_payments" });
+      return;
+    }
     const rawItems = o.items ?? [];
     const lines = rawItems.filter((it) => it.product).map((it) => {
       const p = it.product;
@@ -152,7 +223,10 @@ async function queueErpPaidOrderForOrderId(cms, dataSource, entityMap, orderId)
         type: itemType
       };
     });
-    if (!lines.length) return;
+    if (!lines.length) {
+      logErp("paid-order:skip", { orderId, reason: "no_line_items_with_product" });
+      return;
+    }
     const contact = o.contact;
     const orderTotalMajor = Number(o.total);
     const paymentDtos = completedPayments.length === 1 && Number.isFinite(orderTotalMajor) ? [paymentRowToWebhookDto(completedPayments[0], orderTotalMajor)] : completedPayments.map((pay) => paymentRowToWebhookDto(pay));
@@ -174,13 +248,28 @@ async function queueErpPaidOrderForOrderId(cms, dataSource, entityMap, orderId)
       payments: paymentDtos,
       metadata: { ...baseMeta, source: "storefront" }
     };
+    logErp("paid-order:payload_built", {
+      orderId,
+      platformOrderId: orderDto.platformOrderId,
+      status: orderDto.status,
+      itemCount: lines.length,
+      skus: lines.map((l) => l.sku),
+      paymentCount: paymentDtos.length,
+      paymentIds: paymentDtos.map((p) => p.id),
+      total: orderTotalMajor
+    });
     await queueErp(cms, { kind: "order", order: orderDto });
-  } catch {
+  } catch (e) {
+    errorErp("paid-order:enqueue_failed", {
+      orderId,
+      message: e instanceof Error ? e.message : String(e)
+    });
   }
 }
 var init_paid_order_erp = __esm({
   "src/plugins/erp/paid-order-erp.ts"() {
     "use strict";
+    init_erp_log();
     init_erp_queue();
   }
 });
@@ -816,6 +905,7 @@ async function createCmsApp(options) {
 }
 
 // src/plugins/erp/erp-submission.ts
+init_erp_log();
 var ERPSubmissionService = class {
   webhookUrl;
   webhookJwt;
@@ -895,7 +985,29 @@ var ERPSubmissionService = class {
     };
     return this.postWebhookJson(envelope);
   }
+  summarizeWebhookBody(body) {
+    if (!body || typeof body !== "object" || Array.isArray(body)) {
+      return { bodyKind: typeof body };
+    }
+    const o = body;
+    const out = { event_type: o.event_type, timestamp: o.timestamp };
+    const data = o.data;
+    if (data && typeof data === "object" && !Array.isArray(data)) {
+      const d = data;
+      out.dataKeys = Object.keys(d);
+      out.platformOrderId = d.platformOrderId ?? d.platformOrderNumber;
+      out.itemCount = Array.isArray(d.items) ? d.items.length : void 0;
+    }
+    return out;
+  }
   async postWebhookJson(body) {
+    const safeUrl = erpSafeWebhookUrl(this.webhookUrl);
+    const bodyJson = JSON.stringify(body);
+    logErp("webhook:post_start", {
+      url: safeUrl,
+      bodyBytes: bodyJson.length,
+      ...this.summarizeWebhookBody(body)
+    });
     try {
       const res = await fetch(this.webhookUrl, {
         method: "POST",
@@ -903,13 +1015,19 @@ var ERPSubmissionService = class {
           "Content-Type": "application/json",
           "X-External-Token": this.webhookJwt
         },
-        body: JSON.stringify(body)
+        body: bodyJson
       });
-      if (res.ok) return { success: true, status: res.status };
       const text = await res.text();
+      const preview = text.length > 500 ? `${text.slice(0, 500)}\u2026` : text;
+      if (res.ok) {
+        logErp("webhook:post_ok", { status: res.status, responsePreview: preview || "(empty body)" });
+        return { success: true, status: res.status };
+      }
+      warnErp("webhook:post_http_error", { status: res.status, responsePreview: preview });
       return { success: false, error: `${res.status} ${text.slice(0, 500)}`, status: res.status };
     } catch (e) {
       const message = e instanceof Error ? e.message : "ERP webhook request failed";
+      errorErp("webhook:post_fetch_failed", { url: safeUrl, message });
       return { success: false, error: message };
     }
   }
@@ -1023,7 +1141,20 @@ var ERPSubmissionService = class {
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       data: orderDto
     };
-    return this.postWebhookJson(envelope);
+    logErp("submitOrder:envelope_ready", {
+      event_type: envelope.event_type,
+      timestamp: envelope.timestamp,
+      platformOrderId: orderDto.platformOrderId ?? orderDto.platformOrderNumber,
+      itemCount: Array.isArray(orderDto.items) ? orderDto.items.length : 0,
+      paymentCount: Array.isArray(orderDto.payments) ? orderDto.payments.length : 0
+    });
+    const result = await this.postWebhookJson(envelope);
+    if (result.success) {
+      logErp("submitOrder:complete", { ok: true, status: result.status });
+    } else {
+      warnErp("submitOrder:complete", { ok: false, status: result.status, error: result.error });
+    }
+    return result;
   }
   extractContactData(formData, formFields) {
     const contactData = {
@@ -4160,11 +4291,11 @@ async function readBufferFromPublicUrl(url) {
   throw new Error("Unsupported media URL");
 }
 function sanitizeZipPath(entryName) {
-  const norm2 = entryName.replace(/\\/g, "/").split("/").filter(Boolean);
-  for (const seg of norm2) {
+  const norm3 = entryName.replace(/\\/g, "/").split("/").filter(Boolean);
+  for (const seg of norm3) {
     if (seg === ".." || seg === ".") return null;
   }
-  return norm2;
+  return norm3;
 }
 function shouldSkipEntry(parts) {
   if (parts[0] === "__MACOSX") return true;
@@ -5184,18 +5315,37 @@ function createUsersApiHandlers(config) {
       try {
         const body = await req.json();
         if (!body?.name || !body?.email) return json({ error: "Name and email are required" }, { status: 400 });
-        const existing = await userRepo().findOne({ where: { email: body.email } });
-        if (existing) return json({ error: "User with this email already exists" }, { status: 400 });
+        const email = body.email;
+        const existing = await userRepo().findOne({ where: { email } });
+        if (existing && !existing.deleted) {
+          return json({ error: "User with this email already exists" }, { status: 400 });
+        }
         const groupRepo = dataSource.getRepository(entityMap.user_groups);
         const customerG = await groupRepo.findOne({ where: { name: "Customer", deleted: false } });
         const gid = body.groupId ?? null;
         const isCustomer = !!(customerG && gid === customerG.id);
         const adminAccess = isCustomer ? false : body.adminAccess === false ? false : true;
         const blocked = body.blocked === true || body.blocked === "true" || body.blocked === 1 || body.blocked === "1";
-        const newUser = await userRepo().save(
+        const newUser = existing?.deleted ? await (async () => {
+          await userRepo().update(existing.id, {
+            deleted: false,
+            deletedAt: null,
+            deletedBy: null,
+            name: body.name,
+            email,
+            password: null,
+            blocked,
+            groupId: gid,
+            adminAccess,
+            updatedAt: /* @__PURE__ */ new Date()
+          });
+          const row = await userRepo().findOne({ where: { id: existing.id } });
+          if (!row) throw new Error("user missing after restore");
+          return row;
+        })() : await userRepo().save(
           userRepo().create({
             name: body.name,
-            email: body.email,
+            email,
             password: null,
             blocked,
             groupId: gid,
@@ -5348,21 +5498,110 @@ function createUserAvatarHandler(config) {
     }
   };
 }
+var PROFILE_EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 function createUserProfileHandler(config) {
-  const { dataSource, entityMap, json, getSession } = config;
-  return async function PUT(req) {
+  const { dataSource, entityMap, json, getSession, onProfileUpdated } = config;
+  async function loadCurrentUser() {
     const session = await getSession();
-    if (!session?.user?.email) return json({ error: "Unauthorized" }, { status: 401 });
-    try {
-      const body = await req.json();
-      if (!body?.name) return json({ error: "Name is required" }, { status: 400 });
-      const userRepo = dataSource.getRepository(entityMap.users);
-      await userRepo.update({ email: session.user.email }, { name: body.name, updatedAt: /* @__PURE__ */ new Date() });
-      const updated = await userRepo.findOne({ where: { email: session.user.email }, select: ["id", "name", "email"] });
-      if (!updated) return json({ error: "Not found" }, { status: 404 });
-      return json({ message: "Profile updated successfully", user: { id: updated.id, name: updated.name, email: updated.email } });
-    } catch {
-      return json({ error: "Internal server error" }, { status: 500 });
+    const su = session?.user;
+    if (!su?.email && su?.id == null) {
+      return { ok: false, response: json({ error: "Unauthorized" }, { status: 401 }) };
+    }
+    const userRepo = dataSource.getRepository(entityMap.users);
+    let user = null;
+    const uidRaw = su.id != null ? String(su.id).trim() : "";
+    const uid = uidRaw && /^\d+$/.test(uidRaw) ? parseInt(uidRaw, 10) : NaN;
+    if (Number.isFinite(uid) && uid > 0) {
+      user = await userRepo.findOne({
+        where: { id: uid, deleted: false },
+        select: ["id", "name", "email", "phone", "createdAt"]
+      });
+    }
+    if (!user && su.email) {
+      const em = String(su.email).trim().toLowerCase();
+      if (em) {
+        user = await userRepo.findOne({
+          where: { email: em, deleted: false },
+          select: ["id", "name", "email", "phone", "createdAt"]
+        });
+      }
+    }
+    if (!user) return { ok: false, response: json({ error: "Not found" }, { status: 404 }) };
+    return { ok: true, user };
+  }
+  return {
+    async GET(_req) {
+      try {
+        const r = await loadCurrentUser();
+        if (!r.ok) return r.response;
+        const u = r.user;
+        return json({
+          id: u.id,
+          name: u.name ?? "",
+          email: u.email ?? "",
+          phone: u.phone ?? null,
+          createdAt: u.createdAt instanceof Date ? u.createdAt.toISOString() : u.createdAt ?? void 0
+        });
+      } catch {
+        return json({ error: "Internal server error" }, { status: 500 });
+      }
+    },
+    async PUT(req) {
+      try {
+        const r = await loadCurrentUser();
+        if (!r.ok) return r.response;
+        const current = r.user;
+        let body;
+        try {
+          body = await req.json();
+        } catch {
+          return json({ error: "Invalid JSON" }, { status: 400 });
+        }
+        const name = typeof body.name === "string" ? body.name.trim() : "";
+        if (!name) return json({ error: "Name is required" }, { status: 400 });
+        const emailRaw = typeof body.email === "string" ? body.email.trim().toLowerCase() : "";
+        if (!emailRaw || !PROFILE_EMAIL_RE.test(emailRaw)) {
+          return json({ error: "Valid email is required" }, { status: 400 });
+        }
+        const phone = body.phone === null || body.phone === void 0 ? null : typeof body.phone === "string" ? body.phone.trim() || null : null;
+        const userRepo = dataSource.getRepository(entityMap.users);
+        if (emailRaw !== String(current.email ?? "").toLowerCase()) {
+          const taken = await userRepo.findOne({
+            where: { email: emailRaw, deleted: false },
+            select: ["id"]
+          });
+          if (taken && taken.id !== current.id) {
+            return json({ error: "Email is already in use" }, { status: 409 });
+          }
+        }
+        await userRepo.update(
+          { id: current.id },
+          {
+            name,
+            email: emailRaw,
+            phone,
+            updatedAt: /* @__PURE__ */ new Date()
+          }
+        );
+        const updated = await userRepo.findOne({
+          where: { id: current.id },
+          select: ["id", "name", "email", "phone"]
+        });
+        if (!updated) return json({ error: "Not found" }, { status: 404 });
+        const row = updated;
+        if (onProfileUpdated) {
+          try {
+            await onProfileUpdated(req, row);
+          } catch {
+          }
+        }
+        return json({
+          message: "Profile updated successfully",
+          user: { id: row.id, name: row.name, email: row.email, phone: row.phone }
+        });
+      } catch {
+        return json({ error: "Internal server error" }, { status: 500 });
+      }
     }
   };
 }
@@ -8687,7 +8926,7 @@ function getNextAuthOptions(config) {
       }
     },
     callbacks: {
-      async jwt({ token, user }) {
+      async jwt({ token, user, trigger, session }) {
         if (user) {
           const u = user;
           token.id = u.id;
@@ -8696,11 +8935,19 @@ function getNextAuthOptions(config) {
           token.entityPerms = u.entityPerms;
           token.adminAccess = u.adminAccess;
         }
+        if (trigger === "update" && session && typeof session === "object") {
+          const s = session;
+          const t = token;
+          if (typeof s.name === "string") t.name = s.name;
+          if (typeof s.email === "string") t.email = s.email;
+        }
         return token;
       },
       async session({ session, token }) {
         if (session.user) {
           const t = token;
+          if (typeof t.name === "string") session.user.name = t.name;
+          if (typeof t.email === "string") session.user.email = t.email;
           session.user.id = t.id;
           session.user.groupId = t.groupId;
           session.user.isRBACAdmin = t.isRBACAdmin;
@@ -8716,6 +8963,66 @@ function getNextAuthOptions(config) {
 
 // src/api/crud.ts
 var import_typeorm46 = require("typeorm");
+
+// src/lib/address-geo-validation.ts
+var import_country_state_city = require("country-state-city");
+function norm2(s) {
+  return typeof s === "string" ? s.trim() : "";
+}
+function resolveCountry(input) {
+  const t = input.trim();
+  if (!t) return void 0;
+  if (t.length === 2) {
+    const byCode = import_country_state_city.Country.getCountryByCode(t.toUpperCase());
+    if (byCode) return byCode;
+  }
+  const lower = t.toLowerCase();
+  return import_country_state_city.Country.getAllCountries().find((c) => c.name.toLowerCase() === lower);
+}
+function resolveState(countryIso, input) {
+  const t = input.trim();
+  if (!t || !countryIso) return void 0;
+  const states = import_country_state_city.State.getStatesOfCountry(countryIso);
+  const lower = t.toLowerCase();
+  return states.find((s) => s.isoCode.toLowerCase() === t.toLowerCase() || s.name.toLowerCase() === lower);
+}
+function resolveCity(countryIso, stateIso, input) {
+  const t = input.trim();
+  if (!t || !countryIso || !stateIso) return void 0;
+  const lower = t.toLowerCase();
+  const cities = import_country_state_city.City.getCitiesOfState(countryIso, stateIso);
+  return cities.find((c) => c.name.toLowerCase() === lower);
+}
+function assertValidAddressHierarchy(country, state, city) {
+  const c = resolveCountry(country);
+  if (!c) return { ok: false, error: "Invalid or unknown country." };
+  const st = resolveState(c.isoCode, state);
+  if (!st) return { ok: false, error: "State or province does not match the selected country." };
+  const ct = resolveCity(c.isoCode, st.isoCode, city);
+  if (!ct) return { ok: false, error: "City does not match the selected state." };
+  return { ok: true, country: c.name, state: st.name, city: ct.name };
+}
+function validateAndNormalizeAddressRow(row) {
+  const line1 = norm2(row.line1);
+  const postalCode = norm2(row.postalCode);
+  const countryIn = norm2(row.country);
+  const stateIn = norm2(row.state);
+  const cityIn = norm2(row.city);
+  if (!line1) return "Street address (line 1) is required.";
+  if (!postalCode) return "Postal code is required.";
+  if (!countryIn || !stateIn || !cityIn) return "Country, state, and city are required.";
+  const geo = assertValidAddressHierarchy(countryIn, stateIn, cityIn);
+  if (!geo.ok) return geo.error;
+  row.line1 = line1;
+  row.line2 = norm2(row.line2) || null;
+  row.postalCode = postalCode;
+  row.country = geo.country;
+  row.state = geo.state;
+  row.city = geo.city;
+  return null;
+}
+
+// src/api/crud.ts
 var CRUD_LOG = "[cms-crud]";
 function logCrudClientError(op, detail) {
   console.warn(CRUD_LOG, op, detail);
@@ -8812,6 +9119,156 @@ function buildSearchWhereClause(repo, search) {
 function entityHasSoftDelete(repo) {
   return repo.metadata.columns.some((c) => c.propertyName === "deleted");
 }
+var LIST_QUERY_RESERVED = /* @__PURE__ */ new Set(["page", "limit", "sortField", "sortOrder", "search"]);
+function dayStartUtc(isoDay) {
+  return /* @__PURE__ */ new Date(isoDay + "T00:00:00.000Z");
+}
+function dayEndUtc(isoDay) {
+  return /* @__PURE__ */ new Date(isoDay + "T23:59:59.999Z");
+}
+function columnTypeLabel(col) {
+  const t = col.type;
+  if (typeof t === "string") return t.toLowerCase();
+  if (typeof t === "function") return t.name?.toLowerCase?.() ?? "";
+  if (t && typeof t === "object" && "name" in t && typeof t.name === "string") {
+    return String(t.name).toLowerCase();
+  }
+  return "";
+}
+function isListDateColumn(col) {
+  const tl = columnTypeLabel(col);
+  return DATE_COLUMN_TYPES.has(tl) || col.type === Date || TIMESTAMP_PROP_NAMES.has(col.propertyName);
+}
+function isListNumericColumn(col) {
+  const tl = columnTypeLabel(col);
+  if (col.type === Number) return true;
+  const patterns = [
+    "int",
+    "integer",
+    "int2",
+    "int4",
+    "int8",
+    "smallint",
+    "bigint",
+    "float",
+    "double",
+    "decimal",
+    "numeric",
+    "real",
+    "tinyint",
+    "mediumint"
+  ];
+  if (patterns.some((x) => tl.includes(x))) return true;
+  if (tl.includes("unsigned") && (tl.includes("int") || tl.includes("bigint") || tl.includes("small"))) return true;
+  if (!tl && /Id$/i.test(col.propertyName) && !TIMESTAMP_PROP_NAMES.has(col.propertyName)) return true;
+  return false;
+}
+function isListBooleanColumn(col) {
+  const tl = columnTypeLabel(col);
+  return tl === "boolean" || tl === "bool" || col.type === Boolean;
+}
+function isListStringColumn(col) {
+  const tl = columnTypeLabel(col);
+  if (isListDateColumn(col) || isListNumericColumn(col) || isListBooleanColumn(col)) return false;
+  if (["varchar", "character varying", "text", "citext", "uuid", "char", "character", "enum"].some(
+    (x) => tl.includes(x)
+  )) {
+    return true;
+  }
+  if (col.type === String) return true;
+  return false;
+}
+function mergeListWhereAnd(where, patch) {
+  if (Object.keys(patch).length === 0) return where;
+  if (Array.isArray(where)) {
+    if (where.length === 0) return [patch];
+    return where.map((w) => ({ ...w, ...patch }));
+  }
+  if (where && typeof where === "object" && Object.keys(where).length > 0) {
+    return { ...where, ...patch };
+  }
+  return patch;
+}
+function buildListFilterAndFromSearchParams(repo, searchParams) {
+  const and = {};
+  const columnNames = new Set(repo.metadata.columns.map((c) => c.propertyName));
+  for (const col of repo.metadata.columns) {
+    const name = col.propertyName;
+    if (!columnNames.has(name)) continue;
+    if (name === "deleted" || name === "deletedAt" || name === "deletedBy") continue;
+    if (!isListDateColumn(col)) continue;
+    const from = searchParams.get(`${name}From`)?.trim();
+    const to = searchParams.get(`${name}To`)?.trim();
+    if (!from && !to) continue;
+    if (from && to) {
+      and[name] = (0, import_typeorm46.Between)(dayStartUtc(from), dayEndUtc(to));
+    } else if (from) {
+      and[name] = (0, import_typeorm46.MoreThanOrEqual)(dayStartUtc(from));
+    } else if (to) {
+      and[name] = (0, import_typeorm46.LessThanOrEqual)(dayEndUtc(to));
+    }
+  }
+  for (const col of repo.metadata.columns) {
+    const name = col.propertyName;
+    if (!columnNames.has(name)) continue;
+    if (name === "deleted" || name === "deletedAt" || name === "deletedBy") continue;
+    if (!isListNumericColumn(col)) continue;
+    if (Object.prototype.hasOwnProperty.call(and, name)) continue;
+    const minRaw = searchParams.get(`${name}Min`)?.trim();
+    const maxRaw = searchParams.get(`${name}Max`)?.trim();
+    if (!minRaw && !maxRaw) continue;
+    const parseNum = (s) => {
+      const n = Number(s);
+      return Number.isFinite(n) ? n : null;
+    };
+    const nMin = minRaw ? parseNum(minRaw) : null;
+    const nMax = maxRaw ? parseNum(maxRaw) : null;
+    if (nMin != null && nMax != null) {
+      and[name] = (0, import_typeorm46.Between)(nMin, nMax);
+    } else if (nMin != null) {
+      and[name] = (0, import_typeorm46.MoreThanOrEqual)(nMin);
+    } else if (nMax != null) {
+      and[name] = (0, import_typeorm46.LessThanOrEqual)(nMax);
+    }
+  }
+  for (const col of repo.metadata.columns) {
+    const name = col.propertyName;
+    if (!columnNames.has(name)) continue;
+    if (LIST_QUERY_RESERVED.has(name)) continue;
+    if (name === "deleted" || name === "deletedAt" || name === "deletedBy") continue;
+    if (!isListStringColumn(col)) continue;
+    if (Object.prototype.hasOwnProperty.call(and, name)) continue;
+    const raw = searchParams.get(name)?.trim();
+    if (!raw) continue;
+    and[name] = (0, import_typeorm46.ILike)(`%${raw}%`);
+  }
+  return and;
+}
+function buildExactListParamWhere(repo, searchParams) {
+  const extraWhere = {};
+  const columnNames = new Set(repo.metadata.columns.map((c) => c.propertyName));
+  for (const col of repo.metadata.columns) {
+    const name = col.propertyName;
+    if (!columnNames.has(name)) continue;
+    if (name === "deleted" || name === "deletedAt" || name === "deletedBy") continue;
+    if (!isListNumericColumn(col)) continue;
+    const v = searchParams.get(name)?.trim();
+    if (v == null || v === "") continue;
+    const n = Number(v);
+    if (!Number.isFinite(n)) continue;
+    extraWhere[name] = n;
+  }
+  for (const col of repo.metadata.columns) {
+    if (String(col.type) !== "boolean") continue;
+    const name = col.propertyName;
+    if (!columnNames.has(name)) continue;
+    const raw = searchParams.get(name)?.trim();
+    if (raw === "true" || raw === "false") {
+      extraWhere[name] = raw === "true";
+    }
+  }
+  return extraWhere;
+}
 function mergeDeletedFalseWhere(repo, where) {
   if (!entityHasSoftDelete(repo)) return where;
   const d = { deleted: false };
@@ -8821,6 +9278,12 @@ function mergeDeletedFalseWhere(repo, where) {
   }
   return Object.keys(where).length > 0 ? { ...where, ...d } : d;
 }
+function pickDefaultListSortField(columnNames, columns) {
+  for (const candidate of ["createdAt", "updatedAt", "id", "name", "sortOrder", "title"]) {
+    if (columnNames.has(candidate)) return candidate;
+  }
+  return columns[0]?.propertyName ?? "id";
+}
 function normalizeProductSku(value) {
   if (value == null) return null;
   const s = String(value).trim();
@@ -8923,6 +9386,18 @@ function createCrudHandler(dataSource, entityMap, options) {
         if (statusFilter) qb.andWhere("order.status = :status", { status: statusFilter });
         if (dateFrom) qb.andWhere("order.createdAt >= :dateFrom", { dateFrom: /* @__PURE__ */ new Date(dateFrom + "T00:00:00.000Z") });
         if (dateTo) qb.andWhere("order.createdAt <= :dateTo", { dateTo: /* @__PURE__ */ new Date(dateTo + "T23:59:59.999Z") });
+        const totalMin = searchParams.get("totalMin")?.trim();
+        const totalMax = searchParams.get("totalMax")?.trim();
+        if (totalMin) {
+          const n = Number(totalMin);
+          if (Number.isFinite(n)) qb.andWhere("order.total >= :totalMin", { totalMin: n });
+        }
+        if (totalMax) {
+          const n = Number(totalMax);
+          if (Number.isFinite(n)) qb.andWhere("order.total <= :totalMax", { totalMax: n });
+        }
+        const currency = searchParams.get("currency")?.trim();
+        if (currency) qb.andWhere("order.currency ILIKE :orderCurrency", { orderCurrency: `%${currency}%` });
         if (orderIdsFromPayment && orderIdsFromPayment.length) qb.andWhere("order.id IN (:...orderIds)", { orderIds: orderIdsFromPayment });
         const [rows, total2] = await qb.getManyAndCount();
         const data2 = rows.map((order) => {
@@ -8961,8 +9436,30 @@ function createCrudHandler(dataSource, entityMap, options) {
         if (statusFilter) qb.andWhere("payment.status = :status", { status: statusFilter });
         if (dateFrom) qb.andWhere("payment.createdAt >= :dateFrom", { dateFrom: /* @__PURE__ */ new Date(dateFrom + "T00:00:00.000Z") });
         if (dateTo) qb.andWhere("payment.createdAt <= :dateTo", { dateTo: /* @__PURE__ */ new Date(dateTo + "T23:59:59.999Z") });
+        const paidAtFrom = searchParams.get("paidAtFrom")?.trim();
+        const paidAtTo = searchParams.get("paidAtTo")?.trim();
+        if (paidAtFrom) {
+          qb.andWhere("payment.paidAt >= :paidAtFrom", { paidAtFrom: /* @__PURE__ */ new Date(paidAtFrom + "T00:00:00.000Z") });
+        }
+        if (paidAtTo) {
+          qb.andWhere("payment.paidAt <= :paidAtTo", { paidAtTo: /* @__PURE__ */ new Date(paidAtTo + "T23:59:59.999Z") });
+        }
         if (methodFilter) qb.andWhere("payment.method = :method", { method: methodFilter });
         if (orderNumberParam) qb.andWhere("ord.orderNumber ILIKE :orderNumber", { orderNumber: `%${orderNumberParam}%` });
+        const amountMin = searchParams.get("amountMin")?.trim();
+        const amountMax = searchParams.get("amountMax")?.trim();
+        if (amountMin) {
+          const n = Number(amountMin);
+          if (Number.isFinite(n)) qb.andWhere("payment.amount >= :amountMin", { amountMin: n });
+        }
+        if (amountMax) {
+          const n = Number(amountMax);
+          if (Number.isFinite(n)) qb.andWhere("payment.amount <= :amountMax", { amountMax: n });
+        }
+        const extRef = searchParams.get("externalReference")?.trim();
+        if (extRef) {
+          qb.andWhere("payment.externalReference ILIKE :extRef", { extRef: `%${extRef}%` });
+        }
         const [rows, total2] = await qb.getManyAndCount();
         const data2 = rows.map((payment) => {
           const order = payment.order;
@@ -8981,18 +9478,36 @@ function createCrudHandler(dataSource, entityMap, options) {
         const repo2 = dataSource.getRepository(entity);
         const statusFilter = searchParams.get("status")?.trim();
         const inventory = searchParams.get("inventory")?.trim();
-        const productWhere = { deleted: false };
+        const productWhere = {
+          deleted: false,
+          ...buildListFilterAndFromSearchParams(repo2, searchParams)
+        };
         if (statusFilter) productWhere.status = statusFilter;
         if (inventory === "in_stock") productWhere.quantity = (0, import_typeorm46.MoreThan)(0);
         if (inventory === "out_of_stock") productWhere.quantity = 0;
+        for (const key of ["brandId", "categoryId", "collectionId"]) {
+          const raw = searchParams.get(key)?.trim();
+          if (raw) {
+            const n = Number(raw);
+            if (Number.isFinite(n)) productWhere[key] = n;
+          }
+        }
+        const featuredRaw = searchParams.get("featured")?.trim();
+        if (featuredRaw === "true" || featuredRaw === "false") {
+          productWhere.featured = featuredRaw === "true";
+        }
         if (search && typeof search === "string" && search.trim()) {
           productWhere.name = (0, import_typeorm46.ILike)(`%${search.trim()}%`);
         }
+        const productColumnNames = new Set(repo2.metadata.columns.map((c) => c.propertyName));
+        const defaultProductSort = pickDefaultListSortField(productColumnNames, repo2.metadata.columns);
+        const sortParam2 = (searchParams.get("sortField") ?? "").trim();
+        const productSortField = sortParam2 && productColumnNames.has(sortParam2) ? sortParam2 : defaultProductSort;
         const [data2, total2] = await repo2.findAndCount({
           where: Object.keys(productWhere).length ? productWhere : void 0,
           skip,
           take: limit,
-          order: { [sortFieldRaw]: sortOrder }
+          order: { [productSortField]: sortOrder }
         });
         return json({ total: total2, page, limit, totalPages: Math.ceil(total2 / limit), data: data2 });
       }
@@ -9085,27 +9600,22 @@ function createCrudHandler(dataSource, entityMap, options) {
         }
         return json({ total: total2, page, limit, totalPages: Math.ceil(total2 / limit), data: data2 });
       }
-      const sortField = columnNames.has(sortFieldRaw) ? sortFieldRaw : "createdAt";
+      const defaultSortField = pickDefaultListSortField(columnNames, repo.metadata.columns);
+      const sortParam = (searchParams.get("sortField") ?? "").trim();
+      const sortField = sortParam && columnNames.has(sortParam) ? sortParam : defaultSortField;
       let where = {};
       if (search) {
         where = buildSearchWhereClause(repo, search);
       }
-      const intFilterKeys = ["productId", "attributeId", "taxId"];
-      const extraWhere = {};
-      for (const key of intFilterKeys) {
-        const v = searchParams.get(key);
-        if (v != null && v !== "" && columnNames.has(key)) {
-          const n = Number(v);
-          if (Number.isFinite(n)) extraWhere[key] = n;
-        }
-      }
-      if (Object.keys(extraWhere).length > 0) {
+      where = mergeListWhereAnd(where, buildListFilterAndFromSearchParams(repo, searchParams));
+      const exactParamWhere = buildExactListParamWhere(repo, searchParams);
+      if (Object.keys(exactParamWhere).length > 0) {
         if (Array.isArray(where)) {
-          where = where.map((w) => ({ ...w, ...extraWhere }));
+          where = where.map((w) => ({ ...w, ...exactParamWhere }));
         } else if (where && typeof where === "object" && Object.keys(where).length > 0) {
-          where = { ...where, ...extraWhere };
+          where = { ...where, ...exactParamWhere };
         } else {
-          where = extraWhere;
+          where = exactParamWhere;
         }
       }
       where = mergeDeletedFalseWhere(repo, where);
@@ -9185,6 +9695,10 @@ function createCrudHandler(dataSource, entityMap, options) {
       }
       const repo = dataSource.getRepository(entity);
       const persistBody = resource === "media" ? body : pickColumnUpdates(repo, body);
+      if (resource === "contacts" && "type" in persistBody) {
+        const t = persistBody.type;
+        if (t === "" || t === "none" || t == null) persistBody.type = null;
+      }
       if (resource !== "media" && Object.keys(persistBody).length === 0) {
         logCrudClientError("POST create", {
           reason: "no_scalar_columns_after_pick",
@@ -9207,6 +9721,17 @@ function createCrudHandler(dataSource, entityMap, options) {
           }
         }
       }
+      if (resource === "addresses") {
+        const cid = Number(persistBody.contactId);
+        if (!Number.isFinite(cid)) {
+          return json({ error: "Valid contactId is required." }, { status: 400 });
+        }
+        if (persistBody.tag === "") persistBody.tag = null;
+        const addrErr = validateAndNormalizeAddressRow(persistBody);
+        if (addrErr) {
+          return json({ error: addrErr }, { status: 400 });
+        }
+      }
       sanitizeBodyForEntity(repo, persistBody);
       let created;
       try {
@@ -9524,10 +10049,60 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
         if (!cur) return json({ message: "Not found" }, { status: 404 });
       }
       const updatePayload = rawBody && typeof rawBody === "object" ? pickColumnUpdates(repo, rawBody) : {};
+      if (resource === "contacts" && "type" in updatePayload) {
+        const t = updatePayload.type;
+        if (t === "" || t === "none" || t == null) updatePayload.type = null;
+      }
       if (resource === "media") {
         const u = updatePayload;
-        delete u.parentId;
         delete u.kind;
+        if (rawBody && typeof rawBody === "object" && "parentId" in rawBody) {
+          let pid = null;
+          const p = rawBody.parentId;
+          if (p != null && p !== "") {
+            const n = Number(p);
+            if (!Number.isFinite(n)) {
+              return json({ error: "Invalid parentId" }, { status: 400 });
+            }
+            pid = n;
+          }
+          if (pid != null) {
+            const parent = await repo.findOne({
+              where: { id: pid, deleted: false }
+            });
+            if (!parent || parent.kind !== "folder") {
+              return json({ error: "parent must be a folder" }, { status: 400 });
+            }
+          }
+          const row = await repo.findOne({
+            where: { id: numericId, deleted: false }
+          });
+          if (!row) return json({ message: "Not found" }, { status: 404 });
+          if (pid === numericId) {
+            return json({ error: "Invalid parentId" }, { status: 400 });
+          }
+          if (row.kind === "folder" && pid != null) {
+            let walk = pid;
+            const seen = /* @__PURE__ */ new Set();
+            while (walk != null) {
+              if (walk === numericId) {
+                return json(
+                  { error: "Cannot move a folder into itself or a descendant folder" },
+                  { status: 400 }
+                );
+              }
+              if (seen.has(walk)) break;
+              seen.add(walk);
+              const anc = await repo.findOne({
+                where: { id: walk, deleted: false }
+              });
+              walk = anc ? anc.parentId ?? null : null;
+            }
+          }
+          u.parentId = pid;
+        } else {
+          delete u.parentId;
+        }
       }
       if (resource === "products") {
         const currentRow = await repo.findOne({
@@ -9546,6 +10121,26 @@ function createCrudByIdHandler(dataSource, entityMap, options) {
           updatePayload.sku = effSku;
         }
       }
+      if (resource === "addresses" && Object.keys(updatePayload).length > 0) {
+        const currentRow = await repo.findOne({
+          where: { id: numericId }
+        });
+        if (!currentRow) return json({ message: "Not found" }, { status: 404 });
+        const merged = {
+          ...currentRow,
+          ...updatePayload
+        };
+        if (merged.tag === "") merged.tag = null;
+        const addrErr = validateAndNormalizeAddressRow(merged);
+        if (addrErr) {
+          return json({ error: addrErr }, { status: 400 });
+        }
+        for (const k of Object.keys(updatePayload)) {
+          if (k in merged) {
+            updatePayload[k] = merged[k];
+          }
+        }
+      }
       if (Object.keys(updatePayload).length > 0) {
         sanitizeBodyForEntity(repo, updatePayload);
         await repo.update(numericId, updatePayload);
@@ -10717,7 +11312,7 @@ function createCmsApiHandler(config) {
   } : usersApi;
   const usersHandlers = usersApiMerged ? createUsersApiHandlers(mergePerm(usersApiMerged) ?? usersApiMerged) : null;
   const avatarPost = userAvatar ? createUserAvatarHandler(userAvatar) : null;
-  const profilePut = userProfile ? createUserProfileHandler(userProfile) : null;
+  const profileHandlers = userProfile ? createUserProfileHandler(userProfile) : null;
   const settingsHandlers = settingsConfig ? createSettingsApiHandlers(settingsConfig) : null;
   const smsMessageTemplateHandlers = createSmsMessageTemplateHandlers({
     dataSource,
@@ -10816,7 +11411,10 @@ function createCmsApiHandler(config) {
         }
         if (path.length === 2) {
           if (path[1] === "avatar" && m === "POST" && avatarPost) return avatarPost(req);
-          if (path[1] === "profile" && m === "PUT" && profilePut) return profilePut(req);
+          if (path[1] === "profile" && profileHandlers) {
+            if (m === "GET") return profileHandlers.GET(req);
+            if (m === "PUT") return profileHandlers.PUT(req);
+          }
           const id = path[1];
           if (m === "GET") return usersHandlers.getById(req, id);
           if (m === "PUT" || m === "PATCH") return usersHandlers.update(req, id);
@@ -11547,18 +12145,19 @@ function createStorefrontApiHandler(config) {
           const contactOrErr = await getContactForAddresses();
           if (contactOrErr instanceof Response) return contactOrErr;
           const b = await req.json().catch(() => ({}));
-          const created = await addressRepo().save(
-            addressRepo().create({
-              contactId: contactOrErr.contactId,
-              tag: typeof b.tag === "string" ? b.tag.trim() || null : null,
-              line1: typeof b.line1 === "string" ? b.line1.trim() || null : null,
-              line2: typeof b.line2 === "string" ? b.line2.trim() || null : null,
-              city: typeof b.city === "string" ? b.city.trim() || null : null,
-              state: typeof b.state === "string" ? b.state.trim() || null : null,
-              postalCode: typeof b.postalCode === "string" ? b.postalCode.trim() || null : null,
-              country: typeof b.country === "string" ? b.country.trim() || null : null
-            })
-          );
+          const row = {
+            contactId: contactOrErr.contactId,
+            tag: typeof b.tag === "string" ? b.tag.trim() || null : null,
+            line1: typeof b.line1 === "string" ? b.line1 : "",
+            line2: typeof b.line2 === "string" ? b.line2.trim() || null : null,
+            city: typeof b.city === "string" ? b.city : "",
+            state: typeof b.state === "string" ? b.state : "",
+            postalCode: typeof b.postalCode === "string" ? b.postalCode : "",
+            country: typeof b.country === "string" ? b.country : ""
+          };
+          const addrErr = validateAndNormalizeAddressRow(row);
+          if (addrErr) return json({ error: addrErr }, { status: 400 });
+          const created = await addressRepo().save(addressRepo().create(row));
           return json(serializeAddress2(created));
         }
         if (path[0] === "addresses" && path.length === 2 && (method === "PATCH" || method === "PUT")) {
@@ -11577,7 +12176,16 @@ function createStorefrontApiHandler(config) {
           if (b.state !== void 0) updates.state = typeof b.state === "string" ? b.state.trim() || null : null;
           if (b.postalCode !== void 0) updates.postalCode = typeof b.postalCode === "string" ? b.postalCode.trim() || null : null;
           if (b.country !== void 0) updates.country = typeof b.country === "string" ? b.country.trim() || null : null;
-          if (Object.keys(updates).length) await addressRepo().update(id, updates);
+          if (Object.keys(updates).length) {
+            const merged = { ...existing, ...updates };
+            if (merged.tag === "") merged.tag = null;
+            const addrErr = validateAndNormalizeAddressRow(merged);
+            if (addrErr) return json({ error: addrErr }, { status: 400 });
+            for (const k of Object.keys(updates)) {
+              if (k in merged) updates[k] = merged[k];
+            }
+            await addressRepo().update(id, updates);
+          }
           const updated = await addressRepo().findOne({ where: { id } });
           return json(serializeAddress2(updated));
         }